Hacking a Tiny Security Camera - VStarcam CB73 Firmware Extraction

  • Published: 2 Dec 2024

Comments •

  • @tonik2558 4 months ago +44

    The amount of high quality content you're putting out is amazing. I love that there's an audience for in-depth cybersecurity stuff

  • @ripleysmith7583 4 months ago +12

    Love the channel. I was originally an electronics technician and my work changed me to an IT guy so this is got the love for all the fun things. Keep up the good work.

  • @danielcgomez 4 months ago +51

    I've always been very cautious with all types of IP Cameras ...would be interesting to see what you come up with regarding not only these Chinese cameras ...but also the more 'legit' cameras ...let's see what acronym agencies have their claws into our privacy.

    • @monad_tcp 4 months ago +7

      I call them Shodam Cameras.

    • @lifeai1889 4 months ago +1

      You can install OpenIPC on the T31 chip, I have this model

    • @minutemadeinc 4 months ago

      @lifeai1889 also look at Thingino as an OpenIPC alternative

    • @WaffleStaffel 4 months ago +1

      I'm not the least bit concerned about China. With domestic products, I'm going to assume Moss@d or some Unit 8200 outfit has its grubby mitts all over them.

  • @a97807 4 months ago +7

    I think I am literally addicted to your channel.

  • @RoadRunnerMeep 4 months ago +10

    I like the fact that the software actually told you which pin was a bad connection :)

  • @puolukka_hill_0 3 months ago +3

    Your videos are fantastic!
    I really love the way you show the whole physical process without delving too much into the theoretical details.
    I already have a grasp on the underlying concepts so just observing your workflow with commentary is wonderful!

  • @kyoteecasey 4 months ago +4

    Great to see your process and tools being used here, you make it look easy! Going to watch the rest of the series over the weekend.

  • @Billy-mu8yu 4 months ago +5

    Another great video for sure. My only recurring request would be to make the videos longer. I’d love to see you continue digging into the firmware analysis / exploring the flash contents. I know you’ll make more videos, but it’d be great to be able to watch more of your initial analysis.. keep making the iot hacking videos, we love em!

  • @TheShutterNinja 4 months ago +6

    Ah, I always enjoy seeing the notice for a new video, it makes the work day go by faster. Thank you for this series.

  • @Tenetri 4 months ago +3

    I'm hooked on these videos! I've always wanted to reverse engineer Chinese made tech to see what data it sends back to China. I'm really excited to see future videos, keep it up!

  • @rainy-sec 4 months ago +3

    Wow, gotta say, I'm impressed, learn so many new things here, great job!

  • @dingokidneys 4 months ago +3

    I'm interested to see how this plays out as you dig deeper into this little device. Good stuff.

  • @AbdelkaderBoudih 4 months ago +10

    The disable wifi is to save battery, as this can record in the card and trigger with motion

    • @booboo699254 4 months ago

      It also makes it more difficult to be found (via WIFI signal leakage)

    • @a46475 4 months ago +2

      ...or for concealment reasons by not giving away its presence by communicating with another wireless device.

  • @Jeff-ss6qt 4 months ago +4

    I wouldn't discount the libraries too soon. It'd be a good way to hide stuff and have access to absolutely everything passing into them. They are open source, so can be modified to have anything included.

  • @svob97 4 months ago +4

    Perfect video man, awesome content, you are explaining your thoughts very well, keep going! Looking forward to the next vid!

  • @drakedorosh9332 4 months ago +2

    Great choice of subject. I have a few of these surveillance items that are definitely sketchy on some level. Even my fancy bird feeder might just as well been intended to spy on the customer as be used to watch birds. I wish I wasn't just a spectator though. There is so much to learn.

  • @marioruiz5404 4 months ago +2

    Soli Deo Gloria, well said man. Congrats, this hacker garage is awesome.

    • @mattbrwn 4 months ago +1

      ✝️👑

  • @ItsAuver 4 months ago +2

    Love waking up to a new Matt Brown video notification 😀. I'm looking forward to the binary reverse engineering!

  • @wevecomesofar3825 4 months ago +2

    I'm absolutely loving your videos!

  • @MrDennisloi 4 months ago +1

    Awesome, I'm looking forward to the next steps!

  • @xDMG15x 4 months ago +4

    Please make a video when you reverse those binaries. The firmware extraction part is cool but it’s not always clear what the goal of extracting it is. I liked the Netgear router one because discovering the passwords is a practical reason to want the firmware.

