# Camera MITM — Remaining Work

## Done in this session

- [x] Migrated tooling to new network (192.168.1.x)
- [x] Built PyQt6 GUI dashboard wrapping the same Controller
- [x] Added per-service start/stop (clickable Service buttons)
- [x] Added log rotation at 1 GiB
- [x] Added intruder detection service (ARP spoof / unknown LAN peer / unexpected outbound)
- [x] Added protocol fingerprint module (TLS/HTTP/IOTC/etc.) and wired it into sniffer + http_server
- [x] Fixed http_server to peek-before-wrap so non-TLS traffic on :443 is captured raw
- [x] Regenerated MITM cert with full SAN list for ubianet/aliyuncs/myqcloud
- [x] Added 146 endpoints to fuzzer KNOWN_ENDPOINTS (harvested from decompiled APK)
- [x] Editable dropdown in Cloud tab Raw POST for known endpoints
- [x] Built `firmware_fetch.py` with multi-version check_version/v3 attempts
- [x] Built `ota_bucket_probe.py` to enumerate Tencent COS firmware buckets
- [x] Built `cve_checks.py` with original verifiers for CVE-2025-12636, CVE-2021-28372, CVE-2023-6322/3/4
- [x] Built CVE tab in GUI with per-CVE Verify buttons + Generate Report
- [x] Built Help tab in GUI documenting every tab and command
- [x] Discovered V11-V18 (8 new findings) and documented them in `~/dumps/findings.md`

## Phase 1: TUTK Library (still blocked on firmware)

- [ ] Need device-side firmware to extract `libIOTCAPIs.so` (the app version is symbol-stripped and has no static auth key)
- [ ] Alternative: Frida-hook the running UBox app to dump `p4p_crypto_init` arguments at runtime
- [ ] Once we have a TUTK lib, write a Python ctypes wrapper for IOTC connect/send/recv
- [ ] Connect to camera with admin/yyc1G::HPEv7om3O or admin/iotCam31
- [ ] Send DEVINFO_REQ (cmd 816), FILE_LIST_REQ (cmd 4864), CAPTURE_PICTURE_REQ (cmd 8482)

## Phase 2: Firmware Acquisition

- [ ] **Run `Probe OTA Bucket` button** on Cloud tab — try to find a public-read FW object
- [ ] **MITM the camera's boot-time check** — start MITM, power-cycle camera, capture the real check_version request and response
- [ ] If MITM works: inject fake check_version response with our URL and observe how the camera downloads (V7)
- [ ] Pull the **second** Javiscam app `com.macrovideo.javiscam` and diff against `cn.ubia.ubox` for different OTA URLs / keys
- [ ] FCC ID 2AYAGJXJ-DQ6B-SW1 — pull Internal Photos PDF to identify the SoC for a hardware-side dump option

## Phase 3: API Enumeration

- [ ] Run full Fuzz Endpoints job (146 known + ~600 wordlist) and document any new endpoints
- [ ] Try IDOR via kuid swap on `user/account/get_current_user`
- [ ] Try IDOR via uuid swap on `user/families`, `user/qry/notification/get`
- [ ] Enumerate OAM endpoints using leaked HMAC secret `2894df25f8f740dff5266bc155c662ca`
- [ ] Test the leaked Google/AMap API keys for damage assessment (V11)

## Phase 4: Paper + Disclosure

- [ ] Generate CVE report from CVE tab and attach to SECURITY_PAPER.md
- [ ] Add V11-V18 to SECURITY_PAPER.md
- [ ] Add OAM endpoint findings (Phase 3) to paper
- [ ] Final review and formatting
- [ ] Decide on coordinated disclosure to UBIA (CISA already attempted for CVE-2025-12636; UBIA did not respond)