Student ID: IoTE-775
In this gist I will try to examine and exploit the Sricam SP009. I purchased it from the IOT Exploitation Kit.
- First Recon
- doing Research on Manufacturer Details
- reassamble the ip-camera
- Access over Harware Ports
- finding ports
- verify the used protocol
- getting access to the OS
- getting firmware
- Acess over Wireless Interfaces and Network
- use interfaces in intended manner and dump network exchange information
- fuzz wireless interfaces
- Reversing Android App
- finding firmware and keys for further access encryption
- API logic for cloud access
- vulnerabilities
There isn't any manufactural ID on the Cam. So seaching for the product will probably give the necessary documents. http://www.sricam.com/product/id/07caa85ec45449fabc17c003345970bf.html http://www.sricam.com/download/id/3e984aa70a9d4e928b03c01787d6fb4f.html
I wasn't able of extracting any relevant FCCID, only for similiar models like SP022.
Examing product without opening it reveals a 720p camera module, IR sensor, LED's for indicating running system, SD card slot and a reset button. On the backshell of the camera is a sticker with the ID (probably for network issues) and the default password.
 |
 |
outer Side of backshell with product sticker |
inner Side of backshell with speaker |
The main board reveals all the parts for the functionalities of the cam.
- Link: https://www.mediatek.com/products/broadbandWifi/mt7601u
- Identifier: MT7601UN 1530-BMJL GTP39Y55
According to mediatek "High-performance 802.11n for compact and cost-effective Wi-Fi devices".
- Link: http://www.grain-media.com/html/8136S_8135S.htm
- Identifier: GM8 135S-OC SMSKH-000 AG-1525
We can see that it's a ARM architecture. Next to the SoC lies the suspected UART interface.
- Link: http://html.alldatasheet.com/html-pdf/575542/MCNIX/MX25L12835E/1114/7/MX25L12835E.html (similiar model)
- Identifier: MX25L12805E (on the chip is MX25L12805D printed)
- Name: 16M-BIT [x 1] CMOS SERIAL FLASH
=> new pic
It surprised me, that according to the datasheet, the chip got 16 instead of 8 pins. We will examine later, whether it's possible to get some information from the chip via SPI.
- Link: http:/A3/www.everanalog.com/Product/ProductEA3036DetailInfo.aspx
- Identifier: EA3036 4j088s
- Name: 3CH power management IC
On the back of the main board are some other parts.
- Link: http://www.celtor.pl/2447,24c04d-eeprom-szeregowa-4kb-512bx-so8.html
- Identifier: 24c04d 538b1
- Link: http://www.inkocean.in/the-md8002a-8002a-sop8-smd-3w-audio-amplifier-ic-chip
- Identifier: 8002a swire15
The WiFi antenna is stucked in the front shell of the camera.
 |
front shell with attached WIFI antenna |
Inside this front shell lies this "LED ring" with some status LED's and the IR sensor for measuring brightness, I guess.
 |
 |
LED circuit back side |
LED circuit front side |
Without taking further measurements, I suspected the three pins in previous picture to be a UART serial port.
As the first one has a squareformed joint, it's supposed to be the GND pin and the two other ones Tx and Rx.
HiZ>m #Choose protocol from main buspirate interface
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)
(1)>3 #taking UART
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value
(1)>9 #taking baudrate 115200
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1)> # taking default value "no parity"
Stop bits:
1. 1 *default
2. 2
(1)> # taking default value "no stop bits"
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1)> # is the Rx port high or low when it's idle, taking default
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)> # taking open drain as driver circuit for the port
Ready
UART>v # checking the Pinout of the BusPirate
Pinstates:
1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)
GND 3.3V 5.0V ADC VPU AUX - TxD - RxD
P P P I I I I I I I
GND 0.00V 0.00V 0.00V 0.00V L L L L L
UART>(2) # choosing mode to only receive output
Raw UART input
Any key to exit
>��ʛ���s�Ϲܒ`���e����k���������������ʗ���0������������������컚�Ϙ�ߚЛ�������������%�������i���C�������q ��q����"�c9�a�":�i���C�������q ��q����"�c9�a�"���i���C�������q ��q����"�c9�a�"���i��
...
q ��)���"��c9ñ":��C��������q ;�)���"�c9ñ":��C��������q ;�)���"�c9ñ":�iTrying all different baudrates and parity bits didn't give any better result. With a hint of @adi_1318 was it easy. The square pin isn't GND, it's RX (RX,GND,TX) on baudrate of 115200.
So first lesson learned: Never trust in habits. With this Pinning I was able to get readable output and furthermore a shell without Write Rights. For the sake of readabilty I will put booting output into external link.
https://github.com/herrfeder/Offensive_IOT_Exploitation/blob/master/gist_files/booting_output.txt
It gives some interesting information.
- The flash is similar to the suspected one, but has only 16MiB of storage.
- Flash software is iJFFS2 version 2.2. (NAND) from Red Hat
- Flash communicates via SPI and creates 6 partitions on the flash
SPI_FLASH spi0.0: MX25L12845E (16384 Kbytes)
Creating 6 MTD partitions on "nor-flash":
0x000000010000-0x000000080000 : "UBOOT"
0x000000080000-0x000000380000 : "LINUX"
0x000000380000-0x000000b00000 : "FS"
0x000000b00000-0x000000c00000 : "USER0"
0x000000c00000-0x000001000000 : "USER1"
0x000000000000-0x000001000000 : "ALL"
- OS runs Linux with busybox on squashfs filesystem
- DRAM is 64 MiB
- we have USB interfaces (probably for the SD Card Reader)
Drive Vbus because of ID pin shows Device A
fotg210 fotg210.0: FOTG2XX
fotg210 fotg210.0: new USB bus registered, assigned bus number 1
fotg210 fotg210.0: irq 9, io mem 0x93000000
fotg210 fotg210.0: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
- there is a I2C bus
i2c /dev entries driver
ftiic010 ftiic010.0: irq 18, mapped at 84860000
I2C hangs detection thread started!
