A sidetrack from these two posts: Extracting password from Dahua firmware image and Dahua IPC-HFW4300S
To recap: I managed to extract various UBI (NAND flash) images from firmware image.
binwalk -e {firmware_file}Which gave me the following files:
check.img
custom-x.ubifs.img
dhboot.bin.img
kernel.img
partition-x.cramfs.img
pd-x.ubifs.img
romfs-x.ubifs.img
user-x.ubifs.img
web-x.ubifs.imgI started with romfs-x.ubifs.img as initial grep revealed it contained root password hash (matched to ‘vizxv’).
Mounting UBIFS is not a straight forward (eg cannot use loop).
With help of two guides I found (here and here) I managed to figure out how to mount these images.
apt-get install mtd-utils
modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15
modprobe ubi mtd=0
tail -c+65 romfs-x.ubifs.img > romfs
ubiformat /dev/mtd0 -f romfs
ubiattach -p /dev/mtd0
mkdir target
mount -t ubifs /dev/ubi0_0 targetnote: tail -c65 strips the header.
mounting contents of romfs-x.ubifs.img gives some insight on the root file structure:
drwxr-xr-x 2 500 500 5192 Apr 2 2013 bin
drwxr-xr-x 7 500 500 480 Feb 18 2012 dev
drwxr-xr-x 6 500 500 960 Feb 24 2013 etc
drwxr-xr-x 2 500 500 160 Jan 13 2012 home
drwxr-xr-x 2 500 500 4832 Feb 22 2013 lib
lrwxrwxrwx 1 500 500 11 Dec 31 2013 linuxrc -> bin/busybox
drwxr-xr-x 13 500 500 864 Dec 5 2012 mnt
drwxr-xr-x 2 500 500 160 Jan 13 2012 nfs
drwxr-xr-x 2 500 500 160 Jan 13 2012 proc
drwxr-xr-x 2 500 500 160 Jan 13 2012 root
drwxr-xr-x 2 500 500 2728 Dec 25 2013 sbin
drwxr-xr-x 2 500 500 160 Jan 13 2012 share
drwxr-xr-x 2 500 500 160 Jan 13 2012 slave
drwxr-xr-x 2 500 500 160 Jan 13 2012 sys
lrwxrwxrwx 1 500 500 8 Dec 31 2013 tmp -> var/tmp/
drwxr-xr-x 2 500 500 160 Jan 13 2012 usr
drwxr-xr-x 3 500 500 224 Jan 13 2012 varlooking at /etc/inittab:
...
::sysinit:/etc/init.d/dnode
::sysinit:/etc/init.d/rcS
...the /etc/init.d/dnode sets up some of the device nodes, nothing interesting there…
while /etc/init.d/rcS contains some interesting stuff:
/sbin/ubimkvol /dev/ubi6 -s 2500000 -N config
mount -t ubifs ubi6_0 /mnt/mtdHere what I found out from contents of each UBIFS file:
| UBIFS | description |
|---|---|
| check.img | contains some hardware IDs |
| custom-x.ubifs.img | /mnt/custom customisation files? |
| dhboot.bin.img | bootloader |
| kernel.img | kernel image |
| partition-x.cramfs.img | contains partition.txt |
| pd-x.ubifs.img | /mnt/pd/ product description files |
| romfs-x.ubifs.img | / root |
| user-x.ubifs.img | /usr/ |
| web-x.ubifs.im | /mnt/web/ |