[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Configuration files seem to be handled in various ways, including tagging with MAC address and other camera-specific data.
If your sample file is handled in a similar way to configuration files from other series, the original Sqllite3 files is AES encrypted (was aes-128-ecb, now presumably improved after this NVD - CVE-2017-7923), XOR-encoded and some sort of expansion.

Though it's not something I've looked into much - maybe it should be a subject of interest.
After all, the 'crown jewels' are in the configuration file - plaintext everything, passwords, settings, the lot.

Attached is a decrypted copy of your file.
 

Attachments

  • Like
Reactions: haoxiaopang
Thanks @montecrypto for this tool - have had it working on some IPC's we have been fiddling about with which is nice.

.... however, we're having issues getting it to work on the following firmware: Bazeline Firmware_DVR_71_72_73_81HQH-FN__72_76HUH-FN series, which is found here (6th one down): Hikvision Australia

The following command:
root@ash-Dell-1464:~/DVR_FW/pass2# ./hikpack -t r1 -x digicap.dav -o tmp

Returns the following:
Magic : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg :
File: cramfs.img, CRC OK
WARN: File size mismatch, expected: 14651904, actual: 45340160
Extra tail at the end of dav, 30688256 bytes


I am very keen to get this particular FW unpacked/repacked so am wondering if anyone can shed some light on this .... or are we simply attempting to unpack an (as yet, but soon to be I hope!) unsupported version of firmware?

... and if this is indeed the case, what, if anything, can be done to help with getting it supported?
 
Last edited:
I am very keen to get this particular FW unpacked/repacked so am wondering if anyone can shed some light on this .... or are we simply attempting to unpack an (as yet, but soon to be I hope!) unsupported version of firmware?
It's one of those weird firmware images that consist of multiple instances of what would normally be the whole thing, I've no idea why, unless there are multiple independant processing facilities in the NVR with their own versions.
But there is much more to it than unpacking the firmware - the component files in the cramfs.img are encrypted and there is an encrypted manifest file with digests as anti-tamper protection.

But if you want to start exploring, you could split the digicap.dav down into its 3 components like so, which can then be handled with hikpack :
Code:
head -c 14651904 digicap.dav > FWpart1
tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
tail -c 16032256 digicap.dav > FWpart3
 
  • Like
Reactions: VorlonFrog
Configuration files seem to be handled in various ways, including tagging with MAC address and other camera-specific data.
If your sample file is handled in a similar way to configuration files from other series, the original Sqllite3 files is AES encrypted (was aes-128-ecb, now presumably improved after this NVD - CVE-2017-7923), XOR-encoded and some sort of expansion.

Though it's not something I've looked into much - maybe it should be a subject of interest.
After all, the 'crown jewels' are in the configuration file - plaintext everything, passwords, settings, the lot.

Attached is a decrypted copy of your file.
I decrypted the configuration file use AES-128-ECB AND a key 7AC66C0F148DE9519B8BD264312C4D64 (md5(abcdefg)) and XOR-decoded the file,but i don't known what to do next.
I open the Attachment, but i don't find plaintext.
Can you show some source code?
Thank you.
 
If it was decoded successfully, the result will be a SQLite3 database file, which can be opened with a database browser. The plaintext items are in the contents of the database.
 
I decrypted the configuration file use AES-128-ECB AND a key 7AC66C0F148DE9519B8BD264312C4D64 (md5(abcdefg)) and XOR-decoded the file,but i don't known what to do next.
I open the Attachment, but i don't find plaintext.

Show your decode script and attach your config files.
 
Sorry. Fix some problem on server with call whis function in php.
output file is diff than sql db file from ipc

from what ipc your file?
firmware version?
 
Last edited:
Sorry. Fix some problem on server with call whis function in php.
output file is diff than sql db file from ipc

from what ipc your file?
firmware version?
<model>DS-2CD3145F-IS</model>
<firmwareVersion>V5.3.9</firmwareVersion>
<firmwareReleasedDate>build 160612</firmwareReleasedDate>
<bootVersion>V1.3.4</bootVersion>
<bootReleasedDate>100316</bootReleasedDate>
<hardwareVersion>0x0</hardwareVersion>
 
It's one of those weird firmware images that consist of multiple instances of what would normally be the whole thing, I've no idea why, unless there are multiple independant processing facilities in the NVR with their own versions.
But there is much more to it than unpacking the firmware - the component files in the cramfs.img are encrypted and there is an encrypted manifest file with digests as anti-tamper protection.

