2432F-IW (chinese?) needs fw, but which version?

[pozzello]

I picked up a cheap cam thinking i could make it work, but no luck so far.

see cam sticker here: https://www.flickr.com/gp/49201507@N00/M25r36
(the QR code decodes to "www.ys7.com 553509973 QPQISA DS-2CD2432F-IW 2.8mm")

Tried @whoslooking's awesome 5.2.5 downgrader (Cam at 192.0.0.64 - not found in SADP, PC at 192.0.0.128, both connected to isolated switch, cam powered by 12v wall wart (not poE). While TFTPD seems to work, the process hangs after uploading the image and i never see the 'upgrade completed' message. Tried waiting some time, rebooting cam after stopping tftpd, etc... repeated maybe 6 times with no luck...

The behavior makes me think the cam wants a different FW version loaded, but I don't know what to try and am reluctant to throw random images at it. https://www.ys7.com/ is all in chinese and i can't find anything useful there. Anyone have a clue what FW version this puppy will accept?

Thanx, Paul

 

[mat200]

Looks like:
DS-2CD2432F-IW-Hangzhou Hikvision Digital Technology Co. Ltd.

Checkout the Annke thread discussion:
ANNKE I61DR 2MP (Hikvision Cube Clone)

 

[pozzello]

thanx for the reply. Obviously, i know what the camera is. I'm trying to determine what version of firmware will unbrick it from it's current state.
are you suggesting i try the 5.4.5 firmware from Hikvisions US web site? somehow i don't think that would work for this presumably hacked chinese cam...

 

[mat200]

thanx for the reply. Obviously, i know what the camera is. I'm trying to determine what version of firmware will unbrick it from it's current state.
are you suggesting i try the 5.4.5 firmware from Hikvisions US web site? somehow i don't think that would work for this presumably hacked chinese cam...

Hi Pozzello,

FYI - Posts are not always just for the OP, but also to help others who are going to follow or search for them in the future.

Someone in that Annke thread posted what they did to upgrade that particular re-brand, and thus it maybe useful information in this case. I do not own the camera, and thus I have not tried updating the firmware.

Thank You

 

[alastairstevenson]

are you suggesting i try the 5.4.5 firmware from Hikvisions US web site?

Don't do that, or you'll need to use the 'brick-fix tool'. Unless it has already had firmware 5.4.0 or higher applied, which would activate a downgrade block.

I picked up a cheap cam thinking i could make it work, but no luck so far.

Was this a used camera?
Can you get any web GUI access at all?

If used, and no web GUI, and your tftp update isn't going anywhere, suggestion :
Use the 'brick-fix tool' to get rid of the downgrade block.
Then use the '5.3.0 to 5.2.5 downgrader', probably the CN variant.
When the web GUI is back working, with CN menus, consider doing the 'enhanced mtd hack' to convert to EN and be fully updateable.
Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

 

[pozzello]

Hi Alastair.

I have no idea what was actually on the cam when it was working, as i received it in this state.
Most likely had an OEM version of 5.3.0 like the sticker says...
(Sticker indicates probable OEM cam, 5.3.0-150513, 11/2015 build date.)

No-show in SADP, Wireshark finds the cam at 192.0.0.64 asking for whohas 192.0.0.128 at startup,
but no GUI at that IP, so I figured it wants firmware...

I've recovered various cameras bought cheap in this state, but i guess this one may be newer
than others I've dealt with, so have yet had the pleasure of circumventing the later (?) 'downgrade block'...

Will try the 'brick-fix tool' to get rid of the downgrade block and report back. thanx.

 

[pozzello]

Thanx again Alastair! the brick-fix image did the trick. the CN version failed like everything else I had tried, but the EN version worked.
Then I re-ran tftpd and put on WhosLooking's hacked 5.2.5 and I'm back in business with this cam. Not sure if that's the 'proper' version
given that the EN brick-fix worked, but whatever. It's alive and in English, so I'm happy.

The only good thing about hikvision's business model is that it keeps a steady supply of cheap cams available, if
you've got some patience to poke around and the ability to follow some simple directions. My wife would contest that last one...

cheers, Paul.

 

[nowandthen]

Don't do that, or you'll need to use the 'brick-fix tool'. Unless it has already had firmware 5.4.0 or higher applied, which would activate a downgrade block.

