6 min read
Do you own a hubble/blink/monitoreverywhere device and want to view the camera stream bypassing the proprietary software? Point your multimedia player to
Since I got a log of comments saying it does not work any longer ... here is the stream URL for the latest firmware (change the IP to your camera's):
$ mplayer rtsp://user:email@example.com:6667/blinkhd/
Some time ago I bought this little and neat network attached camera baby monitor from Motorola called the FOCUS66-W.
It is advertised as being integrated to the hubbleconnected.com cloud service that allows you to control your cam via smartphone and to watch and record your streams from any internet capable device (Browser + App).
Despite the shitty Android app and the Adobe Flash driven website, it really is a cool device with some nice feature for such a small device and price tag:
But as you might know from other embedded hardware projects, this kind of toys always suffer from security problems. At least that was what I hoped for when I asked myself how to obtain the video stream and directly play it on any device. So I started investigating.
Before I started to investigate I wrote an email to their support asking why they use this securtiy nightmare called Adobe Flash to view the videos on hubbleconnected.com. Their answers was support bullshit - even though it came from the dev department - and so they left me no choice. :)
So, what is our starting point?
So for 1. you guessed right ... we fire up nmap:
$ nmap 192.168.1.25 Starting Nmap 6.47 ( http:/
/ nmap.org ) at 2015-02-20 12:51 CET Nmap scan report for 192.168.1.25 Host is up (0.058s latency). Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 6667/tcp open irc 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
Well, I expected to see 80, but what is up with 6667 and 8080. We will - maybe - see in a minute.
Let's step back and think about how the communication between the cam and app is done. There are two possibilities, with or w/o signalling done by the cloud:
To this point we don't know and we need to investigate a bit further.
There is an pretty easy way to intercept all network traffic produced by your smartphone by creating a monitored wifi using hostapd, a bridge to your LAN and Wireshark. The actual setup depends on your specific settings but you may use this as a good starting point.
After we setup the bridged wifi and connected the smartphone to it, we fire up Wireshark on the interceptor and start the hubble app on our smartphone.
(Next step: pull out the interesting bits from the wireshark log.)
The app startup leads to three interesting communication streams as seen from the log file.
/ hubble-resources.s3.amazonaws.com/ devices/ /snaps/ .jpg?AWSAccessKeyId= &Expires=1423854518&Signature=
In the last paragraph we found out where the video stream is hosted and that we could access it from the local area network. But the moment you fire up VLC to access the stream you will get prompted with a username and password input.
A second look at the Wireshark log tells us that they implemented a digest authentication, so no simple sniffing possible - as for eg. basic auth. To bad. :(
So what you could try next if you live outside of germany is to get you a copy of John the Ripper with activated hdda plugin and try to crack the username and password right of the data you obtained from your wireshark log.
But that is illegal in germany. What about reverse engineering the app to extract the username and password? Naah, that may be illegal too.
Ok, ok what about brute forcing the shit out of your cam? Nope illegal too and they will never ever have used a trivial password as found in any dictionary!!
And that is the moment when you remember your good old friend strings. Simply apply it to the unzipped APK and look what happens:
$ strings -a -t x classes.dex |grep -C2 rtsp [...] 2b1831 rtsp://user:pass@%s:%d/blinkhd [...]
Oh yes, that's a complex password ... not.
Now point VLC to
and you are ready to go.
After I got all the nfo that I needed to view the camera stream I played a little more with the APK and the wireshark logs.
The camera seems to be Nuvoton N329 as indicated by the RPC repsonses from the camera device.
Although the camera is labeled with the Motorola logo and managed by hubbleconnected.com you find a lot of reference to a second similar service called monitoreverywhere.com.
The app itself is developed by Hong Kong based company called CVISION. They also provide some links to test videos in their app. Say hello to one of their devs (^^):
There are also a lot more commmands that can be triggered by the RPC web interface. Just check classes.dex with the strings command.
1 min read
Vice hat letztes Jahr Doug Coulter in seiner Hütte im Wald besucht. Bei der Gelegenheit konnten sie auch einen Blick auf seinen selbst entwickelten Fusionsreaktor werfen. W00T?!!
But Doug's most exciting creation is his guerilla-engineered nuclear fusion reactor. His pursuit of a limitless source of clean and self-sufficient energy takes place in what he calls his "den of creative chaos," which is essentially a cluttered workshop in the entrance of his home, directly underneath his bedroom.
1 min read
Ich kaufe nicht mehr so oft Musik, seit man nur noch die Wahl hat zwischen einem Datenträger, für den es seit 10 Jahren kein Abspielgerät in unserem Haushalt mehr gibt (CD) und der DRM Kastration durch Itunes und Kosorten.
Umso erstaunter war ich selbst, als ich mir die Tage Tubbe's "Eiscafe Ravetto" gegen Geld auf die Platte holte. Ging ganz gut und obwohl mir dieser Weichspüler Sound - der im Moment die deutsche Musiklandschaft beherrscht und auch hier durchschimmert - gewaltig auf den Sack geht, schaffen es Tubbe doch noch genug Aggressivität Dreck in ihre Musik zu legen um mir ziemlich zu gefallen.
Echt schwer zu sagen, wo Mia aufhört und der deepe Club (Yo!) anfängt.(Quelle)
Da hat das Audiolith Universum einen Stern geboren, von dem man sicher noch mehr hören wird. Es bleibt spannend.
1 min read
Seit heute sind die verschiedenen Ubuntus in der Version 15.04 Alpha-2 verfügbar. Sonst habe ich mit diesem Release immer gewechselt, nur in den letzten zwei Jahren nicht mehr. Mal sehen vielleichtist es Zeit alte Gewohnheiten wieder aufleben zu lassen.
Mein geliebtes KDE wird jetzt in der 5er Version ausgeliefert und das Breeze Zeug sieht guuuut aus! Sehr aufgeräumt und gefällig.