Customising A $30 IP Camera For Fun

WiFi cameras like many other devices these days come equipped with some sort of Linux subsystem. This makes the life of a tinkerer easier and you know what that means. [Tomas C] saw an opportunity to mod his Xiaomi Dafang IP camera which comes configured to work only with proprietary apps and cloud.

The hack involves voiding the warranty by taking the unit apart and installing custom firmware onto it. Photos posted by [Tomas C] show the mainboard powered by an Ingenic T20 which is a popular IP Camera processor featuring some image and video processing sub-cores. Upon successful flashing of the firmware, the IP camera is now capable of a multitude of things such as remote recording and playback which can be configured using the web UI as documented by [Tomas C]

We did a little more digging on the custom firmware and discovered that the original author of the custom firmware, [EliasKotlyar] has done a lot of work on this project. There are loads of images of the teardown of a camera and an excellent set of documentation of how he made the hack. Everything from adding serial headers, getting root access, dumping the firmware and even toolchain links are given on the page. This is extremely handy for a newbie looking to get into the game.

And IP Cameras are not of the only hackable hardware out in the wild. There are other devices that are running Linux based firmware such as the Wifi SD Cards that run OpenWRT. Check out the essential guide to compiling OpenWRT from source if you are looking to get started with your next IP Camera hack.

Thanks for the tip [Orlin82]

32 thoughts on “Customising A $30 IP Camera For Fun

  1. I’d rather something that completely replaces the original firmware. It sounds like this reverts if you don’t have the SD card in, does it? How much is remaining with the modded firmware?

    1. I’ve been fooling around with pikrellcam for the Raspberry pi, it is well documented and does whatever you fancy. But if you got one of these to begin with, go for it.

    2. I could be wrong, but I got the impression that the first thing you do is replace the bootloader so it’s first boot location is the sdcard. If the sdcard is there, it boots the new firmware off of it. If the scdard is not there, the boot falls through and it boots of the internal memory. I did not get the impression that the stock firmware was being flashed over. Again, I may be wrong. At any rate, it sounds like a cool project.

    1. get access using the init=bin/sh trick in uboot, grab the hash, shove it through johntheripper. this pw is only 8 chars, so no problemo/long wait. ymmv on other devices, obviously.

    2. Download the firmware from the manufacturer, mount it, go to /etc and copy out passwd and shadow (probably shadow), then use Hashcat (or whatever) to decrypt the password. A word of warning though, if you’re trying to do this on your CPU it will take approximately forever. So use your GPU instead, it will be much faster. Then it will only take forever.

  2. Are there any similar (cheap but complete) cameras which are intentionally more open?

    Raspberry Pi is great but you have to buy several parts, and the case is the big question. There are a ton of cheap outdoor wifi cameras on ebay, but none really target the “open” market.

    1. Probably none. All those cameras/DVRs, especially the cheap Chinese ones, contain video encoders which probably infringe some patents (almost certainly the GNU license since they all use Linux plus proprietary modifications), let alone their strange tendency to phone home, so producers have no intention to open the platform or publish source codes. It would be nice to reverse engineer some of those cheap 4/8 channel DVRs as they all contain fast ADCs for video, GPIO lines for alarms, ethernet, USB and SATA, which would make them interesting for hacking. They can be found new at a price comparable to a Raspberry PI or similar SBC, or a lot cheaper used.
      A couple examples:
      https://www.ebay.com/itm/323070967664
      https://www.ebay.com/itm/272851753323

      1. You can find the SDK and quite some technical details on Chinese forums. Enough to build your own application firmware to run on it. But the hardware is quite special purpose… The ADCs are fast, but have an integrated video decoder, so they output already digital video and not just the samples. The video receiver peripheral inside the CPU is tightly coupled to a video encoder and display engine so you can’t really make anything else than a DVR.

        Some of these chips may be interesting as a cheap CPU (2-10$) capable of running linux. Quite some come in TQFP package. The Allwinner V3s seems very well suites for that, it has integrated DRAM. The Hisilicon Hi3520 is also a nice option in TQFP but needs external RAM.

  3. Unless I’m missing something, modding this does NOT require taking the camera apart at all, just putting an SD card with the appropriate firmware, etc. on it and following some directions.

  4. I ended up getting a power brick for christmas with a sd card reader, wifi, RJ45 jack, 2 usb and of course the battery.
    It was $15 CAN dollars at of course Canadian Tier. I really believe there is a nice little computer inside to hack.
    Great little device. I cant wait to get in side of it. It is very well built. A little to much. It is in a plastic case but really well built.
    Tried once to open it, but to much plastic to do a quick peak in side. At the time I tried to find any info I could on it with no luck.
    The name of the device is Gigastone. I did find there web site and emailed them but they never replied back.

      1. Thank you very much.
        I guess it was there new A7.
        It was not there in Dec and Jan.
        And now it is. with some info.
        It would of been nice to get a reply of some sort though.
        I think tomorrow is surgery day for the little bugger and we will find out what is under the hood.]

        Thanks again for getting me to look again.

        1. Post details of the teardown somewhere, I’d be quite interested to see details, like CPU, RAM, flash, etc. I see there have been some teardowns of a previous iteration (A2) posted, but found nothing of this one.

  5. Nice hack. The Sricam Sp007 is a $35 720p IP camera that already has remote recording and playback functions tho. Much better quality waterproof housing too, judging by the pictures. So I wouldn’t want to go through all this trouble for if it’s about getting the functionality.

      1. Fair point. I have never considered the security risks, since I only use them for outside surveillance. However I can imagine that you don’t want a poorly secured (the camera does use a unique ID and a 8 character password) live feed from inside your home going who knows where.

        You can assign a fixed IP via the camera’s software, then block off outside RTSP and uPnP access. Then use a camera manager to setup a secure connection. Synology Surveillance Station is one I found recommended. I have not tried this myself yet. I might tho. I’m curious now to how easily I can get in the feed and how the camera performs when I shield it from direct connection.

  6. My favorite thing to do with webcams is to remove the IR filter and take a bit off the end of the lens thread so you can use it for really close up macro things. It’s usually enough to zoom in to see amoeba and be able to see the tip of a soldering iron glow.

    1. That sounds incredibly cheap and fun. I’d be interested in reading a writeup about it.

      It sounds simple as you describe it, but I’d like to have someone else who’s done it first share the practical details, just so I don’t end up with a broken camera.

  7. I just happened to be in need of some cheap IP camera’s so i bought 2 of these and applied the hack to each cam in about 5 minutes.
    Really simple instructions and some great hacking by EliasKotlyar, Thanks :)
    Zoneminder could only connect using FFMPEG instead of “remote” and there’s no PTZ available that i could find other than accessing the cam’s awesome HTTP pages.

  8. Hello, is there a way to contact You about this? I recently got one of these Generic H264 / 265 Encoders which seems to be based on same/similar hardware, and I am wondering if I can do some tinkering here to add some needed features. Thanks

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.