Modding Hikvision's DS-7216 firmware

Pin_Guy

n3wb
Joined
Feb 11, 2021
Messages
3
Reaction score
4
Location
Argentina
I got an old non-working DS-7216 and after reviving it (changing caps and upgrading FW) and confirming it would suit my current needs, I decided to start tinkering with the firmware.
So far I've made two small scripts which use the tools provided around here (hiktools and hikpack) to get all the files out, unpack the ramdisk and the .gz files around, and then, after eventual mods, repack/reencrypt everything into the digicap.dav file, correcting the checksums in the new_10 and new_20.bin files as well. After burning it, it is booting fine. Just finished that, all good there, haven't checked much more.
I will probably start adding dropbear first, and then close some ports.

Now I would like some pointers from experienced people with these devices:
1) What are the TCP ports 30960 and 53000 used for in these devices? I see those are open as well as the "standard" ones.
2) What would be the simplest way to enable telnetd with busybox for a while, to start poking around?
3) How to change the "admin" username? I saw there's an encrypted cfg file but haven't checked much more on that.

Thanks in advance for any time-saving pointers!

Pin_Guy

OK, didn't receive any time-saving pointers. I tinkered around a bit more.
Got dropbear working, so that was it for item 2. For item 3, I unpacked /dev/mtd1, changed the admin username and repacked it. I had to compile a new busybox with the flashcp command to be able to write that back to mtd1. All good there.
Closing the ports in point 1 was the hardest one. First I tried to compile iptables matching the kernel version (3.0.8), all OK, but I couldn't insmod the modules because there was an "Unknown symbol nf_register_hooks" and "nf_unregister_hooks" in the x_tables.ko module, meaning the kernel was originally compiled with netfilter disabled. A real problem, because there are no sources and there is custom code in the kernel from Hik, so the standard 3.0.8 kernel would most likely not work. If anyone knows how to insert those missing symbols in the kernel or has a workaround to get iptables working, I'm all ears.
In the meantime, I loaded the "master" file in IDA and started debugging with a statically-compiled GDB server to see if I could patch it to close all the ports except the RTSP one, which is the only one I need.
This is the original netstat output:

Code:
[root@dvrdvs ~] # netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53000           0.0.0.0:*               LISTEN      913/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      894/dropbear
tcp        0      0 0.0.0.0:30960           0.0.0.0:*               LISTEN      913/master
tcp        0      0 127.0.0.1:47075         127.0.0.1:53000         ESTABLISHED 913/master
tcp        0      0 127.0.0.1:53000         127.0.0.1:47075         ESTABLISHED 913/master
tcp        0      0 192.168.1.187:22        192.168.1.101:1143      ESTABLISHED 900/dropbear
tcp        0      0 :::8000                 :::*                    LISTEN      913/master
tcp        0      0 :::554                  :::*                    LISTEN      913/master
tcp        0      0 :::80                   :::*                    LISTEN      913/master
udp        0      0 0.0.0.0:7989            0.0.0.0:*                           913/master
udp        0      0 0.0.0.0:3702            0.0.0.0:*                           913/master
udp        0      0 239.255.255.250:37020   0.0.0.0:*                           913/master
udp        0      0 0.0.0.0:43957           0.0.0.0:*                           913/master
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING       2671 887/iscsid          @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING       3081 913/master          /var/cmd.socket
unix  2      [ ]         DGRAM                       190 580/udevd           @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING        978 913/master          /var/dhcp.socket
unix  2      [ ACC ]     STREAM     LISTENING        984 913/master          /var/master
unix  3      [ ]         STREAM     CONNECTED        992 913/master          /var/cl.0x11da0
unix  3      [ ]         STREAM     CONNECTED       2767 913/master
unix  3      [ ]         STREAM     CONNECTED       2766 913/master
unix  3      [ ]         STREAM     CONNECTED       2765 913/master
unix  3      [ ]         STREAM     CONNECTED       2764 913/master
unix  3      [ ]         STREAM     CONNECTED       2763 913/master
unix  3      [ ]         STREAM     CONNECTED       2762 913/master
unix  3      [ ]         STREAM     CONNECTED       2761 913/master
unix  3      [ ]         STREAM     CONNECTED       2760 913/master
unix  3      [ ]         STREAM     CONNECTED       1024 913/master
unix  3      [ ]         STREAM     CONNECTED       1023 913/master
unix  3      [ ]         STREAM     CONNECTED       1022 913/master
unix  3      [ ]         STREAM     CONNECTED       1021 913/master
unix  3      [ ]         STREAM     CONNECTED       2757 913/master
unix  3      [ ]         STREAM     CONNECTED       2756 913/master
unix  3      [ ]         STREAM     CONNECTED       2755 913/master
unix  3      [ ]         STREAM     CONNECTED       2754 913/master
unix  3      [ ]         STREAM     CONNECTED       2693 913/master          /var/master
unix  3      [ ]         STREAM     CONNECTED        983 913/master
unix  3      [ ]         STREAM     CONNECTED        982 913/master
unix  3      [ ]         STREAM     CONNECTED        981 913/master
unix  3      [ ]         STREAM     CONNECTED        980 913/master
Port 3702 was open even though UPnP was disabled in the configuration.
Ports 7989 and multicast 37020 were related to a "sadp_search" function.
Port 43957, I think, was related to the functions "ipcPnpCtrlTask" / "ipc_poe_ctrl".
Port 53000 was activated in a "master_create" function, which created some sort of "loopback" connection on startup, but the port was open broadly instead of locally and I don't like that.
Port 30960 was activated in a "slave_create" function, also open broadly.
I also closed some strange "stream" sockets I found along the way.

This is my current netstat output with the patched "master":
Code:
[root@dvrdvs ~] # netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      895/dropbear
tcp        0     64 192.168.1.187:22        192.168.1.101:1148      ESTABLISHED 944/dropbear
tcp        0      0 :::554                  :::*                    LISTEN      897/master
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        634 888/iscsid          @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING        815 897/master          /var/dhcp.socket
unix  2      [ ]         DGRAM                       111 580/udevd           @/org/kernel/udev/udevd
unix  3      [ ]         STREAM     CONNECTED        854 897/master
unix  3      [ ]         STREAM     CONNECTED        853 897/master
unix  3      [ ]         STREAM     CONNECTED        852 897/master
unix  3      [ ]         STREAM     CONNECTED        851 897/master
unix  3      [ ]         STREAM     CONNECTED       2886 897/master
unix  3      [ ]         STREAM     CONNECTED       2885 897/master
unix  3      [ ]         STREAM     CONNECTED       2884 897/master
unix  3      [ ]         STREAM     CONNECTED       2883 897/master
unix  3      [ ]         STREAM     CONNECTED        820 897/master
unix  3      [ ]         STREAM     CONNECTED        819 897/master
unix  3      [ ]         STREAM     CONNECTED        818 897/master
unix  3      [ ]         STREAM     CONNECTED        817 897/master
Everything I need seems to be working, so I guess that's it for now.
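The two netstat listings above are the before/after evidence for the whole exercise. An added example, not code from the thread or from Hikvision, that turns that manual comparison into a repeatable check: it parses busybox-style `netstat -anp` output, classifies each listener by bind address (all interfaces, loopback, multicast group, or a specific interface), flags anything a remote host could reach that is not on an allowlist of expected (protocol, port) pairs, and reports which listeners disappeared between two runs. The sample input is the tcp/udp rows copied from the two listings in the post; the allowlist (RTSP 554 and the added dropbear on 22) is an assumption matching what the poster said they need.

```python
"""Audit busybox `netstat -anp` output for network-reachable listeners.

Added example for the DS-7216 thread; parses the listings quoted there.
"""
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid prog")

# Internet-socket rows copied from the original netstat output in the post.
NETSTAT_BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53000           0.0.0.0:*               LISTEN      913/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      894/dropbear
tcp        0      0 0.0.0.0:30960           0.0.0.0:*               LISTEN      913/master
tcp        0      0 127.0.0.1:47075         127.0.0.1:53000         ESTABLISHED 913/master
tcp        0      0 127.0.0.1:53000         127.0.0.1:47075         ESTABLISHED 913/master
tcp        0      0 192.168.1.187:22        192.168.1.101:1143      ESTABLISHED 900/dropbear
tcp        0      0 :::8000                 :::*                    LISTEN      913/master
tcp        0      0 :::554                  :::*                    LISTEN      913/master
tcp        0      0 :::80                   :::*                    LISTEN      913/master
udp        0      0 0.0.0.0:7989            0.0.0.0:*                           913/master
udp        0      0 0.0.0.0:3702            0.0.0.0:*                           913/master
udp        0      0 239.255.255.250:37020   0.0.0.0:*                           913/master
udp        0      0 0.0.0.0:43957           0.0.0.0:*                           913/master
"""

# Internet-socket rows copied from the post's netstat output with the patched "master".
NETSTAT_AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      895/dropbear
tcp        0     64 192.168.1.187:22        192.168.1.101:1148      ESTABLISHED 944/dropbear
tcp        0      0 :::554                  :::*                    LISTEN      897/master
"""

# Assumed allowlist: what the poster said they actually need (RTSP) plus their ssh daemon.
ALLOWED = {("tcp", 554), ("tcp", 22)}


def parse_listeners(text):
    """Return the listening sockets (tcp LISTEN rows and every udp row) from netstat -anp."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # tcp rows carry a State column, udp rows do not; PID/Program is always the last field.
        if f[0].startswith("tcp") and f[5] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)          # ":::554" -> ("::", "554")
        pid, _, prog = f[-1].partition("/")       # "913/master" or "-" when unknown
        listeners.append(Listener(f[0], addr, int(port), int(pid) if pid.isdigit() else None, prog))
    return listeners


def exposure(addr):
    """Classify a bind address by who can reach the socket."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    if ip.is_multicast:        # e.g. the 239.255.255.250 discovery group
        return "multicast"
    return "specific-interface"


def network_reachable(listeners, allowed):
    """Listeners a remote host could reach that are not on the (proto, port) allowlist."""
    return [l for l in listeners
            if exposure(l.addr) != "loopback"
            and (l.proto.rstrip("6"), l.port) not in allowed]


def closed_between(before, after):
    """(proto, port) pairs that listened in `before` but no longer in `after`."""
    key = lambda l: (l.proto.rstrip("6"), l.port)
    still_open = {key(l) for l in after}
    return sorted({key(l) for l in before} - still_open)


if __name__ == "__main__":
    before, after = parse_listeners(NETSTAT_BEFORE), parse_listeners(NETSTAT_AFTER)
    for l in network_reachable(before, ALLOWED):
        print(f"unexpected {l.proto}/{l.port} bound {exposure(l.addr)} by {l.prog} (pid {l.pid})")
    print("closed by the patch:", closed_between(before, after))
    print("still unexpected after patch:", network_reachable(after, ALLOWED))
```

Run it against a fresh `netstat -anp` capture from the device after each firmware change; an empty "still unexpected" list is the condition to check before putting the unit back on the network, and the loopback classification is exactly the distinction the poster wanted for port 53000 (a local-only socket would pass, a 0.0.0.0 bind does not).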