Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at


Topics - btsimonh

Hi all,

searched the site for mipc and hit,1429.msg5003.html#msg5003

I recently bought a camera on amazon; it's basically the same firmware as described in the above thread, but updated.  There are a LOT of very similar 'IP cloud' cameras, all using different website URLs.

I started a github here and hope for some collaboration with changing the firmware.....

The mipcm cameras seem to have firmware developed by 'shenzhenmining'; the only other references to them are to dodgy bitcoin mining equipment - maybe they are flooding the market with cameras they can use to mine bitcoin?

The protocol between the camera and the browser uses some 'interesting' methods, which includes 'eval'ing returns to every message (it's called json, but is actually a javascript snippet).

With a serial connection, you can break into the uboot, and with a little careful modification of a JFFS2 partition, gain root access.  From there you can open telnet and ftp access.

The firmware is firmly based on the Grain 8126 SDK, based on a squashfs partition (which MAY be signed) plus a JFFS2 partition.  The method of firmware upgrade I've observed is downloading a file which contains a difference (a patch) on top of the shipping firmware, which is applied every boot to a 'project.rar', which is then extracted to memory to represent the running applications.
The firmware upgrade file can be decomposed into a number of parts, the last of which is a checksum or CRC of some form.  If we could reproduce the upgrade file, then this may provide a 'solderless' path to open firmware on the device.

Observing traffic, it does not SEEM to send all my personal info beyond that required to operate the camera to the internet.  However, the websites have NO privacy policy specified, and there is very little information on the operators (Maybe someone with Chinese language skills would have more success searching?).  There is no subscription cost to using the websites, so how can they operate (many amazon servers) based on the cheap cost of the cameras alone? (I can only assume that the whole operation is financed by some larger entity who wishes to remain secret - maybe the Iranian secret service has a major worldwide exploit going on :) ).
So for the time being, I would NOT recommend exposing your internal LAN to one of these cameras.
I have changed the configuration of my camera to set ALL the IP addresses I could find to be my laptop, yet the camera still knows at least one external address to talk out to, so I can't completely sanitise it yet.

What I would really like to do is completely replace the running firmware with some more open GM8126S firmware which supports OnVif, and over which I have some control.
If anyone knows of efforts to produce such an open firmware, please let me know, or comment in an issue in github.

oh... also, there is one image on the github where a connector is labelled in Chinese - If you read Chinese, can you let me know what it says :)  I think maybe GPIO or 'external triggers'....


The following may be a complete list of brands using this style of firmware:

Code:
"":{m_title:"EYE DOT",m_scheme:"keepereyedot"},
"":{m_title:"DEVELE IPC",m_scheme:"develeipc"},
"":{m_title:"SmartCam HD 1Clic",m_scheme:"macwaysmartcam"},
"":{m_title:"Any Look",m_scheme:"yescctvanylook"},
"":{m_title:"PROLAB CLOUD",m_scheme:"prolabcloud"},
"":{m_title:"E-HAWK", m_scheme:"hootoo"},
"":{m_title:"MIPC",m_scheme:"mipcmv1", },
"":{m_title:"ITACAM", m_scheme:"itacam"},
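
Added example, not part of the original post and not code from the camera's web client: a data-only parser for the object-literal dialect shown in the brand list (unquoted keys, trailing commas), which is the kind of "json" reply the post says gets passed to eval. The name parseLiteral, the accepted grammar subset and the sample host keys are assumptions made for illustration.

```javascript
// Strict, data-only parser for the object-literal dialect seen in the brand list
// (unquoted keys, trailing commas). Anything that is not a literal is rejected.
function parseLiteral(text) {
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const ws = () => { while (/\s/.test(text[i] || "")) i++; };
  // Match `re` (anchored with ^) at the cursor, advance past it, return the lexeme.
  const take = (re, msg) => {
    ws();
    const m = re.exec(text.slice(i)) || fail(msg);
    i += m[0].length;
    return m[0];
  };
  // JSON.parse decodes escapes in a single string literal and never executes code.
  const string = () => JSON.parse(take(/^"(?:[^"\\]|\\.)*"/, "expected string"));
  const key = () => (ws(), text[i] === '"' ? string() : take(/^[A-Za-z_$][\w$]*/, "expected key"));
  function value() {
    ws();
    if (text[i] === "{") return object();
    if (text[i] === '"') return string();
    // Numbers and keywords only; the lookahead refuses identifiers and calls.
    return JSON.parse(take(/^(?:-?\d+(?:\.\d+)?|true|false|null)(?![\w$(])/, "unsupported value"));
  }
  function object() {
    take(/^\{/, "expected '{'");
    const out = Object.create(null); // no prototype, so "__proto__" is an ordinary key
    for (ws(); text[i] !== "}"; ws()) {
      const k = key();
      take(/^:/, "expected ':'");
      out[k] = value();
      ws();
      if (text[i] === ",") i++; // separator; a trailing comma is tolerated
      else if (text[i] !== "}") fail("expected ',' or '}'");
    }
    i++;
    return out;
  }
  const result = object();
  ws();
  if (i !== text.length) fail("trailing input");
  return result;
}

// Constructed sample in the shape of the brand list; the host keys are placeholders.
const sample = `{
  "cam-a.example":{m_title:"MIPC",m_scheme:"mipcmv1", },
  "cam-b.example":{m_title:"E-HAWK", m_scheme:"hootoo"},
}`;
const brands = parseLiteral(sample);
console.log(brands["cam-a.example"].m_scheme, Object.keys(brands).length);
```

A reply containing a call, a bare identifier as a value, or a second statement after the closing brace raises SyntaxError instead of running.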
