Alarm.com ADC-v520IR

From Exploitee.rs
Revision as of 12:05, 8 June 2015 by Zenofex (talk | contribs)

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Alarm.com ADC-v520IR.

About

The Alarm.com ADC-v520IR is a network (Wi-Fi/Ethernet) camera with IR LEDs, provided by Alarm.com.

Disassembly

UART

A login console is presented on UART (3.3 V) at 38400 baud. The pinout for UART can be found below.

Exploitation

This device ships with an open U-Boot installation, meaning that with a UART adapter hooked up we can modify the default boot parameters. This opens the device to a technique called "Kernel Init Hijacking". The technique involves modifying the "init" boot argument, which, when passed to the kernel, specifies which program or script will handle the boot-up process after the kernel is loaded. By defining this variable as "/bin/sh" we tell the kernel to drop to a shell over UART after booting. This gives us temporary root access to the file system.

Kernel init Hijacking Instructions

  1. Connect a USB-to-TTL adapter to the camera's UART; the pinout is available on Exploitee.rs
  2. Press any key at the correct moment (during U-Boot startup) to enter the U-Boot shell
  3. Modify the kernel boot args:
    setenv bootargs root=/dev/mtdblock1 mem=80M console=1 rootfstype=squashfs user_debug=31 init=/bin/sh
    run bootcmd
  4. Finish the boot-up manually:
    /etc/init.d/rcS
  5. Add a new user with:
    adduser -h /mnt/ramdisk -s /bin/sh -g "" -H username
  6. Modify the new user's uid and gid to root's (set 1000:1000 to 0:0 in passwd for the new user)
  7. Reboot!
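
The procedure above depends on two conditions a firmware engineer can check for: a kernel command line carrying an init= override, and a U-Boot autoboot that can be interrupted from the console. The script below is an added example, not code from Exploitee.rs or from the device firmware; the function names and sample inputs are constructed, and it assumes a mainline-style U-Boot in which bootdelay=-2 autoboots without checking for an abort key.

```shell
#!/bin/sh
# Added example (not from the original page): flag the two conditions the
# write-up relies on, an init= override and an interruptible U-Boot autoboot.

# check_cmdline "<kernel command line>": one finding per line, empty if clean.
check_cmdline() {
    set -f                                  # no glob expansion while splitting
    for arg in $1; do
        case "$arg" in
            init=*|rdinit=*)
                target=${arg#*=}
                case "${target##*/}" in
                    sh|ash|bash|dash)
                        echo "ALERT: $arg runs a shell in place of init" ;;
                    *)
                        echo "NOTE: $arg is set explicitly, compare with shipped firmware" ;;
                esac ;;
        esac
    done
    set +f
}

# check_bootdelay "<fw_printenv-style text>": assumes mainline U-Boot semantics,
# where only bootdelay=-2 skips the abort-key check during autoboot.
check_bootdelay() {
    delay=$(printf '%s\n' "$1" | sed -n 's/^bootdelay=//p' | tail -n 1)
    case "$delay" in
        -2) ;;
        '') echo "WARN: bootdelay unset, compiled-in default applies" ;;
        *)  echo "WARN: bootdelay=$delay leaves the U-Boot prompt reachable over UART" ;;
    esac
}

# Constructed inputs: HIJACKED is the bootargs line from step 3 above;
# NORMAL and the two environment dumps are assumptions made for this demo.
HIJACKED='root=/dev/mtdblock1 mem=80M console=1 rootfstype=squashfs user_debug=31 init=/bin/sh'
NORMAL='root=/dev/mtdblock1 mem=80M console=1 rootfstype=squashfs user_debug=31'
ENV_OPEN='bootdelay=3
baudrate=38400'
ENV_LOCKED='bootdelay=-2
baudrate=38400'

check_cmdline "$HIJACKED"
check_cmdline "$NORMAL"
check_bootdelay "$ENV_OPEN"
check_bootdelay "$ENV_LOCKED"
# On a live system the first check would read: check_cmdline "$(cat /proc/cmdline)"
```

A command-line check that runs on the device only records that the override happened, since whoever holds the shell can skip it; closing the U-Boot prompt is what removes the condition.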

Kernel init Hijacking Demo