ILDVR INC-MH40D06 or hacking a cheap Chinese camera

Continuation of ILDVR INC-MH40D06

Since the manufacturer will not divulge the super secret telnet password, and there is no way to turn telnet off from the web UI, I decided to get access to the camera by a more brute-force method.

This involves opening the camera and soldering a pin header/wires to the RS232 pads on the SoC board:

[Photos, not reproduced here: the RS232 pad labels on the SoC board, the 1.27mm RS232 header, the 1.27mm-to-2.54mm adapter, and the USB RS232 adapter]

The RS232 is connected to a 3.3V (NOT 5V!) USB RS232 TTL adapter (a few bucks on eBay). BTW, the eBay-sourced USB adapter did not come with instructions or a pin-out. It is in fact the following:

Red - 3.3V
Green - TX
White - RX
Black - GND

The pin spacing is 1.27mm. I could not find a connector that would fit, so I botched together a 1.27mm-to-2.54mm header adapter (since the USB adapter came with 2.54mm sockets).

I left the 3.3V pin disconnected, as the SoC would otherwise draw power from the adapter and would not reboot when PoE was disconnected.
I used minicom with the following settings:

115200 8N1
ttyUSB0

Once power is applied, immediately press any key to interrupt the boot process and get the U-Boot prompt:

U-Boot 2010.06 (May 18 2015 - 09:40:27)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xC2 0x20 0x18 0xC2 0x20 0x18
Spi(cs1): Block:64KB Chip:16MB Name:"MX25L128XX"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0 
hisilicon #

To find out the current boot parameters, run printenv:

hisilicon # printenv 
bootcmd=sf probe 0;sf read 0x82000000 0x50000 0x2b0000;bootm 0x82000000
bootdelay=1
baudrate=115200
ethaddr=00:00:23:34:45:66
ipaddr=192.168.6.99
serverip=192.168.6.10
netmask=255.255.252.0
bootfile="uImage"
board=hi3516d
bootargs=mem=128M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:320K(boot),2752K(kernel),2M(rootfs),11M(data)
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (May 18 2015 - 09:40:27)

To get root, you will need to modify the bootargs variable:

setenv bootargs mem=128M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:320K(boot),2752K(kernel),2M(rootfs),11M(data) init=/bin/sh

It is exactly the same as the original bootargs from printenv, except that init is changed to a shell (init=/bin/sh), so the kernel drops straight into a root shell instead of running the normal init.

To boot, simply run the commands from the bootcmd variable shown by printenv:

sf probe 0;sf read 0x82000000 0x50000 0x2b0000;bootm 0x82000000

To continue the boot (to bring up the rest of the mounts and services), run the following:

/etc/init.d/rcS

At this stage you can change the root password with passwd. This will not persist; to make it stick, modify Server.tar.xz with the desired etc/passwd entry (see below).
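
The mtdparts string in bootargs and the offsets in bootcmd describe the same 16MB SPI flash, and it is worth checking that they agree before trusting a dump of the kernel or rootfs partition taken from the U-Boot prompt. The following Python script is an added example, not code from the original post: it parses mtdparts= (the general <size>[@offset](name) syntax, including a '-' remainder size, which goes beyond the single instance above), maps root=/dev/mtdblockN to the partition it names, and checks that the sf read window in bootcmd falls inside exactly one partition. The BOOTARGS, BOOTCMD and FLASH_SIZE constants are copied from the printenv output and U-Boot banner above; everything else is my own assumption.

```python
import re

# Values copied from the printenv output and U-Boot banner above (assumed verbatim).
BOOTARGS = ("mem=128M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 "
            "mtdparts=hi_sfc:320K(boot),2752K(kernel),2M(rootfs),11M(data)")
BOOTCMD = "sf probe 0;sf read 0x82000000 0x50000 0x2b0000;bootm 0x82000000"
FLASH_SIZE = 16 * 1024 * 1024          # "Chip:16MB" in the SPI probe line

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_PART_RE = re.compile(r"(-|\d+)([KMG]?)(?:@(\d+)([KMG]?))?\(([^)]+)\)(?:ro)?(?:lk)?")
_NUM = r"(0x[0-9a-fA-F]+|\d+)"


def parse_mtdparts(bootargs, flash_size=None):
    """Turn mtdparts=<dev>:<size>[@<off>](<name>),... into a list of partition dicts.
    Sizes accept K/M/G suffixes; a '-' size means 'the rest of the flash' and needs
    flash_size. Partitions without @offset start where the previous one ended,
    which is how the kernel's cmdline mtd parser lays them out."""
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    device, spec = m.groups()
    parts, offset = [], 0
    for idx, item in enumerate(spec.split(",")):
        pm = _PART_RE.fullmatch(item)
        if not pm:
            raise ValueError("unparseable partition %r" % item)
        size_s, size_u, off_s, off_u, name = pm.groups()
        if off_s is not None:
            offset = int(off_s) * _UNITS[off_u]
        if size_s == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - offset
        else:
            size = int(size_s) * _UNITS[size_u]
        parts.append({"index": idx, "device": device, "name": name,
                      "offset": offset, "size": size})
        offset += size
    return parts


def root_partition(bootargs, parts):
    """Map root=/dev/mtdblockN to the partition the kernel will mount as /."""
    m = re.search(r"root=/dev/mtdblock(\d+)", bootargs)
    if not m:
        return None
    return next((p for p in parts if p["index"] == int(m.group(1))), None)


def sf_read_partition(bootcmd, parts):
    """Find 'sf read <load_addr> <flash_off> <len>' in bootcmd and return the
    partition that window lies entirely inside, or None if it straddles one."""
    m = re.search(r"sf read\s+%s\s+%s\s+%s" % (_NUM, _NUM, _NUM), bootcmd)
    if not m:
        return None
    _load, off, length = (int(x, 0) for x in m.groups())
    for p in parts:
        if p["offset"] <= off and off + length <= p["offset"] + p["size"]:
            return p
    return None


def layout_summary(bootargs=BOOTARGS, bootcmd=BOOTCMD, flash_size=FLASH_SIZE):
    """Cross-check the three sources: partition table, root= and the bootcmd read."""
    parts = parse_mtdparts(bootargs, flash_size)
    end = parts[-1]["offset"] + parts[-1]["size"]
    return {"parts": parts,
            "covers_flash": end == flash_size,
            "root": root_partition(bootargs, parts),
            "kernel_read": sf_read_partition(bootcmd, parts)}


if __name__ == "__main__":
    s = layout_summary()
    for p in s["parts"]:
        print("mtd%d %-7s offset 0x%06X size 0x%06X"
              % (p["index"], p["name"], p["offset"], p["size"]))
    print("partitions cover the whole flash:", s["covers_flash"])
    print("root= mounts:", s["root"]["name"])
    print("bootcmd's sf read loads:", s["kernel_read"]["name"])
```

Run as is, the script confirms that the four partitions add up to exactly 16MB, that root=/dev/mtdblock2 is the 2M jffs2 rootfs, and that the bootcmd read (offset 0x50000, length 0x2b0000) is precisely the kernel partition. The same offsets are what you would pass to sf read when taking a backup of each partition before changing anything.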

Horrible stuff below.
Everything runs as root!

The point of interest is /mnt/flash/Server.tar.xz; I believe the init script unpacks it into /mnt/flash/.
It is possible to get the whole file without TFTP or any other trickery by simply copying it across into a directory that the web UI serves:

cp /mnt/flash/Server.tar.xz /mnt/flash/web/browse/

From there you can simply open http://${camera_ip}/browse/Server.tar.xz in a browser and download the whole thing.

Examining the "server" binary, I discovered a major security flaw. Specifically, Server/LINUX/webs contains the following strings:

name=HANKVISION
password=HANKVISION

I tested them against the web UI, and to my horror these credentials allowed me to log in (with admin rights, no less).
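
Hardcoded logins of this kind are found the same way the post found them: by pulling printable strings out of the binary and looking for key=value pairs whose key names a user or a password. As an added example (not code from the post or from the vendor), the Python below does that scan over a constructed byte blob that imitates a slice of such a binary and contains the two strings quoted above. It skips printf-style templates such as user=%s, which are filled in at runtime rather than baked in, and pairs a name/user string with the password string that directly follows it in the file. The SAMPLE_BINARY contents and the key lists are my own constructed assumptions.

```python
import re

# Constructed stand-in for a slice of the webs binary (the real file is not on this
# page); it embeds the two credential strings the post quotes plus some decoys.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"Server: Hankvision-Webs\x00"
    + b"name=HANKVISION\x00"
    + b"password=HANKVISION\x00"
    + b"/home/zhangxq/webs/src\x00"
    + b"Content-Type: text/html\x00"
    + b"user=%s\x00"                       # printf template, not a baked-in value
    + b"\x00\x01\x02garbage\xff"
)

MIN_LEN = 4
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)   # printable ASCII runs
# key=value or key:value where the key names a user or a secret (case-insensitive)
_CRED_RE = re.compile(
    r"^(user(?:name)?|name|login|pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*(\S.*)$", re.I)
_TEMPLATE_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[sdiuxXc]")

USER_KEYS = {"user", "username", "name", "login"}
PASS_KEYS = {"password", "passwd", "pass", "pwd"}


def extract_strings(blob, min_len=MIN_LEN):
    """Yield (offset, text) for every printable-ASCII run of at least min_len bytes,
    which is what strings(1) prints."""
    pattern = _STRING_RE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_credential_strings(blob):
    """Return [(offset, key, value)] for strings that look like literal credentials.
    printf-style templates (user=%s) are dropped: they are filled in at runtime."""
    hits = []
    for off, text in extract_strings(blob):
        m = _CRED_RE.match(text)
        if m and not _TEMPLATE_RE.search(m.group(2)):
            hits.append((off, m.group(1).lower(), m.group(2)))
    return hits


def pair_credentials(hits):
    """Pair each user-ish hit with the password-ish hit that directly follows it in
    the binary; adjacent pairs like the name=/password= pair above are the ones
    that deserve to be checked against the device's login during an audit."""
    pairs = []
    for (_, k1, v1), (_, k2, v2) in zip(hits, hits[1:]):
        if k1 in USER_KEYS and k2 in PASS_KEYS:
            pairs.append((v1, v2))
    return pairs


if __name__ == "__main__":
    hits = find_credential_strings(SAMPLE_BINARY)
    for off, key, value in hits:
        print("0x%06x  %s=%s" % (off, key, value))
    print("candidate logins:", pair_credentials(hits))
```

On a real firmware you would point find_credential_strings at every binary under Server/ (or at the whole unpacked rootfs), and treat each pair it reports as a finding to verify against the web UI and telnet: a pair that works is a backdoor account that no configuration setting removes, which is the case this post documents.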

Here is the Server.tar.xz for curious types.

Other things.

The /etc/passwd contained the following:

root:$1$EnVGPLqH$OmqpejDjDsF8NQkcwH/og.:0:0::/root:/bin/sh

I am running JtR with CUDA (on a GTX 970) against it (currently alpha, lengths 4-8), but I doubt I will get anywhere. I need to find an exploit to change /etc/passwd without using serial.

The /etc/passwd- contained the following:

root:$1$y3A1TsGe$n7RvgOkNPb1PhGPGnh9v5.:0:0::/root:/bin/sh

There are a lot of references to Justin and paths like /home/zhangxq/.

Since you can get Server.tar.xz and wget is available on the camera, you can modify Server.tar.xz and put the modified version back via wget, which opens up plenty of possibilities.

The root password is hkvision888.
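
Both /etc/passwd entries above use md5crypt (the $1$ prefix), which is what JtR and hashcat's mode 500 attack. To show what that hash actually is, and to let you check a device's root hash against a vendor default such as the one reported above before the device goes on a network, here is an added example (my own code, not from the post) implementing md5crypt in Python with only hashlib, plus a constant-time verify() that splits the $1$salt$hash form and a helper that flags md5crypt entries in a passwd/shadow line. The algorithm follows the FreeBSD/glibc definition; PAGE_HASHES is copied from the post, and the "Hello world!"/saltstring vector in main is glibc's published test vector.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hashes copied from the /etc/passwd and /etc/passwd- entries above.
PAGE_HASHES = ["$1$EnVGPLqH$OmqpejDjDsF8NQkcwH/og.",
               "$1$y3A1TsGe$n7RvgOkNPb1PhGPGnh9v5."]


def _to64(value, count):
    """crypt(3)'s custom base64: emit `count` chars, 6 bits each, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt, magic="$1$"):
    """md5crypt as defined by Poul-Henning Kamp's FreeBSD implementation and glibc:
    an initial digest mixed with the password length, then 1000 MD5 rounds whose
    inputs alternate on round parity, then the custom base64 of a permuted digest."""
    pw = password.encode()
    if salt.startswith(magic):                 # accept a full "$1$salt$..." string
        salt = salt[len(magic):]
    salt = salt.split("$")[0][:8].encode()     # at most 8 chars, stops at '$'
    mg = magic.encode()

    ctx = hashlib.md5(pw + mg + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                               # alt digest, one byte per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                                   # per bit of the length: NUL or first char
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for r in range(1000):                      # fixed, non-tunable work factor
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    out = ""
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
    out += _to64(final[11], 2)
    return magic + salt.decode() + "$" + out


def parse_md5crypt(hash_str):
    """Split '$1$<salt>$<hash>' into (salt, hash); reject anything else."""
    fields = hash_str.split("$")
    if len(fields) != 4 or fields[0] != "" or fields[1] != "1" or len(fields[3]) != 22:
        raise ValueError("not an md5crypt ($1$) hash: %r" % hash_str)
    return fields[2], fields[3]


def verify(password, hash_str):
    """True if password produces hash_str; the comparison is constant-time."""
    salt, _ = parse_md5crypt(hash_str)
    return hmac.compare_digest(md5crypt(password, salt).encode(), hash_str.encode())


def passwd_line_uses_md5crypt(line):
    """For an /etc/passwd or /etc/shadow line, report whether field 2 is an md5crypt
    hash, so a firmware audit can flag the weak scheme before any cracking attempt."""
    fields = line.split(":")
    return len(fields) >= 2 and fields[1].startswith("$1$")


if __name__ == "__main__":
    # glibc test vector (crypt/md5c-test.c); expected "$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1"
    print(md5crypt("Hello world!", "saltstring"))
    # Does the password the post reports match the hashes it quotes? Printed, not asserted.
    for h in PAGE_HASHES:
        print(h, "matches hkvision888:", verify("hkvision888", h))
```

The 1000 MD5 rounds are fixed by the format and cannot be raised, which is why a single GPU can try millions of candidates per second against a $1$ hash and why the brute-force timings discussed in the comments are even plausible. A device whose /etc/passwd can be copied out of a web-served directory should at least be using sha512crypt ($6$) with a high rounds count, and should not ship a default root password at all.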

11 thoughts on “ILDVR INC-MH40D06 or hacking a cheap Chinese camera”

  1. Tj

    Did you get any further with the telnetd root password?

    I recently installed an outdoor mast-mounted HD x33 PTZ camera bought via a seller on aliexpress.com. It works well and until recently I’ve not had the need to hack it. Yesterday an nmap scan showed it had port 23 open with the busybox telnetd listening (it is on an isolated VLAN though) so I began to try to figure out how to access it and so far have been unsuccessful. As the device is mounted on a mast 10 meters high I don’t feel inclined to attach a serial cable to its UART port!

    After a lot of research it turns out my device is actually manufactured by SHENZHEN UNITOPTEK ELECTRONICS CO.,LTD who trade outside China as BOAVISION. The web-site is at http://unitoptek.com.

    The web-server returns the same ID as you reported: “Server: Hankvision-Webs” and the Javascript has comments by ‘Justin’ but as I don’t (yet) have access to a firmware update file (have requested one) I can’t investigate if the packages are essentially identical to those on the MH40D06.

    HankVision’s Chinese site is the best place to get more info on them and their download page is: http://www.hankvision.com/kehu/ but the download site they use requires payment for some downloads (including of firmware images for their own-brand devices).

    Email me privately if you remain interested in hacking this or similar devices.

    1. iamroot Post author

      I haven’t got anywhere with cracking the ssh root password.
      You could always try to exploit it via the firmware update uploader.
      I simply lost interest, as I certainly will not be buying this brand or recommend anyone buy it either, unless there is an option of open-source firmware (there is none).

  2. Mick

    Hi there,

    I have the same firmware in my camera, a different model with no serial port available.
    Any progress with cracking that salted pass?

    1. iamroot Post author

      No success on the hash.
      Are you sure there is no serial port on the board? It would be 4 through-holes on the board where you need to solder the connector.

      1. Mick

        Tried every connector with an oscilloscope – found only RS485 for PTZ control, no UART or RS232, nothing other than PTZ on RS485.

        Camera I have is: LE-SDM38L

        Perhaps they did use UART for 485…

        I will try to hack it through the web interface to temporarily change the password on it and log in via telnet once I find time for that 🙂

  3. Mick

    Don’t have a fast enough graphics card to crack that password, but HASHCAT is much faster than JOHN.

    The command for HASHCAT brute force is (6 characters long – letters, caps, digits, special): hashcat -a 3 -m 500 password ?a?a?a?a?a?a

    Can you check if hashcat is faster? I’m checking 1-5 character long passwords, since 6 characters would take me like 140 days.

  4. Mick

    All right, found the UART; it was on the other side behind a metal plate, had to open the module.

    The way to set your own password is:

    In /mnt/flash create 2 files. The first one is your own passwd file with an md5crypt password. The second one is “mountnfs” with this line inside: “sleep 60&&cp /mnt/flash/passwd /etc/passwd&”. If you want you can tweak the time – it is needed to wait for the rootfs remount. Perhaps 15 sec will do…

  5. JASON

    Are you still interested in this project? I've copied server.tar.xz and changed the root password, and also figured out how to change the web UI hidden account password HANKVISION_2016. I would like to pull the firmware image off the camera and make some permanent changes to the web UI. My camera is the 30x 4MP PTZ.

    1. iamroot Post author

      Interesting that they are still up to no good with hardcoded passwords. I “blacklisted” anything that has boards from Hankvision.

  6. Alexander

    Just checked my BOAVISION camera.
    Indeed, it has HANKVISION_2016 user with HANKVISION_2016 password.
    Mailed a message to them.
    Will keep you updated regarding their reaction.
