Dahua config backup encrypted?

riogrande75

Pulling my weight
Oct 19, 2017
413
142
AUSTRIA
I'm running some VTO2000A devices. For some specific hacks I modified the "DeviceConfig.backup" file (actually just a simple xml file) and uploaded it to the device again. This was working fine until Dahua started to sign it's new firmware files (>2017).
Now the config backup is much bigger but even worse, it is somehow encrypted.
The header of the (now binary) file starts with the charactes "MWPZWJGS".

Any idea, if this can be decrypted?
 
I'm running some VTO2000A devices. For some specific hacks I modified the "DeviceConfig.backup" file (actually just a simple xml file) and uploaded it to the device again. This was working fine until Dahua started to sign it's new firmware files (>2017).
Now the config backup is much bigger but even worse, it is somehow encrypted.
The header of the (now binary) file starts with the charactes "MWPZWJGS".

Any idea, if this can be decrypted?
did u have any result in your search to extract the backup file?
 
Just an idea (not tested myself yet): what happens if you "backup configuration" in VDPConfig? Is that one also encrypted? If I remember correctly, you could mass-deploy stuff to multiple VTO's at the same time through VDPConfig, so I would expect that that one could read out config files too?
 
Can you open the first block of the encrypted backup file in any hex editor, snapshot the screen, and post that image here?

hexdump -C common/dahua/DeviceConfig-cam061.backup

00000000 4d 57 50 5a 57 4a 47 53 01 d1 d7 f9 ab 43 e0 28 |MWPZWJGS.....C.(|
00000010 e0 f4 c3 f0 c7 c2 d5 8f 15 c9 e1 96 6f 7b 0f 6b |............o{.k|
00000020 c5 e0 77 fe 0c 51 97 fc 9d f9 63 a9 83 28 8a d6 |..w..Q....c..(..|
00000030 59 96 b0 37 8e 0f 19 05 f6 ab 21 eb e7 b8 80 79 |Y..7......!....y|
00000040 69 bd 2c 8d 69 65 3d 5c 22 18 c2 2f f2 cc 25 f8 |i.,.ie=\"../..%.|
00000050 f0 51 40 70 9f ff 8f cd a2 e4 b5 5c aa 9e 8f 1c |.Q@p.......\....|
00000060 36 80 89 f8 3a dc 29 3f 45 31 47 aa 6f 8a 09 84 |6...:.)?E1G.o...|
00000070 e3 ff 0b 35 82 74 56 55 bf fb 6c cb 19 3e f6 3c |...5.tVU..l..>.<|
00000080 58 d5 19 32 fb fb 42 5d b9 b1 50 36 e0 51 25 ea |X..2..B]..P6.Q%.|
00000090 57 9a e2 0b b1 cc 6b 28 87 6f b1 6f cd bb 4a 3c |W.....k(.o.o..J<|
000000a0 1f bc 6c 4a c6 1c 8b 54 21 23 75 00 42 57 40 15 |..lJ...T!#u.BW@.|
000000b0 f1 4d ae d0 f9 fb 6e 15 fb 3c 5e 85 44 96 53 fa |.M....n..<^.D.S.|
000000c0 b3 16 29 ca e4 cf 93 d2 8d dd ef 35 c4 fe 63 7a |..)........5..cz|
000000d0 93 f0 cb ee 8a 3e 3d da 66 98 3b 2f 23 3d c0 11 |.....>=.f.;/#=..|
000000e0 ba d7 80 a4 8d 3c 8d d2 16 18 e1 87 d7 86 aa c1 |.....<..........|
000000f0 55 a4 45 d2 b1 01 e3 8f e2 bd 86 8e 81 9f c4 a7 |U.E.............|
00000100 5c 0f 93 69 56 19 8a 1f a6 41 41 06 38 ca 75 1f |\..iV....AA.8.u.|
00000110 16 1b 7f d4 bc 34 f6 2e 0b 21 91 f5 b9 56 ab 31 |.....4...!...V.1|
00000120 64 c3 54 63 f4 4f 0d 5f b0 1c d5 45 dd c5 21 ad |d.Tc.O._...E..!.|
00000130 8b 4d 36 c2 2c fd aa f7 75 ab e3 88 9a bf 21 53 |.M6.,...u.....!S|
00000140 f3 a7 c4 81 0d 05 08 8a 57 bf 86 ad 86 ba 9e 74 |........W......t|
00000150 ea 42 0f 19 86 1f 33 50 63 58 11 72 99 d1 32 9a |.B....3PcX.r..2.|
00000160 e0 4d 65 cc 6a 19 61 87 cd 7e 84 91 10 db 0d 45 |.Me.j.a..~.....E|
00000170 1e c5 5a fd fe 6a 19 49 49 31 ee c3 0a b8 58 ba |..Z..j.II1....X.|
00000180 6b 2d 4e 47 98 2f 93 f4 99 cf 95 8e 3e 19 a9 b9 |k-NG./......>...|
00000190 85 ff d9 5f a1 44 71 20 3a 8b 5c 03 01 47 89 90 |..._.Dq :.\..G..|
000001a0 31 00 ef b3 28 62 26 91 2d 5c bd e3 2d 2f ce a0 |1...(b&.-\..-/..|
000001b0 60 1c cf 84 e8 3d aa 66 af 16 e1 95 3d ae 12 45 |`....=.f....=..E|
000001c0 e0 eb 9a df ea 6b 28 f1 54 85 8e 1c 82 65 32 e8 |.....k(.T....e2.|
000001d0 dd d6 8a d3 4d 0e e5 c5 20 32 80 8f e2 3b 7b cb |....M... 2...;{.|
000001e0 74 8c b7 32 1e 9c 4e 82 ed 3d bf 2d 0b f0 20 1e |t..2..N..=.-.. .|
000001f0 a1 84 fb 52 43 43 72 93 06 09 6e e7 af 26 4a c7 |...RCCr...n..&J.|
 
I found the part in the disassambled sonia code.
Maybe somebody with assembler knowledge can read anything out of that:
Code:
text:001AFF64 ; ---------------------------------------------------------------------------
.text:001AFF64
.text:001AFF64 loc_1AFF64                              ; CODE XREF: sub_1AFE5C+C0?j
.text:001AFF64                 ADD             R7, SP, #0x78+var_34
.text:001AFF68                 MOV             R0, R7
.text:001AFF6C                 BL              sub_A651BC
.text:001AFF70                 LDR             R3, =aMwpzwjgs ; "MWPZWJGS"
.text:001AFF74                 ADD             R12, SP, #0x78+var_4C
.text:001AFF78                 LDMIA           R3, {R0-R2} ; "MWPZWJGS"
.text:001AFF7C                 STMIA           R12!, {R0,R1}
.text:001AFF80                 MOV             R1, R4  ; c
.text:001AFF84                 STRB            R2, [R12]
.text:001AFF88                 ADD             R4, SP, #0x78+var_4C
.text:001AFF8C                 MOV             R2, #7  ; n
.text:001AFF90                 ADD             R0, SP, #0x78+s ; s
.text:001AFF94                 BL              memset
.text:001AFF98                 MOV             R0, R4  ; s
.text:001AFF9C                 BL              strlen
.text:001AFFA0                 LDR             R5, [SP,#0x78+s1]
.text:001AFFA4                 MOV             R2, R0  ; n
.text:001AFFA8                 MOV             R1, R4  ; s2
.text:001AFFAC                 MOV             R0, R5  ; s1
.text:001AFFB0                 BL              strncmp
.text:001AFFB4                 CMP             R0, #0
.text:001AFFB8                 BEQ             loc_1AFFF8
.text:001AFFBC                 LDR             R1, =a23097 ; "23097"
.text:001AFFC0                 LDR             R0, =0x163
.text:001AFFC4                 LDR             R2, =aSrcSecurityime_0 ; "Src/SecurityImExport/ConfigCompatibleIm"...
.text:001AFFC8                 LDR             R3, =aDecryptfile ; "decryptFile"
.text:001AFFCC                 STR             R1, [SP,#0x78+var_74]
.text:001AFFD0                 LDR             R1, =aErrorHappenSSD ; "error happen %s::%s:%d \n"
.text:001AFFD4                 STR             R0, [SP,#0x78+var_64]
.text:001AFFD8                 STR             R1, [SP,#0x78+var_70]
.text:001AFFDC                 STR             R0, [SP,#0x78+var_78]
.text:001AFFE0                 STR             R2, [SP,#0x78+var_6C]
.text:001AFFE4                 STR             R3, [SP,#0x78+var_68]
.text:001AFFE8                 MOV             R0, #2
.text:001AFFEC                 LDR             R1, =aVdpfunc ; "VDPFunc"
.text:001AFFF0 ;   try {
.text:001AFFF0                 BL              sub_A5B65C
.text:001AFFF4                 B               loc_1B00F4
.text:001AFFF8 ; ---------------------------------------------------------------------------
.text:001AFFF8
.text:001AFFF8 loc_1AFFF8                              ; CODE XREF: sub_1AFE5C+15C?j
.text:001AFFF8                 LDRB            R3, [R5,#8]
.text:001AFFFC                 ADD             R1, R5, #9
.text:001B0000                 STR             R3, [SP,#0x78+var_78]
.text:001B0004                 MOV             R2, R10
.text:001B0008                 ADD             R0, SP, #0x78+var_21
.text:001B000C                 MOV             R3, R7
.text:001B0010                 BL              sub_1AFB84
.text:001B0014                 SUBS            R4, R0, #0
.text:001B0018                 BNE             loc_1B005C
.text:001B001C                 LDR             R1, =a23097 ; "23097"
.text:001B0020                 LDR             R0, =0x16A
.text:001B0024                 LDR             R2, =aSrcSecurityime_0 ; "Src/SecurityImExport/ConfigCompatibleIm"...
.text:001B0028                 LDR             R3, =aDecryptfile ; "decryptFile"
.text:001B002C                 STR             R1, [SP,#0x78+var_74]
.text:001B0030                 LDR             R1, =aErrorHappenSSD ; "error happen %s::%s:%d \n"
.text:001B0034                 STR             R0, [SP,#0x78+var_64]
.text:001B0038                 STR             R1, [SP,#0x78+var_70]
.text:001B003C                 STR             R0, [SP,#0x78+var_78]
.text:001B0040                 STR             R2, [SP,#0x78+var_6C]
.text:001B0044                 STR             R3, [SP,#0x78+var_68]
.text:001B0048                 SUB             R0, R0, #0x168
.text:001B004C                 LDR             R1, =aVdpfunc ; "VDPFunc"
.text:001B0050                 BL              sub_A5B65C
.text:001B0054                 MOV             R6, R4
.text:001B0058                 B               loc_1B00F8
.text:001B005C ; ---------------------------------------------------------------------------
 
