This document provides technical details on the reverse engineering process of the TP-Link Tapo C200 camera.
There is an another great resource about reverse engineering the camera by DrmnSamoLiu that can be found here: https://drmnsamoliu.github.io/
The camera consists of the following components:
| Name | Component | Description |
|---|---|---|
| SoC | Realtek RTS3903 | CPU: 500MHz, rx5281 prid=0xdc02 |
| RAM | N/A | 64 MiB @ 1066 MHz |
| Serial Flash | XMC XM25QH64A | Page size: 256 Bytes, erase size: 64 KiB, total: 8 MiB. |
| Sensor | SC2232H |
| dev | start | end | size | erasesize | name |
|---|---|---|---|---|---|
| mtd0 | 0x000000000000 | 0x00000001d800 | x | x | factory_boot |
| mtd1 | 0x00000001d800 | 0x000000020000 | x | x | factory_info |
| mtd2 | 0x000000020000 | 0x000000040000 | x | x | art |
| mtd3 | 0x000000040000 | 0x000000050000 | x | x | config |
| mtd4 | 0x000000050000 | 0x000000060000 | x | x | boot |
| mtd5 | 0x000000060000 | 0x0000001c6400 | x | x | kernel |
| mtd6 | 0x0000001c6400 | 0x000000710000 | x | x | rootfs |
| mtd7 | 0x000000710000 | 0x000000800000 | x | x | rootfs_data |
| mtd8 | 0x000000060000 | 0x000000800000 | x | x | firmware |
The default root password is slprealtek and the U-Boot stop keyword is slp. Thanks to Kubik369 for this discovery.
The pinout for the camera ethernet port was provided by Kubik369. It is a Molex Picoblade connector (1.27mm pitch, 4-pin). The numbering is T-568A.
