Short security overview of the Escam G02

Update 29.04.2019

It seems the camera is affected by the serious vulnerabilities that Paul Marrapese found in the P2P implementation it uses.

To be honest, I had been waiting for something like this to appear, given the odd UDP hole-punching P2P protocol in use. Blocking outbound UDP traffic on port 31200 should "solve" the problem if you do not need the cloud connectivity. Since the camera initiates these connections itself, the block has to be on outbound traffic, and blocking a single port only helps as long as the firmware does not fall back to another one; denying the camera any internet access is the safer rule. Personally I would prefer to simply stop using these cameras.


Some months ago I purchased an Escam G02 from Banggood for approx. 18€.

A few days later Pierre Kim released a paper showing horrible security flaws in millions of Wi-Fi webcams. After reading it I naturally asked myself whether the Escam G02 is also affected.

Once the camera arrived I started digging. Please keep in mind that I am no professional security researcher, but I think I dug deep enough.

Web Interface Security

The web interface looks horrible and is "secured" by the standard admin/admin combination, but the rest looks okay. It does not offer TLS. Almost everything is controlled by a CGI script called params.cgi; I was not able to find any problems with it, but who knows. The web interface uses HTTP Basic auth, which sends user name and password merely base64-encoded (not encrypted), so anyone in a man-in-the-middle position on the network path can read the credentials directly. If you really want to expose the web interface to the internet, change all passwords (yes, there is more than one for the admin account) and put the camera behind a TLS-terminating reverse proxy.
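To make the Basic-auth point concrete, here is an added example (not code from this post, the camera or its vendor) that decodes Authorization headers from a text dump of captured requests. The capture is constructed; in practice it would come from `tcpdump -A` on the same network. The host address 192.168.1.88, the CGI paths and the second account's password are assumptions, not values from the camera. Run it only against traffic you are allowed to capture.

```python
"""Recover HTTP Basic-auth credentials from a plaintext capture.

Added example for this post (not code from the camera or its vendor): the
camera's web interface speaks plain HTTP with Basic auth, so every request
carries user:password base64-encoded, not encrypted.  Anyone who can see the
traffic (same Wi-Fi, rogue AP, upstream router) can decode it.  The capture
below is constructed; host address, CGI paths and the second account's
password are assumptions, not values from the post.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample: four requests as seen on the wire. Only 1 and 3 carry
# usable Basic credentials (admin:admin and user:pass:word); 4 is damaged.
SAMPLE_CAPTURE = (
    "GET /cgi-bin/params.cgi?cmd=getnetattr HTTP/1.1\r\n"
    "Host: 192.168.1.88\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.168.1.88\r\n"
    "\r\n"
    "GET /cgi-bin/params.cgi?cmd=getimageattr HTTP/1.1\r\n"
    "Host: 192.168.1.88\r\n"
    "authorization: basic dXNlcjpwYXNzOndvcmQ=\r\n"
    "\r\n"
    "GET /cgi-bin/params.cgi?cmd=getsnap HTTP/1.1\r\n"
    "Host: 192.168.1.88\r\n"
    "Authorization: Basic YWRtaW46YW\r\n"
    "\r\n"
)

# Header names and the scheme are case-insensitive, so match accordingly.
_AUTH_RE = re.compile(r"^authorization:\s*basic\s+(\S+)\s*$", re.IGNORECASE)
_HOST_RE = re.compile(r"^host:\s*(\S+)\s*$", re.IGNORECASE)


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Turn one Basic token into (user, password); None if it is unusable."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # truncated or non-base64 header: skip, do not crash
    # RFC 7617: the user-id may not contain ':', the password may, so split once.
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def extract_basic_credentials(capture: str) -> List[Tuple[str, str, str]]:
    """Return (host, user, password) for every request carrying Basic auth."""
    found: List[Tuple[str, str, str]] = []
    for message in capture.split("\r\n\r\n"):
        lines = message.split("\r\n")
        if not lines[0].startswith(("GET ", "POST ", "HEAD ")):
            continue  # not a request line (response, body, trailing junk)
        host, token = "?", None
        for header in lines[1:]:
            m = _HOST_RE.match(header)
            if m:
                host = m.group(1)
            m = _AUTH_RE.match(header)
            if m:
                token = m.group(1)
        if token is None:
            continue
        creds = decode_basic(token)
        if creds is not None:
            found.append((host, creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for host, user, password in extract_basic_credentials(SAMPLE_CAPTURE):
        print(f"{host}: {user} / {password}")
```

The decoder deliberately tolerates damaged headers and passwords containing a colon, because a real capture will contain both. The same header is just as readable to the upstream router or the Wi-Fi neighbour, which is why a TLS-terminating proxy in front of the camera matters more than a strong password alone.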

Open Ports

Now it is time to see which ports are open on this device. An open Telnet port would be the worst case, but don't worry, I did not find one. Four ports are open: 80 (web interface), 554 (RTSP), 1935 (RTMP) and 8080 (ONVIF). I found no other open ports.

Serial Debug port

I thought I might get shell access by finding a serial debug port. There really is one, labelled J3 on the PCB: pin 1 is TX, pin 2 is ground; I could not figure out where RX was. The port uses the standard 115200 baud, 8N1. Whatever I tried, I was not able to stop the automatic boot (without a working RX line, keystrokes never reach the bootloader, so the "Hit any key to stop autoboot" prompt cannot be interrupted).

Here is the boot log, for anyone interested:

console init done
U-Boot 2012.10 (Feb 24 2016 – 22:33:54) for GK7102 rb sc1045 v2.00 (GOKE)
HAL: 20151223
DRAM: 64 MiB
Flash: 16 MiB
16 MiB
NAND: SPINAND MID = 0xff, DID = 0xffff, Data = 0x1ffffff !spinand_board_init[1581]: No support this SPI nand!
SF: Detected GD25Q128C with page size 256 B, sector size 64 KiB, total size 16 MiB
In: serial
Out: serial
Err: serial
Net: arm_freq(600MHz)…………..0x112032
use int MII…………..
gk7101
Hit any key to stop autoboot: 2  1  0
[PROCESS_SEPARATORS] run sfboot
[PROCESS_SEPARATORS] setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=linuxrc ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
SF: Detected GD25Q128C with page size 256 B, sector size 64 KiB, total size 16 MiB
put param to memory
mem size (41)
bsb size (2)
the kernel image is zImage or Image
entry = 0xc1000000
## Transferring control to Linux (at address c1000000)…
Starting kernel …
machid = 3988 r2 = 0xc0000100
Uncompressing Linux… done, booting the kernel.
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Linux version 3.4.43-gk (root@localhost.localdomain) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #14 PREEMPT Fri Dec 9 14:49:48 CST 2016
[ 0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[ 0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[ 0.000000] Machine: Goke GK7102 RB_SC1045 board V2.00
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] AHB: 0x90000000 0xf2000000 — 0x1000000
[ 0.000000] APB: 0xa0000000 0xf3000000 — 0x1000000
[ 0.000000] PPM: 0xc0000000 0xc0000000 — 0x200000
[ 0.000000] BSB: 0xc2b00000 0xf5000000 — 0x200000
[ 0.000000] DSP: 0xc2d00000 0xf6000000 — 0x1300000
[ 0.000000] hal version = 20151223
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 10414
[ 0.000000] Kernel command line: console=ttySGK0,115200 noinitrd mem=41M rw rootfstype=jffs2 root=/dev/mtdblock3 init=linuxrc
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Memory: 41MB = 41MB total
[ 0.000000] Memory: 36760k/36760k available, 5224k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 – 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 – 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xff600000 – 0xffe00000 ( 8 MB)
[ 0.000000] vmalloc : 0x83000000 – 0xff000000 (1984 MB)
[ 0.000000] lowmem : 0x80000000 – 0x82900000 ( 41 MB)
[ 0.000000] modules : 0x7f000000 – 0x80000000 ( 16 MB)
[ 0.000000] .text : 0x80008000 – 0x8042f000 (4252 kB)
[ 0.000000] .init : 0x8042f000 – 0x8044f000 ( 128 kB)
[ 0.000000] .data : 0x80450000 – 0x80478e40 ( 164 kB)
[ 0.000000] .bss : 0x80478e64 – 0x804aaf38 ( 201 kB)
[ 0.000000] NR_IRQS:128
[ 0.000000] >> gk7101 init irq vic1…
[ 0.000000] >> gk7101 init irq vic2…
[ 0.000000] gk7101 init vic…
[ 0.000000] mach gk7101 init timer…
[ 0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[ 0.000000] Console: colour dummy device 80×30
[ 0.000000] console [ttySGK0] enabled
[ 0.010000] Calibrating delay loop… 597.60 BogoMIPS (lpj=2988032)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 512
[ 0.090000] CPU: Testing write buffer coherency: ok
[ 0.100000] Setting up static identity map for 0xc0559058 – 0xc0559090
[ 0.110000] NET: Registered protocol family 16
[ 0.120000] gk7101 init timer…
[ 0.120000] Init HW timer for DSP communication
[ 0.130000] gk7101 init gpio…
[ 0.130000] gpiochip_add: registered GPIOs 0 to 63 on device: gk7101-gpio0
[ 0.140000] gpio map init…
[ 0.140000] create proc dir
[ 0.140000] gk7101 register devices 8
[ 0.150000] gk7101 register I2C
[ 0.290000] bio: create slab <bio-0> at 0
[ 0.300000] spi spi.0: gk7101 SPI Controller 0 created
[ 0.300000] spi spi.0: master is unqueued, this is deprecated
[ 0.310000] usbcore: registered new interface driver usbfs
[ 0.320000] usbcore: registered new interface driver hub
[ 0.320000] usbcore: registered new device driver usb
[ 0.330000] i2c regbase: 0xf3003000
[ 0.330000] i2c i2c.0: i2c irq:registers 9
[ 0.340000] i2c i2c.0: GK7101 I2C[0] adapter[i2c-0] probed!
[ 0.350000] FS-Cache: Loaded
[ 0.360000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.360000] CacheFiles: Loaded
[ 0.380000] gk7101-sd gk7101-sd.0: Slot0 req_size=0x00010000, segs=16, seg_size=0x00010000
[ 0.400000] gk7101-sd gk7101-sd.0: GK7101 SD/MMC[0] has 1 slots @ 46000000Hz, [0x09e130b0:0x00000000]
[ 0.410000] NET: Registered protocol family 2
[ 0.410000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.430000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.440000] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.450000] TCP: reno registered
[ 0.450000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.460000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.460000] NET: Registered protocol family 1
[ 0.470000] RPC: Registered named UNIX socket transport module.
[ 0.480000] RPC: Registered udp transport module.
[ 0.480000] RPC: Registered tcp transport module.
[ 0.490000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.490000] mdma init…
[ 0.500000] mdma request irq: 54
[ 0.510000] NFS: Registering the id_resolver key type
[ 0.510000] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.520000] fuse init (API version 7.18)
[ 0.530000] msgmni has been set to 71
[ 0.540000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
[ 0.550000] io scheduler noop registered
[ 0.550000] io scheduler deadline registered
[ 0.560000] io scheduler cfq registered (default)
[ 0.560000] uart.0: ttySGK0 at MMIO 0xa0005000 (irq = 31) is a gk7101uart
[ 0.570000] uart.1: ttySGK1 at MMIO 0xa001f000 (irq = 15) is a gk7101uart
[ 0.580000] uart.2: ttySGK2 at MMIO 0xa001e000 (irq = 27) is a gk7101uart
[ 0.590000] brd: module loaded
[ 0.600000] loop: module loaded
[ 0.610000] adc initialized (10:11)
[ 0.610000] slram: not enough parameters.
[ 0.620000] speed_mod is 0
[ 0.620000] USE 1X mode read and 1X mode write
[ 0.620000] gk7101_flash gk7101_flash.0: GD25Q128C (16384 Kbytes)
[ 0.630000] Creating 5 MTD partitions on "gk7101_flash":
[ 0.640000] 0x000000000000-0x000000040000 : "uboot"
[ 0.640000] 0x000000040000-0x000000050000 : "ubootenv"
[ 0.650000] 0x000000050000-0x000000200000 : "kernel"
[ 0.660000] 0x000000200000-0x000001000000 : "rootfs"
[ 0.670000] 0x000000000000-0x000001000000 : "all"
[ 0.670000] GKETH_init
[ 0.680000] [GKETH_drv_probe] eth_base = 0xf200e000
[ 0.680000] mii id = 0
[ 0.690000] ###### PHY Reset.1.0.2
[ 0.800000] mdiobus_register: PHY[0] whose id 0x00000000
[ 0.810000] goke MII Bus: probed
[ 0.810000] gk7101-eth gk7101-eth.0: MAC Address[02:11:22:a3:a0:00].
[ 0.820000] usbcore: registered new interface driver cdc_wdm
[ 0.830000] usbcore: registered new interface driver libusual
[ 0.830000] musb-hdrc: version 6.0, ?dma?, otg (peripheral+host)
[ 0.840000] musb phy Begin initial sequence …
[ 1.090000] gk7101 musb init end…
[ 1.090000] musb-hdrc musb-hdrc: MUSB HDRC host driver
[ 1.100000] musb-hdrc musb-hdrc: new USB bus registered, assigned bus number 1
[ 1.110000] vm : ffde0000, phy : c25a0000
[ 1.110000] dma_buf alloc ok!
[ 1.110000] hub 1-0:1.0: USB hub found
[ 1.120000] hub 1-0:1.0: 1 port detected
[ 1.120000] musb-hdrc musb-hdrc: USB Host mode controller at f0006000 using PIO, IRQ 26
[ 1.130000] platform add gk7101 musb…
[ 1.140000] mousedev: PS/2 mouse device common for all mice
[ 1.140000] input: GKInput as /devices/virtual/input/input0
[ 1.150000] Protocol NEC[0]
[ 1.150000] ir request irq: 62
[ 1.160000] IR Host Controller probed!
[ 1.160000] i2c /dev entries driver
[ 1.170000] gk7101_wdt: GK7101 Watchdog Timer, (c) 2014 Goke Microelectronics
[ 1.170000] [gk7101_wdt_init]: init
[ 1.180000] [gk7101_wdt_probe]: probe
[ 1.180000] [gk7101_wdt_probe]: probe mapped wdt_base=f3006000
[ 1.190000] watchdog inactive, reset disabled, irq disabled
[ 1.200000] IPv4 over IPv4 tunneling driver
[ 1.200000] gre: GRE over IPv4 demultiplexor driver
[ 1.210000] ip_gre: GRE over IPv4 tunneling driver
[ 1.210000] TCP: cubic registered
[ 1.220000] Initializing XFRM netlink socket
[ 1.220000] NET: Registered protocol family 10
[ 1.230000] IPv6 over IPv4 tunneling driver
[ 1.240000] NET: Registered protocol family 17
[ 1.240000] NET: Registered protocol family 15
[ 1.250000] lib80211: common routines for IEEE802.11 drivers
[ 1.250000] Registering the dns_resolver key type
[ 1.260000] VFP support v0.3: implementor 41 architecture 1 part 20 variant b rev 5
[ 1.700000] usb 1-1: new high-speed USB device number 2 using musb-hdrc
[ 7.990000] VFS: Mounted root (jffs2 filesystem) on device 31:3.
[ 7.990000] Freeing init memory: 128K
Starting mdev…
[ 10.610000] net eth0: ###### GKETH_start_hw
[ 10.620000] net eth0: ###### GKETH_phy_start_aneg…
[ 10.620000] ADDRCONF(NETDEV_UP): eth0: link is not ready
Archive: /mnt/mtd/ipc/ipc_server
inflating: ipc_server
Welcome to HiLinux
IPCamera login: Archive: /mnt/mtd/ipc/libNetLib.so
inflating: libNetLib.so
Archive: /mnt/mtd/ipc/libXqAPILib.so
inflating: libXqAPILib.so
Archive: /mnt/mtd/ipc/libxqun.so
inflating: libxqun.so
ipc_server libXqAPILib.so sd
libNetLib.so libxqun.so
ipc_server libXqAPILib.so sd
libNetLib.so libxqun.so
start watchdog set 60s timeout
The timeout was [ 12.650000] watchdog: GK7101 Watchdog: watchdog did not stop!
is 15 seconds
The timeout was set to 60 seconds
[ 14.070000] mt7601Usta: module license 'unspecified' taints kernel.
[ 14.080000] Disabling lock debugging due to kernel taint
[ 14.190000] rtusb init rtusbSTA —>
[ 14.200000]
[ 14.200000]
[ 14.200000] === pAd = 83182000, size = 899480 ===
[ 14.200000]
[ 14.210000] <– RTMPAllocTxRxRingMemory, Status=0
[ 14.220000] <– RTMPAllocAdapterBlock, Status=0
[ 14.220000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x8
[ 14.240000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x4
[ 14.240000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x5
[ 14.250000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x6
[ 14.250000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x7
[ 14.260000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x9
[ 14.270000] NVM is EFUSE
[ 14.270000] Endpoint(8) is for In-band Command
[ 14.270000] Endpoint(4) is for WMM0 AC0
[ 14.280000] Endpoint(5) is for WMM0 AC1
[ 14.280000] Endpoint(6) is for WMM0 AC2
[ 14.290000] Endpoint(7) is for WMM0 AC3
[ 14.290000] Endpoint(9) is for WMM1 AC0
[ 14.290000] Endpoint(84) is for Data-In
[ 14.300000] Endpoint(85) is for Command Rsp
[ 14.310000] usbcore: registered new interface driver rtusbSTA
[ 14.340000] encript driver init successful!
[ 14.370000] gpio driver init successful!
[ 14.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
[ 15.430000] i2c i2c.0: I2C state 0x10, please check address 0x20!
[ 15.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
[ 16.430000] i2c i2c.0: I2C state 0x10, please check address 0x20!
[ 16.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
[ 17.430000] i2c i2c.0: I2C state 0x10, please check address 0x20!
Fail to send dat[ 17.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
a
[ 18.430000] i2c i2c.0: I2C state 0x10, please check address 0x78!
[ 18.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
[ 19.430000] i2c i2c.0: I2C state 0x10, please check address 0x78!
[ 19.430000] i2c i2c.0: i2c[60]:gk7101_i2c_irq in wrong state[0x9]
[ 20.430000] i2c i2c.0: I2C state 0x10, please check address 0x78!
Fail to send data
sensor=15get sensor_type= 15
1145
[ 20.660000] gk_vi_init
[ 20.660000] request_irq…24 ok– video_sync
[ 20.660000] request_irq…59 ok– video_frame_last_pixel
[ 20.680000] request_irq…61 ok– video_frame
[ 20.680000] gk7101_is_valid_gpio_irq…
[ 20.750000] crypto initialized (10:11)
[ 20.890000] Media driver version (gcc version 4.6.1 (crosstool-NG 1.18.0) (uClibc)) v1.1.2 #svn r8850 Wed Jul 6 17:44:23 CST 2016
[ 21.120000] sensor board reset…
[ 21.410000] sensor board reset…
[ 21.720000] 1. LDO_CTR0(6c) = a64799, PMU_OCLEVEL c
[ 21.720000] 2. LDO_CTR0(6c) = a6478d, PMU_OCLEVEL 6
[ 21.730000] FW Version:0.1.00 Build:7640
[ 21.740000] Build Time:201308222153____
[ 21.740000] ILM Length = 47000(bytes)
[ 21.750000] DLM Length = 0(bytes)
[ 21.750000] Loading FW….
[ 21.800000] #
[ 21.800000] RTMP_TimerListAdd: add timer obj 8320c1ac!
[ 21.810000] RTMP_TimerListAdd: add timer obj 8320c1c4!
[ 21.820000] RTMP_TimerListAdd: add timer obj 8320c1dc!
[ 21.820000] RTMP_TimerListAdd: add timer obj 8320c194!
[ 21.830000] RTMP_TimerListAdd: add timer obj 8320c14c!
[ 21.840000] RTMP_TimerListAdd: add timer obj 8320c164!
[ 21.840000] RTMP_TimerListAdd: add timer obj 831a0fe4!
[ 21.850000] RTMP_TimerListAdd: add timer obj 831841e0!
[ 21.860000] RTMP_TimerListAdd: add timer obj 831841fc!
[ 21.860000] RTMP_TimerListAdd: add timer obj 831a103c!
[ 21.870000] RTMP_TimerListAdd: add timer obj 83186bb4!
[ 21.870000] RTMP_TimerListAdd: add timer obj 83186264!
[ 21.880000] RTMP_TimerListAdd: add timer obj 83186b98!
[ 21.880000] RTMP_TimerListAdd: add timer obj 83186dd8!
[ 21.890000] RTMP_TimerListAdd: add timer obj 83186bd0!
[ 21.900000] RTMP_TimerListAdd: add timer obj 83186bec!
[ 21.900000] RTMP_TimerListAdd: add timer obj 83186c08!
[ 21.910000] RTMP_TimerListAdd: add timer obj 831a0fb4!
[ 21.910000] RTMP_TimerListAdd: add timer obj 831a1024!
[ 21.920000] RTMP_TimerListAdd: add timer obj 83186e08!
[ 21.920000] RTMP_TimerListAdd: add timer obj 83186e20!
[ 21.930000] RTMP_TimerListAdd: add timer obj 83186e38!
[ 21.940000] RTMP_TimerListAdd: add timer obj 83186e50!
[ 21.970000] cfg_mode=9
[ 21.970000] wmode_band_equal(): Band Equal!
[ 21.980000] Key1Str is Invalid key length(0) or Type(0)
[ 21.980000] Key2Str is Invalid key length(0) or Type(0)
[ 21.990000] Key3Str is Invalid key length(0) or Type(0)
[ 22.000000] Key4Str is Invalid key length(0) or Type(0)
[ 22.010000] 1. Phy Mode = 14
[ 22.010000] 2. Phy Mode = 14
[ 22.010000] NVM is Efuse and its size =1d[1e0-1fc]
[ 22.050000] 3. Phy Mode = 14
[ 22.050000] AntCfgInit: primary/secondary ant 0/1
[ 22.250000] —> InitFrequencyCalibration
[ 22.250000] InitFrequencyCalibrationMode:Unknow mode = 3
[ 22.260000] InitFrequencyCalibration: frequency offset in the EEPROM = 48(0x30)
[ 22.270000] <— InitFrequencyCalibration
[ 22.270000] RTMPSetPhyMode: channel is out of range, use first channel=1
[ 22.280000] MCS Set = ff 00 00 00 00
[ 22.290000] <==== rt28xx_init, Status=0
[ 22.300000] 0x1300 = 00064300
[ 22.300000] RTMPDrvOpen(1):Check if PDMA is idle!
[ 22.320000] RTMPDrvOpen(2):Check if PDMA is idle!
[ 22.530000] motor driver init successful!
[ 22.820000] net eth0: ###### GKETH_phy_stop
[ 22.900000] net eth0: ###### GKETH_start_hw
[ 22.900000] net eth0: ###### GKETH_phy_start_aneg…
[ 22.910000] ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 26.060000] iFlag: 0, iCurStep: 55
BusyBox v1.18.5 (2016-01-06 23:06:46 PST) multi-call binary.
Usage: route [{add|del|delete}]
Edit kernel routing tables
Options:
-n Don't resolve names
-e Display other/more information
-A inet Select address family
The timeout was [ 28.460000] watchdog: GK7101 Watchdog: watchdog did not stop!
is 60 seconds
The timeout was set to 60 seconds
can't found rtc pcf8563
rtc: th_i2c_init error!
umount: can't forcibly umount /mnt/mtd/ipc/tmpfs/sd: Invalid argument
killall: gerddns: no process killed
killall: upnp_map: no process killed
killall: upnp_map: no process killed
killall: ddns_update: no process killed
audioout: close.
workthread: log init succeed.
libs_initnettype(WiFi): succeed.
macaddr: 78:A3:51:84:B1:6D
macflag: 1
videocomm(0): 6(6) 1280 720
videocomm(1): 7(7) 640 352
TimeZone: -8
workthread: init ini succeed.
workthread: timerreboot init succeed.
ptz type: motor
workthread: ptz init succeed.
HI_Media_SDKInit: efreq=50,resolution=31,maxresolution=6,maxwidth=1280,maxheight=720
HI_Media_SDKInit: maxchannel=2
HI_Media_SDKInit: maxresolution[0]=6
HI_Media_SDKInit: maxresolution[1]=7
timerreboot: enable=0,reboot time=00:00:00
GOKE ADI: R(8724) LIBC(uClibc) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) Sat Jun 25 04:57:54 CST 2016
Image library version (gcc version 4.6.1 (crosstool-NG 1.18.0) (uClibc)) v1.1.2 #svn r9021 Wed Jul 13 15:44:41 CST 2016
[ERROR] set vi source slowshutter mode failed.
[ 39.940000] fps is 25, support max shutter time is 20480000 curr shutter_time 0
[ 39.960000] fps is 20, support max shutter time is 25600000 curr shutter_time 20480000
[ 39.970000] exposure time updating…
[ 39.970000] exposure time updating…
vinWidth: 1280, vinHeight: 720
HI_SDK_Init: TH_flag=0,temp=0.000000,hum=0
initaudio: inputtype=1, input=14, output=9, aec=0
HI_Media_SDKInit: sensor: 31
HI_Media_SDKInit: vctrl: enable=1, recchn=1
encode(chn=0): profile=1,resolution=6,cbr=0,bitrate=1536,frame=20,iframe=40,quality=3,minq=26,maxq=45
encode(chn=0): audioenable=1, audiotype=1
encode(chn=1): profile=1,resolution=7,cbr=0,bi[ 40.020000] win_height:0 win_width:0
trate=128,frame=[ 40.030000] win_height:0 win_width:0
10,iframe=20,quality=0,minq=23,maxq=39
encode(chn=1): audioenable=1, audiotype=1
HI_Media_SDKInit: snap_chn=0
HI_Media_SDKInit: vctrl: mdvalue=35
audiovol: 1 14 9
HI_Media_SDKInit: HI_SDK_StartEncode(chn=0) succeed.
HI_Media_SDKInit: HI_SDK_StartEncode(chn=1) succeed.
audio: denoise=1
HI_Media_SDKInit: display mode: blackwhite
=======================================
[GK]DE-MBLK 4×4 basing on 1/16 orig pic version: v2.1.0
=======================================
[ 42.200000] fps is 10, support max shutter time is 51200000 curr shutter_time 25600000
color(ini): f=0xffffff, b=0x000000, ftrans=192, btrans=64
OSD(area=0): show=1, pos=0, x=672, y=0, str=YYYY-MM-DD hh:mm:ss
OSD(area=1): show=1, pos=1, x=0, y=576, str=IP Camera
OSD: no temp/hum sensor.
audioalarm: off 50
sdkmgr: max channel=2
HI_Media_LiveStreamInit: alarmsound: enable=0, dalaytime=5
ALARM_SERVER:
HI_Record_Stop
HI_Media_RecInit: HI_Record_Start(chn=1) succeed.
HI_Websvr_Init: init media su[ 42.480000] iFlag: 1, iCurStep: 256
cceed.
HI_Websvr_Init: PBServer start.
relay: start…
VCtrl_Proc: enable=1, debug=0,recchn=1, mdrectime=15, mode=lowrate
HI_Websvr_Init: httpport=80, snapchn=2
ircut: c2b_value=500, b2c_value=300
ircut: switch, imagetype=1.
ircut: switch, imagetype=0.
workthread: ircut init succeed.
infra: proc(22) start.
rled: auto.
workthread: infrared init succeed.
HI_Reset_Init: smart: enable=1
HI_Reset_Init: light: enable=1
HI_Reset_Init: apmode: status=1
workthread: reset init succeed.
workthread: wifikey init succeed.
workthread: netdetect init succeed.
workthread: ntpsvr init succeed.
p2p: xqun disable.
netdetect: WiFi (Enable).
netdetect: netflag(WiFi).
light: proc(23) start.
reset: proc(24) start.
ircut: proc(21) start.
workthread: search start.
workthread: wdt init succeed.
===================================================
ipc_server start : 1970-01-01 08:00:44
ipc_server version: V9.1.6.1.13-20170119
===================================================
wdt: default timeout: 60 sec.
wdt: default timeout: 3 sec.
ircut: switch status on.
ircut: switch, imagetype=1.
rled: close.
[ 44.310000] fps is 20, support max shutter time is 25600000 curr shutter_time 3608908
ircut: display switch(blackwhite -> color).
vctrl: md push failed, because of ircut switch.
vctrl: md push failed, because of ircut switch.
motor: selfdet stop.
HI_Ntp_Proc: enable=1, svr=time.windows.com, interval=1
vctrl: md push failed, because of ircut switch.
audiovol: 1 12 4
PlayNotificationSound: flag=1
audioout: open.
PlayNotificationSound: HI_SDK_StartAudioDecode: ret=0, format=1
vctrl: md push failed, because of ircut switch.
ircut: switch status off.
motor: preset stop.
PlayNotificationSound: file end.
libs_GetNTPTime: failed!
onvif: TZ: STD-8:0:0
onvif: TZInterval: 28800
onvif: login dev success! handle=8286216
onvif: login dev success! handle[alarm]=8287376
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HI_Media_LiveStreamRegisterMediaLink: cntindex=0,onlinenum=0
onvif: start stream succeed(ret=0x0)! handle(alarm)=8287376
HI_Media_LiveStreamParseStream: cntindex=0,sock=32,avchn=0,mediatype=4
SendMediaDataThread(entry): cntindex=0,avchn=0,af=1,sock=32,rbhandle=32777976
onvif: devmgmt_proc ok.
onvif: start: 1970-01-01 08:01:05
onvif: timg: productid=C9F0SeZ0N0P0L0
PlayNotificationSound: file end.
PlayNotificationSound: file end.
PlayNotificationSound: file end.


Cloud Server

A bigger problem for me is the cloud service, aka the P2P service that lets you use the camera with the CamHi app. The protocol uses UDP hole punching, which turns your firewall into Swiss cheese. If the feature is deactivated the camera does not contact any of these servers, but then you also cannot use the CamHi app. Fortunately this camera does not send its whole configuration to the server like the cameras Pierre Kim examined. With the P2P feature enabled the camera contacts these servers:

TCP:
47.91.149.233 (Alibaba; used for firmware upgrades, which do not use TLS 😉)

UDP:
52.221.1.159 (Amazon Singapore)
123.56.143.156 (Alibaba)
52.8.0.180 (Amazon EC2)

I have not yet checked what the app transmits; if someone is interested I could do that in the future. Do yourself a favor and disable that feature. If you want to be sure, also consider disabling DHCP on the camera and giving it a bogus gateway address so it cannot phone home. Keep in mind that even with P2P disabled the camera still tries to reach time.windows.com for NTP (see HI_Ntp_Proc in the boot log above), so a little DNS and NTP traffic is normal; anything else from the camera towards the internet deserves a closer look.
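The quickest way to verify that the camera really stopped phoning home, for both the P2P port mentioned in the update at the top and the cloud servers listed above, is to look at its connections from the router. The script below is an added example, not code from this post or the camera vendor. It parses connection records (a constructed sample here; in practice `conntrack -L` or a summarised `tcpdump -nn` on the router) and flags every flow the camera opens to a host outside the LAN, matching the destinations against the server addresses from this post. The camera address 192.168.1.88, the LAN ranges, the NTP server 192.0.2.10 (a documentation address standing in for time.windows.com) and the stray host 203.0.113.7 are assumptions.

```python
"""Audit where the camera connects to once the P2P/cloud feature is off.

Added example for this post, not code from the camera or its vendor.  It
reads connection records (a constructed sample below; in practice the output
of `conntrack -L` or a summarised `tcpdump -nn` on the router) and reports
every flow the camera opens to a host outside the LAN.  Destinations are
matched against the cloud/P2P servers listed in the post.  The camera address
192.168.1.88, the LAN ranges, the NTP server 192.0.2.10 (documentation
address standing in for time.windows.com) and the stray host 203.0.113.7 are
assumptions.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

CAMERA_IP = "192.168.1.88"  # assumed LAN address of the camera
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# NTP is enabled in the boot log (HI_Ntp_Proc ... svr=time.windows.com), so
# camera -> UDP/123 is expected even with P2P disabled.
EXPECTED_UDP_PORTS = {123}
# Servers the post observed the camera contacting with P2P enabled.
KNOWN_CLOUD: Dict[str, str] = {
    "47.91.149.233": "Alibaba (firmware update, plain HTTP)",
    "52.221.1.159": "Amazon Singapore (P2P, UDP)",
    "123.56.143.156": "Alibaba (P2P, UDP)",
    "52.8.0.180": "Amazon EC2 (P2P, UDP)",
}

# Constructed flow records, one per line: "proto src:sport > dst:dport"
SAMPLE_FLOWS = """\
# LAN client using the web interface and watching the RTSP stream: fine
tcp 192.168.1.20:51234 > 192.168.1.88:80
tcp 192.168.1.20:51240 > 192.168.1.88:554
# camera resolving names on the router and syncing time: expected
udp 192.168.1.88:32001 > 192.168.1.1:53
udp 192.168.1.88:123 > 192.0.2.10:123
# camera still reaching the P2P and update servers from the post
udp 192.168.1.88:31200 > 52.221.1.159:31200
tcp 192.168.1.88:40210 > 47.91.149.233:80
# camera talking to something nobody configured
udp 192.168.1.88:41000 > 203.0.113.7:31200
"""


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        proto, src, arrow, dst = line.split()
        if arrow != ">":
            return None
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        for ip in (s_ip, d_ip):
            ipaddress.ip_address(ip)  # raises ValueError on junk addresses
        return Flow(proto.lower(), s_ip, int(s_port), d_ip, int(d_port))
    except ValueError:
        return None


def on_lan(ip: str) -> bool:
    """True if ip falls inside one of the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify(flow: Flow) -> Optional[str]:
    """Verdict for one flow, or None when it needs no attention."""
    if flow.src != CAMERA_IP or on_lan(flow.dst):
        return None  # client -> camera, or camera -> LAN host (DNS to router)
    if flow.dst in KNOWN_CLOUD:
        return "cloud: " + KNOWN_CLOUD[flow.dst]
    if flow.proto == "udp" and flow.dport in EXPECTED_UDP_PORTS:
        return None  # NTP
    return "unexpected external destination"


def audit_egress(flows_text: str) -> List[str]:
    """One 'proto dst:dport verdict' line per camera flow worth a look."""
    findings: List[str] = []
    for line in flows_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict is not None:
            findings.append(f"{flow.proto} {flow.dst}:{flow.dport} {verdict}")
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_FLOWS):
        print(finding)
```

Run it once with P2P enabled and once after disabling it; any remaining "cloud" line means the setting did not stick or the firmware has another path out. Matching on the four addresses above is only useful as a check, since cloud IPs change; the firewall rule itself should be "deny camera to WAN except NTP", not a blocklist of addresses or a single port.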

Conclusion

For 18€ the camera is okay and not a complete security mess. I cannot understand why TLS is not used for firmware updates and the web interface, but at least there is no open Telnet and no vulnerable FTP scripts.

If you only use the camera inside your LAN (reaching it from outside through a VPN) and disable the P2P feature, you are good to go. If you are more paranoid, block the camera from the internet at your firewall.

22 thoughts on "Short security overview of the Escam G02"

  1. Dear Björn,

    I have purchased a similar cam, from 7Links (pearl.de). The pinout of the debug port seems to be the same, yet I was able to find RX on pin 3. You can log in using the account "default", with no password. Then you can edit one of the scripts in the /mnt/mtd/ipc folder which is run by the camera binary with root privileges. Use it for example to re-write /etc/shadow to set a new root password (use echo "blabla" > /etc/shadow), et voilà, the cam is yours.

    There is even a simpler way to gain access, though: using the username and password for the web interface, open the http:///cgi-bin/ht3510/printscreenrequest.cgi page. Telnet is now enabled for the current session. To permanently enable telnet you can edit /mnt/mtd/ipc/conf/config_debug.ini and set the parameter to 1.

    Btw, if you do not like vi as an editor you can use ftpput and ftpget to upload and download files to/from the camera. That way you can use your favorite text editor.

    Best,
    Tobi

    1. Hello @TOBIAS HAGEMEIER. Please explain in more detail how I can get root. I tried with "default" but it gives me access only as a standard user. I want to modify some file in the /mnt/mtd/ipc folder but get "Operation not permitted". Please help me, I desperately need it to fix my IP camera. 🙁

      I tried to obtain root with this users and pass, but not working:

      admin:admin
      root:root
      root:null
      admin:null
      root:cxlinux
      admin:cxlinux
      default:null
      admin:123456
      root:123456
      admin:xmhdipc
      root:xmhdipc

      Messages with the "default" user:

      $ mount SD card
      mount: you must be root

      $ mv mnt mnt1
      mv: can't rename 'mnt': Permission denied

      $ init isp
      init: must be run as PID 1

      $ reboot
      reboot: Operation not permitted

      1. Dear Akeo,

        you need to edit one of the scripts in the /mnt/mtd/ipc folder to modify the /etc/shadow file for you. For that you just make a copy of /etc/shadow:

        cp /etc/shadow /mnt/mtd/ipc/shadow

        Then you can edit this file with vi and replace the encrypted password for root with your own (the line looks like "root:XXXXXXXXXXXX:0:0:99999:7:::", where XXXX is the old encrypted password). After you have made your edit you just need to copy the shadow file back. Since it is only writable by root you need to modify for example the /mnt/mtd/ipc/findap.sh script (which is world-editable... omg!). Open it with vi and insert the following two lines at the end:

        cp /mnt/mtd/ipc/shadow /etc/shadow -r
        chmod 766 /etc/shadow

        This will overwrite the /etc/shadow file with the data you provide on the next wifi scan of the camera. Since the findap.sh script is executed with root privileges this works as expected. Just save the file and scan for wifi networks and you should be able to switch to the root account with your favorite password.

        Best,
        Tobi

        1. Thank you very much for the rapid answer, Tobias. Unfortunately when I try to run cp /etc/shadow /mnt/mtd/ipc/shadow it shows "Permission denied". Is there any way to stop U-Boot from running? Because once it has started it is very difficult to type on the command line, and after about 40 seconds it reboots and I need to log in again with the default user. I admit I'm not very familiar with the English language and Linux commands, and I assume I may be wrong somewhere. Please tell me step by step what to do first, like in school. 🙂
          My IP camera bricked after a wrong firmware. After power-on it makes a pan/tilt test and then reboots itself (bootloop). I cannot connect to it by LAN or Wi-Fi. The only way to connect to it is through the serial port. I tried to modify platform.sh, but without success. 🙁

          1. I guess with only 40 seconds to modify things it will not be possible to get root access – it requires some more editing of files and also re-scanning the wifi. Within that time you will probably not be able to do the necessary modifications.

            Regarding the inaccessible file: you can modify the mentioned script file (findap.sh) and just add

            cp /etc/shadow /mnt/mtd/ipc/shadow
            chmod 777 /mnt/mtd/ipc/shadow

            to copy the file to a readable location (you have to remove those lines when copying the shadow file back!). Since you are running a completely different firmware (not the original one) this may just not work at all, though since things might work entirely different.

            Hope you manage to get the camera working again..

            Best,
            Tobi

          2. Sorry for disturb but i need desperately to fix my IP camera. 🙁

            This is result command:

            cat /mnt/mtd/ipc/findap.sh
            #! /bin/sh
            TARGET="/mnt/mtd/ipc"
            CONF="$TARGET/conf"
            WIFIPATH="$CONF/wifi.conf"
            TMP=/mnt/mtd/ipc/tmpfs/wf129
            TMP1=/mnt/mtd/ipc/tmpfs/wf129t
            . $WIFIPATH
            NETFLAG=`cat /mnt/mtd/ipc/tmpfs/netflag.dat`
            if [ $NETFLAG -ne 0 ]
            then
            if ls /mnt/mtd/ipwlist ra0 scanning > /dev/null
            iwpriv ra0 get_site_survey | sed '1d 2d $d' > $TMP
            $TARGET/wfsort $TMP $TMP1
            mv $TMP1 $TMP

            Please tell me which command I need to use to add these two lines:

            cp /etc/shadow /mnt/mtd/ipc/shadow
            chmod 777 /mnt/mtd/ipc/shadow

            I want to prepare it in a notepad txt file and then just paste it. Thanks again.

        2. I finally managed to become root in a simpler way, with the following command in U-Boot:

          GK7102 # printenv
          [PROCESS_SEPARATORS] printenv
          arm_freq=0x00112032
          baudrate=115200
          bootargs=mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs) single
          bootcmd=run sfboot
          bootdelay=3
          bootfile=zImage_1045_41M
          consoledev=ttySGK0
          ethact=gk7101
          ethaddr=3C:97:0E:22:E1:76
          fileaddr=C1000000
          filesize=200000
          flashargs=‘run commonargs
          gatewayip=192.168.1.1
          hostname=“gk7101″
          ipaddr=192.168.1.88
          kernelAdrr=0x50000
          kernelLen=0x200000
          loadaddr=0xC1000000
          mem=41M
          netdev=eth0
          netmask=255.255.255.0
          nfsserver=192.168.60.85
          phytype=0
          rootfstype=rootfstype=jffs2 root=/dev/mtdblock3
          rootpath=/710x_rootfs/rootfs_uClibc
          run=sfboot
          serverip=192.168.1.72
          sfboot=setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=linuxrc ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
          sfkernel=0x50000
          soctype=1
          stderr=serial
          stdin=serial
          stdout=serial
          tftpboot=setenv bootargs root=/dev/nfs nfsroot=${nfsserver}:${rootpath},proto=tcp,nfsvers=3,nolock ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev} mac=${ethaddr} phytype=${phytype} console=${consoledev},${baudrate} mem=${mem};tftpboot ${bootfile};bootm
          #setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

          Replace "init=linuxrc" in the sfboot line with "init=/bin/sh"; afterwards the line should look like this:
          setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

          Then run the sfboot command:

          And bingo, after that you should have root rights. Thank you all for your help, especially @TOBIAS HAGEMEIER.

    2. Dear Tobias,

      I tried to telnet the G02 cam but the user/password of the webserver don’t work.

      I want to telnet the Cam to discover all the scripts.
      I want to stop using the HiCam app, but for that I need to know how to tilt/pan the cam, the links for the streams, etc...
      Tks for your help.

  2. Hi there!

    I have a couple of ESCAM G02 and this post is very useful for me. Thanks Björn and Tobias for this information.

    Also, I have a mystery to resolve which gives me a headache: I've been poking around the firmware and I just can't find how the camera plays the sounds when you are configuring its Wi-Fi. I guess it's something called "PlayNotificationSound" but I can't find where. Perhaps this thing is hidden inside a binary? I don't know 🙁

    Here's why: it would be so great to play any sample remotely, for example an alarm sound when motion is detected. My expectation was that there should be a magic program called "play alarm.wav" or something similar hahahaha, I'm an optimist! I've also tried with no luck to stream a wav file via the backchannel of the 2-way audio system; there is almost no information on the internet about this...

    Have you any experience with this or have any remote idea of how I can advance?

    Bests regards and thanks in advance 🙂

  3. Hello,

    I found your site and I think I bricked the camera, trying to put the echo in the run script (maybe some typo), and now the camera won't boot.

    Any suggestion to bypass the problem? The reset button does nothing.

    Thanks

  4. Hi Guys, i found that blog post via google while digging deeper into that sort of CAMS.

    I'm an IT guy from Germany doing all sorts of Linux development for IoT devices.
    I gained root access on the device and can do everything I like with it,
    without even touching the serial port or bruteforcing the admin/root password.
    I have fetched full partition dumps from the device and discovered several ways to recover the device
    from most bricks without U-Boot/serial access.
    If you look deeper on the web, for most of those devices there is an SDK available to compile your own rootfs for the target; that way I have created my own firmware with various fixes included.

    If you need any info or such, feel free to ask.

    1. For TALUSTUS
      I was not able to get root access with the above mentioned examples. Is it still possible to add your own operating system onto a board with some kind of SDK-magic? I could connect with the serial so I got into u-boot.

        1. Thanks for the link Björn. I couldn't find any info about redoing the firmware completely though. I have one of those GK7102 cameras and I couldn't get root access on it since the security had been beefed up. That is, no root via the serial connection, and the init=/bin/sh trick doesn't work either. My last resort looks like completely redoing the firmware somehow with an SDK like TALASTUS mentioned. I have no idea where to start with this though and don't have too much luck googling it either. I am probably using the wrong syntax looking for info since I'm a complete noob on hardware/firmware 🙂

          1. Daniel, thanks for pointing out my error 🙂 I tried init=bin/sh also but it still does not work. Probably the security has been looked over to make these a bit harder to crack. I have some old firmware that I have tried to flash but it won't boot when I do. If I try with the standard firmware it works, but with an old firmware it stops.
