Dahua config backup encrypted?

riogrande75

Pulling my weight
Joined
Oct 19, 2017
Messages
378
Reaction score
131
Location
AUSTRIA
@Speed666 From you knowledge, do you think there is a chance to crack dahua's firmware signing mechanism?
All VDP user would love to modify prompts in actual firmwares like we did with the good old Dahua-Firmware-Mod-Kit
 
Joined
Jan 10, 2021
Messages
2
Reaction score
0
Location
France
Hi all,
My need is different but somehow related.
I need to make a script to automatically upload a set of .backup configuration files to several cameras. I did it for other brandsof cameras by busing API. However it seems that Dahua ipcam does not have such api.
There is the following one
http://<ip>/cgi-bin/configManager.cgi?action=setConfig&<paramName>=<paramValue>[&<paramName>=<paramValue>...]
but its use is only for updating chosen parameters and not uploading a config file.
Moreover VDP tool allows to do parallel firmware upgrades but not .backup config file upload.
Any ideas?
Thanks
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,664
Reaction score
1,189
Not an expert, but what-if you would translate an existing "getConfig" from 1 cam, and build the cgi scripts around it with SetConfig to distribute it to other cams.
In any way, some things DO need to be changed otherwise (eg IP addresses etc). So I would only export the things you actually would like to replicate further down the line.
Good luck / bonne chance!
CC
 
Joined
Jan 10, 2021
Messages
2
Reaction score
0
Location
France
This is Indeed a clever Idea to use a combination of get config API with set config API and only manage parameters that change from une cam to another.
Thanks for your support.
This would much easier if config file upload API was possible as such but it seems not documented in Dahua APIs, contrarily to the other brands of cameras i worked on before. Thanks anyway!
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
117
FYI, EZIP seems not to contain full Dahua set. In fact, after done some quick research, EZIP are actually Huawei and using Huawei LiteOS
 

kobebeef

Pulling my weight
Joined
Mar 13, 2016
Messages
192
Reaction score
195
I use Dahua-JSON-Debug-Console-v2 to extract the configuration file
But how to convert to backup import?
 

riogrande75

Pulling my weight
Joined
Oct 19, 2017
Messages
378
Reaction score
131
Location
AUSTRIA
Backup's created via webif are encrypted. This crypting mechanism is not yet cracked, at least not public (but I know of someone who has the knowledge of doing it...).
Only if you know how this crypting mechanism works, you might be able to create backup's manually that can be restored again.

With @bashis dahau debug console you can display complete config in clear text and set almost every setting manually. This is what I need. If I want to backup/restore full settings I use dahua's official functionality.
 

Speed666

Getting the hang of it
Joined
Sep 19, 2015
Messages
158
Reaction score
82
I am able to do this. Config is firstly gzipped and then crypted using AES. Key is type of camera. IPC for still cams and SD for PTZ. Rest is padded with zeros.
 

Barboots

Pulling my weight
Joined
Mar 15, 2018
Messages
369
Reaction score
205
Location
Perth, Western Australia
I am able to do this. Config is firstly gzipped and then crypted using AES. Key is type of camera. IPC for still cams and SD for PTZ. Rest is padded with zeros.
The config is off an entry NVR, the 4116. Do you know what the key might be or should I just throw a few at it and see if I can get lucky?

I don't have a Linux distro set up... is it possible to use 7zip on Windows?

Cheers, Steve
 

riogrande75

Pulling my weight
Joined
Oct 19, 2017
Messages
378
Reaction score
131
Location
AUSTRIA
Did anyone do it with this information?
Tried it with the config of my IPC-HDW4631 but get "bad magic number" with openssl.
Code:
root@HPHOST:/home/rio# openssl enc -d -aes-256-ecb -in DeviceConfig.backup -out unenc_DeviceConfig.backup -pass pass:4950433030303030303030303030303030303030303030303030303030303030
bad magic number
 

cctv-dave

Getting the hang of it
Joined
Mar 25, 2021
Messages
118
Reaction score
79
Location
yes
Tried and failed here too. Speed666 could you please advise ?
 

cctv-dave

Getting the hang of it
Joined
Mar 25, 2021
Messages
118
Reaction score
79
Location
yes
Some feedback on this excellent script.



For the IPC, another way to get the HWID is the device type from version page but caveat.
Device Type IPC-HDW5541H-AS-PV

Mine is PAL, so HWID is actually: IPC-HDW5541HP-AS-PV
Tried this for several cams and works but sure it wont be all of them!



It's not working with my NVR, I get an error of: Data must be aligned to block boundary in ECB mode
Noted the file for NVR is 144Kb and IPC it's 140Kb.

Noted my file is 1 bytes too long so tried both subtracting that byte and adding another 15.
But neither seems to work with what I think my HWID is.

Added a file from another NVR, this one is smaller than IPC or first NVR. Same problem.

DHI-NVR5216-8P-I
V4.001.0000000.3, Build Date: 2020-10-22


Also, curious, where did "dh_string" come from ?
 

Attachments

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
117
Some feedback on this excellent script.



For the IPC, another way to get the HWID is the device type from version page but caveat.
Device Type IPC-HDW5541H-AS-PV

Mine is PAL, so HWID is actually: IPC-HDW5541HP-AS-PV
Tried this for several cams and works but sure it wont be all of them!



It's not working with my NVR, I get an error of: Data must be aligned to block boundary in ECB mode
Noted the file for NVR is 144Kb and IPC it's 140Kb.

Noted my file is 1 bytes too long so tried both subtracting that byte and adding another 15.
But neither seems to work with what I think my HWID is.

Added a file from another NVR, this one is smaller than IPC or first NVR. Same problem.

DHI-NVR5216-8P-I
V4.001.0000000.3, Build Date: 2020-10-22


Also, curious, where did "dh_string" come from ?
Thanks, appreciated.

Well, I could not find any logic into the key's either, the only thing I could find so far is the HWID, but then my "SD-xxx" with "SD" key came along and... yeah..
Not working on my NVR either, seems not to share same key generation (but did not spend so much time on that), I see your attachment has base64 encoded backup as well.

"dh_string" comes from Sonia, search for that the first word and you will find two identical strings, and you will end up in one of the keygeneration code.
The first char 'y' int the string was appended to the md5 in all cases what I have seen so far, and since it's a string, I just assuming it may use 0x01 after 'MWPZWJGS' (1 in the NVR base64 encoded) - but it does look the 'y' is fixed for most part where this encryption/decryption are used (not only backup config).
Note: This string do not exist in NVR 'Challenge".

Anyway, credit shall also go to riogrande75, as he made me curious about this. (Thx Rio !)
 
Joined
Jan 28, 2022
Messages
4
Reaction score
0
Location
france
hi
I'm new here.
how to use this script with my exported backup config file ?

I have DHI-NVR608-32-4KS2 NVR

when I run the .py script in IDLE I have "invaiid decimal literal" error message on this line 111

<title>Tools/DahuaConfigBackupDecEnc.py at 9a8e7d8a72d3831f552c1b51c9334d94e7785108 · mcw0/Tools · GitHub</title>

please help !

thx
 
Last edited:
Top