Hacking the Dericam H502W

The Maygion H264 IP Camera is a very open device with great customization potential.
This article contains some examples of hacks that enable telnet, load an alternate ftp daemon, extract
information, etc...
If keeping the camera under guarantee is no longer a concern for you, please read on... (-:





Important Notice: 
Before performing any firmware change, make a backup of the firmware files, including the board.dat file, 
and make yourself familiar with the recovery options. Proceed at your own risk, or don't...


This post is based on the information found in macmpi's post on forum.hardware.fr

Basics:
The /app folder contains typically 3 files loaded when the camera is powered on:
cs -> the main firmware application file
cs.def.ini -> the default config file
cs.ini -> the current config file loaded by cs

A universal way to talk to the camera is to replace its cs file with another one containing a valid script, such as the following that loads the telnetd daemon:

#!/bin/sh
cp /etc_ro/rcS /tmp/eye/app/.
cd /bin
telnetd&

Once terminal access is possible via telnet, the possibilities are endless: change the services loaded at startup (including telnetd itself) via the file /etc_ro/rcS, use a different ftp daemon (MayGion unlimited fd, or restricted ftpd).
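The cs replacement described above leaves two things to check in a firmware backup: whether app/cs is still a binary, and whether rcS starts telnetd or an FTP daemon. The script below is an added example, not from the original post; it assumes a stock cs is an ELF executable, and its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a backup copy of the camera's /app and /etc_ro files.
# Runs on a workstation against copied files; it does not contact the camera.

# classify_cs FILE -> "elf", "script" or "unknown", from the file's first bytes.
# Assumption: a genuine cs is an ELF executable; a replaced one starts with "#!".
classify_cs() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo unknown ;;
    esac
}

# rcs_daemons FILE -> numbered rcS lines that mention telnetd or an ftpd variant
# outside a comment. Prints nothing when there are none.
rcs_daemons() {
    grep -nE '^[^#]*(telnetd|ftpd)' "$1" || true
}

# audit_backup DIR -> prints findings for DIR/app/cs and DIR/etc_ro/rcS;
# returns 1 if anything was flagged, 0 if the backup looks stock.
audit_backup() {
    rc=0
    kind=$(classify_cs "$1/app/cs")
    if [ "$kind" != elf ]; then
        echo "app/cs is '$kind', not an ELF binary"; rc=1
    fi
    hits=$(rcs_daemons "$1/etc_ro/rcS")
    if [ -n "$hits" ]; then
        echo "etc_ro/rcS starts remote-access daemons:"; echo "$hits"; rc=1
    fi
    return $rc
}

# make_sample DIR -> constructed sample backup: cs replaced by a telnetd script,
# rcS with one commented-out and one active telnetd line (rcS content is made up).
make_sample() {
    mkdir -p "$1/app" "$1/etc_ro"
    printf '#!/bin/sh\ncp /etc_ro/rcS /tmp/eye/app/.\ncd /bin\ntelnetd&\n' > "$1/app/cs"
    printf '#!/bin/sh\n# telnetd &\nmount -a\ntelnetd &\n' > "$1/etc_ro/rcS"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_backup "$sample" || echo "backup differs from stock"
rm -rf "$sample"
```

Point audit_backup at a directory holding copies of app/cs and etc_ro/rcS pulled from the camera; a line that merely mentions ftpd in an echo will also be listed and needs a manual look.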


Hackmaster...

The hacks below are an extension of this simple idea.

Each file must first be renamed to app.bin so that it can be installed like a normal application update from the IP Camera interface. Each file has a specific purpose, and the System Information panel shows which ones are active.
http://goo.gl/9K1ge 

inject.bin: This is the "Hackmaster" module, which opens the camera to further hacking via the other files below. It is based on fw v.5.60 but will remain active after a traditional firmware update. It is reversible thanks to a clean-up file also provided.  

tnt.bin: Enables the telnet daemon.

bbx.bin: Installs the latest full Busybox, which provides a more complete set of Linux commands. It requires Internet access to work. Check the log under /tmp to verify that the installation was successful.

ocx.bin: Removes the ocx2.exe file from /www (saving 600KB of space), and provides access to this file over the Internet instead.

mSD.bin: Mounts the SD Card for access via FTP (e.g. ftp://user:pass@IP/app/SD). The status of the SD mount is logged under /tmp. 

ftM.bin: Enables the unrestricted MayGion FTP daemon (login: MayGion, password: maygion.com). 

ftB.bin: Enables the basic FTP daemon, which uses the admin login.

log.bin: Generates a log file in /app. Can be helpful for troubleshooting. Since it's only occasionally needed, it will self-destruct on restart.

no_hack.bin: Removes all the hacks but leaves the enabler (i.e. Hackmaster) intact.

clean-up.bin: Cleans up all traces of the hacks (including the Hackmaster), and restores the camera to its normal state.

The HackMaster files can also be obtained from the original article: Forum.hardware.fr



