G0/G1 - 2CD2145F CN to English conversion (work-in-progress)

Discussion in 'Hikvision' started by nithin, Oct 10, 2017.

  1. nithin

    nithin n3wb

    2CD2145F-IS Chinese model 4MP based on HI-Silicon H3516c processor (G0/G1?) platform
    I have been unsuccessful in changing the language from CN to EN.
    Any help in finding a way to downgrade the existing bootloader to an older version is appreciated.

    Current Firmware Link (#3) - V5.4.41 Build170710
    My camera came with firmware 5.4.24_170303.
    I have established RS232 serial access to the camera (see next post for details).
    My observations about this camera:
    1) It came with u-boot version U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03).
    The following are the only options available in the u-boot menu:
    Code:
    HKVS # help
    erase - erase flash except bootloader area
    go - start application at address 'addr'
    help - print command description/usage
    loadk - load kernel to DRAM
    update - update digicap.dav
    updateb - update bootloader
    upf - update firmware, format and update (factory use)
    ddr - ddr training function
    mii - MII utility commands
    ping - send ICMP ECHO_REQUEST to network host
    printenv- print environment variables
    reset - Perform RESET of the CPU
    saveenv - save environment variables to persistent storage
    setenv - set environment variables
    HKVS #
    
    2) u-boot prevents updating the setenv variables, thus any attempt to override bootarg fails.
    3) u-boot performs a signature check to prevent overwriting the u-boot with an older version (see below).
    Code:
    HKVS # updateb
    *******************************************************
    * ATTENTION: PLEASE READ THIS NOTICE CAREFULLY! *
    * DO NOT reset the device, or disrupt this process. *
    * If this process fails, the device might be unusable.*
    * If you find this too risky, power off device now. *
    * or press the SPACE key to start the process now *
    *******************************************************
    ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
    MAC: 54-C4-15-27-F6-29
    
    
    
    TFTP from server 192.168.1.128; our IP address is 192.168.1.64
    Download Filename 'u-boot_g0.bin'.
    Download to address: 0x82000000
    Downloading: # [ Connected ]
    ##########
    done
    Bytes transferred = 333192 (51588 hex)
    set public key failed.
    ver failed!
    resetting ...
    HKVS #
     
  2. nithin

    nithin n3wb

    RS232 wiring info for DS-2CD2145F
    IMG_4622.jpg

    RED - RX (TX on RS232 Adapter)
    BLACK - TX (RX on RS232 Adapter)
    WHITE - GND
     
  3. alastairstevenson

    alastairstevenson Staff Member

    Unless there are hidden commands not listed in the help - that's a pretty brain-damaged u-boot. Plus the code-signing requirement is a real barrier.
    And it may be that a signed version of the old bootloader may not exist.
    But why then provide a setenv if saveenv does not work? That's odd.
     
  4. nithin

    nithin n3wb

    setenv works with limited arguments such as ipaddr, serverip, netmask etc.
    setenv seems to ignore bootargs, bootcmd, bootfile etc.

    I tried setenv for bootargs followed by a saveenv and if I call printenv, I see no changes to bootargs are saved.

    The bootloader accepts firmware from 5.40.xx onwards using the tftp server method. The firmware versions 5.40+ seem to introduce firmware signing. I am hoping to find a signed version of the firmware with full shell access (with dd, cat, etc.). I still suspect Hikvision left hidden bootloader commands for backdoors. Thus far I am not able to uncover any such hidden options/commands. Alternatively, we can uncover the signing key used ....
     
    Last edited: Oct 10, 2017
  5. nithin

    nithin n3wb

    I forgot one more detail -
    The camera was purchased on Newegg.com and came with EN language set - original firmware 5.4.15_160608.
    They somehow even made the serial # appear WR in the web UI.
    This means whoever sold the camera knows how to reset the language to English on this CN camera.
    After I attempted to update the firmware, now I am stuck with CN language (and CN appears in the camera serial #)
     
    Last edited: Oct 10, 2017
  6. montecrypto

    montecrypto IPCT Contributor

    There are no hidden commands in uboot except "go." that loads sec.bin file from tftp. That file contains the rest of the u-boot, including all the commands you need to directly access ubifs filesystem or memory. Hikvision is obviously not interested in sharing sec.bin, but there have been leaks. Each u-boot version uses a matching sec.bin
     
  7. nithin

    nithin n3wb

    Thanks @montecrypto,

    I have tried sec.bin with go. command from Watchdata EMV chips in R6, G0 and other cameras (thanks @JAFO)
    but nothing happens (see logs below)

    HKVS # go.
    ETH0: PHY(phyaddr=3, mii) link UP: DUPLEX=FULL : SPEED=100M
    MAC: 54-C4-15-27-F6-29
    TFTP from server 192.168.1.128; our IP address is 192.168.1.64
    Download Filename 'sec.bin'.
    Download to address: 0x81fffed8
    Downloading: # [ Connected ]
    ##########
    done
    Bytes transferred = 333192 (51588 hex)
    Exit1!
    HKVS #

    I think the sec.bin fails signature check and does nothing.
    As per your comments, I need a matching sec.bin for U-Boot 2010.06-263780 (Mar 14 2017 - 20:24:03).

    On another note, if I can corrupt part of NAND at partition #0 - bld, (0x00000000, size 0x00100000) would it cause bootstrap code to fault allowing a way to side load the u-boot code?
    For this trick to work, I still need to find an exploit to cause dd command to run. I am sure someone else may have figured this out :)

    Thanks in advance.
     
  8. Gul-Dukat

    Gul-Dukat Young grasshopper

    I think you will find the busybox within is a cut-down version and won't have dd.
    My version 2xx5 cameras all had BusyBox v1.19.3 (2015-09-24 09:15:35 CST) which was missing a number of functions including dd.
    I ended up getting a much more recent and jam-packed version for the ARMv7:

    https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l


    I was able to mount my NFS server over the network and run that busybox... however that was because I had ash and not psh already.
     
    nithin likes this.
  9. Gul-Dukat

    Gul-Dukat Young grasshopper

  10. nithin

    nithin n3wb

    I have tried that sec.bin without luck. u-boot seems to enforce a signature check, preventing it from loading.
     
  11. nithin

    nithin n3wb

    Hi Gul,
    Can you please share the steps to run the generic busybox on G0?
    Thanks
     
  12. alastairstevenson

    alastairstevenson Staff Member

    Here is a worked example on a DS-2CD3335 :
    Code:
    alastair@PC-I5 ~ $ ssh admin@192.168.1.100
    admin@192.168.1.100's password:
    
    
    BusyBox v1.19.3 (2017-01-18 20:54:04 CST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # prtHardInfo
    Start at 2017-10-13 21:56:52
    Serial NO :DS-2CD3335D-I20150619AACH524222564
    V5.4.41 build 170710
    NetProcess Version: 1.7.1.179932 [14:53:09-Dec 10 2016]
    Db Encrypt Version: 65537
    Db Major Version: 1176
    Db svn info:
    Path: /Camera/Platform/Branches/branches_frontend_software_platform/db_process_for_5.4.20
    Last Changed Rev: 233659
    Last Changed Date: 2016-11-08 11:13:39 +0800 (Tue, 08 Nov 2016)
    hardwareVersion    = 0x0
    hardWareExtVersion    = 0x0
    encodeChans        = 1
    decodeChans        = 1
    alarmInNums        = 0
    alarmOutNums        = 0
    ataCtrlNums        = 0
    flashChipNums        = 0
    ramSize            = 0x100
    networksNums        = 1
    language            = 1
    devType            = 0x22501
    net reboot count    = 0
    vi_type            = 32
    Path: /Camera/Platform/Branches/branches_frontend_software_platform/comm_bug_fix/cgi_fix/ipc_repair/ipc_5.4.24_g0
    Last Changed Rev: 297913
    Last Changed Date: 2017-07-10 21:23:14 +0800 (Mon, 10 Jul 2017)
    
    
    # mount
    rootfs on / type rootfs (rw)
    proc on /proc type proc (rw,relatime)
    none on /sys type sysfs (rw,relatime)
    ramfs on /home type ramfs (rw,relatime)
    udev on /dev type tmpfs (rw,relatime)
    devpts on /dev/pts type devpts (rw,relatime,mode=600)
    /dev/mtdblock7 on /dav type yaffs2 (rw,relatime)
    /dev/mtdblock9 on /devinfo type yaffs2 (rw,relatime)
    192.168.1.201:/cctv1 on /mnt/nfs00 type nfs (rw,sync,relatime,vers=3,rsize=4096,wsize=4096,namlen=255,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,soft,noac,nolock,proto=tcp,port=2049,timeo=70,retrans=3,sec=sys,local_lock=all,addr=192.168.1.201)
    # cd /mnt/nfs00
    # ls -al
    drwxrwxrwx   13 admin    root          4096 Oct 13 20:09 .
    drwxrwxrwx   13 admin    root             0 May  2  2013 ..
    drwxrwxrwx   15 admin    nogroup      20480 Oct  9 21:08 @Recycle
    drwxrwxrwx    4 503      100           4096 Oct  5 10:01 G0_upd
    -rwxr-xr-x    1 admin    root          1772 Oct  5 21:25 app
    -rwxrwxrwx    1 65534    nogroup    1109128 May 26  2015 busybox-armv6l
    -rwxrwxrwx    1 65534    nogroup    1109128 May  2  2015 busybox-armv7l
    -rwxrwxrwx    1 65534    nogroup         84 Jun 18 22:29 commands.txt
    -rwxrwxrwx    1 503      100          19672 Jan 23  2017 daemon_fsp_app_545
    -rw-rw-rw-    1 503      100          19672 May 30  2016 daemon_fsp_app_IPC_R0_EN_STD_5.4.0_160530
    drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir0
    drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir1
    drwxrwxrwx    2 admin    root         12288 Nov 20  2016 datadir2
    -rwxrwxrwx    1 503      100           5468 Sep 28 20:53 digicapkeyArm.ko
    -rw-rw-rw-    1 503      100          30118 May 30  2016 en.tar.gz
    -rw-r--r--    1 admin    root        781248 Sep 28 10:06 encode
    drwxrwxrwx    4 503      100           4096 Oct  3 21:03 files_5420_running
    -rw-rw-rw-    1 503      100        9021594 Oct 13 20:08 g0_app.tar.gz
    -rw-r--r--    1 admin    root       9021980 Oct 13 13:46 g0_app.tar.gz_working
    -rw-r--r--    1 admin    root        736700 Oct 13 13:46 g0_modules.tgz
    -rw-r--r--    1 admin    root            68 Sep  8 19:35 info.bin
    -rwxrwxrwx    1 503      100           7314 Oct  9 21:08 initrun.sh
    -rw-rw-rw-    1 503      100           7314 Oct  9 21:08 initrun_changemod.sh
    -rwxrwxrwx    1 503      100           7242 Oct  9 20:59 initrun_ethtest.sh
    -rw-rw-rw-    1 503      100           6674 Oct  8 20:59 initrun_orig.sh
    -rwxrwxrwx    1 503      100          19672 May 30  2016 keydump540
    -rwxrwxrwx    1 503      100          19672 Jan 23  2017 keydump545
    lrwxrwxrwx    1 admin    root            11 Mar 18  2017 linuxrc -> bin/busybox
    -rw-r--r--    1 admin    root        524288 Oct 12 19:24 mtd6_before
    drwxrwxrwx    2 503      100           4096 May 18 19:43 multimedia
    drwx------    2 admin    root          4096 Oct 10 21:06 pulse-PKdhtXMmr18n
    drwxrwxrwx    2 admin    root          4096 Feb 28  2017 s500
    drwxrwxrwx    3 admin    root          4096 Sep 26 10:51 tmp
    drwxr-xr-x   11 admin    root          4096 Sep  8 15:53 xcontents
    # ./busybox-armv7l --help
    BusyBox v1.21.1 (2013-07-08 10:26:30 CDT) multi-call binary.
    BusyBox is copyrighted by many authors between 1998-2012.
    Licensed under GPLv2. See source distribution for detailed
    copyright notices.
    
    Usage: busybox [function [arguments]...]
       or: busybox --list[-full]
       or: busybox --install [-s] [DIR]
       or: function [arguments]...
    
        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.
    
    Currently defined functions:
        [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash, awk, base64, basename, beep, blkid,
        blockdev, bootchartd, brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod, chown,
        chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm, conspy, cp, cpio, crond, crontab, cryptpw,
        cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff, dirname,
        dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, ed, egrep, eject, env, envdir,
        envuidgid, ether-wake, expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat, fdisk,
        fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd, ftpget,
        ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname,
        httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod, install, ionice,
        iostat, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill, killall,
        killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname,
        logread, losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
        makedevs, makemime, man, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2,
        mkfs.minix, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount, mountpoint, mpstat,
        mt, mv, nameif, nanddump, nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup, ntpd, od,
        openvt, passwd, patch, pgrep, pidof, ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir,
        poweroff, powertop, printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate, rdev, readahead,
        readlink, readprofile, realpath, reboot, reformime, remove-shell, renice, reset, resize, rev, rm, rmdir,
        rmmod, route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir, rx, script, scriptreplay, sed,
        sendmail, seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setserial, setsid, setuidgid, sh,
        sha1sum, sha256sum, sha3sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit, sort, split,
        start-stop-daemon, stat, strings, stty, su, sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync,
        sysctl, syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time, timeout, top, touch,
        tr, traceroute, traceroute6, true, tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand,
        uniq, unix2dos, unlzma, unlzop, unxz, unzip, uptime, users, usleep, uudecode, uuencode, vconfig, vi, vlock,
        volname, wall, watch, watchdog, wc, wget, which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip
    
    #
    
    *edit*
    And this could be how to integrate it in permanently, in initrun.sh (camera) or start.sh (NVR) :
    Code:
    # Add in the fuller busybox, which has telnetd in it and more.
    mv /home/app/busybox-armv7l /bin
    chmod +x /bin/busybox-armv7l
    /bin/busybox-armv7l --install -s /bin
    /bin/busybox-armv7l telnetd
     
    Ca't'h'y, nithin and Gul-Dukat like this.
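Added example (not part of the original posts, and not the posters' or Hikvision's code): the directory listing above shows busybox-armv7l sitting world-writable on an NFS share, so a permanent install step should check the binary against a pinned SHA-256 before it is copied into place and executed. The function names, directories and the pinned value are hypothetical, and a `sha256sum` utility on PATH is assumed.

```shell
#!/bin/sh
# Added example: install a replacement busybox only if it matches a pinned SHA-256.
# Assumption: a `sha256sum` utility is on PATH (run on the staging host if the
# firmware's cut-down busybox lacks it). Function names and paths are hypothetical.

# Print the hex SHA-256 of a regular file; fail if it is missing.
file_sha256() {
    [ -f "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX: succeed only on an exact, full-length match.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated, empty or non-hex pin must never be accepted.
    case "$expected" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(file_sha256 "$1") || return 1
    [ "$actual" = "$expected" ]
}

# install_verified SRC EXPECTED_HEX DEST_DIR LINK_DIR
# Copies SRC into DEST_DIR under a temporary name, verifies the copy, and only
# then makes it executable, renames it into place and creates applet links.
install_verified() {
    src=$1; pin=$2; dest_dir=$3; link_dir=$4
    name=$(basename "$src")
    tmp="$dest_dir/.$name.$$"
    verify_sha256 "$src" "$pin" || { echo "hash mismatch: $src" >&2; return 1; }
    cp "$src" "$tmp" || return 1
    # Check the copy too: the source may be on a share other hosts can write to,
    # so it can change between the first check and the copy.
    if ! verify_sha256 "$tmp" "$pin"; then
        rm -f "$tmp"
        echo "file changed during install: $src" >&2
        return 1
    fi
    chmod 755 "$tmp" && mv "$tmp" "$dest_dir/$name" || { rm -f "$tmp"; return 1; }
    # Applet links go to a separate directory so stock commands are not shadowed.
    mkdir -p "$link_dir" || return 1
    "$dest_dir/$name" --install -s "$link_dir"
}

# Usage (placeholders, not real values):
#   install_verified /mnt/nfs00/busybox-armv7l "<pinned-sha256>" /bin /bin/bb-extra
```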
  13. montecrypto

    montecrypto IPCT Contributor

    Just received a G1. Contrary to popular belief, G1 is not an English equivalent of G0. It is a different camera platform based on Ambarella S3L. It resembles R2 -- the amboot does not have any firmware parsing code, it boots a minisystem that flashes digicap.dav. Good news -- amboot does not appear to be signed, only crc32 is validated and it should be possible to reflash it if needed.
     
  14. nithin

    nithin n3wb

    Very interesting. Thanks
     
  15. alastairstevenson

    alastairstevenson Staff Member

    nithin likes this.
  16. nithin

    nithin n3wb

    I have two G0, 2CD2145F-IS cameras, both have drastically different internal PCB designs.
    Both use the G0, HiSilicon_V300 CPU (CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d)

    Camera #1: (all the electronics + power supply are on 1 board, CMOS sensor+lens on a separate breakout board)
    [​IMG]

    Camera #2: (split design, most of the electronics are on the camera board, power supply on a separate board, below)
    [​IMG]

    I wonder if they have multiple G0/G1 variations of 2CD-21X5
     

  17. Gul-Dukat

    Gul-Dukat Young grasshopper

    My 2135's are also different designs. The 2.8mm lens is on a split board. The 4mm is one larger board at the base.
     
  18. Ca't'h'y

    Ca't'h'y n3wb

    According to the method you described, I added the code to initrun.sh (camera) and packed it, but it can't upgrade in the camera correctly. I want to know how to upgrade the software that we revised. Thank you, waiting for your reply!
     
  19. alastairstevenson

    alastairstevenson Staff Member

    Without more detail on what you tried it's not really possible to suggest what you should do.
     
  20. wmocahbee

    wmocahbee n3wb

    I know this may be a stab in the dark, but is there not a way to put DD on an SD card and mount it and execute it from there?