Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
547
Location
London
Thanks looks like hours of fun
 

sosaix

n3wb
Joined
Feb 20, 2015
Messages
15
Reaction score
9
another version of check_rs232, this time from 2632, firmware version on sticker 5.2.5, software version inside 5.2.0
file timestamp of check_rs232 is 20.01.2015,
strings in file:

ďSHA Decryption Has Failedx98

R: stan
-- poc .ru 2.1.3 1421752786 stan ----------


other files seem untouched
 

Attachments

Last edited by a moderator:

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
I had an idea. Clearly the camera boots off mtd11 initially and that reboots the kernel in mtd13. Since the issue with firmware seems to be checked at the kernel level, why not copy the kernels from a pre-5.2.5 camera, then you can a) install older firmware, b) do the mtd5/6 hack. Any error with mtd13, it will bring up mtd14, so semi-safe, should do the same for mtd12. If it works, then update mtd12 and 14 as they are the backup kernels.
 

sosaix

n3wb
Joined
Feb 20, 2015
Messages
15
Reaction score
9
i don't follow,

lets summarize some things, i'm into it since couple of days so be understanding, so:

mtd13 - app_pri - attached to ubi1 - mounted on /dav
mtd15 - cfg_pri - attached to ubi3 - mounted on /davinci
mtd16 - cfg_sec - attached to ubi4 - mounted on /config

digicap.dav - contains files that during flash process are placed to:
mtd13 - app_pri - all files except himage and hroot.img
mtd9 - krn_pri - current kernel - content of himage from digicap.dav
mtd11 - rmd_pri - initrd, rootfs - content of unzipped hroot.img (ext2 image) from digicap.dav

kern_sec and rmd_sec are used during recovery magic done by /etc/profile in case of *_pri failures

all hacking from chinese to english on aliexpress cams is done via check_rs232,
it is injected binary (to initrd (hroot.img)) that is loaded before davinci binary (by initram.sh), as an effect davinci binary is being patched in memory (at 0x1b3868, 0x1b3b50 and 0x6b0980)

don't know why 5.2.5 cams downgraded to 5.2.0 bricking, while chinese cams are downgraded like that (but with check_rs232 injected)


so back to your suggestion, i think flashing kernel has no sense since it is flashing during update process with himage content

i could try flash my 5.2.5 (on sticker) to 5.2.0 original image rebuilt with check_rs232 but i'm not gonna do that, i need that cam working since it is my only cam at the moment and possible brick is not an option

regards
 

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
I checked a Chinese and a camera hacked to English with 5.2.5 and /bin/da_info (that contains check_rs232) are identical.

# da_info
Input error argv[0]=da_info.
Commands Usage
help : Printf the command usage list
getIp : Get the device's IP address
setIp : Set the device's IP address.
Usage: setIp [IP ADDRESS]:[SUBNET MASK]
e.g. setIp 192.168.1.10:255.255.255.0
setPort : Set the device's command PORT
Usage: setPort [PORT NUMBER]
e.g. setPort 8000
setGateway: Set the device's gateway
Usage: setGateway [GATEWAY ADDRESS]
e.g. setGateway 192.168.1.1
setPacketType: Set the stream packet type
Usage: setPacketType [PACKET TYPE]
e.g. setPacketType ps; setPacketType rtp
getRtpLen : Get the main stream rtp packet length.
setRtpLen : Set the main stream rtp packet length.
Usage: setRtpLen [packet len].
e.g. setRtpLen 1000.
setDebug : Set debug parm.
e.g. setDebug -l 2 -m rtsp -d 111
setDebug -h
getDebug : Get debug parm.
e.g. getDebug
getDebug -h
debugLog : Print all debuginfo before.
e.g. debugLog
debugLog -h
setV6ip : Set the device's IP address
Usage: setIp [IP ADDRESS]/[SUBNET LEN]
e.g. setIp 2000:1:2:3:4:5:6:7/64
getAgingMode : Get the aging mode.
setAgingMode : Set the aging mode.
Usage: setAgingMode [aging mode].
e.g. setAgingMode 1.
getAgingTime : Get the aging time.
setAgingTime : Set the aging time.
Usage: setAgingTime [aging time].
e.g. setAgingTime 60.
setRectFrame: Set the autotrack rectangle frame.
Usage: setRectFrame [ENABLE].
e.g. setRectFrame 1.
setIrcmd : Set the IR PWM value(0-100)
Usage: setIrcmd [near] [mid] [far]
e.g. setIrcmd 100 100 100
setYTLock : set the yt current lock mode
Usage: setYTLock 1
getIrstate : Get the IR PWM value(0-100)
getMcuInfo : Get the information of Mcu
setFtpService : Set ftp service state.(start/stop).
setItsMode : Restart ITS lib after changing scene. Usage: setItsMode [ENABLE](0/1).
InquireFanSwitch: send Laser Cmd.
e.g. InquireFanSwitch .
StartLaser: Start Laser.
CloseLaser: Close Laser.
LaserMotReset: Reset Motor of Laser.
EnlargeCur: Enlarge electric current of Laser.
ReduceCur: Reduce electric current of Laser.
SetCur: Set electric current of Laser.(0~255)
e.g. SetCur 150.
LaserMotDirect: Set Motor Direct of Laser.(1~36)
e.g. LaserMotDirect 36.
LaserTeleOffset:Tele Offset.(0~255)
e.g. LaserTeleOffset 150.
setLaserMode:setLaserMode (0-auto,1-mannual.
e.g. setLaserMode 1.
getLaserMode:Laser control mode is 0 (0-auto, 1-mannual)
e.g. getLaserMode.
LaserWideOffset:Wide Offset.(0~255)
e.g. LaserWideOffset 150.
InqSwitch: Inquiry Switch of Laser.
InqCurrent: Inquiry Current of Laser.
InqCurMotDirect: Inquiry Current Motor Direct of Laser.
setIrMode:setIrMode (0-auto,1-mannual.
e.g. setIrMode 1.
getIrMode:Ir control mode is 0 (0-auto, 1-mannual)
e.g. getIrMode.
setFocusArea:set focus area(0-default,1~16-window number)
setExposureArea:set exposure area(0-default,1~16-window number)
***********************************************************************************
showKey : Get all the keys of civil platform
showServer : Get all the servers of civil platform
showUpnp : Get the local and nat port and address
showStatus : Get the device status of civil platform
showDefence : Get the defence plan
setLBS : set the lbs address, e.g. setLBS 123.1.1.1 or set dev.ys7.com:8555
setAlarm : set the alarmserver address. Usage as setLBS
setWlan: : set the wifi ssid, just for test config. Usage: setWlan SSID
setdefence : Set the defence plan
Usage: setDefence [enable:1] [day:*] [start:hh:mm] [end:hh:mm]
e.g. setDefence enable:1 day:3 start:7:30 end:13:0
***********************************************************************************
#
 

