Mar 02 2017

I was poking around in a Swann NVR to see whether I could customise it to suit my needs a bit better.
The NVR was easy enough to pull apart with only 5 screws on the outside holding the case on.

After taking the case off, I identified the J15 header as the serial port.

Serial port header in the NVR


The settings I used for the serial port are as follows:

Baud: 115200
8 Data bits
No Parity
1 Stop Bit

115200-8-N-1 in common notation

Plugging in my trusty USB to TTL adapter, I found that I had instant root.
I had a poke around and found out that it runs Linux –

# uname -a
Linux (none) 3.4.35_hi3535 #6 SMP Wed Jun 24 11:30:14 CST 2015 armv7l GNU/Linux

Since it runs Linux, I extracted the /etc/shadow file and cracked the root password, even though it’s not much use to me at the moment.

root:$1$mWYiIVv8$/taigZpC9w/xvglK1TwNV/:0:0::/root:/bin/sh ## password is 20120515

This runs busybox 1.16, and has a few partitions on flash –

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime)
tmpfs on /mnt/tmp type tmpfs (rw,relatime,size=2048k)
tmpfs on /mnt/cache type tmpfs (rw,noatime,nodiratime,size=8192k,nr_inodes=4000)

This NVR uses an ARMv7 CPU –

# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
processor : 0
BogoMIPS : 1987.37

processor : 1
BogoMIPS : 1993.93

Features : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1

Hardware : hi3535
Revision : 0000
Serial : 0000000000000000

The hi3535 seems to be a 1GHz ARM Cortex A9 CPU.

I ran netstat to see what was listening –

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:85 0.0.0.0:* LISTEN
netstat: /proc/net/tcp6: No such file or directory
udp 0 0 0.0.0.0:3000 0.0.0.0:*
udp 0 0 0.0.0.0:3000 0.0.0.0:*
udp 0 0 0.0.0.0:59836 0.0.0.0:*
udp 0 0 0.0.0.0:2000 0.0.0.0:*
udp 0 0 0.0.0.0:59093 0.0.0.0:*
udp 0 0 0.0.0.0:45807 0.0.0.0:*
udp 0 0 0.0.0.0:32761 0.0.0.0:*

The NVR also uses U-Boot –

U-Boot 2010.06 (Dec 02 2014 - 14:50:19)

So hopefully I can use U-Boot to do some modifications to the partitions. The kernel command line shows where the root partition is, and also how big each partition is.

Kernel command line: mem=140M console=ttyAMA0,115200 root=/dev/mtdblock4 rootfstype=cramfs mtdparts=hinand:512K(uboot1),1920K(uboot2),128K(bootargs),4352K(kernel),12288K(fs),32768K(app),8192K(para),2048K(logo),11264K(ipc_img),128M@0(wholeflash),1024K@73472K(uid_img)

The partition layout looks like this –

Creating 11 MTD partitions on "hinand":
0x000000000000-0x000000080000 : "uboot1"
0x000000080000-0x000000260000 : "uboot2"
0x000000260000-0x000000280000 : "bootargs"
0x000000280000-0x0000006c0000 : "kernel"
0x0000006c0000-0x0000012c0000 : "fs"
0x0000012c0000-0x0000032c0000 : "app"
0x0000032c0000-0x000003ac0000 : "para"
0x000003ac0000-0x000003cc0000 : "logo"
0x000003cc0000-0x0000047c0000 : "ipc_img"
0x000000000000-0x000008000000 : "wholeflash"
0x0000047c0000-0x0000048c0000 : "uid_img"
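
The offsets in the boot log can be derived from the mtdparts string alone, which also ties each /dev/mtdblockN in the mount output to a named partition. The Python below is an added example, not part of the original post; the function names are hypothetical, and it assumes an entry without an explicit @offset starts where the previous entry ended, as the boot log shows.

```python
import re

# mtdparts value copied from the kernel command line in the post.
MTDPARTS = ("hinand:512K(uboot1),1920K(uboot2),128K(bootargs),4352K(kernel),"
            "12288K(fs),32768K(app),8192K(para),2048K(logo),11264K(ipc_img),"
            "128M@0(wholeflash),1024K@73472K(uid_img)")

UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
# <size>[unit][@<offset>[unit]](<name>)
PART_RE = re.compile(r"(\d+)([KMG]?)(?:@(\d+)([KMG]?))?\((\w+)\)", re.I)


def parse_mtdparts(spec):
    """Return (device, [(index, name, start, end), ...]) for one flash device."""
    device, _, body = spec.partition(":")
    parts, cursor = [], 0
    for index, item in enumerate(body.split(",")):
        m = PART_RE.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"unsupported partition spec: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).upper()]
        if m.group(3) is not None:
            # Explicit @offset, used here by wholeflash and uid_img.
            start = int(m.group(3)) * UNITS[m.group(4).upper()]
        else:
            # Assumption: no offset means "directly after the previous entry".
            start = cursor
        parts.append((index, m.group(5), start, start + size))
        cursor = start + size
    return device, parts


def kernel_style(parts):
    """Format entries like the 'Creating 11 MTD partitions' boot-log lines."""
    return [f'0x{s:012x}-0x{e:012x} : "{n}"' for _, n, s, e in parts]


def block_device(parts, name):
    """Map a partition name to its /dev/mtdblockN node (N is the list index)."""
    for index, part_name, _, _ in parts:
        if part_name == name:
            return f"/dev/mtdblock{index}"
    raise KeyError(name)


if __name__ == "__main__":
    dev, table = parse_mtdparts(MTDPARTS)
    print(f'{len(table)} partitions on "{dev}":')
    print("\n".join(kernel_style(table)))
    print("root filesystem:", block_device(table, "fs"))
```

The computed table matches the boot log line for line, and the indices agree with root=/dev/mtdblock4 and the mtdblock5/mtdblock6 mounts shown earlier.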

So when I have time, I should be able to dump the partitions to a TFTP server, modify them as I need, then re-upload them to make the modifications I need…hopefully.


  6 Responses to “Poking the Swann NVR-7400”

  1. I was wondering if you got any further with this?

  2. Hi SirLagZ.
    It is a very interesting article you have. I have got the same unit. I did a firmware update two days ago and the unit is not working any more. No support from Swann and they said that my warranty is void as I did the update myself.
    I opened the NVR and noticed a JTAG port as well as serial. At work we were messing with IAR boards and using JTAG to program them. I looked in the firmware and found that the first section is U-Boot and then the code.
    1. I am just wondering if it would be possible to flash the unit with this official firmware using JTAG or using serial?
    2. What utility do I need to use if I go with serial?
    3. Do I need to erase all sections in the PROM or only some regions?

    I need to do it anyway or I have to buy a new unit, which is costly, and I don’t like to give up.
    All findings with images and steps I will provide to you, so you get more traffic to your site and help other people who were left on their own.

    Thank you

  3. How did you determine that this was a serial port and not something else?
