Hikvision "Chinese Hardware" remote upgrade?

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
Hi guys,

Basically I have about 15 DS-7608N-E2 / 8P that have been deployed in various locations around Australia. It's not possible to get to them physically however I need to upgrade them in some fashion to be able to support email via O365.

I know you can upgrade / update them via the serial port however as I said it's just not possible to get to them all.

Short of buying new Australian stock, is there any way to upgrade / update them remotely? will save me around $15k...

Current firmware:
DS-7608N-E2 / 8P
Firmware: V3.4.6 build 160405
Encoding: V5.0 build 160324
Web: V4.0.1 build 160323

Cheers!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
DS-7608N-E2 / 8P
Firmware: V3.4.6 build 160405
You've acknowledged that this is a Chinese model - so I'd speculate that the currently running firmware may be 'hacked to English' and therefore any update with stock EN/ML firmware will result in the '15-beep bootloop'.

Either that, or they started with the very old firmware (3.0.8) that didn't object to the device language, that allows some limited web GUI updates retaining the original EN setting in the configuration. Which then vanishes on any reset to defaults and can't be returned.

Were they purchased with a 'do not update' warning?
Are they running with Chinese menus?
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
Hi,

These ones had been purchased directly from china via email :p with the warning to not update. Later on they started shipping "international models" that we could upgrade with EN/ML firmware which worked fine.

I do not see any Chinese in any menu.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
I believe any update attempt with stock EN/ML firmware will result in bricked devices, the '15-beep bootloop' result.
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
I believe any update attempt with stock EN/ML firmware will result in bricked devices, the '15-beep bootloop' result.
So even if I physically connected with serial it would not be able to upgrade?

Be nice if some wizard had made a tool to do this by now haha. From talking to some open people at HikVision Australia, they have the tools to just flash the firmware directly on the board, regardless if it's Chinese hardware or not. We need this :p

EDIT: Could I Flash Chinese firmware on them with just the flag for English?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
So even if I physically connected with serial it would not be able to upgrade?
Using the update facility on the serial console won't change the net result of updating a Chinese NVR with EN/ML firmware, it will still end up 'bricked'.

they have the tools to just flash the firmware directly on the board, regardless if it's Chinese hardware or not.
It's labelled as Chinese hardware by the contents of the 'bootpara block' that's held in a hidden flash partition.
If they overwrite that with a 'donor' flash image from a EN as opposed to CN NVR, then the end result will be a clone of the donor EN NVR.
I doubt very much if Hikvision Australia are doing this, unless you know otherwise.

EDIT: Could I Flash Chinese firmware on them with just the flag for English?
The CN firmware would work OK, but with CN menus, and no option for EN menus.

Check out this post :

In the older NVRs with older firmware, the bootpara data is in plaintext and can be edited via the serial console with access to the bootloader, to convert a CN device to EN.
But the newer firmware (probably from 3.4.96, I've not checked earlier) if it finds the bootpara data is held in plaintext, it encodes it and writes it back so it's no longer plaintext and can't be edited to change to EN from CN.
The decode key isn't a fixed universal one - it's derived from some model and device-specific data, so it varies from one device to another.
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
In the older NVRs with older firmware, the bootpara data is in plaintext and can be edited via the serial console with access to the bootloader, to convert a CN device to EN.
But the newer firmware (probably from 3.4.96, I've not checked earlier) if it finds the bootpara data is held in plaintext, it encodes it and writes it back so it's no longer plaintext and can't be edited to change to EN from CN.
The decode key isn't a fixed universal one - it's derived from some model and device-specific data, so it varies from one device to another.
To clarify, If my model has plain text bootpara I can convert it to EN and upgrade to the highest available firmware without it "detecting it" and changing it back? or if i go above a certain firmware version it will break it regardless.

Also, do you have detailed step by step instructions on this process? the linked post seems to be more of a summary, maybe I'm reading it wrong.

Cheers!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
To clarify, If my model has plain text bootpara I can convert it to EN and upgrade to the highest available firmware without it "detecting it" and changing it back?
Yes, that's a method to modify the bootpara data to change the language=CN value to language-EN
The result is permanent and allows updates with stock EN/ML firmware.

Also, do you have detailed step by step instructions on this process?
The post has sample transcripts of the bootpara extract and update steps - it's not just a summary, it's the whole detail, you need to look at the commands that were issued.
Notice that the firmware on the sample was 3.4.80 - so it didn't have the 'feature' to encode the data if it found it was held in plaintext.
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
Yes, that's a method to modify the bootpara data to change the language=CN value to language-EN
The result is permanent and allows updates with stock EN/ML firmware.


The post has sample transcripts of the bootpara extract and update steps - it's not just a summary, it's the whole detail, you need to look at the commands that were issued.
Notice that the firmware on the sample was 3.4.80 - so it didn't have the 'feature' to encode the data if it found it was held in plaintext.

Ok thanks a lot for your help, will grab a cable and give it a try.

Cheers!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
Ok thanks a lot for your help, will grab a cable and give it a try.
Good luck.
Before you make any changes, be sure to check out and understand the 'mtd hack' of bootpara data, that's historically been used for Hikvision cameras.
Hikvision have used much the same layout in these NVRs.
When changing the langauge byte at 0x10 from 02 (CN) to 01 (EN) you must also correspondingly adjust the checksum at 0x04 and 0x05
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
Good luck.
Before you make any changes, be sure to check out and understand the 'mtd hack' of bootpara data, that's historically been used for Hikvision cameras.
Hikvision have used much the same layout in these NVRs.
When changing the langauge byte at 0x10 from 02 (CN) to 01 (EN) you must also correspondingly adjust the checksum at 0x04 and 0x05
Thanks, is there another software needed? or just TFTP?

The steps are summarised as follows :
  • Connect up to the NVR serial console using a 'serial TTL to USB convertor'. <---- this
  • Gain access to the bootloader by interrupting the boot process. <---- this

Sorry, have not done this in about 6 years and have completely forgotten how.

Cheers!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,994
Reaction score
4,409
Location
Scotland
Thanks, is there another software needed?
A standard tftp server, to transfer out and back in the data. I use one in Linux, but the one at jounin.net works OK.

And a HEX editor to modify the data. HxD works well, and can verify the checksum, though you are just adding one to the value, to compensate for removing 1 from the language byte.

And a serial terminal emulator. PuTTY is very good.
 

ausmisc

n3wb
Joined
Apr 20, 2020
Messages
7
Reaction score
0
Location
australia
A standard tftp server, to transfer out and back in the data. I use one in Linux, but the one at jounin.net works OK.

And a HEX editor to modify the data. HxD works well, and can verify the checksum, though you are just adding one to the value, to compensate for removing 1 from the language byte.

And a serial terminal emulator. PuTTY is very good.
Awesome, ok so connect with putty, transfer file out with tftp and mod with hex.

Cheers!
 
Top