Serial Connection to Module

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.




Forgive my ignorance here, but I've got these diagrams for a module I have. I'm trying to dump a copy of the internal Linux and make backup copies of the MTD files. I've tried to Telnet but cannot seem to crack the password. So I'm attempting to try doing it with a serial connection (USB to UART/TTL/RS485/RS232 adapter). Though these diagrams are quite sloppy, for lack of better words, it seems I'm able to make out on port CN2 (top middle) that pins 1 and 2 are transmit and receive for UART1 and pins 3 and 4 are for UART2...Those UART2 wires are connected to a Pelco-D pan/tilt bracket (RS485; Baud: 9600) and it pans and tilts on command as expected. Checking these pins against the ground with a tester gives 3.3 V...My question is, should I be able to connect my USB adapter to these UART ports to access the camera's internal flash? I gave it a try on both the UART1 and the UART2 pins and connected with PuTTY, but all I get is a bunch of illegible characters...The characters do briefly change a bit when I click one of the pan/tilt buttons on the cam's web user interface, so I assume I'm just seeing an ASCII translation stream of the hex Pelco-D commands...

I'm just wondering if this is the type of UART port that I'm looking for, or is this some special type of UART port that's only for sending/receiving Pelco commands? If it should work, any advice on how to get to a usable command prompt instead of a constant stream of unreadable characters (I've tried reversing pins, different baud rates, shorting the TX/RX pins on start up, etc. and it doesn't help)... If these are special ports and not the UART that I'm looking for, any tips on where I may be able to find the correct one?

Thanks for any help! I'm a rookie at this stuff and this particular cam has proven to be a pain in the rear to "hack" into.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
So I'm attempting to try doing it with a serial connection (USB to UART/TTL/RS485/RS232 adapter)
Can you provide a link to the serial adapter (or camera module for that matter) or at least a model number / mfg? What are you using for a serial console (you likely need something different that can display binary / hexadecimal data in a useful way)?

Looking at the images in your post it looks like UART1 is using the VISCA protocol at 9600 baud and UART2 is using the Pelco D or P protocol. Neither of these resembles the serial console you were hoping for. Doubt either can flash the camera. It's possible holding the reset button when you apply power might enable tftp or a serial console but don't bet on it.

CN7 could have some potential but you'd have to level shift the USB to 5v. There are also a couple unlabeled connectors in the diagram that could be an ICSP or another UART serving up a console; you'd likely need some form of basic logic analyzer to chase that.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Can you provide a link to the serial adapter (or camera module for that matter) or at least a model number / mfg? What are you using for a serial console (you likely need something different that can display binary / hexadecimal data in a useful way)?

Looking at the images in your post it looks like UART1 is using the VISCA protocol at 9600 baud and UART2 is using the Pelco D or P protocol. Neither of these resembles the serial console you were hoping for. Doubt either can flash the camera. It's possible holding the reset button when you apply power might enable tftp or a serial console but don't bet on it.
CH340G:
That's the USB adapter I'm using. On the software side, I've tried PuTTY and also HTerm (which can display it in either ASCII, HEX, DEC, or BIN).

So it sounds like my best bet would be to search for another UART port on another circuit board inside the module? I wasn't sure if any UART port would work equally as well for connecting to the flash or if one UART port may let me access the flash while others will not.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
So it sounds like my best bet would be to search for another UART port on another circuit board inside the module? I wasn't sure if any UART port would work equally as well for connecting to the flash or if one UART port may let me access the flash while others will not.
Your best bet is just buying a better camera.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Your best bet is just buying a better camera.
True! I stick with Hikvision for my serious cameras. This is just a cheap module for me to play with and practice programming, creating custom firmware, etc. There's lots of fun stuff I can do with these cheap modules once I gain access to the internal flash. This one has proven to be extra difficult to find a path into. Especially since I'm not very well versed on UART serial connections. But I'm determined not to be defeated by a generic module :facepalm:
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
True! I stick with Hikvision for my serious cameras. This is just a cheap module for me to play with and practice programming, creating custom firmware, etc. There's lots of fun stuff I can do with these cheap modules once I gain access to the internal flash. This one has proven to be extra difficult to find a path into. Especially since I'm not very well versed on UART serial connections. But I'm determined not to be defeated by a generic module :facepalm:
UARTs aren't that complicated but can be frustrating. If it isn't obvious, TX on your USB adapter has to connect to RX on the camera and vice versa.

If you could read Chinese you might be able to find something that documents it more, but good luck with that. If you can identify the SoC and seek out documentation on it that would be a place to start.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
UARTs aren't that complicated but can be frustrating. If it isn't obvious, TX on your USB adapter has to connect to RX on the camera and vice versa.
I've got the TX-to-RX and RX-to-TX part down. Bigger issues for me are: 1. finding the ports, 2. actually figuring out a way to connect wire to these 1.25 mm pitch pins that I almost need a microscope to even see, and 3. interrupting the boot loader so I can get a usable command prompt.

If you could read Chinese you might be able to find something that documents it more, but good luck with that. If you can identify the SoC and seek out documentation on it that would be a place to start.
The board is Anjoy Vision (Anjvision) MC800S. The SoC is MSTAR/Sigmastar ssc338q... To which, by some miracle, I just found some English documentation for it that may prove to be helpful. Including this diagram:

ssc338q.JPG

Shows UART on the top right, and in the specs description below this has a line:
  • Three generic UARTs and one fast UART with flow control
Maybe we're on to something here? I'll have to disassemble the module and see if I can locate this board. Thanks for the tidbit on looking up the SoC as this looks like a step in the right direction.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Well, I think I found that board...Unfortunately, it's the same board whose ports are sticking out the top of the unit that I've been using. I found one other place on the back of the board that I believe to be a UART but I get the same kind of output that I've been getting:

putty.JPG
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
No idea if these cameras use this method, but one fairly common method to stop the boot loader (have to know what UART if any is listening) is to set a brick on your spacebar and reboot the embedded device. You may still need a bootloader password to do anything. Read the U-Boot documentation...
The USB interface has some potential but could be difficult. It's probably set up for TFTP; I'd focus on that.

Terminal output like your image above is fairly meaningless.

See Introduction - OpenIPC
SigmaStar Tool Usage - SigmaStarDocs
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Dumb question - presumably you've tried a selection of different baud rate settings?
Most common on a serial console is 115,200 N81
Yeah, unfortunately still a stream of unreadable characters.

Attached are some pictures of the top, side and bottom of the SoC board. I've labeled what I know.

1.JPG
2.JPG

3.JPG
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Also, for the record, I did a loopback test on my USB adapter and it properly echoes what I type, so I'm assuming there's no problem with it. Did a port scan and confirmed that port 23 Telnet is open, but no known telnet passwords seem to work. Was hoping the UART connection would let me dump the flash so I could view the password hash. Then I could attempt to crack it.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Update: While I still haven't gotten the serial connection to work, I was able to binwalk a firmware copy, and in the /etc folder is a file "passwd_sys" that has this root hash:

Code:
root:$1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1:0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
lp:*:5:7:lp:/var/spool/lpd:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/spool/mail:
news:*:10:12:news:/var/spool/news:
uucp:*:11:13:uucp:/var/spool/uucp:
operator:*:12:0:operator:/root:
games:*:13:100:games:/usr/games:
ftp:*:15:14:ftp:/var/ftp:
man:*:16:100:man:/var/cache/man:
telnetd:*:17:100:telnetd:/var/tmp:
nobody:*:65534:65534:nobody:/home:/bin/sh
Been running an unmodified john on it all day but it's yet to crack the root password.

Would be great if I could edit that file to a known hash and reflash the edited firmware, but not sure how to repack it. The original file is a .bin file with the following binwalk results:

Code:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1620          0x654           xz compressed data
2085116       0x1FD0FC        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11135812 bytes, 1327 inodes, blocksize: 262144 bytes, created: 2022-10-24 10:06:08
So I've got some progress toward getting into this thing, but still not a success.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
You might try to figure out if the hashes are salted first.

Ophcrack is likely much faster than JTR.
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
You might try to figure out if the hashes are salted first.

Ophcrack is likely much faster than JTR.
How would I be able to tell if they're salted or not? A web search gave me a forum post stating that MD5crypt was formatted $1$Salt$Checksum

So if that's the case, in my code:
"root:$1$yFuJ6yns$33Bk0I91Ji0QMujkR/DPi1:0:0:root:/root:/bin/sh"

blue part would be salt and the red part would be checksum. But I'm not very skilled at this stuff, so I'm really not sure exactly what I'm doing lol
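The $1$salt$checksum layout asked about above, as an added example (not code from the thread): it splits a passwd-style field into scheme, salt and checksum, and implements the $1$ MD5-crypt construction (the FreeBSD reference algorithm) so the role of the salt can be seen directly: a non-empty salt part means the hash is salted, and the same password with a different salt yields a different checksum. The passwords and salts used when exercising it are constructed values.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet

def parse_crypt(field: str) -> dict:
    """Split a $id$salt$checksum field into parts; a non-empty salt part means it is salted."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0]:
        raise ValueError("expected $id$salt$checksum")
    _, scheme, salt, checksum = parts
    return {"scheme": scheme, "salt": salt, "checksum": checksum, "salted": bool(salt)}

def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: 6 bits per character, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt ($1$), following the FreeBSD reference algorithm."""
    salt = salt[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(0, len(password), 16):  # feed len(password) bytes of the alternate digest
        ctx.update(alt[: min(16, len(password) - i)])
    i = len(password)
    while i:  # one byte per bit of the password length (NUL or first char)
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3: ctx1.update(salt)
        if i % 7: ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (b"$1$" + salt + b"$" + encoded).decode()

def verify(password: str, field: str) -> bool:
    """Recompute the $1$ field with its own salt and compare against the stored value."""
    info = parse_crypt(field)
    if info["scheme"] != "1":
        raise ValueError("only $1$ (md5crypt) is handled here")
    return md5crypt(password.encode(), info["salt"].encode()) == field
```

The 1000 fixed MD5 rounds are why md5crypt is considered weak today; sha512crypt, bcrypt or yescrypt would be used in a rebuilt rootfs.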
 

PTZ Freak

n3wb
Joined
Jan 7, 2023
Messages
23
Reaction score
2
Location
U.S.
Also, in case anyone wants to see what I'm working with, I've attached the firmware. The first is the original .bin file...Second file is a .zip of the files that were extracted from this .bin using binwalk (a program like 7z will let you click on the squashfs to view all the linux directories and files, including the "etc" folder where I found the password hash.) Maybe someone more experienced with this stuff can find something useful that would lead me in the right direction.

My goal here is to get the Telnet password so I can first make an emergency backup of the MTD blocks in case I ever brick the thing by screwing around with it...Then I can use my website-building experience to modify some of the HTML, JavaScript and CSS files to make the web browser user interface a little more user friendly and such. Then take it from there to see what else productive I can accomplish. Never dreamed it would be this much of a challenge to get into this thing, though. On one hand, it's too frustrating, yet on the other hand, I can't seem to let myself give up on it and accept defeat.
 


maffay

n3wb
Joined
Feb 6, 2023
Messages
1
Reaction score
0
Location
Earth
This should be the UART connector:
mc800.jpg

Once you have a working connection with the U-Boot shell, you can boot into Linux and create a backup.
You probably need to modify and repack the rootfs to have a known password for telnet.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,421
Reaction score
3,654
This should be the UART connector:
View attachment 154827

Once you have a working connection with the U-Boot shell, you can boot into Linux and create a backup.
You probably need to modify and repack the rootfs to have a known password for telnet.
If that's accurate, note that you'd need to identify which is TX and which is RX and provide a good ground. Probably best to solder on wires.
 

python1320

n3wb
Joined
Sep 22, 2023
Messages
1
Reaction score
0
Location
Finland
If that's accurate, note that you'd need to identify which is TX and which is RX and provide a good ground. Probably best to solder on wires.
Here is a bootlog but without cam: github gist
The board is sending data on the pin close to the center. I don't have time to test further for now.
 

da77ro

n3wb
Joined
Oct 20, 2023
Messages
1
Reaction score
0
Location
Poland




Forgive my ignorance here, but I've got these diagrams for a module I have. I'm trying to dump a copy of the internal Linux and make backup copies of the MTD files. I've tried to Telnet but cannot seem to crack the password. So I'm attempting to try doing it with a serial connection (USB to UART/TTL/RS485/RS232 adapter). Though these diagrams are quite sloppy, for lack of better words, it seems I'm able to make out on port CN2 (top middle) that pins 1 and 2 are transmit and receive for UART1 and pins 3 and 4 are for UART2...Those UART2 wires are connected to a Pelco-D pan/tilt bracket (RS485; Baud: 9600) and it pans and tilts on command as expected. Checking these pins against the ground with a tester gives 3.3 V...My question is, should I be able to connect my USB adapter to these UART ports to access the camera's internal flash? I gave it a try on both the UART1 and the UART2 pins and connected with PuTTY, but all I get is a bunch of illegible characters...The characters do briefly change a bit when I click one of the pan/tilt buttons on the cam's web user interface, so I assume I'm just seeing an ASCII translation stream of the hex Pelco-D commands...

I'm just wondering if this is the type of UART port that I'm looking for, or is this some special type of UART port that's only for sending/receiving Pelco commands? If it should work, any advice on how to get to a usable command prompt instead of a constant stream of unreadable characters (I've tried reversing pins, different baud rates, shorting the TX/RX pins on start up, etc. and it doesn't help)... If these are special ports and not the UART that I'm looking for, any tips on where I may be able to find the correct one?

Thanks for any help! I'm a rookie at this stuff and this particular cam has proven to be a pain in the rear to "hack" into.

Hello, I see that you have activated the P/T unit control, hence my question. I have the same camera, but after connecting the P/T unit (Videotec Ullise) with the Pelco-D protocol set to pin 3 and pin 4 of the camera and trying to control it, nothing happens. The P/T unit is certainly technically efficient because I can control it from the test monitor via RS485, Baudrate 9600 and the Pelco-D protocol. Is the Pelco-D protocol enabled by default in this camera or do I have to change it somewhere? How did you deal with it?
 