Reverse Engineering DVR firmware lfto me. DVRIts almost 2 0. AM, and Im tired as hell. Replay. com is coming soon and is a community to buy, sell, and trade video games, gaming systems, comics, movies, music, electronics, phones, and moreIve gotten so close to the point of giving up, that I decided to write this article about my struggles. I have an Identivision. DVR which has a password set, which of course has been forgotten. I have taken the entire thing apart, removed the battery, but the user password still remains. There is no option that I can find for a factory reset, that doesnt require me knowing the admin password. I ran nmap on it, and discovered quite a few open ports, as well as yes you guessed it Telnet That sounds fun Anyway this telnet option is not documented anywhere, so I have no idea what to type in, when it asks for my login credentials. It is not the same as the password for the DVR, I know this because I recovered the password and tried the same for telnet I think I should be able to avoid future hassles of forgetting passwords if I could somehow get into that telnet. Well, I downloaded a firmware update from the support website, the file looks like this ICR DVRH4. H8. 1firmwareV4. R1. I extracted the zip, and I got this 6. SV4. 0. 0. R1. 0. I booted up my trusty Backtrack in VMWare and got to work. HTB1CP25FVXXXXXkXFXXq6xXFXXXv/220866085/HTB1CP25FVXXXXXkXFXXq6xXFXXXv.jpg' alt='Dvr Software For Linux' title='Dvr Software For Linux' />Good day all, I have just build my self a dvr machine. I got a 8ch dvr recorder card. Now it came with some software, but it is pretty poor. What are the best FREE. Need a DVR to record over the air broadcast TV from an antenna We look at Tablo, Channel Master, and more to find the best OTA DVR for those without cable. I provide 192. 168. No. 8150 in CP Plus DVR. I am able to login through Local system via IE with http after pressing enter key Login. The Programming Languages Beacon v16 March 2016. This table contains a list of major software products or utilities, with details about the programming languages. Z K674677679C551A791A798A796AM751757759688A686AManualV1. H. 264 Network DVR User Manual GUI Display with USB Mouse Control Please read instructions. Video Surveillance DVR CCTV HD Security Camera DVR. The iDVR Internet DVR from CCTV Camera Pros is a CCTV based video surveillance DVR that provides the best. Megapixel Over Coax DVR FLIRs M4400 Series DVR uses the latest HDCVI technology, giving you the flexibility to upgrade your security systems to 1080P HD. View and Download ADEMCO DVR user manual online. DVR. DVR DVR pdf manual download. First I tried this I renamed the firmware file to dvr. Desktop file dvr. Harry E Sally Feitos Um Para O Outro. Zip archive data, at least v. Desktop file dvr. Zip archive data,at least v. Well if this. bin file is just another zip, we better extract it. Desktop unzip dvr. Archive dvr. bin. Install. Descrootbt Desktop unzip dvr. Archive  dvr. bin  inflating custom x. Install. Desc. Well the Install. Desc file is just ASCII text, looks like this. Upgrade. Command. Command Burn. File. Name romfs x. Command Burn. File. Name user x. Command Burn. File. Name custom x. Hardware BLOCK5. Vendor General. Upgrade. Command                Command Burn,         File. Name romfs x. Command Burn,         File. Name user x. cramfs. Command Burn,         File. Name custom x. Hardware BLOCK5. Vendor GeneralLooks to me like the commands for flashing this img files to system ROM. Anyway, what I am interested in, is what those other img files contain. Im guessing the logo x would probably contain a bitmap image or some other kind of image with the IDENTIVISION logo, and the other imgs probably contain the Linux OS itself. Running file against the img files. Desktopfirm file custom x. PPCBoot imagerootbt Desktopfirm file custom x. PPCBoot image. Now Ive searched all over to try and decompress or extract. Some forums say to use this after installing cramfs support. But I get this. rootbt Desktopfirm mount o loop t cramfs user x. Cornerstone Roots Free Yourself Download Music. In some cases useful info is found in syslog try. Desktopfirm mount o loop t cramfs user x. Insome cases useful info isfound insyslog try       dmesgtail  orsorunning. Running. cramfsck   gives me. So I have a few cramfs. I have no idea what to do with. I ran. strings  on romfs and got some interesting stuff. Compressed ROMFSv. Cruise. 