Gaining Root Access on Philips B120N Babycam

 

I wanted to try rooting my B120N cam, and tried to follow Paul Prices Owning Philips In.Sight IP Cameras But unfortunately Philips decided to close all interesting ports in the firmware version my cam was running.

I did find a way to gain root access, and I wanted to add a recording of the process, but I dropped my cam while resetting it, rendering it useless 🙁 So I can only give you the steps I took, to root it (I have ran the rooted cam for 14 days without problems) so you can try it yourself.

For this setup I used mitmproxy to capture the traffic from the B120N when it was freshly connected to my wifi network.

When opening the mobile application I immediately got a message to update my cams firmware, when I hit update I saw multiple requests passing through:

http://philips.iv-cdn.com/upgrade_fw.sh

So I noticed, no https request, ok.. makes my life a little easier.

To get root access I needed to replace the current sshd_config with my own, to open up an ssh port. I just captured the request for upgrade_fw.sh and redirected it to my own sh file, where I reset the password of root (yes root user is downloading the updates, and no, there is no check on validity of the file or origin with hashing).

And you are in 🙂

Some more digging

Excerpt from file source code:

Looking at the highlighted part, I see some files are being downloaded, looks like camera firmware & ivideon server code. Always nice to browse and look around 🙂

http://philips.iv-cdn.com/b120/fw_updates_release.tar.gz
http://philips.iv-cdn.com/b120/ivideon-server_release_philips-m120.tar.gz

This update script is being downloaded, and runs: