cam-mitm/TODO.md

# Camera MITM — Remaining Work

## Done in this session
- [x] Migrated tooling to new network (192.168.1.x)
- [x] Built PyQt6 GUI dashboard wrapping the same Controller
- [x] Added per-service start/stop (clickable Service buttons)
- [x] Added log rotation at 1 GiB
- [x] Added intruder detection service (ARP spoof / unknown LAN peer / unexpected outbound)
- [x] Added protocol fingerprint module (TLS/HTTP/IOTC/etc) and wired into sniffer + http_server
- [x] Fixed http_server to peek-before-wrap so non-TLS traffic on :443 is captured raw
- [x] Regen'd MITM cert with full SAN list for ubianet/aliyuncs/myqcloud
- [x] Added 146 endpoints to fuzzer KNOWN_ENDPOINTS (harvested from decompiled APK)
- [x] Editable dropdown in Cloud tab Raw POST for known endpoints
- [x] Built `firmware_fetch.py` with multi-version check_version/v3 attempts
- [x] Built `ota_bucket_probe.py` to enumerate Tencent COS firmware buckets
- [x] Built `cve_checks.py` with original verifiers for CVE-2025-12636, CVE-2021-28372, CVE-2023-6322/3/4
- [x] Built CVE tab in GUI with per-CVE Verify buttons + Generate Report
- [x] Built Help tab in GUI documenting every tab and command
- [x] Discovered V11-V18 (8 new findings) and documented in `~/dumps/findings.md`
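
The three checks the intruder-detection service is described as doing (ARP spoof, unknown LAN peer, unexpected outbound), as an added, self-contained sketch of the detection logic; this is not the cam-mitm project's own service code. The event format, the MAC allowlist, the egress allowlist and the sample events are all constructed assumptions; only the 192.168.1.x LAN comes from this file.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed LAN (the TODO mentions the tooling moved to a 192.168.1.x network).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed allowlists: MACs expected on the LAN and the only ranges the
# camera is expected to reach outbound (documentation addresses, not real cloud IPs).
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50"}
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed event stream: ("arp", ip, mac) for an observed ARP reply,
# ("flow", src, dst) for a new outbound connection from a LAN host.
SAMPLE_EVENTS = [
    ("arp", "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway, known
    ("arp", "192.168.1.50", "aa:bb:cc:00:00:50"),   # camera, known
    ("flow", "192.168.1.50", "203.0.113.10"),       # allowed cloud range
    ("arp", "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway now claimed by another MAC
    ("arp", "192.168.1.77", "de:ad:be:ef:00:77"),   # peer not on the allowlist
    ("flow", "192.168.1.50", "198.51.100.5"),       # destination outside allowed egress
    ("flow", "192.168.1.50", "192.168.1.1"),        # LAN-internal, fine
]


@dataclass
class IntruderDetector:
    known_macs: set
    allowed_egress: list
    arp_table: dict = field(default_factory=dict)    # ip -> last MAC seen claiming it
    flagged_macs: set = field(default_factory=set)   # unknown MACs already reported once
    alerts: list = field(default_factory=list)       # (kind, subject, detail) tuples

    def on_arp(self, ip: str, mac: str) -> None:
        """An IP whose MAC binding changes is the classic ARP-spoof symptom;
        a MAC outside the allowlist is an unknown LAN peer (reported once)."""
        mac = mac.lower()
        prev = self.arp_table.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(("arp_spoof", ip, f"{prev} -> {mac}"))
        self.arp_table[ip] = mac
        if mac not in self.known_macs and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            self.alerts.append(("unknown_peer", ip, mac))

    def on_flow(self, src: str, dst: str) -> None:
        """Outbound connections are fine inside the LAN or to allowed ranges; anything else is flagged."""
        d = ipaddress.ip_address(dst)
        if d in LAN:
            return
        if not any(d in net for net in self.allowed_egress):
            self.alerts.append(("unexpected_outbound", src, dst))

    def feed(self, event: tuple) -> None:
        kind, a, b = event
        if kind == "arp":
            self.on_arp(a, b)
        elif kind == "flow":
            self.on_flow(a, b)
        else:
            raise ValueError(f"unknown event kind: {kind}")


def run_detector(events=SAMPLE_EVENTS, known_macs=KNOWN_MACS, allowed_egress=ALLOWED_EGRESS) -> list:
    """Run the detector over an event stream and return the alerts it raised, in order."""
    det = IntruderDetector(set(known_macs), list(allowed_egress))
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(*alert)
```

On the constructed stream this raises four alerts: the gateway's binding change, the MAC that took it over (reported as an unknown peer), the second unknown peer, and the connection to 198.51.100.5. A real service would learn the baseline ARP table and egress set from a quiet period rather than from hard-coded lists, and would rate-limit the unknown-peer alert per MAC as done here.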

## Phase 1: TUTK Library (still blocked on firmware)
- [ ] Need device-side firmware to extract `libIOTCAPIs.so` (the app version is symbol-stripped + has no static auth key)
- [ ] Alternative: Frida-hook the running UBox app to dump `p4p_crypto_init` arguments at runtime
- [ ] Once we have a TUTK lib, write Python ctypes wrapper for IOTC connect/send/recv
- [ ] Connect to camera with admin/yyc1G::HPEv7om3O OR admin/iotCam31
- [ ] Send DEVINFO_REQ (cmd 816), FILE_LIST_REQ (cmd 4864), CAPTURE_PICTURE_REQ (cmd 8482)

## Phase 2: Firmware Acquisition
- [ ] **Run `Probe OTA Bucket` button** on Cloud tab — try to find a public-read FW object
- [ ] **MITM the camera's boot-time check** — start MITM, power-cycle camera, capture the real check_version request and response
- [ ] If MITM works: inject fake check_version response with our URL and observe how the camera downloads (V7)
- [ ] Pull the **second** Javiscam app `com.macrovideo.javiscam` and diff against `cn.ubia.ubox` for different OTA URLs / keys
- [ ] FCC ID 2AYAGJXJ-DQ6B-SW1 — pull Internal Photos PDF to identify SoC for hardware-side dump option

## Phase 3: API Enumeration
- [ ] Run full Fuzz Endpoints job (146 known + ~600 wordlist) and document any new endpoints
- [ ] Try IDOR via kuid swap on `user/account/get_current_user`
- [ ] Try IDOR via uuid swap on `user/families`, `user/qry/notification/get`
- [ ] Enumerate OAM endpoints using leaked HMAC secret `2894df25f8f740dff5266bc155c662ca`
- [ ] Test the leaked Google/AMap API keys for damage assessment (V11)

## Phase 4: Paper + Disclosure
- [ ] Generate CVE report from CVE tab and attach to SECURITY_PAPER.md
- [ ] Add V11-V18 to SECURITY_PAPER.md
- [ ] Add OAM endpoint findings (Phase 3) to paper
- [ ] Final review and formatting
- [ ] Decide on coordinated disclosure to UBIA (CISA already attempted for CVE-2025-12636; UBIA did not respond)