Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Looking at your before and after screenshots above, it does not look like you are changing the values correctly.
If you reduce the 'language byte' (at 0x10 and 0x654) by 1, from 02 to 01, then you need to increase another byte by 01.
It looks like you have changed the other byte at 0x67A from 0x5F to 0x56 - that's more than 1. Should be 0x60.
and you have changed the other byte at 0x1E from 0x4C to 0x58 - that's again more than 1. Should be 0x4D.
 

alastairstevenson

Andrew - I've modified your files by changing the language byte from 02 to 01 and part of the MAC address, as per the @whoslooking method - no guarantee it will work, depending on the original manufactured state of the camera, but give it a try, see the attachment.
You know how to recover if there is a problem.

jansko

n3wb
Joined
May 2, 2015
Messages
14
Reaction score
0
Location
eu
No problem, I will try. I have copies of the MTD files and I know how to recover them. I have done a recovery with telnet multiple times.
I will send you a reply.
Thank you very much.
See you

Andrew


After a few hours


 


alastairstevenson

Excellent! Well done with your persistence!
You will be able to sleep now without bad dreams lol.
Here is what was changed, for all hardware descriptor locations in mtdblock5 & 6. Find them with a search for the Hikvision magic word 'SWKH':
 


jansko

alastairstevenson
I am looking at my hex which you changed. But I don't know how you did this (Hikvision magic word 'SWKH')


offset (h)
00000010 01 ( is this line always for region) 01 is eng 02 is china )


and how did you find second number ??

what about mtd 5 ???

what about day on OSD and language mismatch for NVR which line is for this and how find second number


I don't know what is different with the cams sold on AliExpress: is this an original Hikvision cam, or is it something fake with hacked official firmware??
Last week I tested an official cam with official firmware and I made an upgrade and downgrade with different versions.
The cam was working all the time.

Andrew

alastairstevenson

Hello Andrew,
To your questions:
"( Hikvision magic word 'SWKH')" - These letters exist at the beginning of each 'hardware descriptor block' to identify it, and can be conveniently used to find each one as there are several.
"00000010 01 ( is this line always for region) 01 is eng 02 is china )" - Yes, that's the understanding of the community here, and it does seem to be correct.
"and how did you find second number ??" - I didn't find it, I chose it. It's just one of the bytes that sets the 'MAC address', and it does no great harm to change it to compensate for the change in the language byte (to keep the Checksum-16 checksum unchanged as the byte range over which it is calculated has been changed in new-manufacture cameras), and the camera firmware does not object to the changed MAC address.
"what about mtd 5 ???" - The 'hardware descriptor blocks' should all be the same on both mtdblock5 and mtdblock6.
"what about day on OSD and language mismatch for NVR which line is for this and how find second number" - It is the language byte change that fixed these. The second number is just to make sure that when subtracting 01 from the language, we add 01 somewhere else to compensate. It could have been another byte in the MAC address, this would have had the same effect.

The Aliexpress sellers are buying Chinese region cameras at low prices, and re-selling outside China. As you have seen, this can cause a 'language mismatch' if the camera is connected to an NVR that is English. So the sellers mostly help the buyers by installing modified firmware that dynamically changes the camera to English / Multi-language, and all is well. But - when the buyer upgrades the camera with original Hikvision firmware, the camera changes back to Chinese, which is how it was manufactured.
What you have done is made a permanent change to the camera hardware descriptor which converts it to English.

I hope that all makes sense!
By the way - I liked the 'IP Camera selfie' and the smile of success!
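
The compensation rule explained in the reply above can be checked on a pair of dumps before anything is written back to the camera. The following is an added example, not code from the thread or from Hikvision: it assumes Checksum-16 is a plain sum of bytes modulo 65536, that both edited bytes lie inside the checksummed range, and that a changed byte belongs to the nearest preceding 'SWKH' marker. The function names and the sample dump are this example's own.

```python
MAGIC = b"SWKH"  # marker the thread says starts each hardware descriptor block

def find_blocks(dump: bytes) -> list:
    """Return the offset of every SWKH marker in an mtdblock dump."""
    offsets, pos = [], dump.find(MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = dump.find(MAGIC, pos + 1)
    return offsets

def check_edits(original: bytes, modified: bytes) -> dict:
    """Group changed bytes by preceding SWKH marker; balanced = deltas cancel."""
    if len(original) != len(modified):
        raise ValueError("dumps differ in length")
    starts = find_blocks(original)
    if not starts or starts != find_blocks(modified):
        raise ValueError("SWKH markers missing, moved or overwritten")
    report = {s: {"changes": [], "net": 0} for s in starts}
    for off, (old, new) in enumerate(zip(original, modified)):
        if old == new:
            continue
        owners = [s for s in starts if s <= off]
        if not owners:
            raise ValueError(f"change at {off:#x} is before any SWKH marker")
        block = report[owners[-1]]
        block["changes"].append((off, old, new))
        block["net"] = (block["net"] + new - old) % 0x10000
    for block in report.values():
        block["balanced"] = block["net"] == 0
    return report

def patched(dump: bytes, edits: dict) -> bytes:
    """Apply {offset: value} edits to a copy (used for the samples only)."""
    out = bytearray(dump)
    for off, val in edits.items():
        out[off] = val
    return bytes(out)

# Constructed sample, not a real dump: marker positions are invented; the
# byte offsets and values are the ones quoted in the first post.
ORIGINAL = patched(bytes(0x700), {0x10: 0x02, 0x1E: 0x4C, 0x654: 0x02, 0x67A: 0x5F})
ORIGINAL = ORIGINAL[:0] + MAGIC + ORIGINAL[4:0x640] + MAGIC + ORIGINAL[0x644:]
AS_POSTED = patched(ORIGINAL, {0x10: 1, 0x1E: 0x58, 0x654: 1, 0x67A: 0x56})
CORRECTED = patched(ORIGINAL, {0x10: 1, 0x1E: 0x4D, 0x654: 1, 0x67A: 0x60})

if __name__ == "__main__":
    for name, dump in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for start, blk in check_edits(ORIGINAL, dump).items():
            print(name, hex(start), "net", blk["net"], "balanced", blk["balanced"])
```

A non-zero `net` for any block means the edit would change that block's byte sum, which is the mistake pointed out in the first post.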
 

ttumms123

n3wb
Joined
May 22, 2015
Messages
15
Reaction score
0
Hi, newbie here... this hack works, but why do I always get the "Error loading XML document[object object]" message every time I try web login to the cam? Please help!
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
548
Location
London
Use Chrome or, better still, Firefox; what you are getting is a browser error, not a camera error.
 

ttumms123

Thanks guys for your response...
I have a Chinese 3332-i with firmware 5.2.8. After searching through the forum, I realized that this camera is missing the "en" folder in the directory /home/doc/xml/. Following networkcameracritic's hack, I replaced the IEfile.tar.gz file; no more error message, but the camera now keeps on rebooting every 5-10 minutes.
Is downgrading to 5.2.5 my only option? Any fixes to stop the rebooting?
 

alastairstevenson

I have a 3332-I that was labelled 5.2.8 but came with a 'hacked' 5.2.5 that made it appear to be language=1 despite the values in mtdblock5 & 6. The camera was stable, no reboots.
I changed the language bytes in mtdblock5 & 6 as per this thread and updated with 5.2.5 and all still works OK, no longer running hacked firmware.
So that should be a safe enough option, assuming yours is 2015 manufacturing date.
I'll be moving it up the firmware versions later as an experiment.
login as: root
root@192.168.1.64's password:

BusyBox v1.19.3 (2014-07-11 11:25:54 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# prtHardInfo
Start at 2015-05-27 22:22:37
Serial NO :DS-2CD3332-I20150320CCCH508517761
V5.2.5 build 141201
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 0
flashChipNums = 0
ramSize = 0x4000000
networksNums = 1
language = 1
devType = 38920
net reboot count = 0
SD status = 0 (1:noraml;0:none)
Path: .
Working Copy Root Path: /data1/data_liwenwei/work/frontend_software_platform_5.2.7_R0
URL: https://192.0.0.140/Camera/Platform/Branches/branches_frontend_software_platform/frontend_software_platform_5.2.7_R0
Repository Root: https://192.0.0.140/Camera
Repository UUID: df2d70c3-7593-7941-af1e-571b313c0946
Revision: 103727
Node Kind: directory
Schedule: normal
Last Changed Author: liwenwei
Last Changed Rev: 103727
Last Changed Date: 2014-12-01 20:51:32 +0800 (Mon, 01 Dec 2014)
#
 

SJshah

n3wb
Joined
May 12, 2015
Messages
2
Reaction score
0
Excellent work, thanks for posting.

I've been in two minds about purchasing a few China language Hik cams until reading your thread.
I know you can buy them ready hacked to Eng, but didn't want to risk it.

Gonna give it a try now.
 

whoslooking

Remember to ask the seller what the original firmware is, as we still don't have a working fix for 5.3.0 as yet. I don't think anyone has managed to do the mtd hack on a ghost firmware 5.3.0 with a hacked lower firmware on the camera.
 

ttumms123

Thanks. Yes, my manufacturing date is 01/2015... so will try to downgrade.
 

ttumms123

FYI, the 3332-i with F/W 5.3.0 on the label also came with "hacked" 5.2.5 firmware. Stable and no reboot issue...
 

ttumms123

Was your Camera a 5.3.0 or 5.2.8? As 5.3.0 won't go lower than 5.3.0 or does it?
I have both (5.3.0 and 5.2.8 labelled). The 5.2.8 was Chinese but the 5.3.0 came with hacked 5.2.5, so to answer your question, yes it does.
 