How to - Fix your 15-beep-bootloop Hikvision DS-76xxN-Ex NVR, or convert to EN and make it updatable

How did you guess that ? There is no other flash chip on the board.
Guess is the right word.
Because the code that retrieves the bootpara data (the hardware signature that is written in manufacture) has multiple mentions of 'CPLD' as opposed to the 'HKWS' prefaced block in flash memory that the bootpara data of the DS-7600N-En series use.
 
Isn't it possible to have these CPLD into other files ? How to decrypt the firmware updates ?
=> Chinese 3.21 works
=> EU gave the 15 beeps.

I tried to mix the two firmwares :
The Chinese firmware 3.21 with apps.tar.lzma and webs.tar.lzma from the EU one gave the 15 beeps.

Perhaps the CPLD is coded into the firmware files ?

Regards
 
The 3.21 CN works and if I use hiktool it shows the SWKH header.



Code:
 HIK firmware header converter 0.5R

Head raw data(108b) :
00000000 E9 9A F7 B6 54 AE DD D3 42 B8 A3 AB B5 CB B5 BE    ....T...B.......
00000010 CF BC FE D6 E6 DD D3 BA 46 5C 54 40 34 4A 41 45    ........F\T@4JAE
00000020 43 01 29 35 22 2C 45 46 5C 54 40 34 B5 BE BA CD    C.)5",EF\T@4....
00000030 FE D6 CA DD C6 B9 AC 83 AA BF CB B5 BE BA CD BC    ................
00000040 BE A3 BE BC C8 DC 8D DF DE B9 9B D2 C0 A0 DD FE    ................
00000050 CA DD D3 BA B9 A3 AB BF CB B5 BE BA CD BC FE D6    ................
00000060 25 D2 BA B9 D3 EE 91 CB 15 DA B0 DA

Head decoded data(108b) :
00000000 53 57 4B 48 82 64 00 00 F8 01 00 00 0A 00 00 00    SWKH.d..........
00000010 02 00 00 00 2C 00 00 00 FF FF FF FF FF FF FF FF    ....,...........
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00    ................
00000030 00 00 00 00 15 03 15 20 01 00 00 00 00 00 00 00    ....§.§ ........
00000040 68 69 63 6F 72 65 2E 74 61 72 2E 6C 7A 6D 61 00    hicore.tar.lzma.
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000060 F8 01 00 00 70 45 2E 00 A0 64 0A 17

Magic number :    0x484B5753
iHeaderCheckSum : 0x00006482 [25730]
iHeadTotalLen :   0x000001F8 [504]
iFileNum :        0x0000000A [10]
iLanguage :       0x00000002 [2] CN
iDeviceClass :    0x0000002C
iOEMCode :        0xFFFFFFFF
iFirmwareVer :    0xFFFFFFFF
iFeature:         0xFFFFFFFF
Calculated CheckSum :        0x00006482 [25730]

Full decoded data (with full files block):
00000000 53 57 4B 48 82 64 00 00 F8 01 00 00 0A 00 00 00    SWKH.d..........
00000010 02 00 00 00 2C 00 00 00 FF FF FF FF FF FF FF FF    ....,...........
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00    ................
00000030 00 00 00 00 15 03 15 20 01 00 00 00 00 00 00 00    ....§.§ ........
00000040 68 69 63 6F 72 65 2E 74 61 72 2E 6C 7A 6D 61 00    hicore.tar.lzma.
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000060 F8 01 00 00 70 45 2E 00 A0 64 0A 17 75 49 6D 61    ....pE...d.↨uIma
00000070 67 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ge..............
00000080 00 00 00 00 00 00 00 00 00 00 00 00 68 47 2E 00    ............hG..
00000090 F0 F7 16 00 99 0C 6C 0B 61 70 70 2E 74 61 72 2E    ..▬...l.app.tar.
000000A0 6C 7A 6D 61 00 00 00 00 00 00 00 00 00 00 00 00    lzma............
000000B0 00 00 00 00 00 00 00 00 58 3F 45 00 F0 F0 0D 00    ........X?E.....
000000C0 D3 62 F0 06 64 76 72 43 6D 64 2E 74 61 72 2E 67    .b..dvrCmd.tar.g
000000D0 7A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    z...............
000000E0 00 00 00 00 48 30 53 00 28 30 00 00 BE 01 18 00    ....H0S.(0....↑.
000000F0 76 65 72 73 69 6F 6E 63 74 72 2E 74 61 72 2E 6C    versionctr.tar.l
00000100 7A 6D 61 00 00 00 00 00 00 00 00 00 00 00 00 00    zma.............
00000110 70 60 53 00 D0 25 01 00 15 30 92 00 68 69 73 69    p`S..%..§0..hisi
00000120 2E 74 61 72 2E 6C 7A 6D 61 00 00 00 00 00 00 00    .tar.lzma.......
00000130 00 00 00 00 00 00 00 00 00 00 00 00 40 86 54 00    ............@.T.
00000140 C0 9D 0C 00 BB 99 47 06 72 61 6D 64 69 73 6B 2E    ......G.ramdisk.
00000150 67 7A 00 00 00 00 00 00 00 00 00 00 00 00 00 00    gz..............
00000160 00 00 00 00 00 00 00 00 00 24 61 00 D8 A8 0A 00    .........$a.....
00000170 76 29 4F 05 77 65 62 73 2E 74 61 72 2E 6C 7A 6D    v)O.webs.tar.lzm
00000180 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    a...............
00000190 00 00 00 00 D8 CC 6B 00 60 48 09 00 39 2F 9F 04    ......k.`H..9/..
000001A0 73 74 61 72 74 2E 73 68 00 00 00 00 00 00 00 00    start.sh........
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000001C0 38 15 75 00 88 07 00 00 F8 C2 03 00 6E 65 77 5F    8§u.........new_
000001D0 31 30 2E 62 69 6E 00 00 00 00 00 00 00 00 00 00    10.bin..........
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 C0 1C 75 00    .............∟u.
000001F0 68 03 00 00 AC DA 01 00
C:\temp\TFTP-Auto-Update>
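
A structural check of the decoded header shown above, added here as an example and not taken from hiktool or from the posters. The field offsets, the 44-byte file entry and the back-to-back payload offsets are inferred from the dump, the sample header is constructed, and the checksum algorithm is not stated in the thread, so checksums are parsed but not verified.

```python
import struct

# Layout inferred from the decoded dump in the post above (an assumption, not vendor
# documentation): a 64-byte fixed part, then iFileNum entries of 44 bytes each.
FIXED = struct.Struct("<4s8I28s")  # magic, 8 little-endian words, 28 bytes not labelled in the post
ENTRY = struct.Struct("<32s3I")    # NUL-padded name, offset, length, checksum
LANGUAGES = {1: "EN", 2: "CN"}     # the two values named in this thread


def parse_header(decoded: bytes) -> dict:
    """Parse an already-decoded SWKH header and check that its file table is consistent."""
    if len(decoded) < FIXED.size:
        raise ValueError("shorter than the 64-byte fixed part")
    (magic, checksum, head_len, file_num, language,
     device_class, _oem, _fw_ver, _feature, _rest) = FIXED.unpack_from(decoded)
    if magic != b"SWKH":
        raise ValueError(f"magic is {magic!r}, not SWKH: header is still encoded or not this format")
    if head_len != FIXED.size + file_num * ENTRY.size:
        raise ValueError("iHeadTotalLen does not match iFileNum")
    if len(decoded) < head_len:
        raise ValueError("file table is truncated")
    files, expected = [], head_len  # the first payload starts right after the header
    for i in range(file_num):
        raw, offset, length, file_sum = ENTRY.unpack_from(decoded, FIXED.size + i * ENTRY.size)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if offset != expected:
            raise ValueError(f"{name}: offset {offset:#x}, expected {expected:#x}")
        files.append({"name": name, "offset": offset, "length": length, "checksum": file_sum})
        expected = offset + length
    return {"language": LANGUAGES.get(language, f"unknown({language})"),
            "device_class": device_class, "header_checksum": checksum, "files": files}


def build_sample(language: int = 2) -> bytes:
    """Constructed two-file header (not a real image); checksum fields are left at zero."""
    entries = [(b"hicore.tar.lzma", 0x1000), (b"uImage", 0x2000)]
    head_len = FIXED.size + len(entries) * ENTRY.size
    out = FIXED.pack(b"SWKH", 0, head_len, len(entries), language, 0x2C,
                     0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, b"\0" * 28)
    offset = head_len
    for name, length in entries:
        out += ENTRY.pack(name, offset, length, 0)
        offset += length
    return out


if __name__ == "__main__":
    info = parse_header(build_sample())
    print(info["language"], hex(info["device_class"]), [f["name"] for f in info["files"]])
```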
 
I tried to backup the CN bootpara block and write it back after uploading the ML firmware but it seems that I cannot erase the flash from u-boot.

Code:
HKVS # sf erase 0x10000 0x20000

8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS # sf erase 0x10000 0x20000

HKVS # sf erase 0x10000 0x20000

HKVS # sf write 0x80400000 0x10000 0x20000

HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 444c5043 ffff8174 ffffffff cd00ffff    CPLDt...........
8041e010: 1f006420 03b84e29 1291cc10 e8080000     d..)N..........
8041e020: ffff0200 ffffffff ffffffff ffffffff    ................
8041e030: ffffffff ffffffff ffffffff ffffffff    .............
 
Did you ever figure this out? I am having the same issue
 
It looks like what's missing is the command to select the flash chip - 'sf probe 0'
See this fragment from post #1 :
Code:
HKVS # setenv serverip 192.168.1.99
HKVS # setenv ipaddr 192.168.1.214
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000
 
I set the flash chip and tried again but I am not sure if it was successful.
Should I be seeing some kind of confirmation that erase/write was complete?

HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000
 
That's because :


Check your 'Conversations'.

I have the same issue as "AKMAL" where my download appears to be encoded. See below.

My situation is I bought a DS-7608N-E2 and tried to update to latest EN software and now it is bricked. I have tried everything to find the language codes but cannot find them.

Your help would be appreciated.

-
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!


U-Boot 2010.06-svn (Mar 11 2015 - 09:12:38)

Hit ctrl+u to stop autoboot: 0

This program will upgrade software.
***
* ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY! *
* Don't reset machine,or anything that interrupt it. *
* The upgrade process must finish in 10 minutes! *
* If this program fails,machine might be unusable, *
* and you will need to reflash again. *
* If you find this too risky,power off machine now. *
***

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=c4:2f:90:a3:26:8d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Mar 11 2015 - 09:12:38)

Environment size: 458/4092 bytes
HKVS #
HKVS #
HKVS # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bubt - Burn an boot image on the Boot Flash.
burnrouter- Burn an boot image to the router flash from host board.
cpld - write cpld info to encrypt media
cramfsload- cramfsload - load binary file from a filesystem image
cramfsls- cramfsls - list files in a directory (default /)
crc32 - checksum calculation
ddr - ddr training function
erase_env- erase envirement info on flash
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mw - memory write (fill)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
tftp - tftp - download or upload image via network using TFTP protocol
update - Update the digicap of the device.
version - print monitor version
HKVS #
HKVS #
HKVS # setenv ipaddr 192.0.0.64
HKVS # setenv serverip 192.0.0.128
HKVS #
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: a101b6ae 8f6e8ba4 7ce4b7f0 8876b1d8 ......n....|..v.
8041e010: 32854655 40e0e74d def020b7 2099b6c9 UF.2M..@. .....
8041e020: 4960fc37 8340dc43 a4b811b5 3043838a 7.`IC.@.......C0
8041e030: 2b12c6fd 6fbf1573 b3209f42 d3357b07 ...+s..oB. ..{5.
8041e040: db2fc8ce 24b01b5e b1c2219d 17ade9b8 ../.^..$.!......
8041e050: 61b0472f a660e482 9bc58df3 116ba1bf /G.a..`.......k.
8041e060: dfd9460d c36c14a5 4960fc37 8340dc43 .F....l.7.`IC.@.
8041e070: 4960fc37 8340dc43 4960fc37 8340dc43 7.`IC.@.7.`IC.@.
8041e080: 03168135 4358f453 d7bcc135 309da1e4 5...S.XC5......0
8041e090: 4960fc37 8340dc43 4960fc37 8340dc43 7.`IC.@.7.`IC.@.
8041e0a0: 4960fc37 8340dc43 4960fc37 8340dc43 7.`IC.@.7.`IC.@.
8041e0b0: 4960fc37 8340dc43 4960fc37 8340dc43 7.`IC.@.7.`IC.@.
8041e0c0: 4960fc37 8340dc43 66ee8c7c 688cd11b 7.`IC.@.|..f...h
8041e0d0: b48fb027 3d8ef48f 4960fc37 8340dc43 '......=7.`IC.@.
8041e0e0: 4960fc37 8340dc43 4960fc37 8340dc43 7.`IC.@.7.`IC.@.
8041e0f0: ea0e09a7 6d7ea5d3 4960fc37 8340dc43 ......~m7.`IC.@.
8041e100: ffff8d8f ffffffff ffffffff ffffffff ................
8041e110: ffffffff ffffffff ffffffff ffffffff ................
8041e120: ffffffff ffffffff ffffffff ffffffff ................
8041e130: ffffffff ffffffff ffffffff ffffffff ................
8041e140: ffffffff ffffffff ffffffff ffffffff ................
8041e150: ffffffff ffffffff ffffffff ffffffff ................
8041e160: ffffffff ffffffff ffffffff ffffffff ................
8041e170: ffffffff ffffffff ffffffff ffffffff ................
8041e180: ffffffff ffffffff ffffffff ffffffff ................
8041e190: ffffffff ffffffff ffffffff ffffffff ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff ................
HKVS # tftp 0x80400000 mtd1_part1 0x20000
timeout for link [4999]!
MAC: C4-2F-90-A3-26-8D
TFTP to server 192.0.0.128; our IP address is 192.0.0.64
Upload Filename 'mtd1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: # [ Connected ]
#
0.128 MB upload ok.
HKVS # !!!!!!!you Device is illegal, Please call factory!!!!!!
 
OK, here is a language modded version for you to try.
This is a plaintext copy, I'm not sure if a re-encrypted version will be needed.
Good luck!
I tried the mod and it still will not accept the change. Could you look at the putty print-out and let me know your thoughts. I look at your mod and it is showing 01 in location 0001E010. Is that correct? What about location 0001E000?
 


I tried the mod and it still will not accept the change.
Well, that's a disappointment. I'd hoped the plaintext modded version would work.

I look at your mod and it is showing 01 in location 0001E010. Is that correct?
Yes, that's the 'language byte', changed from 02 (Chinese) to 01 (English).

What about location 0001E000?
The first 4 bytes are the common Hikvision 'magic number' HKVS and then there are the checksum bytes.

Could you look at the putty print-out and let me know your thoughts.
There is something unusual in the serial console transcript.
You have successfully tftp transferred in the modified data, as is shown in the md result.

But then, after the erase, write and read commands - the read result is identical to the first read result with the original data.
It seems that the flash data has not been changed. And of course the NVR objects to it, as before.
No reboots or resets after the tftp modded file and the read / erase / write ?

Where are the status messages after the erase and write?
I'd expect to see this :
Code:
HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #

But they do not show here :
Code:
HKVS # sf erase 0x10000 0x20000

HKVS # sf write 0x80400000 0x10000 0x20000

HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #
HKVS # md 0x8041e000 80
8041e000: a101b6ae 8f6e8ba4 7ce4b7f0 8876b1d8    ......n....|..v.
8041e010: 32854655 40e0e74d def020b7 2099b6c9    UF.2M..@. .....
8041e020: 4960fc37 8340dc43 a4b811b5 3043838a    7.`IC.@.......C0
8041e030: 2b12c6fd 6fbf1573 b3209f42 d3357b07    ...+s..oB. ..{5.
8041e040: db2fc8ce 24b01b5e b1c2219d 17ade9b8    ../.^..$.!......
8041e050: 61b0472f a660e482 9bc58df3 116ba1bf    /G.a..`.......k.
8041e060: dfd9460d c36c14a5 4960fc37 8340dc43    .F....l.7.`IC.@.
8041e070: 4960fc37 8340dc43 4960fc37 8340dc43    7.`IC.@.7.`IC.@.
8041e080: 03168135 4358f453 d7bcc135 309da1e4    5...S.XC5......0
8041e090: 4960fc37 8340dc43 4960fc37 8340dc43    7.`IC.@.7.`IC.@.
8041e0a0: 4960fc37 8340dc43 4960fc37 8340dc43    7.`IC.@.7.`IC.@.
8041e0b0: 4960fc37 8340dc43 4960fc37 8340dc43    7.`IC.@.7.`IC.@.
8041e0c0: 4960fc37 8340dc43 66ee8c7c 688cd11b    7.`IC.@.|..f...h
8041e0d0: b48fb027 3d8ef48f 4960fc37 8340dc43    '......=7.`IC.@.
8041e0e0: 4960fc37 8340dc43 4960fc37 8340dc43    7.`IC.@.7.`IC.@.
8041e0f0: ea0e09a7 6d7ea5d3 4960fc37 8340dc43    ......~m7.`IC.@.
8041e100: ffff8d8f ffffffff ffffffff ffffffff    ................

Suggestion -
Maybe repeat the process with the original modded file to see if the same result occurs.

And also, to try, is an encrypted version of the modified file, and also a donor file from an NVR of almost the same model.
 

I have tried all the mods and also uploaded and downloaded the original with the same results. It appears the sf erase/ sf write/ sf read is not working as nothing appears.

Would it be possible to load CN digicap firmware to get the system working and then apply the changes? Do you have a CN firmware that will load?

Any thoughts?
 
It appears the sf erase/ sf write/ sf read is not working as nothing appears.
So no status messages during the sf erase and sf write commands?
That's very strange.
We're missing something here.

Did you use -
sf probe 0
before the commands -
Code:
HKVS #

HKVS # sf erase 0x10000 0x20000


HKVS # sf write 0x80400000 0x10000 0x20000


HKVS #

HKVS # sf read 0x80400000 0x10000 0x20000


HKVS #

Do you have a transcript of your repeat attempt?
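
The check the last few replies do by eye, as an added example (not code from the thread or from Hikvision): it flags `sf erase` / `sf write` commands in a console capture that were not preceded by an answered `sf probe` or that printed no completion line. The function names are hypothetical and the sample sessions are assembled from console lines quoted above.

```python
import re

PROMPT = "HKVS #"
STATUS = re.compile(r"^(Erasing|Writing) at 0x[0-9a-fA-F]+ -- 100% complete\.")

# Sample sessions assembled from console lines quoted in this thread.
GOOD = """\
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
"""
BAD = """\
HKVS # sf erase 0x10000 0x20000

HKVS # sf write 0x80400000 0x10000 0x20000

HKVS #
"""


def output_after(lines, i):
    """Yield the non-empty output lines between command i and the next prompt."""
    for line in lines[i + 1:]:
        if line.startswith(PROMPT):
            return
        if line:
            yield line


def audit_transcript(text):
    """Return findings for sf erase/write commands that gave no sign of having run."""
    findings, probed = [], False
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if not line.startswith(PROMPT):
            continue
        cmd = line[len(PROMPT):].strip()
        if cmd.startswith("sf probe"):
            # Count the probe only if the flash driver answered with a device line.
            probed = any("is now current device" in out for out in output_after(lines, i))
        elif cmd.startswith(("sf erase", "sf write")):
            if not probed:
                findings.append(f"line {i + 1}: '{cmd}' ran with no successful 'sf probe' before it")
            if not any(STATUS.match(out) for out in output_after(lines, i)):
                findings.append(f"line {i + 1}: '{cmd}' printed no completion status")
    return findings


if __name__ == "__main__":
    for name, log in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_transcript(log) or "ok")
```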