- Telnet username
- Telnet password
Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracked 200 comments – as people try to unlock their cameras, and find out what flaws they have.
Despite my best efforts at contacting Sercomm – the OEM who manufactures the cameras – and the “security” resellers who irresponsibly sell them to unsuspecting customers, the flaws remain unpatched.
Most of the Sercomm cameras have a custom firmware which locks them down. As documented in my previous blog post, resetting the cameras is depressingly easy.
- Stick paperclip in the reset hole for a few seconds.
- The default login name is “
- There is no password set!
Turning on Telnet
The process for enabling Telnet was first published in 2011. It depends on the firmware that Sercomm have pre-loaded, but you just need to visit the specially crafted URl:
A contributor to the blog, Paul Chambers, describes how he deciphered the firmware.
The firmware is a modified SquashFS filesystem.
Inside, it contains a symlink from
/etc/passwd -> /mnt/ramdisk/tmp/passwd
/etc/rc.sethostcontains the string
Running rc.sethost does various things including writing a passwd file to
Inside that, I saw
9sXicXdz8JrVkis a traditional DES based hash
rc.sethostto skip the call to
crypt. Then I got:
I double-checked it was correct by running
squashfs-root$python -c "import crypt;print crypt.crypt('Aq0+0009', '9s')"
So the username is
rootand the password is
There you have it. Different cameras may have different firmwares with different passwords – but I’d guess that they all follow a similar pattern. This particular password works on Firmware version