Sounds like you have not balanced the mtd files, did you confirm your checksum-16 before and after the changes were made?
Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack
- Thread starter whoslooking
- Start date
The Checksum-16 is not actually the same as on the screenshot.
My problem now is after I reset, sadp cannot connect. so I can't update or telnet the Cam again.
Thank you
I'm travelling to London (currently at 38000ft) I will post the Checksum on my return to Phil
alastairstevenson
Staff member
The checksum is specific to each individual camera, so there is no value in sharing it.
Use HxD to compare the mtdblock5 files before and after you made any changes, and do the same for mtdblock6.
That will confirm if the changes were made correctly.
Use HxD to compare the mtdblock5 files before and after you made any changes, and do the same for mtdblock6.
That will confirm if the changes were made correctly.
im busy on this now for some days, with the video i came step further, .. but when i load the temp5 file into the hex editor, the right side is a garbage complete mess, and the SWKH word cannot be located.
Then i found out that i have 5.2.0 installed. ( model no DS-2CD3Q10FD-IW ) Could that be the cause? So i have to upgrade first i think>?
Then i found out that i have 5.2.0 installed. ( model no DS-2CD3Q10FD-IW ) Could that be the cause? So i have to upgrade first i think>?
Attachments
Do you have another camera model. With another mtd partitioning and they read only. The described method will not help you.
I offered you a solution.
My 2032 became chinese after installing the 4 roi firmware. I want to get it back to english now, without losing the 4 roi. The 5.30 downgrader helps me back to english, but losing the 4 roi.
i tried the mtd hack with the video, but didint change language. checksum was different then 1116
i tried the mtd hack with the video, but didint change language. checksum was different then 1116
Last edited by a moderator:
You're now talking about 2032, but in previous message dump from 3Q10.
I answered you about 3Q10.
The 3Q10 is not layed out the same it's more like an NVR
Where the mtd 2 contains most of the structure.
Where the mtd 2 contains most of the structure.
alastairstevenson
Staff member
It's not garbage - it's a cramfs image - as has been stated by several helpful responses, the mtdblock5 / 6 method of changing the region is specific to the 2xx2 series of cameras, and does not apply to the DS-2CD3Q10FD-IW that you have now mentioned.
hi there,
still having a problme on my IPCam, I can ping the camera>192.0.0.64, however the SADP and my browser can't see the ip or the camera after the mtd hack.
problem now is the harddrive of my laptop where the original mtd saved not working anymore.-crashed
I can log-in thru putty but not sure what to do next, the prtHardInfo command is not valid.
Need you advise please
Thank you
still having a problme on my IPCam, I can ping the camera>192.0.0.64, however the SADP and my browser can't see the ip or the camera after the mtd hack.
problem now is the harddrive of my laptop where the original mtd saved not working anymore.-crashed
I can log-in thru putty but not sure what to do next, the prtHardInfo command is not valid.
Need you advise please
Thank you
alastairstevenson
Staff member
If you are getting full access to the shell via PuTTY, there are maybe some commands you can use to extract the mtdblock5 & 6, reverse the changes you made, and re-apply.
But I think we need a bit more info on what level of access you are getting via PuTTY.
Please show:
The results of using prtHardInfo, and the 'help' command.
Hi alastairstevenson.
below is the screenshot of the putty:
I tried to update to 5.2.5 (using downgrader from this forum) but I can't ping the camera. but when i return it to 5.3.0, I able to ping but SADP and my browser can't see the ip and the cam-web-gui.
Thank you
alastairstevenson
Staff member
OK - some of this is guesswork, as I don't have a camera that is in the 'min-system' mode, and I'm not sure what commands are available in that state.
But this is what I would try:
First, and most important, see if there is access to the required mtdblocks. Without this, you will not be able to reverse the changes you made.
cat /dev/mtdblock5 > mtd5save
cat /dev/mtdblock6 > mtd6save
Next, confirm that there is a method of copying the files out.
On the PC, you need to be running a tftp server. This is a choice that works well and is much used: http://tftpd32.jounin.net/
When you have it running as a tftp server, try the following command on the camera:
tftp -p -l mtd5save PC_IP_address
As I said - I'm not sure if these commands are available in the unknown state that your camera is in, but if they are, they provide the ability to extract the mtdblock5 & 6 that were changed as part of the 'mtd hack' that appears to be the origin of the problems. If you can extract those files, you can reverse the changes you made, and insert the files and maybe get back to how you were.
But this is what I would try:
First, and most important, see if there is access to the required mtdblocks. Without this, you will not be able to reverse the changes you made.
cat /dev/mtdblock5 > mtd5save
cat /dev/mtdblock6 > mtd6save
Next, confirm that there is a method of copying the files out.
On the PC, you need to be running a tftp server. This is a choice that works well and is much used: http://tftpd32.jounin.net/
When you have it running as a tftp server, try the following command on the camera:
tftp -p -l mtd5save PC_IP_address
As I said - I'm not sure if these commands are available in the unknown state that your camera is in, but if they are, they provide the ability to extract the mtdblock5 & 6 that were changed as part of the 'mtd hack' that appears to be the origin of the problems. If you can extract those files, you can reverse the changes you made, and insert the files and maybe get back to how you were.
