Download Firmware From Camera Filesystem??

yekootmada

n3wb
Joined
May 2, 2018
Messages
2
Reaction score
0
hello board!

I’ll cut to the chase.
Is it possible to access (read and copy) the flash storage on the Hikvision IP Cameras??
When I SSH into my cameras I see it’s running BusyBox but with limited commands available, the mount command for example isn’t supported so I can’t see the directory listings.
Basically I want to download the running firmware from the cams in order to back up and also flash to another camera of the same model.

Any ideas how to access what’s on the camera flash storage itself?

Thanks a lot in advance.


Gul-Dukat

Young grasshopper
Joined
Sep 25, 2017
Messages
41
Reaction score
11
Location
Australia
Proceed with caution.

Depending on the camera model, just having a dump of the raw mtd firmware block isn't enough to flash it to another device, even if identical.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,973
Reaction score
6,798
Location
Scotland
Basically I want to download the running firmware from the cams in order to back up and also flash to another camera of the same model.
What stops you from simply using the stock firmware for the camera? Or is it running hacked firmware?
What model of camera?

Any ideas how to access what’s on the camera flash storage itself?
The first step would be to inhibit or bypass the 'psh' restricted shell that you encountered to gain full access.
This can be done with hacked firmware - or by using the serial console to boot into a debug mode that provides full access.
 

snovotill

n3wb
Joined
May 16, 2015
Messages
24
Reaction score
5
So if I log into my Chinese camera via RS232 console in debug mode, then will I be able to suck the firmware out and then program it into an identical second camera which is currently running an old English hacked firmware? Or would it be easier to desolder the TSOP, read it out and then duplicate it into my second camera, again by desoldering? There are a lot of tiny parts on those PCBs so I'd rather do it by serial console if that makes sense. ???

Also, I noticed that the cameras are now able to upgrade themselves directly from HikVision (!) Here is a packet capture I made via my internet router, of a camera directly checking HikVision for an upgrade and not finding any newer version of firmware:

root@zero:~# tcpdump -C 128 -W 100 -i br-lan -w /mnt/drive/lan -n host 192.168.1.235

22:06:50.928976 IP 192.168.1.235.60091 > 183.136.184.46.6802: Flags [P.], seq 1072:1488, ack 929, win 2644, options [nop,nop,TS val 11624045 ecr 2952705458], length 416
22:06:51.096786 IP 183.136.184.46.6802 > 192.168.1.235.60091: Flags [P.], seq 929:1393, ack 1488, win 1432, options [nop,nop,TS val 2952713601 ecr 11624045], length 464
22:06:51.098756 IP 192.168.1.235.60091 > 183.136.184.46.6802: Flags [.], ack 1393, win 2644, options [nop,nop,TS val 11624062 ecr 2952713601], length 0

IP Address 183.136.184.46.6802 belongs to HikVision but some weird port number and possibly weird protocol. I did upgrade one of my cameras this way.
I have not run the above and its associated payload through WireShark yet. Mostly curious about comments here.

The batch configuration tool has an on-line upgrade feature too and it allows saving the downloaded firmware file locally, but I've never had any success upgrading any of my cameras that way.

Any thoughts?
 
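As an added example (not part of this thread, and not Hikvision's or anyone's tooling), here is a small Python parser for tcpdump text lines like the ones above. It totals packets and bytes per TCP flow and flags connections that a LAN host opens to an outside address on a port outside a short expected set, which is the kind of check a defender would run on a capture from a camera VLAN. The LAN range (192.168.1.0/24), the expected-port set and the two extra capture lines (an HTTPS flow and a local HTTP flow) are assumptions constructed for the example; the first three lines are the capture quoted in the post.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the three lines quoted in the post plus two constructed
# lines (one outbound HTTPS flow, one LAN-internal HTTP flow) so the parser
# has something it should NOT flag.
SAMPLE_CAPTURE = """\
22:06:50.928976 IP 192.168.1.235.60091 > 183.136.184.46.6802: Flags [P.], seq 1072:1488, ack 929, win 2644, options [nop,nop,TS val 11624045 ecr 2952705458], length 416
22:06:51.096786 IP 183.136.184.46.6802 > 192.168.1.235.60091: Flags [P.], seq 929:1393, ack 1488, win 1432, options [nop,nop,TS val 2952713601 ecr 11624045], length 464
22:06:51.098756 IP 192.168.1.235.60091 > 183.136.184.46.6802: Flags [.], ack 1393, win 2644, options [nop,nop,TS val 11624062 ecr 2952713601], length 0
22:07:02.000001 IP 192.168.1.235.43210 > 203.0.113.10.443: Flags [P.], seq 1:200, ack 1, win 2644, options [nop,nop,TS val 11625000 ecr 1], length 199
22:07:02.100002 IP 192.168.1.235.43211 > 192.168.1.1.80: Flags [P.], seq 1:100, ack 1, win 2644, options [nop,nop,TS val 11625010 ecr 1], length 99
"""

# tcpdump's default TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)$"
)

# Assumptions for the example: the camera LAN and the ports a camera is
# expected to talk to on the outside (HTTP, HTTPS, NTP, DNS).
LAN = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_PORTS = {80, 443, 123, 53}


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "length": int(m.group("length")),
    }


def summarize_flows(text):
    """Aggregate packets and payload bytes per (src, sport, dst, dport) flow."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # skip non-TCP or unparseable lines
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += pkt["length"]
    return dict(flows)


def flag_unexpected_egress(text, lan=LAN, expected_ports=EXPECTED_PORTS):
    """Return flows where a LAN host sends to an address outside the LAN on a
    port that is not in the expected set, i.e. egress worth a closer look."""
    flagged = []
    for (src, sport, dst, dport), stats in summarize_flows(text).items():
        src_in_lan = ipaddress.ip_address(src) in lan
        dst_in_lan = ipaddress.ip_address(dst) in lan
        if src_in_lan and not dst_in_lan and dport not in expected_ports:
            flagged.append({"src": src, "dst": dst, "dport": dport,
                            "packets": stats["packets"], "bytes": stats["bytes"]})
    return flagged


if __name__ == "__main__":
    for f in flag_unexpected_egress(SAMPLE_CAPTURE):
        print(f"unexpected egress: {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['packets']} pkts, {f['bytes']} bytes)")
```

Run against a real capture with `tcpdump -n -r file.pcap tcp | python3 this_script.py` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`. On the sample the only flagged flow is the camera talking to 183.136.184.46 on port 6802; the return direction is not flagged because its source is not on the LAN, and the 443 and LAN-internal flows are excluded by the port set and destination check respectively. The point is not that the Hikvision flow is malicious, but that a camera reaching out on a non-standard port is exactly the kind of egress a firewall rule on a camera VLAN should make visible rather than silently allow.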

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,973
Reaction score
6,798
Location
Scotland
So if I log into my Chinese camera via RS232 console in debug mode, then will I be able to suck the firmware out
Very likely, after 'psh' is bypassed.
and then program it into an identical second camera which is currently running an old English hacked firmware?
It depends ...
There are some traps and protection against writing data to what are considered sensitive areas, such as those that define the individual camera parameters.
This seems to vary amongst models.
And not all the sensitive data is held in the flash memory.
 

snovotill

n3wb
Joined
May 16, 2015
Messages
24
Reaction score
5
Well, my R6 cameras are 2CD6414FWD-C1 bodies with interchangeable camera heads, and I just want to upgrade those containing hacked-English 5.4.5 firmware, from another one containing native-Chinese 5.5.0, so I probably don't need to overwrite any "sensitive data" areas since all cameras should be happy to return to Chinese firmware, and so this sounds good:
Very likely, after 'psh' is bypassed.
But then after searching the forums I see this:
it's probably possible to inhibit psh without having to apply hacked firmware, if you're prepared for a short session with the serial console.
Certainly I was able to do that with my 7616NI-K2 which is using yaffs2
There are 2 or 3 tricks needed, which I should not post publicly here as Hikvision have a tendency to block them on the next firmware release.
And so what's a guy to do? Any tips? And hey ... couldn't I just do the whole 9 yards via serial console instead of disabling psh and then using ssh? There seem to be many threads on many related topics here so I suppose I'm just looking for some tips for the best way to get started in the most appropriate way. Thanks

PS, I see this:

3.3V compatible serial TTL to USB converter PL2303HX. 4-pin 1.5mm micro jst zh connector. Logically will be RX to TX, then TX to RX (cross signals). Putty serial connection 115200, 8N1. You should see U-Boot and all the console log messages. Stop the normal boot process via Ctrl-u to get into the rom bootloader.

Should I just do that and then look for a help or some specific menu? If yes then I'll just build a cable and go, go go. Or maybe I need to follow the "build your own FW" guides?
 

snovotill

n3wb
Joined
May 16, 2015
Messages
24
Reaction score
5
And so, I desoldered the TSOP from my Chinese camera and duplicated the firmware to my English hack camera, then soldered both chips back on.
Argh! The Chinese camera still works fine, but the English one did NOT become Chinese, rather it pretended to have firmware 4.03 and I can't get into it nor can I reset it to default using the button. Giving up ... back to TaoBao for some real Chinese cameras. I suppose I might desolder the TSOP again and flash it back to hacked English.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,973
Reaction score
6,798
Location
Scotland
That's not good.
I think you've just confirmed that not all the camera individual parameters are held in flash memory.
 