Update 29.04.2019
Seems the Cam is highly Vulnerable to security risks in the used P2P implementation found by Paul Marrapese
Being honest i have just waited for something like this to appear because of the strange UDP Hole Punching P2P Protocol used. Blocking UDP Traffic on Port 31200 should „solve“ the problem if you dont need the Cloud connectivity, but i would prefer to simply not use that cameras anymore.
Some months ago a purchased an Escam G02 from Banggood for approx. 18€.
Some days after that Pierre Kim released a paper which showed horrible security flaws in millions of Wifi Webcams, of course after reading this i asked myself if the Escam G02 is also affected.
After getting the cam i started digging. Please keep in mind that i am no pro security researcher, but i think i digged deep enought.
Web Interface Security
The Webinterface looks horrible and is „secured“ by the standard admin/admin combo but the rest looks okay. Also it does not feature TLS. Mostly everything is controlled by a cgi script called params.cgi. I was not able to find any problems with that but who knows. Nevertheless the WebIF uses Basic auth but the Password is only base64 encoded, so a MitM could easily retrieve the credentials. If you really want to expose the WebIF to the internet you should change all Passwords (yep there are more that one for the admin) and use the cam behind a SSL Proxy.
Open Ports
Now its time to see which ports are open on this device. Open Telnet would be the worst case. But don’t worry haven’t found that. There are 4 ports open: 80 (WebIF), 554 (rtsp), 1935 (rtmp), 8080 Onvif. No more open ports to find.
Serial Debug port
I thought maybe i could gather shell access by finding Serial debug port. There really is one labeled J3 on the PCB. Pin 1 is TX, Pin 2 is Ground, couldnt figure out where RX was. Port uses standard 115200 baud 8N1. Didnt matter what i have tried, i was not able to stop the automatic boot.
Here is a boot log if someone is interested:
https://gist.github.com/bjoerns1983/f4243bf9fe21aa559c7354cd2d804fff
Cloud Server
Bigger problem for my is the Cloud Service aka P2P Service so you can use Camera with the CamHi App. This protokol uses UDP hole punching to convert your firewall into swiss cheese. If deactived it does not contact any Servers, but than you also cant use the CamHi app. Fortunately this cam does not send all their config data to the server like the cams that Pierre Kim has watched over. The cam contacts these Server if you activate the P2P feature:
TCP:
47.91.149.233 (Alibaba use for FW Upgrades which do not use TLS 😉 )
UDP:
52.221.1.159 (Amazon Singapore)
123.56.143.156 (Alibaba)
52.8.0.180 (Amazon EC2)
I have not checked what the app transmits till now, if someone is interested i could do it in the future. Do youreself a favor and disable that feature, maybe also think of disabling DHCP and give the cam a false Gateway address so it cannot phone home.
Conclusion
For 18€ the cam is okay and not a complete security mess. Okay i cannot understand why it is not possible to use TLS for Software updates and the Webif but at least there is no open Telnet or vulnarable FTP Scripts.
If you only use the cam in your LAN through a VPN and disable the P2P feature you are good to go. If you are more paranoid block the cam from the internet by your firewall.
Dear Björn,
I have purchased a similar cam, from 7Links (pearl.de). The pinout of the debug port seems to be the same, yet I was able to find RX on pin 3. You can log in using the account „default“, with no password. Then you can edit one of the scripts in the /mnt/mtd/ipc folder which is run by the camera binary with root privileges. Use it for example to re-write /etc/shadow to set a new root password (use echo „blabla“ > /etc/shadow) – et voila, the cam is yours.
There is even a simpler way to gain access, though: Using the username and password for the web interface open the http:///cgi-bin/ht3510/printscreenrequest.cgi page. Telnet is now enabled for the current session. To permanenly enable telnet you can edit /mnt/mtd/ipc/conf/config_debug.ini and set the parameter to 1.
Btw.. if you do not like vi as an editor you can use ftpput and ftpget to upload and download files from/to the camera. That way, you can use your favorite text editor.
Best,
Tobi
Hello @TOBIAS HAGEMEIER. Please explain in more detail how I can do as root. I try with with „default“ but gives me access only as a standard user. I want to modify some file in /mnt/mtd/ipc folder but „Operation not permitted“ Please help me, I desperately need it to fix my ip camera. 🙁
I tried to obtain root with this users and pass, but not working:
admin:admin
root:root
root:null
admin:null
root:cxlinux
admin:cxlinux
default:null
admin:123456
root:123456
admin:xmhdipc
root:xmhdipc
Messages with „default“ user.
