"Hacking" The Motorola FOCUS66 Camera

[atom0s]

I'm hoping to download the firmware files directly (similar to what they did here: http://www.contextis.com/resources/blog ... ip-camera/ ) so I'm hoping for the URL...when I get home tonight, I may just do some advanced DNS sniffing.

I can see if I can find the links within the app for my android devices.

[atom0s]

Ok for urls and such within the app, I found the following:

Code: Select all

http://ota.hubble.in/ota1/%s_patch/version.txt
http://ota.hubble.in/ota/%s_patch/version.txt

Firmware file names are build as:
"%s-%s.tar.gz" or "%s-%s.tar"

Firmware seems to download as:
https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz"

Firmware seems to get pushed to the camera via:
UpgradeDialogFirmware.this.pushFirmwareToCamera("http://192.168.193.1:8080/cgi-bin/haserlupgrade.cgi", UpgradeDialogFirmware.2.this.val$filePath, UpgradeDialogFirmware.access$600(UpgradeDialogFirmware.this, UpgradeDialogFirmware.this.modelId, UpgradeDialogFirmware.this.currentFWUpgrade));


Some other firmware download checks:
      if (this.modelId.equals("0086"))
      {
        Object[] arrayOfObject3 = new Object[3];
        arrayOfObject3[0] = this.modelId;
        arrayOfObject3[1] = this.modelId;
        arrayOfObject3[2] = this.firmwareVersion;
        downloadFirmware(String.format("https://ota.hubble.in/ota/%s_patch/%s-%s.tar", arrayOfObject3));
        return;
      }
      if (this.firmwareVersion.equals("01.17.00"))
      {
        Object[] arrayOfObject2 = new Object[3];
        arrayOfObject2[0] = this.modelId;
        arrayOfObject2[1] = this.modelId;
        arrayOfObject2[2] = this.firmwareVersion;
        downloadFirmware(String.format("https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz", arrayOfObject2));
        return;
      }
      Object[] arrayOfObject1 = new Object[3];
      arrayOfObject1[0] = this.modelId;
      arrayOfObject1[1] = this.modelId;
      arrayOfObject1[2] = this.firmwareVersion;
      downloadFirmware(String.format("https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz", arrayOfObject1));
    }

A fullupgrade URL for the camera:
String str = JWebClient.downloadAsString("http://192.168.193.1:8080/cgi-bin/fullupgrade");

Some static strings for various firmware paths:
  public static final String CHECK_LATEST_FW_OTA = "http://ota.hubble.in/ota/%s_patch/version.txt";
  public static final String CHECK_LATEST_FW_OTA1 = "http://ota.hubble.in/ota1/%s_patch/version.txt";

  public static final String CMD_UPGRADE_FW = "http://192.168.193.1:8080/cgi-bin/fullupgrade";

  public static final String FIRMWARE_011700_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz";
  public static final String FIRMWARE_DOWNLOAD_LINK_URL_0086_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar";
  public static final String FIRMWARE_DOWNLOAD_LINK_URL_0854_PATTERN = "https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz";

