
Interested? comment here

Open btsimonh opened this issue 6 years ago • 51 comments

This repo is my exposure of my attempt to keep my privacy faced with Chinese hardware with no published privacy policy.... If you have the same or similar camera, and are interested in contributing, then put a comment against this issue; maybe we can collaborate. I've got the initial work done (root prompt, but requiring serial access to establish, permanently), but the ideal would be an exploit which did not require serial access. There are promising hints of such exploits, but they require detailed investigation (ARM decompilation and debugging) which I simply don't have the time to do. There are also (purely from the connections of the developer) hints that these cameras may actually be mining bitcoin on the developer's behalf - a good way of financing the internet infrastructure required for delivering the cloud video. I've not got a problem with that :). But I do need to have some guarantees about its interaction with my home network....

btsimonh avatar May 01 '18 19:05 btsimonh

j3 translation = 左右 or left/right

bt mining on a gm8126, that would be amusing. I very very very much doubt it!

Have the SDK on the website under files/ARM9/GM8126

csloz avatar May 12 '18 14:05 csloz

I don't mind using serial ports. I would like to try this soon. I got mine also from Amazon for ~$20 and it is absolutely great quality for a cheap IP camera. It would be great to figure out how to create a custom kernel for this thing. You are way more advanced here than I am, but I always try to get root on all my Android devices and install custom ROMs. I used to build the OS formerly known as CyanogenMod (can't remember the new name, as my shitty S7 has a locked bootloader. No hacks!) for my Galaxy S5. I have used TFTP to flash many DD-WRT routers. So I know a bit. I will help out all I can.

Lexridge avatar Jul 08 '18 04:07 Lexridge

Interested. Mine is an "ieGeek" branded model. The admin interface reports model "f128" and software version "v5.1.8.1807231703", so some way ahead of your patches

BenHarris avatar Aug 30 '18 12:08 BenHarris

Bit of an update. I hooked up the serial connection, but it looks like the mmc utility has now been removed from the latest firmware, unfortunately! Any thoughts which don't require I buy an EEPROM programmer?

Here's what we have left

boot
bootd
bootlogo
bootm
bootp
chpart
cmp
cp
crc32
dcache
env
erase
fatinfo
fatload
fatls
flinfo
fwupd
go
help
i2c
icache
l2cache_test
md
memtester
mii
mm
mtdparts
mtest
mw
nm
ping
printenv
protect
reset
run
saveenv
setenv
sf
sspi
tftpboot
usb
usbboot
version

BenHarris avatar Aug 30 '18 15:08 BenHarris

Hmm... I did not try the USB; you would need a cable with which you could both power it and plug in a USB device; but I suppose there is no reason for them to have wired it ..... You could dump the memory to serial, capture it and then write a program to reconstruct; may take some time :). But if you can get an image then modifying the upgrade file from the image may work. You could TFTP boot a custom U-Boot with mmc available :). Done that a couple of times on old routers; not fun. This covers all the options :).

btsimonh avatar Aug 30 '18 15:08 btsimonh
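The "dump the memory to serial, capture it and then write a program to reconstruct" route from the comment above, as an added example (not code from this repository or from any of the commenters). It assumes the dump was made with U-Boot's `md.b <addr> <count>` and the terminal session was logged to a text file, so every data line has the `md.b` layout: an 8-hex-digit address, a colon, sixteen two-digit hex bytes, four spaces, then the ASCII column. Prompts, echoed commands and line noise are skipped, and a gap or overlap between consecutive lines (a dropped line in the capture is the usual failure) raises instead of silently producing a misaligned image. The capture text embedded below is constructed for illustration; the `=> ` prompt is U-Boot's default and may differ on the camera.

```python
"""Reassemble a binary image from a logged U-Boot `md.b` dump (added example)."""
import re
import sys

# One md.b data line: ADDRESS: XX XX ... XX    <ascii column>
# The ASCII column (after four spaces) is ignored; it can contain anything.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2})+)(?:\s{4}.*)?$")

# Constructed sample capture, not real camera output.
SAMPLE_CAPTURE = """\
=> md.b 0x80000000 0x20
80000000: 27 05 19 56 00 00 00 00 de ad be ef 41 42 43 44    '..V........ABCD
80000010: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54    EFGHIJKLMNOPQRST
=> \
"""


def parse_md_dump(text):
    """Return (base_address, data) reconstructed from md.b output.

    Raises ValueError if no data lines are present or if the addresses are
    not contiguous (a dropped or duplicated line in the serial capture).
    """
    base = None
    expected = None
    out = bytearray()
    for raw in text.splitlines():
        m = MD_LINE.match(raw.rstrip("\r"))
        if not m:
            continue  # prompt, echoed command, or noise: not a data line
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if base is None:
            base = expected = addr
        elif addr != expected:
            raise ValueError(
                f"non-contiguous dump: got {addr:#010x}, expected {expected:#010x}"
            )
        out += chunk
        expected = addr + len(chunk)
    if base is None:
        raise ValueError("no md.b data lines found in capture")
    return base, bytes(out)


if __name__ == "__main__":
    # Usage: python md_reassemble.py capture.log out.bin
    with open(sys.argv[1], "r", errors="replace") as fh:
        base, data = parse_md_dump(fh.read())
    with open(sys.argv[2], "wb") as fh:
        fh.write(data)
    print(f"wrote {len(data)} bytes from {base:#010x}")
```

`md.w` and `md.l` print 16- and 32-bit words in the CPU's byte order, so a capture made with those would need the words byte-swapped on this little-endian ARM core before they are written out; the parser above deliberately accepts only the byte-wise `md.b` layout to avoid that ambiguity.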

Is this project finalised?

ethempekin avatar Apr 11 '20 11:04 ethempekin

not worked on it for a long while.... so consider it historical information. They probably closed a lot of the holes :(.

btsimonh avatar Apr 11 '20 18:04 btsimonh

Thanks. I was actually wondering if these cameras were able to be added to homebridge.


ethempekin avatar Apr 11 '20 18:04 ethempekin

I was able to get into my cam and to copy the memory. I just have no idea how to get the proper size of the partition table (have HxD installed) nor how to cut it to 16MB (by calculating it? or how?). Firmware version is v5.1.10.1811090903

Any one up for help?

NightDragon1 avatar Jun 09 '20 15:06 NightDragon1

Okay, I just found the output of the U-Boot with, what I guess, is the partition table info:

SF: Detected MX25L12805D with page size 64 KiB, total 16 MiB
flash is 3byte mode
0 [0x10000 0x50000]
1 [0x60000 0x2a0000]
2 [0x300000 0x600000]
3 [0x900000 0x6f0000]
4 [0xff0000 0x10000]

after knowing this and comparing with the data on the wiki I'll continue to manipulate the file.

NightDragon1 avatar Jun 09 '20 22:06 NightDragon1
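Cutting a raw flash dump into partitions from the table U-Boot printed above, as an added example (not code from this repository or from the commenter). It parses the `N [0xOFFSET 0xSIZE]` lines, checks that the entries are in order, do not overlap and end exactly at the 16 MiB the `SF: Detected MX25L12805D` line reports, reports any region the table does not cover (here the first 0x10000 bytes, which the table does not name), checks that every entry is aligned to the 64 KiB erase block so it can be erased and rewritten with `sf` later, and slices a dump into one bytes object per partition. The dump used in the test is a constructed 16 MiB buffer, not a real image.

```python
"""Carve a SPI-flash dump using a U-Boot partition listing (added example)."""
import re
import sys

# Lines copied from the U-Boot output quoted in the thread.
UBOOT_TABLE = """\
0 [0x10000 0x50000]
1 [0x60000 0x2a0000]
2 [0x300000 0x600000]
3 [0x900000 0x6f0000]
4 [0xff0000 0x10000]
"""
FLASH_SIZE = 16 * 1024 * 1024   # "total 16 MiB" from the SF: Detected line
ERASE_BLOCK = 0x10000           # "page size 64 KiB" from the same line

ENTRY = re.compile(r"^\s*(\d+)\s+\[(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\]\s*$")


def parse_partition_table(text):
    """Return [(index, offset, size), ...] in the order printed."""
    parts = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            parts.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return parts


def check_layout(parts, flash_size):
    """Return the list of (start, end) regions no entry covers.

    Raises ValueError if two entries overlap or one runs past the flash.
    """
    gaps = []
    cursor = 0
    for idx, off, size in sorted(parts, key=lambda p: p[1]):
        if off < cursor:
            raise ValueError(f"partition {idx} at {off:#x} overlaps the previous one")
        if off > cursor:
            gaps.append((cursor, off))
        cursor = off + size
        if cursor > flash_size:
            raise ValueError(f"partition {idx} ends at {cursor:#x}, past the flash end")
    if cursor < flash_size:
        gaps.append((cursor, flash_size))
    return gaps


def erase_block_aligned(parts, block=ERASE_BLOCK):
    """True if every offset and size is a multiple of the erase block."""
    return all(off % block == 0 and size % block == 0 for _, off, size in parts)


def carve(dump, parts):
    """Slice the dump into {index: bytes}; the dump must cover every entry."""
    out = {}
    for idx, off, size in parts:
        if off + size > len(dump):
            raise ValueError(f"dump ({len(dump):#x} bytes) too short for partition {idx}")
        out[idx] = dump[off:off + size]
    return out


if __name__ == "__main__":
    # Usage: python carve.py flash_dump.bin   -> writes mtd0.bin .. mtdN.bin
    with open(sys.argv[1], "rb") as fh:
        dump = fh.read()
    parts = parse_partition_table(UBOOT_TABLE)
    print("uncovered regions:", [(f"{a:#x}", f"{b:#x}") for a, b in check_layout(parts, len(dump))])
    print("erase-block aligned:", erase_block_aligned(parts))
    for idx, blob in carve(dump, parts).items():
        with open(f"mtd{idx}.bin", "wb") as fh:
            fh.write(blob)
```

Keeping the uncovered 0x0-0x10000 region in mind matters when you rebuild an image: if you only reassemble the five listed partitions you will be 64 KiB short of the 16 MiB the chip holds, and a concatenated image will be shifted by exactly one erase block.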

Hi all. I was able to gain root access to my cam and will submit some improvements to the Wiki regarding the whole procedure. Somehow I was not able to get the passwd script to run. Investigation ongoing.

NightDragon1 avatar Jun 10 '20 00:06 NightDragon1

@NightDragon1 - although my camera has been in a box for a year or more, I still follow the repo :). Good work, and any improvements welcome... it's very difficult to write a complete and easily reproducible procedure when you've done 50 different things to get to the final idea....

btsimonh avatar Jun 10 '20 07:06 btsimonh

@btsimonh Thanks, cool. By the way, I just found this on the internet: https://usermanual.wiki/Document/GM8136FlashUserGuideV10.1468680306/view

NightDragon1 avatar Jun 11 '20 07:06 NightDragon1

How can I drop a shell into the camera using uart?

Software version: v5.1.8.1808081601 Model: f006 Serial: 1jfi*********

MatteoGheza avatar Jun 11 '20 16:06 MatteoGheza

@MatteoGheza some information can be found on the Wiki. I'm just writing a step-by-step tutorial and will provide it to @btsimonh to publish and update the wiki. It just completes some dynamics and adds my experiences with hacking into it.

You have a model called f006. Not sure if it works for you. Can you open the cam and provide a pic of the PCB?

NightDragon1 avatar Jun 11 '20 16:06 NightDragon1

@NightDragon1 - the wiki is public :) - you can modify directly?

btsimonh avatar Jun 11 '20 18:06 btsimonh

@btsimonh no, I can't. I guess only members of the repository with the proper rights can. But I've never maintained a wiki on GitHub, so no idea how the rules are.

NightDragon1 avatar Jun 11 '20 19:06 NightDragon1

try now - there is a setting for that!

btsimonh avatar Jun 11 '20 19:06 btsimonh

You have a model called f006. Not sure if it works for you. Can you open the cam and provide a pic of the PCB?

https://send.firefox.com/download/0a904a40a2d983b6/#jnHtnepephZ7HhUSse-6HA Sorry for the quality.

MatteoGheza avatar Jun 11 '20 22:06 MatteoGheza

On the other side of the PCB, it has some pins labelled "rx", "tx", "gnd" and "3.3v".

MatteoGheza avatar Jun 11 '20 22:06 MatteoGheza

@btsimonh works! Thanks! I'll add the content soon. @MatteoGheza Looks quite different to our cam. But you could do the following: connect some wires to RX, TX and GND and try to connect at 115200 bps. Power the cam and see what's happening. If you could provide a file with the output we could check what it is. But also take care that you check for sensitive data listed there - such as passwords or hostnames, etc...

NightDragon1 avatar Jun 11 '20 22:06 NightDragon1

Okay, a first draft of the guide is online. In between, I figured out what may cause the pwd script not to work: /etc/init.d/dev_init.sh: line 172: /mnt/mtd/dev_data/dev_pwd.sh: Permission denied. So I guess I have to set chmod +x on it.

NightDragon1 avatar Jun 12 '20 01:06 NightDragon1

Note: setting the script to be executable fixed it. I now have access to my cam. If someone could review the guide and give me feedback, I would really appreciate it.

NightDragon1 avatar Jun 12 '20 01:06 NightDragon1

@MatteoGheza Looks quite different to our cam. But you could do the following: connect some wires to RX, TX and GND and try to connect at 115200 bps. Power the cam and see what's happening.

I'm trying with Termite 3.4, but I get garbage like ?[1E]<< < [00][00] [1C]<[1E] [1C][1E][00]>[1C] [1C][00] ?>>>>>< ?[00] <<8<< [1E] [1C]<[1C][00][1C][1C][1C]> with the following config: bps: 115200, data bits: 6, stop bits: 1, parity: none, flow control: XON/XOFF

With putty, following the wiki, I can read only ▒▒5}▒▒=_▒▒▒▒▒▒▒▒

MatteoGheza avatar Jun 12 '20 09:06 MatteoGheza

If this method fails, how can I execute commands into the camera (custom firmware, sd scripts, command injections,...)? Now I'm trying with a custom firmware update from the camera local web UI.

MatteoGheza avatar Jun 12 '20 09:06 MatteoGheza

This can't be right: data bits: 6 should be 8, but I suspect a typo :). The fact you get anything from the port probably is a good thing. Turn off flow control. Try 9600, 19200, 38400, 57600 as well. Double-check your wiring :). Test from cold boot; the baud rate for U-Boot and Linux may be different.

btsimonh avatar Jun 12 '20 10:06 btsimonh
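A small helper for the "try every baud rate" advice above, as an added example (not code from this repository or from the commenters). It assumes you have logged a few seconds of boot output at each candidate rate with whatever terminal you use, and scores each capture by the fraction of bytes that are printable ASCII or ordinary whitespace; at the wrong rate the UART framer produces high-bit and control bytes, so the correct rate stands out. It also checks the port settings themselves: anything other than 8N1 with no flow control is wrong for this kind of console, and XON/XOFF in particular will swallow any 0x11/0x13 bytes, which corrupts a raw `md` dump even when the prompt looks fine. The capture samples are constructed for the test: the garbage one is transcribed from the Termite output quoted in the thread, the good one is a generic U-Boot autoboot line.

```python
"""Rank serial captures by readability and sanity-check port settings (added example)."""

CANDIDATE_BAUDS = (9600, 19200, 38400, 57600, 115200)

# Constructed samples keyed by the rate each was captured at.
SAMPLE_CAPTURES = {
    # Transcribed from the Termite garbage quoted in the thread ([1E] -> 0x1e etc.).
    9600: b"?\x1e<< < \x00\x00 \x1c<\x1e \x1c\x1e\x00>\x1c \x1c\x00 ?>>>>>< ?\x00",
    # Framing garbage with the high bit set, the way PuTTY shows block characters.
    57600: b"\xff\xfe5}\xfd\xfb=_\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8",
    # A generic U-Boot console fragment (constructed, not from the camera).
    115200: b"\r\nHit any key to stop autoboot:  0 \r\n=> ",
}


def readable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def rank_captures(captures):
    """Return [(baud, ratio), ...] best first."""
    return sorted(
        ((baud, readable_ratio(data)) for baud, data in captures.items()),
        key=lambda t: t[1],
        reverse=True,
    )


def pick_baud(captures, threshold=0.9):
    """Best rate if its capture is mostly readable, else None (wiring/ground problem)."""
    baud, ratio = rank_captures(captures)[0]
    return baud if ratio >= threshold else None


def check_port_settings(data_bits, parity, stop_bits, flow_control):
    """List of problems with a terminal configuration for a Linux/U-Boot console."""
    problems = []
    if data_bits != 8:
        problems.append(f"data bits {data_bits}: console UARTs use 8")
    if parity.lower() != "none":
        problems.append(f"parity {parity}: console UARTs use none")
    if stop_bits != 1:
        problems.append(f"stop bits {stop_bits}: console UARTs use 1")
    if flow_control.lower() != "none":
        problems.append(
            f"flow control {flow_control}: disable it, XON/XOFF eats 0x11/0x13 in raw dumps"
        )
    return problems


if __name__ == "__main__":
    for baud, ratio in rank_captures(SAMPLE_CAPTURES):
        print(f"{baud:>7} bps  readable {ratio:.0%}")
    print("chosen:", pick_baud(SAMPLE_CAPTURES))
    for p in check_port_settings(6, "none", 1, "xon/xoff"):
        print("settings problem:", p)
```

If no rate scores well, the fault is usually not the rate: check that GND is shared, that the adapter is 3.3 V (not 5 V), that RX and TX are not swapped, and capture from a cold boot, since U-Boot and the kernel can be configured for different rates.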

@MatteoGheza If it fails you can only check if you have a firmware version for which already "hacked" images are available (see Wiki - Notes).

NightDragon1 avatar Jun 12 '20 12:06 NightDragon1

I'm trying to repair a broken component of the camera pcb, I'll try it tomorrow. Thanks.

MatteoGheza avatar Jun 12 '20 12:06 MatteoGheza

Example RTMP: rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ
Example RTSP: rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ

I think I just found the meaning of p0 in the URL: it seems to be a "resolution/quality" parameter, stored in /mnt/mtd/ipc_data/ipc_conf.xml:

<profiles>
   <token>p0</token>
   <name>HD</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec0</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p1</token>
   <name>Normal</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec1</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p2</token>
   <name>Half</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec2</vec>
   <aec>aec_aac</aec>
</profiles>
<profiles>
   <token>p3</token>
   <name>Min</name>
   <fixed>0</fixed>
   <vsc>vsc0</vsc>
   <asc>asc3</asc>
   <vec>vec3</vec>
   <aec>aec_aac</aec>
</profiles>

NightDragon1 avatar Jun 13 '20 21:06 NightDragon1
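Reading the profile tokens out of the `<profiles>` fragment above and swapping them into the stream URLs from the same comment, as an added example (not code from this repository or from the commenter). The fragment has no single root element, so it is wrapped in one before parsing. The URL layout is taken from the two examples in the thread (`.../live/SERIAL_TOKEN_KEY`); the trailing key is treated as an opaque string and nothing is assumed about how it is derived. Which profile the `vec0`..`vec3` encoder configs actually map to in bitrate or resolution is not on the page, so the code only reports what the file says.

```python
"""Map ipc_conf.xml <profiles> tokens to stream URLs (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# The fragment quoted in the thread (four profiles, no root element).
PROFILES_FRAGMENT = """
<profiles><token>p0</token><name>HD</name><fixed>0</fixed><vsc>vsc0</vsc>
<asc>asc3</asc><vec>vec0</vec><aec>aec_aac</aec></profiles>
<profiles><token>p1</token><name>Normal</name><fixed>0</fixed><vsc>vsc0</vsc>
<asc>asc3</asc><vec>vec1</vec><aec>aec_aac</aec></profiles>
<profiles><token>p2</token><name>Half</name><fixed>0</fixed><vsc>vsc0</vsc>
<asc>asc3</asc><vec>vec2</vec><aec>aec_aac</aec></profiles>
<profiles><token>p3</token><name>Min</name><fixed>0</fixed><vsc>vsc0</vsc>
<asc>asc3</asc><vec>vec3</vec><aec>aec_aac</aec></profiles>
"""

# The example URLs posted in the thread.
EXAMPLE_RTMP = "rtmp://192.168.1.173:7010/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ"
EXAMPLE_RTSP = "rtsp://192.168.1.173:7020/live/1jfiegbqdqhxq_p0_JCWJXJQCIPOJ"

TOKEN = re.compile(r"p\d+")


def parse_profiles(fragment):
    """Return {token: {name, fixed, vsc, asc, vec, aec}} from the XML fragment."""
    root = ET.fromstring(f"<root>{fragment}</root>")  # wrap: the file excerpt has no root
    profiles = {}
    for prof in root.findall("profiles"):
        token = prof.findtext("token")
        if token is None:
            raise ValueError("profile without <token>")
        profiles[token] = {c.tag: (c.text or "").strip() for c in prof if c.tag != "token"}
    return profiles


def stream_url(base_url, token, profiles=None):
    """Rewrite the pN token in a stream URL; validate against profiles if given."""
    if profiles is not None and token not in profiles:
        raise KeyError(f"unknown profile token {token!r}")
    parts = urlsplit(base_url)
    head, _, leaf = parts.path.rpartition("/")
    fields = leaf.split("_")            # SERIAL_TOKEN_KEY, key treated as opaque
    if len(fields) != 3 or not TOKEN.fullmatch(fields[1]):
        raise ValueError(f"unexpected stream path {parts.path!r}")
    fields[1] = token
    return urlunsplit(parts._replace(path=f"{head}/{'_'.join(fields)}"))


def all_stream_urls(base_url, profiles):
    """{token: (name, vec, url)} for every profile, from one known-good URL."""
    return {
        tok: (info["name"], info["vec"], stream_url(base_url, tok, profiles))
        for tok, info in profiles.items()
    }


if __name__ == "__main__":
    profs = parse_profiles(PROFILES_FRAGMENT)
    for tok, (name, vec, url) in all_stream_urls(EXAMPLE_RTSP, profs).items():
        print(f"{tok} {name:<7} {vec}  {url}")
```

The `<vsc>`/`<asc>` values are the same for all four profiles and only `<vec>` differs, which is why the token reads as a video-encoder (quality) selector rather than a separate camera source.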

ohh... codec parameters. Can you make it do something browser compatible :)?

btsimonh avatar Jun 14 '20 06:06 btsimonh