Getting Root On A Chinese IP Camera

With so many cheap network-connected devices out there being Linux-powered, it’s very tempting to try and hack into them, usually via a serial interface. This was the goal of [Andrzej Szombierski] when he purchased a cheap Chinese IP camera using an XM530 ARM-based SoC to explore and ultimately get root access on. This camera’s firmware provides the usual web interface on its network side, but it also has a UART on its PCB, courtesy of the unpopulated four-pin header.

Merely firing up a serial terminal application and connecting to this UART is not enough to get access, of course. The first obstacle that [Andrzej] struggled with was that U-Boot was configured to not output Linux kernel boot messages. After tackling that issue with some creative hacking, the next challenge was to figure out the root password, using a dump of the firmware image, which led to even more exploration of the firmware and the encoding used for the root password.

Even if some part of these challenges were possibly more accidental than on purpose by the manufacturer, it shows how these SoC-based Linux devices can put up quite a fight. This then leaves the next question, of what to do with such an IP camera after you have gained root access?

65 thoughts on “Getting Root On A Chinese IP Camera

  1. > This then leaves the next question, of what to do with such an IP camera after you have gained root access?

    Well, for one: cut out the middle man, so that your stream is finally only accessible by yourself?

      1. Some of the cheap IP cameras I have would reboot after a few failed tries of connecting back to thier servers in China. So after figuring out the hidden SDcard autorun scripts I killed that “feature” so the camera would not reboot every 60 seconds.

      1. I really wish someone (either the openIPC maintainers or someone else) would at least try to create a list of cameras and the SOCs they use The whole “you have to buy a camera, open it up, and look up the chip numbers” approach is really off-putting in just trying to find some hardware to explore openIPC.

        Hopefully there are enough curious people to help work on such a DB, especially in light of the current Eufy video doorbell scandal.

          1. I recall wireless routers with the ‘same’ model number being built with different SoCs and different flash sizes and yet they were able to maintain a supported device list. Perhaps there are lessons there OpenIPC could draw on.

            At the very least, it seems that there should be something possible involving FCC IDs for devices that have those to at least provide a starting point.

          1. Really? Is that still acceptable practice? I don’t know about other industry sectors, but in the food manufacturing sectors full bidirectional traceability along the supply chain is a near ubiquitous requirement (at least for anything that goes into commerce here in the US). We run two trace exercises annually (a forward and a backward trace) along with a mock recall, internal auditing, as well as third party auditing. Every revision to formulation (which I believe would be the equivalent of an “assembly” for the tech industries) is also tracked for traceability purposes, as for us it is of great importance that batches correspond with the correct packaging — or more specifically, their labeling — when changes that impact declarations are effected. Of course, the nature of food inevitably has direct implications upon the health of the end consumers, the general public, so it’s only obvious that the regulatory prescriptions that accompany the industry will accordingly be more thorough compared to others, but I’ve always been curious just how varied the requirements on traceability is for the other sectors?

        1. The FCC has teardowns and internal pictures of (theoretically) all electronic devices sold in the USA. Part of the EMF emissions/EMP resistance certification process.

          Don’t recall the exact web address. It’s a very useful resource for hackers.

    1. If you can do this then you can tell us if there was actually a backdoor Ruth hikvision CCTV/ Huawei routers or if it’s just the US trying to catch up with manufacturing and using dirty tactics to do so

      1. Your assumption that backdoors would be limited Hikvision systems is wrong, not the assumption about backdoors at all. Pretty much all these systems have service passwords, service accounts, or whatever else you’d like to call it. I can guarantee you the latter first hand also for premium vendors, or even more so: especially so.

        The more expensive the device or the more costly to physically reach for a technician, the higher the chance that a backdoor has been established which is used both for regular diagnosis, as well as manually resetting forgotten credentials. A reset button for such purpose isn’t viable in public spaces, and a hardware swap isn’t either.

        Surprisingly enough, IP cameras which stream to a cloud service and only from there to an end point client are usually more secure. (I’m not talking VPN but full termination of RTSP access, let alone ONVIF, the web interface or the usual proprietary protocol.) You do not even want to know how vulnerable or unprotected the local interfaces usually are. Respectively what the devices can be configured to do on a regular basis.

      1. Case and point “Tik-Tok” . Which coincidentally is the same sound as a time bomb. Clever how they have brainwashed all the smooth brains in the U.S.A. to trust this program. I can’t talk much as I have 4 Chinese PTZ cameras outside my house. 3 different brands. 3 different apps. It has crossed my mind they have back doors but its pretty boring at my house. Unless they like watching my 15 cats.

