Student ID: IoTE-775

In this gist I will try to examine and exploit the Sricam SP009. I purchased it from the IOT Exploitation Kit.

1. First Recon

• doing Research on Manufacturer Details
• reassamble the ip-camera

2. Access over Harware Ports

• finding ports
• verify the used protocol
• getting access to the OS
• getting firmware

3. Acess over Wireless Interfaces and Network

• use interfaces in intended manner and dump network exchange information
• fuzz wireless interfaces

4. Reversing Android App

• finding firmware and keys for further access encryption
• API logic for cloud access
• vulnerabilities

There isn't any manufactural ID on the Cam. So seaching for the product will give the necessary documents. https://fccid.io/document.php?id=3474757 On the bottom of the quick user manual stands the FCCID.

Now we can search for the FCCID. https://fccid.io/2AC6K-SP020/Internal-Photos/Internal-Photos-3474756 This isn't exactly the same model but I guess it's nearly the same.

=> additional info from FCCID

Examing product without opening it reveals a 720p camera module, IR sensor, LED's for indicating running system, SD card slot and a reset button. On the backshell of the camera is a sticker with the ID (probably for network issues) and the default password.

outer Side of backshell with product sticker	inner Side of backshell with speaker

The main board reveals all the parts for the functionalities of the cam.

• Link: https://www.mediatek.com/products/broadbandWifi/mt7601u
• Identifier: MT7601UN 1530-BMJL GTP39Y55

According to mediatek "High-performance 802.11n for compact and cost-effective Wi-Fi devices".

• Link: http://www.grain-media.com/html/8136S_8135S.htm
• Identifier: GM8 135S-OC SMSKH-000 AG-1525

We can see that it's a ARM architecture. Next to the SoC lies the suspected UART interface.

• Link: http://www.datasheet.hk/search.php?part=25l12805d&stype=part
• Identifier: MX25L12805D
• Name: 128M-BIT [x 1] CMOS SERIAL FLASH

It surprised me, that according to the datasheet, the ship got 16 instead of 8 pins. We will examine later, whether it's possible to get some information from the chip via SPI.

• Link: http:/A3/www.everanalog.com/Product/ProductEA3036DetailInfo.aspx
• Identifier: EA3036 4j088s
• Name: 3CH power management IC

On the back of the main board are some other parts.

• Link: http://www.celtor.pl/2447,24c04d-eeprom-szeregowa-4kb-512bx-so8.html
• Identifier: 24c04d 538b1

• Link: http://www.inkocean.in/the-md8002a-8002a-sop8-smd-3w-audio-amplifier-ic-chip
• Identifier: 8002a swire15

The WiFi antenna is stucked in the front shell of the camera.

front shell with attached WIFI antenna

Inside this front shell lies this "LED ring" with some status LED's and the IR sensor for measuring brightness, I guess.

LED circuit back side	LED circuit front side

Without taking further measurements, I suspected the three pins in previous picture to be a UART serial port. As the first one has a squareformed joint, it's supposed to be the GND pin and the two other ones Tx and Rx. I examined the ports with a buspirate and beeing sure I have the right ports, I tried all popular baudrates and parity bits:

HiZ>m	#Choose protocol from main buspirate interface
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

(1)>3	#taking UART
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. BRG raw value

(1)>9	#taking baudrate 115200
Data bits and parity:
 1. 8, NONE *default 
 2. 8, EVEN 
 3. 8, ODD 
 4. 9, NONE
(1)>	# taking default value "no parity"
Stop bits:
 1. 1 *default
 2. 2
(1)>	# taking default value "no stop bits"
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
(1)>	# is the Rx port high or low when it's idle, taking default
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)
(1)>	# taking open drain as driver circuit for the port
Ready
UART>v	# checking the Pinout of the BusPirate
Pinstates:
1.(BR)	2.(RD)	3.(OR)	4.(YW)	5.(GN)	6.(BL)	7.(PU)	8.(GR)	9.(WT)	0.(Blk)
GND	3.3V	5.0V	ADC	VPU	AUX	-	TxD	-	RxD
P	P	P	I	I	I	I	I	I	I	
GND	0.00V	0.00V	0.00V	0.00V	L	L	L	L	L	

