How to - Fix your 15-beep-bootloop Hikvision DS-76xxN-Ex NVR, or convert to EN and make it updatable

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Where I can find the information on my oem one ?
A google search for the model number might allow a possible match to be made.
What's the model?
Maybe another forum member also has one.
 

reesion

n3wb
Joined
Sep 7, 2016
Messages
7
Reaction score
0
Location
Australia
Here is a worked example of how to permanently change a Hikvision China language DS-76xxN-Ex NVR to an EN language device that will then take the stock EN/ML firmware.
I've used a few Hikvision CN NVRs, bought at low cost off Aliexpress, and typically installed 'hacked to English' firmware to gain access to the newer firmware fixes and added features.
I thought it was time to do something different, and maybe also help out any forum members who want to update their firmware, or to unbrick devices that are suffering from the '15 beep bootloop' after an update.

This example was carried out on a Hikvision DS-7608N-E2/8P purchased at very low cost as a 'bricked' device from an on-line marketplace. Not eBay.

Note
This basic method will not work when the NVR was manufactured with an encoded version of the 'hardware descriptor block' as opposed to the plaintext version shown as an example here.
That requires some extra work.

The steps are summarised as follows :
  • Connect up to the NVR serial console using a 'serial TTL to USB convertor'.
  • Gain access to the bootloader by interrupting the boot process.
  • Start a normal tftp server such as from TFTP server and set IP addresses to match.
  • Pull a copy of the (normally hidden and protected) first half of mtdblock1. This holds the device 'hardware descriptor block'.
  • Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed.
  • Write the modded section back to mtdblock1
Job done!
And the DS-76xxN-Ex NVR is now upgradeable.


This is a transcript of how to extract the normally hidden first half of mtdblock1, that holds the familiar 'hardware descriptor block'.
Code:
Uploading the first (hidden) half of mtdblock1 to do the
MTD hack on the hardware descriptor (bootpara) block.
For convenience, just temporarily changing the device and tftp server IP addresses.

-------------------------------------------------------

HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS #
HKVS #
HKVS # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - Burn an boot image on the Boot Flash.

cmp     - memory compare
cp      - memory copy
cpld    - write cpld info to  encrypt media

cramfsload- cramfsload  - load binary file from a filesystem image
cramfsls- cramfsls      - list files in a directory (default /)
crc32   - checksum calculation
ddr     - ddr training function
erase_env- erase envirement info on flash

getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftp    - tftp  - download or upload image via network using TFTP protocol
update  - Update the digicap of the device.

version - print monitor version
HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS # tftp 0x80400000 mtd1_part1 0x20000
MAC:   8C-E7-48-76-BF-4D
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtd1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS #

This is a transcript of how to apply the modded first half of mtdblock1, showing that the NVR now boots normally, no more 15-beep bootloop, and shows as an EN language device.
In this case it's still running the EN/ML firmware that 'bricked' it. It was then updated to the latest firmware version via the web GUI.
Code:
This is the bootpara edit to change language to EN from CN.
It's the same layout and method as the MTD hack on R0 cameras.
The aim is to get to :
--------------------------------------
language = 1
devType:DS-7608N-E2/8P
--------------------------------------
Initially we have the 15-beep bootloop due to EN/ML firmware
being loaded on a CN language NVR - DS-7608N-E2/8P
-----------------------------------------------------------

!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device buy in cn, you firmware is en err!!!!!!



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS #
HKVS #
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS # setenv serverip 192.168.1.99
HKVS # setenv ipaddr 192.168.1.214
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # tftp 0x80400000 mtd1_part1_mod
MAC:   8C-E7-48-76-BF-4D
TFTP from server 192.168.1.99; our IP address is 192.168.1.214
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: #################################################
done
Bytes transferred = 131072 (20000 hex)
HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0
### CRAMFS load complete: 3181672 bytes loaded to 0x80400000
timeout for link [5000]!
MAC:   8C-E7-48-76-BF-4D
|NUL ethaddr| TFTP server not found
## Booting kernel from Legacy Image at 80400000 ...
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-06-29 13:49:45 CST)
Starting udev:      [ OK ]
Sat Feb 16 12:08:48 UTC 2019
----------<1> tar guir webs ----------
----------<2> show logo ----------
show logo Sat Feb 16 12:08:57 UTC 2019
mv: can't rename '/home/app/exec/pppd': No such file or directory
mv: can't rename '/home/app/exec/pppoe': No such file or directory
mv: can't rename '/home/app/exec/ss': No such file or directory
mv: can't rename '/home/app/exec/dropbear': No such file or directory
mv: can't rename '/home/app/exec/dropbearkey': No such file or directory
/home/start.sh: line 29: dropbearkey: not found
chmod: /usr/bin/dvrCmd/dvrtools: No such file or directory
----------<3> load hisi sdk ----------
The system mem size is 0x1
/
load 3535 ok
----------<4> del no use res ----------
mv: can't rename '/home/app/res/adAudio.jpg': No such file or directory
/home/start.sh: line 79: ./pppoed: not found
iSCSI daemon with pid=918 started!!!! the device is not toe !!!