  2. The obvious first step: record what Chinese addresses the camera tries to connect to via Wireshark, then modify all those addresses to point to 127.0.0.1 instead in the firmware.

      1. Ditto. Pihole’s logs is how I confirmed my cheapnese cameras were calling home continuosly. I want to believe that’s for their control app, but better safe than sorry to have my underwear ass recorded raiding my fridge. Downside: no PTZ control (yet) without the manufacturer’s app.

      1. I would trust nothing made in China. I bought my nephew a party mask for Halloween. Using an app on your phone you can have it scroll messages or emojis. I decided to try it out first. The app wanted permissions for my camera, contact list, phone, wifi and files ! Just to make messages scroll across the mask ! If I denied any of these permissions the app wouldn’t install. In googling about this I found a hacker had discovered that the app had an internal link directed to a website in China. There were some unsubstantiated reports of weird text messages and phone calls. I filed a complaint with Amazon and they refunded my money and told me to pitch it and they would investigate my claim. I posted several warnings but Amazonia kept selling it. China is quietly launching it’s first strikes.

        1. > China is quietly launching it’s first strikes.
          And TikTok-blinded youth are their unknowing spies. At least Google warns “we are going to take note of what you search and wath you buy to tailor our ads”

  3. Story time

    I work for a Alarm company and we had a guy from Hikvision come in and show off the product. He went into detail on why each product has a silver sticker on the box flap and so on. He said you should only buy from an authorized dealer resale and do not try and use products from eBay or Amazon. He said it’s an older cheaper overseas model with modified firmware for not so much to spy on the user but use the users internet connection. Basically a zombie system so a hacker could use it to preform a DDoS attack or a node for a Tor connection. Well for giggles I bought a Hikvision DVR from eBay for 30 bucks. Didn’t have the silver sticker on the box, was indeed an overseas model and I compared the stock firmware with the firmware on the device. Sure enough the one I bought was intended to be part of a Tor node.

    This “Hack” has been around forever. Same “Hack” can be done on almost any embedded system if you’re smart enough.

    Also what is the point to root an IP Camera? It’s still gonna phone home unless you plan to use a 3rd party firmware. If you’re scared of a company spying on you then get a NDAA compliant camera system.

    1. NDAA compliance is very loose, it’s not from Huawei&Co but still wide open to other Chinese supply chain attacks.

      If you’re scared of spying, pull out your wallet and buy from the CSfC list.

    2. Ok, If you’re so curious. My point was to simply explore. The “security” part I’ve solved in a different way – the camera lives on an isolated network, so I can connect to its rtsp stream, but the camera can’t phone home.

      But for a more practical result of rooting, I was also able to tweak the firmware to block all outgoing connections except for one outgoing ssh tunnel – this way I was able to install it in an “unrestricted” network and still be able to access it remotely while preventing the original software from phoning home. This was an extremely quick-and-dirty hack so I don’t have any writeup, sorry :(

      1. Don’t be sorry. I think many of us here are thankful for your exploration of even this one IP camera, and it will motivate some to double-check that their cameras aren’t phoning home.

        FWIW, I picked up three Dahua (FLIR branded!) IP cameras a few years ago for next to nothing at a retail store. I’ve done the same as others, by only ever letting them be connected to their own VLAN, with no Internet access; there’s a ZoneMinder server and VPN handling remote access and streaming. But I’ve wanted to try hacking into their firmware since I bought them, so I’ll be opening one up over the holidays, and use your experience as a guide.

  4. One thing you may want to do with any of your “smart” devices is to put them on an isolated network segment, along with a scope and see how many times it tries to communicate outside of your network. When I did it with some plugs and a light I found they were contacting another country daily. It was at that point I decided I would just buy micro controllers and make my own instead.

  5. Great geek. When somebody needs to figure out is how to make the cheap damn cameras that you can get off of Amazon or eBay. Be modified to work off of say Google home or a independent output software video viewer. Currently we have umpteen gazillion cameras available and each of them have their own proprietary software that you have to view. I’m no expert but shouldn’t there be a simple? Video format that is required of cameras so that Google home Amazon Alexa independence video software viewer. So that the proprietary software from the camera manufacturer doesn’t have to be put on to the damn phone or tablet or computer for security/ watching the camera. Getting rude is super cool. Geeky neat keen. But is about as worthless as the $40 camera you buy off of Amazon or eBay for ease and use of monitoring

    1. ONVIF is supposed to be a standard for IP cameras. This camera sort-of supports it, at least the basic video stream is exposed. Of course you won’t be able to access the advanced settings such as person detection or alerts.

