IP Camera Security

In reviewing my browser bookmarks I see this blog https://reversatronics.blogspot.com/ is still active.  I’m examining the blog entry at https://reversatronics.blogspot.com/2013/10/sunluxy-dvr-backdoor.html to learn and document my own adventures in embedded device security.

The author (Billy) has a Sunluxy CCTV DVR. The company website no longer exists, but the device is basically a JuanDVR. You can still find these devices if you search on eBay or Alibaba. The author’s link for the company no longer works but can be found at www.juancctv.com. No photos were posted in the blog. Based on the author identifying 5v TTL and references found in the blog comments, the unit referenced would be similar to the stock image from DX.com.

The author does not go into detail on how he identified a vulnerable CGI that provided root access to the device but he links to a pair of Craig Heffner blog articles (see references below). While reading Craig’s blog we are going to try and recreate the work discussed on two stand-alone security cameras. I will reference one more Craig Heffner blog post as we will attempt to identify the UART serial ports on the cameras. I also include links and will document my use of the JTAGulator to identify UART.

I own two security cameras that I had previously used as toddler monitors to watch my young kids. I have a SRICAM AP001 and ESCAM QF100.

The AP001 uses a Ralink RT5350F. This same chipset is used in the Vocore v1.0. The QF100 uses a HiSilicon Hi3518E, which is used by the RobinCore v0.2. Because these chipsets are used in open source hardware projects, identifying the pinout and where to find RX/TX is a lot easier than it otherwise would be. The resource section below details other individuals who opened up their security cameras and had an easy time finding UART because there were pinouts or they were otherwise easily identified. This is not the case with the AP001 and QF100. So far this blog will be a document of my failures in identifying UART. The attempts are educational and could have succeeded if I had gotten lucky. For details on the successful use of a JTAGulator see my post on working with the Linksys WRT54GL v1.1. Also see Joe Grand’s YouTube tutorial linked below.

You will need to remove two of the rubber feet to unscrew and pop off the bottom of both cameras. The following images show the circuit boards for the QF100 and AP001.

SRICAM AP001 with bottom cover removed exposing the bottom of the circuit board.  Nothing to see here.

Bottom Removed from SRICAM AP001

The circuit board removed from the SRICAM AP001.  The chip driving everything is connected to the main board via a header.

Top of SRICAM AP001 Circuit Board

SRICAM AP001 circuit board with Ralink RT5350F circuit board removed.

AP001 with Ralink Header Removed

Examining the AP001 board does not show any candidates for UART. I soldered wires to each pin of the header that was not 3.3v or GND. I determined GND by doing a continuity test with my multi-meter.  I then determined the potential voltage by powering on the device and testing the voltage for each pin.  I soldered twenty (20) potential candidates and attached them to the JTAGulator.  I had no success in identifying UART. UPDATE: See this blog post.

Connect Ralink Header to JTAGulator

ESCAM QF100 with the bottom cover removed exposing the bottom of the circuit board. On the board you see 0.5 mm pitch ribbon cables for communication with the camera as well as connectors for the mic, speaker, and motor. Examining the board does not show any candidates for UART.

Bottom Removed from ESCAM QF100

After examining the pinout and placement of TX/RX on the RobinCore I determined that two traces coming from the upper right corner of the Hi3518E could be UART. I could not determine where these traces went so I took a new X-ACTO knife and carefully shaved the top coating of the traces until I saw copper.  Using a magnifying glass I carefully soldered a pair of wires to the traces.  I’ve had success with this method on other projects or when I’ve accidentally pulled a pad up like on the TP-Link WR703n.  I attached the wires to the JTAGulator but had no luck in identifying UART.

Connect JTAGulator to traces

As a last-ditch attempt, based on a comment from a blog post referenced below, I attached a 20-pin ribbon cable and breakout board to the camera’s connectors and tested with the JTAGulator.

Ribbon Cable to JTAGulator

So no luck so far in identifying UART (update based on comments below). This is just an educational tutorial as there are so many issues already documented with these two cameras.  Part 2 will go over telnet access and the command-line injection vulnerabilities that have been documented for these two devices.  I will document examination of the web code and binaries.  Maybe we will find new issues with these devices.
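What any UART scan is checking for on a candidate pin can be shown in software: a transmit line idles high, and only the correct baud rate turns its edges into readable text. The following is an added example, not code from the original post or from the JTAGulator project; the sample rate, the function names and the sample text are assumptions, and the trace is constructed at the 115200 8N1 setting that a reader comment on this post reports for Hi3518 modules.

```python
"""Added example: pick the baud rate of a candidate TX pin from a sampled logic trace."""
SAMPLE_RATE = 1_152_000  # assumed capture rate (Hz), a multiple of every candidate below
BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def encode_8n1(data, baud, rate=SAMPLE_RATE):
    """Constructed test signal: idle-high line, start bit 0, 8 data bits LSB first, stop bit 1."""
    spb = rate // baud                      # samples per bit
    trace = [1] * (4 * spb)                 # line rests high before the first frame
    for byte in data:
        for bit in [0] + [(byte >> k) & 1 for k in range(8)] + [1]:
            trace += [bit] * spb
    return trace + [1] * (4 * spb)

def decode_8n1(trace, baud, rate=SAMPLE_RATE):
    """Decode 8N1 frames, sampling each bit at its centre. Returns (bytes, framing_errors)."""
    spb = rate / baud
    out, errors, i = bytearray(), 0, 0
    while i + 10 * spb <= len(trace):
        if trace[i] == 1:                   # idle (high): keep looking for a start bit
            i += 1
            continue
        bits = [trace[int(i + (n + 0.5) * spb)] for n in range(10)]
        if bits[0] == 0 and bits[9] == 1:   # valid start and stop bits
            out.append(sum(b << k for k, b in enumerate(bits[1:9])))
            i += int(9.5 * spb)             # resume in the middle of the stop bit
        else:
            errors += 1
            while i < len(trace) and trace[i] == 0:   # resync after the low run
                i += 1
    return bytes(out), errors

def score(trace, baud):
    """(share of frames that decoded to printable text, number of bytes decoded)."""
    data, errors = decode_8n1(trace, baud)
    frames = len(data) + errors
    return (sum(b in PRINTABLE for b in data) / frames if frames else 0.0, len(data))

def best_baud(trace, bauds=BAUDS):
    """Return the most plausible baud rate, or None for a line that never leaves idle."""
    if 0 not in trace:
        return None   # steady high: a supply rail, or a TX pin that stayed silent
    return max(bauds, key=lambda b: score(trace, b))

# Constructed sample (not a capture from either camera): text sent at 115200 8N1.
SAMPLE_TEXT = b"console ready: login\r\n"
SAMPLE_TRACE = encode_8n1(SAMPLE_TEXT, 115200)
if __name__ == "__main__":
    print(best_baud(SAMPLE_TRACE), decode_8n1(SAMPLE_TRACE, 115200))
```

A pin that reads a steady 3.3v on a multimeter returns `None` here, which is also how a UART transmit pin looks while it is not sending.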

All images I took of the devices can be found in my coppermine gallery.

Resources
https://www.unifore.net/ip-video-surveillance/ip-camera-soc-hi3518e-vs-hi3518c.html
https://acassis.wordpress.com/2014/08/10/i-got-a-new-hi3518-ip-camera-modules/
https://acassis.wordpress.com/2014/05/25/boot-log-for-a-cheap-hi3518-chinese-ip-camera/
http://www.openipcam.com
https://acassis.wordpress.com/category/ipcam/

Craig Heffner Blog
http://www.devttys0.com/2013/10/from-china-with-love/
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/

Hacking IP Cameras
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
https://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html
https://www.pentestpartners.com/security-blog/hacking-the-aldi-ip-cctv-camera-part-2/
https://cxsecurity.com/issue/WLB-2017030092
https://www.sec-consult.com/en/blog/2018/06/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud/
http://marcusjenkins.com/hacking-cheap-ebay-ip-camera/
https://jelmertiete.com/2016/03/14/IoT-IP-camera-teardown-and-getting-root-password/

Open Source Hardware
https://www.indiegogo.com/projects/a-coin-sized-arm-linux-computer-with-wifi-video#/
https://vocore.io/v1.html
https://wikidevi.com/wiki/Ralink_RT5350
https://cdn.hackaday.io/files/19356828127104/Hi3518%20DataSheet.pdf

JTAGulator
https://www.youtube.com/watch?v=GgMOBhmEJXA


2 thoughts to “IP Camera Security”

  1. Hi, about the UART on the Hisilicon, it’s strange that you were unable to gain access to it. I got two Hi3518 wifi camera modules and both have two test points near a corner of the cpu with a working UART at 115k,8n1.
    Both got zg2014 pw for root, restored every boot by an init script.
