
I have a Hikvision IP camera that I am doing security research on. (Model DFI6257E, which appears to be a Taiwan-exclusive model.)

After dumping the firmware from flash and analyzing it with binwalk, I found it hard to understand how it works. It almost seems like they are trying to hide something.

Dumped firmware: https://drive.google.com/file/d/1x9JiVbnZo4zNNnX8V8JS1MGsK4wmHFM6/view?usp=sharing

Here is the binwalk output:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
36392         0x8E28          LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: -1 bytes
10092544      0x9A0000        JFFS2 filesystem, little endian
16318544      0xF90050        Zlib compressed data, compressed
16318764      0xF9012C        Zlib compressed data, compressed
16319000      0xF90218        Zlib compressed data, compressed
16319136      0xF902A0        Zlib compressed data, compressed
16319592      0xF90468        Zlib compressed data, compressed
16320424      0xF907A8        Zlib compressed data, compressed
16320864      0xF90960        Zlib compressed data, compressed
16321796      0xF90D04        Zlib compressed data, compressed
16322380      0xF90F4C        Zlib compressed data, compressed
16322560      0xF91000        Zlib compressed data, compressed
16323100      0xF9121C        Zlib compressed data, compressed
16324028      0xF915BC        Zlib compressed data, compressed
16324556      0xF917CC        Zlib compressed data, compressed
16325336      0xF91AD8        Zlib compressed data, compressed
16326072      0xF91DB8        JFFS2 filesystem, little endian
16326276      0xF91E84        Zlib compressed data, compressed
16327348      0xF922B4        JFFS2 filesystem, little endian
16328220      0xF9261C        Zlib compressed data, compressed
16328684      0xF927EC        JFFS2 filesystem, little endian
16329344      0xF92A80        Zlib compressed data, compressed
16329840      0xF92C70        JFFS2 filesystem, little endian
16330528      0xF92F20        Zlib compressed data, compressed
16330992      0xF930F0        JFFS2 filesystem, little endian
16331632      0xF93370        Zlib compressed data, compressed
16332212      0xF935B4        JFFS2 filesystem, little endian
16332416      0xF93680        Zlib compressed data, compressed
16332680      0xF93788        JFFS2 filesystem, little endian
16333240      0xF939B8        Zlib compressed data, compressed
16333528      0xF93AD8        JFFS2 filesystem, little endian
16334148      0xF93D44        Zlib compressed data, compressed
16334188      0xF93D6C        JFFS2 filesystem, little endian
16334896      0xF94030        Zlib compressed data, compressed
16335076      0xF940E4        Zlib compressed data, compressed
16335412      0xF94234        Zlib compressed data, compressed
16335520      0xF942A0        Zlib compressed data, compressed
16335708      0xF9435C        Zlib compressed data, compressed
16335984      0xF94470        Zlib compressed data, compressed
16336320      0xF945C0        Zlib compressed data, compressed
16336888      0xF947F8        Zlib compressed data, compressed
16337540      0xF94A84        Zlib compressed data, compressed
16337852      0xF94BBC        Zlib compressed data, compressed
16338032      0xF94C70        Zlib compressed data, compressed
16338288      0xF94D70        Zlib compressed data, compressed
16339092      0xF95094        Zlib compressed data, compressed
16339748      0xF95324        Zlib compressed data, compressed
16339792      0xF95350        JFFS2 filesystem, little endian

The first thing I noticed is that there is no uboot header / uImage header, which is often seen in other embedded device firmware. The bootloader is located in the decompressed LZMA data at 0x8E28 (learned by comparing what I saw on the UART console with the output of strings 8E28).

But this is not a common U-boot either, because when I analyzed it with binwalk, binwalk failed to detect U-boot.

I really want to know how to handle the data at 0x8E28 so that I can do some RE in IDA or Ghidra and figure out how this device works internally.

The camera's web service is running Angular (another unusual feature in an embedded device), but even after binwalk extraction, no Angular binary was found in the firmware. The web interface password is not stored in ipc_db the way it is in most other Hikvision products.

(The provided firmware file was dumped after I changed the admin password to "HikHiktest", so the entry "admin:12345" in ipc_db is not the entry the web interface is actually checking for authentication.)

There are many other mysterious things going on in this firmware.

My current guess is that decryption is done in uboot and everything else is handled by Huawei LiteOS, which powers this device, but to do further research I first need to extract both of these, and the binaries in use, from the firmware.

Can anyone share how I can achieve this? Any suggestions are appreciated.

Some parts of the console boot log, in case they are useful:

Uncompress..............Ok


System startup


U-Boot 2010.06-396122 (Jun 12 2018 - 14:17:54)

SPI Nor: 16MB
DDR: 64MB
Erasing SPI flash, offset 0x00060000 size 64K ...done
Writing to SPI flash, offset 0x00060000 size 64K ...done
[Uboot] In release mode!
Hit Ctrl+u to stop autoboot:  0
MAC:   68-6D-BC-7D-81-EC
PHY not link.
TFTP server auto connect disabled

booting from sys part...
Load kernel to 0x81ffffc0 ...
Done!
Succeed!
## Booting kernel from Legacy Image at 81ffffc0 ...
   Image Name:   LiteOS-0.1.0-e3
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    5997539 Bytes = 5.7 MiB
   Load Address: 80000000
   Entry Point:  80000000
   Uncompressing Kernel Image ... OK

Starting kernel ...

********hello Huawei LiteOS ARM926********

version : Huawei LiteOS V200R001C10B039
open-version : Huawei LiteOS 1.4.11
build data : Dec 11 2018 10:44:09

**********************************
osAppInit
uart init ...
spi bus init ...
dmac init
i2c bus init ...
random dev init ...
hw random dev init ...
mem dev init ...
porc fs init ...
Mount procfs finished.
Mount ramfs finished.
cxx init ...
spi nor flash init ...
Spi Nor ID:0xC8 0x40 0x18 0xC8 0x40 0x18 0xC8 0x40
Spi Nor Flash Info:
Name:"GD25Q128" Size:16MB Block:64KB
gpio init ...
base module init success.
RS485_CTRL         MUXCTRL(37)  FCN0  GPIO3_0   OUTPUT   LOW_LEVEL
RS485_RXD          MUXCTRL(36)  FCN1  NO_GPIO
RS485_TXD          MUXCTRL(34)  FCN1  NO_GPIO
UART2_RXD          MUXCTRL(49)  FCN2  NO_GPIO
UART2_TXD          MUXCTRL(50)  FCN2  NO_GPIO
SENSOR_RST         MUXCTRL(14)  FCN1  NO_GPIO
SENSOR_CLK         MUXCTRL(15)  FCN1  NO_GPIO
PHY_RST            MUXCTRL(48)  FCN1  NO_GPIO
I2C0_SDA           MUXCTRL(11)  FCN3  NO_GPIO
I2C0_SCL           MUXCTRL(12)  FCN3  NO_GPIO
I2C1_SDA           MUXCTRL(8 )  FCN1  NO_GPIO
I2C1_SCL           MUXCTRL(9 )  FCN1  NO_GPIO
SPI0_CSN           MUXCTRL(13)  FCN1  NO_GPIO
SPI1_SCLK          MUXCTRL(53)  FCN1  NO_GPIO
SPI1_MOSI          MUXCTRL(51)  FCN1  NO_GPIO
SPI1_MISO          MUXCTRL(53)  FCN1  NO_GPIO
SPI1_CSN0          MUXCTRL(57)  FCN1  GPIO7_3   OUTPUT   HIGH_LEVEL
SPI1_CSN1          MUXCTRL(58)  FCN1  GPIO7_4   OUTPUT   HIGH_LEVEL
ALARM_OUT1         MUXCTRL(62)  FCN0  GPIO0_1   OUTPUT   LOW_LEVEL
ALARM_IN2          MUXCTRL(61)  FCN0  GPIO0_0   INPUT    LOW_LEVEL
ALARM_OUT2         MUXCTRL(22)  FCN0  GPIO1_6   OUTPUT   LOW_LEVEL
IRCUT_1            MUXCTRL(7 )  FCN0  GPIO6_0   OUTPUT   LOW_LEVEL
IRCUT_2            MUXCTRL(6 )  FCN0  GPIO6_1   OUTPUT   LOW_LEVEL
IRCUT/ZOOM_FB      MUXCTRL(55)  FCN1  GPIO7_1   INPUT    LOW_LEVEL
ABF/FOCUS_FB       MUXCTRL(56)  FCN1  GPIO7_2   INPUT    LOW_LEVEL
MFOCUS             MUXCTRL(60)  FCN1  GPIO7_6   INPUT    LOW_LEVEL
IRIS_SET           MUXCTRL(35)  FCN0  GPIO3_2   OUTPUT   LOW_LEVEL
IRIS_PWM           MUXCTRL(3 )  FCN1  NO_GPIO
FAR_IR_PWM         MUXCTRL(1 )  FCN1  NO_GPIO
NEAR_IR_PWM        MUXCTRL(2 )  FCN1  NO_GPIO
PHOTO_FB           MUXCTRL(63)  FCN1  NO_GPIO
PIR/TEMP_IN        MUXCTRL(64)  FCN1  NO_GPIO
USB_PWREN          MUXCTRL(25)  FCN1  NO_GPIO
WORK_LED           MUXCTRL(21)  FCN0  GPIO1_5   OUTPUT   LOW_LEVEL
START_LED          MUXCTRL(16)  FCN0  GPIO1_0   OUTPUT   LOW_LEVEL
ETHERNET_LED       MUXCTRL(18)  FCN0  GPIO1_2   OUTPUT   LOW_LEVEL
BCMDHD_OOB         MUXCTRL(65)  FCN0  GPIO8_2   INPUT    LOW_LEVEL
MRESET             MUXCTRL(59)  FCN1  GPIO7_5   INPUT    LOW_LEVEL
<6>Successfully insmod exact_timer module!
hik_core module init success.
enter pwm init
<6>init hikio.
watchdog_init success.
rtc init success
tcpip init ...

Calling lwIPRegSecSspCbk
net init ...
enter hisi_eth_init!

hisi_eth init begin.
hisi_eth: User did not set phy mode, use default=rmii
hisi_eth: User did not set phy addr, auto scan...
Detected phy addr 3, phyid: 0x1cc816
s
# g_sys_mem_addr_end=0x81f00000,
done init!
Date:Dec 18 2018.
Time:12:51:58.
osal_proc_mkdir - parent is NULL! proc=0x8109a860
mem_start=0x80000000, MEM_OS_SIZE=31M, MEM_USB_SIZE=0M, mmz_start=0x81f00000, mmz_size=33M
mmz param= anonymous,0,0x81f00000,26556K:ddr0,0,0x838ef000,7236K
<6>Hisilicon Media Memory Zone Manager
load sys.ko...OK!
load region.ko...OK!
load vgs.ko...OK!
load viu.ko...OK!
ISP Mod init!
load vpss.ko...OK!
load rc.ko ...OK!
ModuleParam: VencMaxChnNum(0) is illegal,should be [1, 16]
load venc.ko ...OK!
load chnl.ko...OK!
load vedu.ko ...OK!
ModuleParam: check H264eVBSource(0) illegal
load h264e.ko ...OK!
ModuleParam: H265eVBSource(0) is illegal,should be [1, 2]
load h265e.ko ...OK!
load jpege.ko ...OK!
sensor dev init OK.
load pwm.ko OK!
load hi_mipi driver successful!
Load hi_cipher.ko success.
load aio.ko ...OK!
load ai.ko OK!
load ao.ko OK!
load aenc.ko OK!
load adec.ko OK!
load acodec.ko...OK!
load ive.ko...OK!
SDK init ok...
Load power ok.
power on.
Unload power success.
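A starting point for the question about the data at 0x8E28, added here as an example and not code from the original post: binwalk's "LZMA compressed data ... uncompressed size: -1" describes a legacy LZMA_ALONE stream of unknown length, so the decompressor has to run until the end-of-payload marker and hand back whatever flash content follows it. The offset, properties byte 0x5D, 16 MiB dictionary and U-Boot banner are taken from the question; the flash image itself is constructed so the script runs offline.

```python
"""Carve and inflate an LZMA_ALONE stream at a binwalk-reported offset."""
import lzma
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF   # "uncompressed size: -1" in binwalk output

def parse_alone_header(blob: bytes, offset: int) -> dict:
    """Decode the 13-byte LZMA_ALONE header: props, dict size, payload size."""
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, offset)
    pb, rem = divmod(props, 45)          # props = (pb*5 + lp)*9 + lc
    lp, lc = divmod(rem, 9)              # 0x5D -> lc=3, lp=0, pb=2
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == UNKNOWN_SIZE else usize}

def carve_lzma(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Inflate the stream at `offset`; return (payload, compressed length)."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    out = dec.decompress(blob[offset:])  # reads up to the end-of-payload marker
    if not dec.eof:
        raise ValueError("no end marker: truncated input or not LZMA_ALONE")
    # Bytes after the marker belong to whatever follows in flash, not to us.
    return out, len(blob) - offset - len(dec.unused_data)

def looks_like_uboot(payload: bytes) -> bool:
    """Sanity check against the banner printed on the UART console."""
    return b"U-Boot 20" in payload

def build_sample_flash(offset: int) -> bytes:
    """Constructed stand-in for the dump: filler, LZMA_ALONE stream, filler."""
    fake_loader = (b"\x00" * 512
                   + b"U-Boot 2010.06-396122 (Jun 12 2018 - 14:17:54)\x00"
                   + b"Hit Ctrl+u to stop autoboot\x00" + b"\xff" * 1024)
    # liblzma's ALONE encoder always writes an unknown size plus an end marker,
    # matching what binwalk reported for the real image.
    stream = lzma.compress(fake_loader, format=lzma.FORMAT_ALONE,
                           filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 16 << 20}])
    return b"\xff" * offset + stream + b"\xff" * 4096

if __name__ == "__main__":
    flash = build_sample_flash(0x8E28)
    print(parse_alone_header(flash, 0x8E28))
    data, clen = carve_lzma(flash, 0x8E28)
    print(f"{len(data)} bytes inflated from {clen} compressed; "
          f"U-Boot banner present: {looks_like_uboot(data)}")
```

On the real dump, pass the image bytes and 0x8E28 to carve_lzma and write the payload to a file; the result is a raw ARM image with no header, so the load address for IDA or Ghidra has to come from the console log or from the reset vector code itself rather than from metadata.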