Hacking EC27 IOT Bulb Cameras

──────────────────────────────────────────────────────────────────────────────────

            

Introduction

I bought a very cheap IOT camera that fits right in a light bulb socket years ago, but hadn't actually set it up, and especially hadn't connected it to the Internet. I wasn't about to be the person that gets their camera hacked by some random dude, or have another government surveilling me through my camera. But the other day I came across this thread https://github.com/e27-camera-hack/E27-Camera-Hack/discussions/1 that had me doom scrolling through my commute.

Most out-of-the-box IOT camera apps are paywall blocked, so you'll have to shell out a lot of money to get streaming services or live monitoring alerts, not to mention them having recordings of you and your family's daily lives.

Fortunately, depending on the chipset, there are already open source firmware and hacks available online from people much smarter than I. If you open your camera up, you can easily identify the chip manufacturer and the MCU. My chip is an Anyka v200, so please only follow this guide if yours matches (v300s and v330s should also be supported)! Follow this guide at your own risk; by proceeding you accept responsibility for any damage to yourself and your devices.

To follow this guide you'll need:

──────────────────────────────────────────────────────────────────────────────────
                
            

Set-up

Configure WiFi

Make sure your camera is connected to your home WiFi before proceeding. This is achievable through either the app your camera comes with, or the more advanced serial port -> static file configuration method. Instructions for this are specific to your device, so follow the manufacturer's guide you get. I attempted both methods, and recommend the static connect to wifi router method if available. When the device is powered off and you start the hack, you may lose your connection and soft brick your device. I tried the 'make your camera its own AP' setting and it didn't work at all for this. The app is more annoying, but you can use a specialty spam-filter email, so that once it's set up you can delete it after!

Before you delete your camera app, however, make sure to grab its IP address! To do this, open the app and go to the settings. You should see a list of devices connected to your network. Find your camera and note down its IP address.

Access Your Camera

Once your device is connected to WiFi, open up your computer and get your FTP client ready. You can use something like FileZilla, WinSCP, or vsftpd, depending on your comfort level.

Your FTP parameters will likely be the following, with a blank/empty password. If this doesn't work, a quick Google for " + default ftp credentials" should do the trick.

ftp root@youripaddress

Once you are in, you should see a list of files and folders if in the GUI (or execute "ls" if you chose the command line variant). We want to back up some of our files, but to override system locks, we need to access our device another way. I chose to enable telnet.

But hold up, how are we going to enable telnet when we only have access to FTP?! Good question, diligent reader: there is a file containing a script on the camera called /etc/jffs2/time_zone.sh that executes at device start-up. We have permission to modify this!

All we have to do is open the file up and add telnetd & to the bottom. If you are using the GUI method, you may be able to modify the file directly from your FTP client, or you can just copy the file to your local system, edit it, and then reupload it.

Mine looks like this:

export TZ=GMT+05:00
telnetd &

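Once that file has been modified, restart your camera by turning it off and on again. Because the script runs at every start-up, telnetd will be started on each boot for as long as that line stays in the file.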

──────────────────────────────────────────────────────────────────────────────────
                
            

Backups

Now that we have telnet enabled, we are able to access the dev partitions to back them up! Open up your terminal and type in the following command:

telnet youripaddress

Feel free to go nuts with the file backups; the camera itself doesn't have a lot of storage. If you want to be selective with your backups, you need at a minimum /usr and /etc/jffs2, especially the /etc/jffs2/isp_xxx.conf file.

To copy the dev partitions, first save them to a local file, then copy them to your computer:

cat /dev/mtd0 > mtd0.bin
cat /dev/mtd1 > mtd1.bin
# until
cat /dev/mtd6 > mtd6.bin

These files will take a bit, but will be worth it in case something gets messed up.
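An added example (not from the original post): instead of typing one cat per partition, this loop reads the partition list from /proc/mtd and compares each dump with the size listed there, so a truncated dump is caught before you rely on it. It assumes the camera's kernel exposes /proc/mtd, as Linux MTD systems normally do, and a BusyBox-style sh; /mnt/backup is a placeholder for wherever you have free space.

```shell
#!/bin/sh
# Added example: dump every MTD partition the kernel lists and verify each size.
# Usage on the camera: sh dump_mtd.sh /proc/mtd /dev /mnt/backup
# (/mnt/backup is a placeholder output directory, not a path from the guide.)

# dump_mtd PROC_MTD DEV_DIR OUT_DIR
# PROC_MTD lines look like:  mtd0: 00040000 00010000 "name"   (sizes in hex)
dump_mtd() {
    proc_mtd=$1; dev_dir=$2; out_dir=$3; rc=0
    mkdir -p "$out_dir" || return 1
    while read -r dev size _erase name; do
        # Skip the "dev: size erasesize name" header and anything unexpected.
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac
        dev=${dev%:}
        want=$((0x$size))
        if ! cat "$dev_dir/$dev" > "$out_dir/$dev.bin"; then
            echo "$dev $name: read failed" >&2; rc=1; continue
        fi
        got=$(( $(wc -c < "$out_dir/$dev.bin") ))
        if [ "$got" -eq "$want" ]; then
            echo "$dev $name: $got bytes, matches /proc/mtd"
        else
            echo "$dev $name: got $got of $want bytes, dump again" >&2; rc=1
        fi
    done < "$proc_mtd"
    return "$rc"
}

# Only run when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then dump_mtd "$@"; fi
```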

While we are still logged in, double check that your drivers in /usr/modules/ are included in the list below. These files end in .ko

Camera Sensors:

WiFi Sensors:

If these drivers do not match, you will have to put together your own custom hack with these drivers.

──────────────────────────────────────────────────────────────────────────────────
                
            

The Upload Vulnerability

Security researchers found this "feature" in the cameras that allows updates to be fed to the device via a micro-SD card automatically on boot-up. This is processed at a root level, so anyone with physical access to the camera and its power supply can execute custom code. So, please only do this for cameras you are authorized to use.

Update files must be named "update.tar", placed in a folder named "update" in the root of your micro-SD card, and contain SquashFS archive files of the /usr/ and /etc/ directories along with any other changes that need to be fed to the system, with each directory being its own SquashFS file.

SD Card Root - 
    update /
        update.tar 
            fw_version  #must be your exact firmware version
            root.sqsh4  #contains your etc/ and bin/ 
            usr.sqsh4   #contains your usr/

This GitHub release https://github.com/MuhammedKalkan/Anyka-Camera-Firmware/releases/download/1.0.4/update.tar has good pre-made firmware, which I wound up using for my camera.

Create Custom Update Files

To create your own squash files (at your own risk):

#root.sqsh4:
 mkdir camera-root
 # move the backed-up etc/ and bin/ trees into the staging directory
 mv backups/etc/ camera-root
 mv backups/bin/ camera-root
 mksquashfs camera-root root.sqsh4 -comp xz -Xdict-size 100%

#usr.sqsh4:
 mkdir camera-usr
 # move the backed-up usr/ tree into its own staging directory
 mv backups/usr/ camera-usr
 mksquashfs camera-usr usr.sqsh4 -comp xz -Xdict-size 100%

#update.tar:
 mkdir update
 mv root.sqsh4 update
 mv usr.sqsh4 update
 # fw_version must hold your exact firmware version
 mv fw_version update
 tar -cvf update.tar update
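
A pre-flight check for the archive described above, added here as an example and not part of the original guide or the linked firmware project: it confirms the three members are present, that fw_version equals the string you pass in (taken from your own camera), and that both .sqsh4 files begin with the SquashFS magic. Matching members by file name at any depth inside the archive is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check of an update.tar before it goes on the SD card.
# Usage: sh check_update.sh update.tar "<fw_version string from your camera>"

# check_update TARFILE EXPECTED_FW_VERSION
check_update() {
    tarfile=$1; expected=$2; rc=0
    # List only; nothing from the archive is unpacked onto this machine.
    members=$(tar -tf "$tarfile") || { echo "cannot read $tarfile" >&2; return 1; }
    for name in fw_version root.sqsh4 usr.sqsh4; do
        # Assumption: match by file name at any depth inside the archive.
        member=$(printf '%s\n' "$members" |
                 awk -F/ -v n="$name" '$NF == n { print; exit }')
        if [ -z "$member" ]; then
            echo "missing member: $name" >&2; rc=1; continue
        fi
        case $name in
        fw_version)
            # Stream the member to stdout and compare it with the camera's version.
            found=$(tar -xOf "$tarfile" "$member")
            if [ "$found" != "$expected" ]; then
                echo "fw_version is '$found', camera has '$expected'" >&2; rc=1
            fi ;;
        *.sqsh4)
            # A little-endian SquashFS image starts with the bytes "hsqs".
            magic=$(tar -xOf "$tarfile" "$member" | head -c 4)
            if [ "$magic" != "hsqs" ]; then
                echo "$name does not start with the SquashFS magic" >&2; rc=1
            fi ;;
        esac
    done
    return "$rc"
}

# Only run when called with the two arguments shown in the usage line.
if [ "$#" -eq 2 ]; then check_update "$@"; fi
```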

Sending the Hack

Once we have the SD card prepped with the update.tar file, go ahead and power off your camera, put the card in, and power it on again. Upon startup, you should hear something along the lines of "Update in progress" and then "System update complete". After this, remove the SD card so you don't forget about it and re-apply the same update later. The update process removes the /etc/jffs2/isp_xxx.conf file to prevent update loops, so you will have to copy this file, which you made sure to save earlier, back to its rightful location via telnet, then restart the camera again!

──────────────────────────────────────────────────────────────────────────────────
                
            

New Camera Features

That should be it as far as hacking goes! The firmware I chose to use enables RTSP feeds (high-res and low-res, respectively) at:

rtsp://ipaddress:554/vs0 and rtsp://ipaddress:554/vs1

and camera Web UI controls at:

http://ipaddress:8080

To access the RTSP streams, you can use something like VLC Media viewer (compatible with both Windows and Linux).

From here you can do some cool stuff like integrate this into Smart Homes, monitoring apps like BlueIris, or anything else under the sun that supports these feeds. I didn't get that fancy, but I definitely want to see all the cool stuff you all can do.

──────────────────────────────────────────────────────────────────────────────────
                
            

Advanced Method - Serial Port (rx-tx ports)

If you are a super hacker and want full and absolute access to the underlying firmware, there are Rx Tx ports on the circuit board you can solder to and access from your computer. As many of you know, with great experience comes trial and error. I was very opposed to setting up the YI IOT app that you are supposed to use to set the device up, so I figured sending the update with the wifi-data pre-baked would work... It did not!! TL;DR: I bricked the first camera I got, so I tried this method! But I am not nearly advanced enough to solder to a very cheap circuit board as such, lol. My poor soldering job snapped clean off and broke the copper around the board along with it, so all my hopes and dreams were crushed, but this is how I would have done it if I was better! I could go into l33t h4ck3r mode and enlist my boyfriend to hold the wires to the board while I add the wifi configuration (contained in /etc/jffs2/anyka_conf.ini) manually, but I will update that if that ever happens!

Conclusion

So now you can use the cheap camera you definitely didn't get off Ali-Express without having to worry too much about the men spying on you and your family or your data being sold off to the abyss. Hopefully this makes your hardware hacking experience much easier than mine was! lol