Hacking An IoT Camera Reveals Hard-Coded Root Password

Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying something. But that doesn’t mean you can’t learn something by watching, with this root password exploit on a cheap IP video camera being a good look at the basics.

By way of background on this project, [Matt Brown] had previously torn into a VStarcam CB73 security camera, a more or less generic IP camera that he picked up on the cheap, and identified a flash memory chip from which he extracted the firmware. His initial goal was to see if the camera was contacting sketchy servers, and while searching the strings for the expected unsavory items, he found hard-coded IP addresses plus confirmation that the camera was running some Linux variant.

With evidence of sloppy coding practices, [Matt] set off on a search for a hard-coded root password. The second video covers this effort, which started with finding UART pins and getting a console session. Luckily, the bootloader wasn’t locked, which allowed [Matt] to force the camera to boot into a shell session and find the root password hash. With no luck brute-forcing the hash, he turned to Ghidra to understand the structure of a suspicious program in the firmware called encoder. After a little bit of poking and some endian twiddling, he was able to identify the hard-coded root password for every camera made by this outfit, and likely others as well.

Granted, the camera manufacturer made this a lot easier than it should have been, but with a lot of IoT stuff similarly afflicted by security as an afterthought, the skills on display here are probably broadly applicable. Kudos to [Matt] for the effort and the clear, concise presentation that makes us want to dig into the junk bin and get hacking.


Obsolete E-Reader Gets New Life

For those who read often, e-readers are a great niche device that can help prevent eye fatigue with their e-ink displays, especially when compared to a backlit display like a tablet or smartphone, all while taking up minimal space, unlike a stack of real books. But for all their perks, there are still plenty of reasons to maintain a library of bound paper volumes. For those who have turned back to books, or whose e-readers aren’t getting the attention they once did, there are plenty of things to do with them, like this e-book picture frame.

The device started life as a PocketBook Basic Touch, or PocketBook 624, a fairly basic e-reader from 2014, but at its core is a decent ARM chip that can do many more things than display text. It also shipped running a version of Linux, which made it fairly easy to get a shell and start probing around. Unlike modern smartphones, this e-reader seems to be fairly open and able to run some custom software, and as a result there are already some C++ programs available for these devices. Armed with some example programs, [Peter] was able to write a piece of custom software that displays images from an on-board directory, and mounted the new picture display using an old book.

There were a number of options for this specific device that [Peter] explored that didn’t pan out well, like downloading images from the internet to display instead of images on the device, but in the end he went with a simpler setup to avoid feature creep and get his project up and running for “#inktober”, a fediverse-oriented drawing challenge that happened last month. While not strictly in line with a daily piece of hand-drawn artwork, the project still follows the spirit of the event. And, for those with more locked-down e-readers there’s some hope of unlocking the full functionality of older models with this FOSS operating system.

Degrees Of Freedom: Booting ARM Processors

Any modern computer with an x86 processor, whether it’s Intel or AMD, is a lost cause for software freedom and privacy. We harp on this a lot, but it’s worth repeating that it’s nearly impossible to get free, open-source firmware to run on them thanks to the Intel Management Engine (IME) and the AMD Platform Security Processor (PSP). Without libre firmware there’s no way to trust anything else, even if your operating system is completely open-source.

The IME and PSP have access to memory, storage, and the network stack even if the computer is shut down, and even after the computer boots they run at such a low level that the operating system can’t be aware of what they’re really doing. Luckily, there’s a dark horse in the race in the personal computing world that gives us some hope that one day there will be an x86 competitor that allows its users to have a free firmware that they can trust. ARM processors, which have been steadily increasing their user share for years but are seeing a surge of interest since the recent announcement by Apple, are poised to take over the personal computing world and hopefully allow us some relevant, modern options for those concerned with freedom and privacy. But in the real world of ARM processors the road ahead will decidedly be long, winding, and forked.

Even ignoring tedious nitpicks that the distinction between RISC vs CISC is more blurred now than it was “back in the day”, RISC machines like ARM have a natural leg up on the x86 CISC machines built by Intel and AMD. These RISC machines use fewer instructions and perform with much more thermal efficiency than their x86 competitors. They can often be passively cooled, avoiding the need for active cooling, unlike many AMD/Intel machines that often have noisy or bulky fans. But for me, the most interesting advantage is the ability to run ARM machines without the proprietary firmware present with x86 chips.


How To Backup And Restore Your IP Camera Firmware

[Filipe] has been playing around with custom firmware for inexpensive IP cameras. Specifically, he has been using cameras based on a common HI3815 chip. When you are playing around with firmware like this, a major concern is that you may end up bricking the device and rendering it useless. [Filipe] has documented a relatively simple way to backup and restore the firmware on these cameras so you can hack to your heart’s content.

The first part of this hack is hardware oriented. [Filipe] cracked open the camera to reveal the PCB. The board has labeled serial TX and RX pads. After soldering a couple of wires to these pads, [Filipe] used a USB to serial dongle to hook his computer up to the camera’s serial port.

Any terminal program should now be able to connect to the camera at 115200 baud while the camera is booting up. The trick is to press “enter” during the boot phase. This allows you to log in as root with no password. Next you can reset the root password and reboot the camera. From then on you can simply connect to the camera via telnet and log in as root.

From here, [Filipe] copies all of the camera’s partitions over to an NFS share using the dd command. He mentions that you can also use FTP for this if you prefer. At this point, the firmware backup is completed.

Knowing how to restore the backup is just as important as knowing how to create it. [Filipe] built a simple TFTP server and copied the firmware image to it in two chunks, each less than 5MB. The final step is to tell the camera how to find the image. First you need to use the serial port to get the camera back to the U-Boot prompt. Then you configure the camera’s IP address and the TFTP server’s IP address. Finally, you copy each partition into RAM via TFTP and then copy that into flash memory. Once all five partitions are copied, your backup is safely restored and your camera can live to be hacked another day.
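As an added example (not [Filipe]’s own script), this POSIX shell script does the backup half of the procedure above on the camera itself: it dumps each partition with dd, records a SHA-256 beside every image so a later restore can be refused if the image was altered or truncated, and splits an image into chunks small enough for the TFTP transfer. The device names (/dev/mtd0..mtd4) and the NFS mount point (/mnt/nfs) are assumptions; pass your own on the command line.

```shell
#!/bin/sh
# Added example (not [Filipe]'s own script): back up flash partitions with dd
# and prepare them for a TFTP restore. All paths are assumptions: partitions
# as /dev/mtd0..mtd4 and the NFS share mounted at /mnt/nfs.

# backup_partition SRC DEST: copy SRC to DEST with dd and record its SHA-256
# next to it, so a restore can be refused if the image was changed in transit.
backup_partition() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=64k 2>/dev/null || return 1
    sha256sum "$dest" | awk '{print $1}' > "$dest.sha256"
}

# backup_all_partitions DEST_DIR DEV...: dump each listed device into DEST_DIR
# as <name>.img, stopping at the first device that cannot be read.
backup_all_partitions() {
    dir="$1"; shift
    for dev in "$@"; do
        backup_partition "$dev" "$dir/$(basename "$dev").img" || return 1
    done
}

# verify_backup IMAGE: true only if IMAGE still matches the recorded checksum
verify_backup() {
    image="$1"
    [ "$(sha256sum "$image" | awk '{print $1}')" = "$(cat "$image.sha256")" ]
}

# split_for_tftp IMAGE CHUNK_BYTES: cut IMAGE into IMAGE.partaa, IMAGE.partab,
# ... of CHUNK_BYTES each (choose a size below the 5 MB the post allows per
# TFTP transfer, e.g. 4194304 for 4 MiB); prints the number of chunks written.
split_for_tftp() {
    image="$1"; limit="$2"
    split -b "$limit" "$image" "$image.part" || return 1
    n=0
    for f in "$image".part*; do n=$((n + 1)); done
    echo "$n"
}

# Typical use on the camera (assumed device names and mount point):
#   backup_all_partitions /mnt/nfs /dev/mtd0 /dev/mtd1 /dev/mtd2 /dev/mtd3 /dev/mtd4
#   verify_backup /mnt/nfs/mtd0.img && split_for_tftp /mnt/nfs/mtd0.img 4194304
```

Copy the .sha256 files along with the chunks and re-run the check on the restore host before anything is written to flash.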