UART>(2) # choosing mode to only receive output
Raw UART input
Any key to exit
>��ʛ���s�Ϲܒ`���e����k���������������ʗ���0������������������컚�Ϙ�ߚЛ�������������%�������i���C�������q ��q����"�c9�a�":�i���C�������q ��q����"�c9�a�"���i���C�������q ��q����"�c9�a�"���i��
...
q ��)���"��c9ñ":��C��������q ;�)���"�c9ñ":��C��������q ;�)���"�c9ñ":�i

Trying all different baudrates and parity bits didn't give any better result. With a hint of @adi_1318 was it easy. The square pin isn't GND, it's RX (RX,GND,TX) on baudrate of 115200.

So first lesson learned: Never trust in habits. With this Pinning I was able to get readable output and furthermore a shell without Write Rights. For the sake of readabilty I will put booting output into external link. LINK It gives some interesting information.

• The flash is similar to the suspected one, but has only 16MiB of storage.
• Flash software is iJFFS2 version 2.2. (NAND) from Red Hat
• Flash communicates via SPI and creates 6 partitions on the flash

SPI_FLASH spi0.0: MX25L12845E (16384 Kbytes)
Creating 6 MTD partitions on "nor-flash":
0x000000010000-0x000000080000 : "UBOOT"
0x000000080000-0x000000380000 : "LINUX"
0x000000380000-0x000000b00000 : "FS"
0x000000b00000-0x000000c00000 : "USER0"
0x000000c00000-0x000001000000 : "USER1"
0x000000000000-0x000001000000 : "ALL"

• OS runs Linux with busybox on squashfs filesystem
• DRAM is 64 MiB
• we have USB interfaces (probably for the SD Card Reader)

Drive Vbus because of ID pin shows Device A
fotg210 fotg210.0: FOTG2XX
fotg210 fotg210.0: new USB bus registered, assigned bus number 1
fotg210 fotg210.0: irq 9, io mem 0x93000000
fotg210 fotg210.0: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected

• there is a I2C bus

i2c /dev entries driver
ftiic010 ftiic010.0: irq 18, mapped at 84860000
I2C hangs detection thread started!

• uses lib80211 for WiFi functionalities

After getting through booting and many applies of trying the same we have a shell. LISTING_APPLY The shell will be harassed by intervalled output of WiFi Core that indicates it's in STA mode and scans for a certain AP.

=> continue with SPI

1. Finding link in the sourcecode of APK

• this part will be handled in the reversing part

2. Dumping from System via SDCard

• We can get nearly the whole filesystem by simply copying it onto an sdcard.
• It will be mounted as /mnt/disk1.

/mnt # mmc0: new high speed SDHC card at address e624
mmcblk0: mmc0:e624 SU08G 7.40 GiB 
 mmcblk0:
found removeable disk1 
mount  removeable disk1 OK 
dwDiscState = 2 

/# cp -r / /mnt/disk1/

Searching for interesting info bits in the file system

# ..e/david/offensiveIOT/ip_cam/filesystem # grep -rli aes
npc/npc
patch/bin/wpa_supplicant
patch/lib/mt7601Usta_v2.ko
lib/modules/ms.ko

# ..e/david/offensiveIOT/ip_cam/filesystem # grep -rli firmware
npc/npc
patch/bin/ifrename
patch/lib/mt7601Usta_v2.ko
gm/bin/busybox
gm/tools/ethtool

I will look in the reversing part at the npc and other interesting binaries. I wasn't able to find any fruitful info in cleartext on the system.

3. Dumping Flash via SPI

The UI experience of the App for communicating with the Cam is really bad and I wasn't patient enough, to set up WiFi connectivity with the App. In first glance I suspected it would setup open AP and I can simply connect to it but it doesn't. There is some functionality to connect to another existent WiFi by capturing with the Camea App generated QR-Code. I took another way and examined the OS of the Cam to find out what it is up to.

