Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - sudoninjas

Pages: [1]
Hacking & Modding / Re: Telnet password and username for IPC
« on: May 18, 2014, 09:31:32 pm »
I took a couple pictures and labeled the serial connection on mine.  Turns out it's much more different than I first thought.  But I hope some of this info at least adds to the pool of knowledge on these cameras.

Hacking & Modding / Re: Telnet password and username for IPC
« on: May 18, 2014, 08:35:56 pm »
I have a similar one, but the board layout is different. Just by looking at your board, the likely candidates for the serial are either the 2 or 3 pad groupings next to the Hi3518 IC.

If it's the 2 pad pair, you can pull GND from one of the holes for the standoffs.
Mine had a 3pad grouping close to the edge of the board.

I've only made slight progress. (dumped flash, extracted the firmware's fs partitions, and mounted the on a linux box)
I've also been trying to get the telnet password, but so far I've come to the conclusion that the password has to be reset in the firmware and re-flashed onto the camera.  I haven't gotten that far yet.  But I was able to view the /etc/passwd & /etc/passwd- files and here's what they have  (I've tried some rainbowtables with no luck).

Code: [Select]
Code: [Select]
For mine re-flashing  to get telnet looks to be the only option for terminal access.  Because the serial connection stops after the kernel is loaded.  Which makes me think that either the kernel wasn't compile with tty support - or something is missing in the config.

Here's what I get during boot:
Code: [Select]
U-Boot 2010.06 (Jun 26 2013 - 09:59:34)

DRAM:  256 MiB
Check spi flash controller v350... Found
Spi(cs1) ID: 0xEF 0x40 0x17 0x00 0x00 0x00
Spi(cs1): Block:64KB Chip:8MB Name:"W25Q64FV"
MMC:   MMC FLASH INIT: No card on slot!
envcrc 0xcbb66e64
ENV_SIZE = 0xfffc
In:    serial
Out:   serial
Err:   serial
Press Ctrl+C to stop autoboot
8192 KiB hi_sfc at 0:0 is now current device

### boot load complete: 2382412 bytes loaded to 0x82000000
### SAVE TO 80008000 !
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   linux
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2382348 Bytes = 2.3 MiB
   Load Address: 80008000
   Entry Point:  80008000

   Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

Pages: [1]