More static strings:
  private static final String CHECK_DEV_OTA_UPDATE_AVAILABLE_0854_URL = "http://ota.hubble.in/ota1/%s_patch/version_dev.txt";
  private static final String CHECK_DEV_OTA_UPDATE_AVAILABLE_URL = "http://ota.hubble.in/ota/%s_patch/version_dev.txt";
  private static final String CHECK_FW_UPGRADE_CMD = "action=command&command=check_fw_upgrade";
  private static final String CHECK_FW_UPGRADE_RESULT_OK = "check_fw_upgrade: ";
  private static final String CHECK_OTA_UPDATE_AVAILABLE_0854_URL = "http://ota.hubble.in/ota1/%s_patch/version.txt";
  private static final String CHECK_OTA_UPDATE_AVAILABLE_URL = "http://ota.hubble.in/ota/%s_patch/version.txt";
  private static final String DEV_DEVICE_LIST_OTA1_URL = "http://ota.hubble.in/ota1/%s_patch/udid.txt";
  private static final String DEV_DEVICE_LIST_OTA_URL = "http://ota.hubble.in/ota/%s_patch/udid.txt";
  private static final String FIRMWARE_DOWNLOAD_LINK_MODEL_0086_URL_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar";
  private static final String FIRMWARE_DOWNLOAD_LINK_MTAG = "https://ota.hubble.in/ota/06%s_patch/%s-%s.zip";
  private static final String FIRMWARE_DOWNLOAD_LINK_URL_0854_PATTERN = "https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz";
  private static final String FIRMWARE_DOWNLOAD_LINK_URL_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz";
  private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_0854_PATTERN = "http://ota.hubble.in/ota1/%s_patch/%s-%s.md5";
  private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_MTAG = "http://ota.hubble.in/ota/06%s_patch/%s-%s.md5";
  private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_PATTERN = "http://ota.hubble.in/ota/%s_patch/%s-%s.md5";
  private static final String FIRMWARE_TAR = "%s-%s.tar";
  private static final String FIRMWARE_TAR_GZ = "%s-%s.tar.gz";
  private static final String FIRMWARE_ZIP = "%s-%s.zip";
  public static final String FW_VERSION_01_16_01 = "01.16.01";
  public static final String FW_VERSION_01_16_99 = "01.16.99";
  private static final String MODEL_0086_VERSION_STR = "version=";

Here is a useful function to determine your camera's model and such:

Code: Select all

  public static String getModelFromId(String paramString)
  {
    String str = "";
    if (paramString != null)
    {
      if (!paramString.equalsIgnoreCase("0066")) {
        break label22;
      }
      str = "FOCUS66";
    }
    label22:
    do
    {
      return str;
      if (paramString.equalsIgnoreCase("0096")) {
        return "0096";
      }
      if (paramString.equalsIgnoreCase("0036")) {
        return "MBP36N";
      }
      if (paramString.equalsIgnoreCase("0083")) {
        return "MBP83";
      }
      if (paramString.equalsIgnoreCase("0836")) {
        return "MBP836";
      }
      if (paramString.equalsIgnoreCase("0033")) {
        return "MBP33N";
      }
      if (paramString.equalsIgnoreCase("0041")) {
        return "MBP41N";
      }
      if (paramString.equalsIgnoreCase("0085")) {
        return "FOCUS85";
      }
      if (paramString.equalsIgnoreCase("0854")) {
        return "FOCUS854";
      }
      if (paramString.equalsIgnoreCase("0662")) {
        return "0662";
      }
    } while (!paramString.equalsIgnoreCase("1662"));
    return "1662";
  }

This information does seem to be dependent on the camera model. There are checks for various product types and so on.
This information is more or less generic overall and should not trusted to work for any model of camera!

[atom0s]

One of my camera's is model: 0066
Firmware Version: 01.19.30

I would check the version of firmware via:

Code: Select all

http://ota.hubble.in/ota/0066_patch/version.txt
http://ota.hubble.in/ota1/0066_patch/version.txt

Next, to download the firmware directly you'd use that version like this:

Code: Select all

https://ota.hubble.in/ota1/0066_patch/0066-01.19.30.tar.gz

---

Ok so it seems the paths used are based on your camera model.
The code seems to specifically use /ota1/ for all cameras, then falls back to /ota/ if you have a camera model '0086'. So I guess all cameras should use ota1 except that one based on how the code looks.

They also seem to force the use of /ota/ path if you have firmware below version 01.17.00.

[atom0s]

Some more information about the camera passwords:
- The default password the Hubble app will try to use / reset the camera to is: 000000
- The password seems to be stored in: mbp_cpwd.dat
- A default camera username/password combo that is used is: camera:000000

The password file is accessed via the Android SDK functions of:
- getExternalFilesDir(null)
- Environment.getExternalStorageState();

[surfrock66]

PERFECT. My firmware currently is: https://ota.hubble.in/ota1/0066_patch/0 ... .30.tar.gz

I'm doing some research and want ALL current and past firmwares for ALL models, so I'm going to be running this code in bash:

