surfrock66 wrote: I'm hoping to download the firmware files directly (similar to what they did here: http://www.contextis.com/resources/blog ... ip-camera/ ) so I'm hoping for the URL...when I get home tonight, I may just do some advanced DNS sniffing.
I can see if I can find the links within the app for my Android devices.
Moving To Discord: https://discord.gg/UmXNvjq
Hello everyone, due to bugs with the forum software that I do not have time to care about, I am going to be shutting down these forums and moving my discussions to Discord instead. I will eventually keep releases here on the site but the forums will be removed sooner or later. I encourage people to join my personal Discord if you have questions, if you are looking for any of my projects, etc.
Registration Code (Part 1): w%kQ6
Registration Code (Part 2): b<#$1[*(cw~
In order to register on this forum, you must use the codes above. Combine them into one code (copy paste).
"Hacking" The Motorola FOCUS66 Camera
- atom0s
- Site Admin
- Posts: 450
- Joined: Sun Jan 04, 2015 11:23 pm
- Location: 127.0.0.1
- Contact:
Re: "Hacking" The Motorola FOCUS66 Camera
Derp~
Need a great web host? Check out: AnHonestHost.com
Donations can be made via Paypal:
https://www.paypal.me/atom0s
- atom0s
- Site Admin
- Posts: 450
- Joined: Sun Jan 04, 2015 11:23 pm
- Location: 127.0.0.1
- Contact:
Re: "Hacking" The Motorola FOCUS66 Camera
Ok for urls and such within the app, I found the following:
Code:
http://ota.hubble.in/ota1/%s_patch/version.txt
http://ota.hubble.in/ota/%s_patch/version.txt
Firmware file names are built as:
"%s-%s.tar.gz" or "%s-%s.tar"
Firmware seems to download as:
"https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz"
Firmware seems to get pushed to the camera via:
UpgradeDialogFirmware.this.pushFirmwareToCamera("http://192.168.193.1:8080/cgi-bin/haserlupgrade.cgi", UpgradeDialogFirmware.2.this.val$filePath, UpgradeDialogFirmware.access$600(UpgradeDialogFirmware.this, UpgradeDialogFirmware.this.modelId, UpgradeDialogFirmware.this.currentFWUpgrade));
Some other firmware download checks:
    // Model 0086: plain .tar under /ota/
    if (this.modelId.equals("0086"))
    {
        Object[] arrayOfObject3 = new Object[3];
        arrayOfObject3[0] = this.modelId;
        arrayOfObject3[1] = this.modelId;
        arrayOfObject3[2] = this.firmwareVersion;
        downloadFirmware(String.format("https://ota.hubble.in/ota/%s_patch/%s-%s.tar", arrayOfObject3));
        return;
    }
    // Firmware version 01.17.00: .tar.gz under /ota/
    if (this.firmwareVersion.equals("01.17.00"))
    {
        Object[] arrayOfObject2 = new Object[3];
        arrayOfObject2[0] = this.modelId;
        arrayOfObject2[1] = this.modelId;
        arrayOfObject2[2] = this.firmwareVersion;
        downloadFirmware(String.format("https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz", arrayOfObject2));
        return;
    }
    // Everything else: .tar.gz under /ota1/
    Object[] arrayOfObject1 = new Object[3];
    arrayOfObject1[0] = this.modelId;
    arrayOfObject1[1] = this.modelId;
    arrayOfObject1[2] = this.firmwareVersion;
    downloadFirmware(String.format("https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz", arrayOfObject1));
} // end of the enclosing method (its header is not part of this excerpt)
A fullupgrade URL for the camera:
String str = JWebClient.downloadAsString("http://192.168.193.1:8080/cgi-bin/fullupgrade");
Some static strings for various firmware paths:
public static final String CHECK_LATEST_FW_OTA = "http://ota.hubble.in/ota/%s_patch/version.txt";
public static final String CHECK_LATEST_FW_OTA1 = "http://ota.hubble.in/ota1/%s_patch/version.txt";
public static final String CMD_UPGRADE_FW = "http://192.168.193.1:8080/cgi-bin/fullupgrade";
public static final String FIRMWARE_011700_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz";
public static final String FIRMWARE_DOWNLOAD_LINK_URL_0086_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar";
public static final String FIRMWARE_DOWNLOAD_LINK_URL_0854_PATTERN = "https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz";
More static strings:
private static final String CHECK_DEV_OTA_UPDATE_AVAILABLE_0854_URL = "http://ota.hubble.in/ota1/%s_patch/version_dev.txt";
private static final String CHECK_DEV_OTA_UPDATE_AVAILABLE_URL = "http://ota.hubble.in/ota/%s_patch/version_dev.txt";
private static final String CHECK_FW_UPGRADE_CMD = "action=command&command=check_fw_upgrade";
private static final String CHECK_FW_UPGRADE_RESULT_OK = "check_fw_upgrade: ";
private static final String CHECK_OTA_UPDATE_AVAILABLE_0854_URL = "http://ota.hubble.in/ota1/%s_patch/version.txt";
private static final String CHECK_OTA_UPDATE_AVAILABLE_URL = "http://ota.hubble.in/ota/%s_patch/version.txt";
private static final String DEV_DEVICE_LIST_OTA1_URL = "http://ota.hubble.in/ota1/%s_patch/udid.txt";
private static final String DEV_DEVICE_LIST_OTA_URL = "http://ota.hubble.in/ota/%s_patch/udid.txt";
private static final String FIRMWARE_DOWNLOAD_LINK_MODEL_0086_URL_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar";
private static final String FIRMWARE_DOWNLOAD_LINK_MTAG = "https://ota.hubble.in/ota/06%s_patch/%s-%s.zip";
private static final String FIRMWARE_DOWNLOAD_LINK_URL_0854_PATTERN = "https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz";
private static final String FIRMWARE_DOWNLOAD_LINK_URL_PATTERN = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz";
private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_0854_PATTERN = "http://ota.hubble.in/ota1/%s_patch/%s-%s.md5";
private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_MTAG = "http://ota.hubble.in/ota/06%s_patch/%s-%s.md5";
private static final String FIRMWARE_MD5_DOWNLOAD_LINK_URL_PATTERN = "http://ota.hubble.in/ota/%s_patch/%s-%s.md5";
private static final String FIRMWARE_TAR = "%s-%s.tar";
private static final String FIRMWARE_TAR_GZ = "%s-%s.tar.gz";
private static final String FIRMWARE_ZIP = "%s-%s.zip";
public static final String FW_VERSION_01_16_01 = "01.16.01";
public static final String FW_VERSION_01_16_99 = "01.16.99";
private static final String MODEL_0086_VERSION_STR = "version=";
Here is a useful function to determine your camera's model and such:
Code:
// Maps the four-digit model id to a model name; unknown or null ids return "".
// (Decompiler label/do-while artifacts replaced with plain returns.)
public static String getModelFromId(String paramString)
{
    if (paramString == null) {
        return "";
    }
    if (paramString.equalsIgnoreCase("0066")) {
        return "FOCUS66";
    }
    if (paramString.equalsIgnoreCase("0096")) {
        return "0096";
    }
    if (paramString.equalsIgnoreCase("0036")) {
        return "MBP36N";
    }
    if (paramString.equalsIgnoreCase("0083")) {
        return "MBP83";
    }
    if (paramString.equalsIgnoreCase("0836")) {
        return "MBP836";
    }
    if (paramString.equalsIgnoreCase("0033")) {
        return "MBP33N";
    }
    if (paramString.equalsIgnoreCase("0041")) {
        return "MBP41N";
    }
    if (paramString.equalsIgnoreCase("0085")) {
        return "FOCUS85";
    }
    if (paramString.equalsIgnoreCase("0854")) {
        return "FOCUS854";
    }
    if (paramString.equalsIgnoreCase("0662")) {
        return "0662";
    }
    if (paramString.equalsIgnoreCase("1662")) {
        return "1662";
    }
    return "";
}
This information does seem to be dependent on the camera model. There are checks for various product types and so on.
This information is more or less generic overall and should not be trusted to work for any model of camera!
- atom0s
- Site Admin
- Posts: 450
- Joined: Sun Jan 04, 2015 11:23 pm
- Location: 127.0.0.1
- Contact:
Re: "Hacking" The Motorola FOCUS66 Camera
One of my cameras is model: 0066
Firmware Version: 01.19.30
I would check the version of firmware via:
Code:
http://ota.hubble.in/ota/0066_patch/version.txt
http://ota.hubble.in/ota1/0066_patch/version.txt
Next, to download the firmware directly you'd use that version like this:
Code:
https://ota.hubble.in/ota1/0066_patch/0066-01.19.30.tar.gz
---
Ok so it seems the paths used are based on your camera model.
The code seems to specifically use /ota1/ for all cameras, then falls back to /ota/ if you have a camera model '0086'. So I guess all cameras should use ota1 except that one based on how the code looks.
They also seem to force the use of /ota/ path if you have firmware below version 01.17.00.
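The path selection discussed in the two posts above, as an added example that is not part of the original thread or of the Hubble app: it follows the branch order of the decompiled snippet (model 0086, then version 01.17.00, then the /ota1/ default) and checks a downloaded archive against its published .md5. Pairing each archive with the .md5 in the same directory and the md5sum-style file layout are assumptions, and the sample bytes are constructed.

```python
import hashlib
import re

# Patterns copied from the decompiled constants quoted in the thread.
OTA_TAR = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar"
OTA_TGZ = "https://ota.hubble.in/ota/%s_patch/%s-%s.tar.gz"
OTA1_TGZ = "https://ota.hubble.in/ota1/%s_patch/%s-%s.tar.gz"
OTA_MD5 = "http://ota.hubble.in/ota/%s_patch/%s-%s.md5"
OTA1_MD5 = "http://ota.hubble.in/ota1/%s_patch/%s-%s.md5"

MODEL_RE = re.compile(r"\d{4}")
VERSION_RE = re.compile(r"\d{2}\.\d{2}\.\d{2}")


def firmware_urls(model_id, version):
    """Return (archive_url, md5_url) in the decompiled branch order."""
    if not MODEL_RE.fullmatch(model_id) or not VERSION_RE.fullmatch(version):
        raise ValueError("unexpected model id or version format")
    args = (model_id, model_id, version)
    if model_id == "0086":
        return OTA_TAR % args, OTA_MD5 % args
    if version == "01.17.00":
        return OTA_TGZ % args, OTA_MD5 % args
    # Assumption: the /ota1/ archive is paired with the /ota1/ .md5 pattern.
    return OTA1_TGZ % args, OTA1_MD5 % args


def parse_md5_file(text):
    """Accept a bare digest or an md5sum-style '<digest>  <name>' line."""
    m = re.match(r"\s*([0-9a-fA-F]{32})\b", text)
    if not m:
        raise ValueError("no MD5 digest found")
    return m.group(1).lower()


def verify_firmware(blob, md5_text, md5_url):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if hashlib.md5(blob).hexdigest() != parse_md5_file(md5_text):
        findings.append("digest mismatch")
    if md5_url.startswith("http://"):
        # A digest served over plain HTTP catches corruption, not tampering:
        # whoever can alter the archive in transit can alter the digest too.
        findings.append("digest fetched over plain HTTP")
    return findings


if __name__ == "__main__":
    archive_url, md5_url = firmware_urls("0066", "01.19.30")
    blob = b"constructed stand-in for the firmware archive"
    md5_text = hashlib.md5(blob).hexdigest() + "  0066-01.19.30.tar.gz\n"
    print(archive_url)
    print(verify_firmware(blob, md5_text, md5_url))
    print(verify_firmware(blob + b"!", md5_text, md5_url))
```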
- atom0s
- Site Admin
- Posts: 450
- Joined: Sun Jan 04, 2015 11:23 pm
- Location: 127.0.0.1
- Contact:
Re: "Hacking" The Motorola FOCUS66 Camera
Some more information about the camera passwords:
- The default password the Hubble app will try to use / reset the camera to is: 000000
- The password seems to be stored in: mbp_cpwd.dat
- A default camera username/password combo that is used is: camera:000000
The password file is accessed via the Android SDK functions of:
- getExternalFilesDir(null)
- Environment.getExternalStorageState();
-
- Posts: 5
- Joined: Fri Mar 11, 2016 10:02 am
Re: "Hacking" The Motorola FOCUS66 Camera
PERFECT. My firmware currently is: https://ota.hubble.in/ota1/0066_patch/0 ... .30.tar.gz
I'm doing some research and want ALL current and past firmwares for ALL models, so I'm going to be running this code in bash:
Code:
for a in `seq 0 9`; do
  for b in `seq 0 9`; do
    for c in `seq 0 9`; do
      for d in `seq 0 9`; do
        echo "Model "$a$b$c$d
        if [ 200 -eq `wget --spider --server-response "https://ota.hubble.in/ota/"$a$b$c$d"_patch/version.txt" 2>&1 | awk '/^ HTTP/{print $2}'` ]; then
          wget "https://ota.hubble.in/ota/"$a$b$c$d"_patch/version.txt" 2>&1 | grep response
          echo "Version: "`cat version.txt`
          k=9; l=9; m=9; n=9; o=9; p=9
          k=`cat version.txt | head -c 1 | tail -c 1`
          if [ $k -eq 0 ]; then
            l=`cat version.txt | head -c 2 | tail -c 1`
            if [ $l -eq 0 ]; then
              m=`cat version.txt | head -c 4 | tail -c 1`
              if [ $m -eq 0 ]; then
                n=`cat version.txt | head -c 5 | tail -c 1`
                if [ $n -eq 0 ]; then
                  o=`cat version.txt | head -c 7 | tail -c 1`
                  if [ $o -eq 0 ]; then
                    p=`cat version.txt | head -c 8 | tail -c 1`
                  fi
                fi
              fi
            fi
          fi
          rm version.txt
          for e in `seq 0 $k`; do
            for f in `seq 0 $l`; do
              for g in `seq 0 $m`; do
                for h in `seq 0 $n`; do
                  for i in `seq 0 9`; do
                  #for i in `seq 0 $o`; do
                    for j in `seq 0 9`; do
                    #for j in `seq 0 $p`; do
                      filename="https://ota.hubble.in/ota/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar.gz"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                      filename="https://ota.hubble.in/ota/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                    done
                  done
                done
              done
            done
          done
        fi
        sleep 3
        if [ 200 -eq `wget --spider --server-response "https://ota.hubble.in/ota1/"$a$b$c$d"_patch/version.txt" 2>&1 | awk '/^ HTTP/{print $2}'` ]; then
          wget "https://ota.hubble.in/ota1/"$a$b$c$d"_patch/version.txt" 2>&1 | grep response
          echo "Version: "`cat version.txt`
          k=9; l=9; m=9; n=9; o=9; p=9
          k=`cat version.txt | head -c 1 | tail -c 1`
          if [ $k -eq 0 ]; then
            l=`cat version.txt | head -c 2 | tail -c 1`
            if [ $l -eq 0 ]; then
              m=`cat version.txt | head -c 4 | tail -c 1`
              if [ $m -eq 0 ]; then
                n=`cat version.txt | head -c 5 | tail -c 1`
                if [ $n -eq 0 ]; then
                  o=`cat version.txt | head -c 7 | tail -c 1`
                  if [ $o -eq 0 ]; then
                    p=`cat version.txt | head -c 8 | tail -c 1`
                  fi
                fi
              fi
            fi
          fi
          rm version.txt
          for e in `seq 0 $k`; do
            for f in `seq 0 $l`; do
              for g in `seq 0 $m`; do
                for h in `seq 0 $n`; do
                  for i in `seq 0 9`; do
                  #for i in `seq 0 $o`; do
                    for j in `seq 0 9`; do
                    #for j in `seq 0 $p`; do
                      filename="https://ota.hubble.in/ota1/"$a$b$c$d"_patch/"$a$b$c$d"-"$e$f"."$g$h"."$i$j".tar.gz"
                      echo $filename
                      wget $filename 2>&1 | grep response
                      echo ""
                      sleep 3
                    done
                  done
                done
              done
            done
          done
        fi
      done
    done
  done
done
- atom0s
- Site Admin
- Posts: 450
- Joined: Sun Jan 04, 2015 11:23 pm
- Location: 127.0.0.1
- Contact:
Re: "Hacking" The Motorola FOCUS66 Camera
Security Concerns
Looking through the firmware download for my cameras version I have found several things that are a bit concerning with security.
There are passwords for hubble's servers in plain text to various things:
Code:
MainAppServerName = "cs.hubble.in/v1";
StunAppServerName = "stun.hubble.in";
StunAppPort = "3478"
StunStandardServer = "stun1.hubble.in:3478";
UPNPAppServerName = "cs.hubble.in";
SnapshotServerName= "cs.hubble.in";
WowzaServerName = "wowza.hubble.in:1935";
SMServerName = "cs.hubble.in";
FtpUploadMode = "without_mux";
FtpServerName = "upload1.hubble.in";
FtpServerUserName = "ftpuser";
FtpServerPassword = "upload@s3";
JsonClipServer = "http://upload1.hubble.in/v1/uploads/clip.json";
JsonSnapServer = "http://upload1.hubble.in/v1/uploads/snap.json";
JsonLogServer = "http://upload1.hubble.in/v1/uploads/log.json";
JsonImageServer = "http://upload1.hubble.in/v1/uploads/image.json";
Code:
SMTP = (
{
Host = "smtp.gmail.com";
Port = "25";
MailTo = "nuvoton.zy@gmail.com";
Username = "nuvoton.zy@gmail.com";
Password = "qwertyuiop,.";
Subject = "SkyEye Alarm";
Body = "Attention!! Have an alarm.";
} );
FTP = (
{
Host = "192.168.11.254";
Port = "21";
Username = "px30";
Password = "px30";
RemotePath = "/Test/AlarmOut/";
} );
DROPBOX = (
{
AppKey = "ue35sfmiplcnob7";
AppSecret = "0wkhkr6zgitb49n";
OAuthAccessTokenSecret = "m9rm5ofzr0bnqt5";
OAuthAccessToken = "sp09g1pjuq3fgpg";
RemotePath = "/Test/AlarmOut/";
} );
Code:
DDNS = (
{
/* NO-IP */
Server = "dynupdate.no-ip.com";
Username = "xxxxxxx@xx.yy.zz";
Password = "????????";
Hostname = "xxxxxx.no-ip.org";
}
Code:
MainAppServerName = bms.demo.simplimonitor.com
StunAppServerName = stun.demo.simplimonitor.com
StunAppPort = 3478
UPNPAppServerName = bms.demo.simplimonitor.com
SnapshotServerName= bms.demo.simplimonitor.com
WowzaServerName = nxcomm-office.no-ip.info:1935
SMServerName = nxcomm-office.no-ip.info
FtpUploadMode = without_mux
FtpServerName = nxcomm-office.no-ip.info
FtpServerUserName = demo
FtpServerPassword = abc123
JsonClipServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/clip.json
JsonSnapServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/snap.json
JsonLogServer = http://nxcomm-office.no-ip.info:10101/v1/uploads/log.json
Code:
SMTP = (
{
Host = "smtp.gmail.com";
Port = "25";
MailTo = "nuvoton.zy@gmail.com";
Username = "nuvoton.zy@gmail.com";
Password = "qwertyuiop,.";
Subject = "SkyEye Alarm";
Body = "Attention!! Have an alarm.";
} );
FTP = (
{
Host = "192.168.11.254";
Port = "21";
Username = "px30";
Password = "px30";
RemotePath = "/Test/AlarmOut/";
} );
DROPBOX = (
{
AppKey = "ue35sfmiplcnob7";
AppSecret = "0wkhkr6zgitb49n";
OAuthAccessTokenSecret = "m9rm5ofzr0bnqt5";
OAuthAccessToken = "sp09g1pjuq3fgpg";
RemotePath = "/Test/AlarmOut/";
} );
PUSH_NOTIFICATION = (
{
ServerName = "hubble.in";
UseHTTPS = "1";
} );
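One way to audit an extracted firmware tree for the kind of settings shown in the post above, as an added example that is not part of the original thread: it parses the `Key = "value";` and bare `Key = value` styles seen in the quoted configs, tracks the `NAME = ( { ... } );` sections, and reports hardcoded secrets and cleartext endpoints without echoing the secret values. The key-name heuristics, the placeholder rule and the sample config are constructed for illustration.

```python
import re

# Quoted values may contain ';' or spaces; bare values end at whitespace.
SETTING_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([^;\s]+))\s*;?\s*$')
SECTION_RE = re.compile(r'^\s*(\w+)\s*=\s*\(\s*$')
SECRET_KEY_RE = re.compile(r"password|secret|token", re.I)
CLEARTEXT_RE = re.compile(r"^(http|ftp)://", re.I)


def is_placeholder(value):
    """Template values such as "????????" or "xxxx" are not real secrets."""
    return not value or set(value) <= set("xX?*")


def scan_config(text):
    """Return (line_no, section, key, issue) tuples; values are never echoed."""
    findings = []
    section = None
    for line_no, line in enumerate(text.splitlines(), 1):
        opened = SECTION_RE.match(line)
        if opened:
            section = opened.group(1)
            continue
        stripped = line.strip()
        if stripped.startswith("}") and ")" in stripped:
            section = None  # "} );" closes the current section
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue  # braces, comments, blank lines
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if SECRET_KEY_RE.search(key) and not is_placeholder(value):
            findings.append((line_no, section, key, "hardcoded secret"))
        elif CLEARTEXT_RE.match(value):
            findings.append((line_no, section, key, "cleartext endpoint"))
    return findings


# Constructed sample in the same layout as the configs quoted in the thread.
SAMPLE = '''\
FtpServerName = "upload.example.invalid";
FtpServerPassword = "constructed;pass";
JsonClipServer = "http://upload.example.invalid/v1/uploads/clip.json";
DDNS = (
{
/* NO-IP */
Password = "????????";
} );
DROPBOX = (
{
AppSecret = "constructed-secret";
} );
SMServerName = example.invalid
FtpServerPassword = constructed-bare
'''

if __name__ == "__main__":
    for finding in scan_config(SAMPLE):
        print(finding)
```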
-
- Posts: 5
- Joined: Fri Mar 11, 2016 10:02 am
Re: "Hacking" The Motorola FOCUS66 Camera
Hmm; none of those WAN-addressed FTP servers respond and that gmail account's password was changed. Good find though.
From the firmware, there's a bunch of libraries, but I don't see a kernel or system image, so I think they're encoded in the .bin in there, which I'm trying to deconstruct now.
-
- Posts: 5
- Joined: Fri Mar 11, 2016 10:02 am
Re: "Hacking" The Motorola FOCUS66 Camera
Ok using this: https://github.com/devttys0/binwalk
I was able to extract the actual OS from conprog.bin.00_07.
Seems the linux is in there (and is pretty static, it's like a romfs image), then the skyeye.zip is extracted and mounted to /mnt at boot. The skyeye code is easier to update.
-
- Posts: 1
- Joined: Tue Apr 26, 2016 2:07 pm
Re: "Hacking" The Motorola FOCUS66 Camera
It sounds like you guys have figured this one out. I have been searching for hours trying to find a solution to the horrible software that comes with the focus66 camera. Can anyone here walk me through how to connect these to a 3rd party software where the feed isn't sent out to unknown sources? I don't know much about commands and how to send them to the camera so please if anyone can help it would be much appreciated. Thanks!!
-
- Posts: 2
- Joined: Fri Aug 05, 2016 9:45 am
Re: "Hacking" The Motorola FOCUS66 Camera
Has anyone put together a set of instructions on how to get into the camera and use it outside Hubble? I am thinking it would be easy for an Internet Of Things hobbyist. I have 4 cameras and have been a computer analyst for 30 years. I would attempt to try to program it or try to consume the video stream using my own home built server.