@brianpow
Last active December 31, 2023 14:35

GK7102 Based IP Camera

Background

Just bought one unit of a GK7102-based camera at US$8 (yes, just US$8!). The seller claimed it had a 1080p sensor and three antennas, but the sensor turned out to be 720p and only one antenna is wired. No manufacturer information is available; only a model name, "Y6A-WA", is printed on the box.

After unboxing, the PCB was found detached from the base. Opening the base showed that the PCB has two mounting holes but only one screw was present. Moreover, the mounting holes are too big for that screw!

Hardware info

CPU: ARMv6 CPU

RAM: 32M

Wireless: RTL8188fu

CMOS: SmartSens SC1245

Processor       : ARMv6-compatible processor rev 7 (v6l)
BogoMIPS        : 597.60
Features        : swp half fastmult vfp edsp java tls 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xb76
CPU revision    : 7

Searching for the part number shows that the CMOS is a 720p sensor:

Product type  Model   Status      Resolution          Sensor Size  Pixel Size  Frame rate (FPS)
Digital       SC2235  Production  2MP (1936H×1096V)   1/2.7"       3um*3um     50
Digital       SC1235  Production  1.3MP (1288Hx968V)  1/3"         3um*3um     60
Digital       SC1245  Production  720P (1288Hx728V)   1/4"         6um*6um     60

Login

telnetd is running by default. The default login is:

username: root
password: cxlinux

Mount

The firmware is quite old (20170515, taken from rcS), so it has a writable rootfs. Some newer versions/variants/rebrands have a locked rootfs.

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/mtdblock3 on /p2pcam type squashfs (ro,relatime)
/dev/mtdblock4 on /home type jffs2 (rw,relatime)
/dev/mmcblk0p1 on /tmp/mnt/mmc01/0 type exfat (rw,noatime,fmask=0022,dmask=0022,namecase=0,errors=continue)

Flash Layout

dev:    size   erasesize  name
mtd0: 00050000 00010000 "U"
mtd1: 001a0000 00010000 "K"
mtd2: 00120000 00010000 "R"
mtd3: 00280000 00010000 "A"
mtd4: 00270000 00010000 "H"

My guess:

U = U-Boot
K = Kernel
R = ROM
A = Application
H = Home

Backup the Flash

I have bricked many devices before, so now I always back up everything before playing around.

If you are running Linux and have a micro SD card:

First, put the latest busybox-armv6l onto the micro SD card.

On the PC:

for i in 0 1 2 3 4; do nc -l 12345 > $i.bin.gz ; done

On the camera (replace $IP with the IP of your PC!):

for i in 0 1 2 3 4; do cat /dev/mtd$i |gzip |/mnt/mmc01/0/busybox-armv6l nc -w 60 $IP 12345 ; done

If you are running Linux/Windows and don't have a micro SD card:

On the PC, start any FTP server program.

On the camera (replace $IP with the IP of your PC, and set $USERNAME and $PASSWORD!):

for i in 0 1 2 3 4; do cat /dev/mtd$i |gzip |ftpput $IP -u $USERNAME -p $PASSWORD $i.bin.gz -  ; done
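Before flashing anything back, it is worth checking that the dumps are complete. The following is an added example, not code from the gist: it parses the /proc/mtd listing shown in the Flash Layout section and checks each decompressed $i.bin.gz produced by either loop above against the partition size and a content signature. The signatures (U-Boot text, ARM zImage magic, squashfs and jffs2 magics) follow the author's guess at the layout and are assumptions.

```python
import gzip
import re
from pathlib import Path

# /proc/mtd listing as printed by the camera (copied from the Flash Layout section)
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00050000 00010000 "U"
mtd1: 001a0000 00010000 "K"
mtd2: 00120000 00010000 "R"
mtd3: 00280000 00010000 "A"
mtd4: 00270000 00010000 "H"
"""

# Content checks per partition, assumed from the author's guess at the layout:
# U-Boot text in mtd0, an ARM zImage in mtd1 (magic 0x016f2818 at offset 0x24),
# squashfs ("hsqs") in the app partition mounted at /p2pcam, jffs2 (0x1985 in
# either byte order) in /home. mtd2 is never mounted, so only its size is checked.
SIGNATURES = {
    0: lambda d: b"U-Boot" in d,
    1: lambda d: d[0x24:0x28] == b"\x18\x28\x6f\x01",
    3: lambda d: d[:4] == b"hsqs",
    4: lambda d: d[:2] in (b"\x85\x19", b"\x19\x85"),
}

def parse_proc_mtd(text):
    """Return {index: (size, erasesize, name)} parsed from a /proc/mtd listing."""
    parts = {}
    for m in re.finditer(r'^mtd(\d+): ([0-9a-f]{8}) ([0-9a-f]{8}) "([^"]*)"', text, re.M):
        parts[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16), m.group(4))
    return parts

def check_dump(index, data, parts):
    """Return a list of problems found in one decompressed partition dump."""
    size, _erase, name = parts[index]
    problems = []
    if len(data) != size:
        problems.append(f"mtd{index} ({name}): got {len(data)} bytes, expected {size}")
    check = SIGNATURES.get(index)
    if check and not check(data):
        problems.append(f"mtd{index} ({name}): expected content signature not found")
    return problems

def check_dump_dir(directory, parts):
    """Check every $i.bin.gz written by the nc or ftpput loop; returns {index: problems}."""
    report = {}
    for index in parts:
        path = Path(directory) / f"{index}.bin.gz"
        report[index] = (check_dump(index, gzip.open(path, "rb").read(), parts)
                         if path.is_file() else [f"{path} is missing"])
    return report
```

Run check_dump_dir(".", parse_proc_mtd(PROC_MTD)) in the directory holding the dumps; an empty list for every partition means the five files add up to the whole 8 MiB flash.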

MTD0 - The Boot Loader

After dumping the firmware, the boot loader banner is:

U-Boot 2012.10 (Jul 14 2017 - 14:43:22) for GK7102 rb-sc1045-v2.0 (GOKE)

It looks like the features to restore firmware from TFTP and from SD card are present. Here are the interesting strings from mtd0:

ethaddr=3C:97:0E:22:E1:14
ipaddr=11.1.4.200
serverip=11.1.4.19
rootpath=/opt/work
gatewayip=11.1.4.1
netmask=255.255.255.0
hostname="gk7102"
bootfile=zImage
loadaddr=0xC1000000

The TFTP firmware filename seems to be gk7101-evb_image.bin.

Here are some messages showing that restoring from SD card is supported (not tested):

bad gk7101-evb_image.bin,exit update from sd card
bad crc check,exit update from sd card

Supported flash chips

  • Spansion
    • S25FL004A
    • S25FL008A
    • S25FL016A
    • S25FL032P
    • S25FL064A
    • FL128PIFL
    • MX25L6455E
    • MX25L6465E
    • MX25L12845
    • MX253235D
    • MX25L1605D
    • MX25L1635D
    • MX25L3255D
  • Winbond
    • W25Q16BV
    • W25Q64FV
    • W25Q128FV
    • W25Q256FV

Opened Ports

By default there is no web UI and no ONVIF:

23/tcp   open  telnet     BusyBox telnetd
7103/tcp open  tcpwrapped
8001/tcp open  rtsp

ONVIF

After checking the firmware of other variants (e.g. GUUDGO GD-SC03) that support ONVIF, it seems that one interesting setting in hwcfg.ini is missing from mine.

GUUDGO GD-SC03

[config]
model = CloudCamera
main_bps = 768
sensor_position = 0
support_ptz = 1
ptz_mcu = 1
support_eth = 1
sound_detect = 1
ir_detect_type = 2
adc_setting_max = 700
adc_setting_min = -300
support_onvif = 1

[config]
model = CHW-PTZ
support_ptz = 1
support_eth = 1
ir_detect_type = 2
adc_setting_max = 200
adc_setting_min = -100
support_allid = 1
sensor_position = 1
support_ap_mode = 1

However, adding the missing setting does not enable ONVIF, but one more port (554) is opened for RTSP:

23/tcp   open  telnet     BusyBox telnetd
554/tcp  open  rtsp
7103/tcp open  tcpwrapped
8001/tcp open  rtsp

I believe the core functions are hidden inside /ipcam/ipcam; replacing it with a version that supports ONVIF is probably also needed.

RTSP

The default username is admin with no password, which is a big security risk: anyone who can reach port 8001 can view the stream.

rtsp://admin@IP

Client mode

In client mode it seems to connect to a default access point with SSID QCA2 and password chwqc002:

/home/wpa_supplicant.conf

ctrl_interface=/var/run/wpa_supplicant
update_config=1
network={
ssid="QCA2"
key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
pairwise=TKIP CCMP
scan_ssid=1
group=CCMP TKIP WEP104 WEP40
psk="chwqc002"
}

SD Card

By default, the startup scripts /home/start.sh and /home/factorytool.sh will try to load and run some files from the SD card.

Files copied from the SD card to /home:

*-hwcfg.ini, *-VOICE.tgz, *-ptz.cfg, *-hardinfo.bin, *-custom_init.sh

Files run from the SD card:

debug_cmd.sh

File that will be flashed:

firmware.bin

The flash command is:

/bin/sdc_tool -d $BOARD_ID -c /home/model.ini /mnt/firmware.bin

It seems to be encrypted using the board ID, which can be found in the BoardType element of an XML file named /home/hardinfo.bin; the ID is 1007 in my case:

<?xml version="1.0" encoding="UTF-8"?>
<DeviceInfo version="1.0">
<DeviceClass>0</DeviceClass>
<OemCode>0</OemCode>
<BoardType>1007</BoardType>
<FirmwareIdent>eyeplus_ipc_gk_005</FirmwareIdent>
<Manufacturer>EYEPLUS</Manufacturer>
<Model>GK7102</Model>
<GPIO>
<BoardReset>30_0x00000000_0_0</BoardReset>
<SpeakerCtrl>6_0x00000000_0_0</SpeakerCtrl>
<BlueLed>51_0x00000000_0_1</BlueLed>
<IrCut1B>20_0x00000000_0_1</IrCut1B>
</GPIO>

After some study of sdc_tool, the firmware seems to be encrypted using XOR and/or AES; the binary contains the string:

xorstr

Usage:
sdc_tool -h|-?
sdc_tool -d ident [-c inifile] [-r] [-b] [-V] [-m mount_dir] [[-i image_path_in_partition] | pk2_file_path]
sdc_tool --md5 file
-d      identier the image should match
-c      inifile to save pubtime of image
-b      reboot after process updating.
-m      directory to mount partition, default '/tmp/mnt'
-r      remove pk2 file after process updating.
-i      IMAGE_PATH in the partition. default "/ipcam"
-V      verbose
pk2_file_path   path to pk2 file. if omitted, update from "IMAGE_PATH" of partition

Cloud Service

Video recording on the SD card can only be started when the camera is connected to the cloud service. The server list can be found in cloud.ini; the content of cloud_oversea.ini is identical:

[SERVERINFO]
server_name=arcsoft.com
xmpp_server_ip=xmpp.icloseli.cn.
relay_server_ip=relaycn.arcsoftcloud.com
auto_update_server_ip=update.icloseli.cn.
lecam_purchase_server_ip=esd.icloseli.cn.
upns_pnserver=upns.icloseli.cn.
upns_xmpp_name=arcsoft.com
upns_xmpp_ip=xmpp.icloseli.cn.
argus_api_server_ip=argus.icloseli.cn.
argus_server_ip=argus.icloseli.cn.
relay_server_domain_name=relay.icloseli.cn.
stun_server_ip=stun.icloseli.cn.
cloud_auth_server_name=api.icloseli.cn.
bell_server_ip=bell.icloseli.cn
return_server_ip=relaycn.closeli.cn

Variants

Yanivision DJ-ZSGX1

Digoo DG-M1Q

AUDUBE FG-SECCAM02

Conclusion

This cheap IP camera is trivially compromised: anyone can log in over telnet with the default root password, and anyone can view the video stream without a password. The security of the cloud service is also questionable.

Reference

https://github.com/edsub/Goke_GK7102

https://github.com/ant-thomas/zsgx1hacks

https://github.com/yuvadm/DG-M1Q

http://honeylab.hatenablog.jp/entry/2019/05/17/075533
