Blog:

Ghost hardware. Tearing down and analysing ghost hunting devices

Dave Null 30 Mar 2016

The Problem: Ghosts

What Philosopher Arthur Koestler probably didn’t have in mind while coining the term “the ghost in the machine” to describe Cartesian Dualism was that some people would someday build machines to try to detect paranormal activity. Indeed, as technology has progressed in the past decades, an increasing number of technologies have been developed which can be used to more easily find and interact with ghosts.

Ghosts, as many people know, are the great menace of our time. They’re the malware of the living world.

Ghosts are responsible for all manner of disruptions in our reality. From the common-garden spook to the chaotic poltergeist, the ongoing struggle to find and disarm problematic ghosts is left to only a select few groups of “ghost hunters” who dedicate their time and expertise to track down and engage with disruptive spirits, with the hopes of banishing them from the living world once and for all.

As part of our ongoing dedication to all things hardware, we’ve been spending a bit of time here at PTP buying and tearing down ghost-hunting hardware. It’s our hope that, with an increase in transparency over the issues identified in ghost hunting hardware, these technologies can improve over time to become more resilient to malicious spirits.

The Market

The ghost-hunting hardware market is interesting in its idiosyncrasies. While many people might balk at the idea of “ghost hunting hardware” – after all, what can a simple machine do to aid the discovery of ghosts? – the hardware vendors in this market are usually very honest in their descriptions about what the hardware actually does.

The products developed in this market rely on feedback from ghost hunters who have, over some generations, discovered a set of foundational principles of the physical properties of ghosts.

Ghosts, as we now know, communicate on frequencies only slightly peripheral to those used day-to-day by the living. For that reason, ghost-directed hardware is developed to probe and examine the electromagnetic, ultraviolet and near infrared spectra.

For that reason, we’ve decided to take a look at a relatively sensible sample of ghost-hunting products on the market today.

Our Overall Conclusions

If you’re thinking of buying and using any kind of ghost hunting hardware  – know the risks! Make sure you only use professional gear – hardened from tampering or interception from ghouls or other malicious spirits.

There’s currently so many problems with this hardware that you may well be opening yourself up to more risk simply by using these in the field. You may want to weigh up the potential risks vs the potential gains you might make by using hardware like this.

You may also want to consider the costs of buying equipment like this off-the-shelf, vs making very minor modifications yourself. Some of the equipment we tested sold for up to five times the list price of the OEM hardware. Only really minor modifications were made – if any!

Also, make sure it works as expected. There’s currently very little oversight in the ghost hunting hardware market. There’s no ombudsman, and no repercussions for vendors selling hardware which doesn’t do what it advertises. There’s some crooks out there, taking advantage of this relatively unregulated market.

So, however often you’re out there hunting ghosts, remember that threats might come from the tools you’re using, the people you buy products from, on top of the ghosts you’re hunting. Please, stay safe out there.

Without further ado, here’s the first review…

Ghost hunting device No.1, the Ghost Pro

The first piece of kit we’ll be looking at is a full spectrum camera – colloquially known as a “Ghost Pro”. Full spectrum cameras are supposed to allow you to see beyond the visible spectrum, into the infrared and ultraviolet ranges. This one has Wi-Fi as well, for ease of remote control.

There’s a few questions we wanted to answer with this one. Who’s the camera actually made by? Action cameras, unless they’re by very well-known brands, are very often rebadged OEM hardware with very minimal tweaks (if any). How can we be certain that the hardware is produced to the standard demanded by ghost-adjacent professionals?

The second thing we wanted to know is: are there any vulnerabilities in this product which might lead to damage, disruption, or theft? While many ghosts are currently known to be technologically illiterate, it’s only a matter of time before more technically savvy ghosts start to appear. How can we be sure that these technologies will be resilient to emerging threats such as hacker ghosts?

Finally, a question on price. What makes it worth $160? Action cameras are, in general, alarmingly cheap. Do the supposed hardware modifications allowing visual access to the UV and IR spectra in this camera justify the extreme bump in price?

The Body

The camera comes in a very similar package to most other action cameras. It’s small, grey, plastic, and relatively sturdy. It says “4K” and “Wi-Fi” on it – both of which are the advertised key functionalities of this product.

We can answer one question relatively easily. One of the most telling signs of which OEM product we’re dealing with can be ascertained by seeing which mobile application it tells you to download. In this case, it’s the “Ez iCam” app, so we can download that from the Play Store, pull the APK out and decompile it.

It’s evident from the decompiled APK that this is most likely an Eken camera.

Eken cameras aren’t known for their high price-points. The question of price can be also, at least, be partially answered.

A model number would be useful, to find out how much comparable a run-of-the-mill supernatural-neutral camera would cost. Luckily, once we’ve got the camera up and running, and the Wi-Fi functionality turned on, the SSID gives that away.

