{"id":50337331,"url":"https://github.com/fdb/reverse-engineering-ip-camera","last_synced_at":"2026-05-29T14:30:44.359Z","repository":{"id":351495450,"uuid":"1211166711","full_name":"fdb/reverse-engineering-ip-camera","owner":"fdb","description":"Reverse engineering a cheap Chinese Kalay / CS2 PPPP IP camera — MITM pipeline, protocol documentation, and a privacy-preserving alternative to the vendor app.","archived":false,"fork":false,"pushed_at":"2026-04-15T07:44:40.000Z","size":147,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-15T09:38:21.795Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fdb.png","metadata":{"files":{"readme":"docs/README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-15T06:08:30.000Z","updated_at":"2026-04-15T07:44:44.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fdb/reverse-engineering-ip-camera","commit_stats":null,"previous_names":["fdb/reverse-engineering-ip-camera"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/fdb/reverse-engineering-ip-camera","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdb%2Freverse-engineering-ip-camera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdb%2Freverse-engineering-ip-camera/tags","releases_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/fdb%2Freverse-engineering-ip-camera/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdb%2Freverse-engineering-ip-camera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fdb","download_url":"https://codeload.github.com/fdb/reverse-engineering-ip-camera/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fdb%2Freverse-engineering-ip-camera/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33657690,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-29T14:30:43.745Z","updated_at":"2026-05-29T14:30:44.350Z","avatar_url":"https://github.com/fdb.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloudbirds IP Cam — Reverse Engineering Documentation\n\nThis directory is the **living knowledge base** for the project. Update it\nwhenever you learn something new. Nothing here is final; every file should\ngrow over time as the picture gets clearer.\n\n## About this project\n\nThis is **security research on a device I own**, performed on **my own\nnetwork**, for **my own use**. 
The goal is to understand and control a\ncheap commercial IP camera so that it doesn’t send my Wi-Fi credentials\nand video stream to a Chinese cloud I have no trust relationship with.\n\nThings this project deliberately does **not** do:\n\n- Redistribute vendor binaries (the APK, decompiled sources, and native\n  `.so` files are all `.gitignore`'d — reproduce from the publicly\n  available APK if you want them)\n- Attack devices or cloud services owned by others\n- Publish vendor secrets beyond what’s needed to explain the attack\n- Aid in mass exploitation of cameras in the wild\n\nThe code and documentation are shared so that other people investigating\nthe Qianniao / Kalay / CS2 PPPP OEM family — which ships in dozens of\nbrands — have a reference to work from. Everything here applies, with\nvarying degrees of adaptation, to Yoosee, Sricam, V380, YI, HapSee, and\nmany other app brands that share the same backend stack.\n\n## How to build the static site\n\nThe `docs/*.md` files are plain markdown. Run:\n\n```sh\npython3 build_docs.py\n```\n\nfrom the project root, which writes `dist/*.html` — a VuePress-style\nstatic site you can open in any browser. Every time you change anything\nin `docs/`, rebuild.\n\n## Who this is for\n\nAnyone (including a future you, or a new Claude session) picking up the\nproject from cold. The goal is that reading `docs/` in order should teach\nthe reader:\n\n1. What we are trying to do and why\n2. What the camera actually is (hardware + software stack)\n3. Which cloud services it talks to and what it asks them\n4. The exact wire format of every protocol it speaks (with provenance\n   tags on every claim so you can tell observation from inference)\n5. How our MITM interception works, end to end\n6. Which scripts do what, and how to run them\n7. Chronological history of what we’ve learned so far\n8. What we still don’t know and the next things to try\n9. 
