3518 Telnet Passwords

osman

n3wb
Joined
Jan 2, 2017
Messages
14
Reaction score
0
Hi Dear IPCAMTalk'ers,

I am stucked login HI3518 processor ipcam through telnet. I don't have root username and pass. I tried whole possibilities mentioned on google but no help. Does anyone help me how to find root username and password..

Warm Regards!
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
Telling us the name/model of camera may help too
 

hilo

n3wb
Joined
Apr 11, 2017
Messages
5
Reaction score
0
firmware version S2L55M_IMX124_X_5.1.35.2 longse...anybody has any idea?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,776
Location
Scotland
firmware version S2L55M_IMX124_X_5.1.35.2 longse...anybody has any idea?
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
 

hilo

n3wb
Joined
Apr 11, 2017
Messages
5
Reaction score
0
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
I'll try to get the copy and will send as soon as will get one.
 

hilo

n3wb
Joined
Apr 11, 2017
Messages
5
Reaction score
0
Wh
They don't seem to be publishing a download of that version of firmware any more - it's been superseded by the 6.1.44.3 version.
Do you have a copy you could attach?

Each of the Herospeed firmware versions that I've looked at has a different telnet password.
And the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password.
When you said "the newer 7.x series of firmware has a new 'telnet switch' facility to enable telnet access, via a camera-specific-derived password."
are you referring to web-based config of the camera or is it a hardware switch to enable telnet?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,776
Location
Scotland
The program is called TelnetSwitch and it listens on port 787 for any HTTP access, where it pops up a login dialogue that's required to start the telnet daemon.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,776
Location
Scotland
Bypass PoC, by making new pwd and then start telnetd.
So much for their updated security protection. Dohh - overflow carelessness.
Well done for finding that.
Have you been in contact with Herospeed about this vulnerability? Their firmware is used on quite a few brands of camera.

There is another simple way to permanently disable the Lucky787 security mechanism that you might like to try for fun.
On power-up, the telnet daemon is active for several seconds before TelnetSwitch is started up and kills it.
That gives plenty of time to login over telnet as root with the cracked password from the hash in the published firmware.
Then just 'mv' TelnetSwitch' or replace with your own and it never kills telnetd again.
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
So much for their updated security protection. Dohh - overflow carelessness.
Well done for finding that.
Have you been in contact with Herospeed about this vulnerability? Their firmware is used on quite a few brands of camera.

There is another simple way to permanently disable the Lucky787 security mechanism that you might like to try for fun.
On power-up, the telnet daemon is active for several seconds before TelnetSwitch is started up and kills it.
That gives plenty of time to login over telnet as root with the cracked password from the hash in the published firmware.
Then just 'mv' TelnetSwitch' or replace with your own and it never kills telnetd again.
Not reported, you still need the telnet login/pwd to enter.

besides, they can't spell either.

[edit]
# strings /opt/app/bin/TelnetSwitch | grep telneted
killall -9 telneted;telnetd &
killall -9 telneted &
#
 

vasycara

Getting the hang of it
Joined
Jun 22, 2015
Messages
227
Reaction score
48
Wanscam HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P IP Camera

This comes with telnet disabled. I was able to activate telnet, but I do not know the user and the telnet password. I tried several variants, but none is good.
Please if anyone knows the user and password for telnet to HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P.
Has the hi3516c processor
This is firmware from Wanscam HW0041-2 :
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,776
Location
Scotland
Please if anyone knows the user and password for telnet to HW0041-2 Two Way Audio Alarm 2 Megapixel 1080P.
That firmware doesn't have the rootfs or kernel in it, so the telnet password isn't available as far as I can see.
It just looks like there is a debug mode with telnet enabled on port 12990
 

vasycara

Getting the hang of it
Joined
Jun 22, 2015
Messages
227
Reaction score
48
Defolt does not have telnet enabled, with command http://192.168.1.142:8987/cgi-bin/hi3510/printscreenrequest.cgi
telnet is enabled, and next responds in putty on port 23.
With root login
say - login incorrectly - does not wait to get password.
With another login I can put the password, but I tried many pairs without a positive result.
I tried on port 12990 not responding in putty.
 

Attachments

vasycara

Getting the hang of it
Joined
Jun 22, 2015
Messages
227
Reaction score
48
No, I do not have any other firmware. I received this firmware from Wanscam and I updated my ip camera with it.
 
Top