Converting EZVIZ C6TC from Chinese to English

rikochet (n3wb; Joined: Sep 28, 2019; Messages: 13; Reaction score: 3; Location: /dev/null)
Wow! That's a great result, well done.

I'm curious what the tinkering consisted of.
Was it a matter of changing the devType held in mtdblock2?
So the current working camera has US firmware and mtdblock2 has the following mods:
-- 0x10 = 02 (Chinese)
-- 0x55 = 0D (RR region)
-- 0x80 -> 0x91 = 43 53 2D 43 56 32 34 38 2D 41 30 2D 33 32 57 46 52 = CS-CV248-A0-32WFR (model string)
-- 0x04 & 0x05 = Checksum-16 of 0x09 -> 0xFC

When making the same mods on my second C6TC it is unable to register on the EZVIZ network.

So I wonder if, during the course of changing the devType and trying different regions (EU, US, RR etc.), at some point it was able to register with the EZVIZ network.

rikochet (n3wb; Joined: Sep 28, 2019; Messages: 13; Reaction score: 3; Location: /dev/null)
I'm still trying to figure this out.

If I write the paraBlock from the first CN camera to the second CN camera it connects to the EZVIZ network perfectly.
This isn't a solution, as you can't have 2 devices with the same serial registered on the EZVIZ network.
It's as if at some point I changed something which allowed that serial number to register with the US servers.
I even tried modifying the date on the second CN camera's serial code in case my serial had become blacklisted, but no luck.

rikochet (n3wb; Joined: Sep 28, 2019; Messages: 13; Reaction score: 3; Location: /dev/null)
So I went out and bought a CS-CV248-A0-32WFR (US model) and ripped mtdblock2.

The byte values were:
0x10 = 01 (English)
0x55 = C6 (Brazil) - strange, as I bought it in Hong Kong
0x64 = D722 (same as CN)

The main things that were different were:
0x1E -> 0x23: Challenge code
0x35 -> 0x3A: Device MAC address
0x40 -> 0x52: Serial string
0x80 -> 0x90: Model number string

You can change the device MAC, the date part of the serial string and the model number, and the device will continue to register on the EZVIZ network.

However, if you change the 6-character challenge code or the subserial D4####### then the firmware won't register with the ML (Amazon AWS) server, which makes me think that the challenge code is generated based upon the subserial string.

I still don't know what is different about my first CN device that allowed it to authenticate with its original subserial and challenge key.

I have tried using Ettercap and Wireshark to packet sniff the network traffic, but the packets didn't contain any readable strings except for the recurring subserial D4#######, which is what makes me believe that it's important.

I guess I'll keep soldiering on.

superhache (n3wb; Joined: Apr 25, 2020; Messages: 1; Reaction score: 0; Location: Argentina)
Hello, I just found this forum. I also have an Ezviz CS-CV248-A0-32WFR camera, but it is bound to another account. I am wondering if I can change the serial number so I'll be able to bind it to another Ezviz account? Thanks

JosQi (n3wb; Joined: Jun 29, 2021; Messages: 2; Reaction score: 0; Location: Malaysia)
Same here. Now it's my turn to try playing here and there... Kind of a big challenge for someone from a non-programmer background.

piterus90 (n3wb; Joined: May 18, 2022; Messages: 5; Reaction score: 3; Location: Poland)
I went through the whole thread and I'm hugely impressed by the kind of tricks you guys were doing, especially omitting the RO property :)
I was wondering if that could rescue cameras blocked by a previous owner. When I took the QR code and changed the serial number to something else, it allowed me to register a new device (obviously without connecting it; it wanted to connect to Wi-Fi).

Did anyone check what the camera is saying via HTTPS to external servers? Or is it not HTTPS but some different protocol?

unkn0wn (n3wb; Joined: Mar 28, 2024; Messages: 2; Reaction score: 0; Location: World)
I am now trying to do the same with a CS-H8-V100-1J5WKFL camera. But they've added a lot of security measures, so I had to solder off the flash chip and dump it.
The mtd2 block contains sec.bin; here is what I found out about its structure:
(attached image: 1711791571796.png)

The serial number is generated from:

0 - 48 characters (maximum) -> dev_type_readable
2 decimal digits -> decodeChans
8 characters -> serial_date
1 character -> unk_ser2 (1 - A, 2 - B, other - C)
1 character -> unk_ser3 (1 - A, 2 - B, other - C)
2 characters -> region, see enum in the 010 Editor template (CH, WR, RR ...)
9 characters -> subserial

dev_type is actually devType_part1 << 16 | devType_part2

Code:
53 57 4B 48 E2 0D 00 00 F4 00 00 00 00 00 01 00
02 00 00 00 02 00 00 00 01 00 00 00 0C 00 58 58
58 58 58 58 00 00 00 00 00 00 00 00 01 00 01 00
00 00 00 00 00 20 BB BC 9C A6 82 00 00 00 00 00
00 32 30 32 33 31 30 32 35 58 58 58 58 58 58 58
58 58 00 09 07 01 01 00 00 01 00 00 01 00 3E 00
00 01 01 00 27 31 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
43 53 2D 48 38 2D 56 31 30 30 2D 31 4A 35 57 4B
46 4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

C-like:
typedef ubyte mac_address[6]<read=Str("%02X%02X%02X%02X%02X%02X",this[0],this[1],this[2],this[3],this[4],this[5])>;

// Plain byte sum over `size` bytes starting at `address`.
// The stored checksum field is 32-bit, so the sum is kept 32-bit as well.
uint32 CalcChecksum(uint64 address, uint32 size)
{
    local uint32 result;
    local uint32 i;
    result = 0;
    for (i = 0; i < size; i++) {
        result += ReadUByte(address + i);
    }
    return result;
}

enum <ubyte> Region {
    REGION_CH  = 0x01,
    REGION_CH2 = 0x20,
    REGION_TW  = 0x02,
    REGION_TW2 = 0x32,
    REGION_WR  = 0x03,
    REGION_WR2 = 0x30,
    REGION_HK  = 0x04,
    REGION_HK2 = 0x31,
    REGION_BJ  = 0x21,
    REGION_SH  = 0x22,
    REGION_GZ  = 0x23,
    REGION_CD  = 0x24,
    REGION_JP  = 0x33,
    REGION_AS  = 0x34,
    REGION_EU  = 0x35,
    REGION_NA  = 0x36
    // all other values - REGION_RR
};

enum <ubyte> VideoOutType {
    VIDEO_NO_OUT = 0,
    VIDEO_CVBS = 1,
    VIDEO_HDMI = 2,
    VIDEO_SDI  = 3
};

typedef struct _SWKHHeader {
    local uint64 start = FTell();

    char magic[4]<bgcolor=cBlue>;                       // "SWKH"
    uint32 checksum;                                    // sum(header[12:12 + size])
    uint32 size<bgcolor=cPurple>;
    uint32 unk0;                                        // ???
    enum <uint32> { LANG_EN = 1, LANG_CN = 2 } language<bgcolor=cAqua>;   // offset 0x10
    uint32 device_class;                                // ???
    uint32 unk1;
    uint16 devType_part1<format=hex,bgcolor=cYellow>;
    char verification_code[6]<bgcolor=cLtGreen>;        // offset 0x1E, the "challenge code"
    ubyte unk2[8];
    uint16 encodeChans<bgcolor=cLtBlue>;
    uint16 decodeChans<bgcolor=cLtGray>;
    ubyte unk3[4];
    ubyte alarmInNums<bgcolor=cWhite>;
    mac_address mac<format=hex,bgcolor=cLtRed>;         // offset 0x35
    mac_address mac2<format=hex,bgcolor=cLtRed>;
    char serial_date[8]<bgcolor=cGreen>;                // offset 0x41
    char subserial[9]<bgcolor=cAqua>;                   // offset 0x49
    ubyte videoStandard<bgcolor=cDkGreen>;
    ubyte unk_ser2;                                     // 1 - A, 2 - B, other - C
    ubyte unk_ser3;                                     // 1 - A, 2 - B, other - C
    Region region<bgcolor=cPurple>;                     // zone, offset 0x55
    ubyte has_audio_input<bgcolor=cLtPurple>;
    ubyte unk4;
    ubyte USBNum<bgcolor=cBlue>;
    ubyte unk5;
    ubyte alarmOutNums<bgcolor=cLtBlue>;
    ubyte unk6;
    ubyte has_speaker<bgcolor=cAqua>;
    VideoOutType videoOutType<bgcolor=cLtYellow>;
    ubyte videoInType<bgcolor=cLtAqua>;
    ubyte unk7_0;
    ubyte unk7_1;
    ubyte IRSupport<bgcolor=cBlue>;
    ubyte has_wifi<bgcolor=cLtGreen>;                   // 1 - yes, 0 - no
    ubyte OnepushFocus<bgcolor=cPurple>;
    uint16 devType_part2<format=hex,bgcolor=cYellow>;   // offset 0x64; devType = devType_part1 << 16 | devType_part2
    ubyte unk_8;
    ubyte unk_9;
    ubyte unk10[24];
    char dev_type_readable[64]<bgcolor=cLtGreen>;       // offset 0x80, model string
    ubyte unk11[12];
    ubyte unk12;
    ubyte unk99[51];

    // Verify the stored checksum against the payload that follows the 12-byte prefix
    local uint32 real_checksum = CalcChecksum(start + 12, size);
    local uint32 checksum_color = cGreen;
    if (checksum != real_checksum) {
        checksum_color = cRed;
        Printf("Computed checksum = %08X\n", real_checksum);
    }

    local uint64 curr_pos = FTell();                    // hack to apply the color afterwards
    FSeek(start + 4);
    SetBackColor(checksum_color);
    ubyte bla[4]<hidden=true>;
    SetBackColor(cNone);
    FSeek(curr_pos);

} SWKHHeader;

SWKHHeader header;
 

unkn0wn (n3wb; Joined: Mar 28, 2024; Messages: 2; Reaction score: 0; Location: World)
Ok, so I patched the memory dump as follows:
0x10 -> 01
0x45 -> changed date
0x55 -> 03 (world)
Changed the dev visual type from CS-H8-V100-1J5WKFL to CS-H8-R100-1J5WKFL
Fixed the checksum

After that I flashed the memory with these new values and soldered it back onto the camera.

Flashed the newest firmware by putting it on an SD card with the name ezviz.dav.

Reset the camera, connected it to the router via an Ethernet cable.
Activated it with the SADP tool, added it to my account with EZVIZ Studio, and now everything is working!

So even new cameras with secure U-Boot and other stuff can be patched to work in Europe.
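An added example (not code from this thread or from EZVIZ): a Python parser for the SWKH sec.bin header laid out in the 010 template above, run over the redacted dump posted in the thread, which also recomputes the byte-sum checksum the way the template's CalcChecksum does and rewrites the field after a patch (the "fixed the checksum" step in the last post). The sample buffer is reconstructed from the posted dump, in which the poster replaced the verification code and subserial with 'X', so the computed sum is expected to differ from the stored one on this sample; the earlier C6TC posts describe a different 16-bit checksum, which this code does not cover.

```python
import struct
# Redacted sec.bin header from the post above (poster replaced the verification code
# and subserial with 'X'); zero runs omitted, sample_header() rebuilds the 256 bytes.
_DUMP_PARTS = {
    0x00: bytes.fromhex("53574B48E20D0000F4000000000001000200000002000000010000000C005858"),
    0x20: bytes.fromhex("58585858000000000000000001000100"),
    0x35: bytes.fromhex("20BBBC9CA682"),
    0x41: b"20231025" + b"X" * 9 + bytes.fromhex("0009070101000001000001003E0000010100273101"),
    0x80: b"CS-H8-V100-1J5WKFL",
    0xCD: b"\x02",
}
REGIONS = {0x01: "CH", 0x20: "CH2", 0x02: "TW", 0x32: "TW2", 0x03: "WR", 0x30: "WR2",
           0x04: "HK", 0x31: "HK2", 0x21: "BJ", 0x22: "SH", 0x23: "GZ", 0x24: "CD",
           0x33: "JP", 0x34: "AS", 0x35: "EU", 0x36: "NA"}  # anything else -> RR

def sample_header() -> bytearray:
    buf = bytearray(256)
    for off, chunk in _DUMP_PARTS.items():
        buf[off:off + len(chunk)] = chunk
    return buf

def calc_checksum(buf: bytes) -> int:
    """Byte sum of `size` bytes from offset 12, as CalcChecksum(start + 12, size) in the template."""
    size = struct.unpack_from("<I", buf, 8)[0]
    return sum(buf[12:12 + size]) & 0xFFFFFFFF

def parse_header(buf: bytes) -> dict:
    """Decode the SWKH fields the thread identified; offsets follow the 010 template."""
    magic, stored, _size, _unk0, lang = struct.unpack_from("<4sIIII", buf, 0)
    if magic != b"SWKH":
        raise ValueError("not a SWKH header")
    part1 = struct.unpack_from("<H", buf, 0x1C)[0]   # devType_part1
    part2 = struct.unpack_from("<H", buf, 0x64)[0]   # devType_part2
    return {
        "language": {1: "EN", 2: "CN"}.get(lang, lang),        # offset 0x10
        "dev_type": (part1 << 16) | part2,
        "verification_code": buf[0x1E:0x24].decode("ascii"),   # the "challenge code"
        "mac": buf[0x35:0x3B].hex().upper(),
        "serial_date": buf[0x41:0x49].decode("ascii"),
        "subserial": buf[0x49:0x52].decode("ascii"),
        "region": REGIONS.get(buf[0x55], "RR"),                 # offset 0x55
        "model": buf[0x80:0xC0].split(b"\0", 1)[0].decode("ascii"),
        "stored_checksum": stored, "computed_checksum": calc_checksum(buf),
    }

def update_checksum(buf: bytearray) -> int:
    """Rewrite the checksum field (offset 4) so it matches the payload; returns the new value."""
    struct.pack_into("<I", buf, 4, calc_checksum(buf))
    return struct.unpack_from("<I", buf, 4)[0]
```

On an unredacted dump the two checksum values should agree; a mismatch after editing any byte past offset 12 means the field was not refreshed.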