btw, do you know this trick about going to http://<CAMERA_IP>:10081/OwnUserInfo.txt ?
Sure, but it isn't really helpful as the HANKVISION user doesn't seem to work (which, in a security context, is good).
Yesterday I gained access via UART to the camera. Unfortunately the root file system is read-only and so seems the Server.tar.gz which seems to hold the /etc/passwd file, so it is not easily possible to change the root password. I browsed through the folders and files and also found the encrypted / hashed root password:
root:$1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.:0:0::/root:/bin/sh/etc
The hash shows up in a Google search, but it seems no one has found the password yet.
I also found out that you can run custom commands that you put into a file called debug_run.sh - the file needs to be placed on a FAT32 formatted SD card. Somehow after executing the commands in debug_run.sh the bootup script seems to stop, so maybe there needs to be some addition to the debug_run.sh like an exit code or similar in order to let the bootup script do the rest of its job. You can also put some binaries on it and let the script execute them, like dropbear (SSH daemon, I got it from here: https://github.com/ant-thomas/zsgx1hacks), but it still needs the root password to connect via SSH.
If you want to try it for yourself, here are some pictures and a description of the UART port. Just use some USB-to-UART dongle and connect accordingly. I used PuTTY as terminal; you need to set the COM speed in PuTTY to 115200. When closing the camera up please watch out for the insulation rubber that lines the camera on the inside. Fit it into the spacing that surrounds the camera casing, so that when closing the camera the insulation rubber will seal the inside from water.
Don't forget to disconnect both motor cables on the board (to identify them: they both consist of a blue cable and lead to the sides of the camera's casing) so the cam doesn't move around when powering on!
When you power the camera you almost immediately need to hit a key on your keyboard, as otherwise autoboot will take place around 2-3 seconds after powering on. When you have interrupted the boot process by hitting a key you can enter "printenv". Copy the line with "bootargs", then enter "setenv bootargs mem=......" (use the values printenv provided you). Note that you need to remove the = between bootargs and mem. At the end of the bootargs line you need to add "init=/bin/sh". Hit enter and then copy the values behind "bootcmd=", paste it and hit enter.
After a short boot process you are in the shell as root.
In order to have the filesystems mounted etc. you need to enter "/etc/init.d/rcS" which runs the whole bunch of bootup scripts. Then you can browse through the filesystem, where /mnt/flash seems to hold all the interesting stuff.
Here are the values of my camera (could be different from yours!):
bootargs=mem=48M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=sfc:192K(boot),64K(bootargs),1920K(kernel),1408K(rootfs),384K(config),11392K(data),1024K(huiyun)
bootcmd=sf probe 0;sf read 0x41000000 0x40000 0x1E0000;bootm 0x41000000
--> so in order to make it boot to a root shell (remember, could be different from yours!):
1. setenv bootargs mem=48M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=sfc:192K(boot),64K(bootargs),1920K(kernel),1408K(rootfs),384K(config),11392K(data),1024K(huiyun) init=/bin/sh
2. sf probe 0;sf read 0x41000000 0x40000 0x1E0000;bootm 0x41000000
3. (after a short boot) /etc/init.d/rcS
An example for the whole process is here, but please use the values "printenv" provides you and not the ones in the example:
https://sergei.nz/ildvr-inc-mh40d06-or-hacking-cheap-chinese-camera/
Motor cables (disconnect before powering on!)
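To make sense of the bootargs/bootcmd values quoted above, here is an added example (not the poster's code) that parses the mtdparts= flash layout from the post, works out each partition's offset, and checks that the `sf read` in bootcmd covers exactly the kernel partition and that root=/dev/mtdblock3 names the rootfs. The constants are the values from the post; the function names are my own.

```python
import re

# U-Boot environment values quoted in the post (this particular camera).
BOOTARGS = ("mem=48M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs "
            "mtdparts=sfc:192K(boot),64K(bootargs),1920K(kernel),1408K(rootfs),"
            "384K(config),11392K(data),1024K(huiyun)")
BOOTCMD = "sf probe 0;sf read 0x41000000 0x40000 0x1E0000;bootm 0x41000000"

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
PART_RE = re.compile(r"(\d+)([KMG]?)\((\w+)\)")


def parse_mtdparts(bootargs):
    """Return [(name, offset, size), ...] for the mtdparts= option, in flash order.
    Partitions are laid out back to back, so each offset is the running sum of sizes."""
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= option in bootargs")
    parts, offset = [], 0
    for size_s, unit, name in PART_RE.findall(m.group(2)):
        size = int(size_s) * UNITS[unit]
        parts.append((name, offset, size))
        offset += size
    return parts


def parse_sf_read(bootcmd):
    """Return (flash_offset, length) from 'sf read <ram_addr> <flash_off> <len>'."""
    m = re.search(r"sf read\s+0x[0-9a-fA-F]+\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)", bootcmd)
    if not m:
        raise ValueError("no sf read in bootcmd")
    return int(m.group(1), 16), int(m.group(2), 16)


def kernel_read_matches(bootargs, bootcmd):
    """True if bootcmd reads exactly the partition named 'kernel' into RAM."""
    layout = {name: (off, size) for name, off, size in parse_mtdparts(bootargs)}
    return layout["kernel"] == parse_sf_read(bootcmd)


def root_partition(bootargs):
    """Name of the mtdparts entry that root=/dev/mtdblockN points at."""
    n = int(re.search(r"root=/dev/mtdblock(\d+)", bootargs).group(1))
    return parse_mtdparts(bootargs)[n][0]


if __name__ == "__main__":
    for name, off, size in parse_mtdparts(BOOTARGS):
        print(f"{name:<9} offset=0x{off:06X} size=0x{size:06X}")
    print("kernel read matches:", kernel_read_matches(BOOTARGS, BOOTCMD))
    print("root partition:", root_partition(BOOTARGS))
```

Running it shows the kernel partition sitting at 0x40000 with length 0x1E0000, which is exactly what bootcmd reads, and that the whole mtdparts list adds up to a 16 MiB SPI flash.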