Momentum Axel-720P

From Exploitee.rs
Revision as of 20:08, 24 April 2018 by Rchase (talk | contribs)

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong." [[File:|100px|left|thumb]] This page will be dedicated to a general overview, descriptions, and information related to the Momentum Axel 720P.

About

The Momentum Axel 720P is a Wi-Fi camera with a built in microphone, speaker, motion detection. Comes with free iPhone/Android app for control of the device. Recordings can be stored on micro SD card (not included) or cloud storage with a subscription. Sold at Walmart and Target. For more information, see https://www.momentumcam.com

Disassembly

UART

Root: Custom Firmware Upgrade via SD Card

Root shell over telnet can be enabled by creating a custom firmware, naming it 'ezviz.dav', placing it on the SD card, and rebooting:


1. Download Hikvision packer/unpacker (to Linux PC):

https://ipcamtalk.com/threads/mcr-hikvision-packer-unpacker-for-5-3-x-and-newer-firmware.15710/

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8%20build%20170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw

4. cd newfw

5. unsquahsfs app.img

6. cd squashfs-root

7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)

8. cd ..

9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148

10. rm -rf squashfs-root

11. ./hikpack -t r0 -p ezviz.dav -o newfw

12. Copy ezviz.dav to SD card

13. Insert SD card to camera

14. Reboot camera

15. Log in to telnet with root/EHLGVG


  • NOTE: The root password is hard-coded to all devices.