IoT Hacking: Momentum IP Camera - Custom Firmware
Table of Contents
This post is part of a series:
II. Passive Recon
III. Active Recon
IV. Getting Root
V. Custom Firmware
One of the first things I wanted to do after getting a root login through the console was to enable network access over telnet or SSH. I found that I could start a telnet server with the BusyBox command ‘/bin/busybox telnetd’. This let me log in to the camera with PuTTY over telnet and ditch the console connection. But if the camera rebooted, its configuration was restored to default and telnet went away.
I tried to figure out why that was happening, and after some research I found that it is common for IoT devices to compress their configuration to save storage space, uncompressing it and overwriting the old configuration on each reboot. To get telnet to ‘stick’, I was going to have to figure out how to modify the firmware and load my customized firmware onto the camera.
I discovered two methods of loading firmware onto the camera, which I wrote about in the penetration test report.
Although I was able to load my own custom firmware, I still haven’t gotten it working yet. The firmware was easy to extract and modify with binwalk, for example, but putting it back together after modification seems to be the problem. When the device reboots into the new firmware, it is not able to mount it.
A community of IP camera firmware hackers has been helping me try to get it working, and we are still trying to figure it out.
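A repacked root filesystem that extracts fine but will not mount usually differs from the vendor image in a header field the kernel cares about: the compressor (a stock mksquashfs defaults to gzip, while many camera kernels are built with only LZMA or XZ support), the block size, the squashfs version, or simply the total size, which must still fit the flash slot the original occupied. The script below is an added example, not code from the original post or from any camera firmware project. It assumes the root filesystem is a squashfs 4.x image, scans a firmware image for the squashfs magic, decodes the superblock, and lists mount-breaking differences between a vendor image and a repack. The two images and the 4 MiB slot size are constructed in-script so it runs offline; point it at real files to compare what binwalk extracted with what you rebuilt.

```python
"""Compare the squashfs superblock of a vendor firmware image with a repack.

Added example, not from the original post. Assumes a squashfs 4.x root
filesystem; the two images and the slot size below are constructed stand-ins.
"""
import struct

SQUASHFS_MAGIC = 0x73717368          # "hsqs" little-endian, "sqsh" big-endian
# Compression ids as defined in the kernel's squashfs_fs.h
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# First 48 bytes of struct squashfs_super_block (v4); table pointers omitted
SB_FIELDS = ("magic", "inodes", "mkfs_time", "block_size", "fragments",
             "compression", "block_log", "flags", "no_ids",
             "s_major", "s_minor", "root_inode", "bytes_used")
SB_FMT = "IIIIIHHHHHHQQ"
SB_LEN = struct.calcsize("<" + SB_FMT)   # 48


def find_squashfs(image):
    """Return every offset at which a squashfs magic appears, either endianness."""
    hits = []
    for magic in (b"hsqs", b"sqsh"):
        pos = image.find(magic)
        while pos != -1:
            hits.append(pos)
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def parse_superblock(image, offset):
    """Decode the superblock at offset; byte order is taken from the magic."""
    endian = "<" if image[offset:offset + 4] == b"hsqs" else ">"
    values = struct.unpack_from(endian + SB_FMT, image, offset)
    sb = dict(zip(SB_FIELDS, values))
    sb["endian"] = "little" if endian == "<" else "big"
    sb["compressor"] = COMPRESSORS.get(sb["compression"],
                                       "unknown(%d)" % sb["compression"])
    return sb


def check_repack(vendor_image, new_image, slot_size=None):
    """List header differences that would stop the kernel mounting the repack.

    An empty list means the superblock looks compatible with the vendor one.
    slot_size is the size of the flash region the root filesystem lives in.
    """
    v_off, n_off = find_squashfs(vendor_image), find_squashfs(new_image)
    if not v_off or not n_off:
        return ["no squashfs superblock found in one of the images"]
    v, n = parse_superblock(vendor_image, v_off[0]), parse_superblock(new_image, n_off[0])
    problems = []
    if v_off[0] != n_off[0]:
        problems.append("squashfs offset moved: 0x%x -> 0x%x" % (v_off[0], n_off[0]))
    if v["endian"] != n["endian"]:
        problems.append("endianness: vendor %s, repack %s" % (v["endian"], n["endian"]))
    if v["compressor"] != n["compressor"]:
        problems.append("compression: vendor %s, repack %s (kernel needs that decompressor)"
                        % (v["compressor"], n["compressor"]))
    if v["block_size"] != n["block_size"]:
        problems.append("block_size: vendor %d, repack %d" % (v["block_size"], n["block_size"]))
    if n["block_log"] != n["block_size"].bit_length() - 1:
        problems.append("block_log %d does not match block_size %d"
                        % (n["block_log"], n["block_size"]))
    if (v["s_major"], v["s_minor"]) != (n["s_major"], n["s_minor"]):
        problems.append("squashfs version: vendor %d.%d, repack %d.%d"
                        % (v["s_major"], v["s_minor"], n["s_major"], n["s_minor"]))
    if slot_size is not None and n["bytes_used"] > slot_size:
        problems.append("bytes_used %d exceeds the %d-byte flash slot"
                        % (n["bytes_used"], slot_size))
    return problems


def _make_image(compression, block_size, bytes_used, header_len=32, endian="<"):
    """Constructed sample: a dummy vendor header followed by a squashfs 4.0
    superblock with zeroed table pointers. Header fields only, not mountable."""
    sb = struct.pack(endian + SB_FMT, SQUASHFS_MAGIC, 100, 0, block_size, 0,
                     compression, block_size.bit_length() - 1, 0xC0, 1, 4, 0,
                     0, bytes_used)
    return b"\xAA" * header_len + sb + b"\x00" * (96 - SB_LEN)


# Constructed stand-ins: an LZMA vendor rootfs, and a repack made with default
# mksquashfs settings (gzip, 1 MiB blocks) that has also outgrown its slot.
ROOTFS_SLOT = 4 * 1024 * 1024          # hypothetical 4 MiB rootfs partition
VENDOR_IMAGE = _make_image(compression=2, block_size=131072, bytes_used=3_000_000)
REPACKED_IMAGE = _make_image(compression=1, block_size=1048576, bytes_used=4_500_000)

if __name__ == "__main__":
    for line in check_repack(VENDOR_IMAGE, REPACKED_IMAGE, ROOTFS_SLOT) or ["header compatible"]:
        print(line)
```

The same fields are what `unsquashfs -s` prints for a real image; the point of scripting the comparison is to catch a compressor or block-size mismatch before flashing, when fixing it is a matter of re-running mksquashfs with `-comp` and `-b` set to the vendor's values.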