Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

Thank you! Successfully updated chinese DS-2CD2032-I which was on 5.2.5 firmware, to 5.4.5, everything working fine.

Now i hope that one day someone will find a way to hack G1 cameras as well.
 
  • Like
Reactions: alastairstevenson
Hello! I am the owner of the camera DS-2CD2332-I (CN) with firmware V5.2.0 build 140721 (hack language).

Please, write, what steps do I need to perform in order to competently flash the chinese camera with a multilanguage firmware?

I need to update from 5.2.0 to 5.4.0 from brickfix540?

# prtHardInfo
Start at 2017-09-30 17:15:01
Serial NO :DS-2CD2332-I201xxx
V5.2.0 build 140721
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 0
flashChipNums = 0
ramSize = 0x4000000
networksNums = 1
language = 1
devType = 38920
net reboot count = 0
SD status = 0 (1:noraml;0:none)
Path: .
Working Copy Root Path: /data1/data_liwenwei/work/frontend_software_platform_IPC 5.2.0
URL: https://192.0.0.140/Camera/Platform/Branches/frontend_software_platform_IPC 5.2.0
Repository Root: https://192.0.0.140/Camera
Repository UUID: df2d70c3-7593-7941-af1e-571b313c0946
Revision: 84909
Node Kind: directory
Schedule: normal
Last Changed Author: chentianyong
Last Changed Rev: 84908
Last Changed Date: 2014-07-21 21:47:41 +0800 (Mon, 21 Jul 2014)
 
Last edited:
Please, write, what steps do I need to perform in order to competently flash the chinese camera with a multilanguage firmware?
No need for brickfix540 as you don't need to downgrade the firmware from 5.4.0 or higher if you are currently running 5.2.0.
You just need to do the 'enhanced mtd hack' which means extracting a copy of mtdblock6 and -
Change the language byte at 0x10 to 0x01 from the likely 0x02 at present.
Make sure the devType is 0x9808
Re-calculate the checksum and apply it.
Write mtdblock6 back.
Check the contents of mtdblock1 at locations 0x0C and 0x8000C and if they are 0 change to 2 and write mtdblock1 back.
Reboot and do web GUI updates to 5.3.0 to 5.4.0 to 5.4.5 using the EN/ML firmware.
 
Last edited:
I have G1 2xx5 Cameras can it also work with these

However don't find firmware for these cameras:

DS2CD2145F-I
 
Last edited:
@alastairstevenson, thanks for the answer. I'm confused((

I'm trying to do this in the following way:
1. login as: root
root@192.168.1.3's password:
# cd /mnt/nfs00
# cat /dev/mtdblock6 > temp6

2. Original temp6.
temp6.jpg

3. In # prtHardInfo
V5.2.0 build 140721
language = 1
devType = 38920

4. I made changes to the file temp6 as a file mtdblock6_2232_modded (from 1st post).
5. Saves changes to temp6 and # cat temp6 > /dev/mtdblock6 , # reboot
6. From Web I updated the firmware from V5.2.0 build 140721 to IPC_R0_EN_STD_5.3.0_151016 (on the ftp there were other firmware 5.3.0 150513 and 150814, but I did not put them).
7. Through the Web, it was not possible to update from 5.3.0_151016 to IPC_R0_EN_STD_5.4.0_160530.
8. Through the program iVMS4200 I was able to update from 5.3.0_151016 to IPC_R0_EN_STD_5.4.0_160530 and from IPC_R0_EN_STD_5.4.0_160530 to IPC_R0_EN_STD_5.4.5_170123.

5.2.0_140721
5.3.0_151016
5.4.0_160530
5.4.5_170123

I did not install the firmware "Repair the wrong warning during Day&Night switch V5.3.0_160325".
Was it necessary to put it?

ftp://ftp.hikvisioneurope.com/Product%20Firmware/Front-ends/01--IPC/R0%20platform(2xx2)/
 
Last edited:
Yes it is confusing, the new method is different. Read carefully. Its normal the new checksum has to be entered in corresponding field.
 
I have G1 2xx5 Cameras can it also work with these
However don't find firmware for these cameras:
DS2CD2145F-I
On my big assumption that G1 cameras are the same hardware as G0 cameras - maybe get some confirmation of someone who knows -
The same method of changing the 'hardware signature block' will not work for G1 series cameras as the corresponding hardware info is held in the Watchdata EMV chip as opposed to being written into a flash partition.
What I had to do on my G0 Chinese camera to change the language was to modify the firmware to alter the routine that queries the signature data for language to fix the return value to EN.
 
thanks for the answer. I'm confused((
What are you confused about?
It seems you've been successful in doing a full update, well done.
In the original prtHardInfo it shows language=1, but in your mtdblock6 the language byte=02 which suggests the camera was running 'hacked to English' firmware, which would be overwritten, and the camera revert to Chinese or end up bricked, if you'd used the normal web GUI or tftp updater to install newer firmware.

The only question seems to be why updating via the web GUI was not possible:
Through the Web, it was not possible to update from 5.3.0_151016 to IPC_R0_EN_STD_5.4.0_160530.
That's not been others' experience, as far as I know.
What was the error when you tried that update?
One possible error is if the digicap.dav file is stored down too large a folder tree, or the transfer gets interrupted due to network glitches.
 
@alastairstevenson,

I bought a camera in China with a hacked firmware on the English language.
I'm not a programmer, so I do not understand a thing. Namely, what is this sign of "x", which goes after the zeros and how to understand it in the program XhD (0x0C and 0x8000C)))
I'm very lucky that you have a similar camera like mine, I made all the changes from your picture mtdblock6_2232_modded.

