Hikvision Permanent Region Code Hack

I've already written a few pages before that you can do the hack: just downgrade to 5.2.3, do the hack, and then you can use any firmware.

I would be cautious. From what I understand, if you use the MTD5/6 change on the first page of this thread on a camera that came from the factory with 5.2.5 or later, regardless of what the camera is running now (5.2.0 or 5.2.3), the camera will brick.
 
If you were successful with the downgrading, then the hack clearly works and will not brick the camera. I couldn't downgrade a 2032 but it's worth a try. If you can't see it on SADP after downgrading, just upgrade back to 5.2.5 with TFTP; it will work again, but don't do the hack.

I believe that networkcameracritic tried this on a 5.2.8 orig FW camera and it didn't work. I have a 5.2.8 orig FW camera now running 5.2.0 (as delivered from Chinese vendor) with everything in English including the day of the week. I would like to turn this into an English camera to allow for future easy FW upgrades using the hack (as I did successfully on another 5.1.6 orig FW camera that was running 5.2.0 [thank you networkcameracritic for the how to]) but I'm quite worried it will either brick the camera or once I recover to 5.2.0 it will somehow lose the Chinese vendor hack and be in Chinese.

Has anyone tried the hack on a 5.2.8 orig FW camera running 5.2.5 or 5.2.0 and were you successful (everything in English including day of week)?
 
If there's 5.2.0 currently on the cam, you can do the hack without any worries, it won't brick. You'll brick only if it is not downgraded, and running with 5.2.5 or 5.2.8

According to your findings, even though my camera originally came with 5.2.8 and is now running 5.2.0 I should be able to do the hack...and yet that disagrees with both S474N (post #133) and networkcameracritic (post #135). So of course I'm hesitant (though I do thank all on this board that try to help each other).

Anyone else have any experience hacking a camera that originally came with 5.2.8?
 
If there's 5.2.0 currently on the cam, you can do the hack without any worries, it won't brick. You'll brick only if it is not downgraded, and running with 5.2.5 or 5.2.8

The above did not work for me. I went ahead and applied the MTD5/6 hack on a 5.2.8 labeled camera running 5.2.0 in all English including day of the week just to test the theory and learn. Unfortunately this bricked it. Used tftp to recover and in order to restore the original MTD5/6 blocks I had to give the recovery tftp server in the camera a FW to program in order to get to its ftp and telnet logins. So I gave it 5.2.0. It flashed successfully but would not boot or show up in SADP. So the original 5.2.0 must have been a hacked version to work. So I then used tftp recovery to load 5.2.5 and the camera booted but is now in all Chinese and will not play with my Hikvision NVR. The NVR says "language mismatch."

Just a warning to others that have cameras with 5.2.8 (and most likely 5.2.5) when shipped from the factory that I do not believe this hack will work, or at least it did not for me.

I have a 5.1.6 camera that the hack did work on, as expected.
 
Thanks @scn101, how do I recover the bricked camera, which was bricked by the hack solution?
 

I loosely followed the directions in this thread: http://www.ipcamtalk.com/hikvision/...patch-in-this-forum-5-2-8-to-5-2-5=#post22553

I say loosely because the camera did not have the dd command (strange, normally part of busybox). Also the nanddump -nof command complained that it did not recognize the -n but leaving off the -n (using just -of <output file>) is fine. Without dd I could not change the language bits on the camera so I ftp'd the mtd5/mtd6 nanddump files to my PC, used HxD, and ftp'd the files back to the camera (I kept a copy of the original mtds on my PC before the hack and simply restored them) using flash_eraseall and nandwrite. I used the FileZilla FTP Client on my PC for ftp'ing.
 
Hi AKalm, I tried my 3332-i IPC with factory Chinese FW 5.2.8, but it is still Chinese, not default English as you say. Can you share your FW and the steps to upgrade with me?
Thanks very much! 5.2.5 Multilanguage - default English, days everything - Works 100%
 
Hey everybody )!
Just wondering, I'm on a Chinese cam with hacked 5.1.6 firmware. So is it safe to use the region changer in my situation, or do I need to run stock firmware, not hacked, before applying a region changer?
Thanks.
 

Should be safe. However there is no reason to do the region changer hack unless you plan to update the firmware. You should know that firmwares after 5.1.6 have some features removed, so there isn't a lot of reason to update at this time.
 
Thanks a lot !!!!!!!!!!!!!!!!!!!!!!! Worked like a charm !!!!!!!!
It is really cool that you made it public; that makes me believe that there are still some people who are not only aiming for money.
Thanks again !
 
Everything can be found on the first page - however, first of all make sure you can downgrade the camera to 5.2.3 or less (via TFTP) to do the hack. Please note if you downgrade, you may brick the camera (in that case, you can't access the camera to do the hack), and it can be only upgraded back to 5.2.8 if you have the original firmware (via TFTP).

Can you link it to me if you have 5.2.8 firmware?

 
Re: Hikvision Permanent Region Code Hack - almost completed the final step

Mtd hack works on 5.2.8 (5.2.5) cameras!!

Just need to calculate a new checksum when you are modifying the mtd's (change 02 to 01 that's done at the red circled byte), analysis - checksum.. - checksum-16, and write the result 2 bytes before F4, pictures attached for example:

[Attached images: 2332mtd5.jpg, 2332mtd6mtd6.jpg]


This works for 5.2.8 (5.2.5) cameras:
2032, 2232, 2332 tested 100%

Still bricking: 2132, 2732 (different type of checksum)

Not tested: 2432, 2532, 2632 (don't have 5.2.8 at home)

Anyone that got it working on a 5.2.8 camera?
 

You are awesome!!!

I have 2732f-is and 2132f :D that's the only problem. Maybe we can get it working
 
I suspect the point when the use of the different checksum type occurs can be judged by checking the manufacturing date, the part that starts 0x41 in mtdblock6, looking for something after about January / February 2015, I'm not sure exactly when.
Hikvision decided to make it harder to modify the fairly easily changed camera language setting that allowed NVRs and cameras from different regions to work together.
At the same time, the NVR firmware of 3.0.10 and upwards starts to enforce a previously ignored language match requirement when users connect their new cameras to their new NVRs.
And the software hackers that support the 'unauthorised' sellers haven't yet fully refined their patches, hence the instances of unreliable cameras. But that will happen, it's a cat and mouse game.
Some clever people out there ...
http://www.ipcamtalk.com/showthread.php/3222-Hikvision-Checksum
 
...Hikvision decided to make it harder to modify the fairly easily changed camera language setting that allowed NVRs and cameras from different regions to work together. At the same time, the NVR firmware of 3.0.10 and upwards starts to enforce a previously ignored language match requirement when users connect their new cameras to their new NVRs...it's a cat and mouse game. Some clever people out there...

I believe that what Hikvision is missing is that they could well OWN the low-mid end market by making their cameras easy to mod...if they were to EMBRACE end-user camera modding instead of fighting it.
 
In truth I suspect they have to tread a fairly fine line between keeping their high-margin 'authorised distributors' happy by ensuring they keep making money by squeezing down on the 'grey imports' from the low-margin on-line sellers, whilst still getting revenue themselves from the in-country sales that end up out of region.
Although I have no idea what the relative volumes are from authorised resellers versus the on-line sellers, I suspect the latter may be the higher figure judging from the scale of Hikvision on the likes of Aliexpress.