Monday, 16 July 2012

Fun with the Vstarcam IP camera

Recently, I got myself a VStarCam IP camera, model H6837WI, relatively cheap for what you get - a H264 capable, wireless/wired IP camera with two way audio, SD card recording and few other nice features.

The software provided with the camera is Windows only, which is a system I don't use very often at home ;) ...so I started with exploring the camera's web interface, by default run on port 81. It turned out that the quicktime plugin didn't seem to work in any browser and other than getting the direct H264 stream, this was the only way to get live video feed without the proprietary software.

Nothing about getting the H264 stream directly in the docs. Duh. :(

A bit frustrated, I run wireshark just to get an idea of what the camera is 'doing' when left idle. Hmmm...DNS requests to user.gocam.so? Looks like part of the default DDNS settings, which according to the documentation, let you use the vstarcam provided service to access your IP camera remotely using an external server...Call me paranoid, but that's definitely not something I would be happy with! By the way, urls found by google pointing to the vstarcam forum, redirect to piopo.25u.com, which is rather suspicious (did someone forgot to update their server software? oops). According to Virustotal, Sophos flags this domain as malicious, although it doesn't currently resolve to any IP... None of this made me anymore comfortable about using the default (or any) DDNS service and the security of it... Made a mental note to disable the DDNS and verify that the camera is not doing anything silly later on.

Right, all of this was a bit disappointing...but apart from traffic sniffing, there's one more thing you need to do with every device you connect to your network - port scan it of course! ;] So here we go, in the most simple way...

# nmap 192.168.1.126

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-16 16:36 BST
Nmap scan report for 192.168.1.126
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
81/tcp open hosts2-ns
554/tcp open rtsp
MAC Address: 00:E0:4C:AA:BB:CC (Realtek Semiconductor)

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds

Telnet! Getting interesting...Ok, the web UI default credentials are...'admin' and no password ;] Let's see...

$ telnet 192.168.1.126
Trying 192.168.1.126...
Connected to 192.168.1.126.
Escape character is '^]'.

(none) login: admin
Password:
Login incorrect

Nah! How about root?

(none) login: root
warning: cannot change to home directory
/ #

Voila! Got shell and it's password free! ;] Let's do some exploring here...

/ # id
uid=0(root) gid=0(root)
/ # free
total used free shared buffers
Mem: 17344 15720 1624 0 2724
Swap: 0 0 0
Total: 17344 15720 1624
/ # uname -a
Linux (none) 2.6.24ssl #197 PREEMPT Thu Sep 22 14:07:30 CST 2011 armv5tejl unknown

Not the most recent kernel I'd say... ;) running on armv5, (not MIPS?)

/ # cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 119.60
Features : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 8192
I assoc : 4
I line length : 32
I sets : 64
D size : 8192
D assoc : 4
D line length : 32
D sets : 64

Hardware : object h264 ipcam
Revision : 0000
Serial : 0000000000000000

Not the most capable hardware, but hey... ;)

Either way, I have to admit that being able to get a proper shell on your cheap IP camera is pretty cool :) (Still, no toaster yet ;)). There's quite a lot of interesting stuff there, for a geek of course (yes, including the /etc/shadow file of course, but I won't spoil the fun ;)). My camera even came with a snapshot picture taken in what looks like a warehouse...

A definite bonus is the fact that the web UI is located in /mnt/www so you can poke around and adjust few bits here and there ;) You can actually grab the update file from the vendor website which contains most of the filesystem anyway and have a look around that way, too... :)

There's also a service running on port 6801/udp and I have no idea what's it for, and the netstat doesn't reveal associated binary name:

# netstat -tualn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.126:23 192.168.1.20:51680 ESTABLISHED
udp 0 0 0.0.0.0:6801 0.0.0.0:*


Speaking about binaries - by the looks of things, the toolchain used for the camera is rather ancient - glibc 2.3.6 and gcc 3.4.6. One could still cross compile that and thanks to the ftp client provided on the camera (didn't I say it's hackers friendly? ;)), or using the 'update' method, put and run their own binaries on the camera...;] BTW, the wireless adapter is Ralink 3070 which in theory should run aircrack-ng just fine... ;]

Another discovery - the vendor provided Windows software communicates with the camera via the camera webserver and binary cgi files using some sort of a binary protocol...I was looking at the netzob tool not long ago, and maybe I've just found some good opportunity to play with it...Rewriting a simple client in Python would be cool, as well as a remote code execution via the cgi ;). Did I mention that the IE interface uses ActiveX component?

