Jump to content

supa

Members
  • Content Count

    3
  • Joined

  • Last visited

Everything posted by supa

  1. Can you post a picture of the DVR motherboard? There may be another way to get into it without flashing the firmware, plus it may reveal the OEM board number. While they do use similar boards, I've tried on my Zmodo DVR to run an alternative firmware and have failed at doing so, it seems there are slight changes between brands and due to the way the DVR firmware is written, a lot of stuff is hardcoded and if there is even the simplest difference it will fail to work. I've rooted my zmodo dvr but can't seem to get RTSP to work, but I'm getting closer... all i want is RTSP so I can get rid of that stupid ActiveX ****.
  2. supa

    Which DVR for getting shell access?

    Mind posting what DVR/NVR model numbers you are looking into getting as well as if you can find some type of firmware update image for them? Also, be aware that there are many IP camera's that run the EXACT same ARM CPU's as the DVR's, using the same insecure HighEasy Linux distro/SDK, not only that they inherit some of the same instability issues as the Chinese DVR's sold. I'd be curious to look at the firmware and see if I can find a method to get into them. Out of the 4 different brand DVR's I've tried, I was able to obtain root on all 4 using similar methods, one of them was just a pathetic oversight, it allowed updating by sending the correct commands to the DVR's remote command server to imitate an ftp_get of a file named update.tar.gz and then extract it to / and reboot the DVR automatically. All i had to do was make a file update.tar.gz with /etc/passwd in it and bingo, I had telnet access. I'd rather not specify what model/manufacturer it is, I have contacted them and have a fixed firmware update for it that they will be releasing, so I'm not going to reveal too much for the sake people with the DVR as I know people love messing with DVR's (4chan, etc).
  3. I got my hands on a Zmodo DVR that also had UART console blocked, I'm guessing they've done it at the kernel level because I can't seem to get it enabled by any means. I did however get into the telnet server, basically to cut a long story short, you need to just make an update file that sends a new /etc/passwd with your own MD5 hash as the root password and then boom, you're in. This is super easy for the DVR's that use a tar.gz update, but the ones that do a full jffs/yaffs2 flash are a bit trickier I imagine, but its surely not impossible, I just don't have one to test and come up with a proper procedure on how to do it. None of the images use any sort of update signing...so even if they did try to patch this method and just get rid of the telnet server, it would be possible to still put it back via a patched update. If you guys are still interested I'd be willing to write a tutorial/blog on how to do it. The best part is, I was able to give myself http access to the raw DVR recordings & now im working on a smb fix so the file sharing works with Windows 7, no wonder it doesn't work - the samba binaries look to be abou 8 years out of date...
×