I'd like to share with you my doubts and info about my basic approaches to ELP 720p, another cheap IP cam. Here is the link: (https://www.amazon.it/ELP-Macchina-Fotografica-Videocamere-Sorveglianza/dp/B016Q94M8O/ref=sr_1_1?ie=UTF8&qid=1491553982&sr=8-1-spons&keywords=720p&psc=1).
My goal would be entering into the shell and taking full control.
Problem is that apparently there's not any telnet or SSH service (according to nmap). And I prefer connecting remotely, without serial connection.
I've the last fw inside (firmware_General_HZXM_IPC_HI3518E_50H10L_S38_V4.02.R12.Nat.OnvifS.20160615_ALL), provided from this link (http://www.hkvstar.com/technology-news/china-ip-camera-configuration-firmware.html) and I was able to unpack it. But I think the shell/Busybox doesn't have all the app or the full app (i.e. telnetd, netcap, ...), useful for an injection approach or something like that.
I'm able to connect through the webUI: into the settings menu you can also configure NetServices like emailing, DDNS, FTP, ... The only useful browser to log in into webUI is IE11 without ActiveX control (because off the NPAPI plugin).
According to the info provided from the producer here the protocols: TCP / IP, HTTP, DHCP, DNS, DDNS, PPPoE, SMTP, NTP (HTTPS, RTP / RTSP, SIP, 802.1x, IPv6.
The cam sensor and the SoC: 1/4 "CMOS OV9712 + HI3518C (maybe a Hi3518E)
Connection: only eth (I use a powerline).
I'll show the nmap results in the next reply