Hacking the Sony SNC-M1
Okay, be prepared, this will be a really long story!
[Szaboat|http://clock.hu/use] decided using a network camera for the [boxing project|http://www.artificis.hu/node/140] and [Zol|http://my.opera.com/Z0l/blog/] was supposed to get the camera working while Szaboat is on holiday. Also I was supposed to make it work with FFmpeg.
Webpage
The camera has a simple web page, with two buttons: Enter (=view) and Setting.
-break->
Setting requires HTTP authentication, but both are using Javascript and popups. Also it features an ActiveX application for viewing the video stream produced. To enter the administration, use http://camera/adm/file.cgi?next_file=setting.htm.
Video: first step
Anyway, as it is configurable to output MPEG4 in ASF or MJPEG, it looked like an easy task for MPlayer. It was.
Just passed the http://camera/img/video.asf to MPlayer and the picture showed up. Blocky (bitrate and quality is configurable), but working. But there was an interesting point while looking at the verbose log:
@@HTTP/1.1 200 OK%%%
@@Server: thttpd/2.20b%%%
@@Date: Mon, 17 Oct 2005 08:02:58 GMT%%%
@@Connection: close%%%
@@Cache-Control: no-cache%%%
@@Pragma: no-cache%%%
@@Expires: Mon, 06 Jan 1990 00:00:01 GMT%%%
@@Content-type: text/html%%%
So, this uses [thttpd|http://www.acme.com/software/thttpd/]? What OS does thttpd run on? POSIX ones. This may be Linux based?
OS
Next step was doing nmap on it:
@@PORT STATE SERVICE%%%
@@80/tcp open http%%%
@@MAC Address: 00:01:4A:XX:XX:XX (Sony)%%%
@@Device type: general purpose%%%
@@Running: Linux 2.4.X|2.5.X%%%
@@OS details: Linux 2.4.0 – 2.5.20%%%
I know this is spoofable, but I wont think it is. Interesting is that the MJPEG stream the camera is outputting at http://camera/img/mjpeg.cgi is a custom format one, a simple header following a standard JPEG image. JPEG can have comment fields, this has one with the string: “Ingenient Technologies 2003”. I looked at their [homepage|http://www.ingenient.com/], they are embedded developers, and look, they have a [product|http://www.ingenient.com/software.htm] called: “MP4070-LIN Embedded Linux RTOS”.
Interesting excerpts from the HTML pages:
@@%%%
@@%%%
@@%%%
@@
Hacking it
The admin script is definitely suitable for hacking, in 10 minutes I got it working: http://camera/adm/file.cgi?this_file=/proc/version&todo=.
The “todo=” is mandatory, else it will select “todo=reboot” and wont display anything.
/proc/cpuinfo:
@@Processor : ARM/VLSI ARM 7 TDMI rev 0 (v3l)%%%
@@BogoMIPS : 23.39%%%
@@Hardware : TMS320DM270%%%
@@Development Module Revision : 0000%%%
@@Serial : 0000000000000000
/proc/meminfo:
@@total: used: free: shared: buffers: cached:%%%
@@Mem: 19697664 14036992 5660672 0 1241088 3653632%%%
@@Swap: 0 0 0%%%
@@MemTotal: 19236 kB%%%
@@MemFree: 5528 kB%%%
@@MemShared: 0 kB%%%
@@Buffers: 1212 kB%%%
@@Cached: 3568 kB%%%
@@SwapCached: 0 kB%%%
@@Active: 1432 kB%%%
@@Inactive: 3348 kB%%%
@@HighTotal: 0 kB%%%
@@HighFree: 0 kB%%%
@@LowTotal: 19236 kB%%%
@@LowFree: 5528 kB%%%
@@SwapTotal: 0 kB%%%
@@SwapFree: 0 kB
/proc/version:
@@__Linux version 2.4.19-uc1 (root@annielinux) (gcc version 2.96 20000110 (experimental)) #506 Fri Jan 28 14:28:55 CST 2005__
/proc/mounts:
@@rootfs / rootfs rw 0 0%%%
@@/dev/root / cramfs ro 0 0%%%
@@/proc /proc proc rw 0 0%%%
@@/dev/ramdisk /mnt/ramdisk minix rw 0 0
Notes
The camera has a microphone aswell, recording is done into G.726 with selectable bitrate, but it is only included in the ASF. I added support for the custom MJPEG format into [FFmpeg|http://www.ffmpeg.org/], and [here is|http://www.artificis.hu/files/texts/ingenient.txt] a simple description of it.
Update:
/etc/motd: Welcome to Embedded Linux Solutions
Interesting list of new modules from /etc/rc: binfmt_xflat, leds, audio, flash, switchs, dm9000x.
/proc/kmsg: kernel messages, mostly the same as the output of ‘dmesg’. [See a dump here|http://www.artificis.hu/files/other/sony-scn-m1-dmesg.txt].
[XFLAT|http://www.cadenux.com/xflat/index.html] is used for file.cgi and upgrade.cgi (for firmware upgrade). Possible next step could be getting a firmware upgrade image (I was not able to find one), enable telnet/ftp in it (in /etc/inetd.conf they’re commented out), upgrade, enjoy.
Commenting is closed for this article.