@aSmig
Last active August 3, 2025 14:26
How to get root on your K9608-2W 8-channel Network Video Recorder

Rooting K9608-2W

Let's say you have one of these and you want shell access for some reason, like setting the date & time programmatically. By adding a couple of magic files to a USB mass storage device, connecting it to your NVR and rebooting, you will be able to log in via telnet.


How to know this will work for you

Log in to the web user interface of your NVR and go to Settings (wrench and screwdriver icon). If you see the following info listed in the DevInfo tab, then these instructions should work for you. This may work with other software versions too, but no promises.

Dev model K9608-2W
HW version 2.1.0
SW version 2.7.13.0_22922330
Reldatetime 2018/10/26 10:58

Hack

Grab a thumb drive or whatever USB mass storage device is handy. Make sure the partition table is simple and has FAT32 as the first primary partition. This is usually the default setup for a new device, so you probably don't have to do anything. Mount it and create the three files below in the top-level directory.

me@here:/media/me/SANDISK$ echo 1000000001 > enable_log_forever
me@here:/media/me/SANDISK$ cat <<EOF>dvr_app
#!/bin/sh
/usr/sbin/telnetd &
exec /media/usb1/dvr_app_chain "\$@"
EOF
me@here:/media/me/SANDISK$ cat <<EOF>dvr_app_chain
#!/bin/sh
umount /root/dvr_app/dvr_app
exec /root/dvr_app/dvr_app "\$@"
EOF
me@here:/media/me/SANDISK$ 

Unmount/eject, pop it in the NVR, reboot the NVR, wait a bit and then telnet to it using the same IP or hostname you used to get to the web interface. Log in with username root and password j1/_7sxw

me@here:~$ telnet nvr-host
Trying 192.168.31.337...
Connected to nvr-host.
Escape character is '^]'.
(none) login: root
Password:
Welcome to HiLinux.
# uptime
 05:42:38 up  2:35,  1 users,  load average: 13.88, 12.32, 11.89
# ls /
a.out    bin      etc      linuxrc  mnt      oem      root     sys      usr
a2.out   dev      lib      media    nfsroot  proc     sbin     tmp      var
# 

Why does this work?

One of the startup scripts contains the following snippet:

if [ -e $MOUNT_DIR/enable_log_forever ];then
                echo "enable log2 found."
                rv=$(cat $MOUNT_DIR/enable_log_forever)
                if [ "$rv" == "1000000001" ];then
                        if [ -e $MOUNT_DIR/dvr_app ];then
                                echo "mount bind dvr_app."
                                mount --bind $MOUNT_DIR/dvr_app /root/dvr_app/dvr_app
                        fi

In short, if the file enable_log_forever exists and contains 1000000001, the script bind-mounts dvr_app from the USB device over the top of the normal /root/dvr_app/dvr_app before running it later in the same startup script.

The shell won't allow us to unmount dvr_app from inside the script running as that name, so we pass off execution to an arbitrary script called dvr_app_chain directly from the USB mountpoint. From there, we can unmount our dvr_app and run the original with the arguments that were passed along the way. Any additional commands that we want to run can be added to either script.

One side effect is that logs will be written to your USB device. Rebooting without this USB device present will revert to running normally without telnetd.
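
As an added example (not part of the original gist or the NVR firmware), the shell functions below apply the same test the startup script uses to decide whether a USB volume will override dvr_app, and check a mount table for something mounted over /root/dvr_app/dvr_app. The magic value and paths are the ones quoted above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the USB boot override described in this gist.
# MAGIC and TARGET come from the startup-script snippet quoted above;
# the function names are hypothetical.

MAGIC=1000000001
TARGET=/root/dvr_app/dvr_app

# Classify a mounted USB volume the way the startup script would treat it.
# Prints: clean | armed-no-payload | armed
usb_override_status() {
    dir=$1
    [ -e "$dir/enable_log_forever" ] || { echo clean; return 0; }
    # Same read as the firmware: $(cat) strips trailing newlines only,
    # so a CRLF-terminated file does not match the magic value.
    rv=$(cat "$dir/enable_log_forever")
    [ "$rv" = "$MAGIC" ] || { echo clean; return 0; }
    if [ -e "$dir/dvr_app" ]; then echo armed; else echo armed-no-payload; fi
}

# Return 0 if a mount table in /proc/mounts format shows something mounted
# over the application binary. Field 2 of each line is the mount point.
dvr_app_overmounted() {
    awk -v t="$TARGET" '$2 == t { found = 1 } END { exit !found }' "$1"
}

# Constructed sample data, built in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/stick" "$tmp/blank"
    echo "$MAGIC" > "$tmp/stick/enable_log_forever"
    printf '#!/bin/sh\n' > "$tmp/stick/dvr_app"
    printf '%s\n' '/dev/root / squashfs ro 0 0' \
        "/dev/sda1 $TARGET vfat rw 0 0" > "$tmp/mounts"
    echo "stick: $(usb_override_status "$tmp/stick")"
    echo "blank: $(usb_override_status "$tmp/blank")"
    dvr_app_overmounted "$tmp/mounts" && echo "mounts: $TARGET is over-mounted"
    rm -rf "$tmp"
}
demo
```

Because the dvr_app_chain script shown earlier unmounts the bind mount as soon as it runs, a clean mount table on a running NVR does not show that the override was not used at boot; the USB volume check is the more reliable of the two.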

Other suggestions

  • Kill run_IOTDaemon.sh. It's the script responsible for spawning IOTDaemon once a minute. This service reaches out to ngw.dvr163.com offering remote access to your video along with all sorts of other controls, including a reverse shell.
  • Change the root password. Using bind-mount, you can set up a passwd file on your USB mass storage device.
  • Run dropbear instead of telnetd.
  • Update the squashfs with all of your changes so that you don't depend on the USB mass storage device any more. For extra credit, add an NFS mount to hold larger packages.
  • Run ntpd. The clock drift on this thing is terrible. The built-in mechanism for NTP is to stop recording, update the clock, then start recording again. This is appropriate for a big time shift, but not so hot for regularly maintaining time sync.

Please post comments with suggestions or requests for this document. Have a device you want root on and don't mind sending one to me? Tweet at @octosavvi.


wes1993 commented Jan 14, 2021

Hello Again :-D
I have one question, has someone found a way to switch from 8 cams to 16 cams?
I have seen that the CPU is the same so I think it's only a software limitation.
Any suggestions?
Best Regards
Stefano


ghost commented Jan 15, 2021

the telnet port is closed, so no telnet :(


iotola commented Jan 18, 2021

Mine is also a Victure NK200 CCTV, and my cameras also only seem to have port 80 open, although my cameras appear to be different to the one you listed. So no telnet on mine either.


aSmig commented Jan 21, 2021

@salfordfred, it looks like the TTL UART has a getty running from inittab, so you should be able to physically open up the camera and get root that way. Root password in the firmware image is j1/_7sxw as mentioned by @wes1993. Also in the firmware image you linked, I see that telnetd is available and is even started by /etc/init.d/rcS so maybe something kills it later in the boot process? Maybe try spamming connections to port 23 during boot and see if telnet is ever open. There are plenty of other issues with the firmware including custom binaries that have shell execs like /usr/bin/anyka_ipc, /usr/bin/IOTDaemon and /sbin/nk_upgrade. Not to mention all the various shell scripts running as root with unsanitized input, like DHCP lease parsers, etc. But I'm lazy, so I would just open up a camera and go straight for UART. If nothing else, this would accelerate identifying vulnerabilities which can be accessed remotely across the same model.

Other interesting strings in /usr/bin/anyka_ipc:

/mnt/tf/debug.ini
telnetd &

Which could hint that if the debug.ini file exists on the TF storage, then telnetd will be started. Does your model camera have a Micro-SD card slot? Seems likely to be a dev feature not in production, but worth checking.


ghost commented Jan 21, 2021

Thanks for the hints, I also noticed telnetd in rcS, but of course it's not running afterwards. There is no micro SD slot, perhaps internally there is? I'll see if I can crack one open without breaking it!

@TippyLion28

I was able to use these instructions to get into a similar whitelabel DVR from Amazon https://www.amazon.co.uk/gp/aw/d/B06VTHXDY7/
branded as Sannce.

I'm looking to find the Main Stream so I can create a mobile-friendly user interface for it. The app is horrible and slow :)

Does anyone know where I might find the 1080p stream for this thing? The app uses port 10000 and the Web UI is on port 80. Haven't found anything like an RTSP stream. Just a low-quality snapshot.cgi ;)


wes1993 commented Mar 18, 2021

Unfortunately for me no... :(
But if you will find a way please write here or tell me :)

Best Regards
Stefano

@TippyLion28

Aww that's a shame... My other idea was to figure out how to get that 172 subnet routed so that devices on my LAN can access the cameras individually. And hope that the camera IP addresses stay the same :D

As you mentioned earlier, iptables doesn't exist on this box so that might prove tricky :(


wes1993 commented Mar 18, 2021

The only way for me is to connect the camera via the Ethernet cable so I have the IP of my LAN, then connect the cameras with the NVR.
But you won't use the WiFi, only Ethernet.
Bye
Stefano

@TippyLion28

Just a thought, would it be possible to route the log files to /dev/null or something? Just to avoid the log files growing and potentially getting too big, and avoiding clutter on the USB?


wes1993 commented Mar 18, 2021

For this I have created a script. I will attach the script tomorrow, but the root is not so useful because the NVR GUI is really limited... :(

@TippyLion28

Ah awesome cheers, that'll be handy. I think the root is very useful because it gives us an extra level of control, and it lets us poke around and look for things like stream URLs :))

I'm sure I'll think of plenty of other ways to put this root shell to good use :)


wes1993 commented Mar 18, 2021

I hope you could find a way and please write here if you find something.
From what I have seen there is an app and everything is inside this app.
I can’t find the stream etc. and the software is JavaScript (shit) that works only with Explorer.. I have also tried with Wireshark but nothing.... Only for the camera I have found the stream link, but with a custom HTML header, not simple, and it is H265 only so you couldn’t use it with a normal browser


TippyLion28 commented Mar 19, 2021

I'll keep poking and prodding and I'll log my findings here. I've spoken to Sannce support and they have been as useful as a chocolate teapot... They said there's no way to view the stream directly in VLC... I'm still determined to find a way :D

Interesting stuff in one of the log files:

[     httpd.c:  43] Add a new cgi "/moo"
[     httpd.c:  43] Add a new cgi "/snapshot"
[     httpd.c:  43] Add a new cgi "/cgi-bin/flv.cgi"
[     httpd.c:  43] Add a new cgi "/bubble/live"
[     httpd.c:  43] Add a new cgi "/cgi-bin/jscript.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/gw.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/snapshot.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/sp.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/upload.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/upgrade_rate.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/online_upgrade.cgi"
[     httpd.c:  43] Add a new cgi "/index.cgi"
[     httpd.c:  43] Add a new cgi "/debug.cgi"

@TippyLion28

I'm particularly interested in /bubble/live, jscript.cgi and debug.cgi

Bubble/live and jscript.cgi seem to hang with their responses, maybe they want specific parameters before they send a reply.

debug.cgi is telling me username or password mismatch, even when supplying the admin username and password with the u and p parameters

@TippyLion28

Another interesting tidbit in the same log file:

ENVIRONMENT: RtspServer default disable

Maybe there is an RTSP server, it's just disabled by default 🤔


wes1993 commented Mar 19, 2021

You speak about cameras or NVR?
For cameras you should see also here:
https://gist.github.com/maxious/c8915a436b532ab09e61bf937295a5d2
I have also seen a file where we can enable the RTSP but my cameras won’t have the RTSP library... :(

Keep me updated
Best regards
Stefano

@TippyLion28

I'm talking about the NVR. I have not been able to access the cameras via the NVR IP range. (And I don't want to connect to the cameras directly because they are already attached to the wall :D)

@TippyLion28

I'm looking at getting dropbear running on the NVR. From what I understand, it needs to be compiled for uClibc. Still researching it :)


wes1993 commented Mar 19, 2021

Keep me updated


wes1993 commented Mar 19, 2021

For the log, add this line to the app.out_chain before launching the app.out
rm -rf /media/usb1/app_*


wes1993 commented Mar 19, 2021

From what I have seen the eseecloud app uses the port 10000 to connect to the NVR but after that I can't find anything else... :-(

@TippyLion28

Attempting to build dropbear for the NVR using my shitey Linux laptop. Takes hours to build lol. Both attempts so far have resulted in dropbear throwing a segfault when I try to launch the binary. Maybe I haven't configured my buildroot correctly?

Maybe @aSmig would be able to shine a light on this?

My current buildroot settings:

Target Architecture: ARM (little endian)
Target Binary Format: ELF
Target Architecture Variant: cortex-A7
Target ABI: I have tried both EABI and EABIhf
Floating point strategy: NEON/VFPv4
ARM instruction set: ARM


wes1993 commented Mar 19, 2021

Another interesting tidbit in the same log file:

ENVIRONMENT: RtspServer default disable

Maybe there is an RTSP server, it's just disabled by default 🤔

Sorry,
Where is the path of this log?
P.S. I have also sent an email here:
[email protected]
It’s the developer of this shit... no success for me, but you could try. Regarding the RTSP stream he wrote this:

Sorry, the FTP function of the recorder has been eliminated, and the RTSP of the recorder needs to be customized

I hope you will find a way

@TippyLion28

Damn it, that's no fun :(

With regards to the log file, I found it inside the log beginning with app_

In other news, I have managed to compile dropbear and I can verify that it prints the version string and even starts a daemon when supplied with the -R argument. However, when you try to connect it crashes with cannot resolve symbol 'getrandom'

It looks like the version of uClibc bundled with the NVR is quite old or missing some component. Perhaps there's a way I can bundle the dropbear binary with its own version of uClibc? Or maybe I need to bind-mount the newer uClibc libraries. I'll investigate :)


wes1993 commented Mar 19, 2021

Thanks for the update :)
Sorry but I’m not so expert... I don’t know but we can try to copy the library to the usb?

bye
Stefano

@TippyLion28

Please don't be mistaken, I'm not an expert either :)

Maybe we can, but first I'm trying to static link the dropbear binary, then it will not need any external library :)))


TippyLion28 commented Mar 20, 2021

Okay, static-linking the binary worked! Now when I connect, dropbear wants to create a file inside /etc/dropbear/ but it cannot (for obvious reasons)

Do you by any chance know how to create a NEW mount point within /etc rather than binding one? Then we can redirect this folder to the USB and then dropbear should work :DDDDDD

Alternatively, I could try to modify the source code of dropbear to place the files in /tmp instead :)


wes1993 commented Mar 20, 2021

I don’t know because the FS is only write. I could try with mount but from what I remember it won’t work... :( I think the best thing is to redirect to /tmp


wes1993 commented Mar 20, 2021

P.s. goooooooddd workkkkkk!! :)
