Hacking IP-Camera Digoo BB-M2 – Part 3 – Getting root access


After getting access to the serial interface of the IP-Camera the next step is to get a root shell.


By pressing any key during the start-up of the IP-Camera it is possible to get into U-Boot.
Here the bootargs can be extended to bring up a shell with “init=/bin/sh”.
After the adjustment of the boot arguments the Linux operating system should be started with “boot”.

isvp# setenv bootargs 'console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 rmem=20M@0x2C00000 init/linuxrc rootfstype=squashfs init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2176k(kernel),3584k(rootfs),2176k(system) init=/bin/sh'
isvp# boot

After the successful boot up a root shell should be prompted.

/ # whoami
root

With the root shell it is possible to print out the “/etc/passwd” file with the hashed root password.

/ # cat /etc/passwd 
root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Structure of the /etc/passwd file
Theoretically it would be possible to compare rainbow tables with the hashed password of the “/etc/passwd”.
But at the moment it did not worked.

  • root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
  • Name:Password:User-ID:Group-ID:Comment:Directory:Shell
  • Furthermore the available busybox commands could be listed.
    Now the IP-Camera operating system could be analyzed.

    / # busybox 
    BusyBox v1.22.1 (2014-05-13 08:27:59 CST) multi-call binary.
    BusyBox is copyrighted by many authors between 1998-2012.
    Licensed under GPLv2. See source distribution for detailed
    copyright notices.
    
    Usage: busybox [function [arguments]...]
       or: busybox --list[-full]
       or: busybox --install [-s] [DIR]
       or: function [arguments]...
    
            BusyBox is a multi-call binary that combines many common Unix
            utilities into a single executable.  Most people will create a
            link to busybox for each function they wish to use and BusyBox
            will act like whatever it was invoked as.
    
    Currently defined functions:
            [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash,
            awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl,
            bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod,
            chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm,
            conspy, cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd,
            deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
            dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
            dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake,
            expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
            fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk,
            fsck, fsck.minix, fstrim, fsync, ftpd, ftpget, ftpput, fuser, getopt,
            getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump,
            hostid, hostname, httpd, hush, hwclock, id, ifconfig, ifdown,
            ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice, iostat,
            ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel,
            kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64,
            linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread,
            losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat,
            lzma, lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg,
            microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix,
            mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more,
            mount, mountpoint, mpstat, mt, mv, nameif, nanddump, nandwrite,
            nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
            openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress,
            pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv,
            printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev,
            readahead, readlink, readprofile, realpath, reboot, reformime,
            remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm,
            rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script,
            scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont,
            setkeycodes, setlogcons, setserial, setsid, setuidgid, sh, sha1sum,
            sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap,
            softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
            sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl,
            syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
            tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true,
            tty, ttysize, tunctl, ubiattach, ubidetach, ubimkvol, ubirmvol,
            ubirsvol, ubiupdatevol, udhcpc, udhcpd, udpsvd, umount, uname,
            unexpand, uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users,
            usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch,
            watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes,
            zcat, zcip
    
    19 comments on “Hacking IP-Camera Digoo BB-M2 – Part 3 – Getting root access
    1. YGator says:

      I’ve tried passwords of length 0 to 5. My computer is not fast enough to try further as it says it will take ~42 days just to try passwords of length 6. Are you getting anywhere with it?

    2. Matthias Niedermaier Matthias Niedermaier says:

      I am running “John the Ripper” on a dual core since about a week. No results at the moment. The system has limited power and reaches 5886p/s 5886c/s 5886C/s with 4 forks. I think the chance to get a hit is pretty low, but i will post the results if it will succeed.

    3. Marco says:

      Hi Matthias

      Which keyspace are you trying? With hashcat I quickly tried 1-9 digits, 1-6 lower, 1-6 uppercase and “common” tried passwords from https://www.honeynet.org/node/1328 without luck.

    4. Matthias Niedermaier Matthias Niedermaier says:

      Quick tests and standard logins did not succeed.
      At the moment I am testing with john the ripper incremental mode up to 8 characters.. still about 3 weeks left to complete and no results at this time..

    5. Marco says:

      I’m afraid without powerful friends/luck this hash won’t be cracked.
      7/8 lowercase no results either, 9 lower would take a month with my aging GPU already.. mixed is right out.

    6. Andrei Klaptsov says:

      I’ve tried a wordlist from crackstation.net with John, also without luck.

    7. I got another clone of this webcam. It has the same root password and the ftp telnet trick worked to get root access.

      Played around a bit with it, it seem it uses udp pin hole to open the traffic.

      https://harrygonzalez.me/vz1-hacking/

    8. Andrei Klaptsov says:

      Well, that’s interesting! Will check this tomorrow. Thank you for pointing to the article!

    9. Marco says:

      with telnet access, /system/init/ipcam.sh can be modified for startup scripts, e.g. add “sleep 30 && sh /mnt/startup.sh &” to call a script named startup.sh which resides on the sd card. Helps avoiding boot loops, removing the sd card fixes any fckup. Another goodie, ftp server can be started via “tcpsvd -vE 0.0.0.0 21 ftpd / &”

    10. Alexey Polyakov says:

      Trick with ftp script injection works well for temporary root access.
      Hawe the same camera, still trying to bruteforce it, but it’s seem to be more simple to dump firmware and repack it.

    11. geert says:

      If serial root access is possible then there must be a way to change the root password either via passwd or by creating a known one off-line and editing the /etc/passwd file. Unless of course /etc/passwd is not writable. That I do not know. Has anyone looked at the BB-M1?

    12. Guys, why you would like to do things in a most complicated way? To get a root access, follow these steps:

      1) go to website console of your camera with your username and password
      2) go to Alarm Service Settings / Ftp Service Settings
      3) as FTP server put: $(killall telnetd)
      4) as username put: $(telnetd -l /bin/sh)
      5) click Set up button, then click on Test button, in new window you should get error message (that’s ok)
      6) since now you have got root access via telnet, so just run telnet (port 23) to IP of your camera (LAN IP) and… that’s it

      Screenshot here – https://ctrlv.cz/99bU

    13. Miky says:

      Hi my friend,

      I have this camera, and from one momment to other it stops working. So i tryed to connect the serial port with success and see that the camera boots automatically.

      I stop the boot process and tryed to erase all memory and send a new firmware…my bad… now the camera doesn’t boot, i think the bootloader is missing…

      Could you help me? Any ideia to send the bootloader/firmware using the SD card, the serial port or any othe way?

      Thanks and regards

    14. alex says:

      I have an Digoo M1Q IP camera, who is like yoosee and others, after upgrade via wifi, that not work anymore, it seems boot loader/firmware is broken; on USB is not recognized.
      Have you any tips or idea how to put again the firmware on it ?
      Thank you !

    15. hhrhhr says:

      $1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0 = md5(“ybdHbPDn” + “hslwificam”)

    16. George says:

      Hi nice work. I would like to as if possible a firmware dump of a working one BB-M2 as mine seems to be corrupted and want to write it back… any help would be appreciated.thanks!

    17. Flashy says:

      hhrhhr: you are a true hero, thanks!

      and if anybody knows the root password of the BB-M1, please tell us that also.

    18. Hans Peter says:

      i have a cam with nearly the same hardware:

      / # cat /etc/passwd
      root:Sm.hequiv6Pwk:0:0::/root:/bin/sh

      it is one of these china cams for 20 euros 😉

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    *

    sixteen − nine =