Author Topic: Hacking Hi3512 Camera from Szanyuan  (Read 17132 times)

July 01, 2011, 07:58:24 am
We got a camera from: Szanyuan

It has everything one dreams of: SD, USB, mic (internal/ext), Wifi, optional POE, RTSP, H264

However the cam lacks an internal FTP server and a cross-platform web interface (IE only), and has no international languages, only English and Chinese.

I want to hack into the camera. It has Telnet like most Hi3512 cameras, but I don't know the password and they won't provide it.

However I have firmware files; maybe someone can help to decrypt them. I don't know how to decrypt them.

http://www.megaupload.com/?d=4GO96C13

The model is called: AY-IP9642M-W

Getting into telnet would be enough for me so I can change all the files. I will reward a few $$$ if you can provide the telnet password. So feel free to contact me through PM.

Edit: attached the photos of the internals. Maybe someone can identify the JTAG, RS232 or something similar. I don't get any diagnostic output on the RS485 connector. There are two jumpers; I don't know what their purpose is.

The board and the camera are built in good quality; the cables are glued to the connectors so they cannot come out during transport. I had many cameras which did not have this quality. Price is around $160 for this cam.

« Last Edit: July 01, 2011, 09:51:31 am by Borsti92 »

July 01, 2011, 09:43:34 am
I can have a go, but you need to put them elsewhere, can't get to most of the upload sites as they're blocked in China.

July 01, 2011, 02:29:20 pm
From a look at the firmware, the webui one is more fun to look into as it looks harder hehe

web_2308.uwe

First 4 bytes are obviously filesize (not including suffix)

32bit unsigned we get 0x00125231
Skip forward to the end of the file at that position, and we have:
00 80 2A 00 48 48 44 56 FE 40 . . * . HHDV˛@

HHDV looks like a file identifier.  HiVision is the chipset, so looking significant. Last 2 bytes probably checksum or length for something.

Also some curiously repeated byte sequences toward the end to -

9F FE A7 FF E9 7F repeats a few times



--

Second file -  romfs one?

similar format, first file is pseudo flat packed, file, file, file ...
small 4 byte header in front.

51 7A 3D 00 - repeated again in the file at offset 3d7b49
Could be length, but then the location is diff to first file

can manually extract or make a tool.

mostly it contains elf files.

Also has that HHDV at the end, plus same 2 byte post HHDV.

If I extract an elf file from it, I get valid results.

 ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped

Going back to the file. I can see at offset 3d7b7d (the 4 bytes preceding HHDV) we have 21 43 65 87, which in 32bit unsigned = 0x87654321
Unfortunately in the other file nothing so legible - it's 0x002A8000 there.  This might be a location to put the data for that file.


So, now we know something about the structure - lets take another look at the webui

4 bytes header length.
then a file.
Let's look at our file - looks like garbage, right?  What's the header 1F8B0800?
Ooh, a gzip file because the bytes match.

Let's check.

zcat webui_large  |more
./en/


<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>公网IP邮件通知</title>
<link href="css/styleset.css" rel="stylesheet" type="text/css">
<META  HTTP-EQUIV="pragma"  CONTENT="no-cache"> 
<META  HTTP-EQUIV="Cache-Control"  CONTENT="no-cache,  must-revalidate"> 
<META  HTTP-EQUIV="expires"  CONTENT="Wed,  26  Feb  1997  08:21:57  GMT">
<script type="text/javascript" language="ja


Yup.

So extractable too.

Piece of cake.

July 02, 2011, 01:59:04 am
I tried to follow your instructions for web_2308.uwe

wow got it.

So all we need to do to extract is:

remove the 4-byte header
remove the HHDV,@ trailer

rename to .gz, extract

now have web_2308

I can extract the last file with zip. Seems uncompressed. How would we repack this, I mean the last step? It's not actually zip, is it?
« Last Edit: July 02, 2011, 02:27:57 am by Borsti92 »
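The container layout worked out in the two posts above (4-byte length, payload, then 4 bytes + "HHDV" + 2 bytes) and the extraction steps just listed, written up as a small Python tool. This is an added example, not code from the thread or from any vendor tool. It assumes the length field counts the payload only (it also accepts a length that includes the 4-byte header and reports which it saw), reads the 4 bytes before HHDV as little-endian, and runs on constructed sample images rather than the real web_2308.uwe; the flat-pack scan only looks for ELF magic and reports class/endianness the way `file` did in the post.

```python
import gzip
import struct

# Container layout as reverse-engineered in the thread:
#   [4-byte little-endian length][payload][4 bytes][b"HHDV"][2 bytes]
TRAILER_LEN = 10
TAG = b"HHDV"
GZIP_MAGIC = b"\x1f\x8b\x08\x00"   # the "1F8B0800" header spotted in the webui file
ELF_MAGIC = b"\x7fELF"


def parse_uwe(blob):
    """Split a .uwe image into its length field, payload and trailer fields.

    Assumption (mine, not settled in the thread): the length counts the payload
    bytes and excludes the trailer; an image whose length also covers the
    4-byte header is accepted and flagged so the caller can tell the two apart.
    """
    if len(blob) < 4 + TRAILER_LEN:
        raise ValueError("too short to be a .uwe image")
    (declared,) = struct.unpack("<I", blob[:4])
    trailer = blob[-TRAILER_LEN:]
    if trailer[4:8] != TAG:
        raise ValueError("HHDV tag not found at end of file")
    payload = blob[4:-TRAILER_LEN]
    if len(payload) == declared:
        length_counts_header = False
    elif len(payload) + 4 == declared:
        length_counts_header = True
    else:
        raise ValueError(
            f"length field {declared:#010x} does not match payload size {len(payload):#010x}"
        )
    (pre_tag,) = struct.unpack("<I", trailer[:4])   # 0x002A8000 / 0x87654321 on the page
    return {
        "declared_len": declared,
        "length_counts_header": length_counts_header,
        "payload": payload,
        "pre_tag": pre_tag,
        "post_tag": trailer[8:],                     # the 2 bytes after HHDV, meaning unknown
    }


def build_uwe(payload, pre_tag=0x002A8000, post_tag=b"\xfe\x40", length_counts_header=False):
    """Wrap a payload in the container (used here only to construct sample images)."""
    declared = len(payload) + (4 if length_counts_header else 0)
    return struct.pack("<I", declared) + payload + struct.pack("<I", pre_tag) + TAG + post_tag


def scan_elf_headers(data):
    """Return (offset, class, endianness) for every ELF header in a flat-packed payload."""
    hits = []
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        ident = data[pos:pos + 6]
        if len(ident) == 6:
            elf_class = {1: "ELF32", 2: "ELF64"}.get(ident[4], "?")
            endian = {1: "LSB", 2: "MSB"}.get(ident[5], "?")
            hits.append((pos, elf_class, endian))
        pos = data.find(ELF_MAGIC, pos + 1)
    return hits


def extract_payload(blob):
    """Unwrap a .uwe image: returns ("gzip", decompressed web UI) or ("raw", flat pack)."""
    payload = parse_uwe(blob)["payload"]
    if payload.startswith(GZIP_MAGIC):
        return "gzip", gzip.decompress(payload)
    return "raw", payload


# Constructed sample inputs (not the real firmware): a tiny "web UI" text wrapped as gzip,
# and a flat pack holding two fake ELF32 LSB headers, each preceded by a 4-byte field.
WEBUI_TEXT = b"./en/\n<head>\n<title>test</title>\n"
SAMPLE_WEBUI = build_uwe(gzip.compress(WEBUI_TEXT))
FAKE_ELF = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 12
SAMPLE_ROMFS = build_uwe(
    struct.pack("<I", len(FAKE_ELF)) + FAKE_ELF + struct.pack("<I", len(FAKE_ELF)) + FAKE_ELF,
    pre_tag=0x87654321,
)

if __name__ == "__main__":
    kind, data = extract_payload(SAMPLE_WEBUI)
    print(kind, data.decode())
    kind, data = extract_payload(SAMPLE_ROMFS)
    print(kind, scan_elf_headers(data))
```

To use it on a real image, read the file as bytes and pass it to `extract_payload`; if the length check fails, the ValueError tells you which size the header claimed versus what is actually there, which is the first thing to look at when a vendor changes the format between builds.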

July 05, 2011, 04:34:16 am
Got telnet and Serial Console:

Bootlog:
U-Boot 1.1.4 (Sep  8 2008 - 19:23:48)

U-Boot code: E0500000 -> E0517480  BSS: -> E051DCFC
HI_VERSION=U_BOOT_1_1_4-M05C0303B0103 @Hi3511v100_OSDrv_1_1_0_2 2008-07-18 16:28
:25
RAM Configuration:
Bank #0: e0000000 128 MB
Flash: 16 MB
In:    serial
Out:   serial
Err:   serial
MAC:   00-A0-70-04-00-08
Hit any key to stop autoboot:  0
## Booting image at 34080000 ...
   Image Name:   hilinux
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1268832 Bytes =  1.2 MB
   Load Address: e0a00000
   Entry Point:  e0a00000
OK
initrd_start 0x       0,initrd_end 0x       0
Starting kernel ...

Uncompressing Linux.............................................................
..................... done, booting the kernel.
Kernel Early-Debug on Level 5
Linux version 2.6.14-hi3511v100dmeb-release (root@redhat) (gcc version 3.4.3 (re
lease) (CodeSourcery ARM Q3cvs 2004)) #6 Thu Jun 11 21:57:09 CST 2009
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
Machine: Hi3511v100
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
Built 1 zonelists
Kernel command line: mem=64M console=ttyAMA0,115200 pcimod=host pciclksel=16 roo
t=1f01 rootfstype=jffs2 mtdparts=phys_mapped_flash:2M(boot),14M(rootfs)
PID hash table entries: 512 (order: 9, 8192 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 64MB = 64MB total
Memory: 62080KB available (2141K code, 422K data, 84K init)
Mount-cache hash table entries: 512
HI_VERSION=LINUX_2_6_14-M06C0303B0103 @Hi3511v110_OSDrv_1_0_0_7 2009-03-18 20:50
:52
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Hisilicon clock system V0.01
PCI: device 0000:00:00.0 has unknown header type 25, ignoring.
PCI: device 0000:00:01.0 has unknown header type 25, ignoring.
PCI: device 0000:00:02.0 has unknown header type 25, ignoring.
PCI: device 0000:00:03.0 has unknown header type 25, ignoring.
PCI: device 0000:00:04.0 has unknown header type 25, ignoring.
PCI: device 0000:00:05.0 has unknown header type 25, ignoring.
PCI: device 0000:00:06.0 has unknown header type 25, ignoring.
PCI: device 0000:00:07.0 has unknown header type 25, ignoring.
PCI: device 0000:00:08.0 has unknown header type 25, ignoring.
PCI: device 0000:00:09.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0a.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0b.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0c.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0d.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0e.0 has unknown header type 25, ignoring.
PCI: device 0000:00:0f.0 has unknown header type 25, ignoring.
PCI: device 0000:00:10.0 has unknown header type 25, ignoring.
PCI: device 0000:00:11.0 has unknown header type 25, ignoring.
PCI: device 0000:00:12.0 has unknown header type 25, ignoring.
PCI: device 0000:00:13.0 has unknown header type 25, ignoring.
PCI: device 0000:00:14.0 has unknown header type 25, ignoring.
PCI: device 0000:00:15.0 has unknown header type 25, ignoring.
PCI: device 0000:00:16.0 has unknown header type 25, ignoring.
PCI: device 0000:00:17.0 has unknown header type 25, ignoring.
PCI: device 0000:00:18.0 has unknown header type 25, ignoring.
PCI: device 0000:00:19.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1a.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1b.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1c.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1d.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1e.0 has unknown header type 25, ignoring.
PCI: device 0000:00:1f.0 has unknown header type 25, ignoring.
PCI: bus0: Fast back to back transfers enabled
NetWinder Floating Point Emulator V0.97 (double precision)
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x0
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
Serial: AMBA PL011 UART driver
ttyAMA0 at MMIO 0x101f1000 (irq = 12) is a AMBA/PL011
ttyAMA1 at MMIO 0x101f2000 (irq = 13) is a AMBA/PL011
ttyAMA2 at MMIO 0x101f3000 (irq = 14) is a AMBA/PL011
io scheduler noop registered
RAMDISK driver initialized: 4 RAM disks of 8192K size 1024 blocksize
PPP generic driver version 2.4.2
NET: Registered protocol family 24
SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).
physmap flash device: 4000000 at 34000000
phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
phys_mapped_flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
2 cmdlinepart partitions found on MTD device phys_mapped_flash
Creating 2 MTD partitions on "phys_mapped_flash":
0x00000000-0x00200000 : "boot"
0x00200000-0x01000000 : "rootfs"
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
VFS: Mounted root (jffs2 filesystem).
Freeing init memory: 84K
init started:  BusyBox v1.1.2 (2008.07.18-08:25+0000) multi-call binary

            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S10mpp
Hisilicon Media Memory Zone Manager
Generic PHY: Registered new driver
HIETHV100-M03C0301 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:38
Hisilicon ETHv100 net controler.
Hisilicon ETHv100 MDIO Bus: probed
Invalid HW-MAC Address: 00:00:00:00:00:00
Set Random MAC address: CE:3C:C2:DB:D4:2C
HIDMAC-MDC030002 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:18:49
SCSI subsystem initialized
SDIO-M05C0302 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:18:56
SDIO-M05C0302 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:18:56
[RCS]: /etc/init.d/S80network
Card stack initializing, please wait ................................

No card connected.
Check card stack end,now you can do your job......................
[RCS]: /etc/init.d/S99hhWork
HiStream ... ...
go ------------ Ver(2011.02.22)
Auto login as root ...
Jan  1 00:00:04 login[192]: root login  on `<NULL>0'



BusyBox v1.1.2 (2008.07.18-08:25+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Welcome to HiLinux.
-sh: nfsroot: not found
~ $ [smtpclient.c:444]Enter main
Hi3511 IO driver init start(newboard = 0 0 0 0)(2010.07.19)
set_rs485_rtx(dvs = 0) == 0
Hi3511 IO driver init successful!
Hisilicon Watchdog Timer: 0.01 initialized. default_margin=60 sec (nowayout= 0,
nodeamon= 0)
HISI_WDT-MDC030001 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:31<6>HISI_WDT-MDC0
30001 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:31
count == 1(/usr/hh5800)
memsize 262144 logMode 0 logPri 3 FileNum 5
umount: Couldn't umount /syslog: Invalid argument
ln: /web/en/log0.asp: File exists
ln: /web/en/log1.asp: File exists
ln: /web/en/log2.asp: File exists
ln: /web/en/log3.asp: File exists
ln: /web/en/log4.asp: File exists
rmmod: mt_9d131: No such file or directory
rmmod: ov7710: No such file or directory
rmmod: adv7180: No such file or directory
rmmod: tlv320: No such file or directory
rmmod: tw_2864: No such file or directory
rmmod: advc385: No such file or directory
IO driver remove successful!
rmmod: hhrtc: No such file or directory
rmmod: hirtc: No such file or directory
rmmod: gpioi2c: No such file or directory
rmmod: hhi2c: No such file or directory
rmmod: hi3511_jpegd.ko: No such file or directory
rmmod: hi3511_jpege.ko: No such file or directory
rmmod: hi3511_h264e.ko: No such file or directory
rmmod: hi3511_chnl.ko: No such file or directory
rmmod: hi3511_ao.ko: No such file or directory
rmmod: hi3511_ai.ko: No such file or directory
rmmod: hi3511_sio.ko: No such file or directory
rmmod: hi3511_md.ko: No such file or directory
rmmod: hi3511_vdec.ko: No such file or directory
rmmod: hi3511_group.ko: No such file or directory
rmmod: hi3511_venc.ko: No such file or directory
rmmod: hi3511_vpp.ko: No such file or directory
rmmod: hi3511_dsu.ko: No such file or directory
rmmod: hi3511_vou.ko: No such file or directory
rmmod: hi3511_viu.ko: No such file or directory
rmmod: hi3511_sys.ko: No such file or directory
rmmod: hi3511_base.ko: No such file or directory
rmmod: tde.ko: No such file or directory
rmmod: /komod/bsd_comp.ko: No such file or directory
rmmod: /komod/ppp_deflate.ko: No such file or directory
rmmod: /komod/usbserial.ko: No such file or directory
rmmod: /komod/option.ko: No such file or directory
rmmod: /komod/cdc-acm.ko: No such file or directory
Changing password for root
Password for `root' changed by user `admin'
Password changed.
GPIO_I2C-MDC030001 @Hi3511v100_OSDrv_1_1_0_2 2008-07-18 16:31:31-------(50)
Hisilicon Watchdog Timer: 0.01 initialized. default_margin=60 sec (nowayout= 0,
nodeamon= 0)
HISI_WDT-MDC030001 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:31<6>HISI_WDT-MDC0
30001 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:31
HISI_RTC-MDC030001 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:19:34hh_rtc driver in
it successful(2009.04.23-1)!
insmod: cannot open module `/komod/hhi2c.ko': No such file or directory
tde: module license 'Copyright(c)' taints kernel.
TDE_MAIN_VERSION[v1.0.0.1] Build Time[Apr  2 2009, 15:00:28]
TDE_ADP_VERSION[hi3511 adp v1.0.0.3] Build Time[Apr  2 2009, 15:00:28]
Hisilicon UMAP device driver interface: v1.00
Chip Version: Hi35110110
load vpp.ko ....OK!
load vdec.ko ....OK
load md.ko....OK!
Hi3511 IO driver init start(newboard = 0 0 0 0)(2010.07.19)
set_rs485_rtx(dvs = 0) == 0
Hi3511 IO driver init successful!
usbcore: registered new driver usbfs
usbcore: registered new driver hub
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
ctrlpipe_nak_limit=3, bulkpipe_nak_limit=3
hiusb-hcd hiusb-hcd.0: Hisilicon USB host controller
hiusb-hcd hiusb-hcd.0: new USB bus registered, assigned bus number 1
hiusb-hcd hiusb-hcd.0: irq 23, io base 0x80090000
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
USB1_1-M0001C030002 @Hi3511v110_OSDrv_1_0_0_1 2008-09-08 14:18:53
Clock to USB host has been enabled
hisilicon-ohci hisilicon-ohci.0: hisilicon OHCI
hisilicon-ohci hisilicon-ohci.0: new USB bus registered, assigned bus number 2
hisilicon-ohci hisilicon-ohci.0: irq 20, io mem 0xa0000000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
mkdir: Cannot create directory `/etc/evdo': File exists
mkdir: Cannot create directory `/var/lock': File exists
PPP BSD Compression module registered
PPP Deflate Compression module registered
usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for Generic
usbcore: registered new driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core v2.0
drivers/usb/serial/usb-serial.c: USB Serial support registered for Option 3G dat
a card
usbcore: registered new driver option
drivers/usb/serial/option.c: Option Card (PC-Card to) USB to Serial Driver: v0.4

usbcore: registered new driver cdc_acm
drivers/usb/class/cdc-acm.c: v0.23:USB Abstract Control Model driver for USB mod
ems and ISDN adapters
mt9d131 mirror_data = 0x300
mt9d131 iic write err(reg: 0d f1  ---- wr: 00 21  rd: 00 01)
mt9d131 iic write err(reg: 21 f1  ---- wr: 03 00  rd: 00 00)
mt9d131 iic write err(reg: 36 f1  ---- wr: 13 08  rd: 13 00)
mt9d131 iic write err(reg: 08 f1  ---- wr: 01 fc  rd: 00 00)
mt9v131 driver init successful(2009.02.11)!
Hi3511 Audio Codec Driver Init Ok v2.0(2010.04.15)
***set_vout_mode  ---> PAL
***set_vout_mode  ---> PAL
***set_vout_mode  ---> PAL
SAA7121 driver init success (2009.4.8)!
data1 = 1c data2 = ff
Load driver err: reg0 = 1c, reg1 = ff

0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x
ff, 0xff, 0xff,

adv7393 driver init fail for device init error 2!
insmod: cannot insert `/komod/adv7393.ko': Operation not permitted (-1): Operati
on not permitted
hh0153_init driver init ......
hh0153 driver init fail......(2009.3.20)!
insmod: cannot insert `/komod/hh0153.ko': Operation not permitted (-1): Operatio
n not permitted
hh0104 driver init successful(2008.11.22)!
hh0104_ioctl cmd: 1 data: 0
@@@@@@@@@@@@@@@@@@ SysInit OK!
delayed to setup 512 skb queue items.
route: SIOC[ADD|DEL]RT: File exists
@@@@@@@@hh0104_ioctl cmd: 1 data: 0
@@@@@@@@@@ SysInit OK!
@@@@@@@@@@@@@@@@@@ Check Data ok!
PHY: 0:02 - Link is Up - 100/Full
VI_AD_CRTL_SET_SATURATION ===== h:4b
VI_AD_CRTL_SET_SATURATION ===== h:4b
VI_AD_CRTL_SET_FLIP -------------close
VI_AD_CRTL_SET_MIRROR -------------close
VI_AD_CRTL_SET_50HZ -------------
***set_vout_mode  ---> PAL
***set_vout_mode  ---> PAL
***set_vout_mode  ---> PAL
tlv320_switch_mode = mic
tlv320 set sample rate = 8k
tlv320 set volume = 18
tlv320 set volume = 18
tlv320 set sample rate = 8k
tlv320 set volume = 18
set_rs485_rtx(dvs = 0) == 0
irq_cfg = 80000000 bEnableIrq = 80000000  0 0 0 0
set_filter_ctrl == 1
mt9d131 write(page1): reg = 97 data = 0
mt9d131 read(page1) : reg = 97 data = 0
set_filter_ctrl == 1
net: listening to (null) port 554
websOpenServer ihh0104_ioctl cmd: 1 data: 0
n
@@@@@@@@@@@@@@@@@@ SysInit OK!
@@@@@@@@@@@@@@@@@@ Check Data ok!







set_filter_ctrl == 0
mt9d131 write(page1): reg = 97 data = 0
mt9d131 read(page1) : reg = 97 data = 0
set_filter_ctrl == 0
*** Board tools : ver0.0.1_20060106  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x101500b0: 0x00000007 --> 0x00010405
*** Board tools : ver0.0.1_20060106  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x101500a0: 0x00000002 --> 0x00010702
*** Board tools : ver0.0.1_20060106  ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x101500a4: 0x00000003 --> 0x00010703
mkdir: Cannot create directory `/mempic': File exists
set_filter_ctrl == 1
mt9d131 write(page1): reg = 97 data = 0
mt9d131 read(page1) : reg = 97 data = 0
set_filter_ctrl == 1
mkdir: Cannot create directory `/memrec': File exists

~ $ Jul  5 16:15:53 login[662]: root login  on `pts/0'


~ $ eth0      Link encap:Ethernet  HWaddr 00:4A:20:A6:49:BE
          inet addr:192.168.1.161  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2538 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4177 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:201633 (196.9 KiB)  TX bytes:3907197 (3.7 MiB)
          Interrupt:15

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)