Try other pressed combination: ctrl+B or others.
Be sure, that you have word uart adapter, good ground connect, and good tx connect.
Ashkan.shajari
n3wb
I try cntrl B (putty) and it works and bootstop works properly and i config and change MAC address with (config ethaddr) successfully. Tnx for your attention!
Dahua: * button
Hikvision: cntrl U
Unv : cntrl B
For bootstop/.Tf232 serial port ttl
Dahua mac : mac and ethaddr saveenv
Hikvision mac : ethaddr saveenv
Unv mac: config ethaddr saveenv
Setenv mac for other devices/.
Ashkan.shajari
n3wb
I try cntrl B (putty) and it works and bootstop works properly and i config and change MAC address with (config ethaddr) successfully. Tnx for your attention!
Dahua: * button
Hikvision: cntrl U
Unv : cntrl B
For bootstop/.Tf232 serial port ttl
Dahua mac : mac and ethaddr saveenv
Hikvision mac : ethaddr saveenv
Unv mac: config ethaddr saveenv
Setenv mac for other devices/.
Hello, did you resolve this issue ? have an axhub, but it will not boot up - with electricity, only green led solid start, nothing else :-( thanks for reply
I am excited to report, that I was successful in recovering the password of my NVR - DS-7608NI-E2/8P. I spent weeks at it, and actually capitulated twice. Took out the hard drives and reformatted them to see if I could use them elsewhere in my network.Only to try again last night with success ! Hooray. I am here to let you know how I did it, and payback to those of you who inspired me.
The method I used was the TFTP approach using the scott lamb python3 script off the github.
The main problem was that the TFTP program would simply hang and do nothing. Yet I proved the following:
I cranked up vscode and loaded the python script into the IDE.
Then went into the terminal window at the bottom of the vscode ide, and typed the exact same command to run the script eg.
sudo python hikvision_tftp3.py
and it WORKED ! Took only a few seconds to load he digicap file via the tftp program, and the terminal windows provided a lot of feedback during the transfer. With a welcome success message at the end.
I don't really understand why though... there must be something environmental in how vscode is able to run python, that is somewhat different that a typical terminal window in linux.
Interesting stuff...
I am new to surveillance so now rampiing up on how setup the nvr and cameras in a meaningful way....
Hope this experience might help someone else....
The method I used was the TFTP approach using the scott lamb python3 script off the github.
The main problem was that the TFTP program would simply hang and do nothing. Yet I proved the following:
- Hikvision NVR briefly changes its IP to 192.0.0.64
- Arp packets fly around the network, agreeing to acknowledge the NVR nad TFTP Server address.
- I change my pc ip address to the server address... eg 192.0.0.128
- I reboot the NVR multiple times. The ptython TFTP sits there, fut fails to act despite the fact that ip addresses are all good.
- I tried doing this in linux and windows... but both failed.
- I stopped any firewalling, and opened up my opnsense network very wide.
- The TFTP program simply fails to acknowledge the NVR.
I cranked up vscode and loaded the python script into the IDE.
Then went into the terminal window at the bottom of the vscode ide, and typed the exact same command to run the script eg.
sudo python hikvision_tftp3.py
and it WORKED ! Took only a few seconds to load he digicap file via the tftp program, and the terminal windows provided a lot of feedback during the transfer. With a welcome success message at the end.
I don't really understand why though... there must be something environmental in how vscode is able to run python, that is somewhat different that a typical terminal window in linux.
Interesting stuff...
I am new to surveillance so now rampiing up on how setup the nvr and cameras in a meaningful way....
Hope this experience might help someone else....
Hi experts,
I'm fighting with password reset/FW update on my DS-7104HQHI-K1 (board version 80388_P Rev 2.1) V4.30.212 build 210618. I have the same firmware downloaded on my PC and trying to upload it to the DVR via tftpd32, but after upload I'm always getting "upgrade packet mismatch", see below.
Any idea/suggestion please?
I press [enter], DVR reboots and still asking for password.
I'm fighting with password reset/FW update on my DS-7104HQHI-K1 (board version 80388_P Rev 2.1) V4.30.212 build 210618. I have the same firmware downloaded on my PC and trying to upload it to the DVR via tftpd32, but after upload I'm always getting "upgrade packet mismatch", see below.
Any idea/suggestion please?
