Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
If not, can I upgrade to a later Chinese version if I don't mind losing the English menus?
Yes, unless the existing firmware has been modified to disable any updates - to stop users 'bricking' the device by not realising they should not be updated.
But a Hikvision NVR will reject a CN language / region camera with a 'language mismatch' error.
 

Japtastic

n3wb
Joined
Feb 24, 2020
Messages
8
Reaction score
0
Location
U
Thanks, not using the Hikvision NVR. Just tried but it says failed to get the upgrade status. Guess I'm stuck with an insecure camera?
 

Japtastic

n3wb
Joined
Feb 24, 2020
Messages
8
Reaction score
0
Location
U
Also tried TFTP to upgrade the firmware but it repeats 'Resend Required' a few times and then does nothing. Any way around this or is this consistent with a firmware upgrade block of some kind?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
Any way around this or is this consistent with a firmware upgrade block of some kind?
'Resend required' just means a data block sent failed the CRC check and was re-sent.
The 'does nothing' probably just means the firmware was rejected as a match for the camera.

A potential way round, though needs some low-level work, is to use the serial console to break in at a root level, and upload suitably modified files.
A fair learning curve though.
 

Japtastic

n3wb
Joined
Feb 24, 2020
Messages
8
Reaction score
0
Location
U
Thanks, I'll try to find a different CN firmware version. Any idea where from?

I'm presuming there is no guide to the low-level method?
 
Joined
Jan 13, 2020
Messages
2
Reaction score
0
Location
ukraine
HI all need help
have NVR DS-7616NI-K2/16P 3.4.99 en/ml
camera DS-2CD3T25-I3 5.5.6 build 180326 cn

and when connect with protocol hikvision or onvif always hava language mismatch

Can anyone help me solve this problem?
Donate to solve .
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
Can anyone help me solve this problem?
The cause is having a Chinese camera, and a fix would require hacked firmware in the camera, which in that version is well protected from modifications.

If you don't need motion detection recording, if continuous recording is OK, add the camera as an RTSP source using a custom protocol in the NVR web GUI camera management page.
ONVIF Device Manager will show the RTSP URL for the camera, at the bottom of the Live Video page.
 
Joined
Jan 13, 2020
Messages
2
Reaction score
0
Location
ukraine
С
The cause is having a Chinese camera, and a fix would require hacked firmware in the camera, which in that version is well protected from modifications.

If you don't need motion detection recording, if continuous recording is OK, add the camera as an RTSP source using a custom protocol in the NVR web GUI camera management page.
ONVIF Device Manager will show the RTSP URL for the camera, at the bottom of the Live Video page.
Can i dowsnload firmware to nvr via com port with changed language to cn?
 

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
166
Reaction score
7
Attached repacked firmware with updated gui_value11.cfg file.
I have also updated the scripts to replace gui_value11.cfg in the overseas.tar.lzma

Please use next sequence:
1. Copy gui_value11.cfg, digicap.dav and scripts into one folder.
2. Run ./unpack.sh
3. Run ./repack.sh
4. Updated firmware: repack_digicap.dav

There is link to Cryptodome python library installation: Installation — PyCryptodome 3.9a0 documentation
Note: This library shall be installed for Python3.
Hi.
I use your script to model kh8301-wt but is any chance to also write script to unpack and repack for Door Station KV8102-Im ? please
 

Andrey1991

n3wb
Joined
Apr 24, 2020
Messages
1
Reaction score
0
Location
Russia
Good afternoon! There is an intercom KH8301 ordered from Aliexpress, multilingual firmware was installed, but over time the Hic-connect service began to fail, I decided to upgrade to a newer firmware. I installed version v1.5.1 build 190131, it was successful, the language was Russian, I decided to reset the settings, and after resetting, the language changed to Chinese, and now I can not change it. I tried to flash VIS_11_H5_INDOOR_STD_V1.5.0_181101, it is flashing without problems, but in the end the version does not change and the language remains Chinese. Apparently we need more recent firmware. With firmware VIS_11_H5_INDOOR_STD_V1.5.0_181102 the version of the language written does not match and nothing happens. Please help, not for free.
 

wildlifecam

Young grasshopper
Joined
Aug 26, 2017
Messages
35
Reaction score
3
OK - assuming that old firmware protects the exported configuration file in the same way as the more recent firmware - and also as the encryption passphrase has been openly published in the CVE associated with the 'plaintext passwords in configuration file' vulnerability, you can use command-line OpenSSL to decrypt the configuration file as follows:
Code:
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5
Then if you inspect the result with a hex editor you will see clearly that there is a 4-byte XOR encode operation needed to complete the process.
It's quite bizarre why any developer at Hikvision thinks it would be useful to just do a straight XOR of the data - there may be a reason, but it's not obvious to me.
Thanks for sharing the detailed instructions. Saved me after I lost access to one of my remote cameras. I wasn't running the latest version of the firmware that fixed the backdoor attack so I upgraded once I regained access.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
Out of curiosity - was the extracted password asdf1234 or 1111aaaa ?
These have been commonly used by the hackbots.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
Mischief - annoying people, resetting, changing passwords.
Malicious - adding them to live viewing websites. There are places that people should just not have video cameras.
Bricking them.
Footholds and botnet members.
 

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
166
Reaction score
7
Hi.
I use your script to model kh8301-wt but is any chance to also write script to unpack and repack for Door Station KV8102-Im ? please
 

DaveB007

n3wb
Joined
May 23, 2020
Messages
9
Reaction score
2
Location
Malta
Stupid question but I need to backup the original firmware from one of my cameras. I cannot find this hiktools.exe that this guide is mentioning. Can anyone please help me?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,174
Reaction score
5,239
Location
Scotland
I cannot find this hiktools.exe that this guide is mentioning
The original hiktools (which is quite dated now and limited to older firmware) is still attached to the first post of this thread.

I'm not quite sure what you mean by 'backup the original firmware'.
Could you clarify?
 

DaveB007

n3wb
Joined
May 23, 2020
Messages
9
Reaction score
2
Location
Malta
The original hiktools (which is quite dated now and limited to older firmware) is still attached to the first post of this thread.

I'm not quite sure what you mean by 'backup the original firmware'.
Could you clarify?
I have a camera IPC-D140 which has v5.4.5 170602 written on the back. I tried using TFTP to flash a new firmware but it did not work luckily it still showed in SADP but I unfortunately I cannot access it from the browser. I read somewhere people who had to flash the original firmware on the camera. So my plan is to extract a digicap.dav from one of my cameras which I still have sealed. And flash that on the camera I am having problems with.

After I reset the camera through SADP I noticed the firmware was ipc-d140 v4.0.8 build 150325
 
Top