Notifications
Clear all

Covert ip Camera  

  RSS
rcwi
 rcwi
(@rcwi)
New Member

A camera similar to below was hidden in a person's home to spy on them. There was no TF card in it. It is an IP camera and can be viewed live streaming via a mobile App. So, limited range.

I want to get into it to see the file system. Maybe it records MAC of connected devices, or other artifacts. It has a USB port. I am assuming it is using some version of Linux. I may even consider doing a chip off to image what ever eMMC is on there (depending if I have an adapter).

Hoping there is not that much security built in. I have the password to connect to it to do live streaming. Don't think that would give root, but maybe files won't need root privilege to read.

Any ideas or resources?

Thanks for any help,
Robert Craig

Quote
Posted : 05/08/2017 8:10 pm
C.R.S.
(@c-r-s)
Active Member

USB on these devices is for power supply only, I think. But worth to give it a try, maybe it contains a serial adapter.

I wouldn't bother to connect via wifi or try web exploitation etc, since it potentially destroys evidence. Chip-off is fine, but first I'd look for the (nearly) inevitable UART connector on the PCB or any other useful bus. If you've got an UART, you maybe get a root shell, or - if this is locked down - at least a boot loader console. From the boot loader console, you can dump the memory and slice the image using binwalk or manually, decompress partitions etc.

ReplyQuote
Posted : 05/08/2017 9:39 pm
jaclaz
(@jaclaz)
Community Legend

Check if this (there are some more detailed pictures) is more or less like it
http//www.wiseupshop.com/wiseup-720p-hd-wifi-hidden-camera-button-with-160-degree-wide-view-angle.html

My guess is that these are more or less (as often happens) generic no-names that this or that OEM re-brands, DIY, Wise Up, Fredi, Toughsty, CAMAKT,TANGMI etc.

There are seemingly two basic versions, some without and some with a heatsink, see
https://www.youtube.com/watch?v=nOyEsNsBpi8

This is (possibly only one among more than one) seemingly the actual manufacturer
https://www.alibaba.com/product-detail/Daretang-Wireless-mini-wifi-Camera-module_60514243987.html
http//daretang.com/index.html

Haven't seen any teardown/disassembly, though.

jaclaz

ReplyQuote
Posted : 05/08/2017 9:47 pm
rcwi
 rcwi
(@rcwi)
New Member

Thanks for the responses. They were very helpful.

The board does have 3 pin connector. The center pin is GND (checked with multimeter). The others are RXD and TXD?? No power to PCB yet.

Would a serial USB with the pins RXD, TXD, and GND work? Connect using Linux? Not to sure how, but finding resources and learning on the fly.

ReplyQuote
Posted : 08/08/2017 8:42 pm
C.R.S.
(@c-r-s)
Active Member

The board does have 3 pin connector. The center pin is GND (checked with multimeter). The others are RXD and TXD?

Plausible indeed, but try to research the datasheets for the components on the board and follow the traces/analyze the general layout to substantiate this. Ideally, you'd have a passive measurement device to connect first, an oscilloscope or logic analyzer.

Would a serial USB with the pins RXD, TXD, and GND work?

If it's UART, it's most likely on TTL level, so do not use a standard RS-232 adapter, but one for the proper signal level. One based on CP2102 should do the job, better FT232R.

They are omnipresent today for tinkering, do not always contain the advertised parts and vary in quality. So there's still some risk to let the magic smoke out, if you buy one and put it right into action. You can check your tool and basically the entire process with a cheap home router instead of the camera. These are well documented for OpenWRT flashing like this https://wiki.openwrt.org/toh/gl-inet/gl-ar150

Connect using Linux? Not to sure how, but finding resources and learning on the fly.

No Linux needed to connect, just a terminal program like Putty on the respective COM port. For binwalk you'll need Linux.

ReplyQuote
Posted : 08/08/2017 9:57 pm
jaclaz
(@jaclaz)
Community Legend

If it's UART, it's most likely on TTL level, so do not use a standard RS-232 adapter, but one for the proper signal level. One based on CP2102 should do the job, better FT232R.

They are omnipresent today for tinkering, do not always contain the advertised parts and vary in quality. So there's still some risk to let the magic smoke out, if you buy one and put it right into action.

Also, remember how there are TWO TTL levels, TTL and TTL/CMOS ( *almost everyone* insists of calling both TTL)
http//www.interfacebus.com/voltage_threshold.html

and almost noone ever provides (if not after some torture is applied) the actual USB/TTL or RS232/TTL converter specifications AND there are "smart" devices that auto select the level based on on the voltage used to power it.

It is - as often happens - a total mess.

In the (only seemingly unrelated) READ_ME_FIRST about recovery of the (in)famous 7200.11 there is a more extensive description
http//www.msfn.org/board/topic/143880-seagate-barracuda-720011-read_me_first/

The points

  • SERIAL Voltage and TTL levels
  • GROUNDING
  • LOOPBACK TESTS
  • SPEED/DATA BITS/PARITY/STOP BITS/FLOW CONTROL
  • CONVERTERS (or Data Cables)
  • POWERING the converter (or data cable)

are all of "general interest" if you are not familiar with the matter.

jaclaz

ReplyQuote
Posted : 08/08/2017 11:46 pm
rcwi
 rcwi
(@rcwi)
New Member

Thanks to everyone for the help. I am going to work on the suggestions. I will post if I have any luck.

Rob Craig

ReplyQuote
Posted : 14/08/2017 11:18 pm
Share: