alastairstevenson
Staff member
Have you connected any of the devices up and powered them on?
It seems they are hard-coded as Chinese.
It seems they are hard-coded as Chinese.
Hikvision G1 5.5+ firmware Exploring the Cam & attempting unlock
- Thread starter rearanger
- Start date
Just bought the harddisk drivers and installed them into NVR. Not connect and turn those DS-2CD3T86 cameras on yet.
I only want some very basic functions such as motion detection and alarms during weekend and night and sending alarms to my android or iPhone, view the cameras live from phone app, play back the recorded videos. Is it possible to get these functions? I can borrow a Chinese mobile number from a friend when registering. I can try my best to get familiar with Chinese app.
Purduephotog
Getting the hang of it
- Joined
- Oct 30, 2016
- Messages
- 204
- Reaction score
- 77
OOOh. Pick me Pick Me
Это ростелеком?
Загрузчика не достаточно будет, потому что потребуется еще шифрованная область с системными данными, а это означает, что ты сделаешь клона тому кто-то, поделился своим полным дампом.
Полноцененный у тебя хик или нет, можно понять только по дампу, но скорее всего только железо.
Yes, it's Rostelecom.
I don't fully understand, do you mean that original (hikvision) serial number/mac is encrypted? By which algorithm? It's not so many ways to encrypt config, so keys must be somewhere in firmware.
Can you share dump without sensitive data?
In my firmware I can see serial and MAC in json format like: {"sn":"157432780","hw-type":"608","eth-mac":"64db8b2b1e67"} at offset 0x100000-0x100800.
My goal is not to "make hikvision camera", but simply "make camera work". Maybe other compatible firmware exist for this model?
I don't fully understand, do you mean that original (hikvision) serial number/mac is encrypted? By which algorithm? It's not so many ways to encrypt config, so keys must be somewhere in firmware.
Can you share dump without sensitive data?
In my firmware I can see serial and MAC in json format like: {"sn":"157432780","hw-type":"608","eth-mac":"64db8b2b1e67"} at offset 0x100000-0x100800.
My goal is not to "make hikvision camera", but simply "make camera work". Maybe other compatible firmware exist for this model?
watchful_ip
Pulling my weight
The Hikvision camera has a security chip inside that stores the encrypted serial, model, mac etc. Same type of chip as a credit card.
The Hikvision firmware will read the camera data from that chip. It's bypassable but not easily.
The Hikvision firmware will read the camera data from that chip. It's bypassable but not easily.
Purduephotog
Getting the hang of it
- Joined
- Oct 30, 2016
- Messages
- 204
- Reaction score
- 77
This is the SO-IC8 chip right? Worth attaching it to a a plug and then into a smart chip reader? (I haven't bothered).
watchful_ip
Pulling my weight
Yeah it's covered in another post somewhere. It's a watchdata EMV chip the kernel talks to when asked for the cameras parameters.
You could read the data off it, by simulating how the kernel talks to it (pin codes etc). But you don't really gain from that unless you can change it which the kernel doesn't know how to do.
And just be careful - 4 years ago I was playing with it and managed to brick the chip. So now on that camera I have to bypass it in software.
You could read the data off it, by simulating how the kernel talks to it (pin codes etc). But you don't really gain from that unless you can change it which the kernel doesn't know how to do.
And just be careful - 4 years ago I was playing with it and managed to brick the chip. So now on that camera I have to bypass it in software.
If it's chip on board, then it's ok. My camera comes in hikvision box, and have hikvision logos on camera and original board.All copyrights also in place. So i think Rostelecom used genuine hikvision product with custom firmware from videocomfort (I can see some references in bootlog). I found post that describes custom firmware: Как мы научились подключать китайские камеры за 1000р к облаку. Без регистраторов и SMS (и сэкономили миллионы долларов)
Purduephotog
Getting the hang of it
- Joined
- Oct 30, 2016
- Messages
- 204
- Reaction score
- 77
I just wondered if it was worth buying and soldering another on it. Looked on digikey and they were pretty cheap.
watchful_ip
Pulling my weight
Unless you are going to program it exactly to respond in the way the kernel expects it wouldn't result in a working camera.
Bear in mind it returns encrypted camera parameter data which the kernel decrypts, so you'd need to craft/encrypt your own and program the chip to respond to the kernel correctly.
On my new G3 camera they don't even use an EMV chip which I found interesting.
Bear in mind it returns encrypted camera parameter data which the kernel decrypts, so you'd need to craft/encrypt your own and program the chip to respond to the kernel correctly.
On my new G3 camera they don't even use an EMV chip which I found interesting.
alastairstevenson
Staff member
Have you checked out the contents of mtd3 - maybe around location 0x69c ?
watchful_ip
Pulling my weight
The bootloader is encrypted, signed and secure boot, which will load an encrypted and signed kernel etc.
Last edited:
brainslayer
n3wb
just if somone want to know. i made now a patched g1 firmware for latest version. it disables all rsa checks, enables ssh and disabled psh. not much more .but it allows any future patched upgrades with web
Last edited:
alastairstevenson
Staff member
A full installable firmware or tweaked files copied in via an mImage_g1?
Do you have your own repacker?
I tried to use the pre_app_hook to boot via MicroSD but never succeeded.
brainslayer
n3wb
its only first time installable with format / update procedure. after this you install everything you want. but of course new images should be patched too, otherwise you lock yourself out again. i used a abus IPCB68620 which is a g1 and used it as playground. i will check for the preapp hook and look if there is a alternate way.
and i dont need a own repacker. the one i have does unpack and repack the latest g1 firmware without issues
i just patched davinci_bak (which must recreated with hik_repack too) to remove all RSA checks. i daemon_fsp_app to disable the rsa check for davinci_bak
i patched net_process to remove the dropbear killing code. and of course i patched initrun.sh, but this is easy of course. i can also do the same for g3, but need some dumps first to extract the keys for modifying the hik_repack too
Last edited:
brainslayer
n3wb
i checked the pre_app_hook. this has nothing todo with the sd card. its for emmc flash memory booting devices. these are soldered mmc chips. its a cheap replacement for nand flash memory.
pre_app_hook just detects these as boot device and creates some devfs crap. thats all
pre_app_hook just detects these as boot device and creates some devfs crap. thats all
rearanger
Getting the hang of it
is this leecher's hik_repack?
Have you re-writen and updated it ?
I looked at getting the web interface to do an update but did not seem to be worth the hassle. As it would be very easy to be locked out and then would have to fallback on minisys.
brainslayer
n3wb
yes this is leechers hik_repack and i did not modify it. it contains all keys for g1 platform but i have the sourcecode to add new keys once i find or get them. maybe i have just a newer version. i just started for fun with this some days ago and talked with him
but i'm not allowed to share it. you need to write to leecher to get the latest one. or i provide you the keys by pm, so you can modify whatever you have on your hdd
i patched the davinci to allow web upgrades. but it only makes sense if you stay on patched formwares of course. its just a helper to make everything easier without any need to flash with serial console and minishell..
i mean patching these 3 binaries took less than 30 minutes. so why not.
but i'm not allowed to share it. you need to write to leecher to get the latest one. or i provide you the keys by pm, so you can modify whatever you have on your hdd
i patched the davinci to allow web upgrades. but it only makes sense if you stay on patched formwares of course. its just a helper to make everything easier without any need to flash with serial console and minishell..
i mean patching these 3 binaries took less than 30 minutes. so why not.