$ mount SD card
mount: you must be root
$ mv mnt mnt1
mv: can’t rename ‚mnt‘: Permission denied
$init isp
init: must be run as PID 1
$ reboot
reboot: Operation not permitted
Dear Akeo,
you need to edit one of the scripts in the /mnt/mtd/ipc folder to modify the /etc/shadow file for you. For that you just make a copy of /etc/shadow:
cp /etc/shadow /mnt/mtd/ipc/shadow
Then you can edit this file with vi and replace the encrypted password for root with you own (line looks like „root:XXXXXXXXXXXX:0:0:99999:7:::“ — XXXX is the old encrypted password). After you have made your edit you just need to copy back the shadow file. Since it is only writable by root you need to modify for example the /mnt/mtd/ipc/findap.sh-script (which is world-editable… omg!). Open it with vi and insert the following two lines at the end:
cp /mnt/mtd/ipc/shadow /etc/shadow -r
chmod 766 /etc/shadow
This will overwrite the /etc/shadow file with the data you provide on the next wifi scan of the camera. Since the findap.sh script is executed with root privileges this works as expected. Just save the file and scan for wifi networks and you should be able to switch to the root account with your favorite password.
Best,
Tobi
Thank you very mutch for rapid answer, Tobias. Unfortunately when i try to run cp /etc/shadow /mnt/mtd/ipc/shadow its show “ Permission denied“. Is any way to stop prompt U-Boot run?? Because when this started is very dificil to write in command line + after about 40 seconds is makes reboot and is need to login again with default user. Admit I’m not very familiar with enghlish language and linux commands and assume it may be i’m wrong somewhere. Please please tell me step by step what to do first, like a school. 🙂
My ip camera bricked after a wrong firmware.After this power on, make a Pan/Tilt test and after reboot itself(bootloop). I can not connect to it by lan or wifi. Only way to connect to her is through the serial.I try to modify platform.sh, but without success. 🙁
Any pinout example for serial connection?
Thanks
I guess with only 40 seconds to modify things it will not be possible to get root access – it requires some more editing of files and also re-scanning the wifi. Within that time you will probably not be able to do the necessary modifications.
Regardings the inaccessible file: You can modify the mentioned script file (findap.sh) and just add
cp /etc/shadow /mnt/mtd/ipc/shadow
chmod 777 /mnt/mtd/ipc/shadow
to copy the file to a readable location (you have to remove those lines when copying the shadow file back!). Since you are running a completely different firmware (not the original one) this may just not work at all, though since things might work entirely different.
Hope you manage to get the camera working again..
Best,
Tobi
Sorry for disturb but i need desperately to fix my IP camera. 🙁
This is result command:
cat /mnt/mtd/ipc/findap.sh
#! /bin/sh
TARGET=“/mnt/mtd/ipc“
CONF=“$TARGET/conf“
WIFIPATH=“$CONF/wifi.conf“
TMP=/mnt/mtd/ipc/tmpfs/wf129
TMP1=/mnt/mtd/ipc/tmpfs/wf129t
. $WIFIPATH
NETFLAG=`cat /mnt/mtd/ipc/tmpfs/netflag.dat`
if [ $NETFLAG -ne 0 ]
then
if ls /mnt/mtd/ipwlist ra0 scanning > /dev/null
iwpriv ra0 get_site_survey | sed ‚1d 2d $d‘ > $TMP
$TARGET/wfsort $TMP $TMP1
mv $TMP1 $TMP
Please tell which command need to use for modify this two lines:
cp /etc/shadow /mnt/mtd/ipc/shadow
chmod 777 /mnt/mtd/ipc/shadow
I want to prepare into a notepad txt and after just paste it. Thanks again.
@TOBIAS HAGEMEIER can you help me with a full dump, MTD partitions, zImage or mtdblock1?
I think this is only way to save my cam. : (
I can not stop kernel execution, so I can not take the root right to modify files. Any ideea about how stop kernel execution? I find this: https://nm-projects.de/2017/01/hacking-ip-camera-digoo-bb-m2-part-3-getting-root-access/ but I do not know how to do it.
