Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware
- Thread starter wzhick
- Start date
o2manyfish
n3wb
- Dec 16, 2017
- 6
- 1
Hi Everyone, Please have a bit of patience with me, trying to learn, understand and comprehend alot of new info.
I have a Hikvision / Hunt NVR -- It's been updated with the most current/available Hunt Firmware -- But some of the key features don't work. And it doesn't have IP control for home automation integration.
Last week I picked up a new NVR from another company. All the features work great and I can control it from the Home automation system. I open both units up to swap drives around and it's the exact same motherboard. (Model number not just looks the same).
The question is.... Is it possible to change the software/firmware/OS of the old one to match the new one? Is it doable without going crazy ?
Thanks for any insight or help any of you may be able to provide.
Dave
I have a Hikvision / Hunt NVR -- It's been updated with the most current/available Hunt Firmware -- But some of the key features don't work. And it doesn't have IP control for home automation integration.
Last week I picked up a new NVR from another company. All the features work great and I can control it from the Home automation system. I open both units up to swap drives around and it's the exact same motherboard. (Model number not just looks the same).
The question is.... Is it possible to change the software/firmware/OS of the old one to match the new one? Is it doable without going crazy ?
Thanks for any insight or help any of you may be able to provide.
Dave
alastairstevenson
Staff member
Without knowing anything at all about the models in question, or the firmware versions - in truth there would be no level of confidence in any answer.
o2manyfish
n3wb
- Dec 16, 2017
- 6
- 1
Old NVR is Hunt HNR51P6-16 - Firmware v3.4.96 Build 1711128 / Encoding v5.0 build 171025 / Web v4.0.1 Build 170908
I would like that to match a
Luma 510 - Firmware v3.4.95 Build 180717 / Encoding v5.0 build 180712 / Web v4.0.51 Build 180713
Does that help, or is it still not enough specific enough (not trying to sound sarcastic - asking in earnest)
Dave
I would like that to match a
Luma 510 - Firmware v3.4.95 Build 180717 / Encoding v5.0 build 180712 / Web v4.0.51 Build 180713
Does that help, or is it still not enough specific enough (not trying to sound sarcastic - asking in earnest)
Dave
alastairstevenson
Staff member
This does look very like a Hikvision DS-7716NI-E4/16P NVR, but with some spec differences that might just be erroneous (eg 12MP recording vs 6MP).
If it truly is an OEM version of that model, then there are several newer releases of Hikvision (non OEM) firmware here : DOWNLOAD EU PORTAL
Whether that could be applied and maybe add the missing functionality will depend on whether the OEM model number match is enforced in the firmware.
In an ideal world the firmware would either update as normal, or just be rejected.
But with Hikvision, firmware updates that they don't want to happen quite often come with other, unwanted consequences.
I can't find any specs for that model, if it's from Luma Surveillance. It doesn't look like they deal with end-users, just installers.
And I can't find a match for the firmware version/build for the Hikvision E, I or K series NVRs - though it will likely be an OEM version of firmware anyway with different build dates.
Firmware update by using Batch Configuration Tool:
1. Connect device to network and power on it
2. Wait some time before device is started
3. Run as administrator the Batch Configuration Tool
4. You shall see the information about all Hikvision devices at the bottom part of the screen.
5. The needed device shall be selected by click on the box before device ID. (see attached screenshot #1)
6. The security column provides the information about the device activation state.
if device is "inacive", click "Activate" button and set device password. (see attached screenshot #2)
7. Device IP address configuration.
The device IP address is shown in the "IPv4 Address" column. The default address intercom devices is 192.0.0.64.
To change IP device address (if needed), click "Edit network parameters" button and define the fixed IP address or enable DHCP.
