Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

so, now I made the changes and from 0x09 to 0xFC, that must be 244. Then calculate the checksum. Does it look better now?
That is looking good - provided that the Checksum that is showing in the HxD status bar at the bottom is the result of doing the Checksum-16 calculation on the highlighted bytes.
If it is - you then change location 0x04 to the value 0x08 (the least significant byte) and location 0x05 to the value 0x0C (the most significant byte).
Then save the file, say as 'mtdblock6_mod' in the shared folder that is mounted in the camera.
At the camera root shell prompt, while running firmware 5.2.5, the command to replace the mtdblock6 with the modified one is :
cat /mnt/nfs00/mtdblock6_mod > /dev/mtdblock6
And reboot the camera.
What happens if the checksum is wrong and I copy it back to the cam?
The firmware will consider that there is bad data in the hardware information and will not run.
The value of the checksum looks about right - but with just the screenshot and not the file itself I can't confirm.

I do think you have got the method figured out now.
Good luck!
 
  • Like
Reactions: catseyenu
If the current firmware is indeed 'hacked to English', and the cameras are Chinese language underneath that, the EN/ML firmware you linked to will not run and likely end up bricking the cameras.

So it is impossible to upgrade these cams? These are bought last year from aliexpress and they are multilanguage firmware. Whatis these first FW that works with gmail? And which is first that doesn't have security flaw that had revealed earlier?
AnBHab1.png


Now this same seller is advertising that their cameras are updateable.
Aliexpress.com : Buy HIKVISION 8mp CCTV Camera Updateable DS 2CD2085FWD I IP Camera High Resoultion WDR POE Bullet CCTV Camera With SD Card Slot from Reliable camera with sd suppliers on XinRay Store
 
Last edited:
Great instructions! But I think there is a slight error:
> ...Checksum-16 value as calculated by HxD for the 0xF4 bytes starting from location 0x09...

I observed the following cue:
- The byte 0x08 contains 0xF4, which is the length used in the instruction
- Assuming this byte denotes the checksum protected data structure length, then the whole struct (assuming C) likely defined in the source as:
{ int len; ...}
- so, the len field should take 4 bytes, the byte 0x08~0x0B should be designated for the length field, and the actual protected data structure should start 0x0C, and end after 0xFF
- the mirrored data structure at 0x20000, 0x40000 and inside mtdblock5 0x644 seems to support this observation

So, my guess is that, the correct region to do checksum should be 0x0C~0xFF inclusive.
Although, currently the last 3 bytes happen to be all zero, so is the higher 3 bytes of the length field, so either way makes no difference...
 
  • Like
Reactions: catseyenu
So, my guess is that, the correct region to do checksum should be 0x0C~0xFF inclusive.
Although, currently the last 3 bytes happen to be all zero, so is the higher 3 bytes of the length field, so either way makes no difference...
You may well be correct - and I suspect you are - when the hardware signature block is read, and transferred to it's in-use location, it's a word as opposed to a byte that's used for the checksum scope.
But I haven't chased down the checksum calculate routine to see how these values are used.
 
OK I have some cumulative experience to report:

1. For language hacked Chinese ver. camera with stock firmware (sticker) version between 5.2.5 and 5.3.0:
- You also need to get a dump of /dev/mtdblock1, and check address 0x0000C and 0x8000C, make sure it is 0x02
- Otherwise the camera will fail to upgrade, refuse to prepare initrd with misleading error message "Junk in compressed archive"
- Original source: How to upgrade a 5.25 mtd hack firmware ?

2. If you have a working Chinese ver. camera mounted 20ft above ground, AND you have no way to provide CIFS share on the network, the following trick can save you hours of efforts:
- Get a unix like shell environment with standard tools, if you are on Windows, the easiest way I know is to install Git and run Git bash.
- Web downgrade to 5.2.5 if you are on higher version, this is VERY IMPORTANT, otherwise a few minutes later you will be dragging your sorry butt up 20ft to retrieve your $100 paper weight.

- Enable SSH, log on, and prepare the mtd dumps:
-- Run prtHardInfo, note the devtype, and copy the serial number, e.g. DS-2CD2532F-IS2015xxxxx
-- If you have SD card, you can make use of it; otherwise, you will need to use tmpfs (haven't explored this part)
--- cd /mnt/mmc01
--- mkdir DS-2CD2532F-IS2015xxxxx
--- cd DS-2CD2532F-IS2015xxxxx
--- cat /dev/mtdblock5 > mtd5
--- cat /dev/mtdblock6 > mtd6
--- (optional) cat /dev/mtdblock1 > mtd1
--- cd ..

- Now, open your shell environment, e.g. Git bash
-- Download a custom compiled busybox, source: HIKVISION tweaking - CCTV Forum
-- Upload the file to your SD card storage
--- cat busybox | ssh admin@<your-camera-ip> 'cat > /mnt/mmc01/busybox'
-- Retrieve the dumped mtd files
--- ssh admin@<your-camera-ip> 'cd /mnt/mmc01 && ./busybox tar c DS-2CD2532F-IS2015xxxxxx | ./busybox bzip2 -z | ./busybox base64' > base64 -d | bzip2 -d | tar x
-- After this command, you should have a copy of the dumped mtd files on your local computer, in the folder "DS-2CD2532F-IS2015xxxxxx"

