unbranded chinese type cam bricked

cr0wm4n

n3wb
Joined
Mar 6, 2016
Messages
5
Reaction score
0
Hi,

I have a 3 year old camera that stopped working. when I tried a factory reset it has lost all access with the exception of telnet there does not appear to be any ports open except telnet.
I cannot find any of the web interface files on it any more either.

the camera looks identical to this one without the red logo
http://img.dxcdn.com/productimages/sku_221355_1.jpg

i have found the rx / tx pins and can login using a serial fttdi adapter :)

I believe it is a HIKvision camera

I guess i need replacement firmwares for it so hope someone can help..


Below is a copy of the bootup of the camera and a couple of other bits of info that may help, there is also a segmentation fault during bootup that i see, and also a taint of the kernel which I guess wont help none either :)


Many thanks for any info or help
Mike




/proc # cat version
Linux version 2.6.21 (root@sky) (gcc version 3.4.2) #788 Thu Aug 22 14:32:15 CST 2013
/


/proc # cat cpuinfo
system type : Ralink SoC
processor : 0
cpu model : MIPS 24K V4.12
BogoMIPS : 239.61
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes
ASEs implemented : mips16 dsp
VCED exceptions : not available
VCEI exceptions : not available


/proc # cat partitions
major minor #blocks name


31 0 8192 mtdblock0
31 1 192 mtdblock1
31 2 64 mtdblock2
31 3 64 mtdblock3
31 4 4096 mtdblock4
31 5 3776 mtdblock5
/proc #



cat mtd
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00400000 00010000 "Kernel"
mtd5: 003b0000 00010000 "file system"
/proc #




/proc # cat filesystems
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev sockfs
nodev usbfs
nodev pipefs
nodev futexfs
nodev tmpfs
nodev eventpollfs
nodev devpts
nodev ramfs
msdos
vfat
nodev jffs2
/proc #



/mnt/spinand/sif # ls -al
-rw-r--r-- 1 0 0 0 wifi.cfg
-rw-r--r-- 1 0 0 244 net.cfg
-rwxr-xr-x 1 0 0 2363 wudhcpc.conf
-rw-rw-rw- 1 0 0 138 video.cfg
-rw-rw-rw- 1 0 0 131 emalarm.conf
-rwxr-xr-x 1 0 0 2012 udhcpcc.conf
-rw-rw-rw- 1 0 0 11 time.cfg
-rwxr-xr-x 1 0 0 3046 udhcpd.conf
-rwxr-xr-x 1 0 0 2058 udhcpc.conf
-rw-rw-rw- 1 0 0 89 neck.cfg
-rw-r--r-- 1 0 0 9 hkclient.conf
-rw-r--r-- 1 0 0 0 ftpbakup.conf
-rwxr-xr-x 1 0 0 89 sdvideo.cfg
drwxr-xr-x 2 0 0 0 cron
drwxr-xr-x 2 0 0 0 bin
drwxr-xr-x 9 0 0 0 ..
drwxr-xr-x 4 0 0 0 .
/mnt/spinand/sif # cd bin
/mnt/spinand/sif/bin # ls -al
-rwxr-xr-x 1 0 0 1689 runhkipc
-rwxr-xr-x 1 0 0 2343 hk-update
-rwxr-xr-x 1 0 0 53 first-check-update.sh
-rwxr-xr-x 1 0 0 2845 PreConf
-rwxr-xr-x 1 0 0 263 hk-watch.sh
-rwxr-xr-x 1 0 0 106 reset.sh
-rwxr-xr-x 1 0 0 107 runglobefish
-rwxr-xr-x 1 0 0 756 hk-check-update.sh
-rwxr-xr-x 1 0 0 85264 globefish
-rwxr-xr-x 1 0 0 159 scc_start.sh
-rwxr-xr-x 1 0 0 38208 ftpserver
-rwxr-xr-x 1 0 0 12288 hkipc
drwxr-xr-x 4 0 0 0 ..
drwxr-xr-x 2 0 0 0 .
















U-Boot 1.1.3 (Oct 31 2012 - 23:46:19)


Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fb4000
sysctl:40200300
spi_wait_nsec: 42
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
.============================================
Ralink UBoot Version: 3.5.3.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Oct 31 2012 Time:23:46:19
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384


##### The CPU freq = 360 MHZ ####
estimate memory size =32 Mbytes


Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP. 0


3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
. Image Name: Linux Kernel Image
Created: 2013-08-22 6:32:25 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3556947 Bytes = 3.4 MB
Load Address: 80000000
Entry Point: 802eb000
raspi_read: from:50040 len:364653
....................................................... Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802eb000) ...
## Giving linux memsize in MB, 32


Starting kernel ...




