Hikvision E3 and gaining access to /bin/sh | find key unpack, repack.

hatoan

n3wb
Joined
Aug 13, 2019
Messages
8
Reaction score
1
Location
ha noi
I bought a Hikvision DS-2CD2T21G0-1 IP cam and I have the following information:
+ Product Name: DS-2CD2T21G0-1
+ Platform: E3 (Download Firmware). I have updated the firmware down to 5.5.4.
+ U-Boot version and functions.

+ Dump of the NAND flash chip w25n01xxIG - file_dump, and the dmesg log, which gives the partition info:

SPI Nand ID Table Version 2.4
[ 1.602149] SPI Nand(cs 0) ID: 0xef 0xaa 0x21
[ 1.606622] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xaa
[ 1.612980] nand: Winbond W25N01GV
[ 1.616460] nand: 128MiB, SLC, page size: 2048
[ 1.620901] Nand(Auto): OOB:64B ECC:4bit/512
[ 1.625111] nand: ECC provided by Flash Memory Controller
[ 1.630824] Creating 14 MTD partitions on "hinand":
[ 1.635761] 0x000000000000-0x000000100000 : "bld"
[ 1.642993] 0x000000100000-0x000000180000 : "env"
[ 1.649935] 0x000000180000-0x000000200000 : "enc"
[ 1.657018] 0x000000200000-0x000000280000 : "sysflg"
[ 1.664148] 0x000000280000-0x000000380000 : "dpt"
[ 1.671242] 0x000000380000-0x000000b80000 : "rcvy"
[ 1.681896] 0x000000b80000-0x000001380000 : "sys0"
[ 1.692478] 0x000001380000-0x000001b80000 : "sys1"
[ 1.703118] 0x000001b80000-0x000003d80000 : "app0"
[ 1.727432] 0x000003d80000-0x000005f80000 : "app1"
[ 1.752781] 0x000005f80000-0x000006580000 : "cfg0"
[ 1.764507] 0x000006580000-0x000006b80000 : "cfg1"
[ 1.775091] 0x000006b80000-0x000007780000 : "syslog"
[ 1.788864] 0x000007780000-0x000007f80000 : "resv"

* I tried these ways:
+ Modify the env in U-Boot (bootargs, ...): it seems it was protected and could not be written and saved.
+ Load sec.bin (platform G0) to have functions such as tftp, execute command, .... But it is not working: when I execute `go 0xaddress` I do not see anything happening ....

I want to run the functions in sec.bin (tftp, ...), or run the OS command /bin/sh, or find the key to unpack and repack the firmware.

Can you help me? Thank you!
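
Added example (not part of the original post, and not Hikvision tooling): the partition table from the dmesg log above, parsed and checked for gaps, with each MTD offset mapped to its position in a raw chip dump. It assumes the dump was read with a programmer that keeps each page's 64-byte OOB right after its 2048 data bytes; in a dump without OOB the MTD offsets apply unchanged.

```python
import re
# Partition lines copied from the dmesg log in the post above.
DMESG = """\
[ 1.635761] 0x000000000000-0x000000100000 : "bld"
[ 1.642993] 0x000000100000-0x000000180000 : "env"
[ 1.649935] 0x000000180000-0x000000200000 : "enc"
[ 1.657018] 0x000000200000-0x000000280000 : "sysflg"
[ 1.664148] 0x000000280000-0x000000380000 : "dpt"
[ 1.671242] 0x000000380000-0x000000b80000 : "rcvy"
[ 1.681896] 0x000000b80000-0x000001380000 : "sys0"
[ 1.692478] 0x000001380000-0x000001b80000 : "sys1"
[ 1.703118] 0x000001b80000-0x000003d80000 : "app0"
[ 1.727432] 0x000003d80000-0x000005f80000 : "app1"
[ 1.752781] 0x000005f80000-0x000006580000 : "cfg0"
[ 1.764507] 0x000006580000-0x000006b80000 : "cfg1"
[ 1.775091] 0x000006b80000-0x000007780000 : "syslog"
[ 1.788864] 0x000007780000-0x000007f80000 : "resv"
"""
PAGE, OOB = 2048, 64            # "page size: 2048" and "OOB:64B" in the same log
CHIP_SIZE = 128 * 1024 * 1024   # "nand: 128MiB"
LINE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "(\w+)"')

def parse_partitions(text):
    """Return [(name, start, end)] from kernel MTD partition lines."""
    return [(m[3], int(m[1], 16), int(m[2], 16)) for m in LINE.finditer(text)]

def check_layout(parts, chip_size=CHIP_SIZE):
    """List gaps, overlaps and chip space that the table leaves unmapped."""
    issues, cursor = [], 0
    for _name, start, end in parts:
        if start != cursor:
            issues.append(("gap" if start > cursor else "overlap", cursor, start))
        cursor = max(cursor, end)
    if cursor < chip_size:
        issues.append(("unmapped", cursor, chip_size))
    return issues

def raw_offset(logical):
    """Logical flash offset -> byte offset in a dump that keeps OOB.
    Assumption: every 2048-byte page is followed by its 64-byte OOB."""
    page, within = divmod(logical, PAGE)
    return page * (PAGE + OOB) + within

def strip_oob(raw):
    """Drop the OOB after every page so the MTD offsets apply directly."""
    return b"".join(raw[i:i + PAGE] for i in range(0, len(raw), PAGE + OOB))

if __name__ == "__main__":
    print(check_layout(parse_partitions(DMESG)))
```

On this table the only finding is the last 512 KiB of the chip, which no partition covers; with OOB kept, "rcvy" starts at 0x39c000 in the dump file rather than 0x380000.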
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
sec.bin is unique to the u-boot version. sec.bin is a stand alone program that is often used to add additional commands to u-boot. I have only seen it for the g0 family.

What is the output with "printenv" and have you tried altering and saving them?
 

hatoan

I have ...
Code:
HKVS # printenv
bootargs=console=ttyAMA0,115200
bootcmd=loadk;bootm
baudrate=115200
ipaddr=192.168.1.64
serverip=192.168.1.128
netmask=255.255.255.0
bootfile="uImage"
filesize=1598
fileaddr=81FFFA90
bootdelay=5
stdin=serial
stdout=serial
stderr=serial
verify=n
mdio_intf=rmii
phy_addr=3
ethaddr=f8:4d:fc:d7:5f:7e
ver=U-Boot 2010.06-403449 (Jun 27 2018 - 14:29:28)

Environment size: 348/65532 bytes
HKVS #
What should I fix in the env shown by `printenv`?

Example:
+ setenv bootargs console=ttyAMA0,115200 init=/bin/sh single loglevel=9
+ setenv bootargs console=ttyAMA0,115200 init=/bin/sh rootfs=0x82000000 rootfstype=initrd debug single loglevel=9
+ ....

Can you give me the env variable to fix?
 

rearanger

setenv bootargs console=ttyAMA0,115200 init=/bin/sh single loglevel=9
saveenv

then printenv to make sure it was saved.

If it has, reboot and see what happens.
 

hatoan

How do I build sec.bin for the E3 platform with my u-boot version?
 

rearanger

For a standalone sec.bin you would compile the commands that are missing from the u-boot and some commands to mount your partitions. (Do a search on Google for u-boot standalone.)

Also your cam has a "rcvy" partition. Is it running a minisystem like the G1 cams?

What cpu is in the E3?
 

hatoan

Exactly, the E3 platform cam is running a minisystem.
Code:
[ERROR][MIN]MOUNT: mount app primary partition failed!
[ERROR][MIN]MOUNT: please format and re-mount.
[ERROR][MIN]MOUNT_APP: mount app failed!
route: resolving
================================================
= !!  the  minisys  is  used  for  [ ipc ]  !! =
================================================
[ INFO][MIN]TFTP: TFTP from server 192.168.1.1
[ INFO][MIN]TFTP: Filename: 'digicap.dav'
[ INFO][MIN]TFTP: ################################################################################
[
To run another minisystem or sec.bin, I need to build the minisystem or sec.bin, so do you have a tutorial to help me build it?

The CPU of my CAM:
Code:
[    0.000000] Linux version 3.18.20 (root@HIK-RD-CI-Frontend) (gcc version 4.9.4 20150629 (prerelease) (Hisilicon_v500_20150831) ) #2 Wed Jun 27 14:39:16 CST 2018
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=0005317f
 

rearanger

Hisilicon 500 SDK is floating around on the web

On the G1 the mImage(minisys/rcvy) does not have many validation checks. (however be careful if you do not have a dump/backup)

I have NO tutorial for building any sec.bin or minisys.
Minisys is just a mini Linux image. The G1 will also take a renamed hImage as a mImage.

The sdk may help you create a minisys. (I can only make a comparison to a G1 as I do not have an E3)
 