Hikvison Permanent Region Code Hack

iTuneDVR said:
Cool!
Here you split! ;)
So you are competent programmer !!! ;) ;)
So why are you pretending broom ??? ;) ;) ;)

Luck with getting the source code!
Click to expand...

Don't understand your Russian colloquialisms. What does "pretending broom" mean? I have no envy issues and admire that you were able to figure out the digicap.dav format because I have not. What I don't admire are your attacks on people trying to offer alternative solutions, maybe inferior to yours, but no reason to be mean about it. Hacking devices is a fun hobby, not for profit. We are all here to learn and enjoy the hobby, please don't stress about it.
 
I don't understand what you are referring too, still not sure what a broom has to do with anything.

Here's the way I see, correct me if I'm wrong;

- CBX released how to hack the davinci file to make cameras English, but being the Linux person he is, it was beyond comprehension for Windows people, so I merely documented how to do it using Windows tools. Did not contribute to the hack itself.

- CBX released where and what to hack exactly on CCTV forum, the exact offset, the exact bits, the exact MTD device blocks. If you want a tour, I can provide it at no extra charge. I merely contributed the how part since he missed that part, maybe because he didn't know how to do it with open source tools, so he provided most of the puzzle, I just provided the last piece, MTDUTILS to carry it out. I never reversed engineered anything he has done, I wouldn't even know how, just googled how to update MTD, anyone here can do that, no?

So what did I do that was so bad then? Provide knowledge about open source tools. I'm not the one the leaked where the region code was. I'm not the bad guy.

Lastly, IEfile.tar.gz, clearly the basis for this hack is all over the internet, on YouTube, no magic there. But it was missing something, for one, defaulting to English instead of Chinese and all the languages to make it international. Again, no magic here, just a quick look at the code. Again, not releasing anything that was not released in the past, just adding more pieces to the puzzle.

So in your words, why do you have a vendetta against me? Where is the love? In the words of my people, Que Lastima!
 
Ditto Don, this is the mystery, why a man of such intelligence like Tom can't get a job in a vibrant economy like the U.K. If he was in the U.S., I know plenty of tech startups that could use a guy like Tom.

Sorry, off-topic Don, but wish I can get your solution to work for me, but doesn't with my ISP, Hostgator. I know you said I need them to open ports, not sure they would since it's shared hosting, but haven't gotten around to asking them. It's a cool idea and I'm putting a PTZ at my lake house next time I'm up and want to open it up for neighbors to check on lake conditions where they can click on buttons to go to preset locations.
 
I decided to give this "hack" a shot using one of my cams and looks like it bricked it. I had older cam that originally shipped with 5.1.0 and I upgraded to hacked 5.2.0 at some point. Would TFTP method recover this?
 
Nope, can't ping to it, Hikvision Tools don't see it. I could upload firmware using TFTP method, but that didn't help the situation. So I guess my only option is try UART method? Is there a good resource for this?
 
Last edited by a moderator:
Wow picked a great time to buy a China 2032... I might in the future pay to have it region changed but can anyone point me to the 5.2.5 web interface English screen shots? I just want to turn off the date and know the order the image adjustment sliders are in. Once those are set I think I am fine with Chinese firmware. Thanks and sorry to tag this on the end of this topic.
 
Just use Chrome, it has a translate feature. Right click on the page and it will translate it and you can set it to translate that web page all the time. It's not perfect, but may get you by for quick setting changes.
 
networkcameracritic said:
Then you'll need to use nandwrite to write the image you edited back to flash;

./nandwrite -o /dev/mt5 mtd5_temp
./nandwrite -o /dev/mtd6 mtd6_temp
Click to expand...

It looks like a typo where you put /dev/mt5 instead of /dev/mtd5

This might be the reason @klasipca bricked his older cam?? Didn't get the flash re-written correctly?

networkcameracritic said:
I feel this should be public information.
Click to expand...

LOL. If I had the knowledge, I would share it for free too. Though this would definitely make it a more serious threat to Hikvision, and they might come up with a way to break the hack on new firmware versions.
 
Last edited by a moderator:
By the way - just out of curiosity - why did you cross-compile mtd-utils for use on the camera instead of using those utils already in the firmware?
 
Because there was no erase flash command, and you have to erase it before writing. There may have been an option to do this in their commands, but did not see it. Also, I wanted to use the feature in the newer nanddump to grab the entire flash partition just in case but the one in the camera should have worked.
 
networkcameracritic said:
Yes, it's /dev/mtd5, should have gotten an error though.
Click to expand...

Lots of people are technologically challenged and you can't rely on them to identify and resolve errors like this.

It would not surprise me at all if that typo and a failure to understand the situation was exactly what led to @klasipca's bricked cam. If you don't edit the instructions with the fix it will only happen to more people.

It speaks volumes about the difference between you and CBX that you did not fix that right away.
 
Last edited by a moderator:
bp2008 said:
Lots of people are technologically challenged and you can't rely on them to identify and resolve errors like this.

It would not surprise me at all if that typo and a failure to understand the situation was exactly what led to @klasipca's bricked cam. If you don't edit the instructions with the fix it will only happen to more people.
Click to expand...

I saw a typo before I executed the command, so it's not my issue. I've used numerous hacks before and I know the risks, but this is the first time I actually managed to brick something. Right now I am just looking for any help I can get to unbrick it then I would try this again.

I think the steps were straight forward and the only unclear part which most likely caused the camera to brick was this:

From here you can use a Windows hex editor like HxD to read these files and note that in the locations above (decimal, you will need to change to hex to see the language flag) is 02 for Chinese, changing it to 01 makes it English.
Click to expand...

This is the snapshot I took that I sent to networkcameracritic. It's showing in "hex" and the result for the 16th block is 00 in MTD6:
http://oi62.tinypic.com/8x9cia.jpg

His reply was: "In your picture, you can see hex 10 is 02 meaning Chinese, change that to hex 01 in MTD6. On MTD5 it's the 1620 byte or 654 in a hex editor. "

But, I should've clarified this with him again why I had to edit 10th byte instead of original 16th as instructions specify. I read the instructions again and found out that you can change HxD to display in "decimal" and that way it showed 02 in the 16th byte which is what I ended up editing. So, I clearly made a mistake editing 16th byte. Perhaps, mtd6 location varies which should be reflected in the instructions.
 
Last edited by a moderator:
Ah well that is definitely confusing.

The byte you highlighted is actually at offset 22. The real offset 16 is the leftmost byte in the second row there.

Another point of confusion is where the byte at offset 16 is called the "16th" byte in the instructions. When in reality offset 16 is the 17th byte, just as offset 0 is the 1st byte.
 
Yeah, now I realize that it's the offset, not byte. So far 0 replies on how to unbrick the camera or do I just throw it away.
 
I understand from your other thread that you tried TFTP recovery (which was successful, but did not unbrick it). Given that this hack is designed to survive firmware updates/installations, I bet the mtd5 or mtd6 files (or both) are not even affected by firmware updates, so if they are bad there may be no way to fix them.

Maybe a UART cable would give you the necessary access, but I don't know the first thing about using UART. It seems that if you have a fair amount of linux knowledge and can transfer files to the camera from your PC with the UART interface, then you should be able to repair the mtd5 and mtd6 files.
 
I am not a Linux expert, nor I ever tried to recover anything before with UART, but I doubt I am the first one to brick Hikvision camera. Perhaps someone already done this before and has instructions.
 
You must log in or register to reply here.
Top Bottom