Developing xm530ai board cams, you wanna help me?

moykky

n3wb
Joined
Sep 8, 2020
Messages
12
Reaction score
4
Location
Finland
Hi all.

What I got was piece of shit software and it became 2 bricked cameras.
I've now decided to do something about it and I was able to make a firmware with SDK and cross compile busybox with more applets.

I got cam boot up with my kernel and rootfs, etc.


Someone interested to take part in it?
Adding rtsp/onvif/etc..

I will put more on github when I'll have the time.

moykky/xm530ai_ipcam
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
What I got was piece of shit software and it became 2 bricked cameras.
Not quite the same board - but this may be something to play with :
Code:
Added the extapp.sh to the custom-x.cramfs.img and applying it to the flash memory.
The offsets worked out from the bootargs parameters in the absence yet of any kernel logs.

Fingers crossed it enables a serial console, and telnet.
It does, both.
But the getty gets killed, presumably, as no response after a short while after the initial prompts.
But the telnet access goes straight to a root shell, no login.
Google suggests that the hash is xmhdipc
And using 'login' at the telnet prompt confirms this.



extapp.sh holds this :
-----------------------------------------------------
#! /bin/sh
# An extra startup script to gain access to the internals of this DVR
# Need the delay to avoid dvrhelper killing telnetd when launching sofia
/sbin/getty -L ttyS000 115200 vt100 -l /bin/sh -I "Auto login as root ..." &
sleep 5
/bin/busybox telnetd -l /bin/sh &
exit 0
-----------------------------------------------------


-----------------------------------------------------

U-Boot>
U-Boot>
U-Boot>
U-Boot>
U-Boot>
U-Boot> sf probe
U-Boot> sf probe 0
U-Boot> printenv
appCloudExAbility=0v4Vrsys2co=
baudrate=115200
bootargs=mem=35M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs mtdparts=xm_sfc:256K(boot),1536K(kernel),1280K(romfs),4544K(user),256K(custom),320K(mtd)
bootcmd=sf probe 0;sf read 80007fc0 40000 180000;bootm 80007fc0
bootdelay=1
cramfsaddr=0x60040000
da=mw.b 0x81000000 ff 800000;tftp 0x81000000 u-boot.bin.img;sf probe 0;flwrite
dc=mw.b 0x81000000 ff 800000;tftp 0x81000000 custom-x.cramfs.img;sf probe 0;flwrite
dd=mw.b 0x81000000 ff 800000;tftp 0x81000000 mtd-x.jffs2.img;sf probe 0;flwrite
dr=mw.b 0x81000000 ff 800000;tftp 0x81000000 romfs-x.cramfs.img;sf probe 0;flwrite
du=mw.b 0x81000000 ff 800000;tftp 0x81000000 user-x.cramfs.img;sf probe 0;flwrite
dw=mw.b 0x81000000 ff 800000;tftp 0x81000000 web-x.cramfs.img;sf probe 0;flwrite
ethact=dwmac.10010000
ethaddr=00:12:31:29:4f:97
fileaddr=81000000
filesize=20000
ipaddr=192.168.1.10
netmask=255.255.255.0
ptzsupport=0
serverip=192.168.1.99
stderr=serial
stdin=serial
stdout=serial
tk=mw.b 0x81000000 ff 800000;tftp 0x81000000 uImage; bootm 0x81000000
ua=mw.b 0x81000000 ff 800000;tftp 0x81000000 upall_verify.img;sf probe 0;flwrite
up=mw.b 0x81000000 ff 800000;tftp 0x81000000 update.img;sf probe 0;flwrite
verify=n

Environment size: 1290/65532 bytes
U-Boot> sf probe 0
U-Boot> sf read 0x81000000 0x770000 0x40000
SF: 262144 bytes @ 0x770000 Read: OK
U-Boot>
U-Boot>
U-Boot>
U-Boot>
U-Boot>
U-Boot> md 0x81000000 0x40
81000000: 28cd3d45 0002c000 00000003 00000000    E=.(............
81000010: 706d6f43 73736572 52206465 53464d4f    Compressed ROMFS
81000020: a0abfa1b 00000000 00000061 0000002e    ........a.......
81000030: 706d6f43 73736572 00006465 00000000    Compressed......
81000040: 027a41fd 7a000070 000004c0 027a41ed    .Az.p..z.....Az.
81000050: 7a0000b8 00000bc3 74737543 6f436d6f    ...z....CustomCo
81000060: 6769666e 027a41ed 7a000014 00001741    nfig.Az....zA...
81000070: 00746f44 027a81ed 7a000175 00009ac3    Dot...z.u..z....
81000080: 6d726946 65726177 6f666e49 027a81b4    FirmwareInfo..z.
81000090: 7a000215 0000a985 646f7250 44746375    ...z....ProductD
810000a0: 6e696665 6f697469 0000006e 027a41fd    efinition....Az.
810000b0: 7a000028 00001881 61746164 027a81ed    (..z....data..z.
810000c0: 7a001001 000042c3 6e455641 75632e63    ...z.B..AVEnc.cu
810000d0: 6d6f7473 027a81ed 7a000080 00006203    stom..z....z.b..
810000e0: 69766544 6a2e6563 006e6f73 027a81ed    Device.json...z.
810000f0: 7a000271 00006943 6f636e45 6a2e6564    q..zCi..Encode.j
U-Boot> sf probe 0
U-Boot> tftp 0x81000000 custom-x.cramfs_mod.img
Speed: 100, full duplex
Using dwmac.10010000 device
TFTP from server 192.168.1.99; our IP address is 192.168.1.10
Filename 'custom-x.cramfs_mod.img'.
Load address: 0x81000000
Loading: ##################################################
2.4 MiB/s
done
Bytes transferred = 180224 (2c000 hex)
U-Boot> sf update 0x81000000 0x770000 0x40000
FLASH_ERASE-------[100%]
FLASH_WRITE-------[100%]
FLASH_ERASE-------[100%]LASH_ERASE-------[6%]
FLASH_WRITE-------[100%]
FLASH_ERASE-------[100%]LASH_ERASE-------[6%]
FLASH_WRITE-------[100%]
196608 bytes written, 65536 bytes skipped in 3.958s, speed 67786 B/s
U-Boot>
U-Boot> reset
resetting ...


U-Boot 2014.04 (Mar 15 2019 - 11:11:02)

CPU: XM530
DRAM:  64 MiB
MMC:   arasan: 0
In:    serial
Out:   serial
Err:   serial
Net:   dwmac.10010000
Press Ctrl+C to stop autoboot
SF: 1572864 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80007fc0 ...
   Image Name:   Linux-3.10.103+
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1450240 Bytes = 1.4 MiB
   Load Address: 80008000
   Entry Point:  80008000
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
ŠAuto login as root ...
(none) login:
Logi
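Reading the `md` dump above by hand is error-prone because each 32-bit word is printed byte-reversed. The following is an added example, not part of the original post, with hypothetical function names: it rebuilds the bytes from the quoted rows and decodes the cramfs superblock, taking the 0x40000 length from the `sf read` command as the partition size.

```python
import re
import struct

# Constructed input: the first four rows of the `md 0x81000000 0x40` output
# quoted in the post above, copied as printed.
MD_OUTPUT = """\
81000000: 28cd3d45 0002c000 00000003 00000000    E=.(............
81000010: 706d6f43 73736572 52206465 53464d4f    Compressed ROMFS
81000020: a0abfa1b 00000000 00000061 0000002e    ........a.......
81000030: 706d6f43 73736572 00006465 00000000    Compressed......
"""

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
# magic, size, flags, future, signature, fsid{crc, edition, blocks, files}, name
SUPERBLOCK = struct.Struct("<4I16s4I16s")
FLAG_FSID_VERSION_2 = 0x1
FLAG_SORTED_DIRS = 0x2
# An address, a colon, then up to four 8-digit hex words; the ASCII column is ignored.
ROW = re.compile(r"^[0-9a-fA-F]{8}:((?: [0-9a-fA-F]{8}){1,4})")


def md_to_bytes(text):
    """Rebuild memory contents from U-Boot `md` output (32-bit words).

    `md` prints each word as a number, so on a little-endian CPU the bytes of
    every word are shown reversed; packing each word as "<I" restores them.
    """
    raw = bytearray()
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            for word in match.group(1).split():
                raw += struct.pack("<I", int(word, 16))
    return bytes(raw)


def parse_cramfs_super(raw, partition_size):
    """Decode the cramfs superblock and check the image fits the partition."""
    if len(raw) < SUPERBLOCK.size:
        raise ValueError("need at least 64 bytes")
    (magic, size, flags, _future, sig,
     crc, edition, blocks, files, name) = SUPERBLOCK.unpack_from(raw)
    if magic != CRAMFS_MAGIC or sig != CRAMFS_SIGNATURE:
        raise ValueError("not a little-endian cramfs image")
    if size > partition_size:
        raise ValueError(f"image {size:#x} exceeds partition {partition_size:#x}")
    return {
        "size": size,
        "version_2": bool(flags & FLAG_FSID_VERSION_2),
        "sorted_dirs": bool(flags & FLAG_SORTED_DIRS),
        "crc": crc, "edition": edition, "blocks": blocks, "files": files,
        "name": name.rstrip(b"\0").decode("ascii"),
        "unused": partition_size - size,
    }


if __name__ == "__main__":
    # 0x40000 is the length passed to `sf read` in the same session.
    print(parse_cramfs_super(md_to_bytes(MD_OUTPUT), 0x40000))
```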
 


moykky

Thank you, I'll look into that. What board you have?

Setting u boot env:
setenv xmuart 0
gave me serial login with root:xmhdipc
 

alastairstevenson

What board you have?
This is the board, I think it's a little older than the one you are using :
Code:
PRODUCT_NAME=XM530_80X20_DSSIA_PED_NetIPONVIFHIK_General_General_SQUASHFS_V1.000.00.0.R
CHIP_ID=XM530
DEVICE_ID=80X20
EXTENFUNC_PRE=DSS,IA_PED
NET_PROTOCOL=NetIP,ONVIF,HIK
VSP=General
ISP=General
CompMode=SQUASHFS
NET_UPGRADE_FILE=General_IPC_XM530_80X20.Nat.dss.OnvifS.HIK_V5.00.R02.20190327_all.bin
BURN_FILE=upall_General_IPC_XM530_80X20.Nat.dss.OnvifS.HIK.20190327.bin
Attached is the firmware currently loaded.
And a split script :
Code:
#!/bin/sh
# A simple shell script to extract the image files from the u-boot files as distributed within
# the General_IPC_XM530_80X20.Nat.dss.OnvifS.HIK_V5.00.R02.20190327_all.bin xiongmaitech firmware.
# Create the output directory and the ~/tmp mount point used below.
mkdir -p extracted ~/tmp
dumpimage -i custom-x.cramfs.img extracted/custom-x.cramfs
[ ! -d extracted/custom-x_contents ] && mkdir extracted/custom-x_contents
sudo mount -t cramfs extracted/custom-x.cramfs ~/tmp
cp -r ~/tmp/* extracted/custom-x_contents
sudo umount ~/tmp
#
dumpimage -i romfs-x.cramfs.img extracted/romfs-x.cramfs
[ ! -d extracted/romfs-x_contents ] && mkdir extracted/romfs-x_contents
sudo mount -t cramfs extracted/romfs-x.cramfs ~/tmp
cp -r ~/tmp/* extracted/romfs-x_contents
sudo umount ~/tmp
#
dumpimage -i u-boot.bin.img extracted/u-boot.bin
dumpimage -i u-boot.env.img extracted/u-boot.env
strings -8 extracted/u-boot.env > extracted/strings_u-boot.env.txt
#
dumpimage -i user-x.cramfs.img extracted/user-x.cramfs
unsquashfs -d extracted/user-x_contents extracted/user-x.cramfs
#
dumpimage -i uImage.img extracted/zImage
#
 


moykky

Any suggestions what should be used for RTSP?
Definitely would not like to use Sofia.
 

moykky

Code:
bootargs=mem=35M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs mtdparts=xm_sfc:256K(boot),1536K(kernel),1280K(romfs),4544K(user),256K(custom),320K(mtd)
Code:
bootargs=mem=38M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs mtdparts=xm_sfc:256K(boot),1536K(kernel),2560K(romfs),2816K(user),1024K(mtd)
I have a bit different bootargs with the image built with the SDK.

Also with xmuart=0 I got serial console working.
 

moykky

Well this project has not been going too well lately.

I bought 3 new cam modules from aliexpress, xm550ai with sd card, wifi and ethernet.
There was no telnet open so I tried this PoC and I was able to enable backport on a camera module.
I got mtdblocks dumped on a sd card.

Now when trying to extract firmware dumps with firmware-mod-kit I get:
Code:
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Scanning firmware...

Scan Time:     2020-11-24 20:53:50
Target File:   /nas4free/6TB/IPCam/Uudet_xm550_wifi/dump/mtdblock2.img
MD5 Checksum:  7ab826672e930f11174b1d39553ef826
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             CramFS filesystem, little endian, size: 1060864 version 2 sorted_dirs CRC 0xB6842E7F, edition 0, 555 blocks, 159 files

Extracting 0 bytes of cramfs header image at offset 0
ERROR: No supported file system found! Aborting...
I can put dumps out there if someone would like to take a look on them?
 

alastairstevenson

Now when trying to extract firmware dumps with firmware-mod-kit I get:
So much easier to use the native commands as opposed to the 'canned' firmware-mod-kit.

Example :
Code:
alastair@PC-I5 ~/cctv/other/xm550ai $ ll
total 29712
drwxrwxr-x  2 alastair alastair     4096 Nov 27 15:39 ./
drwxr-xr-x 51 alastair alastair     4096 Nov 27 15:28 ../
-rw-rw-r--  1 alastair alastair 13374272 Nov 27 15:27 full_dump_xm550ai.zip
-rw-r--r--  1 alastair alastair  8650752 Nov  8 12:30 full.img
-rw-r--r--  1 alastair alastair   262144 Nov  8 12:30 mtdblock0.img
-rw-r--r--  1 alastair alastair  1572864 Nov  8 12:30 mtdblock1.img
-rw-r--r--  1 alastair alastair  1310720 Nov  8 12:30 mtdblock2.img
-rw-r--r--  1 alastair alastair  4653056 Nov  8 12:30 mtdblock3.img
-rw-r--r--  1 alastair alastair   262144 Nov  8 12:30 mtdblock4.img
-rw-r--r--  1 alastair alastair   327680 Nov  8 12:30 mtdblock5.img
alastair@PC-I5 ~/cctv/other/xm550ai $ file *
full_dump_xm550ai.zip: Zip archive data, at least v?[0x314] to extract
full.img:              AmigaOS bitmap font
mtdblock0.img:         AmigaOS bitmap font
mtdblock1.img:         u-boot legacy uImage, Linux-3.10.103+, Linux/ARM, OS Kernel Image (Not compressed), 1465240 bytes, Fri Jul 19 09:47:15 2019, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x8361EFB7, Data CRC: 0x60C9755F
mtdblock2.img:         Linux Compressed ROM File System data, little endian size 1060864 version #2 sorted_dirs CRC 0xb6842e7f, edition 0, 555 blocks, 159 files
mtdblock3.img:         Squashfs filesystem, little endian, version 1024.0, compressed, -1554522524698542080 bytes, 889257984 inodes, blocksize: 256 bytes, created: Tue May 24 11:43:25 2016
mtdblock4.img:         Linux Compressed ROM File System data, little endian size 180224 version #2 sorted_dirs CRC 0xfebe7249, edition 0, 103 blocks, 51 files
mtdblock5.img:         Linux jffs2 filesystem data little endian
alastair@PC-I5 ~/cctv/other/xm550ai $ mkdir tmp
alastair@PC-I5 ~/cctv/other/xm550ai $ sudo mount -t cramfs mtdblock2.img tmp
alastair@PC-I5 ~/cctv/other/xm550ai $ ll tmp
total 6
drwxr-xr-x 1 549 operator 1100 Jan  1  1970 bin/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 boot/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 dev/
drwxr-xr-x 1 549 operator  184 Jan  1  1970 etc/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 home/
drwxr-xr-x 1 549 operator  940 Jan  1  1970 lib/
lrwxrwxrwx 1 549 operator   11 Jan  1  1970 linuxrc -> bin/busybox*
drwxr-xr-x 1 549 operator   68 Jan  1  1970 mnt/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 proc/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 root/
drwxr-xr-x 1 549 operator  516 Jan  1  1970 sbin/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 sys/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 tmp/
drwxr-xr-x 1 549 operator   48 Jan  1  1970 usr/
drwxr-xr-x 1 549 operator    0 Jan  1  1970 var/
alastair@PC-I5 ~/cctv/other/xm550ai $ unsquashfs -d tmp1 mtdblock3.img
Parallel unsquashfs: Using 4 processors
296 inodes (397 blocks) to write

[===================================================================================================================|] 397/397 100%

created 295 files
created 13 directories
created 1 symlinks
created 0 devices
created 0 fifos
alastair@PC-I5 ~/cctv/other/xm550ai $ ll tmp1
total 32
drwxrwxr-x 8 alastair alastair 4096 Jul 29  2019 ./
drwxrwxr-x 4 alastair alastair 4096 Nov 27 15:39 ../
drwxrwxr-x 3 alastair alastair 4096 Jul 29  2019 bin/
drwxrwxr-x 2 alastair alastair 4096 Jul 29  2019 etc/
drwxrwxr-x 3 alastair alastair 4096 Jul 29  2019 lib/
drwxrwxr-x 2 alastair alastair 4096 Jul 29  2019 sbin/
drwxrwxr-x 4 alastair alastair 4096 Jul 29  2019 share/
drwxrwxr-x 2 alastair alastair 4096 Jul 29  2019 web/
alastair@PC-I5 ~/cctv/other/xm550ai $
 

moykky

moykky
You can read and participate in the activities of our team if you wish
some details of our work
Thank you, I've looked into your team's work and I support your work at opencollective.
You have made awesome work!

Thank you!
I've now managed to extract and delete everything that's not needed (dvrHelper & upgrader) from the dump files and repacked the files.
Also I've compiled new busybox with more applets and replaced original one with mine.

Now next thing is how can I flash images back to cam? I have tftp server working but in u-boot write address is always wrong when I try to flash?
Regardless of images flash order.
Code:
da=mw.b 0x81000000 ff 800000;tftp 0x81000000 u-boot.bin.img;sf probe 0;flwrite
dc=mw.b 0x81000000 ff 800000;tftp 0x81000000 custom-x.cramfs.img;sf probe 0;flwrite
dd=mw.b 0x81000000 ff 800000;tftp 0x81000000 mtd-x.jffs2.img;sf probe 0;flwrite
dr=mw.b 0x81000000 ff 800000;tftp 0x81000000 romfs-x.cramfs.img;sf probe 0;flwrite
du=mw.b 0x81000000 ff 800000;tftp 0x81000000 user-x.cramfs.img;sf probe 0;flwrite
dw=mw.b 0x81000000 ff 800000;tftp 0x81000000 web-x.cramfs.img;sf probe 0;flwrite
 

alastairstevenson

Now next thing is how can I flash images back to cam? I have tftp server working but in u-boot write address is always wrong when I try to flash?
Regardless of images flash order.
If that flwrite command works in the same way as the Dahua flwrite bootloader command, it takes the flash offset value for writing from the 'Load address' value of the uImage header.
So you need to construct the uImage header to specify where in the flash you want flwrite to write the data.

As an example :
This is what an original Dahua user-x.squashfs.img uImage header looks like.
Code:
dumpimage -l user-x.squashfs.img
Image Name:   user
Created:      Wed Aug  7 03:47:22 2019
Image Type:   ARM Linux Standalone Program (uncompressed)
Data Size:    15362232 Bytes = 15002.18 KiB = 14.65 MiB
Load Address: 000f0000
Entry Point:  01000000
And this is how you'd change the extracted files, create a new squashfs image, and package it as a uImage for flwrite to handle :
Code:
Creation commands :
mksquashfs squashfs-root/* modded -comp xz

mkimage -T standalone -C none -O linux -A arm -a 0xf0000 -e 0x1000000 -n user -d modded modded.img

dumpimage -l modded.img
Image Name:   user
Created:      Fri Nov 27 15:05:12 2020
Image Type:   ARM Linux Standalone Program (uncompressed)
Data Size:    15355904 Bytes = 14996.00 KiB = 14.64 MiB
Load Address: 000f0000
Entry Point:  01000000
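The two steps discussed in this thread, working out flash offsets from the `mtdparts` bootargs and putting the target offset in the uImage 'Load address' for `flwrite`, combined into a pre-flash check. This is an added example, not part of the original posts; it assumes `flwrite` takes the flash offset from the load address as the reply suggests, and the function names are hypothetical.

```python
import re
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HDR = struct.Struct(">7I4B32s")   # legacy uImage header: 64 bytes, big-endian
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20}

# bootargs value copied from the printenv output earlier in the thread
BOOTARGS = ("mem=35M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs "
            "mtdparts=xm_sfc:256K(boot),1536K(kernel),1280K(romfs),4544K(user),"
            "256K(custom),320K(mtd)")


def parse_mtdparts(bootargs):
    """Return [(name, offset, size)]; only plain `size(name)` entries are handled."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    table, offset = [], 0
    for part in m.group(1).split(","):
        pm = re.fullmatch(r"(\d+)([KkMm]?)\((\w+)\)", part)
        if not pm:
            raise ValueError(f"unsupported partition spec: {part!r}")
        size = int(pm.group(1)) * UNITS[pm.group(2).upper()]
        table.append((pm.group(3), offset, size))
        offset += size            # partitions are laid out back to back
    return table


def build_uimage(data, load, entry, name):
    """Constructed test input, shaped like the output of
    `mkimage -T standalone -C none -O linux -A arm -a load -e entry -n name`
    (timestamp left at 0 so the result is reproducible)."""
    # 5, 2, 1, 0 = OS Linux, arch ARM, type standalone, compression none
    fields = [UIMAGE_MAGIC, 0, 0, len(data), load, entry, zlib.crc32(data),
              5, 2, 1, 0, name.encode()]
    fields[1] = zlib.crc32(HDR.pack(*fields))  # header CRC is computed with its own field zeroed
    return HDR.pack(*fields) + data


def check_flwrite_target(image, table):
    """Return the partition an image would land in, or raise ValueError."""
    if len(image) < HDR.size:
        raise ValueError("shorter than a uImage header")
    magic, hcrc, _time, size, load, _entry, dcrc, *_rest = HDR.unpack_from(image)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy uImage")
    zeroed = image[:4] + b"\0\0\0\0" + image[8:HDR.size]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    data = image[HDR.size:HDR.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("data truncated or data CRC mismatch")
    for name, offset, psize in table:
        if load == offset:
            if size > psize:
                raise ValueError(f"{size:#x} bytes overflow {name} ({psize:#x})")
            return name
    raise ValueError(f"load address {load:#x} is not a partition start")


if __name__ == "__main__":
    table = parse_mtdparts(BOOTARGS)
    for name, offset, size in table:
        print(f"{name:8s} offset={offset:#08x} size={size:#08x}")
    # Constructed payload of 0x2c000 zero bytes aimed at the custom partition.
    img = build_uimage(bytes(0x2C000), 0x770000, 0, "custom")
    print("lands in:", check_flwrite_target(img, table))
```

The computed table agrees with the thread: the kernel starts at 0x40000 as in `bootcmd`, and the custom partition at 0x770000 as in the `sf read` command.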
 

moykky

Thank you!

I was able to flash my modded romfs, user and custom images, now without dvrHelper and upgrader binaries and busybox with extra applets.
Also backdoor was killed and telnetd is enabled with stock root:xmhdipc.

Confirmed to work at this point.
 


moykky

By the way does anyone know how to disable OSD on cameras?
Is this Sofia related feature?
 

ramzes lll

n3wb
Joined
Aug 2, 2022
Messages
8
Reaction score
0
Location
samara
I flashed the camera with a programmer and now I have someone else's MAC address and S/N. How do I write my own MAC address and S/N? (I know them.) Please help.



U-Boot 2014.04 (May 30 2019 - 09:40:06)

CPU: XM530
DRAM: 64 MiB
MMC: arasan: 0
In: serial
Out: serial
Err: serial
Net: dwmac.10010000
Press Ctrl+C to stop autoboot
U-Boot> printenv
appCloudExAbility=04N2Hd82VKM=
appProducerID=A37
baudrate=115200
bootargs=mem=40M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs mtdparts=xm_sfc:256K(boot),1536K(kernel),1280K(romfs),4544K(user),256K(custom),320K(mtd)
bootcmd=sf probe 0;sf read 80007fc0 40000 180000;bootm 80007fc0
bootdelay=1
cramfsaddr=0x60040000
da=mw.b 0x81000000 ff 800000;tftp 0x81000000 u-boot.bin.img;sf probe 0;flwrite
dc=mw.b 0x81000000 ff 800000;tftp 0x81000000 custom-x.cramfs.img;sf probe 0;flwrite
dd=mw.b 0x81000000 ff 800000;tftp 0x81000000 mtd-x.jffs2.img;sf probe 0;flwrite
dr=mw.b 0x81000000 ff 800000;tftp 0x81000000 romfs-x.cramfs.img;sf probe 0;flwrite
du=mw.b 0x81000000 ff 800000;tftp 0x81000000 user-x.cramfs.img;sf probe 0;flwrite
dw=mw.b 0x81000000 ff 800000;tftp 0x81000000 web-x.cramfs.img;sf probe 0;flwrite
ethact=dwmac.10010000
ethaddr=00:12:41:31:15:42
ipaddr=192.168.1.10
netmask=255.255.255.0
serverip=192.168.1.107
stderr=serial
stdin=serial
stdout=serial
tk=mw.b 0x81000000 ff 800000;tftp 0x81000000 uImage; bootm 0x81000000
ua=mw.b 0x81000000 ff 800000;tftp 0x81000000 upall_verify.img;sf probe 0;flwrite
up=mw.b 0x81000000 ff 800000;tftp 0x81000000 update.img;sf probe 0;flwrite
verify=n

Environment size: 1259/65532 bytes
U-Boot>
 