Digoo BB-M2: Hackable cheap WiFi camera

Do you like this post? A regular project like the PlaneSpotter Color takes many hours of my free time to develop and maintain. Would you offer me a beer for my hard work if I was your neighbour? Modern technology called teleportation makes it easy to send me a beer. Just click here. Thank you!

It is amazing what you can get for a few dollars. The Digoo BB-M2  WiFi IP camera is no exception and you can get even more out of it with a few simple tricks that some clever people found out. The camera offers 720p streaming, it contains to stepper motors to remote control the direction and it also has two-way audio capabilities. I guess in no time we will have some cool projects built around it.

Out of the box features

Even without hacking the camera has a lot to offer and I’m just going into the ones I found worth mentioning. The camera has a web interface (listing on port 81) providing different modes of acquiring a stream of images and adjusting the settings. I also managed to watch an rtsp stream on my Mac using VLC. Also surprisingly good is the IR feature which lets you basically see several meters into the dark. You can control the direction of the camera with relatively small steps and the web interface allows you to record and then recall fixed positions, e.g. one pointing to the door, one to the window etc.

 

“REST” API

The web interface is not very secure which makes it easier for unfriendly but also friendly take-over. The following request lets you move the camera to the left one step:

http://CAMERA_IP:81/decoder_control.cgi?loginuse=&loginpas=&command=7&onestep=0

Such a request can be easily issued from a shell script or an ESP8266 to control many features of the camera (hint, hint!).

Here are some commands I reverse engineered until now:

  • decoder_control.cgi
    • command=0: move camera up
      • onestep=0: endless
      • onestep=1: just one step
    • command=1: stop move up (this will be the same for all odd numbered commands)
    • command=2: move camera down
    • command=4: move camera left
    • command=6: move camera right
    • command=31: move camera to preset

 

Getting command line access

Some clever guys (read posts here and here) also found out how to get command line access. The root password could not be cracked (as far as I know) but you can add scripts to the writable part of the filesystem which will be executed automatically during boot up of the camera. To get telnet access do the following:

  1. Open ftp settings
  2. Enter the following as ftp-server: $(killall telnetd)
  3. In the field user enter: $(telnetd -l /bin/sh)
  4. Now click on set up, then on test. This will load a page with the error message “Test … Failed. Can not connect to the server”. This is expected and will start a script that will run as root
  5. Now you can access telnet without password, e.g. telnet CAMERA_IP 23
Digoo BB-M2 Camera – FTP settings for telnet access

There is still some reverse engineering todo. Some guys tried to crack the root password to circumvent the ftp hack but that did not succeed yet. Please leave a comment when that changes.

Digoo BB M2 Console after connecting by telnet

Summary

The Digoo BB-M2 camera is an affordable IP camera that you can hack and extend for your own needs. I recently created a time lapse movie to show my daughter that fresh water freezes quicker than salt water on our balcony (in Swiss winter):

 

Where to buy

Digoo BB-M2 Camera from Banggood (at the time of writing for as little as $20). Use this Coupon-Code to save 15%: BGhouse

 

 

Posted by squix78

4 comments

  1. Amazing price for the hardware, but it seems crazy to me to put such an insecure camera on my network.

    It’d be awesome if one of these cheap camera makers released the source for what is surely an embedded Linux distribution to begin with. My guess is that they are violating the GPL as it is. It would be a huge hit in the Maker community.

  2. So is it possible to password protect it or something like that? So people outside the local network can’t see my feed?

  3. Be careful with these. This looks like it is similar to a bunch of cameras which were hacked for DDOS attacks recently. Many of those use a very insecure cloud protocol which sends data to various servers in China. Some versions you can isolate so they can’t access the internet, others reboot every hour or so if the connection fails.

  4. Nearly all IP cameras or foscam clones (Foscam is a szhenzhen based company) have options in them for DDNS. Not all DDNS services use the same protocols. Thus; what may appear to be “sending data to various servers in Chna” MAY be just the default DDNS which (despite the WEBUI) is ON BY DEFAULT.
    Any secure setup should have a seperate, local LAN for the cameras (With IP FORWARD OFF) and some IPTABLES (Or similar firewalling) preventing unknown traffic from crossing to the outside world.

    In my experience of the past 7 years with these style cameras (and with Unix, Xenix, Linux since 1978) they function reasonably well for the price. But, self-protection = self-preservation.
    Isolate your networks. Then you won’t have to worry about rumours and innuendo.

Leave a Reply