But if you want to start exploring, you could split the digicap.dav down into its 3 components like so, which can then be handled with hikpack :
Code:
head -c 14651904 digicap.dav > FWpart1
tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
tail -c 16032256 digicap.dav > FWpart3


OK, so we had a go at this, and got a win and a loss.....


The good news : Was able to try the instructions and got no failures with hikpack.
The bad news: The files inside the cramfs.img are unreadable for all the 3 FWParts.

Logs for the bad news:

ashutosh@ashutosh-Inspiron-1464:~/DVR_FW/pass3/tmp1/mnt1$ tar --lzma -xvf gui_res.tar.lzma
xz: (stdin): File format not recognized
tar: Child returned status 1
tar: Error is not recoverable: exiting now
ashutosh@ashutosh-Inspiron-1464:~/DVR_FW/pass3/tmp1/mnt1$ file gui_res.tar.lzma
gui_res.tar.lzma: data


Logs for the successful unpack

ashutosh@ashutosh-Inspiron-1464:~/DVR_FW/pass3$ ./hikpack -t r1 -x FWpart1 -o tmp
Magic : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg :
File: cramfs.img, CRC OK

ashutosh@ashutosh-Inspiron-1464:~/DVR_FW/pass3$ ./hikpack -t r1 -x FWpart2 -o tmp2
Magic : 484b5753
hdr_crc : 00001d7a (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg :
File: cramfs.img, CRC OK

ashutosh@ashutosh-Inspiron-1464:~/DVR_FW/pass3$ ./hikpack -t r1 -x FWpart3 -o tmp3
Magic : 484b5753
hdr_crc : 00001d5e (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg :
File: cramfs.img, CRC OK

I'm assuming that the unreadable files is a result of them being encrypted .... any ideas on how we can decrypt them and make them useful?

Thanks.
 
I'm assuming that the unreadable files is a result of them being encrypted .... any ideas on how we can decrypt them and make them useful?
That is correct. Most of the files are encrypted with the DES_ecb3 cipher.
Fortunately, hikpack has the facility to handle that encryption, and has the key built in.
A worked example using one of the extracted firmware files :
Code:
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ ll
total 14320
drwxr-xr-x 2 alastair alastair     4096 Oct  2 09:18 ./
drwxr-xr-x 5 alastair alastair     4096 Sep 23 20:21 ../
-rw-r--r-- 1 alastair alastair 14651796 Sep 23 14:18 cramfs.img
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ mkdir ~/tmpmnt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ sudo mount -t cramfs cramfs.img ~/tmpmnt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ file ~/tmpmnt/*
/home/alastair/tmpmnt/gui_res.tar.lzma:  data
/home/alastair/tmpmnt/new_10.bin:        data
/home/alastair/tmpmnt/player.zip:        Zip archive data, at least v2.0 to extract
/home/alastair/tmpmnt/start.sh:          data
/home/alastair/tmpmnt/sys_app.tar.lzma:  data
/home/alastair/tmpmnt/uImage:            u-boot legacy uImage, Linux-3.10.0, Linux/ARM, OS Kernel Image (Not compressed), 3096056 bytes, Thu Jan  5 03:25:07 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0xA1F39057, Data CRC: 0x870572D4
/home/alastair/tmpmnt/WebComponents.exe: PE32 executable (GUI) Intel 80386, for MS Windows
/home/alastair/tmpmnt/webs.tar.lzma:     data
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ hikpack_2.5 -t k41 -d ~/tmpmnt/start.sh -o dec_start.sh
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ ll
total 14328
drwxr-xr-x 2 alastair alastair     4096 Oct  2 09:20 ./
drwxr-xr-x 5 alastair alastair     4096 Sep 23 20:21 ../
-rw-r--r-- 1 alastair alastair 14651796 Sep 23 14:18 cramfs.img
-rw-r--r-- 1 alastair alastair     4184 Oct  2 09:20 dec_start.sh
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ head dec_start.sh
#!/bin/sh
sdbg=$(/usr/bin/awk -F 'sdbg=' '{print substr($2,1,1)}' /proc/cmdline)
who=$(/usr/bin/awk -F 'who=' '{print substr($2,1,9)}' /proc/cmdline)
serverip=$(/usr/bin/awk -F: '{print $2}' /proc/cmdline)
echo "sdbg:$sdbg serverip:$serverip"

if [ "$sdbg" == "d" ];then
    echo  "DSP..........";
    exit;
fi
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ file *
cramfs.img:   Linux Compressed ROM File System data, little endian size 14651392 version #2 sorted_dirs CRC 0xaa380e31, edition 0, 3575 blocks, 9 files
dec_start.sh: POSIX shell script executable (binary data)
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $
 
small additive ;)
 

Attachments