t.ivanauskas
n3wb
- May 1, 2014
- 4
- 0
Can you write out the "hikpack" command step by step?
Yes, G0 platform. The new version of hikpack supports it. Attachment updated in the OP.
We published a report covering the hikpack tool on IPVM today. Here is a link for ipcamtalk readers to view it for free if you'd like: Hikvision Firmware Decrypted
Code:
hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
It's one of those weird firmware images that consist of multiple instances of what would normally be the whole thing, I've no idea why, unless there are multiple independent processing facilities in the NVR with their own versions.
I am very keen to get this particular FW unpacked/repacked so am wondering if anyone can shed some light on this .... or are we simply attempting to unpack an (as yet, but soon to be I hope!) unsupported version of firmware?
I decrypted the configuration file using AES-128-ECB and the key 7AC66C0F148DE9519B8BD264312C4D64 (md5(abcdefg)) and XOR-decoded the file, but I don't know what to do next.
Configuration files seem to be handled in various ways, including tagging with MAC address and other camera-specific data.
If your sample file is handled in a similar way to configuration files from other series, the original SQLite3 file is AES-encrypted (was aes-128-ecb, now presumably improved after this NVD - CVE-2017-7923), XOR-encoded and subject to some sort of expansion.
Though it's not something I've looked into much - maybe it should be a subject of interest.
After all, the 'crown jewels' are in the configuration file - plaintext everything, passwords, settings, the lot.
Attached is a decrypted copy of your file.
I decrypted the configuration file using AES-128-ECB and the key 7AC66C0F148DE9519B8BD264312C4D64 (md5(abcdefg)) and XOR-decoded the file, but I don't know what to do next.
I opened the attachment, but I didn't find plaintext.
Maybe my code is wrong.
Show your decode script and attach your config files.
I'm also trying to work out the decryption, what's the question with mcrypt_decrypt? Do you have a working alternative to the above PHP? I'd really like to study it.
mcrypt_decrypt ?
<model>DS-2CD3145F-IS</model>
Sorry. Fixed a problem on the server with calling this function in PHP.
The output file is different from the SQL DB file from the IPC.
What IPC is your file from?
firmware version?
It's one of those weird firmware images that consist of multiple instances of what would normally be the whole thing, I've no idea why, unless there are multiple independent processing facilities in the NVR with their own versions.
But there is much more to it than unpacking the firmware - the component files in the cramfs.img are encrypted and there is an encrypted manifest file with digests as anti-tamper protection.
But if you want to start exploring, you could split the digicap.dav down into its 3 components like so, which can then be handled with hikpack:
Code:
head -c 14651904 digicap.dav > FWpart1
tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
tail -c 16032256 digicap.dav > FWpart3
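As an added example (not part of the original post and not part of hikpack), the split above can be wrapped in a shell function that refuses to cut an image whose size is not the sum of the part sizes, then confirms the parts rejoin to the original. The function name split_fw and its output-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# split_fw IMAGE OUTDIR SIZE... : cut IMAGE into consecutive parts of the
# given byte sizes, written as OUTDIR/FWpart1, OUTDIR/FWpart2, ...
# (split_fw is a hypothetical helper name, not part of hikpack.)
split_fw() {
    img=$1; out=$2; shift 2
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 2; }
    actual=$(wc -c < "$img" | tr -d ' ')
    total=0
    for s in "$@"; do total=$((total + s)); done
    # Offsets from one firmware build do not carry over to another, so
    # refuse to cut a file whose size is not exactly the sum of the parts.
    if [ "$actual" -ne "$total" ]; then
        echo "size mismatch: file=$actual parts=$total" >&2
        return 1
    fi
    offset=0; n=0
    for s in "$@"; do
        n=$((n + 1))
        # tail -c +K starts output at byte K (1-based); head trims to size.
        tail -c +"$((offset + 1))" "$img" | head -c "$s" > "$out/FWpart$n"
        offset=$((offset + s))
    done
    # Round-trip check: the parts, rejoined in order, must equal the input.
    joined=$(mktemp)
    i=1
    while [ "$i" -le "$n" ]; do
        cat "$out/FWpart$i" >> "$joined"
        i=$((i + 1))
    done
    if cmp -s "$joined" "$img"; then rc=0; else rc=3; fi
    rm -f "$joined"
    return "$rc"
}

# Part sizes from the post, for the V3.4.84 NVR image:
#   split_fw digicap.dav . 14651904 14656000 16032256
```

The three sizes in the post sum to 45340160 bytes, so a digicap.dav of any other length is rejected before anything is written.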
That is correct. Most of the files are encrypted with the DES_ecb3 cipher.
I'm assuming that the unreadable files are a result of them being encrypted .... any ideas on how we can decrypt them and make them useful?
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ ll
total 14320
drwxr-xr-x 2 alastair alastair 4096 Oct 2 09:18 ./
drwxr-xr-x 5 alastair alastair 4096 Sep 23 20:21 ../
-rw-r--r-- 1 alastair alastair 14651796 Sep 23 14:18 cramfs.img
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ mkdir ~/tmpmnt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ sudo mount -t cramfs cramfs.img ~/tmpmnt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ file ~/tmpmnt/*
/home/alastair/tmpmnt/gui_res.tar.lzma: data
/home/alastair/tmpmnt/new_10.bin: data
/home/alastair/tmpmnt/player.zip: Zip archive data, at least v2.0 to extract
/home/alastair/tmpmnt/start.sh: data
/home/alastair/tmpmnt/sys_app.tar.lzma: data
/home/alastair/tmpmnt/uImage: u-boot legacy uImage, Linux-3.10.0, Linux/ARM, OS Kernel Image (Not compressed), 3096056 bytes, Thu Jan 5 03:25:07 2017, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0xA1F39057, Data CRC: 0x870572D4
/home/alastair/tmpmnt/WebComponents.exe: PE32 executable (GUI) Intel 80386, for MS Windows
/home/alastair/tmpmnt/webs.tar.lzma: data
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ hikpack_2.5 -t k41 -d ~/tmpmnt/start.sh -o dec_start.sh
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ ll
total 14328
drwxr-xr-x 2 alastair alastair 4096 Oct 2 09:20 ./
drwxr-xr-x 5 alastair alastair 4096 Sep 23 20:21 ../
-rw-r--r-- 1 alastair alastair 14651796 Sep 23 14:18 cramfs.img
-rw-r--r-- 1 alastair alastair 4184 Oct 2 09:20 dec_start.sh
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ head dec_start.sh
#!/bin/sh
sdbg=$(/usr/bin/awk -F 'sdbg=' '{print substr($2,1,1)}' /proc/cmdline)
who=$(/usr/bin/awk -F 'who=' '{print substr($2,1,9)}' /proc/cmdline)
serverip=$(/usr/bin/awk -F: '{print $2}' /proc/cmdline)
echo "sdbg:$sdbg serverip:$serverip"
if [ "$sdbg" == "d" ];then
echo "DSP..........";
exit;
fi
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $ file *
cramfs.img: Linux Compressed ROM File System data, little endian size 14651392 version #2 sorted_dirs CRC 0xaa380e31, edition 0, 3575 blocks, 9 files
dec_start.sh: POSIX shell script executable (binary data)
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626/part1 $
IPC_G0_CN_STD_5.3.3_150624