Busybox root for IPC-G42P-IMOU, Firmware version Eng_P_V2.680.0000000.24.R.20210309 [+Modded Firmware]

drebsdorf

drebsdorf

n3wb
Jul 9, 2021
6
18
Earth
Hello,

Recently got myself a Dahua / IMOU camera, and since I got so much fine information from here I figured i'd give some back.
model: IPC-G42P-IMOU
fw : Eng_P_V2.680.0000000.24.R.20210309

So here's how you can get into a busybox shell on these.


# Step 1
Attach to serial hardware, thanks to the FCC for providing these photos. You open the camera by popping off the front black bezel around the lense.
fcc-serial.png
# Step 2
Smash '*' during boot to get to u-boot console

# Step 3 run these commands (to enable single user mode)
Code: 
printenv    (you should save this output in a safe place)

setenv appauto 0
setenv dh_keyboard 0
setenv bootargs mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M single
saveenv

# Step 4 (might be a smarter way to do this)
Smash the HWID environment variable
Note, this is just something i stumbled on, not sure what you actually need to put on the end for it to crash.

NOTE : There's a space after the last chars \&\"
Code: 
setenv  HWID IPC-G42P-IMOU:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100\"\& ls \&\" 
boot

Boot procedure uses the HWID to lookup bootargs, if HWID isnt found it will default to using u-boot bootargs.
The default bootargs can be found in partition-x.cramfs\bootargsParameters.txt

Code: 
#每行参数以\结束 每行以回车结束
#bootargs参数放在""中
#hwid     bootargs参数
IPC-TF26-S2:01:02:0F:60:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-TD26-S2:01:02:0F:60:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-TG26E:01:02:02:60:2B:00:01:10:01:01:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"

IPC-D1B20P-W:01:02:05:7F:2B:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-B1B20P-W:01:02:03:7F:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-TG26C:01:02:03:7F:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-D1B40P-W:01:02:05:73:30:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"
IPC-B1B40P-W:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"
IPC-TG46C:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"

IPC-G22N-IMOU:01:02:03:7F:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-D22P-IMOU:01:02:05:7F:2B:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-G42P-IMOU:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"
IPC-D42P-IMOU:01:02:05:73:30:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"
IPC-G22MP-0280B:01:02:03:7F:2B:00:01:10:00:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-G42MP-0280B:01:02:03:73:30:00:01:10:00:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"

IPC-G26E:01:02:02:60:2B:00:01:10:01:01:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-HFW1235S-W:01:02:01:7F:2B:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"

IPC-HDBW1235E-W-S2:01:02:05:60:2B:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-HDBW1435E-W-S2:01:02:05:73:30:00:01:00:00:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"
IPC-HFW1235S-W-S2:01:02:03:60:2B:00:01:10:00:00:04:320:00:02:00:00:00:00:00:00:80\    "mem=128M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=50M"
IPC-HFW1435S-W-S2:01:02:03:73:30:00:01:10:00:00:04:320:00:02:00:00:00:00:00:00:100\    "mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs cma=106M"


You will be dropped into a nice signed securebooted busybox shell. (I cant get it to run any unsigned binaries)

To stop the watchdog from resetting the device you can go through the boot process with these commands:

Code: 
/bin/mount -t proc /proc /proc
/etc/init.d/dnode
/etc/init.d/rcS

/usr/bin/sonia --help

Running Sonia with parameters seems to allow it to boot properly
Once Sonia has booted, you can exit it with Ctrl+C

And thats it, root, and you wont get reset automaticly.

Code: 
BusyBox v1.18.4 (2021-01-30 16:34:43 CST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: busybox --list[-full]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, arp, arping, ash, awk, bash, brctl, cat, chgrp, chmod, chown,
        chroot, cp, cut, date, df, dhcprelay, dmesg, du, dumpleases, echo,
        egrep, eject, env, fdisk, fgrep, find, flash_eraseall, free, fsync,
        getty, grep, halt, head, ifconfig, ifenslave, inetd, init, insmod, ip,
        ipaddr, iplink, iproute, iprule, iptunnel, kill, killall, killall5,
        less, linuxrc, ln, login, ls, lsmod, lspci, lsusb, lzcat, lzma, mdev,
        mkdir, mknod, modinfo, more, mount, mv, netstat, nice, ping, ping6,
        pkill, poweroff, printenv, ps, pwd, reboot, rm, rmdir, rmmod, route,
        sed, seq, sh, sleep, stat, sync, tail, tcpsvd, test, top, touch,
        ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol,
        udhcpd, udpsvd, umount, uname, unlzma, unzip, vi, who, whoami

