Apr
13

IP Camera’s and other toys :: Notes from the edge

Lawrence Sheed // 13 Apr 2010 // 3 Comments

When I was younger, I used to like taking things apart.  I still do that, but they tend to work better these days, hehe

This last few weeks I’ve been playing with IP Camera’s for a pet project that started off as a request over Skype for info about surveillance.
As the ever useful Taobao is full of vendors selling the same 4 or 5 camera’s for reasonable prices I ordered a couple to take a peek at.

I’ve only taken one apart so far – the really really cheap one that I installed in the office so I can get a look at who comes up the stairs without having to move my fat ass out of the chair.  A quick shortcut in FF, and it works quite nicely as a separate browser window in the corner of the desktop.

Onto the discovery phase :)

I had a quick spin with NMAP, but other than discovering that they rather naughtily misuse a Mac Address assigned to the evil Cisco, not much help.
Also nothing appeared to be running on any other ports than the web port :(
nmap -A 192.168.0.88

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-13 19:27 CST
Interesting ports on 192.168.0.88:
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
|_ html-title: IPCamera
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.00%I=7%D=4/13%Time=4BC45529%P=i686-pc-linux-gnu%r(GetReq
SF:uest,2E1,"HTTP/1\.1\x20200\x20OK\r\nExpires:\x200\r\nConnection:\x20clo
SF:se\r\ncache-control:\x20no-cache\r\n\r\n\r\n
SF:IPCamera\r\n\r
SF:\n\r\n\r\n\r\n\r\n
SF:\r\n\r\n\r\n\r\n\r\n\r\n\r\n<BODY\x20onLoad=\" SF:doPop\(\);\">\xb6\xd4\xb2\xbb\xc6\xf0\xa3\xac\xc4\xfa\xb5\xc4\xe4\xaf\x
SF:c0\xc0\xc6\xf7\xb2\xbb\xd6\xa7\xb3\xd6\xbf\xf2\xbc\xdc\xa3\xa1</BODY></ SF:NOFRAMES>\r\n</FRAMESET>\r\n\r\n</HTML>\r\n")%r(FourOhFourRequest,1DF,"
SF:HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r\ncache-control:\x20no-
SF:cache\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n<meta\x20http-equiv SF:=\"Content-Type\"\x20content=\"text/html;\x20charset=gb2312\"></HEAD>\r
SF:\n<BODY\x20BGCOLOR=\"#C4CEEF\"\x20onLoad=\"window\.status='\xbb\xb6\xd3 SF:\xad\xca\xb9\xd3\xc3\xcd\xf8\xc2\xe7\xc9\xe3\xcf\xf1\xbb\xfa!';return\x SF:20true;\">\r\n\r\n
<TABLE\x20WIDTH=140\x20BORDER=0\x20CELLSPACING=0\x20C SF:ELLPADDING=0>\r\n
<TR>\r\n\t
<TD\x20HEIGHT=80\x20ALIGN=center\x20BGCOLOR= SF:\"#C4CEEF\"><FONT\x20color=\"#FF6633\"\x20size=\"\+2\"\x20FACE=\"Arial\ SF:"><B>IP\x20Camera</B></FONT></TD>

\r\n</TR>

\r\n</TABLE>

\r\n\r\n</BODY>\r
SF:\n</HTML>\r\n");
MAC Address: 00:0A:42:33:66:54 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop

Next up is the usual dissection. I had done some minor googling on the device I bought, which is basically this below:

As its an OEM product, this is available under a whole bunch of different names – mostly with IP-510 or similar in the title, eg LTI-510 etc.

For a cheap OEM product, it actually seems to be reasonably well made though – the Case is an nice and solid aluminium sheath that looks like its been repurposed from something else, and the board itself is suprisingly well diagrammed. Its almost made for hacking!