/etc/network # cat interfaces 
auto lo

iface lo inet loopback

iface eth0 inet static
	address	172.19.78.3
	broadcast 172.31.255.255
	netmask 255.240.0.0
	gateway 172.19.78.2
	pre-up	/sbin/insmod /lib/modules/2.6.14/extra/ftmac100.ko
	post-down /sbin/rmmod ftmac100.ko

# => no hints in the configuration on the interfaces

/etc # cat wpa_supplicant0.conf 
ctrl_interface=/etc/Wireless  
 network={ 
     ssid="Free-AP0"   
     key_mgmt=NONE  
  }
# but a wpa_supplicant conf with a given SSID  

As I setted up an open AP with the SSID "Free-AP0" the Cam connects immediatly to it.

 CH  1 ][ Elapsed: 6 s ][ 2017-08-17 18:16 ][ paused output                                        
                                                                                                        
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                        
 00:C0:CA:62:41:8F   -9 100       90       13    0   1  54   OPN              Free-AP0                  
                                                                                                        
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                              
                                                                                                        
 00:C0:CA:62:41:8F  F8:0C:F3:FF:5F:6C   14   54 - 6      0       11       # Smartphone with App                               
 00:C0:CA:62:41:8F  20:F4:1B:5C:07:AD  -19    1 - 1      0        5       # IPCam                               

To set up open or WEP/WPA access points quickly with internet access, I recommend the little bashtool qw (https://github.com/file-not-found/qw). Prequesities are hostapd and dnsmasque. You can do it with hostapd by bridging or routing the connectivity manually.

root@greenpc2 ~/wlan # ./qw ap Free-AP0 wlan0       
Enter passphrase (leave blank for open network): 
Configuration file: /tmp/qw_1_hostapd.conf
Using interface wlan0 with hwaddr 00:c0:ca:62:41:8f and ssid "Free-AP0"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: authenticated		# smartphone tries to connect
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED f8:0c:f3:ff:5f:6c
wlan0: STA f8:0c:f3:ff:5f:6c RADIUS: starting accounting session C7E9972B18913018
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: authenticated		# IPCam tries to connect
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: associated (aid 2)
wlan0: AP-STA-CONNECTED 20:f4:1b:5c:07:ad
wlan0: STA 20:f4:1b:5c:07:ad RADIUS: starting accounting session 611E6C4DC8EFDE0C

As the IPCam has network connection we will take the first step of network recon and scan the IPCam itself:

root@greenpc2 /home/david # nmap 10.0.0.21

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:10 CEST
Nmap scan report for 10.0.0.21
Host is up (0.022s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
554/tcp  open  rtsp	# streaming video data locally
5000/tcp open  upnp	# connect to distanced web server for streaming data
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)

=> UPNP There is a telnet daemon on the device. It seems to work:

root@greenpc2 /home/david # nmap 10.0.0.21

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:23 CEST
Nmap scan report for 10.0.0.21
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
554/tcp  open  rtsp
5000/tcp open  upnp
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)

As I suspect an encrypted connection between IPCam, Smartphone and Backend Server, we need to sniff directly on the IPCam or the smartphone. I guess, it's much easier on the Phone. My smartphone for experimenting is rooted. This is necessary for sniffing raw traffic on the network. I downloaded tcpdump for android (http://www.androidtcpdump.com/) and load it into the phone. For placing and executing an external binary are only a few places appropriate in the android file system. You can use /data/local/tmp or /sdcard/tmp or maybe some other. With adb we can control our Phone now.

$ adb shell		#opening shell on android phone
shell@mako:/ $ su
root@mako:/data/local/tmp # ./tcpdump -n -s 0 -w ipcam_cap                   
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C16598 packets captured
16598 packets received by filter
0 packets dropped by kernel
root@mako:/data/local/tmp # ls
hexdump.bin
ipcam_cap
tcpdump

I was trying to trigger many activities in the communication between App and IPCam to get interesting traffic. There was interesting traffic, indeed. It will be paired with the related App activity. To filter all the Android and Google Stuff it's useful to filter some IP's. I use wireshark for this:

not ip.addr == 172.217.22.99 && not ip.addr == 216.58.205.234

Register Screenshot 1	Register Screenshot 2

Login Check

Answer for existing login

Add Friend / Add camera to personal dash	After adding => Get Friends List

Add Friend Capture

Reply for existing login

Get Friends List

Delete Friend

Get Version

Reply for version

So I collected a list of participating servers with IP and used requests:

