Reverse Engineering A Modern IP Camera

Security cameras used to be analog devices feeding back into a room full of tiny screens and commercial grade VCRs. As technology moved forward, IP cameras began to proliferate. Early models simply presented a video stream and configuration page to the local network. Modern models aimed at the home market differ however. More often than not, configuration is through a strange smartphone app, and video is accessed through third-party servers. It’s all a bit oblique, and so [Alex] decided to take a look under the hood. 

The exploration begins externally, with [Alex] capturing data sent to and from the camera with Wireshark. Straight away, red flags are raised. For as yet unknown reasons, the camera attempts to resolve Google, Facebook and Alibaba servers over DNS. Disassembly then follows, revealing that a serial terminal with root access is available. [Alex] uses this to probe around, uncovering the firmware update script and a way to decrypt said updates.

The work thus is a great example of how to approach hacking a given device from first principles. The overall goal is to find a way to gain complete control over the camera, reprogramming it to serve up video as [Alex] wishes, rather than to a distant third party server. It’s not the first time we’ve seen an IP camera hacked, and we doubt it will be the last. If you’ve got one cracked, be sure to let us know.

Easy Time-lapse Video Via Phone And Command Line

A good time-lapse video can be useful visual documentation, and since [Tommy]’s phone is the best camera he owns he created two simple shell scripts to grab time-lapse images and assemble them into a video. [Tommy]’s work is just the glue between two other things: an app that turns the phone into an IP camera with a web server on the local network, and the ability to grab a still image from that server on demand.

The app he uses for his iPhone normally serves video but has an undocumented feature that allows single frames to be downloaded by adding ‘/photo’ to the end of the URL, but the ability to get a still image is a common feature on IP camera apps for smartphones. His capture script (GitHub repository here) should therefore need only minor changes to work with just about any IP camera app.

Perching a phone over a workspace and using it to create a time-lapse with a couple of shell scripts is a great example of combining simple tools to get better functionality. It could be a good way to get additional use out of an older smartphone, too. Heck, even older dumbphones can still get some use out of them; Shmoocon 2017 brought us details on rolling your own 1G network.

Yet Another IoT Botnet

[TrendMicro] are reporting that yet another IoT botnet is emerging. This new botnet had been dubbed Persirai and targets IP cameras. Most of the victims don’t even realize their camera has access to the Internet 24/7 in the first place.

Trend Micro, have found 1,000 IP cameras of different models that have been exploited by Persirai so far. There are at least another 120,000 IP cameras that the botnet could attack using the same method. The problem starts with the IP cameras exposing themselves by default on TCP Port 81 as a web server — never a great idea.

Most IP cameras use Universal Plug and Play, which allows them to open ports from inside the router and start a web server without much in the way of security checks. This paints a giant target in cyber space complete with signs asking to be exploited. After logging into a vulnerable device the attacker can perform a command injection attack which in turn points gets the camera to download further malware.

The exploit runs in memory only, so once it has been rebooted it should all be fine again until your next drive by malware download. Check your devices, because even big named companies make mistakes. IoT is turning into a battlefield. We just hope that with all these attacks, botnets, and hacks the promise of the IoT idea isn’t destroyed because of lazy coders.

Part of feature image from Wikipedia, Creative Commons license.

How To Backup And Restore Your IP Camera Firmware

[Filipe] has been playing around with custom firmware for inexpensive IP cameras. Specifically, he has been using cameras based on a common HI3815 chip. When you are playing around with firmware like this, a major concern is that you may end up bricking the device and rendering it useless. [Filipe] has documented a relatively simple way to backup and restore the firmware on these cameras so you can hack to your heart’s content.

The first part of this hack is hardware oriented. [Filipe] cracked open the camera to reveal the PCB. The board has labeled serial TX and RX pads. After soldering a couple of wires to these pads, [Filipe] used a USB to serial dongle to hook his computer up to the camera’s serial port.

Any terminal program should now be able to connect to the camera at 115200 baud while the camera is booting up. The trick is to press “enter” during the boot phase. This allows you to log in as root with no password. Next you can reset the root password and reboot the camera. From now on you can simply connect to the phone via telnet and log in as root.

From here, [Filipe] copies all of the camera’s partitions over to an NFS share using the dd command. He mentions that you can also use FTP for this if you prefer. At this point, the firmware backup is completed.

Knowing how to restore the backup is just as important as knowing how to create it. [Filipe] built a simple TFTP server and copied the firmware image to it in two chunks, each less than 5MB. The final step is to tell the camera how to find the image. First you need to use the serial port to get the camera back to the U-Boot prompt. Then you configure the camera’s IP address and the TFTP server’s IP address. Finally, you copy each partition into RAM via TFTP and then copy that into flash memory. Once all five partitions are copied, your backup is safely restored and your camera can live to be hacked another day.

Extending The Features Of An IP Camera

adding-external-control-via-IP-camera

[Dave Astolfo] wanted to be able to let his CNC mill run by itself with the ability to monitor it remotely. The only problem with that idea is that if he checked in and saw something bad happening he needed a remote kill switch as well. He ended up killing two birds with one stone by adding extra features to an IP camera.

These Internet Protocol cameras are pretty nifty. Just plug their power cord in and they’ll connect to WiFi and start streaming video. Many of them offer features like pan and tilt, and this model even features IR LEDs for night viewing that can be switched on and off through the web interface. That’s the point at which [Dave] started his hack. He patched into the leads on the IR LEDs. They’re monitored by an ATtiny85. When he turns on the LEDs via the webpage the ATtiny85 senses it and drives a servo motor to push the ESC key on the keyboard. As you can see in the clip after the break, this will stop the milling in its tracks. We especially liked the use of LEGO Technique pieces to make the servo mount removable.

Continue reading “Extending The Features Of An IP Camera”

A WiFi Controlled RC Car With An IP Camera

Controlling your car over WiFi is good, but mounting a webcam on it so you can actually see where you’re going is even better. [Michael] goes over how he made his wifi car with some great videos in the post about it.

The car used is a seemingly standard RC unit, which came with a speed controller that was recycled for network use. [Michael] removed the standard radio, but having this controller available kept him from having to engineer an H-bridge circuit. The radio was then replaced with a WiFi module from Sparkfun.

There were a few problems with the IP camera to begin with, as the lag was originally unbearable. After some tricks that would qualify as a good hack in itself, the camera was eventually able to perform on an acceptable level and output data to the FLTK app he used to control everything.  Check out one of his videos below of this car in action. Continue reading “A WiFi Controlled RC Car With An IP Camera”

Motion Sprinkler Chases Away Defecating Dogs

Don’t want dogs pooping on the front lawn? You could put up a sign, your could chase them away like a crotchety old miser, or you could build a motion detecting sprinkler system. It’s pretty hard to line up for a doody when you’re getting sprayed in the face (or worse) with cold water.

The setup is pretty simple. The bump-in image above shows the view from a webcam. The server monitoring the video is running software that detects motion between one frame and the next. When it sees something in the right position it signals an Arduino to trigger the solenoid which has been holding back the water. Check out the movie after the break which shows [Phil Tucker] tramping across the grass to trigger the  trap.

Sprinkler hacks are always a lot of fun. This variable-range sprinkler is still one of our favorites.

Continue reading “Motion Sprinkler Chases Away Defecating Dogs”