Hik brick-fix and downgrader tool - R0 / DS-2CD2x32 IP cameras.

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I'm sure like me you've noticed the steady flow of posts about 'bricked' Hikvision 2x32 cameras.
These were boosted after Hikvision published their security advisory about updating to the 5.4.41 or later firmware to close off the high-severity vulnerability that forum member @montecrypto discovered.
I thought it might be interesting, and maybe useful, to take a look at why this was happening. After all - on most computing platforms it's best practice to keep on top of security updates, unless you want to be a brickerbot or ransomware victim.
But as we know, Hikvision have a strategy of trying to disadvantage their customers who purchase their products via 'unauthorised' channels, which makes their firmware updates decidedly risky and unpredictable.

As I'd loaned out all my spare Hikvision cameras I put up a 'Want to Buy' entry in the Classified section: "WTB - Bricked Hikvision R0 series (DS-2CD2xx2) IP camera".
And a couple of forum members were generous enough to send samples of bricked cameras for analysis. You know who you are - many thanks for this, it's much appreciated, and will be useful to others.

I've poked around and analysed and figured a few things out.
And seen how Hikvision have incorporated code to create deliberate traps, whether it is to catch out those doing the 'mtd hack', or those who want to downgrade to avoid the 'language mismatch' problems, or those whose cameras had a specific 'hacked to English' firmware installed by the on-line reseller.
I do think these tricks erode their brand value, which is a pity as the products are actually very good.
Examples: "WTB - Bricked Hikvision R0 series (DS-2CD2xx2) IP camera" and "A new Hikvision tripwire".

I managed to recover the bricked cameras by some convoluted methods, not really practical for the average end-user.
But from the resulting analysis I have created a tool, which on somewhat limited testing (not just mine), has recovered what were well-bricked cameras, and is easy enough to use.
I'm not going to publish the tool publicly, as we know that Hikvision do monitor ipcamtalk.com and do try in their firmware updates for cameras and NVRs to block some of the mods that 'researchers' have used that can make the products work better for them.

The Brick-fix can be used on R0 cameras that exhibit no web services, that don't respond to SADP, and appear fairly dead.
This is a bit of a 'Catch-22' state - can't update, the firmware doesn't like the camera. Can't downgrade, attempts are blocked.

The fix is wrapped as a firmware file, so the process is straightforward -
Use the normal Hikvision tftp updater tool to apply the firmware.
Ensure the camera boots once or more.
Use the @whoslooking '5.3.0 to 5.2.5 downgrader' to bring the camera back to life, probably with CN menus if it was originally a CN camera. (Thread: "Custom Firmware Downgrader 5.3.0 Chinese to 5.2.5 English")
Then the 'mtd hack' can be done to convert the camera to English menus.

At this point the camera should be in a fully working state, with older firmware, English menus and could be left as-is.
But it should be able to be moved on up the firmware revisions to 5.3.0 and 5.4.0 and 5.4.5 - given that the mtdblock used in the 'mtd hack' is checked out and potentially fixed up to remove yet another update trap.

With the caveat that there is some risk in the procedure, but hey, it's a bricked camera anyway that has resisted all fix attempts - if you'd like to try this out let me know via a PM, aka 'Conversation'.
But no 'Hikcontact' member please!
 

ced105

n3wb
Joined
Apr 16, 2017
Messages
7
Reaction score
4
Hello,
It works, the menus are in Chinese but we will correct this soon.
Thank you Mr Alastairstevenson and others for their participation.
 

alastairstevenson

You are very welcome.
And well done on being able to use the serial console and PuTTY to show the progress of the fixes and updates.
Now you need to look into the 'mtd hack' and we need to examine the contents of mtdblock6 and maybe fix it up so that updates to 5.3.0 to 5.4.0 to 5.4.5 can be done.
 