README: document generic core vs camera plugin file layout

Add a section explaining the relationship to setec-mitm and which files
are generic core vs camera-specific. No file moves — clone-and-run UX
preserved.

README.md

@@ -2,6 +2,40 @@
 
 A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.
 
+> **This is the camera-specific case study fork.** It bundles the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) core *plus* a fully built-out target plugin for the Javiscam 2604 / UBox / UBIA camera family — UBox cloud client, OAM HMAC forging, CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers, firmware multi-version fetcher, OTA bucket probe, and a 146-endpoint API fuzzer wordlist. It's the engine that produced the **[camhak.seteclabs.io](https://camhak.seteclabs.io)** research report. Clone, run, point at the camera. No additional setup.
+
+> If you want the bare framework without any of the camera-specific code, use [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) instead. Both share the same core; cam-mitm is what you get when you fill in the `targets/javiscam_2604/` plugin slot all the way.
+
+## File layout — generic core vs camera-specific
+
+The same code organisation that setec-mitm formalises with its `targets/` plugin system is present here, just inlined into the top-level directories. Mapping:
+
+| File / dir | Generic core or camera plugin? |
+|---|---|
+| `mitm.py`, `gui.py` | **Generic core** — Controller + PyQt6 GUI + curses TUI |
+| `services/arp_spoof.py` | **Generic core** |
+| `services/dns_spoof.py` | **Generic core** |
+| `services/http_server.py` | **Generic core** (peek-before-wrap on :443) |
+| `services/udp_listener.py` | **Generic core** |
+| `services/sniffer.py` | **Generic core** (conntrack original-dst lookup, protocol fingerprinting) |
+| `services/intruder_watch.py` | **Generic core** |
+| `inject/packet.py` | **Generic core** |
+| `utils/log.py` | **Generic core** (1 GiB rotation) |
+| `utils/proto.py` | **Generic core** (12+ protocol fingerprints) |
+| `regen_cert.sh` | **Generic core** |
+| `api/server.py` | **Generic core** (REST API on :9090) |
+| `api/ubox_client.py` | **Camera plugin** — UBox cloud client + OAM HMAC signing |
+| `api/firmware_fetch.py` | **Camera plugin** — multi-version `check_version/v3` caller |
+| `api/ota_bucket_probe.py` | **Camera plugin** — Tencent COS OTA bucket enumerator |
+| `api/cve_checks.py` | **Camera plugin** — CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers |
+| `api/fuzzer.py` | **Camera plugin** — 146 hardcoded UBox endpoints + ~600 wordlist |
+| `gui.py` Cloud API tab | **Camera plugin** UI |
+| `gui.py` Fuzzer tab | **Camera plugin** UI |
+| `gui.py` CVEs tab | **Camera plugin** UI |
+| `site/` | **Camera research output** — published as `camhak.seteclabs.io` |
+
+If you want to retarget this engine at a different device, the cleaner path is to use the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) and write your own `targets/<your_brand>/plugin.py` rather than fork this one.
+
 ## Features
 
 - **ARP Spoofing** — MITM positioning between camera and gateway with automatic ARP table restoration on exit