Cheap Chinese Camera - Part 2

So I got this tip that a firmware release actually has telnetd enabled.

Since I already know how the camera checks for new firmware updates, I just spoofed the "latest version" request and tried to trick it into downloading the 22.00.16 release that had telnet enabled.

It worked like a charm and it now runs 22.00.16 and yes, telnetd is indeed enabled. Login with username root and no password.

dmesg

[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Linux version 3.4.43-gk (user15@ubuntu) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #59 PREEMPT Wed Oct 25 00:10:50 PDT 2006
[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: Goke GK7102 RB_JXH42 board V2.00
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
[    0.000000] BSB: 0xc2800000  0xf5000000  -- 0x200000
[    0.000000] DSP: 0xc2a00000  0xf6000000  -- 0x1600000
[    0.000000] hal version = 20151223 
[    0.000000] On node 0 totalpages: 9728
[    0.000000] free_area_init_node: node 0, pgdat 8045c430, node_mem_map 80493000
[    0.000000]   Normal zone: 76 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 9652 pages, LIFO batch:1
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 9652
[    0.000000] Kernel command line: console=ttySGK0,115200 noinitrd mem=38M rw mtdparts=gk7101_flash:256K(boot),64K(bootenv),2560K(kernel),7168K(rootfs),1024K(rom),5312K(APP) rootfstype=squashfs root=/dev/mtdblock3 init=linuxrc ip=192.168.1.229:192.168.1.225:192.168.1.1:255.255.255.0:"gk7101":eth0 mac=3C:97:0E:22:E1:14 phytype=0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 38MB = 38MB total
[    0.000000] Memory: 33832k/33832k available, 5080k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
[    0.000000]     vmalloc : 0x82800000 - 0xff000000   (1992 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x82600000   (  38 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .text : 0x80008000 - 0x80413000   (4140 kB)
[    0.000000]       .init : 0x80413000 - 0x80433000   ( 128 kB)
[    0.000000]       .data : 0x80434000 - 0x8045cd00   ( 164 kB)
[    0.000000]        .bss : 0x8045cd24 - 0x8048edf8   ( 201 kB)
[    0.000000] NR_IRQS:128
[    0.000000] >> gk7101 init irq vic1...
[    0.000000] >> gk7101 init irq vic2...
[    0.000000] gk7101 init vic...
[    0.000000] mach gk7101 init timer...
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttySGK0] enabled
[    0.010000] Calibrating delay loop... 597.60 BogoMIPS (lpj=2988032)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 512
[    0.080000] CPU: Testing write buffer coherency: ok
[    0.090000] Setting up static identity map for 0xc0542e30 - 0xc0542e68
[    0.100000] NET: Registered protocol family 16
[    0.110000] gk7101 init timer...
[    0.110000] Init HW timer for DSP communication
[    0.120000] gk7101 init gpio...
[    0.120000] gpiochip_add: registered GPIOs 0 to 63 on device: gk7101-gpio0
[    0.130000] gpio map init...
[    0.130000] create proc dir
[    0.140000] gk7101 register devices 8
[    0.140000] gk7101 register I2C
[    0.280000] bio: create slab  at 0
[    0.290000] spi spi.0: gk7101 SPI Controller 0 created 
[    0.290000] spi spi.0: master is unqueued, this is deprecated
[    0.300000] usbcore: registered new interface driver usbfs
[    0.310000] usbcore: registered new interface driver hub
[    0.310000] usbcore: registered new device driver usb
[    0.320000] i2c regbase: 0xf3003000 
[    0.320000] i2c i2c.0: i2c irq:registers 9
