Hikvision G1 5.5+ firmware Exploring the Cam & attempting unlock

Purduephotog

Thanks RR.

If you do get the camera apart, please shoot the MMC slot. I've got the pins for one in the camera but I'm short a resistor/cap- can't tell- and I don't want to waste my time soldering one on if there's other components I need...
 

Purduephotog

I don't have any published firmware for the camera I'm looking at- Ambarella S5 'olive' board I believe. The mini-shell you, @rearanger , have was set up for G cameras, on S3. Do you know if or have you come across any S5 boot logs to help me narrow down what this hardware revision is?

I'm *really* trying to not desolder the NAND chip and dump it. If I can push the firmware over IP, or even solder on a microSD card (appears to have all the components...) then I'd do it in a heartbeat. Assuming I still can find the spare micro cards in the right pin pattern.
 

rearanger

> I don't have any published firmware for the camera I'm looking at- Ambarella S5 'olive' board I believe. The mini-shell you, @rearanger , have was set up for G cameras, on S3. Do you know if or have you come across any S5 boot logs to help me narrow down what this hardware revision is?
>
> I'm *really* trying to not desolder the NAND chip and dump it. If I can push the firmware over IP, or even solder on a microSD card (appears to have all the components...) then I'd do it in a heartbeat. Assuming I still can find the spare micro cards in the right pin pattern.

You are better starting a separate thread; the cam you have could be totally different from the G1. Just because the SOC is similar or the same does not mean the cam's software or boot sequence will be the same.
 

Purduephotog

Interesting if the underlying structure is similar enough to run on my mystery cam.

I think I'm gonna pull up the soldering gun... So white and nerdy.
 

rearanger

Another Busybox version with telnetd/telnet



~ # busybox
BusyBox v1.22.1 (2015-10-28 21:51:02 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
or: busybox --list[-full]
or: busybox --install [-s] [DIR]
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
[, [[, add-shell, addgroup, adduser, adjtimex, ar, arping, ash, awk,
base64, basename, bash, bbconfig, blkid, blockdev, bootchartd, bunzip2,
bzcat, bzip2, cat, catv, chat, chattr, chgrp, chmod, chown, chroot,
chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc,
dd, deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
dumpleases, echo, ed, egrep, eject, env, ether-wake, expand, expr,
false, fbset, fbsplash, fdflush, fdformat, fdisk, fgconsole, fgrep,
find, findfs, flash_eraseall, flash_lock, flash_unlock, flashcp, flock,
fold, free, freeramdisk, fsck, fstrim, fsync, ftpd, ftpget, ftpput,
fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, hdparm,
head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, ifdown,
ifup, inetd, init, insmod, install, iostat, ip, ipaddr, ipcrm, ipcs,
iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd,
last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger,
login, logname, logread, losetup, ls, lsattr, lsmod, lsof, lspci,
lsusb, lzcat, lzma, makedevs, md5sum, mesg, microcom, mkdir, mkdosfs,
mke2fs, mkfifo, mkfs.ext2, mkfs.vfat, mknod, mkswap, mktemp, modinfo,
modprobe, more, mount, mountpoint, mpstat, mt, mv, nameif, nanddump,
nandwrite, nbd-client, nc, netstat, nice, nmeter, nohup, nslookup,
ntpd, od, openvt, passwd, patch, pgrep, pidof, ping, pipe_progress,
pivot_root, pkill, pmap, poweroff, powertop, printenv, printf, ps,
pscan, pstree, pwd, pwdx, rdate, rdev, readahead, readlink,
readprofile, realpath, reboot, remove-shell, renice, reset, resize,
rev, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake, run-parts,
runlevel, rx, script, sed, seq, setarch, setconsole, setkeycodes,
setlogcons, setserial, setsid, sh, sha1sum, sha256sum, sha3sum,
sha512sum, slattach, sleep, smemcap, sort, split, start-stop-daemon,
stat, strings, stty, su, sulogin, sum, swapoff, swapon, switch_root,
sync, sysctl, syslogd, tac, tail, tar, tee, telnet, telnetd, test,
tftp, tftpd, time, timeout, top, touch, tr, traceroute, true, tty,
ttysize, tune2fs, ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol,
ubiupdatevol, udhcpc, udhcpd, umount, uname, unexpand, uniq, unix2dos,
unlzma, unxz, unzip, uptime, users, usleep, uudecode, uuencode,
vconfig, vi, vlock, wall, watch, watchdog, wc, wget, which, who,
whoami, whois, xargs, xz, xzcat, yes, zcat
 


alastairstevenson

I'm going to have to do a bit of learning to catch up with the significance of that.
You've climbed a bit more of a learning curve than I.
 

alastairstevenson

I just bought a couple of spares&repairs G1 cams off eBay, so I have some devices to play with.
A DS-2CD2385G1-I with a broken ethernet interface - might be a zapped ethernet transformer, contemplating desoldering and replacing.
And a DS-2CD2135FWD-I with a corroded RJ45 connection. For £10, this is expendable.
 

btr1200

Hi all, is there any tool to decrypt the firmware DS-7104NI-Q1-M for Hikvision?
 

rearanger

Some of the newer 5.6 firmwares now delete the decrypted davinci_bak from the cam (unsure what deletes it).

All you need to do is copy a new davinci_bak to home/process then run daemon_fsp.

This will leave a decrypted davinci on the cam.

Tested on 5.6.3.
 

rearanger

Decrypted davinci 5.6.3
No special tools were used. minisys installed and daemon_fsp was used to decrypt.

Below is a failed attempt by davinci to decrypt a digicap.dav via batch update/SDK.

Test digicap.dav was a previously decrypted test file, e.g. davinci failed due to encryption.

If you use IDA or radare2 you can view some of the routines used to decrypt digicap.dav.


sdk/batch update
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=1
[02-25 09:00:38][pid:657][OTHER][ERROR]=========== Veritfy password Success!!!!!
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk 5.0 login
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=1
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk cmd type:0x113028
[02-25 09:00:38][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:00:38][pid:657][SDKCMD][ERROR]cmd_sequence =163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=1
[02-25 09:00:38][pid:657][SDKCMD][ERROR]get_sdk_process_function failed, not find this cmd_type=11124c
[02-25 09:00:38][pid:657][SDKCMD][ERROR]Unsupported command type:0x11124c
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=2
[02-25 09:00:38][pid:657][SDKCMD][ERROR]get_sdk_process_function failed, not find this cmd_type=111163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]Unsupported command type:0x111163
[02-25 09:00:38][pid:657][SDKCMD][ERROR]----add_socket[59],sdk_link_num=3
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk cmd type:0x30b00
[02-25 09:00:38][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:00:38][pid:657][HW_IF][ERROR]NOT SUPPORT get_dsp_buffer_for_upgrade
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:00:38][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[PACK][RT_ERROR][src/firm_crypt_lib.c][firm_data_verfy][951]:0 == (iRet = RSA_data_verfy(aKeyBuf, iKeyLen, pSrcBuf, iSrcLen, pDstBuf, pDstLen)) fail return eErrVal iRet=0xfffffff9!
[02-25 09:00:39][pid:657][UNI_IF][ERROR][UPG_ASSERT] 0 == firm_data_verfy(pUpgInfo->tUpgDevs.iDevSecFlag, (unsigned char *)(pUpgInfo->pFirmHead), tHeadDec.iHeadSize, aSignData, &iDstLen) fail to eRetVal UPG_STAT_ERR_PACK_SIGN=0x00000074!
[02-25 09:00:39][pid:657][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000074!
[02-25 09:00:39][pid:657][UNI_IF][ERROR]sys upg fail eUpgStat=0x74, force close slave dev!
[02-25 09:00:39][pid:657][SDKCMD][ERROR]netClient upgrade faild,retval=-39!
[02-25 09:00:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[60],sdk_link_num=1
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1333051687
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =167
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1333051687
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[57],sdk_link_num=1
[02-25 09:01:40][pid:657][SDKCMD][ERROR]----add_socket[58],sdk_link_num=2
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =168
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 1429052861
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk cmd type:0x10200
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 524998783
[02-25 09:01:40][pid:657][SDKCMD][ERROR]cmd_sequence =169
[02-25 09:01:40][pid:657][OTHER][ERROR]security_check_info.basedata_randome 524998783
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
[02-25 09:01:40][pid:657][SDKCMD][ERROR]sdk socket[-1] close success.
security_check_info.basedata_randome 1429
052861
/bin/sh: security_check_info.basedata_randome: not found
#
#
#
web gui update
# [02-26 08:52:25][pid:657][PSIA][ERROR]new session login.
# [02-26 08:52:36][pid:657][PSIA][ERROR]new session login.
[02-26 08:52:36][pid:657][HW_IF][ERROR]NOT SUPPORT get_dsp_buffer_for_upgrade
[PACK][RT_ERROR][src/firm_crypt_lib.c][firm_data_verfy][951]:0 == (iRet = RSA_data_verfy(aKeyBuf, iKeyLen, pSrcBuf, iSrcLen, pDstBuf, pDstLen)) fail return eErrVal iRet=0xfffffff9!
[02-26 08:52:37][pid:657][UNI_IF][ERROR][UPG_ASSERT] 0 == firm_data_verfy(pUpgInfo->tUpgDevs.iDevSecFlag, (unsigned char *)(pUpgInfo->pFirmHead), tHeadDec.iHeadSize, aSignData, &iDstLen) fail to eRetVal UPG_STAT_ERR_PACK_SIGN=0x00000074!
[02-26 08:52:37][pid:657][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000074!
[02-26 08:52:37][pid:657][UNI_IF][ERROR]sys upg fail eUpgStat=0x74, force close slave dev!
[02-26 08:52:37][pid:657][PSIA][ERROR]* PSIA Upgrading END **,iRet=-39
[02-26 08:52:55][pid:657][PSIA][ERROR]new session login.
#
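
As an added example (not from the post above), a small POSIX sh/awk triage function that reads a davinci upgrade log like the ones shown and reports whether the package was rejected by the RSA signature check (eUpgStat=0x74 together with the RSA_data_verfy failure), which is the line a defender watching for unsigned-firmware upload attempts would key on. The sample lines are constructed, modelled on the output above.

```shell
#!/bin/sh
# Constructed sample log, trimmed from the kind of davinci output pasted above.
SAMPLE_LOG='[02-26 08:52:36][pid:657][HW_IF][ERROR]NOT SUPPORT get_dsp_buffer_for_upgrade
[PACK][RT_ERROR][src/firm_crypt_lib.c][firm_data_verfy][951]:0 == (iRet = RSA_data_verfy(aKeyBuf, iKeyLen, pSrcBuf, iSrcLen, pDstBuf, pDstLen)) fail return eErrVal iRet=0xfffffff9!
[02-26 08:52:37][pid:657][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x00000074!
[02-26 08:52:37][pid:657][UNI_IF][ERROR]sys upg fail eUpgStat=0x74, force close slave dev!
[02-26 08:52:37][pid:657][PSIA][ERROR]* PSIA Upgrading END **,iRet=-39'

# upg_verdict LOGTEXT
# Prints one word: "ok" (no upgrade failure seen), "sign-fail" (status 0x74
# and an RSA_data_verfy failure, i.e. the package signature was rejected),
# or "fail:<code>" for any other eUpgStat value.
upg_verdict() {
    printf '%s\n' "$1" | awk '
        /RSA_data_verfy.*fail/ { rsa = 1 }
        /sys upg fail eUpgStat=/ {
            sub(/.*eUpgStat=/, "")   # keep only the status code ...
            sub(/,.*/, "")           # ... and drop the trailing text
            code = $0
        }
        END {
            if (code == "")                 { print "ok";        exit }
            if (code == "0x74" && rsa)      { print "sign-fail"; exit }
            print "fail:" code
        }'
}
```

Feed it a saved log (upg_verdict "$(cat upgrade.log)") to get the verdict from a script or a cron check.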
 



watchful_ip

Yeah it decrypts it but fails RSA check. You have to disable that as you won't be able to sign fw without Hikvision's private key

(or just copy the files over manually)
 

rearanger

> Yeah it decrypts it but fails RSA check. You have to disable that as you won't be able to sign fw without Hikvision's private key
>
> (or just copy the files over manually)

I have a working decrypted/unsigned 5.6.3 digicap.dav that can be loaded straight into montecrypto's minisys update using serial.

You can also update using montecrypto's update app from root on a live cam using telnet/shell etc.

So unsigned digicap.dav can be installed provided you have root, without use of the serial interface.

I am currently looking at the decryption routines that davinci uses (was only posting in case anyone else wanted to browse the code).
 

watchful_ip

Yep the minisys davinci is patched to disable the RSA check so that works :)
 

watchful_ip

> Some of the newer 5.6 firmwares now delete the decrypted davinci_bak from the cam (unsure what deletes it).
>
> All you need to do is copy a new davinci_bak to home/process then run daemon_fsp.
>
> This will leave a decrypted davinci on the cam.
>
> Tested on 5.6.3.

Usually davinci deletes itself after load. That's good because otherwise it just sits in memory for no reason (in addition to the running process image).
 

rearanger

> Usually davinci deletes itself after load. That's good because otherwise it just sits in memory for no reason (in addition to the running process image).

davinci_bak used to be left decrypted in "home/process" in firmwares 5.5 and earlier. Newer versions now delete it.

Also if you look at minisys, there is an update app for installing unsigned digicap.dav in minisys.
 

rearanger

Anyone interested in updating the G1 from telnet/ethernet with unsigned code: binwalk the minisys or mount the minisys on the cam.

Look at the files update & upgrade.
 

watchful_ip

> davinci_bak used to be left decrypted in "home/process" in firmwares 5.5 and earlier. Newer versions now delete it.
>
> Also if you look at minisys, there is an update app for installing unsigned digicap.dav in minisys.

It will accept unsigned as it's patched so the RSA check always returns 0 (i.e. OK).

An original minisys upgrade binary will reject the file.

One thing I always hated (and my new G3 cam is the same) is that the update script formats first, then tries to download TFTP digicap.dav and upgrade. NO! Download first, check the file is OK, THEN format and upgrade. I changed it so it doesn't do that anymore (G1 that is, not G3, which has to have a signed minisys).
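
Added example (my own, not the minisys script's code): the download, verify, then format ordering described above as a POSIX sh function, with the fetch, format and write steps as stand-in functions (assumed names) so it runs offline against a constructed file and a sha256 you supply.

```shell
#!/bin/sh
# Download -> verify -> (only then) format and write, instead of the
# format-first order the stock script uses. fetch_image, format_flash and
# write_flash are stand-ins with assumed names; in the real script the
# fetch is a TFTP get of digicap.dav and the last two touch the flash.
STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"

fetch_image() {      # $1 = source; a local path here, TFTP on the cam
    cp "$1" "$STAGE_DIR/digicap.dav"
}
verify_image() {     # $1 = expected sha256 of the package you built
    [ -s "$STAGE_DIR/digicap.dav" ] || return 1
    actual=$(sha256sum "$STAGE_DIR/digicap.dav" | cut -d' ' -f1)
    [ "$actual" = "$1" ]
}
# Stand-ins that only record what would have happened to the flash.
format_flash() { echo format >> "$STAGE_DIR/actions"; }
write_flash()  { echo write  >> "$STAGE_DIR/actions"; }

# safe_upgrade SRC SHA256: returns non-zero, with the flash untouched,
# if the download fails or the package does not match the expected hash.
safe_upgrade() {
    : > "$STAGE_DIR/actions"
    fetch_image "$1" || { echo "download failed, flash untouched" >&2; return 2; }
    verify_image "$2" || {
        echo "package hash mismatch, flash untouched" >&2
        rm -f "$STAGE_DIR/digicap.dav"
        return 3
    }
    format_flash && write_flash
}
# What the stand-in flash steps recorded, for checking the ordering.
flash_actions() { paste -s -d ' ' "$STAGE_DIR/actions"; }
```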
 

damogao

> I can send you DS-2CD3386FWDV2-IS and you can keep it as it is collecting dust for me now. All my others are bullets and this turret seemed a bit awkward to mount in my location so I won't be using it and it's a pain to sell something Chinese-only. Just send me your shipping details via PM.

Hello, can you please let me know why your DS-2CD3386FWDV2-IS is collecting dust? It seems I made a huge mistake to buy 20 pieces of DS-2CD3386FWDV2-IS and two NVRs from China. I was very scared now when reading your post. I only want some very basic functions such as motion detection and alarms during weekend and night and sending alarms to my Android or iPhone, view the cameras live from the phone app, play back the recorded videos. Can you please explain a little bit? Very appreciated.
 