Unpacking D-Link and Trendnet firmware

Here are the unpack scripts I wrote for D-Link and Trednet IP-cameras.
Most unpacker Shellscripts need binwalk

TrendnetD-LinkEneoUnpacker scriptNotes
TV-IP572P, TV-IP572PI
TV-IP572W, TV-IP572WI
TV-IP672P, TV-IP672PI
TV-IP672W, TV-IP672WI
DCS-942L, DCS-5211L,
DCS-5222L Rev. A
unp_fw_TV-IP572PI.sh
repack-zImage

Seem to be rebranded Alphanetworks cameras

Bytes in firmware are swapped 32byte-wise (Big endian?).
Contains a zImage.
TV-IP512P, TV-IP512WN
TV-IP522P
TV-IP612P, TV-IP612WN
DCS-2121
DCS-3430, DCS-3411
DCS-5635, DCS-5605
unp_fw_DCS-56x5.sh

Seem to be rebranded Alphanetworks cameras

Some of the Firmware images seem to be "crypted" by inverting all bytes with the NOT operator.
Contains a cramfs which can be loop-mounted.
Blog entry on how to hack Firmware and gain telnet-access For some cameras, it is enough to enable telnet with
http://ipcam/cgi/admin/telnetd.cgi?command=on
user: root, pass: admin
TV-IP551WI, TV-IP551W
TV-IP651WI, TV-IP651W
DCS-930L, DCS-931L, DCS-932L unp_fw_DSC93x.sh Firmware contains an uimage including an lzma-compressed data which contains an lzma-compressed romfs starting at a fixed aligned boundary. This romfs is a cpio-archive you can unpack.
  DCS-3110
DCS-6111
FLC-1301, FLD-1101 unp_fw_DCS-6111.sh Firmware contains a gzipped file named initrd.
TV-IP110, TV-IP110W, TV-IP110WN
TV-IP121W, TV-IP121WN
TV-IP212, TV-IP212W
TV-IP252P, TV-IP262P
TV-IP312W, TV-IP312WN
TV-IP322P
TV-IP410, TV-IP410W, TV-IP410WN
TV-IP422, TV-IP422W, TV-IP422WN
TV-VS1, TV-VS1P
    fwunpack.pl from this blog Firmware contains a gzipped minix-image named rootfs.
TV-IP110WN v2, TV-IP121WN v2 DNR-326, DNR-322L   extract-ng.sh (firmware-mod-kit) Firmware contains lzma compressed squashfs.
  DCS-2130, DCS-2132L
DCS-2210, DCS-2230
DCS-2330L
DCS-2332L
DCS-3710, DCS-3716
DCS-5222L Rev. B
DCS-6511
DCS-6616
DCS-6815, DCS-6818
DVS-210, DVS-310
GXC-1710M (=APPRO LC7513)
GXB-1710M/IR
GXC-1720M
decode_fw.c, mount_jffs2.sh

This also applies to American Dynamics cameras, ADCi400-xxxx

Firmware is crypted using a vernam chiffre and has to be decrypted with my decode_fw.c
Contains jffs2 Filesystem containers which can be loop-mounted with mount_jff2.sh
Build instructions for fully featured GPL DCS-2130 firmware can be found in build_2130.sh
A security analysis of the DCS-2130 can be found in this thesis. (guest/guest always has viewing access!)
Some cameras like the DCS-2132L, DCS-2210, DCS-2332L have SSH open on Port 8992. Username: root, Password: tms320dm365.
Password for DCS-5222L, DCS-2330L, DCS-2132L v2: hi3518c
    PXD-2018 PTZ1080
PXC-2080
All Level1 cameras
unp_fw_PXD-2018.sh, mount_ubifs.sh Firmware contains a UBIFS image.
Eneo MIR series have enabled telnet by default and have no password set for root :)
PXC-2080 have root as root-password.
    ENEO-NXC1602   Username for telnetd: nseungjin1234, no password. login, then passwd root.

Sony
I also wroten an unpacker and decrypter for the firmware of Sony IP-cameras (i.e. SNC-CH120 and SNC-CH140), which is even able to repack a new firmware image!
If you want to have them, just write me an e-mail.
There is also an easy way to enable telnet, just ask, if you want to know :)
Some Sony SDK stuff can be found here

D-Link
D-Link GPL-Firmware is hard to find and downloads are partly broken, more information in this blog (They kindly mirrored the DCS-2130 firmware).
Most of these cameras can be controlled using the NIPCA-API

Tenvis
Here is my Firmware un- and repacker for their pk2 files: tenvis_pack.c

Edimax
The firmware of EDIMAX IP-cameras can be unpacked with firmware-mod-kit.

Brickcom
Telnet: Goto http://IP/systemGT.html , type telnetd in commandshell and enjoy root user with no password set.

Hisilicon
Here is my FLS file repacker: flspack.c
SIP-E200STA (based on Hi3516A): smtpack.c (Can easily be extended into a repacker if needed, but I was too lazy ;) )

Zavio
Telnet: http://IP/cgi-bin/admin/param?action=telnetd
User: root, no PW
On some other camera models, this will fail saying not implemented. They then have an SSHd running.
On these cameras, create a user named debugerofzavio with a password of your choice.
Then reboot camera and SSH to it, using the user and pass you just created.

HikVision
For unknown reasons, newer firmware is crypted with AES.
If you need a repacker and decrypter, feel free to ask :)

AvTech
Telnet can be enabled via ICMP packet: avtech.c

Airlive
For some models, like the AirLive BU-720, MD-720, DM-720, you can try:
Telnet: http://IP/cgi-bin/admin/param?action=update&telnetd=23
23 is the port where to run telnetd on. User: root, no PW

If you have questions or comments, just drop me a line.

Information is provided in the hope that it is useful for people purchasing the cams who want to adapt the firmware
to their needs (all firmware uses GPLed Software anyway). As I'm not providing any copyrighted material and I'm just
providing information how to unpack the firmware, I hope that there are no legal issues with this information.
If you are a camera vendor and think, I'm wrong with my assumption, please contact me via e-mail.