    • @mattbrwn 4 months ago +5

      Video drops Wednesday of this

  • @JuanesChiwirosky 4 months ago +2

    God I love reverse engineering videos 🎉🎉🎉

  • @al_lazy3519 4 months ago +2

    I think the wifi switch is to use that as some sort of spy camera and save battery, since it has a micro sd slot.

  • @luciopaiva 4 months ago +3

    Very interesting video, thanks!

  • @6LordMortus9 4 months ago +1

    Can't wait to see an update :)

  • @Tish0eX 4 months ago +1

    Nice content as always. You can check some cheap Chinese drone cameras also like Eachine E58. They have wifi camera but can be connected only to their proprietary app so if you can read/modify the firmware they can be more versatile.

  • @sw3nlab 4 months ago +3

    Not bad, Matt. Well done. Now all that's left is to build your own evil/autoupdatechek for MIPS, test it in QEMU, pack everything back up and flash it back onto the chip 😅

  • @m0rjjj666 3 months ago

    I just discovered your channel. I am a software developer and DIY electronics is my hobby. The quality of your content is just amazing. I have a bunch of IoT devices that are cloud based, but they are still connected to my local hosted home assistant. Would be cool to follow along your journey and to hack my own devices.
    Thank you

  • @raspberrypie1983 4 months ago +1

    Love to see it, when people do exactly what I would do with these things

  • @danialothman 4 months ago +1

    that is super cool Matt👍

  • @tweebs1 4 months ago +1

    Really enjoy these. My first EPROM reader/writer used a similar ZIF socket but you needed a UV light to erase the chip. Any recommendations on a decently priced microscope? My eyes are old too...

  • @Dr.Schiwago 4 months ago

    Very cool, learning new tricks is very cool. Thanks man!

  • @akillercaterpiller 3 months ago

    Absolutely fascinating. Thanks for sharing!

  • @isaacclark9825 4 months ago +2

    Is it common for the flash to be unencrypted? Great content!!!

    • @mattbrwn 4 months ago +2

      Yes it's usually unencrypted. There are some devices out there that do encryption but it's a hard thing to get right on embedded devices

  • @aot2002 4 months ago +1

    Very interested in seeing more ip cameras hacked and figuring out where they send data

  • @mohammadrazavi9058 1 month ago

    I believe having On/Off switch for Wi-Fi is amazing from Wireless security perspective

  • @ripplerxeon 4 months ago +1

    I really enjoyed it

  • @Veptis 4 months ago +1

    I always wondered how these "hacked IP cam" videos ended up on the web... But if people end up putting them in their bedrooms - I guess that's their bad to some degree?

  • @felixcosty 4 months ago

    Thanks for the video.
    What I always wanted to know is can the firmware be modded, put back on the device and make it your own, without all the report back to home?

  • @The_Real_Grand_Nagus 3 months ago

    If you're just looking for what the device is doing on the network and where it's sending data, wireshark may be a better option. You can configure your router so all the packets get sent through your Linux host as a gateway. Also the "autoupdate" binary is probably something that checks for and installs updates to the firmware. I would be suspicious if it does more, but I wouldn't automatically assume so.

  • @EzphoneLinuxleszbian-yb5pr 3 months ago

    I think I got a similar camera from looting, idk how to get it working tho as it doesn't have any markings, this video is super cool showing off how it's built up

  • @ESEben10 4 months ago +1

    Great episode!

  • @Trick_in_hat 4 months ago

    Very interesting content, helps me better understand how it all fits together.

  • @namesurname201 4 months ago +1

    Thanks ❤

  • @charleshines5700 4 months ago +1

    I can imagine someone using a thinner pad where the battery is and using a bigger battery. It wouldn't surprise me if someone did it already really.

  • @peytonk7367 4 months ago

    How hot does the hot air gun have to be for it to work? I have a hot air gun I could use but I don't know if it's hot enough.

  • @miked5444 4 months ago

    Wouldn't the addresses in autoupgradecheck be primarily for OTA firmware updates?

  • @KSPseiko 4 months ago +2

    I don't believe battery I saw on the video has 2000 mAh capacity - as stated by manufacturer

  • @clearheadedness 4 months ago

    Can this be used to find a way to use those cameras locally without a Chinese server connection?

