DS-2CD 6332 fwd (fisheye) -How to upgrade (CN to EN)

Nitin

Young grasshopper
Joined
Jan 26, 2015
Messages
34
Reaction score
2
Hello
I have a few of the above fisheye cams. They were all bought from China, so have CCCH in the serial number.
All of them have hacked firmware with English GUI.

Here is the info-
Firmware Version V5.0.9 build 141009
Encoding Version V4.0 build 141027

Now, looking at the firmware on Hikvision site, I see that newer firmware has h265 enabled (which is a big plus).

So, can somebody confirm if brickfixv2 kind of thing can be applied to these cameras (I am assuming these cameras will have mtd kind of hacks)

Alternatively, if package repackage can be used?

Please guide.

Thanks
Nitin
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
> So, can somebody confirm if brickfixv2 kind of thing can be applied to these cameras (I am assuming these cameras will have mtd kind of hacks)
I have no idea - as this isn't an R0 series camera - but if the firmware has telnet or SSH available to enable (pretty unlikely I know) you could take a look around at the flash layout and see if it's in any way similar to R0 series.
This would be a start.
cat /proc/mtd
 

Nitin

Here you go
(Sorry I have no idea what this means- mtd etc)

# cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00020000 "bst"
mtd1: 00100000 00020000 "ptb"
mtd2: 00100000 00020000 "bld"
mtd3: 00100000 00020000 "hal"
mtd4: 00100000 00020000 "ano_ptb"
mtd5: 00080000 00020000 "env"
mtd6: 00080000 00020000 "param"
mtd7: 00100000 00020000 "dpt"
mtd8: 00a00000 00020000 "rcvy"
mtd9: 00800000 00020000 "krn_pri"
mtd10: 00800000 00020000 "krn_sec"
mtd11: 00400000 00020000 "rmd_pri"
mtd12: 00400000 00020000 "rmd_sec"
mtd13: 01800000 00020000 "app_pri"
mtd14: 01800000 00020000 "app_sec"
mtd15: 00400000 00020000 "cfg_pri"
mtd16: 00400000 00020000 "cfg_sec"
mtd17: 01000000 00020000 "dbg"



prtHardInfo
Start at 2018-03-04 12:41:53
Serial NO :DS-2CD6332FWD-xxxxxxCCCH492873934
V5.0.9 build 141009
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 5
decodeChans = 1
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 0
flashChipNums = 0
ramSize = 0x4000000
networksNums = 1
language = 2
devType = 39425
SD status = 2 (0:noraml;none-0:timeout)

Thanks.
 

alastairstevenson

> Here you go
Hmmm ... Interesting. And quick!
That does look the same as the R0 series flash partition layout.

It might be interesting to take a peek at an extracted mtdblock6 to compare more detail.
Do you have any NetHDD destinations defined for the camera, Windows or NAS shares?
I wonder if tftp is still available in that old firmware? What, if anything, happens if you try the command tftp? Or ftp?
 

Nitin

Hello
Yes - tftp is enabled. This is how I am getting the details (and mucking around)

This seems to be the same type of camera. There is davinci in the directory etc.


How do I copy mtd0? In dev directory I see (below)
# cd dev
# ls
amb_gadget mtd0ro mtd8ro spidev0.1 tty30 tty6
ambac mtd1 mtd9 spidev0.2 tty31 tty60
ambad mtd10 mtd9ro spidev0.3 tty32 tty61
autofs mtd10ro mtdblock0 spidev0.4 tty33 tty62
console mtd11 mtdblock1 spidev0.5 tty34 tty63
core mtd11ro mtdblock10 spidev0.6 tty35 tty7
dev mtd12 mtdblock11 spidev0.7 tty36 tty8
dsp mtd12ro mtdblock12 tty tty37 tty9
dsplog mtd13 mtdblock13 tty0 tty38 ttyS0
edma mtd13ro mtdblock14 tty1 tty39 ttyS1
eeprom mtd14 mtdblock15 tty10 tty4 ttyS2
fdet mtd14ro mtdblock16 tty11 tty40 ubi1
full mtd15 mtdblock17 tty12 tty41 ubi1_0
hikio mtd15ro mtdblock2 tty13 tty42 ubi3
i2c-0 mtd16 mtdblock3 tty14 tty43 ubi3_0
iav mtd16ro mtdblock4 tty15 tty44 ubi4
input mtd17 mtdblock5 tty16 tty45 ubi4_0
iop mtd17ro mtdblock6 tty17 tty46 ubi_ctrl
kmsg mtd1ro mtdblock7 tty18 tty47 ucode
loop-control mtd2 mtdblock8 tty19 tty48 urandom
loop0 mtd2ro mtdblock9 tty2 tty49 usb1
loop1 mtd3 null tty20 tty5 usb2
loop2 mtd3ro overlay tty21 tty50 vcs
loop3 mtd4 ppp tty22 tty51 vcs1
loop4 mtd4ro psaux tty23 tty52 vcsa
loop5 mtd5 ptmx tty24 tty53 vcsa1
loop6 mtd5ro pts tty25 tty54 watchdog
loop7 mtd6 ram0 tty26 tty55 zero
mem mtd6ro random tty27 tty56



I will connect NAS as NFS and try to copy.

(Next answer will be late as going out)

Thanks
Nitin
 

alastairstevenson

> I will connect NAS as NFS and try to copy.
tftp will be OK, easy enough.

Suggestion to try:
Download the Philippe Jounin tftpd32 tftp server from here: TFTPD32 : an opensource IPv6 ready TFTP server/service for windows : TFTP server, and drop it into a folder on the PC.
Double-click it to start it up. Ignore any DHCP complaints.
And at the telnet/SSH prompt, whichever it is, in the camera, try these commands -
('l' is for local, and whatever the PC IP address is)

cd /
cat /dev/mtd6ro > mtd6ro
tftp -p -l mtd6ro <IP_address_of_your_PC>
rm mtd6ro
cat /dev/mtd5ro > mtd5ro
tftp -p -l mtd5ro <IP_address_of_your_PC>
rm mtd5ro

Then you could inspect the contents with a hex editor, and zip them up and attach here for study.

> (Next answer will be late as going out)
That's good because your camera will stay working a little longer before it gets messed with and bricked.
And despite that some of us do our best work while consuming alcohol (or it seems so at the time) there is no rush.
 

Nitin

Ok - To update -
There is no way I can take the copied file (so far)
I tried -
1. tftp (there is no tftp client in the shell so it does not work). I was able to do this though - cat /dev/mtd6ro > mtd6ro

2. NFS or CIFS share
I tried smb1 (by disabling smb2/3 as per Google), but the share found immediately goes to uninitialized
nfs - same. From memory, this version had this bug.

Please throw some ideas how to copy off the mtd5ro

Thanks
Nitin
 

alastairstevenson

For some reason I thought tftp was available - sorry about that. I think I was remembering the min-system recovery environment.
On the SMB/CIFS NetHDD connection - no need to format it to use it.
Just use the mount command to find the mount point. Then use the cp command to copy the files to the mount point instead of the tftp command.
I hope that makes sense.
I'm away just now - back tonight.
 

Nitin

Wow - What a trick - I thought I needed to create file structure (not format- but directories) before the cam could access.
I just found it mounted in nfs00!

Here is the mtd6. Thanks
Nitin

PS - Had to put dummy zip ext to upload.
 


Nitin

Ok - to update - mtd5 seems the same as 2xx2.
mtd6 has some changes - But again the language flags seem at the same place.

How to check?

Thanks
 

alastairstevenson

> mtd6 has some changes - But again the language flags seem at the same place.
Wow - that looks oh so familiar.
It does look to be laid out in the same way as the R0 series cameras.
In mtd6ro the language byte at hex location 10 is 02 which is CN. This could be changed to 01 for EN and the checksum amended.
The checksum bytes at locations 05,05 correctly match the data.
The devType bytes at 64,65 match the devType value in the prtHardInfo that you ran.

So - what to do?
I do think there is a pretty good chance that you could convert this camera to EN using the same method as the 'enhanced mtd hack' for R0 series.
However - you must realise that there is an element of risk in attempting this.
We haven't picked apart the firmware to see if the relevant sections look the same as those for R0 cameras.
If it was my camera I'd try the change - but then I'm fairly familiar with Hikvision internals and should be able to recover.
It's your choice.

Should you decide to accept this assignment, here is what you would need to do:
First - check something out that I should have thought of earlier.
For R0 cameras that had 5.2.8 firmware and earlier, some have no record in mtdblock1 of the result of the last firmware update - and 5.3.0 and later firmware objects to this, assumes it failed, and does not run.
So it would be prudent to check the content of an extract of mtd1ro
The hex location to check is 0C
If it holds 00 and not 01 then it will need fixed up.

But if mtd1ro is OK, here is how to re-write the mtd6ro_mod that's attached.
Unzip it to the Windows share that the NetHDD mount point is on.
At the camera telnet shell, use the following command (assuming that /mnt/nfs00 is the mount point) and then reboot the camera :

cat /mnt/nfs00/mtd6ro_mod > /dev/mtdblock6

Then a web GUI update through the various stock versions of EN/ML firmware should work OK.
 


Nitin

Hmm - The camera is already English.
I believe this camera was made English by the seller using CBX hacks.

The long script (var....) spells out Chinese. prtHardInfo spells out flag 2.

Also by the way - This camera has Ambarella chipset - making it closer (similar) to raptors?

Before I go and put in mtd6_mod (Thanks - I know how to bit modify and still keep the crc16), I have a few queries-
a) Before you devised the auto brickfix, everybody was modifying mtd5 and mtd6 and changing the language flags. This time you are asking to change only mtd6.
b) You mentioned mtd0. What I am confused about is that this camera has language Chinese, mtd5/6 are not hacked, and still GUI is English. It is accepted by my IVMS 4200 as English.

You already have helped contributing the thread
Acquired a 'bricked' DS-2CD6362F-IVS

But left some questions unanswered - Is my camera been modified by some version not available in wild (mtd5/6) as it does show flag Chinese in many places still the webgui is English?

Sorry - too many haphazard questions - Because I have basic knowledge of firmware - but no knowledge of mapping and the mtd blocks. But I think my camera has some version of making Chinese->English waiting to be discovered. (this camera was bought in 2014)
 

alastairstevenson

> Hmm - The camera is already English.
> I believe this camera was made English by the seller using CBX hacks.
Yes, but over CN clothing based on the language=2 in the prtHardInfo.
That usually means it's running 'hacked to English firmware' such that if the firmware was updated, best case you'd end up with CN menus, worst case a bricked camera.

> a) Before you devised the auto brickfix, everybody was modifying mtd5 and mtd6 and changing the language flags. This time you are asking to change only mtd6.
That's true. I studied the firmware, where it configures the running environment based on the 'hardware signature block', did some tests and experiments to confirm that the R0 'enhanced mtd hack' was effective. It was. And also confirmed by the many people who have used it.
> b) You mentioned mtd0. What I am confused about is that this camera has language Chinese, mtd5/6 are not hacked, and still GUI is English. It is accepted by my IVMS 4200 as English.
mtd1ro, not mtd0ro
It's easily possible to modify the firmware such that when the running environment is set up, and the camera language in the 'hardware signature block' is queried (whether it be the flash partition mtdblock6 for R0, or the WatchDATA chip in G0), the returned value is forced to 'EN'
That does not change the underlying language from being CN, as reported by prtHardInfo if its returned value has not also been masqueraded by a firmware modification.

> But left some questions unanswered - Is my camera been modified by some version not available in wild (mtd5/6) as it does show flag Chinese in many places still the webgui is English?
Very likely the firmware is not the stock Hikvision firmware but a 'hacked to English' version.
If you find a ' .licence' file lying around in /config or /davinci (I forget where it would be) that's a good clue that it's hacked firmware.
The early hacked firmware was tied to the specific camera such that the resellers couldn't just apply it to all their stock and avoid paying the price.
> Sorry - too many haphazard questions
No problem - it's a fair-sized topic.
 

Nitin

Unfortunately, it did not work.
The camera did not come up after copying the file into mtd (the mtd6).

Will check if it shows up using 192.0.0.128
 

Nitin

Ok - It's not showing up in 192.0.0.0 or 192.168.1.0 or sadp.
Not even brief pings.

Any other idea to unbrick?
 

alastairstevenson

Well, that's disappointing.
Did you check out mtdblock1?

With the PC IP address at 192.0.0.128 try a ping -t 192.0.0.64 and see if there are any responses after the camera is powered on.
 

Nitin

Ok - connected through single switch.
Get one ping after some time (on 192.0.0.64) from 192.0.0.128.
Did the following steps-

Downloaded old firmware from this link (downloaded 5.0.9 baseline)
DOWNLOAD PORTAL

Downloaded the hikvision ftp, disabled the firewall etc.

Still nothing - It does not show up in sadp or tries to contact the tftp server.

Investigation on...
 

alastairstevenson

> I will be ordering the serial cable now.
A couple of items required :
A serial TTL to USB convertor - a PL2303-based version works OK.
A 4-pin 1.5mm JST ZH wired connector - usually in 10-packs.
> Get one ping after some time (on 192.0.0.64) from 192.0.0.128.
Is this about 2 - 3 seconds after power on?

> It does not show up in sadp
If you haven't done so already - leave it powered for around 10 minutes or so and re-check.
There is (at least in R0 series) a hardware watchdog that reboots into min-system mode if 'davinci' doesn't periodically reset it.
 

Nitin

My moment of ... wait - cannot say that because who would have thought -
The modified mtd created a MAC address which is exactly the same as another of my 6332 on the network!!!
This is one in a million rarity? Found this out (that too by chance) after connecting the camera to power brick and connecting the camera direct to computer without switch (conventional wisdom is never connect directly). I would have missed the duplicate MAC, save it for sadp where I took the snapshot, reconnected the computer to my network to see the camera still present (though it was switched off). And then realized duplicate MAC.

In short - the camera works - The modified mtd WAS SUCCESSFUL. (though tried only prtHardInfo - which said language 1).
Next step is of course to upgrade. But before that - need to change the MAC. Can I request you to tell me which bit (must be in pairs so that crc16 remains same?) you changed so that I don't do that again (sorry no file comparer on this computer)

Thanks- your brainstorming worked on 6332 - you can safely(give me time to check updates) to you brickfix.
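
Added example (not part of the thread, and not code from any poster): a byte-level comparison of an original and a modified partition dump that lists every changed offset and flags any outside the set the edit was meant to touch, which is the check that surfaces a stray change such as the MAC before an image is written back. The sample images, the new checksum value and the 0x40 offset are constructed; the 0x10 language byte and the 0x05 checksum location are as written in the thread.

```python
"""Compare two flash-partition dumps and flag unintended byte changes."""

def changed_runs(original, modified):
    """Return [(offset, old, new)] for each contiguous run of differing bytes."""
    if len(original) != len(modified):
        raise ValueError("dumps differ in length; not the same partition?")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i                          # a run of differences begins
        elif a == b and start is not None:
            runs.append((start, bytes(original[start:i]), bytes(modified[start:i])))
            start = None
    if start is not None:                      # run reaches the end of the dump
        runs.append((start, bytes(original[start:]), bytes(modified[start:])))
    return runs

def unexpected_changes(original, modified, allowed_offsets):
    """Changed offsets that are NOT in the set the edit was meant to touch."""
    return [off + k
            for off, old, _new in changed_runs(original, modified)
            for k in range(len(old))
            if off + k not in allowed_offsets]

# --- Constructed sample data (not taken from any real camera dump) ---
ORIG = bytearray(range(256))
ORIG[0x10] = 0x02                    # language byte, 02 = CN per the thread
MOD = bytearray(ORIG)
MOD[0x10] = 0x01                     # intended edit, 01 = EN per the thread
MOD[0x05] = (ORIG[0x05] - 1) & 0xFF  # checksum byte; new value is made up
MOD[0x40:0x46] = b"\xaa" * 6         # stray 6-byte change at an arbitrary offset
ALLOWED = {0x05, 0x10}               # locations named in the thread

if __name__ == "__main__":
    for off, old, new in changed_runs(ORIG, MOD):
        print(f"0x{off:04x}: {old.hex()} -> {new.hex()}")
    stray = unexpected_changes(ORIG, MOD, ALLOWED)
    print("unexpected offsets:", [hex(o) for o in stray] or "none")
```

To compare real dumps, read both files in binary mode and pass the resulting bytes to the same two functions.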
 