[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

JSnP

Young grasshopper
Joined
Jun 19, 2019
Messages
36
Reaction score
18
Location
CA
I have a Hikvision video doorbell based on this one: EZVIZ - a global smart home security brand and I'd like to properly unpack the firmware. (V5.2.4)

hikpack seems to unpack them:
hikpack -t r0 -x <file> -o <dir> (or "r1", both seem to work)

Magic : 484b5753
hdr_crc : 00002c82 (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg : 5140020021150000011
File: app.img, CRC OK
File: res.bin, CRC OK
File: mcu.bin, CRC OK
File: arc.bin, CRC OK

The res.bin is a jffs file which can be extracted with jefferson. It contains .aac audio files.
I'm stuck on what to do with the larger app.img file. binwalk doesn't extract it (or does so improperly) Any hints?

Also, is this a recognized .dav file format where I could modify contents, repack and use?

samples:
Code:
http://usdownload.ezvizlife.com/device/HSDB2/2.0/HSDB2.dav
http://usdownload.ezvizlife.com/device/NDB313-W/2.0/NDB313-W.dav
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland

bugmenot01

Young grasshopper
Joined
Dec 31, 2015
Messages
66
Reaction score
8
where can i download the hik_repack tool by leecher? looking to unpack some G1 firmware but it doesnt seem to be supported by hikpack_2.5?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Best to send him a PM - he's a forum member.
The tool is good enough that the on-sellers can make good use of it.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
ds-2cd2xx2fwd or from a similar camera.
I want to learn the structure of a new davinci file.
To do this, I need a decrypted davinci file in ELF format from firmware version 2017 and higher ...

Davinci is left decrypted on the cam at runtime , so if you have root/ASH you can copy the elf/disassemble.
 

HackitZ

Young grasshopper
Joined
Apr 10, 2016
Messages
56
Reaction score
14
will this latest version hikpack2.5 work to change language on DS-2DE2202-DE3 camera?
camera has V5.3.8 build 150707 firmware, looks like the latest is V5.4.71 build 170407(Released)

the seller sold the camera as north american version. just looked into it and i have the ch in my serial number.
i bought the cameras about 2 years ago.
just playing around to see if it's possible to upgrade the firmware.
tnx
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
will this latest version hikpack2.5 work to change language on DS-2DE2202-DE3 camera?
hikpack2.5 can be used to change the language in the header of a firmware file, to get the file past one of the early validation checks, but that will not change the language of the camera itself.
If the camera does have CCCH in its serial number, and is Chinese, it will be best to not attempt a firmware update.
 

StewartM

Getting the hang of it
Joined
Dec 11, 2017
Messages
260
Reaction score
75
Location
Cape Town
Out of interest, if you had a G1 series camera ( v5.6+ firmware) with nonPSH access, would it be possible to downgrade to a much earlier firmware? Other advantages one could leverage with that level of access?
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Out of interest, if you had a G1 series camera ( v5.6+ firmware) with nonPSH access, would it be possible to downgrade to a much earlier firmware? Other advantages one could leverage with that level of access?
Unsure of the question. G1 will not downgrade without root/ash or minisys. Downgrading of G0 you would manually copy files accross

You would either repack the digicap.dav and alter header. Or manually copy the unpacked files to the correct partitions.


With ash/root you can do just about anything you want that you can do in Linux.
 

Hexcode

n3wb
Joined
Apr 16, 2020
Messages
1
Reaction score
0
Location
Germany
Anyone could decode an 5.5.x E3 firmware with leechers tool? Or knows a tool which can do this?
 

watchful_ip

Pulling my weight
Joined
Nov 24, 2019
Messages
251
Reaction score
226
Location
london
Anyone could decode an 5.5.x E3 firmware with leechers tool? Or knows a tool which can do this?
I don't think the AES keys needed are known (at least not to available tools).

With an mtd dump we could derive them, or with a couple of files from the camera, but otherwise not so much. If you have an E3 camera it might be possible via UART though likely not easy these days.
 

Safetyfirst

Getting the hang of it
Joined
Nov 8, 2019
Messages
118
Reaction score
25
Location
USA
At work now, was planning try those steps when I get home, just don't want to brick it.
Yes its the same nvr see post here: New LaView NVR question

edit:
mission accomplished :). it took it over the web interface. upgrading to the latest now
I'm trying to do the same thing in order to get more features, but Is there a dumbed down way to install the Hikvision Firmware for less knowledgeable users?
 
Top