G0/G1 - 2CD2145F CN to English conversion (work-in-progress)

[nithin]

2CD2145F-IS Chinese model 4MP based on HI-Silicon H3516c processor (G0/G1?) platform
I have been unsuccessful in changing the language to CN to EN.
Any help in finding a way to downgrade existing bootloader to a older version is appreciated.

Current Firmware Link (#3) - V5.4.41 Build170710
My camera came with firmware 5.4.24_170303.
I have established RS232 serial access to the camera (see next post for details).
My observations about this camera:
1) Came with u-boot version is - U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03)

followings are the only options available in u-boot menu:

HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS #

2) u-boot prevents updating the setenv variables, thus any attempt to override bootarg fails
3) u-boot performs the signature check to prevent overwriting the u-boot with older version (see below)

HKVS # updateb
*******************************************************
* ATTENTION: PLEASE READ THIS NOTICE CAREFULLY! *
* DO NOT reset the device, or disrupt this process. *
* If this process fails, the device might be unusable.*
* If you find this too risky, power off device now. *
* or press the SPACE key to start the process now *
*******************************************************
ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 54-C4-15-27-F6-29
TFTP from server 192.168.1.128; our IP address is 192.168.1.64
Download Filename 'u-boot_g0.bin'.
Download to address: 0x82000000
Downloading: # [ Connected ]
##########
done
Bytes transferred = 333192 (51588 hex)
set public key failed.
ver failed!
resetting ...
HKVS #

 

[nithin]

RS232 wiring info for DS-2CD2145F


RED - RX (TX on RS232 Adapter)
BLACK - TX ( RX on RS232 Adapter)
WHITE - GND

 

[alastairstevenson]

ame with u-boot version is - U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03)
followings are the only options available in u-boot menu:

Unless there are hidden commands not listed in the help - that's a pretty brain-damaged u-boot. Plus the code-signing requirement is a real barrier.
And it may be that a signed version of the old bootloader may not exist.

u-boot prevents updating the setenv variables, thus any attempt to override bootarg fails

But why then provide a setenv if saveenv does not work? That's odd.

 

[nithin]

But why then provide a setenv if saveenv does not work? That's odd.

setenv works with limited arguments such as ipaddr, serverip, netmask etc.
setenv seems to ignore bootargs, bootcmd, bootfile etc.

I tried setenv for bootargs followed by a saveenv and if I call printenv, I see no changes to bootargs are saved.

Unless there are hidden commands not listed in the help - that's a pretty brain-damaged u-boot. Plus the code-signing requirement is a real barrier.
And it may be that a signed version of the old bootloader may not exist.

The bootloader accepts firmware from 5.40.xx onwards using tftp server method. The firmware versions 5.40+ seems to introduce firmware signing. I am hoping to find a signed version of the firmware with full shell access (with dd, cat, etc.,). I still suspect Hikvison left hidden bootlodaer commands for backdoors. Thus far I am not able to uncover any such hidden options/commands. Alternatively, we can uncover the signing key used ....

 

[nithin]

I forgot one more detail -
The camera was purchased on Newegg.com and came with EN language set - original firmware 5.4.15_160608.
They somehow even made the serial # appear WR in the web UI.
This means whoever sold the camera know how to reset language to English on this CN camera.
After I attempted to update the firmware, now I am stuck with CN language (and CN appears in the camera serial #)

 

[montecrypto]

I still suspect Hikvison left hidden bootlodaer commands for backdoors. Thus far I am not able to uncover any such hidden options/commands.

There are no hidden commands in uboot except "go." that loads sec.bin file from tftp. That file contains the rest of the u-boot, including all the commands you need to directly access ubifs filesystem or memory. Hikvision is obviously not interested in sharing sec.bin, but there have been leaks. Each u-boot version uses a matching sec.bin

 

[nithin]

Thanks @montecrypto,

There are no hidden commands in uboot except "go." that loads sec.bin that contains the rest of the u-boot. That sec.bin has all the commands you need to directly access ubifs filesystem or memory. Hikvision is obviously not interested in sharing sec.bin, but there have been leaks. Each u-boot version uses a matching sec.bin

I have tried sec.bin with go. command from Watchdata EMV chips in R6, G0 and other cameras (thanks @JAFO)
but nothing happens (see logs below)

HKVS # go.
ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 54-C4-15-27-F6-29
TFTP from server 192.168.1.128; our IP address is 192.168.1.64
Download Filename 'sec.bin'.
Download to address: 0x81fffed8
Downloading: # [ Connected ]
##########
done
Bytes transferred = 333192 (51588 hex)
Exit1!
HKVS #

I think the sec.bin fails signature check and does nothing.
As per your comments, I need matching sec.bin for U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03).

