Gaining Root Access on Philips B120N Babycam

Update, I have a new philips babycam, and rooted it again, so I added some more info.

This is an older post, and after having contacted philips, they told me they had received a report of this issue months prior to my report. In the new firmware these problems don’t exist anymore, this doesn’t mean that the b120n is flaweless, because when you reset the babycam it reverts back to the old firmware, and you can root it.

I wanted to try rooting my B120N cam, and tried to follow Paul Prices Owning Philips In.Sight IP Cameras But unfortunately Philips decided to close all interesting ports in the firmware version my cam was running.

I did find a way to gain root access, and I wanted to add a recording of the process so you can try it yourself..

I setup my linux box as ‘router’ with mitmproxy and a hotspot, connecting my ethernet port and directing traffic trough hotspot -> mitmproxy -> internet
In short the steps you need to do:

  1. Install mitmproxy on your pc / notebook (plenty of good tutorials available online), to be able to capture traffic and alter responses
  2. Setup a hotspot, where you will connect your phone and camera
  3. connect your phone, run the insight app, and configure your cam / scan the qrcode
  4. Now your camera will connect to the wifi, once the insight app asks you if you want to ipgrade press i in mitmproxy and set the filter to .* to capture all traffic and halt on every request
  5. click yes on the upgrade prompt in the insight app
  6. press ‘a’ key to allow the requests per line, untill you reach the upgrade_fw.sh line (don’t press a on that line, we want to modify this request)
  7. hit enter on the upgrade_fw.sh and press ‘e’ to edit the request
  8. there will be an option to edit the url (I think it’s ‘u’) then point the request url to ‘http://yoururl.com/upgrade_fw.sh) where you set your own shellscript and ssh_config gile) and press enter, and hit ‘a’ to allow the request to complete.
  9. Your now have rootaccess to your camera.

    below you can find a sample upgrade_fw.sh and sshd_config you can use to complete the rooting.

For this setup I used mitmproxy to capture the traffic from the B120N when it was freshly connected to my wifi network.

When opening the mobile application I immediately got a message to update my cams firmware, when I hit update I saw multiple requests passing through:

http://philips.iv-cdn.com/upgrade_fw.sh

So I noticed, no https request, ok.. makes my life a little easier.

To get root access I needed to replace the current sshd_config with my own, to open up an ssh port.

 

 

I captured the request for upgrade_fw.sh and redirected it to my own sh file, where I reset the password of root (yes root user is downloading the updates, and no, there is no check on validity of the file or origin with hashing) and copy my sshd_config to the system, to open up port 22

And you are in 🙂

Some more digging

Excerpt from file source code:

Looking at the highlighted part, I see some files are being downloaded, looks like camera firmware & ivideon server code. Always nice to browse and look around 🙂

http://philips.iv-cdn.com/b120/fw_updates_release.tar.gz
http://philips.iv-cdn.com/b120/ivideon-server_release_philips-m120.tar.gz

This update script is being downloaded, and runs: