[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Discussion in 'Hikvision' started by montecrypto, Dec 23, 2016.

Share This Page

  1. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    It's a standard feature in any HEX editor.
    With respect, you would find major difficulties in unpacking, decrypting, modifying, encrypting and repacking firmware if you are unfamiliar with a basic tool such as a HEX editor.

    What are you trying to achieve?
     
  2. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    I want to change the Picture which is shown if no camera is connected.

    It is true that i have used a HEX editor just a couple of times. But i want to learn that. And i think with a little help I could do it
     
    Last edited: Jul 25, 2018
  3. fcmcommw

    fcmcommw n3wb

    Joined:
    Aug 24, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Illinois

    Thanks for the info. I'm having a little trouble decrypting a configuration file I downloaded. Here is the commands that I have tried to decrypt the file.

    ./hikpack -t r1 -g configurationFile -o configuraton_decrypted


    I also tried r6, G0, etc but nothing seems to work. Here is a copy of the device info if that helps.

    <DeviceInfo xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
    <deviceName>TEST1</deviceName>
    <deviceID>88</deviceID>
    <deviceDescription>IPCamera</deviceDescription>
    <deviceLocation>hangzhou</deviceLocation>
    <systemContact>Hikvision.China</systemContact>
    <model>DS-2CD4125FWD-IZ</model>
    <serialNumber>DS-2CD4125FWD-IZ20160426CCWR596304447</serialNumber>
    <macAddress>bc:ad:28:35:5f:6b</macAddress>
    <firmwareVersion>V5.3.5</firmwareVersion>
    <firmwareReleasedDate>build 151218</firmwareReleasedDate>
    <bootVersion>V1.3.4</bootVersion>
    <bootReleasedDate>100316</bootReleasedDate>
    <hardwareVersion>0x0</hardwareVersion>
    </DeviceInfo>
     
  4. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    Attach a zipped copy of the file here and I'll have a look at it when I'm back later.
     
  5. fcmcommw

    fcmcommw n3wb

    Joined:
    Aug 24, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Illinois

    can I send the file to you separate offline. Just didn't want the creds getting out
     
  6. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    Of course, use the 'conversations' facility.
     
  7. androjine

    androjine n3wb

    Joined:
    Sep 10, 2018
    Messages:
    1
    Likes Received:
    0
    Location:
    France
    Hello,

    I am very interested by Hikpack, unfortunately, the version of the camera I would like to modify is a G1 (5FWD). I read that the latest version is 2.8. Is there any chance G1 is supported by this one and is there an approximative date of release ?
    Thank you
     
  8. davehope

    davehope n3wb

    Joined:
    Aug 8, 2015
    Messages:
    12
    Likes Received:
    2
    I've been poking around one of my cameras, a DS-2CD2135F-IS, and have come across something that seems unusual.

    When using hiktools v2.5 against IPC_G0_CN_STD_5.3.3_150624, I get the following error:

    Code:
    $ ./hikpack -t g0 -i 533_g0_digicap.dav
    Magic   : 484b3230
    hdr_crc : 00002414 (OK)
    frm_flg : 1220060021111110021
    *** ERROR *** parse -5
    The other G0 firmwares I've tried extract fine. My camera will take this 5.3.3. firmware just fine, but no others. This has me wondering if there's something different in the 5.3.3 I have, can anyone shed light on the "parse -5" error?

    Edit:
    Looks like this earlier image is using the packing method r6.

    Code:
    $ ./hikpack -t r6 -i 533_g0_digicap.dav
    Magic   : 484b3230
    hdr_crc : 00002414 (OK)
    frm_flg : 1220060021111110021
    Magic   : 484b3330
    hdr_crc : 1a843bba (OK)
    version : 05030003
    lang_id : 00000002
    date    : 150624
    frm_flg : 1220060021111110021
    File: _cfgUpgClass, CRC OK
    File: uImage, CRC OK
    File: initrun.sh, CRC OK
    File: r7_app.tar.gz, CRC OK
    Just moved my reply to this thread, I had erroneously replied to the hiktools thread.
     
  9. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    The firmware i want to modify consists of 3 parts. 3 times Header + cramfs.img + new_20.bin. Just the last one worked on the DVR. So i will continue with the last one
    Decrypting and encrypting is working because md5 values of the files are the same.