/bin # help
Built-in commands:
------------------
        . : alias bg break cd chdir continue eval exec exit export false
        fg hash help jobs kill let local pwd read readonly return set
        shift source times trap true type ulimit umask unalias unset
        wait


Notes :
dd has been removed from busybox

Mount SDCard:
Code: 
insmod /usr/lib/modules/fat.ko
insmod /usr/lib/modules/vfat.ko
insmod /usr/lib/modules/sdcard.ko
mount -t vfat -o rw,nodev,noatime,nodiratime,fmask=0020,dmask=0020,allow_utime=0002,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/mmc0p1 /mnt/sd

Mount NFS share:
# On raspbian or other distro

# Install nfs service
sudo apt-get install nfs-kernel-server
# Configuring nfs
sudo vim /etc/exports
# Create data directory
mkdir /home/pi/rootfs
# Add the following line to export and exit the save
/home/pi/rootfs *(rw,sync,no_root_squash,no_subtree_check)

# Restart nfs service (may need to reboot first)
sudo /etc/init.d/nfs-kernel-server restart


# In camera busybox console
mount -t nfs -o nolock 192.168.1.104:/home/pi/rootfs/ /mnt/tmp
Click to expand...

Read all U-boot environment variables:

Code: 
# Read all
/usr/sbin/systools armbenv -r

# Write HWID to flash
/usr/sbin/systools armbenv -s HWID IPC-G42P-IMOU:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100


Now from here, I can't really see any options to get further. Bootloader and Kernel seem impenetrable.
 
Last edited:
  • Like
Reactions: iTuneDVR, sina55555, kobebeef and 2 others
As it turns out, once booted the firmware isnt running any verification, other than verifying the signature of the flash on boot.

So I extracted the filesystem from the identical Dahua branded version of the camera, which you can download the firmware for.
DH_IPC-Consumer-Web-Mao-Eris2_EngSpnPrt_P_V2.680.0000000.24.R.210309

And I placed it on my PI as an NFS filesystem as described above. (you just extract the .binwith 7zip and then unsquash the rootfs with sudo unsquashfs on the pi to preserve unix file permissions)

Once you've changed the bootargs, and get to the busybox shell, you can do this to chroot into the NFS filesystem, where you can replace the binaries and do a nanddump / dd of the flash (which ive done)

You then run these commands to boot up into chroot
Code: 
/etc/init.d/dnode

# Mounts UbiFS
cat /proc/BootInfo/fsmountcmd >> /var/script
chmod 777 /var/script
/var/script
rm /var/script

ln -s /dev/ttyS0 /dev/mytty

mkdir -p /var/tmp

mkdir -p /mnt/mtd/Config /mnt/mtd/Log /mnt/backup/Config /mnt/mtd/Config/ppp /mnt/mtd/3A /var/tmp
mkdir -p /mnt/backup/debug
mkdir -p /var/tmp/autoFix

touch /mnt/mtd/Config/ppp/options
touch /mnt/mtd/Config/ppp/pppoe-enable
touch /mnt/mtd/Config/ppp/pap-secrets
touch /mnt/mtd/Config/ppp/pppoesessionctx
touch /mnt/mtd/Config/ppp/pppoe-redial_time
touch /mnt/mtd/Config/dial-ip

cd /usr/lib/modules

insmod osa.ko
insmod log.ko

insmod binder.ko r0size=16 r2size=320

insmod prc.ko
insmod mxml.ko

mkdir -p /var/custom/pdcConfig
unzip -o /mnt/pd/pdcConfig.zip -d /var/custom/pdcConfig > /dev/null
#unzip -o /usr/data/pdcConfig.zip -d /var/custom/pdcConfig > /dev/null  # cant open, same as normal
cp -f /var/custom/pdcConfig/IPC-G42P-IMOU/* /var/custom/pdcConfig/

cp -f /var/custom/pdcConfig/IPC-HFW1435S-W-S2/* /var/custom/pdcConfig/

insmod pdc.ko
rm -r /var/custom/pdcConfig/*/

touch /tmp/enc2app_data
touch /tmp/enc2app_cmd
touch /tmp/cmd_shmarea
touch /tmp/myencodemsg