Was this a used camera?
Can you get any web GUI access at all?

If used, and no web GUI, and your tftp update isn't going anywhere, suggestion :
Use the 'brick-fix tool' to get rid of the downgrade block.
Then use the '5.3.0 to 5.2.5 downgrader', probably the CN variant.
When the web GUI is back working, with CN menus, consider doing the 'enhanced mtd hack' to convert to EN and be fully updateable.
Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

Confused, in this thread DS-2CD2032-I hacked you say to upgrade to 5.4.41. But here you say 5.2.5.

What are people using? I had problems with all 5 cameras today. Could not access them. I used the password reset tool on 4 of 5,they were <V5.3. #5 is 5.3.3 and the password reset tool does not work. The 5.3.3 is a US bought camera and is "legit". I can get a Hikvision reset code for it. Do I bother or downgrade to 5.2.5?

I currently do not expose my cameras or Blue Iris to the outside world. But I would really like to do that safely.

 

[alastairstevenson]

Confused, in this thread DS-2CD2032-I hacked you say to upgrade to 5.4.41.

That version or higher is what's required to deal with the 'Hikvision backdoor' vulnerability.
But if you have a China region camera, trying an update to that version will generally result in a 'bricked' camera.

But here you say 5.2.5.

So the way to be able to update a China region camera to make it safer is to first downgrade to the 5.2.5 version, where it's possible to enable telnet, for shell access, and then to safely modify the contents of mtdblock6 to make the camera updateable. Modifying mtdblock6 on later firmware can trigger a nasty brick trap.
After this, the camera can be updated through the versions to the latest firmware.

The 5.3.3 is a US bought camera and is "legit".

If that's the case, you can simply update from that vulnerable firmware to newer versions via the Maintenance menu in the web GUI.

 

[alastairstevenson]

the brick-fix image did the trick. the CN version failed like everything else I had tried, but the EN version worked.

Excellent!
Now you could try the 'enhanced mtd hack'.

The only good thing about hikvision's business model is that it keeps a steady supply of cheap cams available, if you've got some patience to poke around

Yes, I've had a 'Want to buy bricked Hikvision items' in the Classifieds here for a while, but no takers so far.
But a very generous forum member is in the process of sending me something that I'll be really interested to explore - a different series from what I've mostly explored.
Watch this space!
And I keep a lookout on eBay too, but 'spares and repairs' Hikvision devices are a bit sparse.

 

[nowandthen]

For the Chinese cameras on older firmware. Am I at risk? They are on my network behind a firewall and I currently do not have an open port to see them outside of my LAN.

Makes me nervous (I have no experience) using telnet to make changes.

If someone gets into a camera, can they get elsewhere on my lan? My PC?

 

[pozzello]

another cheap 2342F-IW. sticker has chinese labels, but serial number has no CH or CN in it.
when i got it, showed up in SADP as running 5.4.4.1, and i was able to 'activate' (set password)
and IP/netmask/gateway, but when attempted to hit web UI from browser, got 'language mismatch' error.

So i figured the brick-fix would help un-upgrade, and it seemed to take the _EN version of the brick-fix min system
(since that's what worked for me last time) but now it's stuck at min system 4.0.8.
Pingable at 192.0.0.64, and shows up in SADP ( DS-2CD-Min-System0120140416CCRR460230497,)
but NOT sending out the usual "who has 168.0.0.128, tell 192.0.0.64" we normally see when it's looking for firmware...

Should I have tried the _CN version of the brick-fix downgrade first? Any ideas what to try now?

thanx, Paul.

 

[pozzello]

OK, nevermind. it seems all i need to do is post here, then it works the next time I try.
got whoslooking's 5.2.5 on it and all's well in cheap recycled cam-land.

when will i learn:
- make sure you and the cam you are working on are connected to a SWITCH, not direct to each other via ethernet
- give things enuf time to work. have patience. double-check your setup and try it again...

 

[pozzello]

crap. spoke too soon. i've got it working on whoslooking's 5.2.5 (from doengrader) but it's in Chinese, with no option to change it on the login screen.
i imagine i should do the 'mdt hack', but the first part of that says 'set up NAS on your cam', which is kinda hard to do when you can't read the Chinese...
Also, i cant seem to telnet into the cam at it's current ip. does it only open telnet on 192.0.0.64? or do i need to enable telnet in the gui somewhere?
I've done this before. what am i missing? we have so much info here in various bits & pieces across a million posts. Wish there were some step by step
flow chart for getting from point A to B (for various values of A & B)...

