IP camera nearly Hikvision

Discussion in 'Hikvision' started by bagel, Jan 10, 2019.

Share This Page

  1. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    Good day. There is such a camera (DS-2CD2345F-IS) branded by the Rostelecom company, how can you install a normal firmware here? I can lay out the dump if someone will be interested in doing this is not a simple matter.
     

    Attached Files:

    • rt.png
      rt.png
      File size:
      175.1 KB
      Views:
      30
  2. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    U-Boot 2010.06 (Dec 06 2017 - 13:10:35)

    Check Nand Flash Controller v610 ... found
    Special NAND id table Version 1.36
    Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
    Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
    Nand total size: 128MB
    *** Warning - bad CRC or NAND, using default environment

    In: serial
    Out: serial
    Err: serial
    Hit any key to stop autoboot: 0
    hi3516-vc # help
    ? - alias for 'help'
    base - print or set address offset
    bootm - boot application image from memory
    bootp - boot image via network using BOOTP/TFTP protocol
    cmp - memory compare
    cp - memory copy
    crc32 - checksum calculation
    ddr - ddr training function
    fatinfo - print information about filesystem
    fatload - load binary file from a dos filesystem
    fatls - list files in a directory (default /)
    getinfo - print hardware information
    go - start application at address 'addr'
    help - print command description/usage
    hi_gpio - set hisilicon gpio states
    loadb - load binary file over serial line (kermit mode)
    loady - load binary file over serial line (ymodem mode)
    loop - infinite loop on address range
    md - memory display
    mii - MII utility commands
    mm - memory modify (auto-incrementing address)
    mtest - simple RAM read/write test
    mw - memory write (fill)
    nand - NAND sub-system
    nboot - boot from NAND device
    nm - memory modify (constant address)
    ping - send ICMP ECHO_REQUEST to network host
    printenv- print environment variables
    rarpboot- boot image via network using RARP/TFTP protocol
    reset - Perform RESET of the CPU
    saveenv - save environment variables to persistent storage
    setenv - set environment variables
    tftp - tftp - download or upload image via network using TFTP protocol
    version - print monitor version
    hi3516-vc #
     
  3. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    U-Boot 2010.06 (Dec 06 2017 - 13:10:35)

    Check Nand Flash Controller v610 ... found
    Special NAND id table Version 1.36
    Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
    Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:4bit/512
    Nand total size: 128MB
    *** Warning - bad CRC or NAND, using default environment

    In: serial
    Out: serial
    Err: serial
    Hit any key to stop autoboot: 0
    Set gpio: 142->0
    Set gpio: 130->1
    Set gpio: 131->1

    NAND read: device 0 offset 0x200000, size 0x400000
    4194304 bytes read: OK
    ## Booting kernel from Legacy Image at 82000000 ...
    Image Name: Linux-3.4.35
    Image Type: ARM Linux Kernel Image (uncompressed)
    Data Size: 2552288 Bytes = 2.4 MiB
    Load Address: 80008000
    Entry Point: 80008000
    Loading Kernel Image ... OK
    OK

    Starting kernel ...