The admin password shall be entered to apply the changes. (see attached screenshot #3)
8. Click "Add" button and enter password to add device to upper part of the screen. (see attached screenshot #4)
9. Select device at the upper part of the screen by click on the box before device ID
and click "Remote configuration" button in the "Operation" column (see attached screenshot #5)
10. Select "System Maintenance" in "Remote configuration" menu and select path to DAV file.
Click Upgrade button (see attached screenshot #6).
11. After firmware upgrade, reboot the device.
If you have intercom based on H5 platform with Chinese interface please use VIS_11_H5_INDOOR_V1.5.0_181101 firmware to change the language to English.
After upgrade intercom device by this firmware, the device is switched into "inactive" state, so you shall activate device and configure IP address to load the VIS_11_H5_INDOOR_V1.5.0_181102 firmware.
Very thanks for manual upgrade. I get from support test firmware 1.5.1 and can not upgrade it because show me error like: Upgrading failed! Error code HCNetSDK.dll[23].(Not supported.)
I write to support and he tell me that should be works. I test it on 3 devices the same model but other serial number.
I write to support and he tell me that should be works. I test it on 3 devices the same model but other serial number.
There are scripts to unpack/decrypt and encrypt/repack firmware (digicap.dav) for Hikvision IP Video Intercom and IP Door Bells devices (see attached).
To run scripts: Linux (tested on Ubuntu), Python3 and cryptodome python library are needed.
To unpack/decrypt firmware:
1) Copy digicap.dav file to the folder with scripts
2) Run script: ./unpack.sh
3) Unpacked and decrypted firmware is located in the /digicap.dav_unpacked/img folder
To encrypt/repack firmware:
1) Run script: ./repack.sh
2) repack_digicap.dav file is created.
The main application file is hicore and it is located in the hicore.tar.lzma archive.
To extract hicore file:
tar --lzma -xvpf hicore.tar.lzma
To create hicore.tar.lzma archive:
chmod 755 hicore
tar -cvf hicore.tar hicore
lzma -z hicore.tar
chmod 644 hicore.tar.lzma
rm hicore
Note: The 3DEC key for IP Video Intercom and IP Door Bells devices is stored in the .rodata section of the digicapkeyArm.ko (24 bytes at file offset 0x2C0)
To run scripts: Linux (tested on Ubuntu), Python3 and cryptodome python library are needed.
To unpack/decrypt firmware:
1) Copy digicap.dav file to the folder with scripts
2) Run script: ./unpack.sh
3) Unpacked and decrypted firmware is located in the /digicap.dav_unpacked/img folder
To encrypt/repack firmware:
1) Run script: ./repack.sh
2) repack_digicap.dav file is created.
The main application file is hicore and it is located in the hicore.tar.lzma archive.
To extract hicore file:
tar --lzma -xvpf hicore.tar.lzma
To create hicore.tar.lzma archive:
chmod 755 hicore
tar -cvf hicore.tar hicore
lzma -z hicore.tar
chmod 644 hicore.tar.lzma
rm hicore
Note: The 3DEC key for IP Video Intercom and IP Door Bells devices is stored in the .rodata section of the digicapkeyArm.ko (24 bytes at file offset 0x2C0)
But is any chance to unpack this firmware an modified translation in firmware and the repack again witch change translation.?
The language code patch for intercom indoor monitors based on H5 platform:
1. I have found, how the language code is patched in the VIS_11_H5_INDOOR_STD_V1.5.0_181101 firmware (This firmware was attached to my previous post)
The patched file is hicore.
The patched function is GET_BOOT_PARAMS.