  • @PetrVr 4 months ago +1

    Just in a process of reversing different camera that sells where I am for good money. I was hoping that it will have similar chip that yours have T__ of MIPS architecture. Since I was planning to run Thingino firmware on it. Thingino is pretty cool project though. You might be interested in it. Anyway... Mine is running ARM AK3918 SoC, so Thingino firmware is not an option. So I am looking for a way how to stop it from sending data to China and use something like RTSP on LAN only.

    • @309electronics5 4 months ago

      What does it say on boot if it has a UART port? I had a Tuya camera where I disabled the Tuya init script and enabled telnet and RTSP

    • @PetrVr 4 months ago

      @309electronics5 I kinda went head on with dumping the firmware first. What you are mentioning should be possible, since there is some sort of config file that lists all services and other options like resolution etc., including RTSP with bool option next to it. I didn't yet have time to analyze device while it's running. Might get to do it later this week. Though I am hoping to have some option for modifying the firmware and either removing all embedded URLs the camera tries to talk to or I might try to just firewall-block all traffic to WAN coming from the camera, though I am not sure how that would work.

    • @bigdfig6083 3 months ago

      That will work exactly as you stated. Camera nic has xyz ipaddy and ALL packets from said ip get dropped at the fw. If you WANT it to send traffic through fw set rule for specific ip at other end though I would suggest allowing certain inbound traffic from explicitly listed addresses

  • @anominaty 4 months ago +1

    Hi, can you reverse engineer a JioFi 3
    Convert it into a wifi repeater
    The use of old technology, it's a good idea

  • @Titanek 4 months ago +1

    Wiggling.. Is that the small-scale version of "percussive maintenance"? :D

    • @mattbrwn 4 months ago +1

      very scientific here on this channel :D

  • @vj7910 3 months ago

    Good quality video..Cheers

  • @joelsexton5594 4 months ago

    I've literally seen Hikvision cameras start opening ports on firewalls for inbound traffic with UPNP. I'm interested in what comes of this firmware.

  • @a46475 4 months ago

    I notice what appears to be a memory card slot so that could explain WiFi on/off switch.

  • @dzxgame914 4 months ago

    Great skills, I feel at home with most of what u doing, amazing, thank you

  • @PlayerOne1999 4 months ago

    Why is the firmware you extracted in readable form?

  • @samuraidriver4x4 4 months ago

    Was expecting it to phone home to Baidu but Alibaba also checks out.😁

  • @Melds 4 months ago

    Why do all of these devices go to tencent and alibaba? Are they like the AWS of China or are they involved with all of these hardware platforms?

  • @mynamesgus4295 4 months ago +1

    amazing video man

  • @VoidFrost 2 months ago

    Why dump the firmware to analyze the file system BEFORE attempting to gain a shell? Wouldn't it make more sense to attempt to get a shell first?

  • @junior88fan64 4 months ago

    Well done Brainiac

  • @74357175 4 months ago

    Any decent IP cameras with open firmware?

  • @Dnsx_plus 4 months ago

    Why not just monitor network traffic by using some proxy kind of like burpsuite instead of having to reverse the binary or extract the firmware ?

  • @drooplug 4 months ago

    What temperature do you use to desolder?

  • @ShadyNetworker 1 month ago

    Wait, so, how in the hell does the "Flash read" actually work?
    Can you instruct those chips to simply send all onboard data or what's going on there?

  • @dexopt 4 months ago

    I just love seeing Linux on tiny chips!

    • @309electronics5 4 months ago

      A large portion of the embedded world runs on Linux. Just shows how important and useful Linux really is

    • @dexopt 4 months ago

      @309electronics5 agreed 💯. It's an amazing thing really. Even my printer runs on it.

  • @ff0x 3 months ago

    Just came across your channel - good stuff. You definitely deserve this comment and a like to help your algorithm. :)

  • @benneh242 4 months ago

    Hey are you running xgpro under wine? It really won't play well for me that way and I've had to resort to a vm...

    • @markwhidby5148 4 months ago +1

      He said he did on an earlier video - the one for the fake Chromecast device.

  • @Channel-tm8ud 4 months ago

    Can't you read the firmware with the chip in place?

  • @hugovangalen 4 months ago

    I guess that by leaving the WiFi off, it won't accidentally connect to an open AP and reveal its presence. Or just to save power.

