DS-2CD2432F-IW 3MP firmware issue after trying to upgrade to 5.4

[John P]

Hi,

I messed up my Hikvision DS-2CD2432F-IW 3MP camera by trying to upgrade to the latest europe firmware via the web interface. Checked my downloads an the firmware was IPC_R0_EN_STD_5.4.5_170123.

I read somewhere that I could get the email alerts with gmail working by upgrading. Didn't know at that point that Hikvision cameras bought from Aliexpress will not work with Europe firmware etc.

The sticker on the back says the camera had 5.3.0_150513 on it. Date 05/2016.

After that firmware upgrade I couldn't access it anymore via browser and SADP doesn't find the camera either.

So reading on the forum I concluded I must put the chinese firmware on it. Downloaded the chinase firmware and tried to TFTP that on to the camera. It does transfer it but never shows the "system update completed" message on TFTP.

I connected the camera to a poe with just the laptop and the camera on it. Used wireshark to look at the traffic. At boot the camera uses 192.0.0.64 and is looking for the 192.0.0.128 TFTP server. It connects to it and transfers the firmware but never starts working and doesnt appear on SADP.

I let the camera be on the poe for a long time and came back to look at the wireshark capture seeing that it is sending a broadcast every 319.4 seconds. Like it would perhaps be booting every 319.4 seconds or something like that?

Any way to recover and get the camera up and running again?
Any help would be much apreciated.

 

[alastairstevenson]

The sticker on the back says the camera had 5.3.0_150513 on it. Date 05/2016.

With that manufacturing date, the 'upgrade' program in the camera will have the anti-rollback feature such that when the 5.4.0 and above firmware has been loaded, it will disallow any downgrading to a lower version such as the CN stock version. And prior to this check, the flash area holding the apps of the camera has already been erased, so it will not appear on SADP, it's just running a bare kernel.
And if it is a CN camera the EN/ML firmware of 5.4.0 and later will not run on it.
This is a 'Catch-22 trap' specifically set by Hikvision to catch CN region cameras being updated with the newer firmware.

I believe it would be possible to recover the camera, by the use of modified firmware to gain enough access to neuter the anti-rollback feature and allow earlier firmware to be re-installed.

 

[John P]

Thanks for the quick response. So if I understood you correctly the camera erased the old software when the new one was flashed to it, but the new firmware wasn't compatible so now it has just the bare kernel.

So should the camera accept the CN 5.3.0 firmware or does the camera interpret that it had 5.4.x on it and will no longer allow to run CN 5.3.0 either?

Any tips on which modified firmware should I try to TFTP on to it?

I tried yesterday to TFTP the CN IPC_R0_CN_STD_5.3.0_150513 firmware on to the camera found here: 海康威视是以视频为核心的物联网解决方案和数据运营服务提供商，面向全球提供安防、可视化管理与大数据服务。

That one didn't give me the completed notification on TFTP either and it didn't seem to change the camera behavior in any way. So assuming it didn't accept it either.

 

[alastairstevenson]

So should the camera accept the CN 5.3.0 firmware or does the camera interpret that it had 5.4.x on it and will no longer allow to run CN 5.3.0 either?

The anti-rollback feature now implemented in the upgrade program prohibits installing a lower version than what was last installed, including the failed install, so no going back to the 5.3.0 CN version.

Any tips on which modified firmware should I try to TFTP on to it?

I don't believe there is stock firmware that would fix this, I tried a selection, nor as far as I could see could it be fixed by using one of the tools published on here to alter the version to masquerade the 5.3.0 CN firmware as 5.4.0 and fool it into accepting it.
I'd hoped that would work, but it didn't.

I have managed to recover the sample camera, though, by a slightly convoluted method I'd not want to wish on anyone, using tweaked firmware.
There may be a chance to make the method more user-friendly, such as avoiding the need for the serial console, if I can spend some time on it.
@whoslooking, some interesting initial findings building up.

 

[whoslooking]

I had hit a block also, I managed to brick and recover but not via a recommend method, not sure if this is a trap or a poor error again from hik as its plays up for genuine recovery of a failed firmware update.

 

[John P]

Hi alastairstevenson,
do you have the same or similar camera with the same problem as me? How did you recover it?