sosaix

n3wb
Joined
Feb 20, 2015
Messages
15
Reaction score
9
...i tried i gave up...

(have no f.. idea what you are talkin' about)
 

wzhick

Pulling my weight
Joined
Dec 29, 2014
Messages
60
Reaction score
142
New tips.

1. Take "Baseline Firmware_IPC_2XX2 series_En_V5.2.0 140721.zip" from hikvision.
2. Use hiktools to unpack dav file
3. Delete first 64 bytes from hroot.img
4. Use Winrar or Far Manager for extract initrd from hroot.img
5. Use ImgExtractor http://4pda.ru/forum/index.php?showtopic=496786&st=940#entry33392722 for unpack initrd

6. Examine the contents.

initrd_/config 0 0 777initrd_/linuxrc 0 0 777 bin/busybox
initrd_/tmp 0 0 777
initrd_/mnt 0 0 777
initrd_/mnt/nfs06 0 0 777
initrd_/mnt/nfs05 0 0 777
initrd_/mnt/nfs0 0 0 777
initrd_/mnt/nfs01 0 0 777
initrd_/mnt/nfs03 0 0 777
initrd_/mnt/nfs02 0 0 777
initrd_/mnt/mmc01 0 0 777
initrd_/mnt/nfs07 0 0 777
initrd_/mnt/nfs00 0 0 777
initrd_/mnt/mmc02 0 0 777
initrd_/mnt/nfs04 0 0 777
initrd_/davinci 0 0 777
initrd_/opt 0 0 777
initrd_/usr 0 0 777
initrd_/usr/sbin 0 0 777
initrd_/usr/sbin/ubicrc32 0 0 755
initrd_/usr/sbin/ubidetach 0 0 755
initrd_/usr/sbin/ubimkvol 0 0 755
initrd_/usr/sbin/ubirsvol 0 0 755
initrd_/usr/sbin/ubiformat 0 0 755
initrd_/usr/sbin/ubiupdatevol 0 0 755
initrd_/usr/sbin/guard.sh 0 0 755
initrd_/usr/sbin/umount_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/format_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/ubiattach 0 0 755
initrd_/usr/sbin/ubinfo 0 0 755
initrd_/usr/sbin/ubirename 0 0 755
initrd_/usr/sbin/mount_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/set_sysflag 0 0 755
initrd_/usr/sbin/ubirmvol 0 0 755
initrd_/usr/sbin/check_dir 0 0 755
initrd_/usr/lib 0 0 777
initrd_/usr/bin 0 0 777
initrd_/proc 0 0 777
initrd_/sys 0 0 777
initrd_/etc 0 0 777
initrd_/etc/S_udev 0 0 755
initrd_/etc/inittab 0 0 755
initrd_/etc/group 0 0 755
initrd_/etc/Wireless 0 0 755
initrd_/etc/Wireless/RT2870STA 0 0 755
initrd_/etc/Wireless/RT2870STA/RT2870STA.dat 0 0 755
initrd_/etc/init.d 0 0 755
initrd_/etc/init.d/rcS 0 0 755
initrd_/etc/mdev.conf 0 0 755
initrd_/etc/inetd.conf 0 0 755
initrd_/etc/static_dev_nodes 0 0 755
initrd_/etc/passwd 0 0 755
initrd_/etc/services 0 0 755
initrd_/etc/nsswitch.conf 0 0 755
initrd_/etc/resolv.conf 0 0 755
initrd_/etc/udev 0 0 755
initrd_/etc/udev/rules.d 0 0 755
initrd_/etc/udev/rules.d/01-udev.rules 0 0 755
initrd_/etc/udev/rules.d/60-persistent-storage.rules 0 0 755
initrd_/etc/udev/rules.d/05-udev-early.rules 0 0 755
initrd_/etc/udev/rules.d/95-udev-late.rules 0 0 755
initrd_/etc/udev/rules.d/60-persistent-input.rules 0 0 755
initrd_/etc/udev/udev.conf 0 0 755
initrd_/etc/dropbear 0 0 755
initrd_/etc/dropbear/dropbear_dss_host_key 0 0 755
initrd_/etc/dropbear/dropbear_rsa_host_key 0 0 755
initrd_/etc/profile 0 0 755
initrd_/dev 0 0 777
initrd_/dev/null 0 0 666
initrd_/dev/console 0 0 600
initrd_/sbin 0 0 755
initrd_/sbin/fdisk 0 0 777 ../bin/busybox
initrd_/sbin/xtables-multi 0 0 755
initrd_/sbin/mkfs.vfat 0 0 777 ../bin/busybox
initrd_/sbin/hwclock 0 0 777 ../bin/busybox
initrd_/sbin/udevtrigger 0 0 755
initrd_/sbin/reboot 0 0 777 ../bin/busybox
initrd_/sbin/nandwrite 0 0 777 ../bin/busybox
initrd_/sbin/rmmod 0 0 777 ../bin/busybox
initrd_/sbin/iptables 0 0 777 xtables-multi
initrd_/sbin/udevcontrol 0 0 755
initrd_/sbin/modprobe 0 0 777 ../bin/busybox
initrd_/sbin/route 0 0 777 ../bin/busybox
initrd_/sbin/udevsettle 0 0 755
initrd_/sbin/telnetd 0 0 777 ../bin/busybox
initrd_/sbin/nanddump 0 0 777 ../bin/busybox
initrd_/sbin/udevinfo 0 0 755
initrd_/sbin/mdev 0 0 777 ../bin/busybox
initrd_/sbin/inetd 0 0 777 ../bin/busybox
initrd_/sbin/insmod 0 0 777 ../bin/busybox
initrd_/sbin/udevmonitor 0 0 755
initrd_/sbin/mkdosfs 0 0 777 ../bin/busybox
initrd_/sbin/udevstart 0 0 755
initrd_/sbin/ip6tables 0 0 777 xtables-multi
initrd_/sbin/init 0 0 777 ../bin/busybox
initrd_/sbin/ifconfig 0 0 777 ../bin/busybox
initrd_/sbin/poweroff 0 0 777 ../bin/busybox
initrd_/sbin/dropbear 0 0 755
initrd_/sbin/udevd 0 0 755
