Hacking IP Camera Coolcam NIP-09 NIP-02

Info about this ipcam:

Firmware: 81.2.0.142
Web UI: 19.2.1.2.17

Photo: cam.jpg

On Board:

CPU: Ralink RT5350F
Flash: YD7815K130719 81.2.0.133
Printed: NIP02 & 090 _M V4 , Jun 26 2013
JTAG header: below the CPU board

Nmap:

PORT     STATE SERVICE
23/tcp   open  telnet
81/tcp   open  unknown
8600/tcp open  asterix
MAC Address: 00:6E:06:1D:2C:8C (Unknown)

The telnet password is not known at this point.

Examining the firmware with binwalk:

binwalk 81.2.0.142.bin
DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------
36        	0x24      	Zip archive data, at least v1.0 to extract, name: "system/"  
101       	0x65      	Zip archive data, at least v1.0 to extract, name: "system/www/"  
170       	0xAA      	Zip archive data, at least v1.0 to extract, name: "system/system/"  
242       	0xF2      	Zip archive data, at least v1.0 to extract, name: "system/system/bin/"  
318       	0x13E     	Zip archive data, at least v2.0 to extract, compressed size: 24737, uncompressed size: 106032, name: "system/system/bin/daemon.v5.5"  
25142     	0x6236    	Zip archive data, at least v2.0 to extract, compressed size: 246060, uncompressed size: 794720, name: "system/system/bin/encoder"  
271285    	0x423B5   	Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"  
274479    	0x4302F   	Zip archive data, at least v1.0 to extract, name: "system/system/lib/"  
274555    	0x4307B   	Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"  
274635    	0x430CB   	Zip archive data, at least v1.0 to extract, name: "system/Wireless/"  
274709    	0x43115   	Zip archive data, at least v1.0 to extract, name: "system/init/"  
274779    	0x4315B   	Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"  
276040    	0x43648   	End of Zip archive 

So we can carve the zip archive out of the image with dd (skipping the 36-byte header binwalk reported):

dd bs=1 skip=36  if=81.2.0.142.bin of=image.zip
unzip image.zip
   creating: system/
   creating: system/www/
   creating: system/system/
   creating: system/system/bin/
  inflating: system/system/bin/daemon.v5.5  
  inflating: system/system/bin/encoder  
  inflating: system/system/bin/gmail_thread  
   creating: system/system/lib/
   creating: system/system/drivers/
   creating: system/Wireless/
   creating: system/init/
  inflating: system/init/ipcam.sh

I don’t know what gmail_thread is, but it’s suspicious. encoder seems to be the main program of the IP camera, and daemon.v5.5 contains interesting information: examining it with a hex editor, we can find a hashed password for root. Specifically:

/etc/passwd.wb
root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh

If we run John the Ripper on it to crack the hash, the answer is immediate: 123456, and this is the telnet password for user root.
We are inside.
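As an added example (not part of the original post), the following Python script automates the two steps above: it locates the zip archive inside the firmware image (the value passed to dd skip=) and then scans every extracted file for passwd-style entries carrying a real hash, which is the hardcoded-credential check a firmware audit should run. The firmware blob is constructed inline to mimic the layout binwalk reported; it is not the camera's real image.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# crypt(3) DES hashes are 13 chars of [./0-9A-Za-z]; $1$/$5$/$6$ covers MD5/SHA crypt.
PASSWD_RE = re.compile(
    rb"([a-z_][a-z0-9_-]*):([./0-9A-Za-z]{13}|\$[156]\$[^:\x00\n]+):(\d+):(\d+):"
)

def build_sample_firmware() -> bytes:
    """Constructed sample (not the real firmware): 36 bytes of header, then a zip
    archive with a binary that embeds the passwd line quoted in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system/system/bin/daemon.v5.5",
                    b"\x00binary junk\x00/etc/passwd.wb\x00"
                    b"root:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh\n\x00")
        zf.writestr("system/init/ipcam.sh", b"#!/bin/sh\n./encoder &\n")
    return b"\x01\x02" * 18 + buf.getvalue()

def find_zip_offset(blob: bytes) -> int:
    """Offset of the first zip local file header (the dd skip= value), or -1."""
    return blob.find(ZIP_LOCAL_HEADER)

def carve_zip(blob: bytes) -> zipfile.ZipFile:
    """Equivalent of 'dd skip=<offset>' followed by unzip, kept in memory."""
    off = find_zip_offset(blob)
    if off < 0:
        raise ValueError("no zip signature found in image")
    return zipfile.ZipFile(io.BytesIO(blob[off:]))

def find_hardcoded_hashes(zf: zipfile.ZipFile) -> list:
    """Scan every file in the archive for passwd-style lines carrying a real hash.
    Returns (archive path, user, hash, uid) tuples; uid 0 means a root account."""
    hits = []
    for name in zf.namelist():
        if name.endswith("/"):          # directory entries have no content
            continue
        for m in PASSWD_RE.finditer(zf.read(name)):
            hits.append((name, m.group(1).decode(), m.group(2).decode(), int(m.group(3))))
    return hits

if __name__ == "__main__":
    fw = build_sample_firmware()
    print("zip archive starts at offset", find_zip_offset(fw))
    for path, user, h, uid in find_hardcoded_hashes(carve_zip(fw)):
        print(f"{path}: user={user} uid={uid} hash={h}")
```

Run against a real image, any hit with uid 0 and a 13-character DES hash is a finding on its own: DES crypt is cheap to brute-force, so the account should be treated as exposed regardless of what the password turns out to be.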

UPDATE:

Connected to JTAG

Photos: JTAG, Board, Bus Pirate

Booting

boot.txt

UPDATE 2:

After installing the Ralink SDK and a toolchain(*) for cross-compiling on Debian 7, I managed to build some binaries for the camera:

hello    - Hello World program
dbclient - Dropbear SSH client
dropbear - Dropbear SSH server

An easy way to upload files to the camera is through telnet: the camera ships an FTP client at /system/system/bin/. After setting up an external FTP server, you can connect to it with

./ftp -n IP Port

Inside the FTP session, log in with the ‘user’ command, set the transfer mode to ‘binary’, and use ‘put’ and ‘get’ to upload and download files.

(*) I found the appropriate toolchain for Ralink in this git repository:

git clone git://gitorious.org/asusn56u/asusn56u.git

Only the toolchain folder is needed. The Ralink SDK 4 itself, required for the RT5350 SoC, can be downloaded from https://github.com/stevenylai/ralink_sdk.
