I bought an IP Camera (to use inside a product we are developing) similar to this one:
http://www.alibaba.com/product-detail/H-264-960H-the-smallest-38x38mm_1389016530.html
Unfortunately it arrived with no documentation. I even had to figure out the IP address myself, but that was not a big issue because IP cameras normally use the 192.168.1.x range.
Using the ping command it was easy to figure out it was at the address 192.168.1.168.
Now let me see which ports are open:
```
$ sudo nmap -sS -P0 192.168.1.168

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 20:47 EST
Nmap scan report for 192.168.1.168
Host is up (0.099s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
3001/tcp open  nessus
8080/tcp open  http-proxy
MAC Address: 00:A7:21:63:A7:7F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds
```
Wow, the telnet port is open, let's try it:
```
$ telnet 192.168.1.168
Trying 192.168.1.168...
Connected to 192.168.1.168.
Escape character is '^]'.
A320D login: root
Welcome!Baby!
[~]#
```
CRAZY!!! It allows me to log in as root with no password and printed a funny “Welcome!Baby!” message!
Well, it is funny to me, but for people using these cameras connected to the Internet to protect their property it is very dangerous.
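An added example, not part of the original post: a small Python audit of an Nmap report like the one above, usable on scans of your own camera inventory. It flags cleartext login services such as telnet, and marks every other open port as unverified when the scan ran without version detection (`-sV`), because the service name is then only a port-table lookup; the boot log further down shows the camera's own `CmdSvr` on port 3001, not Nessus. The `CLEARTEXT_LOGIN` policy set and the function names are assumptions of this example.

```python
import re

# Scan report from the post, reflowed one entry per line (sample input).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.168
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
3001/tcp open  nessus
8080/tcp open  http-proxy
"""

# Assumed policy for this example: cleartext login services that should
# never be reachable on a deployed camera.
CLEARTEXT_LOGIN = {"telnet", "ftp", "rlogin", "rsh"}

HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?([^\s()]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_report(text):
    """Return {host: {"versioned": bool, "ports": [(port, state, service)]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m.group(1), {"versioned": False, "ports": []})
        elif current is None:
            continue
        elif line.startswith("PORT"):
            # A VERSION column only appears when version detection (-sV) ran.
            current["versioned"] = "VERSION" in line.split()
        elif m := PORT_RE.match(line):
            current["ports"].append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts

def audit(text):
    """Return (host, port, severity, reason) for every open port worth a look."""
    findings = []
    for host, info in parse_report(text).items():
        for port, state, service in info["ports"]:
            if state != "open":
                continue
            if service in CLEARTEXT_LOGIN:
                findings.append((host, port, "high", f"{service}: cleartext login service"))
            elif not info["versioned"]:
                # Without -sV the name is a port-table lookup, not an identification.
                findings.append((host, port, "verify", f"'{service}' is only a port-number guess"))
    return findings
```

Calling `audit(SAMPLE_REPORT)` returns one `high` finding for port 23 and `verify` findings for ports 80, 3001 and 8080.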
UPDATE: More info about the camera hw/processor:
```
[~]#cat /proc/cpuinfo
Processor       : FA626TE rev 1 (v5l)
BogoMIPS        : 532.48
Features        : swp half thumb
CPU implementer : 0x66
CPU architecture: 5TE
CPU variant     : 0x0
CPU part        : 0x626
CPU revision    : 1
Hardware        : Faraday GM8126
Revision        : 0000
Serial          : 0000000000000000
```
UPDATE 2: I didn’t find a serial connector on the board, so I searched the datasheet and discovered that UART1 RX is pin 87 and TX is pin 88. Then I connected a small wire from my USB/serial dongle to pins 87 and 88, and after testing many serial configurations I discovered that they are using an unusual baud rate, 38400 8n1, and finally got the boot log:
```
MP SPI-NOR Bootstrap v0.2
Boot image offset: 0x10000. Booting Image ..... 0567Will set the following freq...
PLL1: 800 MHz, PLL2: 540 MHz, CPU freq: 540 MHz, AHB freq: 270 MHz, DDR freq: 8z go...
*********************************************
Please input Space to run Linux
Please input ESC to run UBOOT
Please input . to run burn-in
Otherwise, system will run Linux after 5 sec
*********************************************
Load image from SPI-NOR offset 0x80000 to sdram 0x4000000
Jump 0x4000000
Uncompressing Linux.............................................................
Linux version 2.6.28 (root@localhost.localdomain) (gcc version 4.4.0 (Faraday C3
CPU: FA626TE [66056261] revision 1 (ARMv5TE), cr=0000797f
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Machine: Faraday GM8126
Warning: bad configuration page, trying to continue
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
Kernel command line: mem=128M console=uart,shift,2,io,0xF9830000,38400
Early serial console at I/O port 0xf9830000 (options '38400', shift 2)
console [uart0] enabled
PID hash table entries: 512 (order: 9, 2048 bytes)
IC: GM8128 MP
GM Clock: CPU = 540 MHz, AHBCLK = 270 MHz, PLL1CLK = 800 MHz, PLL2CLK = 540 MHz
console handover: boot [uart0] -> real [ttyS0]
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 118528KB available (3697K code, 187K data, 7316K init)
Calibrating delay loop... 532.48 BogoMIPS (lpj=266240)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
net_namespace: 424 bytes
Fmem: node 0 is online, alloc pages = 20480(active pages = 32768)
high_memory:0xc8000000, VM Start:0xc8800000, End:0xe0000000
NET: Registered protocol family 16
PMU: Mapped at 0xf9900000
pmu_get_cpu_clk:221
Attach GM AHB-DMA Driver
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switched to NOHz mode on CPU #0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
Video Timer(timer3) Max 31000ms in 0xf9720840 HZ.
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 231
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
probe ftgpio010.0 OK!!, at c8858000
probe ftgpio010.1 OK!!, at c885c000
probe ftgpio010.2 OK!!, at c8860000
Serial: 8250/16550 driver 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xf9830000 (irq = 9) is a 16550A
serial8250: ttyS1 at I/O 0xf9840000 (irq = 10) is a 16550A
serial8250: ttyS2 at I/O 0xf9850000 (irq = 20) is a 16550A
serial8250: ttyS3 at I/O 0xf9880000 (irq = 21) is a 16550A
brd: module loaded
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
rtl8150: v0.6.2 (2004/08/27):rtl8150 based usb-ethernet driver
usbcore: registered new interface driver rtl8150
usbcore: registered new interface driver asix
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver net1080
usbcore: registered new interface driver cdc_subset
usbcore: registered new interface driver zaurus
Linux video capture interface: v2.00
Driver 'sd' needs updating - please use bus_type methods
Driver 'sr' needs updating - please use bus_type methods
Creating 6 MTD partitions on "wb_spi_flash":
0x00080000-0x00eff000 : "Linux Section"
0x00f00000-0x01000000 : "User Section"
0x00001000-0x00010000 : "Loader Section"
0x00010000-0x00060000 : "BurnIn Section"
0x00060000-0x0007e000 : "UBoot Section"
0x0007e000-0x00080000 : "CFG Section"
Probe FTSSP010 SPI Controller at 0x98200000 (irq 6)
usbmon: debugfs is not available
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
AMBA bus_register ok
Enter Device A
temp = 340
Drive Vbus because of ID pin shows Device A
otg2xx device_register ok
AMBA_bus_match(...) Found Driver FOTG2XX_DRV
AMBA_bus_match(...) Found Driver FOTG2XX_DRV
FOTG2XX_DRV fotg2xx_dev: GM USB2.0 Host Controller
FOTG2XX_DRV fotg2xx_dev: new USB bus registered, assigned bus number 1
FOTG2XX_DRV fotg2xx_dev: irq 4, io mem 0xf9220000
FOTG2XX_DRV fotg2xx_dev: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
FOTG200 Controller Initialization
fotg200 int enable = 1f30
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
ftiic010 ftiic010.0: irq 18, mapped at c886c000
usbcore: registered new interface driver usbhid
usbhid: v2.6:USB HID core driver
Advanced Linux Sound Architecture Driver Version 1.0.18rc3.
ALSA device list:
  No soundcards found.
TCP cubic registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
Freeing init memory: 7316K
***************************************
Busybox starts to run
***************************************
Mounting root fs rw ...
Mounting other filesystems ...
Setting hostname ...
Mounting user's MTD partion
FTMAC with FARADAY Internal PHY support
Has JFFS2 on mtdblock1FTMAC110 Driver (Linux 2.6) 01/10/11 - (C) 2011 GM Corp.
reset Faraday Internal PHY.
mmc0: SDHCI controller on [ftsdc010] using DMA
ftrtc011 ftrtc011: rtc core: registered ftrtc011 as rtc0
Frammap: 1536 pages in DDR0 are freed.
Frammap: DDR0: memory base=0x1800000, memory size=0x4a00000, alignment=256K
Frammap: version 0.28.3, 1 DDR is managed.
VideoGraph v0.44
You may use #echo 11 > /proc/videograph/dbg to enable debug mode (0xbf05050c)
Debug message at 0xc88fc000 start pointer 0xbf0705f0 size 0x124f80
Insert dvr_common driver done.
Platform GM812600
enc_in0=(buf: 4177920,6,0)
enc_in0_d=(buf: 4177920,6,1)
enc_out0=(res: 1920,1088)
enc_out0=(buf: 1775616,4,0)
ssenc_out0=(buf: 1775616,1,0)
sub1_enc_out0=(res: 1920,1088)
sub1_enc_out0=(buf: 1775616,3,0)
sub2_enc_out0=(res: 1920,1088)
sub2_enc_out0=(buf: 1775616,3,0)
enc_in1=(buf: 614400,4,0)
enc_in1_d=(buf: 614400,4,1)
enc_out1=(res: 640,480)
enc_out1=(buf: 261120,4,0)
scl0_out1=(res: 320,240)
scl0_out1=(buf: 153600,2,0)
scl1_out1=(res: 160,112)
scl1_out1=(buf: 35840,2,0)
ssenc_out1=(buf: 261120,1,0)
sub1_enc_out1=(res: 640,480)
sub1_enc_out1=(buf: 261120,3,0)
sub2_enc_out1=(res: 640,480)
sub2_enc_out1=(buf: 261120,3,0)
enc_in2=(buf: 153600,4,0)
enc_in2_d=(buf: 153600,4,1)
enc_out2=(res: 320,240)
enc_out2=(buf: 65280,4,0)
ssenc_out2=(buf: 65280,1,0)
sub1_enc_out2=(res: 320,240)
sub1_enc_out2=(buf: 65280,3,0)
sub2_enc_out2=(res: 320,240)
sub2_enc_out2=(buf: 65280,3,0)
enc_in3=(buf: 35840,4,0)
enc_in3_d=(buf: 35840,4,1)
enc_out3=(res: 160,112)
enc_out3=(buf: 15232,4,0)
ssenc_out3=(buf: 15232,1,0)
sub1_enc_out3=(res: 160,112)
sub1_enc_out3=(buf: 15232,3,0)
sub2_enc_out3=(res: 160,112)
sub2_enc_out3=(buf: 15232,3,0)
ISP v3.06, built @ Mar 8 2013 16:32:20
set cmos clk out 27000000 Hz
sen_ar0331(init): sensor v:8192
pclk(74250000) XCLK(27000000)
t_row=2963 pclk=74250000
fcap: V0.3.13
vcap_dev: [0]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0 LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1
fcap: [0]: Link List mode!
fcap: fosd00: minor=56
fcap: fosd02: minor=55
fcap: fosd01: minor=54
fcap: fosd03: minor=53
vcap_dev: [1]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0 LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1
fcap: [1]: Link List mode!
fcap: fosd10: minor=52
fcap: fosd12: minor=51
fcap: fosd11: minor=50
fcap: fosd13: minor=49
load CFG: /mnt/mtd/isp_ar0331.cfg
glare_enable(0), entry_S1base_ev(1723), glare_th(150)
pclk(74250000) XCLK(27000000)
t_row=2963 pclk=74250000
SCL: Version, v1.17
SCL: div:4
FAVC Encoder IRQ mode(29)v4.2.1
FAVC codec Max Resolution is 1920x1072, built @ Apr 24 2013 15:37:02
FTDI210 registers 32 entities to video graph!
FTDI210 Driver v1.4 (1 engine(s))
ft-32ssp: common[ver:0.3.4] INIT OK!
card->cardno = 2
card->pbase = 98a00000
card->vbase = c8bfe000
card->irq = 11
my_card->capture.dma_ch = 4
my_card->playback.dma_ch = 5
ft-32ssp: SoundCard(2) attached OK (c65561d0)
I2S probe ok in Slave mode.
Init SAR ADC done.
register sar adc device (0) OK!!
Please: mknod /dev/th_gpio c 222 0
crwth_gpio init() ok!
-rw---- 1 root root 254, 0 Jan 1 00:00 /dev/rtc0
***************************************
Please: mknod /dev/th_key c 223 0
th_key init() ok!
IP camera starts to run
***************************************
mount: mounting /dev/mmcblk0p1 on /sd/ failed: No such file or directory
****************************************************
NVS & DVS & IPCAM
SoftVersion : V24.13292.01.71
FileVersion : 2013.10.28
****************************************************
1970-01-01 00:00:04
SDTimeJudError1 = 1
killall: rtsp: no process killed
sh: /app/rtsp: not found
connect_to_server fd:0
Y--ExistWiFi 0
NotExistAudio 0
NotExistIO 0
NotExistRS485 0
fcap: [0]:OSD P0 default fonts num=42
ispfcap: [0]:OSD P1 default fonts num=42
_set_init() OK!
Init H264 rate control version: fix 0.95
SigPlatform 8126 version 81262210
nafcap: [0]:IN=ISP l RecvEvent! SenseSignalID:64
TApp::TApp()
Init TDiskMgr
Init (UDP) Talk in IP:239.255.255.250 Port:3001
Init CtrlPTZ BPS 2400 DataBit 8 ParityCheck 0 StopBit 0
InitPTZ() OK!
(dataout_0) Timeout to wait AP buffer get, skip! (0x952d,0x973f flow 528)
##### Transfer Group 0 Done,746ms!
fcap_lli(dev_handle_irq): [0]:P1 miss frame done!(frame_cnt=0x00000018,mach_sta)
Init (TCP) CmdSvr in LocalPort:3001
Init (UDP) uPnP in IP:239.255.255.250 Port:1900
1970-01-01 00:00:05
open /dev/fosd00
open device:/dev/fosd00 successfully!
open /dev/fosd01
open device:/dev/fosd01 successfully!
input_mode = 1
fcap_lli(do_Reset_workqueue): [0]:Do reset after 1964 ms.(2000 ms)
killall: onvif_gm: no process killed
arg is error
##### Transfer Group 1 Done,4136ms!
/bin/sh: can't access tty; job control turned off
/ # Connect 19 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60720
main gCNetName:eth0!!!!
Connect 20 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60721
Connect 21 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60722
ForceKeyFrame[0] == true
ForceKeyFrame_sub[0] == true
```
Very interesting! I think that I need to do some more exhaustive probing on my existing IP-Cameras.
Hi celem,
I’m sure you will find out interesting things about your cameras.
These “IoT” devices are small and unsafe computers connected to the Internet! They are very dangerous because hackers could access them and run malicious programs inside them!