Short security overview of the Escam G02

Update 29.04.2019

Seems the Cam is highly Vulnerable to security risks in the used P2P implementation found by Paul Marrapese

Being honest i have just waited for something like this to appear because of the strange UDP Hole Punching P2P Protocol used. Blocking UDP Traffic on Port 31200 should „solve“ the problem if you dont need the Cloud connectivity, but i would prefer to simply not use that cameras anymore.


Some months ago a purchased an Escam G02 from Banggood for approx. 18€.

Some days after that Pierre Kim released a paper which showed horrible security flaws in millions of Wifi Webcams, of course after reading this i asked myself if the Escam G02 is also affected.

After getting the cam i started digging. Please keep in mind that i am no pro security researcher, but i think i digged deep enought.

Web Interface Security

The Webinterface looks horrible and is „secured“ by the standard admin/admin combo but the rest looks okay. Also it does not feature TLS. Mostly everything is controlled by a cgi script called params.cgi. I was not able to find any problems with that but who knows. Nevertheless the WebIF uses Basic auth but the Password is only base64 encoded, so a MitM could easily retrieve the credentials. If you really want to expose the WebIF to the internet you should change all Passwords (yep there are more that one for the admin) and use the cam behind a SSL Proxy.

Open Ports

Now its time to see which ports are open on this device. Open Telnet would be the worst case. But don’t worry haven’t found that. There are 4 ports open: 80 (WebIF), 554 (rtsp), 1935 (rtmp), 8080 Onvif. No more open ports to find.

Serial Debug port

I thought maybe i could gather shell access by finding Serial debug port. There really is one labeled J3 on the PCB. Pin 1 is TX, Pin 2 is Ground, couldnt figure out where RX was. Port uses standard 115200 baud 8N1. Didnt matter what i have tried, i was not able to stop the automatic boot.

Here is a boot log if someone is interested:

https://gist.github.com/bjoerns1983/f4243bf9fe21aa559c7354cd2d804fff

Cloud Server

Bigger problem for my is the Cloud Service aka P2P Service so you can use Camera with the CamHi App. This protokol uses UDP hole punching to convert your firewall into swiss cheese. If deactived it does not contact any Servers, but than you also cant use the CamHi app. Fortunately this cam does not send all their config data to the server like the cams that Pierre Kim has watched over. The cam contacts these Server if you activate the P2P feature:

TCP:
47.91.149.233 (Alibaba use for FW Upgrades which do not use TLS 😉 )

UDP:
52.221.1.159 (Amazon Singapore)
123.56.143.156 (Alibaba)
52.8.0.180 (Amazon EC2)

I have not checked what the app transmits till now, if someone is interested i could do it in the future. Do youreself a favor and disable that feature, maybe also think of disabling DHCP and give the cam a false Gateway address so it cannot phone home.

Conclusion

For 18€ the cam is okay and not a complete security mess. Okay i cannot understand why it is not possible to use TLS for Software updates and the Webif but at least there is no open Telnet or vulnarable FTP Scripts.

If you only use the cam in your LAN through a VPN and disable the P2P feature  you are good to go. If you are more paranoid block the cam from the internet by your firewall.

25 Gedanken zu „Short security overview of the Escam G02“

  1. Dear Björn,

    I have purchased a similar cam, from 7Links (pearl.de). The pinout of the debug port seems to be the same, yet I was able to find RX on pin 3. You can log in using the account „default“, with no password. Then you can edit one of the scripts in the /mnt/mtd/ipc folder which is run by the camera binary with root privileges. Use it for example to re-write /etc/shadow to set a new root password (use echo „blabla“ > /etc/shadow) – et voila, the cam is yours.

    There is even a simpler way to gain access, though: Using the username and password for the web interface open the http:///cgi-bin/ht3510/printscreenrequest.cgi page. Telnet is now enabled for the current session. To permanenly enable telnet you can edit /mnt/mtd/ipc/conf/config_debug.ini and set the parameter to 1.

    Btw.. if you do not like vi as an editor you can use ftpput and ftpget to upload and download files from/to the camera. That way, you can use your favorite text editor.

    Best,
    Tobi

    1. Hello @TOBIAS HAGEMEIER. Please explain in more detail how I can do as root. I try with with „default“ but gives me access only as a standard user. I want to modify some file in /mnt/mtd/ipc folder but „Operation not permitted“ Please help me, I desperately need it to fix my ip camera. 🙁

      I tried to obtain root with this users and pass, but not working:

      admin:admin
      root:root
      root:null
      admin:null
      root:cxlinux
      admin:cxlinux
      default:null
      admin:123456
      root:123456
      admin:xmhdipc
      root:xmhdipc

      Messages with „default“ user.

