Long-shot help request - Hikvision DS-2CD3335D - G0 series IPC.

@montecrypto / @alastairstevenson
My 2CD2145F-IS (G0, CN) has firmware version 5.4.21 and shows a Chinese UI (no option to enable SSH access in the UI).
I have wired RS232 access to the camera, but the shell has limited options available (no dd, ls etc.).
Any help in getting full shell access, or another means of setting the language to EN?

Thanks in advance
 
Hi @alastairstevenson,

Yes, I can confirm the following command restarts the camera.

Thanks
- Nithin
setenv bootargs console=ttyAMA0,115200 init=/bin/sh rootfs=0x82000000 rootfstype=initrd debug single loglevel=9
saveenv

reset
 
@alastairstevenson

It goes back to psh (restrictive shell, without cd, dd, cat etc...)

Also,
the u-boot enforces signature verification and prevents rolling back the firmware below 5.4
u-boot version is U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03)

Pressing CTRL+U gives the boot prompt with the following options:

HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables

Trying
HKVS # updateb

gives the following messages (I have a tftp server running on 192.168.1.128):

TFTP from server 192.168.1.128; our IP address is 192.168.1.64
Download Filename 'u-boot_g0.bin'.
Download to address: 0x82000000
Downloading: *
TFTP error: 'No such file or directory' (0)
Starting again

It seems to me like there is a way to load an older u-boot version (without signature check).
Is it possible to share an older u-boot_g0.bin?

Thanks
-NKS
 
Hi @JAFO
I have tried your trick to sideload sec.bin with the go command (from Watchdata EMV chips in R6, G0 and other cameras),
but nothing happens (see logs below):

HKVS # go.
ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 54-C4-15-27-F6-29
TFTP from server 192.168.1.128; our IP address is 192.168.1.64
Download Filename 'sec.bin'.
Download to address: 0x81fffed8
Downloading: # [ Connected ]
##########
done
Bytes transferred = 333192 (51588 hex)
Exit1!
HKVS #

Any insights? Thanks
 
I also tried renaming sec.bin to u-boot_g0.bin and issued the update bootloader command (updateb).
NO LUCK


HKVS # updateb
*******************************************************
* ATTENTION: PLEASE READ THIS NOTICE CAREFULLY! *
* DO NOT reset the device, or disrupt this process. *
* If this process fails, the device might be unusable.*
* If you find this too risky, power off device now. *
* or press the SPACE key to start the process now *
*******************************************************
ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 54-C4-15-27-F6-29
TFTP from server 192.168.1.128; our IP address is 192.168.1.64
Download Filename 'u-boot_g0.bin'.
Download to address: 0x82000000
Downloading: # [ Connected ]
##########
done
Bytes transferred = 333192 (51588 hex)
set public key failed.
ver failed!

resetting ...

Going back to an older boot-loader version seems to be much harder with this locked-down u-boot.
I am sure there is a glaring loophole to circumvent this.
Any help appreciated.
Thanks
 
Going back to an older boot-loader version seems to be much harder with this locked-down u-boot.
Well that's a bummer! It looks like I was fortunate in my camera fix by having an older version of the bootloader.
The command list as you have posted seems to have shrunk somewhat.
No tftp command to load external files into memory?
And it looks like it's either sanitising the bootargs or the kernel is ignoring them.
That was the really useful way to boot an older kernel.
 
I am not sure if the bootloader U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03) came with the camera or if it was later updated when I tried updating the firmware to 5.4.x. Do you know if a regular firmware update (digicap.dav) file contains a u-boot update as well?
I decrypted a few firmware versions and did not find any u-boot binaries in them.
 
Based on the recent reveal of the trivial backdoor in the firmware (see this thread: Backdoor found in Hikvision cameras, and Full Disclosure: Access control bypass in Hikvision IP Cameras), I am hoping Hikvision will reconsider their policy of denying gray-market cameras the bug-fixes they deserve. The negative publicity they are getting, combined with their denial about the true nature of these backdoors, can only make their customers question their motives. I am sure their actions will be viewed with suspicion in their intended target market (government, state & local agencies, cities and corporations). It is not easy to gain customers' trust back once lost. But it is easy to lose the trust and become irrelevant in this industry, where trust is the cornerstone of their video surveillance products, which are so intrusive in nature. I hope Hikvision listens and comes out clean, customer focused and open.
 
Do you know if a regular firmware update (digicap.dav) file contains a u-boot update as well?
Code:
IPC_G0_CN_STD_5.3.1_150424 has a uImage 4415352 bytes MD5- 2acac6d008d36c05699a01e26ec46bf0
IPC_G0_CN_STD_5.3.3_150624 has a uImage 4415656 bytes MD5- 71a57eb513459bae089fc4067bd13181
IPC_G0_CN_STD_5.3.5_150925 has a uImage 3909032 bytes MD5- 50ac2a0774b3e35c2b23f494831f5865
IPC_G0_CN_STD_5.4.20_160726 has a uImage 3923960 bytes MD5- aa3266c181d3face0e53cafc2e817cfc
IPC_G0_CN_STD_5.4.24_170510 has a uImage 4038800 bytes MD5- e91720b6eb411ed146b25f9e949fdae9

I can't tell you what they look like when they execute, as my USB TTL still hasn't arrived :(
 
I think uImage is the kernel image, not the u-boot binary. :(

Here is my RS232 setup for the 2CD2145F-IS:

[Photos attached: IMG_4624.jpg, IMG_4622.jpg]

RED - RX (TX on RS232 Adapter)
BLACK - TX (RX on RS232 Adapter)
WHITE - GND
 
Do you know if a regular firmware update (digicap.dav) file contains a u-boot update as well?
Certainly the davinci program has code to do a u-boot update; it's handled using ioctl calls.
I decrypted a few firmware versions and did not find any u-boot binaries in them.
I did also and didn't find any, though I wouldn't claim it was an exhaustive search.
I'd assumed it would be a separate firmware file as opposed to being, for example, buried in the rootfs.
 
I also noticed the attached firmware file contains a file named ant_army (without extension). Any idea what this file is and its purpose?
This file can be unarchived and contains 6 parts; could this be u-boot embedded in the digicap.dav?
Thanks
 

I also noticed attached firmware file contains a file named ant_army
Yes, I noticed that too, and was curious. Google didn't throw up any useful hits and it seemed unlikely it was an 'easter egg'.
It's not a u-boot image, it seems to be a part of the WAN network process, there is a lot of OpenSSL within.
Some sample strings :
Code:
============= Ant Army ===============
     PDS master : %s
     PDS domain : %s
     CAS domain : %s
     IPC serial : %s
       Net type : %s
        Eth0 IP : %s
       Wlan0 IP : %s
    Internet IP : %s
      Router IP : %s
Client int_port : %d
Client ext_port : %d
Stream int_port : %d
Stream ext_port : %d
========================================
IPC_ANT_CLIENT
IPC_ANT_STREAM
[%s][%s][%d] miniupnpc_init error
[%s][%s][%d] get_extern_ip_addr error
[%s][%s][%d] ant_army_add_port_mapping error
[%s][%s][%d] Router ip chg [%s] or mapping deleted, remap
[%s][%s][%d] set_extern_ip_and_port param error
[%s][%s][%d] start_ant_core param error
[%s][%s][%d] Ant core CreateServer error
[%s][%s][%d] Ant core set_extern_ip_and_port error
[%s][%s][%d] Getting internet ip ...
[%s][%s][%d] Initing miniupnpc ...
[%s][%s][%d] Getting router wan ip ...
[%s][%s][%d] getrlimit error
[%s][%s][%d] ant_heartbeat error
[%s][%s][%d] set_cfg_file_path error
[%s][%s][%d] get_config_data error
[%s][%s][%d] get device serial error
[%s][%s][%d] pthread_create ant_army_monitor error
[%s][%s][%d] Ant Army Ver: %s, Build time: %s %s
1.0.6
Sep 22 2016
20:16:10
[%s][%s][%d] Get internet ip successful: %s
172.7.
[%s][%s][%d] Init miniupnpc successful
[%s][%s][%d] Get router wan ip successful: %s
[%s][%s][%d] Net environment is not support
[%s][%s][%d] Start ant core successful
[%s][%s][%d] ant_regist error
[%s][%s][%d] ant_army_check_port_mapping error
Code:
[%s][%s][%d] get upnp device list error
[%s][%s][%d] UPNP_GetValidIGD error
[%s][%s][%d] igd_datas.first.servicetype is NULL
[%s][%s][%d] Local ip under router is %s
[%s][%s][%d] get_local_upnp_device_info error
[%s][%s][%d] get_extern_ip_addr param error
[%s][%s][%d] UPNP_GetExternalIPAddress error, ret = %d
[%s][%s][%d] add_port_mapping param error
[%s][%s][%d] UPNP_AddPortMapping error, ret = %d
[%s][%s][%d] Add port mapping %s [%d] -> [%d]
[%s][%s][%d] UPNP_DeletePortMapping error, ret = %d
[%s][%s][%d] Remove port mapping [%d]
[%s][%s][%d] ip = %s, desc = %s
[%s][%s][%d] get_mapped_ports param error
[%s][%s][%d] Need Del port mapping num reach the Max
[%s][%s][%d] Port mapping num reach the Max
[%s][%s][%d] generate_random_port param error
 
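As an added example (not code from the thread, from Hikvision or from ant_army itself), here is a small strings(1)-style triage script that buckets the kind of format strings quoted above by the behaviour they hint at: UPnP port mapping on the router, hard-coded URLs, and TLS library use. The sample blob below is constructed for the example, and the http address in it is a documentation (RFC 5737) address, not one found in the binary.

```python
import re

# Constructed sample: NUL-separated byte runs imitating what strings(1) would
# find in the ant_army binary; the URL is a constructed placeholder.
SAMPLE_BLOB = b"\x00".join([
    b"\x7fELF\x01\x01\x01",
    b"============= Ant Army ===============",
    b"[%s][%s][%d] UPNP_AddPortMapping error, ret = %d",
    b"[%s][%s][%d] Add port mapping %s [%d] -> [%d]",
    b"[%s][%s][%d] miniupnpc_init error",
    b"[%s][%s][%d] Get internet ip successful: %s",
    b"http://203.0.113.10:8000/hello",   # constructed, RFC 5737 test address
    b"OpenSSL 1.0.2",
    b"\x01\x02\x03",
    b"Client ext_port : %d",
]) + b"\x00"

MIN_LEN = 4  # same default minimum run length as strings(1)

# Each bucket is a hint about what the component does on the network.
CATEGORIES = {
    "upnp": re.compile(rb"UPNP_|miniupnpc|port mapping|ext_port", re.I),
    "url": re.compile(rb"https?://[^\s\x00]+"),
    "tls": re.compile(rb"OpenSSL|SSL_|TLS"),
}

def extract_strings(blob, min_len=MIN_LEN):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def triage(blob):
    """Map each category name to the decoded strings that matched it."""
    hits = {name: [] for name in CATEGORIES}
    for s in extract_strings(blob):
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                hits[name].append(s.decode("ascii"))
    return hits

if __name__ == "__main__":
    for name, found in triage(SAMPLE_BLOB).items():
        print(f"{name}: {len(found)} hit(s)")
        for s in found:
            print("   ", s)
```

Running it against a real unpacked component instead of SAMPLE_BLOB (read the file in binary mode and pass the bytes to triage) gives a quick view of whether a firmware component opens router ports or phones home, which is what a defender wants to know before putting such a camera on a network.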
Yes, I noticed that too, and was curious. Google didn't throw up any useful hits and it seemed unlikely it was an 'easter egg'.
I too had a sticky beak look, and I found some http addresses which it connects to. The port 8000 one didn't work, but the other one I loaded into my browser, and it responds with a "hello world" text.

I thought it might be a little more suspicious when I was looking through it... but that's my nature. Assume the worst, enjoy the best.
 
Dear @alastairstevenson,

So I decided to give your rescue approach a try. I managed to get my firmware unpacked, serial hooked up and running, and the uImage transferred, and it boots to ash. But I still need a bit of help. If you could help me with these two questions below, it'd be much appreciated!

In fact after a tiny davinci code (I never did read it ...) tweak (3 bytes out of 9MB) the camera has had a personality change and now talks English instead of Chinese, which is pretty good because the NVR no longer shuns it when it wants to make friends with it.

Is this using the regular mtd hack? How do I apply it to the unpacked firmware?


The uImage kernel can be applied to mtdblock5 & 6 (sys0, sys1) and all the remaining files from the unpacked firmware copied into /dav both when it's mounted from mtdblock7 and also mtdblock8 (app0 and app1).
Which specific commands do I use to do this?

Everything else seems to work like a charm (I did change setenv ipadrs to setenv ipaddr), so hopefully I can get my last camera properly updated to 5.4.41 now as well.