Image Type: ARM Linux Kernel Image (gzip compressed) # Booting kernel from Legacy Image at 81ffffc0.
Writing to SPI flash, offset 0x00060000 size 64K. Some part of console boot log, if it's useful: Uncompress.OkĮrasing SPI flash, offset 0x00060000 size 64K. My guess for now is decryption is done in uboot and other stuff is handled by Huawei LiteOS powering this device, but in order to do further research I will need to first extract these two and the binaries in use from the firmware.Ĭan anyone share how I might achieve my goal? Any advice is appreciated.
#Hikvision tftp test tftpserver password#
(The provided firmware file is dumped after I edited admin password to "HikHiktest", so the entry "admin:12345" in ipc_db is not the correct one which web interface is looking for authentication.)Īnd there are also a lot of cryptic stuff happening in this firmware. Web interface password is not stored in ipc_db as most other Hikvision products do. The camera's web service is running on Angular (yet another unusual feature in embedded device.) but there are no Angular binaries to be found in the firmware even after binwalk extraction. I really want to know how I can process this data at 0x8E28 so I can do some RE on IDA or ghidra and sort out how this device works internally. The bootloader is located in the decompressed LZMA data at 0x8E28 (Known by comparing what I see from UART console output and output of strings 8E28)īut again it's not a usual U-boot program as binwalk failed to detect U-boot when I used binwalk to analyze it. The first thing I noticed is that there is no uboot header or uImage header that's often seen in other embedded device firmware. Here's the output of binwalk: DECIMAL HEXADECIMAL DESCRIPTIONģ6392 0x8E28 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: -1 bytesġ0092544 0x9A0000 JFFS2 filesystem, little endianġ6318544 0xF90050 Zlib compressed data, compressedġ6318764 0xF9012C Zlib compressed data, compressedġ6319000 0xF90218 Zlib compressed data, compressedġ6319136 0xF902A0 Zlib compressed data, compressedġ6319592 0xF90468 Zlib compressed data, compressedġ6320424 0xF907A8 Zlib compressed data, compressedġ6320864 0xF90960 Zlib compressed data, compressedġ6321796 0xF90D04 Zlib compressed data, compressedġ6322380 0xF90F4C Zlib compressed data, compressedġ6322560 0xF91000 Zlib compressed data, compressedġ6323100 0xF9121C Zlib compressed data, compressedġ6324028 0xF915BC Zlib compressed data, compressedġ6324556 0xF917CC Zlib compressed data, compressedġ6325336 0xF91AD8 Zlib compressed data, compressedġ6326072 0xF91DB8 JFFS2 filesystem, little endianġ6326276 0xF91E84 Zlib compressed data, compressedġ6327348 0xF922B4 JFFS2 filesystem, little endianġ6328220 0xF9261C Zlib compressed data, compressedġ6328684 0xF927EC JFFS2 filesystem, little endianġ6329344 0xF92A80 Zlib compressed data, compressedġ6329840 0xF92C70 JFFS2 filesystem, little endianġ6330528 0xF92F20 Zlib compressed data, compressedġ6330992 0xF930F0 JFFS2 filesystem, little endianġ6331632 0xF93370 Zlib compressed data, compressedġ6332212 0xF935B4 JFFS2 filesystem, little endianġ6332416 0xF93680 Zlib compressed data, compressedġ6332680 0xF93788 JFFS2 filesystem, little endianġ6333240 0xF939B8 Zlib compressed data, compressedġ6333528 0xF93AD8 JFFS2 filesystem, little endianġ6334148 0xF93D44 Zlib compressed data, compressedġ6334188 0xF93D6C JFFS2 filesystem, little endianġ6334896 0xF94030 Zlib compressed data, compressedġ6335076 0xF940E4 Zlib compressed data, compressedġ6335412 0xF94234 Zlib compressed data, compressedġ6335520 0xF942A0 Zlib compressed data, compressedġ6335708 0xF9435C Zlib compressed data, compressedġ6335984 0xF94470 Zlib compressed data, compressedġ6336320 0xF945C0 Zlib compressed data, compressedġ6336888 0xF947F8 Zlib compressed data, compressedġ6337540 0xF94A84 Zlib compressed data, compressedġ6337852 0xF94BBC Zlib compressed data, compressedġ6338032 0xF94C70 Zlib compressed data, compressedġ6338288 0xF94D70 Zlib compressed data, compressedġ6339092 0xF95094 Zlib compressed data, compressedġ6339748 0xF95324 Zlib compressed data, compressedġ6339792 0xF95350 JFFS2 filesystem, little endian
Almost like they are trying to hide things.
)Īfter dumping firmware from its flash and analyze it with binwalk, I found it intriguingly difficult to understand how its working. (Model DFI6257E, looks like a Taiwan exclusive model. I have a Hikvision IP camera that I'm doing security research on.
0 kommentar(er)