So, this particular Ghost Pro is almost certainly an Eken H9 at its core. They can go for between 30 and 50 USD on the primary market.

Since we paid $160, this feels like a bit of a rip-off. But let’s give them the benefit of the doubt for now – the vendor claims to have made considerable hardware modifications to bring this camera up to the task of full-spectrum video capture. Indeed, whether or not we’ve been ripped off might not be a question we can answer fully (since it’ll be nigh-on impossible to prove or disprove how much those modifications might have cost), but we can certainly take apart our camera to see what special addons it might have.

OSINT, but for a camera

Action camera owners are notorious hobbyists – meaning there’s a huge amount of information about these cameras and their internals online. Some figures in the action camera community have spent their time creating software to interact with these cameras, such as aftermarket firmware flashing tools. These tools are then used by other enthusiasts to extend the functionality of their otherwise relatively limited cameras.

There’s quite a few internal shots of various stock models of Eken camera online. There’s also quite a decent rundown of the internals on the FCC site (https://fccid.io/2ADDG-H9/Internal-Photos/Internal-photos-2784785 and https://fccid.io/2ADDG-H9-1/Internal-Photos/Internal-Photos-3647889). A few users have taken it upon themselves to teardown and document the internals of their Eken H9s as well https://www.goprawn.com/forum/sunplus-cams/148-eken-h9-spca6350-teardown.

This also means we have a good benchmark of what the internals of a “normal” (non-ghost-specific) Eken H9 look like.

Back to our board

The “Ghost Pro” board looks largely as expected, from what we’ve seen during the OSINT. It’s a different board revision than those we could find documented online. But the functionality looks largely similar.

These were the ICs found on the board:

  • iCatch SPCA6350A MCU
  • RealTek 8189ETV Wi-Fi Module
  • MXD 64M RAM
  • APX192 Power Management IC
  • XMD QH64AHIG SPI Flash

Some previous board revisions of the Ekan H9 seem to have obvious UART serial interfaces, which supposedly provide some kind of shell. However, there was nothing like this to be found on our “Ghost Pro”. Perhaps the manufacturers are comfortable that their PCB design is mature enough that they don’t require debug access to every single production device.

The design is based around the iCatch MCU. iCatch seem to design and make a lot of cameras, but it wasn’t that easy to find a datasheet for the SPCA6350A MCU.


The iCatch MCU


The RealTek Wi-Fi module.


Most probably the Wi-Fi antennae.


The lens/sensor ribbon cable, with part number markings.

We were expecting, if anything, to maybe find a custom sensor on our “Ghost Pro”, to justify the cost increase. On the FCC website, mentioned earlier, there’s a good picture of the Eken H9 stock sensor.

The markings are as follows:

  • H9 SENSOR
  • OV4689
  • 20150618-MH
  • JPZ

Hmm. It appears that our “Ghost Pro” has exactly the same sensor as the stock Eken H9. This likely precludes this camera from being a “custom” full-spectrum camera.

However it is much more likely that the vendor has taken an OEM product, removed the infrared filter, and resold it at 5x the price. You can find out how to remove an IR filter yourself all over the internet (e.g. https://www.youtube.com/watch?v=_288yeSB1G4).

There was also an interesting-looking bit of ground copper on the side of the board, just above the MCU.

Perhaps this was where factory test pads had been during the manufacture testing process? They look quite harshly ground off. There didn’t appear to be any activity in that area, from the look of the oscilloscope. So regardless, it’s an interesting insight into how this board might have been produced.

Anyway, there seemed to be no hardware modifications made to distinguish the “Ghost Pro” from an off-the-shelf Eken H9. Any “full spectrum” functionality is probably implemented at firmware level, rather than hardware. Which almost certainly precludes it from being literally “full spectrum”.

Getting a baseline

Now we’ve established that the “Ghost Pro” is just a stock Eken H9, it’s a good time to start looking at dynamic functionality. We can start by looking at what the camera does under normal working conditions. So, after installing the Ez iCam app on a test phone, pairing it with the camera, we can dump traffic while trying to use it under normal conditions.

In practice, this proved to be slightly difficult, as the app kept crashing and it wasn’t possible to get a reliable video stream out of it. However, some relatively interesting pcaps did emerge from the chaos.

The camera uses Picture Transfer Protocol over IP (PTP/IP) as its main communication mechanism. That runs on port 15740. An Eken hacker previously blogged about the various transport protocols they observed in use on the Eken, which you can read here http://hackeken.blogspot.co.uk/2017/01/reverse-engineering-eken-android-app.html.

