Hacking An IP Camera To Run Your Own Software

Ah, generic unbranded IP cameras. Safe, secure? Probably not. [Alex] has been hacking around with one of his very own, and he’s recently busted the thing wide open.

Determining that the camera had a software update function built in, [Alex] saw an opening for hijinks. The first issue was that the camera only accepts encrypted update packages, which complicates things somewhat. However, through some smart reverse engineering, the format of the updates and their encryption method became obvious to [Alex]. Oh, and partly because there was a GitHub repository online featuring the source code used by the manufacturer to encrypt their updates. That definitely helped. It also led [Alex] to suspect the manufacturer may not have properly respected the open source license of some of the routines involved.

In the demo of the exploit, [Alex] has the camera reach out to www.pudim.com.br instead of the servers of the original manufacturer. That’s a pretty clear way to show that the camera has been owned.

We first featured [Alex]’s work in this space all the way back in 2019. It’s come a long way since then!

Continue reading “Hacking An IP Camera To Run Your Own Software”

Hands-On With PineCube: An Open IP Camera Begging For Better Kernel Support

When the PineCube was announced by the Pine64 project in 2020, it created a fair bit of interest. Most of this was due to the appeal of a single-board computer (SBC) in a network-based (IP) camera form factor with integrated camera module, for a mere $29.99. Add an enclosure to it, and you would have a neat little package combining a 5 MP camera module with 100 Mbit Ethernet and WiFi. As a bonus, the system could be powered either via an optional battery pack as well as passive PoE, in addition to MicroUSB.

A few weeks ago I bought two of these boards, as part of a client project, and set out to use it for a custom IP camera implementation. With existing Linux-on-SBC and MIPI (CSI) camera experience on my end ranging from the Raspberry Pi to the Odroid, Orange Pi and Banana Pi boards, I felt fairly confident that I could make it work with minimal fuss.

Unfortunately, my experiences were anything but positive. After spending many hours with the PineCube, I’m not able to recommend it for those seeking an IP camera. There are many reasons for this, which I’ll try to explain in this article.

Continue reading “Hands-On With PineCube: An Open IP Camera Begging For Better Kernel Support”

Reverse Engineering A Modern IP Camera

Security cameras used to be analog devices feeding back into a room full of tiny screens and commercial grade VCRs. As technology moved forward, IP cameras began to proliferate. Early models simply presented a video stream and configuration page to the local network. Modern models aimed at the home market differ however. More often than not, configuration is through a strange smartphone app, and video is accessed through third-party servers. It’s all a bit oblique, and so [Alex] decided to take a look under the hood. 

The exploration begins externally, with [Alex] capturing data sent to and from the camera with Wireshark. Straight away, red flags are raised. For as yet unknown reasons, the camera attempts to resolve Google, Facebook and Alibaba servers over DNS. Disassembly then follows, revealing that a serial terminal with root access is available. [Alex] uses this to probe around, uncovering the firmware update script and a way to decrypt said updates.

The work thus is a great example of how to approach hacking a given device from first principles. The overall goal is to find a way to gain complete control over the camera, reprogramming it to serve up video as [Alex] wishes, rather than to a distant third party server. It’s not the first time we’ve seen an IP camera hacked, and we doubt it will be the last. If you’ve got one cracked, be sure to let us know.

Easy Time-lapse Video Via Phone And Command Line

A good time-lapse video can be useful visual documentation, and since [Tommy]’s phone is the best camera he owns he created two simple shell scripts to grab time-lapse images and assemble them into a video. [Tommy]’s work is just the glue between two other things: an app that turns the phone into an IP camera with a web server on the local network, and the ability to grab a still image from that server on demand.

The app he uses for his iPhone normally serves video but has an undocumented feature that allows single frames to be downloaded by adding ‘/photo’ to the end of the URL, but the ability to get a still image is a common feature on IP camera apps for smartphones. His capture script (GitHub repository here) should therefore need only minor changes to work with just about any IP camera app.

