seeker45

night owl dvr telnet default logon & password?????????

Recently purchased an LTE-DVR8 nightowldvr 8 channel. Can remote view, and somewhat remote admin, via netviewer and CMS. I am trying to telnet with the embedded OS but to no avail; cannot find the correct logon and password. Is anybody aware of a default logon and password for the Night Owl DVRs? Via PuTTY and Windows telnet I get this logon:

(none)logon:

password:

 

Been at this a few days, any suggestions will be greatly appreciated.


I ran a password cracker against mine via telnet for numbers 0-999999, nothing. Grabbed a firmware update and pulled out all the strings in it, found two that were root followed by a hash, cracked the first one, think it was changeit or something. Ran the second one for a month on a quad core box and got nothing, so it's a pretty good password.


These are the two that I extracted from the firmware.

root:$1$$hHm1qD.DyK9Xigb1sbKph.:0:0::/root:/bin/sh

root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

 

If you want I can send you my john output, it'll buy you a month.... but it could take years.....


Thank you for the hash, but I'm afraid I have very limited skills, one of the reasons I am pursuing this so I can educate myself further.

Thanks for the help


How did you establish your hashes in the firmware? Is it based upon a language, or is this just a simple text file?

Thank you for the link to Johnrip


I used a common Unix program called strings to get all the printable ASCII information from the firmware binary file.

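The firmware check described in the posts above (pull printable strings from the image, find passwd-style lines, identify the hash scheme), as an added example that is not code from any poster. The blob is constructed and embeds the two root entries quoted in the thread; all function names are hypothetical.

```python
import re

def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII, the way the Unix `strings` tool does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")

# user:hash:uid:gid:gecos:home:shell, the seven-field passwd(5) layout
PASSWD_RE = re.compile(r"([a-z_][a-z0-9_-]*):([^:\s]*):(\d+):(\d+):[^:]*:(/[^:]*):(/\S*)")
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme from the shape of the hash field."""
    if field in ("", "x", "*", "!"):
        return "none"                      # empty, shadowed or locked
    if field[:3] in SCHEMES:
        return SCHEMES[field[:3]]
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                  # 2-char salt + 11-char digest
    return "unknown"

def salt_of(field: str, scheme: str):
    if scheme == "descrypt":
        return field[:2]
    if scheme in ("none", "unknown"):
        return None
    # Modular crypt format: $id$[rounds=N$]salt$digest
    parts = [p for p in field.split("$")[2:-1] if not p.startswith("rounds=")]
    return parts[0] if parts else ""

def audit(blob: bytes):
    """Return one finding per passwd-style line embedded in the image."""
    findings = []
    for s in printable_strings(blob):
        for m in PASSWD_RE.finditer(s):
            scheme = classify_hash(m.group(2))
            salt = salt_of(m.group(2), scheme)
            issues = [msg for cond, msg in (
                (scheme in ("descrypt", "md5crypt"), "legacy hash scheme"),
                (salt == "", "empty salt"),
                (m.group(3) == "0" and scheme != "none", "uid 0 credential in image"),
            ) if cond]
            findings.append({"user": m.group(1), "scheme": scheme,
                             "salt": salt, "issues": issues})
    return findings

# Constructed sample: binary padding around the two entries quoted in the thread.
SAMPLE = (b"\x7fELF\x01\x00\x00root:$1$$hHm1qD.DyK9Xigb1sbKph.:0:0::/root:/bin/sh\n"
          b"\xff\xfe\x00root:ab8nBoH3mb8.g:0:0::/root:/bin/sh\n\x00\x13")
```

Calling `audit(SAMPLE)` reports the first entry as md5crypt with an empty salt and the second as 13-character DES crypt with salt `ab`; a fixed hash with a fixed or empty salt is identical on every unit that ships the same image.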

Thanks for that... I will be checking out Strings... I am too much Windows and need a hugely better understanding of Linux and its parent Unix.


If it's the same internals as the Swann DVR (I suspect it might be, since those password hashes match the ones in the Swann firmware), I have a method to get a login, albeit relying on opening the box:

https://twitter.com/velotester/status/282308635139395584

The Swann DVR has a TTL-serial interface (115200-8-n) on the board (see above). I connected up to this and you are able to break into the boot process with Ctrl-C as soon as it starts.

From there you can invoke runlevel one by:

setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 1

and then boot with

bootm 0x80100000

You might need to check those two lines for different boxes; if you issue the command printenv you'll see the bootargs and the boot address.

You'll now have a root login.

From here you can either call passwd to change the password, or if you want to retain the old one you can copy passwd to passwd~ and rename passwd- to passwd, which will leave you with the weak broken password "helpme".

You can now reboot and ssh in!

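What the bootargs line quoted in the post above tells the kernel, decoded: an added example (not the poster's code) that parses it into the flash partition map, resolves `root=1f01` to a partition, and reports the trailing init argument. It assumes `root=` is in the hex major/minor form, that major 31 is the Linux MTD block driver, and that init treats `1`, `s`, `S` and `single` the way sysvinit does; the function names are hypothetical.

```python
import re

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
PART_RE = re.compile(r"(-|\d+)([kmgKMG]?)\(([^)]+)\)(ro)?")
MTDBLOCK_MAJOR = 31                      # Linux major number of /dev/mtdblockN
KERNEL_FLAGS = {"ro", "rw", "quiet", "debug"}
SINGLE_USER = {"1", "s", "S", "single"}  # assumed sysvinit single-user arguments

def parse_bootargs(line: str):
    """Split a kernel command line into key=value options and init arguments."""
    opts, init_args = {}, []
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            opts[key] = val
        elif tok in KERNEL_FLAGS:
            opts[tok] = True
        else:
            init_args.append(tok)        # the kernel hands these on to init
    return opts, init_args

def parse_mtdparts(value: str):
    """'<mtd-id>:<size>(<name>),...' -> (mtd_id, partitions with offsets)."""
    mtd_id, _, spec = value.partition(":")
    parts, offset = [], 0
    for size, unit, name, ro in PART_RE.findall(spec):
        nbytes = None if size == "-" else int(size) * UNITS[unit.lower()]
        parts.append({"name": name, "offset": offset, "size": nbytes,
                      "read_only": bool(ro)})
        offset += nbytes or 0            # '-' (rest of flash) must come last
    return mtd_id, parts

def describe(line: str):
    opts, init_args = parse_bootargs(line)
    mtd_id, parts = parse_mtdparts(opts["mtdparts"])
    dev = int(opts["root"], 16)          # assumes the hex major/minor form
    major, minor = dev >> 8, dev & 0xFF
    on_mtd = major == MTDBLOCK_MAJOR and minor < len(parts)
    return {"flash": mtd_id, "partitions": parts,
            "root_device": f"mtdblock{minor}" if on_mtd else None,
            "root_partition": parts[minor]["name"] if on_mtd else None,
            "console": opts.get("console"),
            "single_user": any(a in SINGLE_USER for a in init_args)}

# The bootargs line exactly as quoted in the post.
BOOTARGS = ("mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 "
            "mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) "
            "busclk=220000000 1")
```

`describe(BOOTARGS)` maps the four partitions onto a 32 MiB flash, places the root filesystem on `mtdblock1` (the 12M `rootfs` partition), and flags the final `1` as a single-user boot request.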

I'm struggling with the same thing. I had an idea that I'm too scared to try. We know that the hash of the passwd- file is for "helpme". What if we just change the hash in the firmware upgrade .sw file to the hash with "helpme"? I'm just not sure how .sw files work. I'm guessing the length at least has to match, but one of the other partitions of the passwd file could be used as padding to make the files the same length. Anyone know if there's a chance this would work? I don't want to hose my dvr trying. In the meantime I'll be running john.

 

Also, has anyone tried calling their manufacturer and asking for the password? I doubt that would work, but it's a lot easier than these other methods.

Hey, Ivor. I'm trying to get a login to my Zmodo box and stumbled across this post after hammering away at the telnet login with Hydra for quite a while. I just got through taking the board out to see if I could identify the processor and come across pinouts to trace to the UART leads and can't seem to find any info on it, but it looks like my Zmodo board is very similar to the one you show.

 

Where did you get the TTL-to-USB adapter you're using? I have been following the advice in this guide as I am a software guy and have little experience in embedded systems:

http://www.linuxconf.eu/2007/papers/Sirotkin.pdf

 

He mentions this site, but I'm not quite certain what to look for:

http://www.compsys1.com/workbench/On_top_of_the_Bench/Max233_Adapter/max233_adapter.html

 

I suppose this will work:

http://www.amazon.com/Micro-SATA-Cables-Module-Converter/dp/B006JKNWLE/ref=sr_1_1?ie=UTF8&qid=1357011585&sr=8-1&keywords=ttl+to+usb

 

Thanks for any info. I think this board is a cool little specimen to mess around with embedded linux and maybe I can do something about the crappy web front end that requires ActiveX, but at a minimum, shell access to make backups of video vs. the crappy GUI interface will be great.


I don't want to rain too much on your parade, but even with telnet access, you might not be able to get what you want. I found my way into my Dahua, not much to look at once there. That said, the Dahuas have an SDK for Windows and Unix and Rory has made some great utilities that made me forget why I wanted to get in anyway.


Well, I got my hands on another zmodo/Raysharp firmware upgrade (they don't seem to publish any for my DVR) and although the image only contained upgrades to their software and lacked the full OS, strings in the app bin showed includes of some uclinux libs so I thought I might stand a chance at retrieving the existing image with UART and start hacking away.

 

If not, at least I can access the file system using telnet. Be much easier to copy videos over to a USB drive that way. Like I mentioned, the GUI makes that process really slow if you have a large set of files to retrieve.


I took apart the Lorex NVR280, there isn't a port like the one pictured in the Swann.

But there are two tiny ports, anyone know the pin outs of these, if they are serial ports?


I got my hands on a Zmodo DVR that also had UART console blocked, I'm guessing they've done it at the kernel level because I can't seem to get it enabled by any means. I did however get into the telnet server, basically to cut a long story short, you need to just make an update file that sends a new /etc/passwd with your own MD5 hash as the root password and then boom, you're in. This is super easy for the DVRs that use a tar.gz update, but the ones that do a full jffs/yaffs2 flash are a bit trickier I imagine, but it's surely not impossible, I just don't have one to test and come up with a proper procedure on how to do it. None of the images use any sort of update signing... so even if they did try to patch this method and just get rid of the telnet server, it would be possible to still put it back via a patched update.

If you guys are still interested I'd be willing to write a tutorial/blog on how to do it.

The best part is, I was able to give myself http access to the raw DVR recordings & now I'm working on a smb fix so the file sharing works with Windows 7, no wonder it doesn't work - the samba binaries look to be about 8 years out of date...


So I shelved this project for a while and am just getting back to it.

...you need to just make an update file that sends a new /etc/passwd with your own MD5 hash as the root password and then boom, you're in.

I think I was part way there before as I had retrieved an update file and installed some utilities to extract and mount it (can't recall specifics given it was months back), but I wasn't able to find an update file for my exact model. Maybe one will be present now. There was a pretty nasty exploit that they really should be releasing an update for anyway. If you even want to call it an exploit, the web front end was sending all the passwords in the system in plain text to that awful ActiveX plugin you're forced to use with IE 3 or whatever.

If you guys are still interested I'd be willing to write a tutorial/blog on how to do it.

That'd be great if you still have time, etc.

The best part is, I was able to give myself http access to the raw DVR recordings & now I'm working on a smb fix so the file sharing works with Windows 7, no wonder it doesn't work - the samba binaries look to be about 8 years out of date...

Yeah, I've been interested in playing with some embedded Linux hacking and this would be a great piece of hardware for it. I'd like to take a shot at completely replacing said activeX web UI with something more modern and standard, but that would definitely be a long term project for me, having little experience with video codecs, etc., and being very rusty in C (not to mention being busy w/ the day job).

 

It'd be a super fun project to start with a fresh, up-to-date ucLinux install and attempting to piece together my own front end.

 

Short-term, simply getting better access to the files as you mention would be great.

 

I'll check on obtaining a proper firmware upgrade for my machine. I was expecting to have to use a uart to get a root login and use dd to write out the existing image. I did get a serial-to-usb interface for that purpose, but didn't find the pinouts. I'm pretty n00b when it comes to electronics/hardware, though. My background is in software. There are a couple more likely spots I need to probe before calling UART a wash on it.

 

EDIT: Found the firmware image. Searching their knowledge base for my SKU turned up jack. I ended up finding a page describing the firmware update for another model:

http://kb.zmodo.com/index.php?action=artikel&cat=2&id=38&artlang=en

 

And was able to find a firmware image update for my machine (9108V) that was recently added at a parent dir I stripped from the other model's firmware URL:

http://files.zmodo.com/Firmwares/DVRs/

...This is super easy for the DVRs that use a tar.gz update, but the ones that do a full jffs/yaffs2 flash are a bit trickier I imagine, but it's surely not impossible

It looks like my zmodo falls into that category. Strangely, I had a script that simplified mounting a jffs image here in my home folder from where I was mounting that other model's image months back, and I thought I arrived at that fs type by using disktype, but it didn't identify this image as such.

 

Anyway, I successfully mounted it and used john to quickly verify that the backup passwd- file uses "helpme" for root on this zmodo. Got john cranking w/ its default word lists for ****s and giggles on the real passwd file, but I don't expect much. I might leave it overnight and throw some different word lists at it tomorrow, because I'd really like to crack the stock pw to simplify this for others.

I think I'll go ahead and try flashing this sucker w/ the modified image now. Assuming jffs is supported read/write and there's no risk there. If I brick it, oh well, been sitting here disassembled for months anyway.

These are the two that I extracted from the firmware.

root:$1$$hHm1qD.DyK9Xigb1sbKph.:0:0::/root:/bin/sh

root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

 

If you want I can send you my john output, it'll buy you a month.... but it could take years.....

 

FWIW, that 2nd one from passwd- is "helpme". So you brute forced for a month with no luck? What word lists, etc?


I don't mean to hijack the thread, so let me know if I should start my own thread.

I have a Zmodo DVR-9114V-4CH that I have been trying to set up in iSpyConnect, but can't seem to find a URL that will work to display the feed. My hopes were to try and reverse engineer the webserver on the DVR. I came across this thread because I just realized that telnet is enabled on the device but I too cannot access it (don't know what the password is). Any luck on cracking it? What about the update with just a password change, did that work? I'm kind of a novice when it comes to Linux but with Google I can usually figure it out.

Would there be any other way to reverse engineer the server? I notice that it runs minihttpd 1.19 and seems old enough that there might be some exploits that I could use to gain access too. Is my best route to getting the webroot stuff cracking the telnet password? I also have tried to find a full firmware file that contains the whole OS, but cannot seem to find it on the web.


Hello everyone! I have a Zmodo DVR D9104BH (SKU: DVR-H9104V). The mouse does not work on the DVR, so I cannot enter the menu. I have firmware to restore, but I don't know how to do it! I tested these codes, but they don't work either.

Please help me

 

Code:

setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 1

 

Code:

bootm 0x80100000


If you guys are still interested I'd be willing to write a tutorial/blog on how to do it.

 

The best part is, I was able to give myself http access to the raw DVR recordings & now I'm working on a smb fix so the file sharing works with Windows 7, no wonder it doesn't work - the samba binaries look to be about 8 years out of date...

Could you tell us more about this? I have the SBN8 and I would like to enable streaming like you did, did you ever make a tutorial?
