Momentum Axel-720P

From Exploitee.rs
Revision as of 20:00, 24 April 2018 by Rchase (talk | contribs) (Root: Custom Firmware with Telnet)

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Alarm.com ADC-v520IR.jpg

This page will be dedicated to a general overview, descriptions, and information related to the Alarm.com ADC-v520IR.

About

The Alarm.com ADC-v520IR is a network (Wifi/Ethernet) camera w/ IR LEDs provided by alarm.com

Disassembly

UART

Root: Custom Firmware with Telnet

Telnet to root shell can be enabled by creating a custom firmware, naming it 'ezviz.dav', placing it on the SD card, and rebooting:


1. Download Hikvision packer/unpacker (to Linux PC):

https://ipcamtalk.com/threads/mcr-hikvision-packer-unpacker-for-5-3-x-and-newer-firmware.15710/

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8%20build%20170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw

4. cd newfw

5. unsquahsfs app.img

6. cd squashfs-root

7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)

8. cd ..

9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148

10. rm -rf squashfs-root

11. ./hikpack -t r0 -p ezviz.dav -o newfw

12. Copy ezviz.dav to SD card

13. Insert SD card to camera

14. Reboot camera

15. Log in to telnet with root/EHLGVG

  • NOTE: This works because the current version of the firmware checks for the existence of 'ezviz.dav' when booting up. Also, the root password is hard-coded to all devices.