{"id":1140,"date":"2018-11-29T06:09:40","date_gmt":"2018-11-29T12:09:40","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1140"},"modified":"2019-01-21T20:34:16","modified_gmt":"2019-01-22T02:34:16","slug":"ip-camera-security","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2018\/11\/ip-camera-security\/","title":{"rendered":"IP Camera Security"},"content":{"rendered":"<p>In reviewing my browser bookmarks I see this blog\u00a0<a href=\"https:\/\/reversatronics.blogspot.com\/\">https:\/\/reversatronics.blogspot.com\/<\/a> is still active.\u00a0 I&#8217;m examining the blog entry at\u00a0<a href=\"https:\/\/reversatronics.blogspot.com\/2013\/10\/sunluxy-dvr-backdoor.html\">https:\/\/reversatronics.blogspot.com\/2013\/10\/sunluxy-dvr-backdoor.html<\/a> to learn and document my own adventures in embedded device security.<\/p>\n<p>The author (Billy) has a Sunluxy CCTV DVR. The company website no longer exists, but the unit is basically a JuanDVR. You can still find these devices if you search on eBay or Alibaba. The author\u2019s link for the company no longer works, but the company can be found at <a href=\"http:\/\/www.juancctv.com\">www.juancctv.com<\/a>. No photos were posted in the blog. Based on the author identifying 5V TTL and on references found in the blog comments, the unit referenced would be similar to the stock image from DX.com.<br \/>\n<!--more--><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/jedge.com\/images\/example_dvr_dx.jpg\" alt=\"\" width=\"313\" height=\"313\" \/><\/p>\n<p>The author does not go into detail on how he identified a vulnerable CGI that provided root access to the device, but he links to a pair of Craig Heffner blog articles (see references below). While reading Craig\u2019s blog we are going to try to recreate the work discussed on two stand-alone security cameras. 
I will reference one more Craig Heffner blog post as we attempt to identify the UART serial ports on the cameras. I also include links to the JTAGulator and will document my use of it to identify UART.<\/p>\n<p>I own two security cameras that I had previously used as toddler monitors to watch my young kids: a SRICAM AP001 and an ESCAM QF100.<\/p>\n<p>The AP001 uses a Ralink RT5350F. This same chipset is used in the VoCore v1.0. The QF100 uses a HiSilicon Hi3518E, which is used by the RobinCore v0.2. Because these chipsets are used in open source hardware projects, identifying the pinout and where to find RX\/TX is a lot easier than it would be otherwise. The resource section below details other individuals who opened up their security cameras and had an easy time finding UART because the pins were labeled or otherwise easily identified. This is not the case with the AP001 and QF100. So far this post documents my failures in identifying UART. The attempts are educational and could have succeeded if I had gotten lucky. For details on the successful use of a JTAGulator see my post on working with the Linksys WRT54GL v1.1. Also see Joe Grand&#8217;s YouTube tutorial linked below.<\/p>\n<p>You will need to remove two of the rubber feet to unscrew and pop off the bottom of both cameras. 
The following images show the circuit boards for the QF100 and AP001.<\/p>\n<p>SRICAM AP001 with the bottom cover removed, exposing the bottom of the circuit board.\u00a0 Nothing to see here.<\/p>\n<p><a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=107&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/www.jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181125_2314069.jpg\" alt=\"Bottom Removed from SRICAM AP001\" width=\"400\" height=\"300\" \/><\/a><\/p>\n<p>The circuit board removed from the SRICAM AP001.\u00a0 The Ralink module driving everything is connected to the main board via a header.<\/p>\n<p><a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=115&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/www.jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181125_2317013.jpg\" alt=\"Top of SRICAM AP001 Circuit Board\" width=\"400\" height=\"300\" \/><\/a><\/p>\n<p>SRICAM AP001 main board with the Ralink\u00a0RT5350F module removed.<\/p>\n<p><a href=\"http:\/\/jedge.com\/cpg15x\/displayimage.php?pid=117&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181125_2317589.jpg\" alt=\"AP001 with Ralink Header Removed\" width=\"400\" height=\"300\" \/><\/a><\/p>\n<p>Examining the AP001 board does not show any candidates for UART. I soldered wires to each pin of the header that was not 3.3V or GND. I identified the GND pins with a continuity test using my multi-meter,\u00a0 then powered on the device and measured the voltage on each remaining pin to rule out the 3.3V rails.\u00a0 That left twenty (20) potential candidates, which I soldered wires to and attached to the JTAGulator.\u00a0 I had no success in identifying UART. 
UPDATE: See this <a href=\"http:\/\/www.jedge.com\/wordpress\/2019\/01\/sricam-ap001-uart\/\" rel=\"noopener\" target=\"_blank\">blog post<\/a>.<\/p>\n<p><a href=\"http:\/\/jedge.com\/cpg15x\/displayimage.php?pid=121&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181126_0320204.jpg\" alt=\"Connect Ralink Header to JTAGulator\" width=\"300\" height=\"400\" \/><\/a><\/p>\n<p>ESCAM QF100 with the bottom cover removed, exposing the bottom of the circuit board.\u00a0 On the board you see 0.5 mm pitch ribbon cables for communication with the camera as well as connectors for the mic, speaker, and motor.\u00a0 Examining the board does not show any candidates for UART.<\/p>\n<p><a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=96&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/www.jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181125_2245219.jpg\" alt=\"Bottom Removed from ESCAM QF100\" width=\"400\" height=\"300\" \/><\/a><\/p>\n<p>After examining the pinout and placement of TX\/RX on the RobinCore, I determined that two traces coming from the upper right corner of the Hi3518E could be UART. 
I could not determine where these traces went, so I took a new X-ACTO knife and carefully shaved the solder mask off the traces until I saw copper.\u00a0 Using a magnifying glass I carefully soldered a pair of wires to the exposed copper.\u00a0 I&#8217;ve had success with this method on other projects, for example when I accidentally pulled up a pad on the TP-Link WR703n.\u00a0 I attached the wires to the JTAGulator but had no luck in identifying UART.<\/p>\n<p><a href=\"http:\/\/jedge.com\/cpg15x\/displayimage.php?pid=129&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181126_1712232.jpg\" alt=\"Connect JTAGulator to traces\" width=\"300\" height=\"400\" \/><\/a><\/p>\n<p>As a last-ditch attempt, based on a comment on a blog post referenced below, I attached a 20-pin ribbon cable and breakout board to the camera&#8217;s connectors and tested with the JTAGulator.<\/p>\n<p><a href=\"http:\/\/jedge.com\/cpg15x\/displayimage.php?pid=130&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/jedge.com\/cpg15x\/albums\/IP_Cameras\/normal_IMG_20181126_1842271.jpg\" alt=\"Ribbon Cable to JTAGulator\" width=\"300\" height=\"400\" \/><\/a><\/p>\n<p>So no luck so far in identifying UART (<a href=\"http:\/\/www.jedge.com\/wordpress\/2019\/01\/escam-qf100-uart\/\" rel=\"noopener\" target=\"_blank\">update based on comments below<\/a>). 
This is just an educational tutorial, as there are so many issues already documented with these two cameras.\u00a0 Part 2 will go over telnet access and the command injection vulnerabilities that have been documented for these two devices.\u00a0 I will document examination of the web code and binaries.\u00a0 Maybe we will find new issues with these devices.<\/p>\n<p>All images I took of the devices can be found in my <a href=\"http:\/\/jedge.com\/cpg15x\/thumbnails.php?album=8\" target=\"_blank\" rel=\"noopener\">coppermine gallery<\/a>.<\/p>\n<p><strong>Resources<\/strong><br \/>\n<a href=\"https:\/\/www.unifore.net\/ip-video-surveillance\/ip-camera-soc-hi3518e-vs-hi3518c.html\" target=\"_blank\" rel=\"noopener\">https:\/\/www.unifore.net\/ip-video-surveillance\/ip-camera-soc-hi3518e-vs-hi3518c.html<\/a><br \/>\n<a href=\"https:\/\/acassis.wordpress.com\/2014\/08\/10\/i-got-a-new-hi3518-ip-camera-modules\/\" target=\"_blank\" rel=\"noopener\">https:\/\/acassis.wordpress.com\/2014\/08\/10\/i-got-a-new-hi3518-ip-camera-modules\/<\/a><br \/>\n<a href=\"https:\/\/acassis.wordpress.com\/2014\/05\/25\/boot-log-for-a-cheap-hi3518-chinese-ip-camera\/\" target=\"_blank\" rel=\"noopener\">https:\/\/acassis.wordpress.com\/2014\/05\/25\/boot-log-for-a-cheap-hi3518-chinese-ip-camera\/<\/a><br \/>\n<a href=\"http:\/\/www.openipcam.com\" target=\"_blank\" rel=\"noopener\">http:\/\/www.openipcam.com<\/a><br \/>\n<a href=\"https:\/\/acassis.wordpress.com\/category\/ipcam\/\" target=\"_blank\" rel=\"noopener\">https:\/\/acassis.wordpress.com\/category\/ipcam\/<\/a><\/p>\n<p><strong>Craig Heffner Blog<\/strong><br \/>\n<a href=\"http:\/\/www.devttys0.com\/2013\/10\/from-china-with-love\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.devttys0.com\/2013\/10\/from-china-with-love\/<\/a><br \/>\n<a href=\"http:\/\/www.devttys0.com\/2013\/10\/reverse-engineering-a-d-link-backdoor\/\" target=\"_blank\" 
rel=\"noopener\">http:\/\/www.devttys0.com\/2013\/10\/reverse-engineering-a-d-link-backdoor\/<\/a><br \/>\n<a href=\"http:\/\/www.devttys0.com\/2012\/11\/reverse-engineering-serial-ports\/\" target=\"_blank\" rel=\"noopener\">http:\/\/www.devttys0.com\/2012\/11\/reverse-engineering-serial-ports\/<\/a><\/p>\n<p><strong>Hacking IP Cameras<\/strong><br \/>\n<a href=\"https:\/\/pierrekim.github.io\/blog\/2017-03-08-camera-goahead-0day.html\" target=\"_blank\" rel=\"noopener\">https:\/\/pierrekim.github.io\/blog\/2017-03-08-camera-goahead-0day.html<\/a><br \/>\n<a href=\"https:\/\/jumpespjump.blogspot.com\/2015\/09\/how-i-hacked-my-ip-camera-and-found.html\" target=\"_blank\" rel=\"noopener\">https:\/\/jumpespjump.blogspot.com\/2015\/09\/how-i-hacked-my-ip-camera-and-found.html<\/a><br \/>\n<a href=\"https:\/\/www.pentestpartners.com\/security-blog\/hacking-the-aldi-ip-cctv-camera-part-2\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.pentestpartners.com\/security-blog\/hacking-the-aldi-ip-cctv-camera-part-2\/<\/a><br \/>\n<a href=\"https:\/\/cxsecurity.com\/issue\/WLB-2017030092\" target=\"_blank\" rel=\"noopener\">https:\/\/cxsecurity.com\/issue\/WLB-2017030092<\/a><br \/>\n<a href=\"https:\/\/www.sec-consult.com\/en\/blog\/2018\/06\/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sec-consult.com\/en\/blog\/2018\/06\/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud\/<\/a><br \/>\n<a href=\"http:\/\/marcusjenkins.com\/hacking-cheap-ebay-ip-camera\/\" target=\"_blank\" rel=\"noopener\">http:\/\/marcusjenkins.com\/hacking-cheap-ebay-ip-camera\/<\/a><br \/>\n<a target=\"_blank\" href=\"https:\/\/jelmertiete.com\/2016\/03\/14\/IoT-IP-camera-teardown-and-getting-root-password\/\">https:\/\/jelmertiete.com\/2016\/03\/14\/IoT-IP-camera-teardown-and-getting-root-password\/<\/a><\/p>\n<p><strong>Open Source Hardware<\/strong><br \/>\n<a 
href=\"https:\/\/www.indiegogo.com\/projects\/a-coin-sized-arm-linux-computer-with-wifi-video#\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.indiegogo.com\/projects\/a-coin-sized-arm-linux-computer-with-wifi-video#\/<\/a><br \/>\n<a href=\"https:\/\/vocore.io\/v1.html\" target=\"_blank\" rel=\"noopener\">https:\/\/vocore.io\/v1.html<\/a><br \/>\n<a href=\"https:\/\/wikidevi.com\/wiki\/Ralink_RT5350\" target=\"_blank\" rel=\"noopener\">https:\/\/wikidevi.com\/wiki\/Ralink_RT5350<\/a><br \/>\n<a href=\"https:\/\/cdn.hackaday.io\/files\/19356828127104\/Hi3518%20DataSheet.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/cdn.hackaday.io\/files\/19356828127104\/Hi3518%20DataSheet.pdf<\/a><\/p>\n<p><strong>JTAGulator<\/strong><br \/>\n<a href=\"https:\/\/www.youtube.com\/watch?v=GgMOBhmEJXA\" target=\"_blank\" rel=\"noopener\">https:\/\/www.youtube.com\/watch?v=GgMOBhmEJXA<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In reviewing my browser bookmarks I see this blog\u00a0https:\/\/reversatronics.blogspot.com\/ is still active.\u00a0 I&#8217;m examining the blog entry at\u00a0https:\/\/reversatronics.blogspot.com\/2013\/10\/sunluxy-dvr-backdoor.html to learn and document my own adventures in embedded device security. The author (Billy) has a Sunluxy CCTV DVR. The company website no longer exists but is basically a JuanDVR. 
You can still find these devices if [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[167,114],"tags":[173,174,172,171],"class_list":["post-1140","post","type-post","status-publish","format-standard","hentry","category-bookmarks","category-hardware-hacking","tag-iot","tag-ip-cameras","tag-jtagulator","tag-uart"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1140"}],"version-history":[{"count":14,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1140\/revisions"}],"predecessor-version":[{"id":1246,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1140\/revisions\/1246"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
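The post above stops at the step the JTAGulator automates: finding which pins are TX and RX. The next thing a practitioner needs once a TX candidate is wired up is the baud rate, and the serial-port post by Craig Heffner linked under "Craig Heffner Blog" covers the same idea. The following is an added example for this page, not code from the post, from Craig Heffner's blog, or from the JTAGulator firmware. It scores captures at each common rate by how much of the data decodes to printable, line-structured text, and reports no result when nothing clears the threshold, which is exactly what a dead trace or a non-UART pin looks like. All function names are this example's own; the U-Boot style banner and the "wrong rate" bytes are constructed sample input so it runs offline, and pyserial is only imported if you call serial_capture() against real hardware.

```python
"""Baud-rate scoring for a suspected UART TX line.

Added example; not code from the original post, from Craig Heffner's blog,
or from the JTAGulator firmware. Same idea as Heffner's baudrate.py: read a
burst of bytes at each common rate and score how much of it decodes to
printable text. Boot-console output at the right rate is almost entirely
ASCII with line endings; at the wrong rate the framing is off and most bytes
come back as high-bit garbage, 0x00 or 0xFF.

The boot log and the wrong-rate bytes below are constructed sample input.
"""
import random
import string

# Rates worth trying on a 3.3V TTL console. 115200 is the usual choice on
# Ralink and HiSilicon boards, but cheap devices do ship at 38400 or 57600.
COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)
PRINTABLE = frozenset(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty capture)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def score_capture(data: bytes) -> float:
    """Score a capture from 0.0 to 1.0.

    The printable ratio is the main signal. A capture with no CR or LF at all
    is halved: real console output is line-structured, and a run of printable
    bytes with no line ending is more likely a coincidence at a wrong rate.
    """
    score = printable_ratio(data)
    if b"\n" not in data and b"\r" not in data:
        score *= 0.5
    return score


def detect_baud(capture, bauds=COMMON_BAUDS, threshold=0.9):
    """Try each rate; capture(baud) must return the bytes read at that rate.

    Returns (baud, score). baud is None when no rate clears the threshold,
    which is the honest answer when the pin is not TX, the rate is
    non-standard, or the board is not printing anything at all.
    """
    scores = {baud: score_capture(capture(baud)) for baud in bauds}
    best = max(scores, key=scores.get)
    if scores[best] < threshold:
        return None, scores[best]
    return best, scores[best]


def serial_capture(port: str, baud: int, nbytes: int = 512, timeout: float = 3.0) -> bytes:
    """Live capture with pyserial (pip install pyserial). Power-cycle the
    board after the port opens so the boot banner lands inside the read."""
    import serial  # imported lazily so the offline demo needs no hardware
    with serial.Serial(port, baud, timeout=timeout) as s:
        return s.read(nbytes)


# --- constructed sample input (not a real capture from either camera) ---
SAMPLE_BOOT_LOG = (
    b"\r\nU-Boot 2010.06 (constructed sample)\r\n\r\n"
    b"DRAM:  64 MiB\r\nFlash: 8 MiB\r\n"
    b"Hit any key to stop autoboot:  0\r\n"
)


def wrong_rate_bytes(baud: int, n: int = 256) -> bytes:
    """Stand-in for a capture at a wrong rate: deterministic pseudo-random
    bytes seeded by the rate, so only about 40% land in the printable range."""
    rng = random.Random(baud)
    return bytes(rng.getrandbits(8) for _ in range(n))


def fake_capture(baud: int) -> bytes:
    """Simulated board that talks at 115200 and returns garbage elsewhere."""
    return SAMPLE_BOOT_LOG if baud == 115200 else wrong_rate_bytes(baud)


if __name__ == "__main__":
    print("simulated board:", detect_baud(fake_capture))         # (115200, 1.0)
    print("dead or non-UART pin:", detect_baud(wrong_rate_bytes))  # baud is None
```

Against real hardware, pass `lambda b: serial_capture("/dev/ttyUSB0", b)` as the capture function (the port name is an assumption) and power-cycle the camera for each rate so the boot banner is what gets scored; a capture taken after boot is quiet and will score as nothing found even on a good TX pin.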