Support

Blog

When I was younger, I used to like taking things apart.  I still do that, but they tend to work better these days, hehe

This last few weeks I’ve been playing with IP Camera’s for a pet project that started off as a request over Skype for info about surveillance.
As the ever useful Taobao is full of vendors selling the same 4 or 5 camera’s for reasonable prices I ordered a couple to take a peek at.

I’ve only taken one apart so far – the really really cheap one that I installed in the office so I can get a look at who comes up the stairs without having to move my fat ass out of the chair.  A quick shortcut in FF, and it works quite nicely as a separate browser window in the corner of the desktop.

Onto the discovery phase 🙂

I had a quick spin with NMAP, but other than discovering that they rather naughtily misuse a Mac Address assigned to the evil Cisco, not much help.
Also nothing appeared to be running on any other ports than the web port 🙁
nmap -A 192.168.0.88

Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-13 19:27 CST
Interesting ports on 192.168.0.88:
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
|_ html-title: IPCamera
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.00%I=7%D=4/13%Time=4BC45529%P=i686-pc-linux-gnu%r(GetReq
SF:uest,2E1,"HTTP/1\.1\x20200\x20OK\r\nExpires:\x200\r\nConnection:\x20clo
SF:se\r\ncache-control:\x20no-cache\r\n\r\n\r\n
SF:IPCamera\r\n\r
SF:\n\r\n\r\n\r\n\r\n
SF:\r\n\r\n\r\n\r\n\r\n\r\n\r\n<BODY\x20onLoad=\" SF:doPop\(\);\">\xb6\xd4\xb2\xbb\xc6\xf0\xa3\xac\xc4\xfa\xb5\xc4\xe4\xaf\x
SF:c0\xc0\xc6\xf7\xb2\xbb\xd6\xa7\xb3\xd6\xbf\xf2\xbc\xdc\xa3\xa1</BODY></ SF:NOFRAMES>\r\n</FRAMESET>\r\n\r\n</HTML>\r\n")%r(FourOhFourRequest,1DF,"
SF:HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r\ncache-control:\x20no-
SF:cache\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n<meta\x20http-equiv SF:=\"Content-Type\"\x20content=\"text/html;\x20charset=gb2312\"></HEAD>\r
SF:\n<BODY\x20BGCOLOR=\"#C4CEEF\"\x20onLoad=\"window\.status='\xbb\xb6\xd3 SF:\xad\xca\xb9\xd3\xc3\xcd\xf8\xc2\xe7\xc9\xe3\xcf\xf1\xbb\xfa!';return\x SF:20true;\">\r\n\r\n
<TABLE\x20WIDTH=140\x20BORDER=0\x20CELLSPACING=0\x20C SF:ELLPADDING=0>\r\n
<TR>\r\n\t
<TD\x20HEIGHT=80\x20ALIGN=center\x20BGCOLOR= SF:\"#C4CEEF\"><FONT\x20color=\"#FF6633\"\x20size=\"\+2\"\x20FACE=\"Arial\ SF:"><B>IP\x20Camera</B></FONT></TD>

\r\n</TR>

\r\n</TABLE>

\r\n\r\n</BODY>\r
SF:\n</HTML>\r\n");
MAC Address: 00:0A:42:33:66:54 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop

Next up is the usual dissection. I had done some minor googling on the device I bought, which is basically this below:

As its an OEM product, this is available under a whole bunch of different names – mostly with IP-510 or similar in the title, eg LTI-510 etc.

For a cheap OEM product, it actually seems to be reasonably well made though – the Case is an nice and solid aluminium sheath that looks like its been repurposed from something else, and the board itself is suprisingly well diagrammed. Its almost made for hacking!

Chips onboard are as follows:

25.0618mhz crystal from TXC – bonus points for why its 25mhz. Reply in the comments 🙂
Davicom DM9008AEP, TRC9016NLE (both for Ethernet. imho Davicom is a second-rate Realtek)
ViMicro VC0528BRVC (Camera processor / CCD Controller)
And last, but not least, our CPU, which is an 8051, although not from ATMEL.
Part number on that is C8051F340. My first guess is that it incorporates some integrated flash on there for firmware. Unfortunately its likely to be all C and Assembler, and the last time I did embedded 8051 stuff was in the early 90’s.

Google confirms it – basically its an all in one controller with 32 or 64KB onboard, and roughly 4k ram. Woohoo!

Datasheet here – http://www.alldatasheet.com/datasheet-pdf/pdf/182721/SILABS/C8051F340.html

Good news is that the board has serial out clearly labeled on the top left side. Better news is that the chip has an onboard debug mode, so I don’t even need any ICE (In Circuit Emulation) tools should I want to take a look. Bad news is that I’m probably going to be too lazy to do it, as its more work and less fun than the second one I bought, which has Linux running on it.

That said, this one is cheap. Real cheap. Cheap enough that its probably worth knocking out a decent firmware, and reselling it with a better UI, and more features.
Might be possible, although anything more than whats there is probably stretching it given the ram / storage constraints. Looks like its all offboard processing/streaming for this model!

There are also some unpopulated spots on the board, which I strongly suspect would be for audio, given the board has a MIC input and no Mic, and the main controller is a ViMicro, which supports MP3 output also…

I’ll see if I can find a firmware file, and do a disassembly, or more probably see what I get out of the serial port connection in the near future.

Photos below. [Excuse the pasty white hands, its still winter for some reason in Shanghai, despite being April… Oh global warming. Where art thou, when I needest thee!]:

Some further files for the curious here –

http://kuklin.ru/ip400cam

Archives

Categories

Tags

PHOTOSTREAM