Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

[habeschi]

i used this command to extract the dav file

test@test-VirtualBox:~$ ./hikpack -t k41 -i digicap.dav -o contents
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
------------------------------------------------
The Problem is i don't know which type of firmware i have. i just tried k41 and know it works. i can decrypt the tar.lzma files.

i use this command:

test@test-VirtualBox:~$ ./hikpack -t k41 -d webs.tar.lzma -o decrypted/webs.tar.lzma

by the way: can i use firmware from hikvision to update this OEM DVR?
Because i have a new product type and there is no firmware update available and i cant activate SSH on the DVR.
My main intention is to change the logo which is shown if no camrea is connected

 

[alastairstevenson]

by the way: can i use firmware from hikvision to update this OEM DVR?

I'm sorry but I don't know the answer to that question - too many unknowns.

 

[moh_kasab]

hello all
iam new with this firmware stuff so please help me
i want to modify the dvr firmware so that i can add new pages to the web interface that sends serial output (RS232)
how can u do it ??
i tried to create my own firmware and here the steps
1- used hiktools with digicab.dav so i got cramfs.img
2- used 7-zip with cramfs.img so that i got webs.tar.lzma

now how can i open webs.tar.lzma ??? and if i added more pages do i need to modify any files ??? finally how can i repacked the digicap.dav ???

thx in advance

 

[alastairstevenson]

now how can i open webs.tar.lzma

The firmware files are encrypted.

if i added more pages do i need to modify any files ??? finally how can i repacked the digicap.dav ???

That is quite a complicated topic that needs quite a lot of knowledge and experience - far too much to be simply answered in a post on a forum.

 

[moh_kasab]

alastairstevenson , thank you for your replay

where can i learn editing firmware or creating firmware ??? i really want to learn it

thx again

 

[alastairstevenson]

where can i learn editing firmware or creating firmware

Maybe not specifically for Hikvision devices - but the same principles apply - there are loads of resources on the internet on the subject, try these google searches for example :
reverse engineering embedded systems
how to unpack and repack cramfs images

 

[masztalski76]

Hi,
I'm new here and need your help.
I have the Hikvision DS-2CD2232-I5 chinese cam with the original hacked international/english firmware from provider: V5.2.5 build 141201.
Is there a way to update the firmware to the current official version: IPC - DS-2xx2_5.4.5_170123 (Oops:The page you are visiting may have been deleted,renamed or inaccessible.
Maybe by modifying the language flag or something else in the version?
Alternatively, can somebody provide me the hacked english version 5.4.5 for the chinese cam?

Thank you very much in advance for your answer and support.

 

[alastairstevenson]

Is there a way to update the firmware to the current official version: IPC - DS-2xx2_5.4.5_170123

Yes, there is, if you are willing and able to follow some steps.
Lots of people have had good success with this :

Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Make sure to run the 'prtHardInfo' command at the shell prompt to confirm the devType of your specific camera.

*edit* And the needed R0 5.4.5 firmware is here : DOWNLOAD PORTAL

 

[Alisukov]

Good afternoon, tell me how to open (decrypt) the configuration file of the Hikvision DS-2CD2032-I camera firmware V5.1.2. Thank you

 

[alastairstevenson]

tell me how to open (decrypt) the configuration file of the Hikvision DS-2CD2032-I camera firmware V5.1.2

OK - assuming that old firmware protects the exported configuration file in the same way as the more recent firmware - and also as the encryption passphrase has been openly published in the CVE associated with the 'plaintext passwords in configuration file' vulnerability, you can use command-line OpenSSL to decrypt the configuration file as follows:

openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5

Then if you inspect the result with a hex editor you will see clearly that there is a 4-byte XOR encode operation needed to complete the process.
It's quite bizarre why any developer at Hikvision thinks it would be useful to just do a straight XOR of the data - there may be a reason, but it's not obvious to me.

 

[David101]

Hello everyone,
I am new to the forum and IP cameras.

I bought a hik vision NVR off eBay, the language is chinese, I can't find English on the drop down menu.

