Firmware unpackers for IP cameras

Unpacking D-Link and Trendnet firmware

Here are the unpack scripts I wrote for D-Link and Trednet IP-cameras.
Most unpacker Shellscripts need binwalk

Trendnet	D-Link	Eneo	Unpacker script	Notes
TV-IP572P, TV-IP572PI TV-IP572W, TV-IP572WI TV-IP672P, TV-IP672PI TV-IP672W, TV-IP672WI	DCS-942L, DCS-5211L, DCS-5222L Rev. A		unp_fw_TV-IP572PI.sh repack-zImage	Seem to be rebranded Alphanetworks cameras Bytes in firmware are swapped 32byte-wise (Big endian?). Contains a zImage.
TV-IP512P, TV-IP512WN TV-IP522P TV-IP612P, TV-IP612WN	DCS-2121 DCS-3430, DCS-3411 DCS-5635, DCS-5605		unp_fw_DCS-56x5.sh	Seem to be rebranded Alphanetworks cameras Some of the Firmware images seem to be "crypted" by inverting all bytes with the NOT operator. Contains a cramfs which can be loop-mounted. Blog entry on how to hack Firmware and gain telnet-access For some cameras, it is enough to enable telnet with http://ipcam/cgi/admin/telnetd.cgi?command=on user: root, pass: admin
TV-IP551WI, TV-IP551W TV-IP651WI, TV-IP651W	DCS-930L, DCS-931L, DCS-932L		unp_fw_DSC93x.sh	Firmware contains an uimage including an lzma-compressed data which contains an lzma-compressed romfs starting at a fixed aligned boundary. This romfs is a cpio-archive you can unpack.
	DCS-3110 DCS-6111	FLC-1301, FLD-1101	unp_fw_DCS-6111.sh	Firmware contains a gzipped file named initrd.
TV-IP110, TV-IP110W, TV-IP110WN TV-IP121W, TV-IP121WN TV-IP212, TV-IP212W TV-IP252P, TV-IP262P TV-IP312W, TV-IP312WN TV-IP322P TV-IP410, TV-IP410W, TV-IP410WN TV-IP422, TV-IP422W, TV-IP422WN TV-VS1, TV-VS1P			fwunpack.pl from this blog	Firmware contains a gzipped minix-image named rootfs.
TV-IP110WN v2, TV-IP121WN v2	DNR-326, DNR-322L		extract-ng.sh (firmware-mod-kit)	Firmware contains lzma compressed squashfs.
	DCS-2130, DCS-2132L DCS-2210, DCS-2230 DCS-2330L DCS-2332L DCS-3710, DCS-3716 DCS-5222L Rev. B DCS-6511 DCS-6616 DCS-6815, DCS-6818 DVS-210, DVS-310	GXC-1710M (=APPRO LC7513) GXB-1710M/IR GXC-1720M	decode_fw.c, mount_jffs2.sh	This also applies to American Dynamics cameras, ADCi400-xxxx Firmware is crypted using a vernam chiffre and has to be decrypted with my decode_fw.c Contains jffs2 Filesystem containers which can be loop-mounted with mount_jff2.sh Build instructions for fully featured GPL DCS-2130 firmware can be found in build_2130.sh A security analysis of the DCS-2130 can be found in this thesis. (guest/guest always has viewing access!) Some cameras like the DCS-2132L, DCS-2210, DCS-2332L have SSH open on Port 8992. Username: root, Password: tms320dm365. Password for DCS-5222L, DCS-2330L, DCS-2132L v2: hi3518c
	DNR-202L		appro_decrypt.c, appro_unpack.c	This also applies to cameras based on Appro DMS-3011, DMS-3014, LC-7211, LC-7213, LC-7214, LC-7215, NVR-2018, NVR-2028, DMS-3016, PVR-3031, LC-7224, LC-7225, DMS-3009, DMS-3004 Firmware is crypted using consecutive XOR (by a tool called B2X.EXE and has to be decrypted with my appro_decrypt.c Contains Filesystem as .tar.gz, GPL source is available from D-Link which also contains firmware updater, for simple unpacking use by appro_unpack.c
		PXD-2018 PTZ1080 PXC-2080 All Level1 cameras	unp_fw_PXD-2018.sh, mount_ubifs.sh	Firmware contains a UBIFS image. Eneo MIR series have enabled telnet by default and have no password set for root :) PXC-2080 have root as root-password.
		ENEO-NXC1602		Username for telnetd: nseungjin1234, no password. login, then passwd root.
	DCS-8000LH, DCS-825L DCS-936L		Howto unpack

Sony
I also wrote an unpacker and decrypter for the firmware of Sony IP-cameras (i.e. SNC-CH120 and SNC-CH140), which is even able to repack a new firmware image!
If you want to have them, just write me an e-mail.
There is also an easy way to enable telnet, just ask, if you want to know :)
Some Sony SDK stuff can be found here

D-Link
D-Link GPL-Firmware is hard to find and downloads are partly broken, more information in this blog (They kindly mirrored the DCS-2130 firmware).
Most of these cameras can be controlled using the NIPCA-API

Tenvis
Here is my Firmware un- and repacker for their pk2 files: tenvis_pack.c

Edimax
The firmware of EDIMAX IP-cameras can be unpacked with firmware-mod-kit.

Brickcom
Telnet: Goto http://IP/systemGT.html , type telnetd in commandshell and enjoy root user with no password set.

Hisilicon
Here is my FLS file repacker: flspack.c
SIP-E200STA (based on Hi3516A): smtpack.c (now with repacker as requested)

Zavio
Telnet: http://IP/cgi-bin/admin/param?action=telnetd
User: root, no PW
On some other camera models, this will fail saying not implemented. They then have an SSHd running.
On these cameras, create a user named debugerofzavio with a password of your choice.
Then reboot camera and SSH to it, using the user and pass you just created.

AvTech
Telnet can be enabled via ICMP packet: avtech.c

Airlive
For some models, like the AirLive BU-720, MD-720, DM-720, you can try:
Telnet: http://IP/cgi-bin/admin/param?action=update&telnetd=23
23 is the port where to run telnetd on. User: root, no PW

If you have questions or comments, just drop me a line.

Information is provided in the hope that it is useful for people purchasing the cams who want to adapt the firmware
to their needs (all firmware uses GPLed Software anyway). As I'm not providing any copyrighted material and I'm just
providing information how to unpack the firmware, I hope that there are no legal issues with this information.
If you are a camera vendor and think, I'm wrong with my assumption, please contact me via e-mail.