Hikvision DS-8139 from eBay. Diving in to the hardware.

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
Hi. New to the forum.
I have a working Hikvision DS-80139 which is a 16 port NVR. The system was originally sold by an American retailer. I bought it off eBay about a year ago and run my house camera system from it with 10 1080 cameras of the same brand, also salvaged from eBay from someone who considered the hardware "non-working".

As you may assume, there is no support from the American company unless I can prove I purchased it from them.

Recently, I've become interested in poking around in the internal system. I've used the external RS232 to see the U-Boot and poked around on the forums enough to know that I can't get a root login prompt :(

Without the terms to look for in the forum, I won't know much to search for, but I'll keep this thread updated with what I find as I try to support my own device.

Thoughts, comments, clues, and trolling welcome.


Bradnvr

Pasting this here for reference
Code:
U-Boot 2010.03 (2012-11-30 - 01:11:11)
umount /nand/ success!
Hit ctrl+u to stop autoboot:  0
nand_bch_correct_data: corrected bitflip 1
nand_bch_correct_data: corrected bitflip 1
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
  ##############udev rules not changed#################
Starting udev:      [ OK ]
decompress application package done.
decompress IE control done.
file:src/pal_api.c,line:347, pal_module_init successfully
file:src/pal_api.c,line:347, pal_module_init successfully
iSCSI daemon with pid=89 started!chown: /opt/webs: No such file or directory
file:src/pal_api.c,line:347, pal_module_init successfully
[CRIT][sbus_util.c #395][@sbus_get_local_addr_from_ifname]: get ipaddr from eth0 Done!
[CRIT][sbus_sub_au.c #269][@au_init]: get local from netif addr 0x400000c0 192.0.0.64
[CRIT][sbus_main_au.c #346][@fn_sau_accept]: new session hdl [0x141cf0] comming!!
[CRIT][sbus_util.c #551][@uni_hdl_info]: fn_sau_accept hdl: [0x141cf0] fd:[16] type[2]
[CRIT][sbus_util.c #571][@uni_hdl_info]: Net: Local[127.0.0.1:53000]-Remote[127.0.0.1:54261]
[CRIT][sbus_sub_au.c #168][@connect_main_au]: get szLocalAddr 192.0.0.64
file:src/pal_api.c,line:347, pal_module_init successfully
file:src/pal_api.c,line:347, pal_module_init successfully
[CRIT][broker_slave.c #2004][@br_slave_init]: get local addr 192.0.0.64
[CRIT][sbus_util.c #551][@uni_hdl_info]: fn_accept_session hdl: [0x1833f0] fd:[14] type[1]
[CRIT][sbus_util.c #556][@uni_hdl_info]: Unix: [/var/master]
[CRIT][broker_slave.c #2004][@br_slave_init]: get local addr 192.0.0.64
/*********************init_global_error_lib*/, init_global_error_lib start!
[CRIT][sbus_util.c #551][@uni_hdl_info]: fn_accept_session hdl: [0x1a3a78] fd:[20] type[1]
[CRIT][sbus_util.c #556][@uni_hdl_info]: Unix: [/var/master]
:1
:1
[CRIT][param/paramLib.c #8943][@readDevParam]: flash have no fileSystem  and devCfg is new;  or flash have fileSystem
[CRIT][param/paramLib.c #8970][@readDevParam]: 1:readDevParam from /dav2/devCfg.bin OK
[CRIT][param/paramLib.c #8275][@sys_cfg_patch]: pDevCfg->cfgHead.paraVersion[0x150701]
[CRIT][param/paramLib.c #8276][@sys_cfg_patch]: pBspAbility->iConfigType[2]
[CRIT][param/paramLib.c #9017][@readDevParam]: cfg is ok, but sys cfg no patched
[CRIT][param/paramLib.c #9042][@readDevParam]: length is equal! iCfgLen[8706712]  sizeof(DEVICECONFIG)[8706712]
getPPPOECfg: from /dav2/devCfg.bin ok.
getDevCfgPppoePara struIfName[eth0]
==================enablePPPoE failed!!!
do_iproute_del 127.0.0.0/8.
RTNETLINK answers: No such process
do_iproute_del default.
RTNETLINK answers: No such process
RTNETLINK answers: No such file or directory
do_iproute_add 192.168.1.1.
do_iproute_add 192.168.1.1.
do_iproute_add 127.0.0.0/8.
do_iproute_add 192.168.1.0/24.
<MEGA_DSP>Def Value:
<MEGA_DSP>Main mux type [0x10][0x2].
<MEGA_DSP>Sub  mux type [0x10][0x2].
<MEGA_DSP>audio enc type[0x1011][0x1].
<MEGA_DSP>voicetalk type[0x1011][0x1].
<MEGA_DSP>Need PS SysHdr[0].
iVideoEncType   : 2
iAudioEncType   : 4113
iVTType         : 4113
iMainMuxType    : 16
iSubMuxType         : 16
iMainPackLen    : 1376
iSubPackLen     : 1376
bNeedPSSysHdr   : FALSE
bNeedSubQVGARes : FALSE
bMegaPlatEnable : FALSE
<lib>AllocShareBuf: idx=1,phyAddr=0xa0000000,vaddr=0x40158000,size=0x600000
<lib>AllocShareBuf: idx=2,phyAddr=0x40800000,vaddr=0x40758000,size=0x40000
<lib>AllocShareBuf: idx=3,phyAddr=0x55020000,vaddr=0x40798000,size=0x40000
<lib>pDspInitPara->dspMemSize=864M
<lib>Netra to host share virt address.......40158000
uiVoutMainSpecify=0
encChanNums=0, flgEncChanEnable=0x0, chipRev = 33125
decChanCnt=16
ipcChanCnt=16, flgIpcChanEnable=0xffff
video_AD = 0
<lib>-----getHostStreamBufAddr,cnt 4 phyAddr=0x82000000,vaddr=0x407d8000,size=0xa000000------
<lib>start to load c674 core.
BusyBox v1.2.1 (2015.03.19-05:42+0000) Built-in shell (ash)
Enter 'help' for a list of davinci system commands.
BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.
# C674 buildTime : 2015-07-20 19:27:28
<lib>load c674 core is ok.err=0
<lib>start to load vid core.
VID buildTime : 2015-07-20 10:22:28
<lib>load vid core is ok.err=0
<lib>start to load vps core.
VPS buildTime : 2015-07-20 19:36:00
<lib>load vps core is ok.err=0
<lib>-----InitShareMemHeap,cnt 5 phyAddr=0xa7200000,vaddr=0x4a7d8000,size=0x10e00000------
<lib>-----InitShareMemHeap,cnt 6 phyAddr=0xa5400000,vaddr=0x5b5d8000,size=0x1c00000------
phy=40809cc0, virt=40761cc0, data=00000031 00000001 0000009f 000c2800
phy=55040ee0, virt=407b8ee0, data=00000005 00000001 00000014 0001c800
phy=55053540, virt=407cb540, data=00000004 00000000 00000007 00005e00
<lib>Cache seg 0 start 0x407d8000 0x82000000 len 0xa000000
<lib>Cache seg 1 start 0x4a7d8000 0xa7200000 len 0x10e00000
<lib>Cache seg 2 start 0x5b5d8000 0xa5400000 len 0x1c00000
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[0].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[1].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[2].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[3].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[4].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[5].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[6].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[7].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[8].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[9].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[10].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[11].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[12].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[13].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[14].vAddr=(nil) error!!!
Netra Dsp Dbg file:src/netra_dsp.c,fun:netra_dsp_init,line:772, g_pstruDspInitPara->IpcRecodeNetPool[15].vAddr=(nil) error!!!
DSP START OK
!!!!!!!!!!!!!!!!!!!!!!!!!DSP Init Ok!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
file:init/sc_hicore_dep.c,line:2893, Active is true
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
init_stream_buf, pInStreamBuf:0x5d66e008, pOutStreamBuf:0x5d6ee008
wait storage [2] and gui[2]
fatal error!iBrCallRet[-1],func[sc_force_i_frame]
:1
:1
part /dev/sda stor_get_db_total_files alloc 698 byte mem.
part /dev/sdb stor_get_db_total_files alloc 698 byte mem.
part /dev/sdc stor_get_db_total_files alloc 698 byte mem.
part /dev/sda stor_get_record_file_detail_task beging 1517607047
part /dev/sdb stor_get_record_file_detail_task beging 1517607047
wait storage [2] and gui[2]
part /dev/sdd stor_get_db_total_files alloc 698 byte mem.
part /dev/sdc stor_get_record_file_detail_task beging 1517607053
part /dev/sdd stor_get_record_file_detail_task beging 1517607053
wait storage [0] and gui[2]
[CRIT][kernel/init.c #3698][@InitGUI]: End of InitGUI!!
[CRIT][init/dvr.c #2964][@sys_init_check_md5]: szUpgDirPath[/dav0/]
panelFd[70].................
[CRIT][init/dvr.c #2979][@sys_init_check_md5]: upgrade file is correct, the device can start
maxIPCcount[16] maxAnalogCount[0]
### key info: [ipcm_svc_init]ipcm svc inited. ###
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
eChanType[0] Event[0]
eChanType[1] Event[0]
big_bit_mask p[0xbadff948], idx[-1] error!func[big_bit_mask],line[63]
<MEGA_CFG_INFO>MegaPlatMagic      [0x484f3d45]
MegaCfgLen         [120616]
MegaParaVersion    [0x140307]
MegaParaNeedStorLen[136]
MegaCfgSuppBak     [0]
<MEGA_CFG_INFO>Enter @[mega_cfg_get_device_cfg_params]
<MEGA_CFG_INFO>Enter @[mega_cfg_read_dev_param]
<MEGA_CFG_INFO>Enter @[mega_cfg_check_and_try_repair_cfg_file]
<MEGA_CFG_INFO>Enter @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_INFO>Exit @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_INFO>Mega Cfg Valid.
<MEGA_CFG_INFO>Exit @[mega_cfg_check_and_try_repair_cfg_file]
<MEGA_CFG_INFO>Exit @[mega_cfg_read_dev_param]
<MEGA_CFG_INFO>Mega Cfg Init Succ.
<MEGA_CFG_INFO>Exit @[mega_cfg_get_device_cfg_params]
<MEGA_BASELINE_INIT>MegaEyes baseline resources init ok!
[CRIT][ipc/ipcService/ipc_pse_ctrl.c #127][@pse_ctrl_task]: Poe portNum [16], ability(1), Pse portNum [0]
+++++++++++++++++++First save_error_no, time_t:1517607005
[TI][INFO] TextIn system memery num is 160*1024(Bytes).
[TI][INFO] Device 1, is not enable.Please Checked.
[TI][INFO] Device 2, is not enable.Please Checked.
[TI][INFO] Device 3, is not enable.Please Checked.
[TI][INFO] Device 4, is not enable.Please Checked.
[TI][INFO] Device 5, is not enable.Please Checked.
[TI][INFO] Device 6, is not enable.Please Checked.
[TI][INFO] Device 7, is not enable.Please Checked.
[TI][INFO] Device 8, is not enable.Please Checked.
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
eChanType[0] Event[1]
eChanType[1] Event[1]
file:src/pal_api.c,line:47, *********undefine fun:pal_set_panelled_status*********
iptables: invalid prot!
work mode is not gb28181 bGb28181[0]
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
point[3]xy(0.000000,0.000000)dis=0.000000
point[4]xy(0.000000,0.000000)dis=0.000000
appweb_check_auth g_bSendAuth[1]
^^^^^^^^^^^^cUserPWClass:1
^^^^^^^^^^^^bDeviceActive : 1
^^^^^^^^^^^^respBuf : <?xml version="1.0" encoding="UTF-8" ?>
<userCheck>
<statusValue>200</statusValue>
<statusString>OK</statusString>
<isDefaultPassword>false</isDefaultPassword>
<isRiskPassword>false</isRiskPassword>
<isActivated>true</isActivated>
</userCheck>
!!!!!!!!!!!!!!!sc_hicore is start ok!!!!!!!!!!!!!!!!
==========iAoChans[14]============
g_aoChan[0]=[1]
g_aoChan[1]=[2]
g_aoChan[2]=[3]
gb28181_start server port[5061]
[PSWD][0061]:public_base64_len 188  len 140
part /dev/sdc stor_get_record_file_detail_task ending 1517607080
part /dev/sdb stor_get_record_file_detail_task ending 1517607083
part /dev/sdd stor_get_record_file_detail_task ending 1517607085
part /dev/sda stor_get_record_file_detail_task ending 1517607085
eChanType[0] Event[1]
eChanType[1] Event[1]
eChanType[0] Event[1]
eChanType[1] Event[1]
eChanType[1] Event[0]
eChanType[0] Event[0]
# help
Support Commands:
GetAnrCfgInfo                   GetAnrProcess                   GetAnrRecordList
ShowIpcAbility                  accessDvrSwitch                 channelPlayback
clearDisksMode                  decStat                         disableHB
disableHik264                   dspStatus                       dvrLogInfo
dvrtools                        dvrtools4Mega                   enableHB
enableHik264                    enableWatchdog                  errputClose
errputOpen                      get3GMode                       getCMS
getCycleReboot                  getDbgCtrl                      getGateway
getHardInfo                     getIp                           getLastErrorInfo
getPlayTestCtrl                 getPort                         getServerInfo
guiChkCfg                       guiEnterMenuCount               guiPrtScr
guiStatus                       helpm                           helpu
i2cRead                         megaDspConfig                   miscCmd
netstat                         outputClose                     outputOpen
partRecDetails                  ping                            printPart
pthreadInfo                     recorderChanInfo                recorderFileInfo
recorderFileKeyFrame            recorderHDIdle                  recorderMediaInfo
recorderPAllocFile              recorderParam                   recorderSegExtraInfo
recorderStatus                  sendATCom                       set3GPrint
set3GEnable                     searchInfo                      setGateway
setIp                           setlang                         setMtu
setoutputmode                   setPrint                        show8107coreUseInfo
showCurPlayChanFileInfo         showDeviceTemp                  showIpcMemInfo
showNetIpcmInfo                 showNetLinksInfo                showPlayChanStatus
showPlayClipFile                showPlayScreenInfo              showPlayStatus
showPlayTime                    showPreviewInfo                 showShareSvcInfo
showSpareWorkStatus             showTagSysInfo                  showUserInfo
showpu                          t1                              t2
transcodeResStatus              getDateInfo                     dmesg
help
#
 

Bradnvr

Ha.. I just realized that zhimakaimen means "Open Sesame". Like, that magical phrase in the story of "Ali Baba and the Forty Thieves" in One Thousand and One Nights.

but,
AwAAAMQvkICuXudKkxQ=
doesn't help.
 

Bradnvr

I am fairly certain that my NVR is the exact same NVR as DS-7716NI-SP. So I downloaded that firmware and crossed my fingers.

DS-7716NI-SP/16-Hangzhou Hikvision Digital Technology Co. Ltd.
http://oversea-download.hikvision.com/uploadfile/USA/Firmware/NVR/DS-90xx&96xx-ST&77xx-SP_USA_Firmware_V3.4.3_160822.zip

The good news is, I didn't brick it. It came through bootstrap and started its webserver. I have a new login screen now, but I cannot log in. Fantastic. If it ain't broke, don't fix it. Although I notice that there is no longer brute-force protection on this firmware... now the fun begins.
 


Bradnvr

BOOM! Fixed it. Thanks to reading this forum.
First I read this:
Hikvision DS-2032-I Console Recovery

Then I searched the forum for the HikVision TFTP program and found it in someone's Dropbox link...
Hikvision TFTP update software

Then I watched a YouTube video on how to do it here:
Note: you don't have to connect directly to the device, you just have to be on the same LAN/subnet.

Then I tried uploading the latest firmware from my white-labeled USA manufacturer. FAILED. (see log)
Then I tried pressing "f" for format, instead of "u" for upgrade first. It asked me which param 1,2,3.. I formatted all partitions and I then "u" upgraded on HikVision's firmware ... and that FAILED too, with more errors like, where are your 3 partitions? O.O
Then I thought, why not just grab an old firmware that's 4 years old, the oldest one I can find, then try it out. What have I got to lose? It's a brick at this point. So I put it in the TFTP folder and pressed "u" to upgrade. Worked this time.

Here is my serial log from the RS 232 connection from the 3 attempts:

Code:
U-Boot 2010.03 (2012-11-30 - 01:11:11)

umount /nand/ success!

Hit ctrl+u to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: f

Please input part num (0 / 1 / 2):  0
Confirm to format part 0?(y/n): n

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: u
Checking device file system...

Please input ip address of device: 192.0.0.64
Please input ip address of upgrade server: 192.0.0.128
Confirm?(y/n): y
Using DaVinci EMAC device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: *
TFTP error: 'No such file or directory' (0)
Starting again

Using DaVinci EMAC device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: T T T T T T T T T T T T T T T T T T T T
Retry count exceeded; starting again
Using DaVinci EMAC device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: *
TFTP error: 'No such file or directory' (0)
Starting again

Using DaVinci EMAC device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: T T T T T T T T T T T T T T T T T T T T
Retry count exceeded; starting again
Using DaVinci EMAC device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ###################
done
Bytes transferred = 29715952 (1c56df0 hex)
The number of correct packet is: 0
start to erase nand flash addr: 0x0, len: 0x8000000 ...
Erasing at 0x7fe0000 -- 100% complete.
OK

start to write files to partition 0...
14-1.  write /nand/uImage len: 2642816
14-2.  write /nand/rootfs.img len: 1205368
14-3.  write /nand/initrun.sh len: 1016
14-4.  write /nand/guirc.tar.gz len: 14696320
nand_bch_correct_data: corrected bitflip 1
[WARNING]14-5.  write /nand/webs.tar.gz has bitflip 1 - 0 - 0 - 0 we should rewrite it!retry:1 yaffs2_err:0
nand_bch_correct_data: corrected bitflip 1
[WARNING]14-5.  write /nand/webs.tar.gz has bitflip 1 - 0 - 0 - 0 we should rewrite it!retry:2 yaffs2_err:0
14-5.  write /nand/webs.tar.gz len: 2661600
14-6.  write /nand/disknoLink.bmp len: 6968
14-7.  write /nand/diskOK.bmp len: 6968
14-8.  write /nand/logo.bmp len: 2359352
14-9.  write /nand/logo_nvr.bmp len: 2359352
14-10.  write /nand/vps_logo.bin len: 92208
14-11.  write /nand/mux_top.bit len: 801576


U-Boot 2010.03 (2012-11-30 - 01:11:11)

umount /nand/ success!

Hit ctrl+u to stop autoboot:  0
version.bin not found on /nand/flash_sys0
umount /nand/ success!
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Info:partition 0 is broken, then we startup from partition 1...
version.bin not found on /nand/flash_sys0
umount /nand/ success!
version.bin not found on /nand/flash_sys1
umount /nand/ success!
Wrong Image Format for bootm command
ERROR: can't get kernel image!

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: f

Please input part num (0 / 1 / 2):  0
Confirm to format part 0?(y/n): y
start to erase nand flash partition 0  start: 0x0 end: 0x4000000 len: 0x4000000 ...
Erasing at 0x3fe0000 -- 100% complete.
--- OK!

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: f

Please input part num (0 / 1 / 2):  1
Confirm to format part 1?(y/n): y
start to erase nand flash partition 1  start: 0x4000000 end: 0x8000000 len: 0x4000000 ...
Erasing at 0x7fe0000 -- 100% complete.
--- OK!

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: f

Please input part num (0 / 1 / 2):  2
Confirm to format part 2?(y/n): y
start to erase nand flash partition 2  start: 0x8000000 end: 0x10000000 len: 0x8000000 ...
Erasing at 0xffe0000 -- 100% complete.
--- OK!

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: u
Checking device file system...

Please input ip address of device: 192.168.1.98
Please input ip address of upgrade server: 192.168.1.108
Confirm?(y/n): y
Using DaVinci EMAC device
TFTP from server 192.168.1.108; our IP address is 192.168.1.98
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: #################################################################
         ###############
done
Bytes transferred = 33021160 (1f7dce8 hex)
The number of correct packet is: 0
start to erase nand flash addr: 0x0, len: 0x8000000 ...
Erasing at 0x7fe0000 -- 100% complete.
OK

start to write files to partition 0...
14-1.  write /nand/uImage len: 2626312
14-2.  write /nand/rootfs.img len: 1238136
14-3.  write /nand/initrun.sh len: 2264


U-Boot 2010.03 (2012-11-30 - 01:11:11)

/nand/devCfg.bin isn't exsiting! err = -13
umount /nand/ success!
Hit ctrl+u to stop autoboot:  0
version.bin not found on /nand/flash_sys0
umount /nand/ success!
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Info:partition 0 is broken, then we startup from partition 1...
version.bin not found on /nand/flash_sys0
umount /nand/ success!
version.bin not found on /nand/flash_sys1
umount /nand/ success!
Wrong Image Format for bootm command
ERROR: can't get kernel image!

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: u
Checking device file system...

Please input ip address of device: 192.168.1.98
Please input ip address of upgrade server: 192.168.1.108
Confirm?(y/n): y
Using DaVinci EMAC device
TFTP from server 192.168.1.108; our IP address is 192.168.1.98
Filename 'digicap.mav'.
Load address: 0x84500000
Loading: #################################################################
         ###################
done
Bytes transferred = 26716462 (197a92e hex)
The number of correct packet is: 0
start to erase nand flash addr: 0x0, len: 0x8000000 ...
Erasing at 0x7fe0000 -- 100% complete.
OK

start to write files to partition 0...
13-1.  write /nand/uImage len: 2599972
13-2.  write /nand/rootfs.img len: 771627
13-3.  write /nand/initrun.sh len: 695
13-4.  write /nand/guirc.tar.gz len: 12458119
13-5.  write /nand/webs.tar.gz len: 2379510
13-6.  write /nand/disknoLink.bmp len: 6966
13-7.  write /nand/diskOK.bmp len: 6966
13-8.  write /nand/logo.bmp len: 2359350
13-9.  write /nand/logo_nvr.bmp len: 2359350
13-10.  write /nand/vps_logo.bin len: 92208
13-11.  write /nand/mux_top.bit len: 801572
13-12.  write /nand/ds_80101.bit len: 2879535
13-13.  write flag file /nand/version.bin len: 4
update partition 0 success!
umount /nand/ success!

start to write files to partition 1...
13-1.  write /nand/uImage len: 2599972
13-2.  write /nand/rootfs.img len: 771627
13-3.  write /nand/initrun.sh len: 695
13-4.  write /nand/guirc.tar.gz len: 12458119
13-5.  write /nand/webs.tar.gz len: 2379510
13-6.  write /nand/disknoLink.bmp len: 6966
13-7.  write /nand/diskOK.bmp len: 6966
13-8.  write /nand/logo.bmp len: 2359350
13-9.  write /nand/logo_nvr.bmp len: 2359350
13-10.  write /nand/vps_logo.bin len: 92208
13-11.  write /nand/mux_top.bit len: 801572
13-12.  write /nand/ds_80101.bit len: 2879535
13-13.  write flag file /nand/version.bin len: 4
update partition 1 success!
umount /nand/ success!

Upgrade success!
Press ENTER key to reboot

resetting ...


U-Boot 2010.03 (2012-11-30 - 01:11:11)

/nand/devCfg.bin isn't exsiting! err = -13
umount /nand/ success!
Hit ctrl+u to stop autoboot:  0
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
  ##############udev rules not changed#################
Starting udev:      [ OK ]
decompress application package done.
decompress IE control done.

Can't open parameter file on flash, errno=0x2.
Can't open parameter file on flash, errno=0x2.
getPPPOECfg: Open config file /dav2/devCfg.bin error=2.
getPPPOECfg: from /dav2/devCfg.bin error.
getPPPOECfg: Open config file /dav2/devCfg.bin error=2.
getPPPOECfg: from /dav2/devCfg_backup.bin error.
pppoed==>pppoed ret -1.
iSCSI daemon with pid=85 started!chown: /opt/webs: No such file or directory
/*********************init_global_error_lib*/, init_global_error_lib start!


BusyBox v1.2.1 (2013.11.14-03:03+0000) Built-in shell (ash)
Enter 'help' for a list of davinci system commands.



BusyBox v1.2.1 (2013.11.14-03:03+0000) Built-in shell (ash)
Enter 'help' for a list of davinci system commands.

$ <MEGA_CFG_INFO>Enter @[mega_cfg_reset_plat_param]
<MEGA_CFG_INFO>Reset[0] Platform Param.
<MEGA_CFG_INFO>mega cfg init false, can't reset.
<MEGA_CFG_INFO>Exit @[mega_cfg_reset_plat_param]
<MEGA_DSP>[mega_get_dsp_enc_mux_type_by_mega_dsp_config:1599] fopen file[/opt/dvrCmd/megaDspConfig] faild, errno[0x2].
<MEGA_DSP>av_stream_main_mux_type[0x2][0x10].
<MEGA_DSP>av_stream_sub_mux_type[0x2][0x10].
<MEGA_DSP>av_audio_enc_type[0x1][0x1011].
<MEGA_DSP>vt_audio_enc_type[0x1][0x1011].
<MEGA_DSP>Need PS System Header[0].
<lib>AllocShareBuf: idx=1,phyAddr=0xa0000000,vaddr=0x40515000,size=0x400000
<lib>AllocShareBuf: idx=2,phyAddr=0x40800000,vaddr=0x40915000,size=0x40000
<lib>AllocShareBuf: idx=3,phyAddr=0x55020000,vaddr=0x40955000,size=0x40000
<lib>pDspInitPara->dspMemSize=864M
<lib>Netra to host share virt address.......40515000
encChanNums=0, flgEncChanEnable=0x0, chipRev = 33125
g_pDspInitPara->decChanCnt=16
g_pDspInitPara->ipcChanCnt=16, flgIpcChanEnable=0xffff
dspmeminfo, phyaddr:0x82000000, virtaddr:0x40995000, memsize:167772160
<lib>-----getHostStreamBufAddr,cnt 4 phyAddr=0x82000000,vaddr=0x40995000,size=0xa000000------
<lib>start to load c674 core.
C674 buildTime : 2014-07-01 14:55:44
<lib>load c674 core is ok.err=0
<lib>start to load vid core.
VID buildTime : 2014-01-07 11:46:49
<lib>load vid core is ok.err=0
<lib>start to load vps core.
VPS buildTime : 2014-01-07 11:46:42
<lib>load vps core is ok.err=0
<lib>-----InitShareMemHeap,cnt 5 phyAddr=0xa7200000,vaddr=0x4a995000,size=0x10e00000------
<lib>-----InitShareMemHeap,cnt 6 phyAddr=0xa5400000,vaddr=0x5b795000,size=0x1c00000------
phy=4080aaa0, virt=4091faa0, data=00000020 00000000 0000008e 000b7000
phy=5503d440, virt=40972440, data=00000004 00000000 00000013 0001b800
phy=55053540, virt=40988540, data=00000004 00000000 00000007 00005e00
<lib>Cache seg 0 start 0x40995000 0x82000000 len 0xa000000
<lib>Cache seg 1 start 0x4a995000 0xa7200000 len 0x10e00000
<lib>Cache seg 2 start 0x5b795000 0xa5400000 len 0x1c00000
main stream pPhysAddr[16] = 0xab142980
sub stream pPhysAddr[32] = 0xad2f7180
main stream pPhysAddr[17] = 0xab35de00
sub stream pPhysAddr[33] = 0xad472600
main stream pPhysAddr[18] = 0xab579280
sub stream pPhysAddr[34] = 0xad5eda80
main stream pPhysAddr[19] = 0xab794700
sub stream pPhysAddr[35] = 0xad768f00
main stream pPhysAddr[20] = 0xab9afb80
sub stream pPhysAddr[36] = 0xad8e4380
main stream pPhysAddr[21] = 0xabbcb000
sub stream pPhysAddr[37] = 0xada5f800
main stream pPhysAddr[22] = 0xabde6480
sub stream pPhysAddr[38] = 0xadbdac80
main stream pPhysAddr[23] = 0xac001900
sub stream pPhysAddr[39] = 0xadd56100
main stream pPhysAddr[24] = 0xac21cd80
sub stream pPhysAddr[40] = 0xaded1580
main stream pPhysAddr[25] = 0xac438200
sub stream pPhysAddr[41] = 0xae04ca00
main stream pPhysAddr[26] = 0xac653680
sub stream pPhysAddr[42] = 0xae1c7e80
main stream pPhysAddr[27] = 0xac86eb00
sub stream pPhysAddr[43] = 0xae343300
main stream pPhysAddr[28] = 0xaca89f80
sub stream pPhysAddr[44] = 0xae4be780
main stream pPhysAddr[29] = 0xacca5400
sub stream pPhysAddr[45] = 0xae639c00
main stream pPhysAddr[30] = 0xacec0880
sub stream pPhysAddr[46] = 0xae7b5080
main stream pPhysAddr[31] = 0xad0dbd00
sub stream pPhysAddr[47] = 0xae930500
DSP START OK
=================starting DHCP... over eth0
clientid malloc addr 0x23623e8 len 9
vendorclass malloc addr 0x2367418 len 18
panelFd[16].................
init_stor_system maxEnChanNo = 0 maxIPCount 16
part /dev/sda stor_get_db_total_files alloc 698 byte mem.
part /dev/sda stor_get_record_file_detail_task beging 1518042236
part /dev/sdb stor_get_db_total_files alloc 698 byte mem.
part /dev/sdb stor_get_record_file_detail_task beging 1518042236
part /dev/sdc stor_get_db_total_files alloc 698 byte mem.
part /dev/sdc stor_get_record_file_detail_task beging 1518042236
part /dev/sdd stor_get_db_total_files alloc 698 byte mem.
part /dev/sdd stor_get_record_file_detail_task beging 1518042236
eth0: ip = 192.168.1.119, subnet = 255.255.255.0, router = 192.168.1.1, dns = 192.168.1.1
do_iproute_del 127.0.0.0/8.
RTNETLINK answers: No such process
do_iproute_del default.
RTNETLINK answers: No such process
RTNETLINK answers: No such file or directory
do_iproute_add 192.168.1.1.
do_iproute_add 192.168.1.1.
netAddr: 192.168.1.0/24
do_iproute_add 127.0.0.0/8.
do_iproute_add 192.168.1.0/24.
No Interface To Detect Ip Conflict!
<MEGA_CFG_INFO>MegaPlatMagic      [0x484f3d45]
MegaCfgLen         [120612]
MegaParaVersion    [0x130104]
MegaParaNeedStorLen[136]
MegaCfgSuppBak     [1]
<MEGA_CFG_INFO>Enter @[mega_cfg_get_device_cfg_params]
<MEGA_CFG_INFO>Enter @[mega_cfg_read_dev_param]
<MEGA_CFG_INFO>Enter @[mega_cfg_check_and_try_repair_cfg_file]
<MEGA_CFG_INFO>Enter @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_ERR>[mega_cfg_util_open_cfg_file:467] Can't open parameter file on flash, file[/dav2/mega_cfg.bin] errno[0x2].
<MEGA_CFG_ERR>[mega_cfg_util_check_cfg_file_valid:543] mega_cfg_util_open_cfg_file faild.
<MEGA_CFG_INFO>Exit @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_INFO>Enter @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_ERR>[mega_cfg_util_open_cfg_file:467] Can't open parameter file on flash, file[/dav2/mega_cfg_bak.bin] errno[0x2].
<MEGA_CFG_ERR>[mega_cfg_util_check_cfg_file_valid:543] mega_cfg_util_open_cfg_file faild.
<MEGA_CFG_INFO>Exit @[mega_cfg_util_check_cfg_file_valid]
<MEGA_CFG_INFO>Exit @[mega_cfg_check_and_try_repair_cfg_file]
<MEGA_CFG_ERR>[mega_cfg_read_dev_param:963] mega_cfg_check_and_try_repair_cfg_file faild.
<MEGA_CFG_INFO>Exit @[mega_cfg_read_dev_param]
<MEGA_CFG_ERR>[mega_cfg_get_device_cfg_params:1111] mega_cfg_read_dev_param faild.
<MEGA_CFG_INFO>Enter @[mega_cfg_restore_default_param]
<MEGA_CFG_INFO>Enter @[mega_cfg_set_default_param]
mega_cfg_make_plat_patch: Ehome pack patch.
mega_cfg_make_plat_patch: g_pstruMegaDevCfgPara = 0x275d920
mega_cfg_make_plat_patch: After pack patch mega_cfg_patch_4_para_130103.
mega_cfg_patch_4_para_130104: pack patch[0x130104].
mega_cfg_make_plat_patch: After pack patch mega_cfg_patch_4_para_130104.
<MEGA_CFG_INFO>Exit @[mega_cfg_set_default_param]
[CRIT][kernel/init.c #3204]: End of InitGUI!!
<MEGA_CFG_INFO>Exit @[mega_cfg_restore_default_param]
<MEGA_CFG_INFO>Mega Cfg Init Succ.
<MEGA_CFG_INFO>Exit @[mega_cfg_get_device_cfg_params]
<MEGA_BASELINE_INIT>MegaEyes baseline resources init ok!
start WsDiscovery Listener!!!!
<MEGA_CFG_INFO>MegaCfg Changed, Need Backup Save!!!
<MEGA_CFG_INFO>Current Time [2018-02-07 22:24:08].
<MEGA_CFG_INFO>MegaCfg Backup Succ!!!
Update ipc ip address,netmask,port is success!
Send hello message at the starting of device, g_bDiscoverable: 1.
--------enter ONVIFEventServer----------
Update ipc ip address,netmask,port is success!
Update ipc ip address,netmask,port is success!
Update ipc ip address,netmask,port is success!
Update ipc ip address,netmask,port is success!
Update ipc ip address,netmask,port is success!
Update ipc ip address,netmask,port is success!
part /dev/sdc stor_get_record_file_detail_task ending 1518042261
part /dev/sdd stor_get_record_file_detail_task ending 1518042261
part /dev/sdb stor_get_record_file_detail_task ending 1518042263
part /dev/sda stor_get_record_file_detail_task ending 1518042264
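An added example (not part of the original post, and not Hikvision tooling): a small parser for the U-Boot upgrade output above that reports, for each partition write pass, whether every listed file and the version.bin flag file were written before the board reset. The sample log is abridged from the console output in this thread; the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the upgrade output posted in this thread.
START = re.compile(r"start to write files to partition (\d+)")
WRITE = re.compile(r"^(\d+)-\d+\.\s+write (flag file )?(\S+) len: (\d+)")
RETRY = re.compile(r"^\[WARNING\]\d+-\d+\.\s+write (\S+) has bitflip .*retry:(\d+)")
DONE = re.compile(r"update partition (\d+) success!")
BANNER = re.compile(r"^U-Boot \d")  # a fresh banner means the board reset


@dataclass
class FlashAttempt:  # hypothetical name, used only in this example
    partition: int
    expected: int = 0                            # N in the "N-k." prefixes
    files: dict = field(default_factory=dict)    # path -> bytes written
    retries: dict = field(default_factory=dict)  # path -> highest retry number
    flag_written: bool = False                   # "write flag file ... version.bin"
    confirmed: bool = False                      # "update partition N success!"
    reset_midway: bool = False                   # banner seen before confirmation

    @property
    def complete(self):
        return (self.confirmed and self.flag_written
                and len(self.files) == self.expected)


def parse_upgrade_log(text):
    """Split console output into one FlashAttempt per partition write pass."""
    attempts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := START.search(line):
            cur = FlashAttempt(partition=int(m.group(1)))
            attempts.append(cur)
        elif cur is None:
            continue  # output outside a write pass
        elif m := RETRY.match(line):
            path, n = m.group(1), int(m.group(2))
            cur.retries[path] = max(n, cur.retries.get(path, 0))
        elif m := WRITE.match(line):
            cur.expected = int(m.group(1))
            cur.files[m.group(3)] = int(m.group(4))
            cur.flag_written = cur.flag_written or bool(m.group(2))
        elif m := DONE.search(line):
            cur.confirmed = int(m.group(1)) == cur.partition
            cur = None
        elif BANNER.match(line):
            cur.reset_midway = True
            cur = None
    return attempts


def summarize(attempts):
    out = []
    for a in attempts:
        state = "complete" if a.complete else (
            f"INCOMPLETE {len(a.files)}/{a.expected} files"
            + (", reset before flag file" if a.reset_midway else ""))
        out.append(f"partition {a.partition}: {state}, retries={a.retries}")
    return out


# Sample input: abridged from the console output in this thread.
SAMPLE_LOG = """\
start to write files to partition 0...
14-1.  write /nand/uImage len: 2642816
14-2.  write /nand/rootfs.img len: 1205368
14-3.  write /nand/initrun.sh len: 1016
14-4.  write /nand/guirc.tar.gz len: 14696320
nand_bch_correct_data: corrected bitflip 1
[WARNING]14-5.  write /nand/webs.tar.gz has bitflip 1 - 0 - 0 - 0 we should rewrite it!retry:1 yaffs2_err:0
nand_bch_correct_data: corrected bitflip 1
[WARNING]14-5.  write /nand/webs.tar.gz has bitflip 1 - 0 - 0 - 0 we should rewrite it!retry:2 yaffs2_err:0
14-5.  write /nand/webs.tar.gz len: 2661600
U-Boot 2010.03 (2012-11-30 - 01:11:11)
version.bin not found on /nand/flash_sys0
start to write files to partition 0...
13-1.  write /nand/uImage len: 2599972
13-2.  write /nand/rootfs.img len: 771627
13-3.  write /nand/initrun.sh len: 695
13-4.  write /nand/guirc.tar.gz len: 12458119
13-5.  write /nand/webs.tar.gz len: 2379510
13-6.  write /nand/disknoLink.bmp len: 6966
13-7.  write /nand/diskOK.bmp len: 6966
13-8.  write /nand/logo.bmp len: 2359350
13-9.  write /nand/logo_nvr.bmp len: 2359350
13-10.  write /nand/vps_logo.bin len: 92208
13-11.  write /nand/mux_top.bit len: 801572
13-12.  write /nand/ds_80101.bit len: 2879535
13-13.  write flag file /nand/version.bin len: 4
update partition 0 success!
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_upgrade_log(SAMPLE_LOG))))
```

Run against a full capture, the incomplete passes line up with the "version.bin not found" and "partition 0 is broken" messages that follow each reset in the log.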
 

Bradnvr

I hope this is entertaining to someone. This forum is dead. I'm amazed I spent the last 4 days talking to myself in this thread... at least this ghost town has a good library.

And... what do you know... now that I have downgraded to a previous firmware, I typed in the magic word, and I'm into the command line....:wtf::wow::wow::wow:

Code:
zhimakaimen
$
$ ls
bin   dav1  dev   home  mnt   proc  sbin  sys   var
dav0  dav2  etc   lib   opt   root  srv   tmp
$
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
And... what do you know... now that I have downgraded to a previous firmware, I typed in the magic word, and I'm into the command line.
With no challenge code and no password?
Unheard of with unhacked psh.
What version of firmware was this?
I hope this is entertaining to someone.
It will be - but it's a bit outside most folks' experience or expertise, so you'll not get many responses. That doesn't mean, though, that there is no interest.
Thanks for sharing.
 

Silas

Pulling my weight
Joined
Jan 6, 2017
Messages
328
Reaction score
121
Location
Down Under
I hope this is entertaining to someone. This forum is dead. I'm amazed I spent the last 4 days talking to myself in this thread... at least this ghost town has a good library.

And... what do you know... now that I have downgraded to a previous firmware, I typed in the magic word, and I'm into the command line....:wtf::wow::wow::wow:

Code:
zhimakaimen
$
$ ls
bin   dav1  dev   home  mnt   proc  sbin  sys   var
dav0  dav2  etc   lib   opt   root  srv   tmp
$
Don't like it, then move on..
 

Bradnvr

With no challenge code and no password?
Unheard of with unhacked psh.
What version of firmware was this?
Yeah, that's what I thought too.. I'm surprised I'm allowed straight in.
It's the whitelabeled American company that uses HikVision hardware, their website is SuperCircuits.com and they sell HikVision under the name ALIBI.
The firmware I used is this one: Firmware V3.1.1 Build 140710
Which is located here: Learning Center - Firmware - Alibi Recorders
and it's the first one I was able to successfully Binwalk and actually find a file system out of the firmware file. If you find anything else about it, post it here.

Caution: this firmware will install on hikvision hardware, but not everything is the same as I learned above.
 
Last edited:

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
Here's the passwd and shadow file, it looks like it has a guest and root user... may be of some use to us:

passwd
Code:
root:x:0:0::/root:/bin/sh
guest:x:1000:1000:Linux User,,,:/home/guest:/bin/sh
shadow
Code:
root:$1$5WxtPNMX$vsdvmM0NegqGN30M4sXa41:15595:0:99999:7:::
guest:$1$2akOpwPS$RvmU9grkwNW/mIRLfHlT4.:15595:0:99999:7:::
group
Code:
root:x:0:root
guest:x:1000:
Someone may want to John the Ripper that... I don't know much about cracking, so I couldn't help there.
ALIBI's default user/pass is admin/1111 instead of hikvision's admin:12345

I also just learned that I can "SU" and the password is the "admin" password that I set for the device. I have full root privileges.
 
Last edited:

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
Once the firmware is installed, a new user is generated:

passwd
Code:
hikvision:x:501:501:Linux User,,,:/home/hikvision:/bin/sh
shadow
Code:
hikvision:$1$ChRPh3ur$Yy6bjTErRXoajEZ1jao79/:15302:0:99999:7:::
group
Code:
hikvision:x:500:
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
hikvision:$1$ChRPh3ur$Yy6bjTErRXoajEZ1jao79/:15302:0:99999:7:::
hikvisiopn pw=hikvision
*edit* oops - typo:
hikvision pw=hikvision
 
Last edited:

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
Yep, that worked. Nice.
Interesting stuff in here. I wish I knew how to enable SSH or had a text editor..
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
I wish I knew how to enable SSH or had a text editor..
The older NVR firmware typically does not have SSH, but instead may still have telnetd in the version of busybox.
It's convenient to edit externally if you have an NFS or SMB/CIFS share and mount it. This can be done either via the GUI or command line.

*edit* root and guest are both pw=12345
 
Last edited:

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
I .. had trouble mounting a share, still working on it, but I just realized Telnet could be enabled from the web interface.

Code:
192.0.0.64 login: root
Password:

BusyBox v1.2.1 (2013.11.14-03:03+0000) Built-in shell (ash)
Enter 'help' for a list of davinci system commands.

# cd ..
# ls
bin   dav1  dev   home  mnt   proc  sbin  sys   var
dav0  dav2  etc   lib   opt   root  srv   tmp
#
If they took it out of the GUI, it still may be enable-able through the API...

Code:
PUT /ISAPI/System/Network/telnetd HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
If-Modified-Since: 0
Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXX
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.2/doc/page/paramconfig.asp?version=3.0.4.140626
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 192.168.1.2
Content-Length: 45
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: language=en; updateTips=true; userInfo80=YWRtaW46aGF3YWlpc3VuNw%3D%3D

...<Telnetd><enabled>true</enabled></Telnetd>
Remember the Authorization!
Hex for those 3 dots is EF BB BF ... I don't know what that is, could be a glitch or security.
 
Last edited:
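Added example, not part of the original post: a defender-side Python check that parses a captured request like the one above and flags one that switches telnetd on. The leading bytes EF BB BF are the UTF-8 byte order mark and are counted in Content-Length (3 + 42 = 45); the host and credential in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

UTF8_BOM = b"\xef\xbb\xbf"           # the "3 dots" in front of the XML body
TELNET_PATH = "/isapi/system/network/telnetd"
MAX_BODY = 4096                       # refuse oversized bodies before XML parsing

# Constructed capture modelled on the request above; host and credentials are placeholders.
SAMPLE = (b"PUT /ISAPI/System/Network/telnetd HTTP/1.1\r\n"
          b"Host: 192.0.2.10\r\n"
          b"Authorization: Basic PLACEHOLDER\r\n"
          b"Content-Length: 45\r\n\r\n"
          + UTF8_BOM + b"<Telnetd><enabled>true</enabled></Telnetd>")


def inspect_request(raw: bytes) -> dict:
    """Parse one raw HTTP request; report whether it turns the telnet daemon on."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    has_bom = body.startswith(UTF8_BOM)
    xml_bytes = body[len(UTF8_BOM):] if has_bom else body
    enabled = None
    on_telnet_path = target.split("?")[0].lower().endswith(TELNET_PATH)
    if on_telnet_path and len(xml_bytes) <= MAX_BODY:
        try:
            for el in ET.fromstring(xml_bytes).iter():
                if el.tag.rsplit("}", 1)[-1].lower() == "enabled":  # ignore any xmlns
                    enabled = (el.text or "").strip().lower() == "true"
        except ET.ParseError:
            pass                       # malformed body: leave enabled as None
    return {
        "method": method,
        "has_bom": has_bom,
        "length_ok": headers.get("content-length") == str(len(body)),
        "basic_auth": headers.get("authorization", "").lower().startswith("basic "),
        "alert": method == "PUT" and on_telnet_path and enabled is True,
    }


if __name__ == "__main__":
    print(inspect_request(SAMPLE))
```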

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
I wonder where this thing stores its web interface passwords...
web interface HTML is located here: /home/hik/webs

storing this hardware information here...

Code:
fdisk -l
Disk /dev/sda: 750.1 GB, 750156374016 bytes
255 heads, 63 sectors/track, 91201 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/sda doesn't contain a valid partition table

Disk /dev/sdb: 750.1 GB, 750156374016 bytes
255 heads, 63 sectors/track, 91201 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/sdc: 750.1 GB, 750156374016 bytes
255 heads, 63 sectors/track, 91201 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/sdc doesn't contain a valid partition table

Disk /dev/sdd: 750.1 GB, 750156374016 bytes
255 heads, 63 sectors/track, 91201 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk /dev/sdd doesn't contain a valid partition table


df
Filesystem                Size      Used Available Use% Mounted on
/dev/ram0                 4.0M      2.2M      1.8M  55% /
udev                     75.8M      4.0k     75.8M   0% /dev
/dev/mtdblock0           64.0M     26.7M     37.3M  42% /dav0
/dev/mtdblock1           64.0M     26.7M     37.3M  42% /dav1
/dev/mtdblock2          128.0M      9.8M    118.2M   8% /dav2


mount
/dev/root      on /        type minix  (rw,relatime)
proc           on /proc    type proc   (rw,relatime)
none           on /sys     type sysfs  (rw,relatime)
ramfs          on /home    type ramfs  (rw,relatime)
udev           on /dev     type tmpfs  (rw,relatime)
devpts         on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/mtdblock0 on /dav0    type yaffs2 (rw,relatime)
/dev/mtdblock1 on /dav1    type yaffs2 (rw,relatime)
/dev/mtdblock2 on /dav2    type yaffs2 (rw,relatime)

# cat /proc/version
Linux version 2.6.34 (root@localhost.localdomain) (gcc version 4.4.6 (crosstool-NG 1.13.2) ) #79 Tue Feb 18 08:30:40 CST 2014

# cat /proc/meminfo
MemTotal:         155172 kB
MemFree:           12196 kB
Buffers:           15936 kB
Cached:            43668 kB
SwapCached:            0 kB
Active:            38320 kB
Inactive:          42340 kB
Active(anon):      26676 kB
Inactive(anon):    26848 kB
Active(file):      11644 kB
Inactive(file):    15492 kB
Unevictable:       33128 kB
Mlocked:            1044 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                20 kB
Writeback:             0 kB
AnonPages:         54212 kB
Mapped:             5852 kB
Shmem:                 4 kB
Slab:              20496 kB
SReclaimable:      16936 kB
SUnreclaim:         3560 kB
KernelStack:        1928 kB
PageTables:         1620 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      139652 kB
Committed_AS:      79236 kB
VmallocTotal:     581632 kB
VmallocUsed:        4600 kB
VmallocChunk:     569340 kB

# cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 2 (v7l)
BogoMIPS        : 1196.03
Features        : swp half thumb fastmult vfp edsp neon vfpv3
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc08
CPU revision    : 2

Hardware        : ti8168evm
Revision        : 0000
Serial          : 0000000000000000
TI816X          : DM8165 V2.1
I'm a little surprised that this device has the same CPU as yesterday's cell phone but handles up to 16 HD streams. ... huh?
 
Last edited:

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
From my own research, I'm fairly certain that the file containing the web configuration, including the usernames and passwords, is /dav2/devCfg.bin

Dav0 and Dav1 are duplicate partitions. Dav2 is the third that is ... more interesting. It appears to be encrypted or at least an obscure obfuscated format. I will attempt to render a readable format.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
If it's like other NVR config files, it's just gzipped then plaintext. I don't recall if it's SQLite3 like the cameras - if I was at home I'd be able to check.
 

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
Mounting an existing share is not working for one reason or another.
Alternatively, I am using TFTP to send files and get files from a TFTP server I am running in Windows.
The TFTP server that is working well for me is called TFTPD64 by Ph. Jounin
TFTPD32 : an opensource IPv6 ready TFTP server/service for windows : TFTP server

here are the commands I run on the NVR to get and put files.

Code:
# Send to Windows (put a file from the NVR onto the TFTP server)
tftp -p 192.168.1.108 -r devCfg_backup.bin

# Put on Linux (get a file from the TFTP server onto the NVR)
tftp -g 192.168.1.108 -l devCfg_backup.bin
devCfg.bin is not gz, and not sqlite though. This firmware may be too early for that.. hmm. I do not recognize the file format yet.
 

Bradnvr

n3wb
Joined
Feb 3, 2018
Messages
26
Reaction score
9
devCfg.bin is probably its own format, but clear text, no encryption. If you search for "admin" you will find the main admin account and the HEX pattern follows something like this.. (note: these are test accounts, not my real passwords in the HEX)

Code:
#account number 1
61 64 6D 69 6E 00 00 00 00 00 00 00 00 00 00 00 #Username (Max 16 chrs)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
38 37 36 35 34 33 32 31 00 00 00 00 00 00 00 00 #Password (Max 16 chrs)
FF FF FF FF                                     #Probably permission level
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02 00 00 00 00 00 00 00 00 00 00 #not sure
00 00 00 00 00 00 00 00 00 00 00
FF FF 00 00 00 00 00 00 #I'm guessing these are probably local and remote configuration.
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00

#account number 2
74 65 73 74 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
38 37 36 35 34 33 32 31 00 00 00 00 00 00 00 00
17 71 0D 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
FF FF 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
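Added example, not part of the original post: a Python audit of a config backup from your own recorder that walks the account records and reports which ones hold a cleartext password and whether it is one of the defaults named in this thread, without printing the password itself. The 184-byte record layout is an assumption read off the hex dump above, and the sample blob (including the "operator" account) is constructed.

```python
import struct

# Layout as transcribed in the hex dump above (an assumption, not a documented format):
# 16-byte name, 16 unknown bytes, 16-byte password, 4-byte permission field, 132 more bytes.
RECORD = struct.Struct("<16s16s16s4s132s")       # 184 bytes per account
KNOWN_DEFAULTS = {"1111", "12345", "hikvision"}   # default passwords named in this thread


def _text(field: bytes) -> str:                   # NUL-padded field -> string
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def audit_accounts(blob: bytes, first_user: bytes = b"admin") -> list:
    """Locate the account table via its first username and audit each record."""
    start = blob.find(first_user.ljust(16, b"\x00"))
    if start < 0:
        return []
    findings = []
    for off in range(start, len(blob) - RECORD.size + 1, RECORD.size):
        name, _, pw, perm, _ = RECORD.unpack_from(blob, off)
        if not name.strip(b"\x00"):
            break                                   # empty slot: end of table
        password = _text(pw)
        findings.append({
            "offset": off,
            "user": _text(name),
            "cleartext_len": len(password),        # report length only, not the secret
            "is_default": password in KNOWN_DEFAULTS,
            "permission": perm.hex(),
        })
    return findings


def make_record(user: str, pw: str, perm: bytes, kind: int) -> bytes:
    """Build a constructed test record with the same shape as the dump."""
    tail = bytes(30) + bytes([kind]) + bytes(21) + (b"\xff\xff" + bytes(6)) * 8 + bytes(16)
    return RECORD.pack(user.encode(), b"", pw.encode(), perm, tail)


# Constructed sample: filler, the two test accounts from the post, one default-password account.
SAMPLE = (bytes(64)
          + make_record("admin", "87654321", b"\xff\xff\xff\xff", 2)
          + make_record("test", "87654321", b"\x17\x71\x0d\x00", 1)
          + make_record("operator", "12345", b"\x00\x00\x00\x00", 1)
          + bytes(RECORD.size))

if __name__ == "__main__":
    print(audit_accounts(SAMPLE))
```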
 