WinBook Security IPCam
From HacDC Wiki
This page documents a teardown and reverse engineering project on a WinBook Security IPCam. WinBook is MicroCenter's store brand of IP camera.
Introduction
We'd love to have some nice open source IP Cameras, who wouldn't? Unfortunately we've just got a shitty proprietary one. Fortunately, it's easy to hack.
The WinBook IP Cam (I believe the one in the space is a T7838) uses a RALINK RA5350 (datasheet). The board we have includes holes for a UART serial pinout. We had success with a TTL USB serial adapter at 57600 baud. Root is available on serial with no password. The stock password is unknown at this time but can be reset to allow more comfortable remote telnet access; however, it resets every time we boot.
Buy
They seem to be available used/new for $40-$60 on eBay and Amazon. Maybe they can be bought from MicroCenter as well.
Filesystem
    # ls /
    var usr tmp system sys sbin proc param mnt media lib init home etc_ro etc dev bin
    # ls system/
    system daemon Wireless init www
    # ls param
    sysmacreset vstarparam.bin alarmlog.bin alarmlog1.bin systemindex.txt systemlog.txt login.cgi date.bin
    # df
    Filesystem       1k-blocks  Used  Available  Use%  Mounted on
    rootfs                3008  3008          0  100%  /
    /dev/root             3008  3008          0  100%  /
    /dev/mtdblock6        3072  2608        464   85%  /system
    /dev/mtdblock7         512   260        252   51%  /param

/ is read-only; /system and /param appear to be writable and persist across boots. Files may be downloaded for comfortable reverse engineering by copying them to the webroot.
Init
    # ls /system/init/
    ipcam.sh
    # cat /system/init/ipcam.sh
    export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
    export PATH=/system/system/bin:$PATH
    telnetd
    chmod a+x /system/system/bin/daemon.vstar.v13
    chmod a+x /system/system/bin/encoder
    /system/system/bin/daemon.vstar.v13 &
    /system/system/bin/cmd_thread &
    /system/system/bin/gmail_thread &
System/System
    # ls /system/system/*
    /system/system/lib:
    /system/system/drivers:
    /system/system/bin:
    unzip1 cmd_thread upnpc-static ssmtp jpeg daemon.vstar.v13 gmail_thread encoder mailx ftp
    #
Webroot
/system/www # ls
Important Configs and Auth
    /etc/passwd
    /etc/passwd-
    /param/login.cgi
login.cgi has the login/auth for the webservice.
There is no shadow file but the passwd file appears to have a password hash in base64. This is probably easily bruteforceable.
Here is the initial root password hash: OYZVRABjiXqqQ
Here is the hash for 'hacdc': ZnfPmQ6KIvlTA
And after a reboot, here is the hash for 'hacdc': 4.n5RnxbkaMcU
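An added example (not from the original page): assuming the 13-character strings above are traditional DES crypt(3) hashes, which their length and alphabet match, this audit script classifies passwd password fields and extracts the salt. The two 'hacdc' hashes carry different salts (Zn and 4.), which is why the same password hashes differently after a reboot. The passwd layout and account names are constructed.

```python
import re

# Traditional DES crypt(3): 13 chars from ./0-9A-Za-z, first 2 are the salt.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format ids -> (scheme, weak by current standards?)
MCF = {"1": ("md5-crypt", True), "5": ("sha256-crypt", False),
       "6": ("sha512-crypt", False), "2b": ("bcrypt", False)}

# Constructed passwd layout; only the three 13-character hashes come from
# the page. Account names, uid/gid, home and shell are made up, and the
# last line is a constructed sha512-crypt entry for contrast.
SAMPLE = """\
root:OYZVRABjiXqqQ:0:0:root:/:/bin/sh
hacdc_first:ZnfPmQ6KIvlTA:0:0:root:/:/bin/sh
hacdc_reboot:4.n5RnxbkaMcU:0:0:root:/:/bin/sh
modern:$6$constructedsalt$constructedhash:1000:1000::/home/modern:/bin/sh
"""


def classify(field):
    """Identify the hashing scheme of one passwd/shadow password field."""
    if field == "":
        return {"scheme": "empty", "salt": None, "weak": True}
    if field == "x" or field[0] in "!*":
        return {"scheme": "shadowed-or-locked", "salt": None, "weak": False}
    if field.startswith("$"):
        parts = field.split("$")
        scheme, weak = MCF.get(parts[1], ("unknown-mcf", True))
        return {"scheme": scheme, "salt": None, "weak": weak}
    if DES_CRYPT.fullmatch(field):
        return {"scheme": "des-crypt", "salt": field[:2], "weak": True}
    return {"scheme": "unknown", "salt": None, "weak": True}


def audit_passwd(text):
    """Return (user, scheme, salt) for every account with a weak hash."""
    findings = []
    for line in text.splitlines():
        cols = line.split(":")
        if len(cols) < 7:
            continue  # not a passwd record
        info = classify(cols[1])
        if info["weak"]:
            findings.append((cols[0], info["scheme"], info["salt"]))
    return findings


if __name__ == "__main__":
    for user, scheme, salt in audit_passwd(SAMPLE):
        print(f"{user}: {scheme}, salt={salt!r}")
```

Traditional DES crypt only uses the first eight characters of a password, so a longer root password on this scheme adds nothing beyond that.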
Change Password for remote access
Since the password is unknown, to obtain easy telnet access, you can append something like

    echo 'sleep 40 && /sbin/chpasswd.sh root xxxx' >> /system/init/ipcam.sh

It is probably a good idea to back up ipcam.sh first, in case you clobber it by typing echo > instead of echo >>.
How to stream video over H.264?
It seems that the encoder binary binds to 8600 and streams H.264; as of yet I'm not sure how to access that.