PPPP API: what I know

While analyzing security of iMiniCam app, I learned some part of UDP protocol used to communicate with the camera. Here is quick bunch of facts.

UDP layer

Port 32100 (Proto_Hello, to external server) and port 32108 (others, to camera).

Type-length layer

Following structure represents first header that is always found in datagram.

struct header {
  uint8_t magic;
  enum proto_type type;
  uint16_t length;
}

In this structure magic is always set to 0xf1, type is one of the below values, packed on single byte and length count data that follows this packet, so if it is equal to zero, only those four bytes are transmitted.

Packet types

These are all the types present in binary, I was reverse engineering. Names are derived from function names that crafts their content, so i.e. for Proto_DevLgn that is equal to 0x10 there exists function PPPP_Proto_Write_DevLgn, PPPP_Proto_Read_DevLgn and PPPP_Proto_Send_DevLgn.

enum proto_type {
  Proto_Hello = 0;
  Proto_HelloAck = 1;
  Proto_HelloTo = 2;
  Proto_HelloToAck = 3;
  Proto_QueryDID = 8;
  Proto_QueryDIDAck = 9;
  Proto_DevLgn = 0x10;
  Proto_DevLgnAck = 0x11;
  Proto_DevLgn_CRC = 0x12;
  Proto_DevLgn1_CRC = 0x13;
  Proto_P2PReq = 0x20;
  Proto_P2PReqAck = 0x21;
  Proto_LanSerch = 0x30;
  Proto_PunchTo = 0x40;
  Proto_PunchPkt = 0x41;
  Proto_P2PRdy = 0x42;
  Proto_RSLgn = 0x60;
  Proto_RSLgnAck = 0x61;
  Proto_RSLgn1 = 0x62;
  Proto_RSLgn1Ack = 0x63;
  Proto_ListReq1 = 0x67;
  Proto_ListReq = 0x68;
  Proto_ListReqAck = 0x69;
  Proto_RlyHello = 0x70;
  Proto_RlyHelloAck = 0x71;
  Proto_RlyPort = 0x72;
  Proto_RlyPortAck = 0x73;
  Proto_ByteCount = 0x78;
  Proto_RlyReq = 0x80;
  Proto_RlyReqAck = 0x81;
  Proto_RlyTo = 0x82;
  Proto_RlyPkt = 0x83;
  Proto_RlyRdy = 0x84;
  Proto_SDevRun = 0x90;
  Proto_SDevLgn = 0x91;
  Proto_SDevLgn_CRC = 0x92;
  Proto_DRWAck = 0xd1;
  Proto_PSR = 0xd8;
  Proto_Alive = 0xe0;
  Proto_AliveAck = 0xe1;
  Proto_Close = 0xf0;
  Proto_MGMDumpLoginDID = 0xf4;
  Proto_MGMDumpLoginDIDDetail = 0xf5;
  Proto_MGMDumpLoginDID1 = 0xf6;
  Proto_MGMLogControl = 0xf7;
  Proto_MGMRemoteManagement = 0xf8;
}

Proto_Hello

This packet’s content is empty (length=0). Sent to external server. Response is Proto_HelloAck.

Proto_HelloAck

Length is 0x10. Content is according to following structure:

struct HelloAck {
  struct sockaddr_in wan_addr;
}

Final word

I hope this very quick introduction will help someone and will lead to documenting the protocol, in enough part, that it will be possible to develop open source client application able to communicate with the cameras using it.

[Import]Airlive WN-151ARM UART pinout & root access

NOTE: This post was imported from my previous blog – v3l0c1r4pt0r.tk. It was originally published on 24th November 2015.

Airlive WN-151ARM pinout

For curious ones. Here is pinout of serial connection. As you can see UART pins are at J4 header (should have pin 4 labeled and 1 be square).

J4 header
Num. Function
1 VCC
2 RX
3 TX
4 GND

Edit: Oh, and one more thing: goldpin header, you see in the picture is soldered by me, so do not be surprised if you have to hold wires all the time during the transmission.

Root access

There is also possibility to gain root access without removing the cover and possibly voiding the warranty. You have to connect to router’s AP and enter

http://192.168.1.254/system_command.htm

into your browser (panel authentication required). Now you can execute any command you want with root privileges! So let’s type

/usr/sbin/utelnetd -d &

into Console command field and press Execute button. If everything went well, you should now be able to connect to your router using telnet at its default TCP port 23. After that you should see BusyBox banner and command prompt.

It is worth noting that this hidden console cannot be accessed by unauthorized person, so only router administrator can use this (in theory, in practice there are surely a lot of routers using default credentials and security of httpd binary is unknown).

[Import]TP-Link TD-W8901G UART pinout

NOTE: This post was imported from my previous blog – v3l0c1r4pt0r.tk. It was originally published on 31st May 2014.

Some people might wonder: what is the pinout of my router’s serial connection. If you’re a happy owner of TP-Link TD-W8901G and asking that yourself, here is the answer:

TP-Link TD-W8901G’s pinout

In the link below there is also this router’s pinout and moreover author states that to make that port working there is a need to modify some resistors. I have V3.5 of that router and didn’t notice any mod to be necessary.

It is possible to solder goldpins in here and router so far haven’t fried. Of course you can try communicating without stable connection and it even works but after training your fingers while waiting for the firmware download/upload to complete you’ll change your mind, I guarantee:).

PS: that model is the one that was one of the victims of massive DNS changing some time ago so if this is the one you’re using as your bridge to the Internet you may be also interested in this.

PS2: if you have another router and want to find out what is the serial port pinout I recommend going here.