R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

koceto7878

Hello,
Can you help me find the password for my DS-2CD1201D-I3? It has the static IP address 192.168.100.22.
I am attaching a file.
 


alastairstevenson

can you help me find the password for my DS-2CD1201D-I3
Sorry, not possible for that version of firmware :
V5.4.5build 170311
because that version has had the 'Hikvision backdoor' vulnerability fixed, so it's not possible to extract the configuration file with no credentials.

Does that model of camera have a reset button?
 

pepeEL

Hi
Now I have hacked my friend's Chinese camera DS-2CD2032F-IW, with non-upgradable firmware 5.3.0, using your manual.
Now I have updated to the latest firmware 5.4.5 and the camera works OK. But....
Is there any chance to change the camera serial number from the Chinese value to a European one? Because I use a European NVR and I want to use this camera, hacked to English, with this NVR. And probably the European NVR blocks the Chinese camera and I cannot see video through the HIK Connect cloud. My NVR connects to the cloud but I cannot see video.
Is there any chance to fix it?

Now I have this:
DS-2CD2032F-IW20151013CCCH547576656

and I want to change CCCH to the European number...
 

pepeEL

OK thanks.... but is there any chance to change the region setting in the serial number?
DS-2CD2032F-IW20151013CCCH547576656


And now I have one DS-2CD2035-I camera, also from China, with multilanguage firmware V5.3.6 build 151221, and I also want to modify it to upgrade the firmware to the latest version... and update in the future by GUI.
Please help me...
 

alastairstevenson

but is there any chance to change the region setting in the serial number?
The region code is in mtd6 location 0x55 and can be modified as follows:
0x55 Region code. 01=CN 03=WR

and update in the future by GUI
Not easily possible due to the need to install 'hacked to EN firmware' to overcome the language setting in the secure chip that holds the camera hardware signature.
 

pepeEL

But can you do it?
Or is there any chance you could help me step by step, maybe once, to update this DS-2CD2035-I?


And for the hacked DS-2CD2032:
Now I have the hacked software in English, so how can I modify this region code? Is there any chance now?
 


pepeEL

Yes, OK, but that is G0, and the DS-2CD2035-I looks like G1...
And the manual in this thread is not fully for me...
Long-shot help request - Hikvision DS-2CD3335D - G0 series IPC.
Because I don't see where we update the new firmware.... The manual is not understandable for me... For the DS-2CD2032 it is fully understandable...

This part I understand OK:
-----------------------------------------------------------
Assuming the serial console is hooked up (115,200 baud, 8 bits no parity) and shows lots of readable info when the camera is powered on -
Interrupt the bootloader with Control-U
It's handy to set some of the environment variables to suit your network.
First of all though, make a record of existing settings by using the following command, and copying the screen rollback in PuTTY to a text file to save in your work area:

printenv

Use the following commands to set the camera IP address and the TFTP server IP address:

setenv ipadrs <your_choice_for_the_camera>
setenv serverip <your_TFTP_server_address>
saveenv

Then the kernel bootargs need to be changed to get the kernel to boot into a debug mode:

setenv bootargs console=ttyAMA0,115200 init=/bin/sh rootfs=0x82000000 rootfstype=initrd debug single loglevel=9
saveenv

-------------------------------------------------------------




but from this point I don't understand:

-------------------------------------------------------------
Copy the kernel image uImage to your tftp root folder.

Boot over tftp and the camera should end up at a shell prompt, hopefully not a psh prompt.

tftp uImage
bootm

-----------------------------------------------------------
It's really handy to be able to copy / paste command lines from a text file (eg via Notepad) into the PuTTY command line.
These can be done singly or in multiple.
If the modified bootargs do boot into an ash shell, that's great as it will provide the access to do the needed work.
But at that point, the environment is not yet complete.
These commands are needed to take it a few steps further:
Adjust the IP addresses to match your network and your NAS for the NFS share and sharename.

/bin/mount -t proc proc /proc
/bin/mount -t sysfs none /sys
/bin/mount -t ramfs ramfs /home

/etc/S_udev

ifconfig eth0 192.168.1.64 up

mount -t nfs -o nolock 192.168.1.201:/cctv1 /mnt/nfs00

cd /mnt/nfs00

----------------------------------------------------------------

At this point there is a fully usable linux environment.
The uImage kernel can be applied to mtdblock5 & 6 (sys0, sys1) and all the remaining files from the unpacked firmware copied into /dav both when it's mounted from mtdblock7 and also mtdblock8 (app0 and app1).
Finally - reboot, interrupt the bootloader with Control-U and put the bootargs environment variable back the way it was to begin with so that the camera no longer boots into a shell in debug mode.




EDIT
To change the region on the DS-2CD2032 from CH to WR I did the whole operation again and now I have WR in my number. Thanks
 

Martinp

DS-2DE2202I-DE3/W successfully recovered using this method - thanks all!

Here was the sequence:

1. Camera had started randomly rebooting multiple times a day (it's behind an NVR so don't think it was hacked?).
2. Annoyingly, the PTZ would reset itself each time and point at the mounting pole which wasn't super helpful.
3. Foolishly, I decided to web update from 5.3.9 to 5.4.71 which promptly bricked the camera with "firmware language mismatch: /home/webLib"
4. <insert a bunch of trial and error trying to load a new image on the camera>
5. I wanted to use a standard TFTP server and so had to work with Hikvision's custom handshake on port 9978.
6. Successfully loaded the brick-fix CN image on the camera, got logged in and ran the recovery script (took a couple of goes).
7. For the mtd6ro_mod specifics:
* changed the language byte at location 0x10 to 0x01 (from 0x02)
* recomputed the checksum (which decremented by 1 as expected) and set in locations 0x04-0x05
* left the devType bytes untouched as 0x2623 - this might be the type for the DS-2DE2202I-DE3/W
8. Loaded and ran upgrade with digicap.dav from raptor_de_value_ptz_firmware_5.3.9_150910
9. Rebooted, camera came up successfully on 192.168.1.64 (in English)
10. Web upgrade from there to V5.4.71 build 170312 worked successfully.

So far, the reboots have stopped. Hope this helps folks.
 

alastairstevenson

Hey, well done! Another good result.

left the devType bytes untouched as 0x2623- this might be the type for the DS-2DE2202I-DE3/W
That's worth knowing - may help others, thanks.

I wanted to use a standard TFTP server and so had to work with Hikvision's custom handshake on port 9978.
Sounds like you did a bit of network sniffing.
Did you somehow emulate the Hikvision handshake - or end up just using Hikvision's updater?
 

Martinp

Hey, well done! Another good result.


That's worth knowing - may help others, thanks.


Sounds like you did a bit of network sniffing.
Did you somehow emulate the Hikvision handshake - or end up just using Hikvision's updater?
Watched what it was up to on the network - the camera sends a UDP request to port 9978, reply with payload "SWKH" and it moves on to a standard TFTP load. I wrote a couple of lines of Python to do the handshake. The mtd work was great Alastair!
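
As an added example (not Martinp's own script, which was not posted): a UDP responder for the port 9978 handshake described in the post above. The `allowed_peers` parameter and the loopback self-test are assumptions added here, and because the thread does not say what the camera's request contains, the request is logged rather than checked.

```python
import socket

HANDSHAKE_PORT = 9978        # UDP port named in the post
HANDSHAKE_REPLY = b"SWKH"    # reply payload named in the post


def open_handshake_socket(bind_addr="0.0.0.0", port=HANDSHAKE_PORT, timeout=None):
    """Bind the UDP socket the camera's bootloader sends its request to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout)
    return sock


def answer_one(sock, allowed_peers=None):
    """Receive one datagram and reply "SWKH" to its sender.

    The request contents are not documented in the thread, so they are
    returned for logging instead of being validated. allowed_peers is a
    hypothetical parameter that limits replies to the camera being recovered.
    Returns (peer, request_bytes, replied).
    """
    request, peer = sock.recvfrom(2048)
    if allowed_peers is not None and peer[0] not in allowed_peers:
        return peer, request, False
    sock.sendto(HANDSHAKE_REPLY, peer)
    return peer, request, True


def loopback_demo():
    """Constructed self-test: a stand-in 'camera' socket on 127.0.0.1."""
    server = open_handshake_socket("127.0.0.1", 0, timeout=2)
    camera = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    camera.settimeout(2)
    try:
        camera.sendto(b"constructed-request", server.getsockname())
        _, _, replied = answer_one(server, allowed_peers={"127.0.0.1"})
        reply, _ = camera.recvfrom(64)
        return replied, reply
    finally:
        camera.close()
        server.close()


if __name__ == "__main__":
    with open_handshake_socket() as sock:   # a normal TFTP server runs alongside
        while True:
            peer, request, replied = answer_one(sock)
            print(f"{peer[0]}:{peer[1]} sent {request!r}, replied={replied}")
```

Run it on the recovery PC next to a standard TFTP server; the printed request bytes show what the bootloader actually sends on your camera.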
 