ezviz firmware

matthewj

n3wb
Joined
Aug 17, 2021
Messages
7
Reaction score
0
Location
UK
Hi, I've got an Ezviz X5C-8 DVR and a couple of C3Ws cams. They're all Chinese models and their firmware is all Chinese. Is it a bad idea (or even possible) to connect them to the ezviz cloud?

I have them blocked from the internet at the moment and am accessing them via RTSP. I can connect to the UART of the DVR but it seems to be password protected as I get a `password error, pls try again` when I try to type anything.

Further, u-boot is seemingly closed off as ctrl-u merely brings up an update screen. Accessing via RTSP is okay but I'd at least have access to the motion log so I can poll that instead of having to watch the stream 24/7 (the HTTP endpoints that were seemingly accessible on older models return nothing, only /System/deviceInfo). Is there any way to change the firmware to English or even bypass the password-protected UART and gain root? Thanks.
 

matthewj
Yes! The 'b' command worked! Just curious - is there any documentation on this sort of thing or do you know from experience :)?

I ran `setenv bootargs mem=180M console=ttyS1,115200 init=/bin/sh`, `saveenv`, and `reset` but I still run into the password once booted. My `printenv` output right now looks like:

```
HKVS # printenv
bootdelay=1
baudrate=115200
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
bootargs_end=255.255.255.0:Hik-eth:eth0:none
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
sec=tftp 0x80400000 uImage_sec;tftp 0x80800000 ramdisk.gz;bootm 0x80400000 0x80800000;
default=fsload 0x80400000 uImage;fsload 0x80800000 ramdisk.gz;bootm 0x80400000 0x80800000;
phyaddr0=9
rgmii_enable=n
serverip=192.0.0.128
update_source=net
ipaddr=192.168.0.61
stdin=serial
stdout=serial
stderr=serial
verify=y
ethaddr=64:db:8b:c5:e1:3a
bootargs=mem=180M console=ttyS1,115200 init=/bin/sh
ver=U-Boot 2010.06-svn (May 06 2017 - 15:30:45)

Environment size: 624/4092 bytes
```
Is `init=` being ignored somehow, or is it not directly booting the Linux kernel and instead some sort of other utility?

Additionally, here is the `help` command output if that helps at all:

```
HKVS # help
?       - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bubt - Burn an boot image on the Boot Flash.

cmp - memory compare
cp - memory copy
cpld - write cpld info to encrypt media

crc32 - checksum calculation
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
tftp - tftp - download or upload image via network using TFTP protocol
update - Update the digicap of the device.

version - print monitor version
```
My (hopeful) goals are: a root shell would be good, but better still would be the ability to change the interface to English (but not really required as it'll probably be shut away somewhere).

I also tried adding `single debug=9` to the bootargs with no luck.

matthewj
I'm trying another approach: seeing if I can work out how the serial connection is being blocked.

I think maybe this device has 16MB flash, so I ran:

```
sf probe 0
sf read 0x82000000 0x0 0x1000000
# setenv for the ip stuff
tftp 0x82000000 flash.bin 0x1000000
```
but every time tftp seemed to crash with the error `TFTP error: 'Expected block 10000, got DATA for block 999'`. I'm not sure what's causing this, if it's the tftp server's end or the device's, but instead I ran `tftp 0x82000000 flash_part1.bin 0x800000` and `tftp 0x82800000 flash_part2.bin 0x800000` to try and split the firmware in RAM into two parts for the upload. This worked, and so I ran `cat flash_part1.bin flash_part2.bin > flash_parts.bin` to get (what I hope is) the full firmware image.

From then I ran `binwalk flash_parts.bin` but seemed to get a CRC32 polynomial table, little endian, a JFFS2 filesystem, little endian after the CRC table, and then a load of Zlib compressed data, with a few more JFFS2s here and there. I'm not really sure what this means so I just ran `binwalk -Me flash_parts.bin` to see what I could find. The full binwalk output is here:

Binwalk seemed to have merged the JFFS2s as I ended up with a combined `jffs2-root` made out of 13 subparts. Inside here I found:
```
app.tar.lzma
AP.tar.lzma
devCfg.bin
dev_id
dev_info
dev_masterkey
dvrCmd.tar.gz
hicore.tar.lzma
hisi.tar.lzma
microKernel.tar.lzma
ptzCfg.bin
ramdisk.gz
SmartManageCfg.txt
start.sh
udhcpd.leases
uImage
versionctr.tar.lzma
```
A brief look at `start.sh` showed that the first thing the script does is extract the `.lzma` files and copy them into `/home/app` and `/usr/bin/dvrCmd`. I replicated this. `dvrCmd` seemed mostly uninteresting; I don't really know what service runs these commands, and it doesn't really help me achieve anything. `/home/app` seemed much more interesting and seemed to contain some of the core programs that the DVR uses to run, `hicore` seemingly being the most interesting. Again, though, I have no idea what to do here. I ran `find . -type f -exec strings {} \; | grep 'password error, pls try again'` in the directory to see if I could find a program causing the message `password error, pls try again` but had no luck.

Going back to the filesystem I extracted `ramdisk.gz` and got a root filesystem! It contained:

```
bin
etc
lib
linuxrc
sbin
usr
var
```
`sbin` contained quite a few utilities, notably `hik_echo` (is this causing the password prompt?).
`bin` had your normal utilities, notably `sh`.
`etc` contained a `passwd` and a `shadow` for the users root and guest; both had the password 12345 when decrypted. It also contained an `init.d/rc5` which contained a script that seemed to do various configuration things, such as running `start.sh` forever in a loop.

I am once again stuck, not sure what I really hoped to achieve. I was sort of hoping for an `sbin/telnetd` as it seems that's what some other devices have (some even enabled by default!). I guess hikvision/ezviz realised that it wasn't such a great idea. Even if it had such a utility, short of reflashing the firmware I'm not sure how I could run it. Reflashing may be a route but I don't think I have a good copy of the firmware from my tftp methodology and it seems like an easy way to brick the device. Anybody got any pointers or information to help?

EDIT: The flash chip on the board seems to be a 25q128jvsq, which is indicated by the datasheet here to be a "128M-bit" chip, so I think my assumption about it being 16MB in size is correct.

EDIT 2: Oops, there is telnet, at `usr/sbin/telnetd`. Still, to get it running I'd have to do some sort of firmware reflashing which I'm not sure I can do with this (incomplete?) extracted firmware, and I'm not sure how I would repackage it.

EDIT 3: Through a brief skim of 海康萤石智能门锁的网关分析 ("Analysis of the Hikvision Ezviz smart door lock gateway", translated), which seems vaguely similar in terms of firmware, I think the dev files are mostly useless for my uses.

EDIT 4: Just noticed in the startup output it says `telnetd: applet not found` from the `rcS` script. Maybe I can do something with this? Probably should've noticed that earlier, oops.

```
2010.06 (Mait ctrl+u tooot: 1 MAC:p_PORT : phy status ch=UP : DUPLEX|NUL ethaddr| TFTP server not found
16384 KiB hi_sfc at 0:0 is now current d## Booting kernel from Legacy Image at 80400000 ...
Verifying Checksum ... K
## om Legacy Image at 80800000 ...
Verifying Checksum ... K
Loading Kernel Image ... OK
OK

Uncompressing Linux... done, booting the kernel.

init started: BusyBox v1.16.1 '
echo: applet not found
echo: applet not found
1 00:17:41 UTC 1970
telnetd: applet not found
scriptCmd: ./load3520D -i 512M.
echo: applet not found
Can't open parameter file on flash, errno=0x2.
getPPPOECfg: from /home/hik/devCfg.bin ok.
bond card eth0 to pppoed
==================enablePPPoE failed!!!
core Build(Feb 26 2018/15:40:15)**us:1.
The ds = 1
devHardInfo.decodeChans = 8
ze = 0
devHardInfo.softwareBuildDaevHardInfo.softwareVersion = 0x0
devModel =
prodNo = C22481672
magicNumber = 1212897107
voNums = 2
ipcChans = 0
paraChecksum = 2982
paraLength = 244
language = 2
d= 2
zone = videoMaxtrix = 0
extendedDecoder =tendedAlarmOut = 0
devType = 0xf00f
ubootAdrs = 0x0
uboyKernelAdrs = 0x0
tinyKernelSize = 0
tinyKernelCheckSum = 0
rand_code = WMMNDB
[ERR][net/netUtil/net_util.c #1334]: eth0 mac address is: 64:db:8b:c5:e1:3a
x v1.16.1 (2017-08-16 1 built-in shell (ash)
Enter 'help' for a list of built-in commands.

su: applet not found
[32m[root[0m@[31mdsystem/param/paramLib.c #3933]: readDevParam from /home/hik/devCfg.bin OK
[CRIT][system/param/paramLib.c #3940]: cfg is ok, and sys cfg patched
bConfigurat open RFKILL control device
nl80211: Could not re-add multicast membE
sh: you need to spec [Jan 20 2018 19:00:28] *** viType=31 aiType=0, support720:0
--bSupportZeroEncoChanCnt:0 dispChanCnt:3bEnableCache=0
[InitSttreamPackType:0x80 subPacketType:0x80 rtpPackLen=1376
----------HI_MPomplete init stream pool
nitAudio aoTrack=1 TrackCnt=1 a00
aoChan=2 aoDev=1 aoTrack=1 aoTrackCnt=2 aoTrack=1 sampleRate=32000
src_sample_rate=8000 dst_sample_rate=32
--aacMemTab size=168520 base=0x1bd9a00 alignment=128
-----------Init g726 dec audio,mem sic OK
Func: InitVo, viType:31,dispMode:4 start
[InitVoDev] voDev 0,ype 111
Func: GetVoCfg_HD, voDev 0, u32Width 1920, u32Height 1080
-----------start hdmi ----------------------------------
Func: InitFb, layer 0, u32PicWidht 1920, u32PicHeight 1080
Func SetLayer 0, return
Func: InitFb, layer 3, u32PicWidht 32, u32PicHeight 32_GfxLayerBindDev-cusorLayer=1 voDev=0
stImageSize u32Width=480 u32Height=270
Enable pip video layer failed with errno 0xa00f800c!
Func: InitVo, start OK
initVpss Grp:0 w:1920 h:1200
initVp0 h:1200
i h:1200
initVpss Grp:7 w:1920 h:1200
decChanCnt=8 maxVdecChn=9 dec_chan_1080p_start=0,dec_chan_1080p_end==4,d
CreatDecChan:VdecChn=8
* InitDecoder * chan 0, malloc me1048576
* InitDecoder * chan 1, malloc memory form arm
jointBuf phy 0x4894e000 vit 0x9d3f** InitDecoder *** chan 2, malloc memory form arm
jointBuf phy 0x49643000 vit 0x9d6fb000 len 1048576
* I chan 3, malloc memory form arm
jointBuf phy 0x4a281000 vit 0x9d9fb000 len 10*** InitDecoder *** chan 4, malloc memory form arm
jointBuf phy 0x4afc5000 vit 0x9dcfb000 len 1048576
ry form arm
jointBuf phy 0x4bc80000 vit 0x9dffb000 len 1048576
** *** chan 6,hy 0x4c93c000 vit 0x9e2fb000 len 1048576
*nitDecoder *ipcDecBufLen:0
initVpspDecOrg->pOr3d008
chan = 10, pDecOrg->pOr4ae008,0x484ae008
decchan = 11, pDecOrg->pOrgBuf = 0x48a4e008,0x48a4e008
decchan = 12, d10008,0x48d10008
decchan = 139ddd008,0x49ddd008
decchan = 14, pDecOrg->pOrgBuf = 0x4a381008,0x4a381008
7a008
dpDecOrg->pOrgBuf = 0x4ccfb008,0x4ccfb008
ecchan = 21,JpgCfg(370):1080 srch=0!
GetJpgCf X5_C *
=8194,cmdIdx=158
[ERR][interface/dsp/dm_cmd_if.c #5479]: setVoBrightness
[ERR][net/netUtiltu[1480] OK!!!===========
init_stor_system maxEnChanNo = 0 maxIPCount 8
[ERR][src/fs/stor_record_file_system.c #1700]: part:/dev/sda file 931 db key 931.
HostAp send sta deauFhanForPlayBack[0]
Func: HostSetIptype = 1
[Hccess!
set17] key [WMMNDB] type [stSetIpcAesEncrypt, chan = 9, mode pcAesEncryp, mode = 15, type = 1
success!
snForPlayBack[0]
Func: sEncrypt, chan = 10, mode = 15, typncrypt] success!
setAeetIpcAesEncrypt, chan = 18, mode = 1
[HostsetIpcAesEncrypt] success!ype [1] ipcChanForPlayBack[0]
Func: HostSetIpcAesEncrypt, chan = 11, mode = 15, type = 1
[uccess!
setAesKey chan[12] key [WMMNDB] type [1] ipcChanForPlayBack[0]
Func: HostSetIpcAesEncrypt, chan = 19, mode = 15, typeey chan[20] key [WMMNDBhan[13] key [WMMNDB] tyccess!
setAesKey chan[21] key [WMMy chan[14] success!
setAesKey chan[22] key [WMMNDB] type [1] ipcChancrypt] success!
setAesKey chan[15] key [WMMNDB] type [1] ipcChanForPlayBack[0]
Func: HostSetIpcAesEncrypt, chan !
setAesKeyy [WMMNDB] tAesKey chan[1] ipcChanForPlayBackan = 23, mode = 15, type = 1
[HostsetIpcAesEncrypt] succe key [WMMNDipcChanForPindbyDest err!s32Ret=0xa0028003 VoDev=0 VoChn=0
[ERR][interface/dsp/hisi/dspResCtrl_hisi.c #255]: get_ipc_dec_chan:chan = 1, m-ENABLED
[ERR][interface/dsp/hisi/dspResCtrl_hisi.c #255]: get_ipc_dec_chan:chan = 1, mapChan = 0
[ER[ERR][net/ipc/ipcService/ipcamera.c #14695]: start connect ipc time =Disp>HI_MPI_SYS_GetBindbyDest err!
<HostDecSerr!s32Ret=0xa0028003 Vn=4
<HostDe2Ret=0xa002ol/micro_kernel.cpp #8229]: microkeev.ys7.com
el_common_module_load
[ERR][protocol/micro_kernel.cpp #760]: ezDevSDK_Start
[ERR][protocol/micro_kerne[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0, lbs_connect net_work_connect ip error, server:litedep:, port:8666
[ERR][src/sadp_mul.c #170]: mul_sadp_capture ok if_index[0] iSockF0]: multicast init_sadp_capture ok if_index[1] iSockFd[118] Name[wlan0] buf_len[2047]
[ERR][net/netUtil/net_config.c #921]: wlan0 get_netmask ioctl error and errno=99
[_connect ip error, server:litedev.ys7.com, ip:hostap pid:784

wlan0: interface state ENABLED->DISABLED
HostAp send sta deauth, reason 3 ������
wlan0: AP-DIS0 disabled_11b_rates=0
[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0, lbs_conver:litedev.ys7.com, ipERR][interface/dsp/dm_cmd_if.c #9507]: getFont
[CRIT][kernel/init.c #3811]: End of InitGUI!!
[CRIT][mycfg/sysinfo.c #1582]: 4There isnfo.c #1762quicknetset_bmp" in window "rightmenu"
[CRIT][mycfg/sysinfo.c #1762]: 8There issel_bmp" in window "rightmenu"
gui_preview_pthread_check_need_ipc_agency: start
gui_preview_pthread_check_need_ipc_agency:ipc bIPC2Cloud enable!
[ERR][net/netUtil/net_config.c #921]: eth0 get_netmask ioctl error and errno=99
[ERR][dataApplication/preview/preview_logo.c #632]: error Couldn't get ARP entry!!
[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0, lbs_connecrror, server:litedev.ys7.com, ip:, port:8666
[icro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, lbs_connect net_work_co=99
ct net_work_connect ip er:litedev.ys7.com, ip:[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0t net_work_connect ip error, server:litedev.ys7.com, ip:, port:8666
lbs_connect[ERR]thercode 0, lbs_connectror, server:eek:col/micro_kernel.cpp #155]: ezDevSr esdk_errorode 0, lbs_connect net_work_connect ip error, server:litedev.ys7.com, ip:, port:8666
[ERR][protocol/micro_kernel.clbs_connect net_work_conrt:8666
[ERRg_error esdk_error 15, othercode 0, lbs_connec:litedev.ys7.com, ip:, port:8666
FKILL control device
nl80211: Could not re-adNo such file or directory)
driver capa flags 1->COUNTRY_UPDATE
[ERR][net/netUtil/net_config.c #1920]====
[ERR][net/netUtil/net_config.c #1920]: =============!!===========
[ERR][net/netUtil/net_config.c #1920]: =============[wlan0]set mt
[ERR][src/sadp_mul.c #170]: multicast init_sadp_capture ok if_index[0] iSockFd[124] Name[br0] buf_len[2047]
[ERR][protoc 0, lbs_connect net_work_connect ip error, server:litedev.ys7.com, ip[ERR][net/netUtil/net_config.c #1920]: ===========mtu[1480] OK!!!===========
[ERR][net/netUtil/net_config.c #1920]: =============[eth0]set mtu[1500] OK!!!===========1920]: =============[wl1500] OK!!!===========
[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0, lbs_connect net_workerror, server:litedev.ys7.com, ip:, port:8666
start WsDiscovery Listener!!!!
====== name is: br0
[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercodek_connect ipys7.com, ip:, port:8666
and ssid "ssid-1"
im period 2
Send hello message at the starting of device.
wlan0: interface state COUNTRY_UPDATE->ENABLED
wlan0: AP-ENABLED
[ERR][protocol/micro_kernel.cpp #155]: ezDevSDK_log_error esdk_error 15, othercode 0, lbs_connect net_woip error, server:litedermCtrl.c #1761]: chan[1] is disconnect reconneys7.com, ip:, port:8666nel.cpp #15_log_error ek_connect ip error, server:litedevADIUS: starting account 6FCF79688BEise key handshake completed (RSN)
/micro_kerndk_error 15 error, server:litedev.rnel.cpp #15e 0, lbs_connect net_worver:litedev.ys7.com, ip:, port:866og_error esds7.com, ip:,
```
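As an added example (not code from the thread), a small Python checker for the stitched dump described above: it joins the two `flash_part*.bin` halves in memory, checks the total against the 128 Mbit (16 MiB) capacity of the 25Q128 named in the first EDIT, and walks the image for JFFS2 node headers whose CRC verifies, which is a quick way to judge whether a TFTP-assembled dump is complete and sane before handing it to binwalk. The `make_node` fixture builder and the constants are my own (constructed for self-test, not a real `mkfs.jffs2`); the file names are the ones used in the post.

```python
import struct
import zlib

JFFS2_MAGIC = 0x1985                 # node magic bitmask, little-endian on this target
NODE_HDR = struct.Struct("<HHII")    # magic, nodetype, totlen, hdr_crc
JFFS2_NODETYPE_CLEANMARKER = 0x2003  # erased-block marker: a 12-byte header-only node

def jffs2_crc32(data: bytes) -> int:
    """JFFS2 header CRCs use a zero seed and no final inversion; derive that from zlib."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF

def stitch_parts(parts):
    """Same as the 'cat flash_part1.bin flash_part2.bin' step, done in memory."""
    return b"".join(parts)

def capacity_matches(image: bytes, chip_mbit: int) -> bool:
    """A 25Q128 is 128 Mbit = 16 MiB; a complete dump is exactly that many bytes."""
    return len(image) == chip_mbit * 1024 * 1024 // 8

def scan_jffs2_nodes(image: bytes):
    """Walk the image at 4-byte alignment, returning (offset, nodetype, totlen) for
    every node whose 8-byte header checks out; stray 0x1985 hits are rejected by CRC."""
    nodes, off = [], 0
    while off + NODE_HDR.size <= len(image):
        magic, nodetype, totlen, hdr_crc = NODE_HDR.unpack_from(image, off)
        if (magic == JFFS2_MAGIC and hdr_crc == jffs2_crc32(image[off:off + 8])
                and NODE_HDR.size <= totlen <= len(image) - off):
            nodes.append((off, nodetype, totlen))
            off += (totlen + 3) & ~3          # nodes are padded to 4 bytes on flash
        else:
            off += 4
    return nodes

def summarize(image: bytes, chip_mbit: int = 128) -> dict:
    """What to know before trusting a dump: size ok, how many verified nodes, and
    where the first and last verified node sit (large gaps hint at a broken transfer)."""
    nodes = scan_jffs2_nodes(image)
    return {"size_ok": capacity_matches(image, chip_mbit), "nodes": len(nodes),
            "first": nodes[0][0] if nodes else None,
            "last": nodes[-1][0] if nodes else None}

def make_node(nodetype: int, payload: bytes) -> bytes:
    """Constructed test fixture: a node with a correct header CRC, padded like flash."""
    totlen = NODE_HDR.size + len(payload)
    head = struct.pack("<HHI", JFFS2_MAGIC, nodetype, totlen)
    node = head + struct.pack("<I", jffs2_crc32(head)) + payload
    return node + b"\xff" * (-len(node) % 4)

if __name__ == "__main__":
    # File names as used in the post; run from the directory holding the two halves.
    with open("flash_part1.bin", "rb") as a, open("flash_part2.bin", "rb") as b:
        print(summarize(stitch_parts([a.read(), b.read()])))
```

A dump whose `size_ok` is false or whose verified nodes stop well short of the end is not one to reflash from.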