Last edited:
  • Like
Reactions: VorlonFrog
The assembly code you've pasted looks like that's just the top level function that loads the file, compares the header, and makes sure that the config matches the model/version. Looks like there are two similar-but-subtly-different-file-formats or variants of the format based on the conditional branch (i.e. "if" statement) on line 001AFFB8. That line either keeps going with the next few lines if the result of a string comparison is a match (i.e. strncmp returns TRUE) or jumps down to loc_1AFFF8 if it's FALSE. Both segments of code seem to eventually both have roughly the same sequence of calls for decryption.

I would surmise that the real magic happens in sub_A5B65C. The code leading up to that point in both segments looks like it's setting up an error handler and the arguments for decryption.
 
  • Like
Reactions: riogrande75
I don't suppose there's any way to run this in a debugger or via an emulator? Would be great to step through these instructions as they're executed. Eventually the data is going to end up in memory un-encrypted as part of the call flow.
 
I'll need lots of time more to run this in a emulator - but I'm working on that.
Here is the subroutine, maybe you can read out more from this:
Code:
.text:00A5B65C
.text:00A5B65C ; =============== S U B R O U T I N E =======================================
.text:00A5B65C
.text:00A5B65C
.text:00A5B65C sub_A5B65C                              ; CODE XREF: sub_C3B10+48?p
.text:00A5B65C                                         ; sub_C4130+140?p ...
.text:00A5B65C
.text:00A5B65C var_20D8        = -0x20D8
.text:00A5B65C var_20D4        = -0x20D4
.text:00A5B65C var_20D0        = -0x20D0
.text:00A5B65C var_20C4        = -0x20C4
.text:00A5B65C var_20C0        = -0x20C0
.text:00A5B65C var_20BC        = -0x20BC
.text:00A5B65C var_20B8        = -0x20B8
.text:00A5B65C var_20B4        = -0x20B4
.text:00A5B65C var_20A8        = -0x20A8
.text:00A5B65C var_D8          = -0xD8
.text:00A5B65C var_98          = -0x98
.text:00A5B65C var_58          = -0x58
.text:00A5B65C var_18          = -0x18
.text:00A5B65C
.text:00A5B65C ; __unwind { // __gxx_personality_v0
.text:00A5B65C                 STMFD           SP!, {R4-R11,LR}
.text:00A5B660                 LDR             R7, =(_GLOBAL_OFFSET_TABLE_ - 0xA5B670)
.text:00A5B664                 LDR             R12, =(dword_11D33DC - 0x11A6278)
.text:00A5B668                 ADD             R7, PC, R7 ; _GLOBAL_OFFSET_TABLE_
.text:00A5B66C                 SUB             SP, SP, #0x2080
.text:00A5B670                 LDR             R12, [R7,R12] ; dword_11D33DC
.text:00A5B674                 SUB             SP, SP, #0x34
.text:00A5B678                 STR             R0, [SP,#0x20D8+var_20C0]
.text:00A5B67C                 CMP             R0, R12
.text:00A5B680                 ADD             R0, SP, #0x20D8+var_D8
.text:00A5B684                 MOV             R9, R1
.text:00A5B688                 MOV             R8, R2
.text:00A5B68C                 STR             R3, [SP,#0x20D8+var_20C4]
.text:00A5B690                 LDR             R10, [R0,#0xDC]
.text:00A5B694                 BGT             loc_A5BE98
.text:00A5B698                 LDR             R3, =(dword_11D33E4 - 0x11A6278)
.text:00A5B69C                 LDR             R3, [R7,R3] ; dword_11D33E4
.text:00A5B6A0                 CMP             R3, #0
.text:00A5B6A4                 BEQ             loc_A5BE98
.text:00A5B6A8                 CMP             R3, #1
.text:00A5B6AC                 BNE             loc_A5B74C
.text:00A5B6B0                 LDR             R3, =(byte_125E71C - 0x11A6278)
.text:00A5B6B4                 LDRB            R3, [R7,R3] ; byte_125E71C
.text:00A5B6B8                 CMP             R3, #0
.text:00A5B6BC                 BEQ             loc_A5B74C
.text:00A5B6C0                 CMP             R1, #0
.text:00A5B6C4                 BEQ             loc_A5B74C
.text:00A5B6C8                 BL              sub_A577FC
.text:00A5B6CC                 ADD             R4, SP, #0x20D8+var_58
.text:00A5B6D0                 ADD             R4, R4, #0x28
.text:00A5B6D4                 ADD             R2, SP, #0x20D8+var_58
.text:00A5B6D8                 MOV             R6, R0
.text:00A5B6DC                 MOV             R1, R9
.text:00A5B6E0                 MOV             R0, R4
.text:00A5B6E4                 ADD             R2, R2, #0x2F
.text:00A5B6E8 ;   try {
.text:00A5B6E8                 BL              _ZNSsC1EPKcRKSaIcE ; std::string::string(char const*,std::allocator<char> const&)
.text:00A5B6E8 ;   } // starts at A5B6E8
.text:00A5B6EC                 MOV             R0, R6
.text:00A5B6F0                 MOV             R1, R4
.text:00A5B6F4                 LDR             R3, =0x5CD8
.text:00A5B6F8 ;   try {
.text:00A5B6F8                 MOV             LR, PC
.text:00A5B6FC                 LDR             PC, [R7,R3] ; std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<std::string const,bool>>>::find(std::string const&)
.text:00A5B6FC ;   } // starts at A5B6F8
.text:00A5B700                 MOV             R5, R0
.text:00A5B704                 MOV             R0, R4  ; this
.text:00A5B708 ;   try {
.text:00A5B708                 BL              _ZNSsD1Ev ; std::string::~string()
.text:00A5B708 ;   } // starts at A5B708
.text:00A5B70C                 B               loc_A5B728
.text:00A5B710 ; ---------------------------------------------------------------------------
.text:00A5B710 ;   cleanup() // owned by A5B6F8
.text:00A5B710                 MOV             R4, R0
.text:00A5B714                 ADD             R0, SP, #0x20D8+var_58
.text:00A5B718                 ADD             R0, R0, #0x28
.text:00A5B71C                 B               loc_A5BE78
.text:00A5B720 ; ---------------------------------------------------------------------------
.text:00A5B720 ;   cleanup() // owned by A5B6E8
.text:00A5B720 ;   cleanup() // owned by A5B708
.text:00A5B720                 MOV             R4, R0
.text:00A5B724                 B               loc_A5BE7C
.text:00A5B728 ; ---------------------------------------------------------------------------
.text:00A5B728
.text:00A5B728 loc_A5B728                              ; CODE XREF: sub_A5B65C+B0?j
.text:00A5B728                 MOV             R0, R6
.text:00A5B72C                 LDR             R3, =0x1128
.text:00A5B730                 MOV             LR, PC
.text:00A5B734                 LDR             PC, [R7,R3] ; std::map<std::string,bool,std::less<std::string>,std::allocator<std::pair<std::string const,bool>>>::end(void)
.text:00A5B738                 CMP             R5, R0
.text:00A5B73C                 BEQ             loc_A5B74C
.text:00A5B740                 LDRB            R0, [R5,#0x14]
.text:00A5B744                 CMP             R0, #0
.text:00A5B748                 BEQ             loc_A5B750
.text:00A5B74C
.text:00A5B74C loc_A5B74C                              ; CODE XREF: sub_A5B65C+50?j
.text:00A5B74C                                         ; sub_A5B65C+60?j ...
.text:00A5B74C                 MOV             R0, #1
.text:00A5B750
.text:00A5B750 loc_A5B750                              ; CODE XREF: sub_A5B65C+EC?j
.text:00A5B750                 CMP             R10, #0
.text:00A5B754                 STREQ           R10, [SP,#0x20D8+var_20BC]
.text:00A5B758                 BEQ             loc_A5B774
.text:00A5B75C                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5B760                 ADD             R3, R7, R3 ; byte_125E75C
.text:00A5B764                 LDRB            R3, [R3,#(byte_125E761 - 0x125E75C)]
.text:00A5B768                 RSBS            R3, R3, #1
.text:00A5B76C                 MOVCC           R3, #0
.text:00A5B770                 STR             R3, [SP,#0x20D8+var_20BC]
.text:00A5B774
.text:00A5B774 loc_A5B774                              ; CODE XREF: sub_A5B65C+FC?j
.text:00A5B774                 CMP             R0, #0
.text:00A5B778                 BEQ             loc_A5BE98
.text:00A5B77C                 ADD             R0, SP, #0x20D8+var_58
.text:00A5B780                 ADD             R2, SP, #0x20D8+var_58
.text:00A5B784                 MOV             R1, R8
.text:00A5B788                 ADD             R0, R0, #0x24
.text:00A5B78C                 ADD             R2, R2, #0x2E
.text:00A5B790 ;   try {
.text:00A5B790                 BL              _ZNSsC1EPKcRKSaIcE ; std::string::string(char const*,std::allocator<char> const&)
