Unpacking and decryption of the Compressed ROMFS image file (cramfs.img) for intercom indoor monitors based on the H5 platform:
1. cramfs.img can be opened with the cramfs tools or with 7zip.
It contains the following files:
- app.tar.lzma -> encrypted file
- audio.tar.lzma -> encrypted file
- dec
- digicapkeyArm.ko
- dvrCmd.tar.gz
- dvrCmd2.tar.gz
- hicore.tar.lzma -> encrypted file
- hisi.tar.lzma -> encrypted file
- logo.tar.gz
- logo.tar.lzma -> encrypted file
- misc.tar.lzma -> encrypted file
- overseas.tar.lzma
- ramdisk.gz
- showlogo
- start.sh -> encrypted file
- uImage
- version
Several of these files are encrypted.
The Triple DES ECB cipher is used on other HIKVISION devices, so it is also used for this image.
2. Looking into the dec file, the following strings can be found:
"Usage: ./dec FILEin FILEout", "/dev/decryptkey", "set key err %d"
The IDA interactive disassembler is needed to analyse the dec file.
This file contains several functions, including "decrypt_sec" and "des3_ede_setkey".
These functions are part of the Linux kernel Cryptographic API.
Links to the Cryptographic API source code:
- Linux source code: crypto/des_generic.c (v5.1.5) - Bootlin
- Linux source code: include/crypto/des.h (v5.1.5) - Bootlin
static void des3_ede_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen);
The 3DES key length is 24 bytes.
Disassembled code:
.text:0000D304 loc_D304 ; CODE XREF: decrypt_abstract_api+54j
.text:0000D304 SUB R3, R11, #-var_194
.text:0000D308 MOV R0, R3 ; struct crypto_tfm *tfm
.text:0000D30C LDR R1, [R11,#var_1A0] ; const u8 *key
.text:0000D310 LDR R2, [R11,#var_1A4] ; unsigned int keylen
.text:0000D314 BL des3_ede_setkey
.text:0000D318 MOV R3, R0
.text:0000D31C STR R3, [R11,#var_14]
.text:0000D320 LDR R3, [R11,#var_14]
.text:0000D324 CMP R3, #0
.text:0000D328 BEQ loc_D340
.text:0000D32C LDR R3, =aSetKeyErrD ; "set key err %d"
.text:0000D330 MOV R0, R3 ; format
.text:0000D334 LDR R1, [R11,#var_14]
.text:0000D338 BL printf
.text:0000D33C B loc_D3D0
The DES key is obtained at run time through an ioctl call (cf. the "/dev/decryptkey" string above), so the key is not part of the image itself.
3. Extracting the DES key:
The dec file is not encrypted and can be patched to print the key over the UART interface (using the printf function).
Some programming skills and understanding of the ARM instruction set are needed to create this patch.
To create a DAV file with the patched dec file:
- Create the cramfs.img file: mkfs.cramfs -v img cramfs.img
- Set the Chinese language attribute in the header file (header offset 0x10: set byte = 0x02)
- Pack the digicap.dav file using repackFirmwareH5.py
Load the DAV file using the TFTP tool.
A description of how to set up a UART connection to Hik cameras: UART connection to recover Hik cameras
The same applies to intercom indoor monitors (the UART connector is hidden under the sticker on the back of the monitor).
A USB-to-UART TTL converter with 3V logic levels and the PuTTY software are needed.
UART settings:
- speed: 115200 baud
- data bits: 8
- stop bits: 1
- parity: none
- flow control: none
The UART log, if everything is done correctly:
hisfc300_spi_probe:Block protect enabled!
Hit any key to stop autoboot: 0
### CRAMFS load complete: 2289552 bytes loaded to 0x80400000
### CRAMFS load complete: 1206447 bytes loaded to 0x80800000
timeout for link [5000]!
## Booting kernel from Legacy Image at 80400000 ...
## Loading init Ramdisk from Legacy Image at 80800000 ...
Loading Kernel Image ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-08-19 14:10:59 CST)
Fri May 17 23:16:16 UTC 2019
Starting udev: [ OK ]
DES key 1292042785
DES key 303108950
DES key 1292042753
DES key 303108182
DES key 1292042753
DES key 487658070
The full 3DES key: 2102034D561311120102034D561011120102034D5612111D
(each value printed above is one 32-bit word; written as little-endian bytes, the six words concatenate to this 24-byte key)
4. File decryption:
openssl can be used to decrypt/encrypt the files.
It supports des-ede3 (Triple DES EDE in ECB mode).
Notes:
The DES algorithm works on 64-bit (8-byte) blocks, so the files have to be 8-byte aligned before decryption.
The lengths of the encrypted files in the image are not 8-byte aligned.
The last byte of each encrypted file in the image holds the alignment information (the number of unused bytes at the end of the decrypted file).
The decryption sequence:
- remove the last byte from the encrypted file (this byte gives the number of unused bytes at the end of the decrypted file)
- decrypt the file:
openssl des-ede3 -d -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- remove the unused bytes from the end of the decrypted file
The decrypted start.sh file is attached.
5. File encryption sequence:
- if the file is not 8-byte aligned -> append 0x00 bytes to the end of the file until it is
- if the file is already 8-byte aligned -> append 8 bytes (0x00) to the end of the file!!!
- encrypt the file:
openssl des-ede3 -e -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- append one byte with the number of unused (padding) bytes to the end of the encrypted file
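The conversion of the six UART values into the key (section 3) and the decryption and encryption sequences (sections 4 and 5), as an added Go example that is not part of the original post or of any HIKVISION tool. It uses Go's standard crypto/des in place of the openssl command so that the ECB block walk and the trailer-byte handling are explicit; the key placeholderKeyHex and the sample content are constructed for the demo, and the check that the padding decrypts to 0x00 assumes the files were padded as described in section 5.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const blockSize = 8 // DES/3DES block size in bytes

// placeholderKeyHex is a CONSTRUCTED key for the demo; the key recovered over
// UART would be passed in the same 48-hex-character (24-byte) form.
const placeholderKeyHex = "00112233445566778899AABBCCDDEEFF1122334455667788"

// KeyFromUARTWords rebuilds the 24-byte key from the six 32-bit values the
// patched dec binary printed in decimal: each value is one little-endian word.
func KeyFromUARTWords(words []uint32) (string, error) {
	if len(words) != 6 {
		return "", fmt.Errorf("need 6 words for a 24-byte 3DES key, got %d", len(words))
	}
	key := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(key[4*i:], w)
	}
	return strings.ToUpper(hex.EncodeToString(key)), nil
}

// ecb applies a single-block cipher operation to every block in place; this is
// what "openssl des-ede3 -nopad" does (ECB mode, no padding).
func ecb(fn func(dst, src []byte), data []byte) {
	for i := 0; i < len(data); i += blockSize {
		fn(data[i:i+blockSize], data[i:i+blockSize])
	}
}

// EncryptH5 follows the encryption sequence: pad with 0x00 up to the next
// 8-byte boundary (a full extra block when already aligned), encrypt with
// 3DES-EDE in ECB mode, then append one trailer byte recording how many
// padding bytes the decrypted output will carry.
func EncryptH5(keyHex string, plain []byte) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pad := blockSize - len(plain)%blockSize // always 1..8, never 0
	buf := make([]byte, len(plain)+pad)     // zero-filled: the 0x00 padding
	copy(buf, plain)
	ecb(block.Encrypt, buf)
	return append(buf, byte(pad)), nil
}

// DecryptH5 follows the decryption sequence and adds the checks a tool should
// make before trusting the result: trailer byte in 1..8, ciphertext body a
// multiple of 8 bytes, and padding bytes that decrypt to 0x00 (the value the
// encryption sequence writes; anything else means a wrong key or corrupt file).
func DecryptH5(keyHex string, enc []byte) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(enc) < blockSize+1 {
		return nil, errors.New("file too short to hold one block plus the trailer byte")
	}
	pad := int(enc[len(enc)-1])
	body := enc[:len(enc)-1]
	if pad < 1 || pad > blockSize {
		return nil, fmt.Errorf("trailer byte %d is outside 1..8", pad)
	}
	if len(body)%blockSize != 0 {
		return nil, fmt.Errorf("ciphertext body of %d bytes is not 8-byte aligned", len(body))
	}
	buf := make([]byte, len(body))
	copy(buf, body)
	ecb(block.Decrypt, buf)
	if !bytes.Equal(buf[len(buf)-pad:], make([]byte, pad)) {
		return nil, errors.New("padding bytes are not 0x00: wrong key or corrupt file")
	}
	return buf[:len(buf)-pad], nil
}

func main() {
	// Constructed sample content standing in for a file such as start.sh.
	plain := []byte("#!/bin/sh\necho sample\n")
	enc, err := EncryptH5(placeholderKeyHex, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d encrypted bytes, trailer byte = %d\n",
		len(plain), len(enc), enc[len(enc)-1])
	dec, err := DecryptH5(placeholderKeyHex, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(dec, plain))
}
```

The padding check in DecryptH5 is the useful part when working on a real image: with the wrong key the last block decrypts to noise, so the trailer-derived padding bytes will almost never all be 0x00 and the error fires before a garbage tarball is written out.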