I posted a message about this towards the end of last year in the hopes that someone might be able to help me hack into the PC portion of the March Networks 3030 Multimedia Security Gateway that comes with the Caddx NX-8e security system.
Well, about a year later, I finally got around to working on hacking in to it. Surprisingly it was pretty simple since it's essentially just a Linux box. The hard part was figuring out how to get to the console of the system than to do the actual "hacking" work.
Here's a little bit of background information on the system:
The motherboard is a custom layout based on the requirements of March Networks (most of the options have been removed even though the traces on the board show the board was originally designed for many other components.) It uses a Geode SC1100 (233 MHz) processor with 128MB of PC133 Memory. The only connector on the motherboard is a single IDE port which seems to work as I had a compactflash to IDE adapter plugged into it and Linux was able recognized it when it booted up. The operating system is some variant of an embedded Linux based on a
2.4.18cmp kernel all stored on an M-Systems DiskOnChip ASIC right on the motherboard. It's connected to a custom backplane (resembles a SBC design) which has a network interface, two serial intefaces, and video inputs for multiple cameras (additionally it has the input for ATX power supply.)The serial port next to the ethernet jack is the one which is tied into the console for the system. The second serial port is used for communication to the Caddx NX-8e (I mistakenly spent a lot of time trying to hack into this port since I was getting output from it, but after some googling I some realized the "01212223" I was seeing was meant to be used to address the NX-8e.) Both ports are 9600 Baud 8-n-1 (VT100 or better). I've used both a straight pin to pin DB9 as well as a null-modem cable and each cable seemed to work equally fine.
Now the "hacking" part.. While I never did figure out how to access the BIOS yet (FWIW, the BIOS is from General Software
At the LILO prompt, write the boot image name (just press tab and it will show you the name) - congress4.dvr (I think it's called) then add the word "single" after it. This will boot single user for Linux which will allow you to re-write the root password as well as all the other accounts.
When it's done booting, remount the file system read/write:
# mount -o rw,remount /
Now you can use "passwd" to change the root passwd and "passwd " to change the password for the other accounts. Admin is a local account (over serial) while Radmin & Rview are the network login accounts. "Sync" the file system and then you can now safely reboot and relogin.
To setup the network IP defaults, login to the admin account and use the "setip" command. It's all pretty self-explanatory - just type help if you need more assistance.
Now once you have everything setup the way you want over serial and now you probably want to do network logins - you'll need to do a few things first. To simply things, you can login as root (over serial) then edit the /etc/ssh/sshd_config and change "ChallengeResponseAuthentication" to no (otherwise you'll need to use the key information from the /usr/local/etc/skeykeys file I believe.)
Additionally, you'll need to edit the pam security file (/etc/pam.d/sshd) if you want to login as root and comment out the line with pam_securetty.so (it's written in the file, just follow the directions.)
Anyhow, I'm still working on hacking this more and will probably figure out more as I go but I thought this might be useful for those of you who own this Security system and would like to use the PC portion of it.
Good luck!