Hi,
I am having problem with IP camera after MTD hack for my DS - 2232 Hikvision Ip Camera
I have made changes as on the video
I have done all things & finally after giving reboot.
Camera reboots & its IP is not scanning on SADP & its ip is not accessible & camera IR light is contionously working.
Pls help me out .
Thanks in Advance.
I am having problem with IP camera after MTD hack for my DS - 2232 Hikvision Ip Camera
I have made changes as on the video
I have done all things & finally after giving reboot.
Camera reboots & its IP is not scanning on SADP & its ip is not accessible & camera IR light is contionously working.
Pls help me out .
Thanks in Advance.
enir
n3wb
- Jan 2, 2016
- 7
- 1
You have not followed the guide correctly, if you watch the video again you'll see I high light, a value before and after I make the changes. These values are not the same, in fact they are different for every camera.
I would recommend you start again with your original mtd files and watch the video again.
I would recommend you start again with your original mtd files and watch the video again.
I believe the video is not 100% correct. You're changing a value in temp5 file at offset 0x0640, while the actual value for language/region is at offset 0x0654 (btw, you already have 1 there).
Also, the value at offset 0x0648 is the checksum value, and the value at offset 0x064C, from what I've read somewhere, is the number of bytes that is used to calculate the checksum.
It looks like all values are 32 bit and therefore take 4 bytes, which in little-endian stores higher-order bytes at higher addresses. Checksum algorithm is "checksum-32" (notice 4 bytes are also used to store checksum value, but because there only 0xF4 bytes used, all high bits are 0 and therefore, checksum-16 equals checksum-32). Also, I believe, checksum calculation starts at offset 0x0650 and end at 0x0743, which is 0xF4 bytes. You just happened to have "0"s around the beginning and end, so it doesn't affect the overall checksum even if you start 3 bytes too early.
So, to simplify, I believe the correct way of changing the language code is this:
Verification steps (make sure everything matches up):
1. Check that at offset 0x064C you have 0xF4.
2. Select 0xF4 (244) bytes from offset 0x0650 to 0x0743.
3. Calculate "Checksum-32" for the selection.
4. Double-check that calculated checksum matches what you have at 0x0648. Remember, it's little-endian, meaning that, for example, checksum 0x00001234 is stored as the following sequence of bytes: 34 12 00 00).
Modification:
1. Change byte at offeset 0x0654 to "01"
2. Select 0xF4 (244) bytes from offset 0x0650 to 0x0743.
3. Calculate "Checksum-32" for the selection.
4. Modify checksum at 0x0648 accordingly and remember: little-endian, meaning that for example, if new checksum is 0x00001233, it is written as the following sequence of bytes: 33 12 00 00.
Similar process is for mtdblock6, but this has to be done 3 times because language code is repeated at the following offsets: 0x0010, 0x20010, 0x40010.
PS: This is the information I have collected, summarized and used to restore one of my DS-2CD2332-I, since I bricked it less than 24 hours ago by flashing a US firmware without realizing that I have owned a chinese version (which of course was sold as US version).
PPS:
Yes there are more language flags, but only 2 needs to be changed for the Changing of the regional language.
So this was made as simple as possible.
So this was made as simple as possible.
No problem. Those are probably backup copies for added reliability in case some memory can't be read.
BTW, in one of your posts you mentioned that you were still looking for ways to enable flashing multilingual (non-CN) firmware and still wasn't able to find anything.
Just curious if you have tried changing two letters in camera serial number from "CH" to, for example, "WR"? Could be as simple as this?
In any case, I happened to have both CH and WR variants of DS-2CD2032-I with exact same multilingual firmware (from what it looks). I'd be happy to help checking the differences, if there is anything specific you would like to take a look.
Hi guys! Good news!
After changing all these language flags I described above (1 in mtdblock6 and 3 in mtdblock6) I was able to flash the normal 5.3.0 (multilingual) firmware into my (chinese) DS-2CD2332-I and not get any errors ("404 firmware language mismatch" and alike). I was even able to (re)enable ash (as described here http://www.cctvforum.com/viewtopic.php?f=19&t=46576), but had to flash the modded firmware using TFTP method, because Web UI/iVMS-4200 didn't want to accept that by saying "update failed" after the progress reached 100%. TFTP wiped all settings but kept the language changes intact! Currently in the process of reconfiguring the camera, but so far so good!!! Yay!
BTW, it took me a while to figure out that since 5.3.0 the default IP address is now 192.168.1.64 after reboot followed TFTP update.
After changing all these language flags I described above (1 in mtdblock6 and 3 in mtdblock6) I was able to flash the normal 5.3.0 (multilingual) firmware into my (chinese) DS-2CD2332-I and not get any errors ("404 firmware language mismatch" and alike). I was even able to (re)enable ash (as described here http://www.cctvforum.com/viewtopic.php?f=19&t=46576), but had to flash the modded firmware using TFTP method, because Web UI/iVMS-4200 didn't want to accept that by saying "update failed" after the progress reached 100%. TFTP wiped all settings but kept the language changes intact! Currently in the process of reconfiguring the camera, but so far so good!!! Yay!
BTW, it took me a while to figure out that since 5.3.0 the default IP address is now 192.168.1.64 after reboot followed TFTP update.