Mjsxj10cm Firmware Review
    # In /etc/init.d/rcS
    telnetd -l /bin/sh &

For persistent access, add to /etc/profile or a custom startup script.

6.1 Modifying RootFS

    # After unsquashfs
    cd squashfs-root
    echo "admin:your_encrypted_password" > etc/passwd   # use openssl passwd
    echo "::respawn:/usr/sbin/telnetd -l /bin/sh" >> etc/inittab

6.2 Repacking

    mksquashfs squashfs-root/ new_rootfs.squashfs -comp xz -b 256k
    cat original_uImage_header.bin new_rootfs.squashfs > modified_firmware.bin

(Extract the uImage header from the original using dd if=original.bin of=original_uImage_header.bin bs=64 count=1)

6.3 Flashing Modified Firmware

    sudo flashrom -p ch341a_spi -w modified_firmware.bin

Or via bootloader (U-Boot):
    binwalk -e firmware_update.bin
    cat /dev/mtdblock0 > /tmp/mtd0.bin

4. Firmware Structure Analysis

Using binwalk on a typical dump:
    $ binwalk mjsxj10cm_original.bin
    DECIMAL     HEXADECIMAL   DESCRIPTION
    0           0x0           uImage header (ARM Linux)
    0x40        0x40          LZMA compressed data
    0x400000    0x400000      Squashfs filesystem (little endian)
Extract Squashfs:
Alternatively, inject via LD_PRELOAD or modify the main ipcam binary. The firmware may include telnetd but leave it disabled. Enable:
