Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

habeschi

I used this command to extract the dav file:

test@test-VirtualBox:~$ ./hikpack -t k41 -i digicap.dav -o contents
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
------------------------------------------------
The problem is I don't know which type of firmware I have. I just tried k41 and know it works. I can decrypt the tar.lzma files.

I use this command:

test@test-VirtualBox:~$ ./hikpack -t k41 -d webs.tar.lzma -o decrypted/webs.tar.lzma

By the way: can I use firmware from Hikvision to update this OEM DVR?
Because I have a new product type and there is no firmware update available and I can't activate SSH on the DVR.
My main intention is to change the logo which is shown if no camera is connected.
 

moh_kasab

Hello all,
I am new with this firmware stuff so please help me.
I want to modify the DVR firmware so that I can add new pages to the web interface that send serial output (RS232).
How can you do it?
I tried to create my own firmware and here are the steps:
1- used hiktools with digicap.dav so I got cramfs.img
2- used 7-zip with cramfs.img so that I got webs.tar.lzma

Now how can I open webs.tar.lzma? And if I add more pages do I need to modify any files? Finally, how can I repack the digicap.dav?

Thx in advance
 

alastairstevenson

> now how can i open webs.tar.lzma
The firmware files are encrypted.
> if i added more pages do i need to modify any files ??? finally how can i repacked the digicap.dav ???
That is quite a complicated topic that needs quite a lot of knowledge and experience - far too much to be simply answered in a post on a forum.
 

moh_kasab

alastairstevenson, thank you for your reply.

Where can I learn editing firmware or creating firmware? I really want to learn it.

Thx again
 

alastairstevenson

> where can i learn editing firmware or creating firmware
Maybe not specifically for Hikvision devices - but the same principles apply - there are loads of resources on the internet on the subject, try these Google searches for example:
reverse engineering embedded systems
how to unpack and repack cramfs images
 
Joined
Jul 21, 2016
Messages
1
Reaction score
0
Hi,
I'm new here and need your help.
I have the Hikvision DS-2CD2232-I5 Chinese cam with the original hacked international/English firmware from provider: V5.2.5 build 141201.
Is there a way to update the firmware to the current official version: IPC - DS-2xx2_5.4.5_170123?
Maybe by modifying the language flag or something else in the version?
Alternatively, can somebody provide me the hacked English version 5.4.5 for the Chinese cam?

Thank you very much in advance for your answer and support.
 

alastairstevenson

> Is there a way to update the firmware to the current official version: IPC - DS-2xx2_5.4.5_170123
Yes, there is, if you are willing and able to follow some steps.
Lots of people have had good success with this :

Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Make sure to run the 'prtHardInfo' command at the shell prompt to confirm the devType of your specific camera.

*edit* And the needed R0 5.4.5 firmware is here : DOWNLOAD PORTAL
 

Alisukov

Good afternoon, tell me how to open (decrypt) the configuration file of the Hikvision DS-2CD2032-I camera firmware V5.1.2. Thank you
 

alastairstevenson

> tell me how to open (decrypt) the configuration file of the Hikvision DS-2CD2032-I camera firmware V5.1.2
OK - assuming that old firmware protects the exported configuration file in the same way as the more recent firmware - and also as the encryption passphrase has been openly published in the CVE associated with the 'plaintext passwords in configuration file' vulnerability, you can use command-line OpenSSL to decrypt the configuration file as follows:
Code:
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
Then if you inspect the result with a hex editor you will see clearly that there is a 4-byte XOR encode operation needed to complete the process.
It's quite bizarre why any developer at Hikvision thinks it would be useful to just do a straight XOR of the data - there may be a reason, but it's not obvious to me.
 

David101

Hello everyone,
I am new to the forum and IP cameras.

I bought a Hikvision NVR off eBay, the language is Chinese, I can't find English on the drop down menu.

Here are the NVR details

DS 7608N-E2/8P
Serial **********AARR*********WCVU
Master version V3.0.10 build 141126
Coding version: V5.0 build 140816


I got some questions if someone can hopefully answer.


1) Is my NVR Chinese? I know it has RR in the serial but Chinese is the only language on the menu.

2) Can I change the language to English?
Any guide for dummies would be appreciated.

3) I haven't bought any camera yet, but would I need to buy a Chinese camera or European or international to prevent a language mismatch?

4) Is it possible to update the firmware to English without bricking the NVR?


I know I have asked a lot but I am new to this so I am trying to figure this all out.


Thanks in advance.
 

alastairstevenson

> I bought a hik vision NVR off eBay, the language is chinese, I can't find English on the drop down menu.
Was the language advised in the eBay listing?
If 'not as described' it might be easiest to return it.
The alternative is to install hacked firmware.
> 4) is it possible to update the firmware to English without bricking the NVR.
It's likely you will get the 15-beep bootloop "!!!You device is illegal !!! !!!You bought in China!!! !!!You must call factory!!!" or words to that effect.
Bricked as good as.
 

David101

> Was the language advised in the eBay listing?
> If 'not as described' it might be easiest to return it.
> The alternative is to install hacked firmware.
>
> It's likely you will get the 15-beep bootloop "!!!You device is illegal !!! !!!You bought in China!!! !!!You must call factory!!!" or words to that effect.
> Bricked as good as.

Thanks for the reply.

Is there a guide to installing a hacked firmware?
 

Alisukov

Thanks that responded to help, I'm not such an advanced user
Your phrase
you can use the -line OpenSSL command to decrypt the configuration file as follows:
I understand that this is an SSL request. And it is possible to open the configuration file without accessing the camera
 

alastairstevenson

> I understand that this is an SSL request.
It's actually an AES decryption command - it just happens to be part of the large suite of facilities under the OpenSSL software.
A configuration file can be extracted from a camera by exploiting the 'Hikvision backdoor' vulnerability for cameras with firmware no later than 5.4.41 *edit* earlier than 5.4.41 (and I forget what early version is vulnerable).
There is an HTTP example somewhere of how to extract a configuration file without requiring a password.
 

alastairstevenson

This is all in the public domain:

Here is the HTTP example that can be used against a Hikvision camera without knowing the logon credentials :
Code:
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
Then use the command
Code:
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
This results in a file that is statically XOR encoded and is obvious by inspection of the contents.
 

Alisukov

Thank you for directing in the right direction, about the first one I knew that without knowing the login credentials you can get a configuration and a screenshot, etc. On your command received a file decryptedoutput I'm sorry that it's dull, and what this file is decoded. When you open the notebook (L "¤ G_ђ_DrЉFD: uu2 2 2 <UDs <UDs <UDs <UDs <UDs <UDq" WD + <UDr <UDl <UDs <UD) that's what it writes.
You can expand on your words-
"This results in a file that is statically encoded by XOR and is obvious by checking the contents"Configuration_File
Thanks
 

alastairstevenson

> When you open the notebook (L "¤ G_ђ_DrЉFD: uu2 2 2 <UDs <UDs <UDs <UDs <UDs <UDq" WD + <UDr <UDl <UDs <UD) that's what it writes.
Remember that this is a binary file - so it cannot be opened with a text editor or similar.
To examine it you would need a hex editor or hex dump program.
This is a hex view of the decrypted output of your first configuration file, using the Linux wxHexEditor :
upload_2018-3-10_10-30-25.png
As the file is fairly sparse, has a lot of nulls in it, you can see by inspection what the simple XOR hex key would be - 73 8B 55 44
There are various tools that would do an XOR decode of the file - but it just happens that wxHexEditor has a handy XOR 'view through' function.
upload_2018-3-10_10-42-14.png

And this is the result when it is applied :

upload_2018-3-10_10-44-56.png
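
The by-inspection step described in the post above can also be done programmatically. This Python sketch is an added example, not part of the original posts: it assumes the AES-decrypted file is mostly nulls, so the most frequent byte at each of the four key positions is the key byte itself, and it reports a confidence figure for when that assumption fails. The sample buffer and its field names are constructed.

```python
from collections import Counter

def infer_xor_key(data: bytes, key_len: int = 4):
    """Guess a repeating XOR key, assuming the plaintext is mostly 0x00.

    Returns (key, confidence). Confidence is the lowest share, across the
    key positions, of bytes equal to the guessed key byte; a low value
    means the 'mostly nulls' assumption does not hold for this input.
    """
    if len(data) < key_len:
        raise ValueError("input shorter than the key length")
    key, shares = bytearray(), []
    for pos in range(key_len):
        column = data[pos::key_len]            # every byte XORed with key[pos]
        byte, count = Counter(column).most_common(1)[0]
        key.append(byte)                       # 0x00 XOR k == k
        shares.append(count / len(column))
    return bytes(key), min(shares)

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key (the same call encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_sample():
    """Constructed stand-in for an AES-decrypted export: sparse, null-padded."""
    plain = (b"\x00" * 64 + b"devName=LAB-CAM-01" + b"\x00" * 46
             + b"ntp=192.0.2.10" + b"\x00" * 50)
    return plain, xor_decode(plain, bytes.fromhex("738b5544"))

if __name__ == "__main__":
    plain, encoded = build_sample()
    key, confidence = infer_xor_key(encoded)
    print("key:", key.hex(" "), "confidence: %.2f" % confidence)
    print(xor_decode(encoded, key)[60:90])
```

That a frequency count recovers the key from the data alone is why the static XOR layer adds no confidentiality to the exported file.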
 

alastairstevenson

Thanks for helping to make it work.
You are welcome.
It's a big vulnerability - the ability to anonymously extract the configuration file and see the plaintext contents.
I wonder how much this is being exploited over the internet for those Hikvision cameras that have been 'port forwarded' ?
 