• api4.videoipcamera.com 146.0.238.42 POST /Users/LoginCheck.ashx
• api2.videoipcamera.com 218.30.35.92 POST /Users/LoginCheck.ashx
• api3.videoipcamera.cn 101.1.17.22
• api1.videoipcamera.cn 101.1.17.22 POST /Users/LoginCheck.ashx
• videoipcamera.com 218.30.35.92 POST /Users/GetFriendList.ashx POST /Users/AddFriend.ashx
• videoipcamera.cn 101.1.17.22 POST /Users/GetFriendList.ashx
• upg1.videoipcamera.cn 218.30.35.92 GET /00/06/latestversion.asp
• p2p1.videoipcamera.cn 146.0.238.42

There are some other servers participated talking directly to the IPCam and the Phone over UDP: Please be cautious, when intended to scan unkown web servers. Your actions could be understand as an attack.

# nmap 92.42.106.94                                                   

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 16:29 CEST
Nmap scan report for 92.42.106.94
Host is up (0.051s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
3389/tcp open   ms-wbt-server
5060/tcp closed sip
5061/tcp closed sip-tls

Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds

We have some encrypted Info bits, that may will help me on reversing App and firmware:

Passwort: <password> => 891A54C4E2EAB52D01C6FBF85A4C143E
UserID: 0732910 => -2146750738

Encrypted UDP: 10.0.0.21 -> 10.0.0.27
00:00:00:02:00:00:00:01:00:00:00:50:00:00:00:01:00:09:41:38:00:00:00:07:00:00:00:01:0e:00:00:0f:00:30:61:72:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:2f:00:00:00:00:00:00:00:00

Encrypted UDP: 10.0.0.27 -> 146.0.238.42
0c:05:03:00:ee:b6:b9:67:ee:2e:0b:80:3c:88:2a:1d:4e:25:36:4f:9a:44:28:8e:00:00:00:00:e4:74:85:3b

Encrypted UDP: 146.0.238.42 -> 10.0.0.27
0d:01:00:00:9a:44:28:8e:b1:e8:c6:af:09:00:00:00:5c:2a:6a:5e:0f:a0:01:01:92:00:ee:2a:ca:a8:01:01:68:fa:98:1a:1f:40:01:01:67:29:7f:c7:ca:a8:01:01:dc:e7:8e:89:22:53:03:01:da:1e:23:5c:22:53:03:01:92:00:ee:2a:22:53:03:01:da:1e:23:5c:2b:5c:04:01:92:00:ee:2a:2b:5c:04:01

The directory npc with the executable npc seems to be very interesting:

/npc # ls
dhcp.script     minihttpd.conf  patch           txt             wPipe
gwellipc        mtd             pipe_create     upgfile_ok
img             npc             sound           version.txt

/npc # cat npc | grep aes
aes-128-ecb
aes-128-cbc
aes-128-ofb
aes-128-cfb
aes-192-ecb
aes-192-cbc
aes-192-ofb
aes-192-cfb
aes-256-ecb
aes-256-cbc
aes-256-ofb
aes-256-cfb
aes-128-cfb1
aes-192-cfb1
aes-256-cfb1
aes-128-cfb8
aes-192-cfb8
aes-256-cfb8
id-aes128-wrap
id-aes192-wrap
id-aes256-wrap
e_aes.c
aes key setup failed