initrd_/sbin/halt 0 0 777 ../bin/busybox
initrd_/sbin/lsmod 0 0 777 ../bin/busybox
initrd_/lib 0 0 777
initrd_/lib/libcidn.so.1 0 0 777 libcidn-2.13.so
initrd_/lib/libutil-2.13.so 0 0 755
initrd_/lib/libz.so.1 0 0 777 libz.so.1.2.8
initrd_/lib/libc.so.6 0 0 777 libc-2.13.so
initrd_/lib/libnsl.so.1 0 0 777 libnsl-2.13.so
initrd_/lib/libnsl-2.13.so 0 0 755
initrd_/lib/libnss_compat-2.13.so 0 0 755
initrd_/lib/libnss_nis-2.13.so 0 0 755
initrd_/lib/libstdc++.so.6 0 0 777 libstdc++.so.6.0.16
initrd_/lib/libnss_dns.so.2 0 0 777 libnss_dns-2.13.so
initrd_/lib/libm.so.6 0 0 777 libm-2.13.so
initrd_/lib/libcrypt-2.13.so 0 0 755
initrd_/lib/libnss_nisplus.so.2 0 0 777 libnss_nisplus-2.13.so
initrd_/lib/libnss_dns-2.13.so 0 0 755
initrd_/lib/libcidn-2.13.so 0 0 755
initrd_/lib/libstdc++.so.6.0.16 0 0 755
initrd_/lib/libutil.so.1 0 0 777 libutil-2.13.so
initrd_/lib/libc-2.13.so 0 0 755
initrd_/lib/libnss_hesiod.so.2 0 0 777 libnss_hesiod-2.13.so
initrd_/lib/libz.so 0 0 777 libz.so.1.2.8
initrd_/lib/libnss_nisplus-2.13.so 0 0 755
initrd_/lib/libnss_hesiod-2.13.so 0 0 755
initrd_/lib/libnss_files-2.13.so 0 0 755
initrd_/lib/libpthread.so.0 0 0 777 libpthread-2.13.so
initrd_/lib/ld-2.13.so 0 0 755
initrd_/lib/libstdc++.so 0 0 777 libstdc++.so.6.0.16
initrd_/lib/libnss_nis.so.2 0 0 777 libnss_nis-2.13.so
initrd_/lib/libz.so.1.2.8 0 0 755
initrd_/lib/libdl.so.2 0 0 777 libdl-2.13.so
initrd_/lib/libcrypt.so.1 0 0 777 libcrypt-2.13.so
initrd_/lib/libnss_files.so.2 0 0 777 libnss_files-2.13.so
initrd_/lib/libresolv.so.2 0 0 777 libresolv-2.13.so
initrd_/lib/libdl-2.13.so 0 0 755
initrd_/lib/librt-2.13.so 0 0 755
initrd_/lib/libm-2.13.so 0 0 755
initrd_/lib/libgcc_s.so.1 0 0 644
initrd_/lib/librt.so.1 0 0 777 librt-2.13.so
initrd_/lib/libresolv-2.13.so 0 0 755
initrd_/lib/modules 0 0 777
initrd_/lib/libnss_compat.so.2 0 0 777 libnss_compat-2.13.so
initrd_/lib/ld-linux.so.3 0 0 777 ld-2.13.so
initrd_/lib/libpthread-2.13.so 0 0 755
initrd_/home 0 0 777
initrd_/var 0 0 777
initrd_/var/log 0 0 777
initrd_/var/log/lastlog 0 0 777
initrd_/var/log/wtmp 0 0 777
initrd_/dav 0 0 777
initrd_/srv 0 0 777
initrd_/bin 0 0 755
initrd_/bin/lzcat 0 0 777 busybox
initrd_/bin/mkdir 0 0 777 busybox
initrd_/bin/test 0 0 777 busybox
initrd_/bin/ping 0 0 777 busybox
initrd_/bin/ls 0 0 777 busybox
initrd_/bin/dd 0 0 777 busybox
initrd_/bin/netstat 0 0 777 busybox
initrd_/bin/sleep 0 0 777 busybox
initrd_/bin/dmesg 0 0 777 busybox
initrd_/bin/cp 0 0 777 busybox
initrd_/bin/df 0 0 777 busybox
initrd_/bin/[ 0 0 777 busybox
initrd_/bin/xzcat 0 0 777 busybox
initrd_/bin/unxz 0 0 777 busybox
initrd_/bin/rz 0 0 755
initrd_/bin/mount 0 0 777 busybox
initrd_/bin/mv 0 0 777 busybox
initrd_/bin/busybox 0 0 755
initrd_/bin/iostat 0 0 777 busybox
initrd_/bin/unlzma 0 0 777 busybox
initrd_/bin/false 0 0 777 busybox
initrd_/bin/touch 0 0 777 busybox
initrd_/bin/[[ 0 0 777 busybox
initrd_/bin/gunzip 0 0 777 busybox
initrd_/bin/ps 0 0 777 busybox
initrd_/bin/pppoe 0 0 755
initrd_/bin/date 0 0 777 busybox
initrd_/bin/kill 0 0 777 busybox
initrd_/bin/mpstat 0 0 777 busybox
initrd_/bin/lzma 0 0 777 busybox
initrd_/bin/sh 0 0 777 busybox
initrd_/bin/chmod 0 0 777 busybox
initrd_/bin/rm 0 0 777 busybox
initrd_/bin/mknod 0 0 777 busybox
initrd_/bin/sed 0 0 777 busybox
initrd_/bin/true 0 0 777 busybox
initrd_/bin/gzip 0 0 777 busybox
initrd_/bin/env 0 0 777 busybox
initrd_/bin/umount 0 0 777 busybox
initrd_/bin/du 0 0 777 busybox
initrd_/bin/ash 0 0 777 busybox
initrd_/bin/zcat 0 0 777 busybox
initrd_/bin/pwd 0 0 777 busybox
initrd_/bin/login 0 0 777 busybox
initrd_/bin/free 0 0 777 busybox
initrd_/bin/awk 0 0 777 busybox
initrd_/bin/cat 0 0 777 busybox
initrd_/bin/bash 0 0 777 busybox
initrd_/bin/ping6 0 0 777 busybox
initrd_/bin/xz 0 0 777 busybox
initrd_/bin/ln 0 0 777 busybox
initrd_/bin/top 0 0 777 busybox
initrd_/bin/pppd 0 0 755
initrd_/bin/fsync 0 0 777 busybox
initrd_/bin/tail 0 0 777 busybox
initrd_/bin/sync 0 0 777 busybox
initrd_/bin/tar 0 0 777 busybox
initrd_/bin/echo 0 0 777 busybox
initrd_/root 0 0 777
 