/sbin/syshelper 300 mlock &
/usr/bin/RPCserver &

insmod /usr/lib/modules/mii.ko
insmod /usr/lib/modules/kdrv_emac.ko

mkdir -p /dev/socket

# Property and uEventd services
/usr/sbin/property_service & /usr/sbin/ueventd &
#init: Unable to open persistent property directory /data/property errno: 2  <this is normal for boot or broken boot>

# Bring up ethernet now that we have modules loaded to read macaddress
ifconfig lo up
netinit if=eth0 default
netinit6 if=eth0

# Mount NFS filesystem to the fittingly provided nfs folder
mount -t nfs -o nolock 192.168.1.104:/home/pi/rootfs/ /nfs
# CHROOT into NFS filesystem on network
mount -t proc none /nfs/squashfs-root/proc
mount -o bind /dev /nfs/squashfs-root/dev
mount -o bind /dev/root /nfs/squashfs-root/dev/root
mount -o bind /sys /nfs/squashfs-root/sys
mount -o bind /dev/pts /nfs/squashfs-root/dev/pts
mount -o bind /var /nfs/squashfs-root/var
mount -o bind /mnt/pd /nfs/squashfs-root/mnt/pd
mount -o bind /mnt/web /nfs/squashfs-root/mnt/web
mount -o bind /mnt/syslog /nfs/squashfs-root/mnt/syslog
mount -o bind /mnt/mtd /nfs/squashfs-root/mnt/mtd
mount -o bind /mnt/backup /nfs/squashfs-root/mnt/backup
mount -o bind /nfs /nfs/squashfs-root/nfs
chroot /nfs/squashfs-root/

There's no flow control, so they can be tricky to copy paste, no copy pasting of newlines is allowed.
And you only have a limited time before the watchdog resets the system
So I made a powershell script that will do it for me without fucking it up.

Use a serial console to get into uboot, then close it.
Edit the script and change the port to whatever your Serial runs on, then run it
Press enter slowly, wait for the previous one to stop running.
Script will exit once its put you into chroot

Once there I've put a file called 'loadcam' into the nfs filesystem under '/etc/init.d/'
This will bring up everything but Sonia, which you can just uncomment.

Run the script with

ash -x /etc/init.d/loadcam

Code: 
#! /bin/sh
mkdir -p /dev/graphics
ln -sf /dev/fb0  /dev/graphics/fb0
ln -sf /dev/fb1  /dev/graphics/fb1  
ln -sf /dev/fb2  /dev/graphics/fb2

setprop mi.vi.src 0
setprop mi.osd.gop.use 0
setprop mi.vi.img.autoflash 0
setprop mi.vi.bufcnt 3
setprop mi.venc.bufcnt 1

#fix dmem
echo 0 > /sys/class/mstar/msys/dmem_realloc

setprop mi.venc.bufratiofhd 40
setprop mi.venc.img.bufratio 40

echo 0 > /var/tmp/JiLian_cab
echo 1000000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

setprop mi.vi.sub.width 704
setprop mi.vi.sub.height 576

setprop mi.venc.bufratio3m 40
setprop mi.venc.bufratio4m 35
setprop mi.venc.bufcnt 10
setprop mi.vi.bufcnt 4
setprop mi.vi.sub.bufcnt 4
setprop mi.vi.img.sub 0

echo 4 > /sys/class/mstar/mmfe/clk

echo performance > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
      
setprop mi.venc.disable.dec.sei 1

setprop mstar.omx.avqe.stereomode 1

echo 0 > /var/tmp/wifi_cab

unzip -o -d /var/tmp /mnt/pd/product.zip > /dev/null
mkdir /var/Cameras
cp -f /mnt/pd/Cameras/* /var/Cameras

mkdir -p /var/tmp/pd

cp -f /var/tmp/product/ProductTransform /var/tmp/pd/

insmod /usr/lib/modules/fat.ko
insmod /usr/lib/modules/vfat.ko
insmod /usr/lib/modules/sdcard.ko