.text:00A5B790 ;   } // starts at A5B790
.text:00A5B794                 B               loc_A5B79C
.text:00A5B798 ; ---------------------------------------------------------------------------
.text:00A5B798
.text:00A5B798 loc_A5B798                              ; CODE XREF: sub_A5B65C+824?j
.text:00A5B798 ;   cleanup() // owned by A5B790
.text:00A5B798                 BL              __cxa_end_cleanup
.text:00A5B79C ; ---------------------------------------------------------------------------
.text:00A5B79C
.text:00A5B79C loc_A5B79C                              ; CODE XREF: sub_A5B65C+138?j
.text:00A5B79C                 ADD             R4, SP, #0x20D8+var_58
.text:00A5B7A0                 LDR             R1, =(aGet+4 - 0x11A6278)
.text:00A5B7A4                 ADD             R4, R4, #0x24
.text:00A5B7A8                 ADD             R1, R7, R1 ; "/" ; char *
.text:00A5B7AC                 MOV             R0, R4  ; this
.text:00A5B7B0                 MOV             R2, #0xFFFFFFFF ; unsigned int
.text:00A5B7B4 ;   try {
.text:00A5B7B4                 BL              _ZNKSs5rfindEPKcj ; std::string::rfind(char const*,uint)
.text:00A5B7B8                 CMN             R0, #1
.text:00A5B7BC                 BEQ             loc_A5B80C
.text:00A5B7C0                 ADD             R5, SP, #0x20D8+var_58
.text:00A5B7C4                 ADD             R5, R5, #0x20
.text:00A5B7C8                 ADD             R2, R0, #1 ; unsigned int
.text:00A5B7CC                 MOV             R1, R4  ; unsigned int
.text:00A5B7D0                 MOV             R0, R5  ; this
.text:00A5B7D4                 MOV             R3, #0xFFFFFFFF
.text:00A5B7D8                 BL              _ZNKSs6substrEjj ; std::string::substr(uint,uint)
.text:00A5B7D8 ;   } // starts at A5B7B4
.text:00A5B7DC                 MOV             R0, R4
.text:00A5B7E0                 MOV             R1, R5
.text:00A5B7E4 ;   try {
.text:00A5B7E4                 BL              _ZNSsaSERKSs ; std::string::operator=(std::string const&)
.text:00A5B7E4 ;   } // starts at A5B7E4
.text:00A5B7E8                 B               loc_A5B800
.text:00A5B7EC ; ---------------------------------------------------------------------------
.text:00A5B7EC ;   cleanup() // owned by A5B7E4
.text:00A5B7EC                 MOV             R4, R0
.text:00A5B7F0                 ADD             R0, SP, #0x20D8+var_58
.text:00A5B7F4                 ADD             R0, R0, #0x20 ; this
.text:00A5B7F8                 BL              _ZNSsD1Ev ; std::string::~string()
.text:00A5B7FC                 B               loc_A5BE70
.text:00A5B800 ; ---------------------------------------------------------------------------
.text:00A5B800
.text:00A5B800 loc_A5B800                              ; CODE XREF: sub_A5B65C+18C?j
.text:00A5B800                 ADD             R0, SP, #0x20D8+var_58
.text:00A5B804                 ADD             R0, R0, #0x20 ; this
.text:00A5B808 ;   try {
.text:00A5B808                 BL              _ZNSsD1Ev ; std::string::~string()
.text:00A5B80C
.text:00A5B80C loc_A5B80C                              ; CODE XREF: sub_A5B65C+160?j
.text:00A5B80C                 LDR             R3, =(dword_11D33DC - 0x11A6278)
.text:00A5B810                 LDR             R2, [SP,#0x20D8+var_20C0]
.text:00A5B814                 LDR             R3, [R7,R3] ; dword_11D33DC
.text:00A5B818                 CMP             R3, R2
.text:00A5B81C                 BLT             loc_A5BE84
.text:00A5B820                 ADD             R5, SP, #0x20D8+var_98
.text:00A5B824                 MOV             R3, #0
.text:00A5B828                 ADD             R12, SP, #0x20D8+var_D8
.text:00A5B82C                 ADD             R5, R5, #0x3C
.text:00A5B830                 MOV             R1, R3  ; c
.text:00A5B834                 STRB            R3, [R12,#0x2B]
.text:00A5B838                 MOV             R0, R5  ; s
.text:00A5B83C                 MOV             R2, #0x20 ; n
.text:00A5B840                 BL              memset
.text:00A5B844                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5B848                 ADD             R3, R7, R3 ; byte_125E75C
.text:00A5B84C                 LDRB            R6, [R3,#(byte_125E766 - 0x125E75C)]
.text:00A5B850                 CMP             R6, #0
.text:00A5B854                 BEQ             loc_A5B89C
.text:00A5B858                 ADD             R0, SP, #0x20D8+var_D8
.text:00A5B85C                 ADD             R0, R0, #0x2C
.text:00A5B860                 BL              sub_A60FDC
.text:00A5B864                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5B868                 LDR             R3, [LR,#0x2C]
.text:00A5B86C                 LDR             R0, [LR,#0x44]
.text:00A5B870                 STR             R3, [LR,#0x7C]
.text:00A5B874                 LDR             R3, [LR,#0x30]
.text:00A5B878                 LDR             R2, [LR,#0x40]
.text:00A5B87C                 STR             R3, [LR,#0x80]
.text:00A5B880                 LDR             R5, [LR,#0x48]
.text:00A5B884                 LDR             R3, [LR,#0x34]
.text:00A5B888                 LDR             R11, [LR,#0x3C]
.text:00A5B88C                 STR             R0, [SP,#0x20D8+var_20B8]
.text:00A5B890                 STR             R2, [SP,#0x20D8+var_20B4]
.text:00A5B894                 STR             R3, [LR,#0x84]
.text:00A5B898                 B               loc_A5B8D4
.text:00A5B89C ; ---------------------------------------------------------------------------
.text:00A5B89C
.text:00A5B89C loc_A5B89C                              ; CODE XREF: sub_A5B65C+1F8?j
.text:00A5B89C                 ADD             R4, SP, #0x20D8+var_98
.text:00A5B8A0                 ADD             R4, R4, #0x1C
.text:00A5B8A4                 MOV             R0, R4
.text:00A5B8A8                 BL              sub_A61A28
.text:00A5B8AC                 MOV             LR, R5
.text:00A5B8B0                 MOV             R12, R4
.text:00A5B8B4                 LDMIA           R12!, {R0-R3}
.text:00A5B8B8                 STMIA           LR!, {R0-R3}
.text:00A5B8BC                 LDMIA           R12, {R0-R3}
.text:00A5B8C0                 STMIA           LR, {R0-R3}
.text:00A5B8C4                 MOV             R5, R6
.text:00A5B8C8                 STR             R6, [SP,#0x20D8+var_20B8]
.text:00A5B8CC                 STR             R6, [SP,#0x20D8+var_20B4]
.text:00A5B8D0                 MOV             R11, R6
.text:00A5B8D4
.text:00A5B8D4 loc_A5B8D4                              ; CODE XREF: sub_A5B65C+23C?j
.text:00A5B8D4                 LDR             R3, =(byte_11D33E0 - 0x11A6278)
.text:00A5B8D8                 LDRB            R0, [R7,R3] ; byte_11D33E0
.text:00A5B8DC                 CMP             R0, #0
.text:00A5B8E0                 MOVEQ           R6, R0
.text:00A5B8E4                 BEQ             loc_A5BD74
.text:00A5B8E8                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5B8EC                 ADD             R6, R7, R3 ; byte_125E75C
.text:00A5B8F0                 LDRB            R4, [R6,#(byte_125E75D - 0x125E75C)]
.text:00A5B8F4                 CMP             R4, #0
.text:00A5B8F8                 BNE             loc_A5B918
.text:00A5B8FC                 LDR             R3, =(unk_F7E6FC - 0x11A6278)
.text:00A5B900                 LDR             R12, [SP,#0x20D8+var_20C0]
.text:00A5B904                 ADD             R3, R7, R3 ; unk_F7E6FC
.text:00A5B908                 LDR             R0, [R3,R12,LSL#2]
.text:00A5B90C                 BL              sub_A576D4
.text:00A5B910                 LDR             R3, =(byte_11D33E8 - 0x11A6278)
.text:00A5B914                 STRB            R4, [R7,R3] ; byte_11D33E8
.text:00A5B918
.text:00A5B918 loc_A5B918                              ; CODE XREF: sub_A5B65C+29C?j
.text:00A5B918                 LDRB            R0, [R6,#(byte_125E767 - 0x125E75C)]
.text:00A5B91C                 CMP             R0, #0
.text:00A5B920                 BEQ             loc_A5B93C
.text:00A5B924                 LDR             R2, =(aT - 0x11A6278)
.text:00A5B928                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5B92C                 SUB             R0, R0, #4 ; s
.text:00A5B930                 ADD             R2, R7, R2 ; "|T:"
.text:00A5B934                 LDR             R1, =0x1FFF ; maxlen
.text:00A5B938                 BL              snprintf
.text:00A5B93C