- uses lib80211 for WiFi functionalities
After getting through booting and many applies of doing some OS tasks we have a shell. The shell will be harassed by intervalled output of WiFi Core that indicates it's in STA mode and scans for a certain AP.
- Finding link in the sourcecode of APK
- this part will be handled in the reversing part
- Dumping from System via SDCard
- We can get nearly the whole filesystem by simply copying it onto an sdcard.
- It will be mounted as /mnt/disk1.
- Dumping Flash via SPI
/mnt # mmc0: new high speed SDHC card at address e624
mmcblk0: mmc0:e624 SU08G 7.40 GiB
mmcblk0:
found removeable disk1
mount removeable disk1 OK
dwDiscState = 2
/# cp -r / /mnt/disk1/
Searching for interesting info bits in the file system
# ..e/david/offensiveIOT/ip_cam/filesystem # grep -rli aes
npc/npc
patch/bin/wpa_supplicant
patch/lib/mt7601Usta_v2.ko
lib/modules/ms.ko
# ..e/david/offensiveIOT/ip_cam/filesystem # grep -rli firmware
npc/npc
patch/bin/ifrename
patch/lib/mt7601Usta_v2.ko
gm/bin/busybox
gm/tools/ethtool
The directory npc with the executable npc seems to be very interesting:
/npc # ls
dhcp.script minihttpd.conf patch txt wPipe
gwellipc mtd pipe_create upgfile_ok
img npc sound version.txt
/npc # cat npc | grep aes
aes-128-ecb
aes-128-cbc
aes-128-ofb
aes-128-cfb
aes-192-ecb
aes-192-cbc
aes-192-ofb
aes-192-cfb
aes-256-ecb
aes-256-cbc
aes-256-ofb
aes-256-cfb
aes-128-cfb1
aes-192-cfb1
aes-256-cfb1
aes-128-cfb8
aes-192-cfb8
aes-256-cfb8
id-aes128-wrap
id-aes192-wrap
id-aes256-wrap
e_aes.c
aes key setup failed
/npc # cat npc | grep -i password
Password
PasswordType
RemotlySetPassword
Super_Password
*cESSID:%s,cPassword:%s,dwEncType = %d
challengePassword
id-PasswordBasedMAC
password based MAC
userPassword
bad password read
problems getting password
CMS_PasswordRecipientInfo
SetApMode Essid and Password Fail!
AP MODE :password is too long!
PASSWORD
password is empty
Set Password
fgCheckMessageAck password incrrect
Password Fail IP=%d Counter=%d dwPassword=%d
Super Password verify OK (idle calling help) ...
Two Password verify OK (idle calling help) ...
manager Password verify OK (idle calling help) ...
Guest Password verify OK (idle calling help) ...
Password verify Fail 00 ...
No Password , Pass
Super Password verify ok3 ...
two Password verify ok3 ...
manager Password verify ok3 ...
guest Password verify ok3 ...
Password verify Fail3 ...
Super Password verify OK 2...
Super+manager Password verify OK 2...
Manager Password verify OK 2...
Guest Password verify OK 2...
Password verify fail 2...
No manager password, in lan 2
Super Password verify OK 1...
Super + manager Password verify OK 1...
Manager Password verify OK 1...
Guest Password verify OK 1...
Password verify fail 1...
Lan , no password
Super Password
super+manager Password
Password verify OK1 ...
Password verify fail 1...
npc has a lot of strings in it related to encrypting and network authentication. It's necessary to obtain this binary from the filesystem to examine it in detail. I will look in the reversing part at the npc and other interesting binaries. I wasn't able to find any fruitful info in cleartext on the system.
My initial concept was to use the Attify Badge with the description from the IOT Exploitation Manual with the tool spiflash (https://github.com/devttys0/libmpsse). As I own a Testclip for 8-pin DIP-Chips, I can simply attach it to the Flash Chip with the following pinning:
 |
 |
Testclip on the Flash Chip |
Pinning of the Testclip Cable |
It will sucessfully detect the Flash Chip probably indicated by the zeros:
oit@ubuntu> ~/tools/libmpsse/src/examples
$ sudo python spiflash.py -i
[sudo] password for oit:
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
00 00 00
Now I will try to dump it's memory to a file. We need some information to do so like the address offset where the firmware image starts and the size of memory. We know from the booting process that the uBoot Partition starts at 0x10000 (int 65536) and the memory size is 16MiB (1610241024). So we can try to start the script with the right params:
oit@ubuntu> ~/tools/libmpsse/src/examples
$ sudo python spiflash.py -a 65536 -s 167510016 -r ip_cam.bin
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
Reading 167510016 bytes starting at address 0x10000...saved to ip_cam.bin.
