Custom initrun.sh? Firmware tools not working

rchase

n3wb
Apr 18, 2018
Grand Rapids, MI
I want to customize the firmware to add '/bin/busybox telnetd' to initrun.sh in order to enable telnet on reboot

I followed the instructions here:
Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

However, after I do the 'split' command, all I get is a folder with app.img instead of a directory of files

app.img is read-only, I can see initrun.sh in there but can't modify it

Any ideas?
 
I want to customize the firmware to add '/bin/busybox telnetd' to initrun.sh in order to enable telnet on reboot
On a camera, an NVR, what model, and more importantly what firmware version?
app.img is read-only, I can see initrun.sh in there but can't modify it
That sounds like it may be from some R2 firmware.
It's only read-only if you let it be.

For unpacking and repacking Hikvision firmware, check out the really useful tool from @montecrypto here : [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
 
I was able to edit the files inside app.img by opening on Linux with unsquashfs, now I am trying to figure out how to squash it again back to an img file and then run the tool to repack it
 
Ok I think I figured it out

Here are all the steps for the next person who might want to modify this Momentum cam firmware

1. Download [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware onto your Linux PC
2. Download the current firmware file
3. ./hipack -t r0 -x digicap.dav -o newfw
- digicap.dav is the current firmware
- newfw is the directory where it will be extracted to
4. cd newfw
5. unsquashfs app.img
6. cd squashfs-root
7. <make whatever changes you want>
8. cd ..
9. mksquashfs squashfs-root/ app2.img -noappend -always-use-fragments
10. rm -rf app.img
- (delete old firmware)
11. rm -rf squashfs-root
- (delete extracted files, not needed now)
12. mv app2.img app.img
13. ./hipack -t r0 -p newfw -o digicap-new.dav

Now use digicap-new.dav to upgrade

Haven't actually tested it yet so I will post a follow up after
 
@alastairstevenson do you know how the checksum is calculated? In the firmware download response it includes a checksum that looks like this

6e702d6b27b61d3d1af9f5daf974e7197d88054ceb927a98c033616f7a09a309

when I do an md5sum it looks like this:

02aa9617949ee6d8fc0a00e9a7b941ef

So I know it's not md5
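One way to narrow down which algorithm produced that value, added here as an example rather than anything from the thread: a 64-hex-character digest is 256 bits, the size of SHA-256 (and also of SHA3-256 and BLAKE2s), while MD5 gives 32 hex characters. The script hashes the firmware bytes with every candidate whose digest length matches and reports the one that agrees; the firmware bytes below are a constructed stand-in, and if nothing matches, the value may be computed over only part of the file or be keyed, which this check cannot reveal.

```python
import hashlib

# Constructed stand-in for the downloaded firmware; real use reads digicap.dav / ezviz.dav.
SAMPLE_FIRMWARE = b"constructed firmware blob, not a real camera image\n" * 64

# hashlib names to try; each is matched to the response value by hex-digest length first.
CANDIDATES = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "sha3_256", "sha3_512", "blake2s", "blake2b")

def candidates_by_length(expected_hex: str) -> list:
    """Algorithms whose hex digest is as long as the value in the update response."""
    want = len(expected_hex.strip())
    return [n for n in CANDIDATES if hashlib.new(n).digest_size * 2 == want]

def identify(data: bytes, expected_hex: str):
    """Name of the algorithm whose digest of `data` equals expected_hex, or None."""
    want = expected_hex.strip().lower()
    if not want or any(c not in "0123456789abcdef" for c in want):
        return None
    for name in candidates_by_length(want):
        if hashlib.new(name, data).hexdigest() == want:
            return name
    return None

def identify_file(path: str, expected_hex: str, chunk: int = 1 << 20):
    """Same check streamed from disk, so a multi-megabyte .dav is not read at once."""
    want = expected_hex.strip().lower()
    for name in candidates_by_length(want):
        h = hashlib.new(name)
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        if h.hexdigest() == want:
            return name
    return None

if __name__ == "__main__":
    for alg in ("md5", "sha256"):
        digest = hashlib.new(alg, SAMPLE_FIRMWARE).hexdigest()
        print(alg, len(digest), "hex chars ->", identify(SAMPLE_FIRMWARE, digest))
```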
 
Not sure, Momentum is either its own brand using Hikvision-built cameras or it's a shell brand for Hikvision

I couldn't get it to take the firmware. I set up a DNS server and HTTPS server, then changed /etc/resolv.conf to my DNS server, so when it automatically checked for new firmware it asked my HTTPS server for it, but the SSL verification failed

Even if I TFTP the firmware to the device, there is no command that I have found which would allow me to manually trigger an upgrade

Is there a secret upgrade command baked into davinci or something that I could use?
 
Fascinating!
I took a look at the firmware that you linked to.
It looks like a hybrid of a trimmed-down Hikvision R2 series camera firmware with a bunch of cloud-linked stuff from Ozvision.
The firmware appears to lack Hikvision's pointless obfuscation by encryption approach, and the usual anti-tamper facilities. Though I didn't look very far.

A Google search shows that Ozvision is a fairly new US IoT startup with labs in Israel.
Curious what the tie-up with Hikvision is. They clearly have access to source code and a lot of Hikvision IP.
Their blurb also mentions partnering with Dahua.

Is there a secret upgrade command baked into davinci or something that I could use?
If the bootloader is from Hikvision, then it may well have an 'update' or 'upgrade' command.
But take care if experimenting - there may well also be more serious update-type commands that also erase flash partitions.
 
yeah I was reading about Ozvision too, it's kind of funny:

Check this out:

- Camera is made by "Momentum"
- Momentum has no employees on LinkedIn, and I wasn't able to identify anyone on the internet associated with them
- Momentum has a parent company called Apollo Tech USA, also a non-existent company online
- Camera identifies itself in multiple places as being Hikvision with some kind of mangled Hikvision/Ozvision firmware
- The app frontends say "powered by pepper" which leads to this small VC backed IoT dev company: http://pepper.me
- Backend cloud storage and control powered by Ozvision OZVISION | Cloud Based Video Platform


It doesn't have update or upgrade commands, the only way I have found to upgrade it is to put the firmware on the SD card, then reboot and press CTRL U to get to HKVS# menu, then update from there.

Would like to be able to upgrade without console connection but seems to be a dead end. Was fun hacking around tho

I noticed its bootloader is U-boot though, so now I am looking into that.

My idea is this - save a shell file like "runatstart.sh" in a dir that doesn't get overwritten each boot time like /devinfo (device info dir)

set U-boot to run this bash file after it finishes booting?
 
It doesn't have update or upgrade commands, the only way I have found to upgrade it is to put the firmware on the SD card, then reboot and press CTRL U to get to HKVS# menu, then update from there.
Yes, that's the bootloader.
I noticed its bootloader is U-boot though, so now I am looking into that.
Usually well customised if from Hikvision.
My idea is this - save a shell file like "runatstart.sh" in a dir that doesn't get overwritten each boot time like /devinfo (device info dir)
Most run-time files such as the root file system and the app files will have been copied to a ramfs at bootup, so they are not so much over-written as re-created.
To make permanent changes, you need to modify the flash-stored archives that hold the origin of these files.
 
These threads make this forum much more interesting to visit, I don't have the time to play much around but I love this experimenting! Thank you both! :)
 
For sure I find it very interesting too

hey @alastairstevenson do you know much about "davinci"? It seems to be the brain-program of the entire camera.

davinci is what is listening on all 3 of the open ports - 80, 8080, and 554

I didn't find much info about it, this might be related:
TI's DM8168 DaVinci™ digital media processor enables Hikvision to quickly develop a new generation of enhanced DVR products

I wish I could see the code to learn how it works, but it is compiled. I am going to try binwalking it, never done binary analysis before but I am curious what I can learn
 
do you know much about "davinci"? It seems to be the brain-program of the entire camera.
Yes, davinci is the primary application in the camera.
I am going to try binwalking it, never done binary analysis before but I am curious what I can learn
Realistically, that will do nothing useful. Binwalk is good for figuring out archives and file systems - not for executables.
Davinci is an ARM executable, an ELF program.
Not to pour cold water on your obvious enthusiasm, but to make sense of what it does you'd need a disassembler and a considerable amount of time and patience.
In this instance, the davinci program is about a fifth of its more usual size.
Even so - consider this scale:
It's 2.3MB
Assuming it's been compiled in 32-bit mode as opposed to 16-bit 'thumb' mode, and that around 50% of the bytes are code.
And that there is maybe a 4:1 relationship between a line of the original C source code and the assembled code (I'm guessing a bit here - it will vary a lot with the type of code).
That means there may be about 70 or 80 thousand lines of original source code to delve into.
Quite a thought!
 
hey @alastairstevenson so I found 2 ways to upgrade the firmware --

1. Put "ezviz.dav" on an SD card, it will try to upgrade from this file on reboot
2. Change resolv.conf to point to my DNS server, then I set up a fake webserver and served the firmware to it while pretending to be "firmwareservice.momenutm-cam.com" lol. It checks for a firmware update once every 10 minutes automatically


so I modified app.img with my new initrun.sh, however it fails when upgrading. I was able to unbrick it luckily by restoring the original firmware via method #1

Here is the error it hits

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.22.1 (2017-08-04 12:25:23 CST)
ifconfig: SIOCGIFFLAGS: No such device
mount: mounting /dev/mtdblock5 on /mnt failed: Invalid argument
APP partition is broken!
cp: can't stat '/mnt/initrun.sh': No such file or directory
No initrun.sh on flash!
umount: can't umount /mnt: Invalid argument
Not find initrun.sh!


"APP partition is broken"

I am thinking there is a checksum somewhere in app.img, or the two files it has with it also which are uImage and dav_header

Any ideas?
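As an added diagnostic, not something from the thread: the "Invalid argument" on mounting /dev/mtdblock5 is what the kernel's squashfs code returns when it rejects the image's superblock (wrong magic, unsupported compressor, unexpected version), and mksquashfs defaults (gzip, 128K blocks) need not match what the vendor image used. This script decodes the squashfs 4.x superblock of the original and the repacked app.img and lists the fields that differ; the images it builds are constructed 96-byte headers with no file data. If the two superblocks turn out compatible, the checksum theory about dav_header is the next thing to look at.

```python
import struct

SQUASHFS_MAGIC = 0x73717368          # the bytes "hsqs" read as a little-endian u32
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
_SB = struct.Struct("<5I6HQQ")       # first 48 bytes of the v4 superblock
SB_SIZE = 96                         # full superblock; the rest holds table offsets

def parse_superblock(img: bytes) -> dict:
    """Decode the fields the kernel checks before agreeing to mount the image."""
    if len(img) < SB_SIZE:
        raise ValueError("shorter than a squashfs superblock")
    (magic, inodes, _mtime, block_size, _frags, comp, block_log,
     flags, _ids, vmaj, vmin, _root, bytes_used) = _SB.unpack_from(img, 0)
    return {"magic": magic, "inodes": inodes, "block_size": block_size,
            "block_log": block_log, "flags": flags, "version": (vmaj, vmin),
            "compressor": COMPRESSORS.get(comp, f"unknown({comp})"),
            "bytes_used": bytes_used, "image_len": len(img)}

def sanity_problems(sb: dict) -> list:
    """Conditions under which squashfs_fill_super() fails the mount with EINVAL."""
    out = []
    if sb["magic"] != SQUASHFS_MAGIC:
        out.append(f"bad magic {sb['magic']:#x}: byte-swapped or not squashfs at all")
    if sb["version"] != (4, 0):
        out.append(f"version {sb['version']} is not the 4.0 the kernel expects")
    if sb["compressor"].startswith("unknown"):
        out.append(f"{sb['compressor']} compressor is not one the kernel knows")
    if sb["block_size"] != 1 << sb["block_log"]:
        out.append(f"block_size {sb['block_size']} != 1 << block_log {sb['block_log']}")
    if sb["bytes_used"] > sb["image_len"]:
        out.append(f"bytes_used {sb['bytes_used']} > image length {sb['image_len']}: truncated")
    return out

def compare_images(original: bytes, repacked: bytes) -> list:
    """Superblock fields that differ between the vendor app.img and the mksquashfs output.
    A known compressor id can still be absent from the camera kernel's config, so any
    difference here is worth matching with mksquashfs -comp / -b before blaming a checksum."""
    a, b = parse_superblock(original), parse_superblock(repacked)
    return [f"{k}: original={a[k]} repacked={b[k]}"
            for k in ("compressor", "block_size", "version", "flags") if a[k] != b[k]]

def constructed_image(comp_id: int, block_log: int = 17, bytes_used: int = SB_SIZE) -> bytes:
    """Constructed header-only image for the demo; real images carry tables and data after it."""
    head = _SB.pack(SQUASHFS_MAGIC, 3, 0, 1 << block_log, 0,
                    comp_id, block_log, 0x00C0, 1, 4, 0, 0, bytes_used)
    return head + bytes(SB_SIZE - len(head))

if __name__ == "__main__":
    vendor, mine = constructed_image(4), constructed_image(1)   # xz vs gzip default
    print("original:", parse_superblock(vendor)["compressor"], sanity_problems(parse_superblock(vendor)))
    print("repacked:", parse_superblock(mine)["compressor"], sanity_problems(parse_superblock(mine)))
    print("differences:", compare_images(vendor, mine))
```

Run it as `parse_superblock(open("app.img", "rb").read())` against the original and the repacked file to get the real comparison.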
 
the fact that it boots into Linux but isn't able to copy settings out is weird tho, if it was a problem with the .dav file or even app.img then it shouldn't boot at all right?
 