[    0.330000] i2c i2c.0: GK7101 I2C[0] adapter[i2c-0] probed!
[    0.340000] FS-Cache: Loaded
[    0.340000] CacheFiles: Loaded
[    0.350000] cfg80211: Calling CRDA to update world regulatory domain
[    0.360000] gk7101-sd gk7101-sd.0: Slot0 req_size=0x00010000, segs=16, seg_size=0x00010000
[    0.390000] gk7101-sd gk7101-sd.0: GK7101 SD/MMC[0] has 1 slots @ 46000000Hz, [0x09e130b0:0x00000000]
[    0.400000] NET: Registered protocol family 2
[    0.400000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.410000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[    0.420000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.430000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.440000] TCP: reno registered
[    0.440000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.450000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.450000] NET: Registered protocol family 1
[    0.460000] RPC: Registered named UNIX socket transport module.
[    0.470000] RPC: Registered udp transport module.
[    0.470000] RPC: Registered tcp transport module.
[    0.480000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.490000] mdma init...
[    0.490000] mdma request irq: 54 
[    0.500000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.500000] NFS: Registering the id_resolver key type
[    0.510000] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.520000] msgmni has been set to 66
[    0.530000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    0.540000] io scheduler noop registered
[    0.540000] io scheduler deadline registered
[    0.550000] io scheduler cfq registered (default)
[    0.550000] Serial: gk7101_uart driver
[    0.550000] serial_gk7101_probe: entry
[    0.550000] uart.0: ttySGK0 at MMIO 0xa0005000 (irq = 31) is a gk7101uart
[    0.560000] serial_gk7101_probe: succeed!
[    0.560000] serial_gk7101_probe: entry
[    0.560000] uart.1: ttySGK1 at MMIO 0xa001f000 (irq = 15) is a gk7101uart
[    0.570000] serial_gk7101_probe: succeed!
[    0.570000] serial_gk7101_probe: entry
[    0.570000] uart.2: ttySGK2 at MMIO 0xa001e000 (irq = 27) is a gk7101uart
[    0.580000] serial_gk7101_probe: succeed!
[    0.590000] brd: module loaded
[    0.590000] loop: module loaded
[    0.600000] adc initialized (10:11)
[    0.600000] slram: not enough parameters.
[    0.610000] speed_mod is 0
[    0.610000] support 4X mode read:0xe520f1ff
[    0.620000] gk7101_flash gk7101_flash.0: MX25L12845 (16384 Kbytes)
[    0.620000] 6 cmdlinepart partitions found on MTD device gk7101_flash
[    0.630000] Creating 6 MTD partitions on "gk7101_flash":
[    0.640000] 0x000000000000-0x000000040000 : "boot"
[    0.640000] 0x000000040000-0x000000050000 : "bootenv"
[    0.650000] 0x000000050000-0x0000002d0000 : "kernel"
[    0.660000] 0x0000002d0000-0x0000009d0000 : "rootfs"
[    0.660000] 0x0000009d0000-0x000000ad0000 : "rom"
[    0.670000] 0x000000ad0000-0x000001000000 : "APP"
[    0.680000] GKETH_init
[    0.680000] [GKETH_drv_probe] eth_base = 0xf200e000
[    0.690000] mii id = 0 
[    0.690000] ###### PHY Reset.1.0.2
[    0.810000] mdiobus_register: PHY[0] whose id 0x00000000 
[    0.810000] goke MII Bus: probed
[    0.820000] gk7101-eth gk7101-eth.0: MAC Address[3e:97:0e:22:e1:14].
[    0.830000] usbcore: registered new interface driver cdc_wdm
[    0.830000] usbcore: registered new interface driver libusual
[    0.840000] musb-hdrc: version 6.0, ?dma?, otg (peripheral+host)