But when looking into the file, it only has 0x0000 in it:
oit@ubuntu> ~/tools/libmpsse/src/examples
$ hexdump ip_cam.bin
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
9fc0000
After some research I saw that others struggled with the same problem:
- Marzogh/SPIMemory#37
- https://www.ghostlyhaks.com/forum/rom-eeprom-bios-efi-uefi/64-can-t-dump-or-read-mx25l6406e-chip
I decided to give the Bus Pirate a try with the tool flashrom (https://www.flashrom.org/Bus_Pirate) as it's supports the BusPirate directly. I got the BusPirate SPI Pinning:
SPI>v
Pinstates:
1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)
GND 3.3V 5.0V ADC VPU AUX CLK MOSI CS MISO
P P P I I I O O O I
GND 0.00V 0.00V 0.00V 0.00V L L L L L
and connected it to the Testclip, following:
Using the command for flashrom to write the memory into file :
oit@ubuntu> ~/tools/
$ flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r MX25L128.bin -c MX25L12835F/MX25L12845E/MX25L12865E
flashrom v0.9.9-r1954 on Linux 4.7.0-kali1-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
flashrom was built with libpci 3.5.2, GCC 6.3.0 20170221, little endian
Command line (7 args): flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -r MX25L128.bin -c MX25L12835F/MX25L12845E/MX25L12865E
Calibrating delay loop... OS timer resolution is 1 usecs, 2605M loops per second, 10 myus = 11 us, 100 myus = 111 us, 1000 myus = 1025 us, 10000 myus = 10064 us, 4 myus = 5 us, OK.
Initializing buspirate_spi programmer
Detected Bus Pirate hardware v3b
Detected Bus Pirate firmware 5.10
Using SPI command set v2.
SPI speed is 1MHz
Raw bitbang mode version 1
Raw SPI mode version 1
The following protocols are supported: SPI.
Probing for Macronix MX25L12835F/MX25L12845E/MX25L12865E, 16384 kB: probe_spi_rdid_generic: id1 0xc2, id2 0x2018
Found Macronix flash chip "MX25L12835F/MX25L12845E/MX25L12865E" (16384 kB, SPI) on buspirate_spi.
Chip status register is 0x00.
Chip status register: Status Register Write Disable (SRWD, SRP, ...) is not set
Chip status register: Bit 6 is not set
Chip status register: Block Protect 3 (BP3) is not set
Chip status register: Block Protect 2 (BP2) is not set
Chip status register: Block Protect 1 (BP1) is not set
Chip status register: Block Protect 0 (BP0) is not set
Chip status register: Write Enable Latch (WEL) is not set
Chip status register: Write In Progress (WIP/BUSY) is not set
This chip may contain one-time programmable memory. flashrom cannot read
and may never be able to write it, hence it may not be able to completely
clone the contents of this chip (see man page for details).
Reading flash...
This process takes very long but after nearly an hour it finished and I was able to examine a firmware binary:
oit@ubuntu> ~/tools/
$ strings MX25L128.bin | grep -i gcc
arm-unknown-linux-uclibcgnueabi-gcc (Buildroot 2012.02) 4.4.0 20100318 (experimental)
GcC\M
jGcc
Link for the binary: https://github.com/herrfeder/Offensive_IOT_Exploitation/blob/master/gist_files/ip_cam_firmware.bin
Some other interesting links for this purpose:
- http://freneticrapport.blogspot.de/2010/10/how-to-restore-bios-after-bad-flash.html
- http://hackaday.com/2009/06/30/parts-spi-eeprom-25aa25lc/
- https://medium.com/@rxseger/spi-interfacing-experiments-eeproms-bus-pirate-adc-opt101-with-raspberry-pi-9c819511efea
The UI experience of the App for communicating with the Cam is really bad and I wasn't patient enough, to set up WiFi connectivity with the App. In first glance I suspected it would setup open AP and I can simply connect to it but it doesn't. There is some functionality to connect to another existent WiFi by capturing with the Camea App generated QR-Code. I took another way and examined the OS of the Cam to find out what it is up to.
/etc/network # cat interfaces
auto lo
iface lo inet loopback
iface eth0 inet static
address 172.19.78.3
broadcast 172.31.255.255
netmask 255.240.0.0
gateway 172.19.78.2
pre-up /sbin/insmod /lib/modules/2.6.14/extra/ftmac100.ko
post-down /sbin/rmmod ftmac100.ko
# no hints in the configuration on the interfaces
/etc # cat wpa_supplicant0.conf
ctrl_interface=/etc/Wireless
network={
ssid="Free-AP0"
key_mgmt=NONE
}
# but a wpa_supplicant conf with a given SSID
As I setted up an open AP with the SSID "Free-AP0" the Cam connects immediately to it.
CH 1 ][ Elapsed: 6 s ][ 2017-08-17 18:16 ][ paused output
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:C0:CA:62:41:8F -9 100 90 13 0 1 54 OPN Free-AP0
BSSID STATION PWR Rate Lost Frames Probe
00:C0:CA:62:41:8F F8:0C:F3:FF:5F:6C 14 54 - 6 0 11 # Smartphone with App
00:C0:CA:62:41:8F 20:F4:1B:5C:07:AD -19 1 - 1 0 5 # IPCam
To set up open or WEP/WPA access points quickly with internet access, I recommend the little bashtool qw (https://github.com/file-not-found/qw). Prequesities are hostapd and dnsmasque. You can do it with hostapd by bridging or routing the connectivity manually.
