Hikvision TFTP server tool.

remy9

Young grasshopper
Joined
Jan 27, 2016
Messages
49
Reaction score
4
That's the thing these cams all look the same, so not sure what I'm looking at hardware wise. The firmware on it, is what I go by. I did notice tho, that with IVMS_PCNVR I was having a time getting it to work, things like having to manually input the cam settings, motion detection not recording.. and then it was, I just found it flaky and inconsistent...

To be honest, I intended to use the cams with Ispy but when I saw the web server and software tools thought 'Hello'.. but it's not worked out really and may end up back on Ispy.. despite its flaws, it's a great piece of software.. Blue iris looks interesting. Once the camera is set up, it doesn't really matter if it's Chinese or whatever I suppose..
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,965
Reaction score
6,794
Location
Scotland
There seems to be a strong view that 2xx5 and 3xx5 are different inside - I really don't think they are.

The casing and associated IP rating are different - but everything else (including WDR) is the same in my experience despite anything said on Hikvision websites.

Both are hi3516a and use the same firmware
Yes indeed - but I didn't make it clear that I meant the 2xx2 cameras when I said '2 series'.
I thought from @remy9 posts that it may have been the 5.3.0 to 5.2.5 downgrader that's being tried. That is only suitable for the 2xx2 cameras and will likely brick a 3335.
Does anyone actually have an EN or ML version of firmware for the 3xx5 or 2xx5 cameras with the 3516a SoC?
 

remy9

So I found the 5.3.5 150925 firmware on one of your other threads here - I'm tempted to try it out.. but let me ask you this, if the Chinese hackers have managed to put a custom multi lang firmware on this cam, then that means they have worked out a way to bypass the security of the cam? or had keys so to speak..
 

Enabler

Getting the hang of it
Joined
Oct 11, 2015
Messages
265
Reaction score
41
Location
Bolton
They bypassed the security stopping modified firmware being accepted by the camera (totally different to accessing your camera without password etc).

As they are Chinese I think they might have a leaked RSA key but that's a guess.
 

alastairstevenson

So I found the 5.3.5 150925 firmware on one of your other threads here - I'm tempted to try it out..
For the 3335 camera? I don't recall seeing that - can you provide a link?
I have a CN 3335 camera I'd try it on.
 

alastairstevenson

Many thanks.
Last time I looked at that, I thought it was for the first generation cameras. I'll have another look.
 

remy9

No problem!

Ah! is there a way to tell first and second gen cameras? It's not going to brick the cam if it's the wrong gen is it?
 

alastairstevenson

Well, you'd think our beloved Hikvision would have good checks in place in firmware upgrades that would reliably stop invalid firmware being applied.
But they seem to have put more effort into the region-locking 'features'.
In practice the web GUI does a lot more checking than the tftp updater, which has a limited code base being within the bootloader.
But as we know from much of this forum, 'bricking' is a frequent occurrence.
 

Enabler

No danger then of it being altered to gather network traffic and phone home? I know, I know, I'm being paranoid again just wondering..
It depends what you mean by 'no danger'. You can never say it's impossible but given most of these cameras would be using a switch it would only see broadcast traffic not traffic from say your PC to Internet or NAS device.

And phoning home can't be hidden from someone monitoring their Internet traffic. If you're worried give the camera a fake gateway IP so it doesn't know how to talk to the Internet or even ban it on your router.
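One way to do the monitoring described in the post above, as an added example that is not part of the original thread: list every destination the camera contacts that lies outside the LAN, which is exactly the traffic a fake gateway or a router block would cut off. The record format, the camera address and all sample flows are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: "time src dst dport" records such as a router log or
# packet capture could be reduced to. All addresses here are made up.
FLOWS = """\
10:00:01 192.168.1.64 192.168.1.10 8000
10:00:02 192.168.1.64 239.255.255.250 1900
10:00:05 192.168.1.64 255.255.255.255 67
10:00:09 192.168.1.64 203.0.113.25 443
10:00:30 192.168.1.20 198.51.100.7 443
10:01:09 192.168.1.64 203.0.113.25 443
10:02:00 192.168.1.64 198.51.100.40 123
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def off_lan_destinations(flows, camera, lan):
    """Count the camera's flows whose destination can only be reached via a gateway."""
    cam = ipaddress.ip_address(camera)
    net = ipaddress.ip_network(lan)
    hits = Counter()
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _, src, dst, dport = fields
        if ipaddress.ip_address(src) != cam:
            continue  # traffic from some other host
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in net or dst_ip.is_multicast or dst_ip == LIMITED_BROADCAST:
            continue  # stays on the local segment, no gateway involved
        hits[(dst, int(dport))] += 1
    return hits

if __name__ == "__main__":
    found = off_lan_destinations(FLOWS, "192.168.1.64", "192.168.1.0/24")
    for (dst, port), count in found.most_common():
        print(f"camera -> {dst}:{port}  ({count} flows)")
```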
 

remy9

using a switch it would only see broadcast traffic not traffic from say your PC
Good point!

give the camera a fake gateway IP
Excellent idea!

Ok, I'd like to follow up on the checking the md5sum of the web components. How would I go about such a task?

thanks!
@alastairstevenson

Did you try that firmware?
 

Enabler

Normally when you connect to the camera it will ask you to download webcomponents.exe and install (it's a web browser plugin)
Obviously if you've wiped your PC and you can't get on the camera again then you won't be able to do it.
 

remy9

I've got two of these cams, the other one is working. I have it set up on a test bed to see if there's any funny business going on, not seen anything yet..

How do I capture the .exe? it just installs itself?

edit:

It's ok I see how to check now thanks!
 

alastairstevenson

Did you try that firmware?
Yes, the camera did not like the HK20 magic number in the firmware header.

Code:
[01-29 21:57:52][pid:0][PSIA][ERROR]************* PSIA Upgrading BEG **************
[01-29 21:57:53][pid:0][OTHER][ERROR]lock CLOSED
[01-29 21:57:53][pid:0][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_encode(pUpgInfo->tUpgDevs.iDevSecFlag, aFirmMagic, sizeof(aFirmMagic), pBufU8, (unsigned char *)(pUpgInfo->pFirmHead), tHeadDec.iHeadSize, 0)) fail to eRetVal UPG_STAT_E
[01-29 21:57:53][pid:0][UNI_IF][ERROR][UPG_ASSERT] UPG_STAT_OK == (eRet = firm_pack_head(pUpgInfo)) fail to eRetVal eRet=0x000000e6!
[01-29 21:57:53][pid:0][PSIA][ERROR]************* PSIA Upgrading END **************,iRet=-41
Code:
.text:0000CE58                 BL      printf
.text:0000CE5C                 MOV     R3, #0xFFFFFFFF
.text:0000CE60                 LDR     R2, =a1         ; "-1"
.text:0000CE64                 LDR     R1, =a0Firm_encode_h ; "0 == firm_encode_hik(0, aFirmMagic, siz"...
.text:0000CE68                 LDR     R0, =aUpg_assertSFai ; "[UPG_ASSERT] %s fail to eRetVal %s=0x%0"...
 

remy9

Yes, the camera did not like the HK20 magic number in the firmware header.
Damn, did you have to re-flash with the old firmware again? or did it not change anything? Do you think this might have something to do with which gen the camera was? Problem I'm debating now is, if I try and 'fix' the cam and it doesn't work I'm bunched for a refund. But I want to try so much.. it's like this irresistible red button that... I... must... press...
 

alastairstevenson

No, the camera is fine, I tested the upgrade with the web GUI. It just baulked at the firmware, that's all.
A tftp update would likely force the firmware on, which would result in a bricked camera needing to be recovered.
 

remy9

A tftp update would likely force the firmware on
Ok, I see what you're saying. They certainly have made things a lot more difficult.. it's like mobile phone territory with locked boot loaders and the like.. what we need is a bootstrap or something.. I don't know, maybe I'll give the official Chinese one you pointed me to a go..
 

remy9

A tftp update would likely force the firmware on
Is there a way to save the existing firmware that's on there and be able to put it back on again if needed?
 

alastairstevenson

Is there a way to save the existing firmware that's on there and be able to put it back on again if needed?
That's not simple, as the content of the firmware is split down and spread across multiple flash partitions, unlike the common NVRs where it's all applied to a single mtdblock and a backup can be made.
Code:
[    1.842527] Creating 13 MTD partitions on "hinand":
[    1.842553] 0x000000000000-0x000000100000 : "bld"
[    1.848496] 0x000000100000-0x000000180000 : "env"
[    1.852660] 0x000000180000-0x000000200000 : "enc"
[    1.856800] 0x000000200000-0x000000280000 : "sysflg"
[    1.860836] 0x000000280000-0x000000380000 : "dpt"
[    1.866498] 0x000000380000-0x000000b80000 : "sys0"
[    1.895506] 0x000000b80000-0x000001380000 : "sys1"
[    1.924519] 0x000001380000-0x000003980000 : "app0"
[    2.053110] 0x000003980000-0x000005f80000 : "app1"
[    2.181902] 0x000005f80000-0x000006380000 : "cfg0"
[    2.197539] 0x000006380000-0x000006780000 : "cfg1"
[    2.213218] 0x000006780000-0x000007780000 : "syslog"
[    2.268775] 0x000007780000-0x000008000000 : "resv"
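To make the layout in the kernel log above easier to reason about, here is an added example (not part of the original post) that parses those lines, computes each partition's size, checks that the map is contiguous, and lists the names that come in 0/1 pairs. The function names are made up for this example, and the page does not say what the paired partitions are used for.

```python
import re

# Kernel log lines as posted in the thread above.
DMESG = '''\
[    1.842527] Creating 13 MTD partitions on "hinand":
[    1.842553] 0x000000000000-0x000000100000 : "bld"
[    1.848496] 0x000000100000-0x000000180000 : "env"
[    1.852660] 0x000000180000-0x000000200000 : "enc"
[    1.856800] 0x000000200000-0x000000280000 : "sysflg"
[    1.860836] 0x000000280000-0x000000380000 : "dpt"
[    1.866498] 0x000000380000-0x000000b80000 : "sys0"
[    1.895506] 0x000000b80000-0x000001380000 : "sys1"
[    1.924519] 0x000001380000-0x000003980000 : "app0"
[    2.053110] 0x000003980000-0x000005f80000 : "app1"
[    2.181902] 0x000005f80000-0x000006380000 : "cfg0"
[    2.197539] 0x000006380000-0x000006780000 : "cfg1"
[    2.213218] 0x000006780000-0x000007780000 : "syslog"
[    2.268775] 0x000007780000-0x000008000000 : "resv"
'''

PART = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')

def parse_partitions(log):
    """Return (name, start, size) tuples in the order the kernel listed them."""
    return [(m[3], int(m[1], 16), int(m[2], 16) - int(m[1], 16))
            for m in PART.finditer(log)]

def layout_problems(parts):
    """Report any gap or overlap between consecutive partitions."""
    problems, expected = [], 0
    for name, start, size in parts:
        if start != expected:
            problems.append(f"{name}: starts at {start:#x}, expected {expected:#x}")
        expected = start + size
    return problems

def paired_names(parts):
    """Stems that appear with both a 0 and a 1 suffix (sys0/sys1 and so on)."""
    names = {name for name, _, _ in parts}
    return sorted({n[:-1] for n in names if n[-1] == "0" and n[:-1] + "1" in names})

if __name__ == "__main__":
    parts = parse_partitions(DMESG)
    for name, start, size in parts:
        print(f"{name:<7} {start:#010x} {size / 2**20:6.1f} MiB")
    print("total:", sum(s for _, _, s in parts) // 2**20, "MiB")
    print("problems:", layout_problems(parts) or "none")
    print("paired:", paired_names(parts))
```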
 