EliasKotlyar / Xiaomi-Dafang-Hacks


Szsinocam SN-IPC-5542SW #947

Closed NazarSurm closed 5 years ago

NazarSurm commented 5 years ago

I got this camera and the motion detection on it does not record files to the SD card. The motion detection works and triggers an encode event, but never writes motion detected files to the SD card. Manual and scheduled recording works fine, so I assume this is sort of a bug in the firmware for this camera. I found this project and by looking at my camera I have determined it is an Ingenic T20 MIPS device.

I do not have serial access at this time, but I've located the trace points on the board and ordered a USB adapter + pin headers. In the meantime, I've been trying to get shell access through other means, without success.

The following ports/services are running on it:

- 80 - (sending a GET request to this returns an error from the thttpd 2.25b 29dec2003 webserver) - works as intended
- 443 - https - works as intended
- 554 - rtsp - works as intended
- 9999 - abyss (connecting with a web browser to this port shows a "[Error] Failure of authentication" page, so it does look like it's running a secondary webserver?)
- 12345 - Port is open, but I don't think anything is running.

The camera does not have telnet or ssh running. I've tried getting shell access through ping command injection in the web UI, but they have some sort of sanitization that doesn't let you append commands or a line break, which was really surprising.

Zip archive is attached with the firmware upgrade .tgz as it comes from the manufacturer. I've upgraded my camera to this firmware. The firmware comes as a tgz from the manufacturer, but I wasn't able to extract it through normal means. Using binwalk on T20.fisheye_ap.DANALE.htaf.zh.201812041.IPC.tgz let me partially get some of the data. I was able to extract a squashfs file system. A few interesting things in there, but I couldn't figure out any way to do much with it. There is also some sort of upgrader tool called "upTools" in lzma compressed data that seems to be responsible for the upgrade process.

I also had an idea of adding my own .asp file in the web folder with a page letting me run shell commands, but I'm not sure how to repackage firmware for this camera since it's packaged in such an unusual way.

Appreciate any advice/questions

Attachments:

- T20.fisheye_ap.DANALE.htaf.zh.201812041.IPC.zip
- img_20190221_171635
- img_20190221_171811
- img_20190221_171840

NazarSurm commented 5 years ago

The file system for this camera's firmware:

squashfs-root.zip

bin/lzbox has a list of functions, including fn_telnet, which starts telnet on port 24, and fn_ffw, which seems to be responsible for the firmware upgrade process the camera uses. I have a few older versions of the camera's firmware and noticed that while I could upgrade the firmware on the camera, I could never downgrade to a lower version. The timestamp checks in fn_ffw explain that.

There's also some possibly interesting stuff in etc/auto_run.sh, including some checks on the SD card (/opt/media/mmcblk0p1/) for a file called force_dbg.txt. This might be a way to enable some sort of factory debug mode, but I'm not really sure what it's expecting.

NazarSurm commented 5 years ago

Got a TTL hooked up to it. The data sheet for the board here shows which pins are the interface: 5ba1a95a1a4701.06317608.pdf

Here's a bootlog: putty.log

We can pause U-Boot with any key and do printenv to get an echo of the environment settings, output below.

```
T20# printenv
baudrate=115200
bootargs=console=ttyS1,115200n8 mem=38M@0x0 ispmem=8M@0x2600000 rmem=18M@0x2E00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock3 flash=SF sensor=JXF22 maxheight=1080 device_id=30104635015 ethaddr=00:88:01:46:B9:87 devinfo=jcoxa201408217u140a2b0aa47d951f13fb661d6ec3f8cb21n9258qc cpu=T20 ddr=64M mtdparts=jz_sfc:256K@0K(sf-bootloader),32K@256K(sf-bootenv),1472K@288K(sf-kernel),1152K@1760K(sf-rootfs),4576K@2912K(sf-ipcfs),704K@7488K(sf-miscfs)
bootcmd=sf probe;sf read 0x80600000 0x48000 0x280000; bootm 0x80600000
bootdelay=1
device_id=30104635015
devinfo=jcoxa201408217u140a2b0aa47d951f13fb661d6ec3f8cb21n9258qc
ethact=Jz4775-9161
ethaddr=00:88:01:46:B9:87
gatewayip=192.168.2.1
ipaddr=192.168.2.84
loads_echo=1
netmask=255.255.255.0
serverip=192.168.2.81
stderr=serial
stdin=serial
stdout=serial

Environment size: 856/32764 bytes
T20#
```

If we add an init=bin/sh we can spawn a root shell.

I can't change the root password since that's read only, but I got the encrypted hash for it. I tried running it through hashcat / johntheripper with word lists / brute force and wasn't able to get anything after a few hours. I suspect, though can't confirm, this is because the password is "secure". My suspicion comes from the fact that when I do a passwd from my root shell and try to change the password, it won't even attempt a write unless the password meets the following criteria: at least 8 characters, and it must contain at least 1 lowercase, 1 uppercase, and 1 numerical character.

The hash is `root:xS9s/ZAwVmkig:0:0:root:/root:/bin/sh` if anyone wants to try cracking it so I can get root access over telnet.

Also, when I am in the root shell that I spawn, there is nothing in /proc/mtd, so I'm not sure how I'd go about dumping the firmware.

If the firmware could be dumped, I suppose the passwd file could be modified to set our own root password, and then reflash it.

Any guidance on how to proceed?

NazarSurm commented 5 years ago

Cracked the root password with hashcat and some guessing on the word mask.

```
xS9s/ZAwVmkig:jco66688

Session..........: 2019-02-28
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: xS9s/ZAwVmkig
Time.Started.....: Thu Feb 28 21:11:57 2019 (9 mins, 1 sec)
Time.Estimated...: Thu Feb 28 21:20:58 2019 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?u?d?l, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 838.3 MH/s (5.87ms) @ Accel:1 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 455154524160/218340105584896 (0.21%)
Rejected.........: 0/455154524160 (0.00%)
Restore.Point....: 1909760/916132832 (0.21%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1024 Iteration:0-1024
Candidates.#1....: sarIonon -> 6bc46169
Hardware.Mon.#1..: Temp: 82c Fan: 91% Util: 95% Core:1860MHz Mem:4513MHz Bus:16

Started: Thu Feb 28 21:11:53 2019
Stopped: Thu Feb 28 21:20:59 2019
```

EliasKotlyar commented 5 years ago

Hello @NazarSurm ,

According to the information which you have provided, your camera has a T20 with 64MB RAM (according to the bootline). First, please try to make a backup of your device's full firmware for the recovery case. Afterwards, you can try flashing the dafang_64mb_v1.bin bootloader into it. Here is a tutorial: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/flashinguboot.md After you have flashed a custom bootloader, it will allow you to boot the rootfs: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/install_sdcard.md

Attention: It may brick your device, so be prepared for that case. You can restore the flash using a Raspi or a Ch341.
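Before backing up the flash partition by partition, it helps to turn the `mtdparts=` string from the printenv output above into byte offsets and confirm the layout has no gaps. The helper below is added here and is not code from this thread or from the Xiaomi-Dafang-Hacks project; the 8MB total flash size is inferred from the partition table summing to 8192K, not stated by anyone in the thread.

```python
import re

# Constructed input: the mtdparts value copied from the U-Boot printenv above.
MTDPARTS = ("jz_sfc:256K@0K(sf-bootloader),32K@256K(sf-bootenv),"
            "1472K@288K(sf-kernel),1152K@1760K(sf-rootfs),"
            "4576K@2912K(sf-ipcfs),704K@7488K(sf-miscfs)")

# Assumption: SPI flash is 8MB, because the six partitions sum to exactly 8192K.
FLASH_SIZE = 8 * 1024 * 1024

_UNITS = {"": 1, "K": 1024, "M": 1024 * 1024, "G": 1024 ** 3}
_PART_RE = re.compile(r"^(\d+)([KMG]?)@(\d+)([KMG]?)\(([^)]*)\)$")


def parse_mtdparts(spec):
    """Parse 'dev:size@offset(name),...' into (device, [{name, offset, size}]) in bytes."""
    device, _, parts = spec.partition(":")
    layout = []
    for item in parts.split(","):
        m = _PART_RE.match(item.strip())
        if not m:
            raise ValueError("unrecognised partition spec: %r" % item)
        size = int(m.group(1)) * _UNITS[m.group(2)]
        offset = int(m.group(3)) * _UNITS[m.group(4)]
        layout.append({"name": m.group(5), "offset": offset, "size": size})
    return device, layout


def check_layout(layout, flash_size):
    """True if partitions are back-to-back (no gap, no overlap) and fill the flash."""
    expected = 0
    for p in layout:
        if p["offset"] != expected:
            return False
        expected += p["size"]
    return expected == flash_size


def partition_at(layout, offset):
    """Name of the partition containing a flash offset, e.g. the one bootcmd reads."""
    for p in layout:
        if p["offset"] <= offset < p["offset"] + p["size"]:
            return p["name"]
    return None


if __name__ == "__main__":
    dev, layout = parse_mtdparts(MTDPARTS)
    print(dev, "layout ok:", check_layout(layout, FLASH_SIZE))
    for p in layout:
        print("%-14s offset=0x%06X size=0x%06X" % (p["name"], p["offset"], p["size"]))
    print("bootcmd reads from:", partition_at(layout, 0x48000))
```

The 0x48000 that bootcmd passes to `sf read` resolves to the start of sf-kernel, which is a quick sanity check that the parsed offsets match what the bootloader actually uses.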

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.