Slowly getting Hikvision GPL files and uploading github

Tawnos

n3wb
Joined
Dec 18, 2015
Messages
4
Reaction score
4
After discovering how terribly insecure the Swann-rebranded (as 8ch 3MP NVR) hikvision NVR (actual product is a ds-7608NI series) is out of the box (no https or SSL, old versions of libraries with known vulns statically linked to hikvision binaries, etc) and the difficulty updating/upgrading them to enable encryption/fix issues in the versions used, I started pinging Swann and hikvision back in April with GPL requests - a number of binaries (e.g. hicore) statically link GPL components, and things like their busybox distribution, linux version, etc are all GPLed files that hikvision and swann distribute commercially.

They finally got back to me with some code, and I'm still following up to get full GPL compliance. As I receive files, I am placing them on github: https://github.com/Tawnos/hikvision-source

If you've had any success getting them to send you other source, feel free to submit pull requests. For now, I'm trying to get them to send me the linux code they use as well as the hicore source. Ideally they'd just upload an entire system build package since I'm quite sure they have more GPL stuff than I initially called out, but with the foot-dragging I've gotten so far, it might be slow going. If I have time over the next couple weeks, I'll do a full binary scan for GPL IP to make a complete list.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,970
Reaction score
6,795
Location
Scotland
Well that's an interesting exercise. Some of us will watch with great interest, maybe contribute too.
I think you are embarking on the same uphill struggle that a previous member CBX started on - though allegedly he did get some results that helped him in a particular development.
I'll do a full binary scan for GPL IP to make a complete list.
How do you do this - presumably not matching up known binary contents, but scanning the binaries for textual clues?
Without some (a lot of) disassembly, it must be quite hard to associate a text string with a specific module.
Just out of interest, here are all the strings holding GPL from the uImage kernel and cpio segments in an NVR running the 3.3.4 firmware:
---------- STRINGS_FROM_UNLZMA.TXT
<4>Symbol %s is being used by a non-GPL module, which will not be allowed in the future
GPL and additional rights
Dual BSD/GPL
Dual MIT/GPL
Dual MPL/GPL
__ksymtab_gpl
__kcrctab_gpl
__ksymtab_gpl_future
__kcrctab_gpl_future
and others. Licensed under GPLv2.
*edit* Presumably GNU isn't featured in this?
There are hundreds of such references in the uImage and cpio sections.
 
Joined
May 6, 2017
Messages
2
Reaction score
1
Wonder if we can get something like router firmwares where the community versions are better than the stock ones?
 

Tawnos

n3wb
Joined
Dec 18, 2015
Messages
4
Reaction score
4
SuperCharles - that was part of my initial goal in seeking out this source. The stock firmware didn't support SSH in my device, and it was running versions of several libraries that had known vulnerabilities. Worse, some were statically linked inside hikvision's own source code, so just replacing a shared library wasn't going to solve the issue. On that latter point, I suspect that even with this site, they still won't comply with the GPL without enforcement effort (lawsuit/injunction) from the copyright holder. By statically linking, even if the code they use was LGPL, their source code would still need to be released.
 

Tawnos

n3wb
Joined
Dec 18, 2015
Messages
4
Reaction score
4
Well that's an interesting exercise. Some of us will watch with great interest, maybe contribute too.
I think you are embarking on the same uphill struggle that a previous member CBX started on - though allegedly he did get some results that helped him in a particular development.

How do you do this - presumably not matching up known binary contents, but scanning the binaries for textual clues?
Without some (a lot of) disassembly, it must be quite hard to associate a text string with a specific module.
Just out of interest, here are all the strings holding GPL from the uImage kernel and cpio segments in an NVR running the 3.3.4 firmware:


*edit* Presumably GNU isn't featured in this?
There are hundreds of such references in the uImage and cpio sections.
Geez, so sorry it took me so long to reply to this. I missed it :(.

There are tools that look for opcode patterns and match segments against known signatures for GPL code, similar to how antivirus/malware tools can use "signatures" to identify malicious code. So yeah, it's generally matching known binary contents, but often the strings will contain info. I focused on the binary that was clearly written or modified by hikvision - hicore, as it had an obvious string inclusion of GPL code (the ntfs3g libs). This avoids a bunch of legal and technical questions/issues related to the difference between "output" from a GPL program and the GPL program itself.
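The string-based part of the scan described in this post and in the earlier list of GPL strings from the uImage and cpio segments can be reproduced with a short script. The one below is an added example, not a tool from the thread or from the hikvision-source repository: it pulls printable ASCII runs out of a binary blob the way `strings` does, then flags the ones that look like license notices, kernel GPL-only export tables, or well-known GPL components. The pattern set and the sample blob are constructed for illustration; a real run would be fed the unlzma'd uImage or a carved cpio segment, and each hit still needs a human to decide whether the string comes from statically linked GPL code or merely from a message about some other module.

```python
"""
License-marker scan over a firmware binary (added example, not the thread's
own tool). Extracts printable ASCII strings like `strings`, then flags those
that look like license notices or that identify well-known GPL components.
A hit is only a lead: it may come from a statically linked library, from a
header copied into the binary, or from a message about another module, so
every hit still needs review against the surrounding code.
"""
import re
from typing import Dict, List, Tuple

MIN_LEN = 4  # same default minimum string length as the `strings` tool

# Patterns grouped by what a hit suggests. The component list is an
# illustrative assumption: the names the thread mentions (BusyBox, ntfs-3g,
# the Linux kernel) rather than a complete catalogue of GPL software.
PATTERNS: Dict[str, re.Pattern] = {
    "license": re.compile(
        r"\b(?:L?GPL(?:v[23])?|GNU General Public License|Dual (?:BSD|MIT|MPL)/GPL)\b",
        re.IGNORECASE,
    ),
    # Kernel symbol tables restricted to GPL-compatible modules.
    "kernel_export": re.compile(r"__k(?:sym|crc)tab_gpl(?:_future)?"),
    "component": re.compile(
        r"(?:BusyBox v[\d.]+|ntfs-?3g|Linux version [\d.]+)", re.IGNORECASE
    ),
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [(m.start(), m.group().decode("ascii")) for m in runs]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, category, text) for every extracted string that matches a pattern."""
    hits = []
    for offset, text in extract_strings(blob):
        for category, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.append((offset, category, text))
                break  # report one category per string; first pattern wins
    return hits


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per category, a quick gauge of how much follow-up a binary needs."""
    counts: Dict[str, int] = {}
    for _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample "firmware" blob: a fake ELF header, a few opcode-like
# bytes and a handful of NUL-terminated strings of the kind the thread quotes.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"BusyBox v1.20.2 (2015-11-03 10:22:11 CST) multi-call binary.\x00"
    + b"\x90\x90\x00\x12"
    + b"<4>Symbol %s is being used by a non-GPL module, which will not be allowed in the future\x00"
    + b"Dual BSD/GPL\x00__ksymtab_gpl\x00"
    + b"ntfs-3g: Mounted %s (%s)\x00"
    + b"ok\x00"                      # too short to be reported as a string
    + b"hicore: stream started\x00"  # ordinary message, no license marker
)

if __name__ == "__main__":
    for offset, category, text in scan(SAMPLE_BLOB):
        print(f"0x{offset:06x}  {category:<14} {text}")
    print(summarize(scan(SAMPLE_BLOB)))
```

Run it against a carved segment by reading the file with `open(path, "rb").read()` and passing the bytes to `scan`. The category split matters for the compliance question the thread raises: a `license` or `component` hit inside a vendor-written binary such as hicore points at statically linked code whose source would be owed under the GPL, whereas `kernel_export` strings in the uImage are simply the kernel's own symbol tables and say nothing new about the vendor's code.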
 