Code:
HKVS $ setenv ';printenv'
arch=arm
baudrate=115200
board=fy01
board_name=fy01
bootargs=mem=160M console=ttyS0,115200
bootcmd=tftpboot 0x82000000 uImage;bootm 0x82000000;
bootdelay=0
cpu=armv7
default=mtdparts;ubi part flash_sys0;ubifsmount ubi:sys0;ubifsload 0x82000000 uImage;
deviceID=RkYmyqSGgj8cH3S0te7sOR88BWNPVtk=
device_type=DS-7104HQHI-K1
ethaddr=24:0f:9b:21:82:ab
fdtcontroladdr=9fe34910
gatewayip=192.0.0.1
identification=0000000100000001000002000x9D500000003000000020001
ipaddr=192.0.0.64
mac_mode=inner
mtdids=nand0=nandflash0
mtdparts=mtdparts=nandflash0:4m(boot),52m(flash_sys0),52m(flash_sys1)
netmask=255.255.255.0
passwd=u2kt5kIP+/imuYE+s2SZXqqmZz/2vGKSF+ec+CfX1dc=
phy_addr=10
phyaddr0=0
sec=tftpboot 0x82000000 Ky2019-B1-uImage_sec;bootm 0x82000000;
serverip=192.0.0.128
soc=molchip
stderr=uart@0x18300000
stdin=uart@0x18300000
stdout=uart@0x18300000
update_ip=192.0.0.64
vendor=molchip
ver=U-Boot 2017.09-svn54936 (Dec 31 2020 - 11:43:06)
verify=y
Environment size: 1009/131068 bytes
HKVS $ setenv ';update'
Loading file 'uImage' to addr 0x82000000...
Done
the uImage support update_v3.
Verifying RSA ... OK
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-4.9.138
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3694902 Bytes = 3.5 MiB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
Starting kernel ...
Thu Jan 1 00:00:01 UTC 1970
mv: can't rename 'ubi*': No such file or directory
Starting udev: [ OK ]
-0-[ 3.545345] dwceqos 1b900000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
This program will download and upgrade software.
*******************************************************
* ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY! *
* Don't reset machine,or anything that interrupt it. *
* The upgrade process must finish in 10 minutes! *
* If this program fails,machine might be unusable, *
* and you will need to reflash again. *
* If you find this too risky,power off machine now. *
*******************************************************
ftp server not exit[-110]!
################################ [ 8.000 MB]
################################ [16.000 MB]
###########
tftp transmit over,file size[19669356][18.776 MB].
[cramfs.img ]: offset is 108 size is 19668992
The digicap info: language - 0x1 device_class - 0x5A oemCode - 0xFFFFFFFF
file header error, filenums:954053725
The board info: language - 0x1 device_class - 0x9D5 oemCode - 0x1
upgrade packet mismatch, please select correct packet
Can not find correct packet for upgrade, give up!!!
failed(-5)!
Press ENTER key to rebootI press [enter], DVR reboots and still asking for password.
alastairstevenson
Staff member
That means it's the wrong firmware for the device.
Where did you download the firmware from?
What exactly is the model number on the barcode label?
Maybe this version, K72A :
Also - do a setenv ';help' to see if there is an erasecfg or similar command.
Hi alastairstevenson,
many thanks for quick reply.
I downloaded the FW from I see no more details on the device's bar code, see picture below.
see HKVS $ setenv ';help'
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cdp - Perform CDP network configuration
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr_info- ddr training info molchip soc
dm - Driver model low level access
echo - echo args to console
env - environment handling commands
fdt - flattened device tree utility commands
go - start application at address 'addr'
help - print command description/usage
iminfo - print header information for application image
loop - infinite loop on address range
md - memory display
mdio - MDIO utility commands
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
source - run script from memory
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
ubi - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
version - print monitor, compiler and linker version
many thanks for quick reply.
I downloaded the FW from I see no more details on the device's bar code, see picture below.
see HKVS $ setenv ';help'
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cdp - Perform CDP network configuration
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr_info- ddr training info molchip soc
dm - Driver model low level access
echo - echo args to console
env - environment handling commands
fdt - flattened device tree utility commands
go - start application at address 'addr'
help - print command description/usage
iminfo - print header information for application image
loop - infinite loop on address range
md - memory display
mdio - MDIO utility commands
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
source - run script from memory
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
ubi - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
version - print monitor, compiler and linker version
razor1911
n3wb
Hi guys I have Hikvision iDS-7116HQHI-M1/S - DVR running on 4.7x firmware currently and its password locked. I followed the guide for flashing new firmware but no luck i can't get passed HKVS $ no command is taking setenv ';update' or ';printenv'. I was wondering if someone can help me with this. Here it's the output of putty when i send the commands.
NDD>XSAT
UNZOK!PCK[120]
table1
DRAM1_DDR4x2_2400_32B ini_ver: 0x41210723
zq_trim[e], ldo_trim[8]
CPU1200 DONE
DRAM2_DDR4x2_2400_32B ini_ver: 0x41210723
ddr2 zq_trim[d], ldo_trim[6]
ddr init done
HVYOK
UNZOK!
Loader Start ...SPI NAND MID=000000C8 DEV=00000051
bin_size: 0x00008140
sha256_align_size 0x00008140
atf.bin RSA ok!
check sum ok!
sha256_align_size 0x000A9080
uboot RSA ok!
smp(bl31)
$$$64wfi6644wwfifi64core2_jump_program 0x002065F3
64code2JumpCodelen 0x0000018C
ARC64warmrstwarmrswarmrstt***4231###NOTICE: BL31: v2.2(release):
NOTICE: BL31: Built : 17:00:51, Aug 23 2021
NOTICE: FDT check fail.
NOTICE: BL31: No DTB found.
