Tenvis JPT3815W-HD root access

!!!ATTENTION!!!

INFORMATION PROVIDED WITHOUT GUARANTEE

YOU MAY BRICK/UNSECURE YOUR CAMERA

 

 

Tested for Device
Hard version V1.0.0.1
Software version V13.1.1.1.5

  • open your camera
  • connect your USB-to-TTL adapter to the pins shown below, Tx to Rx and Rx to Tx (logic level is 3.3V)

 

[Image: JPT3815W-HD Tx/Rx pins]

  • connect ground to the board's ground, e.g. to the screw hole of the board
  • DON’T connect anything else (no VCC!)
  • connect a LAN cable to your camera
  • open a terminal and connect to your TTL adapter; I use the Linux screen command:
screen /dev/ttyUSB0 115200
  • Now get ready to connect the camera's power while watching your serial terminal.
    As soon as you see any text, press Enter to interrupt the autoboot. You should now have a prompt (if not and the boot continues, unplug power and try again):
hisilicon # 
  • Let's display the bootargs:
hisilicon # printenv 
bootdelay=1
baudrate=115200
bootfile="uImage"
phyaddru=0
phyaddrd=1
mdio_intf=rmii
bootcmd=sf probe 0;sf read 0x82000000 0x80000 0x280000;bootm 0x82000000
ethaddr=00:ab:e3:f6:89:02
filesize=A1CF04
fileaddr=82000000
gatewayip=192.168.8.1
netmask=255.255.255.0
ipaddr=192.168.8.88
serverip=192.168.8.8
bootargs=mem=44M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs)
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Mar 18 2014 - 03:42:32)
Environment size: 524/262140 bytes
  • Let's change the bootargs and add "init=/bin/sh" to the end:
hisilicon # setenv bootargs mem=44M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs) init=/bin/sh
  • Now boot the system. You should end up at a # prompt; ignore the "sh: can't access tty; job control turned off" message:
hisilicon # sf probe 0;sf read 0x82000000 0x80000 0x280000;bootm 0x82000000
  • Mount /proc and remount the root filesystem read-write:
# mount -t proc defaults /proc
# mount -o remount,rw /
  • Now we need an armv5 /bin/busybox binary. I found one in this Gentoo archive:
    ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo/releases/arm/autobuilds/20151027/stage3-armv5tel-20151027.tar.bz2
  • Set up an FTP server. Put the busybox binary in the FTP root.
  • Get the busybox binary via ftpget on the camera:
# cd /root
# ftpget -v -u USER -p PASS SERVERIP busybox busybox
  • Now change the root password by calling the busybox binary with:
# ./busybox passwd root

Reboot the camera and don't interrupt the autoboot. You should end up at "IPCamera login:". Log in as root with your new password.

# reboot -f
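
The printenv capture above already shows what makes this procedure possible: a non-zero bootdelay and a kernel console on the serial port. The following Python script is an added example, not part of the original post; it audits a captured environment for those settings and converts mtdparts into byte offsets so they can be compared with the sf read in bootcmd. The function names are my own, and ENV_DUMP is copied from the capture.

```python
import re

# Added example; helper names are illustrative. ENV_DUMP holds three variables
# copied from the printenv capture in the post.
ENV_DUMP = """\
bootdelay=1
bootcmd=sf probe 0;sf read 0x82000000 0x80000 0x280000;bootm 0x82000000
bootargs=mem=44M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs)
"""
UNITS = {"K": 1024, "M": 1024 * 1024}

def parse_env(dump):
    """Split 'name=value' lines on the first '=' only (values contain '=')."""
    return dict(line.split("=", 1) for line in dump.splitlines() if "=" in line)

def parse_mtdparts(bootargs):
    """Return [(name, offset, size)] in bytes from the mtdparts= argument."""
    match = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs)
    if match is None:
        return []
    parts, offset = [], 0
    for size, unit, name in re.findall(r"(\d+)([KM])\((\w+)\)", match.group(1)):
        nbytes = int(size) * UNITS[unit]
        parts.append((name, offset, nbytes))
        offset += nbytes  # partitions are laid out back to back
    return parts

def kernel_read(bootcmd):
    """Return (flash_offset, length) of the 'sf read' in bootcmd, or None."""
    match = re.search(r"sf read\s+\S+\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)", bootcmd)
    return (int(match.group(1), 16), int(match.group(2), 16)) if match else None

def audit(env):
    """Report what leaves the boot chain open to anyone with serial access."""
    findings = []
    if int(env.get("bootdelay", "0")) > 0:
        findings.append("autoboot can be interrupted during bootdelay")
    if re.search(r"\bconsole=tty", env.get("bootargs", "")):
        findings.append("kernel console is attached to the serial port")
    if re.search(r"\binit=\S+", env.get("bootargs", "")):
        findings.append("bootargs override init")
    return findings

if __name__ == "__main__":
    env = parse_env(ENV_DUMP)
    for name, offset, size in parse_mtdparts(env["bootargs"]):
        print(f"{name:8s} offset=0x{offset:06x} size=0x{size:06x}")
    print("sf read:", [hex(v) for v in kernel_read(env["bootcmd"])])
    print("\n".join(audit(env)))
```

The kernel partition computed from mtdparts starts at 0x80000 and is 0x280000 bytes long, which is exactly what bootcmd reads; the three partitions together add up to 16 MiB.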

Enable Telnet access on the camera:

  • Create a new telnet service file (vi usage: press "I" to insert text, press ESC to exit insert mode, save the file by typing ":wq" and pressing ENTER):
# vi /etc/init.d/S81telnetd
#!/bin/sh
busybox telnetd -S
  • Make the file executable:
# chmod 755 /etc/init.d/S81telnetd
  • Add a "pts/0" entry to the end of "/etc/securetty" to enable root login:
# vi /etc/securetty
console
tty1
tty2
tty3
tty4
tty5
ttyS000
pts/0
  • Reboot the camera; you should now be able to telnet to your camera via LAN:
# reboot

Thanks to astroza for help!
Useful links:
http://felipe.astroza.cl/hacking-hi3518-based-ip-camera/
https://wiki.maemo.org/Modifying_the_root_image
