IoT Hacking: Momentum IP Camera - Custom Firmware

April 13, 2018 in Hacking

Table of Contents

This post is part of a series:

I. Intro

II. Passive Recon

III. Active Recon

IV. Getting Root

V. Custom Firmware

VI. The Penetration Test Report

Custom Firmware

One of the first things I wanted to do after getting root login through the console was to enable network access over telnet or SSH. I found out that I could enable telnet using the BusyBox command ‘/bin/busybox telnetd’. This allowed me to log in to the camera using PuTTY over telnet, so I could ditch the console connection. But I found that if the camera rebooted, its configuration was restored to default and telnet went away.

I tried to figure out why that was happening, and after some research I found out that it was common for IoT devices to compress their configurations to save space in storage, uncompressing and overwriting the old configuration upon each reboot. In order to get telnet to ‘stick’ I was going to have to figure out how to modify the firmware, and load my customized firmware onto the camera.

I discovered two methods to load the firmware, which I wrote about in the penetration test report.

Although I was able to load my own custom firmware, I still haven’t got it working. The firmware was easy to extract and modify, using binwalk for example, but putting the firmware back together after modification seems to be the problem. When the device reboots with the new firmware, it is not able to mount it.

There is a community of IP camera firmware hackers who have been helpful in trying to get it working, and we are still trying to figure it out.

https://ipcamtalk.com/threads/custom-initrun-sh-firmware-tools-not-working.28054/#post-266717
