
WinBook Security IPCam

From HacDC Wiki

Revision as of 01:57, 19 May 2017 by 96.88.198.77 (talk) (echo clobber and price)


This page documents a teardown and reverse engineering project on a WinBook Security IPCam. WinBook is MicroCenter's store brand of IP camera.

Introduction

We'd love to have some nice open source IP Cameras, who wouldn't? Unfortunately we've just got a shitty proprietary one. Fortunately, it's easy to hack.

The Winbook IP Cam (I believe it's a T7838 in the space) uses a RALINK RA5350 (datasheet). The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.

Buy

They seem to be available used/new from $40-$60 on eBay and Amazon. They may be available from MicroCenter as well.

Filesystem

# ls /
var     usr     tmp     system  sys     sbin    proc    param   mnt     media   lib     init    home    etc_ro  etc     dev     bin
# ls system/
system    daemon    Wireless  init      www
# ls param
sysmacreset      vstarparam.bin   alarmlog.bin     alarmlog1.bin    systemindex.txt  systemlog.txt    login.cgi        date.bin
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      2608       464  85% /system
/dev/mtdblock7             512       260       252  51% /param

/ is read-only; /system and /param appear to be writable and persist across boots. Files may be downloaded for comfortable reverse engineering by copying them to the webroot.

Init

# ls /system/init/
ipcam.sh
# cat /system/init/ipcam.sh
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
chmod a+x /system/system/bin/daemon.vstar.v13
chmod a+x /system/system/bin/encoder
/system/system/bin/daemon.vstar.v13 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &

System/System

# ls /system/system/*   
/system/system/lib:

/system/system/drivers:

/system/system/bin:
unzip1            cmd_thread        upnpc-static      ssmtp             jpeg
daemon.vstar.v13  gmail_thread      encoder           mailx             ftp
#

Webroot

/system/www
# ls 

Important Configs and Auth

/etc/passwd
/etc/passwd-
/param/login.cgi

login.cgi has the login/auth for the webservice.

There is no shadow file, but the passwd file appears to have a password hash in base64. This is probably easily brute-forceable.

Here is the initial root password hash: OYZVRABjiXqqQ

Here is the hash for 'hacdc': ZnfPmQ6KIvlTA

And after a reboot, here is the hash for 'hacdc': 4.n5RnxbkaMcU
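
The three strings above are each 13 characters drawn from the ./0-9A-Za-z alphabet, which matches the traditional DES crypt(3) layout (a 2-character salt followed by an 11-character hash) rather than standard base64; read that way, the two 'hacdc' hashes differ because their salts ('Zn' and '4.') differ. The following is an added example, not from the original page: a small Python audit that classifies passwd hash fields and flags weak schemes. Treating the field as DES crypt is an assumption based on its format, and the account names and remaining passwd fields in the sample are constructed.

```python
import re

# crypt(3) alphabet is "./0-9A-Za-z": close to base64, but not RFC 4648 base64.
DES_RE = re.compile(r"^([./0-9A-Za-z]{2})([./0-9A-Za-z]{11})$")
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$")
MODULAR = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Constructed sample: only the three hash strings come from the page; the
# account names and the remaining passwd fields are made up for illustration.
SAMPLE_PASSWD = """\
root:OYZVRABjiXqqQ:0:0:root:/:/bin/sh
hacdc_first_set:ZnfPmQ6KIvlTA:0:0:root:/:/bin/sh
hacdc_after_reboot:4.n5RnxbkaMcU:0:0:root:/:/bin/sh
nopass::0:0:root:/:/bin/sh
"""


def classify_hash(field):
    """Return (scheme, salt, finding) for the password field of a passwd entry."""
    if field == "":
        return ("empty", None, "no password required")
    if field == "x":
        return ("shadowed", None, "hash stored in /etc/shadow")
    if field[0] in "!*":
        return ("locked", None, "password login disabled")
    m = DES_RE.match(field)
    if m:
        return ("descrypt", m.group(1),
                "traditional DES crypt: 2-char salt, only first 8 password chars used")
    m = MODULAR_RE.match(field)
    if m:
        # Salt layout varies between modular schemes, so it is not parsed here.
        return (MODULAR.get(m.group(1), "modular-" + m.group(1)), None,
                "modular crypt format")
    return ("unknown", None, "unrecognised format")


def audit_passwd(text):
    """Map each account name to its classification, skipping malformed lines."""
    report = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] and not line.startswith("#"):
            report[parts[0]] = classify_hash(parts[1])
    return report


if __name__ == "__main__":
    for user, (scheme, salt, finding) in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user:20} {scheme:10} salt={salt!r:6} {finding}")
```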

Change Password for remote access

Since the password is unknown, to obtain easy telnet access, you can append something like

echo 'sleep 40 && /sbin/chpasswd.sh root xxxx' >> /system/init/ipcam.sh

It is probably a good idea to back up ipcam.sh first, since a single > instead of >> would clobber it.

Pictures

How to stream video over H.264?

It seems that the encoder binary binds to 8600 and streams H.264; as of yet I'm not sure how to access that.