Recently, [Richard Audette] bought an Akaso EK7000 action camera for his daughter’s no-smartphones-allowed summer camp, which meant that after his daughter returned from said camp, he was free to tinker with this new toy. Although he was not interested in peeling open the camera to ogle its innards, [Richard] was very much into using the WiFi-based remote control without being forced into using the ‘Akaso Go’ smartphone app. To do this, he had to figure out the details of what the Android app does so that it could be replicated. He provided a fake camera WiFi hotspot for the app in order to learn its secrets.

Normally, the camera creates a WiFi hotspot with a specific SSID (iCam-AKASO_C_1e96) and password (1234567890) which the Android app connects to before contacting the camera’s IP address at 192.72.1.1. The app then shows a live view and allows you to copy over snapshots and videos. Initially, [Richard] tried to decompile the Android app using JADX, but the decompiled code contained so many URLs that it was hard to make heads or tails of it. In addition, the app supports many different Akaso camera models, making it harder to focus on the part for this particular camera.

No worries! A Raspberry Pi SBC provided a fake camera WiFi hotspot. A simple application records HTTP requests from the app and provides responses. This was easier than setting up a man-in-the-middle attack, although — since the traffic isn’t encrypted — this was a possibility.

Ultimately, this allowed [Richard] to determine the relevant URLs to retrieve photos and videos, while the RTSP live stream URL was discovered from the decompiled Akasa Go app. Using the fake WiFi camera setup, the parameters to set the stream resolution and FPS were then determined, giving [Richard] full remote control over the camera without the need to use the mobile app.

We’ve seen a lot of camera WiFi reverse engineering. WiFi hotspots are handy for hacking. They also are handy in hotel rooms.