Just a quick update on the Grain Media supplied firmware for the new Sunluxy DVR. Unsurprisingly for a cheap bit of kit like this, the security is rather wanting. Everything runs as root and of course telnet is available.
Escape character is '^]'.
GM login: root
Password:
Welcome to
_____ __ ___ __ ___ _ _ _
| ___| / \ / __ \ / \ | _ \ / \ \ \ / /
| |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V /
| ___|| |__| | | _ / | |__| | | | | | | |__| | \ /
| | | __ | | | \ \ | __ | | |_/ / | __ | | |
|_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_|
For further information check:
http://www.faraday.com/
BusyBox v1.19.4 (2014-05-28 09:56:23 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
[root@GM]# cat /etc/passwd
root:N.lbMktxdQ76A:0:0:root:/:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
[root@GM]#
Escape character is '^]'.
GM login: root
Password:
Welcome to
_____ __ ___ __ ___ _ _ _
| ___| / \ / __ \ / \ | _ \ / \ \ \ / /
| |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V /
| ___|| |__| | | _ / | |__| | | | | | | |__| | \ /
| | | __ | | | \ \ | __ | | |_/ / | __ | | |
|_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_|
For further information check:
http://www.faraday.com/
BusyBox v1.19.4 (2014-05-28 09:56:23 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
[root@GM]# cat /etc/passwd
root:N.lbMktxdQ76A:0:0:root:/:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
[root@GM]#
The root password is trivial to crack using John the Ripper. Now, it would be irresponsible for me to post the password here, but I can't help what people put in the comments ;-) Suffice to say, the password wasn't a surprise and consisted of two upper case letters (hmm I wonder what those could be, eh Grain Media?) followed by four numbers.
At least with this version of the Sunluxy it is feasible to start making modifications to the file system and make it more secure. In the next post I'll look into updating the firmware by resetting the password and possibly a few other tweaks. I might even see if I can make the process simpler than I did in the last post.
i have a very cheap DVR 8ch 720p. On telnet connection i see:
ReplyDeleteEscape character is '^]'.
GM login:
I think that the firmware is very similar to yours. Unfortunately I can not find the password. GM followed by "common" four number does not work. I also have another dvr (previous version) even then I could not find the password.
On previous dvr I also tried to connect to serial port, unfortunately after the boot screen of u-boot does not get other characters, even if the dvr start normally.
On this new DVR, I can not find the serial port. I wish I could add support RTSP to make dvr more usable.
Could you help me?
Anyway great blog ;-)
Ok... i found it ;-)
DeleteWhich one did you find? The serial port or the password? Or both? :)
Deletethe password on new dvr :-)
Deleteon old dvr now i try to dump the memory.
BTW, for your older dvr, not sure if you've seen this post? http://reversatronics.blogspot.co.uk/2013/10/sunluxy-dvr-backdoor.html - check the comments for the password ;-)
DeleteGI EM and the four numbers are? 1 to four?
DeleteThis comment has been removed by the author.
ReplyDeletei bought 300 of them in stock
ReplyDeletei have the same hash but john is taking to much time
can you help me
that wold be a huge help
where the telnet password please ?
ReplyDeletewhere the telnet password please ?
ReplyDeleteI have 8286_8AHD_V1.0 model, same prompt with your. Trying older password does not work. Could you please share what is the password ? My John still running for checking your hash.
ReplyDeleteFinally, my John got the password after 5 days.
DeleteAnd now i can recover the 'admin' password from telnet access. Thanks for the hash!
This comment has been removed by the author.
Deletewould you please tell me what the gm password is ????? i tried everything still cant guess it
ReplyDeletemy 8ch sunluxy is "root" and "juantech" hope this helps
DeletePlease, how to use john the ripper on linux embedded? Thanks...
ReplyDeleteWHAT IS Password telnet in GM LOGIN ??
ReplyDeletePLEASE I NEED IT NECESSARY
Conseguiu a senha do root?
DeleteSe alguém tenha a senha e usuario dvr Pyxel h264 om login telnet "GM LOGIN", para resetar a senha
ReplyDeletePOR FAVOR, compartilhe estou precisando e muito
hey man, você conseguiu a senha do telnet desse "gm Login"
Deletewhat is the telnet root password for GM LOGIN??????
ReplyDeleteGM8182
ReplyDeletePlease Send Me The Password Of Telnet ( GM Login ) it's Not GM8182 or juantech . i need it badly
ReplyDelete