{"id":1226,"date":"2019-01-20T20:16:45","date_gmt":"2019-01-21T02:16:45","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1226"},"modified":"2019-01-20T23:13:16","modified_gmt":"2019-01-21T05:13:16","slug":"sricam-ap001-uart","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2019\/01\/sricam-ap001-uart\/","title":{"rendered":"SRICAM AP001 – UART"},"content":{"rendered":"

Please see the original post on IP Camera Security<\/a> before reading the rest of this post.<\/p>\n

Based on comment #2<\/a> by Carlo UART has been identified for my SRICAM AP001. Carlo stated that the board looks very similar to the NixCore <\/a>and this is correct. I was not able to identify UART with JTAGulator because I never soldered any wires to pins 39 and 40!
\n
\n<\/a>
\nI soldered wires to RX2 (pin 39), TX2 (pin 40), and GND (pin 37) and connected them to a UART to USB adapter. Fired up minicom at 57600 8n1 and we have access!<\/p>\n

<\/a>

\nU-Boot 1.1.3 (Dec 26 2012 - 17:31:39)                                        \n\nBoard: Ralink APSoC DRAM:  32 MB                                             \nrelocate_code Pointer at: 81fb4000                          \nsysctl:40200300                                             \nspi_wait_nsec: 42                                           \nspi device id: ef 40 17 0 0 (40170000)                      \nfind flash: W25Q64BV                                        \nraspi_read: from:30000 len:1000                             \n.raspi_read: from:30000 len:1000 \n.============================================ \nRalink UBoot Version: 3.5.3.0\n--------------------------------------------                                    \nASIC 5350_MP (Port5<->None)                                                     \nDRAM_CONF_FROM: Boot-Strapping                                                  \nDRAM_TYPE: SDRAM                                                                \nDRAM_SIZE: 256 Mbits                                                            \nDRAM_WIDTH: 16 bits                                                             \nDRAM_TOTAL_WIDTH: 16 bits                                                       \nTOTAL_MEMORY_SIZE: 32 MBytes                                                    \nFlash component: SPI Flash                                                      \nDate:Dec 26 2012  Time:17:31:39  \n. . . SNIP . . .<\/code><\/pre><\/p>\n
You can get the complete boot log here<\/a>. Looking at \/etc\/passwd<\/kbd> shows a DES encrypted hash where the plaintext is “123456”.  
# cat \/etc\/passwd\nroot:LSiuY7pOmZG2s:0:0:Adminstrator:\/:\/bin\/sh# <\/code><\/pre>Doing a Google search for the unsalted hash reveals another site<\/a> about IP Camera security. These things are just too fun to crack open. The boot log shows the flash is W25Q64BV (datasheet<\/a>).<\/p>\n
In researching the NixCore I also came across a blog post<\/a> from almost three (3) years ago the delves into an almost identical camera.<\/p>\n
Looking at the PINOUT of the NixCore I’m going to see if this camera has JTAG enabled.  BACK TO THE JTAGULATOR! Note that another site<\/a> from the Google search of the unsalted hash shows that they were able to identify JTAG…but this board, while similar to the NixCore, is not the same as the AP001.<\/p>\n
Okay I couldn’t wait and soldered up pins 1,2,3,5,6 and connected them to my BusBlaster v4 according to the NixCore documentation. No need for JTAGulator as the pinout was already documented.<\/p>\n
<\/a><\/p>\n
So JTAG exists right when the device boots but then the GPIOs are reassigned.  I assume to drive the motors to move the camera.  I didn’t delve that far into it as i was only curious as to the existence of JTAG. The resources below include links to documentation on the Ralink RT5350 (datasheet<\/a>) and configuration for OpenOCD.  Maybe we can reach out to the creators of NixCore for an OpenOCD configuration file.<\/p>\n
root@KALI:~# openocd -f \/usr\/share\/openocd\/scripts\/interface\/ftdi\/dp_busblaster.cfg -c "adapter_khz 100; transport select jtag"\nOpen On-Chip Debugger 0.10.0+dev-00622-g322d2fa1 (2018-12-17-06:47)\nLicensed under GNU GPL v2\nFor bug reports, read\n  http:\/\/openocd.org\/doc\/doxygen\/bugs.html\nInfo : If you need SWD support, flash KT-Link buffer from https:\/\/github.com\/bharrisau\/busblaster\nand use dp_busblaster_kt-link.cfg instead\nadapter speed: 100 kHz\njtag\nInfo : Listening on port 6666 for tcl connections\nInfo : Listening on port 4444 for telnet connections\nInfo : clock speed 100 kHz\nWarn : There are no enabled taps.  AUTO PROBING MIGHT NOT WORK!!\nInfo : JTAG tap: auto0.tap tap\/device found: 0x1535024f (mfg: 0x127 (MIPS Technologies), part: 0x5350, ver: 0x1)\nWarn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 5 -expected-id 0x1535024f"\nWarn : gdb services need one or more targets defined<\/code><\/pre><\/p>\n
Resources<\/strong>
\nhttp:\/\/linuxgizmos.com\/tiny-30-wifi-enabled-openwrt-module-runs-on-1-watt\/<\/a>
\n
\nhttps:\/\/jelmertiete.com\/2016\/03\/14\/IoT-IP-camera-teardown-and-getting-root-password\/<\/a>
\nhttps:\/\/blog.tho.ms\/hacks\/2016\/08\/28\/openwrt-on-logilink-wc0030a.html<\/a>
\nhttps:\/\/www.pentestpartners.com\/security-blog\/hacking-the-ip-camera-part-1\/<\/a>
\nhttps:\/\/www.pentestpartners.com\/security-blog\/hacking-the-ip-camera-part-1\/<\/a>
\nhttp:\/\/liken.otsoa.net\/blog\/?x=entry:entry140322-183809<\/a>
\nhttps:\/\/wikidevi.com\/wiki\/Ralink_RT5350<\/a>
\nhttps:\/\/openwrt-devel.openwrt.narkive.com\/e5kS1C19\/openocd-and-rt3050-5350<\/a>
\nhttp:\/\/www.jedge.com\/docs\/W25Q64BVSFIG-Winbond.pdf<\/a>
\nhttp:\/\/www.jedge.com\/docs\/RT5350.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Please see the original post on IP Camera Security before reading the rest of this post. Based on comment #2 by Carlo UART has been identified for my SRICAM AP001. Carlo stated that the board looks very similar to the NixCore and this is correct. I was not able to identify UART with JTAGulator because […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[114],"tags":[],"class_list":["post-1226","post","type-post","status-publish","format-standard","hentry","category-hardware-hacking"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1226"}],"version-history":[{"count":11,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1226\/revisions"}],"predecessor-version":[{"id":1238,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1226\/revisions\/1238"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}