root@greenpc2 ~/wlan # ./qw ap Free-AP0 wlan0
Enter passphrase (leave blank for open network):
Configuration file: /tmp/qw_1_hostapd.conf
Using interface wlan0 with hwaddr 00:c0:ca:62:41:8f and ssid "Free-AP0"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: authenticated # smartphone tries to connect
wlan0: STA f8:0c:f3:ff:5f:6c IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED f8:0c:f3:ff:5f:6c
wlan0: STA f8:0c:f3:ff:5f:6c RADIUS: starting accounting session C7E9972B18913018
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
Unsupported authentication algorithm (1)
handle_auth_cb: STA 20:f4:1b:5c:07:ad not found
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: authenticated # IPCam tries to connect
wlan0: STA 20:f4:1b:5c:07:ad IEEE 802.11: associated (aid 2)
wlan0: AP-STA-CONNECTED 20:f4:1b:5c:07:ad
wlan0: STA 20:f4:1b:5c:07:ad RADIUS: starting accounting session 611E6C4DC8EFDE0C
=> fuzzing wifi
As the IPCam has network connection we will take the first step of network recon and scan the IPCam itself:
root@greenpc2 /home/david # nmap 10.0.0.21
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:10 CEST
Nmap scan report for 10.0.0.21
Host is up (0.022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
554/tcp open rtsp # streaming video data locally
5000/tcp open upnp # connect to distanced web server, will probably open port on router
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)
As it has an open upnp port I suspected it to open a port on a router, when it is allowed to. I checked this out on a FritzBox but it doesn't open a port automatically.
There is a telnet daemon on the device. It seems to work:
root@greenpc2 /home/david # nmap 10.0.0.21
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 15:23 CEST
Nmap scan report for 10.0.0.21
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
554/tcp open rtsp
5000/tcp open upnp
MAC Address: 20:F4:1B:5C:07:AD (Shenzhen Bilian electronic)
<SOAP-ENV:Fault xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsdd="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:chan="http://schemas.microsoft.com/ws/2005/02/duplex" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:xmime="http://tempuri.org/xmime.xsd" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:wsrfbf="http://docs.oasis-open.org/wsrf/bf-2" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:wsrfr="http://docs.oasis-open.org/wsrf/r-2" xmlns:tdn="http://www.onvif.org/ver10/network/wsdl" xmlns:tds="http://www.onvif.org/ver10/device/wsdl" xmlns:tev="http://www.onvif.org/ver10/events/wsdl" xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" xmlns:tptz="http://www.onvif.org/ver20/ptz/wsdl" xmlns:trt="http://www.onvif.org/ver10/media/wsdl"> SOAP-ENV:Client HTTP GET method not implemented </SOAP-ENV:Fault>
use exploit/linux/http/realtek_miniigd_upnp_exec_noauth use exploit/linux/http/dlink_upnp_exec_noauth
Binding to interface wlan0 ...
Verbose mode enabled! upnp> msearch
Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...
msf > use auxiliary/scanner/upnp/ssdp_msearch msf auxiliary(ssdp_msearch) > set RHOSTS 10.0.1.25/32 msf auxiliary(ssdp_msearch) > run
[] Sending UPnP SSDP probes to 10.0.1.25->10.0.1.25 (1 hosts) [] No SSDP endpoints found. [] Scanned 1 of 1 hosts (100% complete) [] Auxiliary module execution completed
Regarding UPnP, this is an interesting presentation: http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf http://toor.do/upnp.html
As I suspect an encrypted connection between IPCam, Smartphone and Backend Server, we need to sniff directly on the IPCam or the smartphone. I guess, it's much easier on the Phone. My smartphone for experimenting is rooted. This is necessary for sniffing raw traffic on the network. I downloaded tcpdump for android (http://www.androidtcpdump.com/) and load it into the phone. For placing and executing an external binary are only a few places appropriate in the android file system. You can use /data/local/tmp or /sdcard/tmp or maybe some other. With adb we can control our Phone now.
$ adb shell #opening shell on android phone
shell@mako:/ $ su
root@mako:/data/local/tmp # ./tcpdump -n -s 0 -w ipcam_cap
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C16598 packets captured
16598 packets received by filter
0 packets dropped by kernel
root@mako:/data/local/tmp # ls
hexdump.bin
ipcam_cap
tcpdump
I was trying to trigger many activities in the communication between App and IPCam to get interesting traffic. There was interesting traffic, indeed. It will be paired with the related App activity. To filter all the Android and Google Stuff it's useful to filter some IP's. I use wireshark for this:
not ip.addr == 172.217.22.99 && not ip.addr == 216.58.205.234
 |
 |
Register Screenshot 1 |
Register Screenshot 2 |
 |
Login Check |
 |
Answer for existing login |
 |
 |
Add Friend / Add camera to personal dash |
After adding => Get Friends List |
 |
Add Friend Capture |
| |
Reply for existing login |
 |
Get Friends List |
 |
Delete Friend |
 |
Get Version |
 |
Reply for version |
Applying more filter to see communication between Laptop and the remote feature on videoipcamera.cn/view. Requires Internet Explorer to use it. There is a lot of traffic with three participants, so I have to use multiple rules.
not ip.addr == 172.217.22.99 && not ip.addr == 216.58.205.234 && ip.addr == 101.1.17.22 && http.request.method == GET
This will reveal a lot of GET requests to videoipcamera.cn and a binary setup.exe on http://videoipcamera.cn/view/setup.exe. This is necessary to use the cam-client on a PC. By the way, installing and starting it on Windows 10 and Windows 7 Internet Explorer will kill Internet Explorer.