Here are the NVR details

DS 7608N-E2/8P
Serial **********AARR*********WCVU
Master version V3.0.10 build 141126
Coding version: V5.0 build 140816


I got some questions if someone can hopefully answer.


1) is my NVR Chinese? I know it has RR in the serial but chinese is the only language on the menu.

2) can I change the language to English??
Any guide for dummies would be appreciated.

3) I haven't bought any camera yet, but would I need to buy chinese camera or European or international to prevent a language mismatch.

4) is it possible to update the firmware to English without bricking the NVR.


I know i have asked a lot but new to this so I am trying to figure this all out.


Thank in advance.

 

[alastairstevenson]

I bought a hik vision NVR off eBay, the language is chinese, I can't find English on the drop down menu.

Was the language advised in the eBay listing?
If 'not as described' it might be easiest to return it.
The alternative is to install hacked firmware.

4) is it possible to update the firmware to English without bricking the NVR.

It's likely you will get the 15-beep bootloop "!!!You device is illegal !!! !!!You bought in China!!! !!!You must call factory!!!" or words to that effect.
Bricked as good as.

 

[David101]

Was the language advised in the eBay listing?
If 'not as described' it might be easiest to return it.
The alternative is to install hacked firmware.

It's likely you will get the 15-beep bootloop "!!!You device is illegal !!! !!!You bought in China!!! !!!You must call factory!!!" or words to that effect.
Bricked as good as.

Thanks for the reply

Is there a guide to installing a hack firmware.

 

[Alisukov]

Thanks that responded to help, I'm not such an advanced user
Your phrase
you can use the -line OpenSSL command to decrypt the configuration file as follows:
I understand that this is an SSL request. And it is possible to open the configuration file without accessing the camera

 

[alastairstevenson]

I understand that this is an SSL request.

It's actually an AES decryption command - it just happens to be part of the large suite of facilities under the OpenSSL software.
A configuration file can be extracted from a camera by exploiting the 'Hikvision backdoor' vulnerability for cameras with firmware no later than 5.4.41 *edit* earlier than 5.4.41 (and I forget what early version is vulnerable).
There is an HTTP example somewhere of how to extract a configuration file without requiring a password.

 

[alastairstevenson]

This is all in the public domain:

Here is the HTTP example that can be used against a Hikvision camera without knowing the logon credentials :

http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Then use the command

openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5

This results in a file that is statically XOR encoded and is obvious by inspection of the contents.

 

[Alisukov]

Thank you for directing in the right direction, about the first one I knew that without knowing the login credentials you can get a configuration and a screenshot, etc. On your command received a file decryptedoutput I'm sorry that it's dull, and what this file is decoded. When you open the notebook (L "¤ G_ђ_DrЉFD: uu2 2 2 <UDs <UDs <UDs <UDs <UDs <UDq" WD + <UDr <UDl <UDs <UD) that's what it writes.
You can expand on your words-
"This results in a file that is statically encoded by XOR and is obvious by checking the contents"Configuration_File
Thanks

 

[alastairstevenson]

When you open the notebook (L "¤ G_ђ_DrЉFD: uu2 2 2 <UDs <UDs <UDs <UDs <UDs <UDq" WD + <UDr <UDl <UDs <UD) that's what it writes.

Remember that this is a binary file - so it cannot be opened with a text editor or similar.
To examine it you would need a hex editor or hex dump program.
This is a hex view of the decrypted output of your first configuration file, using the Linux wxHexEditor :

As the file is fairly sparse, has a lot of nulls in it, you can see by inspection what the simple XOR hex key would be - 73 8B 55 44
There are various tools that would do an XOR decode of the file - but it just happens that wxhexEditor has a handy XOR 'view through' function.


And this is the result when it is applied :

 

[Alisukov]

Thanks for helping to make it work.

 

[alastairstevenson]

Thanks for helping to make it work.

You are welcome.
It's a big vulnerability - the ability to anonymously extract the configuration file and see the plaintext contents.
I wonder how much this is being exploited over the internet for those Hikvision cameras that have been 'port forwarded' ?