- Make a backup of the files, then perform the mtd hacks
- When you are done, check again, this your last chance avoiding that 20ft up trip. Make sure all the steps checks out exactly right!
- When are are absolutely sure, then in your shell environment
-- tar c DS-2CD2532F-IS2015xxxxx | bzip2 -z | base64 | ssh admin@<your-camera-ip> 'cd /mnt/mmc01 && ./busybox base64 -d | ./busybox bzip2 -d | ./busybox tar xv'
-- After this command, you should have your modified mtd files uploaded to your camera's SD card storage

- Now go to your ssh terminal with the camera
-- Double, triple check that you have firmware version 5.2.5 or below (prtHardInfo will tell you, you can also check Web GUI). Remember, you don't want the $100 paper weight, especially that you will have to climb 20 ft to get it!
-- When are are absolutely sure, then:
--- cd /mnt/mmc01
--- cd DS-2CD2532F-IS2015xxxxx
--- cat mtd5 > /dev/mtdblock5
--- cat mtd6 > /dev/mtdblock6
--- (optional, if changed) cat mtd1 > /dev/mtdblock1

- Reboot and cross your fingers, if you have done everything right, you should get your camera back running in ~1 minute
-- Perform Web upgrade to 5.4.41, this reboot after upgrade will be a bit longer, probably because configuration upgrades
-- Perform Web upgrade to 5.4.5, now you have a much safer firmware version!
 
Last edited:
Thanks for that - it's good to share!

-- Perform Web upgrade to 5.4.41, this reboot after upgrade will be a bit longer, probably because configuration upgrades
Just as an additional bit of info - Hikvision strongly advise not skipping intermediate versions of the firmware, so the upgrade path is ideally :
5.2.5 to 5.3.0 to 5.4.0 to 5.4.5
Also - for those (many) cameras that don't have an SD card facility - it's not hard to set up a Windows share and copy the files between PC and camera over the network.
Check out the "how-to-extract-mtdblocks-using-Windows" attachment here : Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.
 
Another hint: somewhere between 5.2.5 and 5.3.0, hikvision formware switched to a totally different account management storage.
So if you:
- got a hacked Chinese camera with label >5.2.5 but hacked to run 5.2.5
- you applied the mtd hack and upgraded to official versions like 5.3.0
- you will experience old admin password no longer works
- this is because the new account storage proabably still contains admine account with the new defatul passwords
-- try the following: 1234567a, 123456789abc, 12345abc, abc12345
-- for me, the last one worked. :)
 
  • Like
Reactions: catseyenu
Hi
What is the difference between the classic mtd hack by whosloocking and the new enhanced mtd hack by alastair?

Things i figured out:

Classc mtd hack does:

Changes mtd5 at 0x0654 from 02 to 01 and increment byte 0x067A to keep the existing checksum valid
Changes mtd6 at 0x0010 from 02 to 01 and increment byte 0x001E to keep the existing checksum valid

New enhanced hack:
Changes mtd6 at 0x0010 from 02 to 01 and read devType using prtHardInfo replace the hex values at 0x64 and 0x65
Then recalculate the checksum 32 for the block 0x001C to 0x00FF and write it to 0x0004 - 0x0007



My questions:
Why is the new hack not modifying the mtd5 file?
The county code can be found 3 times in mtd6. At 0x0010, 0x20010 and 0x40010. Why are we fixing only the first? I got some "pre mtd hacked" cam from aliexpress and all of them were mtd6 modified at these 3 places.
What is the reason to read the devType and add it to mtd6? In all my cams this value was correct without changing anything.
What is the benefit of the new hacking method?

Just to be sure: With any one of these mtd hacks done i am able to flash the newest multilanguage fw "Baseline Firmware_IPC_ML_V5.4.5 170123 (2XX2) digicap.dav" to my 2CD2732F cams?

Thanks for all your work!


BR

mode
 
Last edited:
Why is the new hack not modifying the mtd5 file?
The county code can be found 3 times in mtd6. At 0x0010, 0x20010 and 0x40010. Why are we fixing only the first?
Because the current set of firmware doesn't check it.
But there is no harm in changing all instances of the hardware signature block - maybe in future firmware versions Hikvision will incorporate a cross-check to try to catch those cameras with the 'enhanced mtd hack'.
What is the reason to read the devType and add it to mtd6? In all my cams this value was correct without changing anything.
Many cameras have the value 0xFF98 for devType - which the newer firmware treats as a reason to go to 'min-system'.
What is the benefit of the new hacking method?
It allows an update to all current versions of firmware.
 
  • Like
Reactions: catseyenu
Hi Alastair,
thanks for you answer.
And what is with the mtd5 file? No hack needed there?
So the main difference is to correct the device type to enable all current fw versions.
Just updating my first hikvision from 5.0.2 to 5.4.5 :)

Edit: Now updated 3 Hikvisions to 5.4.5 without any problems using the mtd hack for files mtd5 and mtd6. Great work guys! :-)
 
Last edited:
Now updated 3 Hikvisions to 5.4.5 without any problems using the mtd hack for files mtd5 and mtd6.
Well, that's a good result, well done!
Just updating my first hikvision from 5.0.2 to 5.4.5
For the benefit of others just in case that's misinterpreted - Hikvision recommend not skipping intermediate versions.
On the cameras, firmware updates tend to be file-based, incremental, unlike the NVRs which are monolithic updates, unaffected by what has gone before.
 
  • Like
Reactions: marku2
ok I have upgraded one DS-2CD2032F-I that was on firmware v5.2.5 unit now on v5.4.5(cheers @alastairstevenson)

I have 1 cam on v5.2.0 and 2 on 5.3.3 can I just hex edit same as I did with firmware v5.2.5. Or do I need to change firmware first ???