How to debug when the pipeline misbehaves\n10. What parts of this work transfer to other cams in the same OEM family\n\n## Reading order\n\nThe files are numbered in a suggested reading order. You can skip around\nfreely — each file stands alone as a reference — but if you’re new to\nthe project, read them in sequence.\n\n| # | File | Topic |\n|---|---|---|\n| 00 | [overview.md](00-overview.md) | Goals, current state, headline results |\n| 01 | [hardware.md](01-hardware.md) | Device identity, OEM family, DID encoding |\n| 02 | [architecture.md](02-architecture.md) | Software stack, native libraries |\n| 03 | [cloud-topology.md](03-cloud-topology.md) | Hostnames, IPs, cloud services |\n| 04 | [wire-format-kalay.md](04-wire-format-kalay.md) | Kalay UDP protocol — every type we’ve seen |\n| 05 | [wire-format-cbs.md](05-wire-format-cbs.md) | CBS HTTPS control plane |\n| 06 | [state-machine.md](06-state-machine.md) | Cam lifecycle from boot to idle |\n| 07 | [defenses.md](07-defenses.md) | Vendor security features and what we break |\n| 08 | [attack-chain.md](08-attack-chain.md) | Full interception architecture |\n| 09 | [router-setup.md](09-router-setup.md) | UDM dnsmasq + iptables, ephemeral script-shaped setup |\n| 10 | [mitm-mac-side.md](10-mitm-mac-side.md) | Starting, verifying, and stopping the Mac-side MITM proxies |\n| 11 | [tooling.md](11-tooling.md) | Every script, flag, and log location |\n| 12 | [session-log.md](12-session-log.md) | Chronological RE progress |\n| 13 | [open-questions.md](13-open-questions.md) | Known unknowns, ordered by priority |\n| 14 | [next-steps.md](14-next-steps.md) | Concrete actions to take next |\n| 15 | [glossary.md](15-glossary.md) | Terms, acronyms, external references |\n| 16 | [debugging.md](16-debugging.md) | Debug cookbook: symptom → diagnosis → fix |\n| 17 | [portability.md](17-portability.md) | What transfers to other cams in the OEM family |\n| 18 | 
[aiseebling-investigation.md](18-aiseebling-investigation.md) | OSINT money-trail: identifying the entity behind `payment.aiseebling.com` |\n| — | [ERRATA.md](ERRATA.md) | Log of corrections and claim updates |\n\n## How to update\n\n- **Small corrections**: edit inline, commit with a one-liner message.\n- **New findings**: append to the relevant file; if the finding invalidates\n  an earlier claim, update that claim AND add a `session-log.md` entry with\n  the date and what changed.\n- **New protocols / message types**: add to `wire-format-kalay.md` as its\n  own subsection with the full byte layout.\n- **New scripts**: add an entry to `tooling.md` explaining purpose and usage.\n- **Resolved unknowns**: move the item from `open-questions.md` to the\n  appropriate reference doc, and leave a pointer in session-log.md.\n\n## Conventions\n\n- **Hex bytes** are lowercase with spaces: `f1 20 00 24`.\n- **Port numbers** are decimal unless prefixed with `0x`.\n- **IPs** are written verbatim; if we are referring to a \"real\" public\n  address that’s sensitive, sanitize it to `37.x.x.178` style.\n- **Quoting actual wire data** use triple backticks with language `text`\n  so it doesn’t get mangled.\n- **Demangled C++ names** — prefer the friendly name like\n  `Proto_Send_P2PReq` over the full Itanium mangling.\n- **Offsets into structs** use `[start..end)` half-open notation. Example:\n  `[4..12)` means \"bytes 4, 5, 6, 7, 8, 9, 10, 11\" — 8 bytes total.\n- **Provenance tags** — in reference docs, claims are tagged as\n  _observed_, _disassembled_, _inferred_, or _guessed_. 
See\n  [`04-wire-format-kalay.md`](04-wire-format-kalay.md) for the legend.\n\n_Last updated: 2026-04-15 — Session 6_\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffdb%2Freverse-engineering-ip-camera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffdb%2Freverse-engineering-ip-camera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffdb%2Freverse-engineering-ip-camera/lists"}