2

I'm currently trying to reverse engineer the firmware for the Swann DVR16-4500 security camera system. I successfully extracted the cramfs filesystem and now I have the following files inside the cramfs-root directory:

-rw-r--r-- 1 root root 2289232 Dec 31  1969 gui_res.tar.lzma
-rwxr-xr-x 1 root root     744 Dec 31  1969 new_10.bin
drwxr-xr-x 2 root root    4096 Dec 15  2015 Player_ml
-rwxr-xr-x 1 root root  824944 Dec 31  1969 player.zip
-rwxr-xr-x 1 root root    2936 Dec 31  1969 start.sh
-rw-r--r-- 1 root root 6213824 Dec 31  1969 sys_app.tar.lzma
-rwxr-xr-x 1 root root 3585544 Dec 31  1969 uImage
-rwxr-xr-x 1 root root 1881320 Dec 31  1969 WebComponents.exe
-rwxr-xr-x 1 root root  689296 Dec 31  1969 webs.tar.lzma

I tried using unlzma and tar --lzma -xvf to extract the *.tar.lzma files, but I had no luck. I came across this post which suggested running the kernel in an emulator in the hopes of finding the necessary extraction tools there. I've been tearing through QEMU documentation and online videos but I can't figure out exactly what I need to do to get QEMU to run the uImage kernel using qemu-system-arm. What do I need to do in order to get the kernel to run?

Adam Nichols
  • 21
  • 2
  • 3
    what happened when you ran tar --lzma xvf <file>? Were there error messages? What was the output? Did you run the file command against the *.tar.lzma files? If so, what were the results, and were the results manually verified? Did you inspect a hex dump of any of the *.tar.lzma files? If so what were the results? – julian Apr 10 '17 at 00:53
  • what does file say on uImage? – Igor Skochinsky Apr 10 '17 at 09:32
  • When I run tar --lzma xvf I get the following response: xz: (stdin): File format not recognized tar: Child returned status 1 tar: Error is not recoverable: exiting now the file command just says all of the files are "data". When I run lzmainfo the command is satisfied that it is an lzma file, but it says that the file will be over a petabyte when it's uncompressed, similar to the post I referenced above. ` – Adam Nichols Apr 10 '17 at 12:00
  • When I run file on the uImage file I get the following response: `uImage: u-boot legacy uImage, Linux-3.10.0, Linux/ARM, OS Kernel Image (Not compressed), 3585480 bytes, Thu Mar 10 11:17:03 2016, Load Address: 0x40008000, Entry Point: 0x40008000, Header CRC: 0x253B9638, Data CRC: 0x5C656DD5 – Adam Nichols Apr 10 '17 at 12:05
  • Sorry, just speculating here. But IIRC there's a difference between .tar.xz and .tar.lzma ... and in fact the man page strongly suggests that the resulting archive is filtered through xz or lzma respectively, although both use LZMA as the compression algorithm. Also, do you have xz installed? xzdec or xz-utils on Debian/Ubuntu. – 0xC0000022L Jun 15 '18 at 19:40

0 Answers0