 |
 |
Testclip on the Flash Chip |
Pinning of the Testclip Cable |
But Installing places some files into C:Programme/Viewer_IPCam(SDL2.dll,Viewer.ocx)
SDL2.dll won't reveal anything interesting with a short look in IDA Disassembler:
Viewer.ocx has some interesting strings in it that will reveal some new type of requests to the server:
Put that into a list with the new info:
Viewer 1 327681 -1 39 /
http:// DomainList 500 404 29 23 &Language= &AppName= &AppOS= &AppOS &AppVersion= &AppVersion
Users/LoginCheck.ashx &DomainList= &Pwd= VersionFlag=1&User=
Users/Logout.ashx &SessionID= UserID=
Users/AddFriend.ashx &MonitorPwd= &RemarkName= &Groupname= &FriendID=
Users/DeleteFriend.ashx &DelFromHisList=0 Users/GetFriendList.ashx &Type=
Users/PhoneCheckCode.ashx &PhoneNO= CountryCode=
Users/RegisterCheck.ashx &IgnoreSafeWarning= &VerifyCode= &CountryCode= &Email= &RePwd= VersionFlag=1&Pwd=
Users/modifyFriendRemarkName.ashx &OldRemarkName= &NewRemarkName=
Users/ModifyMonitorPwd.ashx {"error_code":"100100","error":"ÕÒ²»µ½¿ÉÓ÷þÎñÆ÷"} {"error_code":"100101","error":"·¢ËÍÇëÇóʧ°Ü"} ����ðí��HTTP
Host: Content-Length: %ld
User-Agent: Neeao/4.0
Accept-Encoding: gzip, default
Accept-Language: en-us
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
HTTP/1.0
POST GET Content-Type: application/x-www-form-urlencoded
So I collected a list of participating servers with IP and used requests:
| videoipcamera.com | 218.30.35.92 | POST /Users/GetFriendList.ashx | POST /Users/AddFriend.ashx |
| videoipcamera.cn | 101.1.17.22 | POST /Users/GetFriendList.ashx | POST /Users/AddFriend.ashx |
| upg1.videoipcamera.cn | 218.30.35.92 | GET /00/06/latestversion.asp | |
| p2p1.videoipcamera.cn | 146.0.238.42 | ||
| api1.videoipcamera.cn | 101.1.17.22 | POST /Users/LoginCheck.ashx | |
| api2.videoipcamera.cn | 218.30.35.92 | POST /Users/LoginCheck.ashx | |
| api3.videoipcamera.cn | 101.1.17.22 | POST /Users/LoginCheck.ashx | |
| api4.videoipcamera.com | 146.0.238.42 | POST /Users/LoginCheck.ashx | |
| 92.42.106.94 | |||
| 103.41.127.199 | |||
| 104-250-152-26.static.gorillaservers.com | 104.250.152.26 |
There are some other servers participated talking directly to the IPCam and the Phone over UDP: Please be cautious, when intended to scan unkown web servers. Your actions could be understand as an attack.
# nmap 92.42.106.94
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-15 16:29 CEST
Nmap scan report for 92.42.106.94
Host is up (0.051s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
3389/tcp open ms-wbt-server
5060/tcp closed sip
5061/tcp closed sip-tls
Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds
$ nmap 103.41.127.199
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-22 15:13 CEST
Nmap scan report for 103.41.127.199
Host is up (0.33s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
3389/tcp open ms-wbt-server
6129/tcp filtered unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49165/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 40.67 seconds
david@greenpc2> ~
$ host 104.250.152.26
26.152.250.104.in-addr.arpa domain name pointer 104-250-152-26.static.gorillaservers.com.
david@greenpc2> ~
$ nmap 104.250.152.26
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-22 15:18 CEST
Nmap scan report for 104-250-152-26.static.gorillaservers.com (104.250.152.26)
Host is up (0.24s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
6129/tcp filtered unknown
8080/tcp open http-proxy
9090/tcp open zeus-admin
33899/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 30.49 seconds
# getting UDP messages like
12:03:01:00:ee:2e:0b:80:8f:d7:ce:7c:d3:c0:52:cc:a1:6d:4e:9e:38:41:09:00
# will send like
13:01:01:00:ee:2e:0b:80:6d:7d:d8:fd:ac:f5:6b:d8:de:58:77:8a:38:41:09:00:01:07
We have some encrypted Info bits, that may will help me on reversing App and firmware:
Passwort: <password> => 891A54C4E2EAB52D01C6FBF85A4C143E
UserID: 0732910 => -2146750738
Encrypted UDP: 10.0.0.21 -> 10.0.0.27
00:00:00:02:00:00:00:01:00:00:00:50:00:00:00:01:00:09:41:38:00:00:00:07:00:00:00:01:0e:00:00:0f:00:30:61:72:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:2f:00:00:00:00:00:00:00:00
Encrypted UDP: 10.0.0.27 -> 146.0.238.42
0c:05:03:00:ee:b6:b9:67:ee:2e:0b:80:3c:88:2a:1d:4e:25:36:4f:9a:44:28:8e:00:00:00:00:e4:74:85:3b
Encrypted UDP: 146.0.238.42 -> 10.0.0.27
0d:01:00:00:9a:44:28:8e:b1:e8:c6:af:09:00:00:00:5c:2a:6a:5e:0f:a0:01:01:92:00:ee:2a:ca:a8:01:01:68:fa:98:1a:1f:40:01:01:67:29:7f:c7:ca:a8:01:01:dc:e7:8e:89:22:53:03:01:da:1e:23:5c:22:53:03:01:92:00:ee:2a:22:53:03:01:da:1e:23:5c:2b:5c:04:01:92:00:ee:2a:2b:5c:04:01
