Reverse Engineering of an IP Cam (Part 1): Extract the Firmware and its Secrets
It all started with a mysterious (and very cheap) Unotec surveillance IP camera. With no documentation and no access to the web interface, the only way to understand how it worked was to "get inside". In this first part, we'll see how I managed to download the internal configuration and decode the backup file to find the hidden credentials.
API hunting: the backup command
Cameras based on HiSilicon chipsets often hide back doors in the form of CGI scripts. After a few attempts at guessing the standard paths used by manufacturers, I hit the jackpot. Entering this address in the browser:
http://192.168.5.123/cgi-bin/hi3510/backup.cgi
The browser started downloading a file called config_backup.bin. But don't be fooled by the extension: in the IoT world, ".bin" files are often just standard archives renamed to put off the less experienced.
File analysis: is it really a binary?
To understand what I was dealing with, I examined the file with the "file" command on Linux. This command does not trust the extension; it looks at the "magic bytes" in the file header.
$ file config_backup.bin
config_backup.bin: gzip compressed data, from Unix, original size 3276800
Here the mystery is revealed: the file is actually a .tar.gz archive. To open it, all I had to do was rename it or extract it directly:
mv config_backup.bin config_backup.tar.gz
tar -zxvf config_backup.tar.gz
What's inside the "black box"?
Once unpacked, I found in front of me part of the camera's file system structure: the /mnt/ partition dedicated to configurations. The folder /mnt/mtd/ipc/conf/ turned out to be a gold mine of .ini files:
- config_user.ini: contained the login credentials... very hard to guess (admin/admin).
- config_md.ini: motion detection settings (which turned out to be disabled).
- wifi.conf: the network parameters.
- config_larm.ini: triggers for FTP and email alarms.
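The same triage as an added Python example (not code from the original post): check the gzip magic bytes regardless of the extension, read the .ini members of the archive in memory, and flag any account still using a well-known default password. The backup archive is a constructed stand-in; the username/password key names and the default-password list are assumptions, not values read from the camera.

```python
import configparser
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"  # the header bytes `file` reports as "gzip compressed data"
DEFAULT_PASSWORDS = {"", "admin", "password", "123456"}  # constructed shortlist


def build_sample_backup() -> bytes:
    # Constructed stand-in for config_backup.bin: a gzip tarball with one .ini.
    # The key names username/password are an assumption, not read from the camera.
    ini = b"[user]\nusername=admin\npassword=admin\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("mnt/mtd/ipc/conf/config_user.ini")
        info.size = len(ini)
        tar.addfile(info, io.BytesIO(ini))
    return buf.getvalue()


def is_gzip(data: bytes) -> bool:
    # Trust the magic bytes, not the extension: the same check `file` performs.
    return data[:2] == GZIP_MAGIC


def extract_ini_files(data: bytes) -> dict:
    # Read every .ini member in memory; nothing is written to disk, so hostile
    # member names (../ paths) cannot land outside the working directory.
    if not is_gzip(data):
        raise ValueError("not a gzip stream; this .bin may really be raw binary")
    found = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".ini"):
                text = tar.extractfile(member).read()
                found[member.name] = text.decode("utf-8", "replace")
    return found


def weak_credentials(ini_text: str) -> list:
    # Return (section, username) pairs whose password is a well-known default.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(ini_text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[root]\n" + ini_text)  # tolerate section-less files
    hits = []
    for section in parser.sections():
        user, password = parser[section].get("username"), parser[section].get("password")
        if user is not None and password is not None and password.lower() in DEFAULT_PASSWORDS:
            hits.append((section, user))
    return hits
```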
Why does re-uploading fail?
I tried editing the .ini files (for example, enabling motion detection) and recreating the archive to upload it back to the cam. However, I suspect the firmware performs an integrity check (checksum) at startup. If the file has been tampered with, the camera discards it and reverts to factory settings.
This discovery led me to the next phase: if I can't change the rules "from the inside" by flashing the file, I'll use CGI commands to instruct it "from the outside". But we'll talk about that in Part 2.
Stay tuned to find out how I used this information to intercept the cam's traffic!