alastairstevenson
Staff member
Well, I've been away from this forum for a while due to a need to service a higher-level interrupt. But that's pretty well OK now, so I have a bit of time to play again.
I thought I'd take a break from unpicking Hikvision's ongoing efforts to trip up their customers and have a root around inside the Longse / Cantonk offerings.
Being an engineer by inclination and training I like to know 'how things work'.
This is probably just for the techies amongst us, and might be only of academic interest with limited practical value.
After all, unlike the Hikvision firmware, the Herospeed firmware has no encryption to break, no obfuscation to figure out, no tripwires to defeat, no tamper or integrity protection to sidestep.
It's not the world's most sophisticated IP camera firmware, though. It would be really good if Herospeed would add some advanced analytics beyond simple motion detection.
So this is the 'Longse S500' camera, as brought to our attention by @klasipka and has deservedly received quite a lot of attention for image quality and low-light performance.
Let's have a look at what's running on the pretty good H3516a / IMX178 hardware combo.
Quite a current version of the Linux kernel, and the very capable 1.2GHz 32-bit ARMv7 CPU.
Not overly generous with the RAM though at 64MB.
The camera is currently providing 2 RTSP streams, and the CPU is almost idling.
What about storage?
Nothing unusual in the size or the layout.
When analysing embedded Linux, exploring the internals, trying out changes, it can be really useful to have external storage available, avoiding the need to shuffle files back and forward with tftp etc, so an NFS mount is almost mandatory.
As there is no 'NetHDD' facility in the web GUI, this can be done via terminal.
It's interesting to note that, as Hikvision also do to some extent, there are hooks left in place in the system initiallisation to support an NFS based rootfs, an essential part of the development and analysis environment.
The NFS mount makes it easy to pull out the flash contents, and anything else, to see how things are organised. And to change things experimentally.
Here is an interesting folder - what's in it?
It's the system configuration, in a binary file, and the 'factory defaults' settings.
Parts of the layout are self-explanatory from the contents, and much of the organisation can be determinined empirically by adjusting web GUI settings and observing the result.
That's probably enough for now. Well done if you managed to read this far ...
More later.
I thought I'd take a break from unpicking Hikvision's ongoing efforts to trip up their customers and have a root around inside the Longse / Cantonk offerings.
Being an engineer by inclination and training I like to know 'how things work'.
This is probably just for the techies amongst us, and might be only of academic interest with limited practical value.
After all, unlike the Hikvision firmware, the Herospeed firmware has no encryption to break, no obfuscation to figure out, no tripwires to defeat, no tamper or integrity protection to sidestep.
It's not the world's most sophisticated IP camera firmware, though. It would be really good if Herospeed would add some advanced analytics beyond simple motion detection.
So this is the 'Longse S500' camera, as brought to our attention by @klasipka and has deservedly received quite a lot of attention for image quality and low-light performance.
Let's have a look at what's running on the pretty good H3516a / IMX178 hardware combo.
Quite a current version of the Linux kernel, and the very capable 1.2GHz 32-bit ARMv7 CPU.
Not overly generous with the RAM though at 64MB.
Code:
alastair@PC-I5 ~ $ telnet 192.168.1.168
Trying 192.168.1.168...
Connected to 192.168.1.168.
Escape character is '^]'.
(none) login: root
Password:
Welcome to HiLinux.
None of nfsroot found in cmdline.