    Uncompressing Linux... done, booting the kernel.
    Booting Linux on physical CPU 0
    Linux version 3.4.35 (root@runner-8e7d6cd8-project-22-concurrent-0) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v300) ) #1 Wed Dec 6 13:08:54 UTC 2017
    CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
    CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
    Machine: hi3516a
    Memory policy: ECC disabled, Data cache writeback
    Built 1 zonelists in Zone order, mobility grouping on. Total pages: 15240
    Kernel command line: mem=60M console=ttyAMA0,115200 rootfstype=ramfs mtdparts=hinand:1024K(boot),1024K(tech),4096K(kernel),8192K(app),-(config) hw_type=608
    PID hash table entries: 256 (order: -2, 1024 bytes)
    Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
    Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
    Memory: 60MB = 60MB total
    Memory: 53980k/53980k available, 7460k reserved, 0K highmem
    Virtual kernel memory layout:
    vector : 0xffff0000 - 0xffff1000 ( 4 kB)
    fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
    vmalloc : 0xc4000000 - 0xff000000 ( 944 MB)
    lowmem : 0xc0000000 - 0xc3c00000 ( 60 MB)
    modules : 0xbf000000 - 0xc0000000 ( 16 MB)
    .text : 0xc0008000 - 0xc03f8000 (4032 kB)
    .init : 0xc03f8000 - 0xc0675b24 (2551 kB)
    .data : 0xc0676000 - 0xc06a3d00 ( 184 kB)
    .bss : 0xc06a3d24 - 0xc06b8e98 ( 85 kB)
    SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
    NR_IRQS:128
    sched_clock: 32 bits at 49MHz, resolution 20ns, wraps every 86767ms
    Console: colour dummy device 80x30
    Calibrating delay loop... 1196.85 BogoMIPS (lpj=5984256)
    pid_max: default: 32768 minimum: 301
    Mount-cache hash table entries: 512
    Initializing cgroup subsys freezer
    CPU: Testing write buffer coherency: ok
    Setting up static identity map for 0x802fda60 - 0x802fdab8
    dummy:
    NET: Registered protocol family 16
    Serial: AMBA PL011 UART driver
    uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 40) is a PL011 rev2
    console [ttyAMA0] enabled
    uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 41) is a PL011 rev2
    bio: create slab <bio-0> at 0
    SCSI subsystem initialized
    hi-spi-master hi-spi-master.0: with 1 chip select slaves attached
    hi-spi-master hi-spi-master.1: with 3 chip select slaves attached
    usbcore: registered new interface driver usbfs
    usbcore: registered new interface driver hub
    usbcore: registered new device driver usb
    Switching to clocksource timer0
    NET: Registered protocol family 2
    IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
    TCP established hash table entries: 2048 (order: 2, 16384 bytes)
    TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
    TCP: Hash tables configured (established 2048 bind 2048)
    TCP: reno registered
    UDP hash table entries: 256 (order: 0, 4096 bytes)
    UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
    NET: Registered protocol family 1
    RPC: Registered named UNIX socket transport module.
    RPC: Registered udp transport module.
    RPC: Registered tcp transport module.
    RPC: Registered tcp NFSv4.1 backchannel transport module.
    squashfs: version 4.0 (2009/01/31) Phillip Lougher
    jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
    msgmni has been set to 105
    Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
    io scheduler noop registered
    io scheduler deadline registered (default)
    io scheduler cfq registered
    Spi id table Version 1.22
    Found Nand Flash Controller V610.
    Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
    Nand: MXIC NAND 128MiB 3,3V 8-bit
    Nand(HW-Auto): Block:128KB Page:2KB OOB:64B ECC:4bit/512 Chip:128MB*1
    5 cmdlinepart partitions found on MTD device hinand
    5 cmdlinepart partitions found on MTD device hinand
    Creating 5 MTD partitions on "hinand":
    0x000000000000-0x000000100000 : "boot"
    0x000000100000-0x000000200000 : "tech"
    0x000000200000-0x000000600000 : "kernel"
    0x000000600000-0x000000e00000 : "app"
    0x000000e00000-0x000008000000 : "config"
    ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    hiusb-ehci hiusb-ehci.0: HIUSB EHCI
    hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
    hiusb-ehci hiusb-ehci.0: irq 53, io mem 0x100b0000
    hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
    hub 1-0:1.0: USB hub found
    hub 1-0:1.0: 1 port detected
    Initializing USB Mass Storage driver...
    usbcore: registered new interface driver usb-storage
    USB Mass Storage support registered.
    mousedev: PS/2 mouse device common for all mice
    i2c /dev entries driver
    hisi_i2c hisi_i2c.0: Hisilicon [i2c-0] probed!
    hisi_i2c hisi_i2c.1: Hisilicon [i2c-1] probed!
    hisi_i2c hisi_i2c.2: Hisilicon [i2c-2] probed!
    TCP: cubic registered
    Initializing XFRM netlink socket
    NET: Registered protocol family 17
    NET: Registered protocol family 15
    lib80211: common routines for IEEE802.11 drivers
    Registering the dns_resolver key type
    VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
    Freeing init memory: 2548K
     
  4. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    Suddenly it will be interesting to you, here I am putting the dump
    hik2345.bin
     
  5. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    The camera pictures look similar to Hikvision - but the firmware does not.
    The file is blank - an erased flash dump.
     
  6. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    I didn't make much of a mistake :(,the dump was two-piece,since I couldn't take it off in one piece,and by mistake I sent an empty one.here is the first slice of putting
    0hik2345.bin
     
  7. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    too unbearable task from the Chinese brothers?
     
  8. VorlonFrog

    VorlonFrog Known around here

    Joined:
    Aug 3, 2015
    Messages:
    1,000
    Likes Received:
    588
    Location:
    Charlotte
    That's a firmware image file. Open it as an archive using 7-Zip to review the contents.
     
  9. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    which file should I open?
     