[    0.850000] musb phy Begin initial sequence ...
[    1.090000] gk7101 musb init end...
[    1.100000] musb-hdrc: ConfigData=0x03 (UTMI-16, SoftConn)
[    1.100000] musb-hdrc: MHDRC RTL version 2.0 
[    1.100000] musb-hdrc musb-hdrc: MUSB HDRC host driver
[    1.100000] musb-hdrc musb-hdrc: new USB bus registered, assigned bus number 1
[    1.110000] vm : ffde0000, phy : c21a0000
[    1.110000] dma_buf alloc ok!
[    1.120000] hub 1-0:1.0: USB hub found
[    1.120000] hub 1-0:1.0: 1 port detected
[    1.130000] musb-hdrc musb-hdrc: USB Host mode controller at f0006000 using PIO, IRQ 26
[    1.140000] platform add gk7101 musb...
[    1.140000] mousedev: PS/2 mouse device common for all mice
[    1.150000] input: GKInput as /devices/virtual/input/input0
[    1.150000] evbug: Connected device: input0 (GKInput at gk7101/input0)
[    1.150000] Protocol NEC[0]
[    1.160000] ir request irq: 62 
[    1.160000] IR Host Controller probed!
[    1.170000] gk7101 rtc init...
[    1.170000] rtc base: 0xf2080000 
[    1.170000] os read tm: t=0 
[    1.180000] gk7101-rtc: dev (254:0)
[    1.180000] gk7101-rtc gk7101-rtc: rtc core: registered gk7101-rtc as rtc0
[    1.180000] i2c /dev entries driver
[    1.190000] gk7101_wdt: GK7101 Watchdog Timer, (c) 2014 Goke Microelectronics
[    1.200000] [gk7101_wdt_init]: init
[    1.200000] [gk7101_wdt_probe]: probe
[    1.200000] [gk7101_wdt_probe]: probe mapped wdt_base=f3006000
[    1.210000] watchdog inactive, reset disabled, irq disabled
[    1.220000] IPv4 over IPv4 tunneling driver
[    1.220000] gre: GRE over IPv4 demultiplexor driver
[    1.230000] ip_gre: GRE over IPv4 tunneling driver
[    1.240000] TCP: cubic registered
[    1.240000] Initializing XFRM netlink socket
[    1.250000] NET: Registered protocol family 10
[    1.250000] IPv6 over IPv4 tunneling driver
[    1.260000] NET: Registered protocol family 17
[    1.270000] NET: Registered protocol family 15
[    1.270000] lib80211: common routines for IEEE802.11 drivers
[    1.280000] lib80211_crypt: registered algorithm 'NULL'
[    1.280000] Registering the dns_resolver key type
[    1.280000] VFP support v0.3: implementor 41 architecture 1 part 20 variant b rev 5
[    1.290000] os read tm: t=0 
[    1.300000] gk7101-rtc gk7101-rtc: setting system clock to 1970-01-01 00:00:00 UTC (0)
[    1.310000] net eth0: ###### GKETH_start_hw
[    1.310000] net eth0: DMA Error: Check PHY.
[    1.320000] eth open error
[    1.320000] net eth0: ###### GKETH_phy_stop
[    1.320000] IP-Config: Failed to open eth0
[    1.330000] IP-Config: Device `eth0' not found
[    1.340000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[    1.350000] Freeing init memory: 128K
[    1.590000] usb 1-1: new high-speed USB device number 2 using musb-hdrc
[    6.430000] gk_vi_init
[    6.450000]  request_irq...24 ok-- video_sync
[    6.470000]  request_irq...59 ok-- video_frame_last_pixel
[    6.470000]  request_irq...61 ok-- video_frame
[    6.490000]  gk7101_is_valid_gpio_irq...
[    6.650000] crypto initialized (10:11)
Media driver version (gcc version 4.6.1 (crosstool-NG 1.18.0) (uClibc)) v1.1.2 #svn r8850 Wed Jul 6 17:44:23 CST 2016
[    6.860000] Init software HR timer for DSP communication
[    9.600000] rtusb init rt2870 --->
[    9.630000] 
[    9.630000] 
[    9.630000] === pAd = 82a82000, size = 1581168 ===
[    9.630000] 
[    9.650000] <-- RTMPAllocTxRxRingMemory, Status=0
[    9.650000] <-- RTMPAllocAdapterBlock, Status=0
