New G1 camera root status

[watchful_ip]

OK so the update script in the minisys looks to only deal with TFTP digicap,dav and updating it. That means the bootloader has to be updating the minisys so that's good.

There are RSA signing checks in the minisys updating binary, so if it will accept unsigned then it must be patched so that's all good.

Ideally I'd dump the original minisys before changing it, but of course if it's easy to do that then might not need to change it in the first place!

Sorted.

 

[rearanger]

It's likely possible to add nfs support to the minisys but like you say not really needed. And you can probably just copy files via ssh (not scp) as an alternative.

montecrypto's minisys has an updated busybox so there are some extra network commands in there


I modified this script to unpack hImage [script] repack-zImage.sh: Unpack and repack a zImage without kernel source, V. 5 (filenames of extracted files will need changed,it does handle the cpio))

Not looked at the workings of G1 for a little while. There is a DS-2CD2385FWD-I2018 just arrived. will have look at it over the next few days.

 

[watchful_ip]

Yeah I used something like that a few years ago when I was making my own images, and changed it to package and alter to be accepted by the target.

Also I think I may have used relevant SDKs for a few - can't remember I'm too old

 

[Purduephotog]

Wait, so in theory I can patch up the ezviz cameras as they were based on the G1? Ooooh that'll make me very happy. I can order new NAND, flash it on the computer, then solder it back down.

Unless anyone knows any flex/breakout cables I can use to make a socketed NAND chip?

 

[watchful_ip]

Got my 2 cameras today:

U-Boot 3.1.6-371476 (May 11 2018-21:35:18)
boards:378780

Boot 3.1.6-540659 (Jun  4 2019-17:55:37)
boards:518302

Both accepted the mini_sys rearanger posted fine and I've alterred the camera accordingly for a root shell over SSH. Off to play thanks again for the help!

 

[watchful_ip]

Unless the kernel has been compiled to make the partition read-only.

Just for info the recovery partition is writeable from normal boot environment whilst things like the bootloader are RO (usually for the best!).

 

[rearanger]

I just trashed cfg_pri / sec(mtd12/13) also mtdblock10 /11(full erase). Nightmare to recover lol

cam is on firmware 5.6.3

never mucked around with the bootloader

 

[alastairstevenson]

Take a look at the contents of mtdblock3.

 

[rearanger]

Take a look at the contents of mtdblock3.

the serial number ????


BTW I think minisys update can be run from ASH prompt. So no need for TTL if you have ASH

 

[alastairstevenson]

the serial number ????

And all the other camera-specific values such as language, region, MAC address, options etc.
The same data layout that Hikvision use across many IP cameras and NVRs, though usually held in a security chip.
I'm wondering if they have gone back to how this was handled in the R0 series, but tamper protected.

 

[rearanger]

lol test it lol

I noticed the serial number was there(assumed it was just a copy). But did not notice davinci checking env for region. Thought that was stored on the security chip.

 

[watchful_ip]

I've not got there yet as still building my own mini_sys but pretty sure this cam does have EMV chip.

 

[watchful_ip]

Seems silly minisys formats partitions without TFTP digicap.dav successfully first. Just change it so it happens only on good TFTP first.

Ooh and we use dbg partition for unpacked web files. How things change - good for boot time though.

And they've put GPL license text there - nice one Hikvision! Always hated you didn't before. Wonder if you respond to GPL requests these days (which you are supposed to).

And camera is from the future! From /dev/mtd1

Amboot(R) Ambarella(R) Copyright (C) 2004-2024