      $ mount SD card
      mount: you must be root

      $ mv mnt mnt1
      mv: can’t rename ‚mnt‘: Permission denied

      $init isp
      init: must be run as PID 1

      $ reboot
      reboot: Operation not permitted

      1. Dear Akeo,

        you need to edit one of the scripts in the /mnt/mtd/ipc folder to modify the /etc/shadow file for you. For that you just make a copy of /etc/shadow:

        cp /etc/shadow /mnt/mtd/ipc/shadow

        Then you can edit this file with vi and replace the encrypted password for root with you own (line looks like „root:XXXXXXXXXXXX:0:0:99999:7:::“ — XXXX is the old encrypted password). After you have made your edit you just need to copy back the shadow file. Since it is only writable by root you need to modify for example the /mnt/mtd/ipc/findap.sh-script (which is world-editable… omg!). Open it with vi and insert the following two lines at the end:

        cp /mnt/mtd/ipc/shadow /etc/shadow -r
        chmod 766 /etc/shadow

        This will overwrite the /etc/shadow file with the data you provide on the next wifi scan of the camera. Since the findap.sh script is executed with root privileges this works as expected. Just save the file and scan for wifi networks and you should be able to switch to the root account with your favorite password.

        Best,
        Tobi

        1. Thank you very mutch for rapid answer, Tobias. Unfortunately when i try to run cp /etc/shadow /mnt/mtd/ipc/shadow its show “ Permission denied“. Is any way to stop prompt U-Boot run?? Because when this started is very dificil to write in command line + after about 40 seconds is makes reboot and is need to login again with default user. Admit I’m not very familiar with enghlish language and linux commands and assume it may be i’m wrong somewhere. Please please tell me step by step what to do first, like a school. 🙂
          My ip camera bricked after a wrong firmware.After this power on, make a Pan/Tilt test and after reboot itself(bootloop). I can not connect to it by lan or wifi. Only way to connect to her is through the serial.I try to modify platform.sh, but without success. 🙁

          1. I guess with only 40 seconds to modify things it will not be possible to get root access – it requires some more editing of files and also re-scanning the wifi. Within that time you will probably not be able to do the necessary modifications.

            Regardings the inaccessible file: You can modify the mentioned script file (findap.sh) and just add

            cp /etc/shadow /mnt/mtd/ipc/shadow
            chmod 777 /mnt/mtd/ipc/shadow

            to copy the file to a readable location (you have to remove those lines when copying the shadow file back!). Since you are running a completely different firmware (not the original one) this may just not work at all, though since things might work entirely different.

            Hope you manage to get the camera working again..

            Best,
            Tobi

          2. Sorry for disturb but i need desperately to fix my IP camera. 🙁

            This is result command:

            cat /mnt/mtd/ipc/findap.sh
            #! /bin/sh
            TARGET=“/mnt/mtd/ipc“
            CONF=“$TARGET/conf“
            WIFIPATH=“$CONF/wifi.conf“
            TMP=/mnt/mtd/ipc/tmpfs/wf129
            TMP1=/mnt/mtd/ipc/tmpfs/wf129t
            . $WIFIPATH
            NETFLAG=`cat /mnt/mtd/ipc/tmpfs/netflag.dat`
            if [ $NETFLAG -ne 0 ]
            then
            if ls /mnt/mtd/ipwlist ra0 scanning > /dev/null
            iwpriv ra0 get_site_survey | sed ‚1d 2d $d‘ > $TMP
            $TARGET/wfsort $TMP $TMP1
            mv $TMP1 $TMP

            Please tell which command need to use for modify this two lines:

            cp /etc/shadow /mnt/mtd/ipc/shadow
            chmod 777 /mnt/mtd/ipc/shadow

            I want to prepare into a notepad txt and after just paste it. Thanks again.

