Dahua DHI-ASI7213X-T1 firmware analysis

bootloader (n3wb, joined Jul 26, 2021, Berlin)
Hi guys,
I'm having some fun with a hardware/software analysis of the Dahua DHI-ASI7213X-T1 thermal camera, and I have some questions for you:

HARDWARE:
- Can anyone explain to me why there is an STM32F103C8 on the back side of the PCB?

SOFTWARE:
I tried to decompress the firmware (DahuaWiki) using both binwalk and the tools posted in this forum some years ago (GitHub - BotoX/Dahua-Firmware-Mod-Kit: Unpack and repack Dahua IP camera firmware upgrade images.). With those tools I only succeeded in extracting the u-boot.bin file correctly; the other sections of the firmware are not decompressed correctly.
Here are some screenshots of the binwalk result, together with the list of obtained files.
[Attached screenshots: binwalk output and the list of extracted files]

As for dhboot (which is actually U-Boot), there are no problems; it is correctly extracted.
I tried to use unsquashfs and sasquatch to read the content of the squashfs files, but without any good results.
Binwalk produces two .gz files in the _firmware-x.squashfs.img.extracted folder, but the common unzip tools cannot open them.
The _partition-x.cramfs.img.extracted folder contains only empty files.

I noticed that the U-Boot contains an AES inverse S-box; are there any encrypted sections?

Can someone help me in figuring out how to correctly read those files?

Thank you!

sina55555 (n3wb, joined May 18, 2021, ir)
The firmware structure of access controllers is something like that of Dahua intercoms, and the STM chip is the MCU microcontroller for controlling the modules of the board.

alastairstevenson (Staff member, joined Oct 28, 2014, Scotland)
As for dhboot (which is actually U-Boot), there are no problems; it is correctly extracted.
I tried to use unsquashfs and sasquatch to read the content of the squashfs files, but without any good results.
If you replace the 'DH' in the first 2 bytes with 'PK', the firmware becomes a proper zip file, allowing all the components to be extracted.
The *.img components are in uImage format and can be unwrapped.
But you will then see that the files have been subject to the Dahua signing and encryption process that they have been using for a while now, as evidenced by the "SecrityImgMagic V2.0" reference and signature block at the end of the files.

Code:
alastair@PC-I5 ~/cctv/Dahua/tmp $ hd -n 100 Customer_ASI72XXX_EngFrn_NP_V1.000.10BE006.0.R.201213_mod.bin
00000000  50 4b 03 04 14 00 00 00  08 00 e6 85 8d 51 11 0f  |PK...........Q..|
00000010  66 95 86 00 00 00 d6 04  00 00 04 00 1c 00 68 77  |f.............hw|
00000020  69 64 55 54 09 00 03 0f  d5 d5 5f 0f d5 d5 5f 75  |idUT......_..._u|
00000030  78 0b 00 01 04 19 97 10  00 04 41 44 0f 00 ab e6  |x.........AD....|
00000040  52 ca 28 cf 4c 51 52 b0  52 88 e6 52 72 0c f6 34  |R.(.LQR.R..Rr..4|
00000050  37 32 34 8e b0 32 30 b4  32 30 b1 32 30 b5 32 37  |724..20.20.20.27|
00000060  b5 32 06 32                                       |.2.2|
00000064
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $ unzip Customer_ASI72XXX_EngFrn_NP_V1.000.10BE006.0.R.201213_mod.bin
Archive:  Customer_ASI72XXX_EngFrn_NP_V1.000.10BE006.0.R.201213_mod.bin
  inflating: hwid                   
  inflating: Install                 
  inflating: check.img               
  inflating: dhboot-min.bin.img     
  inflating: dhboot.bin.img         
  inflating: kernel.img             
  inflating: romfs-x.squashfs.img   
  inflating: web-x.squashfs.img     
  inflating: pd-x.squashfs.img       
  inflating: partition-x.cramfs.img 
  inflating: data-x.squashfs.img     
  inflating: firmware-x.squashfs.img 
 extracting: sign.img               
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $ dumpimage -o kernel kernel.img
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $ dumpimage -l kernel.img
Image Name:   kernel
Created:      Sun Dec 13 08:42:34 2020
Image Type:   ARM Linux Firmware (uncompressed)
Data Size:    4135760 Bytes = 4038.83 KiB = 3.94 MiB
Load Address: 04600000
Entry Point:  05600000
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $ file kernel
kernel: data
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $
alastair@PC-I5 ~/cctv/Dahua/tmp $ grep SecrityImgMagic *
Binary file data-x.squashfs.img matches
Binary file dhboot.bin.img matches
Binary file dhboot-min.bin.img matches
Binary file firmware-x.squashfs.img matches
Binary file kernel matches
Binary file kernel.img matches
Binary file partition-x.cramfs.img matches
Binary file pd-x.squashfs.img matches
Binary file romfs-x.squashfs.img matches
Binary file web-x.squashfs.img matches
alastair@PC-I5 ~/cctv/Dahua/tmp $
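The procedure above (patch 'DH' to 'PK', unzip, unwrap each uImage, look for the "SecrityImgMagic" trailer) as an added, self-contained Python example. This is my own code, not a Dahua tool or anything from the thread. It parses the legacy 64-byte U-Boot uImage header (magic 0x27051956, header and data CRC32, load/entry addresses, OS/arch/type/compression bytes, 32-byte name) and verifies both CRCs, which is what `dumpimage -l` reports. It assumes the signature block lies inside the uImage payload (consistent with `grep SecrityImgMagic` matching the unwrapped `kernel` above). The input is a constructed miniature firmware, not a real Dahua image, and the `build_sample_firmware` helper exists only to make the example runnable offline.

```python
"""Dahua 'DH' firmware unwrapper: DH->PK patch, zip listing, uImage header
parse with CRC checks, and SecrityImgMagic trailer detection (added example)."""
import io
import struct
import zipfile
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")   # legacy uImage header, 64 bytes, big-endian
SIGN_MAGIC = b"SecrityImgMagic"                  # marker string seen in the thread (sic)

# Only the codes relevant here; values from U-Boot's image.h
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {2: "Kernel Image", 5: "Firmware"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2"}


def dh_to_zip(blob: bytes) -> bytes:
    """Dahua upgrade images are PKZIP archives whose first two bytes are
    overwritten with 'DH'. Restore 'PK' so zipfile can read the local header."""
    if blob[:2] == b"PK":
        return blob
    if blob[:2] != b"DH":
        raise ValueError("not a Dahua 'DH' image (got %r)" % blob[:2])
    return b"PK" + blob[2:]


def parse_uimage(img: bytes) -> dict:
    """Parse a legacy U-Boot uImage header, verify header and data CRCs,
    and return the decoded fields plus the raw payload."""
    if len(img) < UIMAGE_HDR.size:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = UIMAGE_HDR.unpack_from(img)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # the header CRC is computed with the ih_hcrc field itself zeroed
    hdr_zeroed = img[:4] + b"\0\0\0\0" + img[8:UIMAGE_HDR.size]
    if zlib.crc32(hdr_zeroed) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    payload = img[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    if len(payload) != size:
        raise ValueError("uImage truncated: header says %d bytes, have %d" % (size, len(payload)))
    if zlib.crc32(payload) != dcrc:
        raise ValueError("uImage data CRC mismatch")
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "timestamp": ts, "size": size, "load": load, "entry": ep,
        "os": IH_OS.get(os_, str(os_)), "arch": IH_ARCH.get(arch, str(arch)),
        "type": IH_TYPE.get(typ, str(typ)), "comp": IH_COMP.get(comp, str(comp)),
        "payload": payload,
    }


def has_dahua_signature(payload: bytes) -> bool:
    """Assumption: the signing/encryption trailer carrying 'SecrityImgMagic'
    sits near the end of the unwrapped payload."""
    return SIGN_MAGIC in payload[-4096:]


def unwrap_firmware(blob: bytes) -> dict:
    """Patch DH->PK, list the archive, unwrap every uImage *.img member and
    report whether its payload carries the Dahua signature block."""
    zf = zipfile.ZipFile(io.BytesIO(dh_to_zip(blob)))
    report = {}
    for member in zf.namelist():
        data = zf.read(member)
        if member.endswith(".img") and data[:4] == b"\x27\x05\x19\x56":
            info = parse_uimage(data)
            info["signed"] = has_dahua_signature(info["payload"])
            report[member] = info
        else:
            report[member] = {"size": len(data), "signed": False}
    return report


def build_sample_firmware() -> bytes:
    """Constructed test input (NOT a real Dahua image): a zip holding 'hwid'
    and a uImage 'kernel.img' whose payload ends in a fake signature block."""
    payload = b"\x00" * 256 + b"SecrityImgMagic V2.0" + b"\x00" * 44
    ts, load, ep = 1607848954, 0x04600000, 0x05600000
    name = b"kernel".ljust(32, b"\0")
    dcrc = zlib.crc32(payload)
    # os=Linux, arch=ARM, type=Firmware, comp=none, as dumpimage showed above
    hdr0 = UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, ts, len(payload), load, ep, dcrc, 5, 2, 5, 0, name)
    hcrc = zlib.crc32(hdr0)
    hdr = UIMAGE_HDR.pack(UIMAGE_MAGIC, hcrc, ts, len(payload), load, ep, dcrc, 5, 2, 5, 0, name)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hwid", "ASI72XXX\n")
        zf.writestr("kernel.img", hdr + payload)
    return b"DH" + buf.getvalue()[2:]   # Dahua's 'DH' stamp over the PK signature


if __name__ == "__main__":
    for member, info in unwrap_firmware(build_sample_firmware()).items():
        print(member, {k: v for k, v in info.items() if k != "payload"})
```

To use it on a real download, replace `build_sample_firmware()` with `open("Customer_....bin", "rb").read()`; the CRC checks will tell you whether a member was unwrapped cleanly before you spend time on the payload. Note that a correct uImage CRC says nothing about the payload being readable: the signed/encrypted content is exactly what the trailer marks, which is why `file kernel` above reports plain `data`.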

bootloader (n3wb, joined Jul 26, 2021, Berlin)
@alastairstevenson, thank you for the reply.
If you replace the 'DH' in the first 2 bytes with 'PK', the firmware becomes a proper zip file, allowing all the components to be extracted.
The *.img components are in uImage format and can be unwrapped.
Yes, this is also what the tool posted in this forum some years ago proposes.
The still open question is: where is the encryption key? Is it in the U-Boot?
Looking at the PCB of the thermal camera, I cannot spot any other flash memory except the main one, where the firmware should be placed.
Another guess is that the key is in a memory within the SoC.
In the U-Boot binary I found the AES decrypt function, the inverse S-box, etc.
Does anyone have an idea about where the encryption key could be?

Thanks!