Good day. There is such a camera (DS-2CD2345F-IS) branded by the Rostelecom company, how can you install a normal firmware here? I can lay out the dump if someone will be interested in doing this is not a simple matter.
IP camera nearly Hikvision
- Thread starter bagel
- Start date
U-Boot 2010.06 (Dec 06 2017 - 13:10:35)
Check Nand Flash Controller v610 ... found
Special NAND id table Version 1.36
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
Nand total size: 128MB
*** Warning - bad CRC or NAND, using default environment
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
hi3516-vc # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
hi_gpio - set hisilicon gpio states
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftp - tftp - download or upload image via network using TFTP protocol
version - print monitor version
hi3516-vc #
Check Nand Flash Controller v610 ... found
Special NAND id table Version 1.36
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
Nand total size: 128MB
*** Warning - bad CRC or NAND, using default environment
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
hi3516-vc # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
hi_gpio - set hisilicon gpio states
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftp - tftp - download or upload image via network using TFTP protocol
version - print monitor version
hi3516-vc #
U-Boot 2010.06 (Dec 06 2017 - 13:10:35)
Check Nand Flash Controller v610 ... found
Special NAND id table Version 1.36
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
Nand total size: 128MB
*** Warning - bad CRC or NAND, using default environment
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
Set gpio: 142->0
Set gpio: 130->1
Set gpio: 131->1
NAND read: device 0 offset 0x200000, size 0x400000
4194304 bytes read: OK
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-3.4.35
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2552288 Bytes = 2.4 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0
Linux version 3.4.35 (root@runner-8e7d6cd8-project-22-concurrent-0) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v300) ) #1 Wed Dec 6 13:08:54 UTC 2017
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: hi3516a
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 15240
Kernel command line: mem=60M console=ttyAMA0,115200 rootfstype=ramfs mtdparts=hinand:1024K(boot),1024K(tech),4096K(kernel),8192K(app),-(config) hw_type=608
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 60MB = 60MB total
Memory: 53980k/53980k available, 7460k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
vmalloc : 0xc4000000 - 0xff000000 ( 944 MB)
lowmem : 0xc0000000 - 0xc3c00000 ( 60 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.text : 0xc0008000 - 0xc03f8000 (4032 kB)
.init : 0xc03f8000 - 0xc0675b24 (2551 kB)
.data : 0xc0676000 - 0xc06a3d00 ( 184 kB)
.bss : 0xc06a3d24 - 0xc06b8e98 ( 85 kB)
SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
sched_clock: 32 bits at 49MHz, resolution 20ns, wraps every 86767ms
Console: colour dummy device 80x30
Calibrating delay loop... 1196.85 BogoMIPS (lpj=5984256)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Initializing cgroup subsys freezer
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x802fda60 - 0x802fdab8
dummy:
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 40) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 41) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
hi-spi-master hi-spi-master.0: with 1 chip select slaves attached
hi-spi-master hi-spi-master.1: with 3 chip select slaves attached
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource timer0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 105
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
Spi id table Version 1.22
Found Nand Flash Controller V610.
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Nand: MXIC NAND 128MiB 3,3V 8-bit
Nand(HW-Auto): Block:128KB Page:2KB OOB:64B ECC:4bit/512 Chip:128MB*1
5 cmdlinepart partitions found on MTD device hinand
5 cmdlinepart partitions found on MTD device hinand
Creating 5 MTD partitions on "hinand":
0x000000000000-0x000000100000 : "boot"
0x000000100000-0x000000200000 : "tech"
0x000000200000-0x000000600000 : "kernel"
0x000000600000-0x000000e00000 : "app"
0x000000e00000-0x000008000000 : "config"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 53, io mem 0x100b0000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
hisi_i2c hisi_i2c.0: Hisilicon [i2c-0] probed!
hisi_i2c hisi_i2c.1: Hisilicon [i2c-1] probed!
hisi_i2c hisi_i2c.2: Hisilicon [i2c-2] probed!
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
Registering the dns_resolver key type
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
Freeing init memory: 2548K
Check Nand Flash Controller v610 ... found
Special NAND id table Version 1.36
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
Nand total size: 128MB
*** Warning - bad CRC or NAND, using default environment
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
Set gpio: 142->0
Set gpio: 130->1
Set gpio: 131->1
NAND read: device 0 offset 0x200000, size 0x400000
4194304 bytes read: OK
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-3.4.35
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2552288 Bytes = 2.4 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0
Linux version 3.4.35 (root@runner-8e7d6cd8-project-22-concurrent-0) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v300) ) #1 Wed Dec 6 13:08:54 UTC 2017
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: hi3516a
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 15240
Kernel command line: mem=60M console=ttyAMA0,115200 rootfstype=ramfs mtdparts=hinand:1024K(boot),1024K(tech),4096K(kernel),8192K(app),-(config) hw_type=608
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 60MB = 60MB total
Memory: 53980k/53980k available, 7460k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
vmalloc : 0xc4000000 - 0xff000000 ( 944 MB)
lowmem : 0xc0000000 - 0xc3c00000 ( 60 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.text : 0xc0008000 - 0xc03f8000 (4032 kB)
.init : 0xc03f8000 - 0xc0675b24 (2551 kB)
.data : 0xc0676000 - 0xc06a3d00 ( 184 kB)
.bss : 0xc06a3d24 - 0xc06b8e98 ( 85 kB)
SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
sched_clock: 32 bits at 49MHz, resolution 20ns, wraps every 86767ms
Console: colour dummy device 80x30
Calibrating delay loop... 1196.85 BogoMIPS (lpj=5984256)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Initializing cgroup subsys freezer
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x802fda60 - 0x802fdab8
dummy:
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 40) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 41) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
hi-spi-master hi-spi-master.0: with 1 chip select slaves attached
hi-spi-master hi-spi-master.1: with 3 chip select slaves attached
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource timer0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 105
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
Spi id table Version 1.22
Found Nand Flash Controller V610.
