Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
if you can see the meaning of error please tell me, here below is the log:
I can see a couple of problems.
But first: Hint - for logs and code, use the Code tags to hold the content, under the + in the edit menu. This is easier for you, and easier for the readers.

Here is what I notice:

I'm curious where you got the set of commands at the start of the log from.
Generally, these could be used to boot a kernel (uImage) over the network on a device where the kernel and/or the root file system has been erased or corrupted, allowing a minimum environment from which to do repairs.
They are not really relevant to what you are trying to do - the primary problem has not as yet been identified.

setenv bootcmd 'tftp 0xc0700000 uImage; tftp 0x42000000 digicap.dav; bootm 0xc0700000'
This is just plain wrong as a bootcmd setting.
The file digicap.dav is an encoded, encrypted firmware distribution file and has no place being loaded into memory as part of a bootcmd.
In fact, that is why there is a data abort just after it's loaded in - it's not an executable file.
But all that doesn't really matter, as the environment variables (at least in this log) have not been saved, such that the hardware reset that follows starts from scratch again.

But that does beg the question - what are the values in the bootargs and other variables?
These are used to inform the uImage kernel how to start, and where some items are located.
A couple of questions on this:
What were the very original environment variables, in particular bootargs and bootcmd?
Hopefully before making changes you interrupted the bootloader and used
printenv
to see them and record their values. That is important.

And secondly, what are the values of the environment variables now?
Are any changed from the original?
To see the problem properly, they should be returned to their original values.

This is important, because it looks like the main partition, probably mtdblock2 has invalid or corrupt data in it.
The kernel, uImage, is booting OK (though it could still be the wrong kernel for this model).
It's executing startup commands, but when it gets to the point where it's decrypting the various encrypted archives, the ded program doing the decryption finds corrupted data. This is the web server data, there are similar encrypted archives for libraries and programs.
Code:
ded in[/home/hik/gui_res.tar.lzma]/out[/home/app/gui_res.tar.lzma] ioctl faild. errno[5]
tar: unexpected EOF
tar: short read
This is a fatal error and will cause a bootloop.

In summary - the firmware that's been loaded is corrupt, and there is a question about whether the bootloader environment variables are still valid.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
The strange part is the time, I see the time initiated at 1970 January, finally when reboot occur I see error regarding savelog for this time iCurrTime and iTempTime. Is it possible by using command to initiate the correct time and date before downloading the image? Maybe this could be the solution.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
@alastairstevenson

Let's see each of your doubt. First of all from the console no command returns anything, printenv, update or anything else so I can't find out about the other environment variables. This is why I used the 4 lines commands packet found over the internet to force loading my image. In my case last line command "setenv bootcmd...." is the magic line, the single one which react and gives to me results like loading and rebooting.
Maybe the commands are not loading in correct way the image, but this we should find out through trying and find in internet. I will try anything you suggest, but take into account that a command can be passed to the device just through bootcmd environment variable.

Another idea, how can I reproduce the update command using "setenv bootcmd..."???


thank you,
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Much easier to see the code now!
First of all from the console no command returns anything, printenv, update or anything else so I can't find out about the other environment variables.
If that can't be done, it's hard to know how to proceed.

You can see from this :
Code:
HKVS $ setenv bootargs console=ttyS2,115200n8 root=/dev/ram0 rw initrd=0x42000000
HKVS $ setenv bootcmd 'tftp 0xc0700000 uImage; tftp 0x42000000 digicap.dav; bootm 0xc0700000'
The the firmware file digicap.dav is being referenced as the 'initrd' - the 'initial RAM drive' where important data and programs are held.
It's not valid for that use.

Suggestion :
In the tftp server folder on the PC, rename digicap.dav to something different and see how the bootup changes.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
hmmm....just to rename the file and to make reference to it using the renamed name I think that nothing will change. But, I have 3 firmware images and I loaded then I checked the differences, so yes the differences are visible, see the two logs attached.

I have no idea how to upload here 2 files.
files

Here below you have the main part of error generated and rebooting, what's the cause and how to solve?

Code:
@@@@do not need poc test@@@@
Device Is Ready
1+0 records in
1+0 records out
65536 bytes (64.0KB) copied, 0.008212 seconds, 7.6MB/s
[ERROR]:savelog.c[1140] iCurrTime[925476] iTempTime[922502]

[ERROR]:savelog.c[1326] flash can not be Operate and quit!