.text:00A5B93C loc_A5B93C                              ; CODE XREF: sub_A5B65C+2C4?j
.text:00A5B93C                 LDR             R4, =(byte_125E75C - 0x11A6278)
.text:00A5B940                 MOV             R6, R0
.text:00A5B944                 ADD             R8, R7, R4 ; byte_125E75C
.text:00A5B948                 LDRB            R3, [R8,#(byte_125E765 - 0x125E75C)]
.text:00A5B94C                 CMP             R3, #0
.text:00A5B950                 BEQ             loc_A5B990
.text:00A5B954                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5B958                 LDR             R12, [LR,#0x80]
.text:00A5B95C                 LDR             R3, [LR,#0x7C]
.text:00A5B960                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5B964                 STR             R12, [SP,#0x20D8+var_20D8]
.text:00A5B968                 LDR             R2, =(a04d02d02d - 0x11A6278)
.text:00A5B96C                 RSB             R1, R6, #0x1FC0
.text:00A5B970                 LDR             R12, [LR,#0x84]
.text:00A5B974                 SUB             R0, R0, #4
.text:00A5B978                 ADD             R0, R0, R6 ; s
.text:00A5B97C                 ADD             R1, R1, #0x3F ; maxlen
.text:00A5B980                 ADD             R2, R7, R2 ; "%04d-%02d-%02d "
.text:00A5B984                 STR             R12, [SP,#0x20D8+var_20D4]
.text:00A5B988                 BL              snprintf
.text:00A5B98C                 ADD             R6, R6, R0
.text:00A5B990
.text:00A5B990 loc_A5B990                              ; CODE XREF: sub_A5B65C+2F4?j
.text:00A5B990                 LDRB            R3, [R7,R4] ; byte_125E75C
.text:00A5B994                 CMP             R3, #0
.text:00A5B998                 BNE             loc_A5BA18
.text:00A5B99C                 LDRB            R3, [R8,#(byte_125E766 - 0x125E75C)]
.text:00A5B9A0                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5B9A4                 RSB             R4, R6, #0x1FC0
.text:00A5B9A8                 CMP             R3, #0
.text:00A5B9AC                 SUB             R0, R0, #4
.text:00A5B9B0                 ADD             R4, R4, #0x3F
.text:00A5B9B4                 BEQ             loc_A5B9E4
.text:00A5B9B8                 LDR             R2, =(a02d02d02d3d - 0x11A6278)
.text:00A5B9BC                 LDR             R12, [SP,#0x20D8+var_20B4]
.text:00A5B9C0                 LDR             LR, [SP,#0x20D8+var_20B8]
.text:00A5B9C4                 ADD             R0, R0, R6 ; s
.text:00A5B9C8                 MOV             R1, R4  ; maxlen
.text:00A5B9CC                 ADD             R2, R7, R2 ; "%02d:%02d:%02d:%3d|"
.text:00A5B9D0                 MOV             R3, R11
.text:00A5B9D4                 STMEA           SP, {R12,LR}
.text:00A5B9D8                 STR             R5, [SP,#0x20D8+var_20D0]
.text:00A5B9DC                 BL              snprintf
.text:00A5B9E0                 B               loc_A5BA14
.text:00A5B9E4 ; ---------------------------------------------------------------------------
.text:00A5B9E4
.text:00A5B9E4 loc_A5B9E4                              ; CODE XREF: sub_A5B65C+358?j
.text:00A5B9E4                 ADD             R12, SP, #0x20D8+var_D8
.text:00A5B9E8                 LDR             R3, [R12,#0x8C]
.text:00A5B9EC                 LDR             R12, [R12,#0x90]
.text:00A5B9F0                 LDR             R2, =(a02d02d02d - 0x11A6278)
.text:00A5B9F4                 STR             R12, [SP,#0x20D8+var_20D8]
.text:00A5B9F8                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5B9FC                 LDR             R12, [LR,#0x94]
.text:00A5BA00                 ADD             R0, R0, R6 ; s
.text:00A5BA04                 MOV             R1, R4  ; maxlen
.text:00A5BA08                 ADD             R2, R7, R2 ; "%02d:%02d:%02d|"
.text:00A5BA0C                 STR             R12, [SP,#0x20D8+var_20D4]
.text:00A5BA10                 BL              snprintf
.text:00A5BA14
.text:00A5BA14 loc_A5BA14                              ; CODE XREF: sub_A5B65C+384?j
.text:00A5BA14                 ADD             R6, R6, R0
.text:00A5BA18
.text:00A5BA18 loc_A5BA18                              ; CODE XREF: sub_A5B65C+33C?j
.text:00A5BA18                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BA1C                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BA20                 LDRB            R3, [R2,#(byte_125E75E - 0x125E75C)]
.text:00A5BA24                 CMP             R3, #0
.text:00A5BA28                 BNE             loc_A5BA74
.text:00A5BA2C                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BA30                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BA34                 RSB             R4, R6, #0x1FC0
.text:00A5BA38                 CMP             R3, #0
.text:00A5BA3C                 SUB             R0, R0, #4
.text:00A5BA40                 ADD             R4, R4, #0x3F
.text:00A5BA44                 BEQ             loc_A5BA58
.text:00A5BA48                 LDR             R2, =(aMS - 0x11A6278)
.text:00A5BA4C                 ADD             R0, R0, R6
.text:00A5BA50                 MOV             R1, R4
.text:00A5BA54                 B               loc_A5BA64
.text:00A5BA58 ; ---------------------------------------------------------------------------
.text:00A5BA58
.text:00A5BA58 loc_A5BA58                              ; CODE XREF: sub_A5B65C+3E8?j
.text:00A5BA58                 LDR             R2, =(aS_2 - 0x11A6278)
.text:00A5BA5C                 ADD             R0, R0, R6 ; s
.text:00A5BA60                 MOV             R1, R4  ; maxlen
.text:00A5BA64
.text:00A5BA64 loc_A5BA64                              ; CODE XREF: sub_A5B65C+3F8?j
.text:00A5BA64                 ADD             R2, R7, R2 ; "M:%s|" ...
.text:00A5BA68                 MOV             R3, R9
.text:00A5BA6C                 BL              snprintf
.text:00A5BA70                 ADD             R6, R6, R0
.text:00A5BA74
.text:00A5BA74 loc_A5BA74                              ; CODE XREF: sub_A5B65C+3CC?j
.text:00A5BA74                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BA78                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BA7C                 LDRB            R3, [R2,#(byte_125E761 - 0x125E75C)]
.text:00A5BA80                 CMP             R3, #0
.text:00A5BA84                 BNE             loc_A5BB00
.text:00A5BA88                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BA8C                 CMP             R3, #0
.text:00A5BA90                 BEQ             loc_A5BAC4
.text:00A5BA94                 LDR             R0, [SP,#0x20D8+var_20BC]
.text:00A5BA98                 CMP             R0, #0
.text:00A5BA9C                 BNE             loc_A5BAA8
.text:00A5BAA0                 LDR             R3, =(aErrorHappenFil+0x2C - 0x11A6278)
.text:00A5BAA4                 ADD             R10, R7, R3 ; ""
.text:00A5BAA8
.text:00A5BAA8 loc_A5BAA8                              ; CODE XREF: sub_A5B65C+440?j
.text:00A5BAA8                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BAAC                 SUB             R0, R0, #4
.text:00A5BAB0                 RSB             R1, R6, #0x1FC0
.text:00A5BAB4                 LDR             R2, =(aVS - 0x11A6278)
.text:00A5BAB8                 ADD             R0, R0, R6
.text:00A5BABC                 ADD             R1, R1, #0x3F
.text:00A5BAC0                 B               loc_A5BAF0
.text:00A5BAC4 ; ---------------------------------------------------------------------------
.text:00A5BAC4
.text:00A5BAC4 loc_A5BAC4                              ; CODE XREF: sub_A5B65C+434?j
.text:00A5BAC4                 LDR             R2, [SP,#0x20D8+var_20BC]
.text:00A5BAC8                 CMP             R2, #0
.text:00A5BACC                 BNE             loc_A5BAD8
.text:00A5BAD0                 LDR             R3, =(aErrorHappenFil+0x2C - 0x11A6278)
.text:00A5BAD4                 ADD             R10, R7, R3 ; ""
.text:00A5BAD8
.text:00A5BAD8 loc_A5BAD8                              ; CODE XREF: sub_A5B65C+470?j
.text:00A5BAD8                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BADC                 SUB             R0, R0, #4
.text:00A5BAE0                 RSB             R1, R6, #0x1FC0
.text:00A5BAE4                 LDR             R2, =(aVerS - 0x11A6278)
.text:00A5BAE8                 ADD             R0, R0, R6 ; s
.text:00A5BAEC                 ADD             R1, R1, #0x3F ; maxlen