On another note, if I can corrupt part of NAND at partition #0 - bld, (0x00000000, size 0x00100000) would it cause bootstrap code to fault allowing a way to side load the u-boot code?
For this trick to work, I still need to find an exploit to cause dd command to run. I am sure someone else may have figured this out

Thanks in advance.

 

[Gul-Dukat]

need to find an exploit to cause dd command to run

I think you will find the busybox within is a cutdown version and wont have dd
My version 2xx5 cameras all had BusyBox v1.19.3 (2015-09-24 09:15:35 CST) which was missing a number of functions including dd.
I ended up getting a much more recent and jam-packed version for the ARMv7

https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l


I was able to mount my NFS server over the network and run that busybox... however that was because I had ash and not psh already.

 

[Gul-Dukat]

There is another sec.bin you might want to try.

the one you have tried from Watchdata EMV chips in R6, G0 and other cameras
; 333192 sec.bin md5 - 4a32d83a3265f3c43c5691a672d3f748
Jafo also posted a different one G0 baremetal app for a limited u-boot ver
; 5528 sec.bin md5 - 114f9b0cedc67d0b9a5b62774b0184d1

 

[nithin]

There is another sec.bin you might want to try.

the one you have tried from Watchdata EMV chips in R6, G0 and other cameras
; 333192 sec.bin md5 - 4a32d83a3265f3c43c5691a672d3f748
Jafo also posted a different one G0 baremetal app for a limited u-boot ver
; 5528 sec.bin md5 - 114f9b0cedc67d0b9a5b62774b0184d1

I have tried that sec.bin without luck. u-boot seems to enforce signature check, preventing from loading it.

 

[nithin]

I think you will find the busybox within is a cutdown version and wont have dd
My version 2xx5 cameras all had BusyBox v1.19.3 (2015-09-24 09:15:35 CST) which was missing a number of functions including dd.
I ended up getting a much more recent and jam-packed version for the ARMv7

https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l


I was able to mount my NFS server over the network and run that busybox... however that was because I had ash and not psh already.

Hi Gul,
Can you please share the steps to run the generic busybox on G0?
Thanks

 

[alastairstevenson]

Can you please share the steps to run the generic busybox on G0?

Here is a worked example on a DS-2CD3335 :

alastair@PC-I5 ~ $ ssh admin@192.168.1.100
admin@192.168.1.100's password:


BusyBox v1.19.3 (2017-01-18 20:54:04 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# prtHardInfo
Start at 2017-10-13 21:56:52
Serial NO :DS-2CD3335D-I20150619AACH524222564
V5.4.41 build 170710
NetProcess Version: 1.7.1.179932 [14:53:09-Dec 10 2016]
Db Encrypt Version: 65537
Db Major Version: 1176
Db svn info:
Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
Last Changed Rev: 233659
Last Changed Date: 2016-11-08 11:13:39 +0800 (Tue, 08 Nov 2016)
hardwareVersion    = 0x0
hardWareExtVersion    = 0x0
encodeChans        = 1
decodeChans        = 1
alarmInNums        = 0
alarmOutNums        = 0
ataCtrlNums        = 0
flashChipNums        = 0
ramSize            = 0x100
networksNums        = 1
language            = 1
devType            = 0x22501
net reboot count    = 0
vi_type            = 32
Path: /Camera/Platform/Branches/branches_frontend_software_platform/comm_bug_fix/cgi_fix/ipc_repair/ipc_5.4.24_g0
Last Changed Rev: 297913
Last Changed Date: 2017-07-10 21:23:14 +0800 (Mon, 10 Jul 2017)