eval product="IPC-G42P-IMOU"
eval aewcfg="IPC-B1B40-OV4689"
eval wifi=2

insmod /usr/lib/modules/cfg80211.ko
insmod /usr/lib/modules/usb-common.ko
insmod /usr/lib/modules/usbcore.ko
insmod /usr/lib/modules/ehci-hcd.ko
  
insmod /usr/lib/modules/8188fu.ko rtw_channel_plan=0x05

echo 256 > /var/tmp/memsize

cp -f /usr/data/2Acfg/IPC-B1B40-OV4689/isp_para.bin /var/tmp/isp_para.bin
cp -f /usr/data/2Acfg/IPC-B1B40-OV4689/awb_wgt_para.bin /var/tmp/awb_wgt_para.bin
cp -f /usr/data/2Acfg/IPC-B1B40-OV4689/icr_para.bin /var/tmp/icr_para.bin
cp -f /usr/data/2Acfg/IPC-B1B40-OV4689/ae_eyeBot_para.bin /var/tmp/ae_eyeBot_para.bin

cp -f /var/tmp/product/IPC-G42P-IMOU/*  /var/tmp/pd/
cp -f /var/tmp/product/IPC-HFW1435S-W-S2/*  /var/tmp/pd/

rm -rf /var/tmp/product

echo 100 > /proc/sys/vm/dirty_writeback_centisecs
echo 500 > /proc/sys/vm/dirty_expire_centisecs
echo 50 > /proc/sys/vm/vfs_cache_pressure
echo 30 > /proc/sys/vm/swappiness
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 10 > /proc/sys/vm/dirty_ratio
echo "/home/core-%e-%p-%t" > /proc/sys/kernel/core_pattern
echo 90 > /proc/sys/vm/overcommit_ratio
echo 1 > /proc/sys/vm/overcommit_memory
echo 2 >  /proc/sys/net/ipv4/tcp_early_retrans
echo 1 >  /proc/sys/net/ipv4/tcp_mtu_probing
echo  512 > /proc/sys/vm/min_free_kbytes
echo "256 512 32" > /proc/sys/vm/lowmem_reserve_ratio

echo 3145728 >/proc/sys/net/core/wmem_default
echo 4194304 >/proc/sys/net/core/wmem_max
echo 4096 3145728 4194304 >/proc/sys/net/ipv4/tcp_wmem

echo f > /proc/osa_root/pdc/pdcWdt

setprop mstar.omx.avqe.aecsupmodeband "12 24 36 48 60 72"
setprop mstar.omx.avqe.aecmode "8 8 8 8 8 8 8"

mount -t vfat -o rw,nodev,noatime,nodiratime,fmask=0020,dmask=0020,allow_utime=0002,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/mmc0p1 /mnt/sd


# Interactive
# /usr/bin/sonia AEWB

#/usr/bin/sonia AEWB & /bin/busybox ash

# Non-Interactive
#/usr/bin/sonia AEWB 2>/dev/null 1>/dev/null

# super Non-Interactive

#/usr/bin/sonia AEWB 2>/dev/null 1>/dev/null &

Attached i've put a busybox that ive just compiled on my raspberry pi, with no recard for toolchains or anything. But you can grab one thats been compiled for the MSTAR cpu somewhere around this forum.
It works fine for dumping the nand, but not all symlinks are present, think its 'busybox --listall' to get a list of all the commands compiled

Code: 
# Read
busybox nanddump -f /nfs/mtd4test.bin /dev/mtd4

# Write
busybox nandwrite /dev/mtd4 /nfs/mtd4test.bin

I've tested the above with no issues.

What I would like to do now, is to reverse engineer sonia, so make a valid request to download a copy of the current firmware binary.

