Hikvison Permanent Region Code Hack

[networkcameracritic]

I put together this region code hack and worked fine for cameras with 5.2.3 and older, but something has changed where I believe it's
checking checksum or something that makes it no longer work. I'm going to publish this in hopes that someone can help me figure out what's different in 5.2.5.

I realize there are haters and as Taylor Swift once said, Haters going to hate, hate, hate. They have personal financial interest in this like
CBX and iTuneDVR, but I feel this should be public information. I figured this out 100% on my own, did not reverse engineer anyone else's work so I consider it mine to share. So I prefer they bud out since they will make comments to try and distract this project like they did at cctvforum, but is subterfuge, it can be done and it's not that hard.

So here's how it's done. First there's two files, /dev/mtd5 and /dev/mtd6 that contain the language flag. It's at the 1620th byte in MTD5 and 16th in MTD6 and has duplicates sometimes in MTD6, but have never updated the duplicates in the past, but that may be where I've gone
wrong with 5.2.5.

First you need MTDUTILS, free open source Linux utilities to read/write to MTD. So easy enough. I've cross-compiled them for ARM
and put them here - http://www.wrightwoodsurveillance.com/stuff/mtd.zip

Then what you need to do is create a Windows share on your PC, unzip the file into this directory, telnet into the camera and mount this share, like mount -t cifs //192.168.1.50/mtdutils /mnt/nfs07 -o username=pcuser,password=pcpass.


While logged into the camera, cd /mnt/nfs07/mtdutils-1.5.0-arm-linux-gnueabi/sbin to run the commands.


Start with these commands to read flash as these will put the flash in your windows share -

./nanddump -nof mtd5_temp /dev/mtd5
./nanddump
-nof mtd6_temp /dev/mtd6

From here you can use a Windows hex editor like HxD to read these files and note that in the locations above (decimal, you will need to change to hex to see the language flag) is 02 for Chinese, changing it to 01 makes it English.

I did this in Linux, actually on the camera itself like this;
echo -ne \\x01 | dd conv=notrunc seek=1620 bs=1 count=1 of=mtd5_temp
echo -ne \\x01 | dd conv=notrunc seek=16 bs=1 count=1 of=mtd6_temp

Then you can't just write MTD, you have to erase it. Simple enough with the flash_eraseall command;
/flash_eraseall
/dev/mtd5
/flash_eraseall /dev/mtd6

Then you'll need to use nandwrite to write the image you edited back to flash;

./nandwrite -o /dev/mtd5 mtd5_temp
./nandwrite -o /dev/mtd6 mtd6_temp

This will brick a 5.2.5 camera and my belief it that's related to the checksum, which I feel is the first 4 bytes of the mtd files as that's what is different between cameras but have not tried it.

If for some reason the camera is bricked, there may be a way to recover this from the console via the UART port.

What has been done in the past to help test and debug this is to install Sourcery Codebench Lite. It's the operating system used by Hikvision. I have not tried it, but would assume you can install Linux on there, move the files, scripts and such over and use their gui debugger to help out.


Also, what's interesting is how iTuneDVR makes firmware files. I've researched this and determined that what's in the digicap.dav firmware file is the same as what's in the /dav directory on the cameras itself. I've been able to easily extra files from digicap.dav firmware files that are in /dav. It seems as though they are a concatenated list of files from this directory. Any help is figuring this out will help the cause.

 

[CBX]

Hi there

I'll try to reply in a way that doesn't go into the category of haters or subterfuge, just sticks to the facts without using loaded language.

You indicate that I have a financial interest in helping people region change their cameras/NVRs etc. You are correct.

There didn't seem to be any mention that so do you however, given that your daughter's company http://wrightwoodsurveillance.com/ sells Hikvision cameras.

Also, it might be worth pointing out that you've contacted me regarding your own cameras that you've bricked in the recent past. I've also been contacted by someone this evening who posted on cctvforum (which I've now left) who followed your instructions and has a bricked camera (beyond TFTP recovery) which had 5.2.3 loaded and is stickered on the unit itself.

That's not to say you don't have a perfect right to brick your own, but it might be helpful to let others who wish to do the same know beforehand.

It's unfortunate timing that within 7 days of me leaving cctvforum your post has been made which I am unable to respond to.

Nonetheless, good luck to you Sir.