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
Where is this check_rs232 you speak off? I see a symbolic link to /bin/da-info. Is there another one I'm not aware of?

# ls -l check_rs232
lrwxrwxrwx 1 root root 12 Feb 22 15:51 check_rs232 -> /bin/da_info
 

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
I did do that, provides me with a files system I mounted that's the initial file system used to boot the camera, so that's half the equation. The problem is this, I need to compare it to the initrd that's inside the camera hacked to English as there's a difference, but I can't extract the initrd from and maybe I'm doing it wrong.

New tips.

1. Take "Baseline Firmware_IPC_2XX2 series_En_V5.2.0 140721.zip" from hikvision.
2. Use hiktools to unpack dav file
3. Delete first 64 bytes from hroot.img
4. Use Winrar or Far Manager for extract initrd from hroot.img
5. Use ImgExtractor http://4pda.ru/forum/index.php?showtopic=496786&st=940#entry33392722 for unpack initrd

6. Examine the contents.

initrd_/config 0 0 777initrd_/linuxrc 0 0 777 bin/busybox
initrd_/tmp 0 0 777
initrd_/mnt 0 0 777
initrd_/mnt/nfs06 0 0 777
initrd_/mnt/nfs05 0 0 777
initrd_/mnt/nfs0 0 0 777
initrd_/mnt/nfs01 0 0 777
initrd_/mnt/nfs03 0 0 777
initrd_/mnt/nfs02 0 0 777
initrd_/mnt/mmc01 0 0 777
initrd_/mnt/nfs07 0 0 777
initrd_/mnt/nfs00 0 0 777
initrd_/mnt/mmc02 0 0 777
initrd_/mnt/nfs04 0 0 777
initrd_/davinci 0 0 777
initrd_/opt 0 0 777
initrd_/usr 0 0 777
initrd_/usr/sbin 0 0 777
initrd_/usr/sbin/ubicrc32 0 0 755
initrd_/usr/sbin/ubidetach 0 0 755
initrd_/usr/sbin/ubimkvol 0 0 755
initrd_/usr/sbin/ubirsvol 0 0 755
initrd_/usr/sbin/ubiformat 0 0 755
initrd_/usr/sbin/ubiupdatevol 0 0 755
initrd_/usr/sbin/guard.sh 0 0 755
initrd_/usr/sbin/umount_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/format_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/ubiattach 0 0 755
initrd_/usr/sbin/ubinfo 0 0 755
initrd_/usr/sbin/ubirename 0 0 755
initrd_/usr/sbin/mount_ubifs_prt.sh 0 0 755
initrd_/usr/sbin/set_sysflag 0 0 755
initrd_/usr/sbin/ubirmvol 0 0 755
initrd_/usr/sbin/check_dir 0 0 755
initrd_/usr/lib 0 0 777
initrd_/usr/bin 0 0 777
initrd_/proc 0 0 777
initrd_/sys 0 0 777
initrd_/etc 0 0 777
initrd_/etc/S_udev 0 0 755
initrd_/etc/inittab 0 0 755
initrd_/etc/group 0 0 755
initrd_/etc/Wireless 0 0 755
initrd_/etc/Wireless/RT2870STA 0 0 755
initrd_/etc/Wireless/RT2870STA/RT2870STA.dat 0 0 755
initrd_/etc/init.d 0 0 755
initrd_/etc/init.d/rcS 0 0 755
initrd_/etc/mdev.conf 0 0 755
initrd_/etc/inetd.conf 0 0 755
initrd_/etc/static_dev_nodes 0 0 755
initrd_/etc/passwd 0 0 755
initrd_/etc/services 0 0 755
initrd_/etc/nsswitch.conf 0 0 755
initrd_/etc/resolv.conf 0 0 755
initrd_/etc/udev 0 0 755
initrd_/etc/udev/rules.d 0 0 755
initrd_/etc/udev/rules.d/01-udev.rules 0 0 755
