Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

[alastairstevenson]

- firmware upgrad to 5.4.41 on 2332 stuck on reboot

You haven't said where the firmware for this camera came from. It's an 'R0' series camera.
From the 5.4.41 version - it sounds like it may be on a Hikvision security notification page. But which version did you use?

The correct set of firmware for the DS-2CD2332 is here : DOWNLOAD PORTAL

- Tried to unbrick 2332 with TFTP which stuck on "Completed file...", but didn't get a "Device update completed".

This camera is likely to be stuck in the 'Catch-22' state where the updated firmware won't run, and the downgrade to earlier firmware is blocked.
If so - quite a lot to take in, but the 'brick-fix tool' followed by the 5.3.0 to 5.2.5 downgrader should bring it back to life, with CN menus.
Then an 'mtd hack' is required, which one depending on what version of firmware you want to end up with.
Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.

 

[paloema]

Hey @alastairstevenson, I really hoped for your input. Thanks for this!

I downloaded the 2332 from: DS-2CD2332-I-Hangzhou Hikvision Digital Technology Co. Ltd., so I do not know if correct or not. To be totally honest, I guess I screwed it up and used the wrong firmware for the devices. I therefore started from scratch with double and triple checking everything and both cams working now.

What I did was disconnect both cams, use TFTP with the firmware directly as linked above (for the 2342 of course now), connect the 2342, and it worked. After that tried with 2332, but with Custom Firmware Downgrader you linked above, and this worked out!

So again, thanks for all the input here and in the other threads!

 

[alastairstevenson]

I therefore started from scratch with double and triple checking everything and both cams working now.

A good result. Well done!

 

[HobbeS]

Yes, but not permanently.
It sounds like the (unspecified) firmware was EN or EN/ML and has been applied to a CN camera.
The fix will be to use the 'whoslooking 5.3.0 to 5.2.5 downgrader', probably the CN version from the second link here : Custom Firmware Downgrader 5.3.0 Chinese to 5.2.5 English
This will get the web GUI back, in Chinese.
Then you can do the 'classic mtd hack' to get back to English menus : Hikvision 5.2.5 & 5.2.8 Full English (INC DAYS OF WEEK) mtd Hack
Or if you are feeling adventurous, you could do the 'enhanced mtd hack' to allow upgrading to 5.4.5 EN/ML : Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.
But, depending on what original firmware was on the camera (5.2.8 mostly needs this) check the bytes at 0x0C and 0x8000C in mtdblock1 and if they are 0 change them to 2.

Thank you for the quick reply!

I've tried this two days ago and tried it today again. Unfortunately I can't get it working; I've tried to use TFTP and the camera just connects fine, the file is getting transmitted and ends with device system update completed. But then the camera is not accessible for me: not on 192.0.0.64 and not via it's DHCP address..
Before I started all this the camera was on FW version 5.2.0, is it possible I use the wrong digicap.dav?

I hope you can help into a direction I can get the camera working again.

 

[alastairstevenson]

But then the camera is not accessible for me: not on 192.0.0.64 and not via it's DHCP address..

The best way to assess it is to use SADP : Hangzhou Hikvision Digital Technology Co. Ltd.
If the camera has entered the 'min-system' recovery mode due to an incompatible firmware update, there are no web services, but SADP will find it and will show it as running firmware 4.0.8
Try the other version of the 5.3.0 to 5.2.5 downgrader, there are 2 versions one with EN header, one with CN header.

 

[Mike A.]

A good result. Well done!

Do you know how Hikvision handles the firmware check for their OEM cams labeled for resellers?

I have an Annke cam that's vulnerable to the current backdoor and they have no later firmware. Hik firmware stops on install saying "The type of upgrade file mismatches."

Is there a way around that? It's an English language version so I'd guess not using a language flag in the same way mentioned above.

 

[alastairstevenson]

Do you know how Hikvision handles the firmware check for their OEM cams labeled for resellers?

This is not something I've looked into previously - however it appears to be:
There is an OEM code in the firmware header.
There is an OEM code in the mtdblock6 hardware signature block, I'd speculate in location 0x18
It looks like the firmware matches these up.
I don't suppose you have telnet or SSH access to be able to change mtdblock6?

 

[Mike A.]

This is not something I've looked into previously - however it appears to be:
There is an OEM code in the firmware header.
There is an OEM code in the mtdblock6 hardware signature block, I'd speculate in location 0x18
It looks like the firmware matches these up.
I don't suppose you have telnet or SSH access to be able to change mtdblock6?

Haven't poked around on it much. I'll have to see what's open on it and/or if there's a way in.

I do have a TTL adapter but I'm kind of reluctant to tear it apart if there's an easier firmware fix coming within some reasonable time. If not, that's an option.

 

[alastairstevenson]

Presumably the web GUI doesn't have a telnet/SSH enable.
Do have any indication what the equivalent Hikvision firmware version would be, maybe from the build date shown in Device Info?

 

[Mike A.]

Presumably the web GUI doesn't have a telnet/SSH enable.
Do have any indication what the equivalent Hikvision firmware version would be, maybe from the build date shown in Device Info?

I'm guessing that they just use the same numbering scheme. It's V5.3.5 build 161112.