      The actual video stream is usually available via rtsp, so if you’re lucky you can manually configure the URL on the receiver.

      1. That was true for older cameras. I played with more recent models and found (at least a few of) them to be bricks out of the box until they’re hooked into an Android software.

        They do look like they’re just as poorly done with boatloads of ways to attack them onboard. Hopefully I’ll have time to tear at the stack of devices soon.

  6. “…it shows how these SoC-based Linux devices can put up quite a fight. This then leaves the next question, of what to do with such an IP camera after you have gained root access?”

    Just let it be – perpetually pointed at a picture of the adorable Pooh Bear!

  7. I actually got a baby monitor that uses a webcam with this exact chipset.

    I was able to dump the firmware of the camera with this exact method, so that helped me.
    How this baby monitor works is quite interesting:
    The camera looks for a specific (read: hard-coded) wireless SSID and attempts to connect to it.
    The “monitor”-part (which seems to have the same SoC) creates that SSID and, after the camera is connected, accesses the video feed.
    The monitor has controls to listen to the audio the camera picks up and also has buttons to play a melody on the camera (or transmit voice). Just like an intercom :D

    Unfortunately, I was not able to dump the firmware of the “monitor”, because it resets after a short time for some reason. Maybe I could try to directly dump the flash then.

  8. Anybody knows Bascom cameras/DVR? Seems to be an OEM brand of devices manufactured by Zhuhai Raysharp Technology Co.,Ltd (China) since MAC addresses start with 00:23:63. Works quite poorly, and no FW update since 2018/2020 for any device. Poor Windows/Mac client app, accessing devices remotely through a private P2P system (VVSeeP2P ? And probaly others, since it seems that various P2P protocols are used for different devices), and communicating with servers in Europe (bascom-cameras.com domain) but also China (anlian.co domain). Also a list of a dozen of IP addresses found in exe. Haven’t found any disclosed vulnerabilities, but quite sure there must be some…

  9. Each time researchers checked Chinese stuff for spying it turned out that in cases where spying was done it was done with and for US companies.
    For example on Huawei phones the big spying was done by the keyboard which was supplied by Microsoft and was transmitting a ton of stuff to Microsoft servers.
    You can still blame the Chinese companies for taking the money from those assholes of course. but I’d worry more about the data going to the US than to China.

    Yeah yeah, I know, this post will very likely be destroyed on this ‘Twitter v2.0’ comment system..

    1. Microsoft is evil and would prefer to operate over it’s user as does China over it’s people. Windows 11 has eliminated conventional boot up from what I read. It’s windows 11 or nothing.

      Twitter 2.0 must be the comment moderation The Washington Post uses too. Only far left comments allowed.

  10. I have a client that has requested a camera to be setup in a van (a councillor service that travels to different schools). They need camera footage sent to a PC/NVR/NAS on their network while it’s within wifi range (when the van is parked at its base school)

    My idea was to find a camera that runs an FTP or SMB server, so that a PC can poll the camera and access the SD card to transfer video files over the network while in range
    I thought this would be simple enough, but I’ve not been able to find a camera to do this yet
    Sure, you could use another device in tandem with any old camera, but I’d really like to stick to a single device, keep it simple and keep power consumption at a minimum
    There’s a plan to have more of these vans, so an elegant solution that could be done right the 1st time and easily replicated is the aim
    I’m not much of a software hacker, so I need help! 🥺

  11. Hi, can anybody help me with: how to gain root access or simply configure firmware/cloud url, so I can directly connect to IP Camera remotely via any Cloud.

    We are building a Cloud Application for viewing IP Cameras remotely. Currently, we are focusing on XM530 line of cameras, specifically: R80X20-PQL – it is onvif compatible, has PTZ controls, motion detection, 2-way communication.

    Problem: While the cloud id allows us to view the camera remotely, it only works on company apps like: Icsee, XMeye. Other means of getting remote view and functions are not feasible – Static IP (too expensive here), DDNS (ISP settings make it really difficult)

    What we want to do: We want to provide manual monitoring of IP Cameras as a means to deter theft. For this, we are building our own app (desktop/web-app) for connecting hundred(s) of IP Cameras to the Cloud. We will also be developing AI features to detect and automate certain things. But we are unable to connect to the camera remotely. Cloud ID is something that works on Company Apps but we don’t know how to add it on our system (no idea about what cloud/url /protocol its operating on)

    Any help will be deeply appreciated.

    Regards,
    Shubham
    info @ thefinan sol . com

Leave a Reply to NoneCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.