News:

Re-organized the forum to more cleanly delineate the development section, as the end user support side appears to have taken a life of its own!

Author Topic: Hacking SRICam Password PRINT PASSWORD TO SCREEN  (Read 17046 times)

  • No avatar
  • *
June 29, 2015, 08:44:16 am
Hello everyone.....

I have figured out how to get the password from the SRICAM in about 5 minutes..... It is quick and easy.  I will help anyone if you want to know.  I have a SRICAM that I worked on for about 5-6 hrs and was amazed how easy it really was. 

After you telnet in

Go to system/init

You will see a file ipcam.sh

if you run this file ./ipcam.sh  it will print some output on the screen but will reboot after it hits the wirless parat and disconnect.

Example:



Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

(none) login: root
Password:


BusyBox v1.12.1 (2013-03-02 13:26:40 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.


# ls
var     tmp     sys     proc    mnt     lib     home    etc     bin
usr     system  sbin    param   media   init    etc_ro  dev
# cd /system/init/
# ls
ipcam.sh
# ./ipcam.sh
# Watchdog device not enabled.
 InitSystemParam 0
=========================read system param from file==================================
mac:00:B6:B6:14:06:C7 30
wifimac:00:B6:B6:14:06:C8 30
wifimac:00:B6:B6:14:06:C8
zqh socket fd=3
bind failuredie param ppid 3285
zqh socket fd=3
bind failuredie param ppid 3287
daemon:===== wifi.c, line 71, WifiConfig():     SSID=ChinaNet
daemon:===== wifi.c, line 347, WifiDriversInit():       insmod From kernal
insmod: cannot insert '/lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_sta/rt2860v2_sta.ko': Success
daemon:===== wifi.c, line 355, WifiDriversInit():       [insmod /lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_sta/rt2860v2_sta.ko mac=00:B6:B6:14:06:C8] OK
EthMacInit2
ifconfig: SIOCSIFHWADDR: Device or resource busy
EthMacInit3
EthMacInit4
brctl: bridge br0: File exists
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
EthMacInit5
EthMacInit5
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
eth is start
=====InitNetDrivers=======
======dns failed===========:
pid 3274
NetThreadProc


_______________________________________________________


However if you ...... at root just type /system/init/ipcam.sh

it will dump the password to the screen.
Example:


Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

(none) login: root
Password:


BusyBox v1.12.1 (2013-03-02 13:26:40 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
var     tmp     sys     proc    mnt     lib     home    etc     bin
usr     system  sbin    param   media   init    etc_ro  dev
# /system/init/ipcam.sh
# Watchdog device not enabled.
zqh socket fd=3
zqh socket fd=3
 InitSystemParam 0
=========================read system param from file==================================
mac:00:B6:B6:14:06:C7 30
wifimac:00:B6:B6:14:06:C8 30
wifimac:00:B6:B6:14:06:C8
bind failuredie param ppid 276
bind failuredie param ppid 279
daemon:===== wifi.c, line 71, WifiConfig():     SSID=ChinaNet
daemon:===== wifi.c, line 347, WifiDriversInit():       insmod From kernal
insmod: cannot insert '/lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_sta/rt2860v2_sta.ko': Success
daemon:===== wifi.c, line 355, WifiDriversInit():       [insmod /lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_sta/rt2860v2_sta.ko mac=00:B6:B6:14:06:C8] OK
EthMacInit2
ifconfig: SIOCSIFHWADDR: Device or resource busy
EthMacInit3
EthMacInit4
brctl: bridge br0: File exists
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
EthMacInit5
EthMacInit5
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
eth is start
=====InitNetDrivers=======
======dns failed===========:
pid 270
NetThreadProc
Error: Watchdog device not enabled.
netstatsem post
Daemon...=======network change=======
Daemon...netok -1 link 2
net is work on eth
enter ethernet  dhcp mode
EthStart1
route: ioctl 0x890c failed: No such process
EthStart2
EthStart3
EthStart4
route: ioctl 0x890b failed: File exists
EthStart5
Error: Watchdog device not enabled.
netstatsem post end
start app update thread
start sys update thread
zqh socket fd=6
bind failured=======mac=======
00-b6-b6-14-06-c7-
ipc param ppid 273
update socket init
update  socket is failed
update Socket proc is start
=========================read alarm param=========================(1)
==== sysparam.c      , line  530, InitSystemParam         :read system.ini
user1: , pwd1:
user2: , pwd2:
user3: someusernam, pwd3: Atwwmfjn114
zqh socket fd=3
bind failuredzqh socket fd=3
bind failuredzqh socket fd=3
bind failuredzqh socket fd=3
bind failuredzqh socket fd=3
bind failuredmac:00:B6:B6:14:06:C7 30
wifimac:00:B6:B6:14:06:C8 30
wifimac:00:B6:B6:14:06:C8
sys_ver 1a040087
write date ok
curtime 1435952427
audiofd failed
ie param ppid 362
ie param ppid 362
==== encrypt.c       , line  809, CheckAudioChip          :iRet=0, rdat=0xfd
==== encrypt.c       , line  839, CheckAudioChip          :=============Audio Chip Check FAILED!!!!!!!
=======mac=======
00-b6-b6-14-06-c7-
audio capture:368
============autio init=========
==== stream.c        , line  564, VideoEnable             :---VideoEnable(bysize=0)---Initing...
Ethnet Dhcp
udhcpc (v1.12.1) started
Sending select for 192.168.1.151...
Lease of 192.168.1.151 obtained, lease time 86400
deleting routers
route: ioctl 0x890c failed: No such process
adding dns 192.168.1.1
Unable to set format: Device or resource busy.
init thread ok
capture video:399
Socket proc is start pid=403
send live jpeg:404
send live jpeg:405
send live jpeg:406
send live jpeg:407
send video jpeg:408
send video jpeg:409
send video jpeg:410
send video jpeg:411
send live audio:412
send live audio:413
send live audio:414
send live audio:415
AudioPlayProc:416
send record file:417
send record file:418
send record file:419
send record file:420
iRet 0 upnp:/system/system/bin/upnpc-static -a 192.168.1.151 81 81 TCP
iRet 0
start gpio check
start motion check
start alarm proc
==== dns.c           , line  179, DnsSendAlarmProc        :start alarm to DNS server...

