savoyardal
n3wb
Is the source code available somewhere?
[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
- Thread starter montecrypto
- Start date
alastairstevenson
Staff member
Nope, this isn't something that @montecrypto has shared on here.
Forgive me if this is addressed somewhere in this thread and I didn't see it in the two dozen or some comments I read, but does this tool allow for tweaking the firmware other than language/region issues? Such as the group Magic Lantern and their tweaking of Canon DSLR firmware to enable different features. If this tool doesn't, does anyone know of something that does?
alastairstevenson
Staff member
Yes, the firmware can be unpacked from it's wrapper into its constituent parts, changes can be made to the parts, and the result repacked to be applied to the device.
But even though internal structure, CRCs etc have been maintained, some devices may reject the firmware if not signed by a private key.
But even though internal structure, CRCs etc have been maintained, some devices may reject the firmware if not signed by a private key.
Hopefully i'm in the right thread. @alastairstevenson provided some guidance here
overview: trying to convert my laview wifi NVR to the OEM Hikvision wifi NVR, so that I can update to the latest 3.4.80 FW.
the nvr currently has FW: https://www.laviewsecurity.com/files/firmware/NVR LV-N9308-W v3.3.0 151124 FVNW1512.rar
the OEM FW I want to flash: http://www.hikvisioneurope.com/portal/portal/Technical Materials/02 NVR/00 Product Firmware/08 Wifi NVR/7100K1-W-M/[7108NI-E1-V-W] New WIFI NVR/V3.3.0 bulid150508 English/NVR_EXX_BL_EN_STD_V3.3.0_150508.zip
My planed steps: unpack both fw using hikpack, both outputs 3 files: cramfs.img, dav_header and new_20.bin.
then pack a new fw using dav_header from laview and cramfs.img and new_20.bin from the oem.
Would the above steps work for what I'm trying to do, or are there additional things i need to do?
Thanks in advance
overview: trying to convert my laview wifi NVR to the OEM Hikvision wifi NVR, so that I can update to the latest 3.4.80 FW.
the nvr currently has FW: https://www.laviewsecurity.com/files/firmware/NVR LV-N9308-W v3.3.0 151124 FVNW1512.rar
the OEM FW I want to flash: http://www.hikvisioneurope.com/portal/portal/Technical Materials/02 NVR/00 Product Firmware/08 Wifi NVR/7100K1-W-M/[7108NI-E1-V-W] New WIFI NVR/V3.3.0 bulid150508 English/NVR_EXX_BL_EN_STD_V3.3.0_150508.zip
My planed steps: unpack both fw using hikpack, both outputs 3 files: cramfs.img, dav_header and new_20.bin.
then pack a new fw using dav_header from laview and cramfs.img and new_20.bin from the oem.
Would the above steps work for what I'm trying to do, or are there additional things i need to do?
Thanks in advance
alastairstevenson
Staff member
Certainly worth a try.
Presumably the Hikvision firmware gets rejected at a web GUI update attempt?
Are you convinced the LAview NVR is the same model?
Presumably the Hikvision firmware gets rejected at a web GUI update attempt?
Are you convinced the LAview NVR is the same model?
At work now, was planning try those steps when I get home, just don't want to brick it.
Yes its the same nvr see post here: New LaView NVR question
edit:
mission accomplished
. it took it over the web interface. upgrading to the latest now
Last edited:
alastairstevenson
Staff member
Brilliant! Well done. I bet there was some nervousness. I know that feeling ...
Dang unit lock me out and wont accept my password. no reset button so have to send xml file to laview to reset password
Update: Got it unlocked with SAPD and Laview support.
just some notes for anyone attempting this conversion:
I should have reset to defaults when I first converted to the OEM firmware before updating to the next version.
Also the FW version 3.4.80 has to be updated twice per the release notes, else some config fields wont work.
@alastairstevenson thanks for steering me in the right direction!
Last edited:
alastairstevenson
Staff member
Glad you got there!
the device is more configurable with the latest firmware for sure, and offer basic features that was missing from the laview latest.
Before I forget, i would like to also thank @montecrypto for his excelent tool.
Before I forget, i would like to also thank @montecrypto for his excelent tool.
Last edited:
rearanger
Getting the hang of it
Has anyone got a tool to encrypt and decrypt the davinci file ATTACHED from IPC_G0_CN_STD_5.5.53_180716. davinci_bak was taken from a cam that is running that firmware using shell access.
Hello! Has someone already done a VPN client in the camera? Found firmware for DS-2CD2414 with built-in OpenVpn client. This utility unpacked the firmware. Got files: _cfgUpgClass, _cfgUpgSecPls, app.img, uImage. I opened the 7zip file with the app.img file, found the certificates and the ovpn config. Tell me how to correctly replace the certificates and config with your own and pack?