initrd_/etc/udev/rules.d/60-persistent-storage.rules 0 0 755
initrd_/etc/udev/rules.d/05-udev-early.rules 0 0 755
initrd_/etc/udev/rules.d/95-udev-late.rules 0 0 755
initrd_/etc/udev/rules.d/60-persistent-input.rules 0 0 755
initrd_/etc/udev/udev.conf 0 0 755
initrd_/etc/dropbear 0 0 755
initrd_/etc/dropbear/dropbear_dss_host_key 0 0 755
initrd_/etc/dropbear/dropbear_rsa_host_key 0 0 755
initrd_/etc/profile 0 0 755
initrd_/dev 0 0 777
initrd_/dev/null 0 0 666
initrd_/dev/console 0 0 600
initrd_/sbin 0 0 755
initrd_/sbin/fdisk 0 0 777 ../bin/busybox
initrd_/sbin/xtables-multi 0 0 755
initrd_/sbin/mkfs.vfat 0 0 777 ../bin/busybox
initrd_/sbin/hwclock 0 0 777 ../bin/busybox
initrd_/sbin/udevtrigger 0 0 755
initrd_/sbin/reboot 0 0 777 ../bin/busybox
initrd_/sbin/nandwrite 0 0 777 ../bin/busybox
initrd_/sbin/rmmod 0 0 777 ../bin/busybox
initrd_/sbin/iptables 0 0 777 xtables-multi
initrd_/sbin/udevcontrol 0 0 755
initrd_/sbin/modprobe 0 0 777 ../bin/busybox
initrd_/sbin/route 0 0 777 ../bin/busybox
initrd_/sbin/udevsettle 0 0 755
initrd_/sbin/telnetd 0 0 777 ../bin/busybox
initrd_/sbin/nanddump 0 0 777 ../bin/busybox
initrd_/sbin/udevinfo 0 0 755
initrd_/sbin/mdev 0 0 777 ../bin/busybox
initrd_/sbin/inetd 0 0 777 ../bin/busybox
initrd_/sbin/insmod 0 0 777 ../bin/busybox
initrd_/sbin/udevmonitor 0 0 755
initrd_/sbin/mkdosfs 0 0 777 ../bin/busybox
initrd_/sbin/udevstart 0 0 755
initrd_/sbin/ip6tables 0 0 777 xtables-multi
initrd_/sbin/init 0 0 777 ../bin/busybox
initrd_/sbin/ifconfig 0 0 777 ../bin/busybox
initrd_/sbin/poweroff 0 0 777 ../bin/busybox
initrd_/sbin/dropbear 0 0 755
initrd_/sbin/udevd 0 0 755
initrd_/sbin/halt 0 0 777 ../bin/busybox
initrd_/sbin/lsmod 0 0 777 ../bin/busybox
initrd_/lib 0 0 777
initrd_/lib/libcidn.so.1 0 0 777 libcidn-2.13.so
initrd_/lib/libutil-2.13.so 0 0 755
initrd_/lib/libz.so.1 0 0 777 libz.so.1.2.8
initrd_/lib/libc.so.6 0 0 777 libc-2.13.so
initrd_/lib/libnsl.so.1 0 0 777 libnsl-2.13.so
initrd_/lib/libnsl-2.13.so 0 0 755
initrd_/lib/libnss_compat-2.13.so 0 0 755
initrd_/lib/libnss_nis-2.13.so 0 0 755
initrd_/lib/libstdc++.so.6 0 0 777 libstdc++.so.6.0.16
initrd_/lib/libnss_dns.so.2 0 0 777 libnss_dns-2.13.so
initrd_/lib/libm.so.6 0 0 777 libm-2.13.so
initrd_/lib/libcrypt-2.13.so 0 0 755
initrd_/lib/libnss_nisplus.so.2 0 0 777 libnss_nisplus-2.13.so
initrd_/lib/libnss_dns-2.13.so 0 0 755
initrd_/lib/libcidn-2.13.so 0 0 755
initrd_/lib/libstdc++.so.6.0.16 0 0 755
initrd_/lib/libutil.so.1 0 0 777 libutil-2.13.so
initrd_/lib/libc-2.13.so 0 0 755
initrd_/lib/libnss_hesiod.so.2 0 0 777 libnss_hesiod-2.13.so
initrd_/lib/libz.so 0 0 777 libz.so.1.2.8
initrd_/lib/libnss_nisplus-2.13.so 0 0 755
initrd_/lib/libnss_hesiod-2.13.so 0 0 755
initrd_/lib/libnss_files-2.13.so 0 0 755
initrd_/lib/libpthread.so.0 0 0 777 libpthread-2.13.so
initrd_/lib/ld-2.13.so 0 0 755
