Firstly, I want to say thanks to @montecrypto and @alastairstevenson for supporting this tool. I've used it to modify the firmware and give myself root non-psh shells on 3 rebadged bullet cams in the past (5.3-5.4ish fw) and wouldn't have stuck with Hikvision cams if not for this. I've recently bought an OEM DS-2DE2A404IW-DE3 which came with 5.5.6 prepackaged, and I've since updated to 5.6.0 (since that was the only available downloadable firmware I could find). This appears to be an R7 model. Is there any plan to support this with this tool? Using R6 type seems to allow it to unpack, but it gives me an error when repacking, and I'm unable to get rebuilt firmware to load, yet the original seems to do okay.
Code:
$ ../hikpack_2.5/hikpack -t r6 -x digicap.dav -o 5.6.0/
Magic : 484b3230
hdr_crc : 000028b8 (OK)
frm_flg : 1210050031141110011
Magic : 484b3330
hdr_crc : c0bc25cd (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
File: _cfgUpgClass, CRC OK
File: uImage, CRC OK
File: hik_ar9331.bin, CRC OK
File: hik_ar9331_1.bin, CRC OK
File: initrun.sh, CRC OK
File: sysVersion.bin, CRC OK
File: r7_modules.tgz, CRC OK
File: WebComponents.exe, CRC OK
File: IEfile.tar.gz, CRC OK
File: r7_app.tar.gz, CRC OK
File: sound.tar.gz, CRC OK
File: help.tar.gz, CRC OK
File: SoftwareLicense.txt, CRC OK
File: cap.json, CRC OK
File: MOTOR_APP, CRC OK
File: MOTOR_APP1, CRC OK
File: MOTOR_APP2, CRC OK
$
I've tested with simply repacking without modifying anything:
Code:
$ ../hikpack_2.5/hikpack -L 1 -V 0x05060000 -t r6 -p digicap.testorig.dav -o 5.6.0/
File: _cfgUpgClass, CRC OK
File: uImage, CRC OK
File: hik_ar9331.bin, CRC OK
File: hik_ar9331_1.bin, CRC OK
File: initrun.sh, CRC OK
File: sysVersion.bin, CRC OK
File: r7_modules.tgz, CRC OK
File: WebComponents.exe, CRC OK
File: IEfile.tar.gz, CRC OK
File: r7_app.tar.gz, CRC OK
File: sound.tar.gz, CRC OK
File: help.tar.gz, CRC OK
File: SoftwareLicense.txt, CRC OK
File: cap.json, CRC OK
File: MOTOR_APP, CRC OK
File: MOTOR_APP1, CRC OK
File: MOTOR_APP2, CRC OK
*** WARNING *** HK30 header is missing firmware flags
Magic : 484b3330
hdr_crc : 9af48fb7 (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
*** WARNING *** HK20 record header is missing firmware flags
Magic : 484b3230
hdr_crc : 000027d4 (OK)
frm_flg : 1210050031141110011
$
Attempting to flash this file gives me an error:
Code:
$ curl -X PUT --digest -T digicap.testorig.dav -u admin:XXXXX http://XX.XX.XX.XX/ISAPI/System/updateFirmware
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<requestURL>/ISAPI/System/updateFirmware</requestURL>
<statusCode>6</statusCode>
<statusString>Invalid Content</statusString>
<subStatusCode>badDevType</subStatusCode>
</ResponseStatus>
$
Yet flashing the original file with the same language works okay:
Code:
$ curl -X PUT --digest -T digicap.dav -u admin:XXXXX http://XX.XX.XX.XX/ISAPI/System/updateFirmware
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<requestURL>/ISAPI/System/updateFirmware</requestURL>
<statusCode>7</statusCode>
<statusString>Reboot Required</statusString>
<subStatusCode>rebootRequired</subStatusCode>
</ResponseStatus>
$
I'm using the firmware hosted here:
DOWNLOAD EU PORTAL
I have a good set of Linux skills, and I'm handy with a USB->serial/JTAG adapter and a soldering iron. If there's something more I can provide, please let me know. My goal is to root this, change psh->ash, and rebuild busybox with more commands to replace the built-in busybox.
edit:
I've managed to enable SSH with the ClientDemoEn tool, though as expected, it's limited to psh.
Code:
# help
Support Commands:
taskShow printPart prtHardInfo
getPreviewStatus setIp setV6ip
setGateway dspStatus outputClose
outputOpen getDebug setDebug
debugLog getIrstate getMtu
camCmd getCamVer getLux
getMcuInfo getMotion getRawdata
setIrcmd setRectFrame updateCamera
setLaserMode getLaserMode setIrMode
getIrMode setBaiguangMode getBaiguangMode
setYTLock InquireFanSwitch StartLaser
CloseLaser LaserMotReset EnlargeCur
ReduceCur SetCur LaserMotDirect
LaserTeleOffset LaserWideOffset InqSwitch
InqCurrent InqCurMotDirect getMcuStateInfo
setFastFocus getTrackStatus getSelfcheckResult
setLdcMode getLdcMode appCmd
ezoomlens_start_t2_test prtLensCurve getLensCurve
getIp gdbcfg {Test1}
{Test2} {Test3} {Test4}
{TestN} {TestY} setAgingMode
getAgingMode setAgingTime getAgingTime
setLensZoomPos getLensZoomPos showKey
showServer showUpnp showStatus
showDefence setLBS setAlarm
cloudService t1 sandbox
ifconfig netstat ping
ping6 top iostat
mpstat ps reset
dmesg wl iwpriv
iperf setWifiEnable getWifiInfo
exit getDateInfo diagnose
diag help debug
#
I've also got TTY access, but the commands on U-Boot are very minimal, and it doesn't seem to allow flashing a lower version of firmware. Has anybody worked with R7 devices yet and gotten any further?
Code:
HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS #
Also, it appears that doing setenv/saveenv/reset doesn't persist changes to the environment. I suspect there may be a way to get it to read from the SD card slot, as I've seen some comments in the past that people were able to update uImage this way, but I've had no luck. It appears I need a sec.bin to tell it to go to an address.
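To see what a no-change repack actually alters, the two header dumps quoted in the post can be compared field by field. This is an added example, not part of the original post or of hikpack; it parses only the hikpack output lines shown above (embedded as constructed sample input), and the function names are hypothetical.

```python
import re
# Constructed input: the header lines of the two hikpack runs quoted in the post.
ORIGINAL = """\
Magic : 484b3230
hdr_crc : 000028b8 (OK)
frm_flg : 1210050031141110011
Magic : 484b3330
hdr_crc : c0bc25cd (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
"""
REPACKED = """\
*** WARNING *** HK30 header is missing firmware flags
Magic : 484b3330
hdr_crc : 9af48fb7 (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
*** WARNING *** HK20 record header is missing firmware flags
Magic : 484b3230
hdr_crc : 000027d4 (OK)
frm_flg : 1210050031141110011
"""
# "key : value" with whitespace before the colon; "File: ..." and warning lines do not match.
FIELD = re.compile(r"^(\w+)\s+:\s+(\S+)")

def parse_headers(text):
    """Group header fields under the Magic value that precedes them."""
    headers, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Magic":
            current = headers.setdefault(m.group(2), {})
        elif m and current is not None:
            current[m.group(1)] = m.group(2)
    return headers

def diff_headers(a, b):
    """Return {magic: {field: (value_in_a, value_in_b)}} for every field that differs."""
    out = {}
    for magic in sorted(set(a) | set(b)):
        fa, fb = a.get(magic, {}), b.get(magic, {})
        out[magic] = {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}
    return {m: d for m, d in out.items() if d}
if __name__ == "__main__":
    print(diff_headers(parse_headers(ORIGINAL), parse_headers(REPACKED)))
```

On the quoted output, the only printed fields that differ between the original and the repacked image are the two hdr_crc values; version, lang_id, date and frm_flg are identical.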