By following the stream of a UDP connection in wireshark (email_subscribe_cap), I can extract the payloads of a connection between my smartphone and 92.42.106.94. It probably uses some kind of encryption with a static key because it isn't readable in ASCII or UTF:
0103caa80a00011eee2e0b80c35bc578c80efcc9baa3e09b118ff7030001000011000000
0203caa800000000ee2e0b80c35bc578c80efcc9baa3e09b118ff70300010000010000000000000000000000
0103caa80a00011eee2e0b808c60ad4ce183cd1c932ed14e4e56f8030001000011000000
0103caa80a00011eee2e0b800e61bb5e8c95aec7fe38b295365af8030001000011000000
0103caa80a00011eee2e0b80656c4f1bab72fd6ad9dfe1381d5ef8030001000011000000
0103caa80a00011eee2e0b80eab2bb29c577a1a8b7dabdfa0362f8030001000011000000
0103caa80a00011eee2e0b80fa90318bb38fdf6ac122c338ed65f8030001000011000000
0103caa80a00011eee2e0b80f3655018b9997d49cb34611bcd69f8030001000011000000
0103caa80a00011eee2e0b80cb7e099f1abe7cf3681360a1b76df8030001000011000000
0103caa80a00011eee2e0b80e17df9283ff52ccb4d583099a771f8030001000011000000
0103caa80a00011eee2e0b80b486ca4d073e19397593056b8675f8030001000051000000
0103caa80a00011eee2e0b8024ac620c080cc0b07aa1dce26f79f8030001000051000000
0203caa800000000ee2e0b80b486ca4d073e19397593056b8675f80300010000010000000000000000000000
0203caa800000000ee2e0b8024ac620c080cc0b07aa1dce26f79f80300010000010000000000000000000000
0103caa80a00011eee2e0b806285763d44675edb36ca4289587df8030001000051000000
0103caa80a00011eee2e0b80422226691c0471f66ea96da44381f8030001000051000000
0203caa800000000ee2e0b806285763d44675edb36ca4289587df80300010000010000000000000000000000
0103caa80a00011eee2e0b802792d54f60749ffd12d983af2d85f8030001000051000000
0203caa800000000ee2e0b80422226691c0471f66ea96da44381f80300010000010000000000000000000000
0203caa800000000ee2e0b802792d54f60749ffd12d983af2d85f80300010000010000000000000000000000
0103caa80a00011eee2e0b80d535e0afb1b485afc31999fd1f58f9030001000011000000
0103caa80a00011eee2e0b80a93d6b265af1a0a1285cbcf3045cf9030001000011000000
0203caa800000000ee2e0b80d535e0afb1b485afc31999fd1f58f90300010000010000000000000000000000
0203caa800000000ee2e0b80a93d6b265af1a0a1285cbcf3045cf90300010000010000000000000000000000
0103caa80a00011eee2e0b80e7df0a9635e24ff4474f53a6dd32fa030001000011000000
0203caa800000000ee2e0b80e7df0a9635e24ff4474f53a6dd32fa0300010000010000000000000000000000
0103caa80a00011eee2e0b80d3c7d023babc772ac8116b7813fafa030001000011000000
0103caa80a00011eee2e0b807f17cfb405c0fb89776de7dbf7fdfa030001000011000000
0203caa800000000ee2e0b80d3c7d023babc772ac8116b7813fafa0300010000010000000000000000000000
0203caa800000000ee2e0b807f17cfb405c0fb89776de7dbf7fdfa0300010000010000000000000000000000
0103caa80a00011eee2e0b8033f562d0cab6ce75b81bd2271377fb030001000011000000
0203caa800000000ee2e0b8033f562d0cab6ce75b81bd2271377fb0300010000010000000000000000000000
0103caa80a00011eee2e0b80f294c12ee27f3fc290d223904e3efc030001000011000000
0103caa80a00011eee2e0b8014588d3f77361be5059b07b72e42fc030001000011000000
0203caa800000000ee2e0b80f294c12ee27f3fc290d223904e3efc0300010000010000000000000000000000
0203caa800000000ee2e0b8014588d3f77361be5059b07b72e42fc0300010000010000000000000000000000
0103caa80a00011eee2e0b804fac7af3260c1f8e54a103dc0c19fd030001000011000000
0103caa80a00011eee2e0b80e4f1756829b5f91b5b18e549ed1cfd030001000011000000
0103caa80a00011eee2e0b80a9c2a85c591407cc2bb91b9ed920fd030001000011000000
0103caa80a00011eee2e0b80bc405bce41ef914233428d10c024fd030001000011000000
0103caa80a00011eee2e0b80ca4c5703c34a618cb1e77ddea628fd030001000011000000
0103caa80a00011eee2e0b8070850f260f669da47dcb81f6952cfd030001000011000000
0203caa800000000ee2e0b80bc405bce41ef914233428d10c024fd0300010000010000000000000000000000
0203caa800000000ee2e0b80ca4c5703c34a618cb1e77ddea628fd0300010000010000000000000000000000
0203caa800000000ee2e0b8070850f260f669da47dcb81f6952cfd0300010000010000000000000000000000
This packets are exchanged between smartphone and multiple servers (146.0.238.42,103.41.127.199,104.250.152.26):
0103caa80a00011eee2e0b80b486ca4d073e19397593056b8675f8030001000051000000
0103caa80a00011eee2e0b8024ac620c080cc0b07aa1dce26f79f8030001000051000000
0203caa800000000ee2e0b80b486ca4d073e19397593056b8675f80300010000010000000000000000000000
0203caa800000000ee2e0b8024ac620c080cc0b07aa1dce26f79f80300010000010000000000000000000000
0103caa80a00011eee2e0b806285763d44675edb36ca4289587df8030001000051000000
0103caa80a00011eee2e0b80422226691c0471f66ea96da44381f8030001000051000000
0203caa800000000ee2e0b806285763d44675edb36ca4289587df80300010000010000000000000000000000
0103caa80a00011eee2e0b802792d54f60749ffd12d983af2d85f8030001000051000000
0203caa800000000ee2e0b80422226691c0471f66ea96da44381f80300010000010000000000000000000000
0203caa800000000ee2e0b802792d54f60749ffd12d983af2d85f80300010000010000000000000000000000
0.......p...........8...