[    9.670000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x8
[    9.670000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x4
[    9.690000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x5
[    9.690000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x6
[    9.710000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x7
[    9.710000] RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x9
[    9.720000] STA Driver version-JEDI.MP1.mt7601u.v1.5
[    9.730000] Compile time-Jul 26 2006,19:39:19
[    9.730000] ==>WaitForAsicReady MAC_CSR0=0x76010500
[    9.740000] ==>WaitForAsicReady MAC_CSR0=0x76010500
[    9.740000] NVM is EFUSE
[    9.750000] Endpoint(8) is for In-band Command
[    9.750000] Endpoint(4) is for WMM0 AC0
[    9.770000] Endpoint(5) is for WMM0 AC1
[    9.770000] Endpoint(6) is for WMM0 AC2
[    9.770000] Endpoint(7) is for WMM0 AC3
[    9.780000] Endpoint(9) is for WMM1 AC0
[    9.780000] Endpoint(84) is for Data-In
[    9.790000] Endpoint(85) is for Command Rsp
[    9.790000] 80211> RFICType = 3
[    9.800000] NumOfChan ===> 58
[    9.800000] 80211> Number of channel = 0x44
[    9.810000] 80211> Number of rate = 12
[    9.810000] 80211> CurTxPower = 0 dBm
[    9.820000] 80211> TxStream = 0
[    9.820000] crda> requlation requestion by core: 00
[    9.840000] 80211> CFG80211_Register
[    9.840000] MSC msc_proc_create: 82a82000
[    9.880000] usbcore: registered new interface driver rt2870
[   14.560000] sensor board reset...
[   14.940000] jxh42 sensor addr is 0x60, ID is 0xa042
[   14.980000] jxh42 sensor version is 0x81
[   15.000000] sensor board reset...
[   15.910000] net eth0: ###### GKETH_start_hw
[   15.910000] net eth0: DMA Error: Check PHY.
[   15.940000] eth open error
[   15.940000] net eth0: ###### GKETH_phy_stop
[   15.940000] ================> UP : RTMP_SEM_EVENT_WAIT(STA)
[   15.960000] 1. LDO_CTR0(6c) = a6478d, PMU_OCLEVEL 6
[   15.960000] 2. LDO_CTR0(6c) = a6478d, PMU_OCLEVEL 6
[   15.980000] ==>WaitForAsicReady MAC_CSR0=0x76010500
[   15.990000] RTMP_TimerListAdd: add timer obj 82baa764!
[   16.000000] RTMP_TimerListAdd: add timer obj 82baa794!
[   16.010000] RTMP_TimerListAdd: add timer obj 82baa7c4!
[   16.010000] RTMP_TimerListAdd: add timer obj 82baa734!
[   16.020000] RTMP_TimerListAdd: add timer obj 82baa6a4!
[   16.030000] RTMP_TimerListAdd: add timer obj 82baa6d4!
[   16.030000] RTMP_TimerListAdd: add timer obj 82b3ecdc!
[   16.040000] RTMP_TimerListAdd: add timer obj 82b2b5d0!
[   16.050000] RTMP_TimerListAdd: add timer obj 82b2b604!
[   16.050000] RTMP_TimerListAdd: add timer obj 82b3ed7c!
[   16.090000] RTMP_TimerListAdd: add timer obj 82b2df80!
[   16.090000] RTMP_TimerListAdd: add timer obj 82b2d7c0!
[   16.100000] RTMP_TimerListAdd: add timer obj 82b2df4c!
[   16.100000] RTMP_TimerListAdd: add timer obj 82b2e29c!
[   16.110000] RTMP_TimerListAdd: add timer obj 82b2dfb4!
[   16.120000] RTMP_TimerListAdd: add timer obj 82b2dfe8!
[   16.120000] RTMP_TimerListAdd: add timer obj 82b2e01c!
[   16.130000] RTMP_TimerListAdd: add timer obj 82a8640c!
[   16.140000] RTMP_TimerListAdd: add timer obj 82a85c4c!
[   16.140000] RTMP_TimerListAdd: add timer obj 82a863d8!
[   16.150000] RTMP_TimerListAdd: add timer obj 82a86728!
[   16.160000] RTMP_TimerListAdd: add timer obj 82a8665c!
[   16.160000] RTMP_TimerListAdd: add timer obj 82abd684!
[   16.170000] RTMP_TimerListAdd: add timer obj 82abcec4!
[   16.190000] RTMP_TimerListAdd: add timer obj 82abd650!
