Author Topic: COTIER IPC-631 - Boot via serial  (Read 5430 times)

June 27, 2015, 07:31:02 pm
Hi guys!!

I have a COTIER IPC-631 camera, and I need to access the Linux system to use my own firmware instead of the COTIER FW (partially bugged, like most parts of Chinese firmwares).

So, I have access to the serial line with this configuration: 115200, 8, N, 1

Here is the start dump:

Quote
U-Boot 2010.06 (Apr 25 2014 - 16:45:30)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x17 0xC8 0x40 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"GD25Q64"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  1  0
8192 KiB hi_sfc at 0:0 is now current device

## Booting kernel from Legacy Image at 81000000 ...
   Image Name:   Linux-3.0.8
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1162816 Bytes = 1.1 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 3.0.8 (root@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #8 Tue Apr 29 10:40:41 CST 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518
Memory policy: ECC disabled, Data cache writeback
AXI bus clock 200000000.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 7620
Kernel command line: mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs)
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 30MB = 30MB total
Memory: 27500k/27500k available, 3220k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc2000000 - 0xfe000000   ( 960 MB)
    lowmem  : 0xc0000000 - 0xc1e00000   (  30 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc001f000   (  92 kB)
      .text : 0xc001f000 - 0xc02b6000   (2652 kB)
      .data : 0xc02b6000 - 0xc02c80a0   (  73 kB)
       .bss : 0xc02c80c4 - 0xc02d49f0   (  51 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:32 nr_irqs:32 32
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
TS82 driver for HI3518C
Can not pass authentication ... ...
Can not pass authentication ... ...
brd: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xC8 0x40 0x17 0xC8 0x40 0x17
SPI FLASH start_up_mode is 3 Bytes
Spi(cs1):
Block:64KB
Chip:8MB
Name:"GD25Q64"
spi size: 8MB
chip num: 1
4 cmdlinepart partitions found on MTD device hi_sfc
Creating 4 MTD partitions on "hi_sfc":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000180000 : "kernel"
0x000000180000-0x000000200000 : "dataBlock"
0x000000200000-0x000000800000 : "rootfs"
Fixed MDIO Bus: probed
himii: probed
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
TCP cubic registered
NET: Registered protocol family 17
registered taskstats version 1
\F8SQUASHFS error: Xattrs in filesystem, these will be ignored
SQUASHFS error: unable to read xattr id index table
VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Freeing init memory: 92K

init started: BusyBox v1.16.1 (2014-04-15 00:12:41 CST)

starting pid 237, tty '': '/etc/init.d/rcS'

            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
udevd (249): /proc/249/oom_adj is deprecated, please use /proc/249/oom_score_adj instead.
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0008: 0x00000000 --> 0x00000001
[END]
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0018: 0x00000000 --> 0x00000001
[END]
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f001c: 0x00000000 --> 0x00000001
[END]
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0124: 0x00000000 --> 0x00000000
[END]
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140400: 0x00000038 --> 0x00000002
[END]
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x201403fc: 0x00000030 --> 0x00000002
[END]
Hisilicon Watchdog Timer: 0.01 initialized. default_margin=30 sec (nowayout= 0, nodeamon= 1)
ADC_CH0 driver ADC detect
Init IRCUT ADC
ts800_init set default sn ......
key_pos = 19, data_pos = 37
create device inode...
hi_i2c init is ok!

starting pid 286, tty '': '/bin/login'
(none) login: *** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20030030: 0x00000000 --> 0x00000001
[END]
reset sensor ov9712 finish ...
*** Board tools : ver0.0.1_20120501  ***
[debug]: {source/utils/cmdshedriver[board_ctl] : set_board_type_handle() : set board type to 13
ll.c:166}cmdstr:1111, set ircut to night mod
himm
0x20030030: 0x00000001 --> 0x00000001
[END]
reset sensor ov9712 finish ...
the sensor of the board is gc1004 ......
open /dev/adc success, product_type=13
2222, set ircut to day mod
3333, ircut init
detected sensor type is 13
rmmod: module 'hi_i2c' not found
Hisilicon Media Memory Zone Manager
hi3518_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Hisilicon UMAP device driver interface: v3.00
pa:81e00000, va:c2240000
load sys.ko for Hi3518...OK!
load viu.ko for Hi3518...OK!
ISP Mod init!
load vpss.ko ....OK!
load vou.ko ....OK!
load venc.ko for Hi3518...OK!
load group.ko for Hi3518...OK!
load chnl.ko for Hi3518...OK!
load h264e.ko for Hi3518...OK!
load jpege.ko for Hi3518...OK!
load rc.ko for Hi3518...OK!
load region.ko ....OK!
load vda.ko ....OK!
hi_i2c init is ok!
Kernel: ssp initial ok!
acodec inited!
insert audio
==== Your input Sensor type is ov9712 ====
is going to run load_cmem.sh
CMEMK module: built on Mar  6 2013 at 16:34:50
  Reference Linux version 3.0.8
  File /AppData/his/sdk/Hi3518_SDK_V1.0.3.0/drv_test/cmem/src/module/cmemk.c
allocated heap buffer 0xc3000000 of size 0x800000
cmemk initialized
/
/
encode_mon enter main loop...
sys_montor enter main loop...
tcp_mon start main loop...
sys_daemon mount /dev/mtdblock2 success
sys_daemon disable console
driver[board_ctl] : set_ircut_default_handle() : Set IR-CUT default
driver[board_ctl] : set_ircut_default_handle() : Set IR-CUT default finish
SET IRCUT PASSIVE MODE
driver[board_ctl] : ipc_board_ioctl() : get cmd to enable adc printk
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
+++++++++++++++++++++SET_IRCUT_NIGHTMODE
IRCUT STOP
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1

IPNC login: PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1

IPNC login:
IPNC login:
IPNC login: PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0
22222, g_passive_counter=-1, g_passive_threshHold=1
PASSIVE-mode : get cmd from LED board is : 0

I manage to access the U-BOOT console by interrupting the "auto boot" at startup.

In U-BOOT, I have these options:

Quote
U-Boot 2010.06 (Apr 25 2014 - 16:45:30)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x17 0xC8 0x40 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"GD25Q64"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  1  0
hisilicon # h ?
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftp    - tftp   - download or upload image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor version
hisilicon # printenv
bootdelay=1
baudrate=115200
ethaddr=00:00:23:34:45:66
netmask=255.255.255.0
bootfile="uImage"
serverip=192.168.66.170
ipaddr=192.168.66.39
gatewayip=192.168.66.1
bootargs=mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs)
bootcmd=sf probe 0;sf read 0x81000000 0x40000 0x140000;bootm 0x81000000
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Apr 25 2014 - 16:45:30)

Environment size: 479/65532 bytes
hisilicon #

My main problem is: if I wait after the U-BOOT message, when it starts Linux, and I try to log in, I get a login failure.

Is the root password always empty by default?

But what I see is: if I press enter **before the application starts**, I don't get the same login message as when I try to log in after the application starts:

Quote
//Before application start
(none) login:
(none) login:
//After application start
IPNC login:
IPNC login:

Maybe they have set another password, or I have to write "root" at the right moment? So my idea is to extract the firmware which is on the board, put it on my computer, then uncompress it, find the file /etc/passwd and see if the password is easy to crack.

The problem is: from U-BOOT, how can I save the firmware to my computer? Maybe with the tftp command, but when I run it, it seems to work as a client and tries to GET a file from my computer (uimage...)
Before bricking the device I want to be able to save it..
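Saving the flash from U-Boot comes down to knowing each partition's offset and length, and the kernel command line's mtdparts= option already encodes them (they are the same numbers the kernel prints under "Creating 4 MTD partitions"). The following Python is an added example, not code from this thread: it parses that option, resolves root=/dev/mtdblockN, and emits `sf read` lines in the same form as the camera's own bootcmd, paired with the `tftp <addr> <file> <len>` upload form that is used later in this thread (the third argument being a length is that U-Boot build's behaviour as reported here, not something the script verifies). It also handles the `-` (remaining space) size that mtdparts allows even though this camera does not use it. FLASH_SIZE comes from the "Chip:8MB" probe line; the `.bin` file names are my own.

```python
import re

# Kernel command line as printed on the camera's serial console (copied from the thread).
CMDLINE = ("mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs "
           "mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs)")
FLASH_SIZE = 8 * 1024 * 1024  # "Chip:8MB" in the SPI probe output

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_mtdparts(cmdline, flash_size=None):
    """Parse mtdparts=<dev>:<size>(<name>)[ro],... into a list of partitions.

    Offsets are cumulative in list order, which is how the kernel's cmdlinepart
    driver lays them out. A size of '-' means "rest of the device" and needs
    flash_size. Unit letters are case-insensitive (the thread mixes 1280k and 512K).
    """
    m = re.search(r"mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= option in command line")
    device, _, spec = m.group(1).partition(":")
    parts, offset = [], 0
    for index, item in enumerate(spec.split(",")):
        pm = re.fullmatch(r"(\d+|-)([kKmMgG]?)\(([^)]*)\)(ro)?", item)
        if not pm:
            raise ValueError("unparsable partition entry: %r" % item)
        if pm.group(1) == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - offset
        else:
            size = int(pm.group(1)) * _UNITS[pm.group(2).lower()]
        parts.append({"index": index, "device": device, "name": pm.group(3),
                      "offset": offset, "size": size, "readonly": pm.group(4) is not None})
        offset += size
    if flash_size is not None and offset > flash_size:
        raise ValueError("partitions exceed flash size by %d bytes" % (offset - flash_size))
    return parts


def root_partition(cmdline, parts):
    """Resolve root=/dev/mtdblockN to the partition with index N (None if absent)."""
    m = re.search(r"root=/dev/mtdblock(\d+)", cmdline)
    if not m:
        return None
    n = int(m.group(1))
    return next((p for p in parts if p["index"] == n), None)


def sf_read_command(part, load_addr=0x81000000):
    """U-Boot line copying one partition into RAM: sf read <addr> <offset> <len>.
    Same form as the camera's bootcmd, so the kernel line must come out identical."""
    return "sf read 0x%x 0x%x 0x%x" % (load_addr, part["offset"], part["size"])


def tftp_upload_command(part, load_addr=0x81000000):
    """Upload form used later in this thread: tftp <addr> <file> <len>.
    The length is the partition size, so each file holds exactly one partition."""
    return "tftp 0x%x %s.bin 0x%x" % (load_addr, part["name"], part["size"])


def dump_plan(cmdline, flash_size=FLASH_SIZE, load_addr=0x81000000):
    """'sf probe 0' as in bootcmd, then one read/upload pair per partition."""
    lines = ["sf probe 0"]
    for p in parse_mtdparts(cmdline, flash_size):
        lines.append(sf_read_command(p, load_addr))
        lines.append(tftp_upload_command(p, load_addr))
    return lines


if __name__ == "__main__":
    for p in parse_mtdparts(CMDLINE, FLASH_SIZE):
        print("mtd%d %-9s 0x%06x-0x%06x (%d KiB)" % (p["index"], p["name"], p["offset"],
                                                      p["offset"] + p["size"], p["size"] // 1024))
    print("\n".join(dump_plan(CMDLINE)))
```

Reading a partition into RAM with `sf read` is non-destructive; the only write in this plan is the upload to the host, which is why it is a reasonable first step before any change to flash.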


June 28, 2015, 08:36:18 am
Well, actually I have changed the bootargs argument, like this:

Quote
setenv bootargs mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs) single
saveenv

Now I can access the camera as root over the serial connection without a password.
I am looking at enabling telnet/ssh access and finding the root password.
I can't change the root password because it is in a read-only FS (/etc/passwd)
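Seen from the other side, everything that made this possible is visible in the `printenv` output posted earlier: the one-second bootdelay that could be interrupted, an environment that can be rewritten and saved from the console, and verify=n. As an added example (not code from this thread), the following Python parses that output and flags the settings whose effect the thread demonstrates: a non-zero bootdelay, `single` in bootargs (the passwordless root shell), and verify=n (bootm's image data checksum check disabled). The check names and messages are my own; the PRINTENV text is the dump from the first post.

```python
# U-Boot environment as printed by 'printenv' on the camera (copied from the thread).
PRINTENV = """\
bootdelay=1
baudrate=115200
ethaddr=00:00:23:34:45:66
netmask=255.255.255.0
bootfile="uImage"
serverip=192.168.66.170
ipaddr=192.168.66.39
gatewayip=192.168.66.1
bootargs=mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs)
bootcmd=sf probe 0;sf read 0x81000000 0x40000 0x140000;bootm 0x81000000
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Apr 25 2014 - 16:45:30)

Environment size: 479/65532 bytes
"""


def parse_printenv(text):
    """Turn printenv output into a dict. Values may themselves contain '=' (bootargs),
    so split on the first one only; the trailing 'Environment size' line is dropped."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Environment size"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key] = value
    return env


def audit_env(env):
    """Return {check: message} for settings that weaken the boot path.

    bootdelay: any non-zero delay gives a window to stop autoboot at the console.
    single:    BusyBox init started with 'single' runs a shell instead of rcS/login,
               which is exactly what the thread used to get a root prompt.
    verify:    verify=n makes bootm skip the data CRC of the image it boots.
    """
    findings = {}
    try:
        delay = int(env.get("bootdelay", "0"))
    except ValueError:
        delay = -1  # unparsable value: treat as interruptible
    if delay != 0:
        findings["bootdelay"] = ("bootdelay=%s: autoboot can be interrupted from the serial "
                                 "console" % env.get("bootdelay"))
    if "single" in env.get("bootargs", "").split():
        findings["single"] = "bootargs contains 'single': init drops to a root shell without login"
    if env.get("verify", "y").strip().lower() == "n":
        findings["verify"] = "verify=n: bootm skips the image data checksum check"
    return findings


if __name__ == "__main__":
    for check, msg in audit_env(parse_printenv(PRINTENV)).items():
        print("%-10s %s" % (check, msg))
```

The same parser runs unchanged on a `printenv` capture from any U-Boot of this generation, which makes it a cheap thing to keep in a device-intake checklist: capture the environment once over serial, diff it against a known-good copy, and the `single` and `verify` lines are the ones that should never change in the field.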


June 28, 2015, 05:15:32 pm
Quote
# echo $USER
root

Here is the full startup log:

Quote
U-Boot 2010.06 (Apr 25 2014 - 16:45:30)

Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x17 0xC8 0x40 0x17
Spi(cs1): Block:64KB Chip:8MB Name:"GD25Q64"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0
8192 KiB hi_sfc at 0:0 is now current device

## Booting kernel from Legacy Image at 81000000 ...
   Image Name:   Linux-3.0.8
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1162816 Bytes = 1.1 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 3.0.8 (root@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #8 Tue Apr 29 10:40:41 CST 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518
Memory policy: ECC disabled, Data cache writeback
AXI bus clock 200000000.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 7620
Kernel command line: mem=30M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=hi_sfc:256K(boot),1280k(kernel),512K(dataBlock),6144K(rootfs) single
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 30MB = 30MB total
Memory: 27500k/27500k available, 3220k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc2000000 - 0xfe000000   ( 960 MB)
    lowmem  : 0xc0000000 - 0xc1e00000   (  30 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc001f000   (  92 kB)
      .text : 0xc001f000 - 0xc02b6000   (2652 kB)
      .data : 0xc02b6000 - 0xc02c80a0   (  73 kB)
       .bss : 0xc02c80c4 - 0xc02d49f0   (  51 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:32 nr_irqs:32 32
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
TS82 driver for HI3518C
Can not pass authentication ... ...
Can not pass authentication ... ...
brd: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xC8 0x40 0x17 0xC8 0x40 0x17
SPI FLASH start_up_mode is 3 Bytes
Spi(cs1):
Block:64KB
Chip:8MB
Name:"GD25Q64"
spi size: 8MB
chip num: 1
4 cmdlinepart partitions found on MTD device hi_sfc
Creating 4 MTD partitions on "hi_sfc":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000180000 : "kernel"
0x000000180000-0x000000200000 : "dataBlock"
0x000000200000-0x000000800000 : "rootfs"
Fixed MDIO Bus: probed
himii: probed
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
TCP cubic registered
NET: Registered protocol family 17
registered taskstats version 1
�SQUASHFS error: Xattrs in filesystem, these will be ignored
SQUASHFS error: unable to read xattr id index table
VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Freeing init memory: 92K
init started: BusyBox v1.16.1 (2014-04-15 00:12:41 CST)
starting pid 237, tty '': '-/bin/sh'


BusyBox v1.16.1 (2014-04-15 00:12:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Welcome to HiLinux.
#

What I did was change the u-boot bootargs to add "single"; with it, it doesn't run the program, and I have access to the shell *as root*

I need to set my FS to RW because it is RO, so I can't change the root password, for example.
But maybe it's impossible since it's a squashfs partition. So I am looking at exporting the fs via tftp in u-boot to my computer, doing the changes manually in /etc/passwd and some other things, and then re-uploading it.
« Last Edit: June 29, 2015, 02:15:17 am by caipiblack »
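Exporting the rootfs, editing it and writing it back is only safe if what goes back is something this kernel can mount, and the boot log already hints at one mismatch: "SQUASHFS error: Xattrs in filesystem, these will be ignored" is a kernel without xattr support meeting an image that has them. As an added example (not the thread's code), the following Python reads the 96-byte squashfs 4.x superblock at the start of a rootfs dump and checks the version, the compressor, the used size against the 6144K partition, and whether an xattr table is present. The `kernel_compressors` default is an assumption for illustration, to be replaced by what the target kernel was actually built with; the sample superblock is constructed and is not the camera's image.

```python
import struct

SQUASHFS_MAGIC = 0x73717368          # little-endian, reads as "hsqs" at offset 0
SUPERBLOCK_FMT = "<5I6H8Q"           # squashfs 4.x superblock layout, 96 bytes
SUPERBLOCK_SIZE = struct.calcsize(SUPERBLOCK_FMT)
NO_TABLE = 0xFFFFFFFFFFFFFFFF        # "table absent" marker for the xattr/lookup tables
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
ROOTFS_PARTITION_SIZE = 6144 * 1024  # 6144K(rootfs) from the camera's mtdparts


def parse_superblock(image):
    """Decode the squashfs superblock at the start of a partition dump."""
    if len(image) < SUPERBLOCK_SIZE:
        raise ValueError("image shorter than a squashfs superblock")
    (magic, inodes, mkfs_time, block_size, fragments, compression, block_log, flags,
     no_ids, major, minor, root_inode, bytes_used, id_table, xattr_table, inode_table,
     dir_table, frag_table, lookup_table) = struct.unpack_from(SUPERBLOCK_FMT, image)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("not a squashfs image (magic 0x%08x)" % magic)
    return {"version": (major, minor), "inodes": inodes, "block_size": block_size,
            "block_log": block_log, "fragments": fragments,
            "compression": COMPRESSORS.get(compression, "unknown(%d)" % compression),
            "bytes_used": bytes_used, "has_xattrs": xattr_table != NO_TABLE}


def check_rootfs_image(image, partition_size=ROOTFS_PARTITION_SIZE,
                       kernel_compressors=("gzip", "lzma")):
    """Sanity checks before a (re)packed rootfs goes back into the partition.

    kernel_compressors is an assumption for illustration: the real set must be read
    from the target kernel's config. An image packed with any other compressor is
    unreadable by that kernel, so the device will not mount its root filesystem.
    Returns (superblock dict, list of problem strings); an empty list means 'looks bootable'.
    """
    sb = parse_superblock(image)
    problems = []
    if sb["version"][0] != 4:
        problems.append("squashfs major version %d, a 3.x kernel expects 4" % sb["version"][0])
    if (1 << sb["block_log"]) != sb["block_size"]:
        problems.append("block_log %d does not match block_size %d"
                        % (sb["block_log"], sb["block_size"]))
    if sb["compression"] not in kernel_compressors:
        problems.append("compressor %s not in kernel set %s"
                        % (sb["compression"], list(kernel_compressors)))
    if sb["bytes_used"] > partition_size:
        problems.append("image uses %d bytes but the partition is %d"
                        % (sb["bytes_used"], partition_size))
    if sb["has_xattrs"]:
        problems.append("image carries xattrs; a kernel without xattr support will log "
                        "'SQUASHFS error: Xattrs in filesystem, these will be ignored'")
    return sb, problems


def make_sample_superblock(compression=2, bytes_used=5_000_000, xattr_table=NO_TABLE):
    """Constructed test input: a valid 4.0 superblock plus zero padding, no real content."""
    header = struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC, 120, 0, 131072, 3, compression, 17, 0,
                         1, 4, 0, 0, bytes_used, 96, xattr_table, 96, 96, 96, NO_TABLE)
    return header + b"\0" * 32


if __name__ == "__main__":
    sb, problems = check_rootfs_image(make_sample_superblock())
    print(sb)
    print(problems or "no problems found")
```

Run it on the dump before unsquashing and again on the repacked image before any write to flash; the version and compressor checks are the ones that turn a bad guess about `mksquashfs` options into a message on the host instead of a camera that stops at "VFS: Mounted root".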

June 28, 2015, 06:01:05 pm
Maybe the problem is here

Quote
# mount -f
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime,size=1M)
tmpfs on /tmp type tmpfs (rw,sync,relatime)

But we can't do much about it. Squashfs is by nature read-only, isn't it?

I will check if we can change the type in u-boot.

June 29, 2015, 03:02:34 am
Do you know this blog:
http://felipe.astroza.cl/hacking-hi3518-based-ip-camera/

It seems to share your interest.

June 30, 2015, 06:32:29 am
Yes, I have seen this blog, but I have something curious on my FW, or idk what happened:

I don't have anything in /dev/, I don't have the mtdblocks to copy. Maybe it's device specific, but I don't have anything in /dev

So I am looking at what I can do..

From u-boot I have exported the uImage to my computer, but it's a "compiled" image so I can't really extract it.

What I did was:

Quote
tftp 0x81000000 image 0x140000

Any ideas?

This is the address of what is booted by u-boot.
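A uImage is not a filesystem to extract: it is the kernel with a 64-byte U-Boot header in front, carrying the name, load and entry addresses and data size that U-Boot printed at boot ("Image Name: Linux-3.0.8", "Data Size: 1162816 Bytes", "Load Address: 80008000"), plus a CRC over the header and one over the data. Because the dump is a whole 0x140000-byte partition, the header's size field is what says where the kernel ends and the flash padding begins. As an added example, not code from this thread, the following Python decodes that header, checks both CRCs (bootm with verify=n skips the data one, so it is worth doing on the host) and returns the payload; the sample image is constructed inline and is not the camera's kernel.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_FMT = ">7I4B32s"                 # U-Boot legacy (uImage) header: big-endian, 64 bytes
IH_SIZE = struct.calcsize(IH_FMT)
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {2: "Kernel Image"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob):
    """Decode the 64-byte header in front of the kernel and verify both CRCs.

    Field order is ih_magic, ih_hcrc, ih_time, ih_size, ih_load, ih_ep, ih_dcrc,
    ih_os, ih_arch, ih_type, ih_comp, ih_name[32]. ih_size bounds the payload, so
    trailing flash padding in a partition dump is ignored.
    """
    if len(blob) < IH_SIZE:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, timestamp, size, load, ep, dcrc,
     os_, arch, itype, comp, name) = struct.unpack_from(IH_FMT, blob)
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x (expected 0x%08x)" % (magic, IH_MAGIC))
    header = bytearray(blob[:IH_SIZE])
    header[4:8] = b"\0\0\0\0"        # ih_hcrc is computed over the header with itself zeroed
    payload = blob[IH_SIZE:IH_SIZE + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "os": IH_OS.get(os_, "os(%d)" % os_),
        "arch": IH_ARCH.get(arch, "arch(%d)" % arch),
        "type": IH_TYPE.get(itype, "type(%d)" % itype),
        "compression": IH_COMP.get(comp, "comp(%d)" % comp),
        "data_size": size, "load": load, "entry": ep, "timestamp": timestamp,
        "header_crc_ok": (zlib.crc32(bytes(header)) & 0xFFFFFFFF) == hcrc,
        "data_crc_ok": len(payload) == size and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc,
        "payload": payload,
    }


def make_sample_uimage(payload, corrupt=False):
    """Constructed stand-in for a kernel-partition dump: uImage header, payload, then
    0xFF erase padding as on a flash dump. Not the camera's image. corrupt=True flips
    one payload bit to show the data CRC catching it."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [IH_MAGIC, 0, 0, len(payload), 0x80008000, 0x80008000, dcrc,
              5, 2, 2, 0, b"Linux-3.0.8".ljust(32, b"\0")]
    header = struct.pack(IH_FMT, *fields)             # hcrc field still zero here
    fields[1] = zlib.crc32(header) & 0xFFFFFFFF
    image = struct.pack(IH_FMT, *fields) + payload + b"\xff" * 64
    if corrupt:
        i = IH_SIZE + 3
        image = image[:i] + bytes([image[i] ^ 0x01]) + image[i + 1:]
    return image


if __name__ == "__main__":
    info = parse_uimage(make_sample_uimage(b"constructed kernel bytes " * 8))
    print({k: v for k, v in info.items() if k != "payload"})
```

On a real dump the `payload` is the self-decompressing kernel the log shows ("Uncompressing Linux..."), so the next step is kernel tooling rather than a filesystem extractor; the two CRC flags are also the quickest way to confirm that the tftp upload carried the partition across intact.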