Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - cmeister2

Pages: [1]
Hacking & Modding / maisi Cloud IP camera
« on: January 04, 2016, 04:09:25 pm »
I'm posting here because I haven't found any other information about this camera on the net and I want to give the next person to come along a step up, if I can.

I recently purchased a maisi Cloud IP camera, as it was on offer at Amazon ( I didn't much fancy the interface, so I wanted to try and get into it to see what it's made of.

The website given in their docs is; looking at the website source, it seems like a lot of other cameras use the MIPCM infrastructure to provide their features:



I didn't really get anywhere with their website. Going directly to the IP of the webcam gets you a little further; doing a Wireshark snoop of traffic between the camera and the browser reveals that they have a weird sort of public-key encryption scheme going on with their server. The API uses the result of this to negotiate sessions, which can eventually result in RTMP streams. I didn't fancy reimplementing their minified Javascript in another language, so I wanted to see if I could get access to the camera.

Port scanning didn't reveal a lot:

Host is up (0.036s latency).
Not shown: 65531 closed ports
80/tcp   open  http
7010/tcp open  ups-onlinet
7020/tcp open  unknown
8600/tcp open  asterix

Port 8600 always responded with a binary message; when I was playing with this I couldn't format a request in the right format.

'8\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002\xd517\x00\x00\x00\x00\xc4\x87#@\x00\x00\x00\x00\xf5\x8f\x05Tmrmt_hello\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\xe8\x87#@\x00\x00\x00\x00<removed webcam ID>\n\x00\x00'

(The mrmt_hello in this response is tantalisingly annoying).

Getting access to the communications between the camera and the cloud was tricky; I eventually solved it by making a bridge using a Raspberry Pi and sniffing the interface. The IP address it mainly talks to is, which is a mipcm server (it returns similar HTML to The communications appear encoded to some degree, so I couldn't really read them.

As a last resort I used the online upgrade feature in the hope that it would make an HTTP request; and it did:

GET /version/ipc/gm8126/v1.9.5.1510231507/ipc_pack_patch_from_v1.7.1.1503091547_to_v1.9.5.1510231507.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) MiningHTTPClient/0.1
Connection: Keep-Alive

This was on port 7080. The downloaded file appears to be packed using something called "ipc_pack" (at least, that's the first few bytes of the response). It also contains a binary file:

emrakul@emrakul:/raid/ipccamera$ binwalk httpresponse

514205        0x7D89D         ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

It also finishes with some scripting:

unlzma -c /project/*.tar.lzma > /tmp/project.tar
rm /project/*.tar.lzma
if [ -e /dev_data/ipc_pack_diff ]; then
    if [ -e /dev_data/ ]; then
        cp /dev_data/ /bin/
        chmod 777 /bin/
    fi -o /tmp/project.tar -n /tmp/ -d /dev_data/ipc_pack_diff -f $patch_result_path
    if [ -e $patch_result_path ]; then
        read result < $patch_result_path
        if [ $result = "fail" ]; then
            rm -rf /dev_data/*
    if [ -e /tmp/ ]; then
        echo "[`date '+%Y-%m-%d %H:%M:%S'`]" patch apply success
        mv /tmp/ /tmp/project.tar
        echo "[`date '+%Y-%m-%d %H:%M:%S'`]" patch apply fail

tar -xvf /tmp/project.tar -C /project/
rm -rf /tmp/project.tar
chmod -R 777 /project

if [ -e /mnt/mtd/flag_debug_dev_start ]; then
    echo "[`date '+%Y-%m-%d %H:%M:%S'`]" /mnt/mtd/flag_debug_dev_start existed
    echo "[`date '+%Y-%m-%d %H:%M:%S'`]" run /project/apps/app/ipc/data/sh/
    cd /project/apps/app/ipc/data/sh

From the looks of the filenames here and from the server it looks like it's a GM8126 based camera, which led me to this website.

Things to try next if I really care are:
- Opening it up and trying to get serial access
- Seeing if the encoded protocols contain any similarities to port 8600.

I attached the patch httpresponse in case anyone wants to take a gander. (Also available from the website: )

Pages: [1]