[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Discussion in 'Hikvision' started by montecrypto, Dec 23, 2016.

  1. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,045
    Likes Received:
    3,490
    Location:
    Scotland
    Interesting - I never thought to try that.
     
  2. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    Code:
    $ ../hik_repack -u digicap_en.dav en
    HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015
    
    *
    + This seems to be a HK30 crypted file, unpacking HK30:
    + This seems to be a 007A0000 device
    + This is HK30 format version 2, no repacking possible (RSA-key protected).
    * _cfgUpgClass
    * uImage
    * initrun.sh
    * r7_app.tar.gz
    * g0_app.tar.gz
    * IEfile.tar.gz
    * help.tar.gz
    * SoftwareLicense.txt
    * cap.json
    * g0_modules.tgz
    * mpp_modules.tgz
    * libr7_isp_ipc.so.tar.gz
    * libcrypto.so.tar.gz
    * libzoomcam_ipc.so.tar.gz
    $ ../hik_repack -u digicap_cn.dav cn
    HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015
    
    *
    + This seems to be a HK30 crypted file, unpacking HK30:
    + This seems to be a 007A0100 device
    HK30 subcrc check error! -1
    + This is HK30 format version 2, no repacking possible (RSA-key protected).
    * _cfgUpgClass
    * uImage
    * initrun.sh
    * r7_app.tar.gz
    * g0_app.tar.gz
    * IEfile.tar.gz
    * help.tar.gz
    * SoftwareLicense.txt
    * cap.json
    * g0_modules.tgz
    * mpp_modules.tgz
    * libr7_isp_ipc.so.tar.gz
    * libcrypto.so.tar.gz
    * libzoomcam_ipc.so.tar.gz
    $ cd en
    $ tar -xzvf g0_app.tar.gz
    libdadsp.so
    hikdsp.lzma
    sound.tar.gz
    libsmart264.so
    r7_isp_config.tar.gz
    pppd
    pppoe
    pppoed
    da_info
    t1
    execSystemCmd
    ss
    GBK
    ASC16
    HZK32
    ASC32.bin
    ptzCfg.bin
    process/
    process/davinci_bak
    process/net_process.lzma
    process/daemon_fsp_app
    process/database_process.lzma
    process/hostapd.lzma
    applib/
    applib/libsqlite3.so.lzma
    applib/libiconv_utf8Gbk.so.lzma
    applib/libipc_unix.so
    applib/libfsp_base.so.lzma
    applib/libosip2.so.lzma
    applib/libosipparser2.so.lzma
    applib/libhikosip.so.lzma
    applib/libispfrontc.so
    applib/libremote_dbg.so
    applib/libsave_alarminfo.so
    applib/libpassenger_info.so
    $ ../../hik_repack -u process/davinci_bak dav
    HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015
    
    *
    + This seems to be a HK30 crypted file, unpacking HK30:
    + This seems to be a 00650100 device
    + This is HK30 format version 2, no repacking possible (RSA-key protected).
    * davinci.lzma
    $ lzma -df dav/davinci.lzma
    
    
    I don't see much sense in repacking though, as the Uboot bootloader does RSA verification of the firmware and we don't have the hik private key to sign the firmware.
     
  3. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    147
    Likes Received:
    4
    Yes and I still search solution...
     
  4. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders
    Unpack then repack the old way, pre 5.5? Or manually dump the davinci_bak onto the cam.
     
  5. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    But then the RSA signature in the HK30 V2 header is invalid and the firmware file will get rejected. As far as I remember, an older firmware file without RSA signature doesn't get accepted. So there is no way without patching and flashing the uboot loader, which is quite risky, as upon failure the camera is bricked without a working bootloader, if you don't have an EEPROM flasher available.
     
  6. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders
    I can go up and down 5.3 all the way to 5.5 manually (and back) by dumping uImage/dav onto the mtdparts. (I have trashed the cam a few times lol)

    Are you saying at a certain point of a normal update to 5.5 it would have updated the signature in uboot?

    And if so I have a 5.3 G0 cam here I could dump the uboot nand partition for?
     
  7. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    Hm, directly dumping the files onto the MTD might work fine. But if you do that, there is no sense in creating a digicap.dav file, as you won't need it with your method anyway, if I understand correctly? So repacking digicap.dav itself would still be useless?
    I just once had a cam where the firmware flashing mechanism refused to take the file, as it wasn't properly signed.
    I must admit that I don't have any G0 camera available.
     
  8. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders
    My current issue at this time is, I cannot repack davinci_bak. If I can do that I can get a method to cleanly make the cam ML. Current modification is messy (but does work).

    From what you have said that issue is solved using your new re-pack? (e.g. davinci_bak can be unpacked and repacked correctly for the cam's daemon_fsp_app)


    Moving on a step. It would be nice to do a full update either with a full re-pack or to disable protection, either via web interface or via uboot (web interface does not currently let you downgrade).
     
    Last edited: Jul 5, 2019
  9. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    Well, davinci_bak also uses the firmware pack format which contains an RSA signature, and daemon_fsp_app verifies it against this signature. So you need to patch daemon_fsp_app to let firm_data_verify return 0 and then repack daemon_fsp_app.
    That should work, but it still involves patching of course.
     
    Last edited: Jul 5, 2019
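    The edit leecher describes, making firm_data_verify in daemon_fsp_app return 0, comes down to locating the function in the ELF and overwriting its first instructions with a "return 0" stub. The script below is an added example, not code from the thread or from hik_repack, and it works on a synthetic ELF constructed inside the script rather than on a real daemon_fsp_app. It assumes a plain, already decrypted, little-endian ELF32 ARM binary whose .symtab or .dynsym still carries the symbol (a stripped binary needs the address found by disassembly instead; the function name firm_data_verify is the one named in this thread). As later posts in the thread point out, the kernel checks daemon_fsp_app's integrity before handing it the decryption key, so this patch on its own gets detected unless the kernel is patched as well.

```python
# Added example: patch a named function in an ELF32 ARM binary to return 0 immediately.
# Not from the thread or from hik_repack; the sample ELF below is constructed here.
import struct

ARM_RET0   = bytes.fromhex("0000a0e3" "1eff2fe1")   # mov r0, #0 ; bx lr   (ARM state)
THUMB_RET0 = bytes.fromhex("0020" "7047")            # movs r0, #0 ; bx lr  (Thumb state)
SHT_SYMTAB, SHT_DYNSYM, SHT_NOBITS = 2, 11, 8
SH_FIELDS = ("name", "type", "flags", "addr", "offset", "size", "link", "info", "addralign", "entsize")

def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode()

def elf32_sections(img):
    """Parse the section header table of a little-endian ELF32 image."""
    if img[:4] != b"\x7fELF" or img[4] != 1 or img[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_shoff,) = struct.unpack_from("<I", img, 0x20)
    e_shentsize, e_shnum = struct.unpack_from("<HH", img, 0x2E)
    return [dict(zip(SH_FIELDS, struct.unpack_from("<10I", img, e_shoff + i * e_shentsize)))
            for i in range(e_shnum)]

def find_symbol(img, name):
    """Return (st_value, st_size) for `name` from .symtab or .dynsym, or None if absent."""
    secs = elf32_sections(img)
    for sec in secs:
        if sec["type"] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = secs[sec["link"]]
        for off in range(sec["offset"], sec["offset"] + sec["size"], 16):  # sizeof(Elf32_Sym) == 16
            st_name, st_value, st_size = struct.unpack_from("<III", img, off)
            if _cstr(img, strtab["offset"] + st_name) == name:
                return st_value, st_size
    return None

def vaddr_to_offset(secs, vaddr):
    """Map a virtual address to a file offset through the section that contains it."""
    for sec in secs:
        if sec["addr"] and sec["type"] != SHT_NOBITS and sec["addr"] <= vaddr < sec["addr"] + sec["size"]:
            return sec["offset"] + (vaddr - sec["addr"])
    raise ValueError("address 0x%x is not backed by file data" % vaddr)

def patch_return0(img, name):
    """Overwrite the start of function `name` with a 'return 0' stub; returns the patched image."""
    sym = find_symbol(img, name)
    if sym is None:
        raise KeyError("symbol %s not found (stripped binary? locate it by disassembly instead)" % name)
    vaddr, size = sym
    stub = THUMB_RET0 if vaddr & 1 else ARM_RET0   # ARM ELF marks Thumb functions with bit 0 of st_value
    if size and size < len(stub):
        raise ValueError("function too small for the stub")
    off = vaddr_to_offset(elf32_sections(img), vaddr & ~1)
    out = bytearray(img)
    out[off:off + len(stub)] = stub
    return bytes(out)

def build_sample_elf():
    """Constructed sample input: a minimal ELF32 ARM image with main and firm_data_verify in .text."""
    text_addr = 0x10000
    text = bytes.fromhex("0000a0e1") * 16                   # 64 bytes of 'mov r0, r0' (nop)
    strtab = b"\0firm_data_verify\0main\0"                 # names at string offsets 1 and 18
    shstrtab = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"    # names at 1, 7, 15, 23
    def sym(name_off, value, size):                          # STB_GLOBAL | STT_FUNC, section 1 (.text)
        return struct.pack("<IIIBBH", name_off, value, size, 0x12, 0, 1)
    symtab = b"\0" * 16 + sym(1, text_addr + 0x20, 0x20) + sym(18, text_addr, 0x20)
    body, offs = b"", {}
    for key, blob in (("text", text), ("symtab", symtab), ("strtab", strtab), ("shstrtab", shstrtab)):
        body += b"\0" * ((-(0x34 + len(body))) % 4)          # 4-byte align each blob after the 52-byte header
        offs[key] = 0x34 + len(body)
        body += blob
    body += b"\0" * ((-(0x34 + len(body))) % 4)
    shoff = 0x34 + len(body)
    def sh(*fields):
        return struct.pack("<10I", *fields)
    shdrs = (sh(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + sh(1, 1, 6, text_addr, offs["text"], len(text), 0, 0, 4, 0)         # .text PROGBITS AX
             + sh(7, SHT_SYMTAB, 0, 0, offs["symtab"], len(symtab), 3, 1, 4, 16)   # link -> .strtab (#3)
             + sh(15, 3, 0, 0, offs["strtab"], len(strtab), 0, 0, 1, 0)
             + sh(23, 3, 0, 0, offs["shstrtab"], len(shstrtab), 0, 0, 1, 0))
    # e_ident, then e_type=EXEC, e_machine=ARM(40), version, entry, phoff, shoff, flags, ehsize, ...
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, text_addr, 0, shoff, 0x5000000, 0x34, 0, 0, 40, 5, 4)
    return ehdr + body + shdrs

if __name__ == "__main__":
    img = build_sample_elf()
    vaddr, _ = find_symbol(img, "firm_data_verify")
    patched = patch_return0(img, "firm_data_verify")
    off = vaddr_to_offset(elf32_sections(img), vaddr)
    print("firm_data_verify at 0x%x, file offset 0x%x, now: %s" % (vaddr, off, patched[off:off + 8].hex()))
```

    Run it on a real binary by replacing build_sample_elf() with open("daemon_fsp_app", "rb").read(); if the function is reached through a PLT or the binary is stripped, find_symbol returns None and the address has to come from a disassembler. Thumb functions get the 4-byte Thumb stub and ARM functions the 8-byte ARM stub, since overwriting with the wrong encoding would leave garbage instructions.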
  10. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders
    I don't know at this time lol ... the current situation is I have a davinci that is modified for ML on 5.5+ firmware. It works but is injected in a bad way. I do not know what daemon_fsp_app actually does other than unpack. Every firmware version would need that davinci and of course the daemon_fsp_app modified to make a Chinese cam ML.

    If daemon_fsp_app is only an unpacker then turning off RSA would do no harm, possibly an easier option. This would make manipulating davinci easier.

    Currently many of these grey market G0's are sitting with the original ML firmware that was supplied so any progress is something lol


    BTW G1 has been modded for unsigned firmwares: Unrestricted root shell on G1 cameras

    I have some of the hisilicon SDK's for the cams but not looked at u-boot's yet.
     
  11. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    What do you mean by: "injected in a bad way"?
     
  12. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,045
    Likes Received:
    3,490
    Location:
    Scotland
    I have a recollection that when daemon_fsp_app issues the ioctl to request the decryption key, the kernel does an integrity check on daemon_fsp_app such that patching it causes an abort. I didn't spend much time exploring that, on older firmware, need to check what version.
     
  13. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    Correct, daemon_fsp_app gets verified via RSA key in kernel (by matching on name /home/process/daemon_fsp_app), so modification of it will get detected, if kernel isn't patched. Grep for string /(/-e/0r/#%s3/$!em/ etc. in kernel to find the routine. This routine also does the decryption of it.
    That's why I think that repacking doesn't make any sense on RSA crypted firmware versions, you'd have to patch everything anyway and cannot produce a valid firmware image file that would be accepted by unpatched firmware.
     
    alastairstevenson likes this.
  14. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders
    Original davinci is killed in initrun.sh after decryption/execution by daemon_fsp_app. Then modified davinci is started up.

    See below (I did think about patching it while it was an active process in memory, but thought it would be difficult)
     
    Last edited: Jul 6, 2019
  15. mrpeenut24

    mrpeenut24 n3wb

    Joined:
    Jun 7, 2019
    Messages:
    4
    Likes Received:
    9
    Location:
    Everywhere
    Awesome! Thanks very much leecher! Found your tool, got a 32bit libssl/libcrypto build env, and modified initrun.sh to replace psh with sh. I have a working busybox /bin/sh shell. :)

    Code:
    # help
    Built-in commands:
    ------------------
        . : [ [[ alias bg break cd chdir command continue echo eval exec
        exit export false fg getopts hash help jobs kill let local printf
        pwd read readonly return set shift source test times trap true
        type ulimit umask unalias unset wait
    
    # ls /bin
    CloseLaser                getMenuBufErrInfo         setAgingMode
    EnlargeCur                getMenuInfo               setAgingTime
    InitAutoLens              getModuleVer              setAlarm
    InqCurMotDirect           getMotion                 setAppwebDebug
    InqCurrent                getMtu                    setBrightnessInhibition
    InqSwitch                 getNetConnInfo            setCamlowtempthrethold
    InqWaveLen                getOperationLog           setCurAngleV
    InquireFanSwitch          getPacketType             setDebug
    LaserMotDirect            getPort                   setDevOldTest
    LaserMotReset             getPreviewStatus          setDevcmd
    LaserTeleOffset           getPreviewStatus_inner    setFanMode
    LaserWideOffset           getPsLen                  setFanPwm
    ReduceCur                 getQP                     setFanTemp
    SetCur                    getRevertTime             setFtpService
    SetMotorKeySpeed          getRtcpStatus             setGateway
    StartLaser                getRtpLen                 setHeatTemp
    TestCurve                 getSelfCheck              setHighTempProtect
    TestOver                  getSelfcheckResult        setIp
    [                         getSerUsingWays           setIrMode
    [[                        getShutterLevel           setIrcmd
    aflibDebug                getSlaveInfo              setIvsKeyParam
    ash                       getSpecialIris            setLBS
    awk                       getSubRtpLen              setLaserMode
    bash                      getTmpCtrlInfo            setLowDelayMode
    btools                    getUserOnlineInfo         setMcuPrtLevel
    busybox                   getVCAVersion             setMtu
    camCmd                    getVehiclePos             setOpenSdkLogLevel
    cat                       getWifiInfo               setPacketType
    check_rs232               getWifiStat               setPatternCorrect
    chmod                     getisp                    setPort
    cloudService              gunzip                    setPsLen
    copyAlarmInfo             gzip                      setQP
    cp                        help                      setRectFrame
    da_info                   hiddrs                    setRevertTime
    date                      hier                      setRoute
    dayICR                    hiew                      setRtcpStatus
    debugLog                  hil2s                     setRtpLen
    df                        himc                      setSelfCheck
    diagnose                  himd                      setSerial485Status
    dm365                     himd.l                    setShutterLevel
    dmesg                     himm                      setSignalMode
    dspStatus                 iostat                    setSignalVoData1
    du                        iperf                     setSpecialIris
    echo                      itfDbg                    setSubRtpLen
    env                       jxsorel                   setTempCtrlMode
    execSystemCmd             kill                      setTestSpeed
    false                     ln                        setUpgradeTime
    free                      login                     setV6ip
    frontlib_isp_cmd_test     ls                        setVehiclePos
    fsync                     lzcat                     setWifiEnable
    gcovTest                  lzma                      setWlan
    gdbcfg                    mkdir                     setYTLock
    getAEWindow               mknod                     setisp
    getAgingMode              mount                     sh
    getAgingTime              mpstat                    showDefence
    getAlarmHandleInfo        mv                        showKey
    getAlarmStatus            netstat                   showServer
    getAppwebCallocReport     network_deamon            showStatus
    getAppwebStatus           nightICR                  showUpnp
    getBrightnessInhibition   outputClose               sleep
    getCamDbgPara             outputOpen                ss
    getCamLowtempState        ping                      startSaveAlarmInfo
    getCamVer                 ping6                     stopSaveAlarmInfo
    getCapaInfo               pmap                      stty
    getCorrInfo               pppd                      superOpt
    getCurAngle               pppoe                     sync
    getDebug                  pppoed                    sysflg
    getDevInfo                printPart                 syslog
    getDevVer                 printPartFile             t1
    getFrontlibDspVersion     prtHardInfo               tail
    getFrontlibVersion        prtLensCurve              tar
    getHighTempProtectConfig  prtLockList               taskShow
    getIp                     prtMenuTestInfo           test
    getIrMode                 ps                        testDspFun
    getIrstate                psh                       testOneKey
    getIvsKeyParam            pwd                       testOneKeyStart
    getLaserMode              recover_mtd               top
    getLensCurve              resetParam                touch
    getLowDelayMode           resetPasswd               true
    getMDInfo                 rm                        umount
    getMcuInfo                rtw_cal                   unlzma
    getMcuStateInfo           sdDataCheck               wifi.sh
    getMcuVer                 sed                       wl
    getMemInfo                semShow                   zcat
    #
    
    # ls /dav
    MOTOR_APP          _cfgUpgClass       initrun.sh         sound
    MOTOR_APP1         cap.json           lost+found         sysVersion.bin
    MOTOR_APP2         hik_ar9331.bin     r7_app.tar.gz      webLib
    WebComponents.exe  hik_ar9331_1.bin   r7_modules.tgz
    # ls /home
    applib              pidfile             ptzCfg.bin          sound
    flash_eraseall      pppoe               r7_isp_config       spiflash_read_file
    info.json           pppoed              r7_module           ss
    initrun.sh          process             serialCom           t1
    #
    
     
    rearanger and alastairstevenson like this.
  16. leecher

    leecher n3wb

    Joined:
    Jul 5, 2019
    Messages:
    13
    Likes Received:
    14
    Location:
    Vienna
    Thanks, hik_repack 0.8 now added support for G1 cams.
    Repacking-support for these RSA-crypted models was now also added, but as mentioned above, it doesn't make any real sense, as RSA signature cannot be calculated due to unknown RSA public key.
     
  17. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    147
    Likes Received:
    4
    Where can we download it?
     
  18. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders


    v0.7 of your unpacker unpacks 5.5.81 or 82 fine but below, on pre IPC_G0_CN_STD_5.5.53_180716 … unsure if it's a bug.

    Just doing some work on PC_G0_EN_STD_5.5.82_190130, your unpacker does a great job on that.

    Thanks
     
  19. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    147
    Likes Received:
    4
    But is there any chance to unpack and modify FW to write it to a China G0 platform camera?
     
  20. rearanger

    rearanger Getting the hang of it

    Joined:
    Feb 10, 2016
    Messages:
    131
    Likes Received:
    40
    Location:
    Scottish Borders