3518 Telnet Passwords

O

osman

n3wb
Jan 2, 2017
14
0
Hi Dear IPCAMTalk'ers,

I am stucked login HI3518 processor ipcam through telnet. I don't have root username and pass. I tried whole possibilities mentioned on google but no help. Does anyone help me how to find root username and password..

Warm Regards!
 
hilo said:
firmware version S2L55M_IMX124_X_5.1.35.2 longse...anybody has any idea?
Click to expand...
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
 
alastairstevenson said:
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
Click to expand...

I'll try to get the copy and will send as soon as will get one.
 
Wh
alastairstevenson said:
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
Click to expand...

When you said "the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password."
are you referring to web-based config of the camera or is it a hardware switch to enable telnet?
 
The program is called TelnetSwitch and it listens on port 787 for any HTTP access, where it pops up a login dialogue that's required to start the telnet daemon.
 
bashis said:
Bypass PoC, by making new pwd and then start telnetd.
Click to expand...
So much for their updated security protection. Dohh - overflow carelessness.
Well done for finding that.
Have you been in contact with Herospeed about this vulnerability? Their firmware is used on quite a few brands of camera.

There is another simple way to permanently disable the Lucky787 security mechanism that you might like to try for fun.
On power-up, the telnet daemon is active for several seconds before TelnetSwitch is started up and kills it.
That gives plenty of time to login over telnet as root with the cracked password from the hash in the published firmware.
Then just 'mv' TelnetSwitch' or replace with your own and it never kills telnetd again.
 
alastairstevenson said:
So much for their updated security protection. Dohh - overflow carelessness.
Well done for finding that.
Have you been in contact with Herospeed about this vulnerability? Their firmware is used on quite a few brands of camera.

There is another simple way to permanently disable the Lucky787 security mechanism that you might like to try for fun.
On power-up, the telnet daemon is active for several seconds before TelnetSwitch is started up and kills it.
That gives plenty of time to login over telnet as root with the cracked password from the hash in the published firmware.
Then just 'mv' TelnetSwitch' or replace with your own and it never kills telnetd again.
Click to expand...

Not reported, you still need the telnet login/pwd to enter.

besides, they can't spell either.

[edit]
# strings /opt/app/bin/TelnetSwitch | grep telneted
killall -9 telneted;telnetd &
killall -9 telneted &
#
 
Wanscam HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P IP Camera

This comes with telnet disabled. I was able to activate telnet, but I do not know the user and the telnet password. I tried several variants, but none is good.
Please if anyone knows the user and password for telnet to HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P.
Has the hi3516c processor
This is firmware from Wanscam HW0041-2 :
 

Attachments

vasycara said:
Please if anyone knows the user and password for telnet to HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P.
Click to expand...
That firmware doesn't have the rootfs or kernel in it, so the telnet password isn't available as far as I can see.
It just looks like there is a debug mode with telnet enabled on port 12990
 
  • Like
Reactions: vasycara
Defolt does not have telnet enabled, with command http://192.168.1.142:8987/cgi-bin/hi3510/printscreenrequest.cgi
telnet is enabled, and next responds in putty on port 23.
With root login
say - login incorrectly - does not wait to get password.
With another login I can put the password, but I tried many pairs without a positive result.
I tried on port 12990 not responding in putty.
 

Attachments

  • wanscam port 23.PNG
    wanscam port 23.PNG
    334.3 KB · Views: 57
  • wanscan-port 12990.PNG
    wanscan-port 12990.PNG
    475.3 KB · Views: 48
No, I do not have any other firmware. I received this firmware from Wanscam and I updated my ip camera with it.
 
You must log in or register to reply here.
Top Bottom