Code: 
Host: updatev2.easy4ipcloud.com:443
X-Date: 20210702T192431Z
Content-MD5: MDk2NjM3QjlBMzdEOERFRTU3NjhBQjlDN0FCNjlBQUQ=
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="DHUPGRADE-V1\6K00168PAZ69E96", PasswordDigest="7FmMZaOHlV7Oza6g6YIkP0GjtQnM1OP/2Cnw0vYbQQc=", Nonce="MjAyMTA3MDJUMTkyNDMxWjI=", Created="20210702T192431Z"
Content-Type: application/json
Content-Length: 355
X-LC-Version: 2.1.0

{
   "SWVersion" : "2.680.0000000.24.R.210309",
   "build" : "2021-03-09 18:52:50",
   "class" : "",
   "language" : "EngPrtSpn",
   "serial" : "IPC-G42P-IMOU:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100",
   "sn" : "6K00168PAZ69E96",
   "standard" : "P",
   "tag1" : "",
   "tag2" : "",
   "usingLanguage" : "",
   "vendor" : "OEM"
}
(I dont see a reason to censor any serials, this cam will never see the internet)

Or, figure out if the chip verifies the uboot bootloader. Bought an identical camera and ordered a SPI flash reader and a couple of extra nand chips.

I couldnt move the PD partition from one camera to the other, but that might be ECC bad block related. Have yet to try flashscp that was compiled for the unbricking thread.

Anyway, here's wonderwall.

EDIT !!! The firmware dump in the zip file, is from an older version of the firmware that my 2nd camera had, so maybe dont try and flash it anyone
 

Attachments

Last edited:
  • Like
Reactions: iTuneDVR, VorlonFrog and sina55555
Found out you can use from Dahua Firmware Mod Kit + Modded Dahua Firmware to flash the nand without ECC badblock problems,
This just means they're using the same key for signing across versions (and models)

Flashed the pd-x.squashfs (mtd4) nanddump from my 2nd camera onto the one running the latest firmware P_V2.680.0000000.24.R.210309, and boot verified the flash.

Has anyone succesfully downgraded the bootloader on any MSTAR Armv7 board?
Im starting to think maybe they didnt bother with efuses for signing the bootloader, so we could replace the pubkey and just sign our own updates. Or just grab the bootloader from something very similar, say the MStar-Yi ? Which I also grabbed some compiled binaries from to play with.


Attached are the config files for the modkit (obviously dosnt work to create firmwares, cuz signing) it is able to extract and repack the firmware.
I then extract the .bin file and flashed the pd-x.squashfs.img file with uboot : run pd (which tftp's the pd-x.squashfs.img and flashes it)
Change anything and I get an error saying:
Code: 
[ERR0002:]The img header be changed!

So either the CRC or Header or whatever is incorrect, or the error message actually means its checked the signing of it.
Unfortunately, dissasembling the ~800kb uboot image is a steep learning curve so I can't figure out how its actually supposed to work.
 

Attachments

Last edited:
  • Like
Reactions: sina55555
drebsdorf said:
Found out you can use from Dahua Firmware Mod Kit + Modded Dahua Firmware to flash the nand without ECC badblock problems,
This just means they're using the same key for signing across versions (and models)

Flashed the pd-x.squashfs (mtd4) nanddump from my 2nd camera onto the one running the latest firmware P_V2.680.0000000.24.R.210309, and boot verified the flash.

Has anyone succesfully downgraded the bootloader on any MSTAR Armv7 board?
Im starting to think maybe they didnt bother with efuses for signing the bootloader, so we could replace the pubkey and just sign our own updates. Or just grab the bootloader from something very similar, say the MStar-Yi ? Which I also grabbed some compiled binaries from to play with.


Attached are the config files for the modkit (obviously dosnt work to create firmwares, cuz signing) it is able to extract and repack the firmware.
I then extract the .bin file and flashed the pd-x.squashfs.img file with uboot : run pd (which tftp's the pd-x.squashfs.img and flashes it)
Change anything and I get an error saying:
Code: 
[ERR0002:]The img header be changed!

So either the CRC or Header or whatever is incorrect, or the error message actually means its checked the signing of it.
Unfortunately, dissasembling the ~800kb uboot image is a steep learning curve so I can't figure out how its actually supposed to work.
Click to expand...
yes. this modkit tool can not make new crc check and also hwid is important...
but i don't understand that this data signature is on whole of firmware or just one specific partition like pd-x.squashfs...
 
So here's something really fun.

The Dahua Firmware Mod Kit can create valid partition images (or the partition-x.cramfs block isnt validated) This is where the bootargs are stored.