=============Error grabbing=-3, nCount = 1
web pid:435
init thread ok
========ipaddr 192.168.1.151===========
========port 81===========
FrameRate proc:436
p2p init proc
P2P cmd thread is start...
P2P media thread is start...
P2P play thread is start...
P2P media thread is start...
==== moto-new.c      , line 5381, InitMoto                :Init, alarminhappen = 1
==== moto-new.c      , line 1945, ReadVertSteps           :Read maxverttime = 180
==== moto-new.c      , line 1999, GetVertTime             :get vertime 78

==== moto-new.c      , line 5604, MotoThreadStart         :=========Start, verttime = 78, maxverttime=180======
==== moto-new.c      , line 1636, ReadLevelSteps          :Read maxleveltime = 1710
==== moto-new.c      , line 1663, GetLevelTime            :get levelime 900

P2P cmd thread is start...
[ error: /mnt/hgfs/vm_share-2/svn-down/app-jpg_V2.0/func/lens_moto.c, 1468]=>   !!! ERROR : GetLensMotoSitStoreInfo !!!

dhcp is start...=0
daemon:===== network.c, line 601, DhcpStart():  Set DNS 1 and 2 to NULL
daemon:===== network.c, line 627, DhcpStart():  2 = []
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[0] = 1
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[1] = 9
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[2] = 2
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[3] = .
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[4] = 1
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[5] = 6
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[6] = 8
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[7] = .
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[8] = 1
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[9] = .
daemon:===== network.c, line 632, DhcpStart():  Change DNS2[10] = 1
daemon:===== network.c, line 660, DhcpStart():  1 = []
daemon:===== network.c, line 661, DhcpStart():  2 = [192.168.1.1]
run route by zqh
==== network.c       , line 3436, Networkhread            :Create Thread WfiCheckProc
==== network.c       , line 3342, WfiCheckProc            :===wifi check status===
==== capture.c       , line  370, SetBrightness           :size iRet=0, value=31
==== capture.c       , line  393, SetContrast             :size iRet=0 value=16
sat1
sat2
==== video.c         , line  994, VideoParamInit          :--------------VideoParamInit----------
set mirr flip=4
==== video.c         , line 1122, VideoParamInit          :set mirr flip, Param = 4, Saturation = 4

=============Error grabbing=-3, nCount = 2
[Biz_API.cpp ?? 2728 ?? ]; pkt_recvTh start!!
[Biz_API.cpp ?? 2741 ?? ]; pkt_recvTh start sucessfully!!
[Biz_API.cpp ?? 2751 ?? ]; sendThread start!!!
[Biz_API.cpp ?? 2764 ?? ]; sendThread create success!!!
[Biz_API.cpp ?? 2774 ?? ]; timerThread start!!!
[Biz_API.cpp ?? 2787 ?? ]; timerThread create success!!!
sat1
sat2
write -1
==== main.c          , line  300, main                    :SystemVerion==================[ 26.4.0.135 ]==============
write -1
==== encrypt.c       , line 1188, CheckEncryptProc        :start CheckEncryptProc !!!
==== encrypt.c       , line 1192, CheckEncryptProc        :CheckEncrypt now
==== encrypt.c       , line 1197, CheckEncryptProc        :CheckEncrypt ok
=============Error grabbing=-3, nCount = 3
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 4
gate way:0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

