Retrieving SmartWares IP Camera firmware

SmartWares products are reliable and affordable, and I own some of their IP cameras (CIP-37210AT).
However, it is not possible to download any firmware from the Smartwares website, and the Wayback Machine hasn’t archived anything interesting either.

So, to get our hands on the firmware, we have two options: intercept the app's network traffic with a MITM proxy, or hook the relevant function with Frida.

When launching the application on a rooted emulator, one of the first requests seems to really fit the bill.

In fact, the JSON response provides the necessary URLs for downloading the latest firmware available (i.e., 3.2.0.0) for several camera models, including the CP721IP in question.

A quick look at the APK via JADX is also convenient: searching for the firmware keyword, it’s not hard to locate the relevant function.

Let’s hook it with the following Frida script.

    Java.perform(() => {
        const CameraManager = Java.use('nl.homewizard.android.cameras.camera.CameraManager');

        // Hooking firmwareVersionForCameraModel method
        CameraManager.firmwareVersionForCameraModel.implementation = function (model) {
            console.log("Hooking firmwareVersionForCameraModel Method...");
            console.log("Model: " + model);
            const firmwareVersion = this.firmwareVersionForCameraModel(model);
            console.log("FirmwareVersion: " + firmwareVersion);
            return firmwareVersion;
        };
    });

Just to make sure that https://cupdate.net/x.tar.gz is the correct URL for this IP camera.

Untarring the archive reveals a single bash script called “update.sh”.
The interesting part for our purpose is the following.

The variable $TARURL holds the final URL and, for the CP721IP camera model, is built in this fashion.

    TARURL="http://provisioning.homewizard.com/cameras/3.2/C721IP_3.2.00.tar.gz"

The downloaded archive “C721IP_3.2.00.tar.gz” contains the following files.

    ├── app
    │   └── bin
    │       └── homewizard.sh
    ├── bin
    │   ├── camcli
    │   ├── snapshotserver
    │   └── unabtoCamera
    ├── etc
    │   ├── admin_default
    │   ├── applyFirmwareUpdate.sh
    │   ├── diagnose.sh
    │   ├── init.d
    │   │   ├── 8188_ap.sh
    │   │   ├── 8188_sta.sh
    │   │   ├── alive.sh
    │   │   ├── boot.sh
    │   │   ├── clearVideoSymlinks.sh
    │   │   ├── network.sh
    │   │   ├── runUnabto.sh
    │   │   ├── snapshot.sh
    │   │   └── waakhond.sh
    │   ├── initWifiAP.sh
    │   ├── mansnap.sh
    │   ├── rtsp_user.sh
    │   ├── scanWifi.sh
    │   ├── setWifiSD.sh
    │   ├── set_name.sh
    │   ├── swap_webserver.sh
    │   ├── udhcpd.conf
    │   ├── watchAPMode.sh
    │   ├── watchErrorMode.sh
    │   └── wifiTestPrep.sh
    ├── mnt
    │   ├── mtd
    │   └── music
    │       └── beep.wav
    └── usr
        └── share
            └── udhcpc
                └── default.script

A look with binwalk confirms that we are dealing with the ELF file format.
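The same check can be scripted without unpacking the vendor archive to disk. The following is an added example, not code from the original post: it reads the first bytes of every file in the tarball in memory and reports ELF class, byte order and machine type. The function names and the sample archive built by `build_sample` are constructed for illustration and say nothing about the real firmware's architecture.

```python
import io
import struct
import tarfile

# e_machine values from the ELF specification (subset common on embedded devices)
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def classify(head: bytes) -> str:
    """Classify a file from its first bytes: ELF (with arch), script, or data."""
    if head[:4] == b"\x7fELF" and len(head) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(head[4], "?-bit")
        endian = {1: "<", 2: ">"}.get(head[5])  # EI_DATA selects byte order
        if endian is None:
            return "ELF (invalid EI_DATA)"
        # e_type sits at offset 16 and e_machine at offset 18, both 16-bit
        _etype, machine = struct.unpack_from(endian + "HH", head, 16)
        order = "LSB" if endian == "<" else "MSB"
        return f"ELF {bits} {order} {ELF_MACHINES.get(machine, hex(machine))}"
    if head[:2] == b"#!":
        return "script " + head[2:].split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return "data"

def triage_firmware(archive: bytes) -> dict:
    """Map each regular file in a .tar.gz to its type without extracting to disk."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # skip links and devices; nothing is written out
                report[member.name] = classify(tar.extractfile(member).read(64))
    return report

def build_sample() -> bytes:
    """Constructed stand-in archive; contents are NOT taken from the real firmware."""
    elf = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HH", 2, 40)
    files = {"bin/camcli": elf + bytes(32), "etc/init.d/boot.sh": b"#!/bin/sh\necho boot\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for path, kind in triage_firmware(build_sample()).items():
        print(f"{path}: {kind}")
```

To run it on a downloaded archive, pass the file's bytes to `triage_firmware` in place of `build_sample()`.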

And now… the fun part with Ghidra starts!
