[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

gipsh

n3wb
Maybe... The problem is that different cameras use different keys and packing methods and in many cases you need hardware access to extract keys. I cannot buy every hikvision camera on the market.
Could you describe the process of extracting the keys? Is accessing the serial port enough, or do you do something else?

Thanks!

montecrypto

IPCT Contributor
It boils down to two things:
- access to files containing encryption keys
- ability to execute code on a live camera to extract keys not stored in nand flash

For that, depending on the model, you need one or more of the following:

- serial port access
- shell access
- kernel image
- bootloader image
- nand reader and desoldering skills

Defender666

Getting the hang of it
I have R0 cameras with 5.3.5. Can I just repack a fitting EU 5.4.0, change the language flag, and put it on the camera?

razor_amd

n3wb
Maybe... The problem is that different cameras use different keys and packing methods and in many cases you need hardware access to extract keys. I cannot buy every hikvision camera on the market.
Maybe I can be of some help. A friend just got back from China and brought back with him 4 different IP cameras. I have currently opened just one model; it is a DS-2CD3310D-I with software V.5.4.15_160704, and I have desoldered the SOIC8 chip, a Winbond W25Q128, and read its contents. His NVR is not working and has a language mismatch problem. I will open and read every single chip from these cameras if it is of any use to you; just let me know, and I can send you the files.

The davinci archive is encrypted; you need to decrypt it first before inflating it.
The davinci file seems to be decrypted by daemon_fsp_app when this is run. It looks like it uses an OpenSSL library, does a check on file offset 4 for the magic number 7E3FFF8E, then proceeds to the start of data at offset BC, makes some calls to set up a Bytes to Token using the password "HangZhou", and then decrypts the file. However, I've not been able to decode this myself. I am no expert on such matters, but it looks like one could just use an OpenSSL command line to decode it after tailing off the header bytes.
Only those for which it has crypto keys. R2 referenced above is not currently supported.
Seems more of the current firmware updates from the last round of security holes! (LOL) Hikvision USA don't decode.
I wonder if anyone realises why they call it davinci, when most kernels and SoCs are of course HiSilicon!!

montecrypto

IPCT Contributor
I wonder if anyone realises why they call it davinci, when most kernels and SoCs are of course HiSilicon!!
The same binary in cameras with the TI Davinci chipset is called Centaurus. Go figure. Centaurus is another TI chipset. I don't know if any hik cameras use that chipset, but I'd be interested to learn the name of the binary those cameras use.

gipsh

n3wb
I wonder if anyone realises why they call it davinci, when most kernels and SoCs are of course HiSilicon!!
I asked the same to some Hikvision engineers, and they said something about the name of some old/legacy dev platform....

alastairstevenson

Staff member
What is the aim of the new_20.bin at the end of the firmware file?
This holds the md5 value for the cramfs.img file, in the same way that new_10.bin holds the md5 values for the files within the cramfs.img file.
You could handle this manually by decrypting new_20.bin, modifying the md5 value, encrypting it, and replacing it on the tail of the digicap.dav file.

alastairstevenson

Staff member
OK, attached is 'ynew_20.bin', which has been decrypted with the NVR 3DES 'ded' encrypt/decrypt method.
Code:
$ cat ynew_20.bin | hexdump -Cv
00000000  fb 86 54 66 fe 98 1e 20  20 c2 35 eb 9a a2 c1 29  |..Tf...  .5....)|
00000010  11 a0 03 11 1e 96 f7 6c  11 a0 03 11 1e 96 f7 6c  |.......l.......l|
00000020  ff 55 62 24 d1 31 08 ee  24 d2 35 2c 17 b8 0a 40  |.Ub$.1..$.5,...@|
00000030  15 03 15 20 b9 99 98 9d  e9 11 ae 58 5f 54 27 0a  |... .......X_T'.|
00000040  a8 83 bb db 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 01 00 00 00  6c 75 6f 66 65 6e 67 67  |........luofengg|
00000060  75 6f 0a 00 00 00 00 00  00 00 00 00 00 00 00 00  |uo..............|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  00 00 00 00 00 00 00 00  54 68 75 20 4d 61 72 20  |........Thu Mar |
000000e0  20 33 20 31 31 3a 31 34  3a 33 33 20 32 30 31 36  | 3 11:14:33 2016|
000000f0  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  63 72 61 6d 66 73 2e 69  |........cramfs.i|
00000160  6d 67 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |mg..............|
00000170  00 00 00 00 00 00 00 00  72 ba 1c f4 fc 83 1c 76  |........r......v|
00000180  b7 8d 6c 21 5f 4d 6a 6c  00 00 00 00 00 00 00 00  |..l!_Mjl........|
00000190  00 00 00 00 00 00 00 00                           |........|
00000198
*edit* I did add 4 nulls to the head of the file, for correct block cipher alignment.
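As an added example (not code from this thread, from hikpack, or from Hikvision), here is a small Python reader for the decrypted new_20.bin record that the two posts above describe and dump: it looks up the MD5 entry stored for cramfs.img, checks it against an image, and rewrites it. The field offsets are inferred from the hexdump and are an assumption, not a documented format; the image bytes used for checking are constructed.

```python
import hashlib
import struct

# Layout inferred from the hexdump above (an assumption, not a documented format):
# 0x44 bytes of non-text residue, little-endian entry count at 0x54, builder string at
# 0x58, build-date string at 0xd8, then 0x40-byte entries from 0x158, each holding a
# 32-byte NUL-padded file name followed by that file's 16-byte MD5 digest.
COUNT_OFF, BUILDER_OFF, DATE_OFF, ENTRIES_OFF, ENTRY_SIZE = 0x54, 0x58, 0xD8, 0x158, 0x40

def build_sample() -> bytes:
    """Reconstruct the 0x198-byte decrypted ynew_20.bin from the posted hexdump."""
    buf = bytearray(0x198)
    buf[0:0x44] = bytes.fromhex(
        "fb865466fe981e2020c235eb9aa2c129" "11a003111e96f76c11a003111e96f76c"
        "ff556224d13108ee24d2352c17b80a40" "15031520b999989de911ae585f54270a"
        "a883bbdb")
    struct.pack_into("<I", buf, COUNT_OFF, 1)
    buf[BUILDER_OFF:BUILDER_OFF + 11] = b"luofengguo\n"
    buf[DATE_OFF:DATE_OFF + 25] = b"Thu Mar  3 11:14:33 2016\n"
    buf[ENTRIES_OFF:ENTRIES_OFF + 10] = b"cramfs.img"
    buf[ENTRIES_OFF + 32:ENTRIES_OFF + 48] = bytes.fromhex("72ba1cf4fc831c76b78d6c215f4d6a6c")
    return bytes(buf)

def _cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field and drop the trailing newline the dump shows."""
    return field.split(b"\x00", 1)[0].decode("ascii").strip()

def _entry_offset(blob: bytes, name: str):
    """Offset of the entry whose name field matches `name`, or None if absent."""
    count = struct.unpack_from("<I", blob, COUNT_OFF)[0]
    for off in range(ENTRIES_OFF, ENTRIES_OFF + count * ENTRY_SIZE, ENTRY_SIZE):
        if _cstr(blob[off:off + 32]) == name:
            return off
    return None

def recorded_md5(blob: bytes, name: str):
    """Hex MD5 stored for `name`, or None when the record has no entry for it."""
    off = _entry_offset(blob, name)
    return None if off is None else blob[off + 32:off + 48].hex()

def verify_image(blob: bytes, name: str, image: bytes) -> bool:
    """True only when the stored MD5 matches the image bytes actually shipped."""
    return recorded_md5(blob, name) == hashlib.md5(image).hexdigest()

def update_entry(blob: bytes, name: str, image: bytes) -> bytes:
    """Copy of the record with `name`'s MD5 replaced by the digest of `image`."""
    off = _entry_offset(blob, name)
    if off is None:
        raise KeyError(name)
    buf = bytearray(blob)
    buf[off + 32:off + 48] = hashlib.md5(image).digest()
    return bytes(buf)
```

The record still has to be re-encrypted with ded, as the post above describes, before it goes back on the tail of digicap.dav.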


alastairstevenson

Staff member
ded is a tool on the fs of the device, right?
Yes, that's correct.
But - the 3DES key is not in the binary. The decryption is handled in this case by an ioctl call to the kernel.
ded is attached anyway.
As you do seem quite Linux-savvy - I'll send you the ded key via 'Conversations'.

Coffeemann

n3wb
Dear Colleagues, is there any chance to implement R4 support here as well?
I can provide access for testing purposes.
Hi, can you submit a manual hikpack instruction? Firmware update V5.4.20 hikpack commands. My camera: DS-2CD3345, V5.3.3 build 20150803, platform G0.
Yes, G0 platform. The new version of hikpack supports it. Attachment updated in the OP.
Hi, can you submit a manual hikpack instruction? Firmware update V5.4.20 hikpack commands. My camera: DS-2CD3345, V5.3.3 build 20150803, platform G0.
Please give the hikpack commands, step by step, to decrypt/encrypt the digicap.dav file and change the private KEY.
My camera: DS-2CD3345, platform G0, version 5.3.3.