Getting Root On A Chinese IP Camera

December 12, 2022 by Maya Posch 65 Comments

With so many cheap network-connected devices out there being Linux-powered, it’s very tempting to try and hack into them, usually via a serial interface. This was the goal of [Andrzej Szombierski] when he purchased a cheap Chinese IP camera using an XM530 ARM-based SoC to explore and ultimately get root access on. This camera’s firmware provides the usual web interface on its network side, but it also has a UART on its PCB, courtesy of the unpopulated four-pin header.

Merely firing up a serial terminal application and connecting to this UART is not enough to get access, of course. The first obstacle that [Andrzej] struggled with was that U-Boot was configured to not output Linux kernel boot messages. After tackling that issue with some creative hacking, the next challenge was to figure out the root password, using a dump of the firmware image, which led to even more exploration of the firmware and the encoding used for the root password.

Even if some part of these challenges were possibly more accidental than on purpose by the manufacturer, it shows how these SoC-based Linux devices can put up quite a fight. This then leaves the next question, of what to do with such an IP camera after you have gained root access?

Oculus Go VR Headset Gets Root Access, No Jailbreak Needed

October 21, 2021 by Donald Papp 16 Comments

The Oculus Go, Facebook’s first generation standalone VR headset, hit the market back in 2018 but it’s taken until now for owners to get an official unlocked OS build. The release was hinted at by former Oculus CTO John Carmack in a recent Tweet as something he had been pushing for years. This opens the hardware completely, allowing root access without the need for an unofficial jailbreak.

Oculus Go headset [image: WikiMedia Commons]

The Oculus Go is Android-based and has specifications that are not exactly cutting edge by VR standards, especially since head tracking is limited to three degrees of freedom (DoF). This makes it best suited to seated applications like media consumption. That said, it’s still a remarkable amount of integrated hardware that can be available for a low price on the secondary market. Official support for the Go ended in December 2020, and the ability to completely unlock the device is a positive step towards rescuing the hardware from semi-hoarded tech junk piles where it might otherwise simply gather dust.

When phone-based VR went the way of the dodo, millions of empty headsets went obsolete with it for a variety of reasons, but at least this way perfectly-good (if dated) hardware might still get some use in clever projects. Credit where credit is due; opening up root access to old but still perfectly functional hardware is the right thing to do, and it’s nice to see it happening.

Rooting The Atari VCS 800

July 27, 2021 by Lewin Day 9 Comments

The Atari VCS 800 is a modern product, a hybrid of a PC and a games console. Fundamentally, its a bunch of modern chips in a box running Linux that will let you browse the web or emulate some old games. Now, thanks to [ArcadeHustle], you can have persistent root access to the VCS 800 at your leisure.

The trick is simple, and begins by interrupting the systemd startup scripts on boot. One can then merge files into the /etc directory to achieve root access, either by the tty terminal or over TCP. It’s all wrapped up in the script available at the Github link above.

You can actually run a variety of OSs on the hardware, as it’s powered by an AMD Ryzen R1606G CPU and runs straightforward PC architecture. However, if you want to customize the existing OS to do your bidding, this hack is the way to go.

Hacking to get root access is key if you want to get anywhere with a system. We’ve seen it done on thin clients as well as car infotainment systems to give the owner full control over the hardware they own. If you’ve got your own root exploit you’d like to share, do drop us a line, won’t you?