Showing posts with label sunluxy. Show all posts

Wednesday, 11 March 2015

Sunluxy DVR mkII - telnet & root password

Just a quick update on the Grain Media supplied firmware for the new Sunluxy DVR. Unsurprisingly for a cheap bit of kit like this, the security is rather wanting. Everything runs as root and of course telnet is available.

Escape character is '^]'.

GM login: root
Password:
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/


Sunday, 1 March 2015

Sunluxy DVR mkII - quick firmware mod investigation

The last post in this series saw the firmware being dumped from the device. This post looks at the format of the data and some annoyances that were encountered while trying to write a modified image back to the device.

One of the first things I tend to do whenever I'm investigating a file is to generate an entropy plot. This habit developed from years of reverse engineering malware samples where a simple entropy plot would give you a lot of information about the next steps you'd probably be taking. For instance, packed executables would look significantly different to non-packed samples and files with appended data (think self-extracting archives or tools such as AutoIT) would have the interesting functionality contained in appended data (data that resides outside of the section tables). These are just two basic examples, but I can't stress how useful these graphs can be.
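The numbers behind such a plot can be produced with a few lines of Python. This is an added example, not code from the original post: it computes Shannon entropy per fixed-size block and merges neighbouring blocks into labelled regions. The block size, the 1.0 and 7.5 thresholds, the region labels and the sample data are all assumptions made for illustration.

```python
import hashlib
import math
import sys
from collections import Counter

BLOCK = 2048  # bytes per window; smaller windows give noisier estimates

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(h: float) -> str:
    """Rough buckets; the 1.0 and 7.5 thresholds are illustrative choices."""
    if h < 1.0:
        return "empty"   # padding, erased flash
    if h > 7.5:
        return "high"    # compressed, packed or encrypted
    return "plain"       # code, text, tables

def regions(blob: bytes, block: int = BLOCK):
    """Merge adjacent same-label blocks into (start, end, label) tuples."""
    out = []
    for off in range(0, len(blob), block):
        chunk = blob[off:off + block]
        label = classify(shannon_entropy(chunk))
        if out and out[-1][2] == label:
            out[-1] = (out[-1][0], off + len(chunk), label)
        else:
            out.append((off, off + len(chunk), label))
    return out

def constructed_sample() -> bytes:
    """Constructed stand-in for a dump: padding, text, random-looking data."""
    pad = b"\xff" * 4096
    text = (b"constructed plain-text region\n" * 137)[:4096]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(128))  # 4096 bytes, stands in for compressed data
    return pad + text + noise + pad

if __name__ == "__main__":
    # Pass a file path to scan a real image; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for start, end, label in regions(blob):
        print(f"0x{start:08x}-0x{end:08x}  {label}")
```

Region boundaries are only accurate to one block, so a transition found this way is a starting offset for closer inspection rather than an exact partition edge.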

Back to the task at hand, the dumped firmware. The entropy plot looks like this:


Tuesday, 17 February 2015

New Sunluxy DVR

A while ago I picked up a cheapo Sunluxy DVR but quickly discovered that it had a couple of nasty security issues. The device actually worked reasonably well as a DVR so I was keen to try and patch the issues by modifying the OS. Sunluxy didn't offer any firmware updates so modifying an existing update wasn't an option.

Cutting a long story short, I basically ended up breaking the device by manually writing to (apparently the wrong bit of) flash. U-boot is available so there is still a chance to recover the situation if I can find the correct flash image.


Wednesday, 23 October 2013

Sunluxy DVR backdoor

A couple of news items that recently caught my attention discussed backdoors found in network routers [1] [2]. I'll throw in something similar in case anyone is keeping track.

I picked up a Sunluxy CCTV DVR from eBay at the start of the year to record blue tits nesting in one of my bird boxes. Unfortunately both parents apparently succumbed to predation and the chicks perished but that is beside the point. The product itself was pretty good and unsurprisingly it has quite a few positive reviews on Amazon. Nothing unusual so far.

One thing that did annoy me slightly though was the way videos had to be exported. You had to manually export videos (to USB) on a day by day basis, which isn't really what I was after. I'd rather pull recordings for the last week or so over the network in one go but this didn't seem like an existing feature. Oh well, time to have a poke around!