[   16.190000] RTMP_TimerListAdd: add timer obj 82abd9a0!
[   16.220000] RTMP_TimerListAdd: add timer obj 82abd6b8!
[   16.220000] RTMP_TimerListAdd: add timer obj 82abd6ec!
[   16.230000] RTMP_TimerListAdd: add timer obj 82abd720!
[   16.230000] RTMP_TimerListAdd: add timer obj 82b3ec7c!
[   16.240000] RTMP_TimerListAdd: add timer obj 82b3ed4c!
[   16.250000] RTMP_TimerListAdd: add timer obj 82c01d20!
[   16.250000] RTMP_TimerListAdd: add timer obj 82c01d50!
[   16.260000] RTMP_TimerListAdd: add timer obj 82c01d80!
[   16.270000] RTMP_TimerListAdd: add timer obj 82c01db0!
[   16.270000] RTMP_TimerListAdd: add timer obj 82c01de0!
[   16.280000] RTMP_TimerListAdd: add timer obj 82c01e14!
[   16.290000] RTMP_TimerListAdd: add timer obj 82baa704!
[   16.290000] RTMP_TimerListAdd: add timer obj 82b2a5ec!
[   16.300000] RTMP_TimerListAdd: add timer obj 82b2a5bc!
[   16.340000] RTMP_TimerListAdd: add timer obj 82b2a58c!
[   16.340000] RTMP_TimerListAdd: add timer obj 82b3ecac!
[   16.360000] P2pGroupTabInit .
[ 16.360000] P2pScanChannelDefault <=== count = 3, Channels are 1, 6,11 separately
[ 16.380000] P2pCfgInit:: [ 16.380000] ==>WaitForAsicReady MAC_CSR0=0x76010500 [ 17.040000] cfg_mode=9 [ 17.040000] cfg_mode=9 [ 17.070000] wmode_band_equal(): Band Equal! [ 17.070000] Key1Str is Invalid key length(0) or Type(0) [ 17.100000] Key2Str is Invalid key length(0) or Type(0) [ 17.100000] Key3Str is Invalid key length(0) or Type(0) [ 17.130000] Key4Str is Invalid key length(0) or Type(0) [ 17.130000] ###### Force at HT20 (BW_20) mode !!! ######## [ 17.190000] 1. Phy Mode = 14 [ 17.190000] 2. Phy Mode = 14 [ 17.190000] NVM is Efuse and its size =1d[1e0-1fc] [ 17.230000] ERROR!!! MT7601 E2PROM: WRONG VERSION 0xc, should be 9 [ 17.300000] 3. Phy Mode = 14 [ 17.300000] AntCfgInit: primary/secondary ant 0/1 [ 17.530000] ---> InitFrequencyCalibration [ 17.530000] InitFrequencyCalibrationMode:Unknow mode = 3 [ 17.550000] InitFrequencyCalibration: frequency offset in the EEPROM = 109(0x6d) [ 17.550000] <--- InitFrequencyCalibration [ 17.570000] RTMPSetPhyMode: channel is out of range, use first channel=1 [ 17.580000] MCS Set = ff 00 00 00 01 [ 17.610000] <==== STA : rt28xx_init, Status=0 [ 17.650000] 80211> re-init bands... [ 17.650000] 80211> RFICType = 1 [ 17.700000] NumOfChan ===> 14 [ 17.700000] 80211> Number of channel = 0x44 [ 17.700000] 80211> Number of rate = 12 [ 17.750000] 80211> CurTxPower = 0 dBm [ 17.750000] 80211> TxStream = 1 [ 17.760000] 0x1300 = 00064300 [ 17.760000] RTMPDrvOpen(1):Check if PDMA is idle! [ 17.800000] RTMPDrvOpen(2):Check if PDMA is idle! [ 17.800000] <================ UP : RTMP_SEM_EVENT_UP(STA) [ 21.590000] sensor board reset... [ 23.490000] ==>rt_ioctl_siwfreq::SIOCSIWFREQ(Channel=13) [ 23.590000] PeerBeaconAtJoinAction(): HT-CtrlChannel=13, CentralChannel=>13 [ 23.590000] PeerBeaconAtJoinAction(): Set CentralChannel=13 [ 23.680000] jxh42_set_video_mode errorCode = 00000000! [ 24.310000] win_height:0 win_width:0 [ 24.310000] win_height:0 win_width:0 [ 25.180000] RTMP_TimerListAdd: add timer obj 82bfa518! [ 25.200000] Rcv Wcid(1) AddBAReq [ 25.210000] Start Seq = 00000004 [ 25.220000] RTMP_TimerListAdd: add timer obj 82bfc528! [ 28.520000] wlan0: no IPv6 routers present [ 29.030000] RTMP_TimerListAdd: add timer obj 82bfa558! [ 43.720000] FrequencyCalibration:MT7601 receive OFDM beacon. [ 53.800000] FrequencyCalibration:MT7601 receive OFDM beacon.