Disassembled code:
.text:0003C53C update_language_code__loc_3C53C ; CODE XREF: GET_BOOT_PARAMS__sub_3C36C+1C0j
.text:0003C53C LDR R3, =dword_7344FC
.text:0003C540 STR R4, [R3]
.text:0003C544 MOV R3, #1 ; Load language code 1 (EN)
.text:0003C548 LDR R4, =device_boot_params_addr__dword_A55594
.text:0003C54C LDRB R2, [R4,#0x80]
.text:0003C550 STR R3, [R4,#0x10] ; Store language code (offset 0x10 in the boot params array)
.text:0003C554 CMP R2, #0
.text:0003C558 BNE loc_3C56C
.text:0003C55C BL sub_37B78
2. The disassembled code for the original firmware VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319:
.text:0003CF9C loc_3CF9C ; CODE XREF: GET_BOOT_PARAMS__sub_3CDCC+1C0j
.text:0003CF9C LDR R3, =dword_7B4468
.text:0003CFA0 STR R4, [R3]
.text:0003CFA4 LDR R4, =device_boot_params_addr_dword_B1E33C ;
.text:0003CFA4 ; --------------
.text:0003CFA4 ; Language patch:
.text:0003CFA8 LDRB R3, [R4,#0x80] ; Load language code 1 (EN) -> MOV R3, #1
.text:0003CFAC CMP R3, #0 ; Store language code (offset 0x10 in the boot params array) -> STR R3, [R4,#0x10]
.text:0003CFB0 BNE loc_3CFE4 ; Keep existing functionality -> LDRB R3, [R4,#0x80]
.text:0003CFB4 LDR R3, [R4,#0x10] ; Keep existing functionality -> CMP R3, #0
.text:0003CFB8 CMP R3, #1 ; Keep existing functionality -> BNE loc_3CFE4
.text:0003CFBC BNE loc_3CFD4 ; Keep existing functionality -> NOP
.text:0003CFC0 BL sub_38600
The language patch implementation is defined in comments.
3. I created the patched version VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319 firmware (see attached).
Also attached original and patched hicore files.
4. Loading of the patched firmware:
If you have Chinese interface:
- load VIS_11_H5_INDOOR_STD_V1.5.0_181101 firmware
- activate device
- load VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319_PATCHED firmware.
- reset device configuration
If you already have patched to English firmware:
- load VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319_PATCHED firmware.
- reset device configuration
Ok but i think about change string translation in firmware. I need correct some string in Polish language.
BTW WHere you found firmware version 1.5.1 on HikVision ?
BTW WHere you found firmware version 1.5.1 on HikVision ?
Link to the VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319 firmware (device DS-KH8301-WT): KH serie-Hikvision
This firmware version supports Polish language: http://www.hikvisioneurope.com/port...ion/VIS_11_H5_INDOOR_EN_STD_V1.5.0_181019.zip
I think you can modify "overseas.tar.lzma\overseas.tar\string\gui_value11.cfg" file and repack it.
But if i send you file firmware 1.5.1 with polish language you can unpack for me it , then i change strings in files overseas.tar.lzma\overseas.tar\string\gui_value11.cfg, then i send you corrected strings in this file for Polish Lang and then you repack me firmware 1.5.1 with polish strings corrected ? You can do it ? Thsi 1.5.1 with polish is from may 2019 and has corrected strings by me , but i found next bugs , but HikVision tell me that not corrected it in 1.5.1 because it was release. I want correct ity for me and other user. Version 1.5.1 from may 2019 i attached to this post (device DS-KH8301-WT). It has contains polish language.
Now please send me if you can file overseas.tar.lzma\overseas.tar\string\gui_value11.cfg from firmware 1.5.0 please...
BTW
Please write step by step how install on Ubuntu Python3 and cryptodome python library.
Now please send me if you can file overseas.tar.lzma\overseas.tar\string\gui_value11.cfg from firmware 1.5.0 please...
BTW
Please write step by step how install on Ubuntu Python3 and cryptodome python library.
Last edited:
Ok thanks. But what is language codding it ? I open this file in notepad ++ but polih character is not show... I have format ANSI.
Or maybe you know in what editor i can edit this file cfg with strings translation ?
Or maybe you know in what editor i can edit this file cfg with strings translation ?
Last edited:
The file information gui_value11.cfg: ISO-8859 text, with very long lines, with CRLF line terminators
But I don't know which tool may be used to edit this file.