/npc # cat npc | grep -i password
Password
PasswordType
RemotlySetPassword
Super_Password
*cESSID:%s,cPassword:%s,dwEncType = %d
challengePassword
id-PasswordBasedMAC
password based MAC
userPassword
bad password read
problems getting password
CMS_PasswordRecipientInfo
SetApMode Essid and Password Fail!
AP MODE :password is too long!
PASSWORD
password is empty
Set Password
fgCheckMessageAck password incrrect
Password Fail IP=%d Counter=%d dwPassword=%d
Super Password verify OK (idle calling help) ...
Two Password verify OK (idle calling help) ...
manager Password verify OK (idle calling help) ...
Guest Password verify OK (idle calling help) ...
Password verify Fail 00 ...
No Password , Pass
Super Password verify ok3 ...
two Password verify ok3 ...
manager Password verify ok3 ...
guest Password verify ok3 ...
Password verify Fail3 ...
Super Password verify OK 2...
Super+manager Password verify OK 2...
Manager Password verify OK 2...
Guest Password verify OK 2...
Password verify fail 2...
No manager password, in lan 2
Super Password verify OK 1...
Super + manager Password verify OK 1...
Manager Password verify OK 1...
Guest Password verify OK 1...
Password verify fail 1...
Lan , no password
Super Password 
super+manager Password 
Password verify OK1 ...
Password verify fail 1...

npc has a lot of strings in it related to encrypting and network authentication. It's necessary to obtain this binary from the filesystem to examine it in detail.

1. Unzip the APK
2. APKTOOL
3. JADX
4. Java Decompiler (Unzip, then rebuild the classes.dex as jar https://github.com/pxb1988/dex2jar)

Simply unzipping the apk will unpack it's resources for Linking and Compiling and reveals DEX binary and the native ARM libraries. We can use the compiled dalvic executable dex file to convert it to a smali. We can use the dex file to repack it to a jar file.

0x000059a8   12 290          sym.RT_AES_KeyExpansion
0x00005ad8   43 604          sym.RT_AES_Encrypt
0x00005d4c   42 540          sym.RT_AES_Decrypt
0x00005f80   12 230          sym.RT_HMAC_SHA1
0x0000606c    1 42           sym.RT_SHA1_Init
0x0000609c   15 412          sym.RT_SHA1_Hash
0x00006248    6 96           sym.RT_SHA1_Append
0x000062a8    5 174          sym.RT_SHA1_End
0x00006358    3 72           sym.RT_SHA1

=> rework on this

JADX is a decompiler for java executables that will also process apk. You can simply execute the binary of jadx by appending your desired apk.

I recognized this:

Exception in thread java.lang.OutOfMemoryError: Java heap space

As I work in a VM with low RAM JADX overflows my virtual. By changing the environment variable we can maximize the memory space and using only one thread it will work better.

$ JAVA_OPTS="-Xmx1300M" ../tools/jadx/bin/jadx -j 1 Sricam_17.7.17_apk-dl.com.apk 

But there are a lot of errors on execution of JADX. Although I started in examining the decompiled files.

oit@ubuntu> ~/doku/Sricam_17.7.17_apk-dl.com
$ grep -rli aes
cn/jiguang/api/BasePreferenceManager.java
cn/jiguang/api/JCoreInterface.java


oit@ubuntu> ~/doku/Sricam_17.7.17_apk-dl.com/cn/jiguang
$ grep -rli encrypt
c/a/a.java
api/BasePreferenceManager.java
a/a/b/h.java

BasePreferenceManager.java seems to be interesting. Looking into the sourcecode reveals nothing good:

public abstract class BasePreferenceManager {
    private static final String AES_ENCRYPTION_SEED;
    private static final String JPUSH_PREF;
    private static SharedPreferences mSharedPreferences;
    private static final String[] z;
    /* JADX: method processing error */
    /*
        Error: java.lang.StackOverflowError
	...

This file as many others have shortly after beginning some decompiler errors. Some sort of decompiling protection I guess. I don't know enough about Android Reversing, so I can't interprete this the right way at the moment. => rework on this

=> apktool executed

APKTool will generate smali files from the APK. Smali is a readable format of the dalvik executable dex file. Looking into the smali file of BasePreferenceManager.smali we recognize some constant strings:

.method static constructor <clinit>()V
    .locals 14
    const/16 v9, 0x35
    const/16 v10, 0x11
    const/4 v8, 0x4
    const/4 v12, 0x1
    const/4 v1, 0x0
    const-string v2, "W#F\u0013titY\u0008p`\u0016\\\u0005ce(L]+n9Z\u0015t5k\u0004"

http://imgur.com/a/yjUfI http://imgur.com/a/BvP18