@aSmig
Last active December 24, 2023 15:53
How to get root on your K9608-2W 8-channel Network Video Recorder

Rooting K9608-2W

Let's say you have one of these and you want shell access for some reason, like setting the date & time programmatically. By adding a couple of magic files to a USB mass storage device, connecting it to your NVR and rebooting, you will be able to log in via telnet.

How to know this will work for you

Log in to the web user interface of your NVR and go to Settings (wrench and screwdriver icon). If you see the following info listed in the DevInfo tab, then these instructions should work for you. This may work with other software versions too, but no promises.

Dev model K9608-2W
HW version 2.1.0
SW version 2.7.13.0_22922330
Reldatetime 2018/10/26 10:58

Hack

Grab a thumb drive or whatever USB mass storage device is handy. Make sure the partition table is simple and has FAT32 as the first primary partition. This is usually the default setup for a new device, so you probably don't have to do anything. Mount it and create the three files below in the top-level directory.

me@here:/media/me/SANDISK$ echo 1000000001 > enable_log_forever
me@here:/media/me/SANDISK$ cat <<EOF>dvr_app
#!/bin/sh
/usr/sbin/telnetd &
exec /media/usb1/dvr_app_chain "\$@"
EOF
me@here:/media/me/SANDISK$ cat <<EOF>dvr_app_chain
#!/bin/sh
umount /root/dvr_app/dvr_app
exec /root/dvr_app/dvr_app "\$@"
EOF
me@here:/media/me/SANDISK$ 

Unmount/eject, pop it in the NVR, reboot the NVR, wait a bit and then telnet to it using the same IP or hostname you used to get to the web interface. Log in with username root and password j1/_7sxw

me@here:~$ telnet nvr-host
Trying 192.168.31.337...
Connected to nvr-host.
Escape character is '^]'.
(none) login: root
Password:
Welcome to HiLinux.
# uptime
 05:42:38 up  2:35,  1 users,  load average: 13.88, 12.32, 11.89
# ls /
a.out    bin      etc      linuxrc  mnt      oem      root     sys      usr
a2.out   dev      lib      media    nfsroot  proc     sbin     tmp      var
# 

Why does this work?

One of the startup scripts contains the following snippet:

if [ -e $MOUNT_DIR/enable_log_forever ];then
        echo "enable log2 found."
        rv=$(cat $MOUNT_DIR/enable_log_forever)
        if [ "$rv" == "1000000001" ];then
                if [ -e $MOUNT_DIR/dvr_app ];then
                        echo "mount bind dvr_app."
                        mount --bind $MOUNT_DIR/dvr_app /root/dvr_app/dvr_app
                fi

In short, if the file enable_log_forever exists and contains 1000000001, the script bind-mounts dvr_app from the USB device over the top of the normal /root/dvr_app/dvr_app before running it later in the same startup script.

The shell won't allow us to unmount dvr_app from inside the script running under that name, so we pass off execution to an arbitrary script called dvr_app_chain directly from the USB mountpoint. From there, we can unmount our dvr_app and run the original with the arguments that were passed along the way. Any additional commands that we want to run can be added to either script.

One side effect is that logs will be written to your USB device. Rebooting without this USB device present will revert to running normally without telnetd.
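A check to run from the root shell, added here as an example (it is not part of the original gist and not code from the firmware): it lists any block device that is mounted under the removable-media prefix and also over some other path, which is what the bind mount described above looks like in /proc/mounts. The device name /dev/sda1, the sample mount table and the availability of awk on the NVR are assumptions.

```shell
#!/bin/sh
# Added example: report block devices that are mounted under the removable-media
# prefix AND somewhere else, i.e. USB content bind-mounted over a system path.

# usb_overmounts [MOUNT_TABLE] [MEDIA_PREFIX]
#   MOUNT_TABLE   file in /proc/mounts format, or "-" for stdin (default /proc/mounts)
#   MEDIA_PREFIX  where removable media gets mounted (default /media/)
usb_overmounts() {
    awk -v media="${2:-/media/}" '
        index($1, "/dev/") != 1 { next }                      # skip proc, tmpfs, rootfs
        index($2, media) == 1   { removable[$1] = $2; next }  # the USB mount itself
        { n++; dev[n] = $1; mnt[n] = $2; fs[n] = $3 }         # every other block mount
        END {
            # Same source device seen outside the media prefix: its content
            # has been bind-mounted over that path.
            for (i = 1; i <= n; i++)
                if (dev[i] in removable)
                    printf "%s <- %s (%s, also mounted at %s)\n", mnt[i], dev[i], fs[i], removable[dev[i]]
        }
    ' "${1:-/proc/mounts}"
}

# Constructed sample: the mount table as it would look right after the startup
# script's "mount --bind" and before dvr_app_chain has run its umount.
# /dev/sda1 is an assumed device name; /media/usb1 is the path used in the gist.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/sda1 /media/usb1 vfat rw,relatime 0 0
/dev/sda1 /root/dvr_app/dvr_app vfat rw,relatime 0 0
EOF
}

sample_mounts | usb_overmounts -
```

On the device, call usb_overmounts with no arguments to read the live /proc/mounts; once the umount in dvr_app_chain has succeeded it should print nothing.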

Other suggestions

  • Kill run_IOTDaemon.sh. It's the script responsible for spawning IOTDaemon once a minute. This service reaches out to ngw.dvr163.com offering remote access to your video along with all sorts of other controls, including a reverse shell.
  • Change the root password. Using bind-mount, you can set up a passwd file on your USB mass storage device.
  • Run dropbear instead of telnetd.
  • Update the squashfs with all of your changes so that you don't depend on the USB mass storage device any more. For extra credit, add an NFS mount to hold larger packages.
  • Run ntpd. The clock drift on this thing is terrible. The built-in mechanism for NTP is to stop recording, update the clock, then start recording again. This is appropriate for a big time shift, but not so hot for regularly maintaining time sync.

Please post comments with suggestions or requests for this document. Have a device you want root on and don't mind sending one to me? Tweet at @octosavvi.

@glsmith86

Hello @aSmig,

Thanks for your help. After I extract the firmware, I can modify your script and I can log in to the NVR. The mentioned password is not working, but I can add a password-less account by the modified startup script.

@glsmith86

Hi all!

How can I add a swap file or partition on a K8208-3WS device?
Free memory is low and I want to write a logger script on it.

@yennor

yennor commented Mar 7, 2023

I've also got a K8208-3WS device (brand HIseeu). Firmware 3.2.4.9M from 2023-01-15 11:19:31.
I was able to "decrypt" the firmware of it and look a bit through it.
The web interface is completely unworking. There are links to swf files which don't exist anymore, and /cgi-bin/ calls which don't work.
But as it seems, there is a websocket service listening on port 10000 of the NVR, and there is JavaScript code showing how to connect to it and stream data from it (live and recordings). In main.js there is code showing how to use the library (import.js). They tried to implement it with a fixed IP address; the resulting error in the developer console made me find the code ;-). It probably also needs the JMuxer library as it seems. I've tried to get it working, but only had like 10 minutes. I don't know if those files are the same on all K8208-3WS, or if there are differences? Main.js looks like the apprentice took a shot at it, gave up in the middle of the way, but decided to publish it anyway.
Anyway, if those JavaScript files properly implement the protocol, it should be possible to implement a working web user interface :-). Unfortunately I won't have time in the foreseeable future, but I post the files here in case anybody else is bored and has too much time ;-)
The files are also under squashfs-root-0/web

  • import.js : includes a lot of stuff... probably all the imported libraries... interesting is the function: "448: function(t, exports, n) {", which defines apip2p, and implements the protocol to talk to that websocket.
  • main.js: example how to use the above library. Needs JMuxer or similar. JMuxer receives the h264 stream from the above library, and displays it in a

files not really needed

  • build.js: I think that's part of the old API being used over a web service behind /netsdk/ . As it seems, you can get most information over it, but no recordings :-(. There actually could be endpoints for the recordings which aren't listed in the file. But it's a pain in the ass going through the binary which provides the web service to find the different endpoints. The infos which were gotten over this API were afterwards sent to a SWF file, to display the recordings or live streams. But this file probably is not needed anymore.
  • index.html

Edit: I've noticed I can only upload image and video files ??? will post a link tomorrow. now I go to bed

@yennor

yennor commented Mar 7, 2023

mmhh ok... probably not the best way, but works for the moment.
https://gist.github.com/yennor/52a38821442cf0af5aa2b186879d1c80
and there download zip, then you get the files... sorry, was too lazy to open a new repository and urgently need to call a client...