initrd_/lib/libstdc++.so 0 0 777 libstdc++.so.6.0.16
initrd_/lib/libnss_nis.so.2 0 0 777 libnss_nis-2.13.so
initrd_/lib/libz.so.1.2.8 0 0 755
initrd_/lib/libdl.so.2 0 0 777 libdl-2.13.so
initrd_/lib/libcrypt.so.1 0 0 777 libcrypt-2.13.so
initrd_/lib/libnss_files.so.2 0 0 777 libnss_files-2.13.so
initrd_/lib/libresolv.so.2 0 0 777 libresolv-2.13.so
initrd_/lib/libdl-2.13.so 0 0 755
initrd_/lib/librt-2.13.so 0 0 755
initrd_/lib/libm-2.13.so 0 0 755
initrd_/lib/libgcc_s.so.1 0 0 644
initrd_/lib/librt.so.1 0 0 777 librt-2.13.so
initrd_/lib/libresolv-2.13.so 0 0 755
initrd_/lib/modules 0 0 777
initrd_/lib/libnss_compat.so.2 0 0 777 libnss_compat-2.13.so
initrd_/lib/ld-linux.so.3 0 0 777 ld-2.13.so
initrd_/lib/libpthread-2.13.so 0 0 755
initrd_/home 0 0 777
initrd_/var 0 0 777
initrd_/var/log 0 0 777
initrd_/var/log/lastlog 0 0 777
initrd_/var/log/wtmp 0 0 777
initrd_/dav 0 0 777
initrd_/srv 0 0 777
initrd_/bin 0 0 755
initrd_/bin/lzcat 0 0 777 busybox
initrd_/bin/mkdir 0 0 777 busybox
initrd_/bin/test 0 0 777 busybox
initrd_/bin/ping 0 0 777 busybox
initrd_/bin/ls 0 0 777 busybox
initrd_/bin/dd 0 0 777 busybox
initrd_/bin/netstat 0 0 777 busybox
initrd_/bin/sleep 0 0 777 busybox
initrd_/bin/dmesg 0 0 777 busybox
initrd_/bin/cp 0 0 777 busybox
initrd_/bin/df 0 0 777 busybox
initrd_/bin/[ 0 0 777 busybox
initrd_/bin/xzcat 0 0 777 busybox
initrd_/bin/unxz 0 0 777 busybox
initrd_/bin/rz 0 0 755
initrd_/bin/mount 0 0 777 busybox
initrd_/bin/mv 0 0 777 busybox
initrd_/bin/busybox 0 0 755
initrd_/bin/iostat 0 0 777 busybox
initrd_/bin/unlzma 0 0 777 busybox
initrd_/bin/false 0 0 777 busybox
initrd_/bin/touch 0 0 777 busybox
initrd_/bin/[[ 0 0 777 busybox
initrd_/bin/gunzip 0 0 777 busybox
initrd_/bin/ps 0 0 777 busybox
initrd_/bin/pppoe 0 0 755
initrd_/bin/date 0 0 777 busybox
initrd_/bin/kill 0 0 777 busybox
initrd_/bin/mpstat 0 0 777 busybox
initrd_/bin/lzma 0 0 777 busybox
initrd_/bin/sh 0 0 777 busybox
initrd_/bin/chmod 0 0 777 busybox
initrd_/bin/rm 0 0 777 busybox
initrd_/bin/mknod 0 0 777 busybox
initrd_/bin/sed 0 0 777 busybox
initrd_/bin/true 0 0 777 busybox
initrd_/bin/gzip 0 0 777 busybox
initrd_/bin/env 0 0 777 busybox
initrd_/bin/umount 0 0 777 busybox
initrd_/bin/du 0 0 777 busybox
initrd_/bin/ash 0 0 777 busybox
initrd_/bin/zcat 0 0 777 busybox
initrd_/bin/pwd 0 0 777 busybox
initrd_/bin/login 0 0 777 busybox
initrd_/bin/free 0 0 777 busybox
initrd_/bin/awk 0 0 777 busybox
initrd_/bin/cat 0 0 777 busybox
initrd_/bin/bash 0 0 777 busybox
initrd_/bin/ping6 0 0 777 busybox
initrd_/bin/xz 0 0 777 busybox
initrd_/bin/ln 0 0 777 busybox
initrd_/bin/top 0 0 777 busybox
initrd_/bin/pppd 0 0 755
initrd_/bin/fsync 0 0 777 busybox
initrd_/bin/tail 0 0 777 busybox
initrd_/bin/sync 0 0 777 busybox
initrd_/bin/tar 0 0 777 busybox
initrd_/bin/echo 0 0 777 busybox
initrd_/root 0 0 777
 