LINUX started...


THIS IS ASIC
Linux version 2.6.21 (root@sky) (gcc version 3.4.2) #788 Thu Aug 22 14:32:15 CST 2013
Initrd not found or empty - disabling initrd
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
Memory: 26848k/32768k available (2274k kernel code, 5920k reserved, 709k data, 2552k init, 0k highmem)
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Time: MIPS clocksource has been installed.
Creating 6 MTD partitions on "raspi":
0x00000000-0x00800000 : "ALL"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00450000 : "Kernel"
0x00450000-0x00800000 : "file system"
NET: Registered protocol family 2
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=1048576,origSize=10201088
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com>............................................................................................................................................................RT3xxx EHCI/OHCI init.
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Ralink APSoC Hardware Watchdog Timer
Serial: 8250/16550 driver $Revision: 1.9 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
PROC INIT OK!
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.1
Linux video capture interface: v2.00
usbcore: registered new interface driver uvcvideo
USB Video Class driver (SVN r209)
block2mtd: version $Revision: 1.1.1.1 $
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
i2c /dev entries driver
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Freeing unused kernel memory: 2552k freed
init started: BusyBox v1.12.1 (2013-07-08 11:00:25 CST)
starting pid 640, tty '': '/etc_ro/rcS'
devpts: called with bogus options
Welcome to
_______ _______ ___ __ ____ _ _ralink_gpio: irq number(10) out of range
___
| ___ \| __ || | |__|| \ | || | / /
| |___| || |__| || |__ __ | \| || |/ /
| _ /| _ || || || |\ || \
|__| \__\|__| |__||______||__||_| \____||_|\___\


=System Architecture Department=


ln: /etc/init.d: File exists
ln: /srv/: No such file or directory
$$$$HU$$$$$ exec /etc/init.d/01env.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/01env_ext.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/02wdt.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/03net.sh !!!!!
Started WatchDog Timer.
mknod: /dev/i2s0: File exists
Password for 'admin' changed
rt2860v2_sta: module license 'unspecified' taints kernel.
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
udhcpc (v1.12.1) started
Sending select for 192.168.1.10...
Lease of 192.168.1.10 obtained, lease time 36000
deleting routers
route: ioctl 0x890c failed: No such process
!!!!!!!!!!!!!!!!globefish!!!!!!!!!!!!!!!!!!!
$$$$HU$$$$$ exec /etc/init.d/08telnet.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/12chkupdate.sh !!!!!
$$$$HU$$$$ check loop back
$$$$HU$$$$ extern con loop back [0x881017ac]
no loop back
download update.sh !!!!
download from 192.168.1.13:/update.sh to /tmp/update.sh
tftp -g 192.168.1.13 -l /tmp/update.sh -r /update.sh
tftp: timeout
!!!!!!!update.sh download faild !!!!!!!!!
$$$$HU$$$$$ exec /etc/init.d/55hk.sh !!!!!
Jan 1 00:00:31 crond[852]: crond (busybox 1.12.1) started, log level 8


starting pid 857, tty '/dev/ttyS1': '-/bin/sh'




BusyBox v1.12.1 (2013-07-08 11:00:25 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.


$$$$$$$$$$$$$$$exec profile$$$$$$$$$$$$$$$$$$$$
~ # Segmentation fault
Jan 1 00:00:46 crond[897]: crond (busybox 1.12.1) started, log level 8


Jan 1 00:01:01 crond[852]: USER admin pid 898 cmd /mnt/sif/bin/hk-watch.sh


Jan 1 00:01:01 crond[897]: USER admin pid 916 cmd /mnt/sif/bin/hk-watch.sh


mkdir: cannot create directory '/tmp/hkipc/u/': File exists
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
That's not a Hikvision camera, neither in firmware content nor appearance.
rt2860v2_sta: module license 'unspecified' taints kernel.
This is informational, not fatal.
~ # Segmentation fault
But this is fatal - a program or module has crashed. Cause unknown, possibly corruption. The flash may have grown an unhandled bad block.
To get an idea which program has bombed, you could follow the (many) scripts and programs called out by init.d and see which ones are a couple after 55hk.sh
But it may all be a bit academic.
 

