Wednesday, 11 March 2015

Sunluxy DVR mkII - telnet & root password

Just a quick update on the Grain Media supplied firmware for the new Sunluxy DVR. Unsurprisingly for a cheap bit of kit like this, the security is rather wanting. Everything runs as root and of course telnet is available.

Escape character is '^]'.

GM login: root
Password:
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/





BusyBox v1.19.4 (2014-05-28 09:56:23 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

[root@GM]# cat /etc/passwd
root:N.lbMktxdQ76A:0:0:root:/:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
[root@GM]#

The root password is trivial to crack using John the Ripper. Now, it would be irresponsible for me to post the password here, but I can't help what people put in the comments ;-) Suffice to say, the password wasn't a surprise and consisted of two upper case letters (hmm I wonder what those could be, eh Grain Media?) followed by four numbers. 

At least with this version of the Sunluxy it is feasible to start making modifications to the file system and make it more secure. In the next post I'll look into updating the firmware by resetting the password and possibly a few other tweaks. I might even see if I can make the process simpler than I did in the last post.
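As a starting point for that hardening, here is an added example (not code from the original post or from the firmware): a small Python audit that flags the weaknesses visible in the /etc/passwd listing above, namely a legacy DES crypt hash stored inline and service accounts with login shells. The function names, the shell list and the abridged sample input are assumptions made for this example.

```python
import re

# Sample input: the /etc/passwd from the telnet session above, abridged.
SAMPLE_PASSWD = """\
root:N.lbMktxdQ76A:0:0:root:/:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
nobody:x:99:99:nobody:/home:/bin/sh
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3): 2 salt + 11 hash chars
MODULAR = re.compile(r"^\$([0-9a-z]+)\$")       # $1$ md5, $5$ sha256, $6$ sha512, ...
LOGIN_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}  # assumed list of interactive shells

def classify_hash(field):
    """Return a label for the password field of a passwd entry."""
    if field == "":
        return "empty"            # no password required at all
    if field in ("x", "*") or field.startswith("!"):
        return "none-inline"      # shadowed or locked: no hash in this file
    if DES_CRYPT.match(field):
        return "des-crypt"
    m = MODULAR.match(field)
    return f"modular-{m.group(1)}" if m else "unknown"

def audit_passwd(text):
    """Return a list of (user, finding) tuples for one passwd file's contents."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue              # skip blank or malformed lines
        user, pw, uid, _gid, _gecos, _home, shell = parts
        kind = classify_hash(pw)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind != "none-inline":
            findings.append((user, f"{kind} hash stored in passwd, not in a shadow file"))
        if kind == "des-crypt":
            findings.append((user, "DES crypt: only first 8 password chars count"))
        if uid != "0" and shell in LOGIN_SHELLS:
            findings.append((user, f"service account has login shell {shell}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Running the same audit against the modified file system shows whether the root entry has moved to a stronger hash format and whether the service accounts have lost their shells.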

18 comments:

  1. I have a very cheap DVR 8ch 720p. On telnet connection I see:

    Escape character is '^]'.

    GM login:

    I think that the firmware is very similar to yours. Unfortunately I cannot find the password. GM followed by "common" four numbers does not work. I also have another DVR (previous version); even then I could not find the password.

    On the previous DVR I also tried to connect to the serial port; unfortunately, after the U-Boot boot screen I do not get any other characters, even though the DVR starts normally.

    On this new DVR, I cannot find the serial port. I wish I could add RTSP support to make the DVR more usable.

    Could you help me?

    Anyway great blog ;-)

    Replies
    1. Which one did you find? The serial port or the password? Or both? :)

    2. The password on the new DVR :-)

      On the old DVR I am now trying to dump the memory.

    3. BTW, for your older dvr, not sure if you've seen this post? http://reversatronics.blogspot.co.uk/2013/10/sunluxy-dvr-backdoor.html - check the comments for the password ;-)

    4. GI EM and the four numbers are? 1 to four?

  2. This comment has been removed by the author.

  3. I bought 300 of them in stock.
    I have the same hash but John is taking too much time.
    Can you help me?
    That would be a huge help.

  4. Where is the telnet password, please?

  6. I have the 8286_8AHD_V1.0 model, same prompt as yours. Trying the older password does not work. Could you please share what the password is? My John is still running, checking your hash.

    Replies
    1. Finally, my John got the password after 5 days.
      And now I can recover the 'admin' password from telnet access. Thanks for the hash!

    2. This comment has been removed by the author.

  7. Would you please tell me what the GM password is? I tried everything and still can't guess it.

    Replies
    1. My 8ch Sunluxy is "root" and "juantech". Hope this helps.

  8. Please, how do I use John the Ripper on embedded Linux? Thanks...

  9. WHAT IS Password telnet in GM LOGIN ??
    PLEASE I NEED IT NECESSARY

  10. If anyone has the password and username for the Pyxel h264 DVR with the telnet login "GM LOGIN", in order to reset the password,
    PLEASE share it, I really need it.
