Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,522
Reaction score
547
Location
London
Full English Including days of the week for Version 5.2.5 & 5.2.8.

This Again is the mtd5 & mt6 Hack, but requires you to maintain the checksum -16 to the original value.
So if you change the region flag from Chinese to EN / US you need to find the other correct value to also change allowing the checksum to remain the same.

This solves the day of week in Chinese and also the Issues with IVMS and NVR with region mismatch.

Yes the Language is now region 1

No you can’t upgrade to 5.3.0 this is done via another check which I’m still looking for.

All the normal things use at your own risk, but fully tested on my own cameras.
One thing to remember that, If you update the camera you have to use Chinese firmware, with the region changed on the firmware with hiktools
to region 1.

This is also a fix for the cameras brought from AliExpress with hacked firmwares (from that Russian) that don't work correctly.

1st setup your NAS storage on your Camera

With Putty as Telnet Port 23

IP = 192.0.0.64

user = root
password = 12345

cd /mnt/nfs00

To copy the mtd files

cat /dev/mtdblock5 > temp5
cat /dev/mtdblock6 > temp6

Change the flag bytes using HxD editior,
Then putting them back with the changed block:

cat temp5 > /dev/mtdblock5
cat temp6 > /dev/mtdblock6
Reboot






NOTE: Always backup you mtd files before you play with them.

Don't forget the Thanks Button!



As Always Enjoy and Enjoy it for Free!

And the video linked below.

https://www.ipcamtalk.com/showthread.php/5988-MTD-HACK-made-easy-on-Video









 

Attachments

Last edited by a moderator:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,739
Reaction score
5,735
Location
Scotland
Hey, well done, and thanks for sharing!
But I'm curious - why did you pick the MAC address to change on mtdblock5 and the reset code on mtdblock6?
Out of interest - in your experiments, did you also try decrementing the checksum by the amount you changed the language byte?
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,522
Reaction score
547
Location
London
It was the safest things to change, I tried a few times and they just fail to boot.
But maintaining the same checksum worked everytime.
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
I think it's better change for example date, not security code. And change the same things in MTD5 and MTD6.
 

Brenner

Young grasshopper
Joined
Mar 17, 2015
Messages
44
Reaction score
0
Hi Whoslooking and thanks very much for your manuals!!!


Short question for my 2332 (5.2.5). Ist the hex position of number "57" in the mtd6 always the same?

In my case I found it two characters on the right ifI compare it with your screenshots.
 

Attachments

Last edited by a moderator:

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
UWFEHK is your security code. I think, that is better change same numbers in same positions! For example in 2015 and next.
 

Brenner

Young grasshopper
Joined
Mar 17, 2015
Messages
44
Reaction score
0
With security code you mean the login password? In my case it is the default "admin/12345". But why I have to change it? I´m confused now.
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
No, this is security code for EZVIZ and NVR.
 

Brenner

Young grasshopper
Joined
Mar 17, 2015
Messages
44
Reaction score
0
Ahh, ok. So I will wait what whoslooking write about the changes.
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
As I wrote - you can change for example date 2015XXXX.
 

Brenner

Young grasshopper
Joined
Mar 17, 2015
Messages
44
Reaction score
0
Sorry, I dont understand what I have exact to do in the hex editor :-(

Need a guide for stupids.
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
20150316 in both files, we will change xxxx3xx

MTD5:
no 56 to 57, but line under, 33 to 34

MTD6:
no 57 to 58, but 3 line under (byte 46), 33 to 34

The same things in both MTD!

EDIT: if you want, you can change not month, but date - it's on you. But same things in both MTD!
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
You must have MTDUTILS and worked sharing with PC/NAS.

cd /mnt/nfs00/mtdutils-1.5.0-arm-linux-gnueabi/sbin

./nanddump -nof mtd5_temp /dev/mtd5
./nanddump -nof mtd6_temp /dev/mtd6



Manipulate with bytes (02 to 01 in lang and X to X+1 for example 33 to 34 or 9A to 9B in for example date), checkum will be same.


./flash_eraseall /dev/mtd5
./flash_eraseall /dev/mtd6


./nandwrite -o /dev/mtd5 mtd5_temp
./nandwrite -o /dev/mtd6 mtd6_temp
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
I know, I wrote it to first post.

You have 20150320, you can manipulate with day, xxxxxx20, for example byte 48 (30 to 31).
 

Brenner

Young grasshopper
Joined
Mar 17, 2015
Messages
44
Reaction score
0
1.) YEAH, I got it.
It seems that it doesn´t matter on which space the signs are. Just change the values like shown in the first thread. It only important to have the same checksum everytime.


2.) Picture mistake?
I think there is a little mistake in picture 2. In picture 1 the textmarking goes to line 00000710. In picture 2 it goes to line 00000740.
I don´t know if this is ok because I get the same checksum results, doesn´t matter I marked the text to 710 or 740.




Thanks to you both!!!!


I hope whoslooking found the hex sign to enable multiple line (line crossing detection) for newer cam that aren´t downgradable to 5.1.6.
 

S474N

Getting the hang of it
Joined
Feb 18, 2015
Messages
143
Reaction score
8
1) Yes, but there isn't rational reason to change security code.

2) Yes, but there is 00 00 00 etc. and this have no influence to checksum.
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,522
Reaction score
547
Location
London
The change can be made in a few different locations, what you must remember is keeping the checksum intact, i found that the build date and serial number played up on some models, but the mac code and reset didn't have any side effects. If you find where else works and the model add to the post,
If the checksum is good it will still boot without bricking, but keep a copy of the mtd file just to be safe.
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,522
Reaction score
547
Location
London
1.) YEAH, I got it.
It seems that it doesn´t matter on which space the signs are. Just change the values like shown in the first thread. It only important to have the same checksum everytime.


2.) Picture mistake?
I think there is a little mistake in picture 2. In picture 1 the textmarking goes to line 00000710. In picture 2 it goes to line 00000740.
I don´t know if this is ok because I get the same checksum results, doesn´t matter I marked the text to 710 or 740.




Thanks to you both!!!!


I hope whoslooking found the hex sign to enable multiple line (line crossing detection) for newer cam that aren´t downgradable to 5.1.6.
Well spotted lol yes we check down to 740,
And im still looking for multiple cross line detection and face detection, but no luck so far.
But this is what NetworkCameraCritic was looking for and how we stop the bricking.
 

phil

n3wb
Joined
Apr 22, 2015
Messages
11
Reaction score
1
Location
uk
Hi whos looking

Do you have a step by step guide on how to do this , i have a 2032 which will only work with firmware Chinese 5.2.5 and language mismatch in my uk nvr
 
Top