Author Topic: Hikvision DS-2TP31 series Thermal Camera Teardown  (Read 19227 times)


Online pixar

  • Newbie
  • Posts: 4
  • Country: de
Re: Hikvision DS-2TP31 series Thermal Camera Teardown
« Reply #50 on: July 09, 2024, 12:51:43 pm »
Hi guys,

good news! I managed to jailbreak the device! It was quite a journey - fun & tears - and also the first jailbreak for me. I learned a lot! If you are interested, I can provide a small tutorial on which steps I went through. Also thanks to the great tools out there that make it a bit easier, such as Ghidra, Unicorn (Qiling / QEMU), binwalk & depthcharge.

What can you do with the jailbreak?
  • Enable the larger temperature range by loading the config of the DS-2TP31-3AUF camera (-30...150 degrees Celsius)
  • Enter debug menu with any password
  • Access all data in a decrypted state from the RAM and/or filesystem (RAM: using my tool; filesystem: using cp to copy files to the SD card)
What main findings did you have?
  • The U-Boot bootloader has a custom function to decrypt the OS from the flash memory and load it into the RAM (loadk)
  • The OS is based on Huawei LiteOS - you cannot find too much documentation online and tools like binwalk have poor support
  • The OS is basically a copy from other IP cameras of HIKVision, there is a lot of unused stuff regarding all the IP camera features
  • The firmware probably is very similar to other thermal cameras (see below), as there are config functions present as well. When loading config functions of other cameras you will get a slightly different interface and menus, such as a menu enabling the laser pointer, which this camera does not have - or setting a larger temperature range
  • Many settings are stored in a SQLite database -> again with many tables related to IP cameras (potentially my jailbreak can be used to hack other cameras as well...)
How does the jailbreak work?

Easy! You need a UART to USB converter or similar and run the attached python script. Note that the jailbreak ONLY works with the latest firmware V5.4.38build200922 (as the addresses are hard-coded for that specific firmware). If you want to use it for other devices or other firmware you would need to adapt it.

Will the jailbreak be permanent?

No and yes. The jailbreak itself does not modify the flash storage and only modifies the volatile RAM. So you would need to apply it at every reboot. However, some settings will be retained, even if the config of the original device is loaded again. I.e. when applying the jailbreak, you will have access to the menu of the DS-2TP31-3AUF and are able to set the temperature range. After rebooting, you will have the original menu again, but luckily the temperature range will remain. It is possible to retain the jailbreak in the flash, however this would require additional development effort.

Can I remove all the traces of the jailbreak?

Yes. Just reboot the device and reset the device.

Is it safe?

Yes. The jailbreak does not write anything permanent in the flash storage. You can abort/reboot any time.

What configs can you load?

The jailbreak currently is hardcoded for the DS-2TP31-3AUF camera, however, those additional configs are present on the device:
Code:
00A41400 DS-2TP31-3AUF
00A41401 DS-2TPH10-3AUF
00A41402 DS-2TP31B-3AUF
00A41403 DS-2TPH10B-3AUF
00A41404 TB-3117M-3/U
00A41405 TBC-3117-3/U
00A41406 TB-3117-3/U
00A41407 TB-3117A-3/U
00A41408 DS-2GP13
00A42A00 HM-TP31-3AUF
00A42A01 HM-TPH10-3AUF
00A42A02 HM-TP31B-3AUF
00A42A03 TBC-3117-3 (HM-TBC3117-3/U)
00A42A04 HM-TB3117A-3/U
00A42A05 HM-TPH10B-3AUF
00A42A06 HM-TB3117-3/U
00A42A07 TB-3117M-3 (HM-TB3117M-3/U)
00A42A08 HM-TP31-3AUF-E1L

What other material/info could you provide?
  • Tool to download the content of the RAM (after the decryption of the main OS)
  • Dumps of the flash storage and/or RAM
  • Tool to download the content of the flash storage supporting SpiStack (but the second die is empty)
  • Annotated Ghidra project, including the naming of the relevant functions
  • Tutorial how to write your own jailbreak, debug the bootloader and OS and simulate functions of the firmware or the jailbreak using Qiling.
What does the output of the jailbreak look like?

Code:
(c) 2024 by pixar
Jailbreak IR Camera from HIKVision. Only use with V5.4.38build200922 firmware as patch addresses are hardcoded! No harm can be done, as all writes are in volatile RAM (Jailbreak needs to be repeated after every reboot.)
Please press the ON button on the camera now...
System startup
U-Boot 2010.06-788427 (Mar 27 2020 - 11:37:08)
SPI Nor:"W25M512JV", Block:64KB, Chip:64MB
Hit Ctrl+u to stop autoboot:  0
Going into the console...
booting from pri part...
Load kernel to 0x81800000 ... Done!
Net:   USB:   scanning bus for devices...
1 USB Device(s) found
No asix device found!
Initializ AX88772B usb-net device failed !
asix usb net initialize err.
No ethernet found.
HKVS #
HKVS # loady 0x80e34330

## Ready for binary (ymodem) download to 0x80E34330 at 115200 bps...

C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries

## Total Size      = 0x00000004 = 4 Bytes

HKVS #
loadk
booting from pri part...
Load kernel to 0x81800000 ... Done!
## Booting kernel from Legacy Image at 81800000 ...
   Image Name:   LiteOS-0.1.0-e2

   Image Type:   ARM Linux Kernel Image (lzma compressed)

   Data Size:    5017040 Bytes = 4.8 MiB

   Load Address: 80008000

   Entry Point:  80008000

   Uncompressing Kernel Image ... OK

HKVS # loady 0x8045ddbc

## Ready for binary (ymodem) download to 0x8045DDBC at 115200 bps...

C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries

## Total Size      = 0x00000004 = 4 Bytes

HKVS #
loady 0x80097514

## Ready for binary (ymodem) download to 0x80097514 at 115200 bps...

C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries

## Total Size      = 0x00000004 = 4 Bytes

HKVS #
go 0x80008000
## Starting application at 0x80008000 ...
wait sensor level init!
debugMAC ioctl error!
CQAAAAAAAAAAAF66nxg=
Password: [DSP][TM][ERR][4370][IFR_TM.c][TSK_TMProcess]line:9965  wait sensor level init!
[DSP][TM][ERR][4394][IFR_TM.c][TSK_TMProcess]line:9965  wait sensor abc
level init!

Enter Debug Mode.
Enter 'help' for a list of built-in commands.
# [DSP][TM][ERR][4424][IFR_TM.c][TSK_TMProcess]line:9965  wait sensor level init!
Jailbreak done. Use send_command("<cmd>") or any UART console to communicate with the device
help
*******************shell commands:*************************
arp           call          cat           cat_logmpp    cd            cp            cpup          dns
dspDebug      dspStatus     excInfo       findsym       format        free          getBattery    getDebug
help          hiddrs        himd          himm          hwi           i2c_read      i2c_write     ifconfig
lddrop        ls            mclose        memcheck      mkdir         mopen         mount         nand_bad
netstat       ntpdate       part          partinfo      partition     ping          prtHardInfo   pwd
readreg       reboot        rm            rmdir         sem           setDebug      setGateway    setIp
setMessageBox  setTempBack   setTempSens   ssp_read      ssp_read      ssp_write     statfs        swtmr
sync          systeminfo    task          telnet        tftp          touch         uart_close    uart_config
uart_read     uart_write    umount        uname         unit_test     writeproc     writereg
# [DSP][TM][ERR][4531][IFR_TM.c][TSK_TMProcess]line:9965  wait sensor level init!

Attached you find some photos of my setup, as well as the jailbreak script.
Greetings
Pixar
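The capture above shows the whole pattern from the bootloader's side: autoboot interrupted, a few 4-byte ymodem writes into RAM while the kernel is unpacked, then a manual `go`. For anyone on the defending side (an integrator checking returned units, or a firmware team reviewing serial-console captures), that pattern is detectable from the log alone. The script below is an added example written for this thread, not pixar's attached jailbreak script and not Hikvision code. It parses a constructed console capture trimmed from the output quoted above, tracks the boot phase, and reports small writes that land after the kernel image was uncompressed. The regexes, the `MemWrite`/`CaptureReport` names and the 64-byte "inline patch" threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample capture, trimmed from the kind of UART log shown in the post.
SAMPLE_CAPTURE = """\
U-Boot 2010.06-788427 (Mar 27 2020 - 11:37:08)
Hit Ctrl+u to stop autoboot:  0
Going into the console...
booting from pri part...
Load kernel to 0x81800000 ... Done!
HKVS # loady 0x80e34330
## Ready for binary (ymodem) download to 0x80E34330 at 115200 bps...
## Total Size      = 0x00000004 = 4 Bytes
HKVS # loadk
booting from pri part...
Load kernel to 0x81800000 ... Done!
## Booting kernel from Legacy Image at 81800000 ...
   Load Address: 80008000
   Uncompressing Kernel Image ... OK
HKVS # loady 0x8045ddbc
## Ready for binary (ymodem) download to 0x8045DDBC at 115200 bps...
## Total Size      = 0x00000004 = 4 Bytes
HKVS # loady 0x80097514
## Ready for binary (ymodem) download to 0x80097514 at 115200 bps...
## Total Size      = 0x00000004 = 4 Bytes
HKVS # go 0x80008000
## Starting application at 0x80008000 ...
"""

# Assumed line shapes: the command may be echoed after the prompt or on its own line.
CMD_RE = re.compile(r"^(?:HKVS #\s*)?(loady|loadk|go)(?:\s+(0x[0-9a-fA-F]+))?\s*$")
SIZE_RE = re.compile(r"^## Total Size\s*=\s*0x([0-9a-fA-F]+)")
LOADADDR_RE = re.compile(r"^\s*Load Address:\s*([0-9a-fA-F]+)")
INLINE_PATCH_MAX = 64  # assumption: writes this small after unpack look like patches, not images


@dataclass
class MemWrite:
    addr: int
    size: int
    after_unpack: bool  # True if the kernel image had already been uncompressed


@dataclass
class CaptureReport:
    console_entered: bool = False
    kernel_load_addr: Optional[int] = None
    writes: List[MemWrite] = field(default_factory=list)
    manual_start: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def analyse_capture(text: str) -> CaptureReport:
    """Walk a serial capture line by line and record console activity around the boot."""
    rep = CaptureReport()
    unpacked = False
    pending_addr: Optional[int] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Going into the console"):
            rep.console_entered = True
            continue
        m = LOADADDR_RE.match(line)
        if m:
            rep.kernel_load_addr = int(m.group(1), 16)
            continue
        if line.strip().startswith("Uncompressing Kernel Image") and line.endswith("OK"):
            unpacked = True
            continue
        m = CMD_RE.match(line)
        if m:
            cmd, arg = m.group(1), m.group(2)
            if cmd == "loady" and arg:
                pending_addr = int(arg, 16)  # size is only known once the transfer ends
            elif cmd == "go" and arg:
                rep.manual_start = int(arg, 16)
            continue
        m = SIZE_RE.match(line)
        if m and pending_addr is not None:
            rep.writes.append(MemWrite(pending_addr, int(m.group(1), 16), unpacked))
            pending_addr = None

    if rep.console_entered:
        rep.findings.append("autoboot interrupted; bootloader console reached")
    for w in rep.writes:
        if w.after_unpack and w.size <= INLINE_PATCH_MAX:
            rep.findings.append(
                f"{w.size}-byte write to 0x{w.addr:08X} after kernel unpack (inline patch)")
    if rep.manual_start is not None and rep.writes:
        rep.findings.append(
            f"manual 'go 0x{rep.manual_start:08X}' after {len(rep.writes)} console write(s)")
    return rep


if __name__ == "__main__":
    for finding in analyse_capture(SAMPLE_CAPTURE).findings:
        print(finding)
```

Run on a clean boot the report is empty; on the capture above it lists the console entry, the two post-unpack writes and the manual start. Because the tamper leaves no trace in flash (as pixar notes), the serial console capture and, where the hardware supports it, a locked or fused bootloader console are the only places a defender can see this happen.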
 

Offline Fraser (Topic starter)

  • Super Contributor
  • ***
  • Posts: 13263
  • Country: gb
Re: Hikvision DS-2TP31 series Thermal Camera Teardown
« Reply #51 on: July 09, 2024, 04:07:06 pm »
Excellent work. Thank you for your efforts on this camera. The encryption of the firmware in the flash memory is a real pain. Such a pity that the firmware update packages cannot easily be decrypted for editing before installation. As you will know, that is the approach used for Hikvision IP CCTV camera firmware modifications. I had hoped that the decryption utilities for CCTV camera update packages might work on these cameras as well, but sadly that is not the case. Your Jailbreak is a step in the right direction and the fact that it opens up the temperature range (at least until a camera reset) is very useful  :-+

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Online pixar

  • Newbie
  • Posts: 4
  • Country: de
Re: Hikvision DS-2TP31 series Thermal Camera Teardown
« Reply #52 on: July 09, 2024, 05:29:34 pm »
Thank you! I haven't really looked into the update/decryption process. Basically my approach is that I wait for the decryption to finish and then patch/modify the necessary components. However, I just checked and it should be possible to analyse the update process more deeply using the decrypted RAM dump. There are many references, including the language/region lock ("digicap.dav language is English"), "parse the digicap.dav file failed", etc.

Unfortunately my time is currently limited to analyse this further, but for anyone interested in looking into the decryption process/update process one approach could be to simulate those functions with Qiling in a controlled environment. That way you can follow how the digicap.dav file gets read, parsed and stored in the flash storage.
 

Offline Hydron

  • Super Contributor
  • ***
  • Posts: 1016
  • Country: gb
Re: Hikvision DS-2TP31 series Thermal Camera Teardown
« Reply #53 on: Today at 04:53:47 pm »
ooh fantastic - the ability to expand the measurement range will be extremely useful, and makes this a super bargain (paid well under a hundred quid). Thanks for doing the work!
 