NOTICE: TZASC config:
NOTICE: 0x00100000@0x01f00000 (RW/N) Ree
INFO: ARM GICv2 driver initialized
INFO: BL31: Platform setup done
INFO: BL31: Initializing runtime services
NOTICE: not find OPTEE, if system not have OPTEEe, don't care OPTEE error or warning message
WARNING: No OPTEE provided by BL2 boot loader, Booting device without OPTEE initialization. SMC`s destined for OPTEE will return SMC_UNK
ERROR: Error initializing runtime service opteed_fast
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x3e000000
INFO: SPSR = 0x3c9
U-Boot 2019.04 (Nov 02 2022 - 14:14:02 +0800), Build: jenkins-Backend-BSP-CCI-8115
Read power trim = 0x00000000
remap_data 8
pwm_id:0 pinmux = 0x1
pwm_id(0) pwm_pinmux(0x1)
pclk_freq(30000000) div(3)
id = 0xc8 0x51 0xc8 0x51
env_nand_load:read nand env0 sucessful
env_nand_load:crc env0 sucessful
env_nand_load:read nand env1 sucessful
env_nand_load:crc env1 sucessful
OK
misc_init_r: boot time: 4162806(us)
misc_init_r: boot time: 4236960(us)
Set CPU clk 1200MHz
[UID] = 0x000003c1
Warning: eth0 MAC addresses don't match:
Address in SROM is e0:ba:ad:ef:92:e7
Address in environment is 00:00:23:34:45:66
[Dynamic change partition Warning]Use default partition info,ret is -19!
Hit ctrl+u to stop autoboot: 0
HKVS $ setenv ';pritenv
HKVS $ setenv ';printenv
HKVS $ setenv ';printenv'
HKVS $ setenv ';update
HKVS $ setenv ';tftp
HKVS $ setenv ';tftp'
HKVS $ setenv ";tftp"
HKVS $ setenv ";tftp"
HKVS $ setenv bootcmd ';update'
HKVS $
By the way im using this ttl converter
Thanks in advance.
NDD>XSAT
UNZOK!PCK[120]
table1
DRAM1_DDR4x2_2400_32B ini_ver: 0x41210723
zq_trim[e], ldo_trim[8]
CPU1200 DONE
table1
DRAM2_DDR4x2_2400_32B ini_ver: 0x41210723
ddr2 zq_trim[d], ldo_trim[6]
ddr init done
HVYOK
UNZOK!
Loader Start ...SPI NAND MID=000000C8 DEV=00000051
bin_size: 0x00008140
sha256_align_size 0x00008140
atf.bin RSA ok!
check sum ok!
sha256_align_size 0x000A9080
uboot RSA ok!
smp(bl31)
$$$64wfi6644wwfifi64core2_jump_program 0x002065F3
64code2JumpCodelen 0x0000018C
ARC64warmrstwarmrswarmrstt***4231###NOTICE: BL31: v2.2(release):
NOTICE: BL31: Built : 17:00:51, Aug 23 2021
NOTICE: FDT check fail.
NOTICE: BL31: No DTB found.
NOTICE: TZASC config:
NOTICE: 0x00100000@0x01f00000 (RW/N) Ree
INFO: ARM GICv2 driver initialized
INFO: BL31: Platform setup done
INFO: BL31: Initializing runtime services
NOTICE: not find OPTEE, if system not have OPTEEe, don't care OPTEE error or warning message
WARNING: No OPTEE provided by BL2 boot loader, Booting device without OPTEE initialization. SMC`s destined for OPTEE will return SMC_UNK
ERROR: Error initializing runtime service opteed_fast
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x3e000000
INFO: SPSR = 0x3c9
U-Boot 2019.04 (Nov 02 2022 - 14:14:02 +0800), Build: jenkins-Backend-BSP-CCI-8115
Read power trim = 0x00000000
remap_data 8
pwm_id:0 pinmux = 0x1
pwm_id(0) pwm_pinmux(0x1)
pclk_freq(30000000) div(3)
id = 0xc8 0x51 0xc8 0x51
env_nand_load:read nand env0 sucessful
env_nand_load:crc env0 sucessful
env_nand_load:read nand env1 sucessful
env_nand_load:crc env1 sucessful
OK
misc_init_r: boot time: 4162806(us)
misc_init_r: boot time: 4236960(us)
Set CPU clk 1200MHz
[UID] = 0x000003c1
Warning: eth0 MAC addresses don't match:
Address in SROM is e0:ba:ad:ef:92:e7
Address in environment is 00:00:23:34:45:66
[Dynamic change partition Warning]Use default partition info,ret is -19!
Hit ctrl+u to stop autoboot: 0
HKVS $ setenv ';pritenv
HKVS $ setenv ';printenv
HKVS $ setenv ';printenv'
HKVS $ setenv ';update
HKVS $ setenv ';tftp
HKVS $ setenv ';tftp'
HKVS $ setenv ";tftp"
HKVS $ setenv ";tftp"
HKVS $ setenv bootcmd ';update'
HKVS $
By the way im using this ttl converter
CP2102 USB 2.0 to UART TTL Converter
Thanks in advance.
Update - I used the Firmware_Europe_V4.30.231_230726_S3000534428.zip and voala - DVR is reset to factory default and I'm able to work with it
