WiFi cameras like many other devices these days come equipped with some sort of Linux subsystem. This makes the life of a tinkerer easier and you know what that means. [Tomas C] saw an opportunity to mod his Xiaomi Dafang IP camera which comes configured to work only with proprietary apps and cloud.
The hack involves voiding the warranty by taking the unit apart and installing custom firmware onto it. Photos posted by [Tomas C] show the mainboard powered by an Ingenic T20 which is a popular IP Camera processor featuring some image and video processing sub-cores. Upon successful flashing of the firmware, the IP camera is now capable of a multitude of things such as remote recording and playback which can be configured using the web UI as documented by [Tomas C]
We did a little more digging on the custom firmware and discovered that the original author of the custom firmware, [EliasKotlyar] has done a lot of work on this project. There are loads of images of the teardown of a camera and an excellent set of documentation of how he made the hack. Everything from adding serial headers, getting root access, dumping the firmware and even toolchain links are given on the page. This is extremely handy for a newbie looking to get into the game.
And IP Cameras are not of the only hackable hardware out in the wild. There are other devices that are running Linux based firmware such as the Wifi SD Cards that run OpenWRT. Check out the essential guide to compiling OpenWRT from source if you are looking to get started with your next IP Camera hack.
Thanks for the tip [Orlin82]
Nice!
I’d rather something that completely replaces the original firmware. It sounds like this reverts if you don’t have the SD card in, does it? How much is remaining with the modded firmware?
I didn’t get that impression, as I see there is a file for “firmware_original” on Github.
The article here mentions flashing firmware and modified firmware, doesn’t sound like it’d revert or need an SD card to stick.
Reading the FAQ https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/faq.md it sounds like the original software runs if the SD card is removed and the camera reboots. It does say that it doesn’t connect to anything on the custom firmware.
I’ve been fooling around with pikrellcam for the Raspberry pi, it is well documented and does whatever you fancy. But if you got one of these to begin with, go for it.
I could be wrong, but I got the impression that the first thing you do is replace the bootloader so it’s first boot location is the sdcard. If the sdcard is there, it boots the new firmware off of it. If the scdard is not there, the boot falls through and it boots of the internal memory. I did not get the impression that the stock firmware was being flashed over. Again, I may be wrong. At any rate, it sounds like a cool project.
I wonder how he got the root password. I see he found it but not a description of how. Does anyone know how can this be done?
get access using the init=bin/sh trick in uboot, grab the hash, shove it through johntheripper. this pw is only 8 chars, so no problemo/long wait. ymmv on other devices, obviously.
Download the firmware from the manufacturer, mount it, go to /etc and copy out passwd and shadow (probably shadow), then use Hashcat (or whatever) to decrypt the password. A word of warning though, if you’re trying to do this on your CPU it will take approximately forever. So use your GPU instead, it will be much faster. Then it will only take forever.
An 8 character password took 8 seconds on a Nvidia gpu with #cat last time I tried, should be faster now.
Are there any similar (cheap but complete) cameras which are intentionally more open?
Raspberry Pi is great but you have to buy several parts, and the case is the big question. There are a ton of cheap outdoor wifi cameras on ebay, but none really target the “open” market.
Probably none. All those cameras/DVRs, especially the cheap Chinese ones, contain video encoders which probably infringe some patents (almost certainly the GNU license since they all use Linux plus proprietary modifications), let alone their strange tendency to phone home, so producers have no intention to open the platform or publish source codes. It would be nice to reverse engineer some of those cheap 4/8 channel DVRs as they all contain fast ADCs for video, GPIO lines for alarms, ethernet, USB and SATA, which would make them interesting for hacking. They can be found new at a price comparable to a Raspberry PI or similar SBC, or a lot cheaper used.
