
DLink 6100LH Ethical Hacking Documentation

The initial plan was to write a brute-force script in Tcl and Expect to discover the PIN code; this ultimately wasn't necessary.

Hardware Used

  • Arduino SA Uno R3 (CDC ACM)
  • D-LINK 6100LH IPCam
  • System: Gentoo Linux

About/Info/Reason

The D-Link camera had to be disassembled because its password was not available. The D-Link app requires a connection to the camera's WiFi before the device can be added, so the camera was opened up to gain root access and resolve the issue.

Disassembly and Access

The process involved unscrewing three screws and disconnecting three contacts: TXD, RXD, and GND. These were located to the left of the micro-USB input. Access to the camera's AP was possible because the password is printed to stdout, where it can be read from the serial console.

Challenge with PIN Code

Upon configuration, a PIN code was required for the final settings, necessitating a workaround to bypass the login. This task has since been completed.

Some Photos Taken During the Process

[Image: DLink camera disassembly, internal view]

Observation on Manufacturing

The camera's internals included Chinese characters, hinting at its manufacturing origins. This suggests that D-Link, like many companies, may source cheaper hardware from China, rebranding and selling at a markup.

[Image: Chinese characters on hardware]

Technical Insights

Odd Info

Notably, the board of this camera has a reference to the year 2034, a curious detail for tech enthusiasts.

[Image: 2034 reference]

Serial Communication Monitoring

Script for Reading Serial Communication

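#!/bin/bash
# Log everything the camera prints on its UART to the terminal and to a file.

tty=/dev/ttyACM0

# Configure the port once: 115200 baud, no local echo.
stty -F "$tty" 115200 -echo

# Open the device once: fd 4 for reading, fd 5 for sending input to the console.
exec 4<"$tty" 5>"$tty"

# Read line by line; -r keeps backslashes, IFS= keeps leading whitespace.
# The loop ends when the serial device is closed or unplugged.
while IFS= read -r r <&4; do
    echo "$r"
done | tee dc_6200lh.txt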

This script establishes a monitoring loop for the serial communication, useful for tasks like brute-forcing the login.

Brute Force Script Example with TCL

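#!/usr/bin/expect -f
# Arguments: [tty] [baud] [pin]
set tty /dev/ttyACM0
set baud 115200
set pin ""
if { $argc >= 1 } {
  set tty [lindex $argv 0]
}
if { $argc >= 2 } {
  set baud [lindex $argv 1]
}
if { $argc >= 3 } {
  set pin [lindex $argv 2]
}
# Attach to the serial console through screen.
spawn screen $tty $baud
# Send a carriage return so the console prints its prompt.
send "\r"
expect {
    "DCS-6100LH login: " {
        send "admin\r"
        expect "Password: "
        send "$pin\r"
    }
    "#"
}
# Hand the session over to the user.
interact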

WiFi Password Extraction

Real-time monitoring and specific data extraction from dc_6200lh.txt is possible, as shown in the following bash commands:

tail -f dc_6200lh.txt | grep -Ei "Wifi_ap_pwd"
tail -f dc_6200lh.txt | grep -Eo 'user=admin,pass=......'
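Because the console prints these credentials in clear text, a capture file such as dc_6200lh.txt should be scrubbed before it is shared or archived. The following is an added example, not part of the original write-up: it masks the values behind the two patterns searched for above. The sample log lines and their exact formats are constructed assumptions.

```python
import re
import sys

# Constructed sample capture: line formats are assumptions modelled on the two
# patterns grepped for above, and the secret values are made up.
SAMPLE_LOG = """\
U-Boot 2016.11 (Jul 01 2020 - 17:46:25 +0800)
[init] Wifi_ap_pwd=EXAMPLEKEY1
rtsp: session opened user=admin,pass=123456 from 192.168.0.2
DCS-6100LH login:
"""

# A credential key name, then '=' or ':', then the value up to a delimiter.
SECRET_RE = re.compile(
    r"(?i)\b(wifi_ap_pwd|pass(?:word|wd)?)(\s*[=:]\s*)([^\s,;&\"']+)")

def scrub(text):
    """Return (redacted_text, findings); findings are (line_no, key) pairs."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        def mask(m, no=no):
            # Record where the secret was seen, then hide only its value.
            findings.append((no, m.group(1)))
            return f"{m.group(1)}{m.group(2)}<redacted>"
        out.append(SECRET_RE.sub(mask, line))
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    # With a file argument, scrub that capture; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOG
    clean, hits = scrub(source)
    sys.stdout.write(clean)
    print(f"{len(hits)} credential value(s) masked", file=sys.stderr)
```

A bare "Password: " prompt with no value after it is left untouched, so login prompts in the capture stay readable.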

Pin-Code Discovery

Boot Process Visualization

For a detailed view of the boot process, refer to the following image.

[Image: boot process]

Network Information

IP...: 192.168.0.20
Ports: 554,8080,7000,6000

U-Boot Details

U-Boot 2016.11 (Jul 01 2020 - 17:46:25 +0800)
 mips-linux-uclibc-xgcc (Realtek RSDK-6.4.1 Build 3029) 6.4.1 20180425
 GNU ld (Realtek RSDK-6.4.1 Build 3029) 2.27.90.20161222

 => help
 ?   - alias for 'help'
 base - print or set address offset
 bdinfo  - print Board Info structure
 boot- boot default, i.e., run 'bootcmd'
 bootd - boot default, i.e., run 'bootcmd'
 bootelf - Boot from an ELF image in memory
 bootm - boot application image from memory
 bootvx - Boot vxWorks from an ELF image
 cmp - memory compare
 coninfo - print console devices and information
 cp  - memory copy
 crc32   - checksum calculation
 dma - dma copy
 editenv - edit environment variable
 env - environment handling commands
 fatinfo - print information about filesystem
 fatload - load binary file from a dos filesystem
 fatls   - list files in a directory (default /)
 fatsize - determine a file's size
 fephy   - fephy read/write
 go - start application at address 'addr'
 help - print command description/usage
 iminfo  - print header information for application image
 imls- list all images found in flash
 imxtract- extract a part of a multi-image
 md - memory display
 mm - memory modify (auto-incrementing address)
 mmc - MMC sub system
 mmcinfo - display MMC info
 mw  - memory write (fill)
 nfs - boot image via network using NFS protocol
 nm  - memory modify (constant address)
 ping - send ICMP ECHO_REQUEST to network host
 printenv - print environment variables
 reset - Perform RESET of the CPU
 run - run commands in an environment variable
 saveenv - save environment variables to flash
 setenv - set environment variables
 setethaddr - set eth address
 setipaddr - set ip address
 sf - SPI flash sub-system
 sleep - delay execution for some time
 tftpboot - boot image via network using TFTP protocol
 tftpput - TFTP put command, for uploading files to a server
 tftpsrv - act as a TFTP server and boot the first received file
 update  - update xxx
 version - print monitor, compiler and linker version

 => printenv
 baudrate=57600
 bootaddr=0xBC000000 + 0x50000
 bootargs=console=ttyS1,115200 root=/dev/mtdblock3 rts-quadspi.channels=dual mtdparts=18030000.spic:16384k@0(global),320k@0k(boot),2304k@320k(kernel),3584k@2624k(rootfs),7744k@6208k(userdata),2048k@13952k(userdata2),384k@16000k(userdata3)
 bootcmd=bootm 0xbc050000
 bootdelay=2
 ethact=r8168#0
 oadaddr=0x80010000
 netretry=yes
 stderr=serial
 stdin=serial
 stdout=serial
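The mtdparts string in bootargs describes the whole flash layout. The following added example (not code from the original write-up) parses it into a partition table and cross-checks it against root= and the bootm address. It assumes 0xBC000000 from bootaddr is the memory-mapped flash base, that mtdblock numbers follow the mtdparts order, and it handles only the size[@offset](name) form used here.

```python
import re

# bootargs and the bootm address are copied from the printenv output above.
BOOTARGS = (
    "console=ttyS1,115200 root=/dev/mtdblock3 rts-quadspi.channels=dual "
    "mtdparts=18030000.spic:16384k@0(global),320k@0k(boot),2304k@320k(kernel),"
    "3584k@2624k(rootfs),7744k@6208k(userdata),2048k@13952k(userdata2),"
    "384k@16000k(userdata3)")
FLASH_BASE = 0xBC000000   # assumption: flash mapping base, taken from bootaddr
BOOTM_ADDR = 0xBC050000   # from bootcmd=bootm 0xbc050000
UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
PART_RE = re.compile(r"(\d+)([kmg]?)(?:@(\d+)([kmg]?))?\((\w+)\)", re.I)

def to_bytes(num, unit):
    return int(num) * UNITS[unit.lower()]

def parse_mtdparts(bootargs):
    """Return [(mtdblock index, name, offset, size)] for the first mtd device."""
    spec = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs).group(1)
    parts, cursor = [], 0
    for idx, field in enumerate(spec.split(";")[0].split(",")):
        m = PART_RE.fullmatch(field)
        if m is None:
            raise ValueError(f"unsupported partition definition: {field!r}")
        size = to_bytes(m[1], m[2])
        # An omitted @offset means "directly after the previous partition".
        offset = to_bytes(m[3], m[4]) if m[3] is not None else cursor
        parts.append((idx, m[5], offset, size))
        cursor = offset + size
    return parts

def partition_at(parts, offset):
    """Smallest partition containing a flash offset (skips whole-chip aliases)."""
    hits = [p for p in parts if p[2] <= offset < p[2] + p[3]]
    return min(hits, key=lambda p: p[3])[1] if hits else None

def root_partition(bootargs, parts):
    """Name of the partition that root=/dev/mtdblockN refers to."""
    n = int(re.search(r"root=/dev/mtdblock(\d+)", bootargs).group(1))
    return parts[n][1]

if __name__ == "__main__":
    table = parse_mtdparts(BOOTARGS)
    for idx, name, off, size in table:
        print(f"mtd{idx} {name:<10} 0x{off:08x}-0x{off + size:08x} ({size >> 10}k)")
    print("bootm target:", partition_at(table, BOOTM_ADDR - FLASH_BASE))
    print("root device :", root_partition(BOOTARGS, table))
```

Under these assumptions the bootm address falls at the start of the kernel partition and root=/dev/mtdblock3 resolves to rootfs, which is consistent with the environment shown.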

Accessing U-Boot

Access U-Boot by pressing any key within 5 seconds of booting. Use the printenv command to view environment variables. To modify bootargs, use:

setenv bootargs console=ttyS0,115200...............

To bypass the login prompt, use:

setenv bootargs ${bootargs} init=/bin/sh
boot

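Note: Modify bootargs with caution. A change made with setenv lives only in RAM until saveenv is run, so a power cycle discards it. If a saved change causes a boot issue, reset the environment to its defaults from the U-Boot prompt: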

env default -a
saveenv
reset
