Custom initrun.sh? Firmware tools not working

[rchase]

This is the command inside of initrun.sh that causes the error:

mount -t squashfs /dev/mtdblock5 /dav

 

[rchase]

The problem is the checksum of app.img:

Requesting system reboot


System startup


U-Boot 2010.06-19073 (Jun 15 2017 - 14:11:13)

DRAM: 64 MiB
Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x18
Block:64KB Chip:16MB Name:"MX25L128XX"
SPI Nor total size: 16MB
MMC:
EMMC/MMC/SD controller initialization.
MMC/SD Card:
MID: 0x3
Read Block: 512 Bytes
Write Block: 512 Bytes
Chip Size: 7580M Bytes (High Capacity)
Name: "SL08G"
Chip Type: SD
Version: 2.0
Speed: 50000000Hz
Bus Width: 4bit
Boot Addr: 0 Bytes
In: serial
Out: serial
Err: serial
device name mmc!
Interface: MMC
Device 0: Vendor: Man 035344 Snr 8564417a Rev: 8.0 Prod: SL08G
Type: Removable Hard Disk
Capacity: 7580.0 MB = 7.4 GB (15523840 x 512)
Partition 1: Filesystem: FAT32 "NO NAME "
reading ezviz.dav
Find 1 packet
file_pos is 0x81000098
app.img checksum is fail
checksum is 682704412, but file original checksum is 681896039
update file startOffset = 152
update file len = 5300224
update_single_file fail
Net: No ethernet found.
(Re)start USB...
USB: scanning bus for devices... 1 USB Device(s) found
scanning usb for ethernet devices... 0 Ethernet Device(s) found
Hit Ctrl+u to stop autoboot: 0
load kernel to 0x80007fc0 ...
check backup upgrade flag
Done!
## Booting kernel from Legacy Image at 80007fc0 ...
Image Name: Linux-3.4.35
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2445872 Bytes = 2.3 MiB
Load Address: 80008000
Entry Point: 80008000
XIP Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.22.1 (2017-08-04 12:25:23 CST)
ifconfig: SIOCGIFFLAGS: No such device
mount: mounting /dev/mtdblock5 on /mnt failed: Invalid argument
APP partition is broken!
cp: can't stat '/mnt/initrun.sh': No such file or directory
No initrun.sh on flash!
umount: can't umount /mnt: Invalid argument
Not find initrun.sh!
/ #​

 

[alastairstevenson]

This is the command inside of initrun.sh that causes the error:

mount -t squashfs /dev/mtdblock5 /dav

This does suggest that your app.img is somehow invalid.

however it fails when upgrading.

Do you mean that the camera fails after the upgrade?
Or did the upgrade process fail? Did you watch on the serial console?

 

[rchase]

yeah watching serial. I think its just the checksum of app.img. Do you know where to change that?

 

[rchase]

I used rampageX/firmware-mod-kit

by the way.. and it warned me that checksums would not be good:

Remaining free bytes in firmware image: 2451376
Processing 1 header(s) from /root/Desktop/firmware-mod-kit-master/fmk/new-firmware.bin...
Processing header at offset 5300376...sorry, this file type is not supported.
checksum update(s) failed!
CRC update failed.

Firmware header not supported; firmware checksums may be incorrect.
New firmware image has been saved to: /root/Desktop/firmware-mod-kit-master/fmk/new-firmware.bin​

 

[rchase]

GOT IT WORKING

Here are instructions to get ROOT telnet connection to a Momentum cam (Home - Security Cameras for your Smartphone)

1. Download Hikvision packer/unpacker (to Linux PC):

[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8 build 170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw
4. cd newfw
5. unsquahsfs app.img
6. cd squashfs-root
7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)
8. cd ..
9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148
10. rm -rf squashfs-root
11. ./hikpack -t r0 -p ezviz.dav -o newfw
12. Copy ezviz.dav to SD card
13. Insert SD card to camera
14. Reboot camera
15. Log in to telnet with root/EHLGVG

*NOTE: This works because the current version of the firmware checks for the existence of 'ezviz.dav' when booting up. Also, the root password is hard-coded to all devices.

Thanks @alastairstevenson for all of your help and also thanks to oscardagrach at Exploitee.rs IRC channel who reverse engineered how to pack app.img back together in the way the camera wanted it

 

[alastairstevenson]

Thanks @alastairstevenson for all of your help

In truth I didn't actually do anything but watch the energetic way you just went at it - and from a zero base too.
Well done!

