Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack

Discussion in 'Hikvision' started by whoslooking, May 3, 2015.

Share This Page

  1. whoslooking

    whoslooking IPCT Contributor

    Joined:
    Oct 3, 2014
    Messages:
    1,511
    Likes Received:
    538
    Location:
    London
    Full English Including days of the week for Version 5.2.5 & 5.2.8.

    This Again is the mtd5 & mt6 Hack, but requires you to maintain the checksum -16 to the original value.
    So if you change the region flag from Chinese to EN / US you need to find the other correct value to also change allowing the checksum to remain the same.

    This solves the day of week in Chinese and also the Issues with IVMS and NVR with region mismatch.

    Yes the Language is now region 1

    No you can’t upgrade to 5.3.0 this is done via another check which I’m still looking for.

    All the normal things use at your own risk, but fully tested on my own cameras.
    One thing to remember that, If you update the camera you have to use Chinese firmware, with the region changed on the firmware with hiktools
    to region 1.

    This is also a fix for the cameras brought from AliExpress with hacked firmwares (from that Russian) that don't work correctly.

    1st setup your NAS storage on your Camera

    With Putty as Telnet Port 23

    IP = 192.0.0.64

    user = root
    password = 12345

    cd /mnt/nfs00

    To copy the mtd files

    cat /dev/mtdblock5 > temp5
    cat /dev/mtdblock6 > temp6

    Change the flag bytes using HxD editior,
    Then putting them back with the changed block:

    cat temp5 > /dev/mtdblock5
    cat temp6 > /dev/mtdblock6
    Reboot






    NOTE: Always backup you mtd files before you play with them.

    Don't forget the Thanks Button!



    As Always Enjoy and Enjoy it for Free!

    And the video linked below.

    https://www.ipcamtalk.com/showthread.php/5988-MTD-HACK-made-easy-on-Video





    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
     

    Attached Files:

    Last edited by a moderator: Nov 12, 2015
    dtlight, robilight, hubail and 58 others like this.
  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,085
    Likes Received:
    3,057
    Location:
    Scotland
    Hey, well done, and thanks for sharing!
    But I'm curious - why did you pick the MAC address to change on mtdblock5 and the reset code on mtdblock6?
    Out of interest - in your experiments, did you also try decrementing the checksum by the amount you changed the language byte?
     
    whoslooking likes this.
  3. whoslooking

    whoslooking IPCT Contributor

    Joined:
    Oct 3, 2014
    Messages:
    1,511
    Likes Received:
    538
    Location:
    London
    It was the safest things to change, I tried a few times and they just fail to boot.
    But maintaining the same checksum worked everytime.
     
    alexander.omiz likes this.
  4. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    I think it's better change for example date, not security code. And change the same things in MTD5 and MTD6.
     
    multigamma likes this.
  5. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    Hi Whoslooking and thanks very much for your manuals!!!


    Short question for my 2332 (5.2.5). Ist the hex position of number "57" in the mtd6 always the same?

    In my case I found it two characters on the right ifI compare it with your screenshots.
     

    Attached Files:

    Last edited by a moderator: May 4, 2015
  6. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    UWFEHK is your security code. I think, that is better change same numbers in same positions! For example in 2015 and next.
     
  7. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    With security code you mean the login password? In my case it is the default "admin/12345". But why I have to change it? I´m confused now.
     
  8. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    No, this is security code for EZVIZ and NVR.
     
  9. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    Ahh, ok. So I will wait what whoslooking write about the changes.
     
  10. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    As I wrote - you can change for example date 2015XXXX.
     
  11. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    Sorry, I dont understand what I have exact to do in the hex editor :-(

    Need a guide for stupids.
     
  12. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    20150316 in both files, we will change xxxx3xx

    MTD5:
    no 56 to 57, but line under, 33 to 34

    MTD6:
    no 57 to 58, but 3 line under (byte 46), 33 to 34

    The same things in both MTD!

    EDIT: if you want, you can change not month, but date - it's on you. But same things in both MTD!
     
    Pboo likes this.
  13. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    You must have MTDUTILS and worked sharing with PC/NAS.

    cd /mnt/nfs00/mtdutils-1.5.0-arm-linux-gnueabi/sbin

    ./nanddump -nof mtd5_temp /dev/mtd5
    ./nanddump -nof mtd6_temp /dev/mtd6



    Manipulate with bytes (02 to 01 in lang and X to X+1 for example 33 to 34 or 9A to 9B in for example date), checkum will be same.


    ./flash_eraseall /dev/mtd5
    ./flash_eraseall /dev/mtd6


    ./nandwrite -o /dev/mtd5 mtd5_temp
    ./nandwrite -o /dev/mtd6 mtd6_temp
     
    Brenner likes this.
  14. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    There is no "33" three lines under byte 46 in my mtd6
     
  15. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    I know, I wrote it to first post.

    You have 20150320, you can manipulate with day, xxxxxx20, for example byte 48 (30 to 31).
     
  16. Brenner

    Brenner Young grasshopper

    Joined:
    Mar 17, 2015
    Messages:
    44
    Likes Received:
    0
    1.) YEAH, I got it.
    It seems that it doesn´t matter on which space the signs are. Just change the values like shown in the first thread. It only important to have the same checksum everytime.


    2.) Picture mistake?
    I think there is a little mistake in picture 2. In picture 1 the textmarking goes to line 00000710. In picture 2 it goes to line 00000740.
    I don´t know if this is ok because I get the same checksum results, doesn´t matter I marked the text to 710 or 740.




    Thanks to you both!!!!


    I hope whoslooking found the hex sign to enable multiple line (line crossing detection) for newer cam that aren´t downgradable to 5.1.6.
     
  17. S474N

    S474N Getting the hang of it

    Joined:
    Feb 18, 2015
    Messages:
    139
    Likes Received:
    7
    1) Yes, but there isn't rational reason to change security code.

    2) Yes, but there is 00 00 00 etc. and this have no influence to checksum.
     
  18. whoslooking

    whoslooking IPCT Contributor

    Joined:
    Oct 3, 2014
    Messages:
    1,511
    Likes Received:
    538
    Location:
    London
    The change can be made in a few different locations, what you must remember is keeping the checksum intact, i found that the build date and serial number played up on some models, but the mac code and reset didn't have any side effects. If you find where else works and the model add to the post,
    If the checksum is good it will still boot without bricking, but keep a copy of the mtd file just to be safe.
     
  19. whoslooking

    whoslooking IPCT Contributor

    Joined:
    Oct 3, 2014
    Messages:
    1,511
    Likes Received:
    538
    Location:
    London
    Well spotted lol yes we check down to 740,
    And im still looking for multiple cross line detection and face detection, but no luck so far.
    But this is what NetworkCameraCritic was looking for and how we stop the bricking.
     
  20. phil

    phil n3wb

    Joined:
    Apr 22, 2015
    Messages:
    11
    Likes Received:
    1
    Location:
    uk
    Hi whos looking

    Do you have a step by step guide on how to do this , i have a 2032 which will only work with firmware Chinese 5.2.5 and language mismatch in my uk nvr