Hikvision G1 5.5+ firmware Exploring the Cam & attempting unlock

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
The G1 runs on an Ambarella S3L (also used in Dahua cams).

The minishell below will work with U-Boot 3.1.6-279309 (May 11 2017-13:36:13) or earlier:

https://ipcamtalk.com/threads/unrestricted-root-shell-on-g1-cameras.23213/#post-221134


However, it will not work with U-Boot 3.1.6-297597 (Aug 30 2017-21:48:30) or newer:
HKVS # upf
'upf' is a ambiguous command! Exec the shortest command
***** UPDATE START *****
MAC: 94:e1:ac:59:42:2f
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename: 'mImage_g1'
Load address: 0x02000000
do_tftp_load:bld_udp_recv RRQ ok,opcode=3
################################################################################
################################################################################
################ got 4513976 bytes (4408 KB)
[ INFO][BLD] TFTP: Download File [OK]
version2 error.
hdr->crc32=0xcdd7acc7
hdr->img_len=4513720
hdr->mem_addr=0xffffffff
hdr->magic=0x4d535953
build_time:Fri Oct 13 00:12:34 2017
username: montecrypto
hostname: localhost
verify data failed! error: upm.
update mini system [FAIL]!error: upf.
!!!!! UPDATE FAIL !!!!!
HKVS #

U-Boot 3.1.6-297597 (Aug 30 2017-21:48:30)
boards:310094
Boot From: NAND 2048 RC BCH 6bit
SYS_CONFIG: 0x00070053 POC: 001
Cortex freq: 1008000000
ENET freq: 50000000
iDSP freq: 504000000
Dram freq: 840000000
Core freq: 564000000
AHB freq: 282000000
APB freq: 141000000
UART freq: 24000000
SD freq: 50000000
SDXC freq: 50000000
dev_model:DS-2CD2085FWD-I
[Uboot] In release mode!
Hit Ctrl+u to stop autoboot: 4
HKVS # help
cmd 'help' is not supported.
HKVS # help
The following commands are supported:
boot erase help reset
saveenv printenv setenv upbs
format update upfusb upf
updatebusb updateb gos go
mii gpio ping

Use 'help' to get help on a specific command
HKVS # help erase
Help for 'erase':
erase [env|sysflg|param|dpt|rcvy|krn_pri|krn_sec|app_pri|app_sec|dbg|cfg_pri|cfg_sec|syslog|raw|os]
HKVS #
The cam will not drop into ASH using normal methods.

I will be experimenting with two G1s, both running U-Boot 3.1.6-279309 (ds-2cd2085fwd-i & ds-2cd2035-fwd-i).

The hardware chipset spec can be found on Baidu by searching for
S3L-SHA-001-0.5_Ambarella_S3L_System_Hardware

The hardware spec says fastboot can be used via a GPIO command (however, it may be blocked by Hik).
 

rearanger

NAND partitions

[ 2.537512] 16 ofpart partitions found on MTD device amba_nand
[ 2.543376] Creating 16 MTD partitions on "amba_nand":
[ 2.548501] 0x000000000000-0x000000020000 : "bst"
[ 2.553969] 0x000000020000-0x000000120000 : "bld"
[ 2.559341] 0x000000120000-0x000000200000 : "ptb"
[ 2.564806] 0x000000200000-0x000000280000 : "env"
[ 2.570195] 0x000000280000-0x000000380000 : "sysflg"
[ 2.575914] 0x000000380000-0x000000400000 : "param"
[ 2.581490] 0x000000400000-0x000000500000 : "dpt"
[ 2.586994] 0x000000500000-0x000000f00000 : "rcvy"
[ 2.592555] 0x000000f00000-0x000001700000 : "krn_pri"
[ 2.598338] 0x000001700000-0x000001f00000 : "krn_sec"
[ 2.604202] 0x000001f00000-0x000004100000 : "app_pri"
[ 2.610056] 0x000004100000-0x000006300000 : "app_sec"
[ 2.615903] 0x000006300000-0x000006900000 :
hci e0018000.ehci: new USB bus registered, assigned bus number 1
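The partition list above is what you use to turn the minisystem's "ubiattach -m <MTDNUM>" hint into a concrete command, so here is an added example (not code from the post, nor from Hikvision or Ambarella) that parses the ofpart lines into an mtd-numbered table, checks that the layout is contiguous and erase-block aligned, and reports the mtd number for a partition by name. The sample input is the twelve intact partition lines copied from the log above (the cut-off thirteenth line is left out). The 128 KiB erase-block size is an assumption, inferred from the 2048-byte NAND pages and the 126976-byte UBI LEB size (128 KiB minus two pages) printed in a later post.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the intact partition lines from the boot log
# in the post above. The final line there is overwritten by an interleaved
# USB message, so it is not included.
SAMPLE_LOG = """\
[    2.537512] 16 ofpart partitions found on MTD device amba_nand
[    2.543376] Creating 16 MTD partitions on "amba_nand":
[    2.548501] 0x000000000000-0x000000020000 : "bst"
[    2.553969] 0x000000020000-0x000000120000 : "bld"
[    2.559341] 0x000000120000-0x000000200000 : "ptb"
[    2.564806] 0x000000200000-0x000000280000 : "env"
[    2.570195] 0x000000280000-0x000000380000 : "sysflg"
[    2.575914] 0x000000380000-0x000000400000 : "param"
[    2.581490] 0x000000400000-0x000000500000 : "dpt"
[    2.586994] 0x000000500000-0x000000f00000 : "rcvy"
[    2.592555] 0x000000f00000-0x000001700000 : "krn_pri"
[    2.598338] 0x000001700000-0x000001f00000 : "krn_sec"
[    2.604202] 0x000001f00000-0x000004100000 : "app_pri"
[    2.610056] 0x000004100000-0x000006300000 : "app_sec"
"""

# Assumed physical erase block (PEB) size: 2048-byte pages and a UBI LEB of
# 126976 bytes (= 131072 - 2 pages) point to 128 KiB blocks.
PEB_SIZE = 128 * 1024

# Matches the "0x<start>-0x<end> : "<name>"" part of an ofpart line.
PART_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')


class MtdPart(NamedTuple):
    num: int      # /dev/mtd<num>; the kernel numbers them in listing order
    name: str
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_mtd_parts(log: str) -> List[MtdPart]:
    """Extract partition lines in order; mtd numbers follow that order."""
    parts: List[MtdPart] = []
    for line in log.splitlines():
        m = PART_RE.search(line)
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end <= start:
            raise ValueError(f"bad range in line: {line!r}")
        parts.append(MtdPart(len(parts), m.group(3), start, end))
    return parts


def is_contiguous(parts: List[MtdPart]) -> bool:
    """True if every partition starts exactly where the previous one ends."""
    return all(a.end == b.start for a, b in zip(parts, parts[1:]))


def is_peb_aligned(parts: List[MtdPart], peb: int = PEB_SIZE) -> bool:
    """True if every partition boundary sits on an erase-block boundary."""
    return all(p.start % peb == 0 and p.end % peb == 0 for p in parts)


def mtd_num(parts: List[MtdPart], name: str) -> int:
    """Return the /dev/mtdN index for a partition name."""
    for p in parts:
        if p.name == name:
            return p.num
    raise KeyError(name)


def peb_count(parts: List[MtdPart], name: str, peb: int = PEB_SIZE) -> int:
    """Number of erase blocks in a partition (what UBI reports as total LEBs)."""
    return parts[mtd_num(parts, name)].size // peb


def format_table(parts: List[MtdPart]) -> str:
    rows = ["mtd  name      start      end        size"]
    for p in parts:
        rows.append(f"{p.num:<4} {p.name:<9} 0x{p.start:08x} 0x{p.end:08x} "
                    f"{p.size // 1024:>6} KiB")
    return "\n".join(rows)


if __name__ == "__main__":
    parts = parse_mtd_parts(SAMPLE_LOG)
    print(format_table(parts))
    print("contiguous:", is_contiguous(parts), " PEB-aligned:", is_peb_aligned(parts))
    n = mtd_num(parts, "app_pri")
    print(f"app_pri is /dev/mtd{n} -> ubiattach -m {n} -d 1 /dev/ubi_ctrl")
    print("app_pri erase blocks:", peb_count(parts, "app_pri"))
```

Running it shows app_pri as /dev/mtd10, which is the "ubiattach -m 10 -d 1" command the minisystem banner prints for the APP volume, and a 34 MiB app_pri works out to 272 erase blocks, the same "total 272 LEBs" figure the later 3.1.6-526164 boot log prints for UBI device 1.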
 

Purduephotog

Getting the hang of it
Joined
Oct 30, 2016
Messages
204
Reaction score
77
Do you have any photos of the internals for this cam? You're doing great work; I'd like to catch up (I have a vested interest with some EZVIZ cams that also run Ambarella).
 

rearanger

Do you have any photos of the internals for this cam? You're doing great work; I'd like to catch up (I have a vested interest with some EZVIZ cams that also run Ambarella).
Sorry, I have not done a teardown on the cam. TTL is beside the MMC slot, so there is no need at the moment to take it apart.
 

rearanger

Incoming soon: unprotected shell for G1 on other U-Boot versions.


**** UPDATE START *****
MAC: 94:e1:ac:59:42:2f
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename: 'mImage_g1'
Load address: 0x02000000
do_tftp_load:bld_udp_recv RRQ ok,opcode=3
################################################################################
################################################################################
################ got 4513976 bytes (4408 KB)
[ INFO][BLD]TFTP: Download File [OK]
[ INFO][BLD]BURN: Writing Flash
[ INFO][BLD]BURN: Writing data to Nand... .....[ INFO][BLD]BURN:
[ INFO][BLD]BURN: Write Flash [OK]
init started: BusyBox v1.23.2 (2017-03-17 22:46:40 PDT)
starting pid 26, tty '': '/etc/init.d/rcS'
Starting udev: [ OK ]
create static device nodes under /dev dir
modprobe: can't change directory to '3.10.104': No such file or directory
iptables v1.4.18: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
------------------------------------------------------------------
[montecrypto] minisystem action suppressed, entering shell instead
[montecrypto] run /etc/app.continue to resume minisystem action
[montecrypto] To mount UBI volumes:
[montecrypto] ubiattach -m <MTDNUM> -d <DEVNUM> /dev/ubi_ctrl
[montecrypto] mount -t ubifs /dev/ubi<DEVNUM>_0 /mnt
[montecrypto] APP: ubiattach -m 10 -d 1 /dev/ubi_ctrl; sleep 1; mount -t ubifs /dev/ubi1_0 /mnt
[montecrypto] *** Enjoy! ***
------------------------------------------------------------------
starting pid 253, tty '': '-/bin/sh'
/ #
/ #
 

rearanger

Minishell will give ASH, and will allow you to use an unprotected digicap.dav.

I will not hack davinci for region-free, as it's easy and can be implemented in the same way as on the G0 cam.
 

rearanger

See below... Have fun!!

HKVS # upf
'upf' is a ambiguous command! Exec the shortest command
***** UPDATE START *****
MAC: 94:e1:ac:59:42:2f
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename: 'mImage_g1'
Load address: 0x02000000
do_tftp_load:bld_udp_recv RRQ ok,opcode=6
tftp transfer block size is set to 1468 bytes
############################################################# got 4513976 bytes (4408 KB)
[ INFO][BLD]TFTP: Download File [OK]
[ INFO][BLD]BURN: Writing Flash
[ INFO][BLD]BURN: Writing data to Nand... .....[ INFO][BLD]BURN:
[ INFO][BLD]BURN: Write Flash [OK]
init started: BusyBox v1.23.2 (2017-03-17 22:46:40 PDT)
starting pid 26, tty '': '/etc/init.d/rcS'
Starting udev: [ OK ]
create static device nodes under /dev dir
modprobe: can't change directory to '3.10.104': No such file or directory
iptables v1.4.18: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
------------------------------------------------------------------
[montecrypto] minisystem action suppressed, entering shell instead
[montecrypto] run /etc/app.continue to resume minisystem action
[montecrypto] To mount UBI volumes:
[montecrypto] ubiattach -m <MTDNUM> -d <DEVNUM> /dev/ubi_ctrl
[montecrypto] mount -t ubifs /dev/ubi<DEVNUM>_0 /mnt
[montecrypto] APP: ubiattach -m 10 -d 1 /dev/ubi_ctrl; sleep 1; mount -t ubifs /dev/ubi1_0 /mnt
[montecrypto] *** Enjoy! ***
------------------------------------------------------------------
starting pid 253, tty '': '-/bin/sh'
/ # help
Built-in commands:
------------------
. : [ [[ alias bg break cd chdir command continue echo eval exec
exit export false fg getopts hash help history jobs kill let
local printf pwd read readonly return set shift source test times
trap true type ulimit umask unalias unset wait

/ # busybox
BusyBox v1.23.2 (2017-03-17 22:46:40 PDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
[, [[, addgroup, adduser, arp, arping, ash, awk, base64, basename,
bash, beep, blkid, blockdev, brctl, bunzip2, bzcat, bzip2, cat, catv,
chat, chgrp, chmod, chown, chpasswd, chroot, chrt, chvt, cksum, clear,
cmp, cp, cpio, cryptpw, cttyhack, cut, date, dd, deallocvt, delgroup,
deluser, depmod, devmem, df, diff, dirname, dmesg, dnsdomainname, du,
dumpkmap, echo, ed, egrep, env, expand, expr, false, fatattr, fbset,
fdisk, fgconsole, fgrep, find, findfs, flash_eraseall, flash_lock,
flash_unlock, flashcp, flock, free, fstrim, fsync, ftpget, ftpput,
fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hdparm, head,
hostid, hostname, hwclock, id, ifconfig, init, inotifyd, insmod,
install, ionice, iostat, ip, ipaddr, ipcrm, ipcs, iplink, iproute,
iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, less,
linuxrc, ln, logger, login, logname, logread, losetup, ls, lsmod, lsof,
lspci, lsusb, lzcat, lzma, makemime, md5sum, mesg, mkdir, mkdosfs,
mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkpasswd, modinfo,
modprobe, more, mount, mountpoint, mpstat, mv, nameif, nanddump,
nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, od,
openvt, passwd, patch, pgrep, pidof, ping, ping6, pivot_root, pkill,
pmap, popmaildir, poweroff, powertop, printenv, printf, ps, pscan,
pstree, pwd, pwdx, rdate, rdev, readahead, readlink, realpath, reboot,
reformime, renice, reset, rfkill, rm, rmdir, rmmod, route, rtcwake, rx,
sed, sendmail, seq, setserial, setsid, sh, sha1sum, sha256sum, shuf,
slattach, sleep, smemcap, sort, split, stat, strings, stty, su,
sulogin, sum, sync, sysctl, syslogd, tail, tar, tcpsvd, tee, test,
tftp, time, timeout, top, touch, tr, traceroute, traceroute6, true,
tty, ttysize, tunctl, umount, uname, uncompress, unexpand, uniq,
unlink, unlzma, unxz, unzip, uptime, usleep, vi, watch, wc, wget,
which, whoami, whois, xargs, xz, xzcat, yes, zcat

/ #
 

polaris

Getting the hang of it
Joined
Sep 10, 2016
Messages
58
Reaction score
27
Location
Lithuania
Would it work on 3.1.6-526164?

Boot 3.1.6-526164 (May 6 2019-11:48:53)
boards:518302
Boot From: NAND 2048 RC BCH 6bit
SYS_CONFIG: 0x00070053 POC: 001
Cortex freq: 1008000000
ENET freq: 50000000
iDSP freq: 504000000
Dram freq: 840000000
Core freq: 564000000
AHB freq: 282000000
APB freq: 141000000
UART freq: 24000000
SD freq: 50000000
SDXC freq: 50000000
dev_model:DS-2CD3T86FWDV2-I5S
[boot] In release mode!
Hit Ctrl+u to stop autoboot: 2
Hit Ctrl+u to stop autoboot: 1
Hit Ctrl+u to stop autoboot: 0
|NUL eth|
cmd 'null' is not supported.
flash booting ...
booting from pri part...
load kernel...
[ 1.510353] Card authentication succeeded
init started: BusyBox v1.19.3 (2019-01-31 12:28:43 CST)
starting pid 64, tty '': '/etc/init.d/rcS'
Starting udev: [ OK ]
create static device nodes under /dev dir
>>>run pre_app_hook
UBI device number 1, total 272 LEBs (34537472 bytes, 32.9 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
waiting for /dev/ubi1_0.
waiting for /dev/ubi1_0.
pri_iUpgSuccCnt:1, sec_iUpgSuccCnt:1
UBI device number 3, total 48 LEBs (6094848 bytes, 5.8 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
waiting for /dev/ubi3_0.
waiting for /dev/ubi3_0.
Check dir /davinci ok! (0)
UBI device number 4, total 48 LEBs (6094848 bytes, 5.8 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
waiting for /dev/ubi4_0.
Check dir /config ok! (0)
>>>run post_app_hook
find net_node, loop : 1
route: ioctl 0x890c failed: No such process
Default method to init without VIN drivers...
Cat this file to find out what VIN can be supported.
Default init without lens driver
Use default settings
/home/script/init.sh: line 445: which: not found
/home/script/init.sh: line 456: /lib/firmware: Permission denied
Load ucode failed!
/
mkdir: can't create directory '/var/run': File exists
map_size = 0x500000, nr_item = 3
addr_offset = 0x00000000, filename = orccode.bin
addr_offset = 0x00300000, filename = orcme.bin
addr_offset = 0x003a0000, filename = default_binary.bin
mmap returns 0x769a3000
loading /home/firmware/orccode.bin...addr = 0x769a3000, size = 0x1b759e
loading /home/firmware/orcme.bin...addr = 0x76ca3000, size = 0x3392c
loading /home/firmware/default_binary.bin...addr = 0x76d43000, size = 0x61d00
===============================================
ucode (S3L) version = 2018/11/1 284796.282649
===============================================
ln: prtLensCurve: File exists
ln: /dev/ttyS1: File exists
ln: /bin/t1: File exists
ln: /dev/rtc: File exists
UBI device number 5, total 112 LEBs (14221312 bytes, 13.6 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
ubimkvol: error!: UBI device does not have free logical eraseblocks
SoftwareLicense.txt cp success.
ln: /dav_web/webLib/codebase/WebComponents.exe: File exists
=====check_config start=====
===main db is ok===
[PACK][DBG_INFO][src/firm_unpack_lib.c][firm_pack_decode][183]:iPackIdx=0,iPackFlg=0x00650100,iPlatform=101,iDevMajor=111,iDevMinor=111,iLanguage=2

Enter DB_main-------------------
shared memory address is: 0x76bca000, sizeof(DEVICECONFIG) = 1159976

netprocess Infomation:
version: 8.11.3 [12:04:04-Dec 25 2018]
Path: /Camera/Platform/Branches/branches_FSP_network_protocol/shizhi/FSP_network_protocol_chanpin_V5.5.81_G1
Last Changed Rev: 482112
Last Changed Date: 2018-12-25 10:37:43 +0800 (Tue, 25 Dec 2018)
.
wait davinci set default...
[08-04 06:51:22][pid:0][OTHER][ERROR]daemon can not find Dst process.load_type 0x10012 is_need_ack 1
[08-04 06:51:22][pid:622][OTHER][ERROR] from daemon ack, dst not work len 0 , load_type is [0x10012]
[08-04 06:51:22][pid:622][UNI_IF][ERROR]65554:ipc_unix_call_service failed, ret = -3.
[08-04 06:51:22][pid:622][UNI_IF][ERROR]communicaite_to_davinci failed!!!
copy default.cls ok.
[DAEMON][DBG_INFO][src/daemon.c][firm_file_output][367]:firm unpack file : /home/process/davinci.tar.gz succ.
[DAEMON][DBG_INFO][src/daemon.c][app_system_exec][242]:system cmd [tar xvzf /home/process/davinci.tar.gz -C /home/process]
./davinci
[DAEMON][DBG_INFO][src/daemon.c][app_system_exec][259]:system [tar xvzf /home/process/davinci.tar.gz -C /home/process] succ.)
[DAEMON][DBG_INFO][src/daemon.c][app_system_exec][242]:system cmd [/home/process/davinci &]
[DAEMON][DBG_INFO][src/daemon.c][app_system_exec][259]:system [/home/process/davinci &] succ.)
shared memory address is: 0x7678d000, sizeof(DEV_CAPABILITY) = 468240
bootParms.videoinType=56, bootParms.devType=141874
bootParms.abfType=0
Boot 3.1.6-526164 (May 6 2019-11:48:53)
boards:518302
Boot From: NAND 2048 RC BCH 6bit
SYS_CONFIG: 0x00070053 POC: 001
Cortex freq: 1008000000
ENET freq: 50000000
iDSP freq: 504000000
Dram freq: 840000000
Core freq: 564000000
AHB freq: 282000000
APB freq: 141000000
UART freq: 24000000
SD freq: 50000000
SDXC freq: 50000000
dev_model:DS-2CD3T86FWDV2-I5S
[boot] In release mode!
Hit Ctrl+u to stop autoboot: 1
HKVS # help
cmd 'help' is not supported.
HKVS # help
The following commands are supported:
trspt boot erase help
reset saveenv printenv setenv
upbs format update upfusb
upf updatebusb updateb gos
go mii gpio ping

Use 'help' to get help on a specific command
HKVS #
 

rearanger

Would it work on 3.1.6-526164?
Sorry, I am unsure; if it does not work then you will have a brick.

If that's a Chinese cam, this method alone will not make it ML (you would have to do some ARM assembly).


The version2 fail error will not harm your cam, but if you install the mImage and your cam does not like it, there may not be a way to sort it and get it working again.

I may have another G1 coming next week, but I do not know what U-Boot will be on it. I can look at it and try it, if it's the same as yours.
 

rearanger

The mini system is just a zImage: a compressed version of the Linux kernel image that is self-extracting.

After installing the mImage you can still use the original unaltered digicap.dav files as well as decrypted ones.

Rollback does not work. Someone else can work that one out, lol (btw, some firmwares let you roll back to 5.4.?? or 5.5.??; only major updates do not work).

You may be able to roll back if you copy the files/image directly to the MTDs (that works on the G0s).
 

polaris

I may have another G1 coming next week, but I do not know what U-Boot will be on it. I can look at it and try it, if it's the same as yours.
I can send you a DS-2CD3386FWDV2-IS and you can keep it, as it is collecting dust for me now. All my others are bullets and this turret seemed a bit awkward to mount in my location, so I won't be using it, and it's a pain to sell something Chinese-only. Just send me your shipping details via PM.
 

rearanger

I can send you a DS-2CD3386FWDV2-IS and you can keep it, as it is collecting dust for me now. All my others are bullets and this turret seemed a bit awkward to mount in my location, so I won't be using it, and it's a pain to sell something Chinese-only. Just send me your shipping details via PM.
Thank you, that is very kind of you. Please send it to @alastairstevenson, as the more people explore these cams the better, and he has helped me solve some of the issues.
 

rearanger

ROLLBACK (use leechers hik_repack v0.10 or higher)
Test was done on a cam running the mini system and active 5.6.1 firmware.

./hik_repack10 -u digicap554.dav en (dump the 5.5.4 digicap.dav to the "en" directory)
./hik_repack10 -r digicap554.dav en newdav l=1,v=05060001 (repack the 5.5.4 digicap.dav to newdav using the files in "en", with language flag 1 and the 5.6.1 version number)

Rename newdav to digicap.dav.

Must use TTL and montecrypto's minisystem:
Start PuTTY only
Ctrl+U on boot
Type "update"
Type "format"
Set up TFTP on the PC
Type "update"

Let it boot and enjoy.

I have only gone back one version. I am not sure what will happen if you attempt to roll back too far. The cam I rolled back had a manufacture date of 04/2018 and shipping firmware of 5.5.51.
 

Purduephotog

Do you have a complete boot log? I'd like to see if the SoC is the same on the cams I'm working with. I'm waiting on another 4-pin 1.0mm adapter... so I have about 40 coming. I'm sure I'll lose them all again.
 

rearanger

Do you have a complete boot log? I'd like to see if the SoC is the same on the cams I'm working with. I'm waiting on another 4-pin 1.0mm adapter... so I have about 40 coming. I'm sure I'll lose them all again.
Someone has put the boot-up sequence above (the SoC is an Ambarella S3L).