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.
.
.

[snip lots of serial console chat]
.
.

$$$$$$$$$$$$$ iAoChans[4] $$$$$$$$$$$$$

#
#
# getHardInfo
Start at 2019-02-16 12:09:04
Serial NO :0820140723AARR472802079WCVU
V3.4.80 build 160718
softBase:/Platform/trunk:0
KernelVersion: V1.0.0 build 160629
dspSoftVersion: V5.0 build 160716
codecVersion: V5.0 build 160716
hardwareVersion = 0x0
encodeChans = 0
decodeChans = 8
alarmInNums = 0
alarmOutNums = 0
flashsize = 0x0
ramSize = 0x20000000
networksNums = 1
language = 1
devType:DS-7608N-E2/8P
bootPartition = 1
randomCode =
#
#
# help
Support Commands:
GetAnrCfgInfo                   GetAnrProcess                   GetAnrRecordList
ShowIpcAbility                  accessDvrSwitch                 channelPlayback
clearDisksMode                  ctrlArchDebug                   decStat
disableHB                       disableHik264                   dspStatus
dvrLogInfo                      dt                              enableHB
enableHik264                    enableWatchdog                  errputClose
errputOpen                      get3GMode                       getCMS
getCycleReboot                  getDbgCtrl                      getHardInfo
getIp                           getLastErrorInfo                getPlayTestCtrl
getPort                         getServerInfo                   guiChkCfg
guiEnterMenuCount               guiPrtScr                       guiStatus
helpm                           helpu                           i2cRead
megaDspConfig                   miscCmd                         netstat
outputClose                     outputOpen                      partRecDetails
ping                            printPart                       pthreadInfo
recorderChanInfo                recorderFileInfo                recorderFileKeyFrame
recorderHDIdle                  recorderMediaInfo               recorderPAllocFile
recorderParam                   recorderSegExtraInfo            recorderStatus
sendATCom                       set3GPrint                      set3GEnable
searchInfo                      setGateway                      setIp
setlang                         setMtu                          setoutputmode
setPrint                        show8107coreUseInfo             showCurPlayChanFileInfo
showDeviceTemp                  showIpcMemInfo                  showNetIpcmInfo
showNetLinksInfo                showPlayChanStatus              showPlayClipFile
showPlayScreenInfo              showPlayStatus                  showPlayTime
showPreviewInfo                 showShareSvcInfo                showSpareWorkStatus
showTagSysInfo                  showUserInfo                    showpu
t1                              t2                              transcodeResStatus
getDateInfo                     dmesg                           help

#
Hi Alastair,

I've a DS-7716N-E4 / 16P believe to be running hacked EN firmware. I would like to upgrade the firmware on the unit to enable some missing features (like cloud backup and SNMP). Will the steps above work for my NVR? or is there an EN firmware already available for me apply?
Also, is this the serial TTL to USB converter that i need? FTDI FT232RL USB to Serial adapt module USB TO TTL RS232 Cable 6Pin T Pd3C_AU | eBay
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Will the steps above work for my NVR?
Yes, if the bootparms flash area is not encoded as it is on the newer firmware.

is there an EN firmware already available for me apply?
That will brick the device with the '15-beep bootloop'.

That looks OK, if a bit on the pricey side.
Maybe search for a PL2303TA-based device.

You'll also need a wired connector - 4-pin 1.5mm JST ZH
Usually come in 10-packs.

enable some missing features (like cloud backup
That's not something I've see on that series.
 

arunix

n3wb
Joined
Jun 21, 2015
Messages
10
Reaction score
3
Hi,

I need some help. I am stuck at the part of uploading the modified mtd. I get this error:

TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: T T T T T T
TFTP error: 'Undefined error code' (0)
Starting again

I even try uploading the original mtd but that still gives me an error:

TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: T T T T T T
TFTP error: 'Undefined error code' (0)
Starting again

I already tried disabling my firewall. Any ideas? I can download to my tftp server fine but uploading always fails.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
The T is a timeout error.
The NVR isn't able to connect to the tftp server.
What is the PC IP address?
What tftp server is being used?
 

arunix

n3wb
Joined
Jun 21, 2015
Messages
10
Reaction score
3
The T is a timeout error.
The NVR isn't able to connect to the tftp server.
What is the PC IP address?
What tftp server is being used?
Thank you for the fast reply.

I've used tftp32 with server address 192.0.0.128/32 and the PC is set to the same address. Using the same settings I can download from the NVR fine but it always timesout when uploading.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I managed to get it working with a freshly installed Windows 10 laptop. Must have been my antivirus or something that was blocking me.
Hey, well done!
So was this a bricked CN NVR, or just a CN NVR that you wanted to convert?

Be aware that on the newer firmware, and I'm not sure exactly from which version, maybe 3.4.96, the kernel will automatically read / check / encrypt and re-write the bootpara area if it finds that it is in plaintext.
 

arunix

n3wb
Joined
Jun 21, 2015
Messages
10
Reaction score
3
Hey, well done!
So was this a bricked CN NVR, or just a CN NVR that you wanted to convert?

