Topics - cmeister2

Hacking & Modding / maisi Cloud IP camera
« on: January 04, 2016, 04:09:25 pm »
I'm posting here because I haven't found any other information about this camera on the net and I want to give the next person to come along a step up, if I can.

I recently purchased a maisi Cloud IP camera, as it was on offer at Amazon (http://www.amazon.co.uk/dp/B013QOI8LE). I didn't much fancy the interface, so I wanted to try and get into it to see what it's made of.

The website given in their docs is www.mipcm.com; looking at the website source, it seems like a lot of other cameras use the MIPCM infrastructure to provide their features:

Quote
"www.luxcamapp.eu":{m_title:"Luxcam",m_scheme:"luxsecurityluxcam"},
"kh.gtscn.cn":{m_title:"-GAKATO-SMARTHOME",m_scheme:"guangsudagsdcn"},
"www.62918040.cn":{m_title:"富尼手机看家宝",m_scheme:"http"},
"www.mymobivue.com":{m_title:"MobiVue",m_scheme:"teamresearchastak"},

etc.

I didn't really get anywhere with their website. Going directly to the IP of the webcam gets you a little further; doing a Wireshark snoop of traffic between the camera and the browser reveals that they have a weird sort of public-key encryption scheme going on with their server. The API uses the result of this to negotiate sessions, which can eventually result in RTMP streams. I didn't fancy reimplementing their minified JavaScript in another language, so I wanted to see if I could get access to the camera.

Port scanning didn't reveal a lot:

Quote
Host is up (0.036s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
80/tcp   open  http
7010/tcp open  ups-onlinet
7020/tcp open  unknown
8600/tcp open  asterix

Port 8600 always responded with a binary message; when I was playing with this I couldn't format a request in the right format.

Quote
'8\x00\x00\x00l\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002\xd517\x00\x00\x00\x00\xc4\x87#@\x00\x00\x00\x00\xf5\x8f\x05Tmrmt_hello\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\xe8\x87#@\x00\x00\x00\x00<removed webcam ID>\n\x00\x00'

(The mrmt_hello in this response is tantalisingly annoying).

Getting access to the communications between the camera and the cloud was tricky; I eventually solved it by making a bridge using a Raspberry Pi and sniffing the interface. The IP address it mainly talks to is 31.204.95.225, which is a mipcm server (it returns similar HTML to www.mipcm.com). The communications appear encoded to some degree, so I couldn't really read them.

As a last resort I used the online upgrade feature in the hope that it would make an HTTP request; and it did:

Quote
GET /version/ipc/gm8126/v1.9.5.1510231507/ipc_pack_patch_from_v1.7.1.1503091547_to_v1.9.5.1510231507.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) MiningHTTPClient/0.1
Connection: Keep-Alive
Host: 61.147.109.92

This was on port 7080. The downloaded file appears to be packed using something called "ipc_pack" (at least, that's the first few bytes of the response). It also contains a binary file:

Quote
emrakul@emrakul:/raid/ipccamera$ binwalk httpresponse

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
514205        0x7D89D         ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

It also finishes with some scripting:

Quote
unlzma -c /project/*.tar.lzma > /tmp/project.tar
rm /project/*.tar.lzma
patch_result_path=/tmp/patch_result
if [ -e /dev_data/ipc_pack_diff ]; then
    if [ -e /dev_data/com.mining.app.patch ]; then
        cp /dev_data/com.mining.app.patch /bin/
        chmod 777 /bin/com.mining.app.patch
    fi
    com.mining.app.patch -o /tmp/project.tar -n /tmp/project.new.tar -d /dev_data/ipc_pack_diff -f $patch_result_path
    if [ -e $patch_result_path ]; then
        read result < $patch_result_path
        if [ $result = "fail" ]; then
            rm -rf /dev_data/*
            reboot
            exit
        fi
    fi
   
    if [ -e /tmp/project.new.tar ]; then
        echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" patch apply success
        mv /tmp/project.new.tar /tmp/project.tar
    else
        echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" patch apply fail
    fi
fi

tar -xvf /tmp/project.tar -C /project/
rm -rf /tmp/project.tar
chmod -R 777 /project

#dev_start
if [ -e /mnt/mtd/flag_debug_dev_start ]; then
    echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed
else
    echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh
    cd /project/apps/app/ipc/data/sh
    ./dev_start.sh
fi

From the looks of the filenames here and from the server, it looks like it's a GM8126-based camera, which led me to this website.

Things to try next if I really care are:
- Opening it up and trying to get serial access
- Seeing if the encoded protocols contain any similarities to port 8600.

I attached the patch httpresponse in case anyone wants to take a gander. (Also available from the website: http://61.147.109.92:7080/version/ipc/gm8126/v1.9.5.1510231507/ipc_pack_patch_from_v1.7.1.1503091547_to_v1.9.5.1510231507.bin )
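
Added example (not part of the original post, and not the vendor's tooling): a first-pass triage of an update blob like the one described above, checking the leading "ipc_pack" magic, validating embedded ELF headers rather than trusting the 4-byte magic alone, and pulling out the trailing script for review. The sample blob is constructed, and all function names are this example's own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40  # e_machine value for ARM in the ELF specification

def find_elf_headers(blob):
    """Return (offset, info) for each ELF magic that is followed by a sane header."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + 20]
        # e_ident: class and data encoding are 1 or 2, version is 1; this
        # rejects chance occurrences of the 4-byte magic inside packed data.
        if len(hdr) == 20 and hdr[4] in (1, 2) and hdr[5] in (1, 2) and hdr[6] == 1:
            endian = "<" if hdr[5] == 1 else ">"
            e_type, e_machine = struct.unpack(endian + "HH", hdr[16:20])
            hits.append((pos, {"bits": 32 if hdr[4] == 1 else 64,
                               "endian": "LSB" if hdr[5] == 1 else "MSB",
                               "executable": e_type == 2,
                               "arm": e_machine == EM_ARM}))
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits

def trailing_text(blob, min_len=16):
    """Return the printable ASCII tail of blob (an appended script), or ''."""
    i = len(blob)
    while i > 0 and (blob[i - 1] in b"\t\n\r" or 32 <= blob[i - 1] < 127):
        i -= 1
    tail = blob[i:].decode("ascii")
    return tail if len(tail) >= min_len else ""

def triage(blob, magic=b"ipc_pack"):
    """Summarise an update blob: leading magic, embedded ELF headers, script tail."""
    return {"magic_ok": blob.startswith(magic),
            "elf": find_elf_headers(blob),
            "script": trailing_text(blob)}

def sample_blob():
    """Constructed stand-in for the download, not bytes from the real file."""
    elf = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9) + struct.pack("<HH", 2, EM_ARM)
    decoy = ELF_MAGIC + b"\xff\xff\xff" + bytes(13)  # magic with invalid e_ident
    script = b"tar -xvf /tmp/project.tar -C /project/\nchmod -R 777 /project\n"
    return b"ipc_pack" + bytes(24) + decoy + bytes(8) + elf + bytes(32) + script

if __name__ == "__main__":
    print(triage(sample_blob()))
```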