sosaix

n3wb
Joined
Feb 20, 2015
Messages
15
Reaction score
9
Where is this check_rs232 you speak off? I see a symbolic link to /bin/da-info. Is there another one I'm not aware of?

# ls -l check_rs232
lrwxrwxrwx 1 root root 12 Feb 22 15:51 check_rs232 -> /bin/da_info

you have to unpack initrd to find that file,

if you want to see if that file is on camera, dump mtd11, then mount somewhere via loop

it must be deleted during every boot process to obscure things, but it is there and it is executed, and davinci is patched in memory so on filesystem there is no change, to find that out:
1. check pid of davinci (f.e. 842)
2. do: cat /proc/842/exe > /mnt/nfs00/dav_patched and compare with extracted davinci.tar.gz

i thought my english is at average level but now i'm getting worry ;-)

(if you don't have camera hacked or hacked this way, go to post #13 in this thread, follow link, get that custom firmware (linked there) and do extract everything to find out that it differs from original 5.2.0 firmware only by file we are talking about, i already attached two versions of that file, one is from that image, second is straight from my mtd11, 2632 bought week ago on ali)

if i would brave or have more than one cam at the moment i would try to make own custom firmware from original using extracted check_rs232,
using kindly released hiktools, one thing to do is make own header of hroot.img which seems to be simple:
offset 0x000000: 4 bytes of CRC sum of gzipped initrd noted backwards (little endian)
offset 0x00000C: 4 bytes of length (0x40 header len is not counted) also backwards (little endian)
offset 0x000010: 00 00 A0 C0 - don't know what is it but is not changing (at least in initrd that i was looking at)
offset 0x000018: 4B 44 4D 52 - ASCII "KDMR" magic bytes ("RAMDISK")

success or not (especially flashing cam with 5.2.5 on sticker) would give some answers (like, how chinese downgrading 5.2.5 cams or how it is really hacked, only by check_rs232 or there is something more)
 
Last edited by a moderator:

jordanb

Young grasshopper
Joined
Feb 11, 2015
Messages
96
Reaction score
2
Location
Scotland
Hi,

I have carried out the hiktools split digicap.dav destinationdir command to a new folder within tftp folder on c:

all files have extracted,

when I carry out the next part
hiktools create header_from_digicap.dav sourcedir

i get an unable to open dav file in the cmd

any ideas what Im doing wrong?
 

jordanb

Young grasshopper
Joined
Feb 11, 2015
Messages
96
Reaction score
2
Location
Scotland
no,

when I tried doing it that way i could only see 1 file appear.

i have a tftpserv folder, within it I have tftp server and files, digicap.dav file and hiktools.exe

when I create, I put it into a folder "new" within tftpserv folder. I can then see all the files doing it this way.
 

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
Your English is fine, it's my camera's English that's not so fine.

I figured out if you do a nandump -f mymtd11 /dev/mtd11, it will create a file where I can extract the initrd from, unzips fine. Yes, I see the check_rs232 file in there. So I took the entire MTD11 from the camera hacked to English, with the check_rs232 in, and copied it to the camera that reverted to Chinese. Initially both were English, but applying 5.2.5 made it Chinese. /dev/mtd11 is the same as hroot.img, so not reason why it should not work, but it did not. The camera still boots up Chinese. So where may I be going wrong?

I did as you suggested, extracted the running davinci and you are so correct. They are very different despite that davinci.tar.gz is the same. One guess that I have is that the MTD11 is messed up so how as it seems to take longer to boot so it's going to backup, MTD12. I'll have to monitor it from the sty console. It would be easier if I didn't have bronchitis.




you have to unpack initrd to find that file,

if you want to see if that file is on camera, dump mtd11, then mount somewhere via loop

it must be deleted during every boot process to obscure things, but it is there and it is executed, and davinci is patched in memory so on filesystem there is no change, to find that out:
1. check pid of davinci (f.e. 842)
2. do: cat /proc/842/exe > /mnt/nfs00/dav_patched and compare with extracted davinci.tar.gz

i thought my english is at average level but now i'm getting worry ;-)

(if you don't have camera hacked or hacked this way, go to post #13 in this thread, follow link, get that custom firmware (linked there) and do extract everything to find out that it differs from original 5.2.0 firmware only by file we are talking about, i already attached two versions of that file, one is from that image, second is straight from my mtd11, 2632 bought week ago on ali)

if i would brave or have more than one cam at the moment i would try to make own custom firmware from original using extracted check_rs232,
using kindly released hiktools, one thing to do is make own header of hroot.img which seems to be simple:
offset 0x000000: 4 bytes of CRC sum of gzipped initrd noted backwards (little endian)
offset 0x00000C: 4 bytes of length (0x40 header len is not counted) also backwards (little endian)
offset 0x000010: 00 00 A0 C0 - don't know what is it but is not changing (at least in initrd that i was looking at)
offset 0x000018: 4B 44 4D 52 - ASCII "KDMR" magic bytes ("RAMDISK")

success or not (especially flashing cam with 5.2.5 on sticker) would give some answers (like, how chinese downgrading 5.2.5 cams or how it is really hacked, only by check_rs232 or there is something more)
 

sosaix

n3wb
Joined
Feb 20, 2015
Messages
15
Reaction score
9
Your English is fine, it's my camera's English that's not so fine.