        2. I finally managed to be the root in a simpler way, with with the following command in U-boot:

          GK7102 # printenv
          [PROCESS_SEPARATORS] printenv
          arm_freq=0x00112032
          baudrate=115200
          bootargs=mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs) single
          bootcmd=run sfboot
          bootdelay=3
          bootfile=zImage_1045_41M
          consoledev=ttySGK0
          ethact=gk7101
          ethaddr=3C:97:0E:22:E1:76
          fileaddr=C1000000
          filesize=200000
          flashargs=‘run commonargs
          gatewayip=192.168.1.1
          hostname=“gk7101″
          ipaddr=192.168.1.88
          kernelAdrr=0x50000
          kernelLen=0x200000
          loadaddr=0xC1000000
          mem=41M
          netdev=eth0
          netmask=255.255.255.0
          nfsserver=192.168.60.85
          phytype=0
          rootfstype=rootfstype=jffs2 root=/dev/mtdblock3
          rootpath=/710x_rootfs/rootfs_uClibc
          run=sfboot
          serverip=192.168.1.72
          sfboot=setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=linuxrc ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${files ize}; bootm
          sfkernel=0x50000
          soctype=1
          stderr=serial
          stdin=serial
          stdout=serial
          tftpboot=setenv bootargs root=/dev/nfs nfsroot=${nfsserver}:${rootpath},proto=tc p,nfsvers=3,nolock ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}: ${netdev} mac=${ethaddr} phytype=${phytype} console=${consoledev},${baudrate} me m=${mem};tftpboot ${bootfile};bootm
          #setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

          Replace the following line from sfboot : „init=linuxrc“ with „init=/bin/sh“ after line it should look like this:
          setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

          run sfboot command

          And bingo, after that you should have root rights. Thank you all for your help, especially @TOBIAS HAGEMEIER.

    2. Dear Tobias,

      I tried to telnet the G02 cam but the user/password of the webserver don’t work.

      I want to telnet the Cam to discover all the scripts.
      I want to stop using the Hicam but for that I need to know how to til/pan the cam, the links for the streams, etc…
      Tks for your help.

  2. Hi there!

    I have a couple of ESCAM G02 and this post is very useful for me. Thanks Björn and Tobias for this information.

    Also, I have a mistery to resolve which gives me a headache: I’ve been poking around the firmware and I just can’t find how does the camera play the sounds when you are configuring its wifi. I guess it’s some thing called „PlayNotificationSound“ but I can’t find where. Perhaps this thing is hidden inside a binary? I don’t know 🙁

    Here’s why: It would be so great to play any sample remotely, per example an alarm sound when motion is detected. My expectations were that there sould be a magic program called „play alarm.wav“ or somewhat similar hahahaha, I’m optimist! I’ve also tried with no luck to stream a wav file via the backchannel of the 2-way audio system, there is almost no information on the internet about this…

    Have you any experience with this or have any remote idea of how I can advance?

    Bests regards and thanks in advance 🙂

  3. Hello,

    I found your site and i think i brik the camera, trying to put the echo in the run script (maybe some typo) and now the camera won’t boot.

    Any sugestion to bypass the problem? The reset button don’t do nothing.

    Thanks

  4. Hi Guys, i found that blog post via google while digging deeper into that sort of CAMS.

    I’m a IT known guy from germany doing all sort of Linux dev for IoT devices.
    I gained root access on the device and can do everything i like with it.
    Without even touching the Serial port or bruteforcing the Admin/root password.
    I have fetched full partition dumps from the device and discovered several ways to recover the device
    from most BRICKS without u-boot/serial access.
    If u look deeper in the WEB for most of thoose devices there is a SDK available to compile a own ROOTFS for the target that way I have created my own Firmware with various fixes included.

    If u need any infos or such feel free to ask.

    1. For TALUSTUS
      I was not able to get root access with the above mentioned examples. Is it still possible to add your own operating system onto a board with some kind of SDK-magic? I could connect with the serial so I got into u-boot.

        1. Thanks for the link Björn. I couldn’t find any info about redoing the firmware completely though. I have one of those GK7102 cameras and I couldn’t get root access on it since the security had been beefed up. That is no root while serial connection and the init=/bin/sh don’t work either. My last resort looks like completely redoing the firmware somehow with a SDK like TALASTUS mentioned. I have no idea where to start with this though and don’t have too much luck googling it either. I am probably using the wrong syntax looking for info since I’m a complete noob on hardware/firmware 🙂

          1. Daniel, thanks for pointing out my error 🙂 I tried init=bin/sh also but it still does not work. Probably the security have been looked over to make these a bit harder to crack. I have some old firmware that I have tried to flash but it won’t boot when I do. If I try with the standard firmware it works but with an old firmware it stops.

    2. Message for Talustus . Is there a way that you email me your basic compiled Firmware to access the Camera. I guest it’s something you need to install to the MicroSD card and restart the Camera. Thank ’s in advance MartialD1@hotmail.com
      Canada

    3. Hi Talustus , i am trying to reach you regarding some info regarding Ip camera you analised feew years ago.

      Thank s in advance
      Martial

Schreibe einen Kommentar zu lordw Antworten abbrechen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert