+- The Bytecode Club - Reverse Engineering Forum (https://the.bytecode.club)
+-- Forum: Lobby (https://the.bytecode.club/forumdisplay.php?fid=1)
+--- Forum: Programming (https://the.bytecode.club/forumdisplay.php?fid=86)
+--- Thread: Embedded Devices - Hacking Crappy Chinese IP Cameras (/showthread.php?tid=1503)
Embedded Devices - Hacking Crappy Chinese IP Cameras - zooty - 11-29-2015
I got a Tenvis IP camera from eBay. It is just a clone of the foscam, but inside a different casing. The guts are the same, and so the same firmware runs.
When we run nmap on the camera, we can see that telnet is running and you can connect to it.
Code:
~ % telnet 192.168.1.50
Trying 192.168.1.50...
Connected to 192.168.1.50.
Escape character is '^]'.
(none) login: root
Password:
Login incorrectThis isn't documented anywhere and the manufacturer will not give me the password, so I tried to find it myself.
Firstly, I downloaded the firmware from the Tenvis website and then unzipped it.
Running "file" on the file didn't help at all
Code:
firm % file IPC_TVS_V1.7.25.bin
IPC_TVS_V1.7.25.bin: dataUsing a script named binwalk, I located all of the different blocks of data and their offset.
Code:
8 0x8 uImage header, header size: 64 bytes, header CRC: 0xD8AC4C3A, created: 2014-02-18 10:30:08, image size: 3538880 bytes, Data Address: 0x80000000, Entry Point: 0x8026C000, data CRC: 0xAEA2D227, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
72 0x48 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2642856 bytes
917512 0xE0008 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2618211 bytes, 515 inodes, blocksize: 65536 bytes, created: 2014-02-18 10:30:03I'm not certain, but I'm quite sure that the block of LZMA is the Linux kernel .config. I would check but there isn't really a reason to do so.
Using the information from binwalk, I used dd to dump that block into a new file.
Code:
firm % dd if=IPC_TVS_V1.7.25.bin of=fs.bin bs=1 skip=917512
2621442+0 records in
2621442+0 records out
2621442 bytes (2.6 MB) copied, 4.06328 s, 645 kB/sIt was already reported by binwalk that this is a squashfs filesystem, so we can use unsquashfs to get at the files.
Code:
firm % unsquashfs fs.bin
Parallel unsquashfs: Using 8 processors
451 inodes (560 blocks) to write
[...]
created 317 files
created 64 directories
created 71 symlinks
created 0 devices
created 0 fifos
firm % cd squashfs-root/
squashfs-root % ls
bin dev etc etc_ro home init lib media mnt proc sbin sys tmp usr var
After some poking around, I found the file "internet.sh" which adds the user to passwd.
Code:
17 genSysFiles()
18 {
19 #login=`nvram_get 2860 Login`
20 #pass=`nvram_get 2860 Password`
21 login="admin"
22 pass="ipcam_rt5350"
23 if [ "$login" != "" -a "$pass" != "" ]; then
24 echo "$login::0:0:Adminstrator:/:/bin/sh" > /etc/passwd
25 echo "$login:x:0:$login" > /etc/group
26 chpasswd.sh $login $pass
27 fi
28 #if [ "$CONFIG_PPPOL2TP" == "y" ]; then
29 #echo "l2tp 1701/tcp l2f" > /etc/services
30 #echo "l2tp 1701/udp l2f" >> /etc/services
31 #fi
32 }Looks like the login credentials are admin:ipcam_rt5350
And it works :-)
Code:
~ % telnet 192.168.1.50
Trying 192.168.1.50...
Connected to 192.168.1.50.
Escape character is '^]'.
(none) login: admin
Password:
# uname
-sh: uname: not found
# free
total used free shared buffers
Mem: 13076 11996 1080 0 0
Swap: 0 0 0
Total: 13076 11996 1080
#You get BusyBox, some wireless drivers, camera drivers, a web server and an abysmal amount of RAM.
RE: Embedded Devices - Hacking Crappy Chinese IP Cameras - Pop Alexandra - 07-21-2017
That should indeed do the trick but you need a powerful processor too.