Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

Discussion in 'Hikvision' started by alastairstevenson, Aug 11, 2017.


  1. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    6,291
    Likes Received:
    1,517
    Location:
    Scotland
    I was not going to post these details in public, to reduce the chance of Hikvision blocking them in future firmware - though no such inhibitions in private, quite busy on the topic!
    But then this happened : Hikvision no longer selling to the end user
    See also this link and the attached PDF in this post.
    HikVision End of Supply 4-8-17
    It's just another example of how Hikvision continues to treat their customers with contempt in their misguided and ultimately doomed 'Prop up the Authorised Resellers inflated margins' tactics.
    Shame on you, Hikvision, what an awful way to do business!

    Some other, for a $multi-billion business, rather un-business-like activities:
    Putting Blogger Anti-Hikvision Rhetoric in Perspective
    Blogger’s Cyberbullying Mission Tiresome, Destined to Fail
    Hikvision Attacks IPVM
    Hikvision Blogs About IPVM: "Putting Blogger Anti-Hikvision Rhetoric In Perspective"

    I'm sure their main rival Dahua will be quite pleased to fill the gap that Hikvision seem to be vacating.
    If the way that the postings volume in ipcamtalk.com has shifted to the now dominant Dahua away from Hikvision over the past year is an indication, maybe the customer sentiment is already moving against Hikvision.


    So it's time to provide a roundup of a little help to Hikvision's stranded and unsupported R0 camera customers.

    You bought your DS-2CD2x32-I camera at low cost off eBay or Aliexpress and upgraded the firmware to the published 5.3.0 version.
    The web GUI menus changed to Chinese. Your Hikvision NVR now rejects the camera with a 'Language mismatch' error. Your camera no longer responds - it's bricked.
    You've fallen into a deliberate Hikvision trap aimed at on-line purchasers of Chinese market cameras running seller-installed 'Hacked to English' firmware.
    Go to the @whoslooking Custom Firmware Downgrader 5.3.0 Chinese to 5.2.5 English and get back to English menus.

    To fix Chinese day-of-the-week or 'Language mismatch' errors connecting your 5.2.5 firmware camera to your NVR, go to the classic mtd hack from @whoslooking
    Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack

    If you saw the Hikvision security advice to update your camera firmware following the high-severity security vulnerability / backdoor found and reported by forum member @montecrypto and it bricked - you have fallen into the Hikvision deliberate Catch-22 trap.
    Backdoor found in Hikvision cameras
    Hangzhou Hikvision Digital Technology Co. Ltd.
    (I wonder if the ISC-CERT referenced here is deliberately mistyped?)
    Hangzhou Hikvision Digital Technology Co. Ltd.
    A perfect 10 out of 10! And 8.8 for putting passwords in plain text in the configuration file. Dohh..
    Hikvision Cameras | ICS-CERT
    https://nvd.nist.gov/vuln/detail/CVE-2017-7923
    https://ipcamtalk.com/threads/ds-2c...r-trying-to-upgrade-to-5-4.19971/#post-192126
    These are very good reasons to update the camera firmware. And shame on you Hikvision for putting in measures that block this.

    Now your camera won't run the updated/fixed firmware / won't downgrade as a downgrade block has been implemented. It's bricked!
    Fortunately - as there is a lot of this around - there is a fix for the problem, the 'Brickfix tool'.
    Tool and instructions in the attached file Brick_fix_tool.txt

    Have you found that following email provider security improvements, your camera with older firmware will no longer send gmail or GMX notifications?
    You know there is a fix for this, and bug-fixes and various serious security fixes in updated firmware, but you can't apply it as the Hikvision firmware has code that will stop it running on cameras bought at low cost on-line or from other than authorised resellers.
    You could try the attached 'enhanced_mtd_hack.txt' guide which has been pretty successful in allowing the 'non-upgradable' cameras to be fully upgraded and making them safer and better to use. Which is something Hikvision should be encouraging, not blocking. In my view.
     

    zero4s, peraburek, David77 and 14 others like this.
  2. marku2

    marku2 Getting the hang of it

    Joined:
    Dec 23, 2016
    Messages:
    296
    Likes Received:
    55
    Location:
    Australia
    Thank you Alastair, that was a good read, and thank you for all the help you have freely given. I really appreciate all your efforts. I'm just waiting for my USB connector, then time to play.
     
    alastairstevenson likes this.
  3. marku2

    And I'm fixing up a so-called professional installer selling Chinese cameras. Go figure that out, Hikvision.
     
  4. Tolting Colt Acres

    Tolting Colt Acres Getting the hang of it

    Joined:
    Jun 7, 2016
    Messages:
    182
    Likes Received:
    60
    As Trump would say.... this is YUGE!

    Ipcamtalk users are blessed to have folks like Alastair willing to share their in depth knowledge with us... otherwise we would be locked out in the cold!

    Sticky, mod?
     
  5. Securame

    Securame Getting the hang of it

    Joined:
    Mar 25, 2014
    Messages:
    301
    Likes Received:
    49
    Location:
    Barcelona, Spain
    Thanks for all that good info!
     
    alastairstevenson likes this.
  6. whoslooking

    whoslooking Known around here

    Joined:
    Oct 3, 2014
    Messages:
    1,491
    Likes Received:
    519
    Location:
    London
    A fantastic release Alastair, this one needs to be made a sticky.

    cracking job!
     
  7. mjb

    mjb n3wb

    Joined:
    May 9, 2014
    Messages:
    25
    Likes Received:
    15
    Many thanks!

    As someone who spent 30+ years consulting with technology companies, I can assure you Hikvision's approach is EXACTLY the wrong way to do what they are trying to do. Rather than introduce a new end-user subbrand (Hi-Watch) they should have introduced a new higher-end brand (e.g., "Hik-Plus") that was targeted at trade installers only.

    Well, the good news is this will provide a great business school case for MBA students at Harvard, INSEAD, AGSM, etc. The students will all learn about a company named Hikvision that took an enviable business position into bankruptcy through mismanagement.
     
  8. Calumet

    Calumet n3wb

    Joined:
    Aug 10, 2017
    Messages:
    5
    Likes Received:
    2
    Thousands of thanks, it's working with the help of alastairstevenson.

    DS-2CD2532F-IWS and one DS-2CD2432F-IW came with 5.3.0 and were bricked.
    Now, both are on 5.4.5 !
     
  9. alastairstevenson

    Excellent!
    Another of many good results.
    And well done for unbricking and following the upgrading recipe to a successful conclusion.
     
  10. scn101

    scn101 Getting the hang of it

    Joined:
    Feb 25, 2015
    Messages:
    161
    Likes Received:
    39
    Location:
    Dallas, TX
    This is a great job and works! But there is one thing to note from another post by @alastairstevenson, "depending on what original firmware was on the camera (5.2.8 mostly needs this) check the bytes at 0x0C and 0x8000C in mtdblock1 and if they are 0 change them to 2." I can attest that without this my orig 5.2.8 2332 cam would brick when updating from 5.2.5 to 5.3.0. With this change, it all went smoothly.
     
    alastairstevenson likes this.
  11. Billiboy

    Billiboy Young grasshopper

    Joined:
    Sep 27, 2016
    Messages:
    68
    Likes Received:
    2
    Location:
    Berlin
    A question about the checksum:
    Before I change the original mtdblock6 it has checksum 16 FD24.

    I change
    0x10 to 0x01 for EN
    0x64 to 0x07
    0x65 to 0x98 for devType = 38919
    Then the checksum is FC2B.

    Is it true that I must have the checksum FD24 again after the changes?
     
  12. scn101

    No. Now just change the Checksum from FD24 to FC2B.
     
  13. alastairstevenson

    I keep meaning to write this up.
    It's the 'icing on the cake' for the 'enhanced mtd hack', covering those remaining cameras that the label shows originally had 5.2.8 firmware installed.
    Mtdblock1 holds a couple of signature blocks with the results of the previous firmware update, and its version number.
    On some of the 5.2.8 cameras part of that data is missing.
     
  14. alastairstevenson

    Are you sure that checksum is correct? It seems a bit big to me.
     
  15. Billiboy

    I thought you always had to come to exactly the checksum you had before the change. I know the bios adjust for wlan module with hp.
     
  16. alastairstevenson

    No, the checksum must reflect the current data, it's the 'Checksum-16' value of the 0xF4 bytes from location 0x09 downwards.
    I just wondered if you'd worked it out correctly as it seemed larger than those I've seen.

    *edit*
     
  17. nlagaros

    nlagaros n3wb

    Joined:
    Oct 12, 2015
    Messages:
    10
    Likes Received:
    1
    Thank you Alastair. You made it so simple!
     
    alastairstevenson likes this.
  18. Billiboy

    Sorry, I have to translate everything into German, so some things are not understood correctly.
    I did not quite understand this with the checksum.
    I put the cursor before offset 09 and let it display the checksum?
    I do not understand exactly where the value of the 0xF4 bytes is.
    Start at 0x09 downwards, I understand this, how far?
    @alastairstevenson thank you for your patience
     

  19. Billiboy

    In another thread I have found
    " Select 0xF4 (244) bytes from ...."
    Are there 0xF4 bytes in the picture?
    Then the calculated checksum is 0D01.
    If that is correct, then why is there E4 0B at 0x04 and 0x05 in the original file?
    Sorry, I just do not understand it.
     

    Attached Files: 0xF4.JPG
  20. Billiboy

    So, now I made the changes, and from 0x09 to 0xFC, that must be 244. Then calculate the checksum. Does it look better now?
    What happens if the checksum is wrong and I copy it back to the cam?

    Copying to the cam with the command (cp /mnt/nfs00/mtdblock6 /dev) then overwrites the original file?
    Do I then still file right?
     

  21. alastairstevenson

    That is looking good - provided that the Checksum that is showing in the HxD status bar at the bottom is the result of doing the Checksum-16 calculation on the highlighted bytes.
    If it is - you then change location 0x04 to the value 0x08 (the least significant byte) and location 0x05 to the value 0x0C (the most significant byte).
    Then save the file, say as 'mtdblock6_mod' in the shared folder that is mounted in the camera.
    At the camera root shell prompt, while running firmware 5.2.5, the command to replace the mtdblock6 with the modified one is :
    cat /mnt/nfs00/mtdblock6_mod > /dev/mtdblock6
    And reboot the camera.
    The firmware will consider that there is bad data in the hardware information and will not run.
    The value of the checksum looks about right - but with just the screenshot and not the file itself I can't confirm.

    I do think you have got the method figured out now.
    Good luck!
     
    catseyenu likes this.
  22. Billiboy

  23. alastairstevenson

    You are welcome.
    Good luck with doing the updates.
     
    Billiboy likes this.
  24. fraatti

    fraatti n3wb

    Joined:
    Dec 26, 2015
    Messages:
    2
    Likes Received:
    0
    Hi!

    I want to make sure that it is possible to upgrade my cams. Camera model is DS-2CD-2035-I and current FW is (Chinese hacked English?) V5.3.6_151215. Platform is G1.

    I have found following firmware:
    V5.4.4 161116 - 2017-03-21
    V5.4.4 170112 - 2017-03-21
    V5.4.5 - 2017-03-21
    V5.4.6 170427
    DOWNLOAD PORTAL

    What do you think?
     
  25. alastairstevenson

    If the current firmware is indeed 'hacked to English', and the cameras are Chinese language underneath that, the EN/ML firmware you linked to will not run and likely end up bricking the cameras.
     
  26. David77

    David77 n3wb

    Joined:
    Apr 12, 2017
    Messages:
    6
    Likes Received:
    0
    Thank you alastairstevenson !!

     
  27. fraatti

    So it is impossible to upgrade these cams? These were bought last year from Aliexpress and they are multilanguage firmware. What is the first FW that works with gmail? And which is the first that doesn't have the security flaw that was revealed earlier?

    Now this same seller is advertising that their cameras are updateable.
    Aliexpress.com : Buy HIKVISION 8mp CCTV Camera Updateable DS 2CD2085FWD I IP Camera High Resoultion WDR POE Bullet CCTV Camera With SD Card Slot from Reliable camera with sd suppliers on XinRay Store
     
    Last edited: Sep 13, 2017
  28. marku2

    The CH in the serial number is the killer. Ask the seller for the digicap file. If you had WR it would be OK to upgrade via the Europe web page.
     
    alastairstevenson likes this.
  29. AdamWu

    AdamWu n3wb

    Joined:
    Oct 29, 2015
    Messages:
    4
    Likes Received:
    4
    Great instructions! But I think there is a slight error:
    > ...Checksum-16 value as calculated by HxD for the 0xF4 bytes starting from location 0x09...

    I observed the following cue:
    - The byte 0x08 contains 0xF4, which is the length used in the instruction
    - Assuming this byte denotes the checksum-protected data structure length, then the whole struct (assuming C) is likely defined in the source as:
    { int len; ...}
    - so, the len field should take 4 bytes, the byte 0x08~0x0B should be designated for the length field, and the actual protected data structure should start 0x0C, and end after 0xFF
    - the mirrored data structure at 0x20000, 0x40000 and inside mtdblock5 0x644 seems to support this observation

    So, my guess is that, the correct region to do checksum should be 0x0C~0xFF inclusive.
    Although, currently the last 3 bytes happen to be all zero, and so are the higher 3 bytes of the length field, so either way makes no difference...
     
  30. alastairstevenson

    You may well be correct - and I suspect you are - when the hardware signature block is read, and transferred to its in-use location, it's a word as opposed to a byte that's used for the checksum scope.
    But I haven't chased down the checksum calculate routine to see how these values are used.
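
The checksum exchange in posts 11 to 30, as an added example that is not part of the thread or any poster's tool: it checks an mtdblock6 dump on the PC before it is written back, computing the checksum over both the 0x09 range from the instructions and the 0x0C range AdamWu proposes, and refuses to reseal when the two disagree. Assumptions: Checksum-16 is the byte sum modulo 65536, devType is stored low byte first as the bytes at 0x64/0x65 in post 11 imply, and the function names and sample bytes are constructed for illustration.

```python
import struct

CSUM_OFF, LEN_OFF = 0x04, 0x08        # offsets quoted in the thread
LANG_OFF, DEVTYPE_OFF = 0x10, 0x64

def checksum16(data: bytes) -> int:
    """Checksum-16 taken as the byte sum modulo 2**16 (assumption)."""
    return sum(data) & 0xFFFF

def inspect_block(block: bytes) -> dict:
    n = block[LEN_OFF]                          # 0xF4 on the cameras discussed
    from_09 = checksum16(block[0x09:0x09 + n])  # range used in the instructions
    from_0c = checksum16(block[0x0C:0x0C + n])  # range proposed in post 29
    stored = struct.unpack_from("<H", block, CSUM_OFF)[0]  # LSB 0x04, MSB 0x05
    return {"length": n, "stored": stored,
            "from_09": from_09, "from_0c": from_0c,
            "ranges_agree": from_09 == from_0c,
            "valid": stored == from_09 == from_0c,
            "language": block[LANG_OFF],
            "devtype": struct.unpack_from("<H", block, DEVTYPE_OFF)[0]}

def reseal(block: bytes) -> bytes:
    """Return a copy with the stored checksum recomputed from current data."""
    info = inspect_block(block)
    if not info["ranges_agree"]:
        raise ValueError("0x09 and 0x0C ranges differ; checksum scope is ambiguous")
    out = bytearray(block)
    struct.pack_into("<H", out, CSUM_OFF, info["from_09"])
    return bytes(out)

def make_sample() -> bytes:
    """Constructed 256-byte stand-in for the start of an mtdblock6 dump."""
    b = bytearray(256)
    b[LEN_OFF] = 0xF4
    b[LANG_OFF] = 0x02                             # constructed non-EN value
    b[DEVTYPE_OFF:DEVTYPE_OFF + 2] = b"\x11\x22"   # constructed devType
    b[0x40:0x44] = b"TEST"                         # constructed filler
    return reseal(bytes(b))

if __name__ == "__main__":
    edited = bytearray(make_sample())
    edited[LANG_OFF] = 0x01                            # EN, per post 11
    edited[DEVTYPE_OFF:DEVTYPE_OFF + 2] = b"\x07\x98"  # devType 38919
    print("valid before reseal:", inspect_block(bytes(edited))["valid"])
    print("new checksum:", hex(inspect_block(reseal(bytes(edited)))["stored"]))
```

Running `inspect_block` on the modified file before copying it to the camera catches a stale checksum, which post 21 says makes the firmware refuse to run.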