Skip to main content

View your hubble camera stream whereever you want

6 min read

tl;dr

Do you own a hubble/blink/monitoreverywhere device and want to view the camera stream bypassing the proprietary software? Point your multimedia player to rtsp://user:pass@CAMERA-IP:6667/blinkhd/track1.

Update 26.11.2016

Since I got a log of comments saying it does not work any longer ... here is the stream URL for the latest firmware (change the IP to your camera's):

$ mplayer rtsp://user:pass@192.168.1.18:6667/blinkhd/

Intro

Some time ago I bought this little and neat network attached camera baby monitor from Motorola called the FOCUS66-W.
It is advertised as being integrated to the hubbleconnected.com cloud service that allows you to control your cam via smartphone and to watch and record your streams from any internet capable device (Browser + App).

Despite the shitty Android app and the Adobe Flash driven website, it really is a cool device with some nice feature for such a small device and price tag:

  • Good infrared night vision
  • Motion triggered video snapshots and notification
  • Two way audio communication
  • Temperature sensors + alarms
  • Playing lullabies

But as you might know from other embedded hardware projects, this kind of toys always suffer from security problems. At least that was what I hoped for when I asked myself how to obtain the video stream and directly play it on any device. So I started investigating.



Before I started to investigate I wrote an email to their support asking why they use this securtiy nightmare called Adobe Flash to view the videos on hubbleconnected.com. Their answers was support bullshit - even though it came from the dev department - and so they left me no choice. :)

Having a look around

So, what is our starting point?

  1. we got a camera connected to the local wifi
  2. an app used for controlling the camera device and viewing the stream
  3. a cloudy space somewhere at Motorola as a possible synchronization point

So for 1. you guessed right ... we fire up nmap:

    $ nmap 192.168.1.25

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-20 12:51 CET
    Nmap scan report for 192.168.1.25
    Host is up (0.058s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    6667/tcp open  irc
    8080/tcp open  http-proxy

    Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
   

Well, I expected to see 80, but what is up with 6667 and 8080. We will - maybe - see in a minute.

Let's step back and think about how the communication between the cam and app is done. There are two possibilities, with or w/o signalling done by the cloud:

  1. App Cloud Cam
  2. App Cam

To this point we don't know and we need to investigate a bit further.

Uncovering communication

There is an pretty easy way to intercept all network traffic produced by your smartphone by creating a monitored wifi using hostapd, a bridge to your LAN and Wireshark. The actual setup depends on your specific settings but you may use this as a good starting point.

After we setup the bridged wifi and connected the smartphone to it, we fire up Wireshark on the interceptor and start the hubble app on our smartphone.

(Next step: pull out the interesting bits from the wireshark log.)

The app startup leads to three interesting communication streams as seen from the log file.

  1. The app calls some (unencrypted) RPC methods on port 80 on the camera device, such as:
    • /?action=command&command=get_mac_address
    • /?action=command&command=set_brightness&value=5
    • /?action=command&command=recording_cooloff_duration&value=60
    • ...
    This looks like initialization of the camera stream.
  2. In parallel it makes some encrypted calls to the hubble API (?) that I have not looked into yet.
  3. After the initialization is done the app opens up an RTSP Session to port 6667 on the camera device in the local network. If you do not share the same network it will fetch the vids out of the cloud.

    And yupp ... that stream is what we are looking for! <:o>
  4. Not so interesting for our investrigation to obtain the camera stream but it says quite a lot about coding standards at the manufacture: the app also makes a call to
    http://nodeapp.cvisionhk.com/appversion.json?os=android
    . Yupp right ... nodeapp ... naming things ... hard.
  5. The app also fetches the camera event history pictures that are shown on the dashboard unencrypted from http://hubble-resources.s3.amazonaws.com/devices//snaps/.jpg?AWSAccessKeyId=&Expires=1423854518&Signature=

Obtaining the video stream

In the last paragraph we found out where the video stream is hosted and that we could access it from the local area network. But the moment you fire up VLC to access the stream you will get prompted with a username and password input.

