@matiaspl
Last active January 7, 2024 07:15
Hacking a Hi3521 ARBCV100 4x1 multiviewer / seamless switcher (see comments!)
U-Boot 2010.06 (Aug 11 2018 - 18:47:37)
Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x17
Block:64KB Chip:8MB Name:"MX25L6436F"
SPI Nor total size: 8MB
Cannot found a valid SPI Nand Device
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot:  1 ... 0
dev 0 set background color!
jpeg decoding ...
ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ cmd = ˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇ
<<addr=0x7e0000, size=0xd12a, vobuf=0x8ac00000>>
spi_flash 8084d920
[FILE = jpegd.c LINE = 147] logo flag = 0
mmu_enable
<<imgwidth=1280, imgheight=720, linebytes=2560>>
decode success!!!!
decode jpeg!
OpenDev vo:0 intf_type:36 out_sync:8
dev 0 opened!
graphic layer 0 opened!
upgrade flag = 0
8192 KiB hi_fmc at 0:0 is now current device
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-3.10.0
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 4568424 Bytes = 4.4 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 3.10.0 (root@visual digital-virtual-machine) (gcc version 4.8.3 20131202 (prerelease) (Hisilicon_v400) ) #3 Sat Aug 4 14:13:59 CST 2018
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: bigfish
Memory policy: ECC disabled, Data cache writeback
CPU: All CPU(s) started in SVC mode.
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
Kernel command line: mem=128M console=ttyAMA0,115200 mtdparts=hi_sfc:384k(uboot),4608K(core),2560K(app),512k(para)
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 116328k/116328k available, 14744k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
vmalloc : 0xc8800000 - 0xff000000 ( 872 MB)
lowmem : 0xc0000000 - 0xc8000000 ( 128 MB)
pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
.text : 0xc0008000 - 0xc052ba9c (5263 kB)
.init : 0xc052c000 - 0xc0ce89f4 (7923 kB)
.data : 0xc0cea000 - 0xc0d1e320 ( 209 kB)
.bss : 0xc0d1e320 - 0xc0d3fee8 ( 135 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
GIC CPU mask not found - kernel will fail to boot.
GIC CPU mask not found - kernel will fail to boot.
sched_clock: 32 bits at 62MHz, resolution 16ns, wraps every 68719ms
Console: colour dummy device 80x30
Calibrating delay loop... 2190.54 BogoMIPS (lpj=10952704)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
Initializing cgroup subsys freezer
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0xc03d0f98 - 0xc03d0ff0
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers.
hw-breakpoint: maximum watchpoint size is 8 bytes.
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x12080000 (irq = 38) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x12090000 (irq = 39) is a PL011 rev2
uart:2: ttyAMA2 at MMIO 0x120a0000 (irq = 40) is a PL011 rev2
bio: create slab <bio-0> at 0
SCSI subsystem initialized
hi-spi-master hi-spi-master.0: with 2 chip select slaves attached
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Switching to clocksource timer0
NET: Registered protocol family 2
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
NetWinder Floating Point Emulator V0.97 (double precision)
CPU PMU: probing PMU on CPU 0
hw perfevents: enabled with ARMv7 Cortex-A7 PMU driver, 5 counters available
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.22)
SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
msgmni has been set to 227
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
brd: module loaded
loop: module loaded
hiahci: initializing
ahci ahci.0: can't get clock
ahci: SSS flag set, parallel bus scan disabled
ahci ahci.0: AHCI 0001.0300 32 slots 2 ports 6 Gbps 0x3 impl platform mode
ahci ahci.0: flags: ncq sntf stag pm led clo only pmp fbs slum part ccc sxs boh
scsi0 : ahci_platform
scsi1 : ahci_platform
ata1: SATA max UDMA/133 mmio [mem 0x11010000-0x1101ffff] port 0x100 irq 49
ata2: SATA max UDMA/133 mmio [mem 0x11010000-0x1101ffff] port 0x180 irq 49
Check Flash Memory Controller v100 ... Found.
SPI Nor(cs 0) ID: 0xc2 0x20 0x17
Block:64KB Chip:8MB Name:"MX25L6436F"
SPI Nor total size: 8MB
4 cmdlinepart partitions found on MTD device hi_sfc
4 cmdlinepart partitions found on MTD device hi_sfc
Creating 4 MTD partitions on "hi_sfc":
0x000000000000-0x000000060000 : "uboot"
0x000000060000-0x0000004e0000 : "core"
0x0000004e0000-0x000000760000 : "app"
0x000000760000-0x0000007e0000 : "para"
SPI Nand ID Table Version 2.2
Cannot found a valid SPI Nand Device
Higmac dma_sg_phy: 0x86f00000
libphy: higmac_mdio_bus: probed
PHY mdio0:01 not found
ETH0: rmii, phy_addr=1, mii_name=mdio0
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
before uhci_hcd and ohci_hcd, not after
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 51, io mem 0x10040000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
hiusb-ohci hiusb-ohci.0: HIUSB OHCI
hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2
hiusb-ohci hiusb-ohci.0: irq 50, io mem 0x10030000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
ata1: SATA link down (SStatus 0 SControl 300)
i2c /dev entries driver
hisi_i2c hisi_i2c.0: Hisilicon [i2c-0] probed!
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
oprofile: using timer interrupt.
TCP: cubic registered
NET: Registered protocol family 17
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
ˇata2: SATA link down (SStatus 0 SControl 300)
Freeing unused kernel memory: 7920K (c052c000 - c0ce8000)
[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
udevd (644): /proc/644/oom_adj is deprecated, please use /proc/644/oom_score_adj instead.
[RCS]: /etc/init.d/S80network
[RCS]: /etc/init.d/S90init
modules/
modules/hi3521a_chnl.ko
modules/hi3521a_ai.ko
modules/hi_rtc.ko
modules/hiuser.ko
modules/hi3521a_jpege.ko
modules/hi3521a_venc.ko
modules/hi3521a_region.ko
modules/pinmux_hi3521a_vga_hdmi_spi.sh
modules/hi3521a_aenc.ko
modules/hi_media.ko
modules/hi3521a_adec.ko
modules/hi3521a_vfmw.ko
modules/hi3521a_ao.ko
modules/pinmux_hi3521a_vicap.sh
modules/load3521a
modules/extdrv/
modules/extdrv/sii1i2c.ko
modules/extdrv/i2c_phys.ko
modules/extdrv/gpio.ko
modules/extdrv/hi_ir.ko
modules/extdrv/sii0i2c.ko
modules/extdrv/sii3i2c.ko
modules/extdrv/sii2i2c.ko
modules/extdrv/hdmii2c.ko
modules/hi3521a_vdec.ko
modules/sysctl_hi3521a_asic.sh
modules/hi3521a_vou.ko
modules/hi3521a_ive.ko
modules/hi3521a_rc.ko
modules/crgctrl_hi3521a.sh
modules/hi3521a_hdmi.ko
modules/hi3521a_vpss.ko
modules/hi3521a_aio.ko
modules/hi3521a_jpegd.ko
modules/hi3521a_viu.ko
modules/hi3521a_h264e.ko
modules/hi3521a_vgs.ko
modules/hifb.ko
modules/hi3521a_tde.ko
modules/hi3521a_vda.ko
modules/pinmux_hi3521a_i2s.sh
modules/hi3521a_base.ko
modules/hi3521a_sys.ko
modules/mmz.ko
Hisilicon Media Memory Zone Manager
Module himedia: init ok
hi3521a_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
load sys.ko for Hi3521A...OK!
load vdec.ko ....OK
load vhd firmware.ko OK
Load hi_jpegdec.ko success. (SDK_VERSION:[SDK_VERSION] Build Time:[Jan 13 2017, 18:19:19])
Load hi_tde.ko success.  (SDK_VERSION:[SDK_VERSION] Build Time:[Jan 13 2017, 18:19:06])
load region.ko ....OK!
load vgs.ko for Hi3521A...OK!
load viu.ko ...OK!
load vpss.ko ....OK!
load vou.ko ....OK!
load hdmi.ko ....OK!
load rc.ko for Hi3521A...OK!
load venc.ko for Hi3521A...OK!
load chnl.ko for Hi3521A...OK!
load h264e.ko for Hi3521A...OK!
load jpege.ko for Hi3521A...OK!
load vda.ko ....OK!
load ive.ko ... OK!
KERN_INFO OSDRV_MODULE_VERSION_STRING
HISI_IRDA-MF @Hi3518v100R001
hiir: init ok. ver=Aug 3 2018, 23:11:54.
KERN_INFO OSDRV_MODULE_VERSION_STRING
KERN_INFO OSDRV_MODULE_VERSION_STRING
KERN_INFO OSDRV_MODULE_VERSION_STRING
KERN_INFO OSDRV_MODULE_VERSION_STRING
load ai.ko for Hi3521A...OK!
load ao.ko for Hi3521A...OK!
load aenc.ko for Hi3521A...OK!
load adec.ko for Hi3521A...OK!
www/
www/Reboot.html
www/Reset.html
www/SystemUpdate.html
www/images/
www/images/b.png
www/images/bg-login-top.png
www/images/exclamation.png
www/images/bg-button-green.gif
www/images/cross.png
www/images/bg-body.gif
www/images/jquery_wysiwyg.gif
www/images/bg-sidebar.gif
www/images/tick_circle.png
www/images/bg-form-field.gif
www/images/br.png
www/images/bl.png
www/images/Thumbs.db
www/images/bullet_black.png
www/images/bg-login.gif
www/images/cross_circle.png
www/images/bg-radial-gradient.gif
www/images/tl.png
www/images/shortcut-button-bg.gif
www/images/hammer_screwdriver.png
www/images/bg-menu-item-green.gif
www/images/bg-menu-item-current.gif
www/images/loading.gif
www/images/bg-content-box.gif
www/images/information.png
www/images/tr.png
www/images/cross_grey_small.png
www/images/logo.png
www/images/menu-current-arrow.gif
www/css/
www/css/jquery.percentageloader-0.1.css
www/css/reset.css
www/css/style.css
www/css/invalid.css
www/connect.html
www/SetPassword.html
www/SetNet.html
www/index.html
www/setBaudRate.html
www/js/
www/js/jquery.percentageloader-0.1.js
www/js/simpla.jquery.configuration.js
www/js/jquery-1.4.1.min.js
www/js/ajaxfileupload.js
www/js/jquery-1.3.2.min.js
www/js/getagain.js
www/js/jquery.wysiwyg.js
www/OutputP1Main.html
lib/
lib/libcommonlib.so
lib/libAPI.so
lib/libLRCF.so
bin/
bin/webserver
bin/SII9293A1
bin/FWUpgrade
bin/IFrameVieoNet.h264
bin/SII9293A2
bin/lighttpd
bin/SII9293A0
bin/DevMsg
bin/MediaServer
bin/ddnsclient
bin/DisPlay
bin/IFrameVieoLoss.h264
bin/WatchDog
bin/SII9293A3
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f0184: 0x00000001 --> 0x00000000
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f0188: 0x00000001 --> 0x00000000
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f00e0: 0x00000001 --> 0x00000000
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f00e4: 0x00000001 --> 0x00000000
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f017c: 0x00000001 --> 0x00000001
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f0180: 0x00000001 --> 0x00000001
[END]
*** Board tools : ver0.0.1_20130123 ***
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x120f00ac: 0x00000002 --> 0x00000001
[END]
Please press Enter to activate this console. 1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:56]get msg qeue msgid:0
1970-01-01 00:00:03.000 [WATCH_DOG main.cpp:50]wang wang wang !
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdogConfig.cpp:91]read name is TX
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdogConfig.cpp:100]Product is Tx
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:77]get process:SII9293A0
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:77]get process:SII9293A1
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:77]get process:SII9293A2
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:77]get process:SII9293A3
1970-01-01 00:00:03.000 [WATCH_DOG CWatchdog.cpp:77]get process:DisPlay
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:369]kill sub process:SII9293A0 fail
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:371]killed sub process:SII9293A0, pid:54188
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:270][ startSubProcess name:/var/bin/SII9293A0, param:(null) ]
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:279]Create child:1008
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:369]kill sub process:SII9293A1 fail
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:371]killed sub process:SII9293A1, pid:54188
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:270][ startSubProcess name:/var/bin/SII9293A1, param:(null) ]
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:279]Create child:1009
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:369]kill sub process:SII9293A2 fail
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:371]killed sub process:SII9293A2, pid:54188
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:270][ startSubProcess name:/var/bin/SII9293A2, param:(null) ]
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:279]Create child:1010
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:369]kill sub process:SII9293A3 fail
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:371]killed sub process:SII9293A3, pid:54188
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:270][ startSubProcess name:/var/bin/SII9293A3, param:(null) ]
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:279]Create child:1011
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:369]kill sub process:DisPlay fail
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:371]killed sub process:DisPlay, pid:54188
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:270][ startSubProcess name:/var/bin/DisPlay, param:(null) ]
1970-01-01 00:00:05.000 [WATCH_DOG CWatchdog.cpp:279]Create child:1012
sii9293drv driver starting!
Version: CP5293-v1.00.00
Build: 16:34:53-Aug 21 2018
register_chrdev 9293 addr = 1
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:201]Get Video Index = 0
write head info error or more of User count = 0datasize = 1024 dataoffset = 4096
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:76]Starting sii-9293
sii9293drv driver starting!
Version: CP5293-v1.00.00
Build: 16:35:04-Aug 21 2018
register_chrdev 9293 addr = 2
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:201]Get Video Index = 0
write head info error or more of User count = 0datasize = 1024 dataoffset = 4096
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:76]Starting sii-9293
sii9293drv driver starting!
Version: CP5293-v1.00.00
Build: 16:35:15-Aug 21 2018
register_chrdev 9293 addr = 3
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:201]Get Video Index = 0
write head info error or more of User count = 0datasize = 1024 dataoffset = 4096
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:76]Starting sii-9293
sii9293drv driver starting!
Version: CP5293-v1.00.00
Build: 16:34:42-Aug 21 2018
register_chrdev 9293 addr = 0
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:201]Get Video Index = 0
write head info error or more of User count = 0datasize = 1024 dataoffset = 4096
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:76]Starting sii-9293
1970-01-01 00:00:05.000 [DISPLAY main.cpp:52]feed dog now!!!
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:123]Device ID: 9293
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:124]Device Revision: 01
1970-01-01 00:00:05.000 [DISPLAY si_drv_evita.c:77]#################read 4A = 0x0 60 = 0xff
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:123]Device ID: 9293
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:124]Device Revision: 01
1970-01-01 00:00:05.000 [DISPLAY si_drv_evita.c:77]#################read 4A = 0x0 60 = 0xff
=======================================id= 10
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:123]Device ID: 9293
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:124]Device Revision: 01
1970-01-01 00:00:05.000 [DISPLAY si_drv_evita.c:77]#################read 4A = 0x0 60 = 0xff
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:123]Device ID: 9293
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:124]Device Revision: 01
1970-01-01 00:00:05.000 [DISPLAY si_drv_evita.c:77]#################read 4A = 0x0 60 = 0xff
1970-01-01 00:00:05.000 [DISPLAY si_drv_rx.c:248]SII9293 OUT sysn mode = 0xf0
1970-01-01 00:00:05.000 [DISPLAY si_drv_rx.c:248]SII9293 OUT sysn mode = 0xf0
1970-01-01 00:00:05.000 [DISPLAY si_drv_rx.c:248]SII9293 OUT sysn mode = 0xf0
1970-01-01 00:00:05.000 [DISPLAY si_drv_rx.c:248]SII9293 OUT sysn mode = 0xf0
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:287]RX Audio: Fs code = 01
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:287]RX Audio: Fs code = 01
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:287]RX Audio: Fs code = 01
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:287]RX Audio: Fs code = 01
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:351]update audio info restart now
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:351]update audio info restart now
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:351]update audio info restart now
1970-01-01 00:00:05.000 [DISPLAY si_rx_audio.c:351]update audio info restart now
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:354]state is not chage ID: 1
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:354]state is not chage ID: 2
1970-01-01 00:00:05.000 [LRCF LRcfServerT.hpp:209]setTask NOW !!! MaxTask = 5 StackSize = 51200
1970-01-01 00:00:05.000 [LRCF LRcfServerT.hpp:228]Start LRCF NOW !!! Link = /tmp/.LRCFCodec
1970-01-01 00:00:05.000 [LRCF LRcfServer.cpp:36]setTask NOW !!! MaxTask = 5 StackSize = 51200
1970-01-01 00:00:05.000 [LRCF LRcfServer.cpp:54]Start LRCF NOW !!! Link = /tmp/.LRCFCodec
1970-01-01 00:00:05.000 [LRCF Sock.cpp:123]Start SetServer NOW !!! Link = /tmp/.LRCFCodec
1970-01-01 00:00:05.000 [LRCF Sock.cpp:217]SERVER link = /tmp/.LRCFCodec CLicet link = sock = 6
1970-01-01 00:00:05.000 [LRCF Sock.cpp:217]SERVER link = /tmp/.LRCFCodec CLicet link = sock = 6
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:24]ThreadPool Num:5, stack:51200
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:254]PIC LEN = 14429
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:266]PIC LEN = 10204
1970-01-01 00:00:05.000 [DISPLAY Dconfig.cpp:61]load config from /mnt/mtd/app/config/DisPlayConfig.ini
datasize = 1024 dataoffset = 4096
datasize = 1024 dataoffset = 4096
datasize = 1024 dataoffset = 4096
datasize = 1024 dataoffset = 4096
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:421]can not get input0 res Use Default
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:421]can not get input0 res Use Default
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:421]can not get input0 res Use Default
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:421]can not get input0 res Use Default
1970-01-01 00:00:05.000 [DISPLAY CDisPlay.cpp:544]init 0x1f663b0
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:354]state is not chage ID: 0
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:354]state is not chage ID: 3
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:65]Start worker thread tid:-1238885280
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:65]Start worker thread tid:-1238832032
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:65]Start worker thread tid:-1238778784
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:65]Start worker thread tid:-1238725536
1970-01-01 00:00:05.000 [LRCF ThreadPool.cpp:65]Start worker thread tid:-1238672288
1970-01-01 00:00:05.000 [DISPLAY hAudio.cpp:271]Ai(0,0) bind to AencChn:0 ok!
1970-01-01 00:00:05.000 [DISPLAY hAudio.cpp:271]Ai(0,1) bind to AencChn:1 ok!
1970-01-01 00:00:05.000 [CODEC hAVi.cpp:205]create VI success!!!
1970-01-01 00:00:05.000 [CODEC hAVi.cpp:205]create VI success!!!
1970-01-01 00:00:05.000 [CODEC hAVi.cpp:205]create VI success!!!
1970-01-01 00:00:05.000 [CODEC hAVi.cpp:205]create VI success!!!
1970-01-01 00:00:05.000 [DISPLAY hSys.cpp:41]SysBind[16-0-0]:[7-3-2]
1970-01-01 00:00:05.000 [DISPLAY hSys.cpp:41]SysBind[16-1-4]:[7-2-2]
1970-01-01 00:00:05.000 [DISPLAY hSys.cpp:41]SysBind[16-2-8]:[7-1-2]
1970-01-01 00:00:05.000 [DISPLAY hSys.cpp:41]SysBind[16-3-12]:[7-0-2]
1970-01-01 00:00:05.000 [DISPLAY hWnd.cpp:158]DisableHdmi err ret = 0xa0288004
1970-01-01 00:00:05.000 [DISPLAY hWnd.cpp:691]enIntfSync = 12
1970-01-01 00:00:05.000 [DISPLAY hWnd.cpp:72]InitDev >>><<< w:1920 h:1080 frmt = 60
1970-01-01 00:00:05.000 [DISPLAY hWnd.cpp:123]EnableHdmi ......
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:403]state is no source connected
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:316]Cable connection change: cable out
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:403]state is no source connected
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:316]Cable connection change: cable out
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:403]state is no source connected
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:316]Cable connection change: cable out
1970-01-01 00:00:05.000 [DISPLAY mhl_linuxdrv_main.c:403]state is no source connected
1970-01-01 00:00:05.000 [DISPLAY si_drv_device.c:316]Cable connection change: cable out
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:339]display RGB flag = 0
1970-01-01 00:00:06.000 [DISPLAY hAudio.cpp:648]bind is ok ao ch = 0 adchn = 0 AoDev = 1
1970-01-01 00:00:06.000 [DISPLAY CDisPlay.cpp:606]clear uboot buf
1970-01-01 00:00:06.000 [DISPLAY hAudio.cpp:119]enSample rate = 48000
1970-01-01 00:00:06.000 [DISPLAY hAudio.cpp:393]clk = 2
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:691]enIntfSync = 12
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1026]vo display x = 0 y = 0 w = 1920 h = 1080 mode = 5 i = 0
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1227]^_^ @ ^_^ [x-0, y-0, w-1440, h-1080] [dev:0 ch:0]
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:1295]SetChnFrameRate Dev:0 Chn:0 frmt:30 err ret = 0xa00f804a
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1026]vo display x = 0 y = 0 w = 1920 h = 1080 mode = 5 i = 1
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1227]^_^ @ ^_^ [x-1440, y-0, w-480, h-360] [dev:0 ch:1]
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:1295]SetChnFrameRate Dev:0 Chn:1 frmt:30 err ret = 0xa00f804a
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1026]vo display x = 0 y = 0 w = 1920 h = 1080 mode = 5 i = 2
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1227]^_^ @ ^_^ [x-1440, y-360, w-480, h-360] [dev:0 ch:2]
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:1295]SetChnFrameRate Dev:0 Chn:2 frmt:30 err ret = 0xa00f804a
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1026]vo display x = 0 y = 0 w = 1920 h = 1080 mode = 5 i = 3
1970-01-01 00:00:06.000 [CODEC hWnd.cpp:1227]^_^ @ ^_^ [x-1440, y-720, w-480, h-360] [dev:0 ch:3]
1970-01-01 00:00:06.000 [DISPLAY hWnd.cpp:1295]SetChnFrameRate Dev:0 Chn:3 frmt:30 err ret = 0xa00f804a
1970-01-01 00:00:06.000 [DISPLAY hSys.cpp:41]SysBind[7-1-3]:[15-0-0]
1970-01-01 00:00:06.000 [DISPLAY hSys.cpp:41]SysBind[7-2-3]:[15-0-1]
1970-01-01 00:00:06.000 [DISPLAY hSys.cpp:41]SysBind[7-3-3]:[15-0-2]
1970-01-01 00:00:06.000 [DISPLAY hSys.cpp:41]SysBind[7-0-3]:[15-0-3]
1970-01-01 00:00:06.000 [DISPLAY CDisPlay.cpp:1233]SET VOIDE MODE IS 14
1970-01-01 00:00:06.000 [DISPLAY hAudio.cpp:119]enSample rate = 44100
1970-01-01 00:00:06.000 [DISPLAY hAudio.cpp:393]clk = 1
1970-01-01 00:00:07.000 [DISPLAY hWnd.cpp:339]display RGB flag = 0
1970-01-01 00:00:07.000 [DISPLAY CDisPlay.cpp:1270]open /dev/ttyAMA1 is ok fd = 58
(none) login:
matiaspl commented Apr 24, 2019

DEScrypt (?) hashes:
/etc/passwd
root:4uvdzKqBkj.jg (unknown, interestingly enough hashcat did not resolve the hash)
/etc/passwd-
root:t0xJ1/fBky6vg (pass: rosevide)

matiaspl commented May 8, 2019

I have been able to break in using the "bomb out to U-Boot" technique with the following procedure:

Upon boot during the first second or two (just when "Hit any key to stop autoboot:" prompt appears) connect pin 2 (SO) of the flash chip to GND. Following a bad kernel image read (detected properly by U-Boot) you will be dropped back to a passwordless (yay!) U-Boot console:

U-Boot 2010.06 (Aug 11 2018 - 18:47:37)
Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x17
Block:64KB Chip:8MB Name:"MX25L6436F"
SPI Nor total size: 8MB
Cannot found a valid SPI Nand Device
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  1 ... 0 
dev 0 set background color!
jpeg decoding ...
ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ ˇ cmd = ˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇˇ
<<addr=0x7e0000, size=0xd12a, vobuf=0x8ac00000>>
spi_flash 8084d920
., ., Í, ++Magic err, ., ., ., load jpeg err. 
OpenDev  vo:0 intf_type:36 out_sync:8
dev 0 opened!
graphic layer 0 opened!
upgrade flag = 0
8192 KiB hi_fmc at 0:0 is now current device
Wrong Image Format for bootm command
ERROR: can't get kernel image!
HDMI has been Disconnected.
hisilicon #

The 'printenv' command gives the following:

bootdelay=1
baudrate=115200
ethaddr="00:00:23:34:45:66"
bootfile="uImage"
filesize=800000
fileaddr=82000000
netmask=0.255.255.255
ipaddr=192.168.1.10
serverip=192.168.1.169
bootcmd=setvobg 0 0x0;setenv jpeg_addr 0x7E0000;setenv jpeg_size 0xD12A;setenv vobuf 0x8AC00000;setenv upAddr 0x9DC00000;decjpg;startvo 0 36 8;startgx 0 0x8AC00000 2560 0 0 1280 720;upgrade;sf probe 0;sf read 0x82000000 0x60000 0x500000;bootm 0x82000000
bootargs=mem=128M console=ttyAMA0,115200 mtdparts=hi_sfc:384k(uboot),4608K(core),2560K(app),512k(para)
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Aug 11 2018 - 18:47:37)
jpeg_addr=0x7E0000
jpeg_size=0xD12A
vobuf=0x8AC00000
upAddr=0x9DC00000

So far so good. Let's run a single user environment just for fun (too bad the root folder is in the initrd image - no writing possible):

setenv bootargs 'mem=128M console=ttyAMA0,115200 mtdparts=hi_sfc:384k(uboot),4608K(core),2560K(app),512k(para) single'

Now let's save the environment variables and reset the CPU.

hisilicon # saveenv
Saving Environment to SPI Flash...
Erasing SPI flash, offset 0x00050000 size 64K ...done
Writing to SPI flash, offset 0x00050000 size 64K ...done
hisilicon # reset

And we're booting...

U-Boot 2010.06 (Aug 11 2018 - 18:47:37)
-- cut all the boring crap --
ˇata2: SATA link down (SStatus 0 SControl 300)
Freeing unused kernel memory: 7920K (c052c000 - c0ce8000)
Welcome to HiLinux.
# 

Root console it is. Let's check what busybox can do for us in the future.

# busybox
BusyBox v1.21.1 (2017-09-18 17:41:14 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as.

Currently defined functions:
	acpid, arp, ash, blkid, blockdev, bootchartd, cat, chmod, chown, cp,
	cttyhack, date, dd, depmod, df, dhcprelay, dmesg, du, dumpleases, echo,
	egrep, env, false, fdisk, fgrep, find, flock, free, getty, grep,
	groups, gzip, halt, hush, ifconfig, init, insmod, iostat, ipcrm, ipcs,
	kill, killall, killall5, klogd, linuxrc, ln, logger, login, logread,
	losetup, ls, lsmod, lsof, lspci, lsusb, md5sum, mdev, mkdir, mkdosfs,
	mkfs.vfat, mknod, mkswap, modinfo, modprobe, more, mount, mpstat, msh,
	mv, nameif, nbd-client, nc, netstat, nmeter, passwd, ping, pivot_root,
	pmap, poweroff, powertop, ps, pstree, pwd, pwdx, reboot, reset, rev,
	rm, rmmod, route, sh, sleep, smemcap, sync, syslogd, tar, tcpsvd,
	telnet, telnetd, time, top, touch, tr, true, tunctl, udhcpc, udhcpd,
	udpsvd, umount, unexpand, unxz, users, usleep, vi, who, whois, xz,
	xzcat

To be continued ;)
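The printenv output above carries everything needed to map the boot flow onto the 8 MB SPI flash. The following script is an added example, not part of the gist: it parses the mtdparts= string from bootargs into absolute partition ranges (the same four ranges the kernel prints as "Creating 4 MTD partitions"), then reports which partition the saved environment block (offset 0x50000 from the saveenv output), the kernel "sf read" in bootcmd, and the boot logo JPEG each land in. The parser also handles the "size@offset(name)" and "-(name)" entry forms of the kernel cmdline syntax, which this device does not use.

```python
"""Map the U-Boot environment from the printenv output onto the 8 MB SPI flash.

Added example, not part of the gist. Parses mtdparts= into partition ranges and
locates the env block, the bootcmd kernel read and the boot logo within them.
All sample strings are copied from the printenv / saveenv output above.
"""
import re

FLASH_SIZE = 8 * 1024 * 1024             # "SPI Nor total size: 8MB"
ENV_OFFSET, ENV_SIZE = 0x50000, 0x10000  # from the saveenv output (64K)

# Copied from the printenv output above.
BOOTARGS = ("mem=128M console=ttyAMA0,115200 "
            "mtdparts=hi_sfc:384k(uboot),4608K(core),2560K(app),512k(para)")
BOOTCMD = ("setvobg 0 0x0;setenv jpeg_addr 0x7E0000;setenv jpeg_size 0xD12A;"
           "setenv vobuf 0x8AC00000;setenv upAddr 0x9DC00000;decjpg;"
           "startvo 0 36 8;startgx 0 0x8AC00000 2560 0 0 1280 720;upgrade;"
           "sf probe 0;sf read 0x82000000 0x60000 0x500000;bootm 0x82000000")

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE = r"\d+[kKmMgG]?"


def parse_size(text):
    """'384k' -> 393216; the suffix is case-insensitive, as in the kernel."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_mtdparts(bootargs, flash_size=FLASH_SIZE):
    """Return [(name, start, end)] for the mtdparts= definition in bootargs.

    Entries are '<size>[@<offset>](<name>)[ro]'; '-' means 'rest of the
    device'. Entries without @offset start where the previous one ended.
    """
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    parts, offset = [], 0
    for entry in m.group(2).split(","):
        em = re.fullmatch(rf"(-|{_SIZE})(?:@({_SIZE}))?\((\w+)\)(ro)?", entry)
        if not em:
            raise ValueError(f"bad mtdparts entry: {entry!r}")
        if em.group(2):
            offset = parse_size(em.group(2))
        size = flash_size - offset if em.group(1) == "-" else parse_size(em.group(1))
        parts.append((em.group(3), offset, offset + size))
        offset += size
    return parts


def parse_setenv(bootcmd):
    """Variables that bootcmd sets on the fly, e.g. jpeg_addr / jpeg_size."""
    return {k: int(v, 0)
            for k, v in re.findall(r"setenv (\w+) (0x[0-9a-fA-F]+|\d+)", bootcmd)}


def parse_sf_reads(bootcmd):
    """Each 'sf read <ram addr> <flash offset> <length>' in bootcmd, as ints."""
    hexnum = r"(0x[0-9a-fA-F]+)"
    return [tuple(int(x, 16) for x in g)
            for g in re.findall(rf"sf read {hexnum} {hexnum} {hexnum}", bootcmd)]


def locate(parts, start, length, flash_size=FLASH_SIZE):
    """Names of the partitions the flash range [start, start+length) touches."""
    end = start + length
    hits = [name for name, ps, pe in parts if start < pe and end > ps]
    if end > max(pe for _, _, pe in parts):
        hits.append("<unpartitioned tail>" if end <= flash_size else "<beyond flash>")
    return hits


def flash_report(bootargs=BOOTARGS, bootcmd=BOOTCMD):
    """Map each flash access mentioned in the log to the partition(s) it hits."""
    parts = parse_mtdparts(bootargs)
    env = parse_setenv(bootcmd)
    report = {"env block": locate(parts, ENV_OFFSET, ENV_SIZE),
              "boot logo": locate(parts, env["jpeg_addr"], env["jpeg_size"])}
    for _, off, length in parse_sf_reads(bootcmd):
        report[f"sf read @{off:#x}+{length:#x}"] = locate(parts, off, length)
    return report


if __name__ == "__main__":
    for name, start, end in parse_mtdparts(BOOTARGS):
        print(f"{start:#010x}-{end:#010x} {name}")
    for what, where in flash_report().items():
        print(f"{what:<26} -> {', '.join(where)}")
```

Two things the report makes visible: the 5 MB kernel read in bootcmd is larger than the 4608K "core" partition, so it spills into "app" (harmless, since bootm sizes the image from its uImage header), and the logo JPEG sits in the unpartitioned 128K tail after "para".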

matiaspl commented May 8, 2019

Today let's inspect the init scripts.

/etc/init.d/S00devs:

#!/bin/sh

#mknod -m 660 /dev/console c 5 1
#mknod -m 660 /dev/null c 1 3
mknod /dev/ttyAMA0 c 204 64
mknod /dev/ttyAMA1 c 204 65
mknod /dev/ttyS000 c 204 64
#mknod /dev/ttyAMA2 c 204 66
#mknod /dev/ttyAMA3 c 204 67

mknod -m 666 /dev/mtdblock0 b 31 0
mknod -m 666 /dev/mtdblock1 b 31 1
mknod -m 666 /dev/mtdblock2 b 31 2
#mknod -m 666 /dev/mtdblock3 b 31 3
#mknod -m 666 /dev/mtdblock4 b 31 4

mknod -m 666 /dev/mtd0 c 90 0
mknod -m 666 /dev/mtd1 c 90 2
mknod -m 666 /dev/mtd2 c 90 4
#mknod -m 666 /dev/mtd3 c 90 6
#mknod -m 666 /dev/mtd4 c 90 8

#mount -t squashfs /dev/mtdblock2 /mnt/mtd/app
mount -t jffs2 /dev/mtdblock2 /mnt/mtd/
#mount -t jffs2 /dev/mtdblock3 /mnt/mtd/config

So, there are perfectly writable filesystems around here... B-)

/etc/init.d/S01udev

#!/bin/sh

mkdir -m 660 /dev/pts
mount -t devpts devpts /dev/pts

udevd --daemon
udevstart

Nothing interesting, moving along.
/etc/init.d/S80network

#!/bin/sh

ipaddr=
bootp=
gateway=
netmask=
hostname=
netdev=
autoconf=

for ipinfo in `cat /proc/cmdline`
do
	case "$ipinfo" in
	ip=*)
		for var in  ipaddr bootp gateway netmask hostname netdev autoconf
		do
			eval read $var
		done << EOF
		`echo "$ipinfo" | sed "s/:/\n/g" | sed "s/^[ 	]*$/-/g"`
EOF
		ipaddr=`echo "$ipaddr" | cut -d = -f 2`
		[ x$ipaddr == x ] && ipaddr=x
		;;
	esac
done

[ -z "$ipaddr" ] && exit 0

echo "      IP: $ipaddr"
echo "   BOOTP: $bootp"
echo " GATEWAY: $gateway"
echo " NETMASK: $netmask"
echo "HOSTNAME: $hostname"
echo "  NETDEV: $netdev"
echo "AUTOCONF: $autoconf"

if [ x$ipaddr == x- ] ; then
	# use DHCP
	:
else
	cmd="ifconfig $netdev $ipaddr"
	[ x$netmask != x- ] && cmd="$cmd netmask $netmask"
	eval $cmd
	[ x$gateway != x- ] && route add default gw $gateway
fi

ifconfig lo 127.0.0.1

Somebody forgot the 'up' word in the last line. Not that this makes any difference on a device that has zero network connectivity. I guess this is one of many leftovers from a DVR device repurposed as a multiviewer (which to me is an ingenious idea, hats off to the Chinese engineer who did this). Last but not least in this directory:
/etc/init.d/S90init

#!/bin/sh

if [ -e /mnt/mtd/boot.sh ]; then
sh /mnt/mtd/boot.sh
fi

Bingo. boot.sh script looks like a perfect payload for my more or less permanent root access hack that doesn't cripple the device's functionality (single user mode doesn't do anything creative unless all /proc, /sys, etc. filesystems are mounted and init scripts are run).

/mnt/mtd/boot.sh

#!/bin/sh

mkdir -m 777 /var
mkdir -m 777 /tmp/upload
mount -t jffs2 /dev/mtdblock3 /mnt/mtd/app/config
tar xJvf /mnt/mtd/app/modules.xz -C /tmp/
cd /tmp/modules && ./load3521a -i
rm -rf /tmp/modules/

tar zxf /mnt/mtd/app/lighttpd-1.4.30-hi.tgz -C /usr/local/
chmod 777 /tmp/*
tar xJvf /mnt/mtd/app/www.xz -C /tmp/
mkdir /var/nfs
tar xJvf /mnt/mtd/app/soft.xz -C /var/
ln -s /var/bin/* /bin
ln -s /var/lib/libAPI.so /lib/libAPI.so
ln -s /var/lib/libLRCF.so /lib/libLRCF.so
ln -s /var/lib/libcommonlib.so /lib/libcommonlib.so

telnetd &

cd /mnt/mtd/
./vi.sh

echo "1048576" >> /proc/sys/net/core/wmem_max
echo "1048576" >> /proc/sys/net/core/rmem_max
echo "1048576" >> /proc/sys/net/core/wmem_default
echo "1048576" >> /proc/sys/net/core/rmem_default
WatchDog &
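The S90init -> /mnt/mtd/boot.sh hand-off above is exactly what a firmware audit should flag: an init script executing a file on a persistent, writable partition. The helper below is an added example, not part of the gist or the device firmware; it assumes a /proc/mounts-style listing and the init scripts are passed in as files, and the mount table and scripts used to exercise it are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the gist or the device). Flags init scripts that
# hand control to a file on a persistent writable mount, like S90init -> boot.sh.
# Inputs are plain files (mounts listing, init script), so it runs offline.

# RAM-backed or virtual filesystems: rw here does not survive a reboot.
VOLATILE_FS='tmpfs ramfs rootfs proc sysfs devtmpfs devpts debugfs'

# persistent_rw_mounts MOUNTS_FILE
# One mount point per line for every rw, non-volatile entry
# (fields as in /proc/mounts: device mountpoint fstype options ...).
persistent_rw_mounts() {
    awk -v vol="$VOLATILE_FS" '
        BEGIN { n = split(vol, v, " "); for (i = 1; i <= n; i++) volatile[v[i]] = 1 }
        $4 ~ /^rw(,|$)/ && !($3 in volatile) { print $2 }' "$1"
}

# mount_for PATH MOUNTS_FILE
# Longest persistent rw mount point containing PATH (empty line if none).
mount_for() {
    best=
    for mp in $(persistent_rw_mounts "$2"); do
        case "$1" in
            "$mp"|"${mp%/}"/*) [ ${#mp} -gt ${#best} ] && best=$mp ;;
        esac
    done
    printf '%s\n' "$best"
}

# referenced_paths SCRIPT
# Absolute paths named on non-comment lines of SCRIPT.
referenced_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[A-Za-z0-9_./-]*' | sort -u
}

# audit_init_script SCRIPT MOUNTS_FILE
# Prints "SCRIPT PATH MOUNTPOINT" per hit; exit status 1 if anything was flagged.
audit_init_script() {
    found=0
    for p in $(referenced_paths "$1"); do
        mp=$(mount_for "$p" "$2")
        if [ -n "$mp" ]; then
            printf '%s %s %s\n' "$1" "$p" "$mp"
            found=1
        fi
    done
    return $found
}
```

On a live box you would loop it over the init directory, e.g. for f in /etc/init.d/S*; do audit_init_script "$f" /proc/mounts; done, and treat any hit as a persistence path that needs a write-protected or integrity-checked partition.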

vi.sh

#!/bin/sh

#i2c0

#i2c1

#i2c2
himm 0x120f0184  0
himm 0x120f0188  0

#i2c3
himm 0x120f00e0 0
himm 0x120f00e4 0

#hdmi out
himm 0x120f017c 1
himm 0x120f0180 1

#audio
himm 0x120f00ac 1
#uart1

load3521a

#!/bin/sh
# Usage: ./load3521a [ -r|-i|-a ] [ ad ]
#         -r : rmmod all modules
#         -i : insmod all modules
#    default : rmmod all modules and then insmod them
#

####################Variables Definition##########################
AD_TYPE=6124        # ad type

mem_total=512;		# 512M, total mem
mem_start=0x80000000;	# phy mem start

os_mem_size=128;		# 128M, os mem
mmz_start=0x88000000;	# mmz start addr
mmz_size=350M;		# 350M, mmz size

##################################################################

report_error()
{
	echo "******* Error: There's something wrong, please check! *****"
	exit 1
}

insert_audio()
{
	insmod hi3521a_aio.ko
	insmod hi3521a_ai.ko
	insmod hi3521a_ao.ko
	insmod hi3521a_aenc.ko
	insmod hi3521a_adec.ko
#	insmod extdrv/tlv_320aic31.ko
}

remove_audio()
{
#	rmmod tlv_320aic31.ko
	rmmod hi3521a_adec
	rmmod hi3521a_aenc
	rmmod hi3521a_ao
	rmmod hi3521a_ai
	rmmod hi3521a_aio
}

insert_ad()
{
	case $AD_TYPE in
		6124)
			insmod extdrv/nvp6124.ko
			;;
		2823)
			insmod extdrv/tp2823.ko
			;;
		6574)
			insmod extdrv/rn6574.ko
			;;
		*)
			echo "xxxx Invalid ad type $AD_TYPE xxxx"
			report_error
			;;
	esac
}

remove_ad()
{
	case $AD_TYPE in
		6124)
			rmmod nvp6124
			;;
		2823)
			rmmod tp2823
			;;
		6574)
			rmmod rn6574
			;;
		*)
			echo "xxxx Invalid ad type $AD_TYPE xxxx"
			report_error
			;;
	esac
}


insert_ko()
{
	# low power control
	# source ./lowpower.sh > /dev/null

	# pinmux configuration
	source ./pinmux_hi3521a_vicap.sh > /dev/null
	source ./pinmux_hi3521a_vga_hdmi_spi.sh > /dev/null
	source ./pinmux_hi3521a_i2s.sh > /dev/null

	# crg configuration
	source ./crgctrl_hi3521a.sh > /dev/null

	# system configuration
	source ./sysctl_hi3521a_asic.sh > /dev/null

	# driver load
	insmod mmz.ko mmz=anonymous,0,$mmz_start,$mmz_size anony=1 || report_error
	insmod hiuser.ko
	insmod hi_media.ko
	insmod hi3521a_base.ko
	insmod hi3521a_sys.ko
	insmod hi3521a_vdec.ko
	insmod hi3521a_vfmw.ko
	insmod hi3521a_jpegd.ko
	insmod hi3521a_tde.ko
	insmod hi3521a_region.ko
	insmod hi3521a_vgs.ko
	insmod hi3521a_viu.ko detect_err_frame=10

	insmod hi3521a_vpss.ko
	insmod hi3521a_vou.ko
	insmod hifb.ko video="hifb:vram0_size:8100,vram1_size:1620,vram2_size:128"
	insmod hi3521a_hdmi.ko

	insmod hi3521a_rc.ko
	insmod hi3521a_venc.ko
	insmod hi3521a_chnl.ko
	insmod hi3521a_h264e.ko
	insmod hi3521a_jpege.ko
	insmod hi3521a_vda.ko
	insmod hi3521a_ive.ko
	insmod extdrv/gpio.ko
	insmod extdrv/hdmii2c.ko
	insmod extdrv/hi_ir.ko
	insmod extdrv/i2c_phys.ko
	insmod extdrv/sii0i2c.ko
	insmod extdrv/sii1i2c.ko
	insmod extdrv/sii2i2c.ko
	insmod extdrv/sii3i2c.ko

#	echo "==== Your input AD type is $AD_TYPE ===="

	insert_audio
}

remove_ko()
{
	remove_audio
	rmmod gpio
	rmmod hdmii2c
	rmmod hi_ir
	rmmod i2c_phys
	rmmod sii0i2c
	rmmod sii1i2c
	rmmod sii2i2c
	rmmod sii3i2c
	rmmod hi3521a_ive
	rmmod hi3521a_vda

	rmmod hi3521a_rc
	rmmod hi3521a_jpege
	rmmod hi3521a_h264e
	rmmod hi3521a_chnl
	rmmod hi3521a_venc

	rmmod hi3521a_hdmi
	rmmod hifb
	rmmod hi3521a_vou
	rmmod hi3521a_vpss
	rmmod hi3521a_viu

	rmmod hi3521a_vgs
	rmmod hi3521a_region
	rmmod hi3521a_tde

	rmmod hi3521a_jpegd
	rmmod hi3521a_vfmw
	rmmod hi3521a_vdec
	rmmod hi3521a_sys
	rmmod hi3521a_base
	rmmod hi_media
	rmmod hiuser
	rmmod mmz
}

load_usage()
{
	echo "Usage:  ./load3521a [-option] [ad_name]"
	echo "options:"
	echo "    -i                       insert modules"
	echo "    -r                       remove modules"
	echo "    -a                       remove modules first, then insert modules"
	echo "    -ad ad_name              config AD type [default: nvp6124]"
	echo "    -osmem os_mem_size       config os mem size [unit: M, default: 64]"
	echo "    -h                       help information"
	echo -e "Available ad: nvp6124, tp2823"
	echo -e "notes: osmem option can't be used when mmz zone partition is enable\n\n"
	echo -e "for example: ./load3521a -a -ad 6124 -osmem 64\n"
}

calc_mmz_info()
{
	mmz_start=`echo "$mem_start $os_mem_size" |
	awk 'BEGIN { temp = 0; }
	{
		temp = $1/1024/1024 + $2;
	}
	END { printf("0x%x00000\n", temp); }'`

	mmz_size=`echo "$mem_total $os_mem_size" |
	awk 'BEGIN { temp = 0; }
	{
		temp = $1 - $2;
	}
	END { printf("%dM\n", temp); }'`
	echo "mmz_start: $mmz_start, mmz_size: $mmz_size"
}


######################parse arg###################################
b_arg_os_mem=0
b_arg_ad=0
b_arg_insmod=0
b_arg_remove=0

for arg in $@
do
	if [ $b_arg_os_mem -eq 1 ] ; then
		b_arg_os_mem=0;
		os_mem_size=$arg;

		if [ -z $os_mem_size ]; then
			echo "[error] os_mem_size is null"
			exit;
		fi

		if [ $os_mem_size -ge $mem_total ] ; then
			echo "[err] os_mem[$os_mem_size], over total_mem[$mem_total]"
			exit;
		fi

		calc_mmz_info;
	fi

	if [ $b_arg_ad -eq 1 ] ; then
		b_arg_ad=0
		AD_TYPE=$arg;
	fi

	case $arg in
		"-i")
			b_arg_insmod=1;
			;;

		"-r")
			b_arg_remove=1;
			;;
		"-a")
			b_arg_insmod=1;
			b_arg_remove=1;
			;;

		"-h")
			load_usage;
			;;

		"-ad")
			b_arg_ad=1;
			;;

		"-osmem")
			b_arg_os_mem=1;
			;;
	esac
done
#######################parse arg end########################

#######################Action###############################
if [ $b_arg_remove -eq 1 ]; then
	remove_ko;
fi
if [ $b_arg_insmod -eq 1 ]; then
	insert_ko;
fi

@matiaspl
Author

matiaspl commented Jun 27, 2019

Final touch. I forgot to document the most important thing: to get root access I overwrite /etc/passwd with /etc/passwd- in the boot.sh script. Add a line cp -r /etc/passwd- /etc/passwd there. Since boot.sh lies on a writable filesystem, as a result I get to overwrite the initrd RAM filesystem at every boot. Then I get to log in as root with root:rosevide credentials. Finis coronat opus ;)

Post scriptum:
For the time being I have lost interest in further hacking, but feel free to take over and post what you managed to do with this beauty/beast.

@wes1993

wes1993 commented Nov 14, 2020

Hello!! :-D
Thanks a lot for your guide, I have seen your guide but I don't know how I can put my payload.
My device is HI
Some info from my busybox in single user mode:

/etc/init.d # busybox
BusyBox v1.26.2 (2019-07-15 17:52:17 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, arp, arping, ash, awk, base64, basename, blkdiscard, blkid,
        blockdev, brctl, cal, cat, catv, chat, chgrp, chmod, chown, chroot,
        cksum, clear, comm, cp, crond, crontab, cttyhack, cut, date, dc, dd,
        deallocvt, devmem, df, dhcprelay, diff, dirname, dmesg, dnsd,
        dnsdomainname, dos2unix, du, dumpleases, echo, env, ether-wake, expand,
        expr, fakeidentd, false, fatattr, fdflush, fdisk, find, fold, free,
        fsync, fuser, getopt, getty, grep, groups, gzip, halt, hdparm, head,
        hexdump, hostid, hostname, hush, hwclock, id, ifconfig, ifdown,
        ifenslave, ifup, inetd, init, insmod, ionice, iostat, ip, ipaddr,
        ipcalc, iplink, ipneigh, iproute, iprule, iptunnel, kill, killall,
        last, less, linux32, linuxrc, ln, login, logname, losetup, ls, lsmod,
        lsof, lsusb, makedevs, md5sum, mdev, mkdir, mkfifo, mknod, mkswap,
        mktemp, more, mount, mountpoint, mpstat, mt, mv, nameif, nbd-client,
        nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od, pidof, ping,
        pkill, poweroff, printenv, printf, ps, pscan, pstree, pwd, pwdx,
        readlink, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod,
        route, runlevel, runsv, sed, seq, sh, sha1sum, sha256sum, sha3sum,
        sha512sum, shuf, slattach, sleep, smemcap, sort, split, stat, strings,
        stty, sum, swapoff, swapon, sysctl, tac, tail, tar, tcpsvd, tee,
        telnet, telnetd, test, tftp, time, timeout, top, touch, tr, traceroute,
        true, truncate, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, uevent,
        umount, uname, unexpand, uniq, unlink, uptime, users, usleep, uudecode,
        uuencode, vconfig, watch, wc, wget, which, who, whoami, whois, xargs,
        yes, zcip

Filesystem                Size      Used Available Use% Mounted on
/dev/root.old             1.0M      1.0M         0 100% /
tmpfs                    54.3M         0     54.3M   0% /dev
tmpfs                    54.3M         0     54.3M   0% /tmp
tmpfs                    54.3M         0     54.3M   0% /media
tmpfs                    54.3M         0     54.3M   0% /var/run
tmpfs                    54.3M         0     54.3M   0% /var/lock


Apparently NO text editor: [screenshot]

How can I decrypt this pass?

/etc # more passwd
root:x:0:0:root:/root:/bin/sh
stb:x:1000:1000:Linux User,,,:/home/stb:/bin/sh
/etc # more passwd-
root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh

Or do you know how I can flash an old FW (the old FW has a backdoor) via tftp or something else?

Thanks a lot for all your help
Stefano

@wes1993

wes1993 commented Nov 14, 2020

I think I have found an entrypoint; can you help me only to decrypt the user password?

/etc # more passwd-
root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh

@matiaspl
Author

matiaspl commented Jan 7, 2021

Hi @wes1993, I somehow missed your message.
The x'es in your /etc/passwd file suggest that there's also an /etc/shadow present, so you might check if there's a known hash there.

The hash in your passwd- file (md5crypt type hash) has been seen online: https://forums.hak5.org/topic/38353-embedded-device-password-cracking/ so it's likely the camera uses a more or less known password.

Even if it's not, feel free to use my hash and known password and try to find a way to alter the contents of the passwd (hopefully you will find a script run on startup on a writable - or remountable as rw - filesystem as I did). And changing the password is as easy as rewriting the contents of /etc/passwd or /etc/shadow. You can use echo for that purpose.

@wes1993

wes1993 commented Jan 7, 2021

Thanks a lot for your reply matiaspl,
finally I have found a way to mount my passwd so I have root access :-D
I haven't found a way to stream the video for now but I have telnet access :-D
Best Regards
Stefano
