Telnet and Root on the Sercomm iCamera2


  • URL http://[IP]/adm/file.cgi?todo=inject_telnetd
  • Telnet username root
  • Telnet password Aq0+0009


Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracked 200 comments - as people try to unlock their cameras, and find out what flaws they have.

Despite my best efforts at contacting Sercomm - the OEM who manufactures the cameras - and the "security" resellers who irresponsibly sell them to unsuspecting customers, the flaws remain unpatched.

Factory Reset

Most of the Sercomm cameras have a custom firmware which locks them down. As documented in my previous blog post, resetting the cameras is depressingly easy.

  1. Stick paperclip in the reset hole for a few seconds.
  2. The default login name is "administrator".
  3. There is no password set!

Turning on Telnet

The process for enabling Telnet was first published in 2011. It depends on the firmware that Sercomm have pre-loaded, but you just need to visit the specially crafted URl: http://[IP]/adm/file.cgi?todo=inject_telnetd

A web browser displaying the message "Open Telnet Daemon successfully!"

Firmware Trickery

Over on my GitHub repo of Sercomm API commands, you'll find a copy of the firmware for the iCamera 1000.

A contributor to the blog, Paul Chambers, describes how he deciphered the firmware.

The firmware is a modified SquashFS filesystem.
Inside, it contains a symlink from /etc/passwd -> /mnt/ramdisk/tmp/passwd

/etc/rc.sethost contains the string passwd

Running rc.sethost does various things including writing a passwd file to /mnt/ramdisk/tmp/passwd

Inside that, I saw root:9sXicXdz8JrVk:0:0:root:/root:/bin/sh

The string 9sXicXdz8JrVk is a traditional DES based hash

I patched rc.sethost to skip the call to crypt. Then I got:


I double-checked it was correct by running

squashfs-root$python -c "import crypt;print crypt.crypt('Aq0+0009', '9s')"

So the username is root and the password is Aq0+0009

There you have it. Different cameras may have different firmwares with different passwords - but I'd guess that they all follow a similar pattern. This particular password works on Firmware version V3.0.01.29


Support this blog

Enjoyed this blog post? You can say thanks to the author in the following ways:

Donate to charity
Give to charity.
Buy me a birthday present
Amazon Wishlist
Get me a coffee
Donate on Ko-Fi.

2 thoughts on “Telnet and Root on the Sercomm iCamera2

  1. Thanks , Was on the same hunt for my ebay NV412a, justb wanted to get Zoom function to work via FW upgrade from later Sercomm camera!!

  2. I would be very interested in learning how he managed to unpack, modify, and repack the firmware. I’ve been wracking my brain trying to figure it out for the iCamera-1000 model, and unfortunately, the pre-loaded comcast firmware doesn’t dump the full FW image when you do a dump from the device. That means my only recourse is to find an original full sercomm firmware for it, or hack around with the partial images being shoved out by comcast.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.