"Hacking" The Motorola FOCUS66 Camera

Post by atom0s » Mon Feb 09, 2015 1:13 am

Recently, my partner and I bought a double pack of the Motorola FOCUS66 cameras, see here:
http://www.walmart.com/ip/Motorola-FOCU ... k/39173367

We made this purchase because we had our Siberian Husky bred and wanted to keep an eye on her during the pregnancy while we were not home. As well as at night we can keep an eye on her from bed. Upon the purchase I set up the cameras, downloaded and installed the app on my phone and got things going within 10 minutes of unboxing. The setup is very simple and the cameras worked immediately.

However they do have a downside. There is no Windows client offered for your computer. They only offer a remote website to view the panel while logged into your account that the cameras are registered to. So obviously the cameras are streaming the data to their website while someone is connected for viewing. (This is a bit creepy knowing that these cameras stream to their website on request after it is registered to an account. But that is a different debate/post.) So I wanted to figure out a way to get the camera working locally on my PC without needing some emulation for Android/iOS etc.

Searching the net I couldn't find any info on these cameras, such as how they connect to the net, how they broadcast data, etc.
So I was on my own figuring things out. Granted this isn't really rocket science to do..

Analyzing The Device
Already from the start, we know that this thing connects to our router wirelessly. And the setup method it used to get them working kind of hints towards some "black magic" going on in the camera. So I looked at our DHCP table for the two cameras and grabbed the IPs of both.

First, I decided to test for any known services running on the devices, to see if the OS type was exposed. So I hit the cameras with telnet requests for basic stuff like FTP, SSH, etc. and got nothing. Then I checked for a web service running, bingo. Both cameras are hosting a web server locally on the device. However hitting the device we are greeted with the following:

404: Not Found!
File not found!
Not useful at all. So I loaded up a web-crawler app to try and crawl out some directories and files from the device. For this I snagged:
w3af http://w3af.org/

I used the default dictionaries that come with the app for the scanning and landed up finding only:
- Found Directories: /cgi-bin/
- Found Files: test.html

But the test.html file was more than enough to get some information from the device.

test.html Information / Functions
The test.html file shows a fairly crappy panel of basic test functions. I assume this file is used in the factory for basic testing before the device is packaged and shipped. Reading through the source of this file, it shows us that the web server is actually hosting the required files for the device to be communicated with. The main handling engine takes input commands like this:
http://192.168.2.37/action?command&comm ... mmand_here>

From this file alone, we can find a collection of possible commands:
- get_brightness
- value_temperature
- value_resolution
- pan_plus / pan_minus

just to name a few..

Scrolling all the way down in the source we can see the file is trying to include a web object (vlc plugin) directed at the page:
<param name="MRL" id="mrlVideo" value="rtsp://192.168.193.1:6667/blinkhd" />

So now we see a local address for the video (which is incorrect) and a new path /blinkhd.

So I tried going to the /blinkhd sub page and got nothing, so this file has to be accessed via the rtsp protocol.

Accessing The Video Stream
Knowing now that the stream is broadcast via the RTSP protocol, I know that VLC media player can use those as one of its viewing options. Popping open VLC player and entering the proper path to the feed, I was greeted with a username and password prompt on one of the devices, and not the other. (More info on that later, heh..)

I took about 15-20 guesses to get the combo correct, sadly. The stream uses a default username and password combo of:
- Username: user
- Password: pass

Not exactly the best security measures put in place. This would be nice to be configurable by the user to prevent unwanted access watching the stream but hey.. it was a cheap set of cameras so what do you expect?

So at this point I am able to watch both cameras.. but I wanted to know more about the cameras' firmware and why one camera wanted a login and the other didn't.

Digging Deeper...

Digging deeper into the camera information, I started Google'ing some key words from the test pages I found on the devices.
- blinkhd
- Various allowed commands shown in the html of the test page.

I came across a site with similar intentions for another camera. Sadly the information was not shown in my original searches since the cameras are different in some ways so my previous searches weren't close enough to get me to this person's site.

His site revealed some other pages that are on the device's web server that also worked on mine. One of which helped reveal some more information on the device which was:
http://192.168.2.37/blinkhome.html

This is another landing page to the camera showing off more features you can tinker with command wise, as well as two variations of the stream viewer. However, again, the pages have hard-coded IP addresses and do not work properly. The other fun-fact with this specific camera we have is that it seems like the firmware was rushed and not meant for this camera as files are missing.

Links, Files, and Overall Information
At the end of the day after tinkering with the camera I came up with the following information for our specific set of cameras:
- Main Test Page: http://192.168.2.37/test.html
- Second Test Page: http://192.168.2.37/blinkhome.html
- Java Viewing Page: http://192.168.2.37/java.html (Does not work because required Java applet is not on the device.)
- Java Applet (Missing from devices): http://192.168.2.37/cambozola.jar
- Stream URL: rtsp://192.168.2.37:6667/blinkhd (May require username/pass.)
- The username / password combo to the stream, if required, is: user / pass
- Commands are sent via: http://192.168.2.37/?action=command&com ... mmand_here>
- Firmware upgrades are done via: http://192.168.2.37:8080

One Stream But Not The Other!
As I mentioned above, one of the streams requested a password while the other did not. This is because the two devices, packaged and shipped together, (completely same model etc) had two different firmware versions.. That's right, two separate firmwares rather than both having the same. I'm not quite sure how that happens but it did lol..

The older firmware did not care for a username and password while the newer one did.

The firmware information for the devices is:
- MBP2000W (01.16.46) - This camera wanted the username and password.
- MBP2000W (01.15.04) - This camera did not want the username and password.

Quite strange that two cameras in the same package are running two separate, but both equally incomplete, firmwares. The firmware used definitely does not look like it was made for these cameras specifically and was rather half-ass ported to them just enough to "work".
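Added example, not part of the original post: the difference between the two firmware versions described above can be checked on cameras you own by sending an unauthenticated RTSP DESCRIBE and reading the status line. The port and path are the ones the post reports (6667, /blinkhd); the sample responses are constructed, and the function names are this example's own.

```python
import socket

# Constructed sample responses (not captured from a real camera).
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
               b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SAMPLE_AUTH = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               b'WWW-Authenticate: Basic realm="camera"\r\n\r\n')


def build_describe(host, port=6667, path="/blinkhd", cseq=1):
    """Return an RTSP DESCRIBE request that carries no credentials."""
    lines = [
        f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0",
        f"CSeq: {cseq}",
        "Accept: application/sdp",
        "User-Agent: rtsp-auth-audit",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError(f"not an RTSP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def classify(raw):
    """Map a reply to an unauthenticated DESCRIBE onto an audit verdict."""
    try:
        status, headers = parse_response(raw)
    except ValueError:
        return "not-rtsp"
    if status == 200:
        return "open"            # stream description served without a login
    if status == 401:
        schemes = {v.split(None, 1)[0].lower()
                   for v in headers.get("www-authenticate", []) if v}
        if "basic" in schemes:
            return "auth-basic"  # login required, password only base64-encoded
        if "digest" in schemes:
            return "auth-digest"
        return "auth-unknown"
    return f"other-{status}"


def probe(host, port=6667, path="/blinkhd", timeout=3.0):
    """Send one DESCRIBE to a camera you administer and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_describe(host, port, path))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 8192:
                chunk = s.recv(2048)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "unreachable"
    return classify(raw)


if __name__ == "__main__":
    for label, raw in (("constructed 200 reply", SAMPLE_OPEN),
                       ("constructed 401 reply", SAMPLE_AUTH)):
        print(label, "->", classify(raw))
    # For a camera on your own network: print(probe("<camera-ip>"))
```

A verdict of "open" means anyone on the same network can pull the stream; "auth-basic" still exposes the password to anyone who can capture the traffic.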

Post by initialed85 » Sat Jul 04, 2015 10:36 pm

Hey buddy,

I found your forum searching for info on this camera. As per your discovery, I managed to get the RTSP stream working, so cheers for that. VLC commandline on my MacBook is:

./VLC "rtsp://user:pass@192.168.137.36:6667/blinkhd :rtsp-caching=0 :udp-caching:0 :tcp-caching=0 :network-caching:0"

I don't think any of the caching commands are working to be honest, still a fair bit of latency- I think it's just VLC on OSX though, I had a similar issue with a HTTP stream coming from a remote control tank, wasn't a thing when you viewed the stream in Chrome.

Of interest, however, I briefly had access to a Telnet server on the device while in pairing mode which showed a fairly Linux filesystem using BusyBox, like you'd find on any embedded device. Seemed to be superuser privileges.

So, maybe an option to exploit things there. I think I'll open the case up later and see if there's a serial or TTL header that ties into one of the TTY lines without any need for authentication. Telnet server disconnects me the minute I connect now.

Post by n8huntsman » Sat Jul 25, 2015 2:57 pm

Found this while looking to do the same thing to the Motorola MBP85 that I bought. I wanted to add some things that I discovered to your list:
Since they don't make an app for Windows Phone and the webpage is Flash based, hubbleconnect is useless to me. I really wanted to be able to use third party apps such as ip cam controller (on my phone) or blue iris on my server, or at the very least, it would be nice to be able to log into its IP address directly. The summer infant cam works the same way unfortunately.
When I access the webpage on my PC and use Wireshark, I can see it receiving the stream from an IP address that takes me to a page that shows "Wowza Streaming Engine 4 for Amazon EC2 4.1.0 build12602". I believe this is an Amazon server that allows embedded devices to upload data.
I did a bit of snooping with nmap and found that ports 80, 6667, 8080, and 464 were open. It also shows the OS of the camera to be Linux 2.6.16 - 2.6.35 (embedded). Using blue iris, I tried multiple camera configurations and actually got video using the A-Link IPC1 JPEG settings, which use the http://IPADDRESS/cgi/jpg/image.cgi URL. That gives me basic functions in blue iris but I still don't have PTZ control, two way audio or any way of changing camera settings via blue Iris. The pages you found definitely help though. Also, putting the http://IPADDRESS/cgi/jpg/image.cgi URL into my browser will show a still image. http://192.168.1.14:8080/wifisetup.html is another page I came across.

Post by oddllama » Sun Aug 30, 2015 3:32 am

Not sure if you guys are still interested, but I just got this camera and immediately wanted to open it up, so here is some info for you:

Kernel Dump
Linux version 2.6.35.4 (root@nxcommbuild-K5130) (gcc version 4.2.1) #1 PREEMPT Fri Jul 4 14:51:05 ICT 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: W55FA92
Memory policy: ECC disabled, Data cache writeback
On node 0 totalpages: 16384
free_area_init_node: node 0, pgdat c053263c, node_mem_map c18c5000
Normal zone: 128 pages used for memmap
Normal zone: 0 pages reserved
Normal zone: 16256 pages, LIFO batch:3
CPU type 0x00fad007 is W55FA92
w55fa92_external_clock = 12.0 MHz
w55fa92_upll_clock = 240000 KHz
w55fa92_apll_clock = 432000 KHz
w55fa92_mpll_clock = 360000 KHz
w55fa92_system_clock = 240000 KHz
w55fa92_cpu_clock = 240000 KHz
w55fa92_ahb_clock = 120000 KHz
w55fa92_apb_clock = 60000 KHz
Disable APLL
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: root=/dev/ram0 console=ttyS1,115200n8 rdinit=/sbin/init mem=64M vt.global_cursor_default=0
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 64MB = 64MB total
Memory: 39600k/39600k available, 25936k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff600000 - 0xffe00000 ( 8 MB)
vmalloc : 0xc4800000 - 0xe0000000 ( 440 MB)
lowmem : 0xc0000000 - 0xc4000000 ( 64 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc014b000 (1292 kB)
.text : 0xc014b000 - 0xc050b000 (3840 kB)
.data : 0xc050c000 - 0xc0532c40 ( 156 kB)
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:47
Console: colour dummy device 80x30
selected clock b71b00 quot 5
console [ttyS1] enabled
w55fa92_avc_alloc_mem at phy =0x553000, vir_addr = 0xc0553000
ENCODER_TOTAL_SIZE = 0x85e000, DECODER_TOTAL_SIZE = 0x0
Instant num = 2, total required memory is 0x85e000, now kconfig size = 0xb72000
Encode 1 instance total size =0x42f000
w55fa92_avc_alloc_mem, dec_bs_phy_buffer = 0xdb1000, dec_ref_phy_buffer = 0xdb1000, mb_info_phy_buffer = 0xdb1000
w55fa92_avc_alloc_mem, out_phy_buffer = 0x553000, enc_recon_buf = 0x6a5000, enc_refer_buf = 0x7f7000
w55fa92_avc_alloc_mem, dec_out_phy_buf = 0xdb1000, _DECODER_BUF_START = 0xdb1000, DECODER_SUBTOTAL_SIZE = 0x0
Calibrating delay loop... 119.19 BogoMIPS (lpj=595968)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
devtmpfs: initialized
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Advanced Linux Sound Architecture Driver Version 1.0.23.
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource w55fa92-timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
register clock device
w55fa92_edma_init
JFFS2 version 2.2. (NAND) 2001-2006 Red Hat, Inc.
ROMFS MTD (C) 2007 Red Hat, Inc.
msgmni has been set to 77
alg: No test for stdrng (krng)
io scheduler noop registered (default)
w55fa92 SysMgr driver has been initialized successfully!
W55FA92 uart driver has been initialized successfully!
w55fa92-uart0: ttyS0 at MMIO 0xb8008000 (irq = 14) is a W55FA92
w55fa92-uart1: ttyS1 at MMIO 0xb8008100 (irq = 30) is a W55FA92
brd: module loaded
loop: module loaded
w55fa92_avc_init
fa92 AVC Encoder Supported
FAVC Encoder IRQ mode(34)v1.0
H264 Driver Version v1.0
The H264 Driver init OK and Max Resolution is 1280x720
Generic platform RAM MTD, (c) 2004 Simtec Electronics
w55fa92 mtd nand driver version: 20131231
NAND Flash ID: 92 F1 80 95 40 7F 7F 7F
NAND device: Manufacturer ID: 0x92, Chip ID: 0xf1 (Unknown NAND 128MiB 3,3V 8-bit)
SYSTEM: USE BCH_T4 HWECC algorithm(Parity number:32 bytes)
EXECUTE: USE BCH_T8 HWECC algorithm(Parity number:60 bytes)
USE BCH_T8 HWECC algorithm(Parity number:60 bytes)
Scanning device for bad blocks
(0x00000000)Change to BCH_T4: 32B
(0x00080000)Change to BCH_T8: 60B
Bad eraseblock 1023 at 0x000007fe0000
Creating 5 MTD partitions on "NAND 128MiB 3,3V 8-bit":
0x000000000000-0x000000080000 : "SYSTEM"
0x000000080000-0x000001000000 : "EXECUTE"
0x000001000000-0x000003000000 : "NAND1-1"
0x000003000000-0x000007f80000 : "NAND1-2"
0x000007f80000-0x000008000000 : "NAND1-n"
fmi-sm: registered successfully!
Using SPI1
Val of GPGFUN1 22020000
Use SW CS2
Setup GPIO IRQ
Register SPI BUsy IRQ
IRQB = 00000000
Val GPA1: 00000002
Init spidev
Probe SPIDev
SPI Address c343a9a0
Finish init SPIdev
### W55FA92 ether driver v0.1 has been initialized successfully!
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
USBH2.0 Clock source is UPLL, divider is 5
REG_OpModEn = 0x00000008
w55fa92-ehci w55fa92-ehci: Nuvoton w55fa92 EHCI Host Controller
w55fa92-ehci w55fa92-ehci: new USB bus registered, assigned bus number 1
w55fa92-ehci w55fa92-ehci: irq 21, io mem 0xb100b000
w55fa92-ehci w55fa92-ehci: USB 2.0 started, EHCI 0.95
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
USB device plug in
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ohci_hcd_w55fa92_drv_probe
usb_hcd_w55fa92_probe
w55fa92-ohci w55fa92-ohci: Nuvoton W55FA92 OHCI Host Controller
w55fa92-ohci w55fa92-ohci: new USB bus registered, assigned bus number 2
w55fa92-ohci w55fa92-ohci: irq 22, io mem 0xb1005000
ohci_w55fa92_start
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
USB device plug in
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.


i2c_adap_w55fa92_init
w55fa92_i2c_probe()
w55fa92-i2c w55fa92-i2c: bus frequency set to 100 KHz
w55fa92-i2c w55fa92-i2c: Add W55FA92 I2C port adapter
Linux video capture interface: v2.00
Video capture device 1 initialize successful
jpegcodec_init
jpeg engine is 120000KHz
cryptodev: driver 1.6 loaded.
[w55fa92-aes] Init OK
After snd_soc_register_dai
w55fa92-dac-i2c ret = 0x0
w55fa92-dac-i2c ret = 0x0
ADC clock get OK !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
w55fa92evb_asoc_dev = 0xc349fdc0 !!!
SPU DAC ON !!!
asoc: W55FA92_DAC HiFi <-> w55fa92-spu mapping ok
ret = 0x0 !!!, platform device added
******* global g_pw55fa92_adc_data address = 0xc3492460
0 = platform_driver_register

asoc: w55fa92ADC HiFi <-> w55fa92adc_cpu_dai mapping ok
ALSA device list:
#0: W55FA92_SPU (W55FA92_DAC)
#1: mach-w55fa92_ADC (W55FA92_ADC)
oprofile: hardware counters not available
oprofile: using timer interrupt.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (618 buckets, 2472 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
lib80211: common routines for IEEE802.11 drivers
lib80211_crypt: registered algorithm 'NULL'
selected clock b71b00 quot 5
Freeing init memory: 1292K
selected clock b71b00 quot 5
selected clock b71b00 quot 5
usb 1-1: new high speed USB device using w55fa92-ehci and address 2
Allocate 16 4K-Buffer for USB Host Bulk Transfer
Allocate 2 64K-Buffer for USB Host Bulk Transfer
USB device plug in
selected clock b71b00 quot 5
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd2 to ubi0
UBI: MTD device name: "NAND1-1"
UBI: MTD device size: 32 MiB
UBI: number of good PEBs: 256
UBI: number of bad PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 0
UBI: total number of reserved PEBs: 256
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 12/7
UBI: image sequence number: 1379521997
UBI: background thread "ubi_bgt0d" started, PID 423
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "nand1-1"
UBIFS: file system size: 30474240 bytes (29760 KiB, 29 MiB, 240 LEBs)
UBIFS: journal size: 4444160 bytes (4340 KiB, 4 MiB, 35 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root: 0 bytes (0 KiB)
UBI: attaching mtd3 to ubi1
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd3 to ubi1
UBI: MTD device name: "NAND1-2"
UBI: MTD device size: 79 MiB
UBI: number of good PEBs: 636
UBI: number of bad PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 0
UBI: total number of reserved PEBs: 636
UBI: number of PEBs reserved for bad PEB handling: 6
UBI: max/mean erase counter: 7/5
UBI: image sequence number: 1918386606
UBI: background thread "ubi_bgt1d" started, PID 430
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "nand1-2"
UBIFS: file system size: 78344192 bytes (76508 KiB, 74 MiB, 617 LEBs)
UBIFS: journal size: 3936256 bytes (3844 KiB, 3 MiB, 31 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root: 3700389 bytes (3613 KiB)
selected clock b71b00 quot 5
selected clock b71b00 quot 77
bFWReady == _FALSE call reset 8051...
usbcore: registered new interface driver rtl8188eu
==> rtl8188e_iol_efuse_patch
Thresh1=3901. Thresh2=3750. Sleeping_delay=10. Mode=0 Debug= 0 method='gpio'
Register platform device for low battery detection
requet irq successful
ADC opening REG_TP_CTL1 = 0xc00
w55fa92 Sensor open now
VideoIn port 1 open
Init NT_HM_1375 in port 1
Sensor reset
I2C added
detectd sensor id0=9 id1=55
NTChangeImageResolution:1280x720
HMSetResolution:1
sensor change resolution begin-----
RTL871X: set bssid:00:00:00:00:00:00
RTL871X: set ssid [g isQ J ) F| T Z.c3 Ç. ] fw_state=0x00000008
### Pick=2 ###
sensor change resolution end-----
video driver open successful.Mod version to be compatible with 66
videoin_ioctl VIDIOCGCAP
w55fa92 Sensor open now
Specified sensor addr = 0x4c0
Enable H.264 encoder clock
!!!!! Total size for audio = 0x10000
!!!!! Total size for audio = 0x10000
RTL871X: set bssid:00:00:00:00:00:00
R1X8Z%]Xs^t ssid TftA!= Ç . ] fw_state=0x00000808
RTL871X: indicate disassoc
RTL871X: assoc success
RTL871X: ap recv disassoc reason code(8) sta:e8:50:8b:87:c7:c3
RTL871X: set pairwise key to hw: alg:0(WEP40-1 WEP104-5 TKIP-2 AES-4) camid:-1021157376
RTL871X: set pairwise key to hw: alg:0(WEP40-1 WEP104-5 TKIP-2 AES-4) camid:-1021157376
RTL871X: indicate disassoc
RTL871X: set bssid:00:00:00:00:00:00
RTL871X: set ssid [g isQ J ) F| T Z.c3 Ç 2 ] fw_state=0x00000008
RTL871X: set ssid [Llama Wireless] fw_state=0x00000008
RTL871X: set bssid:bc:ae:c5:e7:c0:f7
RTL871X: start auth
RTL871X: auth success, start assoc
RTL871X: assoc success
RTL871X: set pairwise key to hw: alg:4(WEP40-1 WEP104-5 TKIP-2 AES-4) camid:4
Enable H.264 encoder clock
Enable H.264 encoder clock

Running Processes
init-+-crond
|-ftpuploader---ftpuploader---4*[ftpuploader]
|-httpd
|-ip_server
|-mdnsd---mdnsd---mdnsd
|-msloader---msloader---41*[msloader]
|-networkmanager
|-ota_upgrade
|-recover
|-sh-+-bmmanager
| |-boot_script
| |-fwupgrade
| `-tempupdate
|-syslogd
|-telnetd---sh---sh---sh---pstree
|-telnetd
|-udhcpc
|-wpa_cli
`-wpa_supplicant

Currently defined functions:
[, [[, awk, basename, blockdev, bootchartd, cat, chmod, chvt, conspy,
cp, crond, crontab, cut, date, dd, df, dhcprelay, diff, dmesg, dnsd,
dnsdomainname, du, dumpleases, echo, egrep, env, expr, false,
fgconsole, fgrep, flash_eraseall, flash_lock, flash_unlock, flock,
fsync, ftpget, ftpput, getty, grep, gunzip, gzip, halt, hostname,
httpd, hush, hwclock, ifconfig, ifdown, ifplugd, ifup, init, inotifyd,
insmod, iostat, ipcrm, ipcs, kill, killall, linuxrc, ln, login,
logread, ls, lsmod, lsof, lspci, lsusb, makemime, md5sum, mdev, mkdir,
mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, modinfo, more,
mount, mpstat, mv, nbd-client, nc, netstat, nice, ntpd, pgrep, pidof,
ping, pkill, pmap, poweroff, printf, ps, pstree, pwd, pwdx, reboot,
renice, rev, rfkill, rm, rmdir, rmmod, route, rx, sed, sendmail,
setconsole, setserial, sh, sha3sum, sleep, smemcap, stat, stty, sync,
sysctl, syslogd, tail, tar, telnetd, test, tftp, top, touch, tr, true,
ubiattach, ubidetach, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, udhcpd,
umount, unzip, usleep, vi, watchdog, wc, which, whois, zcat


I am currently poking around. If there is still interest, I'll be back by.
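Added example, not part of the original post: a short Python parser that turns the MTD partition lines of the boot log above into a flash map, checks that the map covers the 128 MiB NAND without gaps or overlaps, and places the reported bad eraseblock and the two UBI attachments in their partitions. The log lines are copied from the post; the mtdN numbering assumes the partitions are registered in the order listed, which matches the log's own "attaching mtd2" / "NAND1-1" lines.

```python
import re

# Excerpt copied from the boot log in the post above.
BOOT_LOG = """\
Bad eraseblock 1023 at 0x000007fe0000
Creating 5 MTD partitions on "NAND 128MiB 3,3V 8-bit":
0x000000000000-0x000000080000 : "SYSTEM"
0x000000080000-0x000001000000 : "EXECUTE"
0x000001000000-0x000003000000 : "NAND1-1"
0x000003000000-0x000007f80000 : "NAND1-2"
0x000007f80000-0x000008000000 : "NAND1-n"
UBI: attached mtd2 to ubi0
UBI: attached mtd3 to ubi1
"""

PART_RE = re.compile(r'^(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"$', re.M)
BAD_RE = re.compile(r"^Bad eraseblock (\d+) at (0x[0-9a-f]+)$", re.M)
UBI_RE = re.compile(r"^UBI: attached mtd(\d+) to (ubi\d+)$", re.M)


def parse_partitions(log):
    """Return the MTD partitions in log order with byte offsets and sizes."""
    parts = []
    for i, m in enumerate(PART_RE.finditer(log)):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        parts.append({"mtd": f"mtd{i}", "name": m.group(3),
                      "start": start, "end": end, "size": end - start})
    return parts


def layout_problems(parts, flash_size):
    """List gaps, overlaps and a size mismatch; an empty list means a clean map."""
    problems, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            problems.append(f"gap {cursor:#x}-{p['start']:#x}")
        elif p["start"] < cursor:
            problems.append(f"overlap at {p['start']:#x} ({p['name']})")
        cursor = max(cursor, p["end"])
    if cursor != flash_size:
        problems.append(f"map ends at {cursor:#x}, flash is {flash_size:#x}")
    return problems


def bad_blocks(log, parts):
    """Return (block number, byte offset, owning partition) per bad eraseblock."""
    found = []
    for m in BAD_RE.finditer(log):
        offset = int(m.group(2), 16)
        owner = next((p["name"] for p in parts
                      if p["start"] <= offset < p["end"]), None)
        found.append((int(m.group(1)), offset, owner))
    return found


def ubi_volumes(log, parts):
    """Map each UBI device to the partition name behind its mtdN."""
    by_mtd = {p["mtd"]: p["name"] for p in parts}
    return {m.group(2): by_mtd.get(f"mtd{m.group(1)}")
            for m in UBI_RE.finditer(log)}


if __name__ == "__main__":
    parts = parse_partitions(BOOT_LOG)
    for p in parts:
        print(f"{p['mtd']} {p['name']:<8} {p['start']:#010x}-{p['end']:#010x} "
              f"{p['size'] // 1024:>6} KiB")
    print("layout problems:", layout_problems(parts, 128 * 1024 * 1024) or "none")
    print("bad blocks:", bad_blocks(BOOT_LOG, parts))
    print("ubi:", ubi_volumes(BOOT_LOG, parts))
```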

Post by oddllama » Sun Aug 30, 2015 6:01 am

Everything in the www folder:

BadPage.html functions.js percentImage_back1.png
OkPage.html fwupgrade.html plus2b.png
bg.jpg hover.jpg plusb.jpg
blank.png hover.png plusb.png
blinkhome.html interfacebg.jpg plusc.png
bodybg.gif java.html progress.js
boxbg.png javascript.html routersetup.html
boxbg_bottom.png logo.jpg sidebarbg.gif
bullet.jpg logo.png style.css
bullet.png menubg1.png style_upgrade.css
cgi-bin menubg2.png tempc.png
circle.png menubg_maintence.png tempf.png
controlbg.jpg minus.png test.html
controlbg.png minusb.jpg test1.html
controlbg3row.png minusc.png test_infra.html
fix.css percentImage.png wifisetup.html

default wifi config:

BOOTPROTO STATIC
DEVICE ra0
IPADDR 192.168.111.100
GATEWAY 192.168.111.1
NETWORK_TYPE Infra
SSID cvteststation01
AUTH_MODE WPA2PSK
ENCRYPT_TYPE AES
AUTH_KEY 81888188
WPS_TRIG_KEY POWER
P2P_IPADDR 192.168.100.1
P2P_SSID SkyEye_MT5931
P2P_AUTH_MODE WPA2PSK
P2P_ENCRYPT_TYPE AES
P2P_AUTH_KEY 12345678
P2P_CHANNEL 6
Post by atom0s » Sun Aug 30, 2015 11:03 am

Nice job to everyone that has posted. :) Glad to see others have interest in this. I got side-tracked with other things so I stopped messing around with my camera. The main purpose we got them for is also no longer happening so we don't use it as often.

Post by LittleJohn » Tue Sep 22, 2015 6:13 am

Hi,

Has anyone gotten any further with this? It is a great little device with Camera, Mic, Speaker, Thermistor, Wifi and possibly USB at a good price. All pros.

But the main con for me is lack of security and the fact it just seems to be happily streaming everything to a 3rd party server.

Things I would like to know:

- Is that a fully working USB port on the back?
- Are there any ports inside available for digital I/O or some other comms I2C, etc (could be handy for adding buttons and sensors).
- How to get root
- How to block streaming to 3rd party server
- How to block remote updates (which might override any hacks)
- How to build and upload a custom/modded firmware

*oddllama* : For those of us new to hacking, could you explain how you extracted your information?

I have a later firmware version and some of the information in the original post has changed... I'll update if I get a response.

Post by phonic » Tue Oct 06, 2015 9:35 am

I've just got Motorola Focus 85, and have it setup with iSpy software.
However, none of the commands to pan and tilt work via the browser, but they work fine on the text.html page.

http://ipaddress/?action=command&command=pan_plus

Has anyone got the commands working outside of the motorola's text page?

I also agree it would be nice to find a way to turn off the outbound live stream to the servers in Canada.

Post by phonic » Wed Oct 07, 2015 9:00 pm

If anyone is still interested, the PTZ commands that work with current firmware are:

move_backward
move_forward
move_left
move_right

Add 9.9 to move max in any direction (e.g. move_left9.9)

They also work with iSpy PTZ and object tracking.

Post by oddllama » Sun Nov 15, 2015 2:47 am

If anyone is interested, I can provide you with the telnet enabled firmware that I pulled from my camera. You can easily modify the config files to prevent calling home and set it up as a regular IP cam. :) There are a lot of tweaks that can be made. Unfortunately it's too big to upload to the boards here.

I have not tested it on my updated cam yet, some files will probably have to be tweaked to be accepted.