 

[alastairstevenson]

I've been doing some detailed analysis on a bricked 2232-I5 that a helpful forum member sent 'for research' that does sound similar to what you, and others, have experienced.
The essence of the problem is described here: HELP! Cant find DS-2CD2432F-IW after updating firmware to 5.4.41_170312
This problem would previously have been readily dealt with but for some enhancements that Hikvision have made to the 'upgrade' program that does the update work, not just the addition of the 'psh' restricted shell, but the implementation of the 'anti-rollback' facility.

I'm still doing a lot of detail on this - maybe too much. There seems to be a subtle difference between the newer EN/ML and the CN firmware, that has so far eluded me, in how the core program in the firmware handles the device bootparam info for device_type and vitype (sensor number). I've just not got to the end of the trail yet.
I'm speculating that there is a deliberate trap aimed at CN language cameras where EN/ML firmware is loaded.

The recovery method I used is arguably a bit complex for the average user, but I have an idea for what I hope would be a reasonably friendly set of steps.
I'm not going to divulge any detail in public here as we've seen various examples of what Hikvision have changed in response to 'interesting' findings by 'researchers'.
Where about are you located?

 

[John P]

Hi,

I'm located in Finland.

I wonder what the Aliexpress seller would say if I asked for a refund due to no warnings about firmware being limited to CN and not upgradable.
Anyone had luck getting a refund?

 

[esal]

Hi

DS-2CD2032F-IW 5.3.0 b150513(orginal sticker but was inside V5.2.5 built 141501) > 5.3.0 > 5.4.0 > v5.4.5 b150513 Can't select E-mail Encryption (5.2.5 English hack, mtdblock6 hack)

DS-2CD2032F-IW 5.3.0 > V5.2.5 > 5.3.0 > 5.4.0 > v5.4.5 b150513 All ok (Downgrader 5.3.0 Chinese to 5.2.5 English hack, mtdblock6 hack)

 

[Cuddlah]

Hi, I've just had the same thing with mine .. exact same problem and exact same camera model, dated 11-2015. Did you have any luck getting this sorted?

Thanks.

 

[John P]

Hi, sorry I didn't have the time to solve this yet. The AliExpress seller wasn't very helpful.

I'm hoping there will be a new firmware I can install. Didn't check lately.

Please let me know if you have any luck solving it.

 

[alastairstevenson]

Did you have any luck getting this sorted?

Yes - all understood, bricked cameras unbricked, CN cameras converted to upgradeable, even 'non-upgradable 5.2.8 firmware' cameras upgradeable if you're willing and able to climb a bit of a learning curve.
Loads of people doing this - and updating to EN/ML firmware that fixes the 'Hikvision backdoor' serious vulnerability.

I'm not going to divulge any detail in public here as we've seen various examples of what Hikvision have changed in response to 'interesting' findings by 'researchers'.

I changed my mind after more of Hikvision's contempt for their customers, large and small.

Quite a few threads with info and experiences, but check out this starter one : Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

 

[zork1970]

Thanks for everyone's help I've been able to get my DS-2CD2432F-IW unbricked after trying to load the latest EN (english) firmware onto my CN(chinese) camera.

My initial firmware version according to the sticker was v5.3.0_150513.

I used the TFTP boot server from here:
ftp583v525.rar

And then copied the IPC_R0_CN_STD_5.4.41_170707/digicap.dav from here:
http://www1.hikvision.com/cn/download_more_714.html

Into the "ftp583v525\Auto Update" directory connect directly to my camera via an ethernet cable.

Manually set my ip address to 192.0.0.128 and started the tftpser.eve.

Then I rebooted my camera. Regardless of how badly you've screwed up your camera it will always set it's IP address to 192.0.0.64 and look for a TFTP boot service on 192.0.0.128 to download a new firmware from.

I hope this helps.

 

[alastairstevenson]

I've been able to get my DS-2CD2432F-IW unbricked after trying to load the latest EN (english) firmware onto my CN(chinese) camera.

Presumably the camera is now running with CN menus.
If you want to convert your CN camera to English/upgradeable so it can use the English / Multi-language firmware you could consider using this method :
Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

 

[Nayto]

Presumably the camera is now running with CN menus.
If you want to convert your CN camera to English/upgradeable so it can use the English / Multi-language firmware you could consider using this method :
Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Hi there, I was just about to go out and buy a new camera today when I thought I'd take one final look here since I hadn't checked this post for awhile, and with help from the last few posts I've managed to unbrick following Zork1970's method above. But as you said, I do indeed have CN menus now.

