Hikvision TFTP server tool.

remy9

Hikvision issue

Hi there,

To anyone who is interested in helping. I bought a couple of Hik Cams 2cd3335-I off ebay (Chinese multi lang as far as I can tell) and now one of them has mysteriously stopped allowing me into the web server, it connects to the network but that's about it. IVMS says it's offline and SADP shows it's there. All I know is, it was working one day, now it isn't. One other thing which I'd like to mention is since I got the cams, I've noticed some peculiar behaviour on my network and computer, things like being locked out of my router, mouse pointer inexplicably moving across the screen and some very dodgy Wireshark traffic, all in all needless to say got me wondering, have these cams got some sort of backdoor trojan capabilities, maybe I'm being paranoid but I reset the router and flattened my pc all the same just in case. Now I'm wondering how could I find out if there was anything untoward in the cam and can I flash them with something reliable. I did a port scan of the cam but nothing shows. All very strange really. Anyway, I'm looking for this TFTP server tool so I can begin looking into the possibility of recovering the cam. I tried a load of links from various posts but they were old posts and nothing turned up in the links, and I'm frankly going blind trying to find it. If anybody can help me out with this I would appreciate it very much.

Thanks!
 

Enabler

These cameras are computers so of course the possibility exists for malware. I've never seen any though from all my aliexpress cams and it doesn't sound like it would be in the seller's interest, though I've never bought from ebay.

When you say dodgy network traffic what do you mean? Cameras will try to connect to Hikvision services if enabled so that's normal. If from your PC then there are lots of more likely causes than anything camera related.

I'd run a proper scan of your computer if you're having problems (or a reinstalled computer anyway). The prime way for malware to get from a camera to your computer would be webcomponents.exe

You can always download it and post the md5sum of it so we can check (if you can get the web pages working)

I wouldn't TFTP it except as a last resort as it will be Chinese afterwards.

I highly doubt the camera is to blame but of course it's sensible to check.

No offence but your post is one big block of text with a thread title that doesn't really describe the issues you refer to.
 

alastairstevenson

> IVMS says it's offline and SADP shows it's there.
What exactly does SADP show?
A bit more detail and you may get helpful responses.
What is the IP address, is it on your network segment?
What version of firmware does it show? If it is 4.0.8 or so, the camera may be in the 'min-system' recovery mode, with no web services running, but with telnet and tftp available to fix up and update.
 

remy9

Hi Enabler,

First of all thanks for getting back! Yeah sorry about the big block of text, I had a lot to get off my chest and wasn't thinking about the composition.

Not in the seller's interest, true, but this depends on the seller and their interests. So I will remain suspicious for now based on my op.

In terms of Wireshark, I have quietened down my network to the point that when I look at traffic and tcp streams that pop up I know what they are or can check the ip address and see where it's going, I saw unusual tcp streams with payloads in them that I thought was dodge. I'm not an expert in any of this and realise that without comprehensive knowledge of these tools could lead one to think one thing when it's something else, but that's part of the investigative process.

You mention these cams try to connect to Hikvision services, wasn't aware they could do that without the user's authority. Not sure I like that either. I'll look into this a bit more.

I did the scans, but in the end I flattened my machine and had to do a hard reset of my router. This also has the effect of changing my ip address. Now everything is back to normal. Except I have one cam that works and one that doesn't.

I have done a bit of research into ip cam firmware, and it was the case where custom mods were being made containing back doors and the like, and some cams were shown to have fundamentally broken security. I don't think this activity has stopped, and hope this is not the case.

I know that without getting data off the camera this is going to be hard to find out, and even if I could get the data it would be difficult to tell but I'd like to explore the low hanging fruit so to speak and see what we can determine and maybe fix the cam in the process.

Ok, so let's start with the md5sum, I can't access the web server through a browser whatsoever tho. I did nmap scan and no ports are open, if I do a ping -Pn option the host is up. SADP shows it on the network security is active, address has been given by the DHCP and is on the same subnet, it looks normal.

In device management in IVMS - when I add the cam to device list, the device serial No is missing and is reporting offline.

I thought about if I could reset the web server to defaults, that might be a start, but I can't find a way to do this. I read about reset buttons inside these things but mine doesn't have one, it has a very small button battery tho. Which may be for storing configuration settings, but is soldered to its contacts so making removal difficult.

Thanks again for your time!
 

remy9

Hey alastairstevenson,

Thanks for chiming in and taking an interest. The firmware is 5.3.3 150803. I got a TFTPUtil but it's not the Hikvision one and read somewhere that you need that one if you want to do what you're saying, but I can't find it anywhere? Network wise it's all good according to the SADP tool, but it's clearly not.

So don't know really..
 

alastairstevenson

> The firmware is 5.3.3 150803.
OK, so it's not reverted to 'min-system' mode. That's visible with SADP but just runs a basic kernel with no web services active.
Hikvision have taken their specific tftp updater tool off their websites, but you can find one inside the download link at the first post here: https://www.ipcamtalk.com/showthread.php/4036-Custom-Firmware-Downgrader-5-3-0-Chinese-to-5-2-5-English
Be aware that your PC firewall may block the needed inbound access if you don't respond by allowing all properly to the 'Windows has blocked ...' popup the first time you run it.
If you are into network capture, an indication of the bootloader probing for the tftp server is a udp packet, some info here:
https://www.ipcamtalk.com/showthread.php/3647-Hikvision-DS-2032-I-Console-Recovery?p=31045&viewfull=1#post31045
But it may be that the newer instances of the bootloader may behave differently, certainly the 'magic number' has now been changed, so no guarantee you'll see that.
With the serial console access, just a standard tftp server works fine for updating.
 

alastairstevenson

Looks normal enough except that I see no response from 192.0.0.128 to the ARP request from the camera, does that mean your PC was not set on 192.0.0.128?
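
The check raised in this reply (did anything at 192.0.0.128 answer the camera's ARP request?), as an added example that is not part of the original post or of any Hikvision tool. It assumes the capture has already been exported as raw Ethernet frames; the sample frames, MAC addresses and the camera address 192.0.0.64 are constructed for the demonstration.

```python
import socket
import struct

ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
TFTP_SERVER_IP = "192.0.0.128"  # address mentioned in the thread


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def probe_status(frames, server_ip=TFTP_SERVER_IP):
    """Map each host that sent an ARP request for server_ip to whether it got a reply."""
    status = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, _mac, sender_ip, target_ip = arp
        if oper == ARP_REQUEST and target_ip == server_ip:
            status.setdefault(sender_ip, False)
        elif oper == ARP_REPLY and sender_ip == server_ip and target_ip in status:
            status[target_ip] = True
    return status


def build_arp(oper, sha, spa, tha, tpa):
    """Build one constructed Ethernet+ARP frame for the sample captures below."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return dst + sha + struct.pack("!H", ETH_ARP) + body


# Constructed sample data: MACs and the camera address are made up for the example.
CAM_MAC, PC_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CAM_IP = "192.0.0.64"
REQUEST = build_arp(ARP_REQUEST, CAM_MAC, CAM_IP, b"\x00" * 6, TFTP_SERVER_IP)
REPLY = build_arp(ARP_REPLY, PC_MAC, TFTP_SERVER_IP, CAM_MAC, CAM_IP)
UNANSWERED = [REQUEST, REQUEST, REQUEST]   # PC not configured as 192.0.0.128
ANSWERED = [REQUEST, REPLY]                # PC holds 192.0.0.128 and answers

if __name__ == "__main__":
    for name, capture in (("unanswered", UNANSWERED), ("answered", ANSWERED)):
        for host, ok in probe_status(capture).items():
            print(f"{name}: {host} asked for {TFTP_SERVER_IP}, reply seen: {ok}")
```

A `False` result for the camera's address means the probe went unanswered, which matches the situation asked about above.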
 

remy9

No no, that was just a quick scan to see what traffic was generated when turning it on as it currently stands. Goes quiet after that. So if it looks ok, I'll try the tool to see if it connects. I don't have any replacement firmware yet, nor know what to use. I saw in the other link you posted there was mention of cloning a good cam but don't know much about that, and would that be necessary? Will try the tool later this evening.. Cheers!
 

remy9

Ha ha, yes.. well maybe in another life. Dude, this is great stuff, I'll use it if I have to. I can always take screen grabs off the working cam and reference that to know what settings I'm messing about with. I did see something about using the American version of the firmware but that involves changing the region lock or something.. sounds interesting.

In the beginning, and in my naivety got in touch with Hikvision tech support, as soon as they found out it wasn't from one of their trusted partners didn't want to have anything to do with me.. which I thought was a bit harsh because any other piece of tech I've bought most companies will help you out of a bind..

anyway, short story long, they did tell me the firmware as reported by the camera (5.3.3 150803) and what was on a stuck-on label on the box (5.3.3 150925) was nothing they recognize, so got me wondering...

and I see the one on the Chinese site is V5.3.1 Build150424 all very confusing and hurting my head..
 

Enabler

> Hi Enabler,
>
> First of all thanks for getting back! Yeah sorry about the big block of text, I had a lot to get off my chest and wasn't thinking about the composition.

No worries mate - much better this time! :)

> Not in the seller's interest, true, but this depends on the seller and their interests. So I will remain suspicious for now based on my op.

Totally reasonable I just wanted to let you know this is unlikely but of course keep an open mind.

> You mention these cams try to connect to Hikvision services, wasn't aware they could do that without the user's authority. Not sure I like that either. I'll look into this a bit more.

Agreed - but it's normal. So just be aware a camera by default will do this.

> I have done a bit of research into ip cam firmware, and it was the case where custom mods were being made containing back doors and the like, and some cams were shown to have fundamentally broken security. I don't think this activity has stopped, and hope this is not the case.

Never seen this on a 2xx5 camera which has much higher security on it - but again best approach is to be sceptical which is what you're doing.

> Ok, so let's start with the md5sum, I can't access the web server through a browser whatsoever tho. I did nmap scan and no ports are open, if I do a ping -Pn option the host is up. SADP shows it on the network security is active, address has been given by the DHCP and is on the same subnet, it looks normal.

If SADP sees the camera then a port must be open. Did you scan all 65535 ports?

5.3.3 150803 does exist and is fine - they are probably talking about something else. This camera is normally only sold in China so I wouldn't expect Tech Support from other regions to know about it.

5.3.3 150925 does not exist but 5.3.5 150925 does.

this camera doesn't have a recovery partition and I wouldn't expect it to show as 4.0.8 in SADP if there's a problem.

If you really want to TFTP it you don't need to open the camera, just use the Hikvision TFTP (which provides the magic packet) and 5.3.5 150925 posted elsewhere on this forum. The camera will be Chinese after though and won't work with non Chinese iVMS/NVRs etc.
 

alastairstevenson

> In the beginning, and in my naivety got in touch with Hikvision tech support, as soon as they found out it wasn't from one of their trusted partners didn't want to have anything to do with me.. which I thought was a bit harsh because any other piece of tech I've bought most companies will help you out of a bind..
Yes, an unfortunately common situation for Hikvision, despite the warm words on their websites about technical support. In my view it does their brand harm to have that bad unhelpful attitude to their indirect customers.

> firmware as reported by the camera (5.3.3 150803) and what on a stuck on label on the box (5.3.3 150925)
It's generally a good sign when these are the same - it could be interpreted as indicating the seller has not installed 'hacked to English' firmware as is so common - and is actually helpful in getting a good cheap camera that works with your NVR, until you wipe over the hacked firmware with an 'official' update...
But this has got me wondering - I have a 3335 that's all Chinese (the xxx5 is considered a China-only model) and has 5.3.3 150514 firmware. Yours you say was multi-language.
Does SADP report the same version of firmware as the label?
On what's on the website vs what's on what you buy - it's often quite a while before what they put on during manufacture appears on the website. It sounds like yours is pretty up to date, if it was multi-language.
As a long shot it may be worth asking the seller if they could source the firmware for you. They will likely have some helpful 'engineer' doing that stuff for them.
 

alastairstevenson

> this camera doesn't have a recovery partition and I wouldn't expect it to show as 4.0.8 in SADP if there's a problem.
That's interesting - I didn't know that, thanks. It was always a good indicator.
I'll try to fix that in my brain.
 

alastairstevenson

> 5.3.5 150925 posted elsewhere on this forum.
Do you have a link for that? I don't recall seeing that here for the 3335.
Query - are you sure that will work? The 3335 uses the HiSilicon 3516a, quite different from the 2-series cameras.
 

remy9

Oh great cheers, thanks for that. No you're right the label on the box is 5.3.5 150925.. my bad. Yeah, did a scan of all ports.. nadda showed up.

Well, this region thing is making sense to me now, but I didn't think IP Cams fell foul to this sort of thing.. down with this sort of thing! as father ted would say. :)

Well, the question I'm wondering now, is why have one firmware in the device and stick a label saying different on the box? Does it mean up-gradable?

so here's the output of the downgrader tool :

[2016-01-28 22:24:32] Start file[C:\Users\Ha\Desktop\TFTP\5.30 Downgrader\digicap.dav] transmitting
[2016-01-28 22:24:35] Resend required
[2016-01-28 22:24:37] Resend required
[2016-01-28 22:24:40] Resend required
[2016-01-28 22:24:43] Completed file[C:\Users\Ha\Desktop\TFTP\5.30 Downgrader\digicap.dav] transmit

Sort of a success I suppose, But nothing happened after more than 5 minutes.. so I pulled the plug and reset everything, opened SADP and it was still saying the same setting as before.. no change. Maybe I didn't wait long enough. I've yet to try the Chinese firmware for that cam.. but based on what you're saying 5.3.3 150803 does exist and so does 5.3.3 150925 but I don't see them anywhere..

Thanks again for your input, you're helping relieve my paranoia. ;)
 

alastairstevenson

> Well, the question I'm wondering now, is why have one firmware in the device and stick a label saying different on the box? Does it mean up-gradable?
This suggests the seller, or someone in the chain, has installed a hacked version of the firmware to put multi-language on a normally CN-only camera.
It would be good to get the seller to supply that firmware.

I'm pretty sure the 5.3.0 to 5.2.5 downgrader firmware (if that is what you are trying above) will not work on this camera. The SoC, and a whole bunch of other internals, are quite different from the 2-series that the downgrade firmware was derived from.
I think you're likely to have success, but Chinese menus, with the one from the Hik CN site.
Unless someone on here has a copy of a hacked ML or EN version they could offer.
 

remy9

> Does SADP report the same version of firmware as the label?

no, it's 5.3.5 150925 on the box, and 5.3.3 150803 in the device.

> As a long shot it may be worth asking the seller if they could source the firmware for you. They will likely have some helpful 'engineer' doing that stuff for them.

Well, funny you mention that, I did get in touch and they want me to connect with their 'engineer' via skype - but that's not happening. I explained the situation and showed them the details via screen shots, and asked if they send me the firmware I'll fix it, otherwise it goes back. I'd rather not send it back if it's a case of re-flashing the firmware..
 

Enabler

> Do you have a link for that? I don't recall seeing that here for the 3335.
> Query - are you sure that will work? The 3335 uses the HiSilicon 3516a, quite different from the 2-series cameras.

I saw it but sorry don't have the link handy.

There seems to be a strong view that 2xx5 and 3xx5 are different inside - I really don't think they are.

The casing and associated IP rating are different - but everything else (including WDR) are the same in my experience despite anything said on Hikvision websites.

Both are hi3516a and use the same firmware.
 

Enabler

> Oh great cheers, thanks for that. No you're right the label on the box is 5.3.5 150925.. my bad. Yeah, did a scan of all ports.. nadda showed up.

OK run Wireshark and SADP at same time - should be traffic to and from camera showing ports

alastair is right - this is hacked firmware to enable other languages. Hikvision don't make English firmware for this camera on purpose because they like to control the markets and charge more (sometimes LOTS more) for cameras sold outside China.

Hacked firmware isn't a bad thing (unless you are Hikvision) - but it does mean you can't just upgrade yourself without losing English with these.

Sorry can't find link 5.3.5 on here but I remember it was posted.
 

Enabler

If the camera is 5.3.5 150925 from the factory you need at least that to TFTP upgrade (unless you are a Chinese hacker it seems).

Don't bother with earlier versions they won't work.
 