~ # uname -a
Linux (none) 3.4.35 #4 Thu Jan 22 15:23:55 CST 2015 armv7l GNU/Linux
~ # pwd
/root
~ # cat /proc/cpuinfo
Processor : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 1196.85
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5
Hardware : hi3516a
Revision : 0000
Serial : 0000000000000000
~ # free
total used free shared buffers
Mem: 59552 53440 6112 0 0
-/+ buffers: 53440 6112
Swap: 0 0 0
Code:
Mem: 58076K used, 1476K free, 0K shrd, 0K buff, 28416K cached
CPU0: 10.5% usr 1.9% sys 0.0% nic 87.4% idle 0.0% io 0.0% irq 0.0% sirq
Load average: 4.49 4.45 4.66 1/113 1291
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
849 1 root S 163m279.8 0 10.8 /usr/AVServer
1116 1 root S 229m392.5 0 0.4 /boaServer/boa
854 1 root S 128m219.9 0 0.4 /usr/SystemServer
1114 1 root S 88408147.8 0 0.4 /usr/freep2p_server
1118 1 root S 36088 60.3 0 0.1 /usr/DeviceSearch
1291 1287 root R 1772 2.9 0 0.1 top
3 2 root SW 0 0.0 0 0.1 [ksoftirqd/0]
1287 844 root S 1784 2.9 0 0.0 -sh
844 1 root S 1772 2.9 0 0.0 telnetd
841 1 root S 1768 2.9 0 0.0 /bin/login
1 0 root S 1764 2.9 0 0.0 init
1123 1 root S 1268 2.1 0 0.0 /usr/WatchDog
593 1 root S < 1068 1.7 0 0.0 udevd --daemon
670 593 root S < 1068 1.7 0 0.0 udevd --daemon
661 593 root S < 1068 1.7 0 0.0 udevd --daemon
845 1 root S 848 1.4 0 0.0 /usr/Main
1080 1 root S 840 1.4 0 0.0 /usr/HWatchDog
579 2 root SWN 0 0.0 0 0.0 [jffs2_gcd_mtd2]
249 2 root SW 0 0.0 0 0.0 [kworker/0:1]
161 2 root DW 0 0.0 0 0.0 [kusbotg]
~ #Nothing unusual in the size or the layout.
Code:
~ # df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 12.0M 9.3M 2.7M 78% /
tmpfs 29.1M 4.0K 29.1M 0% /dev
nome 4.0M 4.0M 20.0K 100% /boaServer
~ # cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00010000 "boot"
mtd1: 00300000 00010000 "kernel"
mtd2: 00c00000 00010000 "rootfs"
~ # ls -al /
total 2
drwxr-xr-x 25 root root 0 Jan 1 1970 .
drwxr-xr-x 25 root root 0 Jan 1 1970 ..
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 bin
drwxrwxrwt 2 root root 60 Jul 1 20:59 boaServer
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 boot
drwxrwxrwt 6 root root 3320 Jan 1 1970 dev
drwxr-xr-x 2 1000 1000 0 Feb 5 2015 disk
drwxrwxr-x 5 1000 1000 0 Apr 16 16:25 etc
drwxrwxr-x 3 1000 1000 0 Feb 5 2015 home
lrwxrwxrwx 1 1000 1000 9 Feb 5 2015 init -> sbin/init
drwxr-xr-x 3 1000 1000 0 Apr 16 16:25 ko
drwxrwxr-x 2 1000 1000 0 Apr 16 16:25 lib
lrwxrwxrwx 1 1000 1000 11 Feb 5 2015 linuxrc -> bin/busybox
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 lost+found
-rwxrwxr-x 1 1000 1000 431 Feb 5 2015 mknod_console
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 mnt
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 nfsroot
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 opt
drwxr-xr-x 2 1000 1000 0 Jan 1 1970 param
dr-xr-xr-x 65 root root 0 Jan 1 1970 proc
drwxrwxr-x 2 1000 1000 0 Jun 29 19:59 root
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 sbin
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 share
dr-xr-xr-x 12 root root 0 Jan 1 1970 sys
drwxrwxr-x 2 1000 1000 0 Jan 1 1970 tmp
drwxrwxr-x 6 1000 1000 0 Jun 24 20:41 usr
drwxrwxr-x 3 1000 1000 0 Feb 5 2015 varAs there is no 'NetHDD' facility in the web GUI, this can be done via terminal.
It's interesting to note that, as Hikvision also do to some extent, there are hooks left in place in the system initiallisation to support an NFS based rootfs, an essential part of the development and analysis environment.
The NFS mount makes it easy to pull out the flash contents, and anything else, to see how things are organised. And to change things experimentally.
Code:
~ # ls -al /mnt
total 0
drwxrwxr-x 2 1000 1000 0 Feb 5 2015 .
drwxr-xr-x 25 root root 0 Jan 1 1970 ..
