Mar 022017

I was poking around in a Swann NVR to see whether I could customise it to suit my needs a bit better.
The NVR was easy enough to pull apart with only 5 screws on the outside holding the case on.

After taking the case off, I identified the J15 header as the serial port.
Serial port header is J15

Serial port header in the NVR

The settings I used for the serial port is as follows:

Baud: 115200
8 Data bits
No Parity
1 Stop Bit

115200-8-N-1 in common notation

Plugging in my trusty USB to TTL adapter and I found that I had instant root.
I had a poke around and found out that it runs linux –

# uname -a
Linux (none) 3.4.35_hi3535 #6 SMP Wed Jun 24 11:30:14 CST 2015 armv7l GNU/Linux

Since it runs linux, I extracted the /etc/shadow file and cracked the root password, even though it’s not much use to me at the moment.

root:$1$mWYiIVv8$/taigZpC9w/xvglK1TwNV/:0:0::/root:/bin/sh ## password is 20120515

This runs busybox 1.16, and has a few partitions on flash –

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime)
tmpfs on /mnt/tmp type tmpfs (rw,relatime,size=2048k)
tmpfs on /mnt/cache type tmpfs (rw,noatime,nodiratime,size=8192k,nr_inodes=4000)

This NVR uses a ARMv7 CPU –

# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
processor : 0
BogoMIPS : 1987.37

processor : 1
BogoMIPS : 1993.93

Features : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1

Hardware : hi3535
Revision : 0000
Serial : 0000000000000000

The hi3535 seems to be a 1GHz ARM Cortex A9 CPU.

I did a Netstat to see what was listening

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0* LISTEN
tcp 0 0* LISTEN
netstat: /proc/net/tcp6: No such file or directory
udp 0 0*
udp 0 0*
udp 0 0*
udp 0 0*
udp 0 0*
udp 0 0*
udp 0 0*

The NVR also uses uboot

U-Boot 2010.06 (Dec 02 2014 - 14:50:19)

So hopefully I can use uBoot to do some modifications to the partitions. The kernel command line shows where the root partition is, and also which partition is how big.

Kernel command line: mem=140M console=ttyAMA0,115200 root=/dev/mtdblock4 rootfstype=cramfs mtdparts=hinand:512K(uboot1),1920K(uboot2),128K(bootargs),4352K(kernel),12288K(fs),32768K(app),8192K(para),2048K(logo),11264K(ipc_img),128M@0(wholeflash),1024K@73472K(uid_img)

The partition laylout looks like this –

Creating 11 MTD partitions on "hinand":
0x000000000000-0x000000080000 : "uboot1"
0x000000080000-0x000000260000 : "uboot2"
0x000000260000-0x000000280000 : "bootargs"
0x000000280000-0x0000006c0000 : "kernel"
0x0000006c0000-0x0000012c0000 : "fs"
0x0000012c0000-0x0000032c0000 : "app"
0x0000032c0000-0x000003ac0000 : "para"
0x000003ac0000-0x000003cc0000 : "logo"
0x000003cc0000-0x0000047c0000 : "ipc_img"
0x000000000000-0x000008000000 : "wholeflash"
0x0000047c0000-0x0000048c0000 : "uid_img"

So when I have time, I should be able to dump the partitions to a TFTP server, modify them as I need, then re-upload them to make the modifications I need…hopefully.


  2 Responses to “Poking the Swann NVR-7400”

  1. I was wondering if you got any further with this?

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



This site uses Akismet to reduce spam. Learn how your comment data is processed.