Actions

WinBook Security IPCam: Difference between revisions

From HacDC Wiki

(OK)
(ok)
Line 7: Line 7:
We'd love to have some nice open source IP Cameras, who wouldn't?
We'd love to have some nice open source IP Cameras, who wouldn't?


The Winbook IP Cam in the space uses an [https://wikidevi.com/wiki/Ralink_RT5350|RALINK RA5350] [(datasheet)|https://drive.google.com/file/d/0B8BpyTY91XfmajRYMWtscHRpbEU/edit]. The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.
The Winbook IP Cam in the space uses an [https://wikidevi.com/wiki/Ralink_RT5350|RALINK RA5350] ([datasheet|https://drive.google.com/file/d/0B8BpyTY91XfmajRYMWtscHRpbEU/edit]). The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.


==Filesystem==
==Filesystem==
Line 24: Line 24:
  /dev/mtdblock7            512      260      252  51% /param
  /dev/mtdblock7            512      260      252  51% /param


/ is read only, /system and /param appear to be writeable and persist across boots. Files may be downloaded for comfortable reverse engineering via move to webroot.
/ is read only, /system and /param appear to be writeable and persist across boots. Files may be downloaded for comfortable reverse engineering via copy to webroot.


===Init===
===Init===

Revision as of 00:33, 19 May 2017

Useful Info

This page documents teardown and reverse engineering project on A WinBook Security IPCam. Winbook is MicroCenter's store brand of IP Camera.

Introduction

We'd love to have some nice open source IP Cameras, who wouldn't?

The Winbook IP Cam in the space uses an RA5350 ([datasheet|https://drive.google.com/file/d/0B8BpyTY91XfmajRYMWtscHRpbEU/edit]). The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.

Filesystem

# ls /
var     usr     tmp     system  sys     sbin    proc    param   mnt     media   lib     init    home    etc_ro  etc     dev     bin
# ls system/
system    daemon    Wireless  init      www
# ls param
sysmacreset      vstarparam.bin   alarmlog.bin     alarmlog1.bin    systemindex.txt  systemlog.txt    login.cgi        date.bin
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      2608       464  85% /system
/dev/mtdblock7             512       260       252  51% /param

/ is read only, /system and /param appear to be writeable and persist across boots. Files may be downloaded for comfortable reverse engineering via copy to webroot.

Init

# ls /system/init/
ipcam.sh
# cat /system/init/ipcam.sh
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
chmod a+x /system/system/bin/daemon.vstar.v13
chmod a+x /system/system/bin/encoder
/system/system/bin/daemon.vstar.v13 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &

System/System

# ls /system/system/*   
/system/system/lib:

/system/system/drivers:

/system/system/bin:
unzip1            cmd_thread        upnpc-static      ssmtp             jpeg
daemon.vstar.v13  gmail_thread      encoder           mailx             ftp
#

Webroot

/system/www
# ls 

Important Configs

/etc/passwd
/etc/passwd-
/etc/login.cgi