I figured out if you do a nandump -f mymtd11 /dev/mtd11, it will create a file where I can extract the initrd from, unzips fine. Yes, I see the check_rs232 file in there. So I took the entire MTD11 from the camera hacked to English, with the check_rs232 in, and copied it to the camera that reverted to Chinese. Initially both were English, but applying 5.2.5 made it Chinese. /dev/mtd11 is the same as hroot.img, so not reason why it should not work, but it did not. The camera still boots up Chinese. So where may I be going wrong?

I did as you suggested, extracted the running davinci and you are so correct. They are very different despite that davinci.tar.gz is the same. One guess that I have is that the MTD11 is messed up so how as it seems to take longer to boot so it's going to backup, MTD12. I'll have to monitor it from the sty console. It would be easier if I didn't have bronchitis.
did you try not to inject check_rs232 but use davinci bin dumped from memory (by cat /proc/842/exe > /mnt/nfs00/dav_patched)? you can make own davinci.tar.gz (remember it is not gzip but lzma) with that binary and find out if that contains language patch or not.

i don't know why they (whoever they are) did patching in memory and not on filesystem to obfuscate things to ppl like we are or maybe firmware makes some checks and davinci.tar.gz has to be untouched... it has to be checked

best regards
fuck commies
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
547
Location
London
After hours of looking, I found this explained that this is how the Chinese are changing the language setting. It's for the 2cd3410 but may work on others. (it came from a Russian / Slovak site).

I translated the very poor instruction's from Russian to English.


https://www.dropbox.com/s/sgtt95ied31jhgk/davinci.lzma?dl=0



1. takes a micro sd card and inserted into the camera. (or use a NAS mount)
2. Go into the web interface of the camera and select check card and formatting it, also check telnet is active (box ticked).
3. Start on Windows cmd, then execute telnet.
4. Then enter your login and password. (root / 12345)
5. Run the "mount" command


You will have something like this
mount


rootfs on / type rootfs (rw)
proc on / proc type proc (rw, relatime)
none on / sys type sysfs (rw, relatime)
ramfs on / home type ramfs (rw, relatime)
udev on / dev type tmpfs (rw, relatime)
devpts on / dev / pts type devpts (rw, relatime, mode = 600, ptmxmode = 000)
/ Dev / mtdblock5 on / dav type cramfs (ro, relatime)
/ Dev / mtdblock6 on / devinfo type jffs2 (rw, relatime)
/ Dev / mtdblock5 on / dav / ppp type cramfs (ro, relatime)
/ Dev / mmc01 on / mnt / mmc01 type vfat (rw, relatime, fmask = 0022, dmask = 0022, codepage = c
p437, iocharset = iso8859-1, shortname = mixed, errors = remount-ro)



Here is the line / dev / mmc01 on / mnt / mmc01 - it's your memory card.

Next you need to run the command to be saved on the memory card of the current firmware:


cp /dav/davinci.lzma /mnt/mmc01/davinci.lzma


after running this command it copies your original davinci.lzma to your memory card.


5. Turn off the camera, remove the memory card and insert it into your computer.
6. Now move your davinci.lzma from the memory card. ( Place is somewhere safe for Backup )
7. Now copy the modded davinci.lzma back on to your memory card.
8. Insert the card back into your camera, turn on the camera again enter via telnet
9. now in telnet Run the command cp /mnt/mmc01/davinci.lzma / dav /
10. Reboot the camera.


Job Done.
 
Last edited by a moderator:

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
547
Location
London
HxD file compare shows only one difference.

Top one is from my region free ds-3410 the other is from the Chinese hacked camera. would be nice if someone had an original file to compare with them with that came from an untouched camera.
 

Attachments

Last edited by a moderator:

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
773
Reaction score
139
Location
Россия
To the beginnig maybe necessary unpack the files, and then something with something to compare! ;)
 

networkcameracritic

Getting the hang of it
Joined
Mar 10, 2014
Messages
719
Reaction score
203
Could be that model has that file. The equivalent on the 2-cd2xxx cameras is /dav/davinvi.tar.gz and that's been hacked before to make the day of week English, but it's somehow protected now, maybe by checksum or other ways. Anyway, both are lzma compressed, so a good place to start is to uncompress it like iTuneDVR mentioned, then you can use a disassembler to find the actual instruction that has been changed.

What sosaix has been saying is yes, the davinci program is still being hacked to make day of week English, but it's being done after the camera boots to bypass these checks. The program that's hacking davinci is /bin/rs232_check in hroot.img in the firmware or in the camera it's /dev/mtd11, mounted as initrd. I can see it's not all the work of one person as cameras I've gotten from different sources, while using the same method, have different sized rs232_check programs.
 
Top