(I'll finish by repeating your post to avoid any perception I'm trying to distract people from it - I'd recommend fixing the mistake in the commands you state - we are talking about flashing and maybe bricking people's cameras after all)

I put together this region code hack and worked fine for cameras with 5.2.3 and older, but something has changed where I believe it's
checking checksum or something that makes it no longer work. I'm going to publish this in hopes that someone can help me figure out what's different in 5.2.5.

I realize there are haters and as Taylor Swift once said, Haters going to hate, hate, hate. They have personal financial interest in this like
CBX and iTuneDVR, but I feel this should be public information. I figured this out 100% on my own, did not reverse engineer anyone else's work so I consider it mine to share. So I prefer they bud out since they will make comments to try and distract this project like they did at cctvforum, but is subterfuge, it can be done and it's not that hard.

So here's how it's done. First there's two files, /dev/mtd5 and /dev/mtd6 that contain the language flag. It's at the 1620th byte in MTD5 and 16th in MTD6 and has duplicates sometimes in MTD6, but have never updated the duplicates in the past, but that may be where I've gone
wrong with 5.2.5.

First you need MTDUTILS, free open source Linux utilities to read/write to MTD. So easy enough. I've cross-compiled them for ARM
and put them here - http://www.wrightwoodsurveillance.com/stuff/mtd.zip

Then what you need to do is create a Windows share on your PC, unzip the file into this directory, telnet into the camera and mount this share, like mount -t cifs //192.168.1.50/mtdutils /mnt/nfs07 -o username=pcuser,password=pcpass.


While logged into the camera, cd /mnt/nfs07/mtdutils-1.5.0-arm-linux-gnueabi/sbin to run the commands.


Start with these commands to read flash as these will put the flash in your windows share -

./nanddump -nof mtd5_temp /dev/mtd5
./nanddump
-nof mtd6_temp /dev/mtd6

From here you can use a Windows hex editor like HxD to read these files and note that in the locations above (decimal, you will need to change to hex to see the language flag) is 02 for Chinese, changing it to 01 makes it English.

I did this in Linux, actually on the camera itself like this;
echo -ne \\x01 | dd conv=notrunc seek=1620 bs=1 count=1 of=mtd5_temp
echo -ne \\x01 | dd conv=notrunc seek=16 bs=1 count=1 of=mtd6_temp

Then you can't just write MTD, you have to erase it. Simple enough with the flash_eraseall command;
/flash_eraseall
/dev/mtd5
/flash_eraseall /dev/mtd6

Then you'll need to use nandwrite to write the image you edited back to flash;

./nandwrite -o /dev/mt5 mtd5_temp
./nandwrite -o /dev/mtd6 mtd6_temp

This will brick a 5.2.5 camera and my belief it that's related to the checksum, which I feel is the first 4 bytes of the mtd files as that's what is different between cameras but have not tried it.

If for some reason the camera is bricked, there may be a way to recover this from the console via the UART port.

What has been done in the past to help test and debug this is to install Sourcery Codebench Lite. It's the operating system used by Hikvision. I have not tried it, but would assume you can install Linux on there, move the files, scripts and such over and use their gui debugger to help out.


Also, what's interesting is how iTuneDVR makes firmware files. I've researched this and determined that what's in the digicap.dav firmware file is the same as what's in the /dav directory on the cameras itself. I've been able to easily extra files from digicap.dav firmware files that are in /dav. It seems as though they are a concatenated list of files from this directory. Any help is figuring this out will help the cause.

 

[networkcameracritic]

Like I've said before, this hack should not be used on the newer cameras where it says 5.2.5 or newer on the box. I did asked CBX to upgrade a few cameras for me but he refused.

But since CBX was arrogant about this, I will make this offer for people with 5.2.5 cameras. If someone lets me backup their entire camera's flash before and after his update, I will pay for the upgrade from CBX. You can use the mtdutils to do the nanddump of MTD0-17 and /dav directory. I'll be discrete so he will never know.

 

[CBX]

Hi there

I just thought I'd make a copy of your post should you subsequently decide to edit it.

The reason I declined to assist you is because I had formed the opinion (rightly or wrongly) that you could not be trusted to keep to the confidentiality agreement that forms part of the work I do.

I don't believe my refusal was arrogant but sorry if you felt it to be so.

On 12/02/2015 10:20, CBX wrote:

Hi there

Sorry to hear of your problems.

