Hacking IP Camera Coolcam NIP-09 NIP-02

Info about this ipcam:

Firmware: 81.2.0.142
Web UI: 19.2.1.2.17


On Board:

CPU: Ralink RT5350F
Flash: YD7815K130719 81.2.0.133
Printed: NIP02 & 090 _M V4 , Jun 26 2013
JTAG: below the CPU board

Nmap:

PORT     STATE SERVICE
23/tcp   open  telnet
81/tcp   open  unknown
8600/tcp open  asterix
MAC Address: 00:6E:06:1D:2C:8C (Unknown)

Telnet password is secret.

Examining the firmware with binwalk:

binwalk 81.2.0.142.bin
DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------
36        	0x24      	Zip archive data, at least v1.0 to extract, name: "system/"  
101       	0x65      	Zip archive data, at least v1.0 to extract, name: "system/www/"  
170       	0xAA      	Zip archive data, at least v1.0 to extract, name: "system/system/"  
242       	0xF2      	Zip archive data, at least v1.0 to extract, name: "system/system/bin/"  
318       	0x13E     	Zip archive data, at least v2.0 to extract, compressed size: 24737, uncompressed size: 106032, name: "system/system/bin/daemon.v5.5"  
25142     	0x6236    	Zip archive data, at least v2.0 to extract, compressed size: 246060, uncompressed size: 794720, name: "system/system/bin/encoder"  
271285    	0x423B5   	Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"  
274479    	0x4302F   	Zip archive data, at least v1.0 to extract, name: "system/system/lib/"  
274555    	0x4307B   	Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"  
274635    	0x430CB   	Zip archive data, at least v1.0 to extract, name: "system/Wireless/"  
274709    	0x43115   	Zip archive data, at least v1.0 to extract, name: "system/init/"  
274779    	0x4315B   	Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"  
276040    	0x43648   	End of Zip archive 

So we can carve out the ZIP image with dd, skipping the first 36 bytes:

dd bs=1 skip=36  if=81.2.0.142.bin of=image.zip
unzip image.zip
   creating: system/
   creating: system/www/
   creating: system/system/
   creating: system/system/bin/
  inflating: system/system/bin/daemon.v5.5  
  inflating: system/system/bin/encoder  
  inflating: system/system/bin/gmail_thread  
   creating: system/system/lib/
   creating: system/system/drivers/
   creating: system/Wireless/
   creating: system/init/
  inflating: system/init/ipcam.sh

I don’t know what gmail_thread is, but it’s suspicious. encoder seems to be the main program of the IP camera, and daemon.v5.5 contains interesting information: examining it with a hex editor reveals a hashed password for root. Specifically:

/etc/passwd.wb
root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh

Running John the Ripper against it cracks the hash immediately: the password is 123456, and this is the password for telnet with user root.
We are inside.
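
The same check as an audit script, added here as an example (it is not code from the original post): it finds the ZIP payload the way binwalk located it, unpacks it in memory, and flags passwd-style records whose hash uses a weak crypt(3) scheme. The firmware blob is a constructed sample (a 36-byte zero header plus a small ZIP carrying the passwd line quoted above), and all function names are hypothetical.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature binwalk reports as "Zip archive data"

# passwd-style record: name:hash:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([A-Za-z0-9./$]{13,}):(\d+):(\d+):"
    rb"([^:\n\x00]*):([^:\n\x00]*):([^:\n\x00]*)")

def find_zip_offset(blob):
    """Offset of the first ZIP local file header, or -1 if there is none."""
    return blob.find(ZIP_LOCAL_HEADER)

def hash_scheme(h):
    """Name the crypt(3) scheme from the shape of the hash field."""
    for prefix, name in (("$1$", "md5crypt"), ("$2", "bcrypt"),
                         ("$5$", "sha256crypt"), ("$6$", "sha512crypt")):
        if h.startswith(prefix):
            return name
    return "descrypt" if len(h) == 13 and "$" not in h else "unknown"

def scan_firmware(blob):
    """Return embedded passwd records found in any member of the ZIP payload."""
    off = find_zip_offset(blob)
    if off < 0:
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob[off:])) as z:   # same cut as dd skip=<off>
        for info in z.infolist():
            if info.is_dir():
                continue
            for m in PASSWD_RE.finditer(z.read(info)):
                user, h, uid, _gid, _gecos, _home, shell = (
                    g.decode() for g in m.groups())
                scheme = hash_scheme(h)
                findings.append({
                    "member": info.filename, "user": user, "uid": int(uid),
                    "scheme": scheme, "shell": shell,
                    "weak": scheme in ("descrypt", "md5crypt"),
                })
    return findings

def build_sample():
    """Constructed stand-in for the update file: 36-byte header + ZIP payload."""
    record = b"/etc/passwd.wb\x00root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("system/system/bin/daemon.v5.5", b"\x7fELF" + b"\x00" * 64 + record)
        z.writestr("system/init/ipcam.sh", b"#!/bin/sh\n")
    return b"\x00" * 36 + buf.getvalue()

if __name__ == "__main__":
    for finding in scan_firmware(build_sample()):
        print(finding)
```

A 13-character hash with no `$` prefix is traditional DES crypt, which only uses the first 8 characters of the password; any such record in a firmware image is a fixed, shared credential for every device running it.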

UPDATE:

Connected to JTAG

JTAG
Board
Bus Pirate

Booting

boot.txt

UPDATE 2:

After installing the Ralink SDK and a toolchain (*) for cross-compiling on Debian 7, I managed to build some binaries for the camera:

hello: Hello World program
dbclient: Dropbear SSH Client
dropbear: Dropbear SSH Server

An easy way to upload files to the camera is through telnet. The camera has an FTP client in /system/system/bin/. After setting up an external FTP server, connect to it with the command

./ftp -n IP Port

Inside the FTP session, log in with the ‘user’ command, set the transfer mode to ‘binary’, and use the ‘put’ and ‘get’ commands to upload or download files.

(*) I found the appropriate toolchain for Ralink in this Git repository:

git clone git://gitorious.org/asusn56u/asusn56u.git

Only the folder toolchain is necessary. About the Ralink SDK 4 itself, required for RT5350 SoC, it is possible to download it from https://github.com/stevenylai/ralink_sdk.

Installing Linux, Ubuntu 8.04 Hardy, on a IBM Thinkpad X41 Tablet

UPDATE Aug 08 AUTOMATIC SCREEN ORIENTATION (based on HDAPS Orientation Sensor)
(See Below).

This document describes how to configure Linux, Ubuntu 8.04 Hardy (release 2008), on an IBM ThinkPad X41 Tablet, with my scripts and patches available to download.

ENABLE STYLUS

/etc/X11/xorg.conf

#Uncomment if you have a wacom tablet
        InputDevice     "stylus"        "SendCoreEvents"
        InputDevice     "cursor"        "SendCoreEvents"
        InputDevice     "eraser"        "SendCoreEvents"
        #InputDevice    "Synaptics Touchpad"

apt-get install wacom-tools

To download xorg.conf, for reference.

FINGERPRINT READER AND HDAPS SENSOR


/etc/modules

Add:

#Required for Fingerprint Reader
uinput  
#Thinkpad access to the embedded controller. Battery
tp_smapi  
#IBM Active Protection System and Orientation Sensor
hdaps_ec  

For Fingerprint sensor see How_to_enable_the_fingerprint_reader_with_ThinkFinger and my entry.

To try orientation sensor, apt-get install hdapsd hdaps-utils, then use hdaps-gl.
Add this to /etc/modprobe.d/options to correct orientation.

#Hdaps Orientation
options hdaps invert=3
options hdaps_ec invert=3

SCRIPT TO ROTATE SCREEN, ACPI SWIVEL EVENTS AND TABLET BUTTONS


I have put this script in /usr/local/bin/rotatetablet (it is based on a script by Saikat Guha found here). It rotates the screen, rotates the stylus, swaps the tablet page down/up keys, and deactivates Compiz if it is active (because Compiz freezes with xrandr)*. Arguments are [left|right|inverted|normal], or empty for the next orientation.

#!/bin/bash

#STATUS_FILE=~/.rotate-status
STATUS_FILE=/tmp/.rotate-status

################## Compiz Prevention
function compiz_on {
   USER=`ps -ef |grep metacity |grep -v grep|awk -F" " '{print $1}'`
   #if [ "$(pidof metacity)" ]
   if [ "$USER" ]
   then
      echo 'Activating Compiz...'
      #DISPLAY=":0.0" sudo -H -u $USER /usr/bin/compiz --replace &
      #DISPLAY=":0.0" sudo -H -u $USER /usr/bin/emerald --replace &
   fi
}

function compiz_off {
   USER=`ps -ef | grep compiz.real | grep -v grep | awk -F" " '{print $1}'`
   #if [ "$(pidof compiz.real)" ]
   if [ "$USER" ]
   then
      echo 'Compiz Active. Deactivating...'
      DISPLAY=":0.0" sudo -H -u $USER /usr/bin/metacity --replace &
   fi
}
##################################################

######################## Keycodes PgUp/PgDown
function keymap() {
   USER=`who |grep tty7 |awk -F" " '{print $1}'`
   if [ "$USER" ]
   then
      case "$1" in
      1)
         echo 'Modifying xmodmap ...'
         DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 105 = Prior'
         DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 99 = Next'
         ;;
      *)
         echo 'xmodmap normal ...'
         DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 105 = Next'
         DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 99 = Prior'
         ;;
      esac
   fi
}
###############################
function rotate() {

    case "$1" in
        3|right) N=3; T=cw ; compiz_off ; keymap 0 ;;
        1|left) N=1; T=ccw ; compiz_off ; keymap 1 ;;
        2|inverted) N=2; T=half ; compiz_off; keymap 0 ;;
        0|normal) N=0; T=none ; compiz_on ; keymap 0 ;;
        *)
           echo -e "Usage:\n  $(basename $0) [left|right|inverted|normal]";
           echo -e "if no option is given, rotates the screen 90 degrees to the right.\n";

           exit 1
           ;;
    esac

    #xrandr -o $N & 

    #More secure
    if [ "`/usr/bin/xrandr -o $N -v | grep -i 'randr' | wc -l`" -ne "1" ]
    then
        echo '!! Something went wrong...'
        export DISPLAY=":0.0"
        export XAUTHORITY=/var/lib/gdm/:0.Xauth
        #/usr/bin/xset -display $DISPLAY dpms
        echo 'Trying to unrotate again...'
        /usr/bin/xrandr -o $N &
    fi

    xsetwacom set stylus Rotate $T & 
    echo $N > $STATUS_FILE
}

if [ "$#" == "0" ]; then
    rotate $(((3+0$(cat $STATUS_FILE 2>/dev/null))%4))
else
    rotate $1
fi

To download rotatetablet script. (Make it executable with chmod +x )

Then create these 4 files to call it in response to acpi events:

/etc/acpi/events/x41t-swivel-down

# /etc/acpi/events/x41t-swivel-down
# called when tablet head swivels down
event=ibm/hotkey HKEY 00000080 00005009
action=/etc/acpi/x41tsdown.sh

/etc/acpi/events/x41t-swivel-up

# /etc/acpi/events/x41t-swivel-up
# called when tablet head swivels up
event=ibm/hotkey HKEY 00000080 0000500a
action=/etc/acpi/x41tsup.sh

/etc/acpi/x41tsdown.sh (with chmod +x)

#!/bin/sh
#/etc/acpi/x41tsdown.sh

echo 'Rotating Tablet...'
/usr/local/bin/rotatetablet right

/etc/acpi/x41tsup.sh (with chmod +x)

#!/bin/sh
#/etc/acpi/x41tsup.sh

echo 'Unrotating Tablet...'
/usr/local/bin/rotatetablet normal

I use keylaunch (apt-get install keylaunch) to enable tablet buttons. It can be automatically started in Gnome Session programs. First button calls previous rotatetablet script and second one calls cellwriter program for tablets (apt-get install cellwriter) .

In $HOME/.keylaunchrc

key=...XF86RotateWindows:/usr/local/bin/rotatetablet
key=...F21:cellwriter

In $HOME/.Xmodmap

! back and forward browser keys
keycode 234 = F19
keycode 233 = F20

!Thinkpad Tablet Rotate
keycode 203 = XF86RotateWindows
!Thinkpad Tablet Menu
keycode 193 = F21
!Thinkpad Access IBM
keycode 159 = F22
!Thinkpad Tablet Reset
keycode 146 = F23

————-
[*] It’s possible to deactivate the Compiz window manager by default: edit /usr/share/gnome/default.session and replace the line:

0,RestartCommand=gnome-wm --sm-client-id default0

by

0,RestartCommand=gnome-wm --default-wm /usr/bin/metacity --sm-client-id default0

—————

BOOT IN CONSOLE MODE, AND WITH COLORS. [OPTIONAL]


To boot in console mode:

/boot/grub/menu.lst

Add vga=0x317 to the kernel options and remove splash.

kernel   /boot/vmlinuz-2.6.24-19-generic root=... ro quiet vga=0x317 nohz=off 

Then grub-install /dev/sda

In /etc/modprobe.d/blacklist-framebuffer, comment #blacklist vesafb to enable vesa framebuffer.
In /etc/initramfs-tools/modules, add

#Framebuffer modules
fbcon
vesafb

Then update-initramfs.

To activate colors I have made a patch for the file /etc/lsb-base-logging.sh.
Locate the first line shown below and comment out the lines inside the block. Leave it like this:

 if [ "$COL" ] && [ -x "$TPUT" ]; then
        #printf "\r"
        #$TPUT hpa $COL
        #if [ "$1" -eq 0 ]; then
        #    echo "[ OK ]"
        #else
        #    printf '['
        #    $TPUT setaf 1 # red
        #    printf fail
        #    $TPUT op # normal
        #    echo ']'
        #fi

        #PATCH
        COLS=`$TPUT cols`
        if [ -n "$COLS" ]; then
            COL=`$EXPR $COLS - 7`
        else
            COL=73
        fi

        UP=`$TPUT cuu1`
        END=`$TPUT hpa $COL`
        START=`$TPUT hpa 0`
        RED=`$TPUT setaf 1`
        NORMAL=`$TPUT op`
        GREEN=`$TPUT setaf 2`
        if [ $1 -eq 0 ]; then
            echo "$END[${GREEN} OK ${NORMAL}]"
        else
            echo "$END[${RED}fail${NORMAL}]"
        fi
        #END PATCH

 else

To download patched lsb-base-logging.sh

KEYBOARD IN GDM AND SCREEN LOCK


apt-get install cellwriter

GDM

In /etc/gdm/Init/Default, before exit 0, add:

/usr/bin/cellwriter --keyboard-only --read-only --window-y=600 --window-x=200 &

In /etc/gdm/PostLogin/Default, add:

killall -u root cellwriter &

In /etc/gdm/PostSession/Default, before exit 0, add:

sudo killall -u $USER cellwriter

SCREEN LOCK

Edit Gnome Registry with gconf-editor. In apps/gnome-screensaver

embedded_keyboard_command cellwriter --keyboard-only --xid
embedded_keyboard_enabled [TRUE]

SCREENSHOT, LINUX ON THINKPAD X41 TABLET

ubudesk_t.jpg

/*
UPDATE Aug 08
*/

AUTOMATIC SCREEN ORIENTATION (based on HDAPS Orientation Sensor)

Scripts (and instructions) by Dave Clawson

apt-get install libproc-process-perl (To install Perl module Proc::ProcessTree)

Download…
orientation tool: orient
orientation daemon: orientd
rotatetablet script: rotatetablet

The instructions to do this are as such:

1. Place the attached scripts (’orient’ and ‘orientd’) in /usr/local/bin and make them executable
2. Replace /etc/acpi/x41tsup.sh and /etc/acpi/x41tsdown.sh with these new versions and make sure that they’re executable.

/etc/acpi/x41tsdown.sh (with chmod +x)

#!/bin/sh
#/etc/acpi/x41tsdown.sh

#echo 'Rotating Tablet...'
#/usr/local/bin/rotatetablet right

echo 'Starting orientd...'
/usr/local/bin/orientd start

/etc/acpi/x41tsup.sh (with chmod +x)

#!/bin/sh
#/etc/acpi/x41tsup.sh

echo 'Stopping orientd...'
/usr/local/bin/orientd stop 

echo 'Unrotating Tablet...'
/usr/local/bin/rotatetablet normal

3. Put the following line in /etc/rc.local (before the “exit 0” line):

/usr/local/bin/orient reorient

…and that should do it.

NOTE: /usr/local/bin/rotatetablet needs the ‘compiz --replace’ line uncommented if you use compiz.

VMWARE Linux Kernel 2.6.24 and Wireless Bridge

VMware modules do not compile on kernel 2.6.24 (it is not yet supported).

The official patch vmware-any-any-update115, from ftp://platan.vc.cvut.cz/pub/vmware, solves problems with some earlier kernels, but it does not compile on 2.6.24 either.

Peter Teoh has created the unofficial patch vmware-any-any-update-116.tgz, which does compile on 2.6.24 by modifying the vmmon.tar module, taking the previous 115 patch as its base.

But the vmware-any-any-update patches do not support bridged networking with wireless network cards. This can be read in the source of the vmnet.tar module, in smac_linux.x386.c:

KERN_WARNING vmnet: You are trying to use wireless bridged networking together with vmware-any-any-update. This is not supported configuration, and your wireless bridge will probably not work

After investigating a bit, the problem is that this feature is only supported by the vmnet.tar module that ships with the original VMware, which includes the precompiled binaries smac_linux.x386.o_shipped and smac_linux.x86_64.o_shipped that provide it. But the original modules are no use because they do not work on kernel 2.6.24.

After some more investigation, there is a way to make vmware-any-any-update115 support this feature.

The instructions are:

After installing VMware, the original modules are in /usr/local/lib/vmware/modules/source/.

tar xvf vmnet.tar                      # the original vmnet.tar from VMware
mv vmnet.tar vmnet.tar_orig
mv vmnet-only vmnet-only_orig
tar xvf vmnet.tar                      # the vmnet.tar from vmware-any-any-update-115
mv vmnet.tar vmnet.tar_115
rm vmnet-only/smac_linux.x386.c
rm vmnet-only/smac_linux.x86_64.c
cp vmnet-only_orig/smac* vmnet-only    # copy the smac binaries and headers
tar ccfs vmnet.tar vmnet-only

This generates the new vmnet.tar with wireless support. With the modified vmmon.tar from 116, we can then regenerate vmware-any-any-update115 with support for kernel 2.6.24 and wireless bridging.

It can be downloaded here: vmware-any-any-update-115-K2.6.24-WirelessBridge.tar.gz

Other considerations when installing VMware on new kernels:

nohz=off // kernel option in grub/menu.lst, to disable tickless
/etc/init.d/mountdevsubfs.sh // uncomment #Magic to make /proc/bus/usb work

Tested with Vmware Workstation 6.02, Ubuntu 8.04 (Hardy)

bz.otsoa.net
