Info about this ipcam:
Firmware: 81.2.0.142
Web UI: 19.2.1.2.17
On Board:
CPU: Ralink RT5350F
Flash: YD7815K130719 81.2.0.133
Printed: NIP02 & 090 _M V4 , Jun 26 2013
JTag, below cpu board, JTAG
Nmap:
PORT STATE SERVICE
23/tcp open telnet
81/tcp open unknown
8600/tcp open asterix
MAC Address: 00:6E:06:1D:2C:8C (Unknown)
Telnet password is secret.
Examining the firmware with binwalk:
binwalk 81.2.0.142.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
36 0x24 Zip archive data, at least v1.0 to extract, name: "system/"
101 0x65 Zip archive data, at least v1.0 to extract, name: "system/www/"
170 0xAA Zip archive data, at least v1.0 to extract, name: "system/system/"
242 0xF2 Zip archive data, at least v1.0 to extract, name: "system/system/bin/"
318 0x13E Zip archive data, at least v2.0 to extract, compressed size: 24737, uncompressed size: 106032, name: "system/system/bin/daemon.v5.5"
25142 0x6236 Zip archive data, at least v2.0 to extract, compressed size: 246060, uncompressed size: 794720, name: "system/system/bin/encoder"
271285 0x423B5 Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"
274479 0x4302F Zip archive data, at least v1.0 to extract, name: "system/system/lib/"
274555 0x4307B Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"
274635 0x430CB Zip archive data, at least v1.0 to extract, name: "system/Wireless/"
274709 0x43115 Zip archive data, at least v1.0 to extract, name: "system/init/"
274779 0x4315B Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"
276040 0x43648 End of Zip archive
So, we can extract an image with dd:
dd bs=1 skip=36 if=81.2.0.142.bin of=image.zip
unzip image.zip
creating: system/
creating: system/www/
creating: system/system/
creating: system/system/bin/
inflating: system/system/bin/daemon.v5.5
inflating: system/system/bin/encoder
inflating: system/system/bin/gmail_thread
creating: system/system/lib/
creating: system/system/drivers/
creating: system/Wireless/
creating: system/init/
inflating: system/init/ipcam.sh
I don’t know what gmail_thread is, but it’s suspicious. Encoder seems to be the main program of the IP camera, and daemon.v5.5 contains interesting information. If we examine it with a hex editor we can find a hashed password for root. Specifically:
/etc/passwd.wb
root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh
If we run John the Ripper against this hash, it is cracked immediately: 123456, and this is the password for telnet with user root.
We are inside.
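The same carve-and-search steps written as a firmware audit script (an added example, not part of the original post): it finds the ZIP payload the way binwalk and dd do above, then reports passwd-style records embedded in any extracted file. The image built by build_sample_image() is constructed for the example, and all function and field names are this example's own.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature binwalk reports as "Zip archive data"
# passwd(5)-style record embedded in a binary: name:hash:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([./0-9A-Za-z$]{13,}):(\d+):(\d+)"
    rb":([^:\x00\n]*):([^:\x00\n]*):([^:\x00\n]*)")

def carve_zip(firmware):
    """Return (offset, bytes from the first ZIP local header on), like dd skip=N."""
    offset = firmware.find(ZIP_LOCAL_HEADER)
    if offset < 0:
        raise ValueError("no ZIP local file header in image")
    return offset, firmware[offset:]

def hash_scheme(pw_hash):
    """Classify the hash so weak legacy schemes stand out in the report."""
    if pw_hash.startswith("$"):
        return "modular crypt"
    return "traditional DES crypt" if len(pw_hash) == 13 else "unknown"

def audit_firmware(firmware):
    """List every passwd-style account baked into any file of the archive."""
    offset, blob = carve_zip(firmware)
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            for m in PASSWD_RE.finditer(archive.read(member)):
                pw_hash = m.group(2).decode()
                findings.append({"file": member.filename, "user": m.group(1).decode(),
                                 "uid": int(m.group(3)), "hash": pw_hash,
                                 "scheme": hash_scheme(pw_hash),
                                 "shell": m.group(7).decode("ascii", "replace")})
    return offset, findings

def build_sample_image():
    """Constructed stand-in for 81.2.0.142.bin: 36-byte header, then a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("system/init/ipcam.sh", "#!/bin/sh\n")
        z.writestr("system/system/bin/daemon.v5.5",
                   b"\x7fELF" + b"\x00" * 32 + b"/etc/passwd.wb\x00"
                   b"root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh\n\x00")
    return b"H" * 36 + buf.getvalue()

if __name__ == "__main__":
    off, accounts = audit_firmware(build_sample_image())
    print("ZIP payload starts at offset", off)
    for account in accounts:
        print(account)
```

A uid 0 account with a login shell and a 13-character DES crypt hash, as reported here, is the finding that matters for a camera that also exposes telnet.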
UPDATE:
Connected to JTAG
JTAG
Board
Bus Pirate
Booting
boot.txt
UPDATE 2:
After installing the Ralink SDK and a toolchain(*) for cross-compiling on Debian 7 Linux, I’ve managed to build some binaries for the camera:
hello Hello World program
dbclient Dropbear SSH Client
dropbear Dropbear SSH Server
An easy way to upload files to the camera is through telnet. The camera has an FTP client in /system/system/bin/. After setting up an external FTP server, connect to it with the command
./ftp -n IP Port
Inside FTP one must login with ‘user’ command, set transfer mode to ‘binary’, and use ‘put’ and ‘get’ commands to upload files or download.
(*) I’ve found the appropriate toolchain for Ralink in this Git repository:
git clone git://gitorious.org/asusn56u/asusn56u.git
Only the folder toolchain is necessary. About the Ralink SDK 4 itself, required for RT5350 SoC, it is possible to download it from https://github.com/stevenylai/ralink_sdk.
UPDATE Aug 08 AUTOMATIC SCREEN ORIENTATION (based on HDAPS Orientation Sensor)
(See Below).
This document describes the process of configuring Linux, Ubuntu 8.04 Hardy (release 2008), on an IBM ThinkPad X41 Tablet, with my scripts and patches to download.
ENABLE STYLUS
/etc/X11/xorg.conf
#Uncomment if you have a wacom tablet
InputDevice "stylus" "SendCoreEvents"
InputDevice "cursor" "SendCoreEvents"
InputDevice "eraser" "SendCoreEvents"
#InputDevice "Synaptics Touchpad"
apt-get install wacom-tools
To download xorg.conf, for reference.
FINGERPRINT READER AND HDAPS SENSOR
/etc/modules
Add:
#Required for Fingerprint Reader
uinput
#Thinkpad access to the embedded controller. Battery
tp_smapi
#IBM Active Protection System and Orientation Sensor
hdaps_ec
For Fingerprint sensor see How_to_enable_the_fingerprint_reader_with_ThinkFinger and my entry.
To try orientation sensor, apt-get install hdapsd hdaps-utils, then use hdaps-gl.
Add this to /etc/modprobe.d/options to correct orientation.
#Hdaps Orientation
options hdaps invert=3
options hdaps_ec invert=3
SCRIPT TO ROTATE SCREEN, ACPI SWIVEL EVENTS AND TABLET BUTTONS
I have made this script in /usr/local/bin/rotatetablet (it is based on a script by Saikat Guha found here). It rotates the screen, rotates the stylus, changes the tablet page down/up keys, and deactivates Compiz if active (because Compiz freezes with xrandr)*. Arguments are [left|right|inverted|normal] or empty for next.
#!/bin/bash
#STATUS_FILE=~/.rotate-status
STATUS_FILE=/tmp/.rotate-status
################## Compiz Prevention
function compiz_on {
USER=`ps -ef |grep metacity |grep -v grep|awk -F" " '{print $1}'`
#if [ "$(pidof metacity)" ]
if [ "$USER" ]
then
echo 'Activating Compiz...'
#DISPLAY=":0.0" sudo -H -u $USER /usr/bin/compiz --replace &
#DISPLAY=":0.0" sudo -H -u $USER /usr/bin/emerald --replace &
fi
}
function compiz_off {
USER=`ps -ef | grep compiz.real | grep -v grep | awk -F" " '{print $1}'`
#if [ "$(pidof compiz.real)" ]
if [ "$USER" ]
then
echo 'Compiz Active. Deactivating...'
DISPLAY=":0.0" sudo -H -u $USER /usr/bin/metacity --replace &
fi
}
##################################################
######################## Keycodes PgUp/PgDown
function keymap() {
USER=`who |grep tty7 |awk -F" " '{print $1}'`
if [ "$USER" ]
then
case "$1" in
1)
echo 'Modifying xmodmap ...'
DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 105 = Prior'
DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 99 = Next'
;;
*)
echo 'xmodmap normal ...'
DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 105 = Next'
DISPLAY=":0.0" sudo -H -u $USER xmodmap -e 'keycode 99 = Prior'
;;
esac
fi
}
###############################
function rotate() {
case "$1" in
3|right) N=3; T=cw ; compiz_off ; keymap 0 ;;
1|left) N=1; T=ccw ; compiz_off ; keymap 1 ;;
2|inverted) N=2; T=half ; compiz_off; keymap 0 ;;
0|normal) N=0; T=none ; compiz_on ; keymap 0 ;;
*)
echo -e "Usage:\n $(basename $0) [left|right|inverted|normal]";
echo -e "if no option is given, rotates the screen 90 degrees to the right.\n";
exit 1
;;
esac
#xrandr -o $N &
#More secure
if [ "`/usr/bin/xrandr -o $N -v | grep -i 'randr' | wc -l`" -ne "1" ]
then
echo '!! Something went wrong...'
export DISPLAY=":0.0"
export XAUTHORITY=/var/lib/gdm/:0.Xauth
#/usr/bin/xset -display $DISPLAY dpms
echo 'Trying to unrotate again...'
/usr/bin/xrandr -o $N &
fi
xsetwacom set stylus Rotate $T &
echo $N > $STATUS_FILE
}
if [ "$#" == "0" ]; then
rotate $(((3+0$(cat $STATUS_FILE 2>/dev/null))%4))
else
rotate $1
fi
To download rotatetablet script. (Make it executable with chmod +x )
Then create these 4 files to call it in response to acpi events:
/etc/acpi/events/x41t-swivel-down
# /etc/acpi/events/x41t-swivel-down
# called when tablet head swivels down
event=ibm/hotkey HKEY 00000080 00005009
action=/etc/acpi/x41tsdown.sh
/etc/acpi/events/x41t-swivel-up
# /etc/acpi/events/x41t-swivel-up
# called when tablet head swivels up
event=ibm/hotkey HKEY 00000080 0000500a
action=/etc/acpi/x41tsup.sh
/etc/acpi/x41tsdown.sh (with chmod +x)
#!/bin/sh
#/etc/acpi/x41tsdown.sh
echo 'Rotating Tablet...'
/usr/local/bin/rotatetablet right
/etc/acpi/x41tsup.sh (with chmod +x)
#!/bin/sh
#/etc/acpi/x41tsup.sh
echo 'Unrotating Tablet...'
/usr/local/bin/rotatetablet normal
I use keylaunch (apt-get install keylaunch) to enable tablet buttons. It can be automatically started in Gnome Session programs. First button calls previous rotatetablet script and second one calls cellwriter program for tablets (apt-get install cellwriter) .
In $HOME/.keylaunchrc
key=...XF86RotateWindows:/usr/local/bin/rotatetablet
key=...F21:cellwriter
In $HOME/.Xmodmap
! back and forward browser keys
keycode 234 = F19
keycode 233 = F20
!Thinkpad Tablet Rotate
keycode 203 = XF86RotateWindows
!Thinkpad Tablet Menu
keycode 193 = F21
!Thinkpad Access IBM
keycode 159 = F22
!Thinkpad Tablet Reset
keycode 146 = F23
————-
[*] It’s possible to deactivate the Compiz window manager by default: edit /usr/share/gnome/default.session and replace the line:
0,RestartCommand=gnome-wm --sm-client-id default0
by
0,RestartCommand=gnome-wm --default-wm /usr/bin/metacity --sm-client-id default0
—————
BOOT IN CONSOLE MODE, AND WITH COLORS. [OPTIONAL]
To boot in console mode:
/boot/grub/menu.lst
Add vga=0x317 to the kernel options and remove splash.
kernel /boot/vmlinuz-2.6.24-19-generic root=... ro quiet vga=0x317 nohz=off
Then grub-install /dev/sda
In /etc/modprobe.d/blacklist-framebuffer, comment #blacklist vesafb to enable vesa framebuffer.
In /etc/initramfs-tools/modules, add
#Framebuffer modules
fbcon
vesafb
Then update-initramfs.
To activate colors I have made a patch for the file /etc/lsb-base-logging.sh.
Locate the first line below and comment out the lines inside it, leaving it like this:
if [ "$COL" ] && [ -x "$TPUT" ]; then
#printf "\r"
#$TPUT hpa $COL
#if [ "$1" -eq 0 ]; then
# echo "[ OK ]"
#else
# printf '['
# $TPUT setaf 1 # red
# printf fail
# $TPUT op # normal
# echo ']'
#fi
#PATCH
COLS=`$TPUT cols`
if [ -n "$COLS" ]; then
COL=`$EXPR $COLS - 7`
else
COL=73
fi
UP=`$TPUT cuu1`
END=`$TPUT hpa $COL`
START=`$TPUT hpa 0`
RED=`$TPUT setaf 1`
NORMAL=`$TPUT op`
GREEN=`$TPUT setaf 2`
if [ $1 -eq 0 ]; then
echo "$END[${GREEN} OK ${NORMAL}]"
else
echo "$END[${RED}fail${NORMAL}]"
fi
#END PATCH
else
To download patched lsb-base-logging.sh
KEYBOARD IN GDM AND SCREEN LOCK
apt-get install cellwriter
GDM
In /etc/gdm/Init/Default, before exit 0, add:
/usr/bin/cellwriter --keyboard-only --read-only --window-y=600 --window-x=200 &
In /etc/gdm/PostLogin/Default, add:
killall -u root cellwriter &
In /etc/gdm/PostSession/Default, before exit 0, add:
sudo killall -u $USER cellwriter
SCREEN LOCK
Edit Gnome Registry with gconf-editor. In apps/gnome-screensaver
embedded_keyboard_command cellwriter --keyboard-only --xid
embedded_keyboard_enabled [TRUE]
SCREENSHOT, LINUX ON THINKPAD X41 TABLET
/*
UPDATE Aug 08
*/
AUTOMATIC SCREEN ORIENTATION (based on HDAPS Orientation Sensor)
Scripts (and instructions) by Dave Clawson
apt-get install libproc-process-perl (To install Perl module Proc::ProcessTree)
Download…
orientation tool: orient
orientation daemon: orientd
rotatetablet script: rotatetablet
The instructions to do this are as such:
1. Place the attached scripts (‘orient’ and ‘orientd’) in /usr/local/bin and make them executable
2. Substitute /etc/acpi/x41tsup.sh and /etc/acpi/x41tsdown.sh with these new versions and make sure that they’re executable.
/etc/acpi/x41tsdown.sh (with chmod +x)
#!/bin/sh
#/etc/acpi/x41tsdown.sh
#echo 'Rotating Tablet...'
#/usr/local/bin/rotatetablet right
echo 'Starting orientd...'
/usr/local/bin/orientd start
/etc/acpi/x41tsup.sh (with chmod +x)
#!/bin/sh
#/etc/acpi/x41tsup.sh
echo 'Stopping orientd...'
/usr/local/bin/orientd stop
echo 'Unrotating Tablet...'
/usr/local/bin/rotatetablet normal
3. Put the following line in /etc/rc.local (before the “exit 0” line):
/usr/local/bin/orient reorient
…and that should do it.
NOTE: /usr/local/bin/rotatetablet needs the ‘compiz --replace’ line uncommented if you use compiz.
VMWARE Linux Kernel 2.6.24 and Wireless Bridge
VMware modules do not compile on kernel 2.6.24 (it is not yet supported).
The official patch vmware-any-any-update115, from ftp://platan.vc.cvut.cz/pub/vmware, solves problems with some earlier kernels, but it does not compile on 2.6.24.
Peter Teoh has created the unofficial patch vmware-any-any-update-116.tgz, which compiles with 2.6.24 by modifying the module vmmon.tar, based on the previous 115 patch.
But the vmware-any-any-update patches do not support bridged networking with wireless network cards. This can be read in the source of the module vmnet.tar, in smac_linux.x386.c:
KERN_WARNING vmnet: You are trying to use wireless bridged networking together with vmware-any-any-update. This is not supported configuration, and your wireless bridge will probably not work
After investigating a bit, the problem is that this function is only supported by the vmnet.tar module that comes with the original VMware, which includes the precompiled binaries smac_linux.x386.o_shipped and smac_linux.x86_64.o_shipped that support this function. But the original modules are of no use because they do not compile on kernel 2.6.24.
After some more investigation, there is a way to make vmware-any-any-update115 support this function.
The instructions are:
After installing VMware, the original modules are in /usr/local/lib/vmware/modules/source/.
tar xvf vmnet.tar # the original vmnet.tar from VMware
mv vmnet.tar vmnet.tar_orig
mv vmnet-only vmnet-only_orig
tar xvf vmnet.tar # the vmnet.tar from vmware-any-any-update-115
mv vmnet.tar vmnet.tar_115
rm vmnet-only/smac_linux.x386.c
rm vmnet-only/smac_linux.x86_64.c
cp vmnet-only_orig/smac* vmnet-only # copy the smac binaries and headers
tar ccfs vmnet.tar vmnet-only
This generates the new vmnet.tar with wireless support. And with modified vmmon.tar from 116 we can regenerate the vmware-any-any-update115 with support for Kernel 2.6.24 and Wireless Bridge.
It can be downloaded here: vmware-any-any-update-115-K2.6.24-WirelessBridge.tar.gz
Other considerations to install VMware in new kernels:
nohz=off // kernel option in grub/menu.lst to disable tickless
/etc/init.d/mountdevsubfs.sh // uncomment #Magic to make /proc/bus/usb work
Tested with VMware Workstation 6.02, Ubuntu 8.04 (Hardy)