Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Author Topic: How I got root on my camera  (Read 285 times)

  • No avatar
  • *
July 02, 2017, 04:22:42 pm
My camera uses a mobile app (Showmo) to use a China based cloud service for all device control. I tried to http directly to the camera with my browser but all I get is a blank listing of "Index of /mnt/web/".

So I did a bit of sleuthing and found this:

So I tried that out:

Code: [Select]
$ nmap -sV -T4 -F
This reports the following:

Code: [Select]
Starting Nmap 7.01 ( ) at 2017-07-02 15:41 EDT
Nmap scan report for
Host is up (0.89s latency).
Not shown: 98 closed ports
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

So it's running uc-httpd 1.0.0.  Well a bit of googling later I come to learn that this is a httpd with a directory traversal bug.

And there's a little python program provided to attack my camera.

Code: [Select]
$ python2
[+] uc-httpd 0day exploiter [+]
[+] usage: python http://<target_ip>
[+] File or Directory: /etc/passwd


So then I fed this into johntheripper with gpu acceleration and I got my root password in a few minutes.

Code: [Select]
$ telnet
Connected to
Escape character is '^]'.
IPC365 login: root
login: can't chdir to home directory '/root'
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:

BusyBox v1.19.4 (2014-12-19 12:49:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

So I poked around and learned this a GM8136 device.

I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.

Following the instructions in the SDK, I was able to crosscompile a full copy of busybox and get it into my /tmp/ directory and it works beautifully.

Poking around, I've learned the following:

Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.

So the punchline is that I have root over telnet, but I cannot access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.

One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.

So that's how I got this far. I hope my experience helps others to explore their own cameras.

Anyway, what now?