Code: Select all

for a in `seq 0 9`; do 
  for b in `seq 0 9`; do 
    for c in `seq 0 9`; do 
      for d in `seq 0 9`; do 
        echo "Model "$a$b$c$d
        if [ 200 -eq `wget --spider --server-response "https://ota.hubble.in/ota/"$a$b$c$d"_patch/version.txt" 2>&1 | awk '/^  HTTP/{print $2}'` ]; then
          wget "https://ota.hubble.in/ota/"$a$b$c$d"_patch/version.txt" 2>&1 | grep response
          echo "Version: "`cat version.txt`
          k=9; l=9; m=9; n=9; o=9; p=9
          k=`cat version.txt | head -c 1 | tail -c 1`
          if [ $k -eq 0 ]; then 
            l=`cat version.txt | head -c 2 | tail -c 1`
            if [ $l -eq 0 ]; then 
              m=`cat version.txt | head -c 4 | tail -c 1`
              if [ $m -eq 0 ]; then 
                n=`cat version.txt | head -c 5 | tail -c 1`
                if [ $n -eq 0 ]; then 
                  o=`cat version.txt | head -c 7 | tail -c 1`
                  if [ $o -eq 0 ]; then 
                    p=`cat version.txt | head -c 8 | tail -c 1`
                  fi
                fi
              fi
            fi
          fi
          rm version.txt
          for e in `seq 0 $k`; do 
            for f in `seq 0 $l`; do 
              for g in `seq 0 $m`; do 
                for h in `seq 0 $n`; do 
                  for i in `seq 0 9`; do 
                  #for i in `seq 0 $o`; do 
                    for j in `seq 0 9`; do 
                    #for j in `seq 0 $p`; do 
                      filename="https://ota.hubble.in/ota/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar.gz"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                      filename="https://ota.hubble.in/ota/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                    done
                  done
                done
              done
            done
          done
        fi
        sleep 3
        if [ 200 -eq `wget --spider --server-response "https://ota.hubble.in/ota1/"$a$b$c$d"_patch/version.txt" 2>&1 | awk '/^  HTTP/{print $2}'` ]; then
          wget "https://ota.hubble.in/ota1/"$a$b$c$d"_patch/version.txt" 2>&1 | grep response
          echo "Version: "`cat version.txt`
          k=9; l=9; m=9; n=9; o=9; p=9
          k=`cat version.txt | head -c 1 | tail -c 1`
          if [ $k -eq 0 ]; then 
            l=`cat version.txt | head -c 2 | tail -c 1`
            if [ $l -eq 0 ]; then 
              m=`cat version.txt | head -c 4 | tail -c 1`
              if [ $m -eq 0 ]; then 
                n=`cat version.txt | head -c 5 | tail -c 1`
                if [ $n -eq 0 ]; then 
                  o=`cat version.txt | head -c 7 | tail -c 1`
                  if [ $o -eq 0 ]; then 
                    p=`cat version.txt | head -c 8 | tail -c 1`
                  fi
                fi
              fi
            fi
          fi
          rm version.txt
          for e in `seq 0 $k`; do 
            for f in `seq 0 $l`; do 
              for g in `seq 0 $m`; do 
                for h in `seq 0 $n`; do 
                  for i in `seq 0 9`; do 
                  #for i in `seq 0 $o`; do 
                    for j in `seq 0 9`; do 
                    #for j in `seq 0 $p`; do 
                      filename="https://ota.hubble.in/ota1/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar.gz"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                    done
                  done
                done
              done
            done
          done
        fi
      done
    done
  done
done

[atom0s]

Security Concerns
Looking through the firmware download for my cameras version I have found several things that are a bit concerning with security.
There are passwords for hubble's servers in plain text to various things:

Code: Select all

MainAppServerName = "cs.hubble.in/v1";
StunAppServerName = "stun.hubble.in";
StunAppPort = "3478"
StunStandardServer = "stun1.hubble.in:3478";
UPNPAppServerName = "cs.hubble.in";
SnapshotServerName= "cs.hubble.in";
WowzaServerName = "wowza.hubble.in:1935";
SMServerName = "cs.hubble.in";
FtpUploadMode = "without_mux";
FtpServerName = "upload1.hubble.in";
FtpServerUserName = "ftpuser";
FtpServerPassword = "upload@s3";
JsonClipServer = "http://upload1.hubble.in/v1/uploads/clip.json";
JsonSnapServer = "http://upload1.hubble.in/v1/uploads/snap.json";
JsonLogServer = "http://upload1.hubble.in/v1/uploads/log.json";
JsonImageServer = "http://upload1.hubble.in/v1/uploads/image.json";

