G0 baremetal app for a limited u-boot ver

This is a fascinating thread. I'm trying to get up to where ya'll have gotten from- steep learning curve recovering from openwrt firmware hacking years ago...

Specifically I'm trying to get into this set
ezviz 8-Channel 4K UHD NVR with 2TB HDD & 4 4K Outdoor Night Vision Bullet Cameras

All I want is the cameras to write out to my NAS, instead of the DVR. I'd keep the DVR if I could get it to work, but since it insists on being 'cloud' based and nothing else is binding to those cameras, I'm kinda hosed.
 
alastairstevenson said:
Use 'help' to find what commands are available.
They vary a lot with the model and date of the NVR.

What do you need to do / what problem needs to be solved?
Click to expand...

I want to run command of os or /bin/sh. and I do along GUI.
* run go -> load sec.bin on memory as picture 0x81fffa90. after run command
* go 0x81fffa90 (comand is not hapenning any thing...)

rearanger said:
What u-boot version are you using?
What camera are you trying to use sec.bin on ?
Click to expand...
Info uboot version and command:

upload_2019-9-11_19-13-50.png

and I dump Nand 128MB to find key unpack firmware. I have use Pi3(raberry) connect pin of chip nand flash but seam as it only data of app (not sure).

Info Cam Hikvision DS-2CD2X21G0.
I dump 128MB from chip flash winbond W25N01xxIG. but i don't know where key was save.

I have alot infomations from chipflash:

strings file_flash_dump :
....
The length of key must be less than or equal to 16!
Error! efuse write key time out!
Error! efuse load key out!
%s,%d: invalid key len 0x%x.
%s,%d: Hmac key initial failed!
%s,%d: hash i_key_pad and message start failed!
%s,%d: hash i_key_pad and message update failed!
%s,%d: Hash Final i_key_pad+message failure, ret=%d
,%d: Hash Init o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: Hash Update o_key_pad failure, ret=%d
%s,%d: Hash Final o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: RSA padding mode error, mode = 0x%x. public key encryption operation, the block type shall be 02.
%s,%d: For a private key decryption operation, the block type shall be 02.
%s,%d: key is null.
%s,%d: For a private- key encryption operation, the block type shall be 00 or 01.
%s,%d: For a public key decryption operation, the block type shall be 00 or 01
....

I know partitions:

SPI Nand ID Table Version 2.4
[ 1.602149] SPI Nand(cs 0) ID: 0xef 0xaa 0x21
[ 1.606622] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xaa
[ 1.612980] nand: Winbond W25N01GV
[ 1.616460] nand: 128MiB, SLC, page size: 2048
[ 1.620901] Nand(Auto): OOB:64B ECC:4bit/512
[ 1.625111] nand: ECC provided by Flash Memory Controller
[ 1.630824] Creating 14 MTD partitions on "hinand":
[ 1.635761] 0x000000000000-0x000000100000 : "bld"
[ 1.642993] 0x000000100000-0x000000180000 : "env"
[ 1.649935] 0x000000180000-0x000000200000 : "enc"
[ 1.657018] 0x000000200000-0x000000280000 : "sysflg"
[ 1.664148] 0x000000280000-0x000000380000 : "dpt"
[ 1.671242] 0x000000380000-0x000000b80000 : "rcvy"
[ 1.681896] 0x000000b80000-0x000001380000 : "sys0"
[ 1.692478] 0x000001380000-0x000001b80000 : "sys1"
[ 1.703118] 0x000001b80000-0x000003d80000 : "app0"
[ 1.727432] 0x000003d80000-0x000005f80000 : "app1"
[ 1.752781] 0x000005f80000-0x000006580000 : "cfg0"
[ 1.764507] 0x000006580000-0x000006b80000 : "cfg1"
[ 1.775091] 0x000006b80000-0x000007780000 : "syslog"
[ 1.788864] 0x000007780000-0x000007f80000 : "resv"

Can you help me unpack Firmware "E3 platform"
Nand flash w25n01xxIG - file_dump
 
is that a G0 cam or an E3. If its an E3 then THIS sec.bin will not work. Your u-boot is also newer than the u-boots I have used sec.bin on.

On the plus side your u-boot has more commands than the u-boot's I have used sec.bin on.(unsure if any are any use)

I do not have an E3 cam. However I have found that hikvision have used similar methods to stop people accessing the diferent models of cams.

IF THIS IS A AN E3 , start NEW THREAD "E3 and gaining access to ASH" . Ill pop on and throw ideas around lol



Unpacking firmware's or gaining access to the raw files is not really an issue. Doing anything to them or re-flashing the cam with modified firmware is an issue.
 
  • Like
Reactions: hatoan and alastairstevenson
BTW on the g0 , you did not need to repack or unpack digicap.dav as there was ASH access and files could be copied back and forth on the fly live on the cam.

And on the G1 after installing minisys , again you have root/ash so you don't actually need to repack/unpack.
 
  • Like
Reactions: hatoan
You must log in or register to reply here.
Top Bottom