mount

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/ram0 on /mnt/ramdisk type tmpfs (rw,relatime)
/dev/ram0 on /etc type tmpfs (rw,relatime)
/dev/ram0 on /tmp type tmpfs (rw,relatime)
/dev/mtdblock4 on /rom type jffs2 (rw,relatime)
/dev/mtdblock5 on /npc type jffs2 (rw,relatime)

# cat /proc/cpuinfo
Processor       : ARMv6-compatible processor rev 7 (v6l)
BogoMIPS        : 597.60
Features        : swp half fastmult vfp edsp java tls 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xb76
CPU revision    : 7

Hardware        : Goke GK7102 RB_JXH42 board V2.00
Revision        : 0000
Serial          : 0000000000000000

# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00010000 00010000 "bootenv"
mtd2: 00280000 00010000 "kernel"
mtd3: 00700000 00010000 "rootfs"
mtd4: 00100000 00010000 "rom"
mtd5: 00530000 00010000 "APP"

Cheap Chinese camera teardown

Specifications

It does however, have som decent specifications

  • 1280x720p h.264 video over RTSP
  • 802.11bgn single chain wireless
  • Microphone & speaker
  • microSD/TF slot
  • Some ONVIF compatibility
  • Solenoid IR-cut filter for night/day-vision
  • Infrared LEDs for night

Hardware

The SoC is quite a beast.

Then there is some OP-amps for speaker/microphone and voltage regulation.

Software

This is were the total meltdown is, as usual. The camera is discovered and controlled by an obscure unknown UDP protocol of some kind. It has to register to a Chinese cloud service called Cloudlinks then you have to use a very dodgy Android/iOS application called Yoosee to manage the registered devices. The Yoosee app is also used to configure the WiFi via a quite innovative "transmit by sound" technique.

The authentication also doesn't make sense and is probably very insecure.

Fortunately, it's accessible via RTSP with the URL rtsp://camera-ip:554/onvif1. And it will work fine without Internet-access. It also has a ONVIF SOAP interface on TCP port 5000, but it's quite unusable.

Reverse engineering

The real software author of the camera seems to be GWellTimes and the software product seems to be is named NPC, and the actual product might be this one.

The camera tries to contact the following servers on UDP/51700 or UDP/51880, then it uses more random UDP ports. It actually looks like some kind of tunnel. After I configured mine, I firewalled it for internet-access.

60.205.107.59       (Aliyun Computing Co., LTD)
104.250.144.74      (GorillaServers, Inc. (GORIL-3))
85.195.88.14        (Jeff King, jeff9023@gmail.com)
220.231.142.84      (Shenzhen Runxun Data Communication Co. Ltd.)
114.67.48.145       (Vcloud, Beijing Internet Harbor Technology Co.,Ltd)
183.202.215.187     (China Mobile Communications Corporation?)

It also tried to check for updated on some servers

http://upg.cloudlinks.cn/upg/22/00/latestversion.asp?ID=XXXXXX&MAC=XXXXXX&SEID=XXXXXXX&MVS=22.00.00.10&SubType=0

If it gets a response that there is a higher software available, it fetches it

http://upg.cloudlinks.cn/upg/22/00/npcupg_22.00.00.14.bin

The file it downloads seems to be some kind of firmware at first, consisting of a JFFS2 filesystem and a binary ending

$ binwalk npcupg_22.00.00.14.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
32            0x20            JFFS2 filesystem, little endian
3054100       0x2E9A14        ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

If we unpack the JFFS2 filesystem, we can see that it's only a form av upgrade package, since it lacks kernel and a ordinary linux root filesystem. Probably it's only targeted to a flash partition for OEM customization. It seems to support various camera sensors. The config/*.xml contains video encoding settings.

Main application seems to be npc (4M), and gwellipc (997K) for more basic functions.

