{"id":7518,"date":"2025-07-26T23:07:21","date_gmt":"2025-07-26T23:07:21","guid":{"rendered":"https:\/\/41j.com\/blog\/?p=7518"},"modified":"2025-07-29T08:18:35","modified_gmt":"2025-07-29T08:18:35","slug":"m7-wifi-camera-notes","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2025\/07\/m7-wifi-camera-notes\/","title":{"rendered":"M7 Wifi Camera Notes"},"content":{"rendered":"\n

I picked up a cheap Wifi security camera on Amazon, it uses a mobile app called “seeing”. Which appears to be that referenced at seeing.store.<\/p>\n\n\n\n

No ports were open when scanned with nmap. Monitoring traffic on the router indicated it was talking to a remote server (appears to be on Alibaba’s cloud service):<\/p>\n\n\n\n

traffic when streaming video: \n18:19:21.995059 IP 192.168.8.191.36198 > 47.79.82.123.443: Flags [F.], seq 228080, ack 6579, win 6169, length 0\n18:19:21.998765 IP 47.79.82.123.443 > 192.168.8.191.36198: Flags [F.], seq 6579, ack 228080, win 831, length 0\n18:19:22.671581 IP 192.168.8.191.36200 > 47.79.82.123.443: Flags [S], seq 4002814628, win 29200, options [mss 1460,sackOK,TS val 4294938745 ecr 0,nop,wscale 3], length 0\n<\/code><\/pre>\n\n\n\n
With some more fiddling it appears that the cloud service coordinates with the phone\/camera but if they are on the same network the camera will stream directly to the phone:<\/p>\n\n\n\n
8:52:29.753976 IP navas-iPhone.lan.49936 > 192.168.8.191.10666: UDP, length 48\n...\n18:52:29.841608 IP 192.168.8.191.10666 > navas-iPhone.lan.49936: UDP, length 1332\n18:52:29.841943 IP 192.168.8.191.10666 > navas-iPhone.lan.49936: UDP, length 1332<\/code><\/pre>\n\n\n\n
Whatever communication the phone coordinates via the cloud appears to open up a UDP port on the camera. It first sends a packet with a payload of “dummy”:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Which the camera seems to echo back:
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The phone then sends a more complex binary payload:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The camera then replies with some clear text:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The phone sends some more binary data to setup the stream… I was able to replay the initial packet from a PC and receive the clear text reply. But this only works if the port has been opened via the phone first.<\/p>\n\n\n\n
With no clear routes into the camera via the network I pulled it apart. The camera uses a AllWinner IP Camera SoC. I tried probing all the pads labelled RX\/TX for a serial interface but didn’t have any luck here. <\/p>\n\n\n\n
So, dumped the flash next. <\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Via a raspberry pi using: sudo flashrom -p linux_spi:dev=\/dev\/spidev0.0,spispeed=500K -r m7_firmware.bin<\/p>\n\n\n\n
m7cam<\/a>Download<\/a><\/div>\n\n\n\n
The camera appears to use an OpenWRT fork called Tina Linux. eGON<\/code> header found at beginning of flash, indicating use of Allwinner’s built-in BROM and SPL bootloader. Bootargs suggest a serial console should be present.. so some more hunting may reveal it.<\/p>\n\n\n\n
That’s all for now!<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
More notes.<\/p>\n\n\n\n
The pins on the top right of the board above labeled W-RX0 etc. show an interface which responds only during boot, here is some sample output:<\/p>\n\n\n\n
[74648][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[74649][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[74724][D]ecd.poweron_qrcode 0, ecd.ring_power_off_valid_count 0\n[75051][I]GET_WIFI_DATA(3) len: 9 1\n[75052][I]GET_NET_INFO(25) len: 8 0\n$>Welcome to Wlan Bluetooth Console Tools ......\n$>[75202][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[75202][I]GET_SOME_DATA(7) len: 8 0\n[75724][D]ecd.poweron_qrcode 0, ecd.ring_power_off_valid_count 0\n[75724][I][W0] wifi: 0 81 0 | 335 137, 0(0\/0\/0), 0(0\/0\/0) | 403 0 135 112002 1042001100 | 127320 67068 60252\n[UMAC WARN] sta_add():360, scan entry >= 10, discard rssi lowest one\n[UMAC WARN] sta_add():360, scan entry >= 10, discard rssi lowest one\n[UMAC WARN] sta_add():360, scan entry >= 10, discard rssi lowest one\n[76715][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[76715][I]GET_WIFI_DATA(3) len: 9 1\n[76724][D]ecd.poweron_qrcode 0, ecd.ring_power_off_valid_count 0\n[76724][I][W0] wifi: 0 81 0 | 169 33, 0(0\/0\/0), 0(0\/0\/0) | 403 0 135 112002 1042001100 | 127320 67716 59604\n[76733][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[76738][I]GET_SOME_DATA(7) len: 8 0\n[net INF] msg <wlan scan success>\n[76888][D]NET_CTRL_MSG_WLAN_SCAN_SUCCESS\nen1: Trying to associate with 94:83:c4:6c:98:2c (SSID='youanji1' freq=2412 MHz)\nen1: Associated with 94:83:c4:6c:98:2c\nen1: Clear keys to send no encrypt 4 of 4-way handshake\nen1: WPA: Key negotiation completed with 94:83:c4:6c:98:2c [PTK=CCMP GTK=CCMP]\nen1: CTRL-EVENT-CONNECTED - Connection to 94:83:c4:6c:98:2c completed [id=0 id_str=]\n[net INF] msg <wlan connected>\n[net INF] netif is link up\n[net INF] start DHCP...\n[77267][D]============= dhcp =============\n[77269][D]ip:0.0.0.0\n[77271][D]netmask: 0.0.0.0\n[77274][D]gateway: 0.0.0.0\n[77276][D]dns[0]: 0.0.0.0\n[77279][D]dns[1]: 0.0.0.0\n[77281][D]dns[2]: 0.0.0.0\n[77283][D]dns[3]: 0.0.0.0\n[77286][D]invalid ip\n[77288][D]NET_CTRL_MSG_WLAN_CONNECTED\n[77724][D]ecd.poweron_qrcode 0, ecd.ring_power_off_valid_count 0\n[77724][I][W0] wifi: 0 81 0 | 182 48, 0(0\/0\/0), 98(1\/0\/0) | 403 0 135 112002 1042001100 | 127320 71412 55908\n[77746][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[77746][I]GET_WIFI_DATA(3) len: 9 1\n[77761][D]PACKET_CMD_USER_DATA 5a 51 0 0 64 d2 66 24\n[77761][I]GET_SOME_DATA(7) len: 8 0\n[net INF] netif (IPv4) is up\n[net INF] address: 192.168.8.207\n[net INF] gateway: 192.168.8.1\n[net INF] netmask: 255.255.255.0\n[net INF] msg <network up>\n[78221][D]============= dhcp =============\n[78224][D]ip:192.168.8.207\n[78227][D]netmask: 255.255.255.0<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
I picked up a cheap Wifi security camera on Amazon, it uses a mobile app called “seeing”. Which appears to be that referenced at seeing.store. No ports were open when scanned with nmap. Monitoring traffic on the router indicated it was talking to a remote server (appears to be on Alibaba’s cloud service): With some […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-7518","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-1Xg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/7518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=7518"}],"version-history":[{"count":3,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/7518\/revisions"}],"predecessor-version":[{"id":7533,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/7518\/revisions\/7533"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=7518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=7518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=7518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}