v380-ipcam-firmware-patch

writable /etc/passwd done!

Open leonelhs opened this issue 3 years ago • 8 comments

I have installed the dropbear SSH server to get a remote shell. To be able to change the password on demand without patching again and again, I have moved the passwd and shadow files to the jffs2 rw partition and made a symbolic link pointing to the original files.

leonelhs, Nov 20 '21 11:11

> I have installed the dropbear SSH server to get a remote shell. To be able to change the password on demand without patching again and again, I have moved the passwd and shadow files to the jffs2 rw partition and made a symbolic link pointing to the original files.

And how did you do this exactly? Can you provide the shell commands you used?

rezamarzban, Apr 18 '23 04:04

OK, let's say you already have your mtd partitions dumped to your desktop environment. In my case I have named my partitions like this:

- mtd4_rfs: read-only partition (root file system)
- mtd5_usr: read-only partition (user files)
- mtd6_mvs: read-only partition (camera system)
- mtd7_ext: read-only partition (extended applications)
- mtd8_jsf: writable partition (configuration and settings files)

Browsing the mtd4_rfs partition, we can see the structure. Passwords are stored in the passwd and shadow files.

```
shell prompt$ ls -1hl mtd4_rfs/etc/
drwxr-xr-x 1 99 99 14 abr 20 2022 bak
drwxr-xr-x 1 99 99 7 nov 1 2021 dropbear
-rwxr--r-- 1 99 99 826 may 29 2018 fstab
-rw-r--r-- 1 99 99 46 feb 9 2017 group
-rw-r--r-- 1 99 99 84 feb 9 2017 host.conf
-rw-r--r-- 1 99 99 46 feb 9 2017 hosts
drwxr-xr-x 1 99 99 4 nov 7 2021 init.d
-rw-r--r-- 1 99 99 657 feb 9 2017 inittab
lrwxr-xr-x 1 99 99 9 may 29 2018 jffs2 -> /mnt/mtd/
-rw-r--r-- 1 99 99 23 may 30 2018 ld.so.conf
-rw-r--r-- 1 99 99 1022 feb 9 2017 mdev.conf
-rw-r--r-- 1 99 99 349 feb 9 2017 nsswitch.conf
lrwxr-xr-x 1 99 99 15 nov 7 2021 passwd
-rw-r--r-- 1 99 99 1.3K nov 8 2021 profile
lrwxr-xr-x 1 99 99 17 nov 22 2017 resolv.conf -> jffs2/resolv.conf
lrwxr-xr-x 1 99 99 15 nov 7 2021 shadow
drwxr-xr-x 1 99 99 3 jun 6 2018 sysconfig
```

The camera's Linux system will mount the mtd8_jsf partition as /mnt/mtd/. We move the passwd and shadow files to the mtd8_jsf partition, so we need to recreate the folder structure on our desktop machine.

At the same level as mtd4_rfs/:

```
shell prompt$ mkdir -p mnt/mtd/
shell prompt$ cp -r mtd4_rfs/ mnt/mtd/
```

Next, copy the password files to our new location.

```
shell prompt$ mv mtd4_rfs/etc/passwd mnt/mtd/passwd
shell prompt$ mv mtd4_rfs/etc/shadow mnt/mtd/shadow
```

Next, we have to create symbolic links pointing to the writable partition.

```
shell prompt$ cd mtd4_rfs/etc
shell prompt$ ln -s /mnt/mtd/passwd passwd
shell prompt$ ln -s /mnt/mtd/shadow shadow
```

Patch your new mtd4 and mtd8 (aka /mnt/mtd) into your firmware. We don't need to preserve the whole path "/mnt/mtd"; just patch mtd/* as mtd8, and later the Linux system will mount mtd8 as /mnt/mtd.

On the next boot, the system will find its passwd and shadow files as writable files, allowing the password to be changed.

```
drwxr-xr-x 1 99 99 14 abr 20 2022 bak
drwxr-xr-x 1 99 99 7 nov 1 2021 dropbear
-rwxr--r-- 1 99 99 826 may 29 2018 fstab
-rw-r--r-- 1 99 99 46 feb 9 2017 group
-rw-r--r-- 1 99 99 84 feb 9 2017 host.conf
-rw-r--r-- 1 99 99 46 feb 9 2017 hosts
drwxr-xr-x 1 99 99 4 nov 7 2021 init.d
-rw-r--r-- 1 99 99 657 feb 9 2017 inittab
lrwxr-xr-x 1 99 99 9 may 29 2018 jffs2 -> /mnt/mtd/
-rw-r--r-- 1 99 99 23 may 30 2018 ld.so.conf
-rw-r--r-- 1 99 99 1022 feb 9 2017 mdev.conf
-rw-r--r-- 1 99 99 349 feb 9 2017 nsswitch.conf
lrwxr-xr-x 1 99 99 15 nov 7 2021 passwd -> /mnt/mtd/passwd
-rw-r--r-- 1 99 99 1.3K nov 8 2021 profile
lrwxr-xr-x 1 99 99 17 nov 22 2017 resolv.conf -> jffs2/resolv.conf
lrwxr-xr-x 1 99 99 15 nov 7 2021 shadow -> /mnt/mtd/shadow
drwxr-xr-x 1 99 99 3 jun 6 2018 sysconfig
```

leonelhs, Apr 20 '23 21:04
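A pre-flash check for the layout described in the comment above, as an added example that is not part of the original thread: it confirms that etc/passwd and etc/shadow in the staged root file system are symlinks to /mnt/mtd/ and that the staged writable partition holds non-empty copies with a usable root entry. The function names and the two directory arguments (extracted rootfs, staged writable-partition content) are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a staged rootfs and writable partition before flashing.
# Assumed arguments (hypothetical layout): $1 = extracted rootfs (e.g. mtd4_rfs),
# $2 = staged content of the partition the camera mounts at /mnt/mtd.

check_link() {   # check_link ROOTFS JFFS NAME
    link="$1/etc/$3"
    want="/mnt/mtd/$3"
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"; return 1
    fi
    # The stored target is absolute on the camera, so compare the raw link
    # text instead of resolving it against the host's own /mnt/mtd.
    target=$(readlink "$link")
    if [ "$target" != "$want" ]; then
        echo "FAIL: $link -> $target (expected $want)"; return 1
    fi
    staged="$2/$3"   # where that on-camera path lives in the staging tree
    if [ ! -s "$staged" ]; then
        echo "FAIL: $staged missing or empty; logins would break after flashing"; return 1
    fi
    echo "OK: etc/$3 -> $target (staged copy present)"
}

check_root_entry() {   # check_root_entry JFFS
    # root must exist in passwd, and its shadow password field must not be
    # empty (an empty field means login without a password).
    grep -q '^root:' "$1/passwd" || { echo "FAIL: no root entry in passwd"; return 1; }
    pwfield=$(awk -F: '$1 == "root" { print $2 }' "$1/shadow")
    if [ -z "$pwfield" ]; then
        echo "FAIL: root missing from shadow or password field empty"; return 1
    fi
    echo "OK: root entry present with non-empty password field"
}

check_staging() {   # check_staging ROOTFS JFFS; non-zero on any failure
    rc=0
    check_link "$1" "$2" passwd || rc=1
    check_link "$1" "$2" shadow || rc=1
    if [ "$rc" -eq 0 ]; then
        check_root_entry "$2" || rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check.sh mtd4_rfs mnt/mtd
if [ "$#" -eq 2 ]; then check_staging "$1" "$2"; fi
```
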

Thank you very much for your guide. It would be better if patching were not needed, because flashing the firmware using patched files is a high-risk procedure and may brick the device due to any incompatibility.

I think that, to hide the device (V380 cam) behind NAT from online hackers who know its default username and password (root, gzhongshi), the best way is remote port forwarding to an online VPS using the "ssh -R ..." command with BusyBox or dropbear.

rezamarzban, Apr 21 '23 05:04

> I have installed the dropbear SSH server to get a remote shell. To be able to change the password on demand without patching again and again, I have moved the passwd and shadow files to the jffs2 rw partition and made a symbolic link pointing to the original files.

Again, how exactly did you install the dropbear SSH server on armv5tej (V380)? I ask this question because I searched the web for cross-compiling dropbear but did not find anything useful!

rezamarzban, Apr 23 '23 04:04

Finally, I compiled and made a release of a statically linked OpenVPN binary for the V380 camera:

Repository: https://github.com/marzban2030/armv5tej-OpenVPN

Release: https://github.com/marzban2030/armv5tej-OpenVPN/releases/download/armv5tej-bin/openvpn

Its file size is approximately 5MB and it needs a microSD card inserted in the V380 cam.

With OpenVPN, anyone can set up a private network over the internet and access all features of the V380 camera.

rezamarzban, Apr 23 '23 20:04

Also I released OpenSSH for V380 cam:


https://github.com/marzban2030/armv5-OpenSSH

rezamarzban, Apr 24 '23 15:04

@marzban2030 In order to compile dropbear, I built a toolchain using https://buildroot.org. I don't remember if I had to patch the sources; let me know if you have problems building it. Here is my repo with the dropbear armv5tej binary, and the toolchain is there too: https://github.com/mucephi/anyka_ak3918_kernel.

I think firmware customization is not feasible without patching the ROM, because squashfs file systems are designed to be read-only.

BTW, I will try your OpenVPN release later. I think it's a wonderful idea to have a VPN running on the camera.

leonelhs, Apr 24 '23 18:04

Very good, there are useful things in your repository: dropbear, edge, tun.ko, ... I will try these later, because my brain is tired after the past two days of cross-compiling OpenVPN and OpenSSH for armv5 devices. Cross-compiling OpenSSH will bang your brain against the wall! But it is a useful thing and has no limits when working with read-only squashfs firmwares.

OpenSSH is more stable and faster than dropbear. Also, OpenSSH is a great project with many features and options.

OpenVPN has more limitations when working with read-only squashfs firmwares. Anyway, if you want to try my OpenVPN release, don't forget to cross-compile it with a newer version of the OpenSSL library, because my release of OpenVPN is cross-compiled with the oldest version of the OpenSSL library.

Recently, I have become interested in wolfSSH, which is a small, fast, portable SSH and is used by the Air Force.

rezamarzban, Apr 24 '23 19:04