This video demonstrates compromising a VStarcam CB73 security camera to reveal a hardcoded root password. Building on a previous video in which the firmware was extracted, this demonstration covers gaining access to the device's UART console, exploiting the U-Boot bootloader, and reverse engineering the firmware with strings and Ghidra to identify the program that generates the password file and ultimately recover the password. The presenter uses a range of hardware and software tools, showing a comprehensive approach to IoT device security analysis.
Accessing the UART Interface: A Precise Hardware Connection: The initial step involves gaining physical access to the security camera's UART (Universal Asynchronous Receiver/Transmitter) interface. This is achieved not through direct soldering, which could damage the board, but through the precise placement of PCBite probes onto the tiny test pads on the PCB. The presenter carefully locates the RX (receive) and TX (transmit) pins on the board using a datasheet for the camera's CPU (a chip from Entic). This datasheet provides a pinout diagram that helps in visually identifying the location of UART0 on the PCB. The presenter emphasizes the importance of precision, as these test pads are extremely small. A ground connection is also established using a readily available, larger ground point on the board rather than attempting to use a smaller, less accessible ground test pad. This practical approach avoids unnecessary complexity and ensures a stable connection. Once connected, the probes are linked to a USB-to-UART converter cable to enable communication between the computer and the security camera's internal system. This meticulous hardware interaction demonstrates the importance of physical access and precise manipulation in hardware hacking.
Exploiting the U-Boot Bootloader for Root Shell Access: After establishing a connection to the UART, the presenter leverages the security camera's U-Boot bootloader. This bootloader is a small program that initializes the system before loading the operating system. Crucially, it is found to be unlocked and readily accessible. Instead of attempting to bypass the login prompt directly, the presenter uses U-Boot's printenv command to view the environment variables. One critical variable, bootargs, defines how the system boots. This variable is currently configured to start the standard Linux boot process leading to the login prompt. The presenter modifies bootargs using U-Boot's setenv command so that the kernel starts /bin/sh (the Bourne shell) directly instead of the normal init sequence, thereby bypassing the login process entirely and providing immediate root shell access. This is a temporary change; the next time the device boots, it will revert to the default configuration unless the setenv command is executed again. This technique illustrates the vulnerability of unsecured bootloaders, a common entry point for attackers.
Firmware Reverse Engineering with Strings and Ghidra: Uncovering Password Generation: With root shell access (albeit a limited one at first), the presenter moves to reverse engineer the firmware. He uses the strings command to search for relevant keywords like "password" within the extracted firmware files. This leads to the discovery of a binary executable called encoder. Further examination of encoder using the strings command reveals strings matching the username ("vstarcam2017") and parts of the /etc/passwd entry. The presenter observes a format string (%s) indicating that a C function likely constructs the password file content dynamically. At this point, the powerful reverse engineering tool Ghidra is introduced to analyze the encoder binary in more detail. This detailed analysis allows the presenter to identify the function responsible for generating the password and constructing the /etc/passwd file. The use of both strings (a quick initial scan) and Ghidra (in-depth analysis) represents a systematic approach to uncovering hidden information within the firmware.
Deciphering the Hardcoded Password: From Reverse Engineering to Crack: Analyzing the encoder binary with Ghidra, the presenter pinpoints the function responsible for creating the password hash. The code reveals that the password is hardcoded, albeit indirectly. He identifies a variable containing the password's numeric representation (7102 and 2190). He hypothesizes, and subsequently proves, that these values are the ASCII bytes of the password stored in little-endian order, which read as "20170912" (year and month). The presenter doesn't directly extract the password as plain text. Instead, he generates candidate password strings based on his findings in Ghidra. These candidate passwords are then tested with the hashcat tool against the password hash extracted from /etc/passwd. Hashcat successfully cracks the password, confirming the presenter's interpretation. This process highlights the importance of understanding not just the data present, but also how it is processed and represented within the binary.
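The decoding step above, as an added example that is not the video's own code: the two immediates are reconstructed from the page's figures (hex bytes that read "7102" and "2190" left to right), rendered in both byte orders to produce hashcat candidates, and the hash field of a constructed /etc/passwd line is classified by its crypt prefix. The sample passwd entry and the placeholder hash are constructed, not the camera's.

```python
"""Turn the integer constants found in the encoder binary into password
candidates and identify the /etc/passwd hash scheme for hashcat."""
import struct
from typing import Dict, List, Tuple

# Constructed from the write-up: Ghidra displays these 32-bit immediates as
# hex whose bytes read "7102" and "2190" left to right, i.e. the big-endian
# view of ASCII stored little-endian.
ENCODER_WORDS: List[int] = [0x37313032, 0x32313930]

# Constructed sample entry with a placeholder md5crypt hash (not the camera's).
SAMPLE_PASSWD_LINE = "vstarcam2017:$1$PLACEHOLDERSALT$PLACEHOLDERHASH0000:0:0:root:/:/bin/sh"

# Crypt prefixes and the hashcat hash-mode number for each.
CRYPT_MODES: Dict[str, Tuple[str, int]] = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}

def word_to_ascii(word: int, byte_order: str = "<") -> str:
    """Render one 32-bit word as four ASCII chars; '<' little-, '>' big-endian."""
    return struct.pack(byte_order + "I", word).decode("ascii")

def candidates(words: List[int]) -> List[str]:
    """Candidate passwords from the constants: both byte orders and both word
    orders, printable results only, little-endian reading listed first."""
    out: List[str] = []
    for order in ("<", ">"):
        try:
            parts = [word_to_ascii(w, order) for w in words]
        except UnicodeDecodeError:
            continue  # bytes outside ASCII cannot be a typed password
        if all(p.isprintable() for p in parts):
            out.append("".join(parts))
            out.append("".join(reversed(parts)))
    return list(dict.fromkeys(out))  # de-duplicate, keep order

def passwd_hash(line: str) -> Tuple[str, str, str, int]:
    """Return (user, hash field, scheme name, hashcat mode) for a passwd line."""
    user, field = line.split(":")[:2]
    for prefix, (name, mode) in CRYPT_MODES.items():
        if field.startswith(prefix):
            return user, field, name, mode
    if len(field) == 13 and "$" not in field:
        return user, field, "descrypt", 1500  # classic DES crypt
    raise ValueError("unrecognised hash format")

def hashcat_command(line: str, wordlist: str = "candidates.txt") -> str:
    """Assemble the dictionary-attack command; hash.txt holds the hash field."""
    user, _digest, scheme, mode = passwd_hash(line)
    return f"hashcat -m {mode} -a 0 hash.txt {wordlist}  # {user}: {scheme}"
```

Write candidates() to candidates.txt and the hash field to hash.txt before running the printed command.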
Verification and Practical Implications: Securing the Access: The final step involves verifying the discovered credentials. The presenter unmounts the file system for safety, reboots the camera without interrupting the boot process (since the bootloader modifications were temporary), and successfully logs in using the discovered username ("vstarcam2017") and password ("20170912"). The presenter also notes that the default console output of the device is quite verbose, suggesting using SSH (by running inetd) as a cleaner way to interact with the device remotely. This successful login proves the accuracy of the reverse engineering process. This demonstration underscores the critical security implications of hardcoded credentials in IoT devices, emphasizing the need for stronger security practices in their design and development. The discovery and successful use of this hardcoded password highlight a significant vulnerability that could be exploited for malicious purposes.
Based on the transcript, the following tools were used:
Hardware tools: PCBite probes, an alligator clip, a USB-to-UART converter cable, and a microscope. The magnetic PCB holders included with the PCBite kit are also mentioned.
Software tools: strings, grep, and Ghidra to analyze the firmware and the encoder binary; hashcat to crack the hash taken from /etc/passwd; and printenv, setenv, boot, mount, strings, grep, file, and others used within U-Boot and the Linux environment. The transcript mentions that firmware extraction was performed in a previous video, but the specific tools used for that process are not detailed in this transcript.
The transcript doesn't use a single, specific term to describe gaining complete root access. The process is described in stages: connecting to the UART interface, modifying the U-Boot bootargs to obtain a root shell, reverse engineering the firmware to recover the password, and finally logging in with the recovered credentials.
Therefore, while no single term is explicitly used, the overall achievement could be described as gaining complete root access, achieving full root privilege, or obtaining full system control. The presenter doesn't use a technical term like "root shell" to refer to the entire process but to a specific phase.