Through the web interface I was able to update from firmware 5.2.5 to firmware 5.3.0.
Through the web interface from firmware 5.3.0 to firmware 5.4.0 I was unable to update due to an error: "Upgrading files".
Therefore, I updated the firmware from firmware 5.3.0 to firmware 5.4.0 and from firmware 5.4.0 to firmware 5.4.5 through iVMS.

Why there is an error - I do not understand, but updates through the program are set normally.
The camera works on the latest firmware. I can not check the information through the Telnte and SSH.

Do you think I need to worry?
 
There is nothing to worry about as it seems you have got to the required end point with the updates.
The way of writing the number with the prefix 0x is a convention to show that it is a hex value as opposed to a decimal value.
 
  • Like
Reactions: Tsarsky
Hi Alastair,

I've got 2 DS-2CD2032F-I cameras which are now suffering from the known exploit and being factory reset automatically every few days. I believe I need to upgrade them to 5.4.5 to patch the exploit.

Both cameras are currently running 5.3.0 and as far as I know are Chinese hacked to English models. They have CCCH in the serial number. They are not bricked right now, they are running fine except being factory reset every few days.

I've read dozens of posts regarding different firmware levels from different dates but it's really not clear to me where I should start. Do I need to downgrade to 5.2.5 via the downgrader? What do I do then? I'd be really grateful if you could just point me in the right direction.

Thanks alot
 
Do I need to downgrade to 5.2.5 via the downgrader?
Yes, that is the first step.
My reasoning for this is that when I did an mtd hack with a version above 5.3.0 the linux kernel wrote a 0 into the location of the language byte in mtdblock6 and after that both the bootloader and the normal firmware treated that as a flag to prohibit normal running. It was a tricky trap to get out of.
I'm speculating that it's aimed at the classic '@whoslooking mtd hack' which has been so useful to many people.
A new Hikvision tripwire.

So my recommendation:
Do the downgrade to 5.2.5 with the '5.3.0 to 5.2.5 downgrader'.
Do the 'enhanced mtd hack' on mtdblock6.
Check mtdblock1 contents in locations 0xC and 0x8000C and if they hold a 0, change it to a 2.
Reboot to an English web GUI.

Then sequential web GUI updates with firmware from here : DOWNLOAD PORTAL
5.2.5 to 5.3.0 to 5.4.0 to 5.4.5

Good luck!
 
  • Like
Reactions: Realmiraculix
Thanks for the quick response.

It didn't go very well. I uploaded the EN version of the 5.2.5 downgrader via TFTP. Got the System Update complete message, shut down TFTPserv, I assume the camera reboots automatically, it came back up with 192.168.1.64. Not visible in SADP, and I can't telnet\SSH or browse to the IP address.

Tried the Chinese version, the camera seemed to reboot whilst transmitting the firmware update. It certainly stopped responding to a ping. So that seemed even less successful.

So at the moment it's pretty dead.

Any ideas?

Thanks
 
Well that's not good. And it's unusual. The 5.3.0 to 5.2.5 downgrader is a pretty safe option.
I presume it wasn't the '4-line' version? That is hit or miss.

Suggestion - as the camera has CCCH in the serial number, and assuming it has not had the 'mtd hack' to change to EN from CN, try the CN version again of the downgrader.
Also - if the davinci program for any reason doesn't run, the internal watchdog has about a 10 minute timeout before it will reboot the camera into 'min-system' recovery mode, which has no web services, but should be visible in SADP as firmware version 4.0.8, and will respond to telnet.
That would at least give some indication that there is activity.
 
Thank you for this awesome & very informative post. In conjuction with the other post (the downgrader), I managed to revive 4 out of 7 of the below cameras:
Model DS-2CD2232-I5
Serial No. DS-2CD2232-I520160422CCCH590761064
Firmware Version V5.2.5 build 141201
Encoding Version V5.0 build 140714

What I did:
Tried to load official firmware 5.4.41 (prerequisite for 5.4.5) to the apparently (sorry didn't know) un-upgreadble cameras bought from a chinese seller. At once, so I mass-bricked them LOL.
Using the brickfix firmware (CN) and following that the downgrader, 4 out of 7 have been revived and restored to fully working condition.

I am left with the following:
2 cameras via tftp successfully update the firmware contained in the brickfix but get stuck in the downgrader part, after loading the firmware, never getting a "success message"
1 camera that doesn't pass even the 1st file from the brickfix (tried both CN and EN versions) just successfully loads it.
All 3 cameras are accessible from the tftp server obviously. All 3 cameras were a bit older purchases, still same model though, but I have no idea what firmware they were loaded with. Any hints?

Again. THANK YOU FOR THE MOST USEFUL POSTS HERE.
 
I wanted to know if someone could assist and tell me based on the mix of HIkvision IP camera models I have if they are able to be updated to 5.4.5
I have taken a screenshot and added it to the thread.


.ListOfHikvisionCameras.JPG
 
Numbers 2, 8 , 10 are R0 series and should be upgradeable, but number 2 would need a little hacking.
In practice, though, you can never tell for sure with Hikvision until you try it!
 
Hi Alastair,
Just a quick note to say that I got my camera upgraded to 5.4.5.

I think the key was downgrading with the 5.2.5 English firmware. The camera immediately came up on 192.168.1.64 but if I power cycled the camera again it came up on 192.0.0.64. I thought the firmware automatically rebooted the camera.

Anyway, somehow I figured out the Enhanced MTD hack. I didn't find any full instructions about enabling SSH\telnet on a chinese language camera or how to copy back the mtdblock6 file to the camera but I muddled through it.

Really appreciate the help. Thanks