Topic: hacking ELP 720p cam

April 07, 2017, 09:23:23 am
Hi all!

I'd like to share with you my doubts and info about my basic approaches to ELP 720p, another cheap IP cam. Here is the link: (https://www.amazon.it/ELP-Macchina-Fotografica-Videocamere-Sorveglianza/dp/B016Q94M8O/ref=sr_1_1?ie=UTF8&qid=1491553982&sr=8-1-spons&keywords=720p&psc=1).

My goal would be entering into the shell and taking full control.

Problem is that apparently there's not any telnet or SSH service (according to nmap). And I prefer connecting remotely, without serial connection.
I've the last fw inside (firmware_General_HZXM_IPC_HI3518E_50H10L_S38_V4.02.R12.Nat.OnvifS.20160615_ALL), provided from this link (http://www.hkvstar.com/technology-news/china-ip-camera-configuration-firmware.html) and I was able to unpack it. But I think the shell/Busybox doesn't have all the app or the full app (i.e. telnetd, netcap, ...), useful for an injection approach or something like that.

I'm able to connect through the webUI: in the settings menu you can also configure NetServices like emailing, DDNS, FTP, ... The only useful browser to log into the webUI is IE11 without ActiveX control (because of the NPAPI plugin).
According to the info provided by the producer, here are the protocols: TCP / IP, HTTP, DHCP, DNS, DDNS, PPPoE, SMTP, NTP (HTTPS, RTP / RTSP, SIP, 802.1x, IPv6).

The cam sensor and the SoC: 1/4" CMOS OV9712 + HI3518C (maybe a Hi3518E)

Connection: only eth (I use a powerline).

I'll show the nmap results in the next reply
« Last Edit: April 07, 2017, 09:45:16 am by cris.alberti »

April 07, 2017, 09:25:43 am
nmap to all ports:

MAC Address: xxxxxxxxxxxxxxx (iStor Networks)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 0.801 days (since Tue Mar 21 21:00:25 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: webcam
Not shown: 131040 closed ports

PORT      STATE         SERVICE       VERSION
80/tcp    open          http          uc-httpd 1.0.0
| http-methods: 
|_  Supported Methods: OPTIONS
|_http-title: NETSurveillance WEB

554/tcp   open          rtsp          LuxVision or Vacron DVR rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, PLAY, PAUSE

8899/tcp  open          soap          gSOAP 2.7
|_http-server-header: gSOAP/2.7
|_http-title: Site doesn't have a title (text/xml; charset=utf-8).

9527/tcp  open          unknown
| fingerprint-strings: 
|   GenericLines, NULL: 
|     HTTPD: fd: 55, IP: 0x501a8c0
|     RTP: onClientConnect enginedId 0 , clientId 0 , ip:port 192.168.1.5:25228 
|     HTTPD: invalid request
|     HTTPD: fd: 55, IP: 0x501a8c0
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|    HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|     HTTPD: Catch a broken socket
|_    HTTPD: Catch a brok

9530/tcp  open          unknown

34567/tcp open          dhanalakshmi?

3702/udp  open          ws-discovery?
| fingerprint-strings: 
|   SIPOptions: 
|     <?xml version="1.0" encoding="UTF-8"?>
|_    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:ns1="http://www.w3.org/2005/05/xmlmime" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:ns7="http://docs.oasis-open.org/wsrf/r-2" xmlns:ns2="http://docs.oasis-open.org/wsrf/bf-2" xmlns:dndl="http://www.onvif.org/ver10/network/wsdl/DiscoveryLookupBinding" xmlns:dnrd="http://www.onvif.org/ver10/network/wsdl/RemoteDiscoveryBinding" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://
8362/udp  open|filtered unknown
9148/udp  open|filtered unknown
12144/udp open|filtered unknown
14677/udp open|filtered unknown
16050/udp open|filtered unknown
16404/udp open|filtered unknown
18563/udp open|filtered unknown
19848/udp open|filtered unknown
24787/udp open|filtered unknown
26216/udp open|filtered unknown
26583/udp open|filtered unknown
26952/udp open|filtered unknown
28481/udp open|filtered unknown
34568/udp open|filtered unknown
36315/udp open|filtered unknown
41773/udp open|filtered unknown
43568/udp open|filtered unknown
46528/udp open|filtered unknown
47857/udp open|filtered unknown
57020/udp open|filtered unknown
58919/udp open|filtered unknown
59253/udp open|filtered unknown
59715/udp open|filtered unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service

As far as I know:
- the 80 is for webUI;
- the 554 and 8899 are the streaming/ONVIF ports;
- the others? Maybe the activated NetServices?
- the UDP ports? Tunneling???????
« Last Edit: April 07, 2017, 09:33:02 am by cris.alberti »

April 07, 2017, 09:37:37 am
If I try to connect through Raw protocol, port 9527 here is the output:


EasyCmsDevice send reg request, time = 1491392052
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:34:18, Time:155778 Min, Trail:155778 Min
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
Connect: 216.146.43.70 80 fail
EasyCmsDevice send reg request, time = 1491392173
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:36:18, Time:155780 Min, Trail:155780 Min
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


CDdnsBase::GetResponse HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Date: Wed, 05 Apr 2017 11:50:42 GMT

nochg 82.49.103.224

DDNS Update: Request Successful
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392294
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:38:18, Time:155782 Min, Trail:155782 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392415
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:40:18, Time:155784 Min, Trail:155784 Min
Connect: 216.146.38.70 80 OK
checkip: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 105

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
EasyCmsDevice send reg request, time = 1491392536
EasyCmsDevice recv reg response success
Save SysTime to Flash:2017-04-05 12:42:18, Time:155786 Min, Trail:155786 Min
Connect: 91.198.22.70 80 fail
NTPD: NTP host[193.204.114.232], port[24]
NTPD: Recv Packet Timeout!
>>>>>>CCloudAlarmCli::instance()->UpdateStatus!!!>>>>>
DdnsD: connect success!
DdnsD::DdnsSend GET /nic/update?hostname=xxxxxxxxxxxxxxxxxxxxx HTTP/1.0
Host: dynupdate.no-ip.com
Authorization: Basic Y3Jpc3RvMDpQNG56ZXIh
User-Agent: XiongmaiClinet-1.1 Linux


Log in will be performed with my webUI credentials. But the only command I can use is "user" with this output:

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.49.103.224</body></html>

 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
 Ip add is http://192.168.1.10:8899/onvif/device_service
user command usage:
                    user  -y : dump authority info
                    user  -group : dump full group info
                    user  -g     : dump group info
                    user  -user  : dump full user info
                    user  -u     : dump user info
                    user    -a     : dump all user name
                    user  -k : kick off user
                    user  -b : block user
                    user  -v : dump active user


April 07, 2017, 09:43:58 am
Here's the fw.

First of all I've used 7z to unpack the original bin file and here are the files inside:

custom-x.cramfs.img
Install
InstallDesc
romfs-x.cramfs.img (with the pwd and system files)
u-boot.bin.img
u-boot.env.img
user-x.cramfs.img
web-x.cramfs.img

The following steps are the same for each file.

$ xxd -a custom-x.cramfs.img | head

00000000: 2705 1956 2654 4b3f 5761 3b3d 0000 7000  '..V&TK?Wa;=..p.
00000010: 0077 0000 007b 0000 be2a 4cf4 0502 0101  .w...{...*L.....
00000020: 6c69 6e75 7800 0000 0000 0000 0000 0000  linux...........
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 453d cd28 0070 0000 0300 0000 0000 0000  E=.(.p..........
00000050: 436f 6d70 7265 7373 6564 2052 4f4d 4653  Compressed ROMFS
00000060: 122d e489 0000 0000 2e00 0000 2900 0000  .-..........)...
00000070: 436f 6d70 7265 7373 6564 0000 0000 0000  Compressed......
00000080: fd41 1402 5800 0014 c004 0000 ed41 1402  .A..X........A..
00000090: 7400 0014 430a 0000 4375 7374 6f6d 436f  t...C...CustomCo

$ binwalk custom-x.cramfs.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x26544B3F, created: 2016-06-15 11:25:49, image size: 28672 bytes, Data Address: 0x770000, Entry Point: 0x7B0000, data CRC: 0xBE2A4CF4, OS: Linux, CPU: ARM, image type: Standalone Program, compression type: gzip, image name: "linux"
64            0x40            CramFS filesystem, little endian, size: 28672 version 2 sorted_dirs CRC 0x89E42D12, edition 0, 46 blocks, 41 files


$ fdisk -l custom-x.cramfs.img

Disk custom-x.cramfs.img: 28 KiB, 28672 bytes, 56 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

$ dd if=custom-x.cramfs.img bs=64 skip=1 of=fs.custom

Now it is ready to be opened with 7z and browsed.

Into the fw (the romfs-x.cramfs.img  file) I've found two pwd files: passwd and passwd-
And after John's care:

 ./john --devices=0  --single  passwd

Apparently I've two system (?) credentials: root1919.....root1900
                                            root1907.....root1900

But I cannot enter into shell.

What can I do?

Tnx in advance for any reply.
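
The `dd bs=64 skip=1` step above strips the 64-byte uImage header without checking it. As an added example (not from the original post), this parser reads the same header fields binwalk printed, verifies both CRCs, and confirms that the payload starts with the CramFS magic seen at offset 0x40 in the xxd dump. The sample image is constructed, and `parse_uimage` / `build_sample` are hypothetical names.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
CRAMFS_MAGIC = 0x28CD3D45            # bytes 45 3d cd 28 on disk (little endian)
HEADER = struct.Struct(">7I4B32s")   # 64-byte big-endian uImage header

def parse_uimage(blob):
    """Validate a uImage wrapper and return (info, payload)."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, ts, size, load, entry, dcrc,
     os_id, arch, img_type, comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage")
    # The header CRC is computed with the CRC field itself set to zero.
    zeroed = blob[:4] + bytes(4) + blob[8:HEADER.size]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[HEADER.size:HEADER.size + size]
    if len(payload) != size:
        raise ValueError("image truncated")
    if zlib.crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    info = {"size": size, "load": load, "entry": entry, "timestamp": ts,
            "os": os_id, "arch": arch, "type": img_type, "comp": comp,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "is_cramfs": payload[:4] == struct.pack("<I", CRAMFS_MAGIC)}
    return info, payload

def build_sample(payload, name=b"linux"):
    """Constructed test image reusing the field values from the dump above."""
    fields = [UIMAGE_MAGIC, 0, 0x57613B3D, len(payload), 0x770000, 0x7B0000,
              zlib.crc32(payload), 5, 2, 1, 1, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload

# Constructed 32-byte stand-in for a CramFS superblock, not real firmware data.
SAMPLE_FS = struct.pack("<I", CRAMFS_MAGIC) + bytes(12) + b"Compressed ROMFS"

if __name__ == "__main__":
    info, fs = parse_uimage(build_sample(SAMPLE_FS))
    print(info)
    # With a real file: open("fs.custom", "wb").write(fs)
```
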