ZOSI H265+ Network Video Controller #3

Open
tripLr opened this issue Mar 11, 2021 · 11 comments

tripLr commented Mar 11, 2021

I have an NVR,
I was able to Telnet into it, with root no password
changed password
kernel 4.9.37
busybox is installed

/proc # cat version
Linux version 4.9.37 (root@ubuntu) (gcc version 4.9.4 20150629 (prerelease) (Hisilicon_v500_20180120)

/proc # cat cpuinfo
processor : 0
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 1692.46
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5

Hardware : Hisilicon Hi3536DV100 (Flattened Device Tree)
Revision : 0000
Serial : 0000000000000000

Character devices:
1 mem
4 /dev/vc/0
4 tty
5 /dev/tty
5 /dev/console
5 /dev/ptmx
7 vcs
10 misc
13 input
29 fb
90 mtd
128 ptm
136 pts
180 usb
189 usb_device
204 ttyAMA
218 himedia
252 bsg
253 rtc
254 gpiochip

Block devices:
1 ramdisk
259 blkext
8 sd
11 sr
31 mtdblock
65 sd
66 sd
67 sd
68 sd
69 sd
70 sd
71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd

/proc # cat modules
mt7603u_sta 1616355 1 - Live 0xbf3f3000 (O)
wdt 4724 2 - Live 0xbf3ee000 (O)
mtprealloc 1756 1 mt7603u_sta, Live 0xbf3ea000 (PO)
hi3536dv100_adec 6231 0 - Live 0xbf3e5000 (PO)
hi3536dv100_aenc 50083 0 - Live 0xbf3d4000 (PO)
hi3536dv100_ao 88924 0 - Live 0xbf3b8000 (PO)
hi3536dv100_ai 73299 1 hi3536dv100_aenc, Live 0xbf3a0000 (PO)
hi3536dv100_aio 25672 0 - Live 0xbf394000 (PO)
vc0715 18282 0 - Live 0xbf38c000 (O)
hi_gpio 2421 1 - Live 0xbf388000 (O)
hiboard 1394 1 - Live 0xbf384000 (O)
matsha204 11477 0 - Live 0xbf37e000 (O)
gpioi2c 8429 2 vc0715,matsha204, Live 0xbf378000 (O)
hi3536dv100_jpege 42139 0 - Live 0xbf367000 (PO)
hi3536dv100_chnl 36010 0 - Live 0xbf359000 (PO)
hi3536dv100_venc 446904 1 hi3536dv100_jpege, Live 0xbf2e1000 (PO)
hi3536dv100_hdmi 290903 0 - Live 0xbf287000 (PO)
hifb 77156 5 - Live 0xbf26c000 (PO)
hi3536dv100_vou 298360 0 - Live 0xbf20f000 (PO)
hi3536dv100_vpss 123268 0 - Live 0xbf1e6000 (PO)
hi3536dv100_vgs 166491 0 - Live 0xbf1b2000 (PO)
hi3536dv100_tde 98736 0 - Live 0xbf192000 (PO)
hi3536dv100_jpegd 4519 0 - Live 0xbf18d000 (PO)
hi3536dv100_vfmw 1059563 0 - Live 0xbf078000 (PO)
hi3536dv100_vdec 166634 0 - Live 0xbf047000 (PO)
hi3536dv100_sys 53927 3 hi3536dv100_aenc,hi3536dv100_aio,hi3536dv100_venc, Live 0xbf033000 (PO)
hi3536dv100_base 47318 17 hi3536dv100_adec,hi3536dv100_aenc,hi3536dv100_ao,hi3536dv100_ai,hi3536dv100_aio,hi3536dv100_jpege,hi3536dv100_chnl,hi3536dv100_venc,hi3536dv100_hdmi,hifb,hi3536dv100_vou,hi3536dv100_vpss,hi3536dv100_vgs,hi3536dv100_tde,hi3536dv100_vfmw,hi3536dv100_vdec,hi3536dv100_sys, Live 0xbf021000 (PO)
hi_osal 60174 103 hi3536dv100_adec,hi3536dv100_aenc,hi3536dv100_ao,hi3536dv100_ai,hi3536dv100_aio,hi3536dv100_jpege,hi3536dv100_chnl,hi3536dv100_venc,hi3536dv100_hdmi,hifb,hi3536dv100_vou,hi3536dv100_vpss,hi3536dv100_vgs,hi3536dv100_tde,hi3536dv100_jpegd,hi3536dv100_vfmw,hi3536dv100_vdec,hi3536dv100_sys,hi3536dv100_base, Live 0xbf004000 (O)
sys_config 2841 0 - Live 0xbf000000 (O)

/proc # ls
1 1056 211 2307 328 461 469 520 603 cgroups diskstats ioports loadavg net stat uptime
1015 1111 212 2309 329 462 470 523 617 cmdline driver irq locks pagetypeinfo swaps version
1022 1119 214 2310 337 463 471 533 7 consoles execdomains kallsyms media-mem partitions sys vmallocinfo
1023 1120 215 2318 400 464 472 538 8 cpu fb key-users meminfo private sysvipc vmstat
1024 1121 216 2325 457 465 5 543 871 cpuinfo filesystems keys misc scsi thread-self zoneinfo
1028 1137 218 2332 458 466 5028 548 9 crypto fs kmsg modules self timer_list
1035 2 224 245 459 467 5031 566 buddyinfo device-tree interrupts kpagecount mounts slabinfo tty
1055 2087 2304 3 460 468 519 583 bus devices iomem kpageflags mtd softirqs umap

Author

tripLr commented Mar 11, 2021

Anything else I can do for you all?

Owner

ubis commented Mar 11, 2021

Hi, @tripLr

Seems like you have probably identical hardware. Perhaps you could dump firmware too?

> I was able to Telnet into it, with root no password

So telnet was open the whole time? In my case it was closed and I had to modify rootfs in order to launch it.

However, later I found this: "Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras", and indeed I could open telnet not just on the NVR but on my cams too. It's good that I do not expose the whole system to the internet.

Author

tripLr commented Mar 12, 2021

> Hi, @tripLr
>
> Seems like you have probably identical hardware. Perhaps you could dump firmware too?
>
> > I was able to Telnet into it, with root no password
>
> So telnet was open the whole time? In my case it was closed and I had to modify rootfs in order to launch it.
>
> However, later I found this - Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras and indeed I could open telnet not just on NVR but on my cams too. It's good that I do not expose whole system to internet.

Reply ( online )

Dump firmware issue.
I am trying to work out how to mount the USB. It seems like I can copy out the entire filesystem that way.
What I copied above was from the terminal window.

Any suggestions on how to mount USB?
So far port scanning only shows telnet.
I could log in and change the password and it would be persistent.
I could see if I could remove the hard drive and see if the system and firmware was loaded there.
I was able to check and found the modules (.so) binaries.
I was able to see what modules were in use in the /proc folder.

Any ideas on mounting USB would be helpful, as I have to install this for a customer this weekend.
Contact me directly https://t.me/triplr on Telegram and I can start a chat or group to check this ZOSI firmware.
Here are the hardware pics. CPU is under the heatsink.
[14 photos of the board attached]

Author

tripLr commented Mar 12, 2021

There is in pinned gpio which is probably serial port and an internal USB probably used in the manufacturing process to flash the OS.
It looks like 1 RAM chip. So probably the whole OS is on the SoC.

Author

tripLr commented Mar 12, 2021

I found these on Amazon as an Amazon Warehouse deal. Might be a good experiment for the $; there were several systems.

Here is a barebones one, no hard drive, $59

https://www.amazon.com/dp/B07XL7BW33/ref=cm_sw_r_cp_apa_fabc_981ZNWFPFEGG5JQ5JR3N

Owner

ubis commented Mar 12, 2021

> Any suggestions on how to mount usb ?

When you plug in a USB flash drive, does dmesg show anything? New devices, something like sdx, should show up, like sda, sda1. Then you can mount them with the mount command.

> I could see if I could remove hard drive and see if the system and firmware was loaded there.

Firmware should be stored in NOR flash, and it's possible that it's on the first picture you have sent, that 8-pin IC.

Author

tripLr commented Mar 12, 2021

OK. I'll check dmesg. Also, if I am able to output the whole file system, would that help?

Author

tripLr commented Mar 13, 2021

I created an account on pastehub
kmsg for Hisilicon HI3536DV100 DEMO Board
https://pastehub.link/2tA0mbKwe2

Author

tripLr commented Mar 13, 2021

Good news is busybox has wget.
I may be able to install rsync and openssh for an arm7 from a prebuilt somewhere. Ideas?

Owner

ubis commented Mar 13, 2021

So it seems the flash layout is a little bit different:

<6>hisi-sfc hisi_spi_nor.0: mx25l12835f (Chipsize 16 Mbytes, Blocksize 64KiB)
<5>4 cmdlinepart partitions found on MTD device hi_sfc
<5>4 cmdlinepart partitions found on MTD device hi_sfc
<5>Creating 4 MTD partitions on "hi_sfc":
<5>0x000000000000-0x000000060000 : "boot"
<5>0x000000060000-0x000000300000 : "kernel"
<5>0x000000300000-0x000000fd0000 : "rootfs"
<5>0x000000fd0000-0x000001000000 : "logo"

You can back these up with dd. I also noticed that USB seems to be working despite some weird errors; a Logitech mouse & keyboard seem to be connected. So you can try to connect an ext2-formatted flash drive and it should show up as /dev/sdb1.

Then mount it:

mkdir /mnt/flash
mount /dev/sdb1 /mnt/flash

If the flash drive for some reason doesn't work, then the worst-case scenario would be to use the HDD. I noticed that it's plugged in and appeared as /dev/sda. There should be no system files on the HDD, besides video, so it should be safe to re-format the HDD to ext2/ext3/ext4 and mount it in a similar way to the flash drive I mentioned before.

> i may be able to install rsync and openssh for an arm7 from a prebuilt somewhere . Ideas ?

You could try to use the toolchain from the SDK I have uploaded, in README.md. However, a flash drive/HDD is a simpler way to dump firmware.

By the way, could you write the following commands and show output:

mount
ps
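
The dd backup suggested in the comment above can be planned from the logged partition table. This is an added example, not part of the comment or the project: it parses the quoted kmsg lines, checks that the partitions are contiguous and fill the 16 MB chip, and prints one dd command per partition without running it. The /dev/mtdblockN node names and the output file names are assumptions; confirm the numbering against /proc/mtd on the device.

```shell
#!/bin/sh
# Constructed sample: the MTD lines quoted from the kmsg dump in this thread.
KMSG='<5>Creating 4 MTD partitions on "hi_sfc":
<5>0x000000000000-0x000000060000 : "boot"
<5>0x000000060000-0x000000300000 : "kernel"
<5>0x000000300000-0x000000fd0000 : "rootfs"
<5>0x000000fd0000-0x000001000000 : "logo"'
CHIP_BYTES=$((16 * 1024 * 1024))   # "Chipsize 16 Mbytes" in the same log

# Print "index name start_bytes size_bytes" for every partition line in a log.
mtd_layout() {
    printf '%s\n' "$1" |
    sed -n 's/^<[0-9]*>\(0x[0-9a-f]*\)-\(0x[0-9a-f]*\) : "\(.*\)"$/\1 \2 \3/p' | {
        i=0
        while read -r start end name; do
            echo "$i $name $(($start)) $(($end - $start))"
            i=$((i + 1))
        done
    }
}

# Succeed only if the partitions start at 0, leave no gap or overlap,
# and end exactly at the chip size given as $2.
mtd_check() {
    mtd_layout "$1" | {
        next=0
        bad=0
        while read -r idx name start size; do
            [ "$start" -eq "$next" ] || bad=1
            next=$((start + size))
        done
        [ "$bad" -eq 0 ] && [ "$next" -eq "$2" ]
    }
}

# Print (do not run) one dd command per partition, writing into directory $2.
# Assumption: mtdblock numbering follows the order in the log.
mtd_dd_commands() {
    mtd_layout "$1" | while read -r idx name start size; do
        echo "dd if=/dev/mtdblock$idx of=$2/mtd$idx-$name.bin bs=64k"
    done
}

# Show the plan only when the logged layout is consistent.
mtd_check "$KMSG" "$CHIP_BYTES" && mtd_dd_commands "$KMSG" /mnt/flash
```

After copying, each dump's byte count should equal the size column printed by `mtd_layout`; a shorter file means the copy was cut off.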

Author

tripLr commented Mar 14, 2021

Thanks for the info.
Dunno if it helps, but I was able to get the rootfs image.