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
Nand: MXIC NAND 128MiB 3,3V 8-bit
Nand(HW-Auto): Block:128KB Page:2KB OOB:64B ECC:4bit/512 Chip:128MB*1
5 cmdlinepart partitions found on MTD device hinand
5 cmdlinepart partitions found on MTD device hinand
Creating 5 MTD partitions on "hinand":
0x000000000000-0x000000100000 : "boot"
0x000000100000-0x000000200000 : "tech"
0x000000200000-0x000000600000 : "kernel"
0x000000600000-0x000000e00000 : "app"
0x000000e00000-0x000008000000 : "config"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 53, io mem 0x100b0000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
hisi_i2c hisi_i2c.0: Hisilicon [i2c-0] probed!
hisi_i2c hisi_i2c.1: Hisilicon [i2c-1] probed!
hisi_i2c hisi_i2c.2: Hisilicon [i2c-2] probed!
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
Registering the dns_resolver key type
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
Freeing init memory: 2548K
Suddenly it will be interesting to you, here I am putting the dump
hik2345.bin
hik2345.bin
alastairstevenson
Staff member
The camera pictures look similar to Hikvision - but the firmware does not.
The file is blank - an erased flash dump.
I didn't make much of a mistake
,the dump was two-piece,since I couldn't take it off in one piece,and by mistake I sent an empty one.here is the first slice of putting0hik2345.bin
That's a firmware image file. Open it as an archive using 7-Zip to review the contents.
which file should I open?
This contains the following top-level directories: bin, etc, lib, share. 7-Zip reports some extra data following, so exploring the file with the 'binwalk' python script would probably reveal more information.
for those who understand this, of course, it will give, for me personally, nothing: (, I was only enough for this and then by chance
Attachments
Paging @alastairstevenson, the staff firmware wizard.
alastairstevenson
Staff member
Here is a simple script to split down the flash dump that was attached earlier, based on the partition scheme in the bootlog earlier.
Here are the resulting flash partitions, which seem valid :
And there are multiple references in the (very large) config.part partition to familiar Hikvision configuration options such as smart events
And multiple references to DS-2CD2345FB
Use something like
strings -8 config.part > config_strings.txt
to see the metadata within.
So this is quite intriguing.
Is this Hikvision hardware, but with non-Hikvision firmware?
Code:
#!/bin/sh
# This script holds the steps to unpack the Rostelecom 0hik2345.bin flash dump.
# The offsets will very likely be specific to that version of firmware. There is no attempt to
# use logic to make it universal - it's as much a memory-jogger as anything.
#
# The assumption is the the flash dump follows this partition scheme from the bootlog that @bagel
#posted in the ipcamtalk forum.
# Creating 5 MTD partitions on "hinand":
# 0x000000000000-0x000000100000 : "boot"
# 0x000000100000-0x000000200000 : "tech"
# 0x000000200000-0x000000600000 : "kernel"
# 0x000000600000-0x000000e00000 : "app
# 0x000000e00000-0x000008000000 : "config"
#
dd if=../0hik2345.bin of=boot.part bs=1 count=$((0x100000))
dd if=../0hik2345.bin of=tech.part bs=1 count=$((0x200000-0x100000)) skip=$((0x100000))
dd if=../0hik2345.bin of=kernel.part bs=1 count=$((0x600000-0x200000)) skip=$((0x200000))
dd if=../0hik2345.bin of=app.part bs=1 count=$((0xe00000-0x600000)) skip=$((0x600000))
dd if=../0hik2345.bin of=config.part bs=1 count=$((0x8000000-0xe00000)) skip=$((0xe00000))
#
# The app partition is a squashfs so can be extracted
[ -d app_contents ] && rm -r app_contents/* && rmdir app_contents
unsquashfs -d app_contents app.part
#
#
Code:
file *.part
app.part: Squashfs filesystem, little endian, version 4.0, 5863701 bytes, 115 inodes, blocksize: 65536 bytes, created: Wed Dec 6 13:10:33 2017
boot.part: data
config.part: ISO-8859 text, with very long lines, with no line terminators
kernel.part: u-boot legacy uImage, Linux-3.4.35, Linux/ARM, OS Kernel Image (Not compressed), 2552288 bytes, Wed Dec 6 13:09:00 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x43246FA8, Data CRC: 0x018A4EC9
tech.part: dataAnd multiple references to DS-2CD2345FB
Use something like
strings -8 config.part > config_strings.txt
to see the metadata within.
Code:
"firmware_version":"v0.9.8-b2442 171206","hardware_version":"","mac":"64:db:8b:37:56:15","model":"DS-2CD2345FB","serial":"161082471","soft_meta_version":"","vendor":"Hikvision"}},"device_name":{"value":{"name":"161082471"}}Is this Hikvision hardware, but with non-Hikvision firmware?
Thanks for helping, sir. I don't have binwalk or python set up anywhere at the moment.
yes, yes, yes ... I wanted to convey this to you.....
alastairstevenson
Staff member
Attachments
alastairstevenson
Staff member
That's a pity.
He's been around, and knows a lot - although he is usually reluctant to share the detail ...
... this is his business, he is as close as you
, only speaks Russian.