The app also attempts to set up an RTSP connection on port 554, with the URL rtsp://192.168.1.1/MJPG?W=640&H=360&Q=50&BR=500000. Assumedly, each parameter dictates the width, height, quality and bit-rate, respectively. The conversation between the app and the camera looks relatively sane in the pcap:

But, unfortunately, after flailing around for a bit, the app crashes. This does not, I imagine, meet the level of application stability required for a professional ghost hunt.

After quite a few hours of swearing and sweating, it was possible to take a few photos with the app and transfer them back from the camera to the phone.

From the packet capture of that session, it’s evident that all file transfer (of images, videos etc) is done over FTP.

That’s the username wificam and the password wificam.

It should also be noted that the Ez iCam mobile application seems to ping a limited amount of user metadata back to a server at sport.ez-icam.com.

This feel extraneous – certainly not the kind of cellular traffic I’d like pinging around the place while trying to hunt ghosts.

The hardest part of IoT hacking is making the thing work normally

After struggling with the app for long enough, a connection was made to the camera Wi-Fi AP with a laptop. Of course, it was possible to find the hard-coded Wi-Fi password in the decompiled APK.

It’s “1234567890”. There doesn’t appear to be any way to change this.

So, it was easy enough to connect to the “Ghost Pro” AP, and start poking around. Once connected, we could scan for open ports with nmap.

We have all three services we were expecting. There’s RTSP for the video content and the PTP/IP port for configuration and control communications (although nmap falls back to “tcpwrapped” when trying to figure out what port 15740 does).

Conveniently, the FTP port is also left open. By using what we learned from the earlier packet capture, it’s possible to connect to the FTP service and download files from the camera.

Since the files seem to have sequential names – it would be trivial to download everything off this thing relatively quickly once on the AP.

It was also possible to delete files from the camera as well:

That’s not ideal. Any malicious spirit with access to an FTP client could easily wipe evidence from the “Ghost Pro”.

As it turns out, there’s also no need to use the “wificam” credentials either – the camera will accept anything at all. Here’s what a malicious spirit might see, if they were trying to log into the server:

That’s not ideal at all.

Unauthorized Streaming

Since again there’s no further authentication, it’s also trivially possible to view the RTSP stream once you’re on the AP. Furthermore, it seems that there’s no real need to use the special rtsp:// URI either – as nmap shows:

We can basically view the stream using almost any common URI. With a tool like mplayer, this is really easy. We can simply run

mplayer -x 360 -y 480 rtsp://192.168.1.1/

and we’ll get back something like this:

Or this:

Not exactly optimised – but you get the idea.

Some Light Fuzzing

It’s often a good idea to lightly fuzz devices if you’re concerned that they might not have been properly hardened against malicious forces. In this case, a very light run of fuzzing was conducted using an RTSP DESCRIBE packet and radamsa.

Radamsa’s a really nice tool, especially for quick studies like this. After dumping a DESCRIBE request out of one of the pcap files, a quick fuzz was conducted like so:

radamsa -o 192.168.1.1:554 -n 100 ./DESCRIBE.bin

After a few seconds, the RTSP service went down. The culprit was found to be a single packet, similar to the following:

DESCRIBE rtsp://192.168.1.1/MJPG?W=640&H=360&Q=50&BR=340282366920938463463374607431773211456 RTSP/1.0
 CSeq: 170141183460469231731687303715884105728
 [User-Agent: ICatchMedia (LIVE555 Streaming Media v34780.06.5)
 Accept: application/sdp

Perhaps it was the request for an extremely unreasonable bitrate. But when the packet is replayed to the camera, the networking seems to go down entirely:

So – perhaps a simple DoS attack, against a camera you don’t want to record you? There’s no doubt a savvy ghost would include an attack like this in their arsenal.

Overview

So – what have we learned? We now know there are some security issues with the “Ghost Pro”, and therefore probably most Eken cameras.

  1. There’s a hard-coded Wi-Fi AP password (“1234567890”), which you can’t change.
  2. Once you’re attached to the Wi-Fi AP, you can connect to the FTP service on the camera and download all the files.
  3. Once you’re attached to the Wi-Fi, you can connect to the FTP service on the camera and wipe all the files.
  4. Once you’re attached to the Wi-Fi, you can view the video stream without any further authentication.
  5. Once you’re attached to the Wi-Fi, the RTSP service can be very easily crashed by sending a single, slightly malformed packet.
  6. Since there’s no way to change the password, there’s no way to protect yourself from spirits.

Any one of these issues might be leveraged by a malicious spirit, and lead to disruptions of ghost hunting activity.

We also now know that the internals of this particular “Ghost Pro” action camera are physically exactly the same as an off-the-shelf Eken H9.

There’s also full review of ghost hunting device No.2, the Boo Buddy, and  ghost hunting device No.3, the Ghost Rover.