DroneView WiFi Camera, Part 3

Written 2017-01-01

Tags:DroneView UART Serial WiFi 

This one time, I just took the darned thing apart

A third pass at the previous two posts.

Serial Config

Felipe says the default baudrate for HiSilicon Hi3518 IP Cams is 115200 Baud, 8N1


Only connect RX, TX, and GND. Additionally, the PCB test points are not quite 0.1 inch pitch, so I had to bend some pins to get it to connect. Additionally, the 3.3V port does not seem very useful, as it appears the device will become confused if supplied directly with 3.3V without 3.7V from the lithium battery pack. I suspect the WiFi radio is powered from 3.7v. After a little solder and knifework, I have a functional serial port.

Serial Port Mod

Sadly I did not photograph it before reassembly. It is simply solder and hot glue for strain relief.

Rooting the Device Locally

Stop the device very early during startup, and append init=/bin/sh to the boot arguments, then do the normal SPI boot.

Hit any key to stop autoboot: 1 ^H^H^H 0
hisilicon #
hisilicon # setenv bootargs mem=42M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:1M(boot),2944K(kernel),10112K(rootfs),1280K(config),64K(key) init=/bin/sh
hisilicon # sf probe 0;sf read 0x82000000 0x100000 0x300000;bootm 0x82000000
...system boots here...
# cat /etc/passwd

Preparing a backdoor

In UNIX, a second user account may be added with the same user-ID. This is easily prepared using openssl

rsaxvc@x220:~$ openssl passwd -1
Verifying - Password:

Adding a backdoor

Previously, we created our backdoor, now we install it using pipes. I show a demo yoursalt - 1111 hash, but you should use the result from OpenSSL.

# cat /etc/passwd
# echo 'rsaxvc:$1$yoursalt$1111111111111111111111:0:0::/root:/bin/sh' >> /etc/passwd
# cat /etc/passwd
# mount / -o remount,ro
# sync

Cracking the network password

rsaxvc@rsaxvc:~/code/john-1.8.0/run$ nice nice ./john ~/passwd
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ev1324 (root)
1g 0:00:20:12 3/3 0.000824g/s 104157p/s 104157c/s 104157C/s ev199c..ev1r10
Use the "--show" option to display all of the cracked passwords reliably
Session completed
rsaxvc@rsaxvc:~/code/john-1.8.0/run$ telnet
Connected to
Escape character is '^]'.
ipc login: root
Welcome to HiLinux.
None of nfsroot found in cmdline.

Next Steps