# mount
rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
ramfs on /home type ramfs (rw,relatime)
udev on /dev type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock7 on /dav type yaffs2 (rw,relatime)
/dev/mtdblock9 on /devinfo type yaffs2 (rw,relatime)
192.168.1.201:/cctv1 on /mnt/nfs00 type nfs (rw,sync,relatime,vers=3,rsize=4096,wsize=4096,namlen=255,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,soft,noac,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=192.168.1.201)
# cd /mnt/nfs00
# ls -al
drwxrwxrwx   13 admin    root          4096 Oct 13 20:09 .
drwxrwxrwx   13 admin    root             0 May  2  2013 ..
drwxrwxrwx   15 admin    nogroup      20480 Oct  9 21:08 @Recycle
drwxrwxrwx    4 503      100           4096 Oct  5 10:01 G0_upd
-rwxr-xr-x    1 admin    root          1772 Oct  5 21:25 app
-rwxrwxrwx    1 65534    nogroup    1109128 May 26  2015 busybox-armv6l
-rwxrwxrwx    1 65534    nogroup    1109128 May  2  2015 busybox-armv7l
-rwxrwxrwx    1 65534    nogroup         84 Jun 18 22:29 commands.txt
-rwxrwxrwx    1 503      100          19672 Jan 23  2017 daemon_fsp_app_545
-rw-rw-rw-    1 503      100          19672 May 30  2016 daemon_fsp_app_IPC_R0_EN_STD_5.4.0_160530
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir0
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir1
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir2
-rwxrwxrwx    1 503      100           5468 Sep 28 20:53 digicapkeyArm.ko
-rw-rw-rw-    1 503      100          30118 May 30  2016 en.tar.gz
-rw-r--r--    1 admin    root        781248 Sep 28 10:06 encode
drwxrwxrwx    4 503      100           4096 Oct  3 21:03 files_5420_running
-rw-rw-rw-    1 503      100        9021594 Oct 13 20:08 g0_app.tar.gz
-rw-r--r--    1 admin    root       9021980 Oct 13 13:46 g0_app.tar.gz_working
-rw-r--r--    1 admin    root        736700 Oct 13 13:46 g0_modules.tgz
-rw-r--r--    1 admin    root            68 Sep  8 19:35 info.bin
-rwxrwxrwx    1 503      100           7314 Oct  9 21:08 initrun.sh
-rw-rw-rw-    1 503      100           7314 Oct  9 21:08 initrun_changemod.sh
-rwxrwxrwx    1 503      100           7242 Oct  9 20:59 initrun_ethtest.sh
-rw-rw-rw-    1 503      100           6674 Oct  8 20:59 initrun_orig.sh
-rwxrwxrwx    1 503      100          19672 May 30  2016 keydump540
-rwxrwxrwx    1 503      100          19672 Jan 23  2017 keydump545
lrwxrwxrwx    1 admin    root            11 Mar 18  2017 linuxrc -> bin/busybox
-rw-r--r--    1 admin    root        524288 Oct 12 19:24 mtd6_before
drwxrwxrwx    2 503      100           4096 May 18 19:43 multimedia
drwx------    2 admin    root          4096 Oct 10 21:06 pulse-PKdhtXMmr18n
drwxrwxrwx    2 admin    root          4096 Feb 28  2017 s500
drwxrwxrwx    3 admin    root          4096 Sep 26 10:51 tmp
drwxr-xr-x   11 admin    root          4096 Sep  8 15:53 xcontents
# ./busybox-armv7l --help
BusyBox v1.21.1 (2013-07-08 10:26:30 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid,
    blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod, chown,
    chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
    cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname,
    dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, ed, egrep, eject, env, envdir,
    envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk,
    fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget,
    ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname,
    httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice,
    iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall,
    killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname,
    logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
    makedevs, makemime, man, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2,
    mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mountpoint, mpstat,
    mt, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
    openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir,
    poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev, readahead,
    readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir,
    rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed,
    sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid, setuidgid, sh,
    sha1sum, sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split,
    start-stop-daemon, stat, strings, stty, su, sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync,
    sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch,
    tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand,
    uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock,
    volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip

#

*edit*
And this could be how to integrate it in permanently, in initrun.sh (camera) or start.sh (NVR) :

