Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

Show full version.
You need stop u-boot. At screen kernel started and you have another
I boot Dahua and Hik cameras and devices with the star button and cnt u stop u boot with ttl serial and putty, but for this unv camera it does not stop boot with the star button and ... and my problem is how to stop boot the (unv camera)? and Define mac address?
 
I boot Dahua and Hik cameras and devices with the star button and cnt u stop u boot with ttl serial and putty, but for this unv camera it does not stop boot with the star button and ... and my problem is how to stop boot the (unv camera)? and Define mac address?
Try other pressed combination: ctrl+B or others.
Be sure, that you have word uart adapter, good ground connect, and good tx connect.
 
Try other pressed combination: ctrl+B or others.
Be sure, that you have word uart adapter, good ground connect, and good tx connect.
The bootloader is well past in your console screenshot.

Hint - in PuTTY you can copy / paste all of the screen rollback text into something like Notepad etc to edit and post much easier for you and the readers.
Use the 'Copy all to clipboard' option in the menu button at the top left of the window.
If you do that - you should be able to see if the bootloader shows how it can be interrupted.
I try cntrl B (putty) and it works and bootstop works properly and i config and change MAC address with (config ethaddr) successfully. Tnx for your attention!
Dahua: * button
Hikvision: cntrl U
Unv : cntrl B
For bootstop/.Tf232 serial port ttl
Dahua mac : mac and ethaddr saveenv
Hikvision mac : ethaddr saveenv
Unv mac: config ethaddr saveenv
Setenv mac for other devices/.
 
  • Like
Reactions: iTuneDVR
Show full version.
You need stop u-boot. At screen kernel started and you have another interface.
The bootloader is well past in your console screenshot.

Hint - in PuTTY you can copy / paste all of the screen rollback text into something like Notepad etc to edit and post much easier for you and the readers.
Use the 'Copy all to clipboard' option in the menu button at the top left of the window.
If you do that - you should be able to see if the bootloader shows how it can be interrupted.
I try cntrl B (putty) and it works and bootstop works properly and i config and change MAC address with (config ethaddr) successfully. Tnx for your attention!
Dahua: * button
Hikvision: cntrl U
Unv : cntrl B
For bootstop/.Tf232 serial port ttl
Dahua mac : mac and ethaddr saveenv
Hikvision mac : ethaddr saveenv
Unv mac: config ethaddr saveenv
Setenv mac for other devices/.
 
Firstly, thanks for your quick response Alastair.
That is the document I followed, but sadly it did not work for me.

Because I did not have any plugs that would work in these tiny little serial ports, I jerry rigged a few wires and terminals that I had at hand and squashed the terminals sufficiently so that they would make decent contact with the pins in the plug.
They were bare terminals and very close together, so I slipped a thin piece of plastic between them, so they did not make contact with each other. To confirm there was no contact I did a continuity test with my multimeter, just to be sure I did not fry anything.
This arrangement was extremely dodgy and quite fickle to setup, so I had not tried the other plug until after I had written the above request for help.

Figuring that I should cover all of my options, I stuffed around some more and moved my 3 cables to the JP0 plug.
What do ya know... now it works as it should!

Trap for young players... just because something looks like a serial port doesn't mean that it is the RIGHT serial port.
Using the JP3 serial plug allowed me to see the boot process, but it did not allow me to interact with the system. The JP0 serial port on the other hand... well, that just worked.
Maybe something to note for anyone else trying to fix a bricked DS-7608NI-I28P NVR. USE THE JP0 SERIAL PLUG!!!!

View attachment 94320
Noob here, just a note that on my board it shows as JP8. Board is a DS-80242.
 
I tried but without success, putty does not send the firmware
I can access the control panel via its ip, but there are no permissions to modify some functions
Hello, did you resolve this issue ? have an axhub, but it will not boot up - with electricity, only green led solid start, nothing else :-( thanks for reply
 
I am excited to report, that I was successful in recovering the password of my NVR - DS-7608NI-E2/8P. I spent weeks at it, and actually capitulated twice. Took out the hard drives and reformatted them to see if I could use them elsewhere in my network.Only to try again last night with success ! Hooray. I am here to let you know how I did it, and payback to those of you who inspired me.

The method I used was the TFTP approach using the scott lamb python3 script off the github.