LibLibLib: <HIKVQD_Process> pass at line:1158
LibLibLib: <HIKVQD_Process> pass at line:1158
[   52.503914] [HKBSP][hik_wdt hik_wdt.1]hik-wdt:hikwdt_isr. Call hikwdt notifier chain!
[   52.511757] [HKBSP][hik_wdt hik_wdt.1]hik-wdt:hikwdt_isr. I'm so Sorry (>_<)...
[   52.519055] [HKBSP][hik_wdt hik_wdt.1]hik-wdt:hikwdt_isr. last_feedwdt:4294940020(jiffies64:4294942546,timeout:25)
 
Last edited:

ste92

Getting the hang of it
Joined
Oct 6, 2015
Messages
135
Reaction score
6
hello to all, I have a problem with my dvr bought from 3 days I updated and now I can no longer access the menu. can someone help me to put the update back on? I have already identified where to connect my post is this: dvr turbo bricked
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
hello to all, I have a problem with my dvr bought from 3 days I updated and now I can no longer access the menu. can someone help me to put the update back on? I have already identified where to connect my post is this: dvr turbo bricked
Hi,

your DVR is exactly like mine by seeing your hardware. You don't have access to the menu,but can you access the DVR through network by using Internet Explorer? If yes, then you can upgrade again to the previous firmware which was working. I can confirm to you that using UART is exactly on that port marked by you with red circle.
 

ste92

Getting the hang of it
Joined
Oct 6, 2015
Messages
135
Reaction score
6
Thank you for your help!
I tried to set up lan card 192.0.0.x net mask 255.255.255.0 gateway 192.0.0.64 also dns similar to gateway but with internet explorer I can not login. but I can do the pign da dos.
which guide can I do according to you? UART What would it be?
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
Thank you for your help!
I tried to set up lan card 192.0.0.x net mask 255.255.255.0 gateway 192.0.0.64 also dns similar to gateway but with internet explorer I can not login. but I can do the pign da dos.
which guide can I do according to you? UART What would it be?
First try for you is to connect via internet if possible, so for this use your LAN and for gateway set router IP, your PC should take automatically IP, do not set anything and access the IP of your DVR, if you don't know the IP of DVR, check on the router.

If you can't do it in this way, you go to the next level by using UART. For this you need to connect to that port indicated by you with red circle, take care, from left to right there are GND, TX and RX, so you connect through cable to USB serial converter which is inserted to PC. Most of the instructions are presented at the beginning of this thread. Then we will see if for you "update" works.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
hmmm....just to rename the file and to make reference to it using the renamed name I think that nothing will change.
Agreed. But the idea was to rename it but not change the reference so it would not load.
You need to set the faulty bootcmd value back to the value it had before it was changed.

I have no idea how to upload here 2 files.
The logs still show the same major problem - the archive files in the root file system are corrupt.
The system cannot continue when that is the case.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
I have the key as in the picture okay? from left to right you mean watching the DVR from the front panel or the back (HDMI connections, VGA)?
yes that USB TTL is good but you should have the driver for it. Also yes, I mean watching from the front panel exactly as your picture is, left to right. You will also see that if you try to fit the cable you have there for audio, the unique position will indicate the more red wire to the right that is + which should not be used.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
Agreed. But the idea was to rename it but not change the reference so it would not load.
You need to set the faulty bootcmd value back to the value it had before it was changed.
I did it and nothing new, just not finding the file. Anyway I think that at any reboot the bootcmd is back to original but I can't read it to see what is the original. We should know something deeper, lower and lower from Hikvision secrets to solve this problem. I also asked them to help in this way. The last way is to send back to seller for resolving the problem, but the pleasure is to understand and to solve here.
Here below is the result after renaming:
Code:
U-Boot 2010.06-svn (May 25 2017 - 18:00:13)[V1.4.5]

Hit ctrl+u to stop autoboot:  0
HKVS $ setenv ipaddr 192.0.0.64
HKVS $ setenv serverip 192.0.0.128
HKVS $ setenv bootargs console=ttyS2,115200n8 root=/dev/ram0 rw initrd=0x42000000
HKVS $ setenv bootcmd 'tftp 0xc0700000 uImage; tftp 0x42000000 digicap.dav; bootm 0xc0700000'
timeout for link [4999]!
MAC:   B4-A3-82-BC-57-15
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Download Filename 'digicap.dav'.
Download to address: 0x42000000
Downloading: *
TFTP error: 'File not found' (1)
Not retrying...
data abort
pc : [<4dc1038c>]          lr : [<4dc1078c>]
sp : 4d9ff0f0  ip : 4d9ff62a     fp : 4dc38488
r10: 4d9ff194  r9 : 00000000     r8 : 4d9fffe0
r7 : 00000000  r6 : c0700000     r5 : 4dc3b004  r4 : c0700000
r3 : 00000000  r2 : 00000010     r1 : 00000000  r0 : c0700000
Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
Resetting CPU ...

resetting ...


