Unpacking, editing and repacking firmware for Xiong Mai DVRs and IP cameras

Background



I recently purchased an IP camera (Hi3516 chip, 53H20L platform) and a 16-channel hybrid video recorder (Hi3521 chip, MBD6508E) on Aliexpress. Both are built on HiSilicon chipsets, so there are no compatibility problems between them.

Of course, it was not without glitches. The first and most important: WiFi on the camera worked poorly. It could not connect to the network if the key was specified in HEX form, and from time to time there was a problem with the default gateway.

The firmware was old, dating from June. I got hold of some newer firmware builds and tried them. Some were buggy, but one worked fine.

There was another problem: the default password for the telnet connection had been changed. I could not put up with that and started looking for a way to change it back.

I will say up front that this method was tested on DVRs and cameras with HiSilicon chips, but it should work on other platforms as well, since Chinese manufacturers use the U-Boot bootloader extensively.



Unpacking



Unpacking is described in some detail in this article, but the packing process is not described anywhere, which prompted me to write this post.

I have written it out step by step so as not to miss anything:

Install Linux; I chose Ubuntu.

Check the type of the firmware file:

 root@xc:~/firmware# file General_HZXM_IPC_HI3516C_53H20L_V4.02.R11.20131108_ALL.bin
 General_HZXM_IPC_HI3516C_53H20L_V4.02.R11.20131108_ALL.bin: Zip archive data, at least v2.0 to extract


Unpack:

 root@xc:~/firmware# unzip General_HZXM_IPC_HI3516C_53H20L_V4.02.R11.20131108_ALL.bin
 Archive:  General_HZXM_IPC_HI3516C_53H20L_V4.02.R11.20131108_ALL.bin
   inflating: Install
   inflating: u-boot-all.bin.img
   inflating: web-x.cramfs.img
   inflating: custom-x.cramfs.img
   inflating: user-x.cramfs.img
   inflating: romfs-x.cramfs.img
   inflating: logo-x.cramfs.img
   inflating: InstallDesc


Look at the contents of Install:

 {
    "Commands" : [
       "burn custom-x.cramfs.img custom",
       "burn romfs-x.cramfs.img romfs",
       "burn user-x.cramfs.img user",
       "burn logo-x.cramfs.img logo",
       "burn web-x.cramfs.img web"
    ],
    "Devices" : [
       [ "53H20L", "1.00" ]
    ]
 }


InstallDesc:

 {
    "UpgradeCommand" : [
       { "Command" : "Burn", "FileName" : "u-boot-all.bin.img" },
       { "Command" : "Burn", "FileName" : "custom-x.cramfs.img" },
       { "Command" : "Burn", "FileName" : "romfs-x.cramfs.img" },
       { "Command" : "Burn", "FileName" : "user-x.cramfs.img" },
       { "Command" : "Burn", "FileName" : "web-x.cramfs.img" },
       { "Command" : "Burn", "FileName" : "logo-x.cramfs.img" }
    ],
    "Hardware" : "53H20L",
    "Vendor" : "General"
 }


The name u-boot-all suggests that the .img files are U-Boot bootloader images, so install the corresponding package:

 root@xc:~/firmware# apt-get install u-boot-tools 


Look at the files that were in the archive:

 root@xc:~/firmware# file u-boot-all.bin.img
 u-boot-all.bin.img: u-boot legacy uImage, linux, Linux/ARM, Firmware Image (gzip), 524288 bytes, Fri Nov 8 05:15:49 2013, Load Address: 0x00000000, Entry Point: 0x00080000, Header CRC: 0x8A551AA8, Data CRC: 0x8290AD90
 root@xc:~/firmware# file romfs-x.cramfs.img
 romfs-x.cramfs.img: u-boot legacy uImage, linux, Linux/ARM, OS Kernel Image (gzip), 4100096 bytes, Fri Nov 8 05:16:04 2013, Load Address: 0x00080000, Entry Point: 0x00580000, Header CRC: 0xD16AC90F, Data CRC: 0x54CDD868
 root@xc:~/firmware# file user-x.cramfs.img
 user-x.cramfs.img: u-boot legacy uImage, linux, Linux/ARM, OS Kernel Image (gzip), 7602112 bytes, Fri Nov 8 05:16:02 2013, Load Address: 0x00580000, Entry Point: 0x00CC0000, Header CRC: 0x106C19AD, Data CRC: 0x6D54ADA7
 root@xc:~/firmware# file web-x.cramfs.img
 web-x.cramfs.img: u-boot legacy uImage, linux, Linux/ARM, Standalone Program (gzip), 1572800 bytes, Fri Nov 8 05:15:51 2013, Load Address: 0x00CC0000, Entry Point: 0x00E40000, Header CRC: 0x87611FE5, Data CRC: 0x6BD90EBD
 root@xc:~/firmware# file custom-x.cramfs.img
 custom-x.cramfs.img: u-boot legacy uImage, linux, Linux/ARM, Standalone Program (gzip), 262080 bytes, Fri Nov 8 05:15:49 2013, Load Address: 0x00E40000, Entry Point: 0x00E80000, Header CRC: 0xF7C82692, Data CRC: 0x5A27F74C
 root@xc:~/firmware# file logo-x.cramfs.img
 logo-x.cramfs.img: u-boot legacy uImage, linux, Linux/ARM, Standalone Program (gzip), 262080 bytes, Fri Nov 8 05:15:47 2013, Load Address: 0x00E80000, Entry Point: 0x00EC0000, Header CRC: 0x4FE4A821, Data CRC: 0xF6671BD1


Pay attention to two parameters: Load Address and Entry Point. The first time I built an image I forgot to specify them, so they defaulted to zero, and that is the address of the bootloader, which was overwritten when the firmware was flashed! Because of this I spent an extra hour on recovery: I had to take the camera down from outdoors, disassemble it, and restore the firmware with a programmer. (Opening the camera was not wasted effort, though: I put a bag of silica gel in the housing to absorb any moisture from the air.)



Now a little explanation: the .img file in this firmware is a slightly modified cramfs file system image. More detail can be read here. To bring the image back to its normal form, cut off the 64-byte header.

 root@xc:~/firmware# dd bs=1 skip=64 if=logo-x.cramfs.img of=logo-x.cramfs
 262080+0
 262080+0
 262080 (262 kB), 0,891322 c, 294 kB/c


The commands for the remaining files are similar.

Check the result:

 root@xc:~/firmware# file logo-x.cramfs
 logo-x.cramfs: Linux Compressed ROM File System data, little endian size 28672 version #2 sorted_dirs CRC 0xe29e6340, edition 0, 199 blocks, 2 files


Now it looks like cramfs. To work with cramfs images, install or update the corresponding package:

 root@xc:~/firmware# apt-get install cramfsprogs 


Unpack the images:

 root@xc:~/firmware# cramfsck -x logo logo-x.cramfs
 root@xc:~/firmware# cramfsck -x user user-x.cramfs
 root@xc:~/firmware# cramfsck -x romfs romfs-x.cramfs
 root@xc:~/firmware# cramfsck -x web web-x.cramfs
 root@xc:~/firmware# cramfsck -x custom custom-x.cramfs


I do not create directories, they will be created automatically.

Do not unpack the bootloader: it is not a cramfs image, and there is no need to touch it anyway.



What's inside



I’ll quickly run through the contents of each file inside the firmware archive:



We are interested in romfs-x.cramfs.img, since that is where the passwd file with the stored password is located. Here are its contents, for anyone who wants to try their hand at it:

 root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh 


I simply generated a new hash on a website and replaced it in the file.


Putting it back



After making your changes, pack everything back up:

 root@xc:~/firmware# mkcramfs romfs romfs-x.cramfs
 Directory data: 3624 bytes
 Everything: 4004 kilobytes
 Super block: 76 bytes
 CRC: 28c62b9b


Remember that I drew attention to the Load Address and Entry Point values? Now is the time to recall them and add them to the command.

Create a U-boot image:

 root@xc:~/firmware# mkimage -A arm -O linux -T ramdisk -n "linux" -e 0x00580000 -a 0x00080000 -d romfs-x.cramfs romfs-x.cramfs.img
 Image Name:   linux
 Created:      Fri Feb 21 14:27:38 2014
 Image Type:   ARM Linux RAMDisk Image (gzip compressed)
 Data Size:    4100096 Bytes = 4004.00 kB = 3.91 MB
 Load Address: 00080000
 Entry Point:  00580000
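The 64-byte header that dd strips during unpacking and mkimage writes back is where Load Address and Entry Point live, so a rebuilt image can be compared with the stock one before it is flashed. The sketch below is an added example, not code from the original post: the function names are hypothetical, the sample payload is constructed, and the fit check assumes Load Address..Entry Point bounds the flash region (in the listing above each Entry Point equals the next image's Load Address).

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # ih_magic of a legacy U-Boot image
HEADER = struct.Struct(">7I4B32s")   # 64 bytes, every field big-endian

def parse_uimage(blob):
    """Return (header fields, payload) after verifying both CRCs."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, itype, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy uImage")
    # The header CRC is computed with its own field zeroed.
    if zlib.crc32(blob[:4] + bytes(4) + blob[8:HEADER.size]) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[HEADER.size:HEADER.size + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    fields = {"load": load, "entry": entry, "size": size, "type": itype,
              "name": name.rstrip(b"\0").decode("ascii", "replace")}
    return fields, payload

def build_uimage(payload, load, entry, itype=3, name=b"linux"):
    """Constructed-sample helper: lay out a header the way mkimage does."""
    # os=5 (Linux), arch=2 (ARM), comp=1 (gzip); itype 2=kernel, 3=ramdisk
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
              zlib.crc32(payload), 5, 2, itype, 1, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload

def check_repack(original, rebuilt):
    """List the reasons `rebuilt` must not replace `original` on flash."""
    old, _ = parse_uimage(original)
    new, _ = parse_uimage(rebuilt)
    problems = [f"{k}: {new[k]:#010x}, expected {old[k]:#010x}"
                for k in ("load", "entry") if new[k] != old[k]]
    # Assumption: load..entry is the flash region, header included.
    if HEADER.size + new["size"] > old["entry"] - old["load"]:
        problems.append("image does not fit its flash region")
    return problems

if __name__ == "__main__":
    cramfs = bytes.fromhex("453dcd28") + bytes(4092)   # constructed payload
    stock = build_uimage(cramfs, 0x00080000, 0x00580000, itype=2)
    forgot = build_uimage(cramfs, 0, 0)                # no -a / -e given
    print(check_repack(stock, forgot))
    print(check_repack(stock, build_uimage(cramfs, 0x00080000, 0x00580000)))
```

On real files, read the stock and rebuilt romfs-x.cramfs.img in binary mode and pass their bytes to `check_repack`; an empty list means the addresses match and the image fits.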


By the way, to update a single module it is not necessary to flash the whole firmware. It is enough to include only the module you need and edit the Install and InstallDesc files, leaving only the relevant lines.

Put the resulting files in a separate directory, say new, and run:

 root@xc:~/new# zip -D -X firmware.bin *
   adding: Install (deflated 22%)
   adding: InstallDesc (deflated 30%)
   adding: romfs-x.cramfs.img (deflated 0%)
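For the single-module update described above, the trimmed Install and InstallDesc and a consistency check of the finished archive can be sketched as follows. This is an added example, not code from the original post: the function names are hypothetical, the manifests are copied from the listings above, the image body is a constructed placeholder, and how the device's updater reacts to a mismatch is not described on the page.

```python
import io
import json
import zipfile

# Manifests as listed on this page for the 53H20L camera firmware.
INSTALL = {"Commands": ["burn custom-x.cramfs.img custom",
                        "burn romfs-x.cramfs.img romfs",
                        "burn user-x.cramfs.img user",
                        "burn logo-x.cramfs.img logo",
                        "burn web-x.cramfs.img web"],
           "Devices": [["53H20L", "1.00"]]}
NAMES = ["u-boot-all.bin.img", "custom-x.cramfs.img", "romfs-x.cramfs.img",
         "user-x.cramfs.img", "web-x.cramfs.img", "logo-x.cramfs.img"]
INSTALL_DESC = {"UpgradeCommand": [{"Command": "Burn", "FileName": n}
                                   for n in NAMES],
                "Hardware": "53H20L", "Vendor": "General"}

def trim_manifests(install, desc, keep):
    """Copies of Install / InstallDesc that name only the images in `keep`."""
    cmds = [c for c in install["Commands"] if c.split()[1] in keep]
    ups = [u for u in desc["UpgradeCommand"] if u["FileName"] in keep]
    return {**install, "Commands": cmds}, {**desc, "UpgradeCommand": ups}

def pack(install, desc, images):
    """Build the update archive in memory (same layout as the zip step)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Install", json.dumps(install, indent=3))
        z.writestr("InstallDesc", json.dumps(desc, indent=3))
        for name, data in images.items():
            z.writestr(name, data)
    return buf.getvalue()

def audit_archive(zip_bytes):
    """Mismatches between the manifests and the images actually packed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        packed = set(z.namelist()) - {"Install", "InstallDesc"}
        inst = json.loads(z.read("Install"))
        desc = json.loads(z.read("InstallDesc"))
    burned = {c.split()[1] for c in inst["Commands"]}
    listed = {u["FileName"] for u in desc["UpgradeCommand"]}
    return ([f"{n}: named in a manifest but not packed"
             for n in sorted((burned | listed) - packed)] +
            [f"{n}: packed but not named in InstallDesc"
             for n in sorted(packed - listed)])

if __name__ == "__main__":
    one = {"romfs-x.cramfs.img": b"constructed placeholder, not an image"}
    print(audit_archive(pack(*trim_manifests(INSTALL, INSTALL_DESC, one), one)))
```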


That is all, the firmware is ready. All that remains is to flash it through the update item in the web interface.



Warning



If you follow the recommendations in this article, you do so at your own risk. The author is not responsible for your actions. A mistake made while modifying the firmware can easily leave you with a brick that can only be restored with a programmer. So if you are not sure of what you are doing, do not do it.



Links



Getting a root shell on Vesta IP cameras and more

GNU/Linux and a Rockchip 2918 device

Hacking RAM disks

Source: https://habr.com/ru/post/213411/