    Following steps done:

    Extracting cramfs.img and its contents, decrypting, modifying, encrypting, decrypting new_10.bin, modifying MD5 values stored in new_10.bin, encrypting new_10.bin, using mkcramfs to create new cramfs.img, decrypting new_20.bin, save new MD5 value of cramfs.img new_20.bin, encrypting new_20.bin, creating dav file with hex editor.

    But the update fails. i get "Upgrading failed, execute program error"

    So i just tried to make a new firmware with unmodified files. But the new cramfs.img with the unmodified files is different to the one stored in the original dav file.
    Even when i modifiy the md5 in the new_20.bin the update with the unmodified files fails. the DVR reads the dav file till the end and then i get the error "Upgrading failed, execute program error"

    So i think the problem is generating the cramfs.img. Am i right?
     
  10. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    Maybe not.
    If you are modifying new_10.bin and new_20.bin manually as you say you have - you need to pay attention to the byte alignment for the decrypt/encrypt to work correctly.
    But why are you modifying manually when @montecrypto hikpack 2.5 handles this automatically for you?
     
  11. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Because the dav file hikpack creates doesn't work. The DVR shows the error Firmware mismatch at the beginning. it doesn't fully read the file till the end. I think Hikpack can't handle the header. I tested this with unmodified files. Hikpack can't even extract the dav file correctly. because it just creates dav_header and cramfs.img. I extract the new_20.bin manually
     
  12. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    Ok, you can do this manually, but there may be a 4-byte re-alignment needed for the manual placement of new_20.bin
     
  13. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    I tried it with hikpack. Put every unmodified file in a folder (just used 7zip to extract the files from the original dav file)
    - dav_header
    - gui_res.tar.lzma
    - payler.zip
    - start.sh
    - sys_app.tar.lzma
    - uImage
    - WebComponents.exe
    - webs.tar.lzma
    - new_20.bin

    User the command ./hikpack -t k41 -p 1.dav -o 1

    The dav file hikpack creates can not be opened with 7zip anymore and the hex editor shows a totally different file

    To be clear: i did not decrypt and encrypt the files. The files are unmodified files from the original cramfs
     
  14. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Can you explain this a little bit more, please?
     
  15. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    I'll try.
    This from my notes a couple of years ago on some NVR firmware where the @montecrypto hikpack tool had not yet been published :
    'ded' is the built in 3DES decrypt/encrypt program in the NVR.
     
  16. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    I will tell you exactly what i did (maybe you can figure out my mistake):

    1. decrypt whole untouched digicap.dav
    2. open decrypted digicap.dav (from point 1) with hex editor and just changed the md5 value with the one from the cramfs.img and saved
    3. encrypted the dav file again
    5. opened untouched dav file with hex editor and deleted everything except the header
    6. opened new cramfs.img with hex editor and copied everything and pasted behind the header from the untouched dav file
    7. opened encrypted dav file (from point 3) with hex editor and copied new_20.bin tail and pasted after the new cramfs.img and saved everything to one new dav file.

    For testing i just decrypted and encrypted tne untouched dav file and checked the new_20.bin tail and it was the same.
     
  17. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    I'm sorry but I just don't understand your steps as described.
    It's not encrypted - it needs to be unpacked with hiktools05R1 or @montecrypto hikpack
    new_20.bin is encrypted - so you can't just modify the contents and expect it to be accepted. It needs to be decrypted, the md5 for cramfs.img updated, and encrypted again.
    With what? It needs to be packed, not encrypted. And the updated new_20.bin needs to be appended.
    new_20.bin needs to be encrypted, and correctly byte-alligned to be accepted.
    Using the @montecrypto packer that handles new_20.bin automatically?
     
  18. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -x digicap.dav -o 1
    Magic : 484b5753
    hdr_crc : 00001de9 (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000044
    File: cramfs.img, CRC OK
    Can't read new_20.bin tail
     
  19. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,870
    Likes Received:
    3,402
    Location:
    Scotland
    This means there is not a new_20.bin and the firmware is not supported by hikpack - presumably not a k41 firmware.
     
  20. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
     

    Attached Files: