Hikvision DS-7608N-E2/8P Firmware Upgrade Possible?

0perator00

In 2017 I purchased a "HIKVISION CCTV 8 Channel NVR with POE up to 6MP camera onvif DS-7608NI-E2/8P NEW" on Ebay. Turns out it's the "DS-7608N-E2/8P" according to the interface.

Recently I decided to upgrade the firmware using "ds-76xxni-e1e2p_usa_firmware_v3.4.92_170518.zip" and ended up bricking it, as I didn't realize at the time it's a Chinese model. I managed to get a serial console going and have now loaded a firmware "V3.4.6 build 160405" which I found on the forum here.

What's my upgrade path if any? I'd love to get to a V4 firmware, is it possible?

I've tried searching the forum here, but unfortunately haven't found a working solution, and a lot of the firmware links are now old and broken.

Please help :)
 
You have an old model. It will not run the v4 firmware. If you want the v4, another 200 something $$.
 
I managed to get a serial console going
That's a pretty handy facility.
It sounds like you were able to interrupt the bootloader, and use the 'device update' dialogue.

If you are up for it, it may be an interesting experiment to try this:
This will just be reading data, it will not change anything.

Install a normal tftp server on the PC, such as the Jounin one from here : TFTP server
Set the PC IP address to 192.0.0.128
Start PuTTY (or whatever serial terminal you have used), connected to the serial console source on the NVR.
Start the tftp server.
Power on the NVR, interrupt the bootloader with Control-U
At the 'Do you want to update ...' prompt, use 'b' to get to the bootloader, and try these commands:

Code:
sf probe 0
sf read 0x80400000 0x10000 0x30000
tftp 0x80400000 mtd0_1 0x20000
md 0x8041e000 80

Copy the PuTTY scrollback to clipboard, and paste into Notepad or similar and save the text somewhere.
At this point you can use 'reset' to boot the NVR back to normal, or just power it off.

If the memory display (the md command) shows readable text, it might be interesting to zip the mtd0_1 file that was uploaded to the tftp server, and attach it, and the PuTTY transcript, here.
 
Unfortunately the device is back in production for now. What would the output be showing me from these commands? What would I stand to gain?

If I can't do a v4 firmware, what's the latest v3 firmware I should try and update to? (And where can I get an English one that works?)

Many thanks for the help.
 
What would the output be showing me from these commands? What would I stand to gain?
This would show the section of the flash memory that holds the 'device signature block' - the model, serial number, language, region, options fitted, RAM size etc etc.
Depending on the vintage of the NVR, this could be in plaintext, or encoded (for tamper protection).
One could imagine doing an 'MTD hack' on the language byte and checksum of the plaintext version to permanently convert a CN language DS-76xxN-Ex to an EN language device, removing the need for 'hacked to EN' firmware when updating.
 
One could imagine doing an 'MTD hack' on the language byte and checksum of the plaintext version to permanently convert a CN language DS-76xxN-Ex to an EN language device, removing the need for 'hacked to EN' firmware when updating.
Here is a worked example from today, where I took delivery of a Hikvision DS-7608N-E2/8P purchased at very low cost as a 'bricked' device from an on-line marketplace. Not eBay.
I do feel a bit guilty about taking advantage of the seller after he broke the NVR by applying the stock Hikvision firmware not knowing that beneath the covers it was a CN language device, not upgradeable.
But he didn't feel inclined to explore how to recover it, either with 'hacked to EN' firmware or a more techy approach.
He just wanted to move on to an 'upgradeable' model.

**Note**
This basic method will not work when the NVR was manufactured with an encoded version of the 'hardware descriptor block' as opposed to the plaintext version shown as an example here.
That requires some extra work.

The steps are summarised as follows :
Connect up to the NVR serial console using a 'serial TTL to USB convertor'.
Gain access to the bootloader by interrupting the boot process.
Pull a copy of the (normally hidden and protected) first half of mtdblock1
Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed.
Write the modded section back to mtdblock1
Job done!
And the DS-76xxN-Ex NVR is now upgradeable.

The extract.
Code:
Uploading the first (hidden) half of mtdblock1 to do the
MTD hack on the hardware descriptor (bootpara) block.

-------------------------------------------------------

HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS #
HKVS #
HKVS # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - Burn an boot image on the Boot Flash.

cmp     - memory compare
cp      - memory copy
cpld    - write cpld info to  encrypt media

cramfsload- cramfsload  - load binary file from a filesystem image
cramfsls- cramfsls      - list files in a directory (default /)
crc32   - checksum calculation
ddr     - ddr training function
erase_env- erase envirement info on flash

getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftp    - tftp  - download or upload image via network using TFTP protocol
update  - Update the digicap of the device.

version - print monitor version
HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS # tftp 0x80400000 mtd1_part1 0x20000
MAC:   8C-E7-48-76-BF-4D
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtd1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS #

And the re-write.
Code:
This is the bootpara edit to change language to EN from CN.
It's the same layout and method as the MTD hack on R0 cameras.
The aim is to get to :
--------------------------------------
language = 1
devType:DS-7608N-E2/8P
--------------------------------------
Initially we have the 15-beep bootloop due to EN/ML firmware
being loaded on a CN language NVR - DS-7608N-E2/8P
-----------------------------------------------------------

!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device buy in cn, you firmware is en err!!!!!!



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS #
HKVS #
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS # setenv serverip 192.168.1.99
HKVS # setenv ipaddr 192.168.1.214
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # tftp 0x80400000 mtd1_part1_mod
MAC:   8C-E7-48-76-BF-4D
TFTP from server 192.168.1.99; our IP address is 192.168.1.214
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: #################################################
done
Bytes transferred = 131072 (20000 hex)
HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0
### CRAMFS load complete: 3181672 bytes loaded to 0x80400000
timeout for link [5000]!
MAC:   8C-E7-48-76-BF-4D
|NUL ethaddr| TFTP server not found
## Booting kernel from Legacy Image at 80400000 ...
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-06-29 13:49:45 CST)
Starting udev:      [ OK ]
Sat Feb 16 12:08:48 UTC 2019
----------<1> tar guir webs ----------
----------<2> show logo ----------
show logo Sat Feb 16 12:08:57 UTC 2019
mv: can't rename '/home/app/exec/pppd': No such file or directory
mv: can't rename '/home/app/exec/pppoe': No such file or directory
mv: can't rename '/home/app/exec/ss': No such file or directory
mv: can't rename '/home/app/exec/dropbear': No such file or directory
mv: can't rename '/home/app/exec/dropbearkey': No such file or directory
/home/start.sh: line 29: dropbearkey: not found
chmod: /usr/bin/dvrCmd/dvrtools: No such file or directory
----------<3> load hisi sdk ----------
The system mem size is 0x1
/
load 3535 ok
----------<4> del no use res ----------
mv: can't rename '/home/app/res/adAudio.jpg': No such file or directory
/home/start.sh: line 79: ./pppoed: not found
iSCSI daemon with pid=918 started!!!! the device is not toe !!!


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.
.
.

[snip lots of serial console chat]
.
.

 $$$$$$$$$$$$$ iAoChans[4] $$$$$$$$$$$$$

#
#
# getHardInfo
Start at 2019-02-16 12:09:04
Serial NO :0820140723AARRxxxxxxxxxWCVU
V3.4.80 build 160718
softBase:/Platform/trunk:0
KernelVersion: V1.0.0 build 160629
dspSoftVersion: V5.0 build 160716
codecVersion: V5.0 build 160716
hardwareVersion = 0x0
encodeChans = 0
decodeChans = 8
alarmInNums = 0
alarmOutNums = 0
flashsize = 0x0
ramSize = 0x20000000
networksNums = 1
language = 1
devType:DS-7608N-E2/8P
bootPartition = 1
randomCode =
#
#
# help
Support Commands:
GetAnrCfgInfo                   GetAnrProcess                   GetAnrRecordList
ShowIpcAbility                  accessDvrSwitch                 channelPlayback
clearDisksMode                  ctrlArchDebug                   decStat
disableHB                       disableHik264                   dspStatus
dvrLogInfo                      dt                              enableHB
enableHik264                    enableWatchdog                  errputClose
errputOpen                      get3GMode                       getCMS
getCycleReboot                  getDbgCtrl                      getHardInfo
getIp                           getLastErrorInfo                getPlayTestCtrl
getPort                         getServerInfo                   guiChkCfg
guiEnterMenuCount               guiPrtScr                       guiStatus
helpm                           helpu                           i2cRead
megaDspConfig                   miscCmd                         netstat
outputClose                     outputOpen                      partRecDetails
ping                            printPart                       pthreadInfo
recorderChanInfo                recorderFileInfo                recorderFileKeyFrame
recorderHDIdle                  recorderMediaInfo               recorderPAllocFile
recorderParam                   recorderSegExtraInfo            recorderStatus
sendATCom                       set3GPrint                      set3GEnable
searchInfo                      setGateway                      setIp
setlang                         setMtu                          setoutputmode
setPrint                        show8107coreUseInfo             showCurPlayChanFileInfo
showDeviceTemp                  showIpcMemInfo                  showNetIpcmInfo
showNetLinksInfo                showPlayChanStatus              showPlayClipFile
showPlayScreenInfo              showPlayStatus                  showPlayTime
showPreviewInfo                 showShareSvcInfo                showSpareWorkStatus
showTagSysInfo                  showUserInfo                    showpu
t1                              t2                              transcodeResStatus
getDateInfo                     dmesg                           help

#
 
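Added example (not part of the original posts, and not Hikvision code): an offline check of the plaintext 'hardware descriptor block' shown in the transcripts above, useful for confirming that a dump or an edited copy is self-consistent before anything is written back to flash. The field offsets and the checksum rule (32-bit sum of the bytes from offset 0x0c, over the length stored at offset 0x08) are inferred from the two `md` dumps in this thread; the function names are illustrative.

```python
import re
import struct

BASE = 0x8041E000      # RAM address given to `md` in the transcripts
BLOCK_LEN = 0x100      # bytes shown before the 0xff (erased flash) filler

# Rows copied from the `md` output on this page. All-zero rows are omitted;
# parse_md() starts from a zero-filled buffer, which restores them.
COMMON_ROWS = """
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
"""
BEFORE = """
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
""" + COMMON_ROWS
AFTER = """
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
""" + COMMON_ROWS

# One `md` row: 8-digit address, colon, four 32-bit words in hex.
ROW = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{8}){4})", re.I)


def parse_md(text, base=BASE, size=BLOCK_LEN):
    """Rebuild raw bytes from U-Boot `md` rows (little-endian 32-bit words)."""
    buf = bytearray(size)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # prompts, blank lines, other output
        off = int(m.group(1), 16) - base
        if not 0 <= off <= size - 16:
            continue                      # row lies outside the block
        words = [int(w, 16) for w in m.group(2).split()]
        buf[off:off + 16] = struct.pack("<4I", *words)
    return bytes(buf)


def inspect_block(block):
    """Parse the header and recompute the checksum (layout is inferred)."""
    magic, stored, length = struct.unpack_from("<4sII", block, 0)
    if 12 + length > len(block):
        raise ValueError("length field 0x%x runs past the block" % length)
    computed = sum(block[12:12 + length]) & 0xFFFFFFFF
    return {
        "magic": magic,               # b"SWKH", as in the md ASCII column
        "stored": stored,             # checksum word at offset 0x04
        "length": length,             # checksummed byte count at offset 0x08
        "computed": computed,
        "valid": stored == computed,
        "language": block[0x10],      # 02 = CN, 01 = EN per the posts above
    }


def changed_offsets(a, b):
    """Byte offsets at which two equal-sized blocks differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    before, after = parse_md(BEFORE), parse_md(AFTER)
    for name, blk in (("before", before), ("after", after)):
        info = inspect_block(blk)
        print("%-6s stored=0x%x computed=0x%x valid=%s language=%d" % (
            name, info["stored"], info["computed"],
            info["valid"], info["language"]))
    print("changed offsets:", [hex(o) for o in changed_offsets(before, after)])
```

In the uploaded mtd1_part1 file the same block sits at offset 0x1e000 (0x8041e000 minus the 0x80400000 load address), so `inspect_block(data[0x1e000:0x1e100])` applies to the file directly. Because the checksum is a plain byte sum, it detects corruption but is not tamper protection, which fits the remark above that later units use an encoded block.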
@alastairstevenson I truly am sorry to bother you on this - these instructions - are they expandable to dump the firmware from my 'unknown' camera? I'm into the serial console port after disassembling it, and am putting together a list of commands and items from dmesg. It looks like (however) something broke, and it won't boot anymore. Possibly from me handling it - I might have zapped something (and the kids kept pushing stuff on the table).
That said, if I could push the firmware off of the camera onto my PC, I'd have a lot more to work with.
Right now in the uboot mode.
 
are they expandable to dump the firmware from my 'unknown' camera?
The commands available in the bootloader can vary quite a lot, so the instructions above probably do not apply. Especially as they are Hikvision.

Suggestion:
Start a new thread for your 'unknown' camera.
Post (under the 'code' tags, the '+' sign in the edit menu of the posting window) the whole serial console boot log.
Interrupt the bootloader and post the result of the commands
printenv
help

And we'll see what sense can be made of it.
 
Here is a worked example from today, where I took delivery of a Hikvision DS-7608N-E2/8P purchased at very low cost as a 'bricked' device from an on-line marketplace. Not eBay.
I do feel a bit guilty about taking advantage of the seller after he broke the NVR by applying the stock Hikvision firmware not knowing that beneath the covers it was a CN language device, not upgradeable.
But he didn't feel inclined to explore how to recover it, either with 'hacked to EN' firmware or a more techy approach.
He just wanted to move on to an 'upgradeable' model.

Note
This basic method will not work when the NVR was manufactured with an encoded version of the 'hardware descriptor block' as opposed to the plaintext version shown as an example here.
That requires some extra work.

The steps are summarised as follows :
Connect up to the NVR serial console using a 'serial TTL to USB convertor'.
Gain access to the bootloader by interrupting the boot process.
Pull a copy of the (normally hidden and protected) first half of mtdblock1
Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed.
Write the modded section back to mtdblock1
Job done!
And the DS-76xxN-Ex NVR is now upgradeable.

The extract.
Code:
Uploading the first (hidden) half of mtdblock1 to do the
MTD hack on the hardware descriptor (bootpara) block.

-------------------------------------------------------

HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS #
HKVS #
HKVS # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - Burn an boot image on the Boot Flash.

cmp     - memory compare
cp      - memory copy
cpld    - write cpld info to  encrypt media

cramfsload- cramfsload  - load binary file from a filesystem image
cramfsls- cramfsls      - list files in a directory (default /)
crc32   - checksum calculation
ddr     - ddr training function
erase_env- erase envirement info on flash

getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftp    - tftp  - download or upload image via network using TFTP protocol
update  - Update the digicap of the device.

version - print monitor version
HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS # tftp 0x80400000 mtd1_part1 0x20000
MAC:   8C-E7-48-76-BF-4D
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtd1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS #

And the re-write.
Code:
This is the bootpara edit to change language to EN from CN.
It's the same layout and method as the MTD hack on R0 cameras.
The aim is to get to :
--------------------------------------
language = 1
devType:DS-7608N-E2/8P
--------------------------------------
Initially we have the 15-beep bootloop due to EN/ML firmware
being loaded on a CN language NVR - DS-7608N-E2/8P
-----------------------------------------------------------

!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device buy in cn, you firmware is en err!!!!!!



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS #
HKVS #
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS # setenv serverip 192.168.1.99
HKVS # setenv ipaddr 192.168.1.214
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # tftp 0x80400000 mtd1_part1_mod
MAC:   8C-E7-48-76-BF-4D
TFTP from server 192.168.1.99; our IP address is 192.168.1.214
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: #################################################
done
Bytes transferred = 131072 (20000 hex)
HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0
### CRAMFS load complete: 3181672 bytes loaded to 0x80400000
timeout for link [5000]!
MAC:   8C-E7-48-76-BF-4D
|NUL ethaddr| TFTP server not found
## Booting kernel from Legacy Image at 80400000 ...
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-06-29 13:49:45 CST)
Starting udev:      [ OK ]
Sat Feb 16 12:08:48 UTC 2019
----------<1> tar guir webs ----------
----------<2> show logo ----------
show logo Sat Feb 16 12:08:57 UTC 2019
mv: can't rename '/home/app/exec/pppd': No such file or directory
mv: can't rename '/home/app/exec/pppoe': No such file or directory
mv: can't rename '/home/app/exec/ss': No such file or directory
mv: can't rename '/home/app/exec/dropbear': No such file or directory
mv: can't rename '/home/app/exec/dropbearkey': No such file or directory
/home/start.sh: line 29: dropbearkey: not found
chmod: /usr/bin/dvrCmd/dvrtools: No such file or directory
----------<3> load hisi sdk ----------
The system mem size is 0x1
/
load 3535 ok
----------<4> del no use res ----------
mv: can't rename '/home/app/res/adAudio.jpg': No such file or directory
/home/start.sh: line 79: ./pppoed: not found
iSCSI daemon with pid=918 started!!!! the device is not toe !!!


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.
.
.

[snip lots of serial console chat]
.
.

$$$$$$$$$$$$$ iAoChans[4] $$$$$$$$$$$$$

#
#
# getHardInfo
Start at 2019-02-16 12:09:04
Serial NO :0820140723AARRxxxxxxxxxWCVU
V3.4.80 build 160718
softBase:/Platform/trunk:0
KernelVersion: V1.0.0 build 160629
dspSoftVersion: V5.0 build 160716
codecVersion: V5.0 build 160716
hardwareVersion = 0x0
encodeChans = 0
decodeChans = 8
alarmInNums = 0
alarmOutNums = 0
flashsize = 0x0
ramSize = 0x20000000
networksNums = 1
language = 1
devType:DS-7608N-E2/8P
bootPartition = 1
randomCode =
#
#
# help
Support Commands:
GetAnrCfgInfo                   GetAnrProcess                   GetAnrRecordList
ShowIpcAbility                  accessDvrSwitch                 channelPlayback
clearDisksMode                  ctrlArchDebug                   decStat
disableHB                       disableHik264                   dspStatus
dvrLogInfo                      dt                              enableHB
enableHik264                    enableWatchdog                  errputClose
errputOpen                      get3GMode                       getCMS
getCycleReboot                  getDbgCtrl                      getHardInfo
getIp                           getLastErrorInfo                getPlayTestCtrl
getPort                         getServerInfo                   guiChkCfg
guiEnterMenuCount               guiPrtScr                       guiStatus
helpm                           helpu                           i2cRead
megaDspConfig                   miscCmd                         netstat
outputClose                     outputOpen                      partRecDetails
ping                            printPart                       pthreadInfo
recorderChanInfo                recorderFileInfo                recorderFileKeyFrame
recorderHDIdle                  recorderMediaInfo               recorderPAllocFile
recorderParam                   recorderSegExtraInfo            recorderStatus
sendATCom                       set3GPrint                      set3GEnable
searchInfo                      setGateway                      setIp
setlang                         setMtu                          setoutputmode
setPrint                        show8107coreUseInfo             showCurPlayChanFileInfo
showDeviceTemp                  showIpcMemInfo                  showNetIpcmInfo
showNetLinksInfo                showPlayChanStatus              showPlayClipFile
showPlayScreenInfo              showPlayStatus                  showPlayTime
showPreviewInfo                 showShareSvcInfo                showSpareWorkStatus
showTagSysInfo                  showUserInfo                    showpu
t1                              t2                              transcodeResStatus
getDateInfo                     dmesg                           help

#
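
An added example (not part of the post above, and not Hikvision code): a Python check that rebuilds the bootpara block from the `md` rows in the transcript and validates it. The header layout it uses (checksum word at 0x04, length at 0x08, language word at 0x10, checksum being the plain byte sum of the 0xf4 bytes from 0x0c) is inferred from the two dumps, not documented on the page, and the function names are hypothetical.

```python
import re
import struct

BASE = 0x8041E000  # address given to `md` in the post
# Rows copied from the first `md` dump in the post (flash contents before the
# edit). Rows left out here are all-zero in that dump.
BEFORE = """\
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
"""
# The dump taken after loading mtd1_part1_mod differs in exactly two words.
AFTER = (BEFORE.replace("00000cd3", "00000cd2")
               .replace("8041e010: 00000002", "8041e010: 00000001"))
ROW = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{8}){4})", re.M)

def md_to_bytes(text, base=BASE, size=0x100):
    """Rebuild raw bytes from `md` rows; each word is a little-endian u32."""
    buf = bytearray(size)
    for addr, words in ROW.findall(text):
        off = int(addr, 16) - base
        if 0 <= off <= size - 16:
            vals = [int(w, 16) for w in words.split()]
            buf[off:off + 16] = struct.pack("<4I", *vals)
    return bytes(buf)

def parse_block(buf):
    """Assumed layout: magic, checksum, payload length, then the payload."""
    magic, stored, length = struct.unpack_from("<4sII", buf, 0)
    payload = buf[0x0C:0x0C + length]
    return {"magic": magic, "stored": stored, "computed": sum(payload),
            "complete": len(payload) == length,
            "language": struct.unpack_from("<I", buf, 0x10)[0]}

def block_ok(info):
    return (info["magic"] == b"SWKH" and info["complete"]
            and info["stored"] == info["computed"])

def changed_words(a, b):
    """Offsets of the 32-bit words that differ between two blocks."""
    return [o for o in range(0, min(len(a), len(b)), 4) if a[o:o + 4] != b[o:o + 4]]

if __name__ == "__main__":
    for name, dump in (("before", BEFORE), ("after", AFTER)):
        info = parse_block(md_to_bytes(dump))
        print(name, info, "valid" if block_ok(info) else "CHECKSUM MISMATCH")
    print([hex(o) for o in changed_words(md_to_bytes(BEFORE), md_to_bytes(AFTER))])
```

Both dumps from the transcript validate under this rule, and a block whose language word is changed without the matching checksum update fails the check, which is worth confirming on the PC before any `sf write`.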


Hello,

I have a bricked (15 Beep Loop) 7608 DVR. I have connected to the rs232 connector as described in your step by step to the USB converter.

However I suspect it may be the encrypted boot loader as in your instructions.

Note
This basic method will not work when the NVR was manufactured with an encoded version of the 'hardware descriptor block' as opposed to the plaintext version shown as an example here.
That requires some extra work.

I have tried the correct baud rate, however I just get space invader type characters as if the baud rate is incorrect.

Have tried different baud rates with a similar thing. Does this mean the unit is ready for the bin? Or is it still recoverable with a different method?

Thanks
Mark
 
I have tried the correct baud rate, however I just get space invader type characters as if the baud rate is incorrect.
The correct baud rate is 115,200 8 bits no parity.
The on-board serial console uses TTL serial levels - not RS232 level - so you need a serial TTL to USB convertor.
The connections are shown here :

Does this mean the unit is ready for the bin? Or is it still recoverable with a different method?
Once you get the serial console connection going you'll be able to check out how the bootpara data is held.
If it's still in plaintext, that's a fairly easy fix, as per the thread you read.
If not - it needs modded firmware.
But either way - it can be revived.

The newer firmware (eg 3.4.98 and maybe earlier) encodes and re-writes the block if it finds that it is in plaintext.
The encryption key isn't one of the usual simple generic ones that Hikvision have used; it's derived from some device-specific hardware info.