The web GUI is exactly the same as Hik's just with Annke labeling. I'll look to see if there's an option to enable telnet/ssh later when I get a chance.

 

[Mike A.]

Presumably the web GUI doesn't have a telnet/SSH enable.
Do have any indication what the equivalent Hikvision firmware version would be, maybe from the build date shown in Device Info?

Enabled SSH under Configuration-Security-Security Service and I now have the login prompt. But then I locked myself out for a while after trying various default logins/passwords that I found searching around that apparently aren't right. Tried root/regular admin password, root/12345.

 

[HobbeS]

The best way to assess it is to use SADP : Hangzhou Hikvision Digital Technology Co. Ltd.
If the camera has entered the 'min-system' recovery mode due to an incompatible firmware update, there are no web services, but SADP will find it and will show it as running firmware 4.0.8
Try the other version of the 5.3.0 to 5.2.5 downgrader, there are 2 versions one with EN header, one with CN header.

Thank you for the great help Alastair!
After removing the power and powering up the camera, the camera was accessible again via 192.0.0.64.

Then I've read a couple of times how to do the enhanced mtd hack. For one camera I've modified the mtdblock1 and for both camera's mtdblock6. I'm really happy I've both camera's running firmware 5.4.5 now!
Thank you for the great support & quick response!

Is it now also possible to use the hik-connect functionality and get notifications on my iPhone when there is motion detection on a camera?

 

[alastairstevenson]

I'm really happy I've both camera's running firmware 5.4.5 now!

That's good to hear, I'm glad to be able to help, as are many others on this really useful forum.

Is it now also possible to use the hik-connect functionality and get notifications on my iPhone when there is motion detection on a camera?

Not a question I can answer, sorry, I know nothing about hik-connect. I'm blind to any such external connections, it's too easy to imagine how it could be messed with. And iPhones excellent though they may be, are not a feature for me.

 

[HobbeS]

That's good to hear, I'm glad to be able to help, as are many others on this really useful forum.


Not a question I can answer, sorry, I know nothing about hik-connect. I'm blind to any such external connections, it's too easy to imagine how it could be messed with. And iPhones excellent though they may be, are not a feature for me.

Yes, with some other topics on this forum I've managed to get the notifications also working. After more than a year not happy anymore with my camera's I'm now really happy with them again.

 

[afddwfadwfadwf]

So for Chinese DS-2CD3T45-I5 (V5.4.20 build 160726) and DS-2CD3345-I (V5.3.8 build 160108) hacked to English/non-upgradeable, what method is out there to upgrade?

I don't mind Chinese UI. Tried Chinese firmware IPC_G0_CN_STD_5.4.41_170710.zip, hikpack -L 1/2 and original dav all returned HTTP 401 on web update.

 

[xuvisku]

My camera is the model DS-2CD2032-I with firmware 5.2.5 141201.
The camera was losing its settings once a day and I decided to upgrade to the latest firmware 5.4.5 170123 downloaded directly from hikvision's website.
After the update I can no longer log in the camera and the error occurs
firmware language mismatch: /home/webLib/doc/page/login.asp

Can I downgrade from 5.4.5 to 5.2.5? What do you suggest?

Thank you.

 

[alastairstevenson]

Hikvision have implemented a 'downgrade block' to stop users fixing their cameras by installing older, working firmware.
You can, however, fix this, after quite a lot of reading, by using the 'brick-fix tool' from here : Hikvision DS-2CD2x32-I (R0) brick-fix tool / full upgrade method / fixup roundup.
You'll be far from alone in doing this - there is a lot of it around.

 

[netpirat]

Hello Guys,
i would like to update my NVR from 3.3.2 Firmware to the actually one. But I have a chinese version.

Model: DS-7732N-E4 / 16P

It is possible to make the update when a change the languarge code from 1 (EN/ML) to 2 chinese (digicap.dav). But it will not start. Beeping Beeping Beepin and only the picture NVR Embedded.

I read a lot the last two days about MTD Hack. Is it possible for that NVR, too? I have not Telnet available. I checked it today. It is frustrating. Nobody look on N or NI when he buys an NVR.

Can i get access to the root files?

I hope someone can help me.

BR

Netpirat

 

[alastairstevenson]

But it will not start. Beeping Beeping Beepin and only the picture NVR Embedded.

As your NVR is a CN model and EN firmware has been applied, behind the scenes on the console the firmware will be saying (sic) "!!!You NVR is illegal, you bought in China!!! !!!You need to contact the factory!!!" while beeping 15 times then rebooting.

To answer your questions:

It is possible to make the update when a change the languarge code from 1 (EN/ML) to 2 chinese (digicap.dav).

That only changes the language of the header in the firmware file, it does not change the internal region version of the firmware or the NVR. It's just bypassing one of the initial checks done when the update process starts.

I read a lot the last two days about MTD Hack. Is it possible for that NVR, too?

Not easily - the kernel has been coded to both hide and to prohibit changes to the 'hardware signature block' of the NVR.

Can i get access to the root files?

The easiest fix would be some 'hacked to English' firmware, which is probably what was installed by the seller when you bought the NVR.

I hope someone can help me.

Check your 'Conversations' for a potential solution.

 

[omid]

hi members