78XX to 76XX eeprom mod

[stooge]

I just finished poking around in the eeprom of a grey market 7816N-E2/8P and I managed to get it to run the latest firmware(V3.4.103) that was previously throwing the illegal device error and I thought I would share the information.

Spoiler: version running

I changed the model number from 7816N-E2/8P to 7616N-E2/8P and then I started to change values until I hit the right one that allowed the firmware to run which ended up being a hex byte from "02" to "01" much like the digicap.dav modification to install English language.

the eeprom is on the bottom of the mainboard and in my unit it is a macronix MX25L12835F chip.

Spoiler: eeprom onboard

for this chip you need to select MX25L12835F @S0P16 in the minipro software.

if you do have one of these grey market units and want to install the latest firmware you will need to remove the eeprom from the mainboard and read the eeprom then modify it and flash it back to the eeprom.

a hot air rework station is the best tool to take the eeprom chip off the mainboard and I use a minipro eeprom programmer.

Spoiler: minipro

once you read the eeprom and save a dump use a hex editior and search the model number and change the values from 78XX to 76XX.
I found it in 2 places

Spoiler: location 1

Spoiler: location 2

making those changes just changes the displayed model number you need to make the following change to get the firmware to run without throwing the illegal device error

Spoiler: lang change

 

[alastairstevenson]

I just finished poking around in the eeprom of a grey market 7816N-E2/8P and I managed to get it to run the latest firmware(V3.4.103) that was previously throwing the illegal device error and I thought I would share the informatio

A good post with lots of useful info - thanks for sharing!

if you do have one of these grey market units and want to install the latest firmware you will need to remove the eeprom from the mainboard and read the eeprom then modify it and flash it back to the eeprom.

a hot air rework station is the best tool to take the eeprom chip off the mainboard and I use a minipro eeprom programmer.

Arguably though a bit outside the skillset of the average user.
Presumably in-situ programming isn't feasible on that chip type? I've done this on other SPI flash.

making those changes just changes the displayed model number you need to make the following change to get the firmware to run without throwing the illegal device error

You also need to change the checksum, the bytes after the SWKF magic number.

It might be interesting to check this out - another way to achieve the same thing, without the need to remove the flash chip :
How to - Fix your 15-beep-bootloop Hikvision DS-76xxN-Ex NVR, or convert to EN and make it updatable
Note though, that in later manufacture units, Hikvision have encoded the bootpara block, it's no longer in plaintext.

 

[stooge]

i did try to read while onboard and the data was not reliable so i just removed the eeprom to do it.
i am not too sure about the checksum but i did zero out everything between SWKH and p20141218 and it still booted.
thanks for that link because i did not know you could do that and it looks like i went about it the hard way lol.

 

[alastairstevenson]

It's all good fun whichever way it's done.
And good to share for the benefit of others.

 

[stooge]

It's all good fun whichever way it's done.
And good to share for the benefit of others.

i followed your guide for using serial + tftp and it made life alot easier thanks for that.
this has probably been posted before but i have been poking around and i manged to find the device type flag which changes the amount of ip channels/cameras that can be connected.

the byte before A1 is the device type and the following values change the number of channels

33 = 4 cameras
37 = 8 cameras
3F = 16 cameras (this was my original value)
4F = 32 cameras

i dont have 32 cameras to test with but when i set it as type 33 only 4 cameras were able to be added.
i set mine to 4F and the serial shows it is

g_pstruDspInitPara->device_type=0x4f
and
decChanCnt:16 ipcChanCnt:32

it now gives me the option for live view to have 32 or 6*6

Spoiler: menu

Spoiler: live view 32

 

[alastairstevenson]

Just wait until you find the 'self-destruct' byte ...

 

[Oleglevsha]

this is amazing
Be even more surprised when you delete the name DS-7616N-E2/8P

 

[shankar11]

I just finished poking around in the eeprom of a grey market 7816N-E2/8P and I managed to get it to run the latest firmware(V3.4.103) that was previously throwing the illegal device error and I thought I would share the information.

Spoiler: version running

I changed the model number from 7816N-E2/8P to 7616N-E2/8P and then I started to change values until I hit the right one that allowed the firmware to run which ended up being a hex byte from "02" to "01" much like the digicap.dav modification to install English language.

the eeprom is on the bottom of the mainboard and in my unit it is a macronix MX25L12835F chip.

Spoiler: eeprom onboard

for this chip you need to select MX25L12835F @S0P16 in the minipro software.

if you do have one of these grey market units and want to install the latest firmware you will need to remove the eeprom from the mainboard and read the eeprom then modify it and flash it back to the eeprom.

a hot air rework station is the best tool to take the eeprom chip off the mainboard and I use a minipro eeprom programmer.

Spoiler: minipro

once you read the eeprom and save a dump use a hex editior and search the model number and change the values from 78XX to 76XX.
I found it in 2 places

Spoiler: location 1

Spoiler: location 2

making those changes just changes the displayed model number you need to make the following change to get the firmware to run without throwing the illegal device error

Spoiler: lang change

Hi Stoge,

Grate job , my model DS-7804F-N1 eeprom is "8zf17nw872"
Please advise me can I follow same way?

Thanks in advance