Here are the unpack scripts I wrote for D-Link and Trednet IP-cameras.
Most unpacker Shellscripts need binwalk
DCS-5222L Rev. A
Seem to be rebranded Alphanetworks camerasBytes in firmware are swapped 32byte-wise (Big endian?).
Contains a zImage.
Seem to be rebranded Alphanetworks camerasSome of the Firmware images seem to be "crypted" by inverting all bytes with the NOT operator.
Contains a cramfs which can be loop-mounted.
Blog entry on how to hack Firmware and gain telnet-access For some cameras, it is enough to enable telnet with
user: root, pass: admin
|DCS-930L, DCS-931L, DCS-932L||unp_fw_DSC93x.sh||Firmware contains an uimage including an lzma-compressed data which contains an lzma-compressed romfs starting at a fixed aligned boundary. This romfs is a cpio-archive you can unpack.|
|FLC-1301, FLD-1101||unp_fw_DCS-6111.sh||Firmware contains a gzipped file named initrd.|
TV-IP110, TV-IP110W, TV-IP110WN|
TV-IP410, TV-IP410W, TV-IP410WN
TV-IP422, TV-IP422W, TV-IP422WN
|fwunpack.pl from this blog||Firmware contains a gzipped minix-image named rootfs.|
|TV-IP110WN v2, TV-IP121WN v2||DNR-326, DNR-322L||extract-ng.sh (firmware-mod-kit)||Firmware contains lzma compressed squashfs.|
DCS-5222L Rev. B
GXC-1710M (=APPRO LC7513)
This also applies to American Dynamics cameras, ADCi400-xxxxFirmware is crypted using a vernam chiffre and has to be decrypted with my decode_fw.c
Contains jffs2 Filesystem containers which can be loop-mounted with mount_jff2.sh
Build instructions for fully featured GPL DCS-2130 firmware can be found in build_2130.sh
A security analysis of the DCS-2130 can be found in this thesis. (guest/guest always has viewing access!)
Some cameras like the DCS-2132L, DCS-2210, DCS-2332L have SSH open on Port 8992. Username: root, Password: tms320dm365.
Password for DCS-5222L, DCS-2330L, DCS-2132L v2: hi3518c
This also applies to cameras based on Appro DMS-3011, DMS-3014, LC-7211, LC-7213, LC-7214, LC-7215, NVR-2018, NVR-2028, DMS-3016, PVR-3031, LC-7224, LC-7225, DMS-3009, DMS-3004Firmware is crypted using consecutive XOR (by a tool called B2X.EXE and has to be decrypted with my appro_decrypt.c
Contains Filesystem as .tar.gz, GPL source is available from D-Link which also contains firmware updater, for simple unpacking use by appro_unpack.c
All Level1 cameras
Firmware contains a UBIFS image.
Eneo MIR series have enabled telnet by default and have no password set for root :)
PXC-2080 have root as root-password.
|ENEO-NXC1602||Username for telnetd: nseungjin1234, no password. login, then passwd root.|
For unknown reasons, newer firmware is crypted with AES.
If you need a repacker and decrypter, feel free to ask :)
Telnet can be enabled via ICMP packet: avtech.c
For some models, like the AirLive BU-720, MD-720, DM-720, you can try:
23 is the port where to run telnetd on. User: root, no PW
If you have questions or comments, just drop me a line.
Information is provided in the hope that it is useful for people purchasing the cams who want to adapt the firmware
to their needs (all firmware uses GPLed Software anyway). As I'm not providing any copyrighted material and I'm just
providing information how to unpack the firmware, I hope that there are no legal issues with this information.
If you are a camera vendor and think, I'm wrong with my assumption, please contact me via e-mail.