Change of the password of telnet and RTSP IP camera

[max1910]

Hello,
I have  bought the camera:
https://www.aliexpress.com/item/4000595164959.html?spm=a2g0s.9042311.0.0.1b474c4dWZd2Gi IP Shenzhen Trolink Technology CO, LTD and after scanning the ports it has open port 23 (telnet), 80 (http) and 554 (RTSP). I have already found the login details for telnet. When I am trying to log in after the camera's IP address, it displays a page error.
I have some questions:
1. How can I change the telnet password? Is there any command to do it?
2. How to set the password for RTSP protocol (554), because now without the authentication it can be intercepted.
3. Is it possible to change the password of RTSP IP camera via telenet?

[digininja]

Did it not come with a manual?

[max1910]

The instructions are just how to connect to the Smart Life app on phone. After scanning ports, I discovered these functions

[digininja]

What do you get when you telnet in? What type of shell do you get?

[max1910]

Logs in to root

[digininja]

What shell? Bash, sh, busy box.

[max1910]

Linux localhost 3.4.43-gk #45 PREEMPT Mon Jun 17 17:06:05 CST 2019 armv6l GNU/Linux
#
 

[digininja]

Looks like sh, what does

ps

Return?

Passwords are usually changed with

passwd

[max1910]

ps command displayed processes
I tried passwd and I have the message:

passwd: / etc / passwd: Read-only file system
passwd: can't update password file / etc / passwd

[digininja]

You might not be able to change things then without being able to mount the filesystem writable which you might not be able to do.

[Boosey]

telnet

root/cxlinux when promted. 

 

RTSP (admin with no pass)

rtsp://admin:@[your IP ADDRESS]:554/live/ch00_1

 

[flipchart]

most of these cheap chinese cameras have limited functionality and are very bad in terms of security... (not saying the more expensive ones are better 🙂 )

What you can do is dumping the memory, usually the firmware is on a SOP8 Chip which you can dump via a BIOS ROM reader (https://s.click.aliexpress.com/e/_dYbO35F ). Then unpack it with binwalk and edit the password which is hardcoded in the firmware. Then simply pack it and write it back to the chip... Boot the camera and there you go!

there are many cool things you can do by editing the firmware this way. Like import additional features or remove the cloud feature of the vendor...

Just always keep a copy of the original firmware, in case things go south 🙂 

[hhammidd]

On 5/6/2020 at 1:25 PM, flipchart said:

most of these cheap chinese cameras have limited functionality and are very bad in terms of security... (not saying the more expensive ones are better 🙂 )

What you can do is dumping the memory, usually the firmware is on a SOP8 Chip which you can dump via a BIOS ROM reader (https://s.click.aliexpress.com/e/_dYbO35F ). Then unpack it with binwalk and edit the password which is hardcoded in the firmware. Then simply pack it and write it back to the chip... Boot the camera and there you go!

there are many cool things you can do by editing the firmware this way. Like import additional features or remove the cloud feature of the vendor...

Just always keep a copy of the original firmware, in case things go south 🙂 

Hi 

Is there any general method to get such a kind of informations from the firmware of cctv cameras?

using binwalk or any others?

thanks

[Shakel]

What was the default user and password for the camera?

[flipchart]

On 11/11/2020 at 7:41 PM, hhammidd said:

Hi 

Is there any general method to get such a kind of informations from the firmware of cctv cameras?

using binwalk or any others?

thanks

binwalk -e helps a lot, often you can simply edit the binary file, as the config is part of the last few bytes and ascii 😉