Hacking IP Camera Coolcam NIP-09 NIP-02
Info about this ipcam:
Firmware: 81.2.0.142
Web UI: 19.2.1.2.17
On Board:
CPU: Ralink RT5350F
Flash: YD7815K130719 81.2.0.133
Printed: NIP02 & 090 _M V4 , Jun 26 2013
JTag, below cpu board, JTAG
Nmap:
PORT     STATE SERVICE
23/tcp   open  telnet
81/tcp   open  unknown
8600/tcp open  asterix
MAC Address: 00:6E:06:1D:2C:8C (Unknown)
Telnet password is secret.
Examining the firmware with binwalk:
binwalk 81.2.0.142.bin

DECIMAL    HEX        DESCRIPTION
-------------------------------------------------------------------------------------------------------
36         0x24       Zip archive data, at least v1.0 to extract, name: "system/"
101        0x65       Zip archive data, at least v1.0 to extract, name: "system/www/"
170        0xAA       Zip archive data, at least v1.0 to extract, name: "system/system/"
242        0xF2       Zip archive data, at least v1.0 to extract, name: "system/system/bin/"
318        0x13E      Zip archive data, at least v2.0 to extract, compressed size: 24737, uncompressed size: 106032, name: "system/system/bin/daemon.v5.5"
25142      0x6236     Zip archive data, at least v2.0 to extract, compressed size: 246060, uncompressed size: 794720, name: "system/system/bin/encoder"
271285     0x423B5    Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"
274479     0x4302F    Zip archive data, at least v1.0 to extract, name: "system/system/lib/"
274555     0x4307B    Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"
274635     0x430CB    Zip archive data, at least v1.0 to extract, name: "system/Wireless/"
274709     0x43115    Zip archive data, at least v1.0 to extract, name: "system/init/"
274779     0x4315B    Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"
276040     0x43648    End of Zip archive
The ZIP data starts at offset 36, so we can extract an image with dd, skipping the first 36 bytes:
dd bs=1 skip=36 if=81.2.0.142.bin of=image.zip
unzip image.zip
   creating: system/
   creating: system/www/
   creating: system/system/
   creating: system/system/bin/
  inflating: system/system/bin/daemon.v5.5
  inflating: system/system/bin/encoder
  inflating: system/system/bin/gmail_thread
   creating: system/system/lib/
   creating: system/system/drivers/
   creating: system/Wireless/
   creating: system/init/
  inflating: system/init/ipcam.sh
I don’t know what gmail_thread is, but it’s suspicious. encoder seems to be the main program of the IP camera, and daemon.v5.5 contains interesting information. If we examine it with a hex editor we can find a hashed password for root. Specifically:
/etc/passwd.wb
root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh
If we run John the Ripper on it to crack the hash, the answer is immediate: 123456, and this is the password for telnet with user root.
We are inside.
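The extraction and inspection steps above, written as a firmware audit check (an added example, not code from the original post): it locates the embedded ZIP at the first local file header, as the binwalk output shows, then flags passwd-style records inside the archive members and names the hash scheme. The sample image is constructed inside the script; only the passwd line is taken from the post, and the function names are this example's own.

```python
import io
import re
import zipfile

# passwd(5)-style record: name:hash:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]{0,31}):([./0-9A-Za-z$]{13,128}):(\d+):(\d+)"
    rb":([^:\n\x00]*):([^:\n\x00]*):([^:\n\x00]+)")
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def classify(hash_field):
    """Name the crypt(3) scheme from the shape of the hash field."""
    if hash_field.startswith("$"):
        return CRYPT_IDS.get(hash_field.split("$")[1], "unknown")
    # 13 chars without a '$' prefix: traditional DES crypt
    # (2-char salt, only the first 8 password characters are used)
    return "descrypt" if len(hash_field) == 13 else "unknown"

def audit_firmware(blob):
    """Return (zip_offset, findings) for a ZIP embedded after a vendor header."""
    offset = blob.find(b"PK\x03\x04")  # first ZIP local file header
    if offset < 0:
        raise ValueError("no ZIP local file header found")
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for m in PASSWD_RE.finditer(zf.read(info)):
                user, hash_field, uid = (m.group(i).decode() for i in (1, 2, 3))
                findings.append({"member": info.filename, "user": user,
                                 "uid": int(uid), "scheme": classify(hash_field)})
    return offset, findings

def build_sample_firmware():
    """Constructed stand-in: 36 header bytes, then a ZIP laid out like the post's."""
    passwd = b"/etc/passwd.wb\x00root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh\n\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system/system/bin/daemon.v5.5", b"\x7fELF" + bytes(64) + passwd)
        zf.writestr("system/init/ipcam.sh", b"#!/bin/sh\n")
    return bytes(36) + buf.getvalue()

if __name__ == "__main__":
    offset, findings = audit_firmware(build_sample_firmware())
    print("ZIP starts at byte", offset)
    for finding in findings:
        print(finding)
```

A uid 0 account with a descrypt hash baked into a binary is the finding to report: every device running that firmware shares the credential, and the scheme offers little resistance to offline guessing.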
UPDATE:
Connected to JTAG
Booting
UPDATE 2:
After installing the Ralink SDK and a toolchain (*) for cross-compiling on Debian 7 Linux, I’ve managed to build some binaries for the camera:
hello Hello World program
dbclient Dropbear SSH Client
dropbear Dropbear SSH Server
An easy way to upload files to the camera is through telnet. The camera has an FTP client in the path /system/system/bin/. After setting up an external FTP server, one can connect to it with the command:
./ftp -n IP Port
Inside FTP one must log in with the ‘user’ command, set the transfer mode to ‘binary’, and use the ‘put’ and ‘get’ commands to upload or download files.
(*) I’ve found the appropriate toolchain for Ralink in this Git repository:
git clone git://gitorious.org/asusn56u/asusn56u.git
Only the toolchain folder is necessary. As for the Ralink SDK 4 itself, required for the RT5350 SoC, it can be downloaded from https://github.com/stevenylai/ralink_sdk.