How to upgrade a 5.25 mtd hack firmware?

Calumet

Aug 10, 2017
Hello, I've one DS-2CD2532F-IWS and one DS-2CD2432F-IW.
They came with 5.3.0 on the sticker from aliexpress.
After a brick I succeeded in downgrading them with the MTD hack to 5.2.5.
I tried to upgrade the DS-2CD2432F-IW with different firmware with no success.

Is it possible, and if yes, how can I do it?

Thanks!
 
Thank you for the answer. I spent hours reading all the threads but I'm missing something. Perhaps in the MTD hack.

EDIT: I modified the mtd again and I now have "The type of upgrade file mismatches" when I try to upgrade.
 

Thank you for the answer. I spent hours reading all the threads but I'm missing something. Perhaps in the MTD hack.
It looks like you have done the 'classic mtd hack'.
This will provide EN menus with 5.2.5 firmware, but with the values for the devType at 0x64 and the checksum at 0x04, it will not provide the ability to update beyond 5.3.0.

 
OK, so I didn't use the right method. I don't speak English, so that explains why I'm confused ;)
So now, I suppose I put back the mtdblock5 and mtdblock6 and follow the "enhanced_mtd hack", modifying only the mtdblock6.
Is that right?

EDIT: with prtHardInfo, this is what I get. Any trouble?

prthardinfo.JPG
 
So now, I suppose I put back the mtdblock5 and mtdblock6 and follow the "enhanced_mtd hack", modifying only the mtdblock6.
Is that right?
Yes, that's correct.
From your prtHardInfo data, the devType in hex will be 0x9812.
So in mtdblock6 in location 0x64 you put 12 and leave the 98 as it is already in location 0x65.
And finally you need to calculate the Checksum-16 value of the 0xF4 bytes from location 0x09 onwards and put that value into location 0x04 (the least significant byte) and 0x05 (the most significant byte).
If you don't think you will manage that - send me a copy of your mtdblock6 via 'Conversations' and I'll do the changes for you.
But I'm sure you will be fine - you've done OK so far.
Good luck!
 
Hello alastairstevenson,

Thanks for all your hard work and for sharing the info.

I do have a CN 2132 with 5.2.5 hacked to EN language from ali (box sticker says 5.2.8). It is still as I got it from CN, fully working, not bricked. Just to avoid any misunderstanding, is it "enough" to do your enhanced mtd-hack (as here) on mtd6 (and leave the mtd5 as it is?) and then to apply 5.3.0 and higher from inside the web interface?

So in steps:
(1) apply mtd6 mod, (then reboot or not?)
(2) web interface upgrade to EN 5.3.0 (or is it better to do a downgrade to EN 5.2.0 as a first step, and then up again?)

Thank you!
 
Many thanks to alastairstevenson. It was a little tricky for me to understand how to calculate the checksum but he helped me.
Now I'm on 5.4.5 on both cameras.
I put back the original mtdblock 5 and mtdblock 6 with 5.2.5 Chinese firmware. Made the mtdblock 6 hack.
Reboot
Upgrade by web interface with 5.3.0
Upgrade by web interface with 5.4.0
Upgrade by web interface with 5.4.5
 
Just to avoid any misunderstanding, is it "enough" to do your enhanced mtd-hack (as here) on mtd6 (and leave the mtd5 as it is?) and then to apply 5.3.0 and higher from inside the web interface?
Yes, that should work OK, as long as you go through the major versions, i.e. 5.3.0 to 5.4.0 to 5.4.5 without skipping any.
apply mtd6 mod, (then reboot or not?)
Reboot between updates, but that's probably automatic anyway.
(box sticker says 5.2.8)
These have generally been considered non-upgradable, but the 'enhanced mtd hack' has worked OK, but I think there is a little more uncertainty with that starting point than with other versions.
With any Hikvision firmware operation there is always some uncertainty.
 
Wow, many, many thanks, it works like a charm. Just made the change to mtdblock6, applied it back to the hacked Chinese 5.2.5 firmware, rebooted and then did the firmware upgrade cascade from the web GUI as in #8.

All that is left is to hope that maybe montecrypto will release an R0 firmware one day to enable back ssh & standard busybox ;-)
 
Excellent!
Another good result.
R0 firmware one day to enable back ssh & standard busybox ;-)
Been there, done that...
But the main thing is to get psh out of the way, otherwise SSH access is useless.
Despite the lack of an SSH enable tickbox in the web GUI, the API still supports it, and it can be enabled with the Win32 version of ClientDemoEn.exe from the SDK demo here: Hangzhou Hikvision Digital Technology Co. Ltd.

What do you aim to do with full SSH access?
 
I am having an issue with updating my firmware after "applying" the Enhanced MTD hack, which makes me think that I am missing something. Once applied and I attempt to upgrade the firmware from the Hacked CN 5.2.5 to EN 5.3.0, upon reboot the camera ends up in the recovery firmware with the default 192.0.0.64 IP address. I then have to use the downgrader to go back to 5.2.5.

The camera originally came with a hacked 5.2.0 firmware which ended up as 5.2.5 when I had to use the downgrader after unknowingly trying to update to 5.4.5 US. The serial is DS-2CD2032-I20150213CCCH505304395.

I have attached screenshots of the modifications I have made to mtdblock6 with HxD. The devType is: 38917 which translates to 0x9805. I'm a little unsure if the checksum needs to match the un-modified version, which, in my case, it doesn't. Also, if it doesn't need to match, I am assuming you make the modifications to 0x04 and 0x05 with the modified checksum?

Thanks, and any help is greatly appreciated!
 

I'm a little unsure if the checksum needs to match the un-modified version
The checksum must match the modified version.
I am assuming you make the modifications to 0x04 and 0x05 with the modified checksum?
Yes, that's correct.
Your camera might need a small further modification.
To check that - can you post a screenshot of the first section of mtdblock1? Looking for the contents of location 0x0C.
*edit* That's for the app pri partition. Also required for location 0x8000C for the app sec partition.
If it's 0, it needs to be changed to 0x02
 
Looking more closely at your 'after' screenshot than I did earlier (I was in the middle of a last minute eBay bid for a 'spares or repair' bit of Hik kit ...) I see that the checksum that you've applied does not match what is showing in the HxD status bar.
The checksum needs to match the actual data, and also remember to get the byte order correct: the least significant byte is at 0x04.
Hopefully this will be the cause of not being able to update further.
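
The mtdblock6 and mtdblock1 edits described in the posts above (devType at 0x64, Checksum-16 of the 0xF4 bytes from 0x09 stored least significant byte first at 0x04, status bytes at 0x0C and 0x8000C) can be checked offline on a dump before it is written back. This is an added example, not code from any poster in this thread; it assumes Checksum-16 means the byte sum modulo 0x10000, and the function names and the sample block are made up for illustration.

```python
import struct

CSUM_OFF, DATA_OFF, DATA_LEN = 0x04, 0x09, 0xF4   # offsets quoted in the thread
DEVTYPE_OFF = 0x64                                # low byte at 0x64, high byte at 0x65
MTD1_STATUS = (0x0C, 0x8000C)                     # app pri / app sec status bytes

def checksum16(mtd6):
    """Assumed definition: sum of the 0xF4 bytes from 0x09, modulo 0x10000."""
    region = mtd6[DATA_OFF:DATA_OFF + DATA_LEN]
    if len(region) != DATA_LEN:
        raise ValueError("mtdblock6 dump is too short")
    return sum(region) & 0xFFFF

def check_mtd6(mtd6, dev_type):
    """Return a list of problems; an empty list means the dump is consistent."""
    problems = []
    (stored_dev,) = struct.unpack_from("<H", mtd6, DEVTYPE_OFF)
    if stored_dev != dev_type:
        problems.append(f"devType is 0x{stored_dev:04X}, expected 0x{dev_type:04X}")
    (stored,) = struct.unpack_from("<H", mtd6, CSUM_OFF)
    actual = checksum16(mtd6)
    if stored != actual:
        # Detect the byte-order slip: MSB written at 0x04 instead of the LSB.
        swapped = ((stored & 0xFF) << 8) | (stored >> 8)
        hint = " (bytes swapped)" if swapped == actual else ""
        problems.append(f"checksum is 0x{stored:04X}, data sums to 0x{actual:04X}{hint}")
    return problems

def patch_mtd6(mtd6, dev_type):
    """Return a copy with devType set and the checksum recomputed over the result."""
    out = bytearray(mtd6)
    struct.pack_into("<H", out, DEVTYPE_OFF, dev_type)
    struct.pack_into("<H", out, CSUM_OFF, checksum16(out))  # LSB lands at 0x04
    return bytes(out)

def mtd1_status_to_fix(mtd1):
    """Offsets in mtdblock1 whose status byte is 0 (the thread changes these to 0x02)."""
    return [off for off in MTD1_STATUS if mtd1[off] == 0]

def make_sample():
    """Constructed 256-byte stand-in for a 'classic hack' mtdblock6 (not a real dump)."""
    blk = bytearray([0x20] * 0x100)
    blk[DEVTYPE_OFF], blk[DEVTYPE_OFF + 1] = 0xFF, 0x98
    return bytes(blk)

if __name__ == "__main__":
    fixed = patch_mtd6(make_sample(), 0x9812)
    print(check_mtd6(make_sample(), 0x9812), check_mtd6(fixed, 0x9812))
```

For a real dump, read the file with `open(path, "rb").read()` and pass the devType reported by prtHardInfo.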
 
Thanks Alastairstevenson! The additional modification to mtdblock1 was also needed in this case as I am currently sitting on 5.4.5 on that camera. Now I am going to attempt this on my remaining cameras. I am truly impressed with your skill and the service you are providing to users! Your help is greatly appreciated!
 
Excellent! Another good result.

Your camera might need a small further modification.
To check that - can you post a screenshot of the first section of mtdblock1? Looking for the contents of location 0x0C.
If it's 0, it needs to be changed to 0x02
In my haste (yes I did succeed in the bid for yet another NVR) I forgot that there are 2 locations in mtdblock1 that might need to be changed for cameras that originally had 5.2.8 or older firmware - 0x0C and 0x8000C - corresponding to the success status for the app pri and app sec partitions on the previous firmware update.
 
Is this worth a try on my DS-2CD2732F-IS that originally had 5.2.8 and would not take the new mtd6 hack? 0x0c and 0x8000c in mtd1 are 0 at present.
 
I'd say it's worth trying.
Admittedly the sample size of original 5.2.8 firmware is small (3) so far - but the analysis was based on looking in the firmware at why such devices can resist being updated.
would not take the new mtd6 hack?
This was the 'enhanced mtd hack' where the 0xFF98 devType is corrected, and the checksum is updated?