Hi guys,
good news! I managed to jailbreak the device! It was quite a journey - fun & tears - and also the first jailbreak for me. I learned a lot! If you are interested, I can provide a small tutorial on which steps I went through. Also thanks to the great tools out there that make it a bit easier, such as Ghidra, Unicorn (Qiling / QEMU), binwalk & depthcharge.
What can you do with the jailbreak?
- Enable the larger temperature range by loading the config of the DS-2TP31-3AUF camera (-30...150 degrees Celsius)
- Enter debug menu with any password
- Access all data in a decrypted state from the RAM and/or filesystem (RAM: using my tool; filesystem: using cp to copy files to the SD card)
What main findings did you have?
- The U-Boot bootloader has a custom function to decrypt the OS from the flash memory and load it into the RAM (loadk)
- The OS is based on Huawei LiteOS - you cannot find too much documentation online and tools like binwalk have poor support
- The OS is basically a copy from other IP cameras of HIKVision, there is a lot of unused stuff regarding all the IP camera features
- The firmware probably is very similar to other thermal cameras (see below), as there are config functions present as well. When loading config functions of other cameras you will get a slightly different interface and menus, such as a menu enabling the laserpointer, which this camera does not have - or setting a larger temperature range
- Many settings are stored in a SQLite database -> again with many tables related to IP cameras (potentially my jailbreak can be used to hack other cameras as well...)
How does the jailbreak work?
Easy! You need a UART to USB converter or similar and run the attached python script. Note that the jailbreak ONLY works with the latest firmware V5.4.38build200922 (as the addresses are hard-coded for that specific firmware). If you want to use it for other devices or other firmware you would need to adapt it.
Will the jailbreak be permanent?
No and yes. The jailbreak itself does not modify the flash storage and only modifies the volatile RAM. So you would need to apply it at every reboot. However, some settings will be retained, even if the config of the original device is loaded again. I.e. when applying the jailbreak, you will have access to the menu of the DS-2TP31-3AUF and are able to set the temperature range. After rebooting, you will have the original menu again, but luckily the temperature range will remain. It is possible to retain the jailbreak in the flash, however this would require additional development effort.
Can I remove all the traces of the jailbreak?
Yes. Just reboot the device and reset the device.
Is it safe?
Yes. The jailbreak does not write anything permanent in the flash storage. You can abort/reboot any time.
What configs can you load?
The jailbreak currently is hardcoded for the DS-2TP31-3AUF camera, however, those additional configs are present on the device:
00A41400 DS-2TP31-3AUF
00A41401 DS-2TPH10-3AUF
00A41402 DS-2TP31B-3AUF
00A41403 DS-2TPH10B-3AUF
00A41404 TB-3117M-3/U
00A41405 TBC-3117-3/U
00A41406 TB-3117-3/U
00A41407 TB-3117A-3/U
00A41408 DS-2GP13
00A42A00 HM-TP31-3AUF
00A42A01 HM-TPH10-3AUF
00A42A02 HM-TP31B-3AUF
00A42A03 TBC-3117-3 (HM-TBC3117-3/U)
00A42A04 HM-TB3117A-3/U
00A42A05 HM-TPH10B-3AUF
00A42A06 HM-TB3117-3/U
00A42A07 TB-3117M-3 (HM-TB3117M-3/U)
00A42A08 HM-TP31-3AUF-E1L
What other material/info could you provide?
- Tool to download the content of the RAM (after the decryption of the main OS)
- Dumps of the flash storage and/or RAM
- Tool to download the content of the flash storage supporting SpiStack (but the second die is empty)
- Annotated Ghidra project, including the naming of the relevant functions
- Tutorial on how to write your own jailbreak, debug the bootloader and OS, and simulate functions of the firmware or the jailbreak using Qiling.
What does the output of the jailbreak look like?
(c) 2024 by pixar
Jailbreak IR Camera from HIKVision. Only use with V5.4.38build200922 firmware as patch addresses are hardcoded! No harm can be done, as all writes are in volatile RAM (Jailbreak needs to be repeated after every reboot.)
Please press the ON button on the camera now...
System startup
U-Boot 2010.06-788427 (Mar 27 2020 - 11:37:08)
SPI Nor:"W25M512JV", Block:64KB, Chip:64MB
Hit Ctrl+u to stop autoboot: 0
Going into the console...
booting from pri part...
Load kernel to 0x81800000 ... Done!
Net: USB: scanning bus for devices...
1 USB Device(s) found
No asix device found!
Initializ AX88772B usb-net device failed !
asix usb net initialize err.
No ethernet found.
HKVS #
HKVS # loady 0x80e34330
## Ready for binary (ymodem) download to 0x80E34330 at 115200 bps...
C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries
## Total Size = 0x00000004 = 4 Bytes
HKVS #
loadk
booting from pri part...
Load kernel to 0x81800000 ... Done!
## Booting kernel from Legacy Image at 81800000 ...
Image Name: LiteOS-0.1.0-e2
Image Type: ARM Linux Kernel Image (lzma compressed)
Data Size: 5017040 Bytes = 4.8 MiB
Load Address: 80008000
Entry Point: 80008000
Uncompressing Kernel Image ... OK
HKVS # loady 0x8045ddbc
## Ready for binary (ymodem) download to 0x8045DDBC at 115200 bps...
C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries
## Total Size = 0x00000004 = 4 Bytes
HKVS #
loady 0x80097514
## Ready for binary (ymodem) download to 0x80097514 at 115200 bps...
C
start to send
[Sender]: <- CRC / G
[Sender]: STX ->
[Sender]: STX ->
[Sender]: Reached EOF
[Sender]: EOT ->
[Sender]: <- ACK
[Sender]: Batch end packet ->
CxyzModem - CRC mode, 0(SOH)/3(STX)/0(CAN) packets, 3 retries
## Total Size = 0x00000004 = 4 Bytes
HKVS #
go 0x80008000
## Starting application at 0x80008000 ...
wait sensor level init!
debugMAC ioctl error!
CQAAAAAAAAAAAF66nxg=
Password: [DSP][TM][ERR][4370][IFR_TM.c][TSK_TMProcess]line:9965 wait sensor level init!
[DSP][TM][ERR][4394][IFR_TM.c][TSK_TMProcess]line:9965 wait sensor abc
level init!
Enter Debug Mode.
Enter 'help' for a list of built-in commands.
# [DSP][TM][ERR][4424][IFR_TM.c][TSK_TMProcess]line:9965 wait sensor level init!
Jailbreak done. Use send_command("<cmd>") or any UART console to communicate with the device
help
*******************shell commands:*************************
arp call cat cat_logmpp cd cp cpup dns
dspDebug dspStatus excInfo findsym format free getBattery getDebug
help hiddrs himd himm hwi i2c_read i2c_write ifconfig
lddrop ls mclose memcheck mkdir mopen mount nand_bad
netstat ntpdate part partinfo partition ping prtHardInfo pwd
readreg reboot rm rmdir sem setDebug setGateway setIp
setMessageBox setTempBack setTempSens ssp_read ssp_read ssp_write statfs swtmr
sync systeminfo task telnet tftp touch uart_close uart_config
uart_read uart_write umount uname unit_test writeproc writereg
# [DSP][TM][ERR][4531][IFR_TM.c][TSK_TMProcess]line:9965 wait sensor level init!
Attached you will find some photos of my setup, as well as the jailbreak script.
Greetings
Pixar