Anyone have Brovotech firmware?

watkipet

n3wb
Joined
Jan 28, 2021
Messages
6
Reaction score
2
Location
United States
I believe I have this Brovotech camera. It's difficult to tell because I bought the camera from Amazon from the seller, EZVIS in 2016. They no longer sell the product. The manual gives the name, "insee". I can't find that company anywhere. The camera web page lists this info:

Untitled.png
Untitled 2.png

You'll notice the firmware version is IPCAM_V1.55.150625

I have a firmware file entitled, "IPCAM_BV_C00_E_V1.55.150625.fm" which I must have downloaded from somewhere and was created June 15th 2015.

I'd like to see if there's an updated firmware for this camera. The PIR sensor doesn't seem to work with Onvif and, while an NVR can set the motion detection region, it won't persist in the camera. Setting the motion detection region from the web interface doesn't work at all (blank screen).

Does anyone have a firmware for this camera (or any other Brovotech camera)?
 
As an Amazon Associate IPCamTalk earns from qualifying purchases.

watkipet

n3wb
Joined
Jan 28, 2021
Messages
6
Reaction score
2
Location
United States
Just an update here. I've contacted the seller (I think). They actually responded and asked for the serial number and the proof of purchase. We'll see if I get an updated firmware.

In the meantime, I've been poking around in the firmware (using binwalk and jefferson). There's an article about similar cameras here. It's in Russian, but Google yields a pretty good translation.

I've cracked the password with a rules-based dictionary crack using hashcat. The GPU-accelerated attack took about 2 minutes. You should be able to reproduce my results. So now I can telnet in and poke around. I'm interested in the NVM data which stores the configuration options. I'll post what I find.
 

watkipet

n3wb
Joined
Jan 28, 2021
Messages
6
Reaction score
2
Location
United States
I like hashcat. And John also.
That sounds like a descrypt as opposed to an md5crypt.
I'm just beginning to learn both. Here's the passwd file:

Code:
root:$1$odNRCLXF$c55bMv2.BrBrZjFrX7qr60:0:0:root:/home:/bin/sh
$1 means MD5, right? It's not a very secure password. I think that's why a dictionary attack with rules didn't take very long.

Not without a copy of the firmware ...
I had seen another post where a new user was discouraged from posting firmware images. I'd be happy to post what I've got, but I don't think these cameras do any authentication of firmware images beyond a CRC check. Should I go ahead and post it?

I've been digging through the bvipcam executable (that's the one that basically does everything) with Ghidra. Even though debug symbols are stripped, many functions have the name of the function in their error log messages--so that helps my RE effort. Here are my notes on URLs so far:

Code:
# RTSP URLs
rtsp:/192.168.0.19:554/live/main
rtsp:/192.168.0.19:554/live/sub
rtsp:/192.168.0.19:554/live/jpeg

# RTMP URLs
rtmpdump -v -r "rtmp:/192.168.0.19:1935/live/livesub" --live | /Applications/VLC.app/Contents/MacOS/VLC -
rtmpdump -v -r "rtmp:/192.168.0.19:1935/live/livemain --live | /Applications/VLC.app/Contents/MacOS/VLC -

# Takes a snapshot and gives it back in the HTTP response
http://192.168.0.19/action/snap?cam=0
http://192.168.0.19/action/snap

# Crashes the camera
http://192.168.0.19/action/event

# The line below doesn’t do anything useful since I have the PoE model.
# Likewise there’s an action/set, but that only applies to wifi as well
curl -u admin:12345 -d '<?xml version="1.0" encoding="utf-8"?><request><subject>wifi</subject><action>scan</action><adapter>ra0</adapter></request>' http://192.168.0.19/action/get

# Port 6000 is some sort of admin interface. See the notes from Alex_Smirnove.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
$1 means MD5, right? It's not a very secure password.
Yes, you are correct, it's an md5crypt

I've been digging through the bvipcam executable (that's the one that basically does everything) with Ghidra. Even though debug symbols are stripped, many functions have the name of the function in their error log messages--so that helps my RE effort. Here are my notes on URLs so far:
I can relate to that!
The activity can get a bit obsessive. And frustrating.
But it may be good for the brain.
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
You can try to contact DSSL, but they don't like to give FW to anyone, even to authorized service some times
Also, you can dig into more russian and try FW for OMNY BASE cameras, it's brovotech too
Да, ДССЛ жмоты в этом плане, все чего-то боятся там..
Общая ветка по OMNY тут

 

watkipet

n3wb
Joined
Jan 28, 2021
Messages
6
Reaction score
2
Location
United States
@slyker001 and @iTuneDVR: Thanks! Those were helpful. I terms of OMNY cameras, I think I have the one corresponding to the "OMNY miniCUBE II W" or "OMNY miniCUBE II". Maybe DSSL is afraid because all the best security camera hackers seem to be from Russia ;-)

I got an answer back from Brillcam, BTW! Pretty awesome that they're willing to support a camera they (I think) sold me 4 years ago. However, they want to update the firmware remotely. Given the age of the firmware I have (and the hardcoded passwords), I'm not keen on punching holes in my firewall so they can update it. I suspect the camera would get hacked by a bot in pretty short order. I asked if they'd send me the firmware images. We'll see what happens.
 
Joined
Oct 15, 2021
Messages
2
Reaction score
1
Location
Australia
@watkipet did you get any further with this one?

I have what appears to be a brovotech HDMI encoder which was bricked after an unsuccessful firmware update. I can telnet into it though and found the password to log in but I can't work out how I can try to re-flash the firmware.fw file to it now.

Does anyone know how I can reload the .fw file and if there is any special syntax required for the filename?

Cheers.
 
Top