Momentum axel-720p

From Exploitee.rs
Revision as of 19:52, 24 April 2018 by Rchase (talk | contribs)
Jump to navigationJump to search

Telnet to Root via SD card custom firmware upgrade

1. Download Hikvision packer/unpacker (to Linux PC):

https://ipcamtalk.com/threads/mcr-hikvision-packer-unpacker-for-5-3-x-and-newer-firmware.15710/

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8%20build%20170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw

4. cd newfw

5. unsquahsfs app.img

6. cd squashfs-root

7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)

8. cd ..

9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148

10. rm -rf squashfs-root

11. ./hikpack -t r0 -p ezviz.dav -o newfw

12. Copy ezviz.dav to SD card

13. Insert SD card to camera

14. Reboot camera

15. Log in to telnet with root/EHLGVG


  • NOTE: This works because the current version of the firmware checks for the existence of 'ezviz.dav' when booting up. Also, the root password is hard-coded to all devices.