1. jpg. a lot more that I ommited. Compressed ROMFSv. Compressedboothomelinuxrcprocrootsbinsharearpingbusyboxchmodchowndatedmesgechofalsefreehushkillkillallkillall. Image. imgconsolenulltty. AMA0tty. AMA1tty. S0. 00fs versionfstabgroupinit. Config. Jsonresolv. DVR. htm. English. Login. htm. Simp. Chinese. js. Talk. Pre. Set. jpgadd. Pre. Set. 1. jpgaudio. GIFbg. jpgbt. gifconfig. Pre. Set. jpgdel. Pre. Set. 1. jpgdlr. Cruise. jpgedit. Cruise. Iommited. So there is definitely something inside, I can see the filenames, so its not encrypted or anything. I need to extract this somehow. So I talked with Domonkos Tomcsnyi, and he suggested that the. PPCBoot image . But how do we extract a u bootPPCBoot image Time to google again. Google returns some interesting results. The first link was http boundarydevices. Lets try this rootbt Desktopfirm dd bs1 skip6. MB copied, 4. 4. Bsrootbt Desktopfirm dd bs1 skip6. MBcopied,4. 4. 35. Bs. Okay, now lets run. Desktopfirm file user x. Linux Compressed ROM File System data, little endian size 3. CRC 0xa. 13. 05. 8c. Desktopfirm file user x. Linux Compressed ROM File System data,little endian size. CRC 0xa. 13. 05. 8c. Cool 1. 21 files sounds nice Now lets mount up the img with the stripped header Desktopfirm mkdir tmpfoo. Desktopfirm mount o loop user x. Desktopfirm mkdir tmpfoorootbt Desktopfirm mount o loop user x. Now lets see whats inside Desktopfirm cd tmpfoo. Desktopfirm cd tmpfoorootbt tmpfoo lsbin  etc  lib  sbin. Cool We successfully mounted img file. Now its time to dig around and look for that telnet password Whats this in romfs x Xtb. Xtb. 3o 0 0 root binshthen there is another file called passwd have no idea what this is for. Bo. H3mb. 8. g 0 0 root binsh. Bo. H3mb. 8. g 0 0 root binsh. Okay, so we see from these files, that they are not shaddowed Instead of looking like this username x they have some kind of hash in the place of xNow this the part  where I realized that this entire process has already been done by some russian guys My friend Domonkos Tomcsnyi googled the hash Seems to be the same for a lot of IP Cameras and DVRs. I downloaded hash identifier and it identified it as a DES hash. So now we basically just need to crack this hash somehow. I used John the ripper for this task By the way, john also immediatly identified the hash as DES1. The hash in passwd was cracked immediately, the one in passwd took a few hours. I also took a look at a firmware for a CP Plus DVR A lot more complex than the Identivison It has a similar structure, except the bin file is not just a zip archive, its more complex. Now this is the part, where I realized again, that instead of doing everything manually, I could just binwalk, and have this entire process automated Try this. Me firmware. bin and watch the magic happen Binwalk is awesomeOh, and the hash in the CP Plus was a little different, it used a Free. BSD MD5 3. 23. 2 hash according to john. John is currently cracking the hash Security differences between the Identivision DVR and the CP Plus DVR are actually quite big. Silly Telephone Game Phrases here. For example the Identivison can make use of only numbers 0 9 and a character for a 6 character long password. This gives us 1. 1 to the power of 6 number of combinations. While the CP Plus makes use of the entire alphanumerical range including special characters. Although this does not affect the login security via the VGA frontend, when using the exact same password for a Web. UI which is often thrown out on the internet, and bruteforce protection not implemented, it is a big security risk Note Im going to rewrite this article soon, with much more precise information, including modifying the firmware images, and structure of the 6. Image header. Im also gonna be giving a speech about this topic at Hacktivity. Ill be sure to upload the video and powerpoint soon after.