....iZo8...Ej.q.iZo(H..........0........N............[o....IC.q..[oPPvop.Po[... ...........433.../..............GVo8.[o............
.....C...U.8.[o..C..........W.sa....6..........`...|E.k........hildagard@temp-mail.de..............................................smtp.gmail.com,173.194.193.108,173.194.67.108...................anabelle@shitmail.de............................................2v..i....i0e....`iZo....`...=8O.^....F..0.......p...........8...Attention: alarm...............................................qDear User,
Please check the attached picture for more information.................................sa...|E.k........
- JADX
- APKTOOL
- Unzip the APK
- Bytecode Viewer (includes Java Decompiler and some others) https://github.com/Konloch/bytecode-viewer/
JADX is a decompiler for java executables that will also process apk. You can simply execute the binary of jadx by appending your desired apk.
I recognized this:
Exception in thread java.lang.OutOfMemoryError: Java heap space
As I work in a VM with low RAM JADX overflows my virtual. By changing the environment variable we can maximize the memory space and using only one thread it will work better.
$ JAVA_OPTS="-Xmx1300M" ../tools/jadx/bin/jadx -j 1 Sricam_17.7.17_apk-dl.com.apk
But there are a lot of errors on execution of JADX. Although I started in examining the decompiled files. At first glance I will search for JNI (Java Native Interfaces) that could reveal linkings to the library files:
oit@ubuntu> ~/doku/Sricam_17.7.17_apk-dl.com
$ grep -rli jni .
./com/mediatek/elian/ElianNative.java
./com/baidu/android/pushservice/g.java
./com/baidu/android/pushservice/message/g.java
./com/baidu/android/pushservice/c/e.java
./com/baidu/android/pushservice/c/j.java
./com/baidu/android/pushservice/c/b.java
./com/baidu/android/pushservice/util/c.java
./com/baidu/android/pushservice/util/s.java
./com/baidu/android/pushservice/j/d.java
./com/baidu/android/pushservice/jni/PushSocket.java
./com/baidu/android/pushservice/jni/BaiduAppSSOJni.java
./com/baidu/android/pushservice/g/d.java
./com/baidu/android/pushservice/f.java
./com/baidu/android/pushservice/config/b.java
./com/xapcamera/SetWifiActivity3.java
./com/tencent/connect/auth/AuthDialog.java
./com/tencent/stat/StatNativeCrashReport.java
./com/tencent/open/web/security/SecureJsInterface.java
./com/tencent/open/web/security/JniInterface.java
./ilnk/lib/IlnkApi.java
=> more info
Searching for other interesting strings:
oit@ubuntu> ~/doku/Sricam_17.7.17_apk-dl.com
$ grep -rli aes
cn/jiguang/api/BasePreferenceManager.java
cn/jiguang/api/JCoreInterface.java
oit@ubuntu> ~/doku/Sricam_17.7.17_apk-dl.com/cn/jiguang
$ grep -rli encrypt
c/a/a.java
api/BasePreferenceManager.java
a/a/b/h.java
BasePreferenceManager.java seems to be interesting. Looking into the sourcecode reveals nothing good:
public abstract class BasePreferenceManager {
private static final String AES_ENCRYPTION_SEED;
private static final String JPUSH_PREF;
private static SharedPreferences mSharedPreferences;
private static final String[] z;
/* JADX: method processing error */
/*
Error: java.lang.StackOverflowError
...
Checking this with multiple other decompilers lead to the same result. This file as many others have shortly after beginning some decompiler errors. Some sort of decompiling protection I guess. I don't know enough about Android Reversing, so I can't interprete this the right way at the moment and research doesn't bring good results about this.
Another interesting file points to a default user on the p2p server:
$ vim lnkConstant.java
public static final String P2P_PARAM_DEFAULT_DEVICE_ID = "XXX-000000-XXXXX";
public static final String P2P_PARAM_DEFAULT_DEVICE_NAME = "Node161205";
public static final String P2P_PARAM_DEFAULT_PWD = "admin";
public static final String P2P_PARAM_DEFAULT_SERVER = "EKPNHXIDAUAOEHLOTBSQEJSWPAARTAPKLXPGENLKLUPLHUATSVEESTPFHWIHPDIEHYAOLVEISQLNEGLPPALQHXERELIALKEHEOHZHUEKIFEEEPEJ-$$";
=> try out
It's possible to checkout the upgrade mechanism for the apk on the upg1 server. But redo all requests from a desktop browser by simply appending the clear strings like "/latestversion.asp" results in 404.