A second look at the Wireshark log tells us that they implemented a digest authentication, so no simple sniffing possible - as for eg. basic auth. To bad. :(

So what you could try next if you live outside of germany is to get you a copy of John the Ripper with activated hdda plugin and try to crack the username and password right of the data you obtained from your wireshark log.

But that is illegal in germany. What about reverse engineering the app to extract the username and password? Naah, that may be illegal too.

Ok, ok what about brute forcing the shit out of your cam? Nope illegal too and they will never ever have used a trivial password as found in any dictionary!!

And that is the moment when you remember your good old friend strings. Simply apply it to the unzipped APK and look what happens:

$ strings -a -t x classes.dex |grep -C2 rtsp
[...]
2b1831 rtsp://user:pass@%s:%d/blinkhd
[...]

BAZINGA!! :D

Oh yes, that's a complex password ... not.

Now point VLC to rtsp://user:pass@CAMERA-IP:6667/blinkhd/track1 and you are ready to go.

Other observations

After I got all the nfo that I needed to view the camera stream I played a little more with the APK and the wireshark logs.

Hardware

The camera seems to be Nuvoton N329 as indicated by the RPC repsonses from the camera device.

The App

Although the camera is labeled with the Motorola logo and managed by hubbleconnected.com you find a lot of reference to a second similar service called monitoreverywhere.com.

The app itself is developed by Hong Kong based company called CVISION. They also provide some links to test videos in their app. Say hello to one of their devs (^^):

There are also a lot more commmands that can be triggered by the RPC web interface. Just check classes.dex with the strings command.

Vice zu Besuch bei Doug Coulter

1 min read

Vice hat letztes Jahr Doug Coulter in seiner Hütte im Wald besucht. Bei der Gelegenheit konnten sie auch einen Blick auf seinen selbst entwickelten Fusionsreaktor werfen. W00T?!!

But Doug's most exciting creation is his guerilla-engineered nuclear fusion reactor. His pursuit of a limitless source of clean and self-sufficient energy takes place in what he calls his "den of creative chaos," which is essentially a cluttered workshop in the entrance of his home, directly underneath his bedroom.

Tubbe - Eiscafe Ravetto

1 min read

Ich kaufe nicht mehr so oft Musik, seit man nur noch die Wahl hat zwischen einem Datenträger, für den es seit 10 Jahren kein Abspielgerät in unserem Haushalt mehr gibt (CD) und der DRM Kastration durch Itunes und Kosorten.

Umso erstaunter war ich selbst, als ich mir die Tage Tubbe's "Eiscafe Ravetto" gegen Geld auf die Platte holte. Ging ganz gut und obwohl mir dieser Weichspüler Sound - der im Moment die deutsche Musiklandschaft beherrscht und auch hier durchschimmert - gewaltig auf den Sack geht, schaffen es Tubbe doch noch genug Aggressivität Dreck in ihre Musik zu legen um mir ziemlich zu gefallen.

Echt schwer zu sagen, wo Mia aufhört und der deepe Club (Yo!) anfängt.(Quelle)

Da hat das Audiolith Universum einen Stern geboren, von dem man sicher noch mehr hören wird. Es bleibt spannend.

 

Lars Andersen: a new level of archery

1 min read

Ich muss noch viiiiiel lernen!

*buntu 15.04

1 min read

Seit heute sind die verschiedenen Ubuntus in der Version 15.04 Alpha-2 verfügbar. Sonst habe ich mit diesem Release immer gewechselt, nur in den letzten zwei Jahren nicht mehr. Mal sehen vielleichtist es Zeit alte Gewohnheiten wieder aufleben zu lassen.

Mein geliebtes KDE wird jetzt in der 5er Version ausgeliefert und das Breeze Zeug sieht guuuut aus! Sehr aufgeräumt und gefällig.

http://www.webupd8.org/2015/01/ubuntu-flavors-1504-vivid-vervet-alpha.html


Quack Fat (Spoonbill Remix)

1 min read