All in all, one must admit - the H6837WI is a hacker friendly camera! ;] I still need to get the H264 streaming to work at some point though...after all that was the main reason why I got the camera in the first place...:)

Happy hacking! :)

15 comments:

  1. You think the VistaCam is hackable, you should check out the Foscam FI8918Ws. They are an older cam but are general sub $80 now and are extremely hack friendly.

    Check out openipcam.com sometime. They have a lot of info (And a wiki) on custom cam firmware, cam webUIs, etc.

    ReplyDelete
    Replies
    1. Thanks for the useful info :)
      Cheers,
      radegand

      Delete
  2. Nice post!

    Now I'm convinced to get this camera.

    I found it at DX.com by $74:
    http://dx.com/p/vstarcam-h6837wi-300kp-cmos-cctv-surveillance-security-camera-w-wi-fi-tf-white-156310?item=15

    ReplyDelete
  3. hey!!
    checked out the H6837WI, too and got it yesterday.
    today i hooked it up and configured via web interface.
    after some basics i changed the useraccount for webinterface - changed name and pwd of the user..
    after that the cam rebootet and BAM - no more login possible.
    the new accountname/pwd seems to be not accepted but the admin account was overwritten.
    so it resulted in - i can not log on to web-interface anymore.

    i also figured out that telnet works with root and no pwd.

    anyone an idea how to reset an account for the web-interface via telnet or somehow else???
    PLEASE HELP!

    ReplyDelete
    Replies
    1. Hey,
      don't more as 7 Characters
      greetz

      Delete
  4. Hi.

    I have the same camera and having several problems. Let me show you and please, tell me what you think. Thanks in advance from Spain.

    1.- Every night, the camera loses connection from the configured network. (My network, router, internet connection and wifi is trusted and secure)
    2.- Most of the times, when I perform a system reboot or I unplug the power adapter to change the place of the camera, it doesnt connect back to the previously configured wifi network. This is making impossible to operate remotely and is very inconvenient.
    3.- The camera log shows information that doesnt match with real events, like fake users connected with fake IPs. (My network, router, internet connection and wifi is trusted and secure)
    4.- PTZ fails. When I click and release an arrow key, the camera keeps moving to end of the axis. For example: If I press right arrow key to move the camera a bit to the right, the camera really moves to the end of right position. Same problem for all directions: up, down, left and right.
    5.- PTZ presets fails at starting. When I configure the camera to turn to the specified preset when starting, the camera goes to a wrong position after starting.

    Vstarcam is trying to helping me but... still nothing.

    Regards!

    ReplyDelete
  5. Great post,

    What is your firmware version?

    I bought this camera, but it firmware version doesn't have telnet :-/

    Thank you!

    ReplyDelete
  6. Hi Guy,

    I found the Linux kernel source code for the processor used on this camera and I managed to get it working inside it:

    https://acassis.wordpress.com/category/ipcam

    I'm planning to create a distro for IP Camera, similar to OpenWRT for routers. Unfortunately openipcam.com has a different purpose.

    Best Regards,

    Alan

    ReplyDelete
    Replies
    1. Great stuff! Thanks for the info, Your posts are very informative.

      An open distro for the camera would definitely be nice...

      Cheers,
      radegand

      Delete
  7. Hi Guys
    Definately not a geek so bear with me please.
    I have just bought a vstar webcam and at the price very impressed but that's where the romance ends. I cannot seem to get any help from the reseller or Vstar. They simply don't respond.

    I need to get the picture on my website and because we have a fixed Ip address and already have a mobotix camera. I am told we need the port number and that 81 is not it.
    Now the techie bit can someone tell me how to find it?

    Second problem is that at my house the image just comes up and then times out after 60 seconds. On I phones and at other people's computers it is fine. It says "Relay mode counting down" Cannot find any reference to this in the very scant information with the camera or online anywhere. I can only suspect the router as by moving the same computer to another router it works fine.
    All sugestions gratefully received

    Max

    ReplyDelete
    Replies
    1. Hi, I have a similar problem. I bought Vstarcam T6835WIP and despite the price of $50 it has good hardware but lots of software issues.
      I tryed to contact them via support@vstarcam.com or http://www.vstarcam.com/bbs/forum.php - their support forum - total lack of any kind of support ! - my posts were even deleted minutes after I submited them. I am very disapointed with their attitude against their clients. There's nothing else left for me to do but to hope that the new firmware releases can fix the issues that they have.

      Delete
  8. Hi, did you ever get H264 Streaming, I was hoping to use this with Raspberry Pi

    ReplyDelete
    Replies
    1. Yes, after one of the firmware updates I got it working with mplayer. Try this:

      mplayer rtsp:///H264

      Delete
    2. So what's the complete URL then?

      Delete

Have your say: