Reverse-Engineering an IP camera - Part 3

In Part 1 of this analysis I started gathering information about this camera, and in Part 2 I found a way to gain root access to its operating system. This part will document the exploration I did using this access.

CPU Information

So, the first thing I wanted to know was what processor this hardware is based on. This can be done with cat /proc/cpuinfo:

cpu info

That's some information for later Google research. Now, I'm interested in figuring out more about my recently gained superpowers on this system.

Unfortunately, this Linux distribution is very limited. It's an embedded OS, of course, so I should not expect a lot of programs installed, but there are a lot of things that I can't do. For example, there's no SSH server installed to launch, so I'll stick with the serial connection for a while.

Camera software

So, let's see which program is running the main camera tasks (connection to server, sending video stream, etc). I'll do that by checking which process controls each internet socket:

process listening

So, it seems to be a single process called ipc that listens on all these ports. I found the process file and, unfortunately, it's a binary file. I was hoping for a Python script or something whose code I could check.
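The same socket-to-process mapping can be rebuilt from /proc alone, which helps when auditing stripped-down firmware whose netstat has no process column. This is an added example, not code from the original post; the function names, port numbers, inode numbers and PID 123 are constructed, and only the process name ipc comes from the text above.

```shell
#!/bin/sh
# Assumes readlink and mktemp exist (both are common BusyBox applets). IPv4 TCP only.
# listening_sockets FILE: print "port inode" for each LISTEN (st == 0A) row of a /proc/net/tcp file
listening_sockets() {
    while read -r sl laddr raddr st txrx timer retr uid tmo inode rest; do
        [ "$st" = "0A" ] || continue          # also skips the header row
        port_hex=${laddr##*:}                 # local_address is HEXIP:HEXPORT
        echo "$((0x$port_hex)) $inode"
    done < "$1"
}

# socket_owner PROC_ROOT INODE: print "pid name" of the first process holding that socket
socket_owner() {
    for fd in "$1"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$2]" ] || continue
        pid=${fd#"$1"/}; pid=${pid%%/*}
        name=$(cat "$1/$pid/comm" 2>/dev/null) || name="?"   # comm is missing on old kernels
        echo "$pid $name"
        return 0
    done
    return 1
}

# audit_listeners PROC_ROOT: one "port pid name" line per listening port ("- -" if no owner found)
audit_listeners() {
    listening_sockets "$1/net/tcp" | while read -r port inode; do
        owner=$(socket_owner "$1" "$inode") || owner="- -"
        echo "$port $owner"
    done
}

# build_sample_proc: constructed miniature /proc tree so the logic runs offline
build_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/net" "$root/123/fd"
    cat > "$root/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:022A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   3: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
EOF
    echo ipc > "$root/123/comm"
    ln -s 'socket:[1001]' "$root/123/fd/3"
    ln -s 'socket:[1002]' "$root/123/fd/4"
    echo "$root"
}

sample=$(build_sample_proc); audit_listeners "$sample"; rm -rf "$sample"
```

On a live device, run audit_listeners /proc as root; a port reported with "- -" has no user-space owner visible to the caller.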

However, there's something I can still try. In Part 1 I found that the camera could download a firmware update via the internet, but it was encoded. Now, with full access to the camera operating system, I could find the updater script. Here is a piece of it:

update script

The marked line seems to be the code that decrypts the downloaded firmware. So I put the downloaded file on an SD card, inserted it into the camera, and ran the command:

decrypt

And it seemed to work. At least, no error messages. Now I have a binary file that I could use to manually update the camera firmware (if I had any idea on how to do that :) ). But maybe I could extract more information from this file.

Considering that this binary is probably a compressed file, I copied it to my Windows computer and tried opening it with 7zip. And this magic software actually opened the file and extracted its contents:

firmware

Unfortunately, this is exactly the same structure I already have installed on the camera. The firmware just replaces the files with newer versions (Exactly what I should've expected, but...)

So, maybe now I'll try to reverse engineer this ipc program. There aren't many development tools installed on the camera firmware to help with that, so it won't be straightforward. But, maybe, if I can understand how it works, I can replace this process with my own software, so I can stream video to any server I want.

That's a job for Part 4, available here