  • @kikihun9726 4 months ago

    Looks like a simple remote access platform where you can download the clips to your phone without taking a risk to open your router port to the internet side. But that hardcoded IP address will fail over the years if they go out of business.

  • @309electronics5 4 months ago +2

    My Tuya camera also has this Ingenic T31 chip. I have also seen them a lot and it contains a RISC-V MCU core alongside the MIPS!
    I managed to even disable the Tuya app stack and enable telnet and RTSP!

  • @enricocialdini6194 3 months ago

    What did you put on the chip to detach it?

  • @Misimpa 4 months ago

    Cool but what about other projects?)

  • @WWFYMN 4 months ago

    Hello, could you modify the firmware so that it is easier to get shell, maybe add ssh if it's not enabled or change the password if it has one

    • @mattbrwn 4 months ago +6

      Video of getting a shell drops Wednesday 😎

    • @WWFYMN 4 months ago

      @mattbrwn ❤

  • @UndeadAlex 4 months ago

    When in doubt, just wiggle it xD

  • @alpha_pixel_ 4 months ago

    Try to hack into ezviz cameras. Check if it is compatible for custom firmware.

  • @VantaCanadaBlack 3 months ago

    These can record locally to sd card when you turn wifi off.

  • @monad_tcp 4 months ago

    9:46 that ZIF socket is really bad

  • @s80heb 4 months ago

    Can you hack a ledger nano

  • @FreshaThen 4 months ago

    I need to know your OS! 😅

  • @xiv3r 4 months ago

    How to unlock eeprom that has been permanent locked by Protection Lock Bits value 1

  • @masterman1502 3 months ago

    IPs for Alibaba and Tencent are probably just their cloud services, so probably the camera vendor is hosting stuff there

  • @phuo2185 4 months ago

    can you pls make a video on synology tC500 camera , pls , pls , pls

  • @rhettpete 3 months ago

    Nice one

  • @tente-outro 4 months ago

    let's watch

  • @xenoxaos1 4 months ago +1

    All my cameras are on a vlan that doesn't have any external access...

    • @mattbrwn 4 months ago +1

      No egress? Or only no ingress?

    • @al_lazy3519 4 months ago

      I know that might be a bit much, but do you have any material on that? I wanted to do something similar but when going beyond the settings of routers networking gets difficult

    • @xenoxaos1 4 months ago +3

      @mattbrwn no egress or ingress... Only access to my other VLANs. DNS resolves every domain name to a local IP. Also forwarding NTP to a local NTP server. My wifi AP has the ability to assign different SSIDs to different VLANs. One SSID is just typical. One has DHCP with a set DNS to pinhole... The third is basically a black hole that can only access IPs on first VLAN

    • @xenoxaos1 4 months ago

      @al_lazy3519 you can't really do this with a normal router. One got an EdgeRouter Pro 8 and a UniFi AC Pro access point and a 48 port Cisco PoE managed switch.

    • @PetrVr 4 months ago

      @xenoxaos1 That is pretty cool setup. I am in process of replacing all my routers with OpenWRT capable routers, which to my knowledge supports VLANs. Though I haven't thought about blocking all the WAN traffic on the VLAN specifically for the IPCams purposes.
      Just by an accident you don't have any blog article showing how you did that? :-)

  • @George-ec7ez 4 months ago +1

    Nice Haircut

    • @aarong9378 4 months ago

      Don't be a jerk.

    • @George-ec7ez 4 months ago

      @aarong9378 it wasn't meant as an insult, but I guess compliments don't translate well over the internet

  • @КонстантинФаер-и1ц 4 months ago +1

    Oh, this is solid stuff, we're watching it

  • @yaswanthkumarkoppanathi8074 4 months ago

    Is that Arch Linux?

  • @akshita_9597 4 months ago

    Try hacking Ring video doorbell

  • @спасибки-у4к 4 months ago

    where google chromecast part 2?

  • @lifeai1889 4 months ago

    try to install openipc

  • @mirceabereveanu8943 1 month ago

    GGs

  • @the_schreiber 4 months ago

    The device is not using TLS so you can easily intercept the traffic with Burp and see what exactly is being sent

  • @Diddle546 4 months ago

    Do something more intense like a pcb active tamper alteration detection

  • @FocusAccount-iv5xe 4 months ago

    +

  • @maxdouglas5239 4 months ago

    First comment 🎉

  • @cmdblock 4 months ago

    that's average