Telnet and Root on the Sercomm iCamera2

by @edent | # # # # # | 10 comments | Read ~4,928 times.


  • URL http://[IP]/adm/file.cgi?todo=inject_telnetd
  • Telnet username root
  • Telnet password Aq0+0009


Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracked 200 comments – as people try to unlock their cameras, and find out what flaws they have.

Despite my best efforts at contacting Sercomm – the OEM who manufactures the cameras – and the “security” resellers who irresponsibly sell them to unsuspecting customers, the flaws remain unpatched.

Factory Reset

Most of the Sercomm cameras have a custom firmware which locks them down. As documented in my previous blog post, resetting the cameras is depressingly easy.

  1. Stick paperclip in the reset hole for a few seconds.
  2. The default login name is “administrator“.
  3. There is no password set!

Turning on Telnet

The process for enabling Telnet was first published in 2011. It depends on the firmware that Sercomm have pre-loaded, but you just need to visit the specially crafted URl: http://[IP]/adm/file.cgi?todo=inject_telnetd

A web browser displaying the message "Open Telnet Daemon successfully!"

Firmware Trickery

Over on my GitHub repo of Sercomm API commands, you’ll find a copy of the firmware for the iCamera 1000.

A contributor to the blog, Paul Chambers, describes how he deciphered the firmware.

The firmware is a modified SquashFS filesystem.
Inside, it contains a symlink from /etc/passwd -> /mnt/ramdisk/tmp/passwd

/etc/rc.sethost contains the string passwd

Running rc.sethost does various things including writing a passwd file to /mnt/ramdisk/tmp/passwd

Inside that, I saw root:9sXicXdz8JrVk:0:0:root:/root:/bin/sh

The string 9sXicXdz8JrVk is a traditional DES based hash

I patched rc.sethost to skip the call to crypt. Then I got:


I double-checked it was correct by running

squashfs-root$python -c "import crypt;print crypt.crypt('Aq0+0009', '9s')"

So the username is root and the password is Aq0+0009

There you have it. Different cameras may have different firmwares with different passwords – but I’d guess that they all follow a similar pattern. This particular password works on Firmware version V3.0.01.29


10 thoughts on “Telnet and Root on the Sercomm iCamera2

  1. Dennis A Vitali says:

    Thanks , Was on the same hunt for my ebay NV412a, justb wanted to get Zoom function to work via FW upgrade from later Sercomm camera!!

  2. ArcAiN6 says:

    I would be very interested in learning how he managed to unpack, modify, and repack the firmware. I’ve been wracking my brain trying to figure it out for the iCamera-1000 model, and unfortunately, the pre-loaded comcast firmware doesn’t dump the full FW image when you do a dump from the device. That means my only recourse is to find an original full sercomm firmware for it, or hack around with the partial images being shoved out by comcast.

  3. Robert Monsen says:

    I just tried your telnet enable + root username/password pair on my iCamera2 from xfinity, and was able to get in. Sigh. What a bunch of losers. It’s January, 2019

    1. akzorz says:

      This root user name and password works, however you can generate your own and it works just fine.

  4. Richard Amiss says:

    Hello there! Thank you for the blog posts. I was wondering, in all your travels have you ever found any version of firmware for the iCamera2 ? I am able to get into the web interface on the modded ones either way, but I have 8 of them, some new with non modded firmware and some from old xfinity accounts and it would be so nice to get them all on the same firmware. Any leads, hints or links to the dark web are welcome!


  5. prince noor says:

    hi bro if you know about the upgrade version of rc4551 oc821 rc8221 so please let me inform i have 3000 thousand cameras in stock all have the F/W version problem please some body help me thanks to every one

  6. Aseem Patnaik says:

    Hello everyone
    I need some help. I have 2 of these cameras that i purchased thinking i could hook them up. I was able to connect both cameras to my router (hardwire and via wifi). However i do not see an IP address assigned to them to get in and get this thing figured out. From the little bit i know , without an IP i do not think i can do much. Are there any options for me or are these just paper weights?

    1. Akzorz says:

      You need to hold the button on the back for about 5 seconds then press wps on your router.

  7. Akzorz says:

    Just wanted to add that the CA cert installed on the camera is still good till next year!
    Common Name: XMPP
    Organization: iControl
    Organization Unit: OpenHome
    Locality: Redwood City
    State: CA
    Country: US
    Valid From: November 18, 2011
    Valid To: November 15, 2021
    Issuer: XMPP, iControl

    Thanks for sharing

Leave a Reply

Your email address will not be published. Required fields are marked *