| عنوان | yitechnology YI Home Camera 2 2.1.1_20171024151200 Hardcoded WPA/WPS |
|---|
| الوصف | ## Firmware Identification
The latest firmware file `2.1.1_20171024151200home` was downloaded from YI Technology's official page.
https://www2.yitechnology.com/support/firmware_home/id/9
SHA-256 hashes for independent verification at each extraction stage:
```
$ sha256sum 2.1.1_20171024151200home
a5fef3fda624f77dc4369f64b85e9cba79df02eb6298460eca8e7304db418fb0 2.1.1_20171024151200home
$ file 2.1.1_20171024151200home
2.1.1_20171024151200home: data
$ hexdump -C 2.1.1_20171024151200home | head -3
00000000 41 4e 54 53 49 4d 47 00 a0 4e 02 00 10 c9 33 01 |ANTSIMG..N....3.|
00000010 00 01 00 00 01 00 00 00 00 01 00 00 00 02 00 00 |................|
00000020 00 00 00 02 00 00 00 00 1b 8a f5 c2 32 2e 31 2e |............2.1.|
$ binwalk 2.1.1_20171024151200home
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
512 0x200 UBI erase count header, version: 1, EC: 0x0 [..]
```
The UBI image at offset 0x200 was extracted with `binwalk -Me` and the UBIFS volume unpacked with `ubireader_extract_files`, yielding a 672-file filesystem.
The shell scripts `usr/local/bin/wifi_setup.sh` and `usr/local/bin/hostap.sh` were reviewed directly as part of the filesystem script enumeration phase. Both scripts are plaintext and readable without any binary analysis tools. When the camera enters Access Point (AP) mode for initial WiFi configuration or after a factory reset, it creates a WiFi network using hardcoded, publicly known credentials. The same credentials are set identically in two independent scripts, confirming this is not an isolated configuration error but a deliberate cross-component design decision.
`wifi_setup.sh` (line 503):
```sh
echo "ap_pin=12345670" >> ${HOST_CONFIG}
```
The WPS PIN is hardcoded to `12345670` in wifi_setup.sh. The WPA passphrase in this script uses a `${passwd}` variable (line 517), but falls back to the same `hostap.sh` configuration when the default AP mode is used.
`hostap.sh` (lines 65-67):
```sh
echo "wpa_passphrase=12345670" >> $CONFIG
echo "ap_pin=12345670" >> $CONFIG
```
In `hostap.sh`, both the WPA passphrase and WPS PIN are hardcoded to the same value `12345670`. This specific value is universally present in WPS brute-force dictionaries and is the first PIN attempted by automated WPS cracking tools. It is not a generated, randomized, or per-device value.
```
$ grep -n "12345670\|ap_pin\|wpa_passphrase" usr/local/bin/wifi_setup.sh usr/local/bin/hostap.sh
usr/local/bin/wifi_setup.sh:503: echo "ap_pin=12345670" >> ${HOST_CONFIG}
usr/local/bin/wifi_setup.sh:517: echo "wpa_passphrase=${passwd}" >> ${HOST_CONFIG}
usr/local/bin/hostap.sh:65: echo "wpa_passphrase=12345670" >>$CONFIG
usr/local/bin/hostap.sh:67: echo "ap_pin=12345670" >>$CONFIG
```
This vulnerability is exploitable during two conditions: first-time device setup and after any factory reset. All YI Home Camera 2 devices share these identical setup-mode credentials, meaning the attack requires no per-device preparation. |
|---|
| المصدر | ⚠️ https://www2.yitechnology.com/support/firmware_home/id/9 |
|---|
| المستخدم | 0rbitingZer0 (UID 96146) |
|---|
| ارسال | 05/03/2026 06:21 PM (3 أشهر منذ) |
|---|
| الاعتدال | 19/03/2026 09:46 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 351767 [Yi Technology YI Home Camera 2 2.1.1_20171024151200 WPA/WPS تشفير ضعيف] |
|---|
| النقاط | 20 |
|---|