Unrestricted root shell on G1 cameras

[montecrypto]

Attached is PSH-free minisystem image for G1. You can use it to get full filesystem access.

• The image comes with a full-featured busybox.
• The image allows loading unsigned firmware

The image will work with U-Boot 3.1.6-279309 (May 11 2017-13:36:13) or earlier.

to install rooted minisystem:
- put mImage_g1 in the root of tftp server
- put digicap.dav for G1 in the root of tftp server
- run "upf" from uboot
- run "update" from uboot to get root shell

recover to stock minisystem:
- rename mImage_g1.original to mImage_g1
- put it in the root of tftp server
- put digicap.dav for G1 in the root of tftp server (upf formats flash, you need this to restore camera firmware)
- run "upf"

 

[alastairstevenson]

Well, that's going to be pretty useful for a G1 item that's on its way, many thanks.
Tweaking here we come!

Is this the equivalent of the contents of 'mtdblock8' in the R0 series? The one I switch out with the 'brick-fix tool'?

 

[montecrypto]

New file attached to OP. The minisystem can now load unsigned firmware, for example this one:

IPC_G1_EN_STD_5.4.5_170124_mc.zip — RGhost — файлообменник

This is IPC_G1_EN_STD_5.4.5_170124 modified to disable PSH. No other changes.

 

[alastairstevenson]

I bought a DS-2CD2335FWD-I as part of the move to using h.265, and to improve low-light images.
I'm pretty impressed with the camera, it's going to get swapped in to replace a DS-2CD2332-I
It came with firmware 5.5.3 installed, so I can't use the modded 5.4.5 due to the downgrade block.
But it does seem that, even via the serial console, Hikvision have tightened up a bit on the usual ways in to have a look around.
'bootargs' is no longer supported, so you can't use 'debug single' to init to an ash shell.
dbg=9 still goes into a debug mode, but drops into psh.

So I thought I'd try @montecrypto's modded min-system - despite that the bootloader is newer than the one he tested / created mImage_g1 under.
Unfortunately the newer bootloader doesn't like it.
A pity.
But at least the upf code doesn't shoot first and complain later.

HKVS #
HKVS #
HKVS #
HKVS # printenv
ipaddr=192.168.1.64
serverip=192.168.1.99
gatewayip=0.0.0.0
netmask=255.255.255.0
ethaddr=b4:a3:82:2f:b2:a7
loadaddr=0x00208000
bootfile=hImage
bootcmd=null
bootargs=console=ttyS0
bootdelay=2
dbg=8
chip_id=1
HKVS
Type 'help setenv' for help
HKVS #
HKVS # help
The following commands are supported:
boot    erase   help    reset
saveenv printenv        setenv  upbs
format  update  upfusb  upf
updatebusb      updateb gos     go
mii     gpio    ping
Use 'help' to get help on a specific command
HKVS #
HKVS # upf
'upf' is a ambiguous command! Exec the shortest command
***** UPDATE START *****
MAC: b4:a3:82:2f:b2:a7
TFTP from server 192.168.1.99; our IP address is 192.168.1.64
Filename: 'mImage_g1'
Load address: 0x02000000
do_tftp_load:bld_udp_recv RRQ ok,opcode=6
tftp transfer block size is set to 1468 bytes
############################################################# got 4513976 bytes (4408 KB)
[ INFO][BLD]TFTP: Download File [OK]
version2 error.
hdr->crc32=0xcdd7acc7
hdr->img_len=4513720
hdr->mem_addr=0xffffffff
hdr->magic=0x4d535953
build_time:Fri Oct 13 00:12:34 2017
username:  montecrypto
hostname:  localhost
verify data failed! error: upm.
update mini system [FAIL]!error: upf.
!!!!! UPDATE FAIL !!!!!
HKVS #
HKVS # reset

U-Boot 3.1.6-297597 (Aug 30 2017-21:48:30)
boards:310094
Boot From: NAND 2048 RC BCH 6bit
SYS_CONFIG: 0x00070053 POC: 001
Cortex freq: 816000000
ENET freq: 50000000
iDSP freq: 348000000
Dram freq: 840000000
Core freq: 360000000
AHB freq: 180000000
APB freq: 90000000
UART freq: 24000000
SD freq: 50000000
SDXC freq: 50000000
dev_model:DS-2CD2335FWD-I
[Uboot] In release mode!
Hit Ctrl+u to stop autoboot: 2
HKVS #

 

[alastairstevenson]

Just in case there was something in the modified mImage_g1 that it didn't like, I tried the original version that @montecrypto published.
No joy with that either.

HKVS #
HKVS #
HKVS # printenv
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=0.0.0.0
netmask=255.255.255.0
ethaddr=b4:a3:82:2f:b2:a7
loadaddr=0x00208000
bootfile=hImage
bootcmd=null
bootargs=console=ttyS0
bootdelay=2
dbg=8
chip_id=1
HKVS # setenv ipaddr 192.168.1.64
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS #
HKVS # upf
'upf' is a ambiguous command! Exec the shortest command
***** UPDATE START *****
MAC: b4:a3:82:2f:b2:a7
TFTP from server 192.168.1.99; our IP address is 192.168.1.64
Filename: 'mImage_g1'
Load address: 0x02000000
do_tftp_load:bld_udp_recv RRQ ok,opcode=6
tftp transfer block size is set to 1468 bytes
############################################################# got 4513976 bytes (4408 KB)
[ INFO][BLD]TFTP: Download File [OK]
version2 error.
hdr->crc32=0xc4aa24aa
hdr->img_len=4513720
hdr->mem_addr=0xffffffff
hdr->magic=0x4d535953
build_time:Thu May 11 13:40:48 2017
username:  zhoufeng3
hostname:  Cpl-Frt-BSP
verify data failed! error: upm.
update mini system [FAIL]!error: upf.
!!!!! UPDATE FAIL !!!!!
HKVS #

 

[rearanger]

Any chance of full upgrade/full English upgrade on the G1's similar to the R0 cams?

 

[alastairstevenson]

I think it will depend on what version of bootloader is present in the camera.
Normally you can get into a debug mode where you can get at a command shell - at that point the firmware can be modded or swapped out.
In this camera that I just bought, that route isn't open.