Wednesday 11 March 2015

Sunluxy DVR mkII - telnet & root password

Just a quick update on the Grain Media-supplied firmware for the new Sunluxy DVR. Unsurprisingly for a cheap bit of kit like this, the security is rather wanting. Everything runs as root and, of course, telnet is available.

Escape character is '^]'.

GM login: root
Password:
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/
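
As an added example (not from the original post, and not code from the Grain Media firmware), here are the checks a reviewer would run against an extracted root filesystem to confirm the two observations above: whether a telnet daemon is started at boot and whether the root account's password hash sits in a world-readable /etc/passwd rather than /etc/shadow. The sample /etc/passwd, /etc/inittab and /etc/inetd.conf contents below are constructed for the illustration, including the placeholder hash; nothing in them was taken from the device.

```python
from typing import Dict, List

# Constructed sample files standing in for an extracted firmware rootfs.
# Illustrative only; none of this is the real Grain Media firmware, and the
# root hash is a placeholder, not a real digest.
SAMPLE_PASSWD = """root:$1$saltsalt$PLACEHOLDER_NOT_A_REAL_HASH:0:0:root:/root:/bin/sh
admin::0:0:admin:/:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
"""

# BusyBox-style inittab: id:runlevel:action:process (id/runlevel usually empty)
SAMPLE_INITTAB = """::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS0 115200 vt100
::respawn:/sbin/telnetd
::respawn:/usr/bin/dvr_app
"""

# Classic inetd.conf: service socktype proto flags user server args
SAMPLE_INETD = """# telnet stream tcp nowait root /usr/sbin/telnetd telnetd
ftp stream tcp nowait root /usr/sbin/ftpd ftpd
"""

NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split /etc/passwd into records; lines without the seven fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = parts
        records.append({"name": name, "pw": pw, "uid": uid, "shell": shell})
    return records


def audit_accounts(passwd_text: str) -> List[str]:
    """Flag passwordless logins, hashes left in passwd, and extra UID 0 accounts."""
    findings = []
    for rec in parse_passwd(passwd_text):
        can_login = rec["shell"] not in NOLOGIN_SHELLS
        if rec["pw"] == "" and can_login:
            findings.append(f"{rec['name']}: empty password field, login without a password")
        elif rec["pw"] not in ("x", "*", "!") and can_login:
            # "x" means the hash lives in /etc/shadow; "*" and "!" mean locked.
            findings.append(f"{rec['name']}: password hash kept in world-readable /etc/passwd")
        if rec["uid"] == "0" and rec["name"] != "root":
            findings.append(f"{rec['name']}: extra UID 0 account")
    return findings


def audit_services(inittab_text: str, inetd_text: str) -> List[str]:
    """Flag a telnet daemon started by init or inetd, and inetd services run as root."""
    findings = []
    for line in inittab_text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split(":", 3)
        # Everything init spawns runs as root; telnetd here means a root shell over telnet.
        if len(fields) == 4 and "telnetd" in fields[3]:
            findings.append(f"inittab starts telnet daemon at boot: {fields[3]}")
    for line in inetd_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if fields[0] == "telnet" or any("telnetd" in f for f in fields):
            findings.append(f"inetd.conf enables telnet: {stripped}")
        if len(fields) >= 5 and fields[4] == "root":
            findings.append(f"inetd.conf runs {fields[0]} as root")
    return findings


def audit_rootfs(passwd_text: str, inittab_text: str, inetd_text: str) -> List[str]:
    """Combined report for one extracted root filesystem."""
    return audit_accounts(passwd_text) + audit_services(inittab_text, inetd_text)


if __name__ == "__main__":
    for finding in audit_rootfs(SAMPLE_PASSWD, SAMPLE_INITTAB, SAMPLE_INETD):
        print(finding)
```

On the constructed samples the script reports the root hash stored in passwd, a passwordless second UID 0 account, telnetd respawned from inittab, and an inetd service running as root; the commented-out inetd telnet line is correctly ignored. Against a real dump you would feed it the files pulled from the unpacked rootfs instead of the inline strings.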


Sunday 1 March 2015

Sunluxy DVR mkII - quick firmware mod investigation

The last post in this series saw the firmware being dumped from the device. This post looks at the format of the data and some annoyances that were encountered while trying to write a modified image back to the device.

One of the first things I tend to do whenever I'm investigating a file is to generate an entropy plot. This habit developed from years of reverse engineering malware samples, where a simple entropy plot would tell you a lot about the next steps you'd probably be taking. For instance, packed executables look significantly different to non-packed samples, and files with appended data (think self-extracting archives or tools such as AutoIT) carry their interesting functionality in that appended data, which lives outside the regions described by the section table. These are just two basic examples, but I can't stress enough how useful these graphs can be.
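
The calculation behind such a plot, as an added example rather than code from the original post: Shannon entropy is computed over fixed-size blocks of the image, and runs of similarly scored blocks are merged into regions. The thresholds (7.5 bits and above for compressed or encrypted data, 1.0 bit and below for padding) and the sample image are my assumptions, constructed here so the script runs offline; a real dump would be read from the file produced in the previous post.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte:
    0.0 for a constant block, 8.0 when all 256 values are equally frequent."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(data: bytes, block_size: int = 256) -> List[float]:
    """Score consecutive non-overlapping blocks; this list is what an entropy plot draws."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def label(entropy: float, high: float = 7.5, low: float = 1.0) -> str:
    """Coarse classification of one block (thresholds are assumptions, tune per image)."""
    if entropy >= high:
        return "compressed/encrypted"
    if entropy <= low:
        return "padding/constant"
    return "code/structured data"


def regions(data: bytes, block_size: int = 256) -> List[Tuple[int, int, str]]:
    """Merge runs of equally labelled blocks into (start_offset, end_offset, label)."""
    out: List[Tuple[int, int, str]] = []
    for idx, e in enumerate(entropy_profile(data, block_size)):
        start = idx * block_size
        end = min(start + block_size, len(data))
        lbl = label(e)
        if out and out[-1][2] == lbl:
            out[-1] = (out[-1][0], end, lbl)
        else:
            out.append((start, end, lbl))
    return out


# Constructed sample image (not a real firmware dump):
#   1 KiB of zero padding                      -> entropy 0.0
#   2 KiB of repeated ASCII text               -> mid-range, like uncompressed code/strings
#   2 KiB where every byte value occurs equally -> exactly 8.0, like a compressed payload
SAMPLE_IMAGE = (
    b"\x00" * 1024
    + (b"The quick brown fox jumps over the lazy dog. " * 46)[:2048]
    + bytes(range(256)) * 8
)

if __name__ == "__main__":
    for start, end, lbl in regions(SAMPLE_IMAGE):
        print(f"{start:#08x}-{end:#08x}  {lbl}")
```

The three regions come out as padding, text and a flat-distribution payload, which is the shape you look for in a real image: a high-entropy block right after a low-entropy header usually means a compressed kernel or root filesystem, and the boundary offsets tell you where to cut.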

Back to the task at hand, the dumped firmware. The entropy plot looks like this: