Mazi firmware upgrade issues (Hikvision R0? based)

[proton]

I have inherited a couple of Mazi Security IDH-32XR cameras which I suspect are based on Hikvision DS-2CD2332-I model. All cameras are running a modified 5.1.0 build 140218 firmware by Mazi. As you probably know that firmware version has a backdoor (even if it is a modified one). I'm trying to upgrade my cameras to the newest possible version however I'm a little bit stuck. My main issue is that Mazi Security website has only 5.4.5 build 170123 listed and the upgrade straight to this version fails immediately. I have tried to contact Mazi support however they completely ignore my requests. Using web.archive.org I've managed to find 5.3.0 build 171012 on their historical website however upgrade straight to that version fails too. I suspect that I need to get 5.2.0 version first and do the upgrade in the following order 5.1.0 -> 5.2.0 -> 5.3.0 -> 5.4.5.

From your experience with Hikvision firmware does anyone know if it is possible to force the upgrade from 5.1.0 to 5.3.0? If not, what are my options? Do you think upgrade from Mazi's 5.1.0 to Hikvision's 5.2.0 and then to Mazi's 5.3.0 firmware will work?

Any advice is appreciated.

 

[alastairstevenson]

From your experience with Hikvision firmware does anyone know if it is possible to force the upgrade from 5.1.0 to 5.3.0?

If those are truly R0 Hikvision cameras, maybe the 5.2.3 attached might work.

 

[proton]

Thanks. Do you know if it is safe to apply original Hikvision firmware to OEM devices? As far as I can tell most of the web interface is completely changed on Mazi devices with most advanced options hidden.

 

[alastairstevenson]

Thanks. Do you know if it is safe to apply original Hikvision firmware to OEM devices?

That's a bit of an open-ended question without a single answer.
Ideally, the firmware would fail validation and be rejected if not compatible.
But people have tried and suceeded.

 

[proton]

I've finally have time to try to install Hikvision firmware instead of Mazi one, however one last question before I begin. Is there an easy way to download and save current firmware from the device?

 

[alastairstevenson]

Is there an easy way to download and save current firmware from the device?

Does the camera have telnet or SSH access?
Scan the IP address for open ports with nmap or Fing or similar scanner.

 

[proton]

I don't have access to it at the moment, but I think it does. I think Mazi changed only GUI and didn't touch any other Hikvision functionality.

 

[proton]

Sorry for bothering you again. So if I have a telnet access to camera, how would a firmware backup procedure will look like?

 

[alastairstevenson]

if I have a telnet access to camera, how would a firmware backup procedure will look like?

You would need access to a full root shell where you can enter system commands, not one of the restricted shells which lack suitable commands.
And you'd need something like a network share where the files can be sent, such as an NFS share on a NAS, or an SMB/CIFS share on a Windows PC.

Here is an example of a full flash extract where an NFS share was available :

# ls -al /mnt
drwxr-xr-x   13 admin    root             0 Jan 23  2017 .
drwxr-xr-x   20 admin    root             0 Jan  1 01:41 ..
drwxr-xr-x    2 admin    root             0 Jan 23  2017 mmc01
drwxr-xr-x    2 admin    root             0 Jan 23  2017 mmc02
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs0
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs00
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs01
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs02
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs03
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs04
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs05
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs06
drwxr-xr-x    2 admin    root             0 Jan 23  2017 nfs07
# mount -t nfs -o nolock 192.168.1.201:/cctv1 /mnt/nfs00
# cd /mnt/nfs00
# mkdir DS-2CD2142FWD-I
#
# cd DS-2CD2142FWD-I
# ls -al
drwxr-xr-x    2 admin    root          4096 Oct 19  2019 .
drwxrwxrwx   12 admin    root          4096 Oct 19  2019 ..
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00020000 "bst"
mtd1: 00100000 00020000 "bld"
mtd2: 000e0000 00020000 "ptb"
mtd3: 00080000 00020000 "env"
mtd4: 00100000 00020000 "sysflg"
mtd5: 00080000 00020000 "param"
mtd6: 00100000 00020000 "dpt"
mtd7: 00a00000 00020000 "rcvy"
mtd8: 00800000 00020000 "krn_pri"
mtd9: 00800000 00020000 "krn_sec"
mtd10: 02200000 00020000 "app_pri"
mtd11: 02200000 00020000 "app_sec"
mtd12: 00600000 00020000 "cfg_pri"
mtd13: 00600000 00020000 "cfg_sec"
mtd14: 00800000 00020000 "dbg"
mtd15: 00800000 00020000 "syslog"
#
# cat /dev/mtd0ro > mtd0ro
# cat /dev/mtd1ro > mtd1ro
# cat /dev/mtd2ro > mtd2ro
# cat /dev/mtd3ro > mtd3ro
# cat /dev/mtd4ro > mtd4ro
# cat /dev/mtd5ro > mtd5ro
# cat /dev/mtd6ro > mtd6ro
# cat /dev/mtd7ro > mtd7ro
# cat /dev/mtd8ro > mtd8ro
# cat /dev/mtd9ro > mtd9ro
# cat /dev/mtd10ro > mtd10ro
# cat /dev/mtd11ro > mtd11ro
# cat /dev/mtd12ro > mtd12ro
# cat /dev/mtd13ro > mtd13ro
# cat /dev/mtd14ro > mtd14ro
# cat /dev/mtd15ro > mtd15ro
#
#