In the previous post I’ve praised the Basler BIP2 IP cameras for their great hardware and software. But sometimes using the build in software is not enough and the hacker in me always wants to have administrator (root) access to all Linux systems I own, be it my Laptop, Router or just my ebook reader.
Finding a hole
The firmware of the camera is not intended to be accessed by the user. So there is no telnet/ssh interface.
Finding a serial port
First I hoped to find a serial port, which would allow me to communicate with the u-boot bootloader. Sadly, there is only a RS-485 interface in the back of the camera which I could not connect to my laptop. I also tried to probe the PCB which has a 4 pin connector, but there is no serial signal on it.
Probing the firmware update mode
My next step was to investigate firmware updates which can be uploaded via the web interface of the camera. Luckily Basler provides a firmware update for its BIP2 cameras on their webpage.
Cracking the ZIP file
The update file is called FW-3.5.0.bin and is a password encrypted ZIP archive.
$ unzip -l -v FW-3.5.0.bin
Length Method Date Time Name
-------- ------ ---------- ----- ----
260 Defl:X 2011-10-24 17:19 compcheck.sh
0 Stored 2011-10-24 17:19 data/
16 Stored 2011-10-24 17:19 data/bf.version
32768 Defl:X 2011-10-24 17:19 data/image.b_53.ubl.bin
849 Defl:X 2011-10-24 17:19 data/bf.sh
294912 Defl:X 2011-10-24 17:19 data/image.b_60.u-boot.bin
32768 Defl:X 2011-10-24 17:19 data/image.b_51.ubl.bin
1323 Defl:X 2011-10-24 17:19 data/check.awk
25436160 Defl:X 2011-10-24 17:19 data/usr.ubifs
32768 Defl:X 2011-10-24 17:19 data/image.b_55.ubl.bin
425984 Defl:X 2011-10-24 17:19 data/image.b_25.u-boot.bin
393216 Defl:X 2011-10-24 17:19 data/image.b_1.ubl.bin
1307 Defl:X 2011-10-24 17:19 data/info.txt
294912 Defl:X 2011-10-24 17:19 data/image.b_78.u-boot.bin
32768 Defl:X 2011-10-24 17:19 data/image.b_57.ubl.bin
294912 Defl:X 2011-10-24 17:19 data/image.b_96.u-boot.bin
9 Stored 2011-10-24 17:19 info.txt
244 Defl:X 2011-10-24 17:19 Readme.txt
63490 Defl:X 2011-10-24 17:19 ReleaseNotes.txt
4957 Defl:X 2011-10-24 17:19 update.sh
27343623 20 files
The above investigation yields the structure of the encrypted zip archive. Unfortunately the password used to encrypt this file was vision01 which was to long to break via Brute-Force (it would have taken 10 days to check up to 8 characters even with GPU support).
Building our own firmware
Knowing that it was impossible to crack the password in reasonable time, I resorted to a new strategy: If we cannot crack the firmware update, why don’t we write a new unencrypted one?
It turns out that this is indeed possible! After some experimentation I found the minimal requirements for a BIP2 firmware upgrade:
- /info.txt Holds information which is displayed on firmware update
- /update.sh Shell script which is invoked on uploading the firmware and upgrade. The output of the script is printed on the web page.
- Some padding file which inflates the zip file size since the firmware upgrade web interface will complain if the file is too small.
Enable SSH via firmware update
This allows us to execute any command as root user. So after some experimentation I used this way to enable the Dropbear SSH client on camera. The required steps are:
- Resetting the root password to a known value to allow remote logins
- Enable dropbear in /etc/default/dropbear
- Start dropbear service
Unfortunately it is not trivial to reset the root password since the passwd command reads from stdin, so there is no simple way to replace the password. For now, I’ve chosen the simplest way: Replacing /etc/passwd with a new file with known password.
If we incorporate all theses steps, update.sh looks like the following:
echo "This is a hacked update.sh script to enable Dropbear SSH"
echo "Arguments given to update.sh are:"
for ARG in $*
if . "/etc/bip.model"; then
echo "Failed to read environment"
# Reject non-root callers
if [ `id -u` != "0" -o `id -g` != "0" ]; then
echo "Script must be called by root:root\n"
# Save zip file name
[ -n "$2" ] && FWFILENAME="$2"
# Print out current ZIP file password
echo Firmware password: `cat /etc/fw_pwd`
echo "Old passwd content was:"
echo "Set root password to 'pass' by copying new password file..."
unzip -P "$FWP" -qo "$FWFILENAME" "passwd.new"
cp passwd.new /etc/passwd
echo "New passwd content is:"
echo "Activate SSH in config file..."
echo "NO_START=0" > /etc/default/dropbear
echo "Run dropbear SSH server..."
echo "Reenable camera application"
echo "Finished update script, close this window and reconnect to your camera now."
Generated firmware for SSH access
An example firmware can be found here.
Note that all changes made from this script are temporary because the root file system is mounted in RAM. So the camera goes back to normal after one power cycle.
Now you can ssh into your camera and play with it via
The authenticity of host '172.16.0.180 (172.16.0.180)' can't be established.
RSA key fingerprint is 88:24:f0:60:a6:a8:5c:a0:b6:5a:98:03:66:d4:63:3c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.180' (RSA) to the list of known hosts.
firstname.lastname@example.org's password: pass
BusyBox v1.17.3 (2010-11-15 09:01:13 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
Now go forth and play with your new camera. You mostly don’t have to fear to corrupt anything because the root file system is loaded from NAND to RAM during bootup.
root@Geutebrueck-xxxxxxx:~# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 215.44
Features : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Hardware : DaVinci DM368 BIP
Revision : 0000
Serial : 0000000000000000