$ vim ./com/p2p/core/update/UpdateManager.java
...
private static final String UPDATE_URL = "http://upg1.videoipcamera.cn/";
...
public boolean checkUpdate() {
...
StringBuilder(UPDATE_URL).append(version_parse[0]).append(HttpUtils.PATHS_SEPARATOR).append(version_parse[1]).append("/latestversion.asp").toString();
...
public String getUpdateDescription() {
...
HttpURLConnection connection = (HttpURLConnection) new URL(new StringBuilder(UPDATE_URL).append(version_parse[0]).append(HttpUtils.PATHS_SEPARATOR).append(version_parse[1]).append("/des_html.asp").toString()).openConnection();
....
public void downloadApk(Handler handler, String filePath, String fileName) {
...
HttpURLConnection connection = (HttpURLConnection) new URL("http://upg1.videoipcamera.cn//" + version_parse[0] + HttpUtils.PATHS_SEPARATOR + version_parse[1] + HttpUtils.PATHS_SEPARATOR + this.version_server.trim() + ".apk").openConnection();
...
Another interesting file bit is in WXLoginRequest. It reveals another post request "Users/ThirdLogin.ashx" with ID and Token to http://api1.cloudlinks.cn/Users/ThirdLogin.ashx. Overall it reveals the origin of the smartphone app: https://www.yooseecamera.com/
$ vim ./com/xapcamera/network/WXLoginRequest.java
params.add(new BasicNameValuePair("AppID", "d591b466644a0420e5f29aefb0cf0088"));
params.add(new BasicNameValuePair("AppToken", "2db6962ff0901b8ce771f20f14a651a2786086e55615f951aa0c7c9b33fc5340"));
params.add(new BasicNameValuePair("Language", App.application.getResources().getConfiguration().locale.getLanguage()));
params.add(new BasicNameValuePair("AppOS", Constants.VIA_TO_TYPE_QQ_DISCUSS_GROUP));
params.add(new BasicNameValuePair("AppName", "com.yoosee"));
String[] parseVerson = new String[]{"00", "46", "00", Constants.VIA_REPORT_TYPE_WPA_STATE};
int c = Integer.parseInt(parseVerson[2]) << 8;
params.add(new BasicNameValuePair("AppVersion", String.valueOf((((Integer.parseInt(parseVerson[0]) << 24) | (Integer.parseInt(parseVerson[1]) << 16)) | c) | Integer.parseInt(parseVerson[3]))));
params.add(new BasicNameValuePair("PackageName", "com.yoosee"));
params.add(new BasicNameValuePair("ApiVersion", Constants.VIA_TO_TYPE_QQ_GROUP));
return doPost(params, "Users/ThirdLogin.ashx");
=> Trying with curl
oit@ubuntu> ~/tools/apktool
$ ./apktool -d Sricam_17.7.17_apk-dl.com.apk
APKTool will generate smali files from the APK. Smali is a readable format of the dalvik executable dex file. As JADX isn't capable of disassembling all files it could be fruitful to look at the smali files. It looks like kind of assembler. Looking into the smali file of BasePreferenceManager.smali we recognize some constant strings:
.method static constructor <clinit>()V
.locals 14
const/16 v9, 0x35
const/16 v10, 0x11
const/4 v8, 0x4
const/4 v12, 0x1
const/4 v1, 0x0
const-string v2, "W#F\u0013titY\u0008p`\u0016\\\u0005ce(L]+n9Z\u0015t5k\u0004"
But they have no typical length for a IV or a AES key.
The strings.xml file could be very useful, as it includes nearly all constant strings, that are used in the Java apk. But doesn't reveal anything new.
$ vim ./res/values/strings.xml
Simply unzipping the apk will unpack it's resources for Linking and Compiling and reveals DEX binary and the native ARM libraries. We can use the compiled dalvic executable dex file to convert it to a smali. We can use the dex file to repack it to a jar file. The Bytecode Viewer will do exactly this. For now I will simply examining the shared objects files for interesting functions by using information from previous findings.
$ r2 libelianjni.so
[0x00004b90]> afl
...
0x000059a8 12 290 sym.RT_AES_KeyExpansion
0x00005ad8 43 604 sym.RT_AES_Encrypt
0x00005d4c 42 540 sym.RT_AES_Decrypt
0x00005f80 12 230 sym.RT_HMAC_SHA1
0x0000606c 1 42 sym.RT_SHA1_Init
0x0000609c 15 412 sym.RT_SHA1_Hash
0x00006248 6 96 sym.RT_SHA1_Append
0x000062a8 5 174 sym.RT_SHA1_End
0x00006358 3 72 sym.RT_SHA1
...
But the binaries are really big and cannot be handled easily.
Bytecode Viewer runs into the same errors as JADX and won't give new information:
There is a document on the chip that these cameras use. I to have purchased cameras from China and have no Web interface to change the camera's settings. You are limited to what the manufacture wants you to be able to do. My cameras have WiFi but I am not able to change the SSID or IP address. This I think is a poor sales practise. I'm currently looking to change out the processor board to give me the Web server settings to make changes to the camera. I'll let you know how it goes....
GM8136S_GM8135S_Data_Sheet_V0.2.pdf
djdubuque.com I'll post images of my camera here