Thanks in advance!
Thanks in advance!
Are you sure DS-2CD2414?
I saw firmware for R2 model OEM model for cloud ipc with moded kersel that support tunnel with openvpn clinet.
It's work. I you this kernek to other version & it's work.
R2 is simple rebulded firmware
mrpeenut24
n3wb
Firstly, I want to say thanks to @montecrypto and @alastairstevenson for supporting this tool. I've used it to modify the firmware and give myself root non-psh shells on 3 rebadged bullet cams in the past (5.3-5.4ish fw) and wouldn't have stuck with hikvision cams if not for this. I've recently bought an OEM DS-2DE2A404IW-DE3 which came with 5.5.6 prepackaged, and I've since updated to 5.6.0 (since that was the only available downloadable firmware I could find). This appears to be an R7 model. Is there any plan to support this with this tool? Using R6 type seems to allow it to unpack, but it gives me an error when repacking, and I'm unable to get rebuilt firmware to load, yet the original seems to do okay.
I've tested with simply repacking without modifying anything:
Attempting to flash this file gives me an error:
Yet flashing the original file with the same language works okay:
I'm using the firmware hosted here: DOWNLOAD EU PORTAL
I have a good set of linux skills, and I'm handy with a usb->serial/jtag adapter and a soldering iron. If there's something more I can provide, please let me know. My goal is to root this, change psh->ash, and rebuild busybox with more commands to replace the built-in busybox.
edit:
I've managed to enable SSH with the ClientDemoEn tool, though as expected, it's limited to psh.
I've also got TTY access, but the commands on uboot are very minimal, and it doesn't seem to allow flashing a lower version of firmware. Has anybody worked with r7 devices yet and gotten any further?
Also, it appears that doing setenv/saveenv/reset doesn't persist changes to the environment. I suspect there may be a way to get it to read from the SD card slot, as I've seen some comments in the past that people were able to update uImage this way, but I've had no luck. It appears I need a sec.bin to tell it to go to an address.
Code:
$ ../hikpack_2.5/hikpack -t r6 -x digicap.dav -o 5.6.0/
Magic : 484b3230
hdr_crc : 000028b8 (OK)
frm_flg : 1210050031141110011
Magic : 484b3330
hdr_crc : c0bc25cd (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
File: _cfgUpgClass, CRC OK
File: uImage, CRC OK
File: hik_ar9331.bin, CRC OK
File: hik_ar9331_1.bin, CRC OK
File: initrun.sh, CRC OK
File: sysVersion.bin, CRC OK
File: r7_modules.tgz, CRC OK
File: WebComponents.exe, CRC OK
File: IEfile.tar.gz, CRC OK
File: r7_app.tar.gz, CRC OK
File: sound.tar.gz, CRC OK
File: help.tar.gz, CRC OK
File: SoftwareLicense.txt, CRC OK
File: cap.json, CRC OK
File: MOTOR_APP, CRC OK
File: MOTOR_APP1, CRC OK
File: MOTOR_APP2, CRC OK
$
Code:
$ ../hikpack_2.5/hikpack -L 1 -V 0x05060000 -t r6 -p digicap.testorig.dav -o 5.6.0/
File: _cfgUpgClass, CRC OK
File: uImage, CRC OK
File: hik_ar9331.bin, CRC OK
File: hik_ar9331_1.bin, CRC OK
File: initrun.sh, CRC OK
File: sysVersion.bin, CRC OK
File: r7_modules.tgz, CRC OK
File: WebComponents.exe, CRC OK
File: IEfile.tar.gz, CRC OK
File: r7_app.tar.gz, CRC OK
File: sound.tar.gz, CRC OK
File: help.tar.gz, CRC OK
File: SoftwareLicense.txt, CRC OK
File: cap.json, CRC OK
File: MOTOR_APP, CRC OK
File: MOTOR_APP1, CRC OK
File: MOTOR_APP2, CRC OK
*** WARNING *** HK30 header is missing firmware flags
Magic : 484b3330
hdr_crc : 9af48fb7 (OK)
version : 05060000
lang_id : 00000001
date : 190128
frm_flg : 1210050031141110011
*** WARNING *** HK20 record header is missing firmware flags
Magic : 484b3230
hdr_crc : 000027d4 (OK)
frm_flg : 1210050031141110011
$
Code:
$ curl -X PUT --digest -T digicap.testorig.dav -u admin:XXXXX http://XX.XX.XX.XX/ISAPI/System/updateFirmware
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<requestURL>/ISAPI/System/updateFirmware</requestURL>
<statusCode>6</statusCode>
<statusString>Invalid Content</statusString>
<subStatusCode>badDevType</subStatusCode>
</ResponseStatus>
$
Code:
$ curl -X PUT --digest -T digicap.dav -u admin:XXXXX http://XX.XX.XX.XX/ISAPI/System/updateFirmware
<?xml version="1.0" encoding="UTF-8"?>
<ResponseStatus version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<requestURL>/ISAPI/System/updateFirmware</requestURL>
<statusCode>7</statusCode>
<statusString>Reboot Required</statusString>
<subStatusCode>rebootRequired</subStatusCode>
</ResponseStatus>
$I have a good set of linux skills, and I'm handy with a usb->serial/jtag adapter and a soldering iron. If there's something more I can provide, please let me know. My goal is to root this, change psh->ash, and rebuild busybox with more commands to replace the built-in busybox.