Be aware that on the newer firmware, and I'm not sure exactly from which version, maybe 3.4.96, the kernel will automatically read / check / encrypt and re-write the bootpara area if it finds that it is in plaintext.
Thx! I needed to convert my CN NVR because it started to give me an error that one of my cameras has "no enough network bandwidth". I did use 3.4.98 firmware but as long as the NVR doesn't give me any issues I'm probably not gonna touch the firmware again.

On a fun sidenote, I didn't have the proper cables to interface with the NVR so I stripped the ends of some jumper wires and used those instead:
 

Attachments

toribola

n3wb
Joined
Sep 24, 2020
Messages
10
Reaction score
0
Location
France
Hi,

your method is interesting. Does it works with DS-7108N-SN bought on AliExpress?

I downloaded all the firmwares. Tryed to patch the language code but I have the 15 beeps after a tftp upgrade.

71xx_snp Chinese to English 3.13_b.150503.zip => Works
NVR_(71_4_8channel_SN)BL_ML_Eurpon_West_STD_V3.0.21_170417.zip patched with hiktools05R1 => Failure with 15 beeps

I am interested to make it works.

1/ How to do the step : - "Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed. "

All the files are here :


Do you have any helpful commands ?

Kind regards,
 

toribola

n3wb
Joined
Sep 24, 2020
Messages
10
Reaction score
0
Location
France
Ok, I saw the explanation in #4. It is clear. I will test the change tomorow.

Kind regards.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Does it works with DS-7108N-SN bought on AliExpress?
Sorry, but I don't know if that model saves the device signature data in the same way as the 76xxN-Ex series.

All the files are here :
These are firmware files, as far as I can see, not an extract from a flash partition.

71xx_snp Chinese to English 3.13_b.150503.zip => Works
That is presumably 'hacked to English' firmware.

Ok, I saw the explanation in #4. It is clear. I will test the change tomorow.
Good luck!
 

toribola

n3wb
Joined
Sep 24, 2020
Messages
10
Reaction score
0
Location
France
Here is the result of the u-boot stuff.

I also uploaded a spi dump of the Winbond flash on the google drive : DS7108N_3.13.bin


Code:
Now press [u/U] key to upgrade software: b
HKVS #
HKVS #
HKVS # printenv
bootdelay=1
baudrate=115200
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
bootargs_end=255.255.255.0:Hik-eth:eth0:none
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
sec=tftp 0x80400000 uImage_sec;tftp 0x80800000 ramdisk.gz;bootm 0x80400000 0x80800000;
default=fsload 0x80400000 uImage;fsload 0x80800000 ramdisk.gz;bootm 0x80400000 0x80800000;
phyaddr0=0x1d
stdin=serial
stdout=serial
stderr=serial
verify=y
ethaddr=18:68:cb:84:ef:a8
bootargs=mem=188M console=ttyS1,115200
ver=U-Boot 2010.06-svn (Jul 22 2016 - 12:22:03)

Environment size: 579/4092 bytes


HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 444c5043 ffff8174 ffffffff cd00ffff    CPLDt...........
8041e010: 1f006420 03b84e29 1291cc10 e8080000     d..)N..........
8041e020: ffff0200 ffffffff ffffffff ffffffff    ................
8041e030: ffffffff ffffffff ffffffff ffffffff    ................
8041e040: ffffffff ffffffff ffffffff ffffffff    ................
8041e050: ffffffff ffffffff ffffffff ffffffff    ................
8041e060: ffffffff ffffffff ffffffff ffffffff    ................
8041e070: ffffffff ffffffff ffffffff ffffffff    ................
8041e080: ffffffff ffffffff ffffffff ffffffff    ................
8041e090: ffffffff ffffffff ffffffff ffffffff    ................
8041e0a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e0b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e0c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e0d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e0e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e0f0: ffffffff ffffffff ffffffff ffffffff    ................
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I also uploaded a spi dump of the Winbond flash on the google drive : DS7108N_3.13.bin
I'm speculating a bit - looking at the flash dump, it seems that the bootpara data (that includes language) is not stored in a flash partition but in a separate chip.
 

toribola

n3wb
Joined
Sep 24, 2020
Messages
10
Reaction score
0
Location
France
Thanks, How did you guess that ? There is no other flash chip on the board.

the getHardInfo gives the language code 2. Perhap's it derived from a hardwar spec ?

eval_cmd is getHardInfo
getHardInfo
path=/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/dvrCmd:/opt/dvrCmd
fullpath=/usr/bin/dvrCmd/getHardInfo
Start at 2020-09-25 09:38:09
Serial NO :0820170518AARR765572728WCVU
V3.0.13 build 150503
KernelVersion: V1.0.0 build 150327
dspSoftVersion: V5.0 build 150413
codecVersion: V5.0 build 080808
hardwareVersion = 0xcd00
encodeChans = 0
decodeChans = 8
alarmInNums = 0
alarmOutNums = 0
ataCtrlNums = 1
flashsize = 0x8
ramSize = 0x0
networksNums = 1
language = 2
devType:DS-7108N-SN/P
bootPartition = 2
randomCode = IOUVHP
 
Top