Categories
Wifi Spy Camera

Wifi-Camera Firmware

Firmware extracted successfully from the SPI chip using a TNM5000 flash programmer, and also using a CH341 clone. Chip was also successfully re-written using the TNM5000 (after a config change with the Android App rendered the device inoperable).
It is noted that the SPI flash chip is rated at 3.3v, but running the chip reader at 3.3v provides adequate power to activate the SOC. It was found (by accident) that applying 1.8v is adequate to read/write the SPI with the SOC remaining inactive.
The Nantronics N25S80 profile in Linux flashrom was found to be adequate to read the chip with the CH341 (although it required the --force parameter to override the chip-ID check, so programming this way is not possible).
$ flashrom --programmer ch341a_spi -c N25S80 -r firmwarefile.bin -f

Flash appears to have three blocks – the first two have remained static across reads/testing, the third appears to contain config. Blocks are padded with repeating 0xFF.

Start Address             End Address   Content (guess)
0x00000                   0x416E        Kernel/Bootloader? Has an ASCII string near the start (AC791N_STORY) that corresponds to a SOC with the same physical characteristics and manufacturer as the SOC on board. The block appears to end with a list of hardware parameters (in ASCII).
0x5000                    0xC29C6       Unclear; no obvious ASCII strings. Suspected main program code.
0xC5000 (later 0xC3000)   Variable      Config block with identifiable parameters in ASCII, including known passwords in clear text:
  • Wifi SSID (Video0_ZT953K)
  • Device ID (ZT953KTTYHST3W1L111A)
  • Device Password (hk123456)

Config Block

The base addresses shifted (0xC5000 initially, 0xC3000 later) after setting a device password using the mobile app.
It is also observed that “Saving” config sometimes appends a new section rather than overwriting; hence the user-set password (fixthispass1) was still observed after resetting it to default. The highlighted section in the block below is the config following a reset of the password using the mobile app. Also note, at 0xC3F42, the “ss1” after the default password, which appears to be the over-run of the custom password: an eight-character default plus its terminating NUL copied over the first nine bytes of the twelve-character custom value would leave exactly these three characters, suggesting fixed buffers are allocated and overwritten in RAM, then copied to flash.
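The layout and over-run observations above can be checked mechanically. The following Python is an added example (not the blog's own code): it carves a dump into blocks at runs of 0xFF, lists printable strings per block, and flags config slots where printable bytes follow a value's NUL, which is the pattern behind the "ss1" remnant. The sample image, the 64-byte padding threshold and the 24-byte fixed-width slot layout are assumptions, not the real firmware.

```python
# Added example, not the write-up's code: the 0xFF run threshold, fixed-width
# NUL-terminated config slots and the image itself are constructed assumptions.
import re

PAD_RUN = 64       # assumption: >= 64 consecutive 0xFF bytes is inter-block padding
FIELD_WIDTH = 24   # assumption: config values sit in fixed 24-byte NUL-terminated slots
PRINTABLE = rb'[\x20-\x7e]'

def find_blocks(image: bytes, pad_run: int = PAD_RUN) -> list:
    """(start, end) of regions that are not 0xFF padding, end exclusive."""
    blocks, pos = [], 0
    for m in re.finditer(rb'\xff{%d,}' % pad_run, image):
        if m.start() > pos:
            blocks.append((pos, m.start()))
        pos = m.end()
    if pos < len(image):
        blocks.append((pos, len(image)))
    return blocks

def ascii_strings(data: bytes, base: int = 0, min_len: int = 6) -> list:
    """(absolute offset, text) for printable runs, like strings(1)."""
    return [(base + m.start(), m.group().decode('ascii'))
            for m in re.finditer(PRINTABLE + rb'{%d,}' % min_len, data)]

def field_remnants(block: bytes, width: int = FIELD_WIDTH) -> list:
    """Slots where printable bytes follow the value's NUL instead of padding:
    a shorter value (plus its NUL) copied over a longer one leaves the old tail."""
    found = []
    for off in range(0, len(block) - width + 1, width):
        value, _, rest = block[off:off + width].partition(b'\x00')
        tail = rest.rstrip(b'\x00\xff')
        if value and tail and re.fullmatch(PRINTABLE + rb'+', tail):
            found.append((off, value.decode('ascii'), tail.decode('ascii')))
    return found

def audit(image: bytes) -> dict:
    """Strings per block plus remnant slots in the last (config) block."""
    blocks = find_blocks(image)
    return {'blocks': blocks,
            'strings': {b: ascii_strings(image[b[0]:b[1]], b[0]) for b in blocks},
            'remnants': field_remnants(image[slice(*blocks[-1])])}

def build_sample_image() -> bytes:
    """Constructed stand-in for the 1 MB dump: three blocks, 0xFF padded."""
    boot = b'\x00\x04\x08\x0c' + b'AC791N_STORY' + bytes(range(0x20, 0x60))
    code = bytes((i * 37) & 0xFE for i in range(512))       # never 0xFF
    config = b''.join(v.ljust(FIELD_WIDTH, b'\x00') for v in    # 'ss1' = stale tail
                      (b'Video0_ZT953K', b'ZT953KTTYHST3W1L111A', b'hk123456\x00ss1'))
    return boot + b'\xff' * 128 + code + b'\xff' * 256 + config + b'\xff' * 128
```

Run `audit(open('firmwarefile.bin', 'rb').read())` on a real dump to get the same report; the slot width will need adjusting once the real field layout is known.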

SOC identification

Searching for the string AC791N_STORY leads to the JieliTech GitHub site, which details their AC79 series IoT chips (although much of the documentation is in Chinese; Google Translate works to a degree).

Referring to this data sheet and following the circuit traces shows reasonable correlation between the pinout of the connected devices (inc. USB, antenna, VCC/GND, mic) and the AC7911B data sheet linked above. The company logo also matches the logo screen-printed on the chip (although the printed chip ID doesn’t match the datasheet).


Wifi-Camera Initial Review

The device was initially reviewed with minimal invasion, noting its physical and logical behaviour and avoiding activities that would connect to cloud services (e.g. not connecting it to an internet-connected router; this will be done later).

On power up from reset (connecting from laptop, no android app)

  • LEDs light and flash, indicating power, mode and activity (assumed based on labels).
  • Creates unencrypted wifi AP Video_ZT953K
  • Connecting to this gives a 192.168.0.2 local address, with GW 192.168.0.1
    • The “GW” IP (believed to be the camera) responds to ping (although it sometimes duplicates packets)
    • GW MAC: 78:28:f2:ec:ae:b0
    • Nmap shows no open TCP ports on the GW, and no other devices on the network (other than the laptop)
    • Nmap OS fingerprint inconclusive (no open ports), but suggests an Espressif esp8266 (FreeRTOS/lwIP) or similar embedded-device IP stack.
$ sudo nmap 192.168.0.1 -p0-65535 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-06 12:02 BST
Nmap scan report for 192.168.0.1
Host is up (0.0025s latency).
All 65536 scanned ports on 192.168.0.1 are closed
MAC Address: 78:28:F2:EC:AE:B0 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: 2N Helios IP VoIP doorbell (95%), Advanced Illumination DCS-100E lighting controller (95%), AudioControl D3400 network amplifier (95%), British Gas GS-Z3 data logger (95%), Daysequerra M4.2SI radio (95%), Denver Electronics AC-5000W MK2 camera (95%), DTE Energy Bridge (lwIP stack) (95%), Enlogic PDU (FreeRTOS/lwIP) (95%), Espressif esp8266 firmware (lwIP stack) (95%), Espressif ESP8266 WiFi system-on-a-chip (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.16 seconds
  • Nmap UDP scan shows some ports in “open/filtered” state. None of these respond to random data via netcat.
$ sudo nmap 192.168.0.1 -p0-65535 -sU -O
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-06 12:06 BST
Nmap scan report for 192.168.0.1
Host is up (0.0020s latency).
Not shown: 65532 closed ports
PORT      STATE         SERVICE
67/udp    open|filtered dhcps
3889/udp  open|filtered dandv-tester
32761/udp open|filtered unknown
55556/udp open|filtered unknown
MAC Address: 78:28:F2:EC:AE:B0 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: 2N Helios IP VoIP doorbell (95%), Advanced Illumination DCS-100E lighting controller (95%), AudioControl D3400 network amplifier (95%), British Gas GS-Z3 data logger (95%), Daysequerra M4.2SI radio (95%), Denver Electronics AC-5000W MK2 camera (95%), DTE Energy Bridge (lwIP stack) (95%), Enlogic PDU (FreeRTOS/lwIP) (95%), Espressif esp8266 firmware (lwIP stack) (95%), Espressif ESP8266 WiFi system-on-a-chip (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.25 seconds
  • Removing power, device stays active with wifi AP. No change in network presentation.
  • Powering off (press and hold power button) disables the WiFi AP (and the LEDs extinguish)
  • No change in network behaviour when an SD card is inserted.
  • Camera MAC changes with each power cycle; some seen include:
    • e0:3a:54:02:cf:6b
    • 68:e5:f1:b3:14:13
    • d8:df:5e:9f:cb:29
  • After a while the camera starts emitting SSDP like packets on UDP port 3889 (to broadcast).
Figure: UDP broadcast packet as seen in Wireshark

Android Video0 App (Running in emulator)

When operating the app in an Android emulator, the following network behaviour was observed:

  • T&C window tries to reach out to www.tplook.com (note TLS not used on the request http://www.tplook.com/video0/UserAgreement_en.html)
  • On startup App tries to DNS resolve
    • android.bugly.qq.com
    • api.ipify.org
    • ip-api.com
    • ip.nf
  • Triggering the camera add functions (both network and standalone) doesn’t appear to emit any network traffic (the guess is that the app listens for the packets noted above).
  • The manual add option (completing the form with the UID from the UDP broadcast packet shown above and the default password from the manual) triggers DNS lookups to all-master.iotcplatform.com but doesn’t communicate locally with the camera.
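As an added example (not from the original write-up), this Python tags the behaviour listed above, the app's DNS lookups, the plain-http T&C fetch and the camera's UDP 3889 broadcast, in a connection log, so the device and app can be recognised on a monitored network by behaviour rather than by a MAC that changes each power cycle. The log line format and every sample line are constructed assumptions.

```python
# Added example, not the write-up's code; the log format "time proto src dst[:port] [name]" is assumed
from collections import defaultdict

# Indicators taken from the observations above
APP_TELEMETRY = {'android.bugly.qq.com'}
EXTERNAL_IP_SERVICES = {'api.ipify.org', 'ip-api.com', 'ip.nf'}
CLOUD_RELAY = {'all-master.iotcplatform.com'}
CLEARTEXT_HOSTS = {'www.tplook.com'}      # fetched over plain http
BEACON_PORT = 3889                        # SSDP-like UDP broadcast from the camera

def classify(line: str):
    """Tag one log line as (category, detail), or None when nothing matches."""
    fields = line.split()
    if len(fields) < 4:
        return None
    _, proto, src, dst = fields[:4]
    name = fields[4] if len(fields) > 4 else ''
    dst_ip, _, port = dst.rpartition(':')
    if proto == 'dns':
        if name in APP_TELEMETRY:
            return ('app-telemetry', name)
        if name in EXTERNAL_IP_SERVICES:
            return ('external-ip-lookup', name)
        if name in CLOUD_RELAY:
            return ('cloud-relay-lookup', name)
    elif proto == 'http' and name in CLEARTEXT_HOSTS:
        return ('cleartext-http', name)
    elif (proto == 'udp' and port.isdigit() and int(port) == BEACON_PORT
          and dst_ip.endswith('.255')):      # broadcast destination
        return ('camera-beacon', src)        # key on behaviour, not MAC (it rotates)
    return None

def summarise(lines) -> dict:
    """category -> sorted unique details, for a quick review of a capture."""
    hits = defaultdict(set)
    for line in lines:
        tagged = classify(line)
        if tagged:
            hits[tagged[0]].add(tagged[1])
    return {k: sorted(v) for k, v in hits.items()}

SAMPLE_LOG = [  # constructed, modelled on the behaviour described above
    '12:02:01 dns 192.168.0.2 192.168.0.1:53 android.bugly.qq.com',
    '12:02:01 dns 192.168.0.2 192.168.0.1:53 api.ipify.org',
    '12:02:02 http 192.168.0.2 203.0.113.10:80 www.tplook.com',
    '12:02:05 udp 192.168.0.1 255.255.255.255:3889',
    '12:02:30 dns 192.168.0.2 192.168.0.1:53 all-master.iotcplatform.com',
    '12:02:31 udp 192.168.0.2 192.168.0.1:55556',
]
```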

Android App (running on rooted device for packet capture)

Tablet was manually connected to Camera AP, and App then detects camera automatically. Application functions perform as expected, although it was later found that setting very long passwords in the App caused the device to enter a boot loop (which was recovered by re-flashing the SPI flash).
All network communication occurs over UDP with an unknown binary format (although repeated patterns are visible in the messages). Further analysis needed!


Wifi-Camera Physical Teardown

Having reviewed the camera behaviour “as-is”, the next step is to dismantle it and see what can be learnt from the circuit board and chip choices. For an unknown device, extra care should be taken to avoid any anti-tamper devices; however, in this case the device isn’t important and can easily be replaced if damaged.

Outside

Photos: side view, front, base

Inside

Photos: board removed from case, rear of PCB, front of PCB

SOC Connectors

Connectors/devices with obvious traces to the SOP-48 chip

  • USB-B micro
  • Micro SD
  • Camera
  • Microphone?
  • SPI Flash
  • LEDs
  • 2 Buttons

Chip List

Location   Marking                    Case Format         Description                                        Data Sheet
Front      YLD-JL815-09-16MM-V2.0                         Camera + ribbon assembly
Rear       JL C018191-11BB            SOP-48              SOC; connections to all key chips and connectors   Data sheet, SDK, Github
Rear       T25S80 PB22N1 PPG186       SOP-8               8Mbit SPI Flash                                    Data sheet (similar chip)
Rear       24.000 MHz                 Surface mount can   Crystal?
Rear       HS2P                       SOP-3
Rear       LTH7                       SOP-5               Charge regulator                                   LTC4054ES5-4.2 data sheet
Front      A1SHB                      SOP-3               2x MOSFET (charging circuit)                       A1SHB data sheet
Front      A14Z                       SOP-5
Front      442A                       SOP-5