A sidetrack from these two posts: Extracting password from Dahua firmware image and Dahua IPC-HFW4300S
To recap: I managed to extract various UBI (NAND flash) images from the firmware image:

```sh
binwalk -e {firmware_file}
```

This gave me the following files:

```
check.img
custom-x.ubifs.img
dhboot.bin.img
kernel.img
partition-x.cramfs.img
pd-x.ubifs.img
romfs-x.ubifs.img
user-x.ubifs.img
web-x.ubifs.img
```
I started with romfs-x.ubifs.img, as an initial grep revealed it contained the root password hash (matching 'vizxv').
Mounting UBIFS is not straightforward (e.g. you cannot simply use a loop device).
With the help of two guides I found (here and here) I managed to figure out how to mount these images:
```sh
apt-get install mtd-utils
modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15
modprobe ubi mtd=0
tail -c+65 romfs-x.ubifs.img > romfs
ubiformat /dev/mtd0 -f romfs
ubiattach -p /dev/mtd0
mkdir target
mount -t ubifs /dev/ubi0_0 target
```

Note: `tail -c+65` outputs from byte 65 onwards, i.e. it strips the first 64 bytes (the wrapper header) so that the UBI image proper, starting with the `UBI#` magic, is what gets written to the simulated NAND.
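Before running `ubiformat`, it helps to confirm that the header strip actually exposed a UBI image and to read the flash geometry (erase block size, VID header offset) the image was built for, because `ubiformat`/`ubiattach` will refuse an image whose physical erase block size does not match the simulated chip. The following is an added example, not code from the original post: it parses the UBI erase-counter header (layout from the kernel's ubi-media.h), does the same job as `tail -c+65` but only when the `UBI#` magic really sits at byte 64, and derives the PEB size from the offsets of the valid headers. The 64-byte "wrapper" in the constructed sample is a dummy, not the real Dahua header format.

```python
import math
import struct
import zlib

UBI_EC_HDR_MAGIC = b"UBI#"   # erase-counter header magic, first 4 bytes of every PEB
UBI_EC_HDR_SIZE = 64
WRAPPER_HEADER_SIZE = 64     # the bytes that `tail -c+65` discards


def ubi_crc32(buf: bytes) -> int:
    # UBI computes crc32 with init 0xFFFFFFFF and no final XOR; zlib applies
    # the final XOR, so undo it to obtain the value stored in hdr_crc.
    return zlib.crc32(buf) ^ 0xFFFFFFFF


def make_ec_header(ec: int, vid_hdr_offset: int, data_offset: int, image_seq: int) -> bytes:
    # Build a valid big-endian EC header: magic, version, pad, ec (u64),
    # vid_hdr_offset, data_offset, image_seq, 32 pad bytes, hdr_crc.
    body = struct.pack(">4sB3xQIII32x", UBI_EC_HDR_MAGIC, 1, ec,
                       vid_hdr_offset, data_offset, image_seq)
    return body + struct.pack(">I", ubi_crc32(body))


def parse_ec_header(blob: bytes) -> dict:
    if len(blob) < UBI_EC_HDR_SIZE or blob[:4] != UBI_EC_HDR_MAGIC:
        raise ValueError("not a UBI EC header")
    _, version, ec, vid_off, data_off, seq, crc = struct.unpack(
        ">4sB3xQIII32xI", blob[:UBI_EC_HDR_SIZE])
    return {"version": version, "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": seq,
            "crc_ok": ubi_crc32(blob[:UBI_EC_HDR_SIZE - 4]) == crc}


def strip_wrapper_header(raw: bytes) -> bytes:
    # Checked equivalent of `tail -c+65`: strip only when the UBI magic is
    # at byte 64, and leave an already-bare image alone.
    if raw[:4] == UBI_EC_HDR_MAGIC:
        return raw
    if raw[WRAPPER_HEADER_SIZE:WRAPPER_HEADER_SIZE + 4] == UBI_EC_HDR_MAGIC:
        return raw[WRAPPER_HEADER_SIZE:]
    raise ValueError("no UBI EC header at offset 0 or 64")


def find_ec_headers(image: bytes, stride: int = 0x1000) -> list:
    # Every PEB starts with an EC header and PEB sizes are multiples of 4 KiB,
    # so probing every 4 KiB (and validating the CRC) finds each header.
    found = []
    for off in range(0, len(image) - UBI_EC_HDR_SIZE + 1, stride):
        if image[off:off + 4] == UBI_EC_HDR_MAGIC:
            hdr = parse_ec_header(image[off:off + UBI_EC_HDR_SIZE])
            if hdr["crc_ok"]:
                found.append((off, hdr))
    return found


def detect_geometry(image: bytes) -> dict:
    hdrs = find_ec_headers(image)
    if not hdrs:
        raise ValueError("no valid UBI EC headers (wrapper header not stripped?)")
    peb = 0
    for off, _ in hdrs:           # gcd of all header offsets is the PEB size
        peb = math.gcd(peb, off)
    if peb == 0:                  # a single PEB: the image is one erase block
        peb = len(image)
    first = hdrs[0][1]
    return {"peb_size": peb, "peb_count": len(hdrs),
            "vid_hdr_offset": first["vid_hdr_offset"],
            "data_offset": first["data_offset"],
            "image_seq": first["image_seq"]}


def build_sample_image() -> bytes:
    # Constructed sample: a dummy 64-byte wrapper (NOT the real Dahua header
    # format) followed by two 128 KiB PEBs built for a 2 KiB page NAND.
    peb_size, vid_off, data_off = 0x20000, 2048, 4096
    wrapper = b"DUMMYHDR".ljust(WRAPPER_HEADER_SIZE, b"\x00")
    pebs = b""
    for _ in range(2):
        hdr = make_ec_header(ec=1, vid_hdr_offset=vid_off,
                             data_offset=data_off, image_seq=0x1234)
        pebs += hdr.ljust(peb_size, b"\xff")   # erased flash reads as 0xFF
    return wrapper + pebs


if __name__ == "__main__":
    geo = detect_geometry(strip_wrapper_header(build_sample_image()))
    print("PEB size 0x%x, %d PEBs, vid_hdr_offset %d, data_offset %d" % (
        geo["peb_size"], geo["peb_count"], geo["vid_hdr_offset"], geo["data_offset"]))
```

Run it on a real image with `detect_geometry(strip_wrapper_header(open("romfs-x.ubifs.img", "rb").read()))`. The `peb_size` must equal the erase block size of the chip `nandsim` simulates, and `vid_hdr_offset` normally equals the minimum I/O unit (the page size) the image was created with; if either disagrees with the simulated NAND, pick different ID bytes rather than forcing the write.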
Mounting the contents of romfs-x.ubifs.img gives some insight into the root file structure:

```
drwxr-xr-x 2 500 500 5192 Apr 2 2013 bin
drwxr-xr-x 7 500 500 480 Feb 18 2012 dev
drwxr-xr-x 6 500 500 960 Feb 24 2013 etc
drwxr-xr-x 2 500 500 160 Jan 13 2012 home
drwxr-xr-x 2 500 500 4832 Feb 22 2013 lib
lrwxrwxrwx 1 500 500 11 Dec 31 2013 linuxrc -> bin/busybox
drwxr-xr-x 13 500 500 864 Dec 5 2012 mnt
drwxr-xr-x 2 500 500 160 Jan 13 2012 nfs
drwxr-xr-x 2 500 500 160 Jan 13 2012 proc
drwxr-xr-x 2 500 500 160 Jan 13 2012 root
drwxr-xr-x 2 500 500 2728 Dec 25 2013 sbin
drwxr-xr-x 2 500 500 160 Jan 13 2012 share
drwxr-xr-x 2 500 500 160 Jan 13 2012 slave
drwxr-xr-x 2 500 500 160 Jan 13 2012 sys
lrwxrwxrwx 1 500 500 8 Dec 31 2013 tmp -> var/tmp/
drwxr-xr-x 2 500 500 160 Jan 13 2012 usr
drwxr-xr-x 3 500 500 224 Jan 13 2012 var
```
Looking at /etc/inittab:

```
...
::sysinit:/etc/init.d/dnode
::sysinit:/etc/init.d/rcS
...
```

/etc/init.d/dnode sets up some of the device nodes; nothing interesting there.
/etc/init.d/rcS, on the other hand, contains some interesting stuff:

```sh
/sbin/ubimkvol /dev/ubi6 -s 2500000 -N config
mount -t ubifs ubi6_0 /mnt/mtd
```
Here is what I found out about the contents of each image:

| image | description |
|---|---|
| check.img | contains some hardware IDs |
| custom-x.ubifs.img | /mnt/custom customisation files? |
| dhboot.bin.img | bootloader |
| kernel.img | kernel image |
| partition-x.cramfs.img | contains partition.txt |
| pd-x.ubifs.img | /mnt/pd/ product description files |
| romfs-x.ubifs.img | / root |
| user-x.ubifs.img | /usr/ |
| web-x.ubifs.img | /mnt/web/ webUI related files |
An interesting bit about partition-x.cramfs.img is that it contains partition.txt, the flash layout:

```
# name cs offset size mask_flags
U-Boot, 0, 0x0000000000200000, 0x0000000000100000, RW
hwid, 0, 0x0000000000300000, 0x0000000000100000, RW
updateflag, 0, 0x0000000000400000, 0x0000000000100000, RW
partition, 0, 0x0000000000500000, 0x0000000000100000, RW
custom, 0, 0x0000000000600000, 0x0000000000340000, RW
product, 0, 0x0000000000940000, 0x0000000000340000, RW
Kernel, 0, 0x0000000000c80000, 0x0000000000580000, RW
romfs, 0, 0x0000000001200000, 0x0000000000800000, RW
web, 0, 0x0000000001a00000, 0x0000000000800000, RW
user, 0, 0x0000000002200000, 0x0000000001980000, RW
syslog, 0, 0x0000000007200000, 0x0000000000400000, RW
config, 0, 0x0000000007600000, 0x0000000000400000, RW
backup, 0, 0x0000000007a00000, 0x0000000000400000, RW
END
```
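The partition table is worth parsing rather than reading by eye: it tells you which flash ranges are covered, where the image-to-partition mapping leaves holes, and whether a given image (or the 2,500,000-byte `config` volume that rcS creates) actually fits in its partition. The following is an added example, not code from the original post; the `PARTITION_TXT` string is the partition.txt above embedded verbatim, and the gap/overlap check and `fits()` helper are my own.

```python
PARTITION_TXT = """\
# name cs offset size mask_flags
U-Boot, 0, 0x0000000000200000, 0x0000000000100000, RW
hwid, 0, 0x0000000000300000, 0x0000000000100000, RW
updateflag, 0, 0x0000000000400000, 0x0000000000100000, RW
partition, 0, 0x0000000000500000, 0x0000000000100000, RW
custom, 0, 0x0000000000600000, 0x0000000000340000, RW
product, 0, 0x0000000000940000, 0x0000000000340000, RW
Kernel, 0, 0x0000000000c80000, 0x0000000000580000, RW
romfs, 0, 0x0000000001200000, 0x0000000000800000, RW
web, 0, 0x0000000001a00000, 0x0000000000800000, RW
user, 0, 0x0000000002200000, 0x0000000001980000, RW
syslog, 0, 0x0000000007200000, 0x0000000000400000, RW
config, 0, 0x0000000007600000, 0x0000000000400000, RW
backup, 0, 0x0000000007a00000, 0x0000000000400000, RW
END
"""


def parse_partition_txt(text: str) -> list:
    # Each data line is "name, cs, offset, size, mask_flags"; '#' lines are
    # comments and "END" terminates the table. int(x, 0) handles 0x... and 0.
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "END":
            break
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError("malformed partition line: %r" % raw)
        name, cs, offset, size, flags = fields
        parts.append({"name": name, "cs": int(cs, 0), "offset": int(offset, 0),
                      "size": int(size, 0), "flags": flags})
    return parts


def check_layout(parts: list) -> dict:
    # Walk the partitions in address order and record unmapped ranges (gaps)
    # and partitions that start before the previous one ends (overlaps).
    ordered = sorted(parts, key=lambda p: p["offset"])
    gaps, overlaps = [], []
    cursor, prev = 0, None
    for p in ordered:
        if p["offset"] > cursor:
            gaps.append((cursor, p["offset"]))
        elif prev is not None and p["offset"] < cursor:
            overlaps.append((prev["name"], p["name"]))
        cursor = max(cursor, p["offset"] + p["size"])
        prev = p
    return {"gaps": gaps, "overlaps": overlaps, "end": cursor}


def fits(parts: list, name: str, nbytes: int) -> bool:
    # Necessary (not sufficient) check that nbytes fit the raw partition; UBI
    # itself reserves PEBs and per-LEB headers, so usable space is smaller.
    for p in parts:
        if p["name"] == name:
            return nbytes <= p["size"]
    raise KeyError(name)


def describe(parts: list) -> str:
    return "\n".join("%-11s 0x%08x-0x%08x %7.2f MiB %s" % (
        p["name"], p["offset"], p["offset"] + p["size"], p["size"] / 2 ** 20, p["flags"])
        for p in parts)


if __name__ == "__main__":
    parts = parse_partition_txt(PARTITION_TXT)
    print(describe(parts))
    report = check_layout(parts)
    print("unmapped:", ["0x%x-0x%x" % g for g in report["gaps"]],
          "overlaps:", report["overlaps"], "end: 0x%x" % report["end"])
    print("config volume fits:", fits(parts, "config", 2500000))
```

On this table the check reports no overlaps, an unmapped range below `U-Boot` (0x0 to 0x200000) and a large unmapped range between the end of `user` (0x3b80000) and `syslog` (0x7200000); the last partition ends at 0x7e00000. Those holes are exactly the places a firmware diff should also look at, since nothing in the partition list accounts for them.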
All this effort was to find the telnet password...
I am still missing the /mnt/mtd mount point, specifically the /mnt/mtd/Config/passwd file, which looks like it contains the telnet password (possibly?)...
UPDATE: the solution to the password debacle is here (at the end of the article).
Now the question is where the 7ujMko0 portion of the telnet password comes from. "Inspecting" (running strings on) the telnetd binary from the flash image reveals that it is hard-coded into telnetd. If Dahua ever changes that value, I know where to find it now.
