Hacking my baby cam (Motorola MBP853)

In late August my daughter was born, and I bought a wifi webcam to put into her room, one which boasted a feature-packed mobile phone app for remote viewing, pan, tilt, room temperature and more.


The mobile app to control this webcam was broken from day one. The service did come back online a few days later and has worked quite well since, but I had to question what I would do if the camera connectivity software failed.

I decided to find out how to use the camera as a dedicated IP device. There was no information from the manual or the supplier, so I went digging.

Find the IP
My first step was to check my router maintenance page to identify the device IP address; this was the only unknown item in the list.


Using the Mac Network Utility I scanned the IP and discovered a web service on port 80:

Port Scan has started…

Port Scanning host: 192.168.0.30

Open TCP Port: 80     http


Test Page
After playing about (I tried a few obvious page names) I discovered a file, “http://192.168.0.30/test.html”. This appeared to be a test page for the webcam, probably used at the factory to ensure the camera is fully functioning. Although the video did not load, I was able to move the camera, but the move function had no auto stop and the servo sounded like it might break!


Clicking the centre arrow stopped the camera from trying to over-rotate. At this point I was a little worried that a page existed with full access to a camera which would be pointed at my child; all you needed was access to the local network.

Viewing the source of the page, it's quite easy to see the available functions and how to control the camera.

The send_command function code: AJAX_get('/?action=command&command=' + cmd)

The video player, which did not function, showed the URL required to watch the stream, although it is hardcoded: “rtsp://192.168.193.1:6667/blinkhd”.

After updating the IP I was unable to view the video, as it was secured. I put the URL into Google and came across an article with much more detail about hacking a similar Motorola camera: http://atom0s.com/forums/viewtopic.php?t=45

Wifi Setup
It is possible to configure the network settings via wifisetup.html.


Viewing the Video on a Mobile

The article tells you that the video can be viewed if you pass the credentials: rtsp://user:pass@192.168.137.36:6667/blinkhd

“The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points.” (Wikipedia)

Searching the Apple App Store for RTSP, you will find several viewers. Adding the correct URL to the app I installed on my iPhone made it possible to view the camera feed. While a username and password were required, it was very insecure, and every device would have the same config.


Conclusion
I now have a method to use and configure my webcam without relying on the Hubble software. This is especially useful when the service is down or if it ever becomes pay to use.

The device needs to be made more secure. I will look into changing the username and password or contact the supplier to see if they will provide firmware updates. These test files should not have been left on the device.

I also have the option to use the feed on a spare monitor in my study, which will be useful, or even to produce my own apps.
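To check whether a camera you own still exposes what this post found, for example after a firmware update, the following script is an added example and not part of the original post or the vendor's software. It requests the two factory pages named above with no credentials and tests the RTSP port; the function names and finding strings are hypothetical.

```python
import http.client
import socket
import sys
import urllib.error
import urllib.request

# Page names and RTSP port are the ones named in the post.
FACTORY_PAGES = ("/test.html", "/wifisetup.html")
RTSP_PORT = 6667

def http_status(host, path, timeout=3.0):
    """Status code of a GET sent with no credentials; None if nothing answers."""
    try:
        with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # server answered with 4xx/5xx
        return err.code
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host, get_status=http_status, is_open=port_open):
    """Return findings for one camera; an empty list means none of the
    exposures described in the post were seen from this network position."""
    findings = []
    for path in FACTORY_PAGES:
        status = get_status(host, path)
        if status == 200:
            findings.append(f"{path}: served without authentication")
        elif status in (401, 403):
            findings.append(f"{path}: present but access-controlled ({status})")
    if is_open(host, RTSP_PORT):
        findings.append(f"tcp/{RTSP_PORT}: RTSP reachable, confirm the login is not the shared one")
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for line in audit(sys.argv[1]) or ["nothing from the post is exposed"]:
            print(line)
    else:
        print("usage: camera_audit.py <camera-ip>")
```

Run it from the same network segment as the camera, and again from a guest or IoT VLAN if you have one, to see whether segmentation actually blocks the pages.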

 

 

 
