Dahua Firmware Mod Kit + Modded Dahua Firmware

@cor35vet I noticed today the Themis firmware on my IPC-HDW4421C-A camera does not include any Audio settings. I presume this is simply a configuration option in some file somewhere. Would you happen to know which file or setting this may be? The 4421C hardware definitely includes a built-in microphone. I found a firmware screen from an AliExpress vendor, which is attached. Hopefully, I can tweak something to get the audio working in the firmware. Thanks!!

FYI: There appears to be a much later v600 firmware for Themis dated 2016-12-19 at this link:
ftp://ftp.asm.cz/Dahua/kamerove_systemy/_Firmware/04IPC/IPC-HX4X2X-Themis/General/20161219/General_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin

IPC-HDW4421C Version Info.jpg IPC-HDW4421C Setup Video No Audio.jpg Ali Vendor Image with Audio.jpg
 
The good news is, @cor35vet provided a hacked version of the .600.0005 firmware for me to test today. The better news is, it successfully loaded and rebooted on my 4421C-A camera. :D Not so good is the mic/audio is still missing on the web pages. I'm going to have to take one of these cameras down this weekend and disassemble it, to verify whether or not there is actually a microphone installed. There's SUPPOSED to be one, and the pinhole is there on the camera, but you just never know.

Thanks, @cor35vet !!!
 
Quoting my PM with him:
Okay, here it is: https://i.botox.bz/DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin

However they have added a sign.img to cryptographically sign the releases from now on.
This means that you can't flash modified firmware anymore.
I have replaced the key they use for signing in the firmware with my own: https://p.botox.bz/view/raw/8299e9ed
BUT the check is not being done on port 3800 when using ConfigTool, so that is good.
They have also updated the bootloader, I have excluded that update from the .bin because I am afraid they might have removed the possibility to do recovery via TFTP.

So yeah good luck, I hope it won't kill your camera :V

I also found the signing code in sonia, could sign my own firmware kek.
Just going to disable it on the next version. Fucking Dahua.

Bad news for new cameras though, with the new firmware upgraded is not running by default, only after sonia exits.
So we need to find a way to exit/crash sonia in order to upgrade the firmware on a camera that is running the unmodified new firmware.
They have also updated the bootloader, I did not look into the changes but it could be that they made our life harder there too :/

Edit: I forgot to add that I don't have a Themis camera so I can't play with this too much.
They haven't added this to Eos yet. They did on the latest Chinese 20170313, guess I will look at it!
 
Still pursuing the missing Audio in the web interface, I found the Dahua HTTP API document, and used this URL to get the audio config information:
Code:
http://192.168.1.108:80/cgi-bin/configManager.cgi?action=getConfig&name=Encode

table.Encode[0].ExtraFormat[0].Audio.Bitrate=64
table.Encode[0].ExtraFormat[0].Audio.Compression=G.711A
table.Encode[0].ExtraFormat[0].Audio.Depth=16
table.Encode[0].ExtraFormat[0].Audio.Frequency=44000
table.Encode[0].ExtraFormat[0].Audio.Pack=DHAV
table.Encode[0].ExtraFormat[0].AudioEnable=false
So it appears the audio is simply not enabled. I seriously wish telnet/ssh access were available, so I could do more research on the running camera. Now I'm going to have to bring it inside and connect to the console port to research it. Well, I was planning on bringing it down anyway. Now I have two reasons for doing so.
 
telnet is on port 2300
 
Trying to use putty to open a telnet session on port 2300, the window simply closes. :(
Should be port 23. If the same happens, it must be sonia crashing all the time. What I did: I logged in very fast, typed appauto 0 and hit enter (did it successfully after 30 tries), so the next time it boots, it won't try to start sonia. When you've done what you wanted, don't forget to enter appauto 1
 
Thanks for that pointer. I've run nmap against it, and there's no telnet ports open at any time.
 
I see, my cam had telnet open all the time. Keep in mind it might have a reboot-loop so you'll kind of have to catch it. Otherwise your cam's firmware is not running telnet by default - your next step would be serial connection
 
Definitely. I don't believe it's in a reboot loop, because the video is constant. I'm going to have to take it down eventually, to investigate the lack of audio. At that time, I'll use the serial port to connect and review the kernel messages and device hierarchy. Also, whether or not there's actually a microphone element connected inside the camera. Never can be too certain when buying NOS 2015 cameras from AliExpress.
 
Have you tried this to enable telnet?
Enter to the browser:
Code:
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true
 
I think they might have just killed /bin/login
I made utelnetd open /bin/sh instead, try it out: https://i.botox.bz/DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.INSECURE.bin
Loaded okay using the Dahua Config Tool, the configManager call to enable Telnet returned 'OK', but still unable to connect. Tried ports 23, 2300, and 2323. No successful connections, unfortunately. I'll definitely have to bring the camera indoors and connect to the console/serial port to see what's going on.
 
Looks like most of the issues people are having are when they use the config tool to upload the firmware.

Was going to suggest trying it from the Camera web gui rather than via the config tool next time. :)
 
user-x.squashfs.img\data\ss\pubkey.pem
from INSECURE firmware
Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6AGTKWZz7rAiqivyooKhhdM3w
NhaXry/BzEbzYGe8DQqTI5FZfRjpMQpS9R/lx48ArQXVAcSrODZdjWwM94k3ee8t
KNtQLcupRQMIafKX83Rdo6wOF+KujCA/W93u5QnaE8sxH85cWAgXxR0klxh2hT2V
1NnHsNwZVDd+q+XeXwIDAQAB
-----END PUBLIC KEY-----
from original DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin
Size: 13422612
SHA1: C1ABE2C27BA8241DF66812D4115481F63538DEE5
SHA256: A14D1C20A6F167C1040725D9341251C3189E0F8F703191267F752D1F07586AE6

Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC4Y0NDlaRdkzAiiV9xASAS03O
jQ5NZeUGUPaywFOwyzEmONUiv6kqSacdnwMlQdcjrTBoXGyBVnv20WySOUIyvXA2
wynVvW2xbPVB/WhA+bQYNiZH8JvfPEG0fHFtHOPxFqI8i/uu56Oa8Rcj8lLgBOvL
UmrtpAJSWzH8xNHUQwIDAQAB
-----END PUBLIC KEY-----

Comments pls?
 

Quoting my PM with him:


I also found the signing code in sonia, could sign my own firmware kek.
Just going to disable it on the next version. Fucking Dahua.

Bad news for new cameras though, with the new firmware upgraded is not running by default, only after sonia exits.
So we need to find a way to exit/crash sonia in order to upgrade the firmware on a camera that is running the unmodified new firmware.
They have also updated the bootloader, I did not look into the changes but it could be that they made our life harder there too :/

Edit: I forgot to add that I don't have a Themis camera so I can't play with this too much.
They haven't added this to Eos yet. They did on the latest Chinese 20170313, guess I will look at it!
 
Cor35vet!
Thanks.
I was inattentive and missed that message of yours.
When the equipment falls into your hands, you usually find ways to deal with it ;)
The main thing is not to hang your hands!

if the dahua fantasy ends in pdc, then ... ;)
 
Maybe I'm being stupid - but what's the deal about finding a 'Public key' ?
It's intended to be public after all.
Now, if it was a 'Private key' that would be different.
The public key is used to verify the digital signature in the sign.img file. The proper signature can only be created with the corresponding private key. I swapped out Dahua's public key with my own so we can sign our own images in case upgraded and tftp method fail in that guy's camera.

He was worried why I've changed the key, it could mean ill intent without knowing what it is used for.
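
Added example, not part of the original thread and not code from any poster or from Dahua: a way to check whether the pubkey.pem extracted from a firmware image is still the key found in the original .bin, by fingerprinting the DER bytes and reading the RSA parameters. The two PEM blocks are the ones posted above; the function names `describe_key` and `matches_pin` are made up for this sketch.

```python
import base64
import hashlib

# Keys copied from the thread: original .bin vs. the INSECURE build.
ORIGINAL_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC4Y0NDlaRdkzAiiV9xASAS03O
jQ5NZeUGUPaywFOwyzEmONUiv6kqSacdnwMlQdcjrTBoXGyBVnv20WySOUIyvXA2
wynVvW2xbPVB/WhA+bQYNiZH8JvfPEG0fHFtHOPxFqI8i/uu56Oa8Rcj8lLgBOvL
UmrtpAJSWzH8xNHUQwIDAQAB
-----END PUBLIC KEY-----"""
INSECURE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6AGTKWZz7rAiqivyooKhhdM3w
NhaXry/BzEbzYGe8DQqTI5FZfRjpMQpS9R/lx48ArQXVAcSrODZdjWwM94k3ee8t
KNtQLcupRQMIafKX83Rdo6wOF+KujCA/W93u5QnaE8sxH85cWAgXxR0klxh2hT2V
1NnHsNwZVDd+q+XeXwIDAQAB
-----END PUBLIC KEY-----"""

def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    body = [l.strip() for l in pem.strip().splitlines() if "-----" not in l]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def describe_key(pem):
    """SHA-256 of the SubjectPublicKeyInfo plus RSA modulus size and exponent."""
    der = pem_to_der(pem)
    _, spki, _ = read_tlv(der, 0)        # outer SEQUENCE
    _, _, pos = read_tlv(spki, 0)        # AlgorithmIdentifier, skipped
    tag, bits, _ = read_tlv(spki, pos)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa, _ = read_tlv(bits[1:], 0)    # RSAPublicKey SEQUENCE
    _, n, pos = read_tlv(rsa, 0)         # modulus
    _, e, _ = read_tlv(rsa, pos)         # public exponent
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "bits": int.from_bytes(n, "big").bit_length(),
            "e": int.from_bytes(e, "big")}

def matches_pin(candidate_pem, pinned_pem):
    """True only if both PEMs encode byte-identical key material."""
    return describe_key(candidate_pem)["sha256"] == describe_key(pinned_pem)["sha256"]

if __name__ == "__main__":
    print(describe_key(ORIGINAL_PEM), matches_pin(INSECURE_PEM, ORIGINAL_PEM))
```

Comparing at the DER level means line endings or whitespace in the extracted file do not cause a false mismatch. Both keys are 1024-bit RSA with exponent 65537.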