.text:00A5BAF0
.text:00A5BAF0 loc_A5BAF0                              ; CODE XREF: sub_A5B65C+464?j
.text:00A5BAF0                 ADD             R2, R7, R2 ; "V:%s|" ...
.text:00A5BAF4                 MOV             R3, R10
.text:00A5BAF8                 BL              snprintf
.text:00A5BAFC                 ADD             R6, R6, R0
.text:00A5BB00
.text:00A5BB00 loc_A5BB00                              ; CODE XREF: sub_A5B65C+428?j
.text:00A5BB00                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BB04                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BB08                 LDRB            R3, [R2,#(byte_125E75F - 0x125E75C)]
.text:00A5BB0C                 CMP             R3, #0
.text:00A5BB10                 BNE             loc_A5BB78
.text:00A5BB14                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BB18                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BB1C                 CMP             R3, #0
.text:00A5BB20                 RSB             R4, R6, #0x1FC0
.text:00A5BB24                 SUB             R0, R0, #4
.text:00A5BB28                 ADD             R4, R4, #0x3F
.text:00A5BB2C                 LDR             R3, =(off_119C700 - 0x11A6278)
.text:00A5BB30                 BEQ             loc_A5BB54
.text:00A5BB34                 LDR             R12, [SP,#0x20D8+var_20C0]
.text:00A5BB38                 ADD             R3, R7, R3 ; off_119C700
.text:00A5BB3C                 LDR             R2, =(aLS - 0x11A6278)
.text:00A5BB40                 LDR             R3, [R3,R12,LSL#2]
.text:00A5BB44                 ADD             R0, R0, R6
.text:00A5BB48                 MOV             R1, R4
.text:00A5BB4C                 ADD             R2, R7, R2 ; "L:%s|"
.text:00A5BB50                 B               loc_A5BB70
.text:00A5BB54 ; ---------------------------------------------------------------------------
.text:00A5BB54
.text:00A5BB54 loc_A5BB54                              ; CODE XREF: sub_A5B65C+4D4?j
.text:00A5BB54                 LDR             LR, [SP,#0x20D8+var_20C0]
.text:00A5BB58                 ADD             R3, R7, R3 ; off_119C700
.text:00A5BB5C                 LDR             R2, =(aCupgraderUpgra_14+0x28 - 0x11A6278)
.text:00A5BB60                 LDR             R3, [R3,LR,LSL#2]
.text:00A5BB64                 ADD             R0, R0, R6 ; s
.text:00A5BB68                 MOV             R1, R4  ; maxlen
.text:00A5BB6C                 ADD             R2, R7, R2 ; "%s" ; format
.text:00A5BB70
.text:00A5BB70 loc_A5BB70                              ; CODE XREF: sub_A5B65C+4F4?j
.text:00A5BB70                 BL              snprintf
.text:00A5BB74                 ADD             R6, R6, R0
.text:00A5BB78
.text:00A5BB78 loc_A5BB78                              ; CODE XREF: sub_A5B65C+4B4?j
.text:00A5BB78                 ADD             R0, SP, #0x20D8+var_D8
.text:00A5BB7C                 LDR             R0, [R0,#0xD8]
.text:00A5BB80                 CMP             R0, #0
.text:00A5BB84                 BLE             loc_A5BBF4
.text:00A5BB88                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BB8C                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BB90                 LDRB            R3, [R2,#(byte_125E763 - 0x125E75C)]
.text:00A5BB94                 CMP             R3, #0
.text:00A5BB98                 BNE             loc_A5BBF4
.text:00A5BB9C                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BBA0                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BBA4                 RSB             R4, R6, #0x1FC0
.text:00A5BBA8                 CMP             R3, #0
.text:00A5BBAC                 SUB             R0, R0, #4
.text:00A5BBB0                 ADD             R4, R4, #0x3F
.text:00A5BBB4                 BEQ             loc_A5BBD4
.text:00A5BBB8                 LDR             R2, =(aFS_0 - 0x11A6278)
.text:00A5BBBC                 ADD             R12, SP, #0x20D8+var_D8
.text:00A5BBC0                 LDR             R3, [R12,#0xA4]
.text:00A5BBC4                 ADD             R0, R0, R6
.text:00A5BBC8                 MOV             R1, R4
.text:00A5BBCC                 ADD             R2, R7, R2 ; "F:%s|"
.text:00A5BBD0                 B               loc_A5BBEC
.text:00A5BBD4 ; ---------------------------------------------------------------------------
.text:00A5BBD4
.text:00A5BBD4 loc_A5BBD4                              ; CODE XREF: sub_A5B65C+558?j
.text:00A5BBD4                 LDR             R2, =(aMconfigwlanIsS+0x10 - 0x11A6278)
.text:00A5BBD8                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5BBDC                 LDR             R3, [LR,#0xA4]
.text:00A5BBE0                 ADD             R0, R0, R6 ; s
.text:00A5BBE4                 MOV             R1, R4  ; maxlen
.text:00A5BBE8                 ADD             R2, R7, R2 ; "%s " ; format
.text:00A5BBEC
.text:00A5BBEC loc_A5BBEC                              ; CODE XREF: sub_A5B65C+574?j
.text:00A5BBEC                 BL              snprintf
.text:00A5BBF0                 ADD             R6, R6, R0
.text:00A5BBF4
.text:00A5BBF4 loc_A5BBF4                              ; CODE XREF: sub_A5B65C+528?j
.text:00A5BBF4                                         ; sub_A5B65C+53C?j
.text:00A5BBF4                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BBF8                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BBFC                 LDRB            R3, [R2,#(byte_125E762 - 0x125E75C)]
.text:00A5BC00                 CMP             R3, #0
.text:00A5BC04                 BNE             loc_A5BC50
.text:00A5BC08                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BC0C                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BC10                 RSB             R4, R6, #0x1FC0
.text:00A5BC14                 CMP             R3, #0
.text:00A5BC18                 SUB             R0, R0, #4
.text:00A5BC1C                 ADD             R4, R4, #0x3F
.text:00A5BC20                 BEQ             loc_A5BC34
.text:00A5BC24                 LDR             R2, =(aFS - 0x11A6278)
.text:00A5BC28                 ADD             R0, R0, R6
.text:00A5BC2C                 MOV             R1, R4
.text:00A5BC30                 B               loc_A5BC40
.text:00A5BC34 ; ---------------------------------------------------------------------------
.text:00A5BC34
.text:00A5BC34 loc_A5BC34                              ; CODE XREF: sub_A5B65C+5C4?j
.text:00A5BC34                 LDR             R2, =(aMconfigwlanIsS+0x10 - 0x11A6278)
.text:00A5BC38                 ADD             R0, R0, R6 ; s
.text:00A5BC3C                 MOV             R1, R4  ; maxlen
.text:00A5BC40
.text:00A5BC40 loc_A5BC40                              ; CODE XREF: sub_A5B65C+5D4?j
.text:00A5BC40                 ADD             R2, R7, R2 ; "%s " ...
.text:00A5BC44                 LDR             R3, [SP,#0x20D8+var_20C4]
.text:00A5BC48                 BL              snprintf
.text:00A5BC4C                 ADD             R6, R6, R0
.text:00A5BC50
.text:00A5BC50 loc_A5BC50                              ; CODE XREF: sub_A5B65C+5A8?j
.text:00A5BC50                 ADD             R0, SP, #0x20D8+var_D8
.text:00A5BC54                 LDR             R0, [R0,#0xD8]
.text:00A5BC58                 CMP             R0, #0
.text:00A5BC5C                 BLE             loc_A5BCCC
.text:00A5BC60                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BC64                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BC68                 LDRB            R3, [R2,#(byte_125E764 - 0x125E75C)]
.text:00A5BC6C                 CMP             R3, #0
.text:00A5BC70                 BNE             loc_A5BCCC
.text:00A5BC74                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BC78                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BC7C                 RSB             R4, R6, #0x1FC0
.text:00A5BC80                 CMP             R3, #0
.text:00A5BC84                 SUB             R0, R0, #4
.text:00A5BC88                 ADD             R4, R4, #0x3F
.text:00A5BC8C                 BEQ             loc_A5BCAC
.text:00A5BC90                 LDR             R2, =(aLD - 0x11A6278)
.text:00A5BC94                 ADD             R12, SP, #0x20D8+var_D8
.text:00A5BC98                 LDR             R3, [R12,#0xD8]
.text:00A5BC9C                 ADD             R0, R0, R6
