Modifying an existing binary firmware update

reverse-engineering binary-analysis firmware binary
2021-06-23 07:42:39

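I have several IP cameras from China, and I need to add some software to them. I can either use a hardware programmer to burn my software into the camera ROM, or use a special binary file that I upload to the camera through its web interface. I decided to use the special binary file.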

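OK, I downloaded this binary file from here. The binary file uploads to the camera successfully, so I decided to look inside it. I used the binwalk program. binwalk told me the following: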

[arhichief@arhichief-pc updates]$ binwalk di20_fl_03.upw 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
152           0x98            uImage header, header size: 64 bytes, header CRC: 0x863E2566, created: 2014-08-01 04:16:33, image size: 3091196 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x3B8FC9B, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.8"
16243         0x3F73          gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
3091412       0x2F2BD4        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 7403482 bytes, 24 inodes, blocksize: 262144 bytes, created: 2015-05-10 02:32:07

The file command tells me that it is a binary ROM image:

[arhichief@arhichief-pc updates]$ file di20_fl_03.upw 
di20_fl_03.upw: UNIF v-740431636 format NES ROM image

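After extracting the parts of the binary, I found that the data after 0x2F2BD4 is a stored image with additional software and bash scripts to run it. It looks like I have found a way to insert my software into the camera.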

Using dd, I got this part of the binary, extracted it, added my program, packed it and wrote it back into the binary.

[arhichief@arhichief-pc updates]$ dd conv=notrunc bs=1 if=di20_fl_03.upw skip=3091412 count=7403482 of=fs.sqhsfs
7403482+0 records in
7403482+0 records out
7403482 bytes (7.4 MB, 7.1 MiB) copied, 8.7586 s, 845 kB/s

[arhichief@arhichief-pc updates]$ unsquashfs fs.sqhsfs 
Parallel unsquashfs: Using 4 processors
23 inodes (72 blocks) to write

[=================================================================================================================================================================================================================================================================|] 72/72 100%

created 23 files
created 1 directories
created 0 symlinks
created 0 devices
created 0 fifos
[arhichief@arhichief-pc updates]$ cd squashfs-root/
[arhichief@arhichief-pc squashfs-root]$ dd if=/dev/random bs=1 of=TEST.FILE count=1258291
^C234+0 records in
234+0 records out
234 bytes copied, 28.535 s, 0.0 kB/s

[arhichief@arhichief-pc updates]$ mksquashfs squashfs-root/ fs.sqhsfs -comp xz -Xdict-size 100% -b 262144
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on fs.sqhsfs, block size 262144.
[=================================================================================================================================================================================================================================================================|] 78/78 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
    compressed data, compressed metadata, compressed fragments, compressed xattrs
    duplicates are removed
Filesystem size 8529.98 Kbytes (8.33 Mbytes)
    56.79% of uncompressed filesystem size (15020.30 Kbytes)
Inode table size 494 bytes (0.48 Kbytes)
    47.23% of uncompressed inode table size (1046 bytes)
Directory table size 374 bytes (0.37 Kbytes)
    87.59% of uncompressed directory table size (427 bytes)
Number of duplicate files found 0
Number of inodes 25
Number of files 24
Number of fragments 3
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 1
Number of ids (unique uids + gids) 2
Number of uids 1
    arhichief (1000)
Number of gids 1
    users (100)

[arhichief@arhichief-pc updates]$ dd if=fs.sqhsfs of=di20_fl_03_new.upw conv=notrunc bs=1 seek=3091412
8736768+0 records in
8736768+0 records out
8736768 bytes (8.7 MB, 8.3 MiB) copied, 8.81158 s, 992 kB/s

After that I ran binwalk on the new firmware update binary to make sure everything was OK.

[arhichief@arhichief-pc updates]$ binwalk di20_fl_03_new.upw 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
152           0x98            uImage header, header size: 64 bytes, header CRC: 0x863E2566, created: 2014-08-01 04:16:33, image size: 3091196 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x3B8FC9B, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.8"
16243         0x3F73          gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
3091412       0x2F2BD4        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8734702 bytes, 25 inodes, blocksize: 262144 bytes, created: 2016-06-06 07:46:09

I tried to upload the new firmware update binary to the camera, but the camera returned an error.

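OK. I looked for a solution and found this. From the answer in that thread I got a Python script that extracts the firmware and shows the checksums of the firmware parts. OK. The script showed me the following: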

[arhichief@arhichief-pc updates]$ python2 extract_hikvision_dav_file.py di20_fl_03.upw 
Magic number:    5a4b5356
Header checksum: 0000223a
Header length:   00000098
File number:     00000002
Language:        00000001
Device class:    00000002
Calced checksum: 0000223a
75496d6167650000000000000000000000000000000000000000000000000000980000003c2b2f001d4e7b18
File name:          uImage
Start:              00000098
Length:             002f2b3c
Checksum:           187b4e1d
Calced checksum:    187b4e1d
6170702e696d6700000000000000000000000000000000000000000000000000d42b2f00000071003d7de138
File name:          app.img
Start:              002f2bd4
Length:             00710000
Checksum:           38e17d3d
Calced checksum:    38e17d3d

[arhichief@arhichief-pc updates]$ python2 extract_hikvision_dav_file.py di20_fl_03_new.upw 
Magic number:    5a4b5356
Header checksum: 0000223a
Header length:   00000098
File number:     00000002
Language:        00000001
Device class:    00000002
Calced checksum: 0000223a
75496d6167650000000000000000000000000000000000000000000000000000980000003c2b2f001d4e7b18
File name:          uImage
Start:              00000098
Length:             002f2b3c
Checksum:           187b4e1d
Calced checksum:    187b4e1d
6170702e696d6700000000000000000000000000000000000000000000000000d42b2f00000071003d7de138
File name:          app.img
Start:              002f2bd4
Length:             00710000
Checksum:           38e17d3d
Calced checksum:    38754ea4

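I found that the checksums in the default firmware and the updated firmware do not match. I have some experience in C, so I decided to rewrite the Python script in C and modify it so that it can correct the checksum. This is my code. It works well, I think. After my code patches the checksum, the Python script and my code give the same result. But when I try to upload the firmware with the corrected checksum to the camera, it still returns an error.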

I don't know what to do next, and I hope you can give me some advice.

Thanks in advance.

P.S. Sorry for the long question. I think you need to know all my steps to give me the right answer. I think I made a mistake somewhere in them.
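
An added example, not part of the original post and not the script the poster ran: it decodes the two 44-byte entry records printed in the script output above and compares the declared app.img length with the sizes reported by dd and binwalk. The record layout (32-byte name, then little-endian start, length, checksum) is an assumption inferred from the printed fields, and the function names are hypothetical.

```python
import struct

# Assumed record layout, inferred from the fields the script printed:
# 32-byte NUL-padded name, then start, length, checksum as little-endian u32.
ENTRY = struct.Struct("<32sIII")

# The two hex lines printed on the page; the zero padding of the name field
# is written as a repeat so the byte count is easy to audit.
RECORDS_HEX = [
    "75496d616765" + "00" * 26 + "98000000" "3c2b2f00" "1d4e7b18",
    "6170702e696d67" + "00" * 25 + "d42b2f00" "00007100" "3d7de138",
]

def parse_entry(hex_record):
    """Decode one 44-byte entry record into a dict of its fields."""
    name, start, length, checksum = ENTRY.unpack(bytes.fromhex(hex_record))
    return {"name": name.rstrip(b"\0").decode("ascii"),
            "start": start, "length": length, "checksum": checksum}

def layout_problems(entries, header_length):
    """Entries should sit back to back, the first right after the header."""
    problems, expected = [], header_length
    for e in entries:
        if e["start"] != expected:
            problems.append("%s starts at 0x%x, expected 0x%x"
                            % (e["name"], e["start"], expected))
        expected = e["start"] + e["length"]
    return problems

def size_delta(entry, payload_size):
    """Bytes by which a payload exceeds (>0) or undershoots (<0) the declared length."""
    return payload_size - entry["length"]

if __name__ == "__main__":
    entries = [parse_entry(r) for r in RECORDS_HEX]
    print(layout_problems(entries, 0x98) or "layout consistent")
    app = entries[1]
    # Sizes taken from the dd and binwalk output on the page.
    for label, size in (("original squashfs", 7403482), ("repacked image", 8736768)):
        print("%-18s %8d bytes, declared %d, delta %+d"
              % (label, size, app["length"], size_delta(app, size)))
```

With the page's numbers, the declared app.img length is 0x00710000 in both script runs, while the repacked image that dd wrote is 8736768 bytes, so it extends 1331200 bytes past the declared range.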

0 answers
No replies found.