Dahua config backup encrypted?

@Speed666 From you knowledge, do you think there is a chance to crack dahua's firmware signing mechanism?
All VDP user would love to modify prompts in actual firmwares like we did with the good old Dahua-Firmware-Mod-Kit
 
Hi all,
My need is different but somehow related.
I need to make a script to automatically upload a set of .backup configuration files to several cameras. I did it for other brandsof cameras by busing API. However it seems that Dahua ipcam does not have such api.
There is the following one
http://<ip>/cgi-bin/configManager.cgi?action=setConfig&<paramName>=<paramValue>[&<paramName>=<paramValue>...]
but its use is only for updating chosen parameters and not uploading a config file.
Moreover VDP tool allows to do parallel firmware upgrades but not .backup config file upload.
Any ideas?
Thanks
 
Not an expert, but what-if you would translate an existing "getConfig" from 1 cam, and build the cgi scripts around it with SetConfig to distribute it to other cams.
In any way, some things DO need to be changed otherwise (eg IP addresses etc). So I would only export the things you actually would like to replicate further down the line.
Good luck / bonne chance!
CC
 
This is Indeed a clever Idea to use a combination of get config API with set config API and only manage parameters that change from une cam to another.
Thanks for your support.
This would much easier if config file upload API was possible as such but it seems not documented in Dahua APIs, contrarily to the other brands of cameras i worked on before. Thanks anyway!
 
I use Dahua-JSON-Debug-Console-v2 to extract the configuration file
But how to convert to backup import?
 
Backup's created via webif are encrypted. This crypting mechanism is not yet cracked, at least not public (but I know of someone who has the knowledge of doing it...).
Only if you know how this crypting mechanism works, you might be able to create backup's manually that can be restored again.

With @bashis dahau debug console you can display complete config in clear text and set almost every setting manually. This is what I need. If I want to backup/restore full settings I use dahua's official functionality.
 
I am able to do this. Config is firstly gzipped and then crypted using AES. Key is type of camera. IPC for still cams and SD for PTZ. Rest is padded with zeros.
 
Speed666 said:
I am able to do this. Config is firstly gzipped and then crypted using AES. Key is type of camera. IPC for still cams and SD for PTZ. Rest is padded with zeros.
Click to expand...
The config is off an entry NVR, the 4116. Do you know what the key might be or should I just throw a few at it and see if I can get lucky?

I don't have a Linux distro set up... is it possible to use 7zip on Windows?

Cheers, Steve
 
Did anyone do it with this information?
Tried it with the config of my IPC-HDW4631 but get "bad magic number" with openssl.
Code: 
root@HPHOST:/home/rio# openssl enc -d -aes-256-ecb -in DeviceConfig.backup -out unenc_DeviceConfig.backup -pass pass:4950433030303030303030303030303030303030303030303030303030303030
bad magic number
 
Some feedback on this excellent script.



For the IPC, another way to get the HWID is the device type from version page but caveat.
Device Type IPC-HDW5541H-AS-PV

Mine is PAL, so HWID is actually: IPC-HDW5541HP-AS-PV
Tried this for several cams and works but sure it wont be all of them!



It's not working with my NVR, I get an error of: Data must be aligned to block boundary in ECB mode
Noted the file for NVR is 144Kb and IPC it's 140Kb.

Noted my file is 1 bytes too long so tried both subtracting that byte and adding another 15.
But neither seems to work with what I think my HWID is.

Added a file from another NVR, this one is smaller than IPC or first NVR. Same problem.

DHI-NVR5216-8P-I
V4.001.0000000.3, Build Date: 2020-10-22


Also, curious, where did "dh_string" come from ?
 

Attachments

  • Like
Reactions: iTuneDVR
cctv-dave said:
Some feedback on this excellent script.



For the IPC, another way to get the HWID is the device type from version page but caveat.
Device Type IPC-HDW5541H-AS-PV

Mine is PAL, so HWID is actually: IPC-HDW5541HP-AS-PV
Tried this for several cams and works but sure it wont be all of them!



It's not working with my NVR, I get an error of: Data must be aligned to block boundary in ECB mode
Noted the file for NVR is 144Kb and IPC it's 140Kb.

Noted my file is 1 bytes too long so tried both subtracting that byte and adding another 15.
But neither seems to work with what I think my HWID is.

Added a file from another NVR, this one is smaller than IPC or first NVR. Same problem.

DHI-NVR5216-8P-I
V4.001.0000000.3, Build Date: 2020-10-22


Also, curious, where did "dh_string" come from ?
Click to expand...

Thanks, appreciated.

Well, I could not find any logic into the key's either, the only thing I could find so far is the HWID, but then my "SD-xxx" with "SD" key came along and... yeah..
Not working on my NVR either, seems not to share same key generation (but did not spend so much time on that), I see your attachment has base64 encoded backup as well.

"dh_string" comes from Sonia, search for that the first word and you will find two identical strings, and you will end up in one of the keygeneration code.
The first char 'y' int the string was appended to the md5 in all cases what I have seen so far, and since it's a string, I just assuming it may use 0x01 after 'MWPZWJGS' (1 in the NVR base64 encoded) - but it does look the 'y' is fixed for most part where this encryption/decryption are used (not only backup config).
Note: This string do not exist in NVR 'Challenge".

Anyway, credit shall also go to riogrande75, as he made me curious about this. (Thx Rio !)
 
  • Like
  • Haha
Reactions: iTuneDVR, riogrande75, kuzco and 1 other person
hi
I'm new here.
how to use this script with my exported backup config file ?

I have DHI-NVR608-32-4KS2 NVR

when I run the .py script in IDLE I have "invaiid decimal literal" error message on this line 111

<title>Tools/DahuaConfigBackupDecEnc.py at 9a8e7d8a72d3831f552c1b51c9334d94e7785108 · mcw0/Tools · GitHub</title>

please help !

thx
 
Last edited:
You must log in or register to reply here.
Top Bottom