.text:00A5BCA0                 MOV             R1, R4
.text:00A5BCA4                 ADD             R2, R7, R2 ; "l:%d|"
.text:00A5BCA8                 B               loc_A5BCC4
.text:00A5BCAC ; ---------------------------------------------------------------------------
.text:00A5BCAC
.text:00A5BCAC loc_A5BCAC                              ; CODE XREF: sub_A5B65C+630?j
.text:00A5BCAC                 LDR             R2, =(aTidD+4 - 0x11A6278)
.text:00A5BCB0                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5BCB4                 LDR             R3, [LR,#0xD8]
.text:00A5BCB8                 ADD             R0, R0, R6 ; s
.text:00A5BCBC                 MOV             R1, R4  ; maxlen
.text:00A5BCC0                 ADD             R2, R7, R2 ; "%d " ; format
.text:00A5BCC4
.text:00A5BCC4 loc_A5BCC4                              ; CODE XREF: sub_A5B65C+64C?j
.text:00A5BCC4                 BL              snprintf
.text:00A5BCC8                 ADD             R6, R6, R0
.text:00A5BCCC
.text:00A5BCCC loc_A5BCCC                              ; CODE XREF: sub_A5B65C+600?j
.text:00A5BCCC                                         ; sub_A5B65C+614?j
.text:00A5BCCC                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BCD0                 ADD             R2, R7, R3 ; byte_125E75C
.text:00A5BCD4                 LDRB            R3, [R2,#(byte_125E760 - 0x125E75C)]
.text:00A5BCD8                 CMP             R3, #0
.text:00A5BCDC                 BNE             loc_A5BD3C
.text:00A5BCE0                 LDRB            R3, [R2,#(byte_125E767 - 0x125E75C)]
.text:00A5BCE4                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BCE8                 RSB             R4, R6, #0x1FC0
.text:00A5BCEC                 CMP             R3, #0
.text:00A5BCF0                 SUB             R0, R0, #4
.text:00A5BCF4                 ADD             R4, R4, #0x3F
.text:00A5BCF8                 BEQ             loc_A5BD18
.text:00A5BCFC                 ADD             R5, R0, R6
.text:00A5BD00                 BL              sub_A5D4B0
.text:00A5BD04                 LDR             R2, =(aTD - 0x11A6278)
.text:00A5BD08                 MOV             R3, R0
.text:00A5BD0C                 MOV             R1, R4
.text:00A5BD10                 MOV             R0, R5
.text:00A5BD14                 B               loc_A5BD30
.text:00A5BD18 ; ---------------------------------------------------------------------------
.text:00A5BD18
.text:00A5BD18 loc_A5BD18                              ; CODE XREF: sub_A5B65C+69C?j
.text:00A5BD18                 ADD             R5, R0, R6
.text:00A5BD1C                 BL              sub_A5D4B0
.text:00A5BD20                 LDR             R2, =(aTidD - 0x11A6278)
.text:00A5BD24                 MOV             R3, R0
.text:00A5BD28                 MOV             R1, R4  ; maxlen
.text:00A5BD2C                 MOV             R0, R5  ; s
.text:00A5BD30
.text:00A5BD30 loc_A5BD30                              ; CODE XREF: sub_A5B65C+6B8?j
.text:00A5BD30                 ADD             R2, R7, R2 ; "t:%d|" ...
.text:00A5BD34                 BL              snprintf
.text:00A5BD38                 ADD             R6, R6, R0
.text:00A5BD3C
.text:00A5BD3C loc_A5BD3C                              ; CODE XREF: sub_A5B65C+680?j
.text:00A5BD3C                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BD40                 ADD             R3, R7, R3 ; byte_125E75C
.text:00A5BD44                 LDRB            R3, [R3,#(byte_125E767 - 0x125E75C)]
.text:00A5BD48                 CMP             R3, #0
.text:00A5BD4C                 BEQ             loc_A5BD74
.text:00A5BD50                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BD54                 LDR             R2, =(aRealm_4+4 - 0x11A6278)
.text:00A5BD58                 RSB             R1, R6, #0x1FC0
.text:00A5BD5C                 SUB             R0, R0, #4
.text:00A5BD60                 ADD             R0, R0, R6 ; s
.text:00A5BD64                 ADD             R1, R1, #0x3F ; maxlen
.text:00A5BD68                 ADD             R2, R7, R2 ; "m:" ; format
.text:00A5BD6C                 BL              snprintf
.text:00A5BD70                 ADD             R6, R6, R0
.text:00A5BD74
.text:00A5BD74 loc_A5BD74                              ; CODE XREF: sub_A5B65C+288?j
.text:00A5BD74                                         ; sub_A5B65C+6F0?j
.text:00A5BD74                 ADD             R4, SP, #0x20D8+var_20A8
.text:00A5BD78                 ADD             R12, SP, #0x20D8+var_18
.text:00A5BD7C                 ADD             R12, R12, #0x24
.text:00A5BD80                 SUB             R4, R4, #4
.text:00A5BD84                 ADD             R0, SP, #0x20D8+var_D8
.text:00A5BD88                 ADD             LR, SP, #0x20D8+var_D8
.text:00A5BD8C                 RSB             R1, R6, #0x1FC0
.text:00A5BD90                 ADD             R1, R1, #0x3F ; maxlen
.text:00A5BD94                 LDR             R2, [R0,#0xE0] ; format
.text:00A5BD98                 MOV             R3, R12 ; arg
.text:00A5BD9C                 ADD             R0, R4, R6 ; s
.text:00A5BDA0                 STR             R12, [LR,#0x9C]
.text:00A5BDA4                 BL              vsnprintf
.text:00A5BDA8                 MOV             R1, R4
.text:00A5BDAC                 ADD             R5, R0, R6
.text:00A5BDB0                 LDR             R0, [SP,#0x20D8+var_20C0]
.text:00A5BDB4                 BL              sub_A57C90
.text:00A5BDB8                 LDR             R3, =0x1FFF
.text:00A5BDBC                 CMP             R5, R3
.text:00A5BDC0                 MOVGT           R2, #1
.text:00A5BDC4                 BGT             loc_A5BDF8
.text:00A5BDC8                 CMP             R5, #0
.text:00A5BDCC                 MOVLE           R2, #0
.text:00A5BDD0                 BLE             loc_A5BDF8
.text:00A5BDD4                 ADD             R0, SP, #0x20D8+var_58
.text:00A5BDD8                 ADD             R0, R0, #0x30
.text:00A5BDDC                 ADD             R3, R0, R5
.text:00A5BDE0                 SUB             R3, R3, #0x2080
.text:00A5BDE4                 SUB             R3, R3, #4
.text:00A5BDE8                 LDRB            R3, [R3,#-1]
.text:00A5BDEC                 CMP             R3, #0xA
.text:00A5BDF0                 MOVNE           R2, #0
.text:00A5BDF4                 MOVEQ           R2, #1
.text:00A5BDF8
.text:00A5BDF8 loc_A5BDF8                              ; CODE XREF: sub_A5B65C+768?j
.text:00A5BDF8                                         ; sub_A5B65C+774?j
.text:00A5BDF8                 LDR             R3, =(byte_11D33E0 - 0x11A6278)
.text:00A5BDFC                 CMP             R2, #0
.text:00A5BE00                 STRB            R2, [R7,R3] ; byte_11D33E0
.text:00A5BE04                 BEQ             loc_A5BE3C
.text:00A5BE08                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BE0C                 ADD             R3, R7, R3 ; byte_125E75C
.text:00A5BE10                 LDRB            R3, [R3,#(byte_125E75D - 0x125E75C)]
.text:00A5BE14                 CMP             R3, #0
.text:00A5BE18                 BEQ             loc_A5BE2C
.text:00A5BE1C                 LDR             R3, =(byte_11D33E8 - 0x11A6278)
.text:00A5BE20                 LDRB            R3, [R7,R3] ; byte_11D33E8
.text:00A5BE24                 CMP             R3, #0
.text:00A5BE28                 BNE             loc_A5BE3C
.text:00A5BE2C
.text:00A5BE2C loc_A5BE2C                              ; CODE XREF: sub_A5B65C+7BC?j
.text:00A5BE2C                 BL              sub_A57E74
.text:00A5BE30                 LDR             R3, =(byte_11D33E8 - 0x11A6278)
.text:00A5BE34                 MOV             R2, #1
.text:00A5BE38                 STRB            R2, [R7,R3] ; byte_11D33E8
.text:00A5BE3C
.text:00A5BE3C loc_A5BE3C                              ; CODE XREF: sub_A5B65C+7A8?j
.text:00A5BE3C                                         ; sub_A5B65C+7CC?j
.text:00A5BE3C                 LDR             R3, =(byte_125E75C - 0x11A6278)
.text:00A5BE40                 ADD             R3, R7, R3 ; byte_125E75C
.text:00A5BE44                 LDRB            R3, [R3,#(byte_125E768 - 0x125E75C)]
.text:00A5BE48                 CMP             R3, #0
.text:00A5BE4C                 BNE             loc_A5BE88
.text:00A5BE50                 ADD             R0, SP, #0x20D8+var_20A8
.text:00A5BE54                 ADD             R2, SP, #0x20D8+var_98