I don't think I can help you sadly, but please let me take this opportunity to wish you luck with them and the best for the future.

Cheers​

​

I will leave it to others to read your most recent post and the omissions in your original post at the start of the thread and make their own judgement.

Like I've said before, this hack should not be used on the newer cameras where it says 5.2.5 or newer on the box. I did asked CBX to upgrade a few cameras for me but he refused.

But since CBX was arrogant about this, I will make this offer for people with 5.2.5 cameras. If someone lets me backup their entire camera's flash before and after his update, I will pay for the upgrade from CBX. You can use the mtdutils to do the nanddump of MTD0-17 and /dav directory. I'll be discrete so he will never know.

 

[gpower07]

i just flashed my 2332 with cbx region change. work great. the box labeled 2.5.8.

 

[networkcameracritic]

Thanks CBX, would want to get the word out there. Now you can't trust anyone.

Can I sweeten the deal, free Hikvision camera + fees charged by Tom to anyone that works with me on this.....

 

[CBX]

Thanks CBX, would want to get the word out there. Now you can't trust anyone.

Can I sweeten the deal, free Hikvision camera + fees charged by Tom to anyone that works with me on this.....

Well played - and you are correct that offering people free cameras to be dishonest and steal my solution means now I can't trust anyone. Most people are trustworthy and it is a shame that as a result of this I am no longer able to offer permanent region change. This service is now suspended.

I can offer 5.2.5 multi-language firmware though, and it will still make the camera International region (so works with iVMS, NVRs - has English day of the week etc). If you change the firmware to original your camera will revert back to Chinese identity however.

Sorry to the majority of people out there - but this is my only source of income due to being self-employed, and it simply makes no sense to spend many hours a day developing robust, professional and safe solutions along with remote support to help those with these problems only for someone to publicly incite breaking of agreements and theft of my efforts.

I simply can't operate in the environment that has been created by this individual.

 

[iTuneDVR]

Carl!
http://www.cctvforum.com/viewtopic.php?p=266331#p266331

So!
This topic was removed!!!
Why?
Who?

Author can delete it?
Maybe that's not like these screenshots and word juggling daughter?

 

[Chust]

You guys crack me up!

Networkcameracritic- Great job teaching these guys real world business! :laugh:

CBX- Looks like the gravy train is running out of gravy! :laugh:
Personally, I trust nobody! Especially somebody that can hack something I can't. I would never use your region changer or allow you remote access. It amazes me what people will do to save a few dollars. I own several chinese and english cams. Who cares if it's in chinese. Most people set their cams and leave them alone anyways.

I do have a solution for everybody - Stop buying from China resellers and buy english Hik's or Dahua.

Hope you all become friends at the end of this silly war.

 

[iTuneDVR]

You guys crack me up!

Networkcameracritic- Great job teaching these guys real world business! :laugh:

CBX- Looks like the gravy train is running out of gravy! :laugh:
Personally, I trust nobody! Especially somebody that can hack something I can't. I would never use your region changer or allow you remote access. It amazes me what people will do to save a few dollars. I own several chinese and english cams. Who cares if it's in chinese. Most people set their cams and leave them alone anyways.

When you do not believe anyone, and that means you do not trust yourself too!
I agree with you that for the sake of saving a few dollars people are willing to buy cheap Chinese goods!

I do have a solution for everybody - Stop buying from China resellers and buy english Hik's or Dahua.
Hope you all become friends at the end of this silly war.

When will go envy then she will take with them all the anger, hatred and greed!

 

[Q™]

...Haters going to hate, hate, hate...

This is true, and perhaps this is because you make it so very easy, eh?

 

[Manta]

As soon as anyone makes this "fix" public Hikvision will move to close the hole. Please do not share this information in an open forum. I've seen this happen many times in the past with other hobbies. This will only ruin the ability to purchase the Chinese version of the cameras and perform the fix.

That being said, I know the piece you are missing. I would take a DS-2DF7286-AEL in return for the information. lol

-M

 

[Chust]

lol:laugh:

 

[riri7707]

Don't worry about that
Sure Hik knows that perfectly and allows these open doors for the China vendors .
At end benefits, always benefits.