└── fs_1
    ├── boot.sh
    ├── config
    │   ├── image_ar0130.xml
    │   ├── image_h42.xml
    │   ├── image_sc1135.xml
    │   ├── image_sc2135.xml
    │   ├── video_ar0130.xml
    │   ├── video_h42.xml
    │   ├── video_sc1135_bak.xml
    │   ├── video_sc1135.xml
    │   └── video_sc2135.xml
    ├── config-鱼眼-20161124.rar
    ├── dhcp.script
    ├── gwellipc
    ├── language
    │   ├── cf
    │   │   └── PushMesg.txt
    │   ├── ch
    │   │   └── PushMesg.txt
    │   └── en
    │       └── PushMesg.txt
    ├── minihttpd.conf
    ├── npc
    ├── patch
    │   ├── ar0130.ko
    │   ├── dsa.ko
    │   ├── gpioi2c1.ko
    │   ├── gpioi2c.ko
    │   ├── hi_gpio.ko
    │   ├── jxh42.ko
    │   ├── motor_drv.ko
    │   ├── sc1035.ko
    │   ├── sc1135.ko
    │   ├── sc1145.ko
    │   └── sc2135.ko
    ├── readme.txt
    ├── sensors
    │   ├── ar0130.bin
    │   ├── jxh42.bin
    │   ├── sc1035.bin
    │   ├── sc1135.bin
    │   ├── sc1145.bin
    │   └── sc2135.bin
    ├── sound
    │   ├── alarm_1.amr
    │   ├── alarm_2.amr
    │   ├── alarm_3.amr
    │   ├── alarm_4.amr
    │   ├── alarm_5.amr
    │   ├── alarm_6.amr
    │   ├── alarm.amr
    │   ├── beingcalled.amr
    │   ├── calling.amr
    │   ├── ch
    │   │   ├── wifi_ap_mode.amr
    │   │   └── wifi_sta_mode.amr
    │   ├── clear.amr
    │   ├── di.amr
    │   ├── DoorBell.amr
    │   ├── en
    │   │   ├── wifi_ap_mode1.amr
    │   │   ├── wifi_ap_mode.amr
    │   │   ├── wifi_sta_mode1.amr
    │   │   └── wifi_sta_mode.amr
    │   ├── key_press.amr
    │   ├── numbers_ch
    │   │   ├── 0.amr
    │   │   ├── 1.amr
    │   │   ├── 2.amr
    │   │   ├── 3.amr
    │   │   ├── 4.amr
    │   │   ├── 5.amr
    │   │   ├── 6.amr
    │   │   ├── 7.amr
    │   │   ├── 8.amr
    │   │   └── 9.amr
    │   ├── Reset_ch.amr
    │   ├── Reset_en.amr
    │   ├── set.amr
    │   ├── set_fail.amr
    │   ├── set_ok.amr
    │   ├── Unlock.amr
    │   ├── WifiLink_ch
    │   │   ├── LinkFail_again_ch.amr
    │   │   ├── Linking_ch.amr
    │   │   ├── LinkOk_ch.amr
    │   │   └── WaitLink_ch.amr
    │   └── WifiLink_en
    │       ├── LinkFail_again_en.amr
    │       ├── Linking_en.amr
    │       ├── LinkOk_en.amr
    │       └── WaitLink_en.amr
    ├── upgfile_ok
    └── version.txt

14 directories, 81 files

The strings of the binary data at 0x2E9A14 also reveals some interesting lines.

$ strings endbinarydata.bin 
/mnt/disc1/flash_erase
/patch/bin/flash_erase
/mnt/disc1/flashcp
/patch/bin/flashcp
/dev/mtd5
reboot -f

Probably a upgrade program in some way, that writes the JFFS2 to to mtd5 partition maybe?

Drawbacks

  • Initial configuration needs to be done via Yoosee app, and needs online cloud registration to activate.
  • No simple web interface, only configurable by app or Windows "CMS" software
  • Video only, no JPEG stills
  • Video bitrate/quality is not possible to configure, usually about ~1-2Mbps.
  • Doesn't care about NTP options via DHCP - seems to sync tome via UDP cloud tunnel.
  • No complete firmware files available anywhere

I will in time try to get root access to the device, and see if i can change the video encoding bitrate and if it's possible to output (M)JPEG via the built in web server.

IPsec VPN - RouterOS and FreeBSD

FreeBSD suggests using Racoon as the IKE daemon, and I buy that recommendation since RouterOS also uses racoon internally (hint: look at the ipsec,debug)

But this "simple"-tunnel method of RouterOS it a bit tricky to replicate on a default racoon setup. In this example I will use a IP-in-IP tunnel (also called ipencap) and has IP Protocol 4 (IP/4), but using a GRE (IP/47) should also be fine.

  • Route-based tunnel - not Proxy/Policy-based
  • Using IP-in-IP tunnel type ("ipencap" / IP Protocol 4)
  • Site A tunnel endpoint - 192.168.254.1/32
  • Site A local network - 192.168.1.0/24
  • Site B tunnel endpoint - 192.168.254.2/32
  • Site B local network - 192.168.2.0/24

SITE_A_IP and SITE_B_IP is the corresponding public IP-addresses. This howto doesn't cover any required firewall openings.

