Getting a Shell
So far we haven't been successfully getting access to a shell. That's good for manufacturers, but a complete shame for us pentesters!
Thankfully the community has a long history of pentesting / modding TP-Link products, and there are some useful information you can find on the internet. To be more specific - Access U-Boot shell.
At first we thought the U-Boot console of C200 is locked, as there is no classic "Press any button to stop boot process" message in the boot log..
But after looking a bit on the internet, we found that TP-link actually has a secrete passphrase to enter U-Boot shell. In some product it's
in some it's
slp . In the case of C200, you will need to enter
slp when you see "Autobooting in 1 seconds"
in the boot log.
Beware that C200 cameras actually have two stages of booting. First stage is to verify
romfs partition. Then it will reset and enter the "real" boot process.[*]
slp on second "Autobooting in 1 seconds", we will be granted the U-Boot command prompt
From there on, we can issue
printenv to check various U-Boot environment variables.
The two important variables we are interested in are
bootargs=console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual
bootcmd=sf probe;sf read 0x82000000 0x60000 0x300000;bootm 0x82000000
This poses a huge problem for us, as many critical commands and functions that can help for information gathering[*] actually collect information from these directories.
The first and most important thing we need is to populate
mount -t proc none /proc manually to ask the kernel to populate
/proc is populated, commands like
properly. However they still won't give much useful information because again, no init process is executed if we use
to get a shell.
There is no easy way to execute
/sbin/init, as PID 1 is assigned to
By now it may seem that we haven't really made any progress. But with the information we can get in
/proc, the best is yet to come.
By the way, here is a python script I wrote to automate this process, if you are feeling too lazy to do these steps manually :p