 

[rosenere]

GOT IT WORKING

Here are instructions to get ROOT telnet connection to a Momentum cam (Home - Security Cameras for your Smartphone)

1. Download Hikvision packer/unpacker (to Linux PC):

[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

2. Download original firmware:

https://prod-peq-a-firmware-uploads.s3.amazonaws.com/firmware/Hikvision/MOCAM-720-01/V5.1.8 build 170829/digicap.dav?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI3CJ5PEMTCV2KBOA/20180422/us-east-1/s3/aws4_request&X-Amz-Date=20180422T154301Z&X-Amz-Expires=604799&X-Amz-SignedHeaders=host&X-Amz-Signature=830a05ea9c676973fb282c53f70c6442eed9ba8894afbf0902652fd475ca0252

3. ./hikpack -t r0 -x digicap.dav -o newfw
4. cd newfw
5. unsquahsfs app.img
6. cd squashfs-root
7. nano initrun.sh and add '/bin/busybox telnetd &' to the end to enable telnet (or make any changes you want)
8. cd ..
9. mksquashfs squashfs-root/ app.img -comp xz -b 256K -noappend -force-uid 4145 -force-gid 4148
10. rm -rf squashfs-root
11. ./hikpack -t r0 -p ezviz.dav -o newfw
12. Copy ezviz.dav to SD card
13. Insert SD card to camera
14. Reboot camera
15. Log in to telnet with root/EHLGVG

*NOTE: This works because the current version of the firmware checks for the existence of 'ezviz.dav' when booting up. Also, the root password is hard-coded to all devices.

Thanks @alastairstevenson for all of your help and also thanks to oscardagrach at Exploitee.rs IRC channel who reverse engineered how to pack app.img back together in the way the camera wanted it

help, I can't unquashfs cramfs.img
Can't find a SQUASHFS superblock on cramfs.img

 

[alastairstevenson]

That's because CRAMFS is a 'compressed ROM file system' and not SQUASHFS file system - two different types of file system.
You need to mount it as CRAMFS.

 

[alastairstevenson]

Here is an example of the two different file systems - the cramfs.img is from Hikvision NVR firmware, the files within are encrypted :

alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $ ll
total 23512
drwxr-xr-x 2 alastair alastair     4096 Apr 25 08:59 ./
drwxr-xr-x 4 alastair alastair     4096 Apr 22 21:14 ../
-rw-r--r-- 1 alastair alastair  5300224 Apr 19 19:50 app.img
-rw-r--r-- 1 alastair alastair 16318464 Oct 21  2017 cramfs.img
-rw-r--r-- 1 alastair alastair  2445936 Apr 19 19:50 uImage
alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $ file *
app.img:    Squashfs filesystem, little endian, version 4.0, 5298437 bytes, 63 inodes, blocksize: 262144 bytes, created: Tue Aug 29 11:56:45 2017
cramfs.img: Linux Compressed ROM File System data, little endian size 16318464 version #2 sorted_dirs CRC 0x6aff3f91, edition 0, 3974 blocks, 7 files
uImage:     u-boot legacy uImage, Linux-3.4.35, Linux/ARM, OS Kernel Image (Not compressed), 2445872 bytes, Mon Aug  7 02:31:49 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0xFD561771, Data CRC: 0x7367A54B
alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $ sudo mount -t cramfs cramfs.img ~/tmp
alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $ ll ~/tmp
total 15882
-rw-r--r-- 1 root root 2425872 Jan  1  1970 gui_res.tar.lzma
-rwxr-xr-x 1 root root     616 Jan  1  1970 new_10.bin*
-rwxr-xr-x 1 root root    2968 Jan  1  1970 start.sh*
-rw-r--r-- 1 root root 6867720 Jan  1  1970 sys_app.tar.lzma
-rwxr-xr-x 1 root root 3183432 Jan  1  1970 uImage*
-rw-r--r-- 1 root root 3780896 Jan  1  1970 webs.tar.lzma
alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $ file ~/tmp/*
/home/alastair/tmp/gui_res.tar.lzma: data
/home/alastair/tmp/new_10.bin:       data
/home/alastair/tmp/start.sh:         data
/home/alastair/tmp/sys_app.tar.lzma: data
/home/alastair/tmp/uImage:           u-boot legacy uImage, Linux-3.4.35_hi3535, Linux/ARM, OS Kernel Image (Not compressed), 3183368 bytes, Thu Aug 17 08:00:50 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x3C770749, Data CRC: 0x77286D97
/home/alastair/tmp/webs.tar.lzma:    data
alastair@PC-I5 ~/cctv/CameraFirmware/Ozvision/contents $

