[MCPAT] IPC_R6_EN_STD_5.5.53_180730 repack +SSH -PSH +BUSYBOX *** UPDATE 2019 ***

mcpat, May 15, 2018
Source firmware:
----------------
IPC_R6_EN_STD_5.5.53_180730 (Update 26.04.2019)

Changes in repacked firmware:
-----------------------------
* Full-featured busybox v1.28.4 - patched with integrated psh
* PSH (protected shell) is now part of busybox (ash)
* Dropbearmulti v2018.76
* mount.cifs added
* mount.nfs(4) added
* Kernel fs modules added (ext2, ext3, ext4) - see below why
* sqlite3 added (for modifications in the config)
* ldd added
* SSH access enabled (via sqlite3 - tested and working)
* Dropbear host key persists between reboots
* Customizable init script
* Customizable late_init script
* Customizable fstab
* Customizable profile
* Customizable crontab


Also, no Hikvision backdoor in this one. Only 5.4.4 and earlier versions contain the backdoor. :)

IPC_R6_EN_STD_5.5.53_180730

Thank you to @montecrypto for his hikpack and great ideas. I don't have his knowledge, so on some points I had to go another way (e.g. I can't patch davinci to enable ssh access or modify the header_30 file to add additional files)...

Why kernel modules (ext2, ext3, ext4)?
I have a DS-2CD2442FWD-IW with an integrated SD slot. But this SD is formatted as vfat, which is useless for me for the planned "opt-ware", meaning I cannot make links. So I made a binary image file in ext2, which I can mount if I have the kernel module loaded (e.g. use the command "modprobe ext2").

The history of making this patch:
With the helping post from here I compiled the suitable toolchain (it's an armv7) and the latest dropbear with scp.

Maybe I'll make a repository, so apt-get for everyone...

If someone needs it, below are the links to the toolchains, and here the link to "convert-to-echo".

If you don't want to reflash the firmware, you can "echo" the content of the file to "/bin", then "chmod 755 scp" and you have a working scp. But don't use PuTTY, it is too fast; I used ZOC7 for this. Remember, after a reboot this file is gone.

If someone is interested on the r6 installed files and toolchain, here some data...

r6:
Linux 3.10.73+
Glibc (linaro) 2.18-2013.09
Dropbear 2016.74

Toolchain, built with crosstool-ng (1.21.0), download here:
Linux 3.10.79
Binutils 2.25
glibc (linaro) 2.20-2014.11
GCC 5.1.0 (needs LDFLAGS "-static-libstdc++" to compile, otherwise some apps don't run)
for target little endian, hard-float, compiled on VirtualBox with Debian Jessie with GCC 4.9.2-10+deb8u1

Toolchain, built with crosstool-ng (1.21.0), download here:
Linux 3.10.79
Binutils 2.25
glibc (linaro) 2.20-2014.11
GCC 4.8.3 (runs apps linked to libstdc++.so.6 directly)
for target little endian, hard-float, compiled on VirtualBox with Debian Jessie with GCC 4.9.2-10+deb8u1

Regards
MCPat

login.PNG
 
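The "echo the file into /bin" trick from the post, as an added example that is not the convert-to-echo tool linked there: a POSIX sh function that turns any binary into printf commands, one short chunk per line so a slow console is not overrun, plus a round-trip check. It assumes only od, sed and a target printf that understands \ooo octal escapes (busybox, dash and bash all do); the chunk size, file names and the constructed sample file are assumptions.

```sh
#!/bin/sh
# bin2echo: turn a binary into printf commands that can be pasted into a console
# or SSH session to recreate the file on a box without scp. Added example, not
# the convert-to-echo tool from the post; needs POSIX sh, od, sed and a target
# printf that understands \ooo octal escapes (busybox, dash and bash all do).

# bin2echo SRC DST [BYTES_PER_LINE]
# Prints, on stdout, the commands to run on the target. Each line appends at
# most BYTES_PER_LINE bytes (default 32); keep this small if the console drops
# input when fed too fast.
bin2echo() {
    src=$1 dst=$2 chunk=${3:-32}
    printf ": > '%s'\n" "$dst"                       # create/truncate the target
    # od gives one 3-digit octal byte per word; collect them into \ooo\ooo...
    od -An -v -to1 "$src" | tr -s ' ' '\n' | sed '/^$/d' | {
        n=0 esc=''
        while read -r byte; do
            esc="$esc\\$byte"
            n=$((n + 1))
            if [ "$n" -ge "$chunk" ]; then
                printf "printf '%s' >> '%s'\n" "$esc" "$dst"
                n=0 esc=''
            fi
        done
        [ -n "$esc" ] && printf "printf '%s' >> '%s'\n" "$esc" "$dst"
        :
    }
    printf "chmod 755 '%s'\n" "$dst"
}

# bin2echo_roundtrip SRC DST [BYTES_PER_LINE]
# Generates the commands, runs them locally with sh and compares DST with SRC
# byte for byte. Returns 0 only if the file arrived intact and executable.
bin2echo_roundtrip() {
    script=$(mktemp) || return 1
    bin2echo "$1" "$2" "${3:-32}" > "$script"
    sh "$script"
    rc=1
    if cmp -s "$1" "$2" && [ -x "$2" ]; then rc=0; fi
    rm -f "$script"
    return $rc
}

# Stand-alone demo on a constructed 13-byte file containing NUL, 0xFF and a
# newline, the bytes that usually break naive "echo" transfers.
demo=$(mktemp)
printf 'ELF\000\001\377 hello\n' > "$demo"
bin2echo "$demo" /tmp/scp 4
rm -f "$demo"
```

The generated lines are plain printf calls, so they can be pasted in slowly (or fed with a per-line delay) into the camera's shell; since every byte is an octal escape, NUL bytes and quotes survive the trip. The result lives on the ramfs root, so as the post says it disappears on reboot.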
Interesting!
You are really getting into this, as you say, attacking it sideways as opposed to head-on.
With the helping post from here I compiled the suitable toolchain (its an armv7) and the latest dropbear with scp.
Didn't you find that dropbear is already running in that firmware? Just filtered?
If you want persistent changes you can amend initrun.sh, though you also need to update its hash in the new_10.bin manifest if you don't want periodic integrity-check reboots.
This fragment was the last tweak of initrun.sh I did to an R6 camera (a while back; I don't have any now, sold on eBay)
(using @montecrypto method bypassing psh - better than my ln back to busybox method)
Code:
#-------
# Replace the protected shell (psh) with a wrapper that hands off to the full shell
[ -f /bin/psh.old ] || mv /bin/psh /bin/psh.old
[ -f /bin/psh.old ] && echo -e '#!/bin/sh\nexec /bin/sh "$@"' > /bin/psh
[ -f /bin/psh ] && chmod +x /bin/psh
# Flush the stock firewall rules so nothing filters dropbear/telnetd
/sbin/iptables -L
/sbin/iptables -F
echo "flushed:"
/sbin/iptables -L
echo "repacked" > /etc/motd
#-------

echo "And now to kill off the network_deamon network checker."
NWD=$(ps | awk 'NF == 11 && /deamon/ {print $1}'); kill $NWD
 
Didn't you find that dropbear is already running in that firmware? Just filtered?
Sure, but scp was missing, so I was not able to copy files in and out. So I made a dropbearmulti (to save space) and got the missing scp.
If you want persistent changes you can amend initrun.sh
I used hikpack with a modified initrun.sh and the changes you mentioned. I saw the changes for Busybox in a repacked firmware from montecrypto, so I used some parts to get the full Busybox and to be able to use sqlite3 to enable ssh. Maybe there is a better way to get it enabled?!?

How did montecrypto enable it and how did you add his Busybox in header_30?
 
How did montecrypto enable it and how did you add his Busybox in header_30?
I didn't look at what @montecrypto did with dropbear (eg making the keys persistent).
For the full busybox (on NVRs, I haven't bothered on cameras) I added a generic busybox to the cramfs.img in the firmware and dynamically installed it with a modified start.sh so the change is permanent - fragment below:
I did have to strip out the Hikvision 'player' file to make enough space for the firmware to fit the flash size.
Code:
# Add in the fuller busybox, which has telnetd in it and more.
mv /home/app/busybox-armv7l /bin
chmod +x /bin/busybox-armv7l
/bin/busybox-armv7l --install -s /bin
/bin/busybox-armv7l telnetd

And is there a way to make changes directly in the rootfs and exchange e.g. the Busybox permanently?
The rootfs in uImage?
I did try this once but decided that repacking a modded uImage manually was too messy and tedious, not being a coder myself.
There is the uncompressor and all the bundled file system and other stuff to be handled.
Easier to tweak the other parts of the system.
 
I solved it with this initstart.sh (I copied everything into help.tar.gz, because I don't know how to add files with hikpack?!?!?):
Code:
#-------
# initstart.sh for the repacked firmware. Everything it installs was shipped in
# help.tar.gz and lands in /home/webLib/help at boot; each file is copied into
# place and then removed from the staging directory.

# Stock dropbear out, dropbearmulti in (adds scp, dbclient, dropbearkey, ...)
kill $(ps | awk '/[d]ropbear/ { print $1 }')
rm -f /sbin/dropbear*
[ -f /home/webLib/help/dropbearmulti ] && chmod +x /home/webLib/help/dropbearmulti
if [ -x /home/webLib/help/dropbearmulti ]; then
    cp /home/webLib/help/dropbearmulti /sbin/dropbearmulti
    rm /home/webLib/help/dropbearmulti
    if [ -e /sbin/dropbearmulti ]; then
        ln -sf /sbin/dropbearmulti /bin/scp
        ln -sf /sbin/dropbearmulti /sbin/dropbear
        ln -sf /sbin/dropbearmulti /bin/dbclient
        ln -sf /sbin/dropbearmulti /bin/dropbearconvert
        ln -sf /sbin/dropbearmulti /bin/dropbearkey
    fi
fi

[ -f /home/webLib/help/ldd ] && chmod +x /home/webLib/help/ldd
if [ -x /home/webLib/help/ldd ]; then
    cp /home/webLib/help/ldd /bin/
    rm /home/webLib/help/ldd
fi

# sqlite3 is needed to flip the ssh_enable flag in the camera's config database
[ -f /home/webLib/help/sqlite3 ] && chmod +x /home/webLib/help/sqlite3
if [ -x /home/webLib/help/sqlite3 ]; then
    cp /home/webLib/help/sqlite3 /bin/
    rm /home/webLib/help/sqlite3
    output=$( sqlite3 /davinci/ipc_db "SELECT ssh_enable FROM security_config WHERE 1;" 2>&1 )
    if [ "$output" = "0" ]; then
        sqlite3 /davinci/ipc_db "UPDATE security_config SET ssh_enable='1' WHERE rowid = 1;"
    fi
fi

# Config files needed by mount.cifs/mount.nfs, plus the motd
cp /home/webLib/help/netconfig /etc/
rm /home/webLib/help/netconfig
cp /home/webLib/help/protocols /etc/
rm /home/webLib/help/protocols
cp /home/webLib/help/motd /etc/
rm /home/webLib/help/motd

# libtirpc is a runtime dependency of mount.nfs
[ -f /home/webLib/help/libtirpc.so.3 ] && chmod +x /home/webLib/help/libtirpc.so.3
if [ -x /home/webLib/help/libtirpc.so.3 ]; then
    cp /home/webLib/help/libtirpc.so.3 /lib/
    rm /home/webLib/help/libtirpc.so.3
fi
[ -f /home/webLib/help/mount.cifs ] && chmod +x /home/webLib/help/mount.cifs
if [ -x /home/webLib/help/mount.cifs ]; then
    cp /home/webLib/help/mount.cifs /sbin/
    rm /home/webLib/help/mount.cifs
fi
[ -f /home/webLib/help/mount.nfs ] && chmod +x /home/webLib/help/mount.nfs
if [ -x /home/webLib/help/mount.nfs ]; then
    cp /home/webLib/help/mount.nfs /sbin/
    rm /home/webLib/help/mount.nfs
    ln -sf /sbin/mount.nfs /sbin/mount.nfs4
    ln -sf /sbin/mount.nfs /sbin/umount.nfs
    ln -sf /sbin/mount.nfs /sbin/umount.nfs4
fi

# Kernel fs modules (ext2/3/4 and their jbd/jbd2/mbcache dependencies) for the
# ext2 image on the SD card. Runs in the background and waits until the stock
# /home/modules/3.10.73+ tree is gone before populating it.
instmodules(){
    until [ ! -d /home/modules/3.10.73+/ ]
    do
        sleep 1
    done
    mkdir -p /home/modules/3.10.73+/kernel/fs/ext2
    mkdir -p /home/modules/3.10.73+/kernel/fs/ext3
    mkdir -p /home/modules/3.10.73+/kernel/fs/ext4
    mkdir -p /home/modules/3.10.73+/kernel/fs/jbd
    mkdir -p /home/modules/3.10.73+/kernel/fs/jbd2
    cp /home/webLib/help/modules.dep /home/modules/3.10.73+/
    rm /home/webLib/help/modules.dep
    cp /home/webLib/help/ext2.ko /home/modules/3.10.73+/kernel/fs/ext2/
    rm /home/webLib/help/ext2.ko
    cp /home/webLib/help/ext3.ko /home/modules/3.10.73+/kernel/fs/ext3/
    rm /home/webLib/help/ext3.ko
    cp /home/webLib/help/ext4.ko /home/modules/3.10.73+/kernel/fs/ext4/
    rm /home/webLib/help/ext4.ko
    cp /home/webLib/help/jbd.ko /home/modules/3.10.73+/kernel/fs/jbd/
    rm /home/webLib/help/jbd.ko
    cp /home/webLib/help/jbd2.ko /home/modules/3.10.73+/kernel/fs/jbd2/
    rm /home/webLib/help/jbd2.ko
    cp /home/webLib/help/mbcache.ko /home/modules/3.10.73+/kernel/fs/
    rm /home/webLib/help/mbcache.ko
}
instmodules &

# Hook for user commands; created empty, make it executable to have it run
[ -f /davinci/extra_init ] || echo "" > /davinci/extra_init

# Keep the dropbear host key on persistent storage so it survives reboots
mkdir -p /davinci/dropbear
rm -rf /etc/dropbear
ln -sf /davinci/dropbear /etc/dropbear

# Retire the protected shell; the repacked busybox carries psh as an applet
[ -f /bin/psh.old ] || mv /bin/psh /bin/psh.old

[ -f /home/webLib/help/busybox ] && chmod +x /home/webLib/help/busybox
if [ -x /home/webLib/help/busybox ]; then
    cp -f /home/webLib/help/busybox /bin/
    rm /home/webLib/help/busybox
    busybox --install -s
    rm /bin/psh.old
fi

# Customizable profile, kept on /davinci and created on first boot
if [ ! -e /davinci/profile ]; then
    echo "#!/bin/sh" > /davinci/profile
    echo "" >> /davinci/profile
    echo "PATH=.:/usr/bin:/bin:/sbin:/usr/sbin:/opt/bin:/opt/sbin:/opt/usr/bin:/opt/usr/sbin" >> /davinci/profile
    echo "LD_LIBRARY_PATH=/lib:/usr/lib:/opt/lib" >> /davinci/profile
    echo "" >> /davinci/profile
    echo "source /etc/sh_tmo" >> /davinci/profile
    chmod 755 /davinci/profile
fi
rm -f /etc/profile
ln -s /davinci/profile /etc/profile

[ -x /davinci/extra_init ] && /davinci/extra_init

# Customizable late_init: run in the background if present, otherwise created
# as a commented template
if [ -x /davinci/late_init ]; then
    /bin/sh /davinci/late_init > /dev/null &
fi
if [ ! -e /davinci/late_init ]; then
    echo "#!/bin/sh" > /davinci/late_init
    echo "#change sleep to a suitable value, for me at least 40 seconds necessary" >> /davinci/late_init
    echo "#sleep 40" >> /davinci/late_init
    echo "#start some commands here, e.g." >> /davinci/late_init
    echo "#mount --bind /mnt/mmc01/apt /opt" >> /davinci/late_init
    echo "#mount -a" >> /davinci/late_init
    echo "#/opt/etc/init.d/init.sh" >> /davinci/late_init
    chmod 755 /davinci/late_init
fi

# Customizable crontab
mkdir -p /var/spool/cron/
if [ ! -d /davinci/crontabs ]; then
    mkdir /davinci/crontabs
    touch /davinci/crontabs/admin
fi
ln -s /davinci/crontabs /var/spool/cron/crontabs

# Customizable fstab
if [ -e /davinci/fstab ]; then
    ln -sf /davinci/fstab /etc/fstab
else
    touch /davinci/fstab
fi

# Start dropbear; -R creates host keys in /etc/dropbear as required
dropbear -R
#-------

Do you know how to unpack the hImage? What kind of file is it? I saw on the internet something about ubifs and binwalk to extract files, and so on...

Thank you for your patience!
 
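One thing the initstart.sh above does not do: the helper binaries staged in /home/webLib/help are copied onto the root PATH on every boot with nothing checking that they are the files that were packed. Added example, not mcpat's or montecrypto's code: an install step that compares each file's SHA-256 against a manifest before copying it into place and discards it on mismatch. The staging directory, the manifest name and format (sha256sum's layout), the destination and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# install_verified: copy a staged helper binary into place only if its SHA-256
# matches a manifest that was packed together with it. Added example, not part
# of the initstart.sh above. Staging dir, manifest and destination are
# assumptions; on the camera they would be /home/webLib/help, a SHA256SUMS file
# made with "sha256sum * > SHA256SUMS" at packing time, and /bin or /sbin.

# sha256_of FILE -> hex digest (coreutils or busybox sha256sum, else BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified STAGING MANIFEST NAME DEST
# MANIFEST lines have sha256sum's layout: "<hex digest>  <name>".
# Returns 0 when NAME was installed into DEST and removed from STAGING,
#         1 when STAGING/NAME does not exist (nothing to do on a later boot),
#         2 when the digest is missing from MANIFEST or does not match; the
#           staged file is deleted so nothing else can pick it up.
install_verified() {
    staging=$1 manifest=$2 name=$3 dest=$4
    src="$staging/$name"
    [ -f "$src" ] || return 1
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest" 2>/dev/null)
    have=$(sha256_of "$src")
    if [ -z "$want" ] || [ "$have" != "$want" ]; then
        rm -f "$src"
        return 2
    fi
    cp -f "$src" "$dest/$name" && chmod 755 "$dest/$name" && rm -f "$src"
}

# Stand-alone demo on a constructed staging tree: sqlite3 is intact, ldd was
# replaced after the manifest was written. Prints the outcome of each step.
demo_verified_install() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/help" "$t/bin"
    printf '#!/bin/sh\necho sqlite3 stub\n' > "$t/help/sqlite3"
    printf '#!/bin/sh\necho ldd stub\n' > "$t/help/ldd"
    # manifest made at packing time, before the tree ships
    ( cd "$t/help" && for f in sqlite3 ldd; do
          printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done ) > "$t/SHA256SUMS"
    printf '#!/bin/sh\necho evil\n' > "$t/help/ldd"     # tampered after packing
    r1=0; install_verified "$t/help" "$t/SHA256SUMS" sqlite3 "$t/bin" || r1=$?
    r2=0; install_verified "$t/help" "$t/SHA256SUMS" ldd "$t/bin" || r2=$?
    r3=0; install_verified "$t/help" "$t/SHA256SUMS" ldd "$t/bin" || r3=$?
    installed=$([ -x "$t/bin/sqlite3" ] && echo yes || echo no)
    tampered=$([ -e "$t/bin/ldd" ] && echo yes || echo no)
    left=$(ls "$t/help" | wc -l | tr -d ' ')
    rm -rf "$t"
    echo "sqlite3=$r1 ldd=$r2 ldd_again=$r3 installed=$installed tampered_installed=$tampered staged_left=$left"
}

demo_verified_install   # sqlite3=0 ldd=2 ldd_again=1 installed=yes tampered_installed=no staged_left=0
```

In the init script each `cp /home/webLib/help/X ...; rm /home/webLib/help/X` pair would become one `install_verified /home/webLib/help /home/webLib/help/SHA256SUMS X /bin` call. The manifest itself is only as trustworthy as the firmware image it ships in, which is exactly the thing integrity-checked by the new_10.bin manifest mentioned earlier in the thread, so the chain closes there.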
Do you know how to unpack the hImage?
It's a uImage, but with a Hikvision-specific header instead.
binwalk is a powerful tool to establish start points of interest for the different sections.
I've found that the -e (extract) option is a bit hit and miss, but handy for getting info on the contents.
Each case needs some inspection: is the kernel compressed, does it include an initfs, what type of compression is used, what type of file systems are used for the data, what sections are there besides the kernel, etc.

I do have a boiler-plate shell script that I use for various flavours of uImage or hImage.
It's as much a memory-jogger as anything, with remnants from all over, and I make zero claims about the style or technical content. As I said - I'm not a coder.
And there is nothing in it that can't be easily deduced from the original firmware.
See attached a couple of samples.
 


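Before reaching for binwalk's extractor, the fixed header of a legacy uImage already tells you where the payload starts, how large it is and how it is compressed, which is most of the inspection list above. Added example, not the boiler-plate script from the post: a POSIX sh walker for the standard 64-byte U-Boot header plus a dd carve of the payload. The thread does not document the Hikvision-specific hImage header, so this handles only the plain uImage layout; the sample image it builds is constructed for the demo.

```sh
#!/bin/sh
# Walk the 64-byte legacy U-Boot uImage header (all fields big-endian) and
# report where the payload starts, how large it is and how it is compressed:
# the "start points of interest" binwalk would flag. Added example, not the
# boiler-plate script from the post. The Hikvision hImage header is not
# described in the thread, so only the standard layout is handled.
# Needs POSIX sh, od and dd.
#
# offset size field                  offset size field
#   0     4   magic 0x27051956        20     4   entry point
#   4     4   header CRC32            24     4   data CRC32
#   8     4   timestamp               28     1   OS (5 = Linux)
#  12     4   data size               29     1   arch (2 = ARM)
#  16     4   load address            30     1   image type, 31 1 compression
#  32    32   image name, NUL padded; payload follows at offset 64

be32() {  # be32 FILE OFFSET -> decimal value of the big-endian u32 at OFFSET
    h=$(od -An -tx1 -j "$2" -N 4 "$1" | tr -d ' \n')
    echo $((0x$h))
}
u8() {    # u8 FILE OFFSET -> decimal value of the byte at OFFSET
    h=$(od -An -tx1 -j "$2" -N 1 "$1" | tr -d ' \n')
    echo $((0x$h))
}

uimage_magic_ok() { [ "$(be32 "$1" 0)" -eq $((0x27051956)) ]; }
uimage_data_size() { be32 "$1" 12; }
uimage_load_addr() { printf '0x%08x\n' "$(be32 "$1" 16)"; }
uimage_name() { dd if="$1" bs=1 skip=32 count=32 2>/dev/null | tr -d '\0'; }
uimage_type() {
    case $(u8 "$1" 30) in
        2) echo kernel ;; 3) echo ramdisk ;; 4) echo multi ;; 5) echo firmware ;;
        *) echo other ;;
    esac
}
uimage_comp() {
    case $(u8 "$1" 31) in
        0) echo none ;; 1) echo gzip ;; 2) echo bzip2 ;; 3) echo lzma ;;
        4) echo lzo ;;  5) echo lz4 ;;  6) echo zstd ;;  *) echo unknown ;;
    esac
}

# uimage_carve IMAGE OUT: copy data_size bytes from offset 64 into OUT, ready
# for gunzip/unlzma/binwalk. A multi-file image (type 4) carries a table of
# sub-image sizes first and would need that parsed as well.
uimage_carve() {
    dd if="$1" of="$2" bs=1 skip=64 count="$(uimage_data_size "$1")" 2>/dev/null
}

# uimage_info IMAGE: one-line summary; returns 1 if the magic does not match.
uimage_info() {
    uimage_magic_ok "$1" || { echo "not a uImage: $1"; return 1; }
    printf '%s: %s %s, %s bytes at offset 64, load %s, name "%s"\n' "$1" \
        "$(uimage_comp "$1")" "$(uimage_type "$1")" "$(uimage_data_size "$1")" \
        "$(uimage_load_addr "$1")" "$(uimage_name "$1")"
}

# mk_sample_uimage OUT: constructed 80-byte image (header of a gzip'd ARM Linux
# kernel, 16-byte dummy payload) so the walker can be tried without firmware.
mk_sample_uimage() {
    {
        printf '\047\005\031\126\000\000\000\000\000\000\000\000\000\000\000\020'
        printf '\200\000\200\000\200\000\200\000\000\000\000\000\005\002\002\001'
        printf 'Linux-3.10.73'; dd if=/dev/zero bs=1 count=19 2>/dev/null
        printf '0123456789abcdef'
    } > "$1"
}

img=$(mktemp); mk_sample_uimage "$img"
uimage_info "$img"   # ...: gzip kernel, 16 bytes at offset 64, load 0x80008000, name "Linux-3.10.73"
rm -f "$img"
```

On a real image the interesting checks are whether the data size actually fits the file (a header whose size field overruns the file is either a different format or a vendor header in front of the real uImage) and whether the compression byte agrees with what `binwalk` reports at offset 64. The two CRC32 fields are not verified here; `crc32` from busybox or Python can do that once you know the header is genuine.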
Wow! Thank you! Ok, I think I'm also not a coder... Maybe I'll leave it as it is with the initscript. It works and it was easy to make... But next week I have some spare time, maybe I'll try something. Thank you again!
 
APT-GET/DPKG(-DEB)
Everyone (I hope) knows apt-get from the big players like Debian. I am testing this on my cam; what should I say, it works...

Open points:
*test download/install/update/remove from repository
*test installation from the official Debian repository (max. jessie; other versions are too new, because we are limited by the installed libc6 and so on)

Tested:
* read repository
* checks repository key via gpgv successfully
* tar v1.30 (needed for apt)
* bash v4.4 (needed for dehydrated = get SSL certificates from letsencrypt)
* gpg and gpgv v1.4.23 (needed for apt)
* openssl v1.1.0h (needed for dehydrated)
* apt (apt-get, apt-cache, apt-mark) v1.0.10.2ubuntu1 (partly tested)
* dpkg v1.16.18 (partly tested, needed for apt)

apt-get.png
 
@mcpat - your work is impressive, I like the Let's Encrypt support, like a cherry on top :) respect!

can you please advise upgrade path, from which Hikvision firmware version should I flash to your version?
 
Thank you!

can you please advise upgrade path, from which Hikvision firmware version should I flash to your version?

My cam already came with 5.5.0, so I suggest upgrading with the official 5.5.0 and then with my patched firmware. For letsencrypt you need a couple of files which I haven't released yet (some tests are outstanding).

For upgrading with the patch I used the tools from Hikvision, did a batch update and selected my cam there.

For letsencrypt you need curl, bash and OpenSSL and a place where you store the files (either a nfs mount, or a binary ext2 image located on the SD, or maybe if there is enough space then /davinci).

I bricked my cam during trial and error; then you need tftpd (search here in the forum) and the official firmware with the same version as printed on the sticker on the cam.

My patch should be safe, so I don't expect a brick...
 
You can try to mount any "share" to /opt and copy the files from here to /opt. Edit the files in /opt/etc/dehydrated, then run "dehydrated --cron". Please report if it is working.
 
For the full busybox (on NVRs, I haven't bothered on cameras) I added a generic busybox to the cramfs.img in the firmware and dynamically installed it with a modified start.sh so the change is permanent

Hi, can you provide the start.sh for busybox?
 
[quoting mcpat's first post in its 2018-06-27 revision (source firmware IPC_R6_ML_STD_5.5.0_170725); the content is the same as the first post above]

Hi, can you make an xvr NVR DVR open SSH?