Lost password of wifi endoscope cam

[diy3d]

Hi,

I bought myself a Wifi endoscope camera. The main module is a Wi-Fi accesspoint and with an App, the images can be received on your phone. I was satisfied this device was working well until I changed the default wifi password.  Yes I lost it, I can not remember it anymore. I tried to reset the device so I could use the default 12345678 password...but no way I asked the the supplier, searched the internet, tried the reset button in all possible combination with the powerbutton, I tried make a USB connect with Putty, I removed the wifi and memory module from the power pcb .. no success.
I guess the Wi-Fi configuration and password stored in the program memory of the Ralink RT5350.

So the big question, how do I reset the device?

Therefore, I decided to investigate the device further.

Wifi Endoscoop Module: ZCF99
Os: Linux 2.6.32
Port: 23 tcp open telnet BusyBox telnetd 

WiFi module: Ralink RT5350
Memory module: Etrontech EM63A165TS-6G 16M X 16 Bit Synchronous DRAM (SDRAM)
Serial interface: Macronix  MX25L3206E

Attached pictures show the various components.

Kind Regards

[RobertHolcombe]

How did you change the password originally?

[joao2004]

Have you tried password 88888888 ?

[alexanderbrevig]

Take a deep look inside yourself and ask if maybe it's worth it just to get a new one...?  Yes, there's a joke there somewhere.

[cstratton]

With a RT5350, what you have is basically a little router that think's it's a camera.

Compare something like this: https://wiki.openwrt.org/toh/hootoo/tripmate-nano

Password will be in the SPI flash, yes.  But likely holding down the reset button for a while will get it to wipe the writable overlay partition and revert to the underlying read only state - typically that's a jffs2 near the end that mounts over the top of a squashfs filling the middle of the chip.

Or look for a UART hearder and see if you can get into U-Boot.

Or hold the CPU in reset and have at the flash with some other access device and micrograbber leads - though do pay attention to the designed voltage.

[diy3d]

How did you change the password originally?

There is an APP called WiFi_View, you can configure the the resolution, SSID, clear or modify password etc.

Have you tried password 88888888 ?

Sure, no results

Take a deep look inside yourself and ask if maybe it's worth it just to get a new one...?  Yes, there's a joke there somewhere.

Do you mean the price is a joke I agree

@cstratton, thanks for the advice

[polli]

Since you own this thing, I think this tool should be legal to use for you: https://www.aircrack-ng.org/
I never actually had to use it, but I think that if your password is really basic (like just numbers or just lowercase digits) and you use the appropriate options, you should be able to find it fairly quickly.

Again, I never used this so I can't give you a command ready to execute, but you should be able to find something in the docs or on a tutorial.

[diy3d]

Hi thank you, that is an interesting tool. 

[Mechatrommer]

Take a deep look inside yourself and ask if maybe it's worth it just to get a new one...?  Yes, there's a joke there somewhere.

Do you mean the price is a joke I agree

dont change default password if there is no good reason. and dont forget your password. those are among the jokes... if its easy to reset your device, it will be equally easy to reset other people's device.

[NiHaoMike]

if its easy to reset your device, it will be equally easy to reset other people's device.

I think the intent of the password is to prevent hackers from breaking into the connection, not to render a stolen device unusable.

[polli]

if its easy to reset your device, it will be equally easy to reset other people's device.

this is not correct, because when resetting your device you usually have physical access. There are devices where security is an issue in case of physical access from an attacker, but this is not such a device. If you have physical access to a laptop, even if it was encrypted correctly, you can just "reset" it by booting from an usb drive and installing a fresh OS. If you steal a phone you can still wipe it and use it with your stuff.

[KingVidiot]

Have you tried password 88888888 ?

thanks, worked perfectly for me on my XJ_wifibox :-)
I should have guessed that since the Chinese really love the number 8

[soldar]

Since you own this thing, I think this tool should be legal to use for you: https://www.aircrack-ng.org/

I do not think that will help. I think the way it works is that you need to have a valid handshake from someone who logged in with the correct password. Then aircrack tries whatever passwords you tell it to try and it will see if one matches the existing handshake.

In other words, you cannot do anything unless you have a valid handshake.

[n8henrie]

I ran into this same issue with a similar endoscope and did a writeup of how I figured out the WiFi password, the telnet account and password, and how to configure the endoscope by sending some UDP packets.

The writeup begins here: https://n8henrie.com/2019/02/reverse-engineering-my-wifi-endoscope-part-1/

The short answer is that you'll need to connect to the TX2 and RX2 serial debug ports at 57600 baud, it will print out your WiFi password. (Without that, unfortunately you obviously wouldn't be able to connect by telnet or send any commands over UDP.)

Ran into this post while I was googling for an answer, so thought I'd register to post my solution!