The main problem was that the TFTP program would simply hang and do nothing. Yet I proved the following:
  • Hikvision NVR briefly changes its IP to 192.0.0.64
  • Arp packets fly around the network, agreeing to acknowledge the NVR nad TFTP Server address.
  • I change my pc ip address to the server address... eg 192.0.0.128
  • I reboot the NVR multiple times. The ptython TFTP sits there, fut fails to act despite the fact that ip addresses are all good.
  • I tried doing this in linux and windows... but both failed.
  • I stopped any firewalling, and opened up my opnsense network very wide.
  • The TFTP program simply fails to acknowledge the NVR.
If this sounds familar to you ... read on.

I cranked up vscode and loaded the python script into the IDE.
Then went into the terminal window at the bottom of the vscode ide, and typed the exact same command to run the script eg.
sudo python hikvision_tftp3.py

and it WORKED ! Took only a few seconds to load he digicap file via the tftp program, and the terminal windows provided a lot of feedback during the transfer. With a welcome success message at the end.

I don't really understand why though... there must be something environmental in how vscode is able to run python, that is somewhat different that a typical terminal window in linux.

Interesting stuff...

I am new to surveillance so now rampiing up on how setup the nvr and cameras in a meaningful way....

Hope this experience might help someone else....
 
Hi experts,
I'm fighting with password reset/FW update on my DS-7104HQHI-K1 (board version 80388_P Rev 2.1) V4.30.212 build 210618. I have the same firmware downloaded on my PC and trying to upload it to the DVR via tftpd32, but after upload I'm always getting "upgrade packet mismatch", see below.
Any idea/suggestion please?

Code:
HKVS $ setenv ';printenv'
arch=arm
baudrate=115200
board=fy01
board_name=fy01
bootargs=mem=160M console=ttyS0,115200
bootcmd=tftpboot 0x82000000 uImage;bootm 0x82000000;
bootdelay=0
cpu=armv7
default=mtdparts;ubi part flash_sys0;ubifsmount ubi:sys0;ubifsload 0x82000000 uImage;
deviceID=RkYmyqSGgj8cH3S0te7sOR88BWNPVtk=
device_type=DS-7104HQHI-K1
ethaddr=24:0f:9b:21:82:ab
fdtcontroladdr=9fe34910
gatewayip=192.0.0.1
identification=0000000100000001000002000x9D500000003000000020001
ipaddr=192.0.0.64
mac_mode=inner
mtdids=nand0=nandflash0
mtdparts=mtdparts=nandflash0:4m(boot),52m(flash_sys0),52m(flash_sys1)
netmask=255.255.255.0
passwd=u2kt5kIP+/imuYE+s2SZXqqmZz/2vGKSF+ec+CfX1dc=
phy_addr=10
phyaddr0=0
sec=tftpboot 0x82000000 Ky2019-B1-uImage_sec;bootm 0x82000000;
serverip=192.0.0.128
soc=molchip
stderr=uart@0x18300000
stdin=uart@0x18300000
stdout=uart@0x18300000
update_ip=192.0.0.64
vendor=molchip
ver=U-Boot 2017.09-svn54936 (Dec 31 2020 - 11:43:06)
verify=y

Environment size: 1009/131068 bytes



HKVS $ setenv ';update' 
Loading file 'uImage' to addr 0x82000000...
Done
the uImage support update_v3.
   Verifying RSA ... OK
## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   Linux-4.9.138
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3694902 Bytes = 3.5 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Starting kernel ...

Thu Jan  1 00:00:01 UTC 1970

mv: can't rename 'ubi*': No such file or directory
Starting udev:      [ OK ]

-0-[    3.545345] dwceqos 1b900000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx

This program will download and upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

ftp server not exit[-110]!
################################        [ 8.000 MB]
################################        [16.000 MB]
###########
tftp transmit over,file size[19669356][18.776 MB].
[cramfs.img                    ]: offset is 108         size is 19668992 
The digicap info: language - 0x1 device_class - 0x5A oemCode - 0xFFFFFFFF
file header error, filenums:954053725
The board info: language - 0x1 device_class - 0x9D5 oemCode - 0x1
upgrade packet mismatch, please select correct packet
Can not find correct packet for upgrade, give up!!!
 failed(-5)!
Press ENTER key to reboot

I press [enter], DVR reboots and still asking for password.
 
Hi alastairstevenson,
many thanks for quick reply.
I downloaded the FW from I see no more details on the device's bar code, see picture below.
20250131_084717.jpg20250131_084841.jpg20250131_084717.jpg20250131_084841.jpg

see HKVS $ setenv ';help'
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cdp - Perform CDP network configuration
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr_info- ddr training info molchip soc
dm - Driver model low level access
echo - echo args to console
env - environment handling commands
fdt - flattened device tree utility commands
go - start application at address 'addr'
help - print command description/usage
iminfo - print header information for application image
loop - infinite loop on address range
md - memory display
mdio - MDIO utility commands
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
source - run script from memory
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
ubi - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
version - print monitor, compiler and linker version
 
Hi guys I have Hikvision iDS-7116HQHI-M1/S - DVR running on 4.7x firmware currently and its password locked. I followed the guide for flashing new firmware but no luck i can't get passed HKVS $ no command is taking setenv ';update' or ';printenv'. I was wondering if someone can help me with this. Here it's the output of putty when i send the commands.

