Reverse Engineering DVR firmware

It's almost 2:00 AM, and I'm tired as hell. I've gotten so close to the point of giving up that I decided to write this article about my struggles.

I have an Identivision DVR which has a password set, which of course has been forgotten. I have taken the entire thing apart and removed the battery, but the user password still remains. There is no option that I can find for a factory reset that doesn't require knowing the admin password. I ran nmap on it and discovered quite a few open ports, as well as… yes, you guessed it: Telnet 🙂 That sounds fun! Anyway, this telnet option is not documented anywhere, so I have no idea what to type when it asks for login credentials. (It is not the same as the password for the DVR; I know this because I recovered the DVR password and tried the same for telnet.) I think I could avoid future hassles of forgotten passwords if I could somehow get into that telnet. Well, I downloaded a firmware update from the support website; the file looks like this: “ICR-DVR_H41_H81_firmware_V4.00.R10.20130104.zip”. I extracted the zip, and I got this: “6204&08-S_V4.00.R10.20130104.bin”. I booted up my trusty BackTrack in VMware and got to work.

First I tried this (I renamed the firmware file to dvr.bin so it would be easier to type):

Well, if this .bin file is just another zip, we'd better extract it:

The “InstallDesc” file is just ASCII text and looks like this:

Looks to me like the commands for flashing these “img” files to the system ROM. Anyway, what I am interested in is what those other img files contain. I'm guessing logo-x probably contains a bitmap or some other kind of image with the IDENTIVISION logo, and the other imgs probably contain the Linux OS itself.

Running file against the img files:

Now I've searched all over for a way to decompress or extract .cramfs.img files, but have found nothing.

Some forums say to use this (after installing cramfs support):

But I get this:

Running dmesg | tail gives me cramfs: wrong magic.

Running cramfsck gives me cramfsck: superblock magic not found.

So I have a few cramfs.img files, which I have no idea what to do with.

I ran strings on romfs and got some interesting stuff:

So there is definitely something inside; I can see the filenames, so it's not encrypted or anything. I need to extract this somehow.

So I talked with Domonkos Tomcsányi, and he suggested that the .cramfs.img file is not actually a cramfs file, but instead, as “file” suggests, a u-boot/PPCBoot image.

But how do we extract a u-boot/PPCBoot image? Time to google again. Google returns some interesting results. The first link was http://boundarydevices.com/hacking-ram-disks/, saying something about mkimage adding 64 bytes of header, and that stripping it with dd would reveal some gzipped data. Let's try this!

Okay, now let's run file and see what it says.

Cool! 121 files sounds nice! Now let's mount the img with the stripped header!

Now let's see what's inside!

Cool! We successfully mounted the img file. Now it's time to dig around and look for that telnet password!
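The 64 bytes that dd skips in the steps above are the legacy U-Boot uImage header, and it carries two CRC32 values that mkimage writes. As an added illustration (not code from the original post), this Python parser reads that header, recomputes both CRCs rather than trusting them, and shows why an image whose payload was edited without rebuilding the header fails the check. The field layout is U-Boot's; the enum tables, function names and the constructed sample image are mine.

```python
import gzip
import struct
import zlib
from dataclasses import dataclass

# Legacy U-Boot uImage header (U-Boot include/image.h): seven big-endian
# 32-bit words, four one-byte enums and a 32-byte NUL-padded name = 64 bytes.
UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">7I4B32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64

# Enum values from image.h, only the ones a DVR image is likely to use.
IH_OS = {5: "linux"}
IH_ARCH = {2: "arm", 5: "mips"}
IH_TYPE = {2: "kernel", 3: "ramdisk", 5: "firmware", 7: "filesystem"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


@dataclass
class UImage:
    name: str
    os: str
    arch: str
    type: str
    comp: str
    size: int
    load: int
    entry: int
    header_crc_ok: bool
    data_crc_ok: bool
    payload: bytes


def parse_uimage(blob: bytes) -> UImage:
    """Parse a legacy uImage and recompute both CRCs instead of trusting them."""
    if len(blob) < HEADER_LEN:
        raise ValueError("input shorter than a 64-byte uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a legacy uImage")
    # ih_hcrc covers the whole header with the ih_hcrc field itself zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER_LEN]
    payload = blob[HEADER_LEN:HEADER_LEN + size]  # ih_size bytes follow the header
    return UImage(
        name=name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        os=IH_OS.get(os_, f"os({os_})"), arch=IH_ARCH.get(arch, f"arch({arch})"),
        type=IH_TYPE.get(typ, f"type({typ})"), comp=IH_COMP.get(comp, f"comp({comp})"),
        size=size, load=load, entry=entry,
        header_crc_ok=zlib.crc32(zeroed) == hcrc,
        data_crc_ok=len(payload) == size and zlib.crc32(payload) == dcrc,
        payload=payload,
    )


def build_uimage(payload: bytes, name: str, *, os_=5, arch=2, typ=3, comp=1,
                 load=0, entry=0) -> bytes:
    """Wrap a payload the way mkimage does: fill the header, then fix both CRCs."""
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
                      zlib.crc32(payload), os_, arch, typ, comp, name.encode("ascii"))
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload


def strip_header(blob: bytes) -> bytes:
    """What `dd if=in.img of=out bs=64 skip=1` does: drop the 64-byte header."""
    return blob[HEADER_LEN:]


def demo() -> tuple:
    # Constructed sample: a gzip'd stand-in for a root filesystem, wrapped as a
    # ramdisk-type uImage, standing in for the firmware's real romfs-x image.
    rootfs = b"stand-in rootfs containing /etc/passwd\n" * 4
    img = build_uimage(gzip.compress(rootfs, mtime=0), "romfs-x")
    assert gzip.decompress(strip_header(img)) == rootfs
    good = parse_uimage(img)
    # Patch one payload byte without rebuilding the header: the header is still
    # valid, but ih_dcrc no longer matches, so the loader rejects the image.
    patched = img[:HEADER_LEN] + bytes([img[HEADER_LEN] ^ 1]) + img[HEADER_LEN + 1:]
    bad = parse_uimage(patched)
    return good.header_crc_ok, good.data_crc_ok, bad.header_crc_ok, bad.data_crc_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```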

What's this in romfs-x, at /etc/passwd? 🙂 We have a line like this:

Then there is another file called passwd- (I have no idea what this is for…)

Okay, so we see from these files that they are not shadowed… Instead of looking like username:x:, they have some kind of hash in the place of “x”.

Now this is the part where I realized that this entire process has already been done by some Russian guys 🙂 My friend Domonkos Tomcsányi googled the hash 😉 It seems to be the same for a lot of IP cameras and DVRs. I downloaded hash-identifier and it identified it as a DES hash. So now we basically just need to crack this hash somehow. I used John the Ripper for this task! By the way, john also immediately identified the hash as DES128.
The hash in passwd- was cracked immediately; the one in passwd took a few hours.

I also took a look at a firmware for a CP-Plus DVR (a lot more complex than the Identivision). It has a similar structure, except the bin file is not just a zip archive; it's more complex. Now this is the part where I realized again that, instead of doing everything manually, I could just use binwalk and have this entire process automated 😉 Try this: binwalk -Me firmware.bin and watch the magic happen 🙂 Binwalk is awesome!!! Oh, and the hash in the CP-Plus was a little different: it used a FreeBSD MD5 [32/32] hash according to john. John is currently cracking the hash 🙂

Security differences between the Identivision DVR and the CP-Plus DVR are actually quite big. For example, the Identivision can only use the digits 0-9 and a “_” character for a 6-character-long password. This gives 11 to the power of 6 combinations. The CP-Plus, by contrast, allows the entire alphanumeric range including special characters. Although this does not affect the login security via the VGA frontend, when the exact same password is used for a WebUI, which is often exposed to the internet, and no brute-force protection is implemented, it is a big security risk!


Note: I'm going to rewrite this article soon with much more precise information, including modifying the firmware images and the structure of the 64-byte uImage header.

I'm also gonna be giving a talk about this topic at Hacktivity. I'll be sure to upload the video and PowerPoint soon after.

  71 comments for “Reverse Engineering DVR firmware”

  1. Tozman
    June 16, 2014 at 13:40

    Great work, but even after finding the password with JTR, I can enter the busybox, and then there is no real way to interact with the DVR itself, except rebooting it, which can somehow be a security flaw…
    What other things did you do from there? (You can email me, as I understand it may not be a good idea to expose those flaws to everyone.)

    • halftome
      June 16, 2014 at 14:49

      On the contrary, you can do quite a bit from busybox. For example, you can cd to /mnt/ and access the footage. Most of the system is read-only, but mnt is rw, and I think there is one more partition which can be modified. Using this, you could install a backdoor, etc. I don't remember which binaries come preloaded with that version of the firmware, but if you have wget, you could easily download and run malware. (Of course you would have to compile for that platform.)
      I don't have the hardware anymore, but if I have some time this summer, I will try running some code on it; I doubt it has a code-signing check enabled…
      But feel free to ask me if you have any questions, and snoop around in busybox: go to the /bin dir and see what kind of binaries are available. Also, the system uses some kind of proprietary software called Sofia (if I remember correctly), which handles the system GUI etc. Now, that is on a read-only partition, but if you can modify the memory with something, you should be able to pretty much do anything from there on.
      You can also check out my video on this, here: https://www.youtube.com/watch?v=A9ea9fllnME

      • January 1, 2017 at 16:26

        I want to change the logo on my DVR.
        Please help me.

  2. lenon leverson
    July 1, 2014 at 04:51

    Good night, Benjamin.

    I wonder if you could pass on the information on how to modify the firmware (such as the logo and images), and then rebuild and upgrade the DVR.

    Thank you

    • halftome
      July 1, 2014 at 10:38

      I haven't tried modifying the firmware yet, but I plan to make a custom firmware for the device sometime this summer. I will let you know when I have succeeded 🙂 I will probably write a post about it, similar to this one.

      • Josh
        December 8, 2015 at 01:07

        Do you know how to modify it now? I want to change my DVR's logo image.

        • halftome
          December 10, 2015 at 14:33

          Sure! Extract the logo partition from the firmware or the device's flash, then unpack it with cramfstools. Make your changes, and repack it with cramfstools.
          When your packed image is finished, just use dd to write it back to the device: dd if=yourimage.cramfs of=/dev/mtdblockn. Replace ‘n’ with whatever partition your logo is at.
          (To be safe, unmount the partition before you write to it.) When you are done, the new logo should be there 🙂

          • Name123
            July 26, 2019 at 11:53

            I wonder why people want to replace the boot logo.
            The first thing I would patch is the sick, unusable
            8-bit/8000 Hz sound, while the hardware can do 16-bit/32000 Hz
            (nvp6114). Or the boot-up time of 40 seconds, because it boots
            twice. I've seen the system unrar another system and require
            a reboot. Maybe low flash space.
            Tried to change the “AVEnc” file audio bitrate & sample rate to 00,01,20,11,15,14
            but it has no effect. I had the idea to set up the NVP6114 with
            an additional controller for better audio, but the processor uses the
            I2C interface all the time, so it doesn't work.
            Did you make a custom firmware already? Could you make
            an audio fix?

  3. lenon leverson
    July 1, 2014 at 14:50

    Can you at least tell me how I can extract and compress this file type, cramfs.img?

    thank you

    • halftome
      July 2, 2014 at 09:57

      Info on how to extract it is written in the post. We remove the header with dd, then extract. To re-construct, we need to know a bit more about that header. Can we just pack and put the same header back on? Or maybe it has some kind of checksum we need to calculate. Sorry, I don't have info on the PPC boot image header, but if you google it, you can find out about the structure. Or you can wait a bit; probably in a week I will try to make some mods and let you know how it works.

  4. halftome
    July 9, 2014 at 13:39
  5. dvr MBD6308T
    July 23, 2014 at 19:12

    Original version (build117):
    General_General_AHB7004T-EL_V4.02.R11.20140709
    Here:
    http://www.mediafire.com/download/4ay2os51else1ud/General_General_AHB7004T-EL_V4.02.R11.20140709.bin

    Unzip, then with Notepad++ delete the first 64 bytes, save, and unzip again.

    Unpacked here: http://www.mediafire.com/download/u7tll28nv2maa2y/General_General_AHB7004T-EL_V4.02.R11.20140709unpacked.zip

    Next question: how to repack after modding? Zip, then add the first 64 bytes and zip again? (I use 7zip)

    • halftome
      August 25, 2014 at 15:27

      After modding, you can repack using uboot-mkimage.
      More info here: http://www.isysop.com/unpacking-and-repacking-u-boot-uimage-files/

    • yurius
      March 14, 2015 at 15:14

      How do you do “unzip, then with Notepad++ delete the first 64 bytes, save, and unzip again”?

      • halftome
        April 1, 2015 at 04:27

        Instead of Notepad++, use a hex editor, or simply use “dd” like I did.

  6. gasinmars
    December 1, 2014 at 14:34

    Could you tell me how to add the Hebrew language to the TVT DVR (DVR interface)?

    Thank you, gasinmars123456@gmail.com

    • halftome
      December 15, 2014 at 04:51

      Hi, my guess would be to put the Hebrew locale with the other languages and repack the image… I haven't tried adding other locales to the img, but will look into it sometime.

  7. Silverrazor
    December 4, 2014 at 11:38

    I really liked your video on hacking CCTV systems. I'm in the CCTV industry and have used the first try in doing JTR for code extraction… because I had the free time to just let it run. Also tried it on other .bin and .tar files. I'm not too familiar with all the CRC, hashes and Linux for that matter, as I'm more into the hardware. But I was wondering how I can extract the data from a romfs-x.ubifs.img file. I first just went ahead and removed 64 from the header. This got me a HIT archive. So I thought it was done. But couldn't get that out. Then I looked at the header CRC count and got 101. Went through that, still didn't get anything. So I looked up UBI/UBIFS files. I then removed 76 and got an AIX core fulldump 32-bit 64-bit file. This led me to another chase. No success there. Was wondering if you can give me a bit of guidance here.

    • halftome
      December 15, 2014 at 04:49

      Could you post a link to the .bin file for me?

      • Silverrazor
        December 16, 2014 at 08:08

        Here is the link for it

        http://tinyurl.com/nlzpk8j

        http://preview.tinyurl.com/nlzpk8j in case you want to check where it goes.
        It will be available for about a week from today.

        I got stuck around removing the UBIFS headers. Apparently they are random headers at random points? I believe I have to set up a virtual ROM device on Linux, then I can mount it there, then some more stuff that I got confused on. A normal loop mount won't work on this, as this goes to a chip. I'm looking up how to create this “virtual chip device on Linux”.

        Thanks for any guidance.

        • halftome
          December 20, 2014 at 13:09

          Just finished up my exams for December, so hopefully I’ll have some time to check it out this month 😉

          • Silverrazor
            January 7, 2015 at 10:02

            I have tried a couple of runs at it with only some theory behind it. I have had enough time to fiddle around with virtual ROM-ing to mount that UBIFS file. Either I'm mounting it wrong or something along those lines. I think you might have better luck on this than I would.

  8. Sergey
    January 24, 2015 at 20:56

    Hi!
    Tell me the password for root. Hash: ab8nBoH3mb8.g

    • halftome
      January 26, 2015 at 13:57

      You can find out the password for yourself with John The Ripper 🙂

  9. daviceva
    March 4, 2015 at 13:25

    Excellent work. I need to know how to get the source code, to install it on other hardware and also change it to my taste.

    • halftome
      April 1, 2015 at 04:26

      I doubt you would be able to get the source-code 🙂

  10. BlackDec
    March 4, 2015 at 21:04

    I have a new version of the firmware, dated 2014.
    You can find it here:
    https://pan.sohu.net/f/MTY3NjEsaGRpZGg.htm

    I have access via telnet to my DVR.
    The hash of the password is the same as in your video (xc3511) with root.
    Do you have any idea how to download an image or copy of the DVR's operating system and copy it to a new motherboard with all the same features as the DVR?

  11. May 8, 2015 at 19:57

    Hello, I found your article very informative. I was wondering about recompiling the files after I changed the logo file. I was able to strip the header, mount the file and see what each of the files contained. Just wanted to see if it was possible to rebuild and then reinstall on the box.

  12. Anishjain
    September 29, 2015 at 17:37

    Hello,

    Please provide with your email, we want you to reverse engineer our dvr. The DVR needs a logo change & that can only be achieved through accessing backend. We want to replicate the same process for all our existing & new stock.

    Also, we will pay you for helping us do this, and we have OEM rights, so everything we are doing is completely legal.

    • halftome
      September 29, 2015 at 22:18

      I sent you an email.

      • Peter Mason
        February 14, 2019 at 12:55

        I see this is an older thread. But I am interested in replacing the logo on the DVR brand that I use as well. I have absolutely no experience with Linux and don’t want any. What is the cost to investigate reverse engineering our DVR branding? I would be happy to ship a DVR to you. And of course, I would need an easy way to burn each new DVR ‘in-house’ ourselves afterwards.
        The brand we use is Clinton Electronics. You can download their DVR update file from their website.

  13. Bhavesh
    November 23, 2015 at 12:16

    I want to make my own desktop application which can record H.264 video from the DVR.

    • halftome
      November 24, 2015 at 11:52

      There are a few applications like this (open-source ones). You should check them out on GitHub for reference.

      • Bhavesh
        November 24, 2015 at 12:19

        Thanks, I will check. I am planning to create a web-based system which can record RTSP and play it.

  14. Josh
    December 13, 2015 at 17:48

    Thank you very very much.
    I tried it, but I couldn't make it work. Can you teach me step by step? I really want to pay you as appreciation… please…

    • halftome
      January 7, 2016 at 12:26

      I’m working on making a tutorial.
      Until then you can drop me an email with your request here h@lfto.me

      • Giovanni
        February 10, 2016 at 07:15

        Thanks it will be great!

  15. Carlos
    February 17, 2016 at 21:19

    Hello, I have a question: how can I crack the password hash for Account1 (admin)? John tries and fails.

  16. Allodo
    July 1, 2016 at 09:38

    Hi,

    I want to change the sound files for my intercom.
    Therefore I unzipped the Firmware.bin, and with binwalk I extracted the included data-x.cramfs.img so I can change the sound files. But now I don't know how to repack it all together.

    I think the main problem is the 64-byte header.

    Can anybody help me to repack the data-x.cramfs? Maybe with a link to a tutorial?

    Thanks in advance

  17. August 11, 2016 at 14:04

    Made a report on a very similar device; I think it shares almost the same firmware:
    https://github.com/tothi/hisilicon-dvr-hack

    Reversed the authentication part of the ‘Sofia’ binary.
    Found a universal admin password for the DVR application.

    So the application is backdoored as well (not just the OS) 😉

    • halftome
      August 11, 2016 at 14:43

      Nice 🙂 We could run into each other at BME sometime 😉

    • Andres Rojas
      September 30, 2016 at 03:51

      Tothi, would you please be so kind as to reupload the Sofia admin password hack? The Python script.

      It's not available anymore.

      thank you.

      BTW, my email is lrojasma@gmail.com if anything comes up.

      Thank you so much.

      • pyur
        January 25, 2017 at 08:36

        Assume {0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04, 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e} is an MD5 hash. Transform it into an ASCII string:
        sum = first_char + second_char;
        value = sum % 62; // value = sum - ((sum / 62) * 62)
        if (value >= 0 && value < 10) char = value + 48;            // '0'..'9'
        else if (value >= 10 && value < 36) char = value + 65 - 10; // 'A'..'Z'
        else if (value >= 36 && value <= 61) char = value + 97 - 36; // 'a'..'z'
        Repeat seven more times for the remaining bytes.
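As an added example, not part of pyur's comment or of tothi's repository: the transform described above in Python, fed the sixteen bytes quoted in the comment (which happen to be the MD5 of the empty string), together with the checks a defender would run on a value found in a device's configuration dump. The function names and the audit helper are mine.

```python
import hashlib
import math

# Output alphabet implied by the comment's three branches: value 0-9 -> '0'..'9'
# (+48), 10-35 -> 'A'..'Z' (+65-10), 36-61 -> 'a'..'z' (+97-36).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed input: the sixteen digest bytes quoted in the comment above.
SAMPLE_DIGEST = bytes([0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
                       0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e])


def fold_digest(digest: bytes) -> str:
    """Fold a 16-byte MD5 digest into 8 base-62 characters, one per byte pair."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    # Each pair of bytes sums to at most 510; mod 62 leaves one of 62 symbols.
    return "".join(ALPHABET[(digest[i] + digest[i + 1]) % 62] for i in range(0, 16, 2))


def stored_form(password: str) -> str:
    """The stored credential as the comment describes it: MD5 the password, then fold."""
    return fold_digest(hashlib.md5(password.encode("utf-8")).digest())


def audit_stored_value(stored: str) -> dict:
    """Defender-side checks for one value pulled out of a device's config dump."""
    return {
        # Exactly 8 characters, all from the base-62 alphabet.
        "well_formed": len(stored) == 8 and all(c in ALPHABET for c in stored),
        # The scheme has no salt, so an empty password stores as the same string
        # on every device running this software; a fleet audit can grep for it.
        "is_empty_password": stored == stored_form(""),
    }


def retained_bits() -> float:
    """Information left after folding: 8 symbols of base 62, not MD5's 128 bits."""
    return 8 * math.log2(62)  # about 47.6
```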

    • February 22, 2017 at 10:06

      Sorry for removing the report; it is under a complete rewrite. Found some more serious, critical issues with the device. Now, at last, it can be made public.

      A short description with working PoC code is available in my git repo: https://github.com/tothi/hisilicon-dvr-hack
      More detailed information has been released on the SecuriTeam Blog: https://blogs.securiteam.com/index.php/archives/3025

      Maybe full details will be released on my GitHub later…

  18. Steeve
    December 26, 2016 at 10:18

    Hello HalfTome,
    I have some problems with my DVR; I need your help and I want to know if you can help me.
    I bought a DVR on Lightinthebox's site; the DVR brand is YANNSE and it can't send alert mail.
    After testing all possible configurations, I entered the DVR with telnet and saw that it runs a BusyBox OS. I searched for where the problem came from, and it seems that there is no function to send mails.
    The problem is that BusyBox is all write-protected and I don't see how I will add a new function.
    Can you help me? Is there a solution?
    Thanks a lot for your answer
    Steeve

  20. Gentle Ben
    February 19, 2017 at 11:58

    Gonna remember you for the rest of my life as the guy that introduced me to binwalk.

    • halftome
      February 19, 2017 at 18:53

      Lol, I’m honored 🙂

      • MM
        May 2, 2017 at 22:12

        Hi Benjamin,

        Thanks for your post. Like Alan, I have a similar problem with my NVR 7816T-F. After loading an update file the NVR is stuck on the logo. Logged in and noticed that Sofia is wiped and /usr .. /mnt/web .. and /mnt/custom are all empty. Files wiped. Sofia is also not running any more.

        Any idea how to re-activate the net download app, so that a new file can be uploaded?

        Cheers
        MM

        • MM
          May 4, 2017 at 23:25

          Solved the difficulty. No need for assistance.

          cheers
          mm

          • Andrey
            May 21, 2017 at 09:20

            How did you solve this?

  21. Alan
    March 17, 2017 at 11:07

    Hello, this is a great post, but I have the following problem.
    My DVR is stuck on the logo. How can I load new firmware via telnet? I only have telnet access to the DVR.
    Thanks in advance
    Alan

  22. June 11, 2017 at 09:50

    Just a simple question.
    In case we find a suitable ROM and identify the Linux kernel version, is it possible to copy the encrypted string of a known password, created in the /etc/passwd of another NVR/system/PC running the same Linux kernel version, into the ROM image, so that it replaces the unknown password in the NVR?
    I have no shadow file in my ROM.

    The procedure would be as follows:
    1) System1 has an unknown password, but we have a suitable ROM file with some unknown password in it.
    2) Identified the kernel version of the ROM as 4.0.x.
    3) Created another System2 on a PC with kernel version 4.0.x, on which we have root access.
    4) Created/changed the root password to Abcd$1234$.
    5) Copied the encrypted string of the root password from /etc/passwd of System2.
    6) Modified the ROM file and replaced the root password string with the one created on System2.
    7) Updated the ROM in the NVR (System1), which now has a new root password known to us.
    8) Later, System1 can change its root password to a new strong password.

    If this works, then it will save time.
    Last night at 10 PM I started John; now at 2 PM the password is not yet cracked.
    My passwd file has only one password, and that is root's.
    1 password hash (Traditional DES [128/128 BS SSE2])

    -regards

    • halftome
      August 11, 2017 at 16:16

      You don't even need the same kernel version. The format of /etc/passwd is the same. Yes, you could overwrite it, which would be easier. Cracking the password, however, allows you to access all devices running the same firmware (way more fun) 🙂

      • August 12, 2017 at 11:25

        It is not so easy…
        Now disassembling and reassembling the ROM file is a problem.
        7zip opens it, but there is something more than the actual content in the ROM.
        I mean some additional data or media other than the actual firmware.

  23. Edu
    September 18, 2017 at 11:50

    Hi There!
    My friend is asking for help with these DVRs. He said that all the users leave a trace in the DVR log (the GUI log, not the Linux log :) ), but the “superuser” seems not to leave any log when they access the system, either via console or via network access.
    Do you think there's a way to modify this, or to create another user with the same privileges that DOES generate a trace, and disable the original?

    Thanks!

  24. John R
    September 28, 2017 at 02:18

    When I run pwn_hisilicon_dvr.py, I get a “NameError: badchar 0x0 in shellcode!” error. Any ideas why?

  25. November 11, 2017 at 15:45

    Hello,

    The core of the problem perfectly described here: https://www.pcworld.com/article/3034265/hard-coded-password-exposes-up-to-46000-video-surveillance-dvrs-to-hacking.html

    Did you try to decompile a firmware from this developer, Zhuhai RaySharp Technology?

    Thank you in advance.

    • halftome
      November 11, 2017 at 19:47

      No, I did not (yet)

  26. November 22, 2017 at 21:49

    Dude!! You have made my day! I have a Reolink that I just want to add some custom camera configs to (D-Link camera on a Reolink NVR RLN16-410). I'm currently only able to add them as port-80 ONVIF. This doesn't work correctly for preview and record.

  27. Chris
    August 18, 2018 at 22:41

    Wow, this was exactly what I was looking for. Great work, seriously! I'm looking into replacing the firmware with a basic Linux one. And maybe put better DVR software on it, like Zoneminder or something, if that's supported at least. Anyway, I'm surprised you haven't found any backdoors or rootkits. The Chinese must have something in place to spy on you…

    • halftome
      August 19, 2018 at 08:29

      No backdoors? What do you call a built-in telnet wide open, with a hard-coded password, and no information to the user about its existence, or any provided way to disable it? 😉

  28. Hamza
    October 24, 2018 at 02:03

    Did you ever make any progress with modifying the firmware and packing it back up to update the DVR? (Or in other words, making custom firmware for the DVR.)

    I picked up the firmware that was used for my DVR, tried updating with it and it ran through as normal. So I opened up the .bin to find the same type of .img files. I got inside and saw one for the web server portion of the DVR, so I made an edit to the HTML file so I'd know if my changes were made. But as soon as I packed the .img back up and placed it back in the .bin, the DVR wouldn't take the update and restarted to its normal self.

    Is there some sort of protection the system has against modified firmware? Maybe a checksum? I saw in the InstallDesc there is a CRC value of 1c59187200003339, but I couldn't see any main file (or the bin itself) having that value.

    • halftome
      October 25, 2018 at 09:56

      It depends on the DVR. I never got around to modding the firmware, but it should be possible. The only thing to remember is that you need to repack the .img, usually cramfs, and afterwards you will need to re-add the 64 bytes of header required by U-Boot. This contains checksum info as well, so you will need to update that. You should be able to use mkimage for that: https://www.systutorials.com/docs/linux/man/1-mkimage/

  29. throwaway1
    February 17, 2019 at 01:51

    FWIW, passwd- is a backup file created by vipw(8), which locks /etc/passwd while it’s being edited and syntax-checks it afterwards in order to prevent corruption and lock-outs. (There’s also shadow- for vipw -s, group- for vigr and gshadow- for vigr -s.) A modern program would probably name the backup passwd~, but this thing is ancient (4.0BSD, 1980).

    In short, somebody forgot to clean the rootfs after changing the password.

    • halftome
      July 8, 2019 at 12:10

      Thanks for that information. Nice to know 🙂

  30. Shreyash KRISHNAKANT Rami
    February 23, 2019 at 15:22

    hello,

    Can you please guide me if I want to create custom firmware for DVRs?
