Is mac id cipher by some des256 or sth?
To be honest I couldn't be bothered to map out the code they used to create the password - it wasn't any recognised standard, it was easier to just go past it.
It was a combination of the MAC address, the firmware version, and some "if this then that" byte shuffling.
If you have the .fls file you should be able to easily unpack it once you've inspected it for the boundaries between the files from the manifest.
But in reality you only need to do that to be sure where to patch, after that you can just hexedit the main firmware file.
These is my aide-memoire from the last one, where I'd bought 5 IMX307 low-light VF cameras to install at my local Men's Shed and didn't like that there was no telnet access :
It looks like HeroSpeed have removed the 'window of opportunity' that I
discovered could be used to shut down TelnetSwitch by having telnet enabled
for several seconds at bootup before TelnetSwitch became active and shut it down.
This allowed TelnetSwitch to be renamed, given the telnet root password.
So in this version of the firmware, I had to tweak the firmware and update with it
in order to enable telnet.
The changes made in the .FLS file were :
Uncomment "#telnetd &" in LongSeStart at 0x0171c6
touch /tmp/sddrives_ok
#telnetd &
ifconfig eth0 192.168.1.168 netmask 255.255.255.0
Comment out "/hisi/TelnetSwitch &" at 0x0176d0
sleep 1
/hisi/Main &
/hisi/TelnetSwitch &
Replace the root password hash in passwd and passwd- at 0x0176e5 and 0x01770b
with that for ls123 LHjQopX4yjf1Q
With no tamper checking, the firmware applies OK, and telnet is always available.
An easy change.
And here was the simple unpack script so I could inspect the contents :
Code:
#!/bin/sh
# This is a simple 'split out some of the components' script based on a manual inspection
# of the original 3516CV300_IMX307_BASE_W_8.1.30.4.FLS firmware.
# It looks like the firmware is organised as a simple manifest front section, giving name,
# location and size for each component.
# The driver behind extracting the components is to gain telnet access to a root shell
# by circumventing the Lucky787 TelnetSwitch password and then the telnet password.
#
# It looks like HeroSpeed have closed off the 'window of opportunity' where telnet was
# initially active on bootup until TelnetSwitch was activated, which had briefly allowed
# telnet access to swap out TelnetSwitch and use a cracked telnet password.
#
#
dd if=orig_fw.FLS of=libHi3516CV300IspDev.so bs=1 skip=$((0x0C18)) count=$((0xD140))
dd if=orig_fw.FLS of=Device.ini bs=1 skip=$((0xdd58)) count=$((0x41))
dd if=orig_fw.FLS of=DeviceIdentify bs=1 skip=$((0xdd99)) count=$((0x8ec8))
dd if=orig_fw.FLS of=LongSeStart bs=1 skip=$((0x016c61)) count=$((0x06ec))
dd if=orig_fw.FLS of=sdcard_hotplug.sh bs=1 skip=$((0x01734d)) count=$((0x025e))
dd if=orig_fw.FLS of=startapp bs=1 skip=$((0x0175ab)) count=$((0x013a))
dd if=orig_fw.FLS of=passwd bs=1 skip=$((0x0176e5)) count=$((0x26))
dd if=orig_fw.FLS of=passwd- bs=1 skip=$((0x01770b)) count=$((0x26))
dd if=orig_fw.FLS of=Ver.ini bs=1 skip=$((0x017731)) count=$((0x2d))
dd if=orig_fw.FLS of=config.ini bs=1 skip=$((0x01775e)) count=$((0x0747))
dd if=orig_fw.FLS of=isp.ini bs=1 skip=$((0x017ea5)) count=$((0x87c6))
#
# This is actually the start of the app SQUASHFS partition.
dd if=orig_fw.FLS of=app.squashfs bs=1 skip=$((0x02066b))
# Which we can unpack into the default folder.
unsquashfs app.squashfs
# End
Warning - please be aware that messing around with the internals like this does present the risk of bricking the camera.