NDD>XSAT
UNZOK!PCK[120]
table1
DRAM1_DDR4x2_2400_32B ini_ver: 0x41210723
zq_trim[e], ldo_trim[8]
CPU1200 DONE
table1
DRAM2_DDR4x2_2400_32B ini_ver: 0x41210723
ddr2 zq_trim[d], ldo_trim[6]
ddr init done
HVYOK
UNZOK!
Loader Start ...SPI NAND MID=000000C8 DEV=00000051
bin_size: 0x00008140
sha256_align_size 0x00008140
atf.bin RSA ok!
check sum ok!
sha256_align_size 0x000A9080
uboot RSA ok!
smp(bl31)
$$$64wfi6644wwfifi64core2_jump_program 0x002065F3
64code2JumpCodelen 0x0000018C
ARC64warmrstwarmrswarmrstt***4231###NOTICE: BL31: v2.2(release):
NOTICE: BL31: Built : 17:00:51, Aug 23 2021
NOTICE: FDT check fail.
NOTICE: BL31: No DTB found.
NOTICE: TZASC config:
NOTICE: 0x00100000@0x01f00000 (RW/N) Ree
INFO: ARM GICv2 driver initialized
INFO: BL31: Platform setup done
INFO: BL31: Initializing runtime services
NOTICE: not find OPTEE, if system not have OPTEEe, don't care OPTEE error or warning message
WARNING: No OPTEE provided by BL2 boot loader, Booting device without OPTEE initialization. SMC`s destined for OPTEE will return SMC_UNK
ERROR: Error initializing runtime service opteed_fast
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x3e000000
INFO: SPSR = 0x3c9


U-Boot 2019.04 (Nov 02 2022 - 14:14:02 +0800), Build: jenkins-Backend-BSP-CCI-8115

Read power trim = 0x00000000
remap_data 8
pwm_id:0 pinmux = 0x1
pwm_id(0) pwm_pinmux(0x1)
pclk_freq(30000000) div(3)
id = 0xc8 0x51 0xc8 0x51

env_nand_load:read nand env0 sucessful
env_nand_load:crc env0 sucessful
env_nand_load:read nand env1 sucessful
env_nand_load:crc env1 sucessful
OK
misc_init_r: boot time: 4162806(us)
misc_init_r: boot time: 4236960(us)
Set CPU clk 1200MHz
[UID] = 0x000003c1

Warning: eth0 MAC addresses don't match:
Address in SROM is e0:ba:ad:ef:92:e7
Address in environment is 00:00:23:34:45:66
[Dynamic change partition Warning]Use default partition info,ret is -19!
Hit ctrl+u to stop autoboot: 0
HKVS $ setenv ';pritenv
HKVS $ setenv ';printenv
HKVS $ setenv ';printenv'
HKVS $ setenv ';update
HKVS $ setenv ';tftp
HKVS $ setenv ';tftp'
HKVS $ setenv ";tftp"
HKVS $ setenv ";tftp"
HKVS $ setenv bootcmd ';update'
HKVS $

By the way im using this ttl converter

CP2102 USB 2.0 to UART TTL Converter​

CP2102-USB_1024x1024@2x.jpg


Thanks in advance.
 
Hi alastairstevenson,
many thanks for quick reply.
I downloaded the FW from I see no more details on the device's bar code, see picture below.
View attachment 213190View attachment 213191View attachment 213190View attachment 213191

see HKVS $ setenv ';help'
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
bootelf - Boot from an ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
cdp - Perform CDP network configuration
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr_info- ddr training info molchip soc
dm - Driver model low level access
echo - echo args to console
env - environment handling commands
fdt - flattened device tree utility commands
go - start application at address 'addr'
help - print command description/usage
iminfo - print header information for application image
loop - infinite loop on address range
md - memory display
mdio - MDIO utility commands
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
source - run script from memory
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
ubi - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
version - print monitor, compiler and linker version

Update - I used the Firmware_Europe_V4.30.231_230726_S3000534428.zip and voala - DVR is reset to factory default and I'm able to work with it :)
 
  • Like
Reactions: alastairstevenson