treeswayinwind
n3wb
model: DS-7816NB-K1 / C
version: V4.30.000 build 200508
in the web page, enable ssh, then ssh root@my-nvr-ip, enter password, i can enter psh(BusyBox v1.2.1 Protect Shell) of hikvision.
this shell only have few commands.but what i need is like ls/ps/top/cat and so on.but when is type this commands, it can't work.
i have noticed that debug command can enter normal shell(not protected).
but when i input 'debug', it need password:
# debug
BgAAAKzLUeFP9mVuND8=
Password:
this is string 'BgAAAKzLUeFP9mVuND8=' is a base64 code, it format is :
[0x06 0x00 0x00 0x00] [MAC address] [ramdom code]
maybe inside nvr, there is a rsa public key, hikvision have the rsa private key, you give the challenge code(BgAAAKzLUeFP9mVuND8=) to hikvision, may be through email, then will use rsa private key to encrypt the challenge code, gen a response code, then they give the response code to you. when you enter the response code, the psh will decrypt the response code(use public key), the decode result is a base64 code,
if the result base64 code is equal to 'BgAAAKzLUeFP9mVuND8=', then you can enter debug mode.
the above is my guess
the rsa public key is easy to obtain. analysis the hikvision firmware, it must strore somewhere.
but the problem is the rsa private key, we cant got it , only hikvision they themselves knows.
and use rsa public key , we cant Obtain the rsa private key.
does anyone has the method, can calcute the response code?
dose anyone has good Suggest?
version: V4.30.000 build 200508
in the web page, enable ssh, then ssh root@my-nvr-ip, enter password, i can enter psh(BusyBox v1.2.1 Protect Shell) of hikvision.
this shell only have few commands.but what i need is like ls/ps/top/cat and so on.but when is type this commands, it can't work.
i have noticed that debug command can enter normal shell(not protected).
but when i input 'debug', it need password:
# debug
BgAAAKzLUeFP9mVuND8=
Password:
this is string 'BgAAAKzLUeFP9mVuND8=' is a base64 code, it format is :
[0x06 0x00 0x00 0x00] [MAC address] [ramdom code]
maybe inside nvr, there is a rsa public key, hikvision have the rsa private key, you give the challenge code(BgAAAKzLUeFP9mVuND8=) to hikvision, may be through email, then will use rsa private key to encrypt the challenge code, gen a response code, then they give the response code to you. when you enter the response code, the psh will decrypt the response code(use public key), the decode result is a base64 code,
if the result base64 code is equal to 'BgAAAKzLUeFP9mVuND8=', then you can enter debug mode.
the above is my guess
the rsa public key is easy to obtain. analysis the hikvision firmware, it must strore somewhere.
but the problem is the rsa private key, we cant got it , only hikvision they themselves knows.
and use rsa public key , we cant Obtain the rsa private key.
does anyone has the method, can calcute the response code?
dose anyone has good Suggest?
