Hi everyone.
I'm really scratching my head with a Hikvision DS-7716NI-I4/16P(B) NVR that's currently bricked, and I'm hoping to tap into some collective wisdom.
Here's the rundown of symptoms:
While I'm not a firmware reverse engineering guru myself (my binary code skills are pretty much non-existent beyond raw dumps), I'm more than willing to share the dump I pulled from the 25Q16DVSIG. If there's anyone out there who's a binary wizard and has the tools/expertise or knowledge to disassemble and sanity-check it for obvious corruption or even attempt to patch/rebuild it for D-series compatibility, I'd be incredibly grateful for the help.
Any verified or unverified dump or expert advice would be immensely appreciated!
Thanks in advance for your time and insights!
I'm really scratching my head with a Hikvision DS-7716NI-I4/16P(B) NVR that's currently bricked, and I'm hoping to tap into some collective wisdom.
Here's the rundown of symptoms:
- The unit powers on, the front panel LEDs light up, and the capacitive buttons respond with audible beeps.
- However, there's zero video output on any port (VGA, HDMI, Video Out).
- The NVR is not detected by SADP, and consequently so TFTP flashing is a no-go.
- I've tried connecting via the RS-232 serial port (using an FTDI adapter). The console output stops dead after the U-Boot banner: U-Boot 2010.06-svn74534 (Mar 25 2022 - 20:48:26). There's no further log output, and the device is completely unresponsive to any serial input – U-Boot just hangs there.
- The mainboard is fitted with a Winbond 25Q16DVSIG SPI NOR Flash chip.
- As an experiment, I attempted to flash a dump intended for a 25Q16JVSIQ chip onto this installed 25Q16DVSIG. This resulted in the unit being completely dead (no signs of life whatsoever).
- This is where it gets weird: I've done a partial analysis of the dump I pulled from the current 25Q16DVSIG. The U-Boot strings within this dump explicitly mention support for W25Q16(B/C)V series chips, but there is no mention of the D series at all. This strikes me as highly suspicious, especially since public info doesn't indicate 25Q16DVSIG chips were factory-installed on this DS-7716NI-I4/16P(B) (B revision).
- Adding to this, the U-Boot's compilation date (March 2022) is significantly newer than this NVR revision's documented End-of-Life (2017-2018). My strong suspicion is that a previous repair attempt involved swapping in a 25Q16DVSIG chip and then flashing it with an incompatible (or corrupted) dump.
- I've confirmed all critical power rails to the SPI Flash, NAND Flash, and DRAM are stable.
- I also analysed a dump from a working DS-7608NI-I2/8P (which came with a 25Q16JVSIQ chip). Its U-Boot (compiled Dec 2015) also explicitly supported W25Q16(B/C)V (meaning it supports JVSIQ). This 'working' U-Boot proceeds through a full boot sequence (initializing DRAM, NAND, network, etc., as evidenced by its extensive serial log) and even offers a command prompt, which is a stark contrast to my bricked DS-7716NI.
- This comparison strongly solidifies my theory: the U-Boot firmware (both my current one and the known good examples) is designed for B/C/J series chips, and the installed D-series chip is the root cause of the incompatibility, leading to the boot hang.
While I'm not a firmware reverse engineering guru myself (my binary code skills are pretty much non-existent beyond raw dumps), I'm more than willing to share the dump I pulled from the 25Q16DVSIG. If there's anyone out there who's a binary wizard and has the tools/expertise or knowledge to disassemble and sanity-check it for obvious corruption or even attempt to patch/rebuild it for D-series compatibility, I'd be incredibly grateful for the help.
Any verified or unverified dump or expert advice would be immensely appreciated!
Thanks in advance for your time and insights!