~ # mount -t nfs -o nolock 192.168.1.21:/home/alastair/tftp_root /mnt
~ # ls -al /mnt
total 16
drwxrwxrwx 5 1000 1000 4096 Jul 1 20:38 .
drwxr-xr-x 25 root root 0 Jan 1 1970 ..
drwxr-xr-x 2 1000 1000 4096 Jul 1 20:37 imx178
drwxr-xr-x 2 1000 1000 4096 Jul 1 13:04 imx322
drwxr-xr-x 2 1000 1000 4096 Jun 29 18:33 tmp
~ # cd /mnt/imx178
/mnt/imx178 # dd if=/dev/mtd0 of=mtd0
2048+0 records in
2048+0 records out
1048576 bytes (1.0MB) copied, 0.866129 seconds, 1.2MB/s
/mnt/imx178 # dd if=/dev/mtd1 of=mtd1
6144+0 records in
6144+0 records out
3145728 bytes (3.0MB) copied, 1.096895 seconds, 2.7MB/s
/mnt/imx178 # dd if=/dev/mtd2 of=mtd2
24576+0 records in
24576+0 records out
12582912 bytes (12.0MB) copied, 3.986917 seconds, 3.0MB/s
/mnt/imx178 # ls -al
total 16392
drwxr-xr-x 2 1000 1000 4096 Jul 1 20:46 .
drwxrwxrwx 5 1000 1000 4096 Jul 1 20:38 ..
-rw-r--r-- 1 root root 1048576 Jul 1 20:46 mtd0
-rw-r--r-- 1 root root 3145728 Jul 1 20:46 mtd1
-rw-r--r-- 1 root root 12582912 Jul 1 20:46 mtd2It's the system configuration, in a binary file, and the 'factory defaults' settings.
Parts of the layout are self-explanatory from the contents, and much of the organisation can be determinined empirically by adjusting web GUI settings and observing the result.
Code:
/mnt/imx178 # ls -al /param
total 85
drwxr-xr-x 2 1000 1000 0 Jan 1 1970 .
drwxr-xr-x 25 root root 0 Jan 1 1970 ..
-rwxrwxrwx 1 root root 41 Apr 16 16:25 Ver.ini
-rw-r--r-- 1 root root 528 Jul 1 21:47 cloud_storage.cfg
-rw-r--r-- 1 root root 57604 Jul 1 21:11 logfile.log
-rw-r--r-- 1 root root 45 Jul 1 21:11 net.conf
-rw------- 1 root root 10284 Jul 1 20:59 onvif.cfg
-rw-r--r-- 1 root root 8000 Jul 1 21:11 sysenv.cfg
-rw-r--r-- 1 root root 8000 Jan 1 1970 sysenvcopy.cfg
/mnt/imx178 # cat /param/Ver.ini
[VERSION]
sofvar=3516A_IMX178_X_5.1.51.3
/mnt/imx178 # cp /param/* .
/mnt/imx178 # ls -al
total 16492
drwxr-xr-x 2 1000 1000 4096 Jul 1 20:47 .
drwxrwxrwx 5 1000 1000 4096 Jul 1 20:38 ..
-rwxr-xr-x 1 root root 41 Jul 1 20:47 Ver.ini
-rw-r--r-- 1 root root 528 Jul 1 20:47 cloud_storage.cfg
-rw-r--r-- 1 root root 57604 Jul 1 20:47 logfile.log
-rw-r--r-- 1 root root 1048576 Jul 1 20:46 mtd0
-rw-r--r-- 1 root root 3145728 Jul 1 20:46 mtd1
-rw-r--r-- 1 root root 12582912 Jul 1 20:46 mtd2
-rw-r--r-- 1 root root 45 Jul 1 20:47 net.conf
-rw------- 1 root root 10284 Jul 1 20:47 onvif.cfg
-rw-r--r-- 1 root root 8000 Jul 1 20:47 sysenv.cfg
-rw-r--r-- 1 root root 8000 Jul 1 20:47 sysenvcopy.cfg
/mnt/imx178 #More later.
