SetecLabs/cam-mitm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
main
cam-mitm/TODO.md
sssnake 800052acc2 Initial commit — SetecSuite Camera MITM Framework 
Original tooling from the Camhak research project (camera teardown of a
rebranded UBIA / Javiscam IP camera). PyQt6 GUI on top of a curses TUI on
top of a service controller; per-service start/stop, intruder detection,
protocol fingerprinting, OAM HMAC signing, CVE verifiers, OTA bucket
probe, firmware fetcher, fuzzer, packet injection.

Tabs: Dashboard, Live Log, Intruders, Cloud API, Fuzzer, Inject, CVEs,
Config, Help. Real-time per-packet protocol detection, conntrack-based
original-destination lookup, log rotation at 1 GiB.

See SECURITY_PAPER.md for the full writeup, site/index.html for the
public report, README.md for usage. Run with:
    sudo /usr/bin/python3 gui.py

Co-authored by Setec Labs.
2026-04-09 08:14:18 -07:00

3.1 KiB
Raw Permalink Blame History

Camera MITM — Remaining Work

Done in this session

  • Migrated tooling to new network (192.168.1.x)
  • Built PyQt6 GUI dashboard wrapping the same Controller
  • Added per-service start/stop (clickable Service buttons)
  • Added log rotation at 1 GiB
  • Added intruder detection service (ARP spoof / unknown LAN peer / unexpected outbound)
  • Added protocol fingerprint module (TLS/HTTP/IOTC/etc) and wired into sniffer + http_server
  • Fixed http_server to peek-before-wrap so non-TLS traffic on :443 is captured raw
  • Regen'd MITM cert with full SAN list for ubianet/aliyuncs/myqcloud
  • Added 146 endpoints to fuzzer KNOWN_ENDPOINTS (harvested from decompiled APK)
  • Editable dropdown in Cloud tab Raw POST for known endpoints
  • Built firmware_fetch.py with multi-version check_version/v3 attempts
  • Built ota_bucket_probe.py to enumerate Tencent COS firmware buckets
  • Built cve_checks.py with original verifiers for CVE-2025-12636, CVE-2021-28372, CVE-2023-6322/3/4
  • Built CVE tab in GUI with per-CVE Verify buttons + Generate Report
  • Built Help tab in GUI documenting every tab and command
  • Discovered V11-V18 (8 new findings) and documented in ~/dumps/findings.md

Phase 1: TUTK Library (still blocked on firmware)

  • Need device-side firmware to extract libIOTCAPIs.so (the app version is symbol-stripped + has no static auth key)
  • Alternative: Frida-hook the running UBox app to dump p4p_crypto_init arguments at runtime
  • Once we have a TUTK lib, write Python ctypes wrapper for IOTC connect/send/recv
  • Connect to camera with admin/yyc1G::HPEv7om3O OR admin/iotCam31
  • Send DEVINFO_REQ (cmd 816), FILE_LIST_REQ (cmd 4864), CAPTURE_PICTURE_REQ (cmd 8482)

Phase 2: Firmware Acquisition

  • Run Probe OTA Bucket button on Cloud tab — try to find a public-read FW object
  • MITM the camera's boot-time check — start MITM, power-cycle camera, capture the real check_version request and response
  • If MITM works: inject fake check_version response with our URL and observe how the camera downloads (V7)
  • Pull the second Javiscam app com.macrovideo.javiscam and diff against cn.ubia.ubox for different OTA URLs / keys
  • FCC ID 2AYAGJXJ-DQ6B-SW1 — pull Internal Photos PDF to identify SoC for hardware-side dump option

Phase 3: API Enumeration

  • Run full Fuzz Endpoints job (146 known + ~600 wordlist) and document any new endpoints
  • Try IDOR via kuid swap on user/account/get_current_user
  • Try IDOR via uuid swap on user/families, user/qry/notification/get
  • Enumerate OAM endpoints using leaked HMAC secret 2894df25f8f740dff5266bc155c662ca
  • Test the leaked Google/AMap API keys for damage assessment (V11)

Phase 4: Paper + Disclosure

  • Generate CVE report from CVE tab and attach to SECURITY_PAPER.md
  • Add V11-V18 to SECURITY_PAPER.md
  • Add OAM endpoint findings (Phase 3) to paper
  • Final review and formatting
  • Decide on coordinated disclosure to UBIA (CISA already attempted for CVE-2025-12636; UBIA did not respond)
Reference in New Issue View Git Blame Copy Permalink