
Author Topic: FI9820 Enable telnet.

October 16, 2012, 02:01:38 pm
Hello,

I found a way to get telnet access to the FOSCAM FI9820 by exploiting the backup restore function.
It's pretty simple and it helped me to dump the firmware and start my investigations on this nice product (for the firmware/code quality it's another story, quality is not the right word ...).

You just have to unzip the files and load the desired one via the backup restore function in the web interface.
If you want to verify the file before importing it to your IP Cam just rename the .bin file to .tar.gz and inspect the two files.

File : /etc/boottab


I just uncommented the lines below to avoid starting all the stuff each time you open a session.

----------------------------------------------
# count boottab processes; the grep and the running pipeline match too,
# so a value above 3 means a previous boottab is already running
bootflag="`ps | grep boottab | wc -l`"
if [ $bootflag -gt 3 ]
then
   echo "boottab has been start!"
   exit 1
fi
----------------------------------------------

File : /etc/init.d/S99telnet

It's just a starting script for the telnet service.

----------------------------------------------
#!/bin/sh

#telnet
# start the BusyBox telnet daemon in the background
telnetd&
----------------------------------------------

Attached to this post are the two backups that enable and disable telnet access. They apply only to this firmware: V3.2.6.1.1-20120807 (actually the latest one).

There is no password for the root account, it's horrible and that's why I made a backup to disable telnet when you want to secure the access. Don't change the ROOT password as /etc/profile loads all the modules and needed stuff to run the camera. If you put a password you will break all their horrible starting scripts ....

I just made a dump of the 16MB flash. It's composed of 3 parts (based on 128KB blocks).
  • /dev/mtdblock0 (2MB) contains U-Boot in its first Meg and the kernel at address 0x100000 up to the end of the file (1 more Meg).
  • /dev/mtdblock1 13MB contains the ROOT File System JFFS2
  • /dev/mtdblock2 1MB contains the /mnt File System JFFS2 - All config files you get when you do a backup via the web interface

Have fun with the telnet access and share your investigations with all of us ;).

Regards,
MiNuS
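The post above says to rename a backup .bin to .tar.gz and inspect it before importing it, because the restore function writes whatever the archive contains, including files outside /mnt such as /etc/boottab or a new /etc/init.d script. Here is an added Python script (not part of the post, and not Foscam's code) that automates that inspection: it lists the members of a backup archive and classifies each one as a plain /mnt config file, a startup-affecting file, a path-traversal entry, or something else, so you can tell a genuine config backup from one that changes boot behaviour. It assumes the .bin is a gzip (or plain) tar and that member paths are relative like "mnt/..." or "etc/..."; the two sample archives are constructed in memory for the demonstration.

```python
import io
import posixpath
import tarfile

# Assumption (from the post): the web-interface backup holds the /mnt config
# filesystem, so a plain config backup only contains paths under mnt/.
CONFIG_PREFIXES = ("mnt/",)

# Files that change what runs at boot or at login on this firmware
# (boottab and S99telnet are the two files the post adds; the rest are
# common init locations added here as an assumption).
STARTUP_EXACT = {"etc/boottab", "etc/profile", "etc/inittab"}
STARTUP_PREFIXES = ("etc/init.d/",)


def normalize(name):
    """Collapse './' and a leading '/' so members compare consistently."""
    return posixpath.normpath(name).lstrip("/")


def classify(name):
    """Return 'traversal', 'startup', 'config' or 'other' for one member path."""
    n = normalize(name)
    if n == ".." or n.startswith("../"):
        return "traversal"
    if n in STARTUP_EXACT or n.startswith(STARTUP_PREFIXES):
        return "startup"
    if n.startswith(CONFIG_PREFIXES):
        return "config"
    return "other"


def list_members(blob):
    """Return (path, size) for every regular file in a tar/tar.gz backup blob."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]


def audit_backup(blob):
    """Map each member path of the backup to its classification."""
    return {name: classify(name) for name, _size in list_members(blob)}


def is_plain_config(findings):
    """True when every member is an ordinary /mnt config file."""
    return bool(findings) and all(c == "config" for c in findings.values())


def build_sample_backup(files):
    """Constructed test data: build an in-memory .tar.gz from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: one shaped like the telnet-enabling backup from the
# post, one shaped like an ordinary config backup.
TELNET_ENABLE_SAMPLE = build_sample_backup({
    "etc/boottab": b"#!/bin/sh\n# constructed stand-in for the modified boottab\n",
    "etc/init.d/S99telnet": b"#!/bin/sh\n\n#telnet\ntelnetd&\n",
})
PLAIN_CONFIG_SAMPLE = build_sample_backup({
    "mnt/config.ini": b"# constructed config contents\n",
})


def report(blob):
    """Print the audit for a backup blob; returns the findings for reuse."""
    findings = audit_backup(blob)
    for path, category in findings.items():
        print(f"{category:9s} {path}")
    print("plain config backup:", is_plain_config(findings))
    return findings


if __name__ == "__main__":
    print("-- telnet-enabling sample --")
    report(TELNET_ENABLE_SAMPLE)
    print("-- plain config sample --")
    report(PLAIN_CONFIG_SAMPLE)
```

To check a real backup, read the .bin into a bytes object and pass it to `report()`; the file does not need to be renamed, since `mode="r:*"` lets tarfile detect the compression itself. Anything reported as "startup" or "traversal" means the restore would do more than put config files back.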
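The post also gives the layout of the 16MB flash dump: three partitions on 128KB erase-block boundaries, with the kernel at 0x100000 inside mtdblock0 and JFFS2 root and /mnt filesystems in the other two. The following added Python script (not from the post or from Foscam) carves such a dump into the three partitions using exactly those offsets and sanity-checks them. It assumes, beyond what the post states, that the kernel is a U-Boot legacy uImage (magic 0x27051956, 64-byte big-endian header) and that the JFFS2 images were written little-endian (node magic 0x1985 stored as 85 19); the 16MB sample dump is constructed in memory with just those markers in place.

```python
import struct

KB = 1024
MB = 1024 * KB
FLASH_SIZE = 16 * MB
ERASE_BLOCK = 128 * KB       # the post: layout is based on 128KB blocks
KERNEL_OFFSET = 0x100000     # the post: kernel starts 1 Meg into mtdblock0

# Partition layout from the post: (name, offset, length).
PARTITIONS = (
    ("mtdblock0", 0 * MB, 2 * MB),    # U-Boot + kernel
    ("mtdblock1", 2 * MB, 13 * MB),   # root filesystem, JFFS2
    ("mtdblock2", 15 * MB, 1 * MB),   # /mnt config filesystem, JFFS2
)

# Assumptions, not stated in the post.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"   # U-Boot legacy image header magic
JFFS2_MAGIC_LE = b"\x85\x19"         # JFFS2 node magic 0x1985, little-endian


def carve(dump):
    """Split a full flash dump into {partition name: bytes} per PARTITIONS."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected a {FLASH_SIZE}-byte dump, got {len(dump)}")
    return {name: dump[off:off + length] for name, off, length in PARTITIONS}


def uimage_header(kernel):
    """Parse the 64-byte legacy uImage header (field order per U-Boot image.h)."""
    fields = struct.unpack(">7I4B32s", kernel[:64])
    magic, hcrc, time, size, load, ep, dcrc, os_, arch, typ, comp, name = fields
    if magic != int.from_bytes(UIMAGE_MAGIC, "big"):
        raise ValueError("no uImage magic at kernel offset")
    return {
        "size": size,            # payload size following the header
        "load": load,            # load address
        "entry": ep,             # entry point
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
    }


def check_layout(dump):
    """Return named sanity checks over the carved partitions."""
    parts = carve(dump)
    kernel = parts["mtdblock0"][KERNEL_OFFSET:]
    return {
        "blocks_aligned": all(off % ERASE_BLOCK == 0 and length % ERASE_BLOCK == 0
                              for _, off, length in PARTITIONS),
        "kernel_uimage": kernel[:4] == UIMAGE_MAGIC,
        "rootfs_jffs2": parts["mtdblock1"][:2] == JFFS2_MAGIC_LE,
        "config_jffs2": parts["mtdblock2"][:2] == JFFS2_MAGIC_LE,
    }


def build_sample_dump():
    """Constructed 16MB dump carrying only the markers the checks look for."""
    dump = bytearray(FLASH_SIZE)
    # uImage header: os 5 = Linux, arch 2 = ARM, type 2 = kernel, comp 1 = gzip
    header = struct.pack(">7I4B32s", 0x27051956, 0, 0, 0x80000, 0x80008000,
                         0x80008000, 0, 5, 2, 2, 1, b"Linux (constructed)")
    dump[KERNEL_OFFSET:KERNEL_OFFSET + 64] = header
    for name, off, _length in PARTITIONS:
        if name != "mtdblock0":
            dump[off:off + 2] = JFFS2_MAGIC_LE
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample_dump()
    for check, ok in check_layout(sample).items():
        print(f"{check:15s} {'ok' if ok else 'FAIL'}")
    hdr = uimage_header(carve(sample)["mtdblock0"][KERNEL_OFFSET:])
    print("kernel image:", hdr["name"], "size", hex(hdr["size"]))
```

On a real dump, write each value of `carve()` to its own file; the JFFS2 partitions can then be mounted or unpacked on a Linux box, which is also how the post suggests comparing the files a backup overwrites against the original firmware.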

October 16, 2012, 08:03:15 pm
Wow, is all I can say. Speechless. I assume enabling FTP would be equally as easy, from reviewing your methods?

Not sure if you know about a current exploit out with these Hi35xx cameras, many different brands and models.

More here about that: http://www.openipcam.com/forum/index.php/topic,413.0.html

If someone were to install this using that exploit, it would be BAD news. Worse, if someone could do that and somehow manage to make it survive new firmware upgrades, it would be even worse news. I do understand the remote access limitations involved, even if this were to take place, and that generally it would be confined to local network access and not remote WAN access without specific port forwarding of any Telnet port also being required to take place.

That said, great and excellent job for personal use, using your own cameras. I know that an abuse like the above is or never has been your intent.

Questions. You say it works with the latest version of firmware ("Only").

I assume if you build any .tar.gz rename it to .bin and use the restore function, using the same methods, that this will work and replace any files you include in the folders you include and leave the other files in those folder, already in the camera, as is?

Say with custom UI changes. Personally, I cannot see why it would not.

Am I wrong about this?

Also, that your current files here can and could be used with older versions of firmware as they are today, as well. Am I missing something? I don't see why this would not be the case?

Don
« Last Edit: October 16, 2012, 10:35:05 pm by TheUberOverLord »

October 17, 2012, 04:06:57 am
Wow, is all I can say. Speechless. I assume enabling FTP would be equally as easy, from reviewing your methods?

Yes, FTP can be easily enabled with a simple cross compilation.
I would recommend you to compile an SSH server (for console and file transfer) instead of installing an FTP server.
One more thing, the kernel has NFS modules enabled, so if you want to mount another volume to transfer files you can use NFS.

Not sure if you know about a current exploit out with these Hi35xx cameras, many different brands and models.

Yes, I know it and that's why I took a look at my CAM in order to see what's inside the firmware.
And I discovered horrible scripts and programs.

I know that an abuse like the above is or never has been your intent.

Yes, it was initially just for me to check the system of my CAM and I just shared it with all of you.

I assume if you build any .tar.gz rename it to .bin and use the restore function, using the same methods, that this will work and replace any files you include in the folders you include and leave the other files in those folder, already in the camera, as is?

Yes, I just added a couple of files to the camera without touching the other files.
The script overwrites /etc/boottab, so that's why I recommend using a specific firmware. I don't know if this file is the same on the other firmwares.

Also, that your current files here can and could be used with older versions of firmware as they are today, as well. Am I missing something? I don't see why this would not be the case?

If you have the original firmware, mount it in RAM on a Linux box and check if the files I'm overwriting are exactly the same. If not, it will not work and will probably break your camera (you can still recover with U-Boot but you need to open the camera and connect an RS232-3.3V cable).

MiNuS
« Last Edit: October 17, 2012, 06:11:44 am by MiNuS »

October 17, 2012, 06:19:46 am
I'm dreaming of an OpenWRT distribution on my camera. There are a lot of available packages to do whatever you want and a very active team to maintain the distribution.

The first missing thing to generate a new firmware is the kernel patch for this CPU. The second thing is the source code and documentation on the PTZ and video chip functionalities. If someone has information on how PTZ and the video stream work I'm interested in it (maybe there is a post on that in the forum but I didn't find it).

MiNuS

October 24, 2012, 09:42:37 pm
Hello,

I found a way to get telnet access to the FOSCAM FI9820 by exploiting the backup restore function.
It's pretty simple and it helped me to dump the firmware and start my investigations on this nice product (for the firmware/code quality it's another story, quality is not the right word ...).


Thanks MiNuS for that one. I still haven't tried it, but I will try with my FI9820W with the latest firmware installed.

I have 2 problems with this cam I suppose I can fix through telnet:

1) when it sends e-mail, it uses the wrong mime-type (application/octet-stream) instead of image/jpeg. If they use a script to send the e-mail, maybe it's easy to fix that.

2) when it records lots of videos in the SD card, I get:

500 Internal Error
There was an unusual problem serving the requested URL '/sd/'.
thttpd/2.25b 29dec2003

So I have to click on unplug SD and reboot, so I can access the sd card again...

Of course through telnet (or even ssh as you suggested) it would be much easier than use the ugly web interface.


October 24, 2012, 10:01:39 pm
Ok, I already tested it here and it worked perfectly. Thanks MiNuS:

Connected to foscam.
Escape character is '^]'.
hisilicon login: root
Password:


BusyBox v1.1.2 (2009.04.24-06:05+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Welcome to HiLinux.
boottab has been start!
-sh: nfsroot: not found
~ $

Now I'll play a bit more ;)

November 27, 2012, 09:09:58 pm
Hello,

I found a way to get telnet access to the FOSCAM FI9820 by exploiting the backup restore function.


MiNuS, do you know a way to enable ftpd?

The problem is that when I try to browse the video files recorded in the sd card, thttpd returns the following:

500 Internal Error
There was an unusual problem serving the requested URL '/sd/'.
thttpd/2.25b 29dec2003


Did you experience that too? Thanks.