Reverse Engineering DVR firmware

It’s almost 2 AM and I’m tired as hell. I’ve gotten so close to the point of giving up that I decided to write this article about my struggles.

I have an Identivision DVR which has a password set, which of course has been forgotten. I have taken the entire thing apart and removed the battery, but the user password still remains. There is no option that I can find for a factory reset that doesn’t require knowing the admin password. I ran nmap on it and discovered quite a few open ports, as well as, yes, you guessed it: Telnet. That sounds fun! This telnet option is not documented anywhere, so I have no idea what to type when it asks for login credentials. (It is not the same as the password for the DVR; I know this because I recovered the password and tried the same for telnet.) I think I should be able to avoid future hassles of forgetting passwords if I could somehow get into that telnet.

Well, I downloaded a firmware update from the support website. The file looks like this: “ICR-DVR_H4.H8.1_firmware_V4.R1.0.2.01.30…”. I extracted the zip and got this: “6…S_V4.0.0.R1.0…”. I booted up my trusty BackTrack in VMware and got to work. First I tried this (I renamed the firmware file to dvr.bin):

```
root@bt:~/Desktop# file dvr.bin
dvr.bin: Zip archive data, at least v…
```

Well, if this .bin file is just another zip, we better extract it:

```
root@bt:~/Desktop# unzip dvr.bin
Archive:  dvr.bin
  inflating: custom-x…
  inflating: Install.Desc
```

The Install.Desc file is just ASCII text and looks like this:

```
{
  "UpgradeCommand": [
    { "Command": "Burn", "FileName": "romfs-x…" },
    { "Command": "Burn", "FileName": "user-x.cramfs…" },
    { "Command": "Burn", "FileName": "custom-x…" }
  ],
  "Hardware": "BLOCK5…",
  "Vendor": "General"
}
```

Looks to me like the commands for flashing these img files to the system ROM. Anyway, what I’m interested in is what those other img files contain. I’m guessing logo-x would contain a bitmap or some other kind of image with the IDENTIVISION logo, and the other imgs probably contain the Linux OS itself. Running file against the img files:

```
root@bt:~/Desktop/firm# file custom-x…
custom-x…: PPCBoot image
```

Now I’ve searched all over for a way to decompress or extract these. Some forums say to use this (after installing cramfs support), but I get this:

```
root@bt:~/Desktop/firm# mount -o loop -t cramfs user-x… …
mount: … In some cases useful info is found in syslog - try dmesg | tail or so
```

Running cramfsck gives me nothing useful either. So I have a few cramfs images I have no idea what to do with. I ran strings on romfs and got some interesting stuff:

```
Compressed ROMFS
boot home linuxrc proc root sbin share
arping busybox chmod chown date dmesg echo false free hush kill killall
Image.img console null tty ttyAMA0 ttyAMA1 ttyS0
fs-version fstab group init Config.Json resolv
DVR.htm English Login.htm Simp.Chinese js Talk
PreSet.jpg addPreSet1.jpg audio.GIF bg.jpg bt.gif configPreSet.jpg delPreSet1.jpg dlrCruise.jpg editCruise…
```

+ a lot more that I omitted.
So there is definitely something inside. I can see the filenames, so it’s not encrypted or anything; I just need to extract it somehow. I talked with Domonkos Tomcsányi and he pointed me at the PPCBoot image format (PPCBoot is the predecessor of U-Boot). But how do we extract a U-Boot/PPCBoot image? Time to google again. Google returns some interesting results; the first link was http://boundarydevices… Let’s try this!

```
root@bt:~/Desktop/firm# dd bs=1 skip=6… if=user-x… of=user-x…
… (… MB) copied, 4.4… B/s
```

Okay, now let’s run file again:

```
root@bt:~/Desktop/firm# file user-x…
user-x…: Linux Compressed ROM File System data, little endian size 3…, … CRC 0xa13058c…, … 121 files
```

Cool! 121 files sounds nice! Now let’s mount the img with the stripped header and see what’s inside:

```
root@bt:~/Desktop/firm# mkdir /tmp/foo
root@bt:~/Desktop/firm# mount -o loop user-x… /tmp/foo
root@bt:~/Desktop/firm# cd /tmp/foo
root@bt:/tmp/foo# ls
bin  etc  lib  sbin  …
```

Cool! We successfully mounted the img file. Now it’s time to dig around and look for that telnet password! What’s this in romfs-x? The passwd file:

```
…Xtb.3o:0:0:root:/:/bin/sh
```

Then there is another file called passwd- (I have no idea what this is for…):

```
…Bo.H3mb.8.g:0:0::/root:/bin/sh
```

Okay, so we see from these files that they are not shadowed. Instead of looking like username:x:…, they have some kind of hash in the place of the “x”. Now this is the part where I realized that this entire process has already been done by some Russian guys. My friend Domonkos Tomcsányi googled the hash; it seems to be the same for a lot of IP cameras and DVRs. I downloaded hash-identifier and it identified it as a DES hash. So now we basically just need to crack this hash somehow. I used John the Ripper for this task!
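The dd-then-file step above works because a PPCBoot/legacy U-Boot image is a fixed 64-byte big-endian header (magic 0x27051956, header CRC-32, payload size, load and entry addresses, data CRC-32, a 32-byte name) in front of the real payload, here the cramfs that `file` recognises by its little-endian magic 0x28cd3d45. As an added example that is not code from the original post, this parser validates both CRCs before trusting the header, returns the payload, and reports whether it starts like a cramfs; the function names and the sample image (constructed in the code) are mine.

```python
import struct
import zlib

# Legacy U-Boot (PPCBoot) image header: 64 bytes, big-endian, followed by the payload.
UBOOT_MAGIC = 0x27051956
HEADER_LEN = 64
HEADER_FMT = ">7I4B32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
CRAMFS_MAGIC = 0x28CD3D45  # little-endian cramfs superblock magic ("Compressed ROMFS")

def parse_uboot_image(blob: bytes) -> dict:
    """Validate a uImage header and both CRCs; return fields and the payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a uImage header")
    magic, hcrc, _time, size, load, ep, dcrc, _os, _arch, _type, _comp, name = \
        struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != UBOOT_MAGIC:
        raise ValueError("bad magic 0x%08x, not a uImage" % magic)
    # The header CRC is computed over the header with the hcrc field zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER_LEN]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[HEADER_LEN:HEADER_LEN + size]
    if len(payload) != size or zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    is_cramfs = len(payload) >= 4 and struct.unpack_from("<I", payload)[0] == CRAMFS_MAGIC
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": size,
            "load": load, "entry": ep, "payload": payload, "is_cramfs": is_cramfs}

def build_uboot_image(payload: bytes, name: bytes) -> bytes:
    """Wrap a payload in a uImage header (only used here to construct the sample)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    # os=5 (Linux), arch=2 (ARM), type=7 (filesystem), comp=0 (none)
    hdr = struct.pack(HEADER_FMT, UBOOT_MAGIC, 0, 0, len(payload), 0, 0, dcrc,
                      5, 2, 7, 0, name.ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload

# Constructed sample: a fake cramfs superblock start wrapped like the DVR's user-x image.
SAMPLE_PAYLOAD = struct.pack("<I", CRAMFS_MAGIC) + b"Compressed ROMFS" + b"\0" * 44
SAMPLE_IMAGE = build_uboot_image(SAMPLE_PAYLOAD, b"user-x")

if __name__ == "__main__":
    info = parse_uboot_image(SAMPLE_IMAGE)
    print("%s: %d byte payload, cramfs=%s" % (info["name"], info["size"], info["is_cramfs"]))
```

On a real image, `info["payload"]` is exactly the data that `dd bs=1 skip=64` would have produced, and a CRC failure tells you the file is truncated or has a non-standard header before you waste time on mount errors.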
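To turn the passwd / passwd- finding above into a repeatable check, here is an added example (not from the original post) that scans passwd files pulled from several firmware images for unshadowed password fields, classifies the hash by its layout (the 13-character traditional DES crypt that hash-identifier and john reported, and $1$ MD5-crypt, john’s “FreeBSD MD5”), and reports any hash that recurs across images, which is the pattern that let the author find the same hash on many cameras and DVRs. The image names and every hash value are constructed placeholders, not the DVR’s.

```python
import re
# Hash layouts found in embedded /etc/passwd files; "$1$" is MD5-crypt (john's "FreeBSD MD5").
HASH_FORMATS = [
    (re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "MD5-crypt (FreeBSD MD5)"),
    (re.compile(r"^\$(5|6)\$"), "SHA-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES crypt"),
]
WEAK_FORMATS = {"traditional DES crypt", "MD5-crypt (FreeBSD MD5)"}

def classify_hash(field: str) -> str:
    """Name the hash format of a passwd password field, or mark it shadowed/locked."""
    if field in ("x", "*", "!", "!!", ""):
        return "shadowed/locked"
    for pattern, label in HASH_FORMATS:
        if pattern.match(field):
            return label
    return "unknown"

def audit_passwd(sources: dict) -> list:
    """sources: {image name: passwd file text}. Returns (image, user, finding) tuples."""
    findings, owners_by_hash = [], {}
    for image, text in sources.items():
        for line in text.splitlines():
            parts = line.split(":")
            if line.startswith("#") or len(parts) < 7:
                continue
            user, field = parts[0], parts[1]
            kind = classify_hash(field)
            if kind == "shadowed/locked":
                continue
            findings.append((image, user, "unshadowed hash: " + kind))
            if kind in WEAK_FORMATS:
                findings.append((image, user, "weak hash format, cheap to crack offline"))
            owners_by_hash.setdefault(field, []).append((image, user))
    # The same hash in several images means a shared, vendor-baked password.
    for owners in owners_by_hash.values():
        if len(owners) > 1:
            where = ", ".join("%s:%s" % o for o in owners)
            findings.append(("*", "*", "hash shared across entries: " + where))
    return findings

# Constructed samples resembling the romfs passwd/passwd- files; the hashes are made up.
SAMPLES = {
    "identivision/passwd":  "root:abJnggxhB/yWI:0:0:root:/:/bin/sh\n",
    "identivision/passwd-": "root:Kq9.aLm3Pz0Rc:0:0::/root:/bin/sh\n",
    "cpplus/passwd": "root:$1$aBcDeFgH$0123456789abcdefghijkl:0:0:root:/:/bin/sh\n"
                     "admin:abJnggxhB/yWI:500:500:admin:/:/bin/sh\n",
    "desktop/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}
```

Run `audit_passwd` over the etc/passwd and etc/passwd- files of every image you unpack; a shared hash is a stronger finding than a weak one, because it means one cracked password opens every device that ships that image.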
By the way, john also immediately identified the hash as DES. The hash in passwd- was cracked immediately; the one in passwd took a few hours.

I also took a look at a firmware for a CP-Plus DVR (a lot more complex than the Identivision). It has a similar structure, except the bin file is not just a zip archive; it’s more complex. Now this is the part where I realized again that instead of doing everything manually, I could just use binwalk and have this entire process automated. Try binwalk -Me firmware.bin and watch the magic happen. Binwalk is awesome!!! Oh, and the hash in the CP-Plus was a little different: according to john it is a FreeBSD MD5 [32/32] hash. John is currently cracking it.

Security differences between the Identivision DVR and the CP-Plus DVR are actually quite big. For example, the Identivision can make use of only the digits 0-9 and the “_” character for a 6-character-long password. This gives 11 to the power of 6 combinations. The CP-Plus, on the other hand, makes use of the entire alphanumeric range including special characters. Although this does not affect login security via the VGA front end, when the exact same password is used for a web UI, which is often exposed on the internet with no brute-force protection implemented, it is a big security risk!

Note: I’m going to rewrite this article soon with much more precise information, including modifying the firmware images and the structure of the image header. I’m also going to give a talk about this topic at Hacktivity. I’ll be sure to upload the video and PowerPoint soon after.

Dual-boot Windows 10 and Kali Linux 2 on UEFI firmware

Kali Linux 2 is the latest edition of Kali Linux, a desktop distribution based on Debian and designed solely for security and hacking purposes. In this tutorial, you’ll read how to dual-boot it with Windows 10 on a computer with UEFI firmware.
Because the Kali Linux 2 installer, in automated disk partitioning mode, allocates disk space to partitions non-proportionally, completing the task of dual-booting Kali Linux 2 and Windows 10 requires creating the Kali Linux 2 partitions manually. So you’ll need at least a basic understanding of disks and disk partitions in Linux. If you don’t have that, take a few minutes to read A beginner’s guide to disks and disk partitions in Linux and 7 tips for dual-booting Linux distributions and Windows.

The following are the steps involved in setting up a dual-boot system between Windows 10 and Kali Linux 2 on a single hard drive on a computer with UEFI firmware:

1. Recover space from the hard drive.
2. Partition the recovered space for installing Kali Linux 2. For this tutorial, we’ll create three partitions for Kali Linux 2: one for the root partition; a second for the home partition (this is optional, but it’s always nice to have your home directory in a separate partition); and a third for swap space, unformatted disk space that the system may use as virtual memory.
3. Complete related and important dual-booting tasks.

To get from here to there, you need to:

- Have downloaded an installation image of Kali Linux 2, which you can grab from https://www… Burn it to a blank DVD, or transfer it to a USB stick (recommended).
- Have a computer with Windows 10. Space for installing Kali Linux 2 will be derived from the free space left on the hard drive.

If you have all those in place, let’s get started.

Step 1 – Recover Free Space From the Hard Drive

The hard drive on the test system used for this tutorial is 5… GB in size, with about half of that occupied by Windows 10. The other, unused part, recovered by shrinking the C drive, will be used for creating partitions for Kali Linux 2. To shrink a Windows 10 C drive, simply right-click on it and select Shrink Volume. Follow the prompts to complete the process.
When completed, there will be unallocated space after the C drive, or after whatever partition you recovered the disk space from. Figure 1 shows the layout of the partitions on the hard drive used for this setup, as seen from Windows 10. The highlighted segment will be used for installing Kali Linux 2.

Figure 1: Windows 10 partitions and the free space.

Step 2 – Booting From the Installation Media

Boot the computer with the installation media you made in the optical drive or in a USB port. Just before it boots into the default boot disk, enter the boot menu by pressing the appropriate F-key, usually F11 or F12. The idea is to make sure the computer boots from the UEFI-aware version of the installer. It should do so without intervention, but just to be sure, you want to complete this step. At the boot menu, you should see two entries for the installation media, like those shown in Figure 2. The “UEFI: PNY USB 2.0 FD 1.10.0” entry boots into the target installer, so if you find an entry just like that on yours, select it and press the ENTER key to boot into it.

Figure 2: Computer’s boot menu.

At the Kali Linux EFI Boot Menu, you’ll be presented with a bunch of boot options. The default will boot into a GNOME 3 Live desktop. This would normally be the best option to boot into, but the version of the installer you access from the Live desktop does not render properly, so I recommend that you skip the Live desktop and boot straight into the graphical installer. You do that by selecting the Graphical Install option, as shown in Figure 3.

Figure 3: Kali Linux 2 EFI boot menu.

Step 3 – The Debian Installer Disk Partitioner

After booting into the Debian Installer, which is the name of the graphical installer used by Kali Linux 2, click through several steps until you get to the disk partitioning methods step, shown in Figure 4. The option to select here is Manual. So select it and click the Continue button, or press the ENTER key.
Figure 4: Disk partitioning options of Kali Linux 2.

That should open the manual disk partitioning tool’s window, where all the detected disks should be listed along with their associated partitions. Shown in Figure 5 are the Windows 10 partitions and the space recovered in Step 1, listed as Free Space. That free space will be used in steps 4, 5 and 6 to create partitions for Kali Linux 2. So select it, then click Continue.

Figure 5: Manual disk partitioning window of Kali Linux 2.

Step 4 – Create the Root Partition

That should open a window like the one shown in Figure 6. We have to create a new partition, so select the first option. Continue.

Figure 6: Creating a new disk partition on Kali Linux 2.

Specify the amount of disk space to allocate to the root partition. In this example I allocated 5… GB to it. That may seem to be too much, but if you intend to use the system for a long time, 5… GB is a reasonable amount. You can go much lower if you’re tight on disk space. Continue.

Figure 7: Specify root partition size of Kali Linux 2.

Stick with the default here. Continue.

Figure 8: Specify location of the root partition of Kali Linux 2.

This shows the specs of the new partition. No need to change anything, so select Done setting up the partition. Continue.

Figure 9: Kali Linux 2 root partition details.

Back in the main disk partitioning window, you should see the new partition. Now you have to repeat the process to create the other partitions, so select the remaining free space, then click Continue.

Figure 10: Kali Linux 2 free disk space.

Step 5 – Create the Home Partition

The second partition we’re going to create will be mounted at /home, and the procedure is a repeat of the one used to create the root partition, so the drill should be familiar. Here, select the default. Continue.

Figure 11: Creating a new disk partition on Kali Linux 2.

Specify a suitable amount of disk space for the partition. Continue.

Figure 12: Specify /home partition size on Kali Linux 2.

Stick with the default. Continue.

Figure 13: Specify location of the home partition of Kali Linux 2.

As with the previous partition, the specs of this partition do not need to be modified, so select Done setting up the partition. Continue.

Figure 14: Kali Linux 2 /home partition details.

Back one more time in the main disk partitioning window, select the free space, then click Continue to begin creating the last partition.

Figure 15: Kali Linux 2 free disk space.