  10. VorlonFrog

    VorlonFrog Known around here

    Joined:
    Aug 3, 2015
    Messages:
    1,000
    Likes Received:
    588
    Location:
    Charlotte
    This contains the following top-level directories: bin, etc, lib, share. 7-Zip reports some extra data following, so exploring the file with the 'binwalk' python script would probably reveal more information.
     
  11. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    for those who understand this, of course, it will give, for me personally, nothing: (, I was only enough for this and then by chance
     

    Attached Files:

  12. VorlonFrog

    VorlonFrog Known around here

    Joined:
    Aug 3, 2015
    Messages:
    1,000
    Likes Received:
    588
    Location:
    Charlotte
  13. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    он тут уже был....:(
     
  14. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    Here is a simple script to split down the flash dump that was attached earlier, based on the partition scheme in the bootlog earlier.

    Code:
    #!/bin/sh
    # This script holds the steps to unpack the Rostelecom 0hik2345.bin flash dump.
    # The offsets will very likely be specific to that version of firmware. There is no attempt to
    # use logic to make it universal - it's as much a memory-jogger as anything.
    #
    # The assumption is the the flash dump follows this partition scheme from the bootlog that @bagel
    #posted in the ipcamtalk forum.
    # Creating 5 MTD partitions on "hinand":
    # 0x000000000000-0x000000100000 : "boot"
    # 0x000000100000-0x000000200000 : "tech"
    # 0x000000200000-0x000000600000 : "kernel"
    # 0x000000600000-0x000000e00000 : "app
    # 0x000000e00000-0x000008000000 : "config"
    #
    dd if=../0hik2345.bin of=boot.part bs=1 count=$((0x100000))
    dd if=../0hik2345.bin of=tech.part bs=1 count=$((0x200000-0x100000)) skip=$((0x100000))
    dd if=../0hik2345.bin of=kernel.part bs=1 count=$((0x600000-0x200000)) skip=$((0x200000))
    dd if=../0hik2345.bin of=app.part bs=1 count=$((0xe00000-0x600000)) skip=$((0x600000))
    dd if=../0hik2345.bin of=config.part bs=1 count=$((0x8000000-0xe00000)) skip=$((0xe00000))
    #
    # The app partition is a squashfs so can be extracted
    [ -d app_contents ] && rm -r app_contents/* && rmdir app_contents
    unsquashfs -d app_contents app.part
    #
    #
    
    Here are the resulting flash partitions, which seem valid :
    Code:
    file *.part
    app.part:    Squashfs filesystem, little endian, version 4.0, 5863701 bytes, 115 inodes, blocksize: 65536 bytes, created: Wed Dec  6 13:10:33 2017
    boot.part:   data
    config.part: ISO-8859 text, with very long lines, with no line terminators
    kernel.part: u-boot legacy uImage, Linux-3.4.35, Linux/ARM, OS Kernel Image (Not compressed), 2552288 bytes, Wed Dec  6 13:09:00 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x43246FA8, Data CRC: 0x018A4EC9
    tech.part:   data
    
    And there are multiple references in the (very large) config.part partition to familiar Hikvision configuration options such as smart events
    And multiple references to DS-2CD2345FB

    Use something like
    strings -8 config.part > config_strings.txt
    to see the metadata within.
    Code:
    "firmware_version":"v0.9.8-b2442 171206","hardware_version":"","mac":"64:db:8b:37:56:15","model":"DS-2CD2345FB","serial":"161082471","soft_meta_version":"","vendor":"Hikvision"}},"device_name":{"value":{"name":"161082471"}}
    So this is quite intriguing.
    Is this Hikvision hardware, but with non-Hikvision firmware?
     
    VorlonFrog likes this.
  15. VorlonFrog

    VorlonFrog Known around here

    Joined:
    Aug 3, 2015
    Messages:
    1,000
    Likes Received:
    588
    Location:
    Charlotte
    Thanks for helping, sir. I don't have binwalk or python set up anywhere at the moment.
     
  16. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    yes, yes, yes ... I wanted to convey this to you.....
     
  17. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    @iTuneDVR - what knowledge or comments do you have for this?
    Interesting, yes?
     
  18. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    I have nothing , @iTuneDVR ...,he could not or did not want to help, took a dump and ...... :)
     

    Attached Files:

  19. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,888
    Likes Received:
    3,414
    Location:
    Scotland
    That's a pity.
    He's been around, and knows a lot - although he is usually reluctant to share the detail ...
     
  20. bagel

    bagel n3wb

    Joined:
    Jan 9, 2019
    Messages:
    16
    Likes Received:
    0
    Location:
    Saratov
    ... this is his business, he is as close as you :), only speaks Russian.