Monday, March 27, 2017

Hacking Xfinity's Home Security Cameras, part 3

So we discontinued our Xfinity Home subscription (which isn't a statement against the service; we moved out of the Xfinity service area and into a Cox service area and opted not to install their home security package) several months ago.  Of course I took down the Xfinity cameras before we moved, and they've been in storage since.  Last night, I finally dug them out and set about getting them working -- without the touchscreen and security router that Xfinity had them set up for.  This blog post is mostly so I will remember how I did it, because all the information is out there, but it's not all correct (for my cameras, at least).

The problem, of course, is that when the cameras were paired to the Xfinity touchscreen/router/system, passwords were set to view the feeds, and to administer the cameras.  It's possible to get the cameras onto another Wifi by pressing the reset button for a few seconds (putting it into a WPS pairing mode) and then pressing the WPS button on your router.  But this is of no use if you don't know the passwords to get into the camera.

(First things first: use the power+ethernet dongle that you cleverly had the Xfinity tech leave you when he installed the cameras so that you can put them on your hardwired LAN.  Do that now.)

So, for the iCamera2 cameras, the information I found online says that the default username is "administrator" and the default password is a blank password.  This, obviously, didn't work with my camera because it was paired with the Xfinity system.  Additionally, the firmware that was loaded onto the camera doesn't have a web UI by default.  (But, if you have the password, you can enable it with a request to /adm/enable_ui.cgi.)

As an aside, I did try updating the firmware, thinking that might reset the password. I found a list of available firmware images in a comment on this blog post, which was a welcome find. I'll repeat his list here for convenience's sake:

iCamera1000 Firmware Files

http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-105-1002R08.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R17.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R19.bin
http://edge.xfinity-home.top.comcast.net/firmware/DYW9HZ-308-1002R22.bin

iCamera2 Firmware Files

http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-104-300114.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300124.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-105-300126.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300128.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-106-300129.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-108-300132.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300229.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-110-300230.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300235.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300238.bin
http://edge.xfinity-home.top.comcast.net/firmware/DAXNHZ-111-300239.bin

The online information also suggested that one should hold the reset button while applying power to the camera.  This appears to put the camera into some kind of recovery mode where the power LED flashes rapidly.  I was not able to see the camera perform any sort of initialization or DHCP request or anything, but eventually figured out that it had just assumed a 192.168.0.99 IP address.  I was able to communicate with it on that address, but the only thing available seemed to be a firmware update page, from which I could upload new firmware images (and have them installed) but that was it.

What I eventually worked out as the solution was to let the camera power on normally, then press and hold the reset button for some 30 seconds.  I did not see any indications that this did anything, but it looks like this resets the camera into a setup mode where the touchscreen can pair it.  After performing this step, I was able to access the camera using curl from my Linux box:

# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=NETWORK&dns_server=10.0.0.1&dns_type=1'
OK
# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=HTTP&https_mode=1&http_mode=1'
OK
# curl --basic --user administrator: 'http://10.0.1.133/adm/set_group.cgi?group=USER&admin_name=root&admin_password=&login_check=1&user1=%2C'
OK
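
Added example, not part of the original post: the set_group.cgi commands above place each setting directly in the query string, so a new admin password containing "&" or "=" would be cut short if typed in raw (assuming the camera parses the query string in the ordinary way). The helper names urlencode, set_group_url and query_value and the sample password are constructed for illustration.

```sh
#!/bin/sh
# Constructed example: build /adm/set_group.cgi URLs with every value
# percent-encoded so the setting reaches the camera intact.

# Percent-encode an ASCII string; RFC 3986 unreserved characters pass through.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        s=$rest
        case $c in
            [a-zA-Z0-9.~_-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# usage: set_group_url HOST GROUP key=value [key=value ...]
set_group_url() (
    host=$1 group=$2
    shift 2
    url="http://$host/adm/set_group.cgi?group=$(urlencode "$group")"
    for kv in "$@"; do
        url="$url&${kv%%=*}=$(urlencode "${kv#*=}")"
    done
    printf '%s' "$url"
)

# Raw (still encoded) value that a standard query-string parser reads for KEY.
# Assumption: the camera splits the query on '&' like any other CGI.
query_value() (
    query=${1#*\?} key=$2
    IFS='&'; set -f
    for pair in $query; do
        if [ "${pair%%=*}" = "$key" ]; then
            printf '%s' "${pair#*=}"
            break
        fi
    done
)

# Usage with the address from the post and a constructed sample password:
# curl --basic --user administrator: \
#   "$(set_group_url 10.0.1.133 USER admin_name=root 'admin_password=p&ss=1' login_check=1 user1=,)"
```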

Of course, at this point I went to the web UI to verify that the password I'd just set was working. And it was. Thinking about it now, I'm wondering if once reset this way, the web UI is not disabled anymore. If not (that is, if the web UI is disabled and browsing to the camera yields a 404 error), it can be re-enabled with:

# curl --basic --user '<admin-user>:<admin-password>' 'http://<camera-ip>/adm/enable_ui.cgi'


This was enough to get me into the camera's configuration UI and able to set up everything there. I will be repeating this with additional cameras later on, so I'll update this further if anything else becomes apparent. But, in case it helps anyone else, these were the steps I took and what I ended up with.