Code: Select all

  SMTP = ( 
    {
      Host = "smtp.gmail.com";
      Port = "25";
      MailTo = "nuvoton.zy@gmail.com";
      Username = "nuvoton.zy@gmail.com";
      Password = "qwertyuiop,.";
      Subject = "SkyEye Alarm";
      Body = "Attention!! Have an alarm.";
    } );
  FTP = ( 
    {
      Host = "192.168.11.254";
      Port = "21";
      Username = "px30";
      Password = "px30";
      RemotePath = "/Test/AlarmOut/";
    } );
  DROPBOX = ( 
    {
      AppKey = "ue35sfmiplcnob7";
      AppSecret = "0wkhkr6zgitb49n";
      OAuthAccessTokenSecret = "m9rm5ofzr0bnqt5";
      OAuthAccessToken = "sp09g1pjuq3fgpg";
      RemotePath = "/Test/AlarmOut/";
    } );

Code: Select all

  DDNS = (
	{
		/* NO-IP */
		Server	     = "dynupdate.no-ip.com";		
		Username     = "xxxxxxx@xx.yy.zz";
		Password     = "????????";
		Hostname     = "xxxxxx.no-ip.org";
	}

Code: Select all

MainAppServerName = bms.demo.simplimonitor.com
StunAppServerName = stun.demo.simplimonitor.com
StunAppPort = 3478
UPNPAppServerName = bms.demo.simplimonitor.com
SnapshotServerName= bms.demo.simplimonitor.com
WowzaServerName = nxcomm-office.no-ip.info:1935
SMServerName = nxcomm-office.no-ip.info
FtpUploadMode = without_mux
FtpServerName = nxcomm-office.no-ip.info
FtpServerUserName = demo
FtpServerPassword = abc123
JsonClipServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/clip.json
JsonSnapServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/snap.json
JsonLogServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/log.json

Code: Select all

  SMTP = ( 
    {
      Host = "smtp.gmail.com";
      Port = "25";
      MailTo = "nuvoton.zy@gmail.com";
      Username = "nuvoton.zy@gmail.com";
      Password = "qwertyuiop,.";
      Subject = "SkyEye Alarm";
      Body = "Attention!! Have an alarm.";
    } );
  FTP = ( 
    {
      Host = "192.168.11.254";
      Port = "21";
      Username = "px30";
      Password = "px30";
      RemotePath = "/Test/AlarmOut/";
    } );
  DROPBOX = ( 
    {
      AppKey = "ue35sfmiplcnob7";
      AppSecret = "0wkhkr6zgitb49n";
      OAuthAccessTokenSecret = "m9rm5ofzr0bnqt5";
      OAuthAccessToken = "sp09g1pjuq3fgpg";
      RemotePath = "/Test/AlarmOut/";
    } );
  PUSH_NOTIFICATION = ( 
    {
      ServerName = "hubble.in";
      UseHTTPS = "1";
    } );

[surfrock66]

Hmm; none of those WAN-addressed FTP servers respond and that gmail account's password was changed. Good find though.

From the firmware, there's a bunch of libraries, but I don't see a kernel or system image, so I think they're encoded in the .bin in there, whcih I'm trying to deconstruct now.

[surfrock66]

Ok using this: https://github.com/devttys0/binwalk

I was able to extract the actual OS from conprog.bin.00_07.

Seems the linux is in there (and is pretty static, it's like a romfs image), then the skyeye.zip is extracted and mounted to /mnt at boot. The skyeye code is easier to update.

[redrider8606]

it sounds like you guys have figured this one out. I have been searching for hours trying to find a solution to the horrible software that comes with the focus66 camera. Can anyone here walk me through how to connect these to a 3rd party software where the feed isn't sent out to unknown sources? I don't know much about commands and how to send them to the camera so please if anyone can help it would be much appreciated.Thanks!!

[jfarrell423]

Has anyone put together a set of instructions on how to get into the camera and use it outside Hubble. I am thinking it would be easy for an Internet Of Things hobbyist. I have 4 cameras and have been a computer analyst for 30 years. I would attempt to try to program it or try to consume the video stream using my own home built server.