using the cms can be adjusted
telnet port 80
root: $ 6 $ msTRRedr $ e7Fw3JVflNlRZrIbR1f0qlKLpDnbvd4OuyEJEKBIYs04vylb9IrSKUO4Ldg56tdR1Qk5YPUeV / 8PjFLiUFRVM1: 0: 0 :: / root: / bin / sh
but I could not find - not on anything.
probably my native software is not configured because it is necessary to 34567 tcp port forwadring customize or ddns
Posted on 11/26/2017, 20:36: So I poked around and learned this a GM8136 device.
I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.
Following the instructions in the SDK, I was able to crosscompile a full copy of busybox and get it into my / tmp / directory and it works beautifully.
Poking around, I've learned the following:
Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.
So the punchline is that I have root over telnet, but I can not access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.
One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.
Attached files
config.txt(38.08 KB)
Post has been editedxor2003 - 26.11.17, 21:18