cr0wm4n

n3wb
Joined
Mar 6, 2016
Messages
5
Reaction score
0
Thankyou for the reply,
the reason i thought it was a hk camera is because it has files like hkclient.conf on theere.
its a plug2vision and the barcode on it takes me to scc21.net if thats any more help identifying it.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
download from 192.168.1.13:/update.sh to /tmp/update.sh
tftp -g 192.168.1.13 -l /tmp/update.sh -r /update.sh
tftp: timeout
!!!!!!!update.sh download faild !!!!!!!!!
Interesting that it has a built-in auto-update on startup.
If you could get a copy of the system firmware and an update worked, maybe the re-write might fix the problem.
 

cr0wm4n

n3wb
Joined
Mar 6, 2016
Messages
5
Reaction score
0
i have dumped all areas using dd and including MTD0 ALL
I cannot in any area find the correct files but what I did do is from the MTD0 area I managed to separate the 5 other area and wrote back areas 4 and 5 (kernel and filesystem )
It did solve some of the issues i originally had, but I still only have telnet and serial access.
I still cannot find any of the web files.

As for the update.sh that is called from a cron job which the command can be seen below.
the update server variable used to be blank but i put in one of my local addresses while trying to work out what was happening
I cannot find in any of the scripts is the address of any other update server.

Mike



ln: /etc/init.d: File exists
ln: /srv/: No such file or directory
$$$$HU$$$$$ exec /etc/init.d/01env.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/01env_ext.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/02wdt.sh !!!!!
Started WatchDog Timer.
$$$$HU$$$$$ exec /etc/init.d/03net.sh !!!!!
mknod: /dev/i2s0: File exists
Password for 'admin' changed
rt2860v2_sta: module license 'unspecified' taints kernel.
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=7f
done.
InitWifi
sta_connection(start!)
doSystem: wan.sh
udhcpc (v1.12.1) started
!!!!!!!!!!!!!!!!globefish!!!!!!!!!!!!!!!!!!!
$$$$HU$$$$$ exec /etc/init.d/08telnet.sh !!!!!
$$$$HU$$$$$ exec /etc/init.d/12chkupdate.sh !!!!!
$$$$HU$$$$ check loop back
$$$$HU$$$$ extern con loop back [0x881017ac]
no loop back
download update.sh !!!!
download from 192.168.1.13:/update.sh to /tmp/update.sh
tftp -g 192.168.1.13 -l /tmp/update.sh -r /update.sh
 

cr0wm4n

n3wb
Joined
Mar 6, 2016
Messages
5
Reaction score
0
Thanks again for the reply,
I have emailed Bluestork to try and get a copy of the firmware but again that one is different as mine does not have their logo either

I have found this one that does appear to be identical And have emailed them too.

Hopefully one or the other will come back with a copy of the firmware :)

Regards
Mike
 

cr0wm4n

n3wb
Joined
Mar 6, 2016
Messages
5
Reaction score
0
As yet I have had no reply from either supplier,

but i have now identified where the segmentation fault is coming from
its a binary

/mnt/spinand/sif/bin/hkipc

-rwxr-xr-x 1 0 0 12288 hkipc

Sooo, if i can find this binary somewhere it may help :)


regards
Mike
 

hmonteiro

n3wb
Joined
May 24, 2016
Messages
1
Reaction score
1
Hello Mike. I have a similar camera. It's an Avidsen Öga. http://www.avidsenstore.com/produit.asp?Ref=123211

# file hkipc
hkipc: ELF 32-bit LSB executable, MIPS, MIPS-II version 1 (SYSV), dynamically linked (uses shared libs), stripped
# md5sum hkipc
a25b7713643b003c700d489defec04de hkipc
# ls -l hkipc
-rw-r--r-- 1 nobody nogroup 543652 May 26 15:48 hkipc


will this help?

My camera software has tftp built into busybox and that's what i used to transfer stuff in/out of the camera.
Check http://lists.busybox.net/pipermail/busybox/2003-February/007972.html on how to do it.

Finally, the link for the binary:
https://drive.google.com/open?id=0B00ZZh0Kg65iZnJZWmtmb0dDaUE

Good luck!
 
Last edited by a moderator:
Top