News:

Registered a URL and set up a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog


Topics - krokos

1
Hi,

I have got my hands on a Yi home camera that is basically a hi3518 based camera. I have root terminal access to it via telnet and it is already running an FTP server among other stuff, so I can easily copy files over to it.

The first lines of dmesg are like this:

Quote
Linux version 3.0.8 (rock07@Server) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #1 Wed Apr 30 16:56:49 CST 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518

So, I want to cross compile a simple "Hello World" C program for it. I downloaded the hi3518 SDK (v. 1.0.7.0) and I can successfully run the compiler.

Quote
$ arm-hisiv100nptl-linux-gcc --version
arm-hisiv100nptl-linux-gcc (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) 4.4.1
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Then I wrote the simplest Hello World program I could think of:
Code:
#include <stdio.h>

int main(void){
    printf("\n-----------\nHello, I am the Yi camera!\n-----------\n\n\r");
    return 0;
}

I am trying to compile it with the following command:
Quote
$ arm-hisiv100nptl-linux-gcc hello.c -o hello

I also tried to specify the architecture, with the same results:
Quote
arm-hisiv100nptl-linux-gcc -march=armv5 hello.c -o hello
And an executable called "hello" is created as expected.
As soon as I transfer it over to the camera and make it executable (just to be sure), I get an "Illegal instruction" thrown at me when I try to run it.
Quote
./hello
Illegal instruction

Any ideas on why this happens? It should be pretty much straightforward to run this. What am I doing wrong?
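A check for the build described in the post above, as an added example that is not part of the original post: it reads the `Tag_CPU_arch` build attribute from the `.ARM.attributes` section of a 32-bit little-endian ARM ELF file and compares it with ARMv5TEJ, the architecture dmesg reports for this camera. All function names are assumptions of this example; a value above 5 means the linked image declares a newer architecture than the ARM926EJ-S implements.

```python
import struct

SHT_ARM_ATTRIBUTES = 0x70000003
CPU_MAX = 5  # Tag_CPU_arch value for ARMv5TEJ, the core dmesg reports in the post

def uleb(buf, i):  # decode one ULEB128 number at buf[i]; return (value, next index)
    val = shift = 0
    while True:
        val |= (buf[i] & 0x7F) << shift
        shift, i = shift + 7, i + 1
        if buf[i - 1] < 0x80:
            return val, i

def parse_attrs(sec):  # return Tag_CPU_arch (tag 6) from the 'aeabi' attributes, or None
    i = 1  # byte 0 is the format version 'A'
    while sec[:1] == b"A" and i + 4 < len(sec):
        end = i + struct.unpack_from("<I", sec, i)[0]
        j = sec.index(b"\0", i + 4) + 1  # vendor name is NUL-terminated
        vendor = sec[i + 4:j - 1]
        while vendor == b"aeabi" and j + 5 <= end:
            size = struct.unpack_from("<I", sec, j + 1)[0]
            k, stop = j + 5, j + size
            while sec[j] == 1 and k < stop:  # 1 = Tag_File, whole-file scope
                tag, k = uleb(sec, k)
                is_str = tag in (4, 5) or (tag > 32 and tag % 2)
                val, k = (None, k) if is_str else uleb(sec, k)
                if is_str or tag == 32:  # skip a NUL-terminated string value
                    k = sec.index(b"\0", k) + 1
                if tag == 6:
                    return val
            j += max(size, 5)  # never step by less than a sub-subsection header
        i = max(end, i + 5)
    return None

def cpu_arch(elf):  # return Tag_CPU_arch of a 32-bit little-endian ARM ELF, or None
    if elf[:6] != b"\x7fELF\x01\x01" or struct.unpack_from("<H", elf, 18)[0] != 40:
        raise ValueError("not a 32-bit little-endian ARM ELF")
    shoff = struct.unpack_from("<I", elf, 0x20)[0]
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x2E)
    for n in range(shnum):
        typ, _, _, off, size = struct.unpack_from("<5I", elf, shoff + n * shentsize + 4)
        if typ == SHT_ARM_ATTRIBUTES:
            return parse_attrs(elf[off:off + size])
    return None

def fits_armv5tej(elf):  # True if the declared architecture is ARMv5TEJ or older
    arch = cpu_arch(elf)
    return arch is not None and arch <= CPU_MAX
```

Call it as `fits_armv5tej(open("hello", "rb").read())` on the cross-compiled file; `readelf -A hello` prints the same attributes in text form.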

2
Hey, I'd like to report a serious security vulnerability with a rather popular network camera by Tenvis, model "JPT3815W". I haven't tested if other models or firmware are affected as of now. My firmware is "version 1.1.0.5" and it's a 2014 model.

Long story short, it's very easy to access the live video feed from the camera without supplying any credentials. However, that's not the worst of it.

The problem is that it's equally easy to get the wifi password of the network that the camera is installed in, along with its SSID! All the attacker needs is the camera's IP address (or the unique URL from Tenvis' DDNS).

For more details on how to reproduce that please check my article. I'm very interested in learning if this is a vulnerability shared among other models, firmware versions or even brands. Since we are talking about clones, their software is pretty much the same.
The Chinese weren't particularly impressed when I contacted them about this and simply replied "I’m afraid at present, we have no better way to protect customer’s privacy. Hope you can understand our difficulty."  :P :P :P ::)

Anyway, if you find the same vulnerability elsewhere, please report it here! :)

Take care!
