Reverse Engineering The Web API Of An Akaso EK7000 Action Camera

Recently, [Richard Audette] bought an Akaso EK7000 action camera for his daughter’s no-smartphones-allowed summer camp, which meant that after his daughter returned from said camp, he was free to tinker with this new toy. Although he was not interested in peeling open the camera to ogle its innards, [Richard] was very much into using the WiFi-based remote control without being forced into using the ‘Akaso Go’ smartphone app. To do this, he had to figure out the details of what the Android app does so that it could be replicated. He provided a fake camera WiFi hotspot for the app in order to learn its secrets.

Normally, the camera creates a WiFi hotspot with a specific SSID (iCam-AKASO_C_1e96) and password (1234567890) which the Android app connects to before contacting the camera’s IP address at 192.72.1.1. The app then shows a live view and allows you to copy over snapshots and videos. Initially, [Richard] tried to decompile the Android app using JADX, but the decompiled code contained so many URLs that it was hard to make heads or tails of it. In addition, the app supports many different Akaso camera models, making it harder to focus on the part for this particular camera.

No worries! A Raspberry Pi SBC provided a fake camera WiFi hotspot. A simple application records HTTP requests from the app and provides responses. This was easier than setting up a man-in-the-middle attack, although — since the traffic isn’t encrypted — this was a possibility.

Ultimately, this allowed [Richard] to determine the relevant URLs to retrieve photos and videos, while the RTSP live stream URL was discovered from the decompiled Akasa Go app. Using the fake WiFi camera setup, the parameters to set the stream resolution and FPS were then determined, giving [Richard] full remote control over the camera without the need to use the mobile app.

We’ve seen a lot of camera WiFi reverse engineering. WiFi hotspots are handy for hacking. They also are handy in hotel rooms.

2 thoughts on “Reverse Engineering The Web API Of An Akaso EK7000 Action Camera

  1. FYI these are not all the same FW but this one seems fairly easy to hack so far, I’ve figured out there is an open httpd at 192.168.10.1:8082 just fiddling with PCAPdroid for a few minutes

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.