.text:00A5BE58                 SUB             R0, R0, #4
.text:00A5BE5C                 MOV             R1, R5
.text:00A5BE60                 ADD             R2, R2, #0x3C
.text:00A5BE64                 BL              sub_A582CC
.text:00A5BE64 ;   } // starts at A5B808
.text:00A5BE68                 B               loc_A5BE88
.text:00A5BE6C ; ---------------------------------------------------------------------------
.text:00A5BE6C ;   cleanup() // owned by A5B7B4
.text:00A5BE6C ;   cleanup() // owned by A5B808
.text:00A5BE6C                 MOV             R4, R0
.text:00A5BE70
.text:00A5BE70 loc_A5BE70                              ; CODE XREF: sub_A5B65C+1A0?j
.text:00A5BE70                 ADD             R0, SP, #0x20D8+var_58
.text:00A5BE74                 ADD             R0, R0, #0x24 ; this
.text:00A5BE78
.text:00A5BE78 loc_A5BE78                              ; CODE XREF: sub_A5B65C+C0?j
.text:00A5BE78                 BL              _ZNSsD1Ev ; std::string::~string()
.text:00A5BE7C
.text:00A5BE7C loc_A5BE7C                              ; CODE XREF: sub_A5B65C+C8?j
.text:00A5BE7C                 MOV             R0, R4
.text:00A5BE80                 B               loc_A5B798
.text:00A5BE84 ; ---------------------------------------------------------------------------
.text:00A5BE84
.text:00A5BE84 loc_A5BE84                              ; CODE XREF: sub_A5B65C+1C0?j
.text:00A5BE84                 MOV             R5, #0
.text:00A5BE88
.text:00A5BE88 loc_A5BE88                              ; CODE XREF: sub_A5B65C+7F0?j
.text:00A5BE88                                         ; sub_A5B65C+80C?j
.text:00A5BE88                 ADD             R0, SP, #0x20D8+var_58
.text:00A5BE8C                 ADD             R0, R0, #0x24 ; this
.text:00A5BE90                 BL              _ZNSsD1Ev ; std::string::~string()
.text:00A5BE94                 B               loc_A5BE9C
.text:00A5BE98 ; ---------------------------------------------------------------------------
.text:00A5BE98
.text:00A5BE98 loc_A5BE98                              ; CODE XREF: sub_A5B65C+38?j
.text:00A5BE98                                         ; sub_A5B65C+48?j ...
.text:00A5BE98                 MOV             R5, #0
.text:00A5BE9C
.text:00A5BE9C loc_A5BE9C                              ; CODE XREF: sub_A5B65C+838?j
.text:00A5BE9C                 MOV             R0, R5
.text:00A5BEA0                 ADD             SP, SP, #0xB4
.text:00A5BEA4                 ADD             SP, SP, #0x2000
.text:00A5BEA8                 LDMFD           SP!, {R4-R11,PC}
.text:00A5BEA8 ; End of function sub_A5B65C
.text:00A5BEA8
.text:00A5BEA8 ; ---------------------------------------------------------------------------
.text:00A5BEAC off_A5BEAC      DCD _GLOBAL_OFFSET_TABLE_ - 0xA5B670
.text:00A5BEAC                                         ; DATA XREF: sub_A5B65C+4?r
.text:00A5BEB0 off_A5BEB0      DCD dword_11D33DC - 0x11A6278
.text:00A5BEB0                                         ; DATA XREF: sub_A5B65C+8?r
.text:00A5BEB0                                         ; sub_A5B65C:loc_A5B80C?r
.text:00A5BEB4 off_A5BEB4      DCD dword_11D33E4 - 0x11A6278
.text:00A5BEB4                                         ; DATA XREF: sub_A5B65C+3C?r
.text:00A5BEB8 off_A5BEB8      DCD byte_125E71C - 0x11A6278
.text:00A5BEB8                                         ; DATA XREF: sub_A5B65C+54?r
.text:00A5BEBC dword_A5BEBC    DCD 0x5CD8              ; DATA XREF: sub_A5B65C+98?r
.text:00A5BEC0 dword_A5BEC0    DCD 0x1128              ; DATA XREF: sub_A5B65C+D0?r
.text:00A5BEC4 off_A5BEC4      DCD byte_125E75C - 0x11A6278
.text:00A5BEC4                                         ; DATA XREF: sub_A5B65C+100?r
.text:00A5BEC4                                         ; sub_A5B65C+1E8?r ...
.text:00A5BEC8 off_A5BEC8      DCD aGet+4 - 0x11A6278  ; DATA XREF: sub_A5B65C+144?r
.text:00A5BEC8                                         ; "/"
.text:00A5BECC off_A5BECC      DCD byte_11D33E0 - 0x11A6278
.text:00A5BECC                                         ; DATA XREF: sub_A5B65C:loc_A5B8D4?r
.text:00A5BECC                                         ; sub_A5B65C:loc_A5BDF8?r
.text:00A5BED0 off_A5BED0      DCD unk_F7E6FC - 0x11A6278
.text:00A5BED0                                         ; DATA XREF: sub_A5B65C+2A0?r
.text:00A5BED4 off_A5BED4      DCD byte_11D33E8 - 0x11A6278
.text:00A5BED4                                         ; DATA XREF: sub_A5B65C+2B4?r
.text:00A5BED4                                         ; sub_A5B65C+7C0?r ...
.text:00A5BED8 off_A5BED8      DCD aT - 0x11A6278      ; DATA XREF: sub_A5B65C+2C8?r
.text:00A5BED8                                         ; "|T:"
.text:00A5BEDC ; size_t dword_A5BEDC
.text:00A5BEDC dword_A5BEDC    DCD 0x1FFF              ; DATA XREF: sub_A5B65C+2D8?r
.text:00A5BEDC                                         ; sub_A5B65C+75C?r
.text:00A5BEE0 off_A5BEE0      DCD a04d02d02d - 0x11A6278
.text:00A5BEE0                                         ; DATA XREF: sub_A5B65C+30C?r
.text:00A5BEE0                                         ; "%04d-%02d-%02d "
.text:00A5BEE4 off_A5BEE4      DCD a02d02d02d3d - 0x11A6278
.text:00A5BEE4                                         ; DATA XREF: sub_A5B65C+35C?r
.text:00A5BEE4                                         ; "%02d:%02d:%02d:%3d|"
.text:00A5BEE8 off_A5BEE8      DCD a02d02d02d - 0x11A6278
.text:00A5BEE8                                         ; DATA XREF: sub_A5B65C+394?r
.text:00A5BEE8                                         ; "%02d:%02d:%02d|"
.text:00A5BEEC off_A5BEEC      DCD aMS - 0x11A6278     ; DATA XREF: sub_A5B65C+3EC?r
.text:00A5BEEC                                         ; "M:%s|"
.text:00A5BEF0 off_A5BEF0      DCD aS_2 - 0x11A6278    ; DATA XREF: sub_A5B65C:loc_A5BA58?r
.text:00A5BEF0                                         ; "[%s] "
.text:00A5BEF4 off_A5BEF4      DCD aErrorHappenFil+0x2C - 0x11A6278
.text:00A5BEF4                                         ; DATA XREF: sub_A5B65C+444?r
.text:00A5BEF4                                         ; sub_A5B65C+474?r
.text:00A5BEF4                                         ; ""
.text:00A5BEF8 off_A5BEF8      DCD aVS - 0x11A6278     ; DATA XREF: sub_A5B65C+458?r
.text:00A5BEF8                                         ; "V:%s|"
.text:00A5BEFC off_A5BEFC      DCD aVerS - 0x11A6278   ; DATA XREF: sub_A5B65C+488?r
.text:00A5BEFC                                         ; "[ver:%s] "
.text:00A5BF00 off_A5BF00      DCD off_119C700 - 0x11A6278
.text:00A5BF00                                         ; DATA XREF: sub_A5B65C+4D0?r
.text:00A5BF04 off_A5BF04      DCD aLS - 0x11A6278     ; DATA XREF: sub_A5B65C+4E0?r
.text:00A5BF04                                         ; "L:%s|"
.text:00A5BF08 off_A5BF08      DCD aCupgraderUpgra_14+0x28 - 0x11A6278
.text:00A5BF08                                         ; DATA XREF: sub_A5B65C+500?r
.text:00A5BF08                                         ; "%s"
.text:00A5BF0C off_A5BF0C      DCD aFS_0 - 0x11A6278   ; DATA XREF: sub_A5B65C+55C?r
.text:00A5BF0C                                         ; "F:%s|"
.text:00A5BF10 off_A5BF10      DCD aMconfigwlanIsS+0x10 - 0x11A6278
.text:00A5BF10                                         ; DATA XREF: sub_A5B65C:loc_A5BBD4?r
.text:00A5BF10                                         ; sub_A5B65C:loc_A5BC34?r
.text:00A5BF10                                         ; "%s "
.text:00A5BF14 off_A5BF14      DCD aFS - 0x11A6278     ; DATA XREF: sub_A5B65C+5C8?r
.text:00A5BF14                                         ; "f:%s|"
.text:00A5BF18 off_A5BF18      DCD aLD - 0x11A6278     ; DATA XREF: sub_A5B65C+634?r
.text:00A5BF18                                         ; "l:%d|"
.text:00A5BF1C off_A5BF1C      DCD aTidD+4 - 0x11A6278 ; DATA XREF: sub_A5B65C:loc_A5BCAC?r
.text:00A5BF1C                                         ; "%d "
.text:00A5BF20 off_A5BF20      DCD aTD - 0x11A6278     ; DATA XREF: sub_A5B65C+6A8?r
.text:00A5BF20                                         ; "t:%d|"
.text:00A5BF24 off_A5BF24      DCD aTidD - 0x11A6278   ; DATA XREF: sub_A5B65C+6C4?r
.text:00A5BF24                                         ; "tid:%d "
.text:00A5BF28 off_A5BF28      DCD aRealm_4+4 - 0x11A6278
.text:00A5BF28                                         ; DATA XREF: sub_A5B65C+6F8?r
.text:00A5BF28 ; } // starts at A5B65C                 ; "m:"
.text:00A5BF2C
.text:00A5BF2C ; =============== S U B R O U T I N E =======================================
 
