Hello!

I am developing firmware for surveillance cameras for b2b and b2c services, as well as participating in federal surveillance projects.

About how we started, I wrote in the article .

Since then, much has changed - we began to support even more chipsets, for example, such as mstar and fullhan, met and made friends with a large number of both foreign and domestic manufacturers of IP cameras.

In general, camera developers often come to us, show new equipment, discuss technical aspects of firmware operation or manufacturing process.

ITKarma picture

But, as always, strange guys sometimes come - they bring frank China of unacceptable quality with firmware full of holes, and hastily smeared with the emblem of a third-rate factory, but at the same time claiming that they developed everything themselves: circuitry, firmware, and they turned out to be completely Russian product.

Today I’ll talk about some of these guys. To be honest, I am not a supporter of public flogging of negligent "import substitutes" - I usually decide that we are not interested in relations with such companies, and we part with them.
But, however, today, reading the news on Facebook and drinking morning coffee - I almost poured it by reading the news that the daughter of Rusnano, the company ELVIS-NeoTek, together with Rostec will deliver tens of thousands of cameras to schools.

Under the cut - details of how we tested them.

Yes, yes - these are the same guys who brought me frank cheap and bad China, under the guise of their own development.

So, let's take a look at the facts: They brought us a VisorJet Smart Bullet camera, from a domestic one - it had a box and a receipt for OTC (:-D), inside was a typical Chinese modular camera based on Hisilicon 3516 chipset.

After we made the firmware dump, it quickly became clear that the real manufacturer of the camera and firmware was a certain “Brovotech” office, which specializes in the supply of IP cameras with customization. Separately, the second name of this office was outraged: ezvis.net "- a clumsy fake of the name of the company Ezviz - b2c daughter of one of the world leaders Hikvision. Hmm, all in the best traditions of Abibas and Nokla.

In the firmware, everything turned out to be ± standard, unpretentious in Chinese:

Files in firmware
├── alarm.pcm
├── bvipcam
├── cmdserv
├── daemonserv
├── detectsns
├── font
├── lib
...
│ └── libsony_imx326.so
├── reset
├── start_ipcam.sh
├── sysconf
│ ├── 600106000-BV-H0600.conf
│ ├── 600106001-BV-H0601.conf
...
│ └── 600108014-BV-H0814.conf
├── system.conf - >/mnt/nand/system.conf
├── version.conf
└── www
...
├── logo
│ ├── elvis.jpg
│ └── qrcode.png

From the domestic manufacturer we see the file elvis.jpg - not bad, but with an error in the name of the company - judging by the site they are called "elvees".

Bvipcam is responsible for the operation of the camera - the main application that works with A/V streams and is a network server.

Now about holes and backdoors:

1. In bvipcam, the backdoor is very simple: strcmp (password, "20140808") & amp; & amp; strcmp (username, "bvtech"). It is not disconnectable, and works on non-disconnectable port 6000

ITKarma picture

2. In/etc/shadow, the static root password and open telnet port. Not the most powerful MacBook brute force this password in less than an hour.

ITKarma picture

3. All saved passwords, the camera can give through the control interface in clear form. That is, by logging on to the camera using the backdoor logoff from (1), you can easily grab the passwords of all users.

He personally did all these manipulations - the verdict is obvious. Third-grade Chinese firmware, which can’t be used close to serious projects.

By the way, a little later I found the article - it did a deeper work on the study of holes in cameras from brovotech. Yeah.

According to the results of the survey, we wrote a conclusion in ELVIS-NeoTek with all the facts discovered. In response, they received a chic answer from ELVIS-NeoTech: “The firmware for our cameras is based on the Linux SDK from the manufacturer of the HiSilicon controllers. Because These controllers are used in our cameras. At the same time, on top of this SDK, our own software was developed, which is responsible for the interaction of the camera using data exchange protocols. Testing specialists found it difficult to find out, since we did not provide root rights to the cameras.

And when evaluating from the side, an erroneous opinion could have formed. If necessary, we are ready to demonstrate to your specialists the whole process of production and firmware of cameras in our production. Including show part of the firmware source codes. "

Naturally, no one showed the source code.

I decided not to work with them anymore. And now, two years later, Elvees' plans to produce cheap Chinese cameras with cheap Chinese firmware under the guise of Russian development found their application.

Now I went to their site and found that they had updated the line of cameras and it no longer looked like Brovotech. Wow, maybe the guys realized and corrected - they did everything themselves, this time honestly, without a holey firmware.

But, alas, the simplest comparison is operating instructions of the "Russian" camera instructions on the Internet gave the result.

So, meet the original: cameras of the unknown vendor milesight.

ITKarma picture

ITKarma picture

Why is this milesight better than brovotech? From a security point of view, most likely nothing - a cheap solution to purchase.

Just look at the screenshot of the web interface of the milesight and ELVIS-NeoTek cameras - there will be no doubt: the “Russian” VisorJet cameras are a clone of the milesight cameras. Not only pictures of web interfaces coincide, but default IP 192.168.5.190 and camera drawings. Even the default password is similar: ms1234 vs en123456 in the clone.

In conclusion, I can say that I am a father, my children go to school and I am against the use of Chinese cameras with leaky Chinese firmware, with trojans and backdoors in their education.

Source