U-Boot 2010.06-svn (May 25 2017 - 18:00:13)[V1.4.5]

Hit ctrl+u to stop autoboot:  0
### CRAMFS load complete: 4233112 bytes loaded to 0x42000000
## Booting kernel from Legacy Image at 42000000 ...
Verifying RSA ... OK
   Loading Kernel Image ... OK
OK
 
  • Like
Reactions: ibm

ste92

Getting the hang of it
Joined
Oct 6, 2015
Messages
135
Reaction score
6
I tried before with a 4-channel DVR turbo hd 1.0 and I managed (I think he caught a virus I wanted to throw it instead I saved it thanks) but now with the model 7208 huhi k1 I failed. when I throw putty I can not even stop it with ctl u, when I turn it on is not even activated the lan maybe it is for what it does not find it? other guides are not there?
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
548
Location
London
Well all good fun but not necessary really, forcing a firmware that doesn't go into the NVR or a Camera will partly brick the device this is done on purpose to corrupt the stored user details of the device.

All new IPC come with a reset button so this is only on older models.

Once you have semi bricked the device tftp with Hikvision's tftp will restore the NVR to its original settings with just needing SADP to reactivate the device.
It truly is that simple.
 

ste92

Getting the hang of it
Joined
Oct 6, 2015
Messages
135
Reaction score
6
but I tried with SADP not find anything I set on my pc 192.0.0.xxx does not find anything
where is the reset button? my dvr is turbo 4 hd 7208 huhi k1
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
but I tried with SADP not find anything I set on my pc 192.0.0.xxx does not find anything
where is the reset button? my dvr is turbo 4 hd 7208 huhi k1
ste92 you have the same problem as me, but maybe you are more lucky than me regarding the device status. Don't look for network until you have the hand over the console. So if you connected the PC to DVR through UART and you have booting chars in your putty console, take care, CTRL+U should be pressed in first second after DVR start, it is very short moment, it will work, just try to do it immediately. Then check if for you it works the command "update" or just "u", if it works surely you are more lucky than me.
 
Last edited:

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
All new IPC come with a reset button so this is only on older models.

Once you have semi bricked the device tftp with Hikvision's tftp will restore the NVR to its original settings with just needing SADP to reactivate the device.
It truly is that simple.
I wonder how old is my device Turbo 4.0 DVR DS-7208HUHI-K2? I think not so old, but it has no reset button. Yes, it is strange to make upgrade with firmware from producer Hikvision page according to description and to have the surprise to not work anymore the device. They told me that the firmware is tested and working after I really have this experience to face rebooting in infinite cycles. Normally it should have dual memory for any wrong or not working firmware to restore easy to previously one, but it seems that hikvision is not so good as they seem to be.

Tell me please if you know a method to write this firmware, I have the one stable, the previous one, but I can't write it anymore and really I didn't used SADP, because I'm not sure it will work more than TFTP with Putty, am I wrong? Should I try with SAPD, could that work?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Should I try with SAPD, could that work?
SADP does not do firmware updates.

I have the one stable, the previous one, but I can't write it anymore
What is the file size, is it greater than 32MB?
If it is less than 32MB, you should be able to try the Hikvision tftp updater tool, from here : TFTP
When you power up the DVR, you can watch the progress using PuTTY on the serial console.
 

antonio1

Young grasshopper
Joined
Jan 16, 2019
Messages
38
Reaction score
7
Location
Romania
SADP does not do firmware updates.
What is the file size, is it greater than 32MB?
If it is less than 32MB, you should be able to try the Hikvision tftp updater tool, from here : TFTP
When you power up the DVR, you can watch the progress using PuTTY on the serial console.
The file size is about 18MB not so large. Your idea with hikvision TFTP I prepared to apply as next because I know they did it specially to start automatically at the good location, but I had no courage, let me try this and come back with the answer. I already have that TFTP thank you for sharing.
 
Top