Manual: Create console/serial access to Hikvision DS-2CD2032F-I

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,952
Reaction score
6,786
Location
Scotland
I will try that but it won't be on the same subnet as the camera. Notice the camera is on 192.168.1.64 and I'm unable to change it.
It will be on the same subnet that the camera uses when the bootloader starts, and takes a probe around to see if there is a Hikvision tftp server listening.
When it does this, the camera by default is using IP address 192.0.0.64, set by a bootloader environment variable.
That's fixed within the bootloader, and is not related to the configurable IP address that the Linux kernel uses after it boots.

Your Batch Configuration Utility screenshot shows the firmware version of 4.0.8 which indicates that the camera is running in the 'min-system recovery mode' which is entered for fault conditions such as incorrect firmware loaded or other failures.
In this mode there are no web services, and limited SADP services.
 

Blitz1986

n3wb
Joined
Aug 24, 2018
Messages
5
Reaction score
0
Location
US
After trying with 192.0.0.128, the camera still doesn't respond to the tftp server. I've tried diff servers and switch with only camera and server still nothing. I did however take it apart (deeper this time) and found the mini connector. I will order the connector and attempt the RS232 connection and see what happens. Thanks!
 

alastairstevenson

I've tried diff servers and switch with only camera and server still nothing
This will only work using the Hikvision tftp updater.
The camera probes for it at startup and they do a handshake before proceeding.
What showed on the tftp updater status screen when you powered on the camera?
 

Blitz1986

Thanks, got it to take an update and it's now working. Didn't have to use the serial. I had been trying unsuccessfully using an ESXi VM with the camera on its own VLAN, and tried with a switch. When I used a physical computer as the tftp server I was able to load the brickfix.
 
Joined
Jan 22, 2019
Messages
3
Reaction score
0
Location
Romania
Hi guys, I've tried using the serial console but am having a hard time finding the right commands. This is what I'm doing:
As soon as it boots I press 'ctrl + u'.
It stops the boot but can't go any further.
On screen it has 'HKVS $' written.
Tried a few different commands but it keeps going to the next line with the same 'HKVS $' and that's it.
If someone can help that would be much appreciated.
Have you solved the problem? I am getting the same message... please help.
 

gazzaman2k

n3wb
Joined
Jun 15, 2021
Messages
12
Reaction score
3
Location
leicester
Do you have to plug in PoE power to the camera when doing this, or does the USB power it on its own? Reason being I'm not getting anything from PuTTY when USB only.
 

alastairstevenson

The camera needs to be powered.
The USB convertor VCC (5v) power should be left unconnected.

All the serial TTL connection is doing is listening and talking to a serial command stream.
The camera needs to be powered normally.
 

wifi75

Young grasshopper
Joined
Oct 30, 2015
Messages
56
Reaction score
1
I have lost the password of 6 cameras and a recorder. With the serial converter by TTL via telnet, is the password reset by updating the firmware with tftp?
 

alastairstevenson

I have lost the password of 6 cameras and a recorder
What's the model and the firmware versions of these?
And how are the cameras connected?
There may be simple ways to reset or extract the passwords, depending on the firmware version.
 

wifi75

Maybe you could help me... IP camera DS-2CD2322WD with firmware 5.5.0 build 170725.
 

wifi75

Are the cameras connected to NVR PoE ports?
What's the model of NVR?
At the moment I don't have the DVR here with me, but I don't know the DVR password either. The cameras are networked, not behind the recorder.
 

alastairstevenson

IP camera DS-2CD2322WD with firmware 5.5.0 build 170725
OK, that's too new to have the 'Hikvision backdoor' which allows a password extract.

Easy enough to try initially would be the tftp updater, applying the same version of firmware.
This normally resets the device to factory defaults.
The original updater with instructions is here :

However - it has a 32MB filesize limit, and that firmware is just on the edge for that, in which case Scott Lamb's clone would work instead :

There is reducing support in the bootloaders for tftp updating, so it may not work.
Also - some bootloaders are set to use 192.168.1.64 and probe for the updater on 192.168.1.128 instead of the original values.

If that doesn't work - a connection to the serial console connector will be required.

Good luck!
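
A pre-flight check for the tftp recovery attempt discussed in this thread, as an added example that is not part of the original posts or of either updater tool: it compares the firmware file with the 32MB limit and confirms the PC holds the address the bootloader probes rather than the camera's own. The function names, the reading of 32MB as 32 MiB and the 1 MiB "on the edge" margin are assumptions.

```python
import os
import socket

# (camera bootloader IP, IP it probes for the updater); both pairs come from the thread.
PROBE_PAIRS = [("192.0.0.64", "192.0.0.128"), ("192.168.1.64", "192.168.1.128")]
SIZE_LIMIT = 32 * 1024 * 1024  # original updater's 32MB limit, assumed to mean 32 MiB
EDGE_MARGIN = 1024 * 1024      # assumption: within 1 MiB of the limit counts as "on the edge"


def host_owns_address(ip):
    """True if a local interface holds ip: a UDP bind only succeeds for local addresses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, 0))  # ephemeral port: no privileges, no clash with a running tftp server
            return True
        except OSError:
            return False


def size_verdict(path):
    """Classify the firmware file against the original updater's size limit."""
    size = os.path.getsize(path)
    if size > SIZE_LIMIT:
        return "too-large"
    return "near-limit" if size > SIZE_LIMIT - EDGE_MARGIN else "ok"


def preflight(firmware_path, owns=host_owns_address):
    """Return (updater IP held by this host or None, list of problems found)."""
    problems = []
    if not os.path.isfile(firmware_path):
        problems.append("firmware file not found: " + firmware_path)
    else:
        if os.path.basename(firmware_path) != "digicap.dav":
            problems.append("file is not named digicap.dav")
        verdict = size_verdict(firmware_path)
        if verdict != "ok":
            problems.append("size is " + verdict + " for the original updater (32MB limit)")
    held = [srv for _cam, srv in PROBE_PAIRS if owns(srv)]
    if not held:
        problems.append("no local interface holds " + " or ".join(s for _c, s in PROBE_PAIRS))
    for cam, _srv in PROBE_PAIRS:
        if owns(cam):  # the PC must not take the address the bootloader itself uses
            problems.append("host holds " + cam + ", which the camera bootloader uses")
    return (held[0] if held else None), problems


if __name__ == "__main__":
    print(preflight("digicap.dav"))
```

An empty problem list only means the PC side is set up as the thread describes; the camera's bootloader may still not support tftp updating.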
 

wifi75

In practice I have to connect a PC directly to the camera, and set the IP of the PC to 192.168.1.64 or 192.168.1.128, download the digicap.dav and copy it to the TFTP server folder?
 

wifi75

So I tried with 192.0.0.128, the device finds it at 192.0.0.64, after a few seconds I read
connect client 192.0.0.64 success
then:
Receive data ack error ..

why?
 

wifi75

That's promising.
Maybe the error is the 32MB file size limit kicking in.
Thank you very much I was able to upload the same firmware now I have full access to the cameras!
You really were amazing!
Thank you so much!!!
A question, I saw that Hikvision has released other firmware updates than my version, should I upgrade to the latest version available?
 

alastairstevenson

Thank you very much I was able to upload the same firmware now I have full access to the cameras!
Excellent!
You did really well there, a good result.

A question, I saw that Hikvision has released other firmware updates than my version, should I upgrade to the latest version available?
Well - I'm not sure if that version of firmware is vulnerable to the RCE that @watchful_ip discovered.
I don't see any new firmware on the Hikvision EU portal that would be a fixed version for that vulnerability.
Do you expose the cameras and NVR to the internet? Hopefully not.
 