# Add in the fuller busybox, which has telnetd in it and more.
mv /home/app/busybox-armv7l /bin
chmod +x /bin/busybox-armv7l
/bin/busybox-armv7l --install -s /bin
/bin/busybox-armv7l telnetd

 

[montecrypto]

Just received a G1. Contrary to popular belief, G1 is not an english equivalent of G0. It is a different camera platform based on Ambarella S3L. It resembles R2 -- the amboot does not have any firmware parsing code, it boots a minisystem that flashes digicap.dav. Good news -- amboot does not appear to be signed, only crc32 is validated and it should be possible to reflash it if needed.

 

[nithin]

Just received a G1. Contrary to popular belief, G1 is not an english equivalent of G0. It is a different camera platform based on Ambarella S3L. It resembles R2 -- the amboot does not have any firmware parsing code, it boots a minisystem that flashes digicap.dav. Good news -- amboot does not appear to be signed, only crc32 is validated and it should be possible to reflash it if needed.

Very interesting. Thanks

 

[alastairstevenson]

Very interesting.

Yes indeed.
Did you see this : [MCR] G1 firmware IPC_G1_EN_STD_5.4.5_170124 -PSH

 

[nithin]

Yes indeed.
Did you see this : [MCR] G1 firmware IPC_G1_EN_STD_5.4.5_170124 -PSH

I have two G0, 2CD2145F-IS cameras, both have drastically different internal PCB designs.
Both use G0 , HiSilicon_V300 CPU (CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d)

Camera #1: (all the electronics + power supply are on 1 board, CMOS sensor+lens on a separate breakout board)


Camera #2: (split design, most of the electronics are camera board, power supply on a separate board, below)


I wonder if they have multiple G0/G1 variations of 2CD-21X5

 

[Gul-Dukat]

My 2135's are also different designs. the 2.8mm lense is on split board. the 4mm is one larger board at the base.

 

[Ca't'h'y]

Here is a worked example on a DS-2CD3335 :

alastair@PC-I5 ~ $ ssh admin@192.168.1.100
admin@192.168.1.100's password:


BusyBox v1.19.3 (2017-01-18 20:54:04 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# prtHardInfo
Start at 2017-10-13 21:56:52
Serial NO :DS-2CD3335D-I20150619AACH524222564
V5.4.41 build 170710
NetProcess Version: 1.7.1.179932 [14:53:09-Dec 10 2016]
Db Encrypt Version: 65537
Db Major Version: 1176
Db svn info:
Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
Last Changed Rev: 233659
Last Changed Date: 2016-11-08 11:13:39 +0800 (Tue, 08 Nov 2016)
hardwareVersion    = 0x0
hardWareExtVersion    = 0x0
encodeChans        = 1
decodeChans        = 1
alarmInNums        = 0
alarmOutNums        = 0
ataCtrlNums        = 0
flashChipNums        = 0
ramSize            = 0x100
networksNums        = 1
language            = 1
devType            = 0x22501
net reboot count    = 0
vi_type            = 32
Path: /Camera/Platform/Branches/branches_frontend_software_platform/comm_bug_fix/cgi_fix/ipc_repair/ipc_5.4.24_g0
Last Changed Rev: 297913
Last Changed Date: 2017-07-10 21:23:14 +0800 (Mon, 10 Jul 2017)


