NBD8016R-PL-V2 NVR (Network Video Recorder) firmware

HiSilicon-based NVR (Network Video Recorder)

Acronyms

AHD - Analog High Definition
NVR - Network Video Recorder
DVR - Digital Video Recorder
IPC - IP Camera

Research

Device / Board Name

N8G5-M-V2 aka NBD8016R-PL-V2

http://www.xiongmaitech.com/en/index.php/product/product-detail/4/110/328

SPI Flash

W25Q128.V

Partitions

sbin/env_mtdparts

mtdparts=hi_sfc:320K(boot),3968K(romfs),7040K(usr),1600K(web),2816K(custom),128K(logo),512K(mtd)

Firmware

mtdblock4-custom/FirmwareInfo

NET_UPGRADE_FILE=MHK_MHK_NBD8016R-PL-V2_V4.03.R11.7601.Nat.OnvifC.20191122.bin
BURN_FILE=upall_MHK_MHK_NBD8016R-PL-V2.7601.Nat.OnvifC.20191122.bin

mtdblock4-custom/ProductDefinition

{
   "Vendor" : "General",
   "Hardware" : "NBD8008R-PL",
   "LogoPartType" : "cramfs",
   "PackSize" : 10240,
   "PreRecSize" : 2048,
   "LogoArea" : {"Begin": "0xf60000", "End": "0xf80000"},
   "CompatibleVersion" : 1
}

Cloud service, possibly used for firmware updates (it answers with a JSON error to an empty request):

curl -d '{}' \
  -H 'Content-Type: application/json' \
  http://pub-cfg.secu100.net:8086/
{"CfgProtocol":{"Header":{"ErrorString":"invalid protocol format args","CSeq":"1","Version":"1.0","MessageType":"any","ErrorNum":"400"}}}

MHK (Ming Hong Kai) brand

http://www.mhkdvr.com/

http://www.mhkdvr.com/en/productshow.php?id=128

Resources

https://www.unifore.net/product-highlights/nvr-dvr-hisilicon-solution-hi3536-hi3531-hi3521-hi3520d.html

https://www.hdfreaks.cc/index.php/Thread/28239-Auflistung-der-4k-Boxen-mit-HiSilicon-Chips-arm-und-HDF-Support/?postID=255012&s=bdd05f8e7b71c7021e38df5eca894f3d9071023f#post255012

Open Source Cam project

http://www.openhisiipcam.org/cctv/chinese-cctv-market/

https://github.com/OpenHisiIpCam/wrt-hisicam/

RTSP config table

https://www.ispyconnect.com/man.aspx?n=xmeye

Firmware collections

https://www.unifore.net/analog-surveillance/v4-02-r11-h-264-dvr-firmware-download.html

http://feelinlook.ru/index.php?route=information/information&information_id=9

http://www.vacron.com/IPsurveillance_support1.html

https://www.cctvsp.ru/articles/dvr-firmware-update

related camera: https://www.cctvsp.ru/articles/obnovlenie-proshivok-dlya-ip-kamer-ot-xiong-mai

This one: https://yadi.sk/d/QSzw_Yav3Rmi8L

Development

Sources / Hacking

https://github.com/ubis/HI3536DV100

root password

xc3511

Exploits / PoCs

https://habr.com/en/post/486856/

https://github.com/Snawoot/hisilicon-dvr-telnet

https://github.com/tothi/pwn-hisilicon-dvr

CVEs

https://sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/

https://www.cvedetails.com/cve/CVE-2017-16725/

OpenWrt

https://openwrt.org/docs/techref/hardware/soc/soc.hisilicon.hi35xx

related open IP camera project

https://github.com/OpenHisiIpCam/wrt-hisicam

HI3536D SDK

https://pan.baidu.com/s/1DolEGgtDezBhgUtE9DbhHQ

Related IP cam SDK

TUYA IPC SDK

Hi35xx NVR DVR series SoC manual

Link: https://pan.baidu.com/s/1DolEGgtDezBhgUtE9DbhHQ

Extraction code: 58w8

Firmware Modification

extraction

unsquashfs -d mtdblock1-romfs mtdblock1-romfs.bin
unsquashfs -d mtdblock2-user mtdblock2-user.bin
unsquashfs -d mtdblock3-web mtdblock3-web.bin
unsquashfs -d mtdblock4-custom mtdblock4-custom.bin

kernel

mtdblock1-romfs/boot/zImage.img

kernel modules

mtdblock2-user/lib/modules.tar.lzma

The init script references a custom script on the custom partition, similar to the camera firmware (excerpt of rcS around the relevant line):

mtdblock1-romfs/etc/init.d/rcS

ifconfig eth0 down
ifconfig eth0 up

/usr/etc/pppd pty /etc/ppp/pppoe-start file /etc/ppp/pppoe-options &

/mnt/custom/extapp.sh &

#unrar x /usr/bin/Sofia.rar /var/
cp /usr/bin/Sofia.tar.lzma /var/
cd /var/
tar -axf /usr/bin/Sofia.tar.lzma

/mnt/custom is the custom partition (mtdblock4), so /mnt/custom/extapp.sh lives in mtdblock4-custom.

create script and repack

mtdblock4-custom/extapp.sh

#!/bin/sh

# mount the USB stick that carries the u-root userland and SSH keys
_MNT=/mnt/usb
mkdir -p $_MNT
mount /dev/sda1 $_MNT
# unpack u-root into the writable /var and start its sshd
cd /var
tar -xf $_MNT/u-root.tar.gz
./root-arm-core/bbin/sshd \
  -keys $_MNT/ssh-key/ssh.pub \
  -privatekey $_MNT/ssh-key/ssh

rebuild squashfs

mksquashfs mtdblock4-custom/ mtdblock4-custom-mod.bin -comp xz

pad the image to the partition size (2816K = 2883584 bytes; the squashfs must not be larger than that, or truncate will cut it off)

truncate -s 2883584 mtdblock4-custom-mod.bin

rebuild image

cat \
 mtdblock0-u-boot.bin \
 mtdblock1-romfs.bin \
 mtdblock2-user.bin \
 mtdblock3-web.bin \
 mtdblock4-custom-mod.bin \
 mtdblock5-logo.bin \
 mtdblock6-mtd.bin > fw-mod.bin

layout.txt

00000000:0004ffff mtdblock0-u-boot
00050000:0042ffff mtdblock1-romfs
00430000:00b0ffff mtdblock2-user
00b10000:00c9ffff mtdblock3-web
00ca0000:00f5ffff mtdblock4-custom
00f60000:00f7ffff mtdblock5-logo
00f80000:00ffffff mtdblock6-mtd

write back

sudo flashrom -p ft2232_spi:type=2232H,port=A \
  -l layout.txt \
  -i mtdblock4-custom \
  -w fw-mod.bin
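The layout.txt above is derived by hand from the mtdparts string, and the truncate size from the custom partition size. As an added example (not the gist author's code), the following Python derives the flashrom layout from the mtdparts string, computes the slot size for the truncate step, and assembles a full flash image from per-partition files, refusing any image that is larger than its slot instead of silently cutting it off the way `truncate -s` would. It assumes a 16 MiB flash (the W25Q128 named above) and uses the mtdparts names, so region names differ slightly from the gist's layout.txt (boot instead of u-boot, usr instead of user); the partition contents in the usage are constructed placeholders.

```python
"""Derive the flashrom layout from the NVR's mtdparts string, check that each
partition image fits its slot, and assemble a full flash image by padding each
part to its slot size. Added example, not the gist author's code. Assumes a
16 MiB SPI flash (W25Q128) and the mtdparts string shown in the gist."""
import re

FLASH_SIZE = 16 * 1024 * 1024  # W25Q128: 128 Mbit = 16 MiB
ERASED = 0xFF                  # erased NOR flash reads as 0xFF
MTDPARTS = ("mtdparts=hi_sfc:320K(boot),3968K(romfs),7040K(usr),"
            "1600K(web),2816K(custom),128K(logo),512K(mtd)")
UNITS = {"K": 1024, "M": 1024 * 1024, "": 1}


def parse_mtdparts(spec):
    """Return [(name, offset, size)] from a Linux mtdparts= string.
    Partitions are laid out back to back starting at offset 0."""
    _, _, parts = spec.partition(":")
    layout, offset = [], 0
    for item in parts.split(","):
        m = re.fullmatch(r"(\d+)([KM]?)\((\w+)\)", item.strip())
        if not m:
            raise ValueError(f"bad mtdparts entry: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2)]
        layout.append((m.group(3), offset, size))
        offset += size
    return layout


def flashrom_layout(layout, prefix="mtdblock"):
    """Render the layout in flashrom's 'start:end name' format, naming the
    regions mtdblockN-<name> like the gist's layout.txt."""
    return "\n".join(f"{off:08x}:{off + size - 1:08x} {prefix}{i}-{name}"
                     for i, (name, off, size) in enumerate(layout))


def slot_size(layout, name):
    """Size in bytes of the named partition (the value for truncate -s)."""
    return next(size for n, _, size in layout if n == name)


def assemble(layout, images):
    """Concatenate partition images in flash order, padding each to its slot
    with 0xFF. Raises instead of truncating an image that is too large."""
    out = bytearray()
    for name, off, size in layout:
        data = images.get(name, b"")
        if len(data) > size:
            raise ValueError(f"{name}: image is {len(data)} bytes, slot is {size}")
        assert len(out) == off  # partitions are contiguous
        out += data + bytes([ERASED]) * (size - len(data))
    if len(out) != FLASH_SIZE:
        raise ValueError(f"layout covers {len(out)} bytes, flash is {FLASH_SIZE}")
    return bytes(out)


if __name__ == "__main__":
    layout = parse_mtdparts(MTDPARTS)
    print(flashrom_layout(layout))
    print("truncate -s", slot_size(layout, "custom"), "mtdblock4-custom-mod.bin")
    # constructed placeholder content standing in for the partition dumps
    image = assemble(layout, {"custom": b"hsqs" + bytes(100)})
    print(len(image), "bytes assembled")
```

Padding with 0xFF rather than the zero bytes that `truncate -s` appends matches the erased state of NOR flash, so the unused tail of the partition is left as flashrom would find it after an erase.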

DrJaymz commented Feb 5, 2021

This is good stuff. I have one of these and it works well. I just cannot find anyone who speaks English to ask the question. No matter which firmware version I load, it does not retain username and passwords for cameras. Is that normal? If not that's a major issue.

I wondered if it's to do with where the settings are held.

@orangecms (Author)

Hey there and sorry, I haven't looked into the firmware's behavior in those regards. That would be part of the application logic. Maybe it isn't saved, maybe the firmware has some bugs. The app is closed source, so it's harder to investigate. My goal was to get some custom code running instead.


DrJaymz commented Feb 5, 2021

Thanks for the response. I think I figured it out by trial and error. I had a password for one of the cameras that contained a quote ["]. This seems to trip it up and they are failing to escape the password field correctly. That's surprising because the firmware has been updated many times over the past few years that no one has found that issue.


SporadicThought commented Feb 21, 2021

> Thanks for the response. I think I figured it out by trial and error. I had a password for one of the cameras that contained a quote ["]. This seems to trip it up and they are failing to escape the password field correctly. That's surprising because the firmware has been updated many times over the past few years that no one has found that issue.

I can confirm that using certain special characters in passwords on these FW can render the user inaccessible.
I have a 3536D v198 board from Heimvision (HM241). Tech support says not to use any special characters in passwords.

[screenshot attached to the comment: Screenshot_20210221-054928]

I first noticed the issue on day 1 of using the product.
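The two comments above describe the same failure mode: a password containing a double quote (or other special characters) makes the stored credential unusable because the value is not escaped when written into the configuration. As an added example (not from the gist or the vendor firmware), the following Python contrasts building a credential record by pasting the raw string into a JSON-style record with building it through a JSON encoder, and checks whether the stored record still round-trips to the original credentials. The record shape is constructed for the demonstration; the NVR's actual credential store format is not known from this page.

```python
"""Contrast an unescaped credential record with a properly serialized one and
check whether each round-trips. Added example; the record shape is a
constructed stand-in, not the NVR's real configuration format."""
import json


def naive_record(user, password):
    """Build the record by pasting raw strings into a template (the bug pattern)."""
    return '{"User": "%s", "Password": "%s"}' % (user, password)


def escaped_record(user, password):
    """Build the same record through the JSON encoder, which escapes quotes
    and backslashes in the value."""
    return json.dumps({"User": user, "Password": password})


def round_trips(record, user, password):
    """True if the stored record parses and yields the credentials unchanged."""
    try:
        obj = json.loads(record)
    except json.JSONDecodeError:
        return False
    return obj.get("User") == user and obj.get("Password") == password


if __name__ == "__main__":
    # constructed sample passwords covering the characters that break the template
    for pw in ("plainpass", 'with"quote', "back\\slash", "trailing\\"):
        naive = round_trips(naive_record("admin", pw), "admin", pw)
        escaped = round_trips(escaped_record("admin", pw), "admin", pw)
        print(f"{pw!r:16} naive={naive!s:5} escaped={escaped}")
```

The template version only fails for inputs that happen to contain JSON metacharacters, which is why such a defect can survive many firmware releases: every password without a quote or backslash stores and reads back correctly.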

@SporadicThought

@orangecms
Thank you for putting this together.


orangecms commented Feb 21, 2021

You're welcome and thanks a lot for sharing!

There is a project to get open firmware on IP cameras: https://github.com/openipc
And a similar one, seems dead by now:
https://github.com/OpenHisiIpCam

For NVR systems, there are some projects:
https://zoneminder.com/
https://www.openeye.net/products

I have seen something based on OpenWrt for the HiSilicon based NVRs on GitHub, don't recall right now.
This one is also interesting: https://github.com/lishaoliang/opendvr

If you are interested, I will give a talk on this and related work at FOSSASIA Summit: https://eventyay.com/e/fa96ae2c/session/6721
