Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


DeathCamel57 last won the day on June 9 2023

DeathCamel57 had the most liked content!

Community Reputation

1 Neutral

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. DeathCamel57

    Just introducing myself

    I'm Dylan, a software developer and linux kernel enthusiast. I ran across here while researching my DVR box. I'm currently working on updating the BSP (board support package) for the Hisilicon Hi3520D V200. My goal is to be able to run a modern U-Boot and Kernel on this device and establish Yocto support to allow customized firmware to be easily developed. Hisilicon's BSP only supports Linux 3.0.11, and I have updated the BSP to Linux 3.0.101 successfully. I'm currently working on updating this BSP to 6.x. I recently bought a Hi3536 based NVR as my next BSP porting project, but that's on the backburner until this one is complete.
  2. DeathCamel57

    K9604-W Bypass Firmware Verification

    Just thought I'd chime in about `K9604`/`NVR0408` device firmwares. There are two types of headers for the ROMs for this device. There's the `JUAN` header, and the non-`JUAN`. (It's been a few months since I was working with the firmware in Ghidra, so forgive me for not remembering the other firmware). From what I saw in `dvr_app`'s firmware upgrade function, it checks the header to determine which firmware decryption function to run. Since you're modifying the header, without unpacking and repacking the data, the new firmware file will not be encrypted properly, so it won't take the upgrade. Honestly, your best bet if you're *really* trying to do this is to get a CH341A flash programmer, backup the rom, and flash a dump from another system. You won't really find this flash dump online, but can provide the ROM dump for the `NVR0408`/`K9604-W` system (motherboard `HI3520D_V318P3_NVR0408`) if you need it. This file is like 16MB large, so I can't just attach it here.
  3. The telnet password is likely `j1/_7sxw` (without the backticks). This is a fairly common password for devices created by JUAN.
  4. I actually did some work on one of these devices for a friend. I took a dump of the firmware from my live device, and did some digging, and here's what I found: There are two sets of firmware for the `K9604-W`/`NVR0408`. I have a `JUAN` system. Since I don't have the other type of device, I can't test the other firmware. Here's an undocumented reset I found for the `JUAN` firmware. Using a USB flash drive, create a text file called `restore_factory_config_is_dangerous` on the flash drive (no extension). You have two options here depending on what you want to do. Open that text file, and put `2012` as the only text in it (no new line) if you want to restore the factory config. Open that text file, and put `2017` as the only text in it (no new line) if you want to restore the factory config, and reset the user database to the initial state. Reboot the device. Before the firmware loads the UI, it should wipe the data necessary to restore the configs/users, then reboot. Make sure you unplug the USB after the reboot. This is because it expects the `dvr_app` to be located on the flash drive (which it won't be), so the UI and such will be broken. More information about how I came upon this can be found on my blog at RandomCPU Night Owl DVR Reset