Embedded Devices - Hacking Crappy Chinese IP Cameras
#1
I got a Tenvis IP camera from eBay. It is just a clone of the Foscam, but inside a different casing. The guts are the same, and so the same firmware runs.

When we run nmap on the camera, we can see that telnet is running and you can connect to it.

Code:
~ % telnet 192.168.1.50
Trying 192.168.1.50...
Connected to 192.168.1.50.
Escape character is '^]'.

(none) login: root
Password:
Login incorrect

This isn't documented anywhere and the manufacturer will not give me the password, so I tried to find it myself.

Firstly, I downloaded the firmware from the Tenvis website and then unzipped it.

Running "file" on the file didn't help at all.

Code:
firm % file IPC_TVS_V1.7.25.bin
IPC_TVS_V1.7.25.bin: data

Using a script named binwalk, I located all of the different blocks of data and their offsets.

Code:
8             0x8             uImage header, header size: 64 bytes, header CRC: 0xD8AC4C3A, created: 2014-02-18 10:30:08, image size: 3538880 bytes, Data Address: 0x80000000, Entry Point: 0x8026C000, data CRC: 0xAEA2D227, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
72            0x48            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2642856 bytes
917512        0xE0008         Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2618211 bytes, 515 inodes, blocksize: 65536 bytes, created: 2014-02-18 10:30:03

I'm not certain, but I'm quite sure that the block of LZMA is the Linux kernel .config. I would check but there isn't really a reason to do so.

Using the information from binwalk, I used dd to dump that block into a new file.

Code:
firm % dd if=IPC_TVS_V1.7.25.bin of=fs.bin bs=1 skip=917512
2621442+0 records in
2621442+0 records out
2621442 bytes (2.6 MB) copied, 4.06328 s, 645 kB/s

It was already reported by binwalk that this is a squashfs filesystem, so we can use unsquashfs to get at the files.

Code:
firm % unsquashfs fs.bin
Parallel unsquashfs: Using 8 processors
451 inodes (560 blocks) to write
[...]
created 317 files
created 64 directories
created 71 symlinks
created 0 devices
created 0 fifos
firm % cd squashfs-root/
squashfs-root % ls
bin  dev  etc  etc_ro  home  init  lib  media  mnt  proc  sbin  sys  tmp  usr  var

Highfive

After some poking around, I found the file "internet.sh" which adds the user to passwd.

Code:
genSysFiles()
{
    #login=`nvram_get 2860 Login`
    #pass=`nvram_get 2860 Password`
    login="admin"
    pass="ipcam_rt5350"
    if [ "$login" != "" -a "$pass" != "" ]; then
    echo "$login::0:0:Adminstrator:/:/bin/sh" > /etc/passwd
    echo "$login:x:0:$login" > /etc/group
        chpasswd.sh $login $pass
    fi
    #if [ "$CONFIG_PPPOL2TP" == "y" ]; then
    #echo "l2tp 1701/tcp l2f" > /etc/services
    #echo "l2tp 1701/udp l2f" >> /etc/services
    #fi
}

Looks like the login credentials are admin:ipcam_rt5350

And it works :-)

Code:
~ % telnet 192.168.1.50
Trying 192.168.1.50...
Connected to 192.168.1.50.
Escape character is '^]'.

(none) login: admin
Password:
# uname
-sh: uname: not found
# free
              total         used         free       shared      buffers
  Mem:        13076        11996         1080            0            0
Swap:            0            0            0
Total:        13076        11996         1080
#

You get BusyBox, some wireless drivers, camera drivers, a web server and an abysmal amount of RAM.
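
Added example, not part of the original post or the camera's firmware: a small POSIX shell audit that walks an unpacked root such as squashfs-root and reports where a script hard-codes an account password the way genSysFiles() does. The function name audit_rootfs, the sbin/ location of the sample script and the sample password value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report where scripts in an unpacked firmware root
# hard-code an account password. Prints file:line:variable, never the value.
audit_rootfs() {
    root=${1%/}
    find "$root" -type f \( -name '*.sh' -o -path '*/init.d/*' \) |
    while IFS= read -r f; do
        # Only look at scripts that provision accounts.
        grep -Eq 'chpasswd|>+[[:space:]]*/etc/(passwd|shadow)' "$f" || continue
        rel=${f#"$root"/}
        awk -v file="$rel" '
            /^[ \t]*#/ { next }                   # skip commented-out lines
            {
                line = $0
                sub(/^[ \t]*/, "", line)
                eq = index(line, "=")
                if (eq < 2) next
                name  = substr(line, 1, eq - 1)
                value = substr(line, eq + 1)
                if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) next
                if (tolower(name) !~ /pass|pwd/) next
                gsub("[\"\047]", "", value)       # drop surrounding quotes
                # Values read at run time ($var, $(cmd), `cmd`) are not literals.
                if (value == "" || value ~ /[$`]/) next
                print file ":" NR ":" name
            }' "$f"
    done
}

# Constructed sample modelled on the genSysFiles() excerpt; the sbin/ path
# and the password value are placeholders, not taken from the firmware.
demo=$(mktemp -d)
mkdir -p "$demo/sbin"
cat > "$demo/sbin/internet.sh" <<'EOF'
genSysFiles()
{
    #pass=`nvram_get 2860 Password`
    login="admin"
    pass="EXAMPLE_ONLY"
    if [ "$login" != "" -a "$pass" != "" ]; then
        echo "$login::0:0:Adminstrator:/:/bin/sh" > /etc/passwd
        chpasswd.sh $login $pass
    fi
}
EOF
audit_rootfs "$demo"
rm -rf "$demo"
```

Pointed at a real tree it is run as audit_rootfs squashfs-root after unsquashfs; assignments filled from nvram_get or another command are skipped because they are not literals.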