 

[alastairstevenson]

but the first part of that says 'set up NAS on your cam', which is kinda hard to do when you can't read the Chinese...

I sense your frustration... my guides are not the most concise. And this probably won't be either.
Let me try to help with some explanation, and suggestions.

On the brick-fix tool:
It's wrapped as 5.4.x firmware so that the newer downgrade-prohibiting tftp updater will accept it, but due to the size of the payload there are no apps included that provide normal services (eg SADP, ISAPI, telnet, HTTP etc).
So once it's been installed, and booted once to drop the payload, it deactivates itself and the camera will appear inert to SADP - for the first 10 minutes after any bootup, after which time the watchdog times out and reboots the camera into 'min-system' mode.
So leaving the camera powered on and coming back later can show a different status.

This is now the modified min-system, that has no anti-rollback, no psh, and does have telnet access.
The 'upgrade program' within it will now allow installation of the very useful '5.3.0 to 5.2.5 downgrader' firmware which has telnet available to be enabled, and is a safe environment from which to modify the hardware signature values in mtdblock6 (and possibly mtdblock1 for cameras that started with 5.2.8 firmware).

But - for those cameras with language=2, those that did not have the original 'mtd hack', the web GUI is in Chinese, and the default IP address is 192.0.0.64
Suggestion to make access easier for the next changes:

Put the PC IP address back to normal and use SADP to change the IP address to a normal value for your LAN. SADP can do this when the camera address is in a different IP address range.
Do the detailed configuration of the camera in English with the very good 'Batch Configuration Tool' : Hangzhou Hikvision Digital Technology Co. Ltd.
Once telnet is enabled, the NetHDD connection made, the rest is fairly straightforward.

Good luck!

 

[pozzello]

using the batch config tool as a workaround for the chinese GUI is great suggestion. thanx.
will try to get telnet enabled on my chinese whoslooking 5.2.5 cam on my lan...

 

[pozzello]

the damn thing's alarm went off when i configured the NAS. had to unplug it. very annoying.

 

[alastairstevenson]

the damn thing's alarm went off when i configured the NAS. had to unplug it. very annoying.

Yes, it's surprisingly loud.
You've probably figured already that you need to go to something like Events | Exceptions | NetHDD error (because it's unformatted, and doesn't need to be for file transfers) and untick 'Audible alarm'.
And when you've got it all working, maybe need to do the same with the PIR event alarm or it will beep at you when you walk past it.

 

[pozzello]

ok, got the alarm under control, enabled telnet and copied off mtdblock5 and 6.

editing mtdblock6 per your instructions in the brick-fix guide, changed language (byte x10) from x02 to x01.

noticed the devType bytes (0x64 and 0x65) already match my prtHardInfo.
Did the previous loading of the brick-fix do that?
If not, what does it mean that it matches already?

Anyways, adjusted the checksum bytes (0x04 and 0x05) and saved mtdblock6.

But the original whoslooking guide for the hacking to English also modified mtdblock5.
Do i need to do that also? and if so, which bytes are the checksum calculated over and stored in
that file? (original instructions modified some other bytes in order to keep checksum the same).

or am I done, having modified only mdtblock6?

thanx.

 

[alastairstevenson]

noticed the devType bytes (0x64 and 0x65) already match my prtHardInfo.

Some do, some don't. But those that don't get bricked on an update.

Did the previous loading of the brick-fix do that?

No, the brick-fix tool removes the downgrade block and psh and puts telnet back into the min-system that's used by the tftp updater.

But the original whoslooking guide for the hacking to English also modified mtdblock5.
Do i need to do that also?

The current firmware doesn't use that, so it's not necessary to change it.
That's not to say though that on a future firmware update (if there is one for R0 cameras) Hikvision won't try to identify and brick those that have had the 'enhanced mtd hack' by various means.

or am I done, having modified only mdtblock6?

Almost.
Worth checking, in case the camera originally had 5.2.8 firmware, are the values in locations 0x0C and 0x8000C of mtdblock1
If these are 0, change them to 2
This is the underlying reason why cameras that were manufactured with 5.2.8 firmware appear to be not updateable.