@CODEDMIND here is info about pinout for serial connection: https://ibb.co/mDgeJK
I finally managed to be the root in a simpler way, with with the following command in U-boot:
GK7102 # printenv
[PROCESS_SEPARATORS] printenv
arm_freq=0x00112032
baudrate=115200
bootargs=mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs) single
bootcmd=run sfboot
bootdelay=3
bootfile=zImage_1045_41M
consoledev=ttySGK0
ethact=gk7101
ethaddr=3C:97:0E:22:E1:76
fileaddr=C1000000
filesize=200000
flashargs=‘run commonargs
gatewayip=192.168.1.1
hostname=“gk7101″
ipaddr=192.168.1.88
kernelAdrr=0x50000
kernelLen=0x200000
loadaddr=0xC1000000
mem=41M
netdev=eth0
netmask=255.255.255.0
nfsserver=192.168.60.85
phytype=0
rootfstype=rootfstype=jffs2 root=/dev/mtdblock3
rootpath=/710x_rootfs/rootfs_uClibc
run=sfboot
serverip=192.168.1.72
sfboot=setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=linuxrc ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${files ize}; bootm
sfkernel=0x50000
soctype=1
stderr=serial
stdin=serial
stdout=serial
tftpboot=setenv bootargs root=/dev/nfs nfsroot=${nfsserver}:${rootpath},proto=tc p,nfsvers=3,nolock ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}: ${netdev} mac=${ethaddr} phytype=${phytype} console=${consoledev},${baudrate} me m=${mem};tftpboot ${bootfile};bootm
#setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
Replace the following line from sfboot : „init=linuxrc“ with „init=/bin/sh“ after line it should look like this:
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
run sfboot command
And bingo, after that you should have root rights. Thank you all for your help, especially @TOBIAS HAGEMEIER.
Where sould i connect grnd?
Dear Tobias,
I tried to telnet the G02 cam but the user/password of the webserver don’t work.
I want to telnet the Cam to discover all the scripts.
I want to stop using the Hicam but for that I need to know how to til/pan the cam, the links for the streams, etc…
Tks for your help.
Hi Tobias , i have several of these camera. I would like to understand more about the security problem. Can we exchange few email so i can understand.
Thank s in advance
Martial Desgagne
Canada
Martiald1@hotmail.com
Hi there!
I have a couple of ESCAM G02 and this post is very useful for me. Thanks Björn and Tobias for this information.
Also, I have a mistery to resolve which gives me a headache: I’ve been poking around the firmware and I just can’t find how does the camera play the sounds when you are configuring its wifi. I guess it’s some thing called „PlayNotificationSound“ but I can’t find where. Perhaps this thing is hidden inside a binary? I don’t know 🙁
Here’s why: It would be so great to play any sample remotely, per example an alarm sound when motion is detected. My expectations were that there sould be a magic program called „play alarm.wav“ or somewhat similar hahahaha, I’m optimist! I’ve also tried with no luck to stream a wav file via the backchannel of the 2-way audio system, there is almost no information on the internet about this…
Have you any experience with this or have any remote idea of how I can advance?
Bests regards and thanks in advance 🙂
Hello,
I found your site and i think i brik the camera, trying to put the echo in the run script (maybe some typo) and now the camera won’t boot.
Any sugestion to bypass the problem? The reset button don’t do nothing.
Thanks
For ESCAM G02 I ran John the Ripper with the shadow filw and in just a couple of hours it got the password: hichiphx
Hi Guys, i found that blog post via google while digging deeper into that sort of CAMS.
I’m a IT known guy from germany doing all sort of Linux dev for IoT devices.
I gained root access on the device and can do everything i like with it.
Without even touching the Serial port or bruteforcing the Admin/root password.
I have fetched full partition dumps from the device and discovered several ways to recover the device
from most BRICKS without u-boot/serial access.
If u look deeper in the WEB for most of thoose devices there is a SDK available to compile a own ROOTFS for the target that way I have created my own Firmware with various fixes included.
If u need any infos or such feel free to ask.
For TALUSTUS
I was not able to get root access with the above mentioned examples. Is it still possible to add your own operating system onto a board with some kind of SDK-magic? I could connect with the serial so I got into u-boot.
Maybe you could also have a look at this: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks
Thanks for the link Björn. I couldn’t find any info about redoing the firmware completely though. I have one of those GK7102 cameras and I couldn’t get root access on it since the security had been beefed up. That is no root while serial connection and the init=/bin/sh don’t work either. My last resort looks like completely redoing the firmware somehow with a SDK like TALASTUS mentioned. I have no idea where to start with this though and don’t have too much luck googling it either. I am probably using the wrong syntax looking for info since I’m a complete noob on hardware/firmware 🙂
init=bin/sh
Daniel, thanks for pointing out my error 🙂 I tried init=bin/sh also but it still does not work. Probably the security have been looked over to make these a bit harder to crack. I have some old firmware that I have tried to flash but it won’t boot when I do. If I try with the standard firmware it works but with an old firmware it stops.
Message for Talustus . Is there a way that you email me your basic compiled Firmware to access the Camera. I guest it’s something you need to install to the MicroSD card and restart the Camera. Thank ’s in advance MartialD1@hotmail.com
Canada
Hi Talustus , i am trying to reach you regarding some info regarding Ip camera you analised feew years ago.
Thank s in advance
Martial