Hikvision G1 5.5+ firmware Exploring the Cam & attempting unlock

Thanks RR.

If you do get the camera apart, please shoot the MMC slot. I've got the pins for one in the camera but I'm short a resistor/cap (can't tell which) and I don't want to waste my time soldering one on if there are other components I need...
 
I don't have any published firmware for the camera I'm looking at (Ambarella S5 'olive' board, I believe). The mini-shell you, @rearanger, have was set up for G cameras, on S3. Do you know of, or have you come across, any S5 boot logs to help me narrow down what this hardware revision is?

I'm *really* trying to not desolder the NAND chip and dump it. If I can push the firmware over IP, or even solder on a microSD card (appears to have all the components...) then I'd do it in a heartbeat. Assuming I still can find the spare micro cards in the right pin pattern.
 
I don't have any published firmware for the camera I'm looking at (Ambarella S5 'olive' board, I believe). The mini-shell you, @rearanger, have was set up for G cameras, on S3. Do you know of, or have you come across, any S5 boot logs to help me narrow down what this hardware revision is?

I'm *really* trying to not desolder the NAND chip and dump it. If I can push the firmware over IP, or even solder on a microSD card (appears to have all the components...) then I'd do it in a heartbeat. Assuming I still can find the spare micro cards in the right pin pattern.

You are better off starting a separate thread; the cam you have could be totally different from the G1. Just because the SoC is similar or the same does not mean the cam's software or boot sequence will be the same.
 
Interesting if the underlying structure is similar enough to run on my mystery cam.

I think I'm gonna pull up the soldering gun... So white and nerdy.
 
Another Busybox version with telnetd/telnet



~ # busybox
BusyBox v1.22.1 (2015-10-28 21:51:02 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
[, [[, add-shell, addgroup, adduser, adjtimex, ar, arping, ash, awk,
base64, basename, bash, bbconfig, blkid, blockdev, bootchartd, bunzip2,
bzcat, bzip2, cat, catv, chat, chattr, chgrp, chmod, chown, chroot,
chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc,
dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
dumpleases, echo, ed, egrep, eject, env, ether-wake, expand, expr,
false, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep,
find, findfs, flash_eraseall, flash_lock, flash_unlock, flashcp, flock,
fold, free, freeramdisk, fsck, fstrim, fsync, ftpd, ftpget, ftpput,
fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm,
head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, ifdown,
ifup, inetd, init, insmod, install, iostat, ip, ipaddr, ipcrm, ipcs,
iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd,
last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger,
login, logname, logread, losetup, ls, lsattr, lsmod, lsof, lspci,
lsusb, lzcat, lzma, makedevs, md5sum, mesg, microcom, mkdir, mkdosfs,
mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, mktemp, modinfo,
modprobe, more, mount, mountpoint, mpstat, mt, mv, nameif, nanddump,
nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup,
ntpd, od, openvt, passwd, patch, pgrep, pidof, ping, pipe_progress,
pivot_root, pkill, pmap, poweroff, powertop, printenv, printf, ps,
pscan, pstree, pwd, pwdx, rdate, rdev, readahead, readlink,
readprofile, realpath, reboot, remove-shell, renice, reset, resize,
rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake, run-parts,
runlevel, rx, script, sed, seq, setarch, setconsole, setkeycodes,
setlogcons, setserial, setsid, sh, sha1sum, sha256sum, sha3sum,
sha512sum, slattach, sleep, smemcap, sort, split, start-stop-daemon,
stat, strings, stty, su, sulogin, sum, swapoff, swapon, switch_root,
sync, sysctl, syslogd, tac, tail, tar, tee, telnet, telnetd, test,
tftp, tftpd, time, timeout, top, touch, tr, traceroute, true, tty,
ttysize, tune2fs, ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol,
ubiupdatevol, udhcpc, udhcpd, umount, uname, unexpand, uniq, unix2dos,
unlzma, unxz, unzip, uptime, users, usleep, uudecode, uuencode,
vconfig, vi, vlock, wall, watch, watchdog, wc, wget, which, who,
whoami, whois, xargs, xz, xzcat, yes, zcat
 


I just bought a couple of spares & repairs G1 cams off eBay, so I have some devices to play with.
A DS-2CD2385G1-I with a broken ethernet interface - might be a zapped ethernet transformer, contemplating desoldering and replacing.
And a DS-2CD2135FWD-I with a corroded RJ45 connection. For £10, this is expendable.
 
Some of the newer 5.6 firmwares now delete the decrypted davinci_bak from the cam (unsure what deletes it).

All you need to do is copy a new davinci_bak to home/process, then run daemon_fsp.

This will leave a decrypted davinci on the cam.

Tested on 5.6.3
 
Decrypted davinci 5.6.3
No special tools were used. minisys was installed and daemon_fsp was used to decrypt.

Below is a failed attempt by davinci to decrypt a digicap.dav via batch update/sdk

The test digicap.dav was a previously decrypted test file, e.g. davinci failed due to encryption.

If you use IDA or radare2 you can view some of the routines used to decrypt digicap.dav.


sdk/batch update
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=1
[02-25 09:00:38][pid:657][OTHER][ERROR]=========== Veritfy password Success!!!!!
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk 5.0 login
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=1
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk cmd type:0x113028
[02-25 09:00:38][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429 052861
[02-25 09:00:38][pid:657][SDKCMD][ERROR]cmd_sequence =163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=1
[02-25 09:00:38][pid:657][SDKCMD][ERROR]get_sdk_process_function failed, not fin d this cmd_type=11124c
[02-25 09:00:38][pid:657][SDKCMD][ERROR]Unsupported command type:0x11124c
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=2
[02-25 09:00:38][pid:657][SDKCMD][ERROR]get_sdk_process_function failed, not fin d this cmd_type=111163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]Unsupported command type:0x111163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[59],sdk_link_num=3
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk cmd type:0x30b00
[02-25 09:00:38][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429 052861
[02-25 09:00:38][pid:657][HW_IF][ERROR]NOT SUPPORT get_dsp_buffer_for_upgrade
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[PACK][RT_ERROR][src/firm_crypt_lib.c][firm_data_verfy][951]:0 == (iRet = RSA_data_verfy(aKeyBuf, iKeyLen, pSrcBuf, iSrcLen, pDstBuf, pDstLen)) fail return eErr Val iRet=0xfffffff9!
[02-25 09:00:39][pid:657][UNI_IF][ERROR][UPG_ASSERT] 0 == firm_data_verfy(pUpgInfo->tUpgDevs.iDevSecFlag, (unsigned char *)(pUpgInfo->pFirmHead), tHeadDec.iHead Size, aSignData, &iDstLen) fail to eRetVal UPG_STAT_ERR_PACK_SIGN=0x00000074!
[02-25 09:00:39][pid:657][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000074!
[02-25 09:00:39][pid:657][UNI_IF][ERROR]sys upg fail eUpgStat=0x74, force close slave dev!
[02-25 09:00:39][pid:657][SDKCMD][ERROR]netClient upgrade faild,retval=-39!
[02-25 09:00:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[60],sdk_link_num=1
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1333051687
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =167
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1333051687
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=1
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=2
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =168
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 524998783
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =169
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 524998783
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
security_check_info.basedata_randome 1429
052861
/bin/sh: security_check_info.basedata_randome: not found
#
#
#

web gui update
# [02-26 08:52:25][pid:657][PSIA][ERROR]new session login.
# [02-26 08:52:36][pid:657][PSIA][ERROR]new session login.
[02-26 08:52:36][pid:657][HW_IF][ERROR]NOT SUPPORT get_dsp_buffer_for_upgrade
[PACK][RT_ERROR][src/firm_crypt_lib.c][firm_data_verfy][951]:0 == (iRet = RSA_data_verfy(aKeyBuf, iKeyLen, pSrcBuf, iSrcLen, pDstBuf, pDstLen)) fail return eErrVal iRet=0xfffffff9!
[02-26 08:52:37][pid:657][UNI_IF][ERROR][UPG_ASSERT] 0 == firm_data_verfy(pUpgInfo->tUpgDevs.iDevSecFlag, (unsigned char *)(pUpgInfo->pFirmHead), tHeadDec.iHeadSize, aSignData, &iDstLen) fail to eRetVal UPG_STAT_ERR_PACK_SIGN=0x00000074!
[02-26 08:52:37][pid:657][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000074!
[02-26 08:52:37][pid:657][UNI_IF][ERROR]sys upg fail eUpgStat=0x74, force close slave dev!
[02-26 08:52:37][pid:657][PSIA][ERROR]* PSIA Upgrading END **,iRet=-39
[02-26 08:52:55][pid:657][PSIA][ERROR]new session login.
#
 

Yeah, it decrypts it but fails the RSA check. You have to disable that, as you won't be able to sign fw without Hikvision's private key.

(Or just copy the files over manually.)
 
Yeah, it decrypts it but fails the RSA check. You have to disable that, as you won't be able to sign fw without Hikvision's private key.

(Or just copy the files over manually.)
I have a working decrypted/unsigned 5.6.3 digicap.dav that can be loaded straight into montecrypto's minisys update using serial.

You can also update using montecrypto's update app from root on a live cam using telnet/shell etc

So an unsigned digicap.dav can be installed, provided you have root, without use of the serial interface.

I am currently looking at the decryption routines that davinci uses. (I was only posting in case anyone else wanted to browse the code.)
 
Yep the minisys davinci is patched to disable the RSA check so that works :)
 
Some of the newer 5.6 firmwares now delete the decrypted davinci_bak from the cam (unsure what deletes it).

All you need to do is copy a new davinci_bak to home/process, then run daemon_fsp.

This will leave a decrypted davinci on the cam.

Tested on 5.6.3
Usually davinci deletes itself after load. That's good because otherwise it just sits in memory for no reason (in addition to the running process image).
 
Usually davinci deletes itself after load. That's good because otherwise it just sits in memory for no reason (in addition to the running process image).

davinci_bak used to be left decrypted in "home/process" in firmwares 5.5 and earlier. Newer versions now delete it.

Also, if you look at minisys, there is an update app for installing an unsigned digicap.dav in minisys.
 
Anyone interested in updating the G1 from telnet/ethernet with unsigned code: binwalk the minisys or mount the minisys on the cam.

Look at the files update & upgrade
 
davinci_bak used to be left decrypted in "home/process" in firmwares 5.5 and earlier. Newer versions now delete it.

Also, if you look at minisys, there is an update app for installing an unsigned digicap.dav in minisys.

It will accept unsigned as it's patched so the RSA check always returns 0 (i.e. OK).

An original minisys upgrade binary will reject the file.

1 thing I always hated (and my new G3 cam is the same) is that the update script formats first, then tries to download the digicap.dav over TFTP and upgrade. NO! Download first, check the file is OK - THEN format and upgrade. I changed it so it doesn't do that anymore (the G1 that is, not the G3, which has to have a signed minisys).
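The "download first, verify, then format" ordering the post above argues for, as an added shell example that is not Hikvision's or montecrypto's update script: fetch_image and flash_image are hypothetical placeholders for the TFTP download and the destructive erase/write step, and a SHA-256 comparison stands in for the RSA signature check so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): fail-safe updater ordering.
# The destructive step is only reached after the image has been fully
# downloaded to scratch space and its integrity check has passed.

WORKDIR="${TMPDIR:-/tmp}/upg.$$"

# fetch_image SRC DEST -- hypothetical placeholder for the TFTP download.
# Here it just copies a local file so the example runs offline.
fetch_image() {
    cp "$1" "$2"
}

# verify_image FILE EXPECTED_SHA256 -- returns 0 only if the hash matches.
# Stands in for the RSA signature check the real updater performs.
verify_image() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# flash_image FILE -- hypothetical placeholder for "format, then write".
# Never called unless verify_image succeeded.
flash_image() {
    echo "would erase the target partition and write $1 here"
}

# safe_upgrade SRC EXPECTED_SHA256
# Exit status: 0 = flashed, 1 = download failed, 2 = verification failed.
# On 1 or 2 the device is left untouched, because nothing was erased yet.
safe_upgrade() {
    mkdir -p "$WORKDIR"
    if ! fetch_image "$1" "$WORKDIR/digicap.dav" 2>/dev/null; then
        rm -rf "$WORKDIR"
        return 1
    fi
    if ! verify_image "$WORKDIR/digicap.dav" "$2"; then
        rm -rf "$WORKDIR"
        return 2
    fi
    flash_image "$WORKDIR/digicap.dav"
    rm -rf "$WORKDIR"
    return 0
}
```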
 
I can send you DS-2CD3386FWDV2-IS and you can keep it as it is collecting dust for me now. All my others are bullets and this turret seemed a bit awkward to mount in my location so I won't be using it and it's a pain to sell something chinese-only. Just send me your shipping details via PM.
Hello, can you please let me know why your DS-2CD3386FWDV2-IS is collecting dust? It seems I made a huge mistake buying 20 pieces of the DS-2CD3386FWDV2-IS and two NVRs from China. I was very scared when reading your post. I only want some very basic functions, such as motion detection and alarms during weekends and at night, sending alarms to my Android or iPhone, viewing the cameras live from the phone app, and playing back the recorded videos. Can you please explain a little bit? Very much appreciated.