Similar Devices: K8208-W and K9608-2W

[Cthuflu]

I was able to telnet into the (Ohwoai) K8208-W model using the same instructions and credentials from here:
Rooting K9608-2
archive link

It is pretty similar to the other reported models.

# cat /proc/version
Linux version 4.9.37 (root@ubuntu) (gcc version 6.2.1 20161016 (Hisilicon_v510_20170427) ) #2 Fri Sep 7 10:31:00 CST 2018

# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 1685.91
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Hisilicon Hi3536DV100 (Flattened Device Tree)
Revision        : 0000
Serial          : 0000000000000000

However the mtd map seems different.

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "U"
mtd1: 00010000 00010000 "E"
mtd2: 00020000 00010000 "L"
mtd3: 00060000 00010000 "C"
mtd4: 00280000 00010000 "K"
mtd5: 00ca0000 00010000 "R"

I copied the dropbear executable given onto a flash drive and used that to copy block images over ssh.
The firmware is not pure, as I had updated it using an image I found in an attempt to find an image without a flash web interface.

Here are the block images.

[ubis]

Hi,

Interesting, can you also provide mount output? I wonder what partitions are mounted.

It seems that it was built with the same Hisilicon SDK: Hisilicon_v510_20170427.

[Cthuflu]

Sure, here is the mount output. This one runs everything through multiple threads in dvr_app
/dev/sdb is the usb drive, which I remounted /etc onto.

# mount
/dev/root.old on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
tmpfs on /media type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
tmpfs on /var/run type tmpfs (rw,relatime)
tmpfs on /var/lock type tmpfs (rw,relatime)
/dev/sdb1 on /media/usb1 type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/loop0 on /tmp/dvr_resource_dir type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_app/font type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_app/skin type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_app/config type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/font type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/dialog type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/luiengine/skin type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/resource type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/static type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/icon type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/config_ini type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_gui/combobox type squashfs (ro,relatime)
/dev/loop0 on /root/dvr_web/www type squashfs (ro,relatime)
none on /root/rec type tmpfs (rw,relatime)
/dev/sdb1 on /etc type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/sda1 on /root/rec/a1 type ext3 (rw,relatime,nobarrier,data=ordered)
/dev/sda2 on /root/rec/a2 type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

[glsmith86]

Hi all!

I have a K8208-3WS NVR with 3.2.4.0 version firmware. I can't use telnet to gain access to the system with the older method.

Can somebody help me?

[ubis]

Hi @glsmith86, have you tried https://habr.com/en/post/486856/?

If so, I believe there is nothing you can do right now, apart from modifying rootfs and using UART.