A sidetrack from these two posts: Extracting password from Dahua firmware image and Dahua IPC-HFW4300S
To recap: I managed to extract the various UBI (NAND flash) images from the firmware image with:

```
binwalk -e {firmware_file}
```
Which gave me the following files:

```
check.img
custom-x.ubifs.img
dhboot.bin.img
kernel.img
partition-x.cramfs.img
pd-x.ubifs.img
romfs-x.ubifs.img
user-x.ubifs.img
web-x.ubifs.img
```
I started with romfs-x.ubifs.img, as an initial grep revealed it contained the root password hash (matched to 'vizxv').
Mounting a UBIFS image is not straightforward (e.g. you cannot simply loop-mount it).
With the help of two guides I found (here and here) I managed to figure out how to mount these images:
```
apt-get install mtd-utils
modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15
modprobe ubi mtd=0
tail -c+65 romfs-x.ubifs.img > romfs
ubiformat /dev/mtd0 -f romfs
ubiattach -p /dev/mtd0
mkdir target
mount -t ubifs /dev/ubi0_0 target
```

Note: `tail -c+65` outputs the image starting at byte 65, i.e. it strips the 64-byte header.
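The same sequence wrapped into reusable functions with the checks I would want before handing a file to ubiformat, plus the matching teardown. This is an added example and not part of the original post: the function names (`strip_header`, `looks_like_ubi`, `mount_ubifs_image`, `umount_ubifs_image`) are this example's own, the 64-byte header and nandsim ID bytes are taken from the post, and the "UBI#" check relies on the magic of the UBI erase-counter header that every raw UBI image begins with. It loads `ubi` without `mtd=0` and attaches explicitly with ubiattach, and mounts read-only so inspection cannot alter the image.

```shell
#!/bin/sh
# Added example, not from the original post: the nandsim/UBI mount sequence wrapped in
# functions with checks and a teardown. Assumes the same 64-byte vendor header (stripped
# with tail -c+65) and the same nandsim ID bytes as the post; root is needed for
# everything except strip_header, file_size and looks_like_ubi.

# Copy an image without its first 64 bytes (the vendor header), as `tail -c+65` does.
strip_header() {
    tail -c+65 "$1" > "$2"
}

# Byte count of a file, portable across GNU and BSD wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# A raw UBI image starts with the erase-counter header magic "UBI#". Checking it before
# ubiformat makes a wrong header offset fail here rather than as an obscure mount error.
looks_like_ubi() {
    [ "$(head -c 4 "$1")" = "UBI#" ]
}

# Bring up a simulated NAND chip, write the image to it, attach UBI and mount the
# first volume read-only at $2.
mount_ubifs_image() {
    img=$1; mnt=$2; raw=${img%.img}.raw
    [ "$(id -u)" -eq 0 ] || { echo "mount_ubifs_image: run as root" >&2; return 1; }
    strip_header "$img" "$raw" || return 1
    looks_like_ubi "$raw" || { echo "$raw: no UBI magic after stripping the header" >&2; return 1; }
    modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15 || return 1
    modprobe ubi || return 1                 # attached explicitly below instead of via mtd=0
    ubiformat -y /dev/mtd0 -f "$raw" || return 1
    ubiattach -p /dev/mtd0 || return 1
    mkdir -p "$mnt"
    mount -t ubifs -o ro /dev/ubi0_0 "$mnt"
}

# Undo mount_ubifs_image so the next image starts from a clean simulated chip.
umount_ubifs_image() {
    umount "$1"
    ubidetach -p /dev/mtd0
    rmmod ubifs ubi nandsim
}

# Usage (as root):  . ./ubimount.sh && mount_ubifs_image romfs-x.ubifs.img target
```

Run `umount_ubifs_image target` before mounting the next image; nandsim presents a single simulated chip, so reusing /dev/mtd0 without detaching leaves the previous image attached.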
Mounting the contents of romfs-x.ubifs.img gives some insight into the root file structure:

```
drwxr-xr-x 2 500 500 5192 Apr 2 2013 bin
drwxr-xr-x 7 500 500 480 Feb 18 2012 dev
drwxr-xr-x 6 500 500 960 Feb 24 2013 etc
drwxr-xr-x 2 500 500 160 Jan 13 2012 home
drwxr-xr-x 2 500 500 4832 Feb 22 2013 lib
lrwxrwxrwx 1 500 500 11 Dec 31 2013 linuxrc -> bin/busybox
drwxr-xr-x 13 500 500 864 Dec 5 2012 mnt
drwxr-xr-x 2 500 500 160 Jan 13 2012 nfs
drwxr-xr-x 2 500 500 160 Jan 13 2012 proc
drwxr-xr-x 2 500 500 160 Jan 13 2012 root
drwxr-xr-x 2 500 500 2728 Dec 25 2013 sbin
drwxr-xr-x 2 500 500 160 Jan 13 2012 share
drwxr-xr-x 2 500 500 160 Jan 13 2012 slave
drwxr-xr-x 2 500 500 160 Jan 13 2012 sys
lrwxrwxrwx 1 500 500 8 Dec 31 2013 tmp -> var/tmp/
drwxr-xr-x 2 500 500 160 Jan 13 2012 usr
drwxr-xr-x 3 500 500 224 Jan 13 2012 var
```
Looking at /etc/inittab:

```
...
::sysinit:/etc/init.d/dnode
::sysinit:/etc/init.d/rcS
...
```

/etc/init.d/dnode sets up some of the device nodes, nothing interesting there… while /etc/init.d/rcS contains some interesting stuff:

```
/sbin/ubimkvol /dev/ubi6 -s 2500000 -N config
mount -t ubifs ubi6_0 /mnt/mtd
```
Here is what I found out from the contents of each image file:

| Image | Description |
|---|---|
| check.img | contains some hardware IDs |
| custom-x.ubifs.img | /mnt/custom customisation files? |
| dhboot.bin.img | bootloader |
| kernel.img | kernel image |
| partition-x.cramfs.img | contains partition.txt |
| pd-x.ubifs.img | /mnt/pd/ product description files |
| romfs-x.ubifs.img | / root |
| user-x.ubifs.img | /usr/ |
| web-x.ubifs.img | /mnt/web/ webUI related files |
An interesting bit regarding partition-x.cramfs.img is that it contains partition.txt, the flash layout:

```
# name cs offset size mask_flags
U-Boot, 0, 0x0000000000200000, 0x0000000000100000, RW
hwid, 0, 0x0000000000300000, 0x0000000000100000, RW
updateflag, 0, 0x0000000000400000, 0x0000000000100000, RW
partition, 0, 0x0000000000500000, 0x0000000000100000, RW
custom, 0, 0x0000000000600000, 0x0000000000340000, RW
product, 0, 0x0000000000940000, 0x0000000000340000, RW
Kernel, 0, 0x0000000000c80000, 0x0000000000580000, RW
romfs, 0, 0x0000000001200000, 0x0000000000800000, RW
web, 0, 0x0000000001a00000, 0x0000000000800000, RW
user, 0, 0x0000000002200000, 0x0000000001980000, RW
syslog, 0, 0x0000000007200000, 0x0000000000400000, RW
config, 0, 0x0000000007600000, 0x0000000000400000, RW
backup, 0, 0x0000000007a00000, 0x0000000000400000, RW
END
```
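A small parser for this partition.txt format, added here as an example that is not part of the original post, makes the layout easier to reason about: it converts the hex offsets and sizes to bytes, reports any partition that does not start where the previous one ends, and checks whether an extracted image (for instance a stripped UBI image) actually fits into its partition. The function names (`parse_partitions`, `layout_gaps`, `partition_bounds`, `fits_partition`) are this example's own; the embedded table is the one from the post. Run over that table, `layout_gaps` reports a single unallocated region, between the end of `user` and the start of `syslog`.

```shell
#!/bin/sh
# Added example, not from the original post: parse a partition.txt in the format shown
# above and sanity-check the layout. The table below is copied from the post; the
# functions and their names are this example's own.

PARTITION_TXT='# name cs offset size mask_flags
U-Boot, 0, 0x0000000000200000, 0x0000000000100000, RW
hwid, 0, 0x0000000000300000, 0x0000000000100000, RW
updateflag, 0, 0x0000000000400000, 0x0000000000100000, RW
partition, 0, 0x0000000000500000, 0x0000000000100000, RW
custom, 0, 0x0000000000600000, 0x0000000000340000, RW
product, 0, 0x0000000000940000, 0x0000000000340000, RW
Kernel, 0, 0x0000000000c80000, 0x0000000000580000, RW
romfs, 0, 0x0000000001200000, 0x0000000000800000, RW
web, 0, 0x0000000001a00000, 0x0000000000800000, RW
user, 0, 0x0000000002200000, 0x0000000001980000, RW
syslog, 0, 0x0000000007200000, 0x0000000000400000, RW
config, 0, 0x0000000007600000, 0x0000000000400000, RW
backup, 0, 0x0000000007a00000, 0x0000000000400000, RW
END'

# Read partition.txt on stdin and print one "name offset size end" line per partition,
# all values in decimal bytes. Comment lines, blank lines and the END marker are skipped.
parse_partitions() {
    while IFS= read -r line; do
        case "$line" in
            '#'*|END|'') continue ;;
        esac
        set -- $(printf '%s\n' "$line" | tr -d ',')   # fields: name cs offset size flags
        printf '%s %d %d %d\n' "$1" "$(($3))" "$(($4))" "$(($3 + $4))"
    done
}

# Print "name delta" for every partition that does not start where the previous one ends.
# A positive delta is unallocated space in front of that partition, a negative one is an
# overlap with its predecessor. No output means the listed partitions are contiguous.
layout_gaps() {
    parse_partitions | awk 'NR > 1 && $2 != prev_end { print $1, $2 - prev_end } { prev_end = $4 }'
}

# Print "offset size" (decimal) for the named partition, or nothing if it is not listed.
partition_bounds() {
    parse_partitions | awk -v name="$1" '$1 == name { print $2, $3 }'
}

# Succeed if a payload of $1 bytes fits into partition $2 (e.g. a stripped UBI image into romfs).
fits_partition() {
    size=$(partition_bounds "$2" | cut -d' ' -f2)
    [ -n "$size" ] && [ "$1" -le "$size" ]
}

# Usage:  printf '%s\n' "$PARTITION_TXT" | layout_gaps
#         printf '%s\n' "$PARTITION_TXT" | partition_bounds romfs
#         printf '%s\n' "$PARTITION_TXT" | fits_partition "$(wc -c < romfs)" romfs
```

The functions read the table on stdin, so the same checks can be run against a partition.txt pulled out of another firmware version by piping the file in instead of the embedded copy.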
All this effort was to find the telnet password...
I am missing the /mnt/mtd mount point, specifically the /mnt/mtd/Config/passwd file, which looks like it contains the telnet password (possibly?)...
UPDATE: the solution to the password debacle is here (at the end of the article).
Now the question is where the `7ujMko0` portion of the telnet password comes from. "Inspecting" (running `strings` on) the `telnetd` binary from the flash image reveals that it is hard-coded into `telnetd`. If Dahua ever changes that value, I know where to find it now.