# mount
rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
ramfs on /home type ramfs (rw,relatime)
udev on /dev type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock7 on /dav type yaffs2 (rw,relatime)
/dev/mtdblock9 on /devinfo type yaffs2 (rw,relatime)
192.168.1.201:/cctv1 on /mnt/nfs00 type nfs (rw,sync,relatime,vers=3,rsize=4096,wsize=4096,namlen=255,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,soft,noac,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=192.168.1.201)
# cd /mnt/nfs00
# ls -al
drwxrwxrwx   13 admin    root          4096 Oct 13 20:09 .
drwxrwxrwx   13 admin    root             0 May  2  2013 ..
drwxrwxrwx   15 admin    nogroup      20480 Oct  9 21:08 @Recycle
drwxrwxrwx    4 503      100           4096 Oct  5 10:01 G0_upd
-rwxr-xr-x    1 admin    root          1772 Oct  5 21:25 app
-rwxrwxrwx    1 65534    nogroup    1109128 May 26  2015 busybox-armv6l
-rwxrwxrwx    1 65534    nogroup    1109128 May  2  2015 busybox-armv7l
-rwxrwxrwx    1 65534    nogroup         84 Jun 18 22:29 commands.txt
-rwxrwxrwx    1 503      100          19672 Jan 23  2017 daemon_fsp_app_545
-rw-rw-rw-    1 503      100          19672 May 30  2016 daemon_fsp_app_IPC_R0_EN_STD_5.4.0_160530
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir0
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir1
drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir2
-rwxrwxrwx    1 503      100           5468 Sep 28 20:53 digicapkeyArm.ko
-rw-rw-rw-    1 503      100          30118 May 30  2016 en.tar.gz
-rw-r--r--    1 admin    root        781248 Sep 28 10:06 encode
drwxrwxrwx    4 503      100           4096 Oct  3 21:03 files_5420_running
-rw-rw-rw-    1 503      100        9021594 Oct 13 20:08 g0_app.tar.gz
-rw-r--r--    1 admin    root       9021980 Oct 13 13:46 g0_app.tar.gz_working
-rw-r--r--    1 admin    root        736700 Oct 13 13:46 g0_modules.tgz
-rw-r--r--    1 admin    root            68 Sep  8 19:35 info.bin
-rwxrwxrwx    1 503      100           7314 Oct  9 21:08 initrun.sh
-rw-rw-rw-    1 503      100           7314 Oct  9 21:08 initrun_changemod.sh
-rwxrwxrwx    1 503      100           7242 Oct  9 20:59 initrun_ethtest.sh
-rw-rw-rw-    1 503      100           6674 Oct  8 20:59 initrun_orig.sh
-rwxrwxrwx    1 503      100          19672 May 30  2016 keydump540
-rwxrwxrwx    1 503      100          19672 Jan 23  2017 keydump545
lrwxrwxrwx    1 admin    root            11 Mar 18  2017 linuxrc -> bin/busybox
-rw-r--r--    1 admin    root        524288 Oct 12 19:24 mtd6_before
drwxrwxrwx    2 503      100           4096 May 18 19:43 multimedia
drwx------    2 admin    root          4096 Oct 10 21:06 pulse-PKdhtXMmr18n
drwxrwxrwx    2 admin    root          4096 Feb 28  2017 s500
drwxrwxrwx    3 admin    root          4096 Sep 26 10:51 tmp
drwxr-xr-x   11 admin    root          4096 Sep  8 15:53 xcontents
# ./busybox-armv7l --help
BusyBox v1.21.1 (2013-07-08 10:26:30 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid,
    blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod, chown,
    chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
    cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname,
    dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, ed, egrep, eject, env, envdir,
    envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk,
    fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget,
    ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname,
    httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice,
    iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall,
    killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname,
    logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
    makedevs, makemime, man, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2,
    mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mountpoint, mpstat,
    mt, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
    openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir,
    poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev, readahead,
    readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir,
    rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed,
    sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid, setuidgid, sh,
    sha1sum, sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split,
    start-stop-daemon, stat, strings, stty, su, sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync,
    sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch,
    tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand,
    uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock,
    volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip

#

*edit*
And this could be how to integrate it in permanently, in initrun.sh (camera) or start.sh (NVR) :

# Add in the fuller busybox, which has telnetd in it and more.
mv /home/app/busybox-armv7l /bin
chmod +x /bin/busybox-armv7l
/bin/busybox-armv7l --install -s /bin
/bin/busybox-armv7l telnetd

According to the method you said, I added the code to the initrun.sh（camera） and packed it, but it can‘t upgrade in the camera correctly，I want to know how to upgrade the software what we revised .Thank you ,waiting your reply!

 

[alastairstevenson]

but it can‘t upgrade in the camera correctly，I want to know how to upgrade the software what we revised .

Without more detail on what you tried it's not really possible to suggest what you should do.

 

[wmocahbee]

I know this may be a stab in the dark, is there not a way to put DD on a sd card and mount it and execute it from there?