======dns failed===========:
--------------SaveSystemParam----------
bparam.stNetParam.szIpAddr = 192.168.1.151
link:2 status:2
=============Error grabbing=-3, nCount = 5
==== dns.c           , line 1203, FactoryRegisterProc     :Start FactoryRegisterProc
========version:1010907===========
========DeviceID:MEYE-131828-ECFDE=========
=============Error grabbing=-3, nCount = 6
==== moto-new.c      , line 5498, MotoCentProc            :=====moto is start=====

==== moto-new.c      , line 5499, MotoCentProc            :moto start, read moto sit
==== moto-new.c      , line 5500, MotoCentProc            :presend = 0, speed = 10
==== moto-new.c      , line 5507, MotoCentProc            :Set Moto to Center-----
==== moto-new.c      , line 4557, SendMotoCmd             :Motocmd=0
start run ddns
timer sd start is start...600
=============Error grabbing=-3, nCount = 7
=============Error grabbing=-3, nCount = 8
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 9
=============Error grabbing=-3, nCount = 10
iRet 0
bFlagInternet 1
bFlagHostResolved 1
bFlagServerHello 1
NAT_Type 1
PPPP_Share_Bandwidth(1) iRet 0
P2P init =1
def key proc
=============Error grabbing=-3, nCount = 11
==== ntp.c           , line   86, get_udp_arrival_local_timestamp:local time=>Fri Jul  3 19:41:18 2015


==== ntp.c           , line  118, get_new_time            :server time=>Fri Jul  3 19:42:42 2015


==== ntp.c           , line  137, set_local_time          :Set NEW Time
C'write date ok
externwifistatus=1
=============Error grabbing=-3, nCount = 12
=============Error grabbing=-3, nCount = 13
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 14
=============Error grabbing=-3, nCount = 15
=============Error grabbing=-3, nCount = 16
=============Error grabbing=-3, nCount = 17
=============Error grabbing=-3, nCount = 18
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 19
=============Error grabbing=-3, nCount = 20
=============Error grabbing=-3, nCount = 21
=============Error grabbing=-3, nCount = 22
=============Error grabbing=-3, nCount = 23
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 24
=============Error grabbing=-3, nCount = 25
=============Error grabbing=-3, nCount = 26
=============Error grabbing=-3, nCount = 27
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 28
=============Error grabbing=-3, nCount = 29
=============Error grabbing=-3, nCount = 30
=============Error grabbing=-3, nCount = 31
=============Error grabbing=-3, nCount = 32
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 33
=============Error grabbing=-3, nCount = 34
=============Error grabbing=-3, nCount = 35
=============Error grabbing=-3, nCount = 36
=============Error grabbing=-3, nCount = 37
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 38
=============Error grabbing=-3, nCount = 39
=============Error grabbing=-3, nCount = 40
=============Error grabbing=-3, nCount = 41
=============Error grabbing=-3, nCount = 42
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 43
=============Error grabbing=-3, nCount = 44
=============Error grabbing=-3, nCount = 45
==== moto-new.c      , line 3633, MotoCenter              :------verttime = 0
=============Error grabbing=-3, nCount = 46
=============Error grabbing=-3, nCount = 47
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 48
=============Error grabbing=-3, nCount = 49
==== moto-new.c      , line 3669, MotoCenter              :==========Will Center, verttime = 180
dircnt 72 verttime 180
=============Error grabbing=-3, nCount = 50
=============Error grabbing=-3, nCount = 51
=============Error grabbing=-3, nCount = 52
Error: Watchdog device not enabled.
===onstart===1
=============Error grabbing=-3, nCount = 53
on start = 15
on start 15
==== moto-new.c      , line 4719, SendMotoCmd             :Get Position Index = 14, Level = 855, Vert = 72
[ error: /mnt/hgfs/vm_share-2/svn-down/app-jpg_V2.0/func/lens_moto.c, 1679]=>call the preset is NULL
=============Error grabbing=-3, nCount = 54
=============Error grabbing=-3, nCount = 55
=============Error grabbing=-3, nCount = 56
Error: Watchdog device not enabled.
=============Error grabbing=-3, nCount = 57
Connection closed by foreign host.
« Last Edit: July 03, 2015, 03:52:49 pm by keyplaya88 »