Root password for Planet ICA-150 - nw38R87EEnbZA

In autumn 2007 I bought Planet ICA-150 and discover it running on Linux. Through flaw in the web interface I get /etc/passwd file and so for curiosity I take spare machine and run John The Ripper on it. And ...

837:09:30:43 - Switching to length 8
837:09:30:43 - Expanding tables for length 8 to character count 61
837:09:30:43 - Trying length 8, fixed @3, character count 61
839:19:41:01 + Cracked root
... after 839 days password was cracked.

I used John with MPI patch on Intel(R) Xeon(R) CPU 3050 @ 2.13GHz which is dual core CPU and I get ~3.5 mio/s DES keys. After 839 days John tried 253 713 600 000 000 hashes from 281 474 976 710 656 (2^48) total. So ~90% key space searched.

Camera have nice backdoor for opening telnet daemon, try this in browser:

And you get: Open Telnet Daemon successfully! So now you can telnet on it.
[root@server ~]# telnet cam
Connected to cam.
Escape character is '^]'.

PL010203 login: root
Password: 2xVpIAk6
root login  on `ttya0'
ASH is running

Mission done.

Create custom firmware would be faster but no firmware for ICA-150 was released and simply run John is not 'eating my time' task. And of course, I do not really need root access on my camera, but I like possibilities :-)