This is what I found out and works.

Site A - RouterOS

1. Setup tunnel interface on RouterOS, and setup a linknet

/interface ipip
add name=tun1 ipsec-secret=XXXXXXXXXX local-address=SITE_A_IP remote-address=SITE_B_IP
/ip address
add address=192.168.254.1/30 interface=tun1
/ip route
add dst-address=192.168.2.0/24 gateway=192.168.254.2

You're done on RouterOS.

Site B - FreeBSD

1. Setup tunnel interface and services on your FreeBSD (or similar system)

/etc/rc.conf:

cloned_interfaces="gif0"
ifconfig_gif0="inet 192.168.254.2 192.168.254.1 netmask 255.255.255.255 tunnel SITE_B_IP SITE_A_IP"
racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"

gateway_enable="YES"
static_routes="net1"
route_net1="-net 192.168.1.0/24 192.168.250.1"

2. Configuration for racoon. Please note the "address SITE_B_IP 4 address SITE_A_IP 4" where the 4 is for ipencap (IP/4) tunnel packets.

/usr/local/etc/racoon/racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log notify;

listen {
    isakmp          SITE_B_IP [500];
}

remote SITE_A_IP [500] {
    exchange_mode       main;
    proposal_check      obey;

    # phase 1
    proposal {
        encryption_algorithm    aes 128;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        lifetime time           3600 secs;
        dh_group                2;
    }
}

# phase 2
sainfo (address SITE_B_IP 4 address SITE_A_IP 4) {
    pfs_group                       2;
    lifetime                        time 3600 sec;
    encryption_algorithm            aes 128;
    authentication_algorithm        hmac_sha256, hmac_sha1;
    compression_algorithm           deflate;
}

3. This one is tricky, the IPsec kernel policy configuration. This tells the kernel IP-stack - that traffic from SITE_B_IP to (out) SITE_A_IP that is of type ipencap (IP/4) shall be of encrypted with IPsec transport type ESP. The next line is for the opposite direction.

/usr/local/etc/racoon/setkey.conf:

flush;
spdflush;
spdadd SITE_B_IP SITE_A_IP ipencap -P out ipsec esp/transport/SITE_B_IP-SITE_A_IP/require;
spdadd SITE_A_IP SITE_B_IP ipencap -P in ipsec esp/transport/SITE_A_IP-SITE_B_IP/require;

4. And of course the shared secret.

/usr/local/etc/racoon/psk.txt:

SITE_A_IP    XXXXXXXX

Then of course restart services or do a full reboot.

I prefer route-based tunnels since they work almost like a physical link, and you can use traceroute and standard tools. Your routes decide whats reachable. Policy based tunnels are a bit magic and bypasses standard routing, and I find them hard to troubleshoot.

The theory of operation here is that the tunnel itself gets encrypted, not the specific packets going trough it.

  1. Packet arrives at Site A router. Router makes route lookup and the decision to forward packet to tunnel inteface.
  2. Tunnel encapsulates packet.
  3. Packet then matches Source, Destination and Protocol number defined in IPsec kernel policy (setkey.conf), witch applies the transport encryption.
  4. Encrypted payload leaves router

ifconfig gif0 should display:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    options=80000<LINKSTATE>
    tunnel inet SITE_B_IP --> SITE_A_IP
    inet 192.168.254.2 --> 192.168.254.1  netmask 0xffffffff 
    inet6 fe80::a3d9:9ef1:721c:a309%gif0 prefixlen 64 scopeid 0x4 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: gif

A tcpdump should show the something like:

19:04:14.700751 IP SITE_A_IP > SITE_B_IP: ESP(spi=0x06b57eb9,seq=0x12), length 136
19:04:15.706837 IP SITE_B_IP > SITE_A_IP: ESP(spi=0x02a7da91,seq=0x10), length 136
19:04:15.707011 IP SITE_A_IP > SITE_B_IP: ESP(spi=0x06b57eb9,seq=0x13), length 136
19:04:16.715800 IP SITE_B_IP > SITE_A_IP: ESP(spi=0x02a7da91,seq=0x11), length 136

Good luck!