How to: Smarten up the dumbed-down HiWatch IPC-T140 4MP IP camera

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
This was just for fun and the interest of doing it - and shared for those other techy folk who might find it of interest.
Or of use for others - you never know.

A couple of months ago I bought a 'Spares & Repairs' HiWatch 4MP IPC-T140 turret from eBay - seller description suggesting a stuck IR filter.
I'd not had my hands on a HiWatch device and was curious what they were like compared with the more familiar pro-level devices.
Well, it turned out to be very ordinary, with motion detection only, the familiar Hikvision 'smart events' missing.
I looked round for any published firmware, but found none.

Hooking up the serial console though did show something interesting:
Code:
[    0.000000] Machine: Ambarella S2L (Flattened Device Tree), model: Ambarella S2LM Kiwi Board
[    0.000000] dev type:0x2261
That's the same board type as referenced in the DS-2CD2T42WD-8I, which is a 4MP R6 series device.
Code:
[    0.000000] Machine: Ambarella S2L (Flattened Device Tree), model: Ambarella S2LM Kiwi Board
[    0.000000] dev type:0x0
And the same amount of RAM and the same CPU clock speed.
Could it be the same hardware just running in a dumbed-down mode?
So I tried the R6 firmware and it worked perfectly.
But no new 'smart events' or other noticeable changes.

OK - so the dumbed-down HiWatch IPC-T140 runs on R6 firmware.
Presumably therefore the firmware adapts its capabilities based on the type of device it is running on.
Which prompts the thought 'Can the capabilities be improved by kidding the firmware about what it's running on?'

The answer is 'Yes' and there are several ways to do this, though it does need a tweak to the firmware as the 'bootpara data' isn't held in a flash partition that can be modified, like the R0 series.

What I ended up doing, which worked OK, was to modify the table that sets the device capabilities based on the devType that's coded in the security chip to give the same capabilities as the DS-2CD2T42WD-8I camera.
Other devType combinations can be used, provided the sensor type is also matched.

So the HiWatch IPC-T140 has been smartened up, and now has the very useful and familiar line crossing detection and intrusion detection smart events, and a couple of other additions to its repertoire.
Here are the after and before differences, as extracted using 'http://<camera_IP_address>/ISAPI/System/Capabilities'
Code:
197c187
< <pictureSearchType opt="CMR,MOTION,LineDetection,FieldDetection"/>
---
> <pictureSearchType opt="CMR,MOTION"/>
199c189
< <recordSearchType opt="CMR,MOTION,EDR,AllEvent,LineDetection,FieldDetection"/>
---
> <recordSearchType opt="CMR,MOTION,EDR,AllEvent"/>
212c202
< <isSupportFieldDetection>true</isSupportFieldDetection>
---
> <isSupportFieldDetection>false</isSupportFieldDetection>
220c210
< <isSupportLineDetection>true</isSupportLineDetection>
---
> <isSupportLineDetection>false</isSupportLineDetection>
242c232
< <isSupportSmartCalibration>true</isSupportSmartCalibration>
---
> <isSupportSmartCalibration>false</isSupportSmartCalibration>
And shown below are some before and after screenshots.
[Screenshots: dumb_1.jpg (before), smart_1.jpg and smart_2.jpg (after)]
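As an added example (not part of the original post, and not Hikvision or forum tooling), the before/after comparison above done programmatically rather than with a hand-run diff: it parses two saved copies of /ISAPI/System/Capabilities and lists every isSupport* flag that flipped and every opt="..." list that gained or lost entries, which is the quickest way to confirm a capability-table change actually took effect after a firmware swap. The two sample documents are constructed to mirror the fragments in the diff; the container elements (RacmCap, SmartCap), the namespace and the extra face-detection flag are assumptions used only to exercise the code. Against a real camera the XML would be fetched with HTTP digest auth (for example curl --digest) and saved to two files, which are then passed as the two arguments.

```python
"""Diff two ISAPI /System/Capabilities documents (added example)."""
import json
import sys
import xml.etree.ElementTree as ET

# Constructed sample documents. Element names and values mirror the
# before/after fragments in the thread's diff; the container elements
# (RacmCap, SmartCap), the namespace and the face-detection flag are
# assumptions about the real layout, used only to exercise the code.
BEFORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DeviceCap version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
  <RacmCap>
    <pictureSearchType opt="CMR,MOTION"/>
    <recordSearchType opt="CMR,MOTION,EDR,AllEvent"/>
  </RacmCap>
  <SmartCap>
    <isSupportFieldDetection>false</isSupportFieldDetection>
    <isSupportLineDetection>false</isSupportLineDetection>
    <isSupportSmartCalibration>false</isSupportSmartCalibration>
    <isSupportFaceDetection>false</isSupportFaceDetection>
  </SmartCap>
</DeviceCap>
"""

# The "after" document differs exactly where the thread's diff says it does.
AFTER_XML = (
    BEFORE_XML
    .replace('opt="CMR,MOTION"', 'opt="CMR,MOTION,LineDetection,FieldDetection"')
    .replace('opt="CMR,MOTION,EDR,AllEvent"',
             'opt="CMR,MOTION,EDR,AllEvent,LineDetection,FieldDetection"')
    .replace("<isSupportFieldDetection>false", "<isSupportFieldDetection>true")
    .replace("<isSupportLineDetection>false", "<isSupportLineDetection>true")
    .replace("<isSupportSmartCalibration>false", "<isSupportSmartCalibration>true")
)


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_capabilities(xml_text: str):
    """Return (flags, opts).

    flags maps element path -> bool for every isSupport* element;
    opts maps element path -> frozenset of the comma-separated opt="" values.
    Paths are namespace-free, e.g. DeviceCap/SmartCap/isSupportLineDetection.
    """
    root = ET.fromstring(xml_text)
    flags, opts = {}, {}

    def walk(elem, path):
        name = _local(elem.tag)
        here = f"{path}/{name}" if path else name
        if name.startswith("isSupport"):
            text = (elem.text or "").strip().lower()
            if text not in ("true", "false"):
                raise ValueError(f"{here}: expected true/false, got {text!r}")
            flags[here] = text == "true"
        if "opt" in elem.attrib:
            opts[here] = frozenset(v for v in elem.attrib["opt"].split(",") if v)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return flags, opts


def diff_capabilities(before_xml: str, after_xml: str) -> dict:
    """Report flags that turned on/off and opt lists that gained/lost values."""
    b_flags, b_opts = parse_capabilities(before_xml)
    a_flags, a_opts = parse_capabilities(after_xml)
    enabled = sorted(p for p in a_flags if a_flags[p] and not b_flags.get(p, False))
    disabled = sorted(p for p in b_flags if b_flags[p] and not a_flags.get(p, False))
    opt_added, opt_removed = {}, {}
    for p in sorted(set(b_opts) | set(a_opts)):
        gained = a_opts.get(p, frozenset()) - b_opts.get(p, frozenset())
        lost = b_opts.get(p, frozenset()) - a_opts.get(p, frozenset())
        if gained:
            opt_added[p] = sorted(gained)
        if lost:
            opt_removed[p] = sorted(lost)
    return {"enabled": enabled, "disabled": disabled,
            "opt_added": opt_added, "opt_removed": opt_removed}


if __name__ == "__main__":
    # Usage: python capdiff.py before.xml after.xml (no args: built-in samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f1, open(sys.argv[2], encoding="utf-8") as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = BEFORE_XML, AFTER_XML
    print(json.dumps(diff_capabilities(before, after), indent=2))
```

Keying on the full element path rather than the bare element name matters on a real capability document, where the same element name (for example a searchType list) can appear under more than one parent.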
 

StewartM

Getting the hang of it
Joined
Dec 11, 2017
Messages
260
Reaction score
75
Location
Cape Town
Hi Alastair, I'm wondering if the same method will work on a R3 series DS-2DF7286-AEL PTZ.
I'm hoping to enable Platform Access in the same way you did with smart events. It's one of the few listed series (DF) that does not support HikConnect.
isSupportPlatformAccess=false and can't be activated using curl or similar methods.

I can extract v5.5.0 firmware using the Firmware Mod tool but not sure where the table that sets the device capabilities you mentioned resides.

Update - think I've figured it out. I see there are numerous posts covering this.
 

alastairstevenson

Hello Stewart,
An interesting idea - that sounds like a challenge!
I downloaded the firmware for that model from here :
DOWNLOAD EU PORTAL
The firmware unpacks OK with @leecher's repacker.

Looking at the firmware contents - the main application program that was invariably named 'davinci' is in this firmware named 'centaurus'.
What I'd aimed to do was to decrypt that program and to locate the equivalent switch case table on the basis that the way it worked would be similar to how davinci usually works. Then the devType-indexed capability-setting target routines could be changed to modify what the device may be able to do.
Unfortunately - it looks like they haven't just renamed the program, but also used a different encryption key from the previously known set.
So this challenge has been stopped in its tracks I'm afraid.

But it's likely just a matter of time before some capable reverse-engineering person extracts the encryption key.
 

StewartM

Thanks for the info. Scrap my last comment then, I'm far from figuring it out. I have a couple of long-shots still to try, mainly with custom firmware only found on hikvison's ftp site. I'll keep you posted.
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
Unfortunately - it looks like they haven't just renamed the program, but also used a different encryption key from the previously known set.
Nonsense..

Code:
hik_repack -u digicap.dav fw                  # unpack the firmware container into ./fw
cd fw
lzma -d <firmware.tar.gz >firmware.tar        # despite the .gz name, the archive is LZMA-compressed
mkdir unp_fw
cd unp_fw
tar -xvf ../firmware.tar
hik_repack -x4d centaurus_bak centaurus.lzma  # decrypt the main app with key 4 (-x<n>d)
lzma -d <centaurus.lzma >centaurus            # centaurus is the main application binary
 

alastairstevenson

Nonsense..
Good to know!

But I already tried -x4d and got this :
Code:
alastair@PC-I5 ~/cctv/CameraFirmware/V5.5.0/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus $ ll
total 6792
drwxrwxr-x 2 alastair alastair    4096 Aug 25 19:49 ./
drwxr-xr-x 5 alastair alastair    4096 Aug 25 19:33 ../
-rwxr-xr-x 1 alastair alastair 6944220 Jul 31  2017 centaurus_bak*
alastair@PC-I5 ~/cctv/CameraFirmware/V5.5.0/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus $ hik_repack10 -x4d centaurus_bak centaurus.lzma
HIKvision firmware repacker V0.10BETA, (c)oded by leecher@dose.0wnz.at 06/2019 Compiled by Rearanger

Done.
*** stack smashing detected ***: hik_repack10 terminated
Aborted (core dumped)
alastair@PC-I5 ~/cctv/CameraFirmware/V5.5.0/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus $ openssl version
OpenSSL 1.1.1  11 Sep 2018
alastair@PC-I5 ~/cctv/CameraFirmware/V5.5.0/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus $
alastair@PC-I5 ~/cctv/CameraFirmware/V5.5.0/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus $
Does the run-time need the older openssl installed?
 

alastairstevenson

Does the run-time need the older openssl installed?
Maybe not.
Linux Mint 19.1 VM under VirtualBox :
Code:
alastair@alastair-VirtualBox:/run/user/1000/gvfs/smb-share:server=pc-i5.local,share=virtualbox_shared_folder/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus$ ll
total 15656
drwx------ 1 alastair alastair       0 Aug 26 10:52 ./
drwx------ 1 alastair alastair       0 Aug 25 19:33 ../
-rwx------ 1 alastair alastair 6944220 Jul 31  2017 centaurus_bak*
-rwx------ 1 alastair alastair 6944027 Aug 26 10:34 centaurus.lzma*
-rwx------ 1 alastair alastair 2142544 Aug  6 14:58 hik_repack10*
alastair@alastair-VirtualBox:/run/user/1000/gvfs/smb-share:server=pc-i5.local,share=virtualbox_shared_folder/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus$ openssl version
OpenSSL 1.0.0t 3 Dec 2015
alastair@alastair-VirtualBox:/run/user/1000/gvfs/smb-share:server=pc-i5.local,share=virtualbox_shared_folder/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus$ ./hik_repack10 -x4d centaurus_bak dec_centaurus_bak
HIKvision firmware repacker V0.10BETA, (c)oded by leecher@dose.0wnz.at 06/2019 Compiled by Rearanger

Done.
*** stack smashing detected ***: ./hik_repack10 terminated
Aborted
alastair@alastair-VirtualBox:/run/user/1000/gvfs/smb-share:server=pc-i5.local,share=virtualbox_shared_folder/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus$ uname -a
Linux alastair-VirtualBox 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
alastair@alastair-VirtualBox:/run/user/1000/gvfs/smb-share:server=pc-i5.local,share=virtualbox_shared_folder/IPD_R3_EN_STD_V5.5.0_Build170731/contents/centaurus$
 

leecher

Maybe compiler/glibc problem?
Not reproducible when compiling myself. Compile with debug symbols (-g) and check where it overruns.
My production system configuration:

OpenSSL-Version: 0.9.8c-4etch9
GNU libc 2.3.6

But also tested it with:
OpenSSL-Version: 1.0.0e-2ubuntu4.7
Ubuntu EGLIBC 2.13-20ubuntu5.3

Also no stack overruns there.
 

alastairstevenson

Maybe compiler/glibc problem?
You are probably correct.
The .10 version I used was compiled by @rearanger but I see the same error on the 0.6 version that I compiled.
One possible variable may be the crc32.o I used - attached.

Compile with debug symbols (-g) and check where it overruns.
Thanks, I will try that.
 


leecher

Hm, maybe it is my output buffer that is overrunning. The OpenSSL docs state:

"The amount of data written depends on the block alignment of the encrypted data: as a result the amount of data written may be anything from zero bytes to (inl + cipher_block_size - 1) so out should contain sufficient room."

Try to declare

buf_out[0x1000 + 32]

in crypt_file, does it help? :)
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
This was a pain for me to compile. I still have the VM machine setup if it needs to be recompiled?

it was compiled on Ubuntu 16.04 32-bit, OpenSSL 1.0.2g 1 Mar 2016
(Ubuntu GLIBC 2.23-0ubuntu11) 2.23


compile command
gcc -static -o hik_repack hik_repack.c -lcrypto -I/usr/local/ssl/include -L/usr/local/ssl/lib -lz

(just tried to decrypt centaurus_bak and get same error as alex)
 

leecher

Static compiling is easy, just do:

gcc -o hik_repack hik_repack.c -static `pkg-config --static --libs openssl`

It's described even in the header comment ;-)
 

alastairstevenson

in crypt_file, does it help?
Many thanks - I'll try that later.

Static compiling is easy, just do:

gcc -o hik_repack hik_repack.c -static `pkg-config --static --libs openssl`

It's described even in the header comment ;-)
Yes, I tried that too.

It turns out that, despite the program crash, the resultant decrypted output appears to be OK.
I'll have a play around later.
Many thanks for the suggestions, it's much appreciated.
As is your repacker tool ...
 

rearanger

Static compiling is easy, just do:

gcc -o hik_repack hik_repack.c -static `pkg-config --static --libs openssl`

It's described even in the header comment ;-)

Did not work for me, I can only assume some of my paths are wrong. Had to use the previous example to compile. Could just be me being a numpty lol
 

alastairstevenson

hik_repack -x4d centaurus_bak centaurus.lzma
Despite that I don't want to create any more work for you - but this appears to be a bug:

On the same file, check out the file result of using x1d instead of x4d
hik_repack -x1d centaurus_bak centaurus.lzma

Using x1d doesn't result in a decryption error, unlike x2d x3d x5d x6d and the resultant file has the wrong data.
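Two points in this thread call for the same check: the decrypt that aborts with "stack smashing detected" but, per alastairstevenson's earlier post, still produces output that appears to be OK, and the -x1d run above that finishes without a decryption error yet yields the wrong data. As an added example (not part of the thread, and not part of hik_repack), here is a Python script that validates a decrypted centaurus_bak or davinci blob the way the next pipeline steps would: the bytes must carry a sane LZMA-alone header (what lzma -d consumes), the stream must decompress cleanly, and the result must be an ELF executable for the expected CPU. The sample image is a constructed minimal ELF32 header plus filler, compressed with Python's lzma module; the assumption that the main application is a 32-bit ARM ELF is mine (it holds for the Ambarella S2L named in the boot log; change EM_ARM if the target differs).

```python
"""Validate a decrypted Hikvision main-application blob (added example)."""
import lzma
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EM_ARM = 0x28           # e_machine for 32-bit ARM (assumption: target SoC is ARM)
LZMA_ALONE_HEADER = 13  # properties(1) + dict_size(4, LE) + uncompressed_size(8, LE)


def parse_lzma_alone_header(data: bytes) -> dict:
    """Decode the .lzma ('LZMA-alone') header that `lzma -d` expects.

    A wrong decryption key usually shows up here first: the properties byte
    encodes lc + lp*9 + pb*45 and must be below 225, which random bytes fail.
    """
    if len(data) < LZMA_ALONE_HEADER:
        raise ValueError("too short for an LZMA-alone header")
    props, dict_size, usize = struct.unpack("<BIQ", data[:LZMA_ALONE_HEADER])
    if props >= 9 * 5 * 5:
        raise ValueError(f"properties byte 0x{props:02x} is not valid LZMA")
    return {
        "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
        "dict_size": dict_size,
        # all-ones means "unknown size, stream ends with an end marker"
        "uncompressed_size": None if usize == 0xFFFFFFFFFFFFFFFF else usize,
    }


def parse_elf_ident(image: bytes) -> dict:
    """Read the ELF identification bytes and e_machine; raise if not an ELF."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("decompressed data is not an ELF image")
    ei_class, ei_data = image[4], image[5]   # 1 = ELF32/LE, 2 = ELF64/BE
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", image[18:20])
    return {"class": ei_class, "little_endian": ei_data == 1, "e_machine": e_machine}


def check_decrypted_app(blob: bytes) -> dict:
    """Validate a decrypted blob end to end; raise ValueError with the reason."""
    hdr = parse_lzma_alone_header(blob)
    try:
        image = lzma.decompress(blob, format=lzma.FORMAT_ALONE)
    except lzma.LZMAError as exc:
        raise ValueError(f"LZMA stream does not decompress cleanly: {exc}") from exc
    elf = parse_elf_ident(image)
    if elf["e_machine"] != EM_ARM:
        raise ValueError(f"ELF e_machine 0x{elf['e_machine']:x} is not ARM (0x28)")
    return {"lzma": hdr, "elf": elf, "image_size": len(image)}


def is_plausible_app(blob: bytes) -> bool:
    """Boolean form of check_decrypted_app for scripting (e.g. trying -x1d..-x6d)."""
    try:
        check_decrypted_app(blob)
        return True
    except ValueError:
        return False


def build_sample_image() -> bytes:
    """Constructed stand-in for the real app: minimal ELF32 ARM ET_EXEC header + filler."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELF32, LE, version 1, SysV
    rest = struct.pack("<HHIIIIIHHHHHH",
                       2, EM_ARM, 1, 0x8000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return e_ident + rest + b"\x00" * 512 + b"centaurus" * 64


def build_sample_blob() -> bytes:
    """What a correct decrypt of centaurus_bak looks like: an LZMA-alone stream."""
    return lzma.compress(build_sample_image(), format=lzma.FORMAT_ALONE)


def corrupt(blob: bytes, key: int = 0xA5) -> bytes:
    """Stand-in for a wrong-key decrypt: right length, every byte wrong."""
    return bytes(b ^ key for b in blob)


if __name__ == "__main__":
    # Usage: python checkapp.py centaurus.lzma (no args: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    try:
        print(check_decrypted_app(data))
    except ValueError as err:
        sys.exit(f"NOT a usable app image: {err}")
```

Run it on the output of each -x<n>d attempt: a key that produces the wrong data fails at the header or at decompression, regardless of whether the decrypting tool itself reported an error or aborted after writing the file.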
 

Defender666

Getting the hang of it
Joined
Dec 19, 2015
Messages
193
Reaction score
25
Hi

I have Hiwatch DS-I230 and it is missing Line crossing. Did not know before buying.

Can I smarten up this camera?

Which file exactly need to be modified?

I assume you use the firmware mod tool?
 

alastairstevenson

I read this post and forgot to reply - apologies.
Can I smarten up this camera?
Maybe, but need some more detail.
A source for the firmware is needed. What version is currently running?
Also needed is the internal model number - this usually shows in the prtHardInfo command at a shell prompt.

Which file exactly need to be modified?
The main app program davinci.
I assume you use the firmware mod tool?
@leecher's repacker tool should work OK, provided the firmware isn't new enough to use code-signing protection.
[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
 