News:

Registered a URL and set up a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: maisi Cloud IP camera  (Read 13532 times)

January 04, 2016, 04:09:25 pm
I'm posting here because I haven't found any other information about this camera on the net and I want to give the next person to come along a step up, if I can.

I recently purchased a maisi Cloud IP camera, as it was on offer at Amazon (http://www.amazon.co.uk/dp/B013QOI8LE). I didn't much fancy the interface, so I wanted to try and get into it to see what it's made of.

The website given in their docs is www.mipcm.com; looking at the website source, it seems like a lot of other cameras use the MIPCM infrastructure to provide their features:

Quote
"www.luxcamapp.eu":{m_title:"Luxcam",m_scheme:"luxsecurityluxcam"},
"kh.gtscn.cn":{m_title:"-GAKATO-SMARTHOME",m_scheme:"guangsudagsdcn"},
"www.62918040.cn":{m_title:"富尼手机看家宝",m_scheme:"http"},
"www.mymobivue.com":{m_title:"MobiVue",m_scheme:"teamresearchastak"},

etc.

I didn't really get anywhere with their website. Going directly to the IP of the webcam gets you a little further; doing a Wireshark snoop of traffic between the camera and the browser reveals that they have a weird sort of public-key encryption scheme going on with their server. The API uses the result of this to negotiate sessions, which can eventually result in RTMP streams. I didn't fancy reimplementing their minified Javascript in another language, so I wanted to see if I could get access to the camera.

Port scanning didn't reveal a lot:

Quote
Host is up (0.036s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
80/tcp   open  http
7010/tcp open  ups-onlinet
7020/tcp open  unknown
8600/tcp open  asterix

Port 8600 always responded with a binary message; when I was playing with this I couldn't format a request in the right format.

Quote
'8\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002\xd517\x00\x00\x00\x00\xc4\x87#@\x00\x00\x00\x00\xf5\x8f\x05Tmrmt_hello\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\xe8\x87#@\x00\x00\x00\x00<removed webcam ID>\n\x00\x00'

(The mrmt_hello in this response is tantalisingly annoying).

Getting access to the communications between the camera and the cloud was tricky; I eventually solved it by making a bridge using a Raspberry Pi and sniffing the interface. The IP address it mainly talks to is 31.204.95.225, which is a mipcm server (it returns similar HTML to www.mipcm.com). The communications appear encoded to some degree, so I couldn't really read them.

As a last resort I used the online upgrade feature in the hope that it would make an HTTP request; and it did:

Quote
GET /version/ipc/gm8126/v1.9.5.1510231507/ipc_pack_patch_from_v1.7.1.1503091547_to_v1.9.5.1510231507.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) MiningHTTPClient/0.1
Connection: Keep-Alive
Host: 61.147.109.92

This was on port 7080. The downloaded file appears to be packed using something called "ipc_pack" (at least, that's the first few bytes of the response). It also contains a binary file:

Quote
emrakul@emrakul:/raid/ipccamera$ binwalk httpresponse

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
514205        0x7D89D         ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

It also finishes with some scripting:

Quote
unlzma -c /project/*.tar.lzma > /tmp/project.tar
rm /project/*.tar.lzma
patch_result_path=/tmp/patch_result
if [ -e /dev_data/ipc_pack_diff ]; then
    if [ -e /dev_data/com.mining.app.patch ]; then
        cp /dev_data/com.mining.app.patch /bin/
        chmod 777 /bin/com.mining.app.patch
    fi
    com.mining.app.patch -o /tmp/project.tar -n /tmp/project.new.tar -d /dev_data/ipc_pack_diff -f $patch_result_path
    if [ -e $patch_result_path ]; then
        read result < $patch_result_path
        if [ $result = "fail" ]; then
            rm -rf /dev_data/*
            reboot
            exit
        fi
    fi
   
    if [ -e /tmp/project.new.tar ]; then
        echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" patch apply success
        mv /tmp/project.new.tar /tmp/project.tar
    else
        echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" patch apply fail
    fi
fi

tar -xvf /tmp/project.tar -C /project/
rm -rf /tmp/project.tar
chmod -R 777 /project

#dev_start
if [ -e /mnt/mtd/flag_debug_dev_start ]; then
    echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed
else
    echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh
    cd /project/apps/app/ipc/data/sh
    ./dev_start.sh
fi

From the looks of the filenames here and from the server, it looks like it's a GM8126-based camera, which led me to this website.

Things to try next if I really care are:
- Opening it up and trying to get serial access
- Seeing if the encoded protocols contain any similarities to port 8600.

I attached the patch httpresponse in case anyone wants to take a gander. (Also available from the website: http://61.147.109.92:7080/version/ipc/gm8126/v1.9.5.1510231507/ipc_pack_patch_from_v1.7.1.1503091547_to_v1.9.5.1510231507.bin )
« Last Edit: January 04, 2016, 04:48:12 pm by cmeister2 »

January 23, 2016, 11:07:22 am
So my CP2102 USB-UART chip came. I plugged it into the motherboard of the maisi camera, and the magic settings are 38400 baud / 8 data bits / 1 stop bit / No parity.

Got the following output on startup:

Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.01.23 15:57:56 =~=~=~=~=~=~=~=~=~=~=~=
               MP SPI-NOR Bootstrap v0.2


Boot image offset: 0x10000. Booting Image .....


0567Will set the following freq...

PLL1: 800 MHz, PLL2: 540 MHz, CPU freq: 540 MHz, AHB freq: 270 MHz, DDR freq: 800 MHz

go...


*********************************************

Please input Space to run Linux

Please input ESC to run UBOOT

Please input . to run burn-in

Otherwise, system will run Linux after 5 sec

*********************************************

Load image from SPI-NOR offset 0xd0000 to sdram 0x4000000

Jump 0x4000000

Uncompressing Linux... done, booting the kernel.
Linux version 2.6.28 (root@debian) (gcc version 4.4.0 (Faraday C/C++ Compiler Release 20100325) ) #842 PREEMPT Mon Mar 9 15:47:40 HKT 2015
CPU: FA626TE [66056261] revision 1 (ARMv5TE), cr=0000797f
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Machine: Faraday GM8126
Warning: bad configuration page, trying to continue
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: mem=128M console=uart,shift,2,io,0xF9830000,38400
Early serial console at I/O port 0xf9830000 (options '38400', shift 2)
console [uart0] enabled
PID hash table entries: 512 (order: 9, 2048 bytes)
IC: GM8128 MP
GM Clock: CPU = 540 MHz, AHBCLK = 270 MHz, PLL1CLK = 800 MHz, PLL2CLK = 540 MHz
console handover: boot [uart0] -> real [ttyS0]
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 118228KB available (3662K code, 322K data, 7524K init)
Calibrating delay loop... 534.52 BogoMIPS (lpj=267264)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
net_namespace: 636 bytes
Fmem: node 0 is online, alloc pages = 12288(active pages = 32768)
high_memory:0xc8000000, VM Start:0xc8800000, End:0xe0000000
NET: Registered protocol family 16
PMU: Mapped at 0xf9900000
pmu_get_cpu_clk:221 <fclk_mode=2, pll2_out=540000000>
Attach GM AHB-DMA Driver
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
Video Timer(timer3) Max 31000ms in 0xf9720840 HZ.
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 231
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
probe ftgpio010.0 OK!!, at c8858000
probe ftgpio010.1 OK!!, at c885c000
probe ftgpio010.2 OK!!, at c8860000
Serial: 8250/16550 driver 1 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xf9830000 (irq = 9) is a 16550A
brd: module loaded
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
rtl8150: v0.6.2 (2004/08/27):rtl8150 based usb-ethernet driver
usbcore: registered new interface driver rtl8150
usbcore: registered new interface driver asix
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver net1080
usbcore: registered new interface driver cdc_subset
usbcore: registered new interface driver zaurus
Linux video capture interface: v2.00
Driver 'sd' needs updating - please use bus_type methods
Driver 'sr' needs updating - please use bus_type methods
Creating 6 MTD partitions on "wb_spi_flash":
0x000d0000-0x00bff000 : "Linux Section"
0x00c00000-0x01000000 : "User Section"
0x00001000-0x00010000 : "Loader Section"
0x00010000-0x000b0000 : "BurnIn Section"
0x000b0000-0x000ce000 : "UBoot Section"
0x000ce000-0x000d0000 : "CFG Section"
Probe FTSSP010 SPI Controller at 0x98200000 (irq 6)
usbmon: debugfs is not available
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
AMBA bus_register ok
Enter Device A
temp = 340
Drive Vbus because of ID pin shows Device A
otg2xx device_register ok
AMBA_bus_match(...) Found Driver FOTG2XX_DRV
AMBA_bus_match(...) Found Driver FOTG2XX_DRV
FOTG2XX_DRV fotg2xx_dev: GM  USB2.0 Host Controller
FOTG2XX_DRV fotg2xx_dev: new USB bus registered, assigned bus number 1
FOTG2XX_DRV fotg2xx_dev: irq 4, io mem 0xf9220000
FOTG2XX_DRV fotg2xx_dev: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
FOTG200 Controller Initialization
fotg200 int enable = 1f30
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
i2c-mining-gpio i2c-mining-gpio.0: using pins 23 (SDA) and 24 (SCL, no clock stretching)
usbcore: registered new interface driver usbhid
usbhid: v2.6:USB HID core driver
Advanced Linux Sound Architecture Driver Version 1.0.18rc3.
ALSA device list:
  No soundcards found.
TCP cubic registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
Freeing init memory: 7524K
usb 1-1: new high speed USB device using FOTG2XX_DRV and address 2
port status 10009
2nd port status 10009
***************************************
Busybox starts to run
***************************************
--------------starting mdev..............
Mounting root fs rw ...
Mounting other filesystems ...
Setting hostname ...
Mounting user's MTD partion
Adjust ingore, mtd1_len = 4194304
Has JFFS2 on mtdblock1
usb 1-1: configuration #1 chosen from 1 choice
mnvram_data_read ok. magic ok. addr:c6940000, data_size_read:36, crc:1564261398 !!. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:97
mnvram_data_read ok. data_size:36 !!, data:{xlen:1156,ylen:141,xpos:383,ypos:1}mvar_video:1}. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:118
mnvram_create crc 0-->1564261398!!, /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:267
insmod: page allocation failure. order:2, mode:0x20
[<c0a299dc>] (dump_stack+0x0/0x14) from [<c07aa3c0>] (__alloc_pages_internal+0x3c0/0x3e8)
[<c07aa000>] (__alloc_pages_internal+0x0/0x3e8) from [<c07c931c>] (cache_alloc_refill+0x2e0/0x5f8)
[<c07c903c>] (cache_alloc_refill+0x0/0x5f8) from [<c07c9868>] (__kmalloc+0x8c/0xd0)
[<c07c97dc>] (__kmalloc+0x0/0xd0) from [<bf0007e4>] (mnvram_create+0x18c/0x598 [mnvram])
 r7:000000db r6:c0374000 r5:00000c59 r4:bf001620
[<bf000658>] (mnvram_create+0x0/0x598 [mnvram]) from [<bf00401c>] (init_module+0x1c/0x3c [mnvram])
[<bf004000>] (init_module+0x0/0x3c [mnvram]) from [<c0762acc>] (do_one_initcall+0x54/0x17c)
[<c0762a78>] (do_one_initcall+0x0/0x17c) from [<c079e7d4>] (sys_init_module+0x98/0x184)
 r7:00002096 r6:00000000 r5:000ac008 r4:bf0014e0
[<c079e73c>] (sys_init_module+0x0/0x184) from [<c0764020>] (ret_fast_syscall+0x0/0x2c)
 r7:00000080 r6:bed48dce r5:00089a72 r4:00002096
Mem-info:
Normal per-cpu:
CPU    0: hi:   42, btch:   7 usd:  29
Active_anon:42 active_file:252 inactive_anon:65
 inactive_file:5032 unevictable:66 dirty:0 writeback:0 unstable:0
 free:137 slab:13368 mapped:172 pagetables:18 bounce:0
Normal free:548kB min:1440kB low:1800kB high:2160kB active_anon:168kB inactive_anon:260kB active_file:1008kB inactive_file:20128kB unevictable:264kB present:130048kB pages_scanned:131 all_unreclaimable? no
lowmem_reserve[]: 0 0
Normal: 1*4kB 0*8kB 0*16kB 1*32kB 0*64kB 0*128kB 0*256kB 1*512kB 0*1024kB 0*2048kB 0*4096kB 0*8192kB = 548kB
5350 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
32768 pages of RAM
211 free pages
13583 reserved pages
13368 slab pages
767 pages shared
0 pages swap cached
mnvram_create fail when kmalloc!!. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:227
mnvram_create alloc finish. cast=2, buf_size:16384, buf_counts:3161. data_counts:1, crc_counts:1. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:283
mnvram_create free finish. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:320
mnvram_create remove finish, cast=2. g_cb.buf_counts:4. /home/mining/project/src/kernel/gm8126/arm-linux-2.6.28/module/mnvram/mnvram.c:348
mnvram_init OK!!
ftrtc011 ftrtc011: rtc core: registered ftrtc011 as rtc0

Frammap: 2048 pages in DDR0 are freed.
Frammap: DDR0: memory base=0x3800000, memory size=0x2800000, alignment=256K
Frammap: version 0.28.3, 1 DDR is managed.
FTMAC with FARADAY Internal PHY support
FTMAC110 Driver (Linux 2.6) 01/10/11 - (C) 2011 GM Corp.
reset Faraday Internal PHY.
rt5370sta: module license 'unspecified' taints kernel.
rtusb init rtusbSTA --->


=== pAd = c89a9000, size = 530704 ===

<-- RTMPAllocAdapterBlock, Status=0
NVM is EFUSE
usbcore: registered new interface driver rtusbSTA
mmc0: SDHCI controller on <NULL> [ftsdc010] using DMA
Init SAR ADC done.
register sar adc device (0) OK!!

VideoGraph v0.44 You may use
   #echo 11 > /proc/videograph/dbg
to enable debug mode (0xbf15850c)
Debug message at 0xc8a6f000 start pointer 0xbf1785f0 size 0x124f80
Insert dvr_common driver done.
Platform GM812600
    enc_in0=(buf: 1843200,6,0)
    enc_in0_d=(buf: 1843200,6,1)
    enc_out0=(res: 1280,720)
    enc_out0=(buf: 783360,4,0)
    ssenc_out0=(buf: 783360,1,0)
    sub1_enc_out0=(res: 1280,720)
    sub1_enc_out0=(buf: 783360,2,0)
    sub2_enc_out0=(res: 1280,720)
    sub2_enc_out0=(buf: 783360,2,0)
    enc_in1=(buf: 614400,4,0)
    enc_in1_d=(buf: 614400,4,1)
    enc_out1=(res: 640,480)
    enc_out1=(buf: 261120,4,0)
    scl0_out1=(res: 320,240)
    scl0_out1=(buf: 153600,2,0)
    scl1_out1=(res: 160,112)
    scl1_out1=(buf: 35840,2,0)
    ssenc_out1=(buf: 261120,1,0)
    sub1_enc_out1=(res: 640,480)
    sub1_enc_out1=(buf: 261120,3,0)
    sub2_enc_out1=(res: 640,480)
    sub2_enc_out1=(buf: 261120,3,0)
    enc_in2=(buf: 153600,4,0)
    enc_in2_d=(buf: 153600,4,1)
    enc_out2=(res: 320,240)
    enc_out2=(buf: 65280,4,0)
    ssenc_out2=(buf: 65280,1,0)
    sub1_enc_out2=(res: 320,240)
    sub1_enc_out2=(buf: 65280,3,0)
    sub2_enc_out2=(res: 320,240)
    sub2_enc_out2=(buf: 65280,3,0)
    enc_in3=(buf: 35840,4,0)
    enc_in3_d=(buf: 35840,4,1)
    enc_out3=(res: 160,112)
    enc_out3=(buf: 20000,4,0)
    ssenc_out3=(buf: 15232,1,0)
    sub1_enc_out3=(res: 160,112)
    sub1_enc_out3=(buf: 20000,3,0)
    sub2_enc_out3=(res: 160,112)
    sub2_enc_out3=(buf: 20000,3,0)
ISP v3.20, built @ Oct 17 2013 15:48:46
set cmos clk out 27000000 Hz
pixel clock 42187500
27M
fcap: V0.3.13
vcap_dev: [0]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0
LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1

fcap: [0]: Link List mode!
fcap: fosd00: minor=55
fcap: fosd02: minor=54
fcap: fosd01: minor=53
fcap: fosd03: minor=52
vcap_dev: [1]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0
LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1

fcap: [1]: Link List mode!
fcap: fosd10: minor=51
fcap: fosd12: minor=50
fcap: fosd11: minor=49
fcap: fosd13: minor=48
load CFG: /etc/mipc/isp_ov9710.cfg
SCL: Version, v1.17
SCL: div:4
FAVC Encoder IRQ mode(29)v4.2.1
FAVC codec Max Resolution is 1280x720, built @ May 15 2012 15:43:33
MCP100 driver with CPU for VG,
GM8126 MPEG4 with CPU for VG, decoder ver: 3.2.2, encoder ver: 3.2.8, built @ May 14 2012 15:30:49
GM8126 MJPEG with CPU for VG, encoder ver: 3.2.5, decoder ver: 3.1.4, built @ May 14 2012 15:30:35

FTDI210 registers 32 entities to video graph!
FTDI210 Driver v1.4 (1 engine(s))
ft-32ssp: common[ver:0.3.4] INIT OK!
card->cardno = 2
card->pbase = 98a00000
card->vbase = c8efe000
card->irq = 11
my_card->capture.dma_ch = 4
my_card->playback.dma_ch = 5
ft-32ssp: SoundCard(2) attached OK (c69e35d0)
I2S probe ok in Slave mode.
ADDR: ae:ca:05:f9:18:53
ftmac110_link_change:2225 <SPEED100>
ftmac110_link_change:2239 <FULL>
input_mode = 0
ADDR: ae:ca:05:f9:18:53
ftmac110_link_change:2225 <SPEED100>
ftmac110_link_change:2239 <FULL>


Welcome to <camera ID>@12024@m@u (armv5tel-Linux-2.6.28@ttyS0/b)

FaradGPIO-21 autorequested
ay GPIO-9 autorequested
ARM Linux 2.6



Copyright (C) 2005 Faraday Corp. <www.faraday.com.tw>

Released under GNU GPL



<camera id>@12024@m@u login: GPIO-30 autorequested
GPIO-45 autorequested
NICLoadFirmware: We need to load firmware
<-- RTMPAllocTxRxRingMemory, Status=0
RTMP_TimerListAdd: add timer obj c89f4070!
RTMP_TimerListAdd: add timer obj c89f4088!
RTMP_TimerListAdd: add timer obj c89f40a0!
RTMP_TimerListAdd: add timer obj c89f4058!
RTMP_TimerListAdd: add timer obj c89f4010!
RTMP_TimerListAdd: add timer obj c89f4028!
RTMP_TimerListAdd: add timer obj c89be6a4!
RTMP_TimerListAdd: add timer obj c89ab184!
RTMP_TimerListAdd: add timer obj c89ab1a0!
RTMP_TimerListAdd: add timer obj c89be700!
RTMP_TimerListAdd: add timer obj c89adad4!
RTMP_TimerListAdd: add timer obj c89ad344!
RTMP_TimerListAdd: add timer obj c89adab8!
RTMP_TimerListAdd: add timer obj c89adcf8!
RTMP_TimerListAdd: add timer obj c89adaf0!
RTMP_TimerListAdd: add timer obj c89adb0c!
RTMP_TimerListAdd: add timer obj c89adb28!
RTMP_TimerListAdd: add timer obj c89be674!
RTMP_TimerListAdd: add timer obj c89be6e4!
-->RTUSBVenderReset
<--RTUSBVenderReset
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 5
2. Phy Mode = 5
NVM is Efuse and its size =2d[2d0-2fc]
phy mode> Error! The chip does not support 5G band 5!
RTMPSetPhyMode: channel is out of range, use first channel=1
3. Phy Mode = 9
AntCfgInit: primary/secondary ant 0/1
<7>Abnormal time diff = 12 ms

H264 rate control version: fix 0.95
fcap: [0]:OSD P0 default fonts num=42

fcap: [0]:OSD P1 default fonts num=42

Platform 8126 version 81262210
fcap: [0]:IN=ISP
fcap: [1]:OSD P0 default fonts num=42

fcap: [1]:OSD P1 default fonts num=42

bAutoTxAgcG = 0
MCS Set = ff 00 00 00 01
<==== rt28xx_init, Status=0
0x1300 = 00064300
(dataout_0) Timeout to wait AP buffer get, skip! (0xe34a,0xe49c flow 320)

##### Transfer Group 0 Done,555ms!
(dataout_0) Timeout to wait AP buffer get, skip! (0xe4e0,0xe634 flow 320)
(dataout_1) Timeout to wait AP buffer get, skip! (0xe574,0xe6d0 flow 320)

##### Transfer Group 1 Done,531ms!
Platform 8126 version 81262210
fcap: [1]:IN=ISP
GPIO-19 autorequested
27M
(dataout_0) Timeout to wait AP buffer get, skip! (0xe663,0xe7b6 flow 320)
(dataout_1) Timeout to wait AP buffer get, skip! (0xe702,0xe851 flow 320)
(dataout_2) Timeout to wait AP buffer get, skip! (0xe7ad,0xe909 flow 320)

##### Transfer Group 2 Done,531ms!
(dataout_0) Timeout to wait AP buffer get, skip! (0xe7dd,0xe943 flow 320)
(dataout_0) Timeout to wait AP buffer get, skip! (0xe982,0xead1 flow 320)
(dataout_1) Timeout to wait AP buffer get, skip! (0xe987,0xeae5 flow 320)
(dataout_2) Timeout to wait AP buffer get, skip! (0xe988,0xeb0e flow 320)
GPIO-6 autorequested

##### Transfer Group 3 Done,549ms!
---> RTMPFreeTxRxRingMemory
<--- RTMPFreeTxRxRingMemory
RtmpAsicLoadFirmware: ver e9/e9, sum d854/3e50, mac d854e900
RtmpAsicLoadFirmware: WOW stops to go into 4K ram codes ...
NICLoadFirmware: We need to load firmware
<-- RTMPAllocTxRxRingMemory, Status=0
RTMP_TimerListAdd: add timer obj c89f4070!
RTMP_TimerListAdd: add timer obj c89f4088!
RTMP_TimerListAdd: add timer obj c89f40a0!
RTMP_TimerListAdd: add timer obj c89f4058!
RTMP_TimerListAdd: add timer obj c89f4010!
RTMP_TimerListAdd: add timer obj c89f4028!
RTMP_TimerListAdd: add timer obj c89be6a4!
RTMP_TimerListAdd: add timer obj c89ab184!
RTMP_TimerListAdd: add timer obj c89ab1a0!
RTMP_TimerListAdd: add timer obj c89be700!
RTMP_TimerListAdd: add timer obj c89adad4!
RTMP_TimerListAdd: add timer obj c89ad344!
RTMP_TimerListAdd: add timer obj c89adab8!
RTMP_TimerListAdd: add timer obj c89adcf8!
RTMP_TimerListAdd: add timer obj c89adaf0!
RTMP_TimerListAdd: add timer obj c89adb0c!
RTMP_TimerListAdd: add timer obj c89adb28!
RTMP_TimerListAdd: add timer obj c89be674!
RTMP_TimerListAdd: add timer obj c89be6e4!
-->RTUSBVenderReset
<--RTUSBVenderReset
CfgSetCountryRegion():CountryRegion in eeprom was programmed
CfgSetCountryRegion():CountryRegion in eeprom was programmed
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 5
2. Phy Mode = 5
NVM is Efuse and its size =2d[2d0-2fc]
phy mode> Error! The chip does not support 5G band 5!
RTMPSetPhyMode: channel is out of range, use first channel=1
3. Phy Mode = 9
AntCfgInit: primary/secondary ant 0/1
<7>Abnormal time diff = 11 ms
bAutoTxAgcG = 0
MCS Set = ff 00 00 00 00
<==== rt28xx_init, Status=0
0x1300 = 00064300
===>rt_ioctl_giwscan. 1(1) BSS returned, data->length = 226
__ratelimit: 2 callbacks suppressed
(dataout_1) Timeout to wait AP buffer get, skip! (0x47f,0x5c2 flow 320)
(dataout_2) Timeout to wait AP buffer get, skip! (0x47a,0x5f5 flow 320)
===>rt_ioctl_giwscan. 8(8) BSS returned, data->length = 1373
===>rt_ioctl_giwscan. 8(8) BSS returned, data->length = 1373
==>rt_ioctl_siwfreq::SIOCSIWFREQ(Channel=11)
RTMP_TimerListAdd: add timer obj c8a258a4!
ERROR!!! RTMPSetTimer failed, Halt in Progress!
---> RTMPFreeTxRxRingMemory
<--- RTMPFreeTxRxRingMemory
RtmpAsicLoadFirmware: ver e9/e9, sum d854/3e50, mac d854e900
RtmpAsicLoadFirmware: WOW stops to go into 4K ram codes ...
NICLoadFirmware: We need to load firmware
<-- RTMPAllocTxRxRingMemory, Status=0
RTMP_TimerListAdd: add timer obj c89f4070!
RTMP_TimerListAdd: add timer obj c89f4088!
RTMP_TimerListAdd: add timer obj c89f40a0!
RTMP_TimerListAdd: add timer obj c89f4058!
RTMP_TimerListAdd: add timer obj c89f4010!
RTMP_TimerListAdd: add timer obj c89f4028!
RTMP_TimerListAdd: add timer obj c89be6a4!
RTMP_TimerListAdd: add timer obj c89ab184!
RTMP_TimerListAdd: add timer obj c89ab1a0!
RTMP_TimerListAdd: add timer obj c89be700!
RTMP_TimerListAdd: add timer obj c89adad4!
RTMP_TimerListAdd: add timer obj c89ad344!
RTMP_TimerListAdd: add timer obj c89adab8!
RTMP_TimerListAdd: add timer obj c89adcf8!
RTMP_TimerListAdd: add timer obj c89adaf0!
RTMP_TimerListAdd: add timer obj c89adb0c!
RTMP_TimerListAdd: add timer obj c89adb28!
RTMP_TimerListAdd: add timer obj c89be674!
RTMP_TimerListAdd: add timer obj c89be6e4!
-->RTUSBVenderReset
<--RTUSBVenderReset
CfgSetCountryRegion():CountryRegion in eeprom was programmed
CfgSetCountryRegion():CountryRegion in eeprom was programmed
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 0
2. Phy Mode = 0
NVM is Efuse and its size =2d[2d0-2fc]
3. Phy Mode = 0
AntCfgInit: primary/secondary ant 0/1
<7>Abnormal time diff = 12 ms
bAutoTxAgcG = 0
RTMPSetPhyMode: channel is out of range, use first channel=1
MCS Set = 00 00 00 00 00
<==== rt28xx_init, Status=0
0x1300 = 000a4200
===>rt_ioctl_giwscan. 1(1) BSS returned, data->length = 226
===>rt_ioctl_giwscan. 6(6) BSS returned, data->length = 1004
===>rt_ioctl_giwscan. 10(10) BSS returned, data->length = 1657
==>rt_ioctl_siwfreq::SIOCSIWFREQ(Channel=11)
===>rt_ioctl_giwscan. 10(10) BSS returned, data->length = 1657
===>rt_ioctl_giwscan. 6(6) BSS returned, data->length = 895
===>rt_ioctl_giwscan. 7(7) BSS returned, data->length = 1121
(dataout_45) Timeout to wait AP buffer get, skip! (0x9b1a,0x9b84 flow 100)
===>rt_ioctl_giwscan. 7(7) BSS returned, data->length = 1271

Looks like there's a UBOOT setting to play with. And plenty to dig into.
« Last Edit: January 23, 2016, 02:03:32 pm by cmeister2 »
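The six "Creating 6 MTD partitions" lines in the boot log above are the map you need before carving a raw flash dump into U-Boot, kernel and filesystem regions. The following is an added shell example, not from the original post or the camera firmware: it parses those lines (copied from the log above as the embedded sample), converts the hex ranges to decimal sizes, and reports unallocated gaps against a 16 MiB flash, the size of the dump described further down the thread. Note that the kernel prints the partitions in mtd-number order, not address order, and that the "User Section" size it computes (4194304) matches the `mtd1_len = 4194304` line later in the same log.

```shell
#!/bin/sh
# Added example (not the camera's own code): parse the MTD partition lines from a
# GM8126 boot log into "start end size name" rows and find unallocated gaps.
# Sample input below is copied from the boot log in this thread.
MTD_LOG='0x000d0000-0x00bff000 : "Linux Section"
0x00c00000-0x01000000 : "User Section"
0x00001000-0x00010000 : "Loader Section"
0x00010000-0x000b0000 : "BurnIn Section"
0x000b0000-0x000ce000 : "UBoot Section"
0x000ce000-0x000d0000 : "CFG Section"'

# Assumption: 16 MiB SPI-NOR, the size of the dump taken over serial in this thread.
FLASH_SIZE=$((0x1000000))

# One row per partition: "<start> <end> <size> <name>" in decimal, sorted by start.
mtd_table() {
    printf '%s\n' "$MTD_LOG" | while IFS= read -r line; do
        range=${line%% : *}            # 0x000d0000-0x00bff000
        name=${line#* : }              # "Linux Section"
        name=${name#\"}; name=${name%\"}
        start=${range%-*}; end=${range#*-}
        printf '%d %d %d %s\n' "$((start))" "$((end))" "$((end - start))" "$name"
    done | sort -n
}

# Size in bytes of the partition whose quoted name is $1 (names may contain spaces).
mtd_size() {
    mtd_table | awk -v want="$1" '
        { n = $4; for (i = 5; i <= NF; i++) n = n " " $i; if (n == want) print $3 }'
}

# Sum of all partition sizes; compare against FLASH_SIZE to see what is unmapped.
mtd_total() {
    mtd_table | awk '{ s += $3 } END { print s }'
}

# Ranges of flash not covered by any partition, as "<start> <end>" rows.
mtd_gaps() {
    mtd_table | awk -v flash="$FLASH_SIZE" '
        { if ($1 > prev) printf "%d %d\n", prev, $1; if ($2 > prev) prev = $2 }
        END { if (flash > prev) printf "%d %d\n", prev, flash }'
}

# Stand-alone run: print the layout and whatever is left unmapped.
echo "start end size name"
mtd_table
echo "unallocated ranges:"
mtd_gaps
```

On this log the two gaps are the first 4 KiB of flash and the 4 KiB between the end of "Linux Section" (0xbff000) and the start of "User Section" (0xc00000); everything else is accounted for by the six partitions.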

January 25, 2016, 08:02:50 am
Success!

Gaining access to U-BOOT allowed me to dump the entire 16MB memory of the device over serial (about 6 hours at 38400 baud).

Running binwalk over the dumped file gave me a Linux filesystem. Digging into that led me to a set of scripts which appear to control lots of the system functionality.

One of the most interesting ones is project\apps\app\ipc\data\sh\sd_card_insert.sh, which contains the following lines of code:

Code:
#run hook
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then
chmod 777 /mnt/sd/upgrade/upgrade.sh
sh /mnt/sd/upgrade/upgrade.sh &
fi

Yes - when you insert an SD card into the camera which contains a script at upgrade/upgrade.sh, it gets run. As root.

One echo "root:root" | chpasswd later, and:

Welcome to <cameraid>@17651@m@u@e.192.168.1.76@w.192.168.1.100 (armv5tel-Linux-2.6.28@ttyS0/b)
Faraday ARM Linux 2.6

Copyright (C) 2005 Faraday Corp. <www.faraday.com.tw>
Released under GNU GPL

<cameraid>@17651@m@u@e.192.168.1.76@w.192.168.1.100 login: root
Password:
|---------------------------------------------------------------------------|
|                    A                                                      |
|                   AAA                                                     |
|                  AAAAA                                                    |
|                 AAAAAAA                                                   |
|                AAAA   AA                                                  |
|         A     AAAA     AA                                                 |
|        AAA   AAAA       AA          AAA   AAAAA    AAA   AAAAA    AAAAA   |
|       AAAAA AAAA         AA              AA   AA        AA   AA  AA   AA  |
|      AAAAAAAAAA           AA        AAA  AA   AA   AAA  AA   AA  AA   AA  |
|     AAAAA AAAA             AA       AAA  AA   AA   AAA  AA   AA  AA   AA  |
|    AAAAA    A               AA      AAA  AA   AA   AAA  AA   AA   AAAAAA  |
|   AAAAA                      AA     AAA  AA   AA   AAA  AA   AA       AA  |
| AAAAAA                        AAAA  AAA  AA   AA   AAA  AA   AA  AAAAAA   |
|===========================================================================|
|                                                                           |
|                                             http://www.shenzhenmining.com |
|                                           power by (C)shenzhenmining 2012 |
|---------------------------------------------------------------------------|
login[1130]: root login on 'ttyS0'


Access gained! In the upgrade script I could have run "telnetd -p <port>" to run the telnet daemon on a port.

It looks like there's another script which runs periodically which changes the root password every few seconds. Not entirely sure what's going on with that, but it's easy enough to get around.
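Both update paths seen in this thread share one defect: the patch script in the first post unpacks and `chmod 777`s whatever came down over plain HTTP, and the sd_card_insert.sh hook above executes whatever is on removable media, with no check in either case that the code came from the vendor. The following is an added shell example, not the camera's own script or anything from the vendor: it is the SD-card hook rewritten so the script is copied off the card and run only if its SHA-256 matches a value pinned in firmware. It assumes `sha256sum` (coreutils or busybox) is present; the pinned-hash file path and the temporary paths used by the demo are placeholders.

```shell
#!/bin/sh
# Added example, not the camera's sd_card_insert.sh: execute an upgrade script from
# removable media only after copying it to RAM and checking its SHA-256 against a
# digest pinned in firmware. Assumes sha256sum is available; paths are placeholders.

# Hex SHA-256 of a file.
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# run_verified_upgrade <sd-mount> <pinned-hash-file>
# Returns 0 only if <sd-mount>/upgrade/upgrade.sh is a regular file whose digest
# equals the first word of <pinned-hash-file>; refuses (returns 1) otherwise.
run_verified_upgrade() {
    sd_mount=$1
    pinned=$2
    script="$sd_mount/upgrade/upgrade.sh"

    # Refuse missing files and symlinks, and refuse when nothing is pinned.
    [ -f "$script" ] && [ ! -L "$script" ] || return 1
    [ -r "$pinned" ] || return 1
    expected=$(head -n 1 "$pinned" | cut -d' ' -f1)
    [ -n "$expected" ] || return 1

    # Copy to RAM first so the bytes that are hashed are the bytes that run;
    # hashing in place on the card leaves a window to swap the contents.
    tmp=$(mktemp) || return 1
    if ! cp "$script" "$tmp"; then rm -f "$tmp"; return 1; fi
    actual=$(file_sha256 "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "upgrade.sh digest mismatch, not running" >&2
        rm -f "$tmp"
        return 1
    fi

    # No chmod 777 needed: the copy is handed to sh explicitly.
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo on constructed files in a temp directory (no real SD card).
demo() {
    sd=$(mktemp -d); pin="$sd/pinned.sha256"
    mkdir -p "$sd/upgrade"
    printf 'echo upgrade-ran > "%s/marker"\n' "$sd" > "$sd/upgrade/upgrade.sh"
    file_sha256 "$sd/upgrade/upgrade.sh" > "$pin"      # what firmware would ship
    if run_verified_upgrade "$sd" "$pin" && [ -f "$sd/marker" ]; then
        echo "verified script ran"
    fi
    echo 'echo tampered' >> "$sd/upgrade/upgrade.sh"    # alter the card contents
    run_verified_upgrade "$sd" "$pin" || echo "tampered script refused"
    rm -rf "$sd"
}
demo
```

A pinned digest is the minimum that fits a busybox-only image: every legitimate upgrade must then ship the next pinned value inside signed firmware, and an unpinned or empty value means nothing from the card runs at all. Where the image can carry an `openssl` or similar binary, verifying a detached signature against a public key baked into the read-only firmware is the better design, since it does not need a new pin per release. Either way the hook should also stop elevating the card's file with `chmod 777` and should keep the upgrade running as an unprivileged user where the job allows it.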

May 16, 2018, 07:29:59 am
Hi cmeister2,

Modified 'upgrade' files are now available at

https://github.com/btsimonh/826-x-ip-camera

Basically, the scripts in the upgrade files (for two base versions) have been updated to enable root telnet and other things.

Have fun and let me know how you get on.
I am unable to test your camera version, but have updated the 'upgrade' file you posted anyway.

s

July 12, 2018, 12:40:35 am
I am very pleased to find this information now because it will make me more aware.