G0 5.5+ firmware compiled Binaries/tools & Exploring the Cam

Discussion in 'Hikvision' started by rearanger, Jul 3, 2019.

  1. rearanger

    rearanger Young grasshopper

    Joined:
    Feb 10, 2016
    Messages:
    92
    Likes Received:
    16
    Location:
    Scottish Borders
    Compiled Binaries

    binutils
    gdb
    gdbserver 8.3
    strace
    Busybox 1.20 (fully loaded)

    You can gain access to the root by using sec.bin. If you are stuck on Chinese menus you can roll back using sec.bin and the files from another Chinese hacked cam. (Will provide file info at a later date.)

    I do not YET know how to get English language on a 5.5+ Chinese cam.

    The binaries have been tested on IPC_G0_CN_STD_5.5.53_180716.

  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,892
    Likes Received:
    3,419
    Location:
    Scotland
    Wow! Many thanks for sharing.
    That looks like a lot of work - and a steep learning curve being climbed. V. impressive!
  3. alastairstevenson

    alastairstevenson Staff Member
    I put ML files on a CN DS-2CD3335 a while back by creating a modified iefile.tar.gz - populating it with the language files from the EN/ML firmware and editing the Languages.json file.
    This was from the 5.4.41 G0 firmware, so the strings will likely be different, but it might give some ideas of a possible approach.
  4. rearanger

    rearanger Young grasshopper
    Attached uImage and /dav directory from G0 greymarket 5.3.3_150514

    Use it with hikpack and remake a ML upgrade / downgrade 5.3.3
    or use sec.bin to downgrade 5.5+ Chinese firmware (if you are stuck on Chinese)
    Last edited: Jul 5, 2019
  5. rearanger

    rearanger Young grasshopper
    If you use hikpack on davinci_bak there is a script attached to the head of the davinci file after you uncompress the LZMA. Run the script and it will give 2 files: davinci and ppp.
  6. alastairstevenson

    alastairstevenson Staff Member
    I've not looked at that yet - but what you've described is a characteristic of the 'dieter and fiona' hacked firmware.
    ppp is the rather smart patcher program that makes transient changes to the runtime environment, and checks a licence file, and integrity checks a few items. If it isn't happy, the environment reverts to a standard CN one.
  7. rearanger

    rearanger Young grasshopper
    Leecher's hik_repackv07 to unpack SOME G0 firmwares (works on IPC_G0_EN_STD_5.5.81_190102).

    Will also do IPC_G0_EN_STD_5.5.82_190130.

    Unpacker only, will not repack.

    It will do davinci, but that's left decrypted on the cam at runtime anyway.

    hik_repacker runs on x86 Linux.

    Last edited: Jul 8, 2019
  8. rearanger

    rearanger Young grasshopper
    Time to upgrade to 5.5.82 ... or try ...

    ML firmware unpacked using Leecher's unpacker, then manually put uImage and the /dav dir onto the cam.

    Chrome says

    <!DOCTYPE html>
    <html><head><title>Document Error: Not Found</title></head>
    <body><h2>Access Error: 404 -- Not Found</h2>
    <p>firmware language mismatch: /dav/webLib</p>
    </body>
    </html>

    You could edit the webLib or the davinci file.
    Last edited: Jul 10, 2019
  9. rearanger

    rearanger Young grasshopper
    Davinci 5.582 has protection on the decrypted ELF file. Some debuggers will alter the segments.

    5.5.53 never had this protection (initrun.sh has size restrictions).

    5.5.82 has PSH enabled in the uImage. Disable/delete/rename it in initrun.sh. Use sec.bin to boot to ash, mount the drives/partition and alter initrun.sh.

    If you have manually copied files from 5.5.82 EN to a Chinese cam, then you will be left in a boot loop. Use sec.bin to alter/fix boot loop issues.
    Last edited: Jul 10, 2019
  10. rearanger

    rearanger Young grasshopper
    You can sometimes mix and match files depending on the SDK used by Hikvision, e.g. an old uImage with a new web GUI, or a new web GUI with an old uImage.

    E.g. the 5.5.82 webLib will run with the uImage from 5.5.53. Many things will work fine.

    The command "busybox telnetd" will give you telnet access (busybox 1.20).
    "mount /dev/mmc01 /mnt/mmc01" will mount the mmc01.
    "mount /dev/nfs00 /mnt/nfs00" will mount the NFS drive (if you have set one up).

    /dev/mtdblock5 and 6 are the location of the uImage; there are 2 copies, one is a backup. If you trash them both you will go into a boot loop (use sec.bin again lol). Or if you totally trashed it, do a firmware tftp update.

    /dev/mtdblock7 and 8 are the location of the "/dav" directories.
    "Try to stay away from the mtdparts, as you may brick your cam with no return..."

    5.5.53 CH cam is easy to change to ML (I am unable to supply the details of the davinci code modification as it's not mine to give out; if I find another way of doing it I will release).

    5.5.53 /home/process/daemon_fsp_app loaded and decrypted davinci_bak. It decrypted to an LZMA, then uncompressed. Then it was executed.
    The full decrypted davinci was left in the /home/process/ directory. This copy of davinci was modified then run before daemon_fsp_app had a chance to run the original version. There you have a CH cam running ML (well, after you copy the webLib dir over to the cam from a ML cam).

    I have not converted the new 5.5.82 firmware to ML YET!

    Last edited: Jul 10, 2019
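The post above warns that trashing both uImage copies on /dev/mtdblock5 and 6 leaves the cam in a boot loop, and that the mtdparts can brick it with no return. A practitioner's first step before any of the file swapping described in this thread is therefore a verified backup of those partitions to the SD card. The script below is an added example, not code from the thread or from Hikvision; it assumes a BusyBox shell with dd and sha256sum available (the "fully loaded" BusyBox 1.20 from the first post), that the SD card is mounted at /mnt/mmc01 as shown above, and the mtdblock5 to 8 layout the post names. The function names and the backup directory are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): copy an MTD partition to removable
# storage and verify the copy before any modification is attempted.
set -u

# backup_partition SRC DEST
# Copies SRC (e.g. /dev/mtdblock5 on the cam) to DEST and writes the
# SHA-256 of the copy to DEST.sha256. Returns 0 only if the copy verifies
# against the source, so a half-written backup is never silently accepted.
backup_partition() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    dd if="$src" of="$dest" bs=64k 2>/dev/null || return 1
    sha256sum "$dest" | cut -d' ' -f1 > "$dest.sha256"
    verify_backup "$src" "$dest"
}

# verify_backup SRC DEST
# Re-hashes SRC and compares it with the hash stored next to DEST.
# Run this again before restoring: if the partition has changed since the
# backup was taken, the hashes differ and the function returns 1.
verify_backup() {
    src=$1
    dest=$2
    [ -f "$dest.sha256" ] || return 1
    want=$(cat "$dest.sha256")
    have=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# backup_all DESTDIR
# Backs up the partitions named in the thread (uImage on 5 and 6, /dav on
# 7 and 8). Assumed layout: check /proc/mtd on your own cam before relying
# on these numbers. Stops at the first partition that fails to verify.
backup_all() {
    destdir=$1
    mkdir -p "$destdir" || return 1
    for n in 5 6 7 8; do
        backup_partition "/dev/mtdblock$n" "$destdir/mtdblock$n.bin" || return 1
    done
}

# Typical use on the cam, with the SD card mounted as in the post:
#   backup_all /mnt/mmc01/backup-$(date +%Y%m%d)
```

Because each backup is verified by re-reading the source partition, the script doubles as a cheap integrity check later on: re-running verify_backup against the stored hash tells you whether anything has rewritten the partition since the backup was taken.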
  11. alastairstevenson

    alastairstevenson Staff Member
    Depending on the specific source of the NFS share - normally you'd need a slightly fuller command line for this, unless you're making use of a definition somewhere else.
    Plus, the NetHDD configuration in the web GUI does this too, making it permanent.

    mount -t nfs -o nolock 192.168.1.201:/sharename /mnt/nfs00

    Feel free - it's fine.
    Though maybe on request so Hikvision don't know for sure what to obscure on the next firmware rev, which on these cameras isn't EOL yet.
  12. rearanger

    rearanger Young grasshopper
    getting there slowly

  13. rearanger

    rearanger Young grasshopper
  14. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    Please write step by step how to write firmware with English language to the China version.
  15. rearanger

    rearanger Young grasshopper
    Need to check stability. Also it is a possibility that a shell script could be used to just copy the needed modifications across, or dump the mtdpart /dav across from sec.bin.

    It could end up being a very simple tutorial, if stable. (It may not be stable.)

    I would prefer if someone else released it and wrote the implementation tutorial.
    Last edited: Jul 12, 2019
  16. pepeEL

    pepeEL Getting the hang of it
    Please write me step by step. I need to repair my cam DS-2CD2035-I.
  17. rearanger

    rearanger Young grasshopper
    Someone else will need to do that. All the info needed is on the forums across 4 or 5 threads over the last 2/3 years.

    It just needs all putting together by someone.
  18. pepeEL

    pepeEL Getting the hang of it
  19. rearanger

    rearanger Young grasshopper
    Remember sec.bin is only for certain U-Boots. If you already have tftp in the U-Boot you have no need for sec.bin.

    You still need to use
    setenv bootargs console=ttyAMA0,115200 single loglevel=9
    saveenv

    Just doing a cam tonight with
    U-Boot 2010.06-128034 (May 14 2015 - 19:28:38)

    And it already has tftp built in.
  20. rearanger

    rearanger Young grasshopper
    I have noticed on this second upgrade 5.3 > 5.5.82 there are some strange effects. I would recommend using the Restore / Default settings in the Upgrade & Maintenance menu.

    I was unable to use this upgrade method via ssh. Even if you could use that method you would need TTL to get out of a boot loop if you triggered one.

    The cams I have here all have SD cards, so modified firmware has been installed from there.
    If your cam does not have an SD card you will need to install from NFS.

    It may be possible to flash directly to NAND from U-Boot/sec.bin, however I have not tried this.
    Last edited: Jul 13, 2019