 

[rosenere]

root@kali:~/Downloads/hikpack_2.5/new# sudo mount -t cramfs cramfs.img ~/tmp
mount: /root/tmp: unknown filesystem type 'cramfs'.

help

 

[alastairstevenson]

Google will tell you that you probably don't have the CRAMFS tools installed. And it will tell you how to get them.

 

[shinonasada]

Help. I can't extract the tar.lzma file

shinon@ubuntu:~/Desktop$ tar --lzma -xvpf logo.tar.lzma
xz: (stdin): File format not recognized
tar: Child returned status 1
tar: Error is not recoverable: exiting now

 

[alastairstevenson]

Help. I can't extract the tar.lzma file

Depending on where it came from, first you have to decrypt it. You can do this using montecrypto hikpack tool.
Snippet from a sample start.sh

echo "show logo $(date)"
ded -d /home/hik/logo.tar.lzma /home/app/logo.tar.lzma
/bin/tar xaf /home/app/logo.tar.lzma -C /home/app
rm -rf /home/app/logo.tar.lzma
/home/app/showlogo

 

[shinonasada]

thanks.How to copy modified file start.sh to the directory ~/tmp

 

[alastairstevenson]

Sorry - I don't understand the question.

 

[shinonasada]

how to copy the Start.sh modify file to the Tmp folder?

shinon@root:~/Downloads/hikpack_2.5/new# sudo mount -t cramfs cramfs.img ~/tmp

 

[alastairstevenson]

how to copy the Start.sh modify file to the Tmp folder?

You can't do that as cramfs is a read-only file system - you cannot change any files inside the mount point.
You will need to copy the files out to a new folder, make any changes you need, and then create a new cramfs.img using 'mkfs.cramfs'

 

[shinonasada]

shinon@ubuntu:~/Desktop/hikpack_2.5$ mkfs.cramfs -v ne cramfs.img
  WebComponents.exe
  gui_res.tar.lzma
  new_10.bin
  player.zip
  start.sh
  sys_app.tar.lzma
  uImage
  webs.tar.lzma
Directory data: 280 bytes
 -0.95% (-19472 bytes)    WebComponents.exe
  0.37% (+5520 bytes)    gui_res.tar.lzma
-54.84% (-408 bytes)    new_10.bin
  0.24% (+1224 bytes)    player.zip
 -7.66% (-316 bytes)    start.sh
  0.37% (+23296 bytes)    sys_app.tar.lzma
  0.23% (+6548 bytes)    uImage
  0.37% (+3828 bytes)    webs.tar.lzma
Everything: 13976 kilobytes
Super block: 76 bytes
CRC: ae93de32
mkfs.cramfs: warning: gids truncated to 8 bits.  (This may be a security concern.)
shinon@ubuntu:~/Desktop/hikpack_2.5$ file *
cramfs.img:  Linux Compressed ROM File System data, little endian size 14311424 version #2 sorted_dirs CRC 0xae93de32, edition 0, 3493 blocks, 9 files
digicap.dav: DOS executable (COM)
hikpack:     ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
ne:          directory
new:         directory
webs1:       directory
shinon@ubuntu:~/Desktop/hikpack_2.5$ ./hikpack -t r0 -p digicap.dav -o new
*** WARNING *** HKWS header is missing firmware flags
File: cramfs.img, CRC OK
Magic   : 484b5753
hdr_crc : 00001c18 (OK)
lang_id : 00000001
Date    : -00001
version : ffffffff
frm_flg :

help upgrade firmware error

 

[alastairstevenson]

help upgrade firmware error

The files in the cramfs.img, and the use of cramfs, suggest you are working with firmware from an NVR.
But the 'pack' operation "./hikpack -t r0 -p digicap.dav -o new" being used is for an R0 camera, not for an NVR.

*edit* Also - it looks like there is some confusion about the location of cramfs.img and the folders ne and new. Unless there are file operations in between the lines in the transcript.