Altering an action-cam connectivity behavior


Situation :

Target :
Brand: Xiaomi
Model: Mijia 4K
ID: YDXJ01FM
Connectivity: Wifi, Bluetooth, USB

Situation: the camera connects to the phone through the Mi Home app by bringing up its own Wi-Fi hotspot; there is no other way to establish communication.
Objective: make the camera connect to an existing Wi-Fi network, trigger the live stream, discover its protocol and decode it to retrieve the video on a computer.

Preparation :

  1. Network recon & enumeration
  2. Service & OS identification
  3. Software versions identification
  4. Look for vulnerabilities
  5. Wireshark eavesdropping at the pairing
  6. Replay captured packets
  7. If none of that works, improvise

Operations :

When the pairing process starts on the camera, it gives roughly 30 seconds to start the link from the Mi Home app; otherwise the hotspot goes down and interrupts the connection. That leaves a very small window to run an Nmap enumeration, so I chose to pair it with my phone first and then enumerate:

┌──(root💀crashlogs)--[~/ops/mi4k]
└─# nmap -A 192.168.42.1 -p-
Nmap scan report for 192.168.42.1
Host is up (0.0071s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE         VERSION
23/tcp    open  telnet          BusyBox telnetd
53/tcp    open  domain          dnsmasq 2.72
| dns-nsid: 
|_  bind.version: dnsmasq-2.72
80/tcp    open  http            Cherokee httpd 1.2.101b200110_
|_http-server-header: Cherokee/1.2.101b200110_ (UNIX)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
111/tcp   open  rpcbind         2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|_  100000  2,3,4        111/udp   rpcbind
554/tcp   open  rtsp?
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
7878/tcp  open  owms?
8787/tcp  open  msgsrvr?
9888/tcp  open  cyborg-systems?
12080/tcp open  tcpwrapped
MAC Address: B0:F1:EC:4D:84:10 (Ampak Technology)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: Host: a12; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   7.13 ms 192.168.42.1

So far there's a Cherokee web server running on port 80. Good start! Obviously, DCIM leads to the picture library; next is the Live link, which is very intriguing: the web page is empty, but let's run a blind test on this one and bet the coins on the most widely used video streaming protocol: RTSP.
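To turn the scan above into something reviewable, here is an added example (my own code, not the author's) that parses the Nmap port table reproduced from the scan, keeps the open ports, and annotates the ones a defender would want to look at first on a camera that exposes them on its hotspot. The risk notes in `RISK_RULES` are my own assumptions about what matters on such a device, not findings stated on the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the port table and rtsp-methods line copied from the nmap -A output above.
NMAP_OUTPUT = """\
PORT      STATE SERVICE         VERSION
23/tcp    open  telnet          BusyBox telnetd
53/tcp    open  domain          dnsmasq 2.72
80/tcp    open  http            Cherokee httpd 1.2.101b200110_
111/tcp   open  rpcbind         2-4 (RPC #100000)
554/tcp   open  rtsp?
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
7878/tcp  open  owms?
8787/tcp  open  msgsrvr?
9888/tcp  open  cyborg-systems?
12080/tcp open  tcpwrapped
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Hypothetical review rules (my assumption): why each exposed service deserves a second look.
RISK_RULES = {
    "telnet": "cleartext remote shell; credentials and session visible to anyone on the hotspot",
    "http": "web UI over plain HTTP; check whether the DCIM and Live paths require a login",
    "rpcbind": "RPC portmapper exposed; rarely needed on a camera",
    "rtsp": "stream endpoint; check whether DESCRIBE is answered without a 401 challenge",
}


@dataclass
class Finding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    note: str


def parse_nmap(text: str) -> List[Finding]:
    """Extract one Finding per port line; nmap marks guessed services with a trailing '?'."""
    findings = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        service = service.rstrip("?")
        findings.append(Finding(int(port), proto, state, service, version.strip(),
                                RISK_RULES.get(service, "")))
    return findings


def open_ports(findings: List[Finding]) -> List[int]:
    return sorted(f.port for f in findings if f.state == "open")


def flagged(findings: List[Finding]) -> List[Finding]:
    """Findings that matched a risk rule, in port order."""
    return [f for f in findings if f.note]


def rtsp_methods(text: str) -> List[str]:
    """Methods advertised in the rtsp-methods script line, if the scan produced one."""
    for line in text.splitlines():
        if "rtsp-methods:" in line:
            return [m.strip() for m in line.split(":", 1)[1].split(",")]
    return []


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(found))
    for f in flagged(found):
        print(f"{f.port}/{f.proto} {f.service:<8} {f.version:<24} -> {f.note}")
    print("RTSP methods:", ", ".join(rtsp_methods(NMAP_OUTPUT)))
```

The parser is deliberately strict about the port-line shape, so script output lines (`|_…`) and the traceroute table are skipped rather than misread as services.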

Annnnnd … something! I popped up VLC media player, opened a network stream with rtsp://192.168.42.1/live as the URL, and got a beautiful view of myself taking a screenshot.
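What VLC did behind the scenes is an RTSP exchange: an OPTIONS request, then a DESCRIBE for the URL, whose SDP answer lists the video track. The added example below (my own code, not the author's or Xiaomi's) builds those requests and parses the reply so you can tell whether the endpoint hands out the stream description freely or challenges with a 401. The two replies at the bottom are constructed samples, not captures from the camera; the page only shows that VLC got the picture.

```python
import re
from typing import Dict, Tuple

CAMERA_URL = "rtsp://192.168.42.1/live"   # the URL VLC opened above


def build_request(method: str, url: str, cseq: int, extra: Dict[str, str] = None) -> bytes:
    """Serialize one RTSP/1.0 request: request line, headers, blank line (CRLF framing)."""
    lines = [f"{method} {url} RTSP/1.0", f"CSeq: {cseq}", "User-Agent: rtsp-probe-example"]
    for k, v in (extra or {}).items():
        lines.append(f"{k}: {v}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split an RTSP reply into (status code, lower-cased headers, body)."""
    head, _, body = raw.decode(errors="replace").partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"RTSP/1\.0 (\d{3})", status_line)
    if not m:
        raise ValueError(f"not an RTSP response: {status_line!r}")
    headers = {}
    for h in header_lines:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return int(m.group(1)), headers, body


def classify_describe(raw: bytes) -> Tuple[str, str]:
    """Return ('open', track) when the SDP is served without auth, ('auth-required', challenge) on 401."""
    status, headers, body = parse_response(raw)
    if status == 401:
        return "auth-required", headers.get("www-authenticate", "")
    if status != 200:
        return f"error-{status}", ""
    # SDP: the 'a=control:' line inside the 'm=video' section names the track to SETUP
    track, in_video = "", False
    for line in body.splitlines():
        if line.startswith("m="):
            in_video = line.startswith("m=video")
        elif in_video and line.startswith("a=control:"):
            track = line[len("a=control:"):].strip()
            break
    return "open", track


def make_reply(status_line: str, headers: Dict[str, str], body: str = "") -> bytes:
    """Helper to assemble a well-formed reply with a correct Content-Length (constructed sample data)."""
    hdrs = dict(headers)
    if body:
        hdrs["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([status_line] + [f"{k}: {v}" for k, v in hdrs.items()])
    return (head + "\r\n\r\n" + body).encode()


# Constructed sample answers (assumptions, not captures): one open server, one demanding Digest auth.
SDP_BODY = "v=0\r\nm=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\na=control:trackID=0\r\n"
OPEN_REPLY = make_reply("RTSP/1.0 200 OK", {"CSeq": "2", "Content-Type": "application/sdp"}, SDP_BODY)
AUTH_REPLY = make_reply("RTSP/1.0 401 Unauthorized",
                        {"CSeq": "2", "WWW-Authenticate": 'Digest realm="cam", nonce="abc"'})


if __name__ == "__main__":
    print(build_request("OPTIONS", CAMERA_URL, 1).decode(), end="")
    print(build_request("DESCRIBE", CAMERA_URL, 2, {"Accept": "application/sdp"}).decode(), end="")
    for label, reply in (("open server", OPEN_REPLY), ("protected server", AUTH_REPLY)):
        print(label, "->", classify_describe(reply))
```

A DESCRIBE answered with 200 and an SDP body, as in the first sample, means anyone on the hotspot can read the stream layout and go on to SETUP/PLAY; a 401 with a `WWW-Authenticate` challenge is what a hardened camera should return.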

Good, good, good! So far we've found out how to hijack the streaming flow, but we still need the Mi Home app and a phone in the loop. Let's see how we can get rid of them and make the cam connect to my home network!

1 Comment

July 13, 2022
Twicsy

What a stuff of un-ambiguity and preserveness of valuable knowledge on the topic of unexpected feelings.