  • Like
Reactions: VorlonFrog
today, for my camera i discovered by using google chrome and easy viewer the export function delivers me again an ASCII file which can be manipulated for bulk transfers.
strange enough, the user accounts is not written in it, what a shame.
 
Unfortunately no. For deeper analysis we need to run that firmware in an emulator (qemu).
So far I did not find time to start that task.
 
Due the fact, there is a script available that allows reading and even modifying the internal config of dahua devices (Dahua-DHIP-JSON-Debug-Console) this issue seems to be obsolete now.

Try to modify PTZ speed level ratios via this method :) Good luck...
 
Unfortunately that method does not work for my EZ-IP camera, it display empty config ?!
[+] [System]
Vendor: EZIP, Build: 2018-09-18 21:57:52, Version: 2.622.0000000.4.R
Web: 3.2.1.16089, OEM: 0000000, Package: EZIP_IPC-XXBXX-Leto_EngSpnPrt_P

[*] [Dahua JSON Debug Console 2019,2020 bashis <mcw noemail eu>]
[+] Opening connection to 192.168.22.155 on port 80: Done
[+] Dahua JSON Console: Dump config
[+] Login: Success
[+] Started keepAlive thread
[*] Remote device: IPC-D2B20-ZS
{
"params": {}
}
[*] All done