Hi /g/, I've recently had my house raided by dindus and, well, long story short, had to install an alarm system. The provider gave me an NVR for the cameras: M-2 BOX, $50 at Alibaba when I last checked (fully aware it's garbage, but well, it's "free"). Anyway, I've recently seen the UART or TTL to USB threads and decided to give this a try since I'm clueless and you /g/entoomen seem pretty savvy about it.
My goal is to extract the firmware or access the console in order to change the root password. I've been trying to crack it since telnet is open but not even the "rockyou.txt" dictionary seems to have a go at it. Now I've attached a picture of the board to confirm if the holes to the right are the correct ones to attach pins into. I'll appreciate it if anyone can point me in the right direction here or at least supply me with some reading. Thanks.
>>57194735
Can you take a picture that's less blurry and has better lighting?
>>57194862
Sure thing, sorry for that, my camera was out of battery. I'll take it apart again. I really need to root this since I'm sure it has botnet all over it.
>>57194862
>Error: You must wait 2 minutes 52 seconds before posting a duplicate reply.
wut?
>>57195074
info on the chip
intersil
tw2984
na2-cr
y1535aaa8
>>57194735
Did you try the list of passwords that the Mirai botnet uses?
>>57195229
>Mirai botnet
huh....thanks for this I will get to it.
I'll keep posting pics and info about my findings.
Here is my nmap scan in case you are interested.
PORT STATE SERVICE VERSION
23/tcp open telnet security DVR telnetd (many brands)
80/tcp open http WCY_WEBServer/2.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: WCY_WEBServer/2.0
|_http-title: IVSWeb 2.0 - Welcome
554/tcp open rtsp D-Link DCS-2130 or Pelco IDE10DN webcam rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
8000/tcp open http-alt?
49152/tcp open upnp Intel UPnP reference SDK 1.2 (Linux 2.6.5-it0; UPnP 1.0)
1900/udp open upnp?
>>57195229
So far no success but thanks for the info again.
>>57194735
>>57194735
The board says it's HI2530D. I've tried all the combinations from the Mirai botnet ... although I found this quite odd.
root hi3518
I'll keep trying, anyone welcome for suggestions.
>>57196310
Did you try with empty password?
>>57194735
If you find a JTAG pinout you can dump the firmware with binwalk and then probably unpack it since it's probably packed with LZMA.
>>57196667
of course, but nothing
>>57196753
Thanks for this m8.
I'm currently scanning it with DirBuster to look for hidden directories, so far /cgi-bin/ , /cgi-bin2/ , /fcgi-bin/ , /pcgi-bin/ and /scgi-bin/ have been found.
also in case any of you anons get this box in the future the string for rtsp is:
rtsp://ipaddress:554/H264?ch=1&subtype=1&authbasic=admin:123456 <-(default credentials) took me a while to figure this one out.
tinyCam works wonders with it.
post a pic of the plastic box, too. someone might be able to recognize it. remember to remove all identifiable info (mac address, etc)
>>57196881
did you try the usual (php) exploits?
>>57196907
err, I mean vulns. things like ...ch[]=1... or ch=`pwd` or ch=;ls; or ch=phpinfo() , etc
>>57196888
/ChinkShitGeneral/ Sponsored URL: https://www.aliexpress.com/store/product/M2-BOX-Mini-CCTV-DVR-8-Channel-Digital-Video-Recorder-Full-D1-Support-P2P-Cloud-HDMI/1768063_32344555526.htm
Part Number on the box: VP-DVR-B0400
>>57196907
>>57196954
I don't think it's running php but why not, let me give it a go. Thanks
>>57195074
>>57194735
I speculate it may have something to do with the female header with j12 under it
>>57197026
Most likely yes but still clueless on how to even approach it to find the pin layout. Any other suggestions are completely welcomed. If anyone needs better pictures or more feel free to ask.
>>57196907
Wait you bought a cctv system and the fitter didn't give you a password to log into the fucking thing?
I'm good with NVRs but I'm struggling to see why you can't log in with any credentials in the first place
>>57197171
Web interface login details != the device's root login. OP says exactly what he wants to do. He wants to change the device's root password. Smart considering the wave of "IoT" exploits out there.
>>57197250
It's almost surely going to be easier to hide it inside a private network and expose only HTTP access through a reverse proxy on a well-secured system, using whatever authentication mechanisms you deem acceptable
>>57197250
He should be able to see it from the web interface. They have a list of all accounts capable of accessing it including root
>>57197282
Also, this is something you should do even if you *can* change the password. Because god knows how many trivial exploits are sitting in that thing's public-facing programming?
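A sketch of the reverse-proxy setup suggested in the two replies above, as an added example that is not part of the original thread. It assumes nginx on a separate, patched host; the NVR address 192.0.2.10, the hostname, and the certificate and htpasswd paths are placeholders.

```nginx
# Added example (not from the thread). Drop into /etc/nginx/conf.d/ on the
# proxy host. 192.0.2.10 is a placeholder for the NVR's private address.

# Throttle requests per client so the proxy's login prompt cannot be hammered.
limit_req_zone $binary_remote_addr zone=nvr_auth:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name nvr.example.internal;          # placeholder name

    ssl_certificate     /etc/nginx/tls/nvr.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/nvr.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authentication happens here, before the NVR's own web server
    # (WCY_WEBServer/2.0 in the scan) ever sees the request.
    auth_basic           "NVR";
    auth_basic_user_file /etc/nginx/nvr.htpasswd;

    location / {
        limit_req zone=nvr_auth burst=10 nodelay;

        # The scan listed GET HEAD POST OPTIONS; forward only GET/HEAD/POST.
        limit_except GET POST { deny all; }

        client_max_body_size 1m;
        proxy_http_version   1.1;
        proxy_set_header     Host $host;
        proxy_read_timeout   30s;

        # Only the web UI on port 80 is forwarded. Telnet (23), RTSP (554),
        # 8000 and UPnP (49152/tcp, 1900/udp) are never reachable through
        # this proxy.
        proxy_pass http://192.0.2.10:80;
    }
}

# Plain HTTP is only redirected, never proxied.
server {
    listen 80;
    server_name nvr.example.internal;
    return 301 https://$host$request_uri;
}
```

The proxy only helps if the NVR's network segment is firewalled so that nothing but the proxy host can reach it, and if outbound connections from the NVR to the internet are blocked as well.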
>>57197171
chinks botnets m8, my alarm provider probably just bought these way cheaply and well sold it to their customers as a "free" gift. The reality here is that chinks are smart and take advantage of this by installing backdoors that they will later use in attacks that will come from "ALL OVER THE WORLD" such as the one from yesterday. I know and wish to remove it before it takes place.
>>57197282
It's working as such but I wish to control it.
>>57197139
try these things >>57196954 in the URLs you find