WinBook Security IPCam: Difference between revisions
From HacDC Wiki
(ok) |
(→Important Configs: hacks) |
||
Line 65: | Line 65: | ||
login.cgi has the login for the webservice. | login.cgi has the login for the webservice. | ||
There is no shadow file but the passwd file appears to have a password hash in base64. | There is no shadow file but the passwd file appears to have a password hash in base64. This is probably easily bruteforceable. | ||
Here is the initial root password hash: OYZVRABjiXqqQ | |||
Here is the hash for 'hacdc': ZnfPmQ6KIvlTA | |||
And after a reboot, here is the hash for 'hacdc': 4.n5RnxbkaMcU | |||
==Pictures== | ==Pictures== |
Revision as of 00:55, 19 May 2017
This page documents teardown and reverse engineering project on A WinBook Security IPCam. Winbook is MicroCenter's store brand of IP Camera.
Introduction
We'd love to have some nice open source IP Cameras, who wouldn't? Unfortunately we've just got a shitty proprietary one. Fortunately, it's easy to hack.
The Winbook IP Cam in the space uses an RALINK RA5350 (datasheet). The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.
Filesystem
# ls / var usr tmp system sys sbin proc param mnt media lib init home etc_ro etc dev bin # ls system/ system daemon Wireless init www # ls param sysmacreset vstarparam.bin alarmlog.bin alarmlog1.bin systemindex.txt systemlog.txt login.cgi date.bin # df Filesystem 1k-blocks Used Available Use% Mounted on rootfs 3008 3008 0 100% / /dev/root 3008 3008 0 100% / /dev/mtdblock6 3072 2608 464 85% /system /dev/mtdblock7 512 260 252 51% /param
/ is read only, /system and /param appear to be writeable and persist across boots. Files may be downloaded for comfortable reverse engineering via copy to webroot.
Init
# ls /system/init/ ipcam.sh # cat /system/init/ipcam.sh export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH export PATH=/system/system/bin:$PATH telnetd chmod a+x /system/system/bin/daemon.vstar.v13 chmod a+x /system/system/bin/encoder /system/system/bin/daemon.vstar.v13 & /system/system/bin/cmd_thread & /system/system/bin/gmail_thread &
System/System
# ls /system/system/* /system/system/lib: /system/system/drivers: /system/system/bin: unzip1 cmd_thread upnpc-static ssmtp jpeg daemon.vstar.v13 gmail_thread encoder mailx ftp #
Webroot
/system/www # ls
Important Configs
/etc/passwd /etc/passwd- /etc/login.cgi
login.cgi has the login for the webservice.
There is no shadow file but the passwd file appears to have a password hash in base64. This is probably easily bruteforceable.
Here is the initial root password hash: OYZVRABjiXqqQ Here is the hash for 'hacdc': ZnfPmQ6KIvlTA And after a reboot, here is the hash for 'hacdc': 4.n5RnxbkaMcU
Pictures
HowTO stream video over H264?
It seems that the encoder binary binds to 8600 and streams H.264; as of yet I'm not sure how to access that.