
Chinese Jovision cameras and their OEM clones. Security hoax

It so happened that one of my projects needed a controlled spatial positioning system for a target designator. Servo drives from various manufacturers turned out to be quite expensive, so it was decided to buy a controllable camera and use its built-in servos for positioning. I had never dealt with PTZ cameras before, so the J2000IP-CmPTZ-111v2.0 camera, allegedly from the Russian manufacturer 3C-Group, was bought for testing.


Attention! This publication is not a review of the camera; rather, it describes an analysis of the camera control mechanisms offered by the equipment manufacturer and an assessment of how safe they are to use.


So, the camera is the J2000IP-CmPTZ-111v2.0, also known as the Jovision JVS-H411. Nothing outstanding, a home-segment camera, like most cameras built on the HiSilicon 3518E chip.


Since the chip is quite common and an SDK exists for it, manufacturers take the assembled core and "wind up" their own specific services on top of it. Firmware builds for these devices usually differ only in the driver for the wifi module. The wifi module can be determined from the name of the firmware downloaded from http://www.jovecloud.com/ipc/3518es/ :


jvs3518es-7601.bin - Ralink RT7601
jvs3518es-8188.bin - Realtek RTL8188
jvs3518es-9271.bin - Atheros AR9271


The firmware in my device is jvs3518es-7601.bin, and it is valid for the following list of Jovision devices:


H411 J2000IP-CmPTZ-111-V2.0 H411V1_1 H411S-H1 H411V2 HC420S-H2 HC520D-H1 HC420-H2 H411-H1 H411KEDA AT-15H2 SW-H411V3 HZD-600DM AJL-H40610-S1 AJL-H40610-S2 JD-H40810 

So, the model is settled. No, this is not a Russian development, as the company "3C-Group" positions it, but simply an OEM clone of a camera by a large Chinese manufacturer.


But if this is a clone and the firmware is Chinese, then the services in it are protected by Chinese ones too. In principle, that is how it is. The camera expects to be registered with the Jovision cloud over a P2P-type connection, which lets you see the image on your phone and control the camera remotely. Like any sysadmin who does not trust third-party security services, especially Chinese ones, and especially for video, the first thing I would recommend is to set the camera itself as its own default gateway (so it cannot reach the cloud) and use other control methods.


For remote camera control, the manufacturer provides an OCX component for IE (for control from the local network) and an Android application (for control via the Internet). Since the camera was planned to be used from Unix systems, the IE and Android options were dropped as unsuitable for the conditions of use.


No more accessible API was found on the net, so I began reversing what was available. The OCX component, as it turned out, uses two control options:


  1. control through the closed ipc protocol.
  2. control through the built-in thttpd server.

The first option was excluded at first (I returned to it later out of interest), because reversing a proprietary protocol could take a long time, so I began digging into the second option. It turned out that all requests to the camera go to a single URL


 http://<camip>/cgi-bin/jvsweb.cgi 

Naturally, as it should be in any security device, access to the device should be closed with a username and password, something like this.


 http://<camip>/cgi-bin/jvsweb.cgi?username=admin&password=password 

and only after that should the control command follow. But once I got inside the firmware, I was very surprised by the contents of the jvsweb.cgi file.


 #!/bin/sh
 # proccgi turns the query string into FORM_* shell variables
 eval `./proccgi`
 echo Content-type: application/json
 #echo
 #echo $FORM_cmd
 #echo $FORM_action
 #echo $FORM_param
 #echo $FORM_username
 #echo $FORM_password
 #echo
 # username and password are passed on to wagent but never checked
 ./wagent $FORM_cmd $FORM_action "$FORM_param" $FORM_username $FORM_password

A small program, proccgi, parses the web request received by the server and converts it into variables, which are then "fed" to the wagent program, which passes this data on to the control program.


As the study showed, the username and password fields affect nothing AT ALL. Only the first three parameters matter.


The main thing I want to convey to all readers from this: THE CAMERA IS INSECURE! and it can be controlled by anyone on the same network. Let's continue the research. Connecting to the camera via telnet (the default address is 192.8.8.8) uses a fixed login and password, root / jvbzd, which cannot be changed by the usual methods!!!!


Again, anyone can connect. It is for this reason that I first cut off the camera's access to the cloud. If basic security policies are compromised from the start, then there is no point in trusting anything higher up.


Let's try to climb even deeper. The camera's boot process consists of booting the kernel, reading the basic system settings, launching the port-interceptor checker and starting the control program itself. If the first two points are clear, the third one raises a question.
The port interceptor, based on a list of hard-reserved ports for services, checks whether they are occupied and reserves them for itself. The control program is a statically compiled binary weighing 5 megabytes, in which all of the camera control logic is sewn up.


The camera core has a built-in watchdog, and if the control program does not send an alive signal at the right time, the camera restarts automatically.


To start the camera in debug mode, you need to do 3 steps:


  1. Reboot the camera and, within 5 seconds after the reboot starts, log into the camera via telnet
  2. Run ps w and kill the "startup" processes startup.sh and /tmp/sctrl. startup.sh must be "shot first", because the line following the launch of /tmp/sctrl is the reboot command
  3. Run /tmp/sctrl with the keys:
    • cmd=0/1 - enable the command control system interface
    • debug=0/1 - enable extended debug

All of these actions must be performed within 10-15 seconds, before the watchdog fires. After the control program starts, you will see its working log as well as a log of incoming command processing.
The control program is divided into several parts:


  1. ipc control module
  2. http control module
  3. cloud connection module
  4. network device detection module
  5. onvif interface control module

The ipc control module runs continuously and waits for commands on port 9101.
The http control module is implemented on the free thttpd server; it runs constantly and waits for commands on port 80.
The cloud connection module checks the connection every 10 seconds.
The network device detection module tries to find a recorder.
The onvif interface control module works in conjunction with thttpd and provides very crooked and poor management support.


Yes! I forgot to write. The camera provides encryption of traffic between the client and the camera, but!!! The encryption key is the same for all firmware and lies in the file /tmp/encrypt!!!


Let's set aside the sad questions and return to controlling the camera. All data received via the web interface is passed transparently to the control module. The control module consists of a dozen subroutines, each responsible for processing a particular command. Unfortunately, the developers apparently decided that the control program's code would never interest anyone and put the routines for managing camera state in one basket with the routines for managing memory, procedure calls and the state of the control system itself.


The list of control routines can be obtained through the request


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=webhelp 

Here is the list of all camera control units.


 cmd          list and help information
 mptz         mptz zoom [X] [Y] [ZOOM]
 timer        display all timer list
 stream       for stream test
 account      account operation cmd
 webalarm     alarm operation command
 webmdetect   motion detect operation command
 webprivacy   privacy operation command
 webrecord    record operation command
 webstorage   storage operation command
 webstream    stream operation command
 webifconfig  ifconfig operation command
 webwifi      wifi operation command
 webosd       osd operation command
 websnapshot  Have a snapshot of the channel
 webhelp      Display help info
 webipcinfo   ipcinfo operation command
 webdevinfo   webdevinfo operation command
 webimage     image operation command
 yst          yst operation command
 system       websystem operation command
 multimedia   multimedia operation command
 ptz          ptz operation command
 webaudio     webaudio operation command
 redirect     redirect stdout stderror
 webled       led control command
 webad        audio detect
 wdtoff       Manual close watchdog

My main task was to ensure precise positioning of the camera, but unfortunately, due to the product's software implementation, this turned out to be impossible. Why?


The PTZ kinematics control interface works via RS485 and has no external sensors or counters for determining the current camera position. The interface that transmits commands to the PTZ passes to the kernel module the step by which the motor must be turned in the required direction. To determine its working sector, during initial initialization the camera rotates to the zero position on both axes and then starts rotating in the direction of increasing coordinates. Having found the end of the rotation sector on the horizontal axis, the camera divides the resulting sector by 65536. The same happens with the vertical axis. Thus an internal coordinate grid is obtained, on the basis of which the camera is positioned. When we send rotation commands to the camera through the control interface, only an internal counter inaccessible to the user is incremented and saved inside the camera. When we save a Preset, the control program saves the coordinates at which the camera is currently located and later uses them for positioning. Precise point positioning is not available to the user.


But it is not time to give up :) Let's keep digging into the camera's capabilities. The cJSON library is responsible for parsing the input data of the control interface, so the param variable must contain a valid JSON structure.


The query string always looks like this:


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=<cmd>&action=<action>&param={"key1":"value1","key2":"value2"} 

For this request, the camera usually returns one of several lines depending on the result.


 {"status":"ok","data":""}
 {"status":"param error","data":""}
 param error

I will describe all the control commands I have found and their fields / parameters. The data given in curly brackets is what must be placed in the param field of the request. Most commands support action=list for displaying the current settings. Let's start with the account command.



System web interface user management


  list      # List all accounts with passwords
  add:      # add account
            {"acID": "aborche","acPW": "123","acDescript":"test","Power":17}
  check:    # check password
            {"acID":"aborche","acPW":"123"}
  modify:   # modify account
            {"acID":"aborche","acOldPW":"123","acNewPW":"1234"}
  del:      # delete account
            {"acID":"aborche1"}
  count     # count accounts

Thus, the request for the list of accounts will look like this.


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=account&action=list 

and adding a user


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=account&action=add&param={"acID": "aborche","acPW": "123","acDescript":"test","Power":17} 


Motion Detection Alerts


  list      # List all alarms
  set:      # Set alarm
            {"delay":10,"sender":"ipcmail@163.com","server":"smtp.163.com","username":"ipcmail","passwd":"ipcam71a",
             "receiver0":"lfx@jovision.com","receiver1":"(null)","receiver2":"(null)","receiver3":"(null)"}

Let's stop for a minute on these two commands. All data received from the camera is returned in the clear, and access happens without a login and password! So if you do not want to lose access to your mailbox (as an example), be careful and get a second mailbox.
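As an added example (mine, not code from the article or from Jovision), here is how a defender can pick these unauthenticated requests out of a web-server access log. It rebuilds the argv that wagent receives the same way the CGI wrapper does, since $FORM_cmd and $FORM_action are expanded unquoted; the common log format and the sample lines are assumptions, and the list of sensitive commands is taken from what the article shows.

```python
# Added example (mine, not code from the article or from Jovision): flag
# sensitive jvsweb.cgi requests in a web-server access log. Assumes the common
# log format; the sample lines are constructed. argv is rebuilt the way the
# CGI wrapper builds it: $FORM_cmd and $FORM_action are expanded unquoted.
import re
from urllib.parse import unquote_plus

# (handler, action) pairs the article shows leaking secrets or changing state;
# None as the action matches the handler regardless of its arguments.
SENSITIVE = {
    ("account", "list"): "dumps all accounts with passwords",
    ("webalarm", "list"): "dumps SMTP credentials",
    ("webifconfig", "set"): "rewrites the network configuration",
    ("webwifi", "connect"): "joins a nearby wifi network",
    ("webipcinfo", "system"): "reboots or resets the device",
    ("wdtoff", None): "disables the watchdog",
}
CGI_PATH = "/cgi-bin/jvsweb.cgi"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def wagent_argv(query):
    """Rebuild the argv wagent receives from a jvsweb.cgi query string."""
    fields = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        fields[key] = unquote_plus(value)
    # Unquoted expansion word-splits, so a channel id may sit in either field.
    return fields.get("cmd", "").split() + fields.get("action", "").split()

def classify(argv):
    """Return why this argv is sensitive, or None if it is not."""
    handler, rest = (argv[0], argv[1:]) if argv else ("", [])
    if (handler, None) in SENSITIVE:
        return SENSITIVE[(handler, None)]
    for word in rest:  # channel ids may precede the action, so scan all words
        if (handler, word) in SENSITIVE:
            return SENSITIVE[(handler, word)]
    return None

def scan_log(text):
    """Return one finding per sensitive jvsweb.cgi request in the log text."""
    findings = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        path, _, query = m.group("path").partition("?")
        argv = wagent_argv(query) if path == CGI_PATH else []
        why = classify(argv)
        if why:
            findings.append({"src": m.group("ip"), "argv": argv, "why": why})
    return findings

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2016:14:31:43 +0300] "GET /cgi-bin/jvsweb.cgi?cmd=account&action=list HTTP/1.1" 200 211
10.0.0.5 - - [22/Oct/2016:14:31:50 +0300] "GET /cgi-bin/jvsweb.cgi?cmd=webmdetect%201&action=list HTTP/1.1" 200 412
10.0.0.9 - - [22/Oct/2016:14:32:01 +0300] "GET /cgi-bin/jvsweb.cgi?cmd=webalarm&action=list&username=admin&password=x HTTP/1.1" 200 300
10.0.0.9 - - [22/Oct/2016:14:32:07 +0300] "GET /cgi-bin/jvsweb.cgi?cmd=webipcinfo&action=system%20reboot HTTP/1.1" 200 25
10.0.0.5 - - [22/Oct/2016:14:32:10 +0300] "GET /live0.264 HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], " ".join(f["argv"]), "->", f["why"])
```

Because the wrapper never checks the username/password fields, a request carrying them (the third sample line) is flagged exactly like one without them.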



Motion detection


  <ch> list  # List motion detects
             # cmd=webmdetect&action=1 list
             # cmd=webmdetect 1&action=list
  <ch> set:
             {"bEnable":0,"nSensitivity":50,"nThreshold":15,"nRectNum":0,
              "stRect":[{"x":0,"y":0,"w":0,"h":0}, {"x":0,"y":0,"w":0,"h":0},
                        {"x":0,"y":0,"w":0,"h":0}, {"x":0,"y":0,"w":0,"h":0}],
              "nDelay":10,"nStart":0,"bOutClient":0,"bOutEMail":0}

Please note that, because of the crooked parsing of input parameters, you can freely pass commands of any length with any parameters. Since the camera has several channels (video streams), some commands may take a channel number.



Defining a private zone in the image that should not be broadcast


  <ch> list     # List privacy zones
                # cmd=webprivacy&action=1 list
                # cmd=webprivacy 1&action=list
  <ch> set:     # Set privacy zone
                {"bEnable":0,"stRect":[{"x":0,"y":0,"w":0,"h":0}, {"x":0,"y":0,"w":0,"h":0},
                                       {"x":0,"y":0,"w":0,"h":0}, {"x":0,"y":0,"w":0,"h":0}]}


Recording settings


  # cmd=webrecord&action=1 list
  # cmd=webrecord 1&action=list
  <ch> list     # List settings
  <ch> set:
                {"bEnable":1,"file_length":600,"timing_enable":0,"discon_enable":0,
                 "alarm_enable":0,"timing_start":0,"timing_stop":0,"disconnected":0,
                 "detecting":0,"alarming":0,"alarm_pre_record":6,"alarm_duration":10}


External memory card contents


  list          # List settings
  format        # Format storage


Streaming settings


  # cmd=webstream&action=1%20list
  # cmd=webstream 1&action=list
  # cmd=webstream -c<chid> <streamid>&action=ability
  # cmd=webstream -c1 1&action=ability
  <ch> list        # List streams
  <ch> set:        # Set stream settings
                   {"bEnable":1, "bAudioEn":1, "viWidth":1280, "viHeight":720, "width":1280, "height":720,
                    "framerate":20, "bitrate":1024, "ngop_s":4, "rcMode":1, "encLevel":1, "quality":40,
                    "minQP":24, "maxQP":46}
  <ch> resolution  # Get stream possible resolution
  <ch> ability     # Get stream settings
  requestidr       # ?????


Network interface settings


  list          # Get interfaces configuration
  set:          # Set interfaces configuration
                {"inet":"dhcp",
                 "eth": {"name":"eth0","bDHCP":1,"addr":"","mask":"","gateway":"0.0.0.0",
                         "mac":"02:00:01:01:01:12","dns":"8.8.8.8"},
                 "pppoe": {"name":"ppp0","username":"x","passwd":"1"},
                 "wifiap": {"name":"","passwd":"","quality":0,"keystat":0,"iestat":""} }
  scan          # ReScan wifi networks


Wifi connection management


  list          # List wifi networks
  connect:      # Connect to network
                {"name":"ZyXEL53", "passwd":"", "quality":2, "keystat":1, "iestat":"\u0004\u0002"}
  changemode:   ????

Please note that, using the webwifi and webifconfig commands, one can freely scan nearby WIFI networks and connect to them. Thus, a camera under someone's control can quietly spy on its surroundings.



Managing the camera ID overlay on the video


  <ch> list     # Get channel info
  <ch> set:
                {"bShowOSD":1, "timeFormat":"MM/DD/YYYY hh:mm:ss", "position":1, "timePos":2,
                 "channelName":"HD IPC", "osdbInvColEn":1,"bLargeOSD":1}


Device Information


  list          # Get device info
  set:
                { "type": "J2000IP-CmPTZ-111-V2.0", "product": "JVS-HI3518ES-7601", "version": "V2.2.4402",
                  "acDevName": "HD IPC", "nickName": "", "sn": 36430, "ystID": xxxxxxxxxx, "nDeviceInfo": [],
                  "nLanguage": 1, "date": "2016-10-22 14:31:43", "bSntp": 1, "sntpInterval": 24,
                  "ntpServer": "192.168.205.1", "enableStreamWatchDog": 1, "tz": 3, "bDST": 0, "bIPSelfAdapt": 1,
                  "rebootDay": 0, "rebootHour": 1, "bRestriction": 1,
                  "portUsed": "8099,554,23,8127,51994,55434,6666,8732,58434,3702,9100,9104,9106,57241,4001,6072,8899,1998,17",
                  "osdText": ["", "", "", "", "", ""], "osdX": 0, "osdY": 0, "osdSize": 32, "lcmsServer": ""}
  settime <datetime>
  system <reboot/reset/softreset>

The system action allows you to reboot or reset the device.


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=webipcinfo&action=system reboot 


Image Settings


  list
  set:
                {"contrast": 135, "brightness": 135, "saturation": 135, "sharpen": 255,
                 "exposureMax": 3, "exposureMin": 100000, "scene": 0, "daynightMode": 0,
                 "dayStart": [{ "hour": 6, "minute": 0 }], "dayEnd": [{ "hour": 18, "minute": 0 }],
                 "bEnableAWB": 1, "bEnableMI": 0, "bEnableST": 0, "bEnableNoC": 0, "bEnableWDynamic": 0,
                 "bNightOptimization": 1, "bAutoLowFrameEn": 0}


Stream Information for Remote Control


  list
  set:
                {"strGroup": "B", "nID": XXXXXXXXX, "nPort": 9101, "nStatus": 2, "bActiving": 1,
                 "nYSTPeriod": 10, "bTransmit": "\u0001", "eLANModel": 0, "bWebServer": 1,
                 "nWebPort": 80, "nPictureType": 3, "nPictureTypeOld": 1}
  get_port      # get control port
  get_video     # get video streams

Let us dwell on this command. It describes the video streaming settings for remote control via OCX or phone. It is unlikely that any of this data will be useful to you, except for two commands.


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=yst&action=get_port
 http://<camip>/cgi-bin/jvsweb.cgi?cmd=yst&action=get_video

The first will show the system management port and port settings. The second will show the current video streams available in the system. The output of the second command is usually the same:


 rtsp://<camip>/live0.264
 rtsp://<camip>/live1.264


Camera control


  # cmd=ptz
  move:      # range = step(255*x(y)), sign +/- = direction
             {"chnid":0,"x":[0.01..1],"y":[0.01..1]}
             x,y - moving speed, 0 - stop move
  move_auto: # set move speed
             {"chnid":1,"s":0.5}
  preset:    # preset control
             {"chnid":0,"type":n,"presetid":p,"name":name}
             type: 0="list" 1="Save Preset" 2="Delete Preset" 3="Apply Preset"
             param={"chnid":1,"type":1,"presetid":1,"name":"preset 1"} - Save Preset 1 with name "preset 1"
  lens:      # lens and picture control
             {"type":n,"value":v}
             type: 0="aperture" 1="focus" 2="magnify"
             value: 0.01..1
  patrol:    {"status":"ok","data":[{"id":0,"presetid": 1,"name":"1111","staytime":10},{"id":1,"presetid": 2,"name":"2222","staytime":10}]}
             type: 0="list" 1="Save Patrol" 2="Delete Patrol" 3="Start Patrol" 4="Stop Patrol"


  # cmd=mptz
  left
  right
  up
  down
  stop
  preset
  locatePreset
  aux          # param=auxnum/-auxnum turn aux on/off
  dropon
  dropoff
  sensor
  zoom         # Not working

The ptz and mptz commands were the main reason I started picking apart the firmware.


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=ptz&action=move&param={"chnid":1,"x":0,"y":-0.5}
 http://<camip>/cgi-bin/jvsweb.cgi?cmd=mptz&action=down

Both commands tell the camera to turn down. In the first case we specify the speed at which the camera will go down. The speed is calculated as 255 times the given value. Thus, at a speed of 0.01 the camera goes down at 2 points per tick. In the second case the camera goes down at 100 points per tick. I have not yet found out what a tick is worth. It needs to be measured.


The camera will go down until it reaches the zero point or until the next command is received.


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=ptz&action=move&param={"chnid":1,"x":0,"y":0}
 http://<camip>/cgi-bin/jvsweb.cgi?cmd=mptz&action=stop

preset and locatePreset are used to quickly add and recall positioning points


 http://<camip>/cgi-bin/jvsweb.cgi?cmd=mptz&action=preset 1
 http://<camip>/cgi-bin/jvsweb.cgi?cmd=mptz&action=locatePreset 1


Video encoder control


  stream CMD CHANNELID
  stream set CHANNELID TYPE VALUE
  CMD:
    start      start the stream
    stop       stop the stream
    flush      flush the stream
    restart    restart the stream
    set        set param
    debug      if be 1, print the received stream package
  TYPE:
    width      - resolution width
    height     - resolution height
    framerate  - framerate such as 30,25,20,15,10...
    nGOP       - I frame between
    bitrate    - bitrate with unit of Kbit Per Second


Image management


  imageget: {"chnid":1,"type":0}
            type: 0 contrast 1 brightness 2 saturation 3 sharpness
  imageset: {"chnid":1,"type":0}
            type: 0 contrast 1 brightness 2 saturation 3 sharpness

Before changing parameters, it is recommended to do an imageget for each setting, then make the changes and do an imageset.



Sound control


  list
  set:
                { "sampleRate": 8000, "bitWidth": 1, "encType": 0, "level": 2, "muted": 1, "micGain": 69 }


Sound detection


  list
  set:
                { "bEnable": 1, "bEnableRecord": 1, "nStart": 0, "bOutClient": 1, "bOutEMail": 1, "bOutVMS": 1,
                  "bBuzzing": 1, "ADThreshold": 80, "ADTimeInterval": 60, "ADPercentage": 30 }


LED control


  list
  set:          0 - turn off
                1 - turn on

In principle, this is almost the entire set of commands that provide interaction with the camera. There is no point in describing the remaining commands, because they only provide debug output to the console.


After reading this article, I think you got the feeling that devices designed to ensure our security should have a higher level of security of their own. This article does not encourage you to hack these manufacturers' devices; it only shows that many things may not be as they appear at first glance.


In the new firmware for the new cameras, the onvif module has been largely rewritten, but the main problems remain in the same state.


Next in line I have a TENVIS JPT3815W camera; let's see what it has. Thank you for taking the time to read the article, I hope it was useful for you.


PS: if you need information about decrypting Jovision firmware, I can post it.


© Aborche 2016



Source: https://habr.com/ru/post/318572/

