Decompiling Hikvision firmware (9000 series) digicap.mav

Discussion in 'NVR's, DVR's & Computers' started by korin1, Aug 1, 2019.


  1. korin1

    korin1 Young grasshopper

    Joined:
    Aug 27, 2017
    Messages:
    35
    Likes Received:
    5
    Hey there,
    I'm trying to decompile/extract a Hikvision firmware, 9k series (ds-90xx96xx-st77xx-sp_usa_firmware_v3.4.5_170518.zip),
    a digicap.mav file. Has anyone succeeded in extracting it properly?

    So far I was able to extract the firmware, BUT some files are still encrypted.
    Extracted files:

    diskOK.bmp: PC bitmap, Windows 3.x format, 48 x 48 x 24
    disknoLink.bmp: PC bitmap, Windows 3.x format, 48 x 48 x 24
    ds_80101.bit: data
    guirc.tar.gz: data
    initrun.sh: data
    logo.bmp: PC bitmap, Windows 3.x format, 1024 x 768 x 24
    logo_nvr.bmp: PC bitmap, Windows 3.x format, 1024 x 768 x 24
    mux_top.bit: Xilinx BIT data - from mux_top.ncd;HW_TIMEOUT=FALSE;UserID=0xFFFFFFFF - for 6slx25fgg484 - built 2011/08/15(10:31:38) - data length 0xc3ab6
    new_10.bin: data
    rootfs.img: gzip compressed data, was "initrd", last modified: Fri May 29 07:29:28 2015, max compression, from Unix
    uImage: u-boot legacy uImage, Linux-2.6.34, Linux/ARM, OS Kernel Image (Not compressed), 2626248 bytes, Sat Jan 16 08:20:22 2016, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0xE53DE128, Data CRC: 0x2415E5FB
    vps_logo.bin: data
    webs.tar.gz: data
    _________________________________________________________________________
    -rwxrwxrwx 1 root root 6.9K Aug 2 00:08 diskOK.bmp
    -rwxrwxrwx 1 root root 6.9K Aug 2 00:08 disknoLink.bmp
    -rwxrwxrwx 1 root root 2.8M Aug 2 00:08 ds_80101.bit
    -rwxrwxrwx 1 root root 16M Aug 2 00:08 guirc.tar.gz
    -rwxrwxrwx 1 root root 2.3K Aug 2 00:08 initrun.sh
    -rwxrwxrwx 1 root root 2.3M Aug 2 00:08 logo.bmp
    -rwxrwxrwx 1 root root 2.3M Aug 2 00:08 logo_nvr.bmp
    -rwxrwxrwx 1 root root 783K Aug 2 00:08 mux_top.bit
    -rwxrwxrwx 1 root root 1.1K Aug 2 00:08 new_10.bin
    -rwxrwxrwx 1 root root 1.2M Aug 2 00:08 rootfs.img
    -rwxrwxrwx 1 root root 2.6M Aug 2 00:08 uImage
    -rwxrwxrwx 1 root root 91K Aug 2 00:08 vps_logo.bin
    -rwxrwxrwx 1 root root 3.8M Aug 2 00:08 webs.tar.gz

    _________________________________________________________________________

    Note that webs.tar.gz AND guirc.tar.gz should be gzip files; however, those are encrypted.
    Even initrun.sh, which should be normal text, is encrypted.


    help would be nice.

    thanks
     
  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,103
    Likes Received:
    3,507
    Location:
    Scotland
    I just tried this with @montecrypto hikpack tool and it looks OK.
    [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    Code:
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ hikpack_2.5
    hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
    *** No expressed or implied warranties of any kind. Use at your own risk ***
    Usage:
       hikpack -t <fwtype> -i <src_dav_file>                     print dav file information
       hikpack -t <fwtype> -x <src_dav_file> -o <dst_dir>        extract dav file into directory
       hikpack [opts] -t <fwtype> -p <dst_dav_file> -o <src_dir> pack dav file from source directory
       hikpack -t <fwtype> -d <src_crypted_file> -o <dst_file>   decrypt file
       hikpack -t <fwtype> -g <src_crypted_cfg> -o <dst_file>    decrypt configuration backup file
       hikpack -t <fwtype> -G <src_file> -o <crypted_cfg_file>   encrypt configuration backup file (CRC adjusted if needed)
       hikpack -t <fwtype> -e <src_file> -o <dst_crypted_file>   encrypt file
         -t option sets firmware platform type. Currently supported: cameras: r0,r1,r6,g0 nvr: k41,k51
         ----- The following options are used by the pack (-p) command:
         -L <1,2>      set language id (1=EN, 2=CN)
         -D <YYYYMMDD> set firmware date.
         -V <ver>      set firmware version. Use hex number, e.g.: 0x05040003 for v5.4.3
    
    If you find this software useful, please donate to support future development:
        Bitcoin: 1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk
    
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ hikpack_2.5 -t k41 -i digicap.mav
    Magic   : 484b5753
    hdr_crc : 00007723 (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000009
    File: uImage, CRC OK
    File: rootfs.img, CRC OK
    File: initrun.sh, CRC OK
    File: guirc.tar.gz, CRC OK
    File: webs.tar.gz, CRC OK
    File: disknoLink.bmp, CRC OK
    File: diskOK.bmp, CRC OK
    File: logo.bmp, CRC OK
    File: logo_nvr.bmp, CRC OK
    File: vps_logo.bin, CRC OK
    File: mux_top.bit, CRC OK
    File: ds_80101.bit, CRC OK
    File: new_10.bin, CRC OK
    === Tail record:
    File: new_20.bin, CRC OK
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ hikpack_2.5 -t k41 -x digicap.mav -o contents
    Magic   : 484b5753
    hdr_crc : 00007723 (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000009
    File: uImage, CRC OK
    File: rootfs.img, CRC OK
    File: initrun.sh, CRC OK
    File: guirc.tar.gz, CRC OK
    File: webs.tar.gz, CRC OK
    File: disknoLink.bmp, CRC OK
    File: diskOK.bmp, CRC OK
    File: logo.bmp, CRC OK
    File: logo_nvr.bmp, CRC OK
    File: vps_logo.bin, CRC OK
    File: mux_top.bit, CRC OK
    File: ds_80101.bit, CRC OK
    File: new_10.bin, CRC OK
    === Tail record:
    File: new_20.bin, CRC OK
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ cd contents
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5/contents $ hikpack_2.5 -t k41 -d initrun.sh -o dec_initrun.sh
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5/contents $
    
    Example decrypt :
    Code:
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5/contents $ cat dec_initrun.sh
    cd /home/hik
    /bin/tar -zxf dvrCmd.tar.gz -C /opt/
    #/bin/cp /dav0/vid_m3.bin /home/hik
    #/bin/cp /dav0/vps_m3.bin /home/hik
    #/bin/cp /dav0/C674.bin /home/hik
    # echo mount -t nfs -o nolock 10.1.14.117:/back-end-team/linyanhao/data/nfs/ /tmp/
    # mount -t nfs -o nolock 10.1.14.117:/back-end-team/linyanhao/data/nfs/ /tmp/
    # sleep 10
    # mount -t nfs -o nolock 10.1.14.117:/back-end-team/linyanhao/data/nfs/ /tmp/
    # sleep 10
    # mount -t nfs -o nolock 10.1.14.117:/back-end-team/linyanhao/data/nfs/ /tmp/
    # #cp /tmp/netra/initrun.sh /dav0/initrun.sh
    # cp /tmp/netra/C674.bin /home/hik
    # cp /tmp/netra/vps_m3.bin /home/hik
    # cp /tmp/netra/vid_m3.bin /home/hik
    #rm dvrCmd.tar.gz -f
    LD_LIBRARY_PATH=/home/app/lib/;export LD_LIBRARY_PATH
    /bin/chmod u+x ./iscsi/iscsid
    ./iscsi/iscsid&
    /bin/chmod u+x ./pppoed
    #./pppoed&
    sleep 1
    insmod cmemdrv.ko
    #rm cmemdrv.ko -rf
    ulimit -n 8192
    /bin/chmod u+x ./ -R
    # #disable psh
    # sed -i '/psh/d' /etc/profile
    # sed -i '/guest/d' /etc/profile
    
    # #genrate core
    # echo  "/tmp/core%t" >/proc/sys/kernel/core_pattern
    # ulimit -c unlimited
    
    
    # echo  mount mount moutn111
    # mount -t nfs 10.1.14.117:/back-end-team/liwei/data/nfs/v3.2.0 /tmp -o nolock,proto=tcp,nfsvers=3;
    # echo  mount mount moutn222
    # sleep 10
    # mount -t nfs 10.1.14.117:/back-end-team/liwei/data/nfs/v3.2.0 /tmp -o nolock,proto=tcp,nfsvers=3;
    # echo  mount mount moutn333
    # sleep 10
    # mount -t nfs 10.1.14.117:/back-end-team/liwei/data/nfs/v3.2.0 /tmp -o nolock,proto=tcp,nfsvers=3;
    # cp -f /tmp/master /home/app/exec/;
    # cp -f /tmp/sc_hicore /home/hik/ ;
    # cp -f /tmp/1024x768.cfg /home/app/conf/1024x768.cfg;
    # cp -f /tmp/720x576.cfg /home/app/conf/720x576.cfg;
    # cp -f /tmp/string /home/app/string/
    # cp /tmp/netra/C674.bin /home/hik
    # cp /tmp/netra/vps_m3.bin /home/hik
    # cp /tmp/netra/vid_m3.bin /home/hik
    ./master -M &
    #rm master -rf
    cd /
    
    #wl added
    /bin/chown -R root:root /opt/dvrCmd
    /bin/chown -R root:root /opt/webs
    /bin/chmod a+s /bin/su
    /bin/chmod a+s /opt/dvrCmd/dvrtools
    /bin/chmod -R 744 /dav0
    /bin/chmod -R 744 /dav1
    /bin/chmod -R 744 /dav2
    /bin/chmod 777 /dev/hikio
    /bin/chmod 777 /dev/ttyS1
    /bin/chmod 777 /dev/ttyS2
    /bin/chmod 777 /dev/rtc
    #for T1 test
    /bin/chmod 777 /opt/dvrCmd/t1
    /bin/chmod a+s /opt/dvrCmd/t1
    /bin/chmod a+s /opt/dvrCmd
    #wl added end
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5/contents $
    
     
  3. korin1

    korin1 Young grasshopper

    Have you tried it on this https://us.hikvision.com/sites/defa...96xx-st77xx-sp_usa_firmware_v3.4.5_170518.zip ?

    Can you please reupload the hik tool? It seems rghost is down for the moment.
     
  4. alastairstevenson

    alastairstevenson Staff Member


    Attached Files:

    korin1 likes this.
  5. korin1

    korin1 Young grasshopper

    Thanks for the upload.

    Well, that's weird.
    Extraction seems to work fine, but I got the same result when extracting with hikpack:
    the files are still encrypted.
    At first I thought something was wrong.

    After reading your commands again, it seems that after the extraction of the mav file you have to decrypt the encrypted files as well :)

    Thanks.

    Do you have source code of that / Python code for decrypting only the file?

    Here, for example, it is the same code, but when trying to decrypt a file it did not work.





    UPDATE:
    For everyone who tries to unpack/untar the web and guirc gzip files: you will receive an error when trying to open them, and you won't be able to open the "tar" file inside the gzip file.

    However, if you extract the tar file from the gzip file (WITHOUT OPENING THE GZIP FILE!) it will work; if you try to extract or open the tar file when the gzip file is open it will FAIL.

    I was scratching my head for some time, and for some reason it was decrypted but I could not open the tar file inside the gzip file with 7z until I right-clicked and extracted; I still received that error but the file was there.
     

    Attached Files:

    Last edited: Aug 2, 2019
  6. alastairstevenson

    alastairstevenson Staff Member

    No, I don't have any Python code for the file encryption/decryption.

    Unpacking the firmware header and files is a different type of activity than decrypting a file.
    Those specific NVR files are DES-3 encrypted.
     
  7. alastairstevenson

    alastairstevenson Staff Member

    It's actually a tar file using gzip compression.

    You may find it easier to use 'tar' itself to do the unpacking of the decrypted archive, with the 'gzip' command line option, for example :
    Code:
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ ll
    total 61744
    drwxrwxr-x  3 alastair alastair     4096 Aug  2 20:38  ./
    drwxrwxr-x 47 alastair alastair     4096 Aug  2 11:09  ../
    drwxr-xr-x  2 alastair alastair     4096 Aug  2 20:31  contents/
    -rw-r--r--  1 alastair alastair     2264 Aug  2 11:11  dec_initrun.sh
    -rw-rw-r--  1 alastair alastair 33007352 May 18  2017  digicap.mav
    -rw-rw-r--  1 alastair alastair 26176553 Aug  2 11:09  ds-90xx96xx-st77xx-sp_usa_firmware_v3.4.5_170518_0.zip
    -rw-rw-r--  1 alastair alastair    81530 Jul 12  2017 'RN DS-90xx-ST DS-96xx-ST DS-7716NI-SP^16 v3.4.5 071117NA.pdf'
    -rw-r--r--  1 alastair alastair  3940216 Aug  2 11:10  webs.tar.gz
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ hikpack_2.5 -t k41 -d webs.tar.gz -o dec_webs.tar.gz
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ mkdir home
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ tar -zxf dec_webs.tar.gz -C home
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ ll home
    total 12
    drwxr-xr-x 3 alastair alastair 4096 Aug  2 20:39 ./
    drwxrwxr-x 4 alastair alastair 4096 Aug  2 20:39 ../
    drwxr-xr-x 5 alastair alastair 4096 May 18  2017 webs/
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $ ll home/webs
    total 32
    drwxr-xr-x 5 alastair alastair 4096 May 18  2017 ./
    drwxr-xr-x 3 alastair alastair 4096 Aug  2 20:39 ../
    drwxr-xr-x 2 alastair alastair 4096 Mar  2  2017 codebase/
    -rwxr--r-- 1 alastair alastair  778 Mar  2  2017 dispatch.asp*
    drwxr-xr-x 6 alastair alastair 4096 Mar  2  2017 doc/
    -rwxr--r-- 1 alastair alastair 1150 Mar  2  2017 favicon.ico*
    drwxr-xr-x 5 alastair alastair 4096 May 18  2017 help/
    -rwxr--r-- 1 alastair alastair  480 Mar  2  2017 index.asp*
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.5 $
    
     
    Purduephotog likes this.
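
A triage check for the situation in this thread, where members such as webs.tar.gz and initrun.sh come out of the .mav as `data`: it compares each extracted member's leading bytes with what its name implies and flags the ones that still need the decrypt step. This is an added example, not part of any post and not hikpack code; the sample bytes are constructed, and the suffix table and verdict names are assumptions.

```python
import gzip
import math

# Leading bytes implied by a member's name; None means "expect printable text".
EXPECTED = {".gz": b"\x1f\x8b", ".bmp": b"BM", ".sh": None}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_text(data: bytes) -> bool:
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and printable / len(data) > 0.95


def classify(name: str, head: bytes):
    """Return (verdict, entropy) for the first bytes of one extracted member."""
    entropy = round(shannon_entropy(head), 2)
    for suffix, magic in EXPECTED.items():
        if name.endswith(suffix):
            ok = looks_like_text(head) if magic is None else head.startswith(magic)
            return ("ok" if ok else "needs-decrypt", entropy)
    # No known signature for this name (.bin, .bit): report entropy only.
    return ("unknown", entropy)


def triage(members: dict) -> dict:
    return {name: classify(name, data[:4096]) for name, data in members.items()}


# Constructed sample data. CIPHERTEXT is a stand-in with uniform byte
# frequencies, not real firmware content.
CIPHERTEXT = bytes((i * 197 + 13) % 256 for i in range(4096))
SAMPLE = {
    "webs.tar.gz": CIPHERTEXT,  # as it comes straight out of the .mav
    "dec_webs.tar.gz": gzip.compress(b"webs/index.asp" * 64),
    "initrun.sh": CIPHERTEXT,
    "dec_initrun.sh": b"cd /home/hik\n/bin/tar -zxf dvrCmd.tar.gz -C /opt/\n",
    "logo.bmp": b"BM" + bytes(52),
    "new_10.bin": CIPHERTEXT[:1024],
}

if __name__ == "__main__":
    for name, (verdict, entropy) in triage(SAMPLE).items():
        print(f"{name:16} {verdict:14} entropy={entropy}")
```

Entropy alone cannot separate encrypted members from compressed ones, which is why the signature check carries the verdict and entropy is only reported alongside it.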
  8. korin1

    korin1 Young grasshopper

    I forgot to mention that it was on Windows :)
    Where can the 3DES key be found?
     
  9. alastairstevenson

    alastairstevenson Staff Member

    Disclosure - from the DES_ecb3 source code freely provided by another forum member :
    Code:
        const DES_cblock key1 = {0x24, 0x8B, 0xA7, 0xF5, 0x4C, 0x7B, 0x9A, 0xE3},
                         key2 = {0x98, 0x75, 0x14, 0xE1, 0x1C, 0xBC, 0x46, 0xE3},
                         key3 = {0x78, 0x41, 0xBC, 0x11, 0x00, 0xB9, 0x2C, 0x13};
        DES_key_schedule ks1, ks2, ks3;
     
  10. alastairstevenson

    alastairstevenson Staff Member

    No - but this command-line should work OK, if you ignore the 'bad decrypt' diagnostic :
    Code:
    This works OK, though gives a bad decrypt, not sure why.
    
    openssl enc -d -in encFile -out decFile -des-ede3 -K 248BA7F54C7B9AE3987514E11CBC46E37841BC1100B92C13
     
  11. Purduephotog

    Purduephotog Getting the hang of it

    Joined:
    Oct 30, 2016
    Messages:
    86
    Likes Received:
    32
    @alastairstevenson - I tried following your example there line by line, and I finally got it to work. Thank you.

    When I try to pull apart the firmware for my NVR (the problematic one) I get:
    Code:
    openwrt@openwrt-VirtualBox:~/firmware/EZVIZNVR$ ../hikpack-2.5 -t k41 -i digicap.dav
    Magic   : 484b5753
    hdr_crc : 000018d3 (OK)
    lang_id : 00000001
    date_hex: 20160606
    devclass: 0000002a
    File: cramfs.img, CRC OK
    === Tail record:
    File: new_20.bin, CRC OK
    Extra tail at the end of dav, 71 bytes, maybe firmware id?
    openwrt@openwrt-VirtualBox:~/firmware/EZVIZNVR$ ../hikpack-2.5 -t k41 -i 
    I think I just realized there's a difference between hikpack and hik_repack v9/10 etc.... I'm slow
     
  12. rjprb

    rjprb n3wb

    Joined:
    Aug 11, 2019
    Messages:
    3
    Likes Received:
    0
    Location:
    Peru
    Hello, I have an NVR on which I installed an update with the firmware i_series_usa_firmware_v3.4.92_170518, which has a file digicap.dav, causing the NVR to no longer get past the logo screen, beeping 15 times and then restarting. I found another page with the firmware ds-90xx96xx-st77xx-sp_usa_firmware_v3.4.2_160530, which has a file digicap.mav, and I tried to install it using the PuTTY console and a TFTP server, but the TFTP server does not recognize the extension .MAV. How can I install the correct firmware?


    The first firmware upgrade I downloaded from https://www.hikvision.com/en/Support/Downloads/Firmware/NVR (digicap.dav); after the installation the NVR no longer gets past the logo screen.


    The page with the correct firmware for my NVR (digicap.mav) is https://us.hikvision.com/en/products/more-products/discontinued-products/network-video-recorder/ds-7700ni-sp-series-nvr-ds-7716ni-sp16