EZViz Camera: CS-CV110-A1, photos, passwords...

I recently bought a couple of sets of these Ezviz cameras and NVRs, hoping to use the cameras on other existing IP cam systems. Now I realize that they are not the typical ONVIF IP cameras. Does anyone know the login details like IP address, ports, user name, password, etc.? Thanks
 
Wait, where's that firmware from? The one on the web I saw was for the NVR (referencing the 3535). Did you find something else???

And yeah, the cramfs is right there in front of me- but again the one I grabbed off of hikvision's site appears to be for the NVR. Or is that really for the camera and I'm just slow again?

I only unpacked the link you posted, never looked to see what it was for or what it did. (Just noticed you put it was for the NVR... my bad lol)
 
There are other firmwares on these cams, as the NVRs say they have been tested on lower camera firmware versions.

You could contact Ezviz and ask them for a copy of your current firmware, stating you are on an older version than you actually are.

Below was in one of the docs for the NVR; I would assume a similar cam.


CS-CV110 (A1-54R) (4mm) (overseas neutral) single camera
Version: V5.4.1 build 160906
 
That's OK- I want to upgrade the NVR too. Since they were selling the package for 700$ (discounted to 200$) I didn't imagine it was that 'dumb' of a system- and sheesh, did they.

Does it look like any of the other cam chip series?
 
I have only played with the Hik G0 and G1's. The u-boot method looks similar to the G1. I assume your cam has a minisystem on the "rcvy" partition. If Hik has stuck to the same method then there are a lot less checks/verification done on the mImage compared to the digicap.dav. The minisys on a G1 will also easily take a modified hImage.

Pulling that NAND and copying it would allow you to take a copy of the mImage (if that is the boot method on this cam). Modify the mImage and you have an unprotected cam. (I have avoided desoldering or using chip clips.)

You could really do with a digicap.dav or a mImage from any source for the cam. The uboot commands are naf. You may be able to create standalone binaries if you had the SDK for loading from uboot.

I can't really help you any more than this unless you get a breakthrough. I am currently working on hImages and mImages on the G1 cams; it may help you if the cams are similar.
 
edit: Well DUH. It says... u-boot_g1.bin . If I could only figure out what type of camera it is...
I should go to bed I'm so friggin slow. Got a cheap g1 uboot for a bum?

You're being an incredible help just as it is. When you can only focus 30 minute snippets on things to get it working, it's hard to deep dive. But the suggestions you have are very worthwhile and, having learned your way up, you've got a feel for what can and can't be done.

There is a minisystem indeed- I just booted into it. It's triggered when updatebusb, and:

Code:
HKVS # help upfusb
Help for 'upfusb':
update firmware, format and update from usbnet (factory use)
HKVS # help updateb
Help for 'updateb':
update u-boot to nand flash
HKVS # help gos
Help for 'gos':
HKVS # help updateub
HKVS # help updatebusb
Help for 'updatebusb':
update u-boot in mini_system from usbnet
HKVS # updatebusb
Starting udev:      [ OK ]
create static device nodes under /dev dir
modprobe: chdir(): No such file or directory
iptables v1.4.18: can't initialize iptables table `filter': Table does not exist                               (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
>>>run pre_app_hook
find net_node, loop : 1
[ INFO][MIN]TFTP: TFTP from server 192.168.2.102
[ INFO][MIN]TFTP: Filename: u-boot_g1.bin
tftp: server error: (1) File not found
[ INFO][MIN]TFTP: Download File [FAIL] error: tftp.
!!!!! UPDATE FAIL !!!!!

BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.

# help

The other one that piqued my interest was

Code:
HKVS # help upbs
Help for 'upbs':
load binary file(u-boot_g1.bin) over serial line (xmodem mode) and update
HKVS # help upfusb
Help for 'upfusb':
update firmware, format and update from usbnet (factory use)

Do you know if an image is sent down over xmodem or tftp, does it specifically have to be saved? Or can it just be executed from that (assuming it loads to the correct point).

I should probably screw around with another camera first, but since this is in pieces on my desk...

See, I wouldn't mind throwing u-boot images at it if I knew they weren't written to flash. The command to write to flash is separate so I'm not sure if that's the case or not.
 
Apparently "Help" doesn't get you what you need...

Code:
# setV6ip
Commands Usage

help      :  Printf the command usage list
getIp     :  Get the device's IP address
setIp     :  Set the device's IP address.
             Usage: setIp [IP ADDRESS]:[SUBNET MASK]
               e.g. setIp 192.168.1.10:255.255.255.0
setPort   :  Set the device's command PORT
             Usage: setPort [PORT NUMBER]
               e.g. setPort 8000
setGateway:  Set the device's gateway
             Usage: setGateway [GATEWAY ADDRESS]
               e.g. setGateway 192.168.1.1
setPacketType: Set the stream packet type
             Usage: setPacketType [PACKET TYPE]
               e.g.  setPacketType ps;  setPacketType rtp
getRtpLen :  Get the main stream rtp packet length.
setRtpLen :  Set the main stream rtp packet length.
             Usage: setRtpLen [packet len].
               e.g. setRtpLen 1000.
setDebug : Set debug parm.
              e.g. setDebug -l 2 -m rtsp -d 111
                   setDebug -h
getDebug : Get debug parm.
              e.g. getDebug
                   getDebug -h
debugLog : Print all debuginfo before.
              e.g. debugLog
                   debugLog -h
setV6ip  : Set the device's IP address
             Usage: setIp [IP ADDRESS]/[SUBNET LEN]
               e.g. setIp 2000:1:2:3:4:5:6:7/64
setFanMode : Set Fan Mode.value(0-2)
             Usage: setFanMode [mode]
               e.g. setFanMode 1
getFanMode : Get Fan Mode.
setTempCtrlMode : Set Heat Mode.value(0-2)
             Usage: setTempCtrlMode [mode]
               e.g. setTempCtrlMode 1
getTempCtrlMode : Get Heat Mode.
getAgingMode :  Get the aging mode.
setAgingMode :  Set the aging mode.
                Usage: setAgingMode [aging mode].
                e.g. setAgingMode 1.
getAgingTime :  Get the aging time.
setAgingTime :  Set the aging time.
                Usage: setAgingTime [aging time].
                e.g. setAgingTime 60.
setRectFrame: Set the autotrack rectangle frame.
              Usage: setRectFrame [ENABLE].
              e.g.   setRectFrame 1.
setIrcmd  : Set the IR PWM value(0-100)
             Usage: setIrcmd [near] [mid] [far]
               e.g. setIrcmd 100 100 100
setYTLock  : set the yt current lock mode
      Usage: setYTLock 1
getIrstate  : Get the IR PWM value(0-100)
getMcuInfo  : Get the information of Mcu
setFtpService :  Set ftp service state.(start/stop).
setItsMode  : Restart ITS lib after changing scene.              Usage: setItsMode [ENABLE](0/1).
InquireFanSwitch:       send Laser Cmd.
                e.g.   InquireFanSwitch .
StartLaser:     Start Laser.
CloseLaser:     Close Laser.
LaserMotReset:  Reset Motor of Laser.
EnlargeCur:     Enlarge electric current of Laser.
ReduceCur:      Reduce electric current of Laser.
SetCur:             Set electric current of Laser.(0~255)
                e.g.   SetCur 150.
LaserMotDirect: Set Motor Direct of Laser.(1~36)
                e.g.   LaserMotDirect 36.
LaserTeleOffset:Tele Offset.(0~255)
                e.g.   LaserTeleOffset 150.
setLaserMode:setLaserMode (0-auto,1-mannual.
                e.g.   setLaserMode 1.
getLaserMode:Laser control mode is 0 (0-auto, 1-mannual)
                e.g.   getLaserMode.
LaserWideOffset:Wide Offset.(0~255)
                e.g.   LaserWideOffset 150.
InqSwitch:  Inquiry Switch of Laser.
InqCurrent: Inquiry Current of Laser.
InqCurMotDirect: Inquiry Current Motor Direct of Laser.
setIrMode:setIrMode (0-auto,1-mannual.
                e.g.   setIrMode 1.
getIrMode:Ir control mode is 0 (0-auto, 1-mannual)
                e.g.   getIrMode.
setBeltHeat :  Set Belt Heat Mode.value(0-2)
getBeltHeat : Get Belt Heat.
setFocuslaserMode:setFocuslaserMode (0-auto,1-mannual.
                e.g.   setFocuslaserMode 1.
getFocuslaserMode:Focuslaser control mode is 0 (0-auto, 1-mannual)
                e.g.   getFocuslaserMode.
setFocusArea:set focus area(0-default,1~16-window number)
setExposureArea:set exposure area(0-default,1~16-window number)

***********************************************************************************
showKey        : Get all the keys of civil platform
showServer     : Get all the servers of civil platform
showUpnp       : Get the local and nat port and address
showStatus     : Get the device status of civil platform
showDefence    : Get the defence plan
setLBS         : set the lbs address, e.g. setLBS 123.1.1.1 or set dev.ys7.com:8555
setAlarm       : set the alarmserver address. Usage as setLBS
setWlan:       : set the wifi ssid, just for test config. Usage: setWlan SSID
setOpenSdkLogLevel:set ezviz opensdk log level,0-no print,1-print errLevel,2-print-warn-log,3-print-debugsetdefence  : Set the defence plan
             Usage: setDefence [enable:1] [day:*] [start:hh:mm] [end:hh:mm]
               e.g. setDefence enable:1  day:3  start:7:30  end:13:0
setPscanPspeed
setPscanTspeed
setPscanTime
setTscanPspeed
setTscanTspeed
setTscanAngle
setTscanTime
getScan
getTiltAngle

***********************************************************************************
 
u-boot_g1.bin is what is asked for on the Hik G1 cams. I do not have a u-boot_g1.bin handy, and if I did it would not have any more commands than you already have. It would not help.

If I were you, do not trash u-boot or play with it. The minisys and uboot commands are more or less useless for direct access to the cam.

If you trash the u-boot you will need to flash the NAND (manually).
If you trash the minisys you still are able to load a new minisys as u-boot is intact.
If you trash the PRI partitions you will still be able to use the uboot and minisys.

Really depends on your knowledge and how much risk you want to take. For some, pulling the NAND is easy peasy lol: dump the firmware and reassemble, job done.

The minisystem will be the weak point in the cam. There will be minimal checks. If you get or make a minisys it may not boot the cam; that's assuming you can get it to take it.

The correct way to root your cam is to back up what you have, so you have a point of return. But that's not always possible based on a person's knowledge.

I never found a use for the USB commands in the minisys. The go or gos interested me but I never had an SDK to make a standalone app. GPIO was also interesting but never found a use for it.

Most of these commands alter FLASH. go and gos load apps into user space.

I am working on the images on G1 now but getting a minisys to load and run in user space will be the final thing I attempt. At the moment I am having trouble just re-assembling the main boot image lol

There are size, CRC and model checks, amongst other things, in the minisys header. If it's not in the correct format the cam will not take it.
 
Commands that say "erase" or "format" always make me nervous.
So obviously given your warnings this is going to be more difficult than the other embedded hardware I've worked with. Oddly enough I was assuming there were resistors or whatnot that hardware locked the camera like they do or did on GPUs.
If there was a way to load something to dump firmware I'd be happy. I've also been trying to gather all firmware versions for G1. I can see who made the project tho and the date so it helps a little.

Need to get better organized. Wish it was as easy as having BIOS...
 
Hi! I bought the same Ezviz cs-cv110-A1-68R-X camera as you, and am now trying to do something with it. I do not have a Hikvision NVR so I can't use the backdoor you talk about in your post. I have also tried brute-forcing the password with hydra and cameradar but had no luck.
Can you tell me the password you got with the NVR backdoor, and the RTSP path to get an image from it? I assume it is identical for all cameras of that model.
 
Software version V5.4.4 build 170621
On other series cameras - that version of firmware has the 'Hikvision backdoor vulnerability' where the configuration file can be extracted without requiring a password.
If so - the configuration file can be decrypted and decoded to extract the password.

Try this URL in the browser against the camera IP address:
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

If it extracts a configuration file, zip it up and attach here and I will see if it can be decrypted and decoded for the password.
 
I have tried it but got nothing - refused to connect.
To make sure this trick works for me and nothing has blocked it, I tried the same with my other cameras, and with an old Hikvision DS-2CD2035 with firmware v5.3.6b151221 I could get the config file successfully.
But with my other Ezviz camera - CS-C1C-D0-1D2WFR with older firmware v.5.2.6b190220 - I got the same as with the CS-CV110-A1: "ERR_CONNECTION_REFUSED"
 
Hey @alastairstevenson - the trick works, but only with an 'old' camera when attached to the NVR. You can extract 1 password- which lets you connect to the ONVIF streams. But you can't control it - I hadn't figured out the salt/crypto.
@Pathogen
Ok. It was worth a try.
It sounds like the ISAPI interface has reduced functionality on those models. Pity.

Password to let you see the feeds are: eZV1Z&BunD1E
 
I have decided that dumping the chip off board was easier (aka, didn't want to wait). So I now have a 128mb rom file. Interestingly, its portions are encrypted. Haven't tried to pull it apart yet.
I'm guessing 128mb is a bit too big to post here. Any idea where would be a good spot?
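A first triage pass over a flash dump like the one described in the last post, added here as an example and not code from any poster in this thread: it maps which 4 KiB blocks are high-entropy, plain or erased, and locates cramfs superblocks by their magic and signature. The block size, the 7.5 bits/byte threshold and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import math
import struct

CRAMFS_MAGIC = 0x28CD3D45         # cramfs superblock magic, stored host-endian
CRAMFS_SIG = b"Compressed ROMFS"  # 16-byte signature at superblock offset 16

def entropy(block):
    """Shannon entropy in bits per byte: 0.0 constant, 8.0 uniformly random."""
    n = len(block)
    counts = [block.count(v) for v in set(block)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def classify_regions(dump, block_size=4096, high=7.5):
    """Label each block, then merge neighbours into (start, end, label) runs.
    High entropy means encrypted OR compressed; it cannot tell them apart."""
    regions = []
    for off in range(0, len(dump), block_size):
        block = dump[off:off + block_size]
        if block.count(0xFF) == len(block):
            label = "erased"              # untouched NAND reads back as 0xFF
        elif entropy(block) >= high:
            label = "high-entropy"
        else:
            label = "plain"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + len(block), label)
        else:
            regions.append((off, off + len(block), label))
    return regions

def find_cramfs(dump):
    """Return (offset, declared_size, endianness) for each cramfs superblock."""
    hits = []
    for fmt, name in (("<I", "little"), (">I", "big")):
        magic = struct.pack(fmt, CRAMFS_MAGIC)
        pos = dump.find(magic)
        while pos != -1:
            if dump[pos + 16:pos + 32] == CRAMFS_SIG:
                hits.append((pos, struct.unpack_from(fmt, dump, pos + 4)[0], name))
            pos = dump.find(magic, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed 20 KiB stand-in for a flash dump (not data from a camera)."""
    text = (b"bootargs=console=ttyS0 " * 200)[:4096]
    sb = struct.pack("<IIII", CRAMFS_MAGIC, 8192, 0, 0) + CRAMFS_SIG
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    return text + sb.ljust(4096, b"\0") + noise + b"\xff" * 4096
```

On a real dump, read the file as bytes and pass it to `classify_regions` and `find_cramfs`; raw NAND images may also interleave out-of-band (spare) bytes, which this sketch does not strip.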