Custom initrun.sh? Firmware tools not working

rchase

n3wb
Joined
Apr 18, 2018
Messages
19
Reaction score
0
Location
Grand Rapids, MI
I want to customize the firmware to add '/bin/busybox telnetd' to initrun.sh in order to enable telnet on reboot

I followed the instructions here:
Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

However, after I do the 'split' command, all I get is a folder with app.img instead of a directory of files

app.img is read-only, I can see initrun.sh in there but can't modify it

Any ideas?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
> I want to customize the firmware to add '/bin/busybox telnetd' to initrun.sh in order to enable telnet on reboot
On a camera, an NVR, what model, and more importantly what firmware version?
> app.img is read-only, I can see initrun.sh in there but can't modify it
That sounds like it may be from some R2 firmware.
It's only read-only if you let it be.

For unpacking and repacking Hikvision firmware, check out the really useful tool from @montecrypto here : [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
 

rchase
I was able to edit the files inside app.img by opening it on Linux with unsquashfs; now I am trying to figure out how to squash it again into an img file and then run the tool to repack it
 

rchase
OK, I think I figured it out

Here are all the steps for the next person who might want to modify this Momentum cam firmware

1. Download [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware onto your Linux PC
2. Download the current firmware file
3. ./hipack -t r0 -x digicap.dav -o newfw
- digicap.dav is the current firmware
- newfw is the directory where it will be extracted to
4. cd newfw
5. unsquashfs app.img
6. cd squashfs-root
7. <make whatever changes you want>
8. cd ..
9. mksquashfs squashfs-root/ app2.img -noappend -always-use-fragments
10. rm -rf app.img
- (delete old firmware)
11. rm -rf squashfs-root
- (delete extracted files, not needed now)
12. mv app2.img app.img
13. ./hipack -t r0 -p newfw -o digicap-new.dav

Now use digicap-new.dav to upgrade

Haven't actually tested it yet, so I will post a follow-up afterwards
 

rchase
@alastairstevenson, do you know how the checksum is calculated? The firmware download response includes a checksum that looks like this:

6e702d6b27b61d3d1af9f5daf974e7197d88054ceb927a98c033616f7a09a309

when I do an md5sum it looks like this:

02aa9617949ee6d8fc0a00e9a7b941ef

So I know it's not md5
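An added illustration, not part of the original post: a 64-character hex checksum is 256 bits long, which is consistent with SHA-256 (MD5 is 128 bits, 32 hex characters), though the thread never confirms which algorithm the server uses. The helper below, written for this thread rather than taken from any tool mentioned in it, infers candidate algorithms from the digest length and hashes the firmware bytes with each one; the firmware bytes in the demo are a constructed sample.

```python
import hashlib

# Digest length in hex characters -> hashlib algorithms that produce it.
# 32 hex = 128 bits (MD5), 40 = 160 bits (SHA-1), 64 = 256 bits, 128 = 512 bits.
CANDIDATES = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256", "sha3_256", "blake2s"],
    128: ["sha512", "sha3_512", "blake2b"],
}


def candidate_algorithms(checksum_hex: str) -> list:
    """Return the hashlib algorithm names whose digest length matches the checksum."""
    checksum_hex = checksum_hex.strip().lower()
    if not checksum_hex or any(c not in "0123456789abcdef" for c in checksum_hex):
        raise ValueError("checksum is not a hex string")
    return CANDIDATES.get(len(checksum_hex), [])


def identify_checksum(data: bytes, checksum_hex: str):
    """Hash the firmware bytes with every candidate algorithm and return the
    name of the one whose hex digest equals the published checksum, or None."""
    target = checksum_hex.strip().lower()
    for name in candidate_algorithms(target):
        if hashlib.new(name, data).hexdigest() == target:
            return name
    return None


def verify_firmware_file(path: str, checksum_hex: str):
    """Same check for an on-disk firmware file such as digicap.dav."""
    with open(path, "rb") as f:
        return identify_checksum(f.read(), checksum_hex)


if __name__ == "__main__":
    # Constructed sample bytes standing in for the firmware; not real digicap.dav data.
    sample_fw = b"constructed firmware sample, not a real digicap.dav\n"
    published = hashlib.sha256(sample_fw).hexdigest()  # stand-in for the server's value
    print("published checksum :", published)
    print("md5 of same bytes  :", hashlib.md5(sample_fw).hexdigest())
    print("matching algorithm :", identify_checksum(sample_fw, published))
```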
 

alastairstevenson
It sounds like you've got it all figured out.
Let's see if the result is accepted by the camera.

Is this a Hikvision OEM model?
 

rchase
Not sure; Momentum is either its own brand using Hikvision-built cameras or it's a shell brand for Hikvision

I couldn't get it to take the firmware. I set up a DNS server and an HTTPS server, then changed /etc/resolv.conf to my DNS server, so when it automatically checked for new firmware it asked my HTTPS server for it, but the SSL verification failed

Even if I TFTP the firmware to the device, there is no command that I have found which would allow me to manually trigger an upgrade

Is there a secret upgrade command baked into davinci or something that I could use?
 

alastairstevenson
Fascinating!
I took a look at the firmware that you linked to.
It looks like a hybrid of a trimmed-down Hikvision R2 series camera firmware with a bunch of cloud-linked stuff from Ozvision.
The firmware appears to lack Hikvision's pointless obfuscation by encryption approach, and the usual anti-tamper facilities. Though I didn't look very far.

A Google search shows that Ozvision is a fairly new US IoT startup with labs in Israel.
Curious what the tie-up with Hikvision is. They clearly have access to source code and a lot of Hikvision IP.
Their blurb also mentions partnering with Dahua.

> Is there a secret upgrade command baked into davinci or something that I could use?
If the bootloader is from Hikvision, then it may well have an 'update' or 'upgrade' command.
But take care if experimenting - there may well also be more serious update-type commands that also erase flash partitions.
 

rchase
Yeah, I was reading about Ozvision too, it's kind of funny:

Check this out:

- Camera is made by "Momentum"
- Momentum has no employees on LinkedIn, and I wasn't able to identify anyone on the internet associated with them
- Momentum has a parent company called Apollo Tech USA, also a non-existent company online
- Camera identifies itself in multiple places as being Hikvision with some kind of mangled Hikvision/Ozvision firmware
- The app frontends say "powered by pepper" which leads to this small VC backed IoT dev company: http://pepper.me
- Backend cloud storage and control powered by Ozvision OZVISION | Cloud Based Video Platform


It doesn't have update or upgrade commands, the only way I have found to upgrade it is to put the firmware on the SD card, then reboot and press CTRL U to get to HKVS# menu, then update from there.

Would like to be able to upgrade without console connection but seems to be a dead end. Was fun hacking around tho

I noticed its bootloader is U-boot though, so now I am looking into that.

My idea is this - save a shell file like "runatstart.sh" in a dir that doesn't get overwritten each boot time like /devinfo (device info dir)

Set U-Boot to run this bash file after it finishes booting?
 

alastairstevenson
> It doesn't have update or upgrade commands, the only way I have found to upgrade it is to put the firmware on the SD card, then reboot and press CTRL U to get to HKVS# menu, then update from there.
Yes, that's the bootloader.
> I noticed its bootloader is U-boot though, so now I am looking into that.
Usually well customised if from Hikvision.
> My idea is this - save a shell file like "runatstart.sh" in a dir that doesn't get overwritten each boot time like /devinfo (device info dir)
Most run-time files such as the root file system and the app files will have been copied to a ramfs at bootup, so they are not so much over-written as re-created.
To make permanent changes, you need to modify the flash-stored archives that hold the origin of these files.
 

Securame

Pulling my weight
Joined
Mar 25, 2014
Messages
664
Reaction score
214
Location
Barcelona, Spain
These threads make this forum much more interesting to visit, I don't have the time to play much around but I love this experimenting! Thank you both! :)
 

rchase
For sure, I find it very interesting too

Hey @alastairstevenson, do you know much about "davinci"? It seems to be the brain-program of the entire camera.

davinci is what is listening on all 3 of the open ports - 80, 8080, and 554

I didn't find much info about it, this might be related:
TI's DM8168 DaVinci™ digital media processor enables Hikvision to quickly develop a new generation of enhanced DVR products

I wish I could see the code to learn how it works, but it is compiled. I am going to try binwalking it, never done binary analysis before but I am curious what I can learn
 

rchase
I want to know what commands it takes for example from the "cloud server", however I have not been able to decrypt the traffic because it is all SSL.
 

alastairstevenson
> do you know much about "davinci"? It seems to be the brain-program of the entire camera.
Yes, davinci is the primary application in the camera.
> I am going to try binwalking it, never done binary analysis before but I am curious what I can learn
Realistically, that will do nothing useful. Binwalk is good for figuring out archives and file systems - not for executables.
Davinci is an ARM executable, an ELF program.
Not to pour cold water on your obvious enthusiasm, but to make sense of what it does you'd need a disassembler and a considerable amount of time and patience.
In this instance, the davinci program is about a fifth of its more usual size.
Even though - consider this scale:
It's 2.3MB
Assuming it's been compiled in 32-bit mode as opposed to 16-bit 'thumb' mode, and that around 50% of the bytes are code.
And that there is maybe a 4:1 relationship between a line of the original C source code and the assembled code (I'm guessing a bit here - it will vary a lot with the type of code).
That means there may be about 70 or 80 thousand lines of original source code to delve into.
Quite a thought!
 

rchase
Hey @alastairstevenson, so I found 2 ways to upgrade the firmware:

1. Put "ezviz.dav" on an SD card, it will try to upgrade from this file on reboot
2. Change resolv.conf to point to my DNS server, then I set up a fake webserver and served the firmware to it while pretending to be "firmwareservice.momenutm-cam.com" lol. It checks for a firmware update once every 10 minutes automatically


So I modified app.img with my new initrun.sh; however, it fails when upgrading. I was able to unbrick it luckily by restoring the original firmware via method #1

Here is the error it hits

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.22.1 (2017-08-04 12:25:23 CST)
ifconfig: SIOCGIFFLAGS: No such device
mount: mounting /dev/mtdblock5 on /mnt failed: Invalid argument
APP partition is broken!
cp: can't stat '/mnt/initrun.sh': No such file or directory
No initrun.sh on flash!
umount: can't umount /mnt: Invalid argument
Not find initrun.sh!


"APP partition is broken"

I am thinking there is a checksum somewhere in app.img, or in the two files alongside it, uImage and dav_header

Any ideas?
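An added example, not from the thread or from the packer tool: before hunting for a checksum, it is worth checking that the repacked app.img still has the same squashfs superblock as the original (compressor, block size, format version, flags), since the kernel refuses to mount an image whose compressor it was not built with, and mksquashfs defaults can differ from what the camera shipped. This assumes app.img is a plain little-endian squashfs v4 image starting at offset 0, as unsquashfs working on it directly suggests; the two images in the demo are constructed 32-byte headers, not real firmware.

```python
import struct

SQUASHFS_MAGIC = 0x73717368  # stored little-endian, so it reads as b"hsqs" on disk
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# First 32 bytes of the v4 superblock: magic, inodes, mkfs_time, block_size, fragments
# (u32 each), then compression, block_log, flags, no_ids, s_major, s_minor (u16 each).
SB_FMT = "<5I6H"
SB_LEN = struct.calcsize(SB_FMT)  # 32


def parse_superblock(image: bytes) -> dict:
    """Decode the superblock fields the kernel validates before mounting."""
    if len(image) < SB_LEN:
        raise ValueError("image too short for a squashfs superblock")
    (magic, inodes, mkfs_time, block_size, fragments,
     comp, block_log, flags, no_ids, major, minor) = struct.unpack_from(SB_FMT, image, 0)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("not a little-endian squashfs image (magic 0x%08x)" % magic)
    if block_size != 1 << block_log:
        raise ValueError("block_size %d disagrees with block_log %d" % (block_size, block_log))
    return {
        "version": "%d.%d" % (major, minor),
        "compression": COMPRESSORS.get(comp, "unknown(%d)" % comp),
        "block_size": block_size,
        "flags": flags,
        "inodes": inodes,
        "fragments": fragments,
        "no_ids": no_ids,
        "mkfs_time": mkfs_time,
    }


def superblock_differences(original: bytes, repacked: bytes) -> dict:
    """Return {field: (original, repacked)} for the fields that change how the
    kernel mounts the image: format version, compressor, block size, flags."""
    a, b = parse_superblock(original), parse_superblock(repacked)
    return {k: (a[k], b[k]) for k in ("version", "compression", "block_size", "flags")
            if a[k] != b[k]}


def make_superblock(comp: int, block_log: int, flags: int = 0, inodes: int = 1) -> bytes:
    """Constructed 32-byte superblock header for demonstration; not real firmware."""
    return struct.pack(SB_FMT, SQUASHFS_MAGIC, inodes, 0, 1 << block_log, 0,
                       comp, block_log, flags, 1, 4, 0)


if __name__ == "__main__":
    original = make_superblock(comp=1, block_log=17)  # constructed: gzip, 128 KiB blocks
    repacked = make_superblock(comp=4, block_log=17)  # constructed: xz, 128 KiB blocks
    print(parse_superblock(original))
    print("differences:", superblock_differences(original, repacked))
```

On real files, pass `open("app.img", "rb").read()` for the original and the repacked image; an empty result means the superblock-level settings match and the problem lies elsewhere.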
 

rchase
The fact that it boots into Linux but isn't able to copy settings out is weird tho; if it was a problem with the .dav file or even app.img then it shouldn't boot at all, right?
 