Just a quick question, to convert it to EN menus, do I still need to run through the entire BrickFix recovery steps from start to finish now that it is no longer bricked?

Thanks for all the assistance on these forums.

 

[alastairstevenson]

Just a quick qeustion, to convert it to EN menus, do I still need to run through the entire BrickFix recovery steps from start to finish now that it is no longer bricked?

You could simply do the 'enhanced mtd hack', which involves editing mtdblock6 and checking mtdblock1
The benefit of using the brickfixv2 tool on a working (non-bricked) camera is that some of the manual, fiddly, steps such as extracting mtdblock6 and re-applying mtdblock6 are scripted, so saving some understanding and some work.
Worth doing though on a working camera, even with CN menus, is to enable telnet or SSH and verify the devType value using the prtHardInfo command.

 

[Nayto]

Worth doing though on a working camera,

Thanks for the quick reply, decided to go ahead with the full upgrade - the only problem is, the camera won't seem to grab the firmware using the HikVision update now? I have it setup exactly as I did before when using Zork's method and that time it detected the camera and uploaded the file almost instantly... now the camera just seems to start up as normal every time I reboot it. I had a ping running to 0.64 and the camera replies for a few pings but then just continues on and starts up normally. Is there any way to force the .dav file onto the camera or make it request it other than just rebooting?

(Also I tried putting both the EN and CN versions of the brickfix in the folder, didnt seem to make a difference)

Thanks.

FYI; I managed to enable SSH on the camera and devType displays = 0x9812

 

[alastairstevenson]

FYI; I managed to enable SSH on the camera and devType displays = 0x9812

OK, so it's a DS-2CD2432F-IW

the camera won't seem to grab the firmware using the HikVision update now?

That facility should not have changed following the IPC_R0_CN_STD_5.4.41_170707 firmware - unless they have sneakily broken the tftp update method.
Just to confirm the requirements - PC IP address 192.0.0.128, camera wired to a router/switch port, not via WiFi, Hikvision tftp updater should have triggered a Windows firewall request to allow inbound access to tftpserve.exe, camera on a 12v power supply, not POE.
Maybe on a temporary basis, disable the Windows firewall.
And try the power cycle a few times. There have been posts where Win10 needs that.

What does the tftp updater status window show?

Is there any way to force the .dav file onto the camera or make it request it other than just rebooting?

The normal web GUI might accept the CN version of the brickfixv2 firmware, also worth trying the firmware update via the Batch Configuration Tool : Hangzhou Hikvision Digital Technology Co. Ltd.

 

[Nayto]

Can confirm I've covered all the requirements off, other than I'm not using a switch - I just have the camera connected directly to the PC via a patch lead. I did it this same way originally and didn't have any issues, I still get the first few "boot" pings from 0.64 fine but tftp updater just stays on initialized (TFTP server [192.0.0.128] initialized). I did try disabling the firewall earlier just trying to exhaust every avenue before replying here.

I also tried uploading via the GUI as well but that just gave me 升级失败.... or Update failed so Google Translate tells me Will give the Batch tool a shot now and see how that goes. Thanks.

 

[Nayto]

also worth trying the firmware update via the Batch Configuration Tool

Just tried the Batch Tool, both EN and CN versions of the Brick Updater file give a status of Upgrading Failed. Do you think it would be worth trying to downgrade to an older version of the firmware first?

Edit: Well, I think I managed to re-brick the camera now. On a whim I decided to change the service port from 8000 to 8001 via the GUI to see if this would make any difference to the Batch Tool. This caused the camera to restart, but this time tftp picked up the camera instantly (I still had it running in the background) and it got as far as:

[2018-03-28 23:15:07] Device[192.0.0.64]test tftpserver
[2018-03-28 23:15:16] Connect client success [192.0.0.64]Success
[2018-03-28 23:15:16] Start file transmitting[E:\TFTP\ftp583v525\Auto Update\digicap.dav]
[2018-03-28 23:15:52] Completed file[E:\TFTP\ftp583v525\Auto Update\digicap.dav] transmit

I left it at that for a good 15min or so and nothing, so restarted the camera and it's back to its old bricked state, won't pickup new firmware again and now SADP no longer finds it anymore :/ I do still get a few pings from 0.64 though during the normal "boot up" when its checking for the server....