Chips onboard are as follows:

25.0618mhz crystal from TXC – bonus points for why its 25mhz. Reply in the comments :)
Davicom DM9008AEP, TRC9016NLE (both for Ethernet. imho Davicom is a second-rate Realtek)
ViMicro VC0528BRVC (Camera processor / CCD Controller)
And last, but not least, our CPU, which is an 8051, although not from ATMEL.
Part number on that is C8051F340. My first guess is that it incorporates some integrated flash on there for firmware. Unfortunately its likely to be all C and Assembler, and the last time I did embedded 8051 stuff was in the early 90′s.

Google confirms it – basically its an all in one controller with 32 or 64KB onboard, and roughly 4k ram. Woohoo!

Datasheet here – http://www.alldatasheet.com/datasheet-pdf/pdf/182721/SILABS/C8051F340.html

Good news is that the board has serial out clearly labeled on the top left side. Better news is that the chip has an onboard debug mode, so I don’t even need any ICE (In Circuit Emulation) tools should I want to take a look. Bad news is that I’m probably going to be too lazy to do it, as its more work and less fun than the second one I bought, which has Linux running on it.

That said, this one is cheap. Real cheap. Cheap enough that its probably worth knocking out a decent firmware, and reselling it with a better UI, and more features.
Might be possible, although anything more than whats there is probably stretching it given the ram / storage constraints. Looks like its all offboard processing/streaming for this model!

There are also some unpopulated spots on the board, which I strongly suspect would be for audio, given the board has a MIC input and no Mic, and the main controller is a ViMicro, which supports MP3 output also…

I’ll see if I can find a firmware file, and do a disassembly, or more probably see what I get out of the serial port connection in the near future.

Photos below. [Excuse the pasty white hands, its still winter for some reason in Shanghai, despite being April... Oh global warming. Where art thou, when I needest thee!]:

Some further files for the curious here –

http://kuklin.ru/ip400cam

April 13, 2010   //   Technical Mumbo Jumbo   //   3 Comments   //   Tags: , , , , , , ,

3 Comments to “IP Camera’s and other toys :: Notes from the edge”

  • ertszi says:
    June 15, 2010 at 2:54 am

    I got this too! I’m looking afford your post on this!

    Somebody got this working on zoneminder
    http://www.zoneminder.com/forums/viewtopic.php?p=59162

    Reply
  • Colin Munro says:
    July 20, 2011 at 9:03 am

    Looking at the insides of mine, it looks like the ones photographed in the kuklin.ru site, instead of the photos of yours.

    In this configuration I appear to have the same CPU and ethernet controller, but the two boards are connected by only four points, so they must be communicating serially. Looking at the photos from kuklin.ru I think the video controller is attached to P1.0 and P1.1.

    Additionally there’s a 128Kb RAM chip thrown in there too, which is double the external address bus’s capability so I wonder if there’s some banking going on (especially with the ethernet controller having a RAM interface too)

    Our boards are also lacking all those nice labels :( Looks like creating improved firmware may till be more than trivial.

    Reply

Post comment

Archives

Categories

Most Popular Posts

Tags

adsl Apache Apple arm7 bmw china china telecom Chinese Spyware Removal Howto coffee cool debian disassembly dns firmware foscam Google government hacking hardware howto how to icp ipcam iPhone Kitto krups licence Mac miibeian mini3i nc745 nespresso nuvoton ophone outage problem Replace shanghai spam taobao Thoughts Time Machine Tuning uclinux video

Recent Comments

  • HenryX: If you have any problems about motocycle , I can answer you. I am a local Shanghaier with a 5 years’...
  • Johnny E: Hi Lawrence.. i have a 1999 Bmw E46 320i, i had to change the engine because it was broken, and now i...
  • Lawrence Sheed: Zoneminder is a video monitoring capture system. I have an IP Camera pointed at the entrance, and...
  • Shaun Wallace: That is pretty cool, and cheap too! I may order one thanks to your recommendation. What is zone...
  • Hector: My country doesn’t require a license for MOPEDS & no highway sticker. Liability and the cost of...

Recent Trackbacks

PHOTOSTREAM

Side Art