Difference between revisions of "Momentum Axel-720P"

From Exploitee.rs
Jump to navigationJump to search
Line 16: Line 16:
Root shell over telnet can be enabled by creating a custom firmware, naming it 'ezviz.dav', placing it on the SD card, and rebooting:
Root shell over telnet can be enabled by creating a custom firmware, naming it 'ezviz.dav', placing it on the SD card, and rebooting:


Instructions to build custom firmware:


1. Download Hikvision packer/unpacker (to Linux PC):
1. Download Hikvision packer/unpacker (to Linux PC):

Revision as of 20:10, 24 April 2018

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Momentum Axel 720P

This page will be dedicated to a general overview, descriptions, and information related to the Momentum Axel 720P.

About

The Momentum Axel 720P is a Wi-Fi camera with a built in microphone, speaker, motion detection. Comes with free iPhone/Android app for control of the device. Recordings can be stored on micro SD card (not included) or cloud storage with a subscription. Sold at Walmart and Target. For more information, see https://www.momentumcam.com

Disassembly

UART

Root: Custom Firmware Upgrade via SD Card

Root shell over telnet can be enabled by creating a custom firmware, naming it 'ezviz.dav', placing it on the SD card, and rebooting:


Instructions to build custom firmware:

1. Download Hikvision packer/unpacker (to Linux PC):

https://ipcamtalk.com/threads/mcr-hikvision-packer-unpacker-for-5-3-x-and-newer-firmware.15710/

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8%20build%20170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw

4. cd newfw

5. unsquahsfs app.img

6. cd squashfs-root

7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)

8. cd ..

9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148

10. rm -rf squashfs-root

11. ./hikpack -t r0 -p ezviz.dav -o newfw

12. Copy ezviz.dav to SD card

13. Insert SD card to camera

14. Reboot camera

15. Log in to telnet with root/EHLGVG


  • NOTE: The root password is hard-coded to all devices.