Perching a phone over a workspace and using it to create a time-lapse with a couple of shell scripts is a great example of combining simple tools to get better functionality. It could be a good way to get additional use out of an older smartphone, too. Heck, even older dumbphones can still get some use out of them; Shmoocon 2017 brought us details on rolling your own 1G network.

Yet Another IoT Botnet

[TrendMicro] are reporting that yet another IoT botnet is emerging. This new botnet had been dubbed Persirai and targets IP cameras. Most of the victims don’t even realize their camera has access to the Internet 24/7 in the first place.

Trend Micro, have found 1,000 IP cameras of different models that have been exploited by Persirai so far. There are at least another 120,000 IP cameras that the botnet could attack using the same method. The problem starts with the IP cameras exposing themselves by default on TCP Port 81 as a web server — never a great idea.

Most IP cameras use Universal Plug and Play, which allows them to open ports from inside the router and start a web server without much in the way of security checks. This paints a giant target in cyber space complete with signs asking to be exploited. After logging into a vulnerable device the attacker can perform a command injection attack which in turn points gets the camera to download further malware.

The exploit runs in memory only, so once it has been rebooted it should all be fine again until your next drive by malware download. Check your devices, because even big named companies make mistakes. IoT is turning into a battlefield. We just hope that with all these attacks, botnets, and hacks the promise of the IoT idea isn’t destroyed because of lazy coders.

Part of feature image from Wikipedia, Creative Commons license.

IP camera hack

How To Backup And Restore Your IP Camera Firmware

[Filipe] has been playing around with custom firmware for inexpensive IP cameras. Specifically, he has been using cameras based on a common HI3815 chip. When you are playing around with firmware like this, a major concern is that you may end up bricking the device and rendering it useless. [Filipe] has documented a relatively simple way to backup and restore the firmware on these cameras so you can hack to your heart’s content.

The first part of this hack is hardware oriented. [Filipe] cracked open the camera to reveal the PCB. The board has labeled serial TX and RX pads. After soldering a couple of wires to these pads, [Filipe] used a USB to serial dongle to hook his computer up to the camera’s serial port.

Any terminal program should now be able to connect to the camera at 115200 baud while the camera is booting up. The trick is to press “enter” during the boot phase. This allows you to log in as root with no password. Next you can reset the root password and reboot the camera. From now on you can simply connect to the phone via telnet and log in as root.

From here, [Filipe] copies all of the camera’s partitions over to an NFS share using the dd command. He mentions that you can also use FTP for this if you prefer. At this point, the firmware backup is completed.

Knowing how to restore the backup is just as important as knowing how to create it. [Filipe] built a simple TFTP server and copied the firmware image to it in two chunks, each less than 5MB. The final step is to tell the camera how to find the image. First you need to use the serial port to get the camera back to the U-Boot prompt. Then you configure the camera’s IP address and the TFTP server’s IP address. Finally, you copy each partition into RAM via TFTP and then copy that into flash memory. Once all five partitions are copied, your backup is safely restored and your camera can live to be hacked another day.

Extending The Features Of An IP Camera

adding-external-control-via-IP-camera

[Dave Astolfo] wanted to be able to let his CNC mill run by itself with the ability to monitor it remotely. The only problem with that idea is that if he checked in and saw something bad happening he needed a remote kill switch as well. He ended up killing two birds with one stone by adding extra features to an IP camera.

These Internet Protocol cameras are pretty nifty. Just plug their power cord in and they’ll connect to WiFi and start streaming video. Many of them offer features like pan and tilt, and this model even features IR LEDs for night viewing that can be switched on and off through the web interface. That’s the point at which [Dave] started his hack. He patched into the leads on the IR LEDs. They’re monitored by an ATtiny85. When he turns on the LEDs via the webpage the ATtiny85 senses it and drives a servo motor to push the ESC key on the keyboard. As you can see in the clip after the break, this will stop the milling in its tracks. We especially liked the use of LEGO Technique pieces to make the servo mount removable.

Continue reading “Extending The Features Of An IP Camera”