Disassembling ARM based Camera Firmware

Question

I'm trying to disassemble hikvision firmware 5.5.85. I want to extract the contents of digicap.dav file.

Binwalk is unable to extract the known zip files.

binwalk -e  digicap.dav
DECIMAL       HEXADECIMAL     DESCRIPTION

Running Opcode signature shows its ARM based binary.

└─# binwalk -A  digicap.dav
DECIMAL       HEXADECIMAL     DESCRIPTION
6380591       0x615C2F        ARM instructions, function prologue
6523606       0x638AD6        ARM instructions, function prologue
28103893      0x1ACD4D5       ARM instructions, function prologue

Running an entropy analysis shows this:

binwalk -E digicap.dav
DECIMAL       HEXADECIMAL     ENTROPY
0             0x0             Rising entropy edge (0.995974)
12599296      0xC04000        Rising entropy edge (0.981657)
18382848      0x1188000       Falling entropy edge (0.800915)
18415616      0x1190000       Rising entropy edge (0.954710)
18907136      0x1208000       Rising entropy edge (0.998649)
28229632      0x1AEC000       Rising entropy edge (0.987824)
28426240      0x1B1C000       Rising entropy edge (0.998774)
29179904      0x1BD4000       Rising entropy edge (0.996414)
29360128      0x1C00000       Falling entropy edge (0.722392)
29507584      0x1C24000       Falling entropy edge (0.653426)
29671424      0x1C4C000       Falling entropy edge (0.546793)
29835264      0x1C74000       Falling entropy edge (0.579946)
29949952      0x1C90000       Falling entropy edge (0.550830)
30048256      0x1CA8000       Falling entropy edge (0.570541)
30392320      0x1CFC000       Falling entropy edge (0.563434)
30474240      0x1D10000       Falling entropy edge (0.810232)
30638080      0x1D38000       Falling entropy edge (0.619405)
30703616      0x1D48000       Falling entropy edge (0.550830)
30932992      0x1D80000       Falling entropy edge (0.622278)
31080448      0x1DA4000       Falling entropy edge (0.551011)
31129600      0x1DB0000       Falling entropy edge (0.646414)
31227904      0x1DC8000       Falling entropy edge (0.579931)
31391744      0x1DF0000       Falling entropy edge (0.544139)
31440896      0x1DFC000       Rising entropy edge (0.959527)
31473664      0x1E04000       Rising entropy edge (0.989212)
32014336      0x1E88000       Rising entropy edge (0.998716)
33226752      0x1FB0000       Falling entropy edge (0.795215)
33259520      0x1FB8000       Rising entropy edge (0.959458)

At this point in time, I am guessing this is an encrypted binary. I am new to reverse engineering so I am not too sure how to proceed here in extracting contents from this binary file.

Answer 1

It seems the parsing logic is hidden in the U-Boot loader

tftpboot- boot image via network using TFTP protocol
update  - update digicap.dav
updateb - update uboot(u-boot.bin) to nor
updatebl- update ubl(ubl_646x.bin) to nand
updatefs- update filesystem(davinci.img) to nand
updatek - update kernel(uImage) to nand
updates - serial update kernel or filesys

Try looking for the U-Boot source for your device on http://opensource.hikvision.com/, hopefully it will have the code of this command so you can figure out how it's laid out.

Answer 2

You can try hikpack to unpack the firmwork. The hikpack download link: https://ipcamtalk.com/attachments/hikpack_2-5-zip.45534/.

alastair@PC-I5 ~/montecrypto $ ./hikpack_2.1 -t g0 -x digicap_IPC_G0_CN_STD_5.4.20_160726.dav -o contents
Magic   : 484b3230
hdr_crc : 0000253e (OK)
frm_flg : 1220060021111110021
Magic   : 484b3330
hdr_crc : b41263d4 (OK)
version : 05040014
lang_id : 00000002
date    : 160726
frm_flg : 1220060021111110021
File: _cfgUpgClass, CRC OK, SHA512 OK
File: uImage, CRC OK, SHA512 OK
File: initrun.sh, CRC OK, SHA512 OK
File: r7_app.tar.gz, CRC OK, SHA512 OK
File: g0_app.tar.gz, CRC OK, SHA512 OK
File: IEfile.tar.gz, CRC OK, SHA512 OK
File: help.tar.gz, CRC OK, SHA512 OK
File: g0_modules.tgz, CRC OK, SHA512 OK
File: mpp_modules.tgz, CRC OK, SHA512 OK
alastair@PC-I5 ~/montecrypto $

Review this blog to get more information.