Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
How to change the number [2] CN to [1] EN? What is the CMD command?
Here you go :
Code:
C:\Users\admin\Documents\firmware>hiktools05r1 lang digicap_sample.dav 1


 HIK firmware header converter 0.5R

Head raw data(108b) :
00000000 E9 9A F7 B6 A6 14 DD D3 86 BC A3 AB A2 CB B5 BE    ................
00000010 CF BC FE D6 C8 DD D3 BA B8 A3 AB BF 34 4A 41 45    ............4JAE
00000020 7B 52 E0 CB 2C 98 B8 B9 A3 AB BC CE 84 8F 8E FD    {R..,...........
00000030 CE E3 FA ED E0 8B 88 92 9A 8E FA 85 8E 88 FC BC    ................
00000040 89 A9 BB B4 EF C9 C4 F8 DA A8 E5 D2 C9 CD BC FE    ................
00000050 CA DD D3 BA B9 A3 AB BF CB B5 BE BA CD BC FE D6    ................
00000060 E1 D6 BA B9 C3 A2 BF CB 79 2E BE CD

Head decoded data(108b) :
00000000 53 57 4B 48 70 DE 00 00 3C 05 00 00 1D 00 00 00    SWKHp...<...?...
00000010 02 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF    ................
00000020 C7 AC 36 01 F1 4B 02 00 00 00 03 05 31 31 34 30    ..6..K......1140
00000030 30 35 30 30 33 31 31 31 31 31 31 30 30 32 31 00    050031111110021.
00000040 5F 63 66 67 55 70 67 53 65 63 50 6C 73 00 00 00    _cfgUpgSecPls...
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000060 3C 05 00 00 60 09 00 00 CC 90 04 00

Magic number :    0x484B5753
iHeaderCheckSum : 0x0000DE70 [56944]
iHeadTotalLen :   0x0000053C [1340]
iFileNum :        0x0000001D [29]
iLanguage :       0x00000002 [2] CN
iDeviceClass :    0x00000002
iOEMCode :        0x00000001
iFirmwareVer :    0xFFFFFFFF
iFeature:         0x0136ACC7
Calculated CheckSum :        0x0000DE70 [56944]

Full decoded data (with full files block):
00000000 53 57 4B 48 70 DE 00 00 3C 05 00 00 1D 00 00 00    SWKHp...<...?...
<<snip>>
00000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000530 0E 73 32 01 B9 39 04 00 B6 6A 2C 01
Language changed to 1
C:\Users\admin\Documents\firmware>
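As an added worked example (not part of the post above, and not hiktools' own code): the two dumps are enough to recover how the header is obfuscated. XORing the first row of the raw header with the first row of the decoded header gives a 16-byte key, and checking every one of the 108 byte positions in the dump against that key shows the key index slides one position to the left for each 16-byte row. The script below embeds the two dumps from the post as its sample data, reconstructs that keystream, parses the fields hiktools names, and rewrites iLanguage at offset 0x10 the way `hiktools lang digicap_sample.dav 1` does. The rotation rule is inferred from this single sample, the two ASCII strings at 0x2C and 0x40 are only reported as observed (the post does not name them), and the header checksum is deliberately not recomputed: it covers the whole iHeadTotalLen block, which is snipped on the page, so leave that step to the tool.

```python
"""Decode the 108-byte DAV header dumped above and rewrite its language field.

Added example, not hiktools code. The 16-byte XOR key is what raw ^ decoded gives
for the first row of the dump; the per-row rotation is inferred from the sample.
"""
import struct

# Raw and decoded header bytes transcribed from the hiktools output in the post.
RAW_HEADER = bytes.fromhex(
    "E99AF7B6A614DDD386BCA3ABA2CBB5BE" "CFBCFED6C8DDD3BAB8A3ABBF344A4145"
    "7B52E0CB2C98B8B9A3ABBCCE848F8EFD" "CEE3FAEDE08B88929A8EFA858E88FCBC"
    "89A9BBB4EFC9C4F8DAA8E5D2C9CDBCFE" "CADDD3BAB9A3ABBFCBB5BEBACDBCFED6"
    "E1D6BAB9C3A2BFCB792EBECD"
)
DECODED_HEADER = bytes.fromhex(
    "53574B4870DE00003C0500001D000000" "020000000200000001000000FFFFFFFF"
    "C7AC3601F14B02000000030531313430" "30353030333131313131313030323100"
    "5F636667557067536563506C73000000" "00000000000000000000000000000000"
    "3C05000060090000CC900400"
)

# raw[0:16] ^ decoded[0:16] from the dump above.
HDR_XOR_KEY = bytes.fromhex("BACDBCFED6CADDD3BAB9A3ABBFCBB5BE")


def recover_xor_key(raw, decoded):
    """XOR of the first 16 bytes of a raw/decoded pair; how HDR_XOR_KEY was found."""
    return bytes(a ^ b for a, b in zip(raw[:16], decoded[:16]))


def header_keystream(length, key=HDR_XOR_KEY):
    """Key byte for position i is key[(i + i // 16) % 16]: the key slides one
    position left for every 16-byte row (inferred from the 108-byte sample)."""
    return bytes(key[(i + i // 16) % 16] for i in range(length))


def xor_header(data, key=HDR_XOR_KEY):
    """Obfuscate or de-obfuscate a header; XOR is its own inverse."""
    return bytes(a ^ k for a, k in zip(data, header_keystream(len(data), key)))


# Fixed fields, little-endian, in the order hiktools prints them.
HDR_FMT = "<4sIIIIIIII"
HDR_FIELDS = ("magic", "checksum", "total_len", "file_num", "language",
              "device_class", "oem_code", "firmware_ver", "feature")
LANG_OFFSET = 0x10
LANG_NAMES = {1: "EN", 2: "CN"}


def parse_header(decoded):
    fields = dict(zip(HDR_FIELDS, struct.unpack_from(HDR_FMT, decoded, 0)))
    # Two NUL-terminated ASCII strings are visible at 0x2C and 0x40 in the dump;
    # the post does not name them, so they are reported only as observed strings.
    fields["str_0x2c"] = decoded[0x2C:].split(b"\x00", 1)[0].decode("ascii")
    fields["str_0x40"] = decoded[0x40:].split(b"\x00", 1)[0].decode("ascii")
    return fields


def set_language(decoded, lang):
    """Return a copy with iLanguage rewritten. The checksum is NOT updated here:
    it covers the full iHeadTotalLen block, which the post snips."""
    if lang not in LANG_NAMES:
        raise ValueError("unknown language code %r" % (lang,))
    return decoded[:LANG_OFFSET] + struct.pack("<I", lang) + decoded[LANG_OFFSET + 4:]


def change_language_raw(raw, lang):
    """What 'hiktools lang digicap.dav <n>' does to the header bytes, minus checksum."""
    return xor_header(set_language(xor_header(raw), lang))


if __name__ == "__main__":
    hdr = parse_header(xor_header(RAW_HEADER))
    for name, value in hdr.items():
        print("%-13s %s" % (name, hex(value) if isinstance(value, int) else value))
    print("language      %d %s" % (hdr["language"], LANG_NAMES[hdr["language"]]))
    patched = change_language_raw(RAW_HEADER, 1)
    print("raw byte 0x10: 0x%02X -> 0x%02X" % (RAW_HEADER[0x10], patched[0x10]))
```

Because only one header byte changes (raw 0xCF becomes 0xCC once the language word is 1 instead of 2), a before/after diff of a real digicap.dav edited by hiktools should show that byte plus whatever the tool does to the checksum field at offset 4; if more changes than that, something else was touched.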
 
Joined
Sep 21, 2018
Messages
13
Reaction score
0
Location
Slovenia
Read a lot, but I did not find anywhere how to add or edit firmware so that I can add a new language on my own. So I would like to make a translation to a non-existing language.

Also, how to edit IP video intercom firmware?
 

samy2189

n3wb
Joined
Oct 21, 2018
Messages
2
Reaction score
0
Location
Philippines
How to edit Hikvision intercom indoor monitor firmware language from 1 to 2 using hiktools? I tried a lot, but it shows access denied, or path incorrect, or unable to open dav file. Please help.
I am trying on firmware 1.4.71.
My monitor is the Chinese version, so I am trying to change the language from 1 to 2 so I can upgrade using batch configuration.
 
Joined
Nov 9, 2018
Messages
1
Reaction score
0
Location
malta
Hi all,

New to this forum...
Any way of changing DS-2CD3345P1 to English?
Managed to connect to NVR using ONVIF.

Any suggestions please?

Thanks in advance
 

sumguy

Getting the hang of it
Joined
Jan 23, 2016
Messages
106
Reaction score
21
What are my options as far as changing the language on a DS-2CD3346DWD-I from Chinese to English? The firmware it has is V5.5.12 build 180102. It does not answer ssh when using telnet (if ssh is functional will it at least appear to be open with telnet?). It appears to be listening on port 9010 and 9020 seems to return some XML. So given all that, what are my options as far as hacking the firmware to change the language to English? I could do some jtag stuff if this is known to work.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
what are my options as far as hacking the firmware to change the language to English?
In reality they are strictly limited or non-existent now that Hikvision are using security chips to hold the camera-specific hardware info, and requiring correctly signed firmware for any updates.
 

Chris BC

n3wb
Joined
Mar 3, 2019
Messages
12
Reaction score
0
Location
AZ
Hmmm, so does this answer my question in the other thread? Hikvision has now locked things down such that firmware tweaks are not possible? Not even changing an OEM version camera so it can be upgraded with branded firmware?

Not sure I need this anytime soon, as the OEM seller I bought from did have firmware updates. But I can't be 100% sure everything lines up. My OEM version of the DS-2CD2685FWD-IZS only does 15 fps where Hikvision's data sheet for the branded camera shows 20 fps. (Yes, actually, I do want 20 fps at 4K, and would opt for 30 fps at 4K if it came in a sub $500 camera.) On the other hand the 4K dome camera model DS-2CD2785FWD-IZS offers the same 20 fps listed for the branded one.
 

supe

n3wb
Joined
Dec 19, 2016
Messages
10
Reaction score
1
Spent some hours reading through this thread, but didn't find a solution to flashing a Laview NVR LV-N9308-W with firmware v3.3.0 to the OEM Hikvision DS-7108NI-E1VW firmware 3.3.0, so as to later update to FW 3.4.80. I used the hiktools to split the OEM firmware, which created a cramfs.img file, and then created a new file with the header from the Laview FW, but this did not work using web or tftp update. I tried extracting the content of the cramfs.img file, replaced the uImage file with the one from the Laview firmware and created the new FW, but it still fails with something about opcode 2 when using tftp.

Any guidance on whether what I'm trying to do is at all possible would be appreciated.

Thanks in advance.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I used the hiktools to split the OEM firmware which created a cramfs.img file and then create a new file with the header from the Laview FW, but this did not work using web or tftp update.
There are a couple of files that do integrity checking, new_10.bin inside the cramfs.img and new_20.bin on the end of the firmware wrapper.
These files are encrypted, and hold hashed values of the individual files and the cramfs.img respectively.
If using Hiktools - you'd need to decrypt, update, encrypt and pack manually.

If you use @montecrypto's repacker, new_20.bin is handled automatically, and you can use the decryption / encryption facilities in the tool for new_10.bin.
[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
That might work - but it depends on whether the OEM flag, if any, is validated and respected by the 'update' programs in the NVR.
 

supe

n3wb
Joined
Dec 19, 2016
Messages
10
Reaction score
1
There are a couple of files that do integrity checking, new_10.bin inside the cramfs.img and new_20.bin on the end of the firmware wrapper.
These files are encrypted, and hold hashed values of the individual files and the cramfs.img respectively.
If using Hiktools - you'd need to decrypt, update, encrypt and pack manually.

Ok cool, thanks for clarifying the process. I'm new to this but like to tinker; is there a guide somewhere I can follow to do those steps?

So I've been browsing the unpacker/packer thread for guidance, but it's not easy to follow for my specific goal. Would this tool do what I need, or is there some other method I should be researching?

Links to the Laview firmware I have installed now, and the OEM Hikvision firmware I'm trying to change to:

https://www.laviewsecurity.com/files/firmware/NVR LV-N9308-W v3.3.0 151124 FVNW1512.rar

http://www.hikvisioneurope.com/portal/portal/Technical Materials/02 NVR/00 Product Firmware/08 Wifi NVR/7100K1-W-M/[7108NI-E1-V-W] New WIFI NVR/V3.3.0 bulid150508 English/NVR_EXX_BL_EN_STD_V3.3.0_150508.zip



 

Ivan1985

n3wb
Joined
May 6, 2019
Messages
19
Reaction score
12
Location
Russia
How to edit Hikvision intercom indoor monitor firmware language from 1 to 2 using hiktools? I tried a lot, but it shows access denied, or path incorrect, or unable to open dav file. Please help.
I am trying on firmware 1.4.71.
My monitor is the Chinese version, so I am trying to change the language from 1 to 2 so I can upgrade using batch configuration.
Hi samy2189,

There are 2 files used by an AliExpress seller to update the Chinese DS-KH8301-WT intercom indoor monitor to the English language.
1. VIS_11_H5_INDOOR_STD_V1.5.0_181101 has the Chinese version language attribute in the DAV header file.
It can be loaded by using the batch configuration tool or by the tftp tool, if you already updated the intercom firmware to the original English version and got a Chinese interface.
This firmware forces the device version to English and does a full configuration reset, so the device has to be activated after the firmware upgrade.

2. VIS_11_H5_INDOOR_STD_V1.5.0_181102 has the English version language attribute in the DAV header file.
It may be loaded by using the batch configuration tool, if you still have the patched English firmware on your device, but it may not be loaded by the tftp tool (because of the English version language attribute in the DAV header file).
This firmware forces the device version to English, but the configuration reset is not done.

Note: I think that these firmware versions are unofficial releases provided by Hikvision, because all firmware fixes are done at compile time.
The language code fix is done in "GET_BOOT_PARAMS" function by forcing language code to 1.
 

Attachments

Ivan1985

n3wb
Joined
May 6, 2019
Messages
19
Reaction score
12
Location
Russia
Sorry @pepeEL, I may not be able to help you with FW for camera DS-2CD2035, but I can share my experience with the DS-KH8301-WT intercom indoor monitor based on the H5 platform.

1. I downloaded firmware VIS_11_H5_INDOOR_EN_STD_V1.5.0_180622 from www.hikvisioneurope.com/portal and tried to unpack it by using the hikpack tool, but this tool does not support the intercom indoor monitors, so I used fwtype = k41:
hikpack -t k41 -x digicap.dav -o img
Magic : 484b5753
hdr_crc : 00001bd4 (OK)
lang_id : 00000001
date_hex: 00000000
devclass: 000003e8
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 64 bytes, maybe firmware id?

2. There were 3 extracted files:
cramfs.img - Compressed ROMFS file
dav_header - Header file (108 bytes)
dav_extra_tail - extra tail (64 bytes)

The header file format is clearly defined in the forum.

4. dav_extra_tail file analysis for H5 platform devices:
- offset 0x00: 16 bytes, MD5 hash of cramfs.img file
- offset 0x10: 4 bytes (little endian) -> size of the next (FW ID) field in 16-bit words
- offset 0x14: maybe FW ID?

5. The next task was to create firmware packer/unpacker:
I found the Python scripts to unpack/repack the DAV files for the IPC R0 series
(neobit/hikvision) and updated these scripts for the intercom indoor monitor H5 series (attached).
Python 3 and the cryptodome Python library are needed to run the scripts.
 

Attachments
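An added example for the 64-byte dav_extra_tail layout in point 4 above (my code, not the post's scripts): it assembles a tail from a constructed payload and firmware-ID string, parses it back, and verifies the stored MD5 against the payload. That MD5 check is the one thing you want to re-run after repacking cramfs.img, since a stale digest in the tail is an obvious reason for a rejected update (the post does not say whether the device enforces it). The meaning of the field at 0x14 is Ivan's guess, so the code treats it as an opaque byte string whose length is the 0x10 word count times two; zero-filling the rest of the 64 bytes is my assumption.

```python
"""Build and verify the 64-byte dav_extra_tail described above.

Added example, not from the post's scripts. Layout per the post: 16-byte MD5 of
cramfs.img at 0x00, little-endian 32-bit count of 16-bit words at 0x10, then the
(presumed) firmware-ID field at 0x14; zero fill to 64 bytes is my assumption.
"""
import hashlib
import hmac
import struct

TAIL_LEN = 64
MD5_OFF, COUNT_OFF, FWID_OFF = 0x00, 0x10, 0x14


def build_extra_tail(cramfs, fw_id):
    """md5(cramfs) | LE32 word count | fw_id | zero fill, exactly 64 bytes."""
    if len(fw_id) % 2:
        raise ValueError("fw_id is counted in 16-bit words, so it needs an even length")
    if FWID_OFF + len(fw_id) > TAIL_LEN:
        raise ValueError("fw_id does not fit in the tail")
    tail = hashlib.md5(cramfs).digest() + struct.pack("<I", len(fw_id) // 2) + fw_id
    return tail.ljust(TAIL_LEN, b"\x00")


def parse_extra_tail(tail):
    if len(tail) != TAIL_LEN:
        raise ValueError("tail must be %d bytes" % TAIL_LEN)
    words, = struct.unpack_from("<I", tail, COUNT_OFF)
    end = FWID_OFF + 2 * words
    if end > TAIL_LEN:
        raise ValueError("word count %d runs past the end of the tail" % words)
    return {"md5": tail[MD5_OFF:MD5_OFF + 16], "words": words, "fw_id": tail[FWID_OFF:end]}


def verify_extra_tail(tail, cramfs):
    """True when the stored MD5 matches the cramfs bytes; run this after repacking."""
    return hmac.compare_digest(parse_extra_tail(tail)["md5"], hashlib.md5(cramfs).digest())


# Constructed sample: not a real cramfs image, just bytes to hash.
SAMPLE_CRAMFS = b"\x45\x3d\xcd\x28" + b"constructed cramfs payload " * 4
SAMPLE_FW_ID = b"VIS_11_H5_INDOOR"

if __name__ == "__main__":
    tail = build_extra_tail(SAMPLE_CRAMFS, SAMPLE_FW_ID)
    print(parse_extra_tail(tail))
    print("md5 ok:", verify_extra_tail(tail, SAMPLE_CRAMFS))
    print("md5 ok after edit:", verify_extra_tail(tail, SAMPLE_CRAMFS + b"\x00"))
```

To use it on a real file, cut the last 64 bytes off the digicap.dav, cut the 108-byte header off the front, and feed the remaining cramfs.img bytes to verify_extra_tail; a mismatch on an untouched image means the layout guess does not hold for that device family.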

Ivan1985

n3wb
Joined
May 6, 2019
Messages
19
Reaction score
12
Location
Russia
Unpacking and decryption of Compressed ROMFS image file (cramfs.img) for intercom indoor monitors based on H5 platform:

1. Cramfs.img can be opened by the cramfs tools or by 7zip.

It contains the following files:
- app.tar.lzma -> encrypted file
- audio.tar.lzma -> encrypted file
- dec
- digicapkeyArm.ko
- dvrCmd.tar.gz
- dvrCmd2.tar.gz
- hicore.tar.lzma -> encrypted file
- hisi.tar.lzma -> encrypted file
- logo.tar.gz
- logo.tar.lzma -> encrypted file
- misc.tar.lzma -> encrypted file
- overseas.tar.lzma
- ramdisk.gz
- showlogo
- start.sh -> encrypted file
- uImage
- version

There are several encrypted files.
The Triple DES ECB cipher algorithm is used for other Hikvision devices, so it is also used for this image.

2. Looking into the dec file, the following strings can be found:
"Usage: ./dec FILEin FILEout", "/dev/decryptkey", "set key err %d"

The IDA interactive disassembler is needed to analyse the dec file.
This file contains several functions: "decrypt_sec", "des3_ede_setkey".
These functions are part of the Cryptographic API.
Links to the Cryptographic API source code: crypto/des_generic.c (v5.1.5) and include/crypto/des.h (v5.1.5) on Bootlin.

static void des3_ede_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen);
The 3DES key length is 24 bytes.

Disassembled code:
.text:0000D304 loc_D304 ; CODE XREF: decrypt_abstract_api+54j
.text:0000D304 SUB R3, R11, #-var_194
.text:0000D308 MOV R0, R3 ; struct crypto_tfm *tfm
.text:0000D30C LDR R1, [R11,#var_1A0] ; const u8 *key
.text:0000D310 LDR R2, [R11,#var_1A4] ; unsigned int keylen
.text:0000D314 BL des3_ede_setkey

.text:0000D318 MOV R3, R0
.text:0000D31C STR R3, [R11,#var_14]
.text:0000D320 LDR R3, [R11,#var_14]
.text:0000D324 CMP R3, #0
.text:0000D328 BEQ loc_D340
.text:0000D32C LDR R3, =aSetKeyErrD ; "set key err %d"
.text:0000D330 MOV R0, R3 ; format
.text:0000D334 LDR R1, [R11,#var_14]
.text:0000D338 BL printf
.text:0000D33C B loc_D3D0

The DES key is read by an ioctl function, so the DES key is not part of the image.

3. Extracting the DES key:
The dec file is not encrypted and can be patched to read out the key over the UART interface (by using the printf function).
Some programming skills and understanding of the ARM instruction set are needed to create this patch.

To create DAV file with patched dec file:
- Create cramfs.img file: mkfs.cramfs -v img cramfs.img
- Set the Chinese language attribute in the header file (header offset 0x10: set byte = 0x02)
- Pack the digicap.dav file by using repackFirmwareH5.py

Load DAV file by using TFTP tool.

The link to the description of how to set up a UART connection to Hik cameras: UART connection to recover Hik cameras
The same is applicable to intercom indoor monitors (the UART connector is hidden under the sticker on the back side of the monitor).
A USB-to-UART TTL converter with 3V logic levels and the PuTTY software are needed.

UART settings:
- speed: 115200 baud
- data bits: 8
- stop bits: 1
- Parity: None
- Flow control: None

The UART log, if everything is correctly done:

hisfc300_spi_probe:Block protect enabled!
Hit any key to stop autoboot: 0
### CRAMFS load complete: 2289552 bytes loaded to 0x80400000
### CRAMFS load complete: 1206447 bytes loaded to 0x80800000
timeout for link [5000]!
## Booting kernel from Legacy Image at 80400000 ...
## Loading init Ramdisk from Legacy Image at 80800000 ...
Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-08-19 14:10:59 CST)
Fri May 17 23:16:16 UTC 2019

Starting udev: [ OK ]
DES key 1292042785
DES key 303108950
DES key 1292042753
DES key 303108182
DES key 1292042753
DES key 487658070

The full 3DES_KEY: 2102034D561311120102034D561011120102034D5612111D

4. File decryption:
openssl can be used to decrypt/encrypt the files.
It supports des-ede3 (Triple DES EDE in ECB mode).

Notes:
The DES algorithm works with 64-bit (8-byte) blocks, so the files have to be aligned to 8 bytes before decryption.
The lengths of all encrypted files are not aligned to 8 bytes.
The last byte of each encrypted file in the image contains information about the alignment (the number of unused bytes at the end of the decrypted file).

The decryption sequence:
- remove last byte from the encrypted file (this byte defines the number of unused bytes at the end of decrypted file)
- decrypt file:
openssl des-ede3 -d -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- Remove unused bytes at the end of decrypted file


Decrypted start.sh file is attached.

5. File encryption sequence:
- if the file is not aligned to 8 bytes -> add bytes (0x00) to the end of the file to fix it.
- if the file is aligned to 8 bytes -> add 8 bytes (0x00) to the end of the file!!!
- encrypt file:
openssl des-ede3 -e -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- add one byte with the number of unused bytes to the end of encrypted file
 

Attachments
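The decryption and encryption sequences in points 4 and 5 above, as an added example (my code, not the post's scripts and not anything from Hikvision): the trailer byte, the zero padding and the "an aligned file still gets a whole extra block" rule are implemented as functions around a raw 3DES-EDE/ECB primitive, and the six `DES key` words from the UART log are shown to reassemble into the 24-byte key the post reports (each printed word is a little-endian 32-bit value in decimal). The 3DES primitive uses pycryptodome when it is installed (the library the post's scripts need) and otherwise shells out to the same openssl invocation the post gives, with stdin/stdout in place of the file arguments; that fallback, and treating a trailer byte of 0 as "no padding", are my assumptions.

```python
"""H5 intercom file encryption layout: 3DES-EDE/ECB, zero padding, pad count in trailer.

Added example built from the sequences in the post above; not the post's scripts.
"""
import struct
import subprocess

# Key reported in the post (24 bytes = three 8-byte DES keys, K1 | K2 | K3).
H5_3DES_KEY = bytes.fromhex("2102034D561311120102034D561011120102034D5612111D")

# The six "DES key" lines from the UART log above, in order.
UART_KEY_WORDS = (1292042785, 303108950, 1292042753, 303108182, 1292042753, 487658070)


def key_from_uart_words(words):
    """Each printed word is a little-endian uint32; six of them form the 24-byte key."""
    return struct.pack("<6I", *words)


def des3_ecb(data, key, decrypt):
    """Raw 3DES-EDE in ECB mode, no padding; len(data) must be a multiple of 8."""
    if len(data) % 8:
        raise ValueError("ECB input must be 8-byte aligned")
    try:
        from Crypto.Cipher import DES3  # pycryptodome, as used by the post's scripts
        cipher = DES3.new(key, DES3.MODE_ECB)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)
    except ImportError:
        # Fallback (my assumption): the same openssl command the post uses.
        cmd = ["openssl", "enc", "-des-ede3", "-d" if decrypt else "-e",
               "-K", key.hex(), "-nopad"]
        return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def hik_encrypt(plain, key=H5_3DES_KEY):
    """Pad with zeros to the next 8-byte boundary (an aligned file gets a whole extra
    block, so npad is always 1..8), encrypt, then append npad as the trailer byte."""
    npad = 8 - (len(plain) % 8)
    body = des3_ecb(plain + b"\x00" * npad, key, decrypt=False)
    return body + bytes([npad])


def hik_decrypt(blob, key=H5_3DES_KEY):
    """Strip the trailer byte, decrypt the aligned body, drop npad unused bytes."""
    if len(blob) < 9 or (len(blob) - 1) % 8:
        raise ValueError("not an H5-style encrypted file: bad length %d" % len(blob))
    body, npad = blob[:-1], blob[-1]
    if npad > 8:
        raise ValueError("trailer byte %d exceeds one block" % npad)
    plain = des3_ecb(body, key, decrypt=True)
    return plain[:len(plain) - npad]


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4 or sys.argv[1] not in ("enc", "dec"):
        sys.exit("usage: %s enc|dec FILEin FILEout" % sys.argv[0])
    with open(sys.argv[2], "rb") as f:
        data = f.read()
    out = hik_decrypt(data) if sys.argv[1] == "dec" else hik_encrypt(data)
    with open(sys.argv[3], "wb") as f:
        f.write(out)
    print("%s: %d -> %d bytes" % (sys.argv[1], len(data), len(out)))
```

Run as `python3 h5crypt.py dec start.sh start.sh.plain` and the reverse after editing; the length check in hik_decrypt is the quick way to tell whether a file from the cramfs image actually follows this layout before trusting the decrypted output.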

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Some programming skills and understanding of the ARM instruction set are needed to create this patch.
Yes indeed, a good level of programming knowledge and experience to patch an executable like that.
Even if it didn't have a %x format string ...
Well done!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
The IDA interactive disassembler is needed to analyse the dec file.
The DES key is read by an ioctl function, so the DES key is not part of the image.
So it's stored in a presumably obfuscated way in the uImage.

You've probably done this already - in which case apologies, but if not, attached is the symbol table extracted from uImage so that code sections and data names can be loaded into IDA.
 

Attachments

Ivan1985

n3wb
Joined
May 6, 2019
Messages
19
Reaction score
12
Location
Russia
So it's stored in a presumably obfuscated way in the uImage.

You've probably done this already - in which case apologies, but if not, attached is the symbol table extracted from uImage so that code sections and data names can be loaded into IDA.
No, I have not done this. Thank you for the symbol table.
The 3DES_KEY is stored in the digicapKeyArm.ko file.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Thank you for the symbol table.
No problem.
Oops .. I should also have mentioned that the symbol table was from the uImage from the VIS_11_H5_INDOOR_STD_V1.5.0_181101 firmware that you posted.
And attached is the uncompressed kernel that the symbols are from.
 

Attachments
