Hacking IP-Camera Digoo BB-M2 – Part 2 – Analyzing the boot process

The previous article showed how to identify the serial port on the IP-Camera. With the port identified, wires can be soldered to the IP-Camera and a USB-to-serial adapter attached to them.


It is important that the wires do not cause a short circuit on the IP-Camera.

With picocom it is possible to read from and write to the serial bus. If the serial bus adapter is not white-listed, the command must be executed with root privileges.

$ sudo picocom -b 115200 /dev/ttyUSB0
picocom v1.7

port is        : /dev/ttyUSB0
flowcontrol    : none
baudrate is    : 115200
parity is      : none
databits are   : 8
escape is      : C-a
local echo is  : no
noinit is      : no
noreset is     : no
nolock is      : no
send_cmd is    : sz -vv
receive_cmd is : rz -vv
imap is        : 
omap is        : 
emap is        : crcrlf,delbs,

Terminal ready

Now the IP-Camera must be plugged in; the boot messages are then printed on the picocom console.

U-Boot SPL 2013.07 (Sep 22 2016 - 21:41:56)
pll_init:347
l2cache_clk = 450000000
pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 2
nf=36 nr = 1 od0 = 1 od1 = 1
cppcr is 02404900
CPM_CPAPCR 0470890d
nf=50 nr = 1 od0 = 1 od1 = 1
cppcr is 03204900
CPM_CPMPCR 0320490d
cppcr 0x9a7b5510
apll_freq 860160000 
mpll_freq 1200000000 
ddr sel mpll, cpu sel apll
ddrfreq 400000000
cclk  860160000
l2clk 430080000
h0clk 300000000
h2clk 300000000
pclk  150000000
CPM_DDRCDR(0000002c) = a0000002


U-Boot 2013.07 (Sep 22 2016 - 21:41:56)

Board: ISVP (Ingenic XBurst T10 SoC)
DRAM:  64 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 423k for U-Boot at: 83f94000
Reserving 32784k for malloc() at: 81f90000
Reserving 32 Bytes for Board Info at: 81f8ffe0
Reserving 124 Bytes for Global Data at: 81f8ff64
Reserving 128k for boot params() at: 81f6ff64
Stack Pointer at: 81f6ff48
Now running in RAM - U-Boot at: 83f94000
MMC:   msc: 0
the manufacturer f8
SF: Detected FM25Q64

In:    serial
Out:   serial
Err:   serial
Net:   CPM_MACCDR(54) = a0000017
Jz4775-9161
Hit any key to stop autoboot:  0 
the manufacturer f8
SF: Detected FM25Q64

SF: 2621440 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80600000 ...
   Image Name:   Linux-3.10.14
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    2037043 Bytes = 1.9 MiB
   Load Address: 80010000
   Entry Point:  8039a050
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.14 (root@hsx-desktop) (gcc version 4.7.2 (Ingenic 2015.02) ) #5 PREEMPT Thu Sep 22 09:11:41 CST 2016
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 RESET ERROR PC:00805077
[    0.000000] CPU0 revision is: 00d00100 (Ingenic Xburst)
[    0.000000] FPU revision is: 00b70000
[    0.000000] CCLK:860MHz L2CLK:430Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 00439000 @ 00010000 (usable)
[    0.000000]  memory: 00037000 @ 00449000 (usable after init)
[    0.493476] jz_mac jz_mac.0: MII Probe failed!
[    0.962286] drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
mdev is ok......
ifconfig: SIOCGIFFLAGS: No such device

apk-link login: Archive:  /system/system/lib/drivers.zip
   creating: drivers/
  inflating: drivers/gpioapp.ko
  inflating: drivers/sensor_jxh42.ko
  inflating: drivers/sensor_jxh62.ko
  inflating: drivers/sensor_jxh61.ko
  inflating: drivers/motoract.ko
  inflating: drivers/rf433.ko
  inflating: drivers/tx-isp.ko
  inflating: drivers/sinfo.ko
  inflating: drivers/eeprom_at24.ko
  inflating: drivers/sensor_ar0130.ko
ifconfig: wlan0: error fetching interface information: Device not found
not find mac===Get wifi ap mac:===
ifconfig: wlan0: error fetching interface information: Device not found
not find mac===Get wifi mac:===
===NetWorkSetMac===FC:cd:dc:ca:19:bb
sscanf return 6
@@@@ APSSID APCAM_FFFFFFCA19FFFFFFBB @@@@
===Get wifi ap mac:E0:B9:4D:ED:9C:98===
===Get wifi mac:E0:B9:4D:ED:9C:98===
===NetWorkSetMac===FC:cd:dc:ca:19:bb
SysParamRead system.ini
RTSP Port 10554
ONVIF Port 10080
SysLanguageRead language.ini
Now Language is English !
/usr/bin/unzip -o /system/www/audio_en.zip -d /tmp
kernelversion = Thu Sep 22 09:11:41 CST 2016 
user0: pwd:
user1: pwd:
user2:admin pwd:
SysDefaultVoiceInit : 2
sysversion:E10.71.1.16.55E
SysParamRead factory.ini
ssid: wifiauth 0 wifikey:
===NetWorkEthInitMac===FC:cd:dc:ca:19:bb
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCSIFHWADDR: No such device
ifconfig: SIOCGIFFLAGS: No such device
========mac=FC:cd:dc:ca:19:bb===========
route: SIOCDELRT: No such process
ifconfig: SIOCSIFADDR: No such device
route: SIOCADDRT: No such device
dns1:8.8.8.8 dns2:192.168.1.1
===IpcSocketInit=6666===
===IpcSocketInit end=3===
===snetworkethmac:FC:cd:dc:ca:19:bb  snetworkwifimac:E0:B9:4D:ED:9C:98===
 SearchAppInit by zxh
ServiceInit by zxh
update Socket proc is start
update socket init
start app update thread
===SearchThreadProc===
Archive:  /system/system/bin/encoder.zip
  inflating: encoder
===wificam is start===
===wificam insmod ko is start===
===wificam insmod ko is end  ===
adc_max : 0
adc_min : 0
GpioDataGpioMux:0
GpioDataGpioMux:0
GPIO_PIN_DIR:0
GpioDataGpioDir:0
GpioMotoInit
GpioAduioOut 0 
===Get wifi ap mac:E0:B9:4D:ED:9C:98===
===Get wifi mac:E0:B9:4D:ED:9C:98===
===NetWorkSetMac===FC:cd:dc:ca:19:bb
SysParamRead system.ini
RTSP Port 10554
ONVIF Port 10080
SysLanguageRead language.ini
Now Language is English !
/usr/bin/unzip -o /system/www/audio_en.zip -d /tmp
kernelversion = Thu Sep 22 09:11:41 CST 2016 
user0: pwd:
user1: pwd:
user2:admin pwd:
SysDefaultVoiceInit : 2
sysversion:E10.71.1.16.55E
SysParamRead factory.ini
===Get wifi ap mac:E0:B9:4D:ED:9C:98===
===Get wifi mac:E0:B9:4D:ED:9C:98===
===NetWorkSetMac===FC:cd:dc:ca:19:bb
sscanf return 6
@@@@ APSSID APCAM_FFFFFFCA19FFFFFFBB @@@@
alarm433 alarmcam.ini
===audio Codec Init===0
< Audio In Init Start >
Samplerate:16000 Bitwidth:16 Soundmode:1 FrmNum:20 NumPerFrm:320 ChnCnt:1
Audio In GetChnParam usrFrmDepth : 20
< Audio In Init End   >
Audio In SetInPutVolume vol:11
===AudioInInit OK===
< Audio Out Init Start >
Samplerate:16000 Bitwidth:16 Soundmode:1 FrmNum:20 NumPerFrm:320 ChnCnt:1
< Audio Out Init End  >
===AudioOutInit OK===
AudioPlayProc:156
1AlarmTimerParamRead 4 ff-ff-ff-ff
SD/TF Card not insert!
===H264ParamInit===
H264ParamInit bright 128 hue 128 saturation 128 contrast 128 videomode 0 videoenv 0 bitrate 1024 framerate 15 ratemode 1 bitratesub 15 frameratesub 512 ratemodesub 1 bitratesubsub 10 frameratesubsub 128 ratemodesubsub 0
===H264StreamInit===
ifconfig: SIOCSIFADDR: No such device
route: SIOCDELRT: No such process
===cmd:route add default gw 192.168.1.1 wlan0===
NetWorkSetInterface 0
killall: udhcpc: no process killed
g_sensor_type = 18 
===InitVideoEncoder===
Encoder_Read_Video_Resolution : 0
#################################Sensor = jxh62 ####################################
=================main profile 1280x720p=====================
i264e[info]: profile Constrained Baseline, level 3.1
i264e[info]: profile Constrained Baseline, level 3.0
===InitVideoEncoder end===0
File size = 261702
Read size = 261702
===H264 osd init===0
===H264 osd1 init===0
H264EncoderThread
===ShowVideoOsd_Time===
===ShowVideoOsd===
name:WIFICAM
channelname------------------:WIFICAM==len=7
===ShowbitrateOsd===
===StartOsdProcess===
===H264SoftWdtThread====
===H264SetParam===
===H264SetParam end===
[chn1] scaler->outwidth = 640 scaler->outheight = 360, sscaler.outwidth = 640 sscaler.outheight = 368
===H264IspStart===
IMP_ISP_EnableTuning 0
===H264DeNoise ===
===H264IspStart===
===H264DeNoise===
param.sense[0] = 3 
move->param.sense[0]=3
===IvsInit===0
===IvsThread===
VideoSetFrameRate fpsNum = 15 fpsDen = 1 
StreamLiveProc 0
StreamLiveProc 1
StreamLiveProc 2
StreamLiveProc 3
StreamRecordProc 3
StreamRecordProc 0
StreamRecordProc 1
StreamRecordProc 2
H264SetBitRate channel 0 ratemode 1 bybitrate 1024
frmRateNum = 25 
H264SetBitRate channel 2 ratemode 1 bybitrate 512
frmRateNum = 25 
1AlarmTimerParamRead 0 ff-ff-ff-ff
alarm time param is NULL !
StreamVideoProc 0
StreamVideoProc 1
StreamVideoProc 2
StreamVideoProc 3
P2P media thread is start...
P2P cmd thread is start...
pCfg->filename=
p2pdeviceid:MSC-005484-WGXZE
========version:2000001===========
HDXQ iRet 5
KJB iRet 2
DGM iRet 9
ADH iRet 12
GXD iRet 6
WCAM iRet -10
APLK iRet 12
HSL iRet 5
SSG iRet -6
XXM iRet -11
HSMART iRet 5
SMART iRet -6
SAKJ iRet -6
NAMI iRet -1
NAMI iRet -1
SCAN iRet -6
DRIP iRet 9
DAGRO iRet 9
XLT iRet -11
HS iRet 5
XWL iRet -11
MSC iRet 0
===logcnt=72===
P2pCheckThread
===curtime=1481006280===
Read DateTime:20161206 063800write date ok
===IpcSocketInit=6667===
===IpcSocketInit end=31===
IPCEncoderRecvProc 1
Starting Stream Video Process 0
Starting Stream Video Process 1
Starting Stream Video Process 2
Starting Stream Video Process 3
initialize iRet 0
======PPPP_LoginStatus_Check======
======PPPP_LoginStatus_Check end=0=====
sendto: Network is unreachable
No IGD UPnP Device found on the network !
user0: pwd0:
user1: pwd1:
user2:admin pwd2:
webport 81
web0===81===
web1===81===
======web init============81
motomode : 1
===MotoInit===
MotoReadMotoParam MotoOnStart 0 MotoDisPreset 0 speed 5
GpioMotoDirCmd iRet 0 motocmd:1 speed = 0 
GpioMotoDirCmd iRet 0 motocmd:5 speed = 0 
FactoryGetMotoLevelTimes 3675 value:3675
===MotoLevelMaxTimes===3675
FactoryGetMotoLevelTimesMid 1850 value:1850
===MotoLeftRightCenterTimes===1850
FactoryGetMotoVertTimes 1800 value:1800
===MotoVertMaxTimes===1800
===wifi usb error check status===FactoryGetMotoLevelTimesMid 900 value:900
===MotoUpDownCenterTimes===900
MotoLevelMaxTimes 3675 MotoLeftRightCenterTimes 1850 MotoVertMaxTimes 1800 MotoUpDownCenterTimes 900
nomal flip 0
nomal mirr 0
recognize start !!!
wifi start !!!
KernelMd5 =  
welcome : 1
szFileName = /tmp/start-ok.wav 
GpioAduioOut 1 
------------------recognize start
------------------recognize invalid data, errorCode:100, error:not enough signal
check lasttimes is ok
=====check lastime iRet=0====
GpioMotoDirCmd iRet 0 motocmd:19 speed = 5 
===XGParamRead===
===wificam is end===
XgPushProc start ****************************************************
MyDomain start ****************************************************
------------------recognize start
------------------recognize invalid data, errorCode:100, error:not enough signal
ircut is switch on
szFileName = /tmp/config-waite.wav 
**************** SmartconnectStart ********************
GpioAduioOut 0 
GpioAduioOut 1 
iRet 0
bFlagInternet 0
bFlagHostResolved 0
bFlagServerHello 0
NAT_Type 0
PPPP_Share_Bandwidth(1) iRet 0
P2pListenThread
start P2pListenThread=MSC-005484-WGXZE license=SPYURW
PPPP_Listen() lock getting...
PPPP_Listen() ...bInternetFlag = 1
===MotoStatus=1===
GpioAduioOut 0 

[Check (Kernel && TF update) 1 time !]
dhcp isn't open...,ipaddr:192.168.1.249 netmask:255.255.255.0 gateway:192.168.1.1 dns1:8.8.8.8 dns2:192.168.1.1

route: SIOCDELRT: No such process
------------------recognize start
------------------recognize invalid data, errorCode:100, error:not enough signal
------------------recognize start
===cmd:route add default gw 192.168.1.1 wlan0===
too many time range can not match signal
------------------recognize invalid data, errorCode:100, error:not enough signal
------------------recognize start
------------------recognize invalid data, errorCode:100, error:not enough signal
dns1:8.8.8.8 dns2:192.168.1.1
===dhcp is start and note encoder network===
NetWorkParamSync in 0
IPCEncoderDec cmd 4
wifi enable = 0 PowerOn = 0 
NetWorkParamSave ipaddr:192.168.1.249
route: SIOCADDRT: File exists
===IPCEncoderSetNetworkParam===

apk-link login: 

Hitting the enter key brings up the login prompt. At the moment the login credentials are not known.
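An added example, not part of the original post: this Python script pulls the facts a reviewer would record from a serial boot capture like the one above (bootloader and kernel versions, kernel location in SPI flash, announced service ports, account names echoed to the console). The function and key names are assumptions made for the example; the sample lines are copied from the log.

```python
import re

# Lines copied from the boot log above; a real capture would be the whole picocom session.
SAMPLE_LOG = """\
U-Boot SPL 2013.07 (Sep 22 2016 - 21:41:56)
U-Boot 2013.07 (Sep 22 2016 - 21:41:56)
Hit any key to stop autoboot:  0
SF: 2621440 bytes @ 0x40000 Read: OK
[    0.000000] Linux version 3.10.14 (root@hsx-desktop) (gcc version 4.7.2 (Ingenic 2015.02) ) #5 PREEMPT Thu Sep 22 09:11:41 CST 2016
RTSP Port 10554
ONVIF Port 10080
user0: pwd:
user2:admin pwd:
webport 81
apk-link login:
"""

SINGLE = {  # patterns that yield one value per capture
    "uboot": r"^U-Boot (\d{4}\.\d{2}) ",          # skips the "U-Boot SPL" line
    "autoboot_delay": r"Hit any key to stop autoboot:\s+(\d+)",
    "kernel": r"Linux version (\S+)",
    "hostname": r"^(\S+) login:",
}


def triage(log):
    """Extract the facts a reviewer records from a serial boot capture."""
    facts = {}
    for name, pattern in SINGLE.items():
        m = re.search(pattern, log, re.M)
        facts[name] = m.group(1) if m else None
    # Service ports the firmware announces while starting up.
    facts["ports"] = {k: int(v) for k, v in
                      re.findall(r"^(RTSP Port|ONVIF Port|webport)\s+(\d+)", log, re.M)}
    # Where U-Boot reads the kernel image from SPI flash: (offset, length).
    m = re.search(r"^SF: (\d+) bytes @ (0x[0-9a-fA-F]+) Read", log, re.M)
    facts["kernel_flash"] = (int(m.group(2), 16), int(m.group(1))) if m else None
    # Account names echoed to the console, and whether a password was printed too.
    facts["accounts"] = [(u, bool(p.strip())) for u, p in
                         re.findall(r"^user\d+:(\S*) pwd\d*:(.*)$", log, re.M) if u]
    return facts


def console_exposure(facts):
    """Name what the unauthenticated UART reveals, for a hardening review."""
    checks = {"bootloader prompt": facts["autoboot_delay"] is not None,
              "login prompt": bool(facts["hostname"]),
              "account names": bool(facts["accounts"]),
              "service ports": bool(facts["ports"])}
    return [name for name, seen in checks.items() if seen]
```
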

7 comments on “Hacking IP-Camera Digoo BB-M2 – Part 2 – Analyzing the boot process”
  1. Matthias says:

    I also just received the camera yesterday and found your blog while looking for firmware updates.

    I’m gonna follow your attempts to get inside the camera 🙂
    A password to get into the telnet console would be really nice.

    Thanks so far!

  2. YGator says:

    /etc/passwd
    root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

  3. Squix78 says:

    Is there a shadow file? Then it should be easy to decrypt the password according to this link: http://www.dankalia.com/tutor/01005/0100501005.htm

  4. Matthias Niedermaier says:

    This is the password we want to crack: $1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0

    The first number indicates the algorithm:
    $1 = MD5 hashing algorithm.
    $2 = Blowfish Algorithm is in use.
    $2a = eksblowfish Algorithm
    $5 = SHA-256 Algorithm
    $6 = SHA-512 Algorithm

    The second one “ybdHbPDn” is the salt of the hash.
    The last one “ii9aEIFNiolBbM9QxW9mr0” is the hash.
    With this information it is theoretically possible to brute force the password, but if the password is strong enough it is not feasible.

  5. tobias says:

    Not sure if it helps you but I found the following tutorial to access telnet on the cam (translated from German):
    1. open ftp settings
    2. enter the following as ftp-server: $(killall telnetd)
    3. in the field user enter: $(telnetd -l /bin/sh)
    4. now click on set up, then on test. this starts a script that will run as root
    5. now you can access telnet without password

  6. YGator says:

    @tobias, thanks for that. Can you give the url where you found the info? I’d like to see if they are doing anything else with the camera.

  7. tobias says:

    The info can be found in the comments section.
    You probably can skip the first 14 pages as they are only about shipment delays.
    https://www.mydealz.de/deals/wlan-720p-kamera-mit-ios-android-fernsteuerung-vorbestellung-bei-banggood-babyphone-nachtsicht-sicherheitskamera-video-anruf-bei-gast-853668?page=14
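The password field quoted in the comments above, taken apart as an added example (not code from the post or its commenters): a Python audit of an /etc/passwd file taken from a firmware image, which splits each crypt(3) field into scheme, salt and digest and reports entries a vendor should fix. The scheme table uses the standard crypt(3) identifiers; function names and the second sample line are constructed for the example.

```python
# Standard crypt(3) identifiers; "descrypt" covers the legacy 13-character form.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"md5crypt", "descrypt"}

# First line is the entry quoted in the comments; the second is constructed.
SAMPLE_PASSWD = """\
root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
nobody:x:99:99::/:/bin/false
"""


def parse_crypt(field):
    """Split a password field into (scheme, salt, digest), or None if unparseable."""
    if field.startswith("$"):
        parts = field.split("$")              # ['', id, salt, digest]
        if len(parts) < 4:
            return None
        scheme = SCHEMES.get(parts[1], "unknown")
        if scheme == "bcrypt":                # $2b$cost$<22-char salt><digest>
            return scheme, parts[3][:22], parts[3][22:]
        if parts[2].startswith("rounds=") and len(parts) == 5:
            return scheme, parts[3], parts[4]  # optional rounds=N in $5$/$6$
        return scheme, parts[2], parts[3]
    if len(field) == 13:
        return "descrypt", field[:2], field[2:]
    return None


def audit_passwd(text):
    """Return (user, issue) pairs for an /etc/passwd taken from a firmware image."""
    issues = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or f[1] in ("x", "*", "!", "!!"):
            continue                          # malformed, shadowed or locked
        user, pw, uid, shell = f[0], f[1], f[2], f[6]
        parsed = parse_crypt(pw)
        if pw == "":
            issues.append((user, "empty password"))
        elif parsed is None:
            issues.append((user, "unrecognised password field"))
        else:
            issues.append((user, "hash stored in passwd, not shadow"))
            if parsed[0] in WEAK:
                issues.append((user, "weak scheme: " + parsed[0]))
        if uid == "0" and shell.endswith("sh"):
            issues.append((user, "uid 0 with a login shell"))
    return issues
```
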
