The IPCC H03 "security" camera

 
One of my Foscam cameras has recently started to act up, so I decided that it was time for some new security cameras, so I went on eBay and ordered a pair of IPCC H03 HD Megapixel 720P IP Cloud Cameras ;)

These should be capable of streaming HD 720P h264 in 30 frames per second, plus has a lot of features build in, like motion detection, audio, onvif and whatnot, which I'm probably isn't going to be using. And.. btw.. this audio feature requires that you to connect a microphone, that you have to buy separate. But no big deal, I won't be using audio anyway.

Unboxing and installation went flawless, they were so kind to put the IP address, default username and password on a label on the box. The build quality of both the camera and especially the attached mount, was above what I had expected.

Also the web interface is both quite nice looking, and responsive, the first thing I did was to find the user setup, to change the default passwords.

 Getting a picture out of the thing was a bit more tricky, the camera want you to download a plugin for the browser, but since I will be looking at the camera via ZoneMinder, I fired up VLC and tried out different url's.
Eventually and with a bit of help from Google, I found out that the following url did the trick:
rtsp://user:password@ipaddress:554/11

And I was pleased with a decent quality picture, all in all a success.

I have later on encountered issues with ZoneMinder giving me a blue screen instead of a picture, after some hours streaming. I haven't had time to figure out why, and this might as well be a problem with ffmpeg.

So now for the security part...
Dodumentation for the camera is very sparse, but the manufacture did provide a CD with some basic well illustrated guides for setting up the camera and features. What stuck me, was that the url for the rtsp stream, didn't include username and password. A quick test confirmed that this could be accessed unauthenticated. But but I guessed that it was because it has cached my IP, stored a cookie or something similar, to keep keep track on who has access, and who has not..
But no.. this wasn't the case, the stream could be accessed unauthenticated from anywhere.. hmmm..


So what else is there I thought?

Curl'ing the front page unauthenticated reveals the whole IU script, containing links to a few CGI scripts.
[ralf@bistromath ~]$ curl -s http://172.22.22.55/web/index.html | grep cgi
<script language="JavaScript1.2" src="/cgi-bin/getwifiattr.cgi" type="text/javascript"></script>
<script language="JavaScript1.2" src="/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get" type="text/javascript"></script>
<SCRIPT LANGUAGE="JavaScript1.2" SRC="/cgi-bin/hi3510/bconf.cgi" TYPE="text/javascript"></SCRIPT>

So why not try calling some of them, still unauthenticated..
[ralf@bistromath ~]$ curl -s http://172.22.22.55/cgi-bin/getwifiattr.cgi
var wifissid = "ErikSpandMand";
var wifikeytype = "3";
var wifiwhichkey = "0";
var wifikey="sm0keit";
var wifienable="1";
var wifimac="DE:AD:BE:EF:00:00"
var linkstatus="1";
var linkssid="ErikSpandMand"
var wifimode="STA";

Hey wait aminute.. this is my wifi settings.. well... it's not entirely true.. I changed some things, but.. i mean.. it was..

My first plan was actually to just download the firmware and explorer it, but I haven't been able to find it. The manufactures homepage is here, http://www.ipccam.com/ecp_view.asp?id=379 and I'll buy a beer to the first person that can post a link to the firmware, possible even a security updated version..

The camera has a telnet server enabled, but the passwords in the web UI isn't linked to the passwords in /etc/passwd. The only user on the camera is root, and the password isn't readily available on Google. So the next part will break the warranty.. ;)

Unscrewing the lid and removing the diode board, reveals a serial port, this is TTL levels, so they has to be converted to normal RS232, to do this I used part of an old project with a MAX233, baud rate is 115200.
 


From here it is is pretty straightforward, actually easier than I thought. The camera runs u-boot, and getting root access, is as simple as breaking the boot sequence, adding init=/bin/sh to the kernel parameters and boot it up. The flash is just mounted as jffs2 and a simple passwd did the trick. And after a reboot I was able to log into the camera as root.

From looking at the bootlog, there is some services logging on to the camera as root, but they failed with wrong password, even before I changed it, and the camera is still able to stream with a changed root password.

There is a good chance that there is another way to root the camera via the web UI, a lot of the cgi scripts is simple shell scripts, and the http server build into the camera is also flawed, but breaking out the soldering iron did the trick in less than 30 minutes. The camera isn't vulnerable to shellshock so that it at least one thing that is secure.. ;)

Now with the camera rooted I could explore the filesystem live. A lot of the magic happens in a big ugly binary called vs_server in the web root, you can download it with:
wget http://172.22.22.55/vs_server

Run a strings on it and explore... A lot of the camera functions is compiled into this file, and they are called from /web/cgi-bin/hi3510/some.cgi among some of the useful functions, you can call  is /cgi-bin/hi3510/getuser.cgi if you have forgotten your username or password. This script simply returns all users on the camera and their passwords.

/cgi-bin/hi3510/snap.cgi takes s snapshot which is stored on a temporary mount, and returns a link to the image, so if the camera you are exploring is behind a firewall, that isn't forwarding port 554, this is a way to get pictures out of the camera.

Oh.. btw, the camera supports UPNP. I haven't tested how well this works, and which ports actually gets forwarded.