
Shenzhen Pinmei / Linklemo A9 Mini Camera with Beken BK7252NQN481 – Photos, Boot Log, Flash Backup

divadiow 6903 110
  • #91 21719419
    Paver3109
    Level 3  
    Additional info on how this camera works and how communication between the servers and the devices is done can be found here: https://fusetim.me/posts/20251005-the-insecurity-camera/
    The encryption of the packets is actually broken, and we could try to recover the camera traffic from there. Unfortunately, the AV packet description has already changed since the last available commit on the PPRPC/core project.

    Added after 18 [minutes]:

    >>21708767
    The recently uploaded XCThings_Linklemo_A9_INO-IPC-V2.3_(BluePCB) firmware contains the exact same "secret" and is likely to use the exact same encryption scheme.
  • #92 21719501
    divadiow
    Level 36  
    very interesting!

    How insecure these cheap cams are became real a few months ago when I went into one of the apps (one of the FTYCamPro, YsxLite types, can't remember which) to find I was viewing someone else's live cam! It was of a bedroom and someone walked past the doorway. Another session and I saw some kitchen cabinets.

    I'm hopeful one day a working alternative firmware can be developed to replace stock entirely.

    On the subject of Linklemo, an interesting device arrived today with a BK7252UQN48 inside. I imagine it'll be a similar story to the other XCThings based cams.

    Mini WiFi camera, USB cable, and packaging with device illustration
    Disassembled small camera interior with circuit board and microSD slot
    Close-up of circuit board with BEKEN BK7252 chip and small microphone component

    Added after 17 [minutes]:

    all dumps containing 'xcthings'

    List of BIN files and folders related to BK7252N and A13 devices
  • #93 21720023
    Laloshifrin
    Level 9  
    >>21719419 Very interesting. Ghidra can't reliably analyze my firmware (or maybe it's me that's unable) but my firmware (on INO-A10N-V2.3) has that "secret" too. The article was written yesterday! Is it you fusetim?
  • #94 21720517
    Paver3109
    Level 3  
    divadiow wrote:
    all dumps containing 'xcthings'

    Just looked for the "shared secret" found in the `INO-IPC-A9-V2.4` in those firmware dumps, it appears that:
    - `Cam_INO-A13N-V2.2_readResult_BK7252N_QIO_7252n_square_2025-28-9-17-39-25.bin`
    - `Cam_readResult_BK7252N_QIO_7252n_2025-28-9-17-10-56.bin`
    - `INO-A13-48B-V1.0.AK02_MiniCam_XT25F16B/raw_bk7252QFN48.bin` -> definitely using the same encryption scheme (verified using ghidra)
    all contain the same secret A2r0...

    This is not the case for:
    - `Naxclow_MiniCam_A11-A9_B-V2.7_240426.bin`
    - `BK7252-A9-20211124.bin`
    - `INO-A13-48B-V1.0.AK02_MiniCam_XT25F16B/A13_WiFi_Camera_Firmware.bin`

    Laloshifrin wrote:
    Very interesting. Ghidra can't reliably analyze my firmware (or maybe it's me that's unable) but my firmware (on INO-A10N-V2.3) has that "secret" too.

    Is that firmware dump available somewhere? I could take a look at it. Otherwise, did you select the correct binary architecture in Ghidra? For those cameras, the firmware is made for ARMv5T Little Endian (make sure the endianness is correct).

    * * *

    Also, tools are available here if anyone wants to test decryption on his/her own camera: https://github.com/fusetim/insecurity-camera-tools
  • #95 21720655
    Laloshifrin
    Level 9  
    I'm really unprepared for this purpose though I'm trying to learn something. Thanks for the hint, I was using big endian.
    Actually I didn't find the secret. I only found this text: "%s,ID:%d-SEQ:%d-RPC:%d" but it's not inside any function, nor can Ghidra find any referencing function. ☹️
  • #96 21720745
    divadiow
    Level 36  
    >>21635815

    would you be willing to share the factory firmware backup of your INO-A10N-V2.3? I can flash, reset, join to test AP, reset, backup if you're worried about it containing credentials. PM it me if this is the case?
  • #97 21720897
    Laloshifrin
    Level 9  
    I backed up after using the camera, and I noticed at least my wifi credentials in cleartext inside the backup (I can remove them) but I'm afraid there's something else... :(
  • #98 21720900
    divadiow
    Level 36  
    OK. I've ordered one from the Ali link you posted. Maybe I'll get the same.
  • #99 21720914
    Laloshifrin
    Level 9  
    What credentials could be inside backup? Linklemo account? Could it be a risk exposing device ID?
  • #100 21721247
    divadiow
    Level 36  
    not sure to be honest. depends if linklemo was signed into, if even an option, I don't recall. I guess deviceID would be unique (or should be), but then maybe that's only useful if you can associate that with other records internally to whoever manages the cloud for these devices
  • #101 21721441
    Laloshifrin
    Level 9  
    It seems that all sensitive data ("MAC_ADDR", "PRODUCT_KEY", "PRODUCT_SECRET", "DEVICE_NAME", "DEVICE_SECRET" and wifi credentials) is after 0x001E1000. ASAP I'll remove or alter it and post the firmware. Just to point out... those partitions don't have CRC. I suppose the file won't work if flashed but it can be studied.
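
An added example, not code from the thread or its participants: one way to blank the region described in the post above before sharing a backup, and then check that known personal values do not survive elsewhere in the image. The 0x001E1000 offset and the label names come from the post; the function names, the 0xFF fill and the sample image are assumptions constructed here.

```python
CONFIG_START = 0x001E1000  # offset reported in the thread; confirm it on your own dump
LABELS = [b"MAC_ADDR", b"PRODUCT_KEY", b"PRODUCT_SECRET", b"DEVICE_NAME", b"DEVICE_SECRET"]


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def audit(dump: bytes, own_values: list[bytes]) -> dict[str, list[int]]:
    """Map each config label or personal value found in dump to its offsets."""
    report = {}
    for needle in LABELS + own_values:
        hits = find_all(dump, needle)
        if hits:
            report[needle.decode("latin-1")] = hits
    return report


def redact(dump: bytes, start: int = CONFIG_START) -> bytes:
    """Overwrite everything from start onward with 0xFF (assumed fill: erased flash)."""
    if start >= len(dump):
        raise ValueError("dump is shorter than the config offset")
    return dump[:start] + b"\xff" * (len(dump) - start)


def prepare_for_sharing(dump: bytes, own_values: list[bytes]):
    """Return (redacted image, residual report); a non-empty report means do not share yet."""
    cleaned = redact(dump)
    return cleaned, audit(cleaned, own_values)


def constructed_dump() -> bytes:
    """Constructed 2 MiB sample image, not a real backup."""
    img = bytearray(b"\xff" * 0x200000)
    for off, blob in [(0x1E1000, b"DEVICE_SECRET\x00constructed-secret"),
                      (0x1E2000, b"HomeWifi\x00example-passphrase"),
                      (0x0F0000, b"example-passphrase")]:  # stray copy outside the region
        img[off:off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    cleaned, residual = prepare_for_sharing(constructed_dump(), [b"HomeWifi", b"example-passphrase"])
    print({k: [hex(o) for o in v] for k, v in residual.items()})
```

Pass your own SSID, passphrase and account values as `own_values`; any residual hit lies outside the blanked region and has to be dealt with by hand before the file is posted.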
  • #102 21721539
    divadiow
    Level 36  
    @Paver3109
    divadiow wrote:
    On the subject of Linklemo, An interesting device arrived today with a BK7252UQN48 inside. I imagine it'll be a similar story to the other XCThings based cams


    dumps below posted for something unrelated. I'll make a thread dedicated to device at some point with pics and boot log

    https://www.elektroda.com/rtvforum/viewtopic.php?p=21721526#21721526

    all in zip identical apart from readResult_BK7252_UA_2025-15-10-20-04-35.bin which should be ignored
  • #105 21723242
    Paver3109
    Level 3  
    >>21721547 Your device, INO-A10N-V2.3, uses the same secret and encryption scheme.
  • #106 21723294
    Laloshifrin
    Level 9  
    Can you share a ghidra screenshot regarding the implied function(s)? I can't find it :(. I use Ghidra 11.4.1 and Java 21.0.8 but there's no referencing function to this text "%s,ID:%d-SEQ:%d-RPC:%d" actually found.
  • #107 21724228
    Paver3109
    Level 3  
    >>21723294
    Sure, here you go! I'm using Ghidra 11.0.3.
    Screenshot of binary analysis software showing assembly code and string references.
    Screenshot of Ghidra reverse engineering tool showing assembly code and decompiled C code
    IDA Pro interface showing ARM disassembly, decompiled C code, and symbol tree.
  • #108 21724462
    Laloshifrin
    Level 9  
    Great! Thanks a lot! My problem was I was using ltchiptool to decrc but it didn't work correctly when it reached partitions without CRC. Using uncrc.py works better and now there's the referencing function and my Ghidra listing and decompile are the same as yours. Secret key is there! :). Now I'll take a ride on github.com/fusetim/insecurity-camera-tools and try to decrypt some packets I captured. Thanks again!!! :)
    PS
    Are you fusetim?
  • #109 21725471
    Laloshifrin
    Level 9  
    Quite impressive!!! Had to trim python code a little bit but it works like a charm. Had confirmation that 2610 RPC command is VideoPlay. Would be great if could also decrypt stream packets... ...I'll keep on playing... :)
  • #111 21729829
    Laloshifrin
    Level 9  
    Found stupid telnet password but it was disappointing that though at connection a welcome banner says "CLI" it's not a cli at all. :(
    It only scrolls data similar (but less) to the ones of uart. Some kind of useless log. I'll keep on searching and posting. :(
    Also noticed that trying to enter a password longer than 180 characters causes a stack overflow with subsequent reboot.

Topic summary

The discussion focuses on the Shenzhen Pinmei / Linklemo A9 Mini Wi-Fi Camera featuring the Beken BK7252NQN481 chipset. This budget smart camera, often sold for around $1 USD, is marketed with exaggerated claims such as 4K resolution and advanced AI features. Technical analysis reveals the device uses a BK7252N chip, with bootloader and firmware characteristics similar to BK7231 series but distinct in memory mapping and encryption behavior. The camera sensor identified is the GC0329C (GalaxyCore 0.3MP, 640x480@15fps). Firmware dumping and boot log extraction have been performed via serial pads and SPI interfaces, with attempts to flash BK7238 binaries unsuccessful. The device broadcasts an access point (SSID: LLM_H0A9_xxxxxx) with default key, assigning IP 192.168.9.252, exposing several open TCP/UDP ports. Local video stream access is possible without firmware modification, but pairing requires cloud interaction via the Linklemo app, which demands registration and communicates with external servers. Efforts to bypass cloud dependency have been limited by pairing timeouts and app restrictions. OpenBK7231T firmware support for BK7252N is in development, with recent successful OTA flashing and boot logs indicating stable operation. Memory management issues such as realloc instability on BK7252N are under investigation. The community is exploring creating development boards from these cameras and expanding device support tags for better cataloging. Overall, the device is a low-cost, partially hackable smart camera with limited local control and ongoing firmware development efforts.
Summary generated by the language model.