Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
548
Location
London
But you have not downgraded it; it was already downgraded by the seller?
 

ttumms123

n3wb
Joined
May 22, 2015
Messages
15
Reaction score
0
That's correct and it is different from this hack. I had a look at the mtd5,6 and the language code =02.
 

whoslooking

That's correct, we still don't know how the Chinese are managing to load whatever firmware they want, we need to know more so now with 5.3.0.
As soon as I get a 5.3.0 with 5.2.5 loaded I will see if the MTD hack still works and if we can get it to English.
As no one has posted if they have managed this yet.
 

davo22

n3wb
Joined
Mar 24, 2015
Messages
17
Reaction score
5
Hi whoslooking,

I have a Chinese cam with 5.2.5 loaded but 5.3.0 on the label. Would it be helpful to try your mtd hack and see if it still boots? Or is there any other test that would be helpful in knowing how to hack the 5.3.0 firmware in the future?

cheers
 

whoslooking

As Alastair has, back up all your mtd blocks first, do the hack, make sure to balance the checksum.
 

davo22

Hi guys,

Performed the mtd hack on the 5.3.0 labelled with 5.2.5 loaded. Still booted ok after the mtd hack, which was expected.

Tried to upgrade the camera to the 5.3.0 firmware with the mtd hack still in place. The en version loaded but stuck in a reboot loop. Chinese version loads but errors flashing the dav_sec area.

You cannot reload the original mtd files as you cannot get back into the camera via any method via telnet, even after the tftp process has completed. At this point, the camera reverts from 192.0.0.64 to 192.168.1.64 and is in the protected environment.

I have access to the camera also via its serial console but there are no commands that work in this protected environment.

If anybody else has any ideas, let me know.

P.S. Camera was purchased for test purposes only, so happy to experiment with it...
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,952
Reaction score
6,787
Location
Scotland
It sounds like the 5.3.0 firmware messes with the bootloader. That's a first. I suppose when the release notes say the default / recovery IP address has been changed to 192.168.1.64 that's to be expected.
A couple of weeks back I created a modified version of the 5.3.0 firmware, with SSH permanently activated and the psh Protect Shell inhibited, and an updated busybox. But I didn't have a camera to test it on, so @alexander.omiz kindly tried it for me, but it didn't work, though I'm not sure why. He was able to recover OK thank goodness. The camera I bought to test out the 5.3.0 firmware has an error in the kernel flash area which the 5.3.0 objects to, so I can't play with it.
 

davo22

Yes, it does appear that the bootloader and the update process are different. I have noticed that if you unpack the digicap.dav with the hiktools program and then repack without making any modifications, then this is enough to cause the flash write to fail. So the update process is checking maybe the digicap.dav checksum or header checksum, I don't know.
At least we know if the Chinese can still load 5.2.5 onto the camera, there is a way which we will hopefully discover soon.
 

csm

n3wb
Joined
May 21, 2015
Messages
11
Reaction score
0
@alastairstevenson
I have a DS-CD2632F-IS cam with CN 5.3.0 firmware. Can you send me your modified firmware to test?
After that I bought a DS-CD2632F-I with 5.2.0 ML firmware from Amazon, of which I have secured all mtdblocks. (In mtdblock5 / 6 the region code is 1)

@davo22
For me too, the flash process is cancelled on the serial console with the message digicap.dav Packet Error.
Unfortunately I have no CD2xx2 5.2.5 / 5.2.8 in CN version available for a possible downgrade.

With thanks in advance

Translated with Google
 

whoslooking

From the playing I have done, it seems the recovery block on 5.2.0 upgraded to 5.3.0 does not change, but on a later 5.2.5 onwards it does. On the 5.20 with 5.30 everything is still there and working: full busybox, ftpd and telnet in recovery mode.
Now to find the full boot to change, forcing the image to load, this being done via tftp from the digicap, not by changing the camera's files; the boot is checking a checksum somewhere in the boot. This is the key, but balancing a whole firmware is a bit harder than 1 bit.
 

csm

@alastairstevenson, whoslooking
Just type to test the modified firmware ago.
Have 2 cameras where I can test this.
As Alexander omiz
Greetings, CSM
 

wxman

Pulling my weight
Joined
Feb 15, 2015
Messages
631
Reaction score
163
Location
Southern United States
> Hi guys,
>
> Performed the mtd hack on the 5.3.0 labelled with 5.2.5 loaded. Still booted ok after the mtd hack, which was expected.
>
> Tried to upgrade the camera to the 5.3.0 firmware with the mtd hack still in place. The en version loaded but stuck in a reboot loop. Chinese version loads but errors flashing the dav_sec area.
>
> You cannot reload the original mtd files as you cannot get back into the camera via any method via telnet, even after the tftp process has completed. At this point, the camera reverts from 192.0.0.64 to 192.168.1.64 and is in the protected environment.
>
> I have access to the camera also via its serial console but there are no commands that work in this protected environment.
>
> If anybody else has any ideas, let me know.
>
> P.S. Camera was purchased for test purposes only, so happy to experiment with it...

Probably a silly question, but would the reset button on the cam revert it back to the original Chinese 5.2.3 that was factory-loaded on the cam? Or does the reset button not completely convert it back to factory condition?
 

whoslooking

It will reset all firmware settings to default; it won't change the tftp flashed to the camera.
 

soulja

Young grasshopper
Joined
Apr 1, 2015
Messages
66
Reaction score
9
@whoslooking
Hey! I changed it on 4 cameras. It worked great, thanks a lot!

Just 1 question: When I change 02 to 01 I am only able to use English language and not other languages. Which firmware do I have to flash after changing it to 01?
 

whoslooking

> @whoslooking
> Hey! I changed it on 4 cameras. It worked great, thanks a lot!
>
> Just 1 question: When I change 02 to 01 I am only able to use English language and not other languages. Which firmware do I have to flash after changing it to 01?

Replace the IEfile with a multi-language file, there's a post somewhere in the forum about this.
 

lefjomp

Young grasshopper
Joined
Jul 1, 2015
Messages
34
Reaction score
1
Can I somehow download the mtd files from my camera that has English language and put them into my other camera with Chinese language?
They're both the DS-2CD2132F-IS model.

thank you
 