Reverse Engineering of an IP Cam (Part 2): Freeing an old cam from the Chinese Cloud

Published by TheJoe on

Estimated reading time: 2 minutes

Posted on 21 January 2026

You know those IoT devices (video intercoms, cameras, sensors) which suddenly become useless because the official app disappears from the stores or the cloud servers in China are turned off, transforming the device into a useless and expensive paperweight? It happened to me with an IP Cam Unotec based on chipset HiSilicon Hi3510. No accessible web interface, just stubborn hardware trying to contact now non-existent remote servers.

In this article I will explain how I regained total control of the device, turning a paperweight into a local sentinel that saves images to a Debian server “in house”, without going through external servers.

The Strategy: DNS Hijacking e FTP Mirroring

Analyzing network traffic, it turned out that the camera was trying to resolve the domain www.myidoorbell.com to upload content via FTP. The idea was as simple as it was effective: implement a Man-in-the-Middle amichevole.

1. DNS redirection with Pi-hole

To intercept the camera, I used Pi-hole. I created a local DNS record so that every request to the cloud domain would be resolved with the IP of my internal Debian server (192.168.5.110).

FTP Server Configuration (vsftpd)

The camera is “old school” and uses the FTP protocol in passive mode. Many modern configurations of vsftpd they fail because they map connections in IPv6 or do not correctly communicate the local IP for data transfer.

After various tests, the winning configuration in the file /etc/vsftpd.conf was:

listen=YES
listen_ipv6=NO
pasv_address=192.168.5.110
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100

Without the directive pasv_address, the server responded with a null address (0.0.0.0), preventing the cam from transmitting the image bytes, even though the login was successful.

Look here:  Eternal Terminal: The persistent terminal for those who work remotely

The “Remote control” CGI: Activate the Sensors

Once the DNS and FTP bridge is in place, the camera connected but sent blank files. The reason? The motion sensor (Motion Detection) it was disabled by default in the internal parameters.

Not being able to repackage the firmware due to integrity checks (checksum), I took advantage of the API CGI exposed by the Hi3510 chip. Using the credentials found in the configuration files (admin:admin), I sent the commands via HTTP:

# Forza uno scatto immediato e l'invio via FTP
curl -u admin:admin "http://192.168.5.123/cgi-bin/hi3510/param.cgi?cmd=testftp"

# Attiva il rilevamento movimento nell'area principale
curl -u admin:admin "http://192.168.5.123/cgi-bin/hi3510/param.cgi?cmd=setmdattr&-m1_enable=1"

Final Result

When launching the command testftp, the Debian server successfully logged the upload: a sharp JPG file, captured directly by the cam sensor and saved locally.

Conclusions

  • DNS and Power: If you check name resolution in your network, you control the behavior of your IoT devices.
  • Reverse Engineering “Light”: Often there is no need to rewrite the firmware; you just need to understand how the device communicates with the outside.
  • Privacy Guaranteed: Now the Cam is isolated from the web, it does not send data to unknown servers and continues to carry out its work on-premise.
  • To do: I still have to find a paperweight.

Not enough?

The lightest Linux distributions for older computers Add a caption to the photo pop-up with CSS3 Some fonts, or rather some set of icons Buttons using only CSS Why should you (perhaps) change the DNS
Categories: GNU/LinuxNetworkingSecurityTech
Tags:

TheJoe

I keep this blog as a hobby by 2009. I am passionate about graphic, technology, software Open Source. Among my articles will be easy to find music, and some personal thoughts, but I prefer the direct line of the blog mainly to technology. For more information contact me.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

GNU/Linux

Reverse Engineering of an IP Cam (Part 1): Extract the Firmware and its Secrets

It all started with a mystery (and very economical) IP surveillance camera from Unotec. Without documentation and without access to the web interface, the only way to understand how it worked was “get inside”. In this first part, Read more

GNU/Linux

SSH Knock: Safe access with Port Knocking

When we talk about safety in remote access via SSH, One of the least known but potentially useful methods is SSH Knock, based on the Port Knocking technique. The idea is simple: Instead of leaving the ssh door Read more

GNU/Linux

Understanding permits in Linux: what they mean 777, 755, 775 and 644

If you have ever worked with a Linux server or install a software, You will probably have met commands like Chmod 755 of chodd 777. But what these numbers really mean? And how Read more