 

[networkcameracritic]

Personally, I trust nobody! Especially somebody that can hack something I can't. I would never use your region changer or allow you remote access. It amazes me what people will do to save a few dollars. I own several chinese and english cams. Who cares if it's in chinese. Most people set their cams and leave them alone anyways.

Exactly my sentiments. Allowing someone to provide custom firmware that knows a lot about hacking is like inviting a virus on your computer in the form of a free app. That's why I like to expose this, at least you see what I'm doing, nothing hidden. Even the IEfile.tar.gz, it's all source code javascript, no binaries that can harbor hidden code and I can certainly share what I changed, or better get, just expand the tarball (WinRAR or 7ZIP on Windows) and compare it to the source code on your camera. All I updated is doc/scripts/login.js, 2 lines and I add the language files in the xml directory, no magic.

As for Hikvision, they don't seem to care that much because it would be so easy to a) encrypt the firmware so nobody can hack it, b) lock out Telnet, what camera company gives telnet access to their embedded Linux, it's a security camera, treat it that way. Given they are the largest surveillance camera company in the world, I'm sure their engineers are not that stupid. I think their goal is to encourage open development. They even offer their development environment to add apps to the cameras.

Also, what you said, who cares if the menus are Chinese. Other than the initial configuration, I rarely if ever use the web interface. You can use the Chrome browser, it has a translate feature, not perfect, but good enough to get by the initial config.

 

[gpower07]

When you do not believe anyone, and that means you do not trust yourself too!
I agree with you that for the sake of saving a few dollars people are willing to buy cheap Chinese goods!



When will go envy then she will take with them all the anger, hatred and greed!

I paid a big different in price between English and Chinese version. and I don't put the camera inside my house. so I don't even care if someone hacked it. as long as he/she don't change the setting of them cams.

 

[networkcameracritic]

Yes, I developed online systems for a large telecom and oil company using Java Server Pages (Catalina), Active Server Pages (ASP) and JavaScript. There's nothing in the Java or ASP that I saw that gives me any concern. If there's an area of concern, it would be in the binaries, but for me, without the source code, I would not be able to tell. I requested the source code for all binaries and can verify this when I get it. I'm not a C++ developer, but my experience with other languages allows me to read the code to see what they are doing.

Frankly, the area of opportunity in these cameras is not hacking them, that's just playing games, it's in developing code to run inside the camera, like LPR, RTMP broadcasting and such that can be sold as plugins products like what is available on Axis which is actually very open about their code. We paid $1,500 for an LPR plugin on an Axis camera, how is that for profit compared to charge $25 to hack a cheap camera.

 

[id5]

I agree that if Hik wanted to close the door then they could, they could also price there equipment with the global market in mind and effectively remove grey imports without hurting their bottom line.

It is a competitive world out there and there will always be people that cannot or do not want to hack firmware, there is always room for the 'pay for' utilities that CBX provides.

It is also a sharing world and that is what networkcameracritic has done including a be careful message.

 

[riri7707]

I think Chineese industry have not the same thoughts as us at all.
We are not in the same world.
For us we want finished products, well packaged and 100% improved, with warranty and Customer support.
Come on, Hik series 2 is not a range for Pro, only for residential...
Pro will go more with 4 Line/6 Line and MP PTZ and will not spend time on forums around 2 Line on discussions with FW issues

For Hik all is fine to make Buisness and this is only their logic way to act.
So according they have Grey production lines too for 3rd party distribution and customisation, somewhere this is quite normal to provide open firmwares for make up, changing logo etc...
Nothing original here, but face to "Ufos models" coming from nowhere and really crappy as for example : ANRAN/ESCAM and others who really don't work for example with Onvif, even If they claim so., Hik provide interesting options Embedded in their cams

With Hik (who probably will become one of the CCTV pilar in the next incoming years), we can have choice, pay less, experiment things.
So not too bad to have this chance.
Some people spends a lot of hours trying to understand the mecanism, reverse engineering, made their cooking, testing
.
So from here 2 lines :
- those who are unemployed and really needs some contribution for their work, and I think somewhere it's normal.
- those who shares free and simply their passion around firmware.
- and some (who always complains or make jokes by criticing always the one who wrote something interesting near the true solution and don't want to share something claiming this is his secret.

But this is my thinking.

These discussions will continue for sure in the forums with a lot of workaround with Hik Firmwares.

 

[Chust]

$25 Holy Crap!
I'm in the wrong business! :sad2: