
Interested? comment here #1

Open
btsimonh opened this issue May 1, 2018 · 51 comments

Comments

@btsimonh
Owner

btsimonh commented May 1, 2018

This repo is my exposure of my attempt to keep my privacy faced with Chinese hardware with no published privacy policy....
If you have the same or similar camera, and are interested in contributing, then put a comment against this issue; maybe we can collaborate.
I've got the initial work done (root prompt, but requiring serial access to establish, permanently), but the ideal would be an exploit which did not require serial access.
There are promising hints of such exploits, but they require detailed investigation (ARM decompilation and debugging) which I simply don't have the time to do.
There are also (purely from the connections of the developer) hints that these cameras may actually be mining bitcoin on the developer's behalf - a good way of financing the internet infrastructure required for delivering the cloud video. I've not got a problem with that :). But I do need to have some guarantees about its interaction with my home network....

@csloz

csloz commented May 12, 2018

j3 translation = 左右 or left/right

bt mining on a gm8126, that would be amusing. I very very very much doubt it!

Have the SDK on the website under files/ARM9/GM8126

@Lexridge

Lexridge commented Jul 8, 2018

I don't mind using serial ports. I would like to try this soon. I got mine also from Amazon for ~$20 and it is absolutely great quality for a cheap IP camera. It would be great to figure out how to create a custom kernel for this thing. You are way more advanced here than I am, but I always try to get root on all my Android devices and install custom ROMs. I used to build the OS formerly known as CyanogenMod (can't remember the new name, as my shitty S7 has a locked bootloader. No hacks!) for my Galaxy S5. I have used TFTP to flash many DD-WRT routers. So I know a bit. I will help out all I can.

@BenHarris

Interested. Mine is an "ieGeek" branded model. The admin interface reports model "f128" and software version "v5.1.8.1807231703", so some way ahead of your patches

@BenHarris

Bit of an update. I hooked up the serial connection, but it looks like the mmc utility has now been removed from the latest firmware, unfortunately! Any thoughts which don't require I buy an EEPROM programmer?

Here's what we have left

boot
bootd
bootlogo
bootm
bootp
chpart
cmp
cp
crc32
dcache
env
erase
fatinfo
fatload
fatls
flinfo
fwupd
go
help
i2c
icache
l2cache_test
md
memtester
mii
mm
mtdparts
mtest
mw
nm
ping
printenv
protect
reset
run
saveenv
setenv
sf
sspi
tftpboot
usb
usbboot
version

@btsimonh
Owner Author

Hmm... I did not try the USB; you would need a cable with which you could both power it and plug in a USB device; but I suppose there is no reason for them to have wired it .....
You could dump the memory to serial, capture it and then write a program to reconstruct; may take some time :). But if you can get an image then modifying the upgrade file from the image may work.
You could TFTP boot a custom U-Boot with mmc available :). Done that a couple of times on old routers; not fun.
This covers all the options :).

@ethempekin

Is this project finalised?

@btsimonh
Owner Author

not worked on it for a long while.... so consider it historical information. They probably closed a lot of the holes :(.

@ethempekin

ethempekin commented Apr 11, 2020 via email

@NightDragon1

I was able to get into my cam and to copy the memory. I just have no idea how to get the proper size of the partition table (have HxD installed) nor how to cut it to 16MB (by calculating it? or how?)
Firmware version is v5.1.10.1811090903

Any one up for help?

@NightDragon1

NightDragon1 commented Jun 9, 2020

Okay, I just found the output of U-Boot with what I guess is the partition table info:

SF: Detected MX25L12805D with page size 64 KiB, total 16 MiB
flash is 3byte mode
0 [0x10000 0x50000]
1 [0x60000 0x2a0000]
2 [0x300000 0x600000]
3 [0x900000 0x6f0000]
4 [0xff0000 0x10000]

after knowing this and comparing with the data on the wiki I'll continue to manipulate the file.
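The five lines above are also the answer to the "cut it to 16 MB" question: the SF line says the chip is 16 MiB, and the last entry ends at 0xff0000 + 0x10000 = 0x1000000, so a correct dump is exactly 16 MiB and each entry can be carved straight out of it. The script below is an added example for this thread, not code from this repo or from the camera. It checks that the entries are contiguous, aligned to the 64 KiB erase block U-Boot reported and inside the flash, carves each with dd, and guesses the content from the first four bytes. Assumptions: a POSIX sh with dd, od, wc and tr; the dump starts at flash offset 0; the first 0x10000 bytes, which U-Boot does not list, are left uncarved.

```shell
#!/bin/sh
# Added example for this thread (not from the repo or the camera firmware):
# carve an SPI flash dump into per-partition files using the "N [offset size]"
# lines U-Boot prints, after sanity-checking the table against the dump.
# Assumptions: POSIX sh with dd, od, wc, tr; the dump starts at flash
# offset 0; partitions are aligned to the 64 KiB erase block U-Boot reported.

ERASE_BLOCK=65536
FLASH_SIZE=$((16 * 1024 * 1024))   # MX25L12805D: 128 Mbit = 16 MiB

# The partition lines posted above; pass a file with the same kind of lines
# as the third argument of carve to use the table from your own camera.
DEFAULT_TABLE='0 [0x10000 0x50000]
1 [0x60000 0x2a0000]
2 [0x300000 0x600000]
3 [0x900000 0x6f0000]
4 [0xff0000 0x10000]'

# ident FILE: guess the content type from the first four bytes.
# Prints one of: squashfs, jffs2, uimage, unknown
ident() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        68737173|73717368) echo squashfs ;;  # "hsqs" (little-endian) / "sqsh"
        8519*|1985*)       echo jffs2 ;;     # JFFS2 node magic 0x1985
        27051956)          echo uimage ;;    # U-Boot legacy image header
        *)                 echo unknown ;;
    esac
}

# carve DUMP OUTDIR [TABLE_FILE]
# Writes OUTDIR/mtdN.bin for every table entry and prints one summary line
# per partition. Returns non-zero if the table does not fit the dump.
carve() {
    dump=$1; outdir=$2
    table=$DEFAULT_TABLE
    [ -n "${3:-}" ] && table=$(cat "$3")
    table=$(printf '%s\n' "$table" | tr -d '[]')   # "0 0x10000 0x50000"
    mkdir -p "$outdir"
    dumpsize=$(wc -c < "$dump" | tr -d ' ')
    if [ "$dumpsize" -lt "$FLASH_SIZE" ]; then
        echo "dump is $dumpsize bytes but the flash is $FLASH_SIZE: capture is incomplete" >&2
        return 1
    fi
    [ "$dumpsize" -gt "$FLASH_SIZE" ] && \
        echo "note: dump is longer than the flash; only the first 16 MiB is used" >&2
    expect=-1
    while read -r idx off size; do
        [ -z "$idx" ] && continue
        off=$((off)); size=$((size))
        if [ "$expect" -lt 0 ] && [ "$off" -gt 0 ]; then
            echo "0x0-0x$(printf %x "$off") is not in the table (left uncarved)"
        elif [ "$expect" -ge 0 ] && [ "$off" -ne "$expect" ]; then
            echo "partition $idx: gap or overlap, starts at 0x$(printf %x "$off") but previous ended at 0x$(printf %x "$expect")" >&2
            return 1
        fi
        if [ $((off % ERASE_BLOCK)) -ne 0 ] || [ $((size % ERASE_BLOCK)) -ne 0 ]; then
            echo "partition $idx: not aligned to the 64 KiB erase block" >&2
            return 1
        fi
        if [ $((off + size)) -gt "$FLASH_SIZE" ]; then
            echo "partition $idx: extends past the end of flash" >&2
            return 1
        fi
        out="$outdir/mtd$idx.bin"
        dd if="$dump" of="$out" bs="$ERASE_BLOCK" \
           skip=$((off / ERASE_BLOCK)) count=$((size / ERASE_BLOCK)) 2>/dev/null
        echo "mtd$idx off=0x$(printf %x "$off") size=0x$(printf %x "$size") $(ident "$out")"
        expect=$((off + size))
    done <<EOF
$table
EOF
    if [ "$expect" -ne "$FLASH_SIZE" ]; then
        echo "table ends at 0x$(printf %x "$expect"), not at the 16 MiB flash end" >&2
        return 1
    fi
}

# Usage: sh carve.sh dump.bin parts/ [table.txt]
if [ "$#" -ge 2 ]; then
    carve "$@"
fi
```

Run it as `sh carve.sh dump.bin parts/`; the summary line per partition tells you which slice is the squashfs and which is the JFFS2 data partition before you unpack anything. If the dump captured over serial is longer than 16 MiB, the script only reads the first 16 MiB; if it is shorter, it refuses, because a short capture is the usual reason a carved squashfs will not mount.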

@NightDragon1

Hi all.
I was able to gain root access to my cam and will submit some improvements to the Wiki regarding the whole procedure.
Somehow I was not able to get the passwd script to run.
Investigation ongoing.

@btsimonh
Owner Author

@NightDragon1 - although my camera has been in a box for a year or more, I still follow the repo :). Good work, and any improvements welcome... it's very difficult to write a complete and easily reproducible procedure when you've done 50 different things to get to the final idea....

@NightDragon1

@btsimonh Thanks, cool.
By the way, I just found this on the internet: https://usermanual.wiki/Document/GM8136FlashUserGuideV10.1468680306/view

@MatteoGheza

How can I drop a shell into the camera using UART?

Software version: v5.1.8.1808081601
Model: f006
Serial: 1jfi*********

@NightDragon1

NightDragon1 commented Jun 11, 2020

@MatteoGheza Some information can be found on the Wiki.
I'm just writing a step-by-step tutorial and will provide it to @btsimonh to publish and update the wiki.
It just completes some dynamic and adds my experiences with hacking into it.

You have a model called f006. Not sure if it works for you. Can you open the cam and provide a pic of the PCB?

@btsimonh
Owner Author

@NightDragon1 - the wiki is public :) - you can modify directly?

@NightDragon1

NightDragon1 commented Jun 11, 2020

@btsimonh No, I can't. I guess just members of the repository with proper rights can. But I've never maintained a wiki on GitHub, so no idea what the rules are.

@btsimonh
Owner Author

try now - there is a setting for that!

@MatteoGheza

You have a model called f006. Not sure if it works for you. Can you open the cam and provide a pic of the PCB?

https://send.firefox.com/download/0a904a40a2d983b6/#jnHtnepephZ7HhUSse-6HA
Sorry for the quality.

@MatteoGheza

On the other side of the PCB, it has some pins labelled "rx", "tx", "gnd" and "3.3v".

@NightDragon1

@btsimonh works! Thanks! I'll add the content soon.
@MatteoGheza Looks quite different from our cam. But you could do the following: connect some wires to RX, TX and GND and try to connect at 115200 bps. Power the cam and see what's happening.
If you could provide a file with the output we could check what it is. But also take care that you check for sensitive data listed there - such as passwords or hostnames, etc...

@NightDragon1

Okay, a first draft of the guide is online.
In between i figured out what may cause the pwd script not to work: /etc/init.d/dev_init.sh: line 172: /mnt/mtd/dev_data/dev_pwd.sh: Permission denied
So i guess I have to set chmod +x on it.

@NightDragon1

Note: setting the script to be executable fixed it. I now have access to my cam. If someone could review the guide and give me feedback, I would really appreciate it.

@MatteoGheza

MatteoGheza commented Jun 12, 2020

@MatteoGheza Looks quite different from our cam. But you could do the following: connect some wires to RX, TX and GND and try to connect at 115200 bps. Power the cam and see what's happening.

I'm trying with Termite 3.4, but I get garbage like ?[1E]<< < [00][00] [1C]<[1E] [1C][1E][00]>[1C] [1C][00] ?>>>>>< ?[00] <<8<< [1E] [1C]<[1C][00][1C][1C][1C]>
with the following configs:
bps: 115200
data bit: 6
stop bit: 1
parity: none
flow control: XON-XOFF

With putty, following the wiki, I can read only ▒▒5}▒▒=_▒▒▒▒▒▒▒▒

@MatteoGheza

MatteoGheza commented Jun 12, 2020

If this method fails, how can I execute commands into the camera (custom firmware, sd scripts, command injections,...)?
Now I'm trying with a custom firmware update from the camera local web UI.

@btsimonh
Owner Author

This can't be right: data bit: 6
should be 8, but suspect typo :).
The fact you get anything from the port probably is a good thing.
Turn off flow control.
try 9600, 19200, 38400, 57600 as well.
double check your wiring :).
test from cold boot - the baud rate for uboot and linux may be different.
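The checklist above (8N1, no flow control, walk the common baud rates, capture from a cold boot) can be mechanised. The script below is an added example for this thread, not code from the repo or from any poster: `text_score` says what fraction of a capture is printable text, so a capture like the `?[1E]<< < [00][00]` output quoted above scores low while a decoded console scores near 100, and `scan_bauds` repeats that at each rate. Assumptions: a Linux host with GNU stty and coreutils `timeout`, the USB serial adapter on /dev/ttyUSB0 (override with SERIAL_DEV), TX/RX crossed and GND shared.

```shell
#!/bin/sh
# Added example for this thread (not from the repo or the camera):
# decide from a captured chunk of serial output whether the port settings
# decode it, and optionally try the baud rates suggested above in turn.
# Assumptions: Linux with GNU stty and coreutils timeout; the adapter is
# /dev/ttyUSB0 (override with SERIAL_DEV); wiring is TX<->RX crossed, GND shared.

SERIAL_DEV=${SERIAL_DEV:-/dev/ttyUSB0}

# text_score FILE: percentage (0-100) of bytes that are printable ASCII,
# tab, CR or LF. A console at the right baud rate scores close to 100;
# the kind of output quoted above (0x1E, 0x1C, NUL ...) scores far lower.
text_score() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -eq 0 ] && { echo 0; return 0; }
    # delete every acceptable byte; whatever remains is junk
    bad=$(tr -d '\040-\176\t\r\n' < "$1" | wc -c | tr -d ' ')
    echo $(( (total - bad) * 100 / total ))
}

# scan_bauds [SECONDS]: for each rate, set 8N1 with no flow control and
# capture a few seconds; power the camera up after each prompt so both
# the U-Boot and the kernel output have a chance to appear.
scan_bauds() {
    secs=${1:-4}
    for baud in 115200 57600 38400 19200 9600; do
        stty -F "$SERIAL_DEV" "$baud" cs8 -parenb -cstopb -ixon -ixoff -crtscts raw
        echo "power-cycle the camera now; capturing $secs s at $baud"
        timeout "$secs" cat "$SERIAL_DEV" > "capture_$baud.bin" || true
        echo "$baud: $(text_score "capture_$baud.bin")% printable"
    done
}

# Usage: sh uart_scan.sh scan [seconds]
if [ "${1:-}" = scan ]; then
    scan_bauds "${2:-4}"
fi
```

If every rate scores badly, the settings are not the problem: recheck that TX goes to the adapter's RX (and vice versa) and that GND is shared, since a floating ground produces exactly the kind of noise quoted above at any baud rate. Keep the capture files; they are what the thread asks for, but read them for passwords and hostnames before posting.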

@NightDragon1

@MatteoGheza If it fails, you can only check whether you have a firmware version for which already "hacked" images are available (see Wiki - Notes).

@MatteoGheza

I'm trying to repair a broken component of the camera pcb, I'll try it tomorrow. Thanks.

@NightDragon1

example:
rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ
example RTSP:
rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ
...

I think I just found the meaning of p0 in the URL: it seems like it's a "resolution/quality" parameter:
Stored in /mnt/mtd/ipc_data/ipc_conf.xml

<profiles>
   <token>p0</token>
   <name>HD</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec0</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p1</token>
   <name>Normal</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec1</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p2</token>
   <name>Half</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec2</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p3</token>
   <name>Min</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec3</vec>
   <aec>aec_aac</aec>
</profiles>

@btsimonh
Owner Author

ohh... codec parameters. Can you make it do something browser compatible :)?

@MatteoGheza

example:
rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ
example RTSP:
rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ

@NightDragon1 can you create a simple rtmp/rtsp uri builder?

@NightDragon1

@NightDragon1 can you create a simple rtmp/rtsp uri builder?

@MatteoGheza Just URL generation is one thing, but you need to sign in to the cam every time.

@MatteoGheza

Ok, thanks

@Hurricos

Hurricos commented Oct 1, 2020

Just to mention it: This SoC is an armv5 one also seen in the ancient (2010ish) Ubiquiti AirCam. Quite interested if someone fishes up the full SDK -- could recompile something for the AirCam which is near EOL.

I have a 16-pin SPI flash cable I could use to reflash my Aircam.

@yppo

yppo commented Nov 30, 2020

I found something interesting:

http://www.openipcam.com/forum/index.php?topic=1429.0

One of the most interesting ones is project\apps\app\ipc\data\sh\sd_card_insert.sh, which contains the following lines of code:

#run hook
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then
chmod 777 /mnt/sd/upgrade/upgrade.sh
sh /mnt/sd/upgrade/upgrade.sh &
fi

Yes - when you insert an SD card into the camera which contains a script at upgrade/upgrade.sh it gets run. As root.

Can this be used to exploit the SD or gain access faster?

@MatteoGheza

MatteoGheza commented Nov 30, 2020

What is the default FS used by camera? I read that the camera read only sd cards with a custom encrypted filesystem (???) and, if sd card is not readable, the camera formats it.

@MatteoGheza

Can someone try the sd card exploit?

@tylerobara

Can someone try the sd card exploit?

I subscribed to track progress and am comfortable enough to get a script to the right place on the SD, but not enough to know what to put in the script.

@yppo

yppo commented Nov 30, 2020

I was thinking of trying this.
As what to put in the script - just a simple script that can ping or do a get on a place where you can monitor.

@tylerobara

I was thinking of trying this.
As what to put in the script - just a simple script that can ping or do a get on a place where you can monitor.

gotcha - I will dig this camera out again and put some curls, pings and nslookups in the script - in an infinite loop I suppose.

@btsimonh
Owner Author

btsimonh commented Dec 1, 2020

In my original testing, the camera firmware always erased the SD card after boot.
But.. that does not mean it would not run the script first.
But... I'm sure I would have noticed the script that ran something from the card when decomposing the squashfs & jffs partitions on my camera - I've experience with USB hacking previously, and would have looked hard for such an exploit :).
So, let's hope for some positive results :).
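A concrete way to run the test proposed by @yppo and @tylerobara, taking the two caveats in this thread into account: the card may be wiped after boot, so the evidence must also leave the camera over the network, and the card must be in a format the camera accepts (@MatteoGheza reports that an unreadable card gets reformatted; which format that is, the thread does not settle). The script below is an added example for this thread, not code from the repo or from the camera firmware. `write_payload` puts a harmless evidence-and-beacon script at upgrade/upgrade.sh on the card, and `run_hook` is the three quoted lines of sd_card_insert.sh with the mount point made a parameter, so the payload can be exercised on a PC before the card goes into the camera. Assumptions: the card is mounted at /mnt/sd as in the quoted hook; the camera has a BusyBox sh, ping and /proc; the listener address you pass is a host on the camera's LAN where you watch for ICMP (tcpdump, or just the ping replies).

```shell
#!/bin/sh
# Added example for this thread (not from the repo or the camera firmware):
# build a harmless test payload for the upgrade/upgrade.sh hook quoted above,
# and a local copy of that hook so the payload can be tried on a PC first.
# Assumptions: the card is mounted at /mnt/sd as in the quoted hook; the
# camera has BusyBox sh, ping and /proc; LISTENER is a host you can watch
# (tcpdump, or just the ping replies) on the camera's LAN.

# write_payload CARD_DIR LISTENER [TRIES]
# The payload only collects evidence and beacons; it changes nothing on the
# camera. Evidence is written next to the script AND sent over the network,
# because the firmware may wipe the card after boot.
write_payload() {
    card=$1; listener=$2; tries=${3:-60}
    mkdir -p "$card/upgrade"
    cat > "$card/upgrade/upgrade.sh" <<EOF
#!/bin/sh
# evidence file next to this script (i.e. on the card)
log="\$(dirname "\$0")/ran.txt"
{
    echo "uid: \$(id 2>/dev/null || echo unknown)"
    echo "kernel: \$(uname -a)"
    echo "mtd:";    cat /proc/mtd 2>/dev/null
    echo "mounts:"; cat /proc/mounts 2>/dev/null
} > "\$log" 2>&1
# beacon once a second for a bounded time; watch for ICMP from the camera
n=0
while [ "\$n" -lt $tries ]; do
    ping -c 1 -W 1 '$listener' >/dev/null 2>&1 || true
    n=\$((n + 1))
    sleep 1
done
EOF
}

# run_hook CARD_DIR: the three lines of sd_card_insert.sh quoted above with
# the mount point made a parameter. The firmware backgrounds the script
# with "&"; this copy waits for it so the result can be checked.
run_hook() {
    card=$1
    if [ -e "$card/upgrade/upgrade.sh" ]; then
        chmod 777 "$card/upgrade/upgrade.sh"
        sh "$card/upgrade/upgrade.sh"
    fi
}

# payload_ran CARD_DIR: true if the payload left its evidence file behind.
payload_ran() {
    grep -q '^uid:' "$1/upgrade/ran.txt" 2>/dev/null
}

# Usage: sh sdtest.sh /media/sdcard 192.168.1.50   (then unmount and insert)
if [ "$#" -ge 2 ]; then
    write_payload "$@"
    echo "payload written to $1/upgrade/upgrade.sh"
fi
```

Start a capture on the listener (`tcpdump -ni eth0 icmp and host <camera>`) before inserting the card. ICMP arriving from the camera's address proves the hook ran even if the card comes back empty; if it does come back intact, ran.txt also tells you which user the hook runs as and what /proc/mtd looks like, which is the partition list the dump-carving discussion above needs. No result on either channel is consistent with btsimonh's reading that this hook is not present in the firmware on these cameras.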

@MatteoGheza

Can you check (or post here) the script that check the FS of the sd card?

@metalshreds

I'd be interested in being able to use some of these security cameras in a local capacity bypassing the mipc app potentially using motioneye os or something similar. Are there any requirements of what camera to get to start messing around with one? privacy is my main concern as that MIPC app is too intrusive. Thanks for all the work you've done so far!

@NightDragon1

While this project's focus is to hack, gain access to and overrule the mipc cams, I just want to mention I found an almost low-budget cam with no cloud compulsion (while it does have the features, you can simply not use them): Reolink E1 Pro.
It does support RTSP and so on... very handy for most things. I also blocked the IPs in my router from being able to access the Internet - just in case.

Note: Regarding Wi-Fi password length/complexity and SSID: the web page and also the smartphone apps say they don't support passwords longer than 127 chars. It also says it doesn't support special chars. But I can tell you that by using the desktop app and entering the access data (and just ignoring the failed/warning messages after you applied the settings), it does work.

@MatteoGheza

MatteoGheza commented Dec 29, 2020

USD 140.77?! (€114.99 in Europe).
Note: the 3MP hd version (https://www.amazon.de/-/en/Swivelling-Surveillance-Detection-Compatible-Assistant/dp/B08627T218/) is cheaper (USD 48.96 or €39.99)

@MatteoGheza

Can you check (or post here) the script that check the FS of the sd card?

Any update on this?

@metalshreds

While this project's focus is to hack, gain access to and overrule the mipc cams, I just want to mention I found an almost low-budget cam with no cloud compulsion (while it does have the features, you can simply not use them): Reolink E1 Pro.
It does support RTSP and so on... very handy for most things. I also blocked the IPs in my router from being able to access the Internet - just in case.

Perfect, that's exactly what I want! I wish there were more local-only webcams; I've spent too much time looking for one. Thanks!

@Teku16

Teku16 commented Jul 28, 2021

Has anyone tried the SD card exploit yet? I have several of these cams and am kinda tired of them not being on my home assistant, also of them sending my feed to who-knows-where. Do the smarter people here know if this is a similar camera, and if anything discussed above might work? I have no idea how to debug serial from this thing, but could figure it out if directed. Thanks

@tylerobara

Has anyone tried the SD card exploit yet? I have several of these cams and am kinda tired of them not being on my home assistant, also of them sending my feed to who-knows-where. Do the smarter people here know if this is a similar camera, and if anything discussed above might work? I have no idea how to debug serial from this thing, but could figure it out if directed. Thanks

I never got around to it but I might have time this weekend. I did get these cameras loaded into TinyCam pro and from there into HA. Not pretty but works. And TinyCam can do the pan/tilt "ok".

@Teku16

Teku16 commented Jul 28, 2021

Has anyone tried the SD card exploit yet? I have several of these cams and am kinda tired of them not being on my home assistant, also of them sending my feed to who-knows-where. Do the smarter people here know if this is a similar camera, and if anything discussed above might work? I have no idea how to debug serial from this thing, but could figure it out if directed. Thanks

I never got around to it but I might have time this weekend. I did get these cameras loaded into TinyCam pro and from there into HA. Not pretty but works. And TinyCam can do the pan/tilt "ok".

My camera(s) is not pan/tilt, and I would try the tinycam route but have no android devices. My cameras are running v5.3.3.2008151009 it looks like

@Doomsdayrs

You have a model called f006. Not sure if it works for you. Can you open the cam and provide a pic of the PCB?

https://send.firefox.com/download/0a904a40a2d983b6/#jnHtnepephZ7HhUSse-6HA Sorry for the quality.

If you still have the image, please embed it directly here instead.
