I am root! – IP camera shell access

[Shawn] emailed us some pictures and a description of his latest hack. He cracked open a Rosewill RXS-3211 IP Camera because the output of the web interface made him certain that it was running Linux and he wanted to unlock some more potential from the device. These cameras are used for security, and offer a browser-based interface via a WiFi connection. After studying the circuit board he started poking around an unpopulated set of four pads and managed to get a serial connection up and running. The device’s serial terminal operates at 115200 baud using eight data bits, one stop bit, and even parity.

He wonder where to go from here and we have a few ideas. You can see in the terminal readout above that it announces when motion is detected. We think this motion detection would be quite useful with a small rover while adding live video broadcasting at the same time. An embedded Linux system should be able to interface with the device and we think that a bit of creative coding would open up the WiFi connection for other use as well. Not bad for a module that can be had for as little as $29. We’ve included all the images [Shawn] sent us after the break and we’d love to hear your thoughts on what you’d use this for in the comments.

Comments

  1. Rogan Dawes says:

    Next step is to reverse engineer the firmware to see if you can build your own custom firmware for the device. With any luck, it is using standard Linux drivers for things like the wifi and the camera, and you can use it as the controller for the rover, with your own vision application running on it.

    He doesn’t give any details about the amount of flash or RAM, or the actual devices making up the board, so that is probably one of the first things to do, before reversing the firmware.

  2. Rogan Dawes says:

    Don’t forget this, though:

    http://secunia.com/advisories/44721

  3. dancinbojangles says:

    Autonomous stray cat repellent water gun system.

    Automatic shaming system for office fridge-raiders.

  4. QW says:

    Could be used to create a serial to shh bridge for connecting retro computer to the net.

  5. Rogan Dawes says:

    And finally, another guy also hacking around with these devices: http://spareclockcycles.org/2011/05/23/exploiting-an-ip-camera-control-protocol/

    Last post from me, I promise.

  6. plaes says:

    This also smells like a case for gpl-violations.org :S

  7. IceBrain says:

    @plaes: it’s only a violation if you *ask* the company for the sources and they don’t provide them. They don’t need to distribute them with the camera.

  8. fartface says:

    Cool, but using those pieces of junk for security? good grief. Maybe he can hack it more and figure out how to hook a real camera to the mainboard instead of the $1.99 garbage cam on them. they have HORRIBLE light sensitivity and video quality because the camera portion is garbage.

  9. Ivan says:

    If this cam was 30$, it looks like the price suddenly more than doubled.

  10. Rogan Dawes says:

    Ivan, Amazon had 1 left for $29. Looks like someone took it since I last checked, though :-)

  11. ss says:

    @IceBrain: Actually, they are required to do one of the following: a) provide source code with the product, b) provide a written offer to send you the source code, or c) pass on the written offer provided by whoever gave them the software. I couldn’t find any of these on their site (or in the user manual), but maybe they package a CD or written notice with the camera itself.

  12. Shawn says:

    Actually I saw no mention of the providing Source Code on the box, in the manual or on the cd. I thought the same thing about the GPL when I got this. The Linksys WRT54G Routers say right on the packaging it’s Linux based.

  13. bosnyak says:

    The RXS-3211 is not wireless, it is wired ethernet only. I think this makes it a bit less attractive especially at the $60 price point.

  14. Chris says:

    I break into little embedded devices like these all the time. Usually, you need little more than a TTL/3.3V to RS232 serial/level converter and a piezoelectric buzzer. I use a device based on the Prolific PL-2303, as it goes straight from TTL to USB. The buzzer can be used to probe what you think is the serial TX port as you reboot the device. It will make chirping noises as text is sent to the port. Most of the time though, just find 4 pads, and probe with a voltmeter. Ground is usually pretty obvious, then find positive, the 2 that are left are RX and TX. Just connect to them and done. If you don’t get text, swap the lines. Almost everything modern runs at 11500/8/1

    You would be SHOCKED how often little embedded devices run Linux, and sometimes devices you don’t expect it in.
    I have found Linux based firmware in LG xxLG50 series TVs, cable boxes, an Ademco high end alarm system, cheap Chinese DVD players, and several IP phones.

  15. Doktor Jeep says:

    This is some good stuff right here.

  16. asheets says:

    rosewill==good, cheap, hackable stuff that occasionally overheats… . Love the brand.

  17. Mike says:

    Is it a MIPS or ARM based CPU?

  18. Shawn says:

    @bosnyak your right I just noticed he posted that in the article. I got it for $29.99 cheapest IP camera around and from a semi-known brand.

  19. Shawn says:

    @Mike its ARM9 based, it has a Prolific PL1029

  20. Doktor Jeep says:

    If it’s Linux, can Motion be installed on it?

  21. Retroplayer says:

    I have a couple of these:
    http://cgi.ebay.com/Wireless-WiFi-IP-Internet-PTZ-Dual-Audio-Camera-3G-/220755850175?pt=LH_DefaultDomain_0&hash=item336612f3bf

    Not from this seller (don’t remember who I bought them from) and it actually has a labeled serial port on it on the PCB. I also connected it up and found it was run on linux, but I never really thought of what I really wanted to do with it. It has so many features built in already. Maybe change the web interface? I did think about whether it would be possible to use a different compression algorithm (like xvid) since motion JPEG is so freakin large. But I doubt it has the processing power for that. The web interface requires an activex control to be installed so I have not been able to log into it from work or my smartphone (not android or iphone.)
    There also appears to be a JTAG port and possibly a second USB port (1 is used by wifi, the other by the camera….which probably means you could add a USB video converter if you had the linux drivers.) It’s actually a cool little camera. Video quality isn’t too bad and the IR LEDs work pretty well. The two-way audio portion is pretty useless though (too choppy and buzzy to really comprehend.) The trigger in and alarm out is pretty useful as you can use the trigger in to cause the camera to move to a preset location. Ahh, there’s an idea… add more trigger signals for the various resets. I could pretty much monitor my entire lower level that way. Also maybe motion tracking, since it is pan/tilt.

  22. Biomed Bob says:

    anyone know what the minimum distance is for it? My parents have a small bird’s nest underneath their eaves that the parent’s keep coming back to each year, and they’d love to put something like this in so they can watch the nest easily from. Challenge is that it’s less than 4″ straight down from the bottom of the roof to the nest. Coming in from the side is a similar challenge. It’s either something like this or a borescope with a simialr interface if I can find one.

  23. Rick Dean says:

    The feature to add is DLNA support so it can be viewed from a Samsung TV. I run minidlna from my linux server, and it is tiny enough that it might fit on the camera.

  24. Kris says:

    Newegg has these bad boys for $40.

  25. I grabbed one of these from Amazon after seeing this post and documented my experience tearing it apart here: http://blog.synack.me/2011/hacking-the-rosewill-rxs-3211-prolific-pl1029

  26. Justice says:

    @Jeremy Grosser

    Your link is down. I was exceptionally curious in figuring out how one established the serial link. More info?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,295 other followers