edit:
I've managed to enable SSH with the ClientDemoEn tool, though as expected, it's limited to psh.
Code:
# help
Support Commands:
taskShow printPart prtHardInfo
getPreviewStatus setIp setV6ip
setGateway dspStatus outputClose
outputOpen getDebug setDebug
debugLog getIrstate getMtu
camCmd getCamVer getLux
getMcuInfo getMotion getRawdata
setIrcmd setRectFrame updateCamera
setLaserMode getLaserMode setIrMode
getIrMode setBaiguangMode getBaiguangMode
setYTLock InquireFanSwitch StartLaser
CloseLaser LaserMotReset EnlargeCur
ReduceCur SetCur LaserMotDirect
LaserTeleOffset LaserWideOffset InqSwitch
InqCurrent InqCurMotDirect getMcuStateInfo
setFastFocus getTrackStatus getSelfcheckResult
setLdcMode getLdcMode appCmd
ezoomlens_start_t2_test prtLensCurve getLensCurve
getIp gdbcfg {Test1}
{Test2} {Test3} {Test4}
{TestN} {TestY} setAgingMode
getAgingMode setAgingTime getAgingTime
setLensZoomPos getLensZoomPos showKey
showServer showUpnp showStatus
showDefence setLBS setAlarm
cloudService t1 sandbox
ifconfig netstat ping
ping6 top iostat
mpstat ps reset
dmesg wl iwpriv
iperf setWifiEnable getWifiInfo
exit getDateInfo diagnose
diag help debug
#
Code:
HKVS # help
erase - erase flash except bootloader area
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
update - update digicap.dav
updateb - update bootloader
upf - update firmware, format and update (factory use)
ddr - ddr training function
mii - MII utility commands
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
HKVS #
Last edited:
Hm,works fine with my own repacker, created file is identical with just unpacking and repacking:
Code:
$ ../hik_repack -u digicap.dav dav
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015
* 1210050031141110011
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 00790000 device
* _cfgUpgClass
* uImage
* hik_ar9331.bin
* hik_ar9331_1.bin
* initrun.sh
* sysVersion.bin
* r7_modules.tgz
* WebComponents.exe
* IEfile.tar.gz
* r7_app.tar.gz
* sound.tar.gz
* help.tar.gz
* SoftwareLicense.txt
* cap.json
* MOTOR_APP
* MOTOR_APP1
* MOTOR_APP2
$ ../hik_repack -r digicap.dav dav newdigi.dav
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015
+ This seems to be a 00790000 device
* _cfgUpgClass (from dav/_cfgUpgClass)
* uImage (from dav/uImage)
* hik_ar9331.bin (from dav/hik_ar9331.bin)
* hik_ar9331_1.bin (from dav/hik_ar9331_1.bin)
* initrun.sh (from dav/initrun.sh)
* sysVersion.bin (from dav/sysVersion.bin)
* r7_modules.tgz (from dav/r7_modules.tgz)
* WebComponents.exe (from dav/WebComponents.exe)
* IEfile.tar.gz (from dav/IEfile.tar.gz)
* r7_app.tar.gz (from dav/r7_app.tar.gz)
* sound.tar.gz (from dav/sound.tar.gz)
* help.tar.gz (from dav/help.tar.gz)
* SoftwareLicense.txt (from dav/SoftwareLicense.txt)
* cap.json (from dav/cap.json)
* MOTOR_APP (from dav/MOTOR_APP)
* MOTOR_APP1 (from dav/MOTOR_APP1)
* MOTOR_APP2 (from dav/MOTOR_APP2)
HK30 Repack completed.
$ diff digicap.dav newdigi.dav
$alastairstevenson
Staff member
What version of openSSL do we need to use for the compile?
You can probably figure out that coding isn't one of my strengths ...
alastairstevenson
Staff member
And welcome to the forum, by the way!
I'm using OpenSSL 0.9.8c on a 32bit machine.
alastairstevenson
Staff member
Interesting - I never thought to try that.