{"id":1239,"date":"2019-01-21T20:21:27","date_gmt":"2019-01-22T02:21:27","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1239"},"modified":"2019-01-21T20:21:27","modified_gmt":"2019-01-22T02:21:27","slug":"escam-qf100-uart","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2019\/01\/escam-qf100-uart\/","title":{"rendered":"ESCAM QF100 &#8211; UART"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.jedge.com\/images\/QF100_stock.jpg\" width=\"250\" height=\"250\" class=\"alignleft size-full\" \/>Please see the original post on <a href=\"http:\/\/www.jedge.com\/wordpress\/2018\/11\/ip-camera-security\/\" rel=\"noopener\" target=\"_blank\">IP Camera Security<\/a> before reading the rest of this post.<\/p>\n<p>Based on <a target=\"_blank\" href=\"http:\/\/www.jedge.com\/wordpress\/2018\/11\/ip-camera-security\/#comments\">comment #1<\/a> by Carlo, UART exists on his Hi3518 wifi cameras. He also mentions the default password of &#8220;zg2014&#8221; for both of his cameras. A Google search for that password reveals other Hi3518 cameras, including the Mustcam H809P, which has detailed images posted on a forum. This camera board is very different from the ESCAM QF100, but examining the traces from the SoC to the documented TX\/RX on the Mustcam shows potential UART on the QF100. I was off by a couple of pins based on my attempt in the <a href=\"http:\/\/www.jedge.com\/wordpress\/2018\/11\/ip-camera-security\/\" rel=\"noopener\" target=\"_blank\">original post<\/a>.<br \/>\n<!--more--><br \/>\nThe forum describing the Mustcam H809P has two HiRes images of the camera&#8217;s board (<a href=\"http:\/\/www.jedge.com\/images\/mustcam_h809p_front.jpg\" rel=\"noopener\" target=\"_blank\">front<\/a> and <a href=\"http:\/\/www.jedge.com\/images\/mustcam_h809p_back.jpg\" rel=\"noopener\" target=\"_blank\">back<\/a>). 
Examining and comparing the traces leading from the SoC on the H809P to the UART and the same traces on the QF100 shows that they lead under the MicroSD card reader. Before I removed the reader I examined the bottom of the QF100 board and saw a potential header. I soldered four wires and connected them to the JTAGulator. Using the JTAGulator is a bit overkill since you can easily identify GND via a continuity test and VCC with the same voltmeter. After that it is just swapping the other two options for RX and TX with your UART-to-USB adapter. But I do have a JTAGulator and it is simple to use.<pre><code>. . . SNIP . . .\n&gt; v\nCurrent target I\/O voltage: Undefined\nEnter new target I\/O voltage (1.2 - 3.3, 0 for off): 3.3\nNew target I\/O voltage set: 3.3\nEnsure VADJ is NOT connected to target!\n\n&gt; u\n. . . SNIP . . .\nUART&gt; u\nUART pin naming is from the target&#039;s perspective.\nEnter text string to output (prefix with \\x for hex) [CR]:\nEnter starting channel [0]:\nEnter ending channel [2]:\nPossible permutations: 6\n. . . SNIP . . .\nTXD: 0\nRXD: 1\nBaud: 115200\nData: ..Unknown comman [ 0D 0A 55 6E 6B 6E 6F 77 6E 20 63 6F 6D 6D 61 6E ]\n------\nUART scan complete.<\/code><\/pre>Full <a href=\"http:\/\/www.jedge.com\/code\/ESCAM_QF100_IP_camera_UART_JTAGulator_log.txt\" rel=\"noopener\" target=\"_blank\">JTAGulator log<\/a>.<br \/>\nThis image shows UART on the ESCAM QF100.<br \/>\n<a href=\"http:\/\/www.jedge.com\/images\/ESCAM_QF100_UART_header.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.jedge.com\/images\/ESCAM_QF100_UART_header.png\" width=\"400\" height=\"244\" class=\"aligncenter size-full\" \/><\/a><br \/>\nConnect RX\/TX\/GND to your UART-to-USB adapter at 115200,8n1 and you have root access to the device.<br \/>\n<pre><code>U-Boot 2010.06 (May 17 2014 - 15:03:14)\n\nCheck spi flash controller v350... 
Found\nSpi(cs1) ID: 0xC2 0x20 0x18 0xC2 0x20 0x18\nSpi(cs1): Block:64KB Chip:16MB Name:&quot;MX25L128XX&quot;\nIn:&nbsp;&nbsp;&nbsp;&nbsp;serial\nOut:&nbsp;&nbsp; serial\nErr:&nbsp;&nbsp; serial\nHit any key to stop autoboot:&nbsp;&nbsp;0 \n16384 KiB hi_sfc at 0:0 is now current device\n\n## Booting kernel from Legacy Image at 82000000 ...\n&nbsp;&nbsp; Image Name:&nbsp;&nbsp; Linux-3.0.8\n&nbsp;&nbsp; Image Type:&nbsp;&nbsp; ARM Linux Kernel Image (uncompressed)\n&nbsp;&nbsp; Data Size:&nbsp;&nbsp;&nbsp;&nbsp;2134796 Bytes = 2 MiB\n&nbsp;&nbsp; Load Address: 80008000\n&nbsp;&nbsp; Entry Point:&nbsp;&nbsp;80008000\n&nbsp;&nbsp; Loading Kernel Image ... OK\nOK\n\nStarting kernel ...\n\nUncompressing Linux... done, booting the kernel.\nLinux version 3.0.8 (root@ubuntu) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #30 Tue May 27 21:58:10 CST 2014\nCPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177\nCPU: VIVT data cache, VIVT instruction cache\nMachine: hi3518\n. . . SNIP . . .<\/code><\/pre><br \/>\nThe full boot log can be found <a href=\"http:\/\/www.jedge.com\/code\/ESCAM_QF100_IP_camera_boot_log.txt\" rel=\"noopener\" target=\"_blank\">here<\/a>. Examining the log shows that the device spits out the HTTP username and password in cleartext as well as the WiFi ESSID and passphrase. NICE! Cracking the DES password hash for the root account found in <kbd>\/etc\/passwd<\/kbd> shows that the password is &#8220;123456&#8221;, just like on so many of these devices.<\/p>\n<p>Thank you Carlo for the hint!<\/p>\n<p><strong>Resources<\/strong><br \/>\n<a target=\"_blank\" href=\"https:\/\/ipcamtalk.com\/threads\/mustcam-h809p-720p-pan-tilt-wifi-camera-serial-pinout-and-investigation.11843\/\">https:\/\/ipcamtalk.com\/threads\/mustcam-h809p-720p-pan-tilt-wifi-camera-serial-pinout-and-investigation.11843\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Please see the original post on IP Camera Security before reading the rest of this post. 
Based on comment #1 by Carlo, UART exists on his Hi3518 wifi cameras. He also mentions the default password of &#8220;zg2014&#8221; for both of his cameras. A Google search for that password reveals other Hi3518 cameras including the Mustcam [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[163],"tags":[],"class_list":["post-1239","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1239"}],"version-history":[{"count":6,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1239\/revisions"}],"predecessor-version":[{"id":1245,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1239\/revisions\/1245"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}