You're just not allowed to flash the image with tftp :p

Unpacked the DH_IPC-Consumer-Web-Mao-Eris2_EngSpnPrt_P_V2.680.0000000.24.R.210309.zip with the modkit


Code: 
sudo python3 ./extract.py -c IPC-G42 ../DH_IPC-Consumer-Web-Mao-Eris2_EngSpnPrt_P_V2.680.0000000.24.R.210309.bin
Changed the bootargs in the textfiles in partition-x.cramfs.img, to the ones from my mtd3 dump.
And built the firmware.bin

Code: 
sudo python3 ./build.py -c IPC-G42 DH_IPC-Consumer-Web-Mao-Eris2_EngSpnPrt_P_V2.680.0000000.24.R.210309.bin.extracted

Grabbed the 'partition-x.cramfs.img.raw' file from the build folder, and flashed it with :
Code: 
flashcp /nfs/partition-x.cramfs.img.raw /dev/mtd3

And now it automaticly boots into busybox. Without having to fiddle with the HWID.
Now its just a matter of building a really good init command and root could be made pseudo permanent.
 

Attachments

  • Like
Reactions: sina55555 and Mike A.
I've done it, persistent root, dropbear, on a 2021 RSA signed firmware

Port : 24
username: dahua
password: passw0rd

bootcmd1.png

Since the "partition" partition isnt verified, ive modified it to split the 32mb romfs partition into two parts.
And changed the mount_cmd's so it will chroot into the second custom filesystem, and continue booting as normal.

It boots, verifies the romfs, loads the kernel, executes init, and then the mount_cmd's take over, mounting the 'hacfs' and booting into it.

bootcmd2.png
RSA.png SSH.png



To install it, you need to follow the above posts, to boot into an NFS copy of the filesystem.
Then run these two commands, and reboot:

Code: 
# Flash partition and mount_cmd's
flashcp -v /nfs/mtd3-partition-x.cramfs_chroot_dropbear_passw0rd.img.raw /dev/mtd3
# Flash 32mb romfs, with two filesystems
flashcp -v /nfs/mtd7-dual-fs-romfs-x.squashfs.img.raw /dev/mtd7

# boot to uboot
setenv appauto 1
saveenv

To build your own filesystem, you can start with one of the mtd7 dumps ive posted above, or use the one attached here, where ive modded the bootscripts a little. And added dropbear and busybox executeables.
You will need to patch it so the passwd and passwd- files are symlinks, and point to somewhere writeable. I put the passwd files into /etc/pw/ and on boot copy them to /var/pw/, or we cant add user and set the password.
I've forked Botox's firmware modkit here GitHub - TAz00/Dahua-Firmware-Mod-Kit: Unpack and repack Dahua IP camera firmware upgrade images. so anyone can use the config file. I wont commit it to branch, because it dosnt produce valid firmwares, only valid .raw flashable files.


Some stats:
76 different .txt files with notes, bootlogs, commands
6 different mstar sdks
11Gb of total collected data
3-4 weeks of spare time spent

Fun times :p
 

Attachments

  • Like
Reactions: iTuneDVR, Fri.K, sina55555 and 3 others
After entering the shell command using SSH.
Enter Dahua employee number again.
There will be a QR Code.
Scan the QR Code with your mobile phone and you will get a URL.
FD34.jpg

Then enter the password of your Dahua employee number.
successfully logged in.

20221101091518.png

Enter "armbenv -r" to view the env value.
a2.jpg

Enter "ps -ef" to see the running process.
a33.png


Enter "debug watchdog 0" to turn off the watchdog.
Enter "debug" again to confirm whether it is disabled.
dog.png


SSH KEY etc.zip
 

Attachments

Last edited:
Just as an FYI, for newer cameras, using ls to break the hardware id does not work, but running busybox directly does. Likewise, rcS hijacks things so you need to manually do some of the things it does but not all of them...too lazy to outline it all.

Code: 
setenv  HWID IPC-G42P-IMOU:01:02:03:73:30:00:01:10:01:00:04:320:00:02:00:00:00:00:00:00:100\"\& bash \&\"

I have an ASH41 which is actually a Dahua (Imou) IPC-A42-D-imou. The chip is supported by openipc but I'm not really willing to port it right now. Does anyone know how to configure the wifi on one of these stupid "cloud" amcrest cameras without using their app and the internet?

I can share rom dumps if anyone needs them.
 
You must log in or register to reply here.
Top Bottom