Alarm.com ADC-v520IR Kernel init Hijacking
The Exploiteers

 Published On Jun 8, 2015

Alarm.com ADC-v520IR kernel init hijacking to gain root privileges on your network camera.

Hijacking the kernel init on the ADC-v520IR
By: Exploitee.rs
###################################
1.) Connect a USB-to-TTL adapter to the camera's UART; the pinout is available on Exploitee.rs
2.) Press any key at the correct moment (during U-Boot startup) to enter the U-Boot shell
3.) Modify kernel boot args:
setenv bootargs root=/dev/mtdblock1 mem=80M console=1 rootfstype=squashfs user_debug=31 init=/bin/sh
run bootcmd
4.) Finish its bootup manually:
/etc/init.d/rcS
5.) Add a new user with:
adduser -h /mnt/ramdisk -s /bin/sh -g "" -H username
6.) Change the new user's UID and GID to root's (set 1000:1000 to 0:0 in passwd for the new user)
7.) Reboot!
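
A defender-side check for the traces these steps leave: a kernel command line carrying init=/bin/sh (step 3) and a second UID 0 entry in passwd (steps 5 and 6). This is an added example, not part of the original write-up or Exploitee.rs code; the function names, the sample passwd lines and the default expected init path /sbin/init are assumptions.

```shell
#!/bin/sh
# Added example: checks for the two traces the steps above leave behind.
# All sample data is constructed; nothing here was captured from a camera.

# Read passwd-format text on stdin; print accounts with UID 0 that are not
# "root". Numeric compare so "00" is caught as well.
uid0_extras() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print $1 }'
}

# Print the value of the last init= token in a kernel command line ($1).
cmdline_init() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^init=//p' | tail -n 1
}

# audit PASSWD_TEXT CMDLINE [EXPECTED_INIT]; returns 1 if anything is flagged.
# EXPECTED_INIT defaults to /sbin/init, which is an assumption, not a value
# taken from the camera's firmware.
audit() {
    audit_rc=0
    for audit_user in $(printf '%s\n' "$1" | uid0_extras); do
        echo "FLAG: extra UID 0 account: $audit_user"
        audit_rc=1
    done
    audit_init=$(cmdline_init "$2")
    if [ -n "$audit_init" ] && [ "$audit_init" != "${3:-/sbin/init}" ]; then
        echo "FLAG: kernel booted with init=$audit_init"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Constructed sample: the state after steps 3, 5 and 6.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
username:x:0:0::/mnt/ramdisk:/bin/sh'
SAMPLE_CMDLINE='root=/dev/mtdblock1 mem=80M console=1 rootfstype=squashfs user_debug=31 init=/bin/sh'

audit "$SAMPLE_PASSWD" "$SAMPLE_CMDLINE" || echo "audit: findings present"
# On a live system: audit "$(cat /etc/passwd)" "$(cat /proc/cmdline)"
```

Step 3 uses setenv without saveenv, so the init= trace shows up in /proc/cmdline only during that one boot.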

More info at:
https://www.exploitee.rs/index.php/Al...
More hacks at: https://Exploitee.rs
