March Networks 3030 Multimedia Security Gateway (w/Caddx NX-8e & PC)

[racerx90@xxxxxxxxx]

I posted a message about this towards the end of last year in the hopes
that someone might be able to help me hack into the PC portion of the
March Networks 3030 Multimedia Security Gateway that comes with the
Caddx NX-8e security system.

Well, about a year later, I finally got around to working on hacking in
to it. Surprisingly it was pretty simple since it's essentially just a
Linux box. The hard part was figuring out how to get to the console of
the system than to do the actual "hacking" work.

Here's a little bit of background information on the system:

The motherboard is a custom layout based on the requirements of March
Networks (most of the options have been removed even though the traces
on the board show the board was originally designed for many other
components.) It uses a Geode SC1100 (233 MHz) processor with 128MB of
PC133 Memory. The only connector on the motherboard is a single IDE
port which seems to work as I had a compactflash to IDE adapter plugged
into it and Linux was able recognized it when it booted up. The
operating system is some variant of an embedded Linux based on a
2.4.18cmp kernel all stored on an M-Systems DiskOnChip ASIC right on
the motherboard. It's connected to a custom backplane (resembles a SBC
design) which has a network interface, two serial intefaces, and video
inputs for multiple cameras (additionally it has the input for ATX
power supply.)

The serial port next to the ethernet jack is the one which is tied into
the console for the system. The second serial port is used for
communication to the Caddx NX-8e (I mistakenly spent a lot of time
trying to hack into this port since I was getting output from it, but
after some googling I some realized the "01212223" I was seeing was
meant to be used to address the NX-8e.) Both ports are 9600 Baud 8-n-1
(VT100 or better). I've used both a straight pin to pin DB9 as well as
a null-modem cable and each cable seemed to work equally fine.

Now the "hacking" part.. While I never did figure out how to access the
BIOS yet (FWIW, the BIOS is from General Software www.gensw.com -
there's a sticker on the motherboard), I was able to "catch" the LILO
boot line. If you watch the screens go by (they're rather quick) and if
you're fast enough you stop the boot process by just pressing a key
(like the spacebar.) Once you stop it, you can write your own boot line
parameters.

At the LILO prompt, write the boot image name (just press tab and it
will show you the name) - congress4.dvr (I think it's called) then add
the word "single" after it. This will boot single user for Linux which
will allow you to re-write the root password as well as all the other
accounts.

When it's done booting, remount the file system read/write:

# mount -o rw,remount /

Now you can use "passwd" to change the root passwd and "passwd
<username>" to change the password for the other accounts. Admin is a
local account (over serial) while Radmin & Rview are the network login
accounts. "Sync" the file system and then you can now safely reboot and
relogin.

To setup the network IP defaults, login to the admin account and use
the "setip" command. It's all pretty self-explanatory - just type help
if you need more assistance.

Now once you have everything setup the way you want over serial and now
you probably want to do network logins - you'll need to do a few things
first. To simply things, you can login as root (over serial) then edit
the /etc/ssh/sshd_config and change "ChallengeResponseAuthentication"
to no (otherwise you'll need to use the key information from the
/usr/local/etc/skeykeys file I believe.)

Additionally, you'll need to edit the pam security file
(/etc/pam.d/sshd) if you want to login as root and comment out the line
with pam_securetty.so (it's written in the file, just follow the
directions.)

Anyhow, I'm still working on hacking this more and will probably figure
out more as I go but I thought this might be useful for those of you
who own this Security system and would like to use the PC portion of
it.

Good luck!