A couple examples:
https://www.ebay.com/itm/323070967664
https://www.ebay.com/itm/272851753323
You can find the SDK and quite some technical details on Chinese forums. Enough to build your own application firmware to run on it. But the hardware is quite special purpose… The ADCs are fast, but have an integrated video decoder, so they output already digital video and not just the samples. The video receiver peripheral inside the CPU is tightly coupled to a video encoder and display engine so you can’t really make anything else than a DVR.
Some of these chips may be interesting as a cheap CPU (2-10$) capable of running linux. Quite some come in TQFP package. The Allwinner V3s seems very well suites for that, it has integrated DRAM. The Hisilicon Hi3520 is also a nice option in TQFP but needs external RAM.
Unless I’m missing something, modding this does NOT require taking the camera apart at all, just putting an SD card with the appropriate firmware, etc. on it and following some directions.
I ended up getting a power brick for christmas with a sd card reader, wifi, RJ45 jack, 2 usb and of course the battery.
It was $15 CAN dollars at of course Canadian Tier. I really believe there is a nice little computer inside to hack.
Great little device. I cant wait to get in side of it. It is very well built. A little to much. It is in a plastic case but really well built.
Tried once to open it, but to much plastic to do a quick peak in side. At the time I tried to find any info I could on it with no luck.
The name of the device is Gigastone. I did find there web site and emailed them but they never replied back.
I see a number of devices on the Gigastone website, not sure which one you mean.
Thank you very much.
I guess it was there new A7.
It was not there in Dec and Jan.
And now it is. with some info.
It would of been nice to get a reply of some sort though.
I think tomorrow is surgery day for the little bugger and we will find out what is under the hood.]
Thanks again for getting me to look again.
Sorry it was the A4..
Post details of the teardown somewhere, I’d be quite interested to see details, like CPU, RAM, flash, etc. I see there have been some teardowns of a previous iteration (A2) posted, but found nothing of this one.
Does it have an fcc-id number on it? They have teardown pictures if it does.
Nice hack. The Sricam Sp007 is a $35 720p IP camera that already has remote recording and playback functions tho. Much better quality waterproof housing too, judging by the pictures. So I wouldn’t want to go through all this trouble for if it’s about getting the functionality.
Ya but how do you keep a Sricam from phoning home and sending you vid stream outside your home?
Fair point. I have never considered the security risks, since I only use them for outside surveillance. However I can imagine that you don’t want a poorly secured (the camera does use a unique ID and a 8 character password) live feed from inside your home going who knows where.
You can assign a fixed IP via the camera’s software, then block off outside RTSP and uPnP access. Then use a camera manager to setup a secure connection. Synology Surveillance Station is one I found recommended. I have not tried this myself yet. I might tho. I’m curious now to how easily I can get in the feed and how the camera performs when I shield it from direct connection.
Also this is 1080p compared to Sricam 720p… It’s definitely an interesting option!
My favorite thing to do with webcams is to remove the IR filter and take a bit off the end of the lens thread so you can use it for really close up macro things. It’s usually enough to zoom in to see amoeba and be able to see the tip of a soldering iron glow.
That sounds incredibly cheap and fun. I’d be interested in reading a writeup about it.
It sounds simple as you describe it, but I’d like to have someone else who’s done it first share the practical details, just so I don’t end up with a broken camera.
I just happened to be in need of some cheap IP camera’s so i bought 2 of these and applied the hack to each cam in about 5 minutes.
Really simple instructions and some great hacking by EliasKotlyar, Thanks :)
Zoneminder could only connect using FFMPEG instead of “remote” and there’s no PTZ available that i could find other than accessing the cam’s awesome HTTP pages.
are you using the motor controls at all, i ordered one as well for my livestream
allowing some viewers 5 mins of camera time might be a giggle for them
Do you know if there is some custom firmware also for Victure PC 530 camera?
Error
410
This account is under investigation or was found in violation of the Medium Rules.
Anyone have an alternate link?
Hello, is there a way to contact You about this? I recently got one of these Generic H264 / 265 Encoders which seems to be based on same/similar hardware, and I am wondering if I can do some tinkering here to add some needed features. Thanks