[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
Hi,
I tried to extract two firmware images:
CN version firmware for G0:
IPC_G0_CN_STD_5.5.53_180716(digicap_cn.dav)

and also the EN version:
IPC_G0_EN_STD_V5.5.2_Build170920(digicap_en.dav)

and I get an error and cannot... (look at the screenshot)
But some user sent me a modded FW 5.4.41, also for G0, by private message, and this one can be extracted (digicap.dav).
Look at my attachment.
Code:
$ ../hik_repack -u digicap_en.dav en
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 007A0000 device
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* _cfgUpgClass
* uImage
* initrun.sh
* r7_app.tar.gz
* g0_app.tar.gz
* IEfile.tar.gz
* help.tar.gz
* SoftwareLicense.txt
* cap.json
* g0_modules.tgz
* mpp_modules.tgz
* libr7_isp_ipc.so.tar.gz
* libcrypto.so.tar.gz
* libzoomcam_ipc.so.tar.gz
$ ../hik_repack -u digicap_cn.dav cn
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 007A0100 device
HK30 subcrc check error! -1
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* _cfgUpgClass
* uImage
* initrun.sh
* r7_app.tar.gz
* g0_app.tar.gz
* IEfile.tar.gz
* help.tar.gz
* SoftwareLicense.txt
* cap.json
* g0_modules.tgz
* mpp_modules.tgz
* libr7_isp_ipc.so.tar.gz
* libcrypto.so.tar.gz
* libzoomcam_ipc.so.tar.gz
$ cd en
$ tar -xzvf g0_app.tar.gz
libdadsp.so
hikdsp.lzma
sound.tar.gz
libsmart264.so
r7_isp_config.tar.gz
pppd
pppoe
pppoed
da_info
t1
execSystemCmd
ss
GBK
ASC16
HZK32
ASC32.bin
ptzCfg.bin
process/
process/davinci_bak
process/net_process.lzma
process/daemon_fsp_app
process/database_process.lzma
process/hostapd.lzma
applib/
applib/libsqlite3.so.lzma
applib/libiconv_utf8Gbk.so.lzma
applib/libipc_unix.so
applib/libfsp_base.so.lzma
applib/libosip2.so.lzma
applib/libosipparser2.so.lzma
applib/libhikosip.so.lzma
applib/libispfrontc.so
applib/libremote_dbg.so
applib/libsave_alarminfo.so
applib/libpassenger_info.so
$ ../../hik_repack -u process/davinci_bak dav
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 00650100 device
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* davinci.lzma
$ lzma -df dav/davinci.lzma
I don't see much sense in repacking though, as Uboot bootloader does RSA verification of firmware and we don't have hik private key to sign the firmware.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Code:
$ ../hik_repack -u digicap_en.dav en
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 007A0000 device
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* _cfgUpgClass
* uImage
* initrun.sh
* r7_app.tar.gz
* g0_app.tar.gz
* IEfile.tar.gz
* help.tar.gz
* SoftwareLicense.txt
* cap.json
* g0_modules.tgz
* mpp_modules.tgz
* libr7_isp_ipc.so.tar.gz
* libcrypto.so.tar.gz
* libzoomcam_ipc.so.tar.gz
$ ../hik_repack -u digicap_cn.dav cn
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 007A0100 device
HK30 subcrc check error! -1
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* _cfgUpgClass
* uImage
* initrun.sh
* r7_app.tar.gz
* g0_app.tar.gz
* IEfile.tar.gz
* help.tar.gz
* SoftwareLicense.txt
* cap.json
* g0_modules.tgz
* mpp_modules.tgz
* libr7_isp_ipc.so.tar.gz
* libcrypto.so.tar.gz
* libzoomcam_ipc.so.tar.gz
$ cd en
$ tar -xzvf g0_app.tar.gz
libdadsp.so
hikdsp.lzma
sound.tar.gz
libsmart264.so
r7_isp_config.tar.gz
pppd
pppoe
pppoed
da_info
t1
execSystemCmd
ss
GBK
ASC16
HZK32
ASC32.bin
ptzCfg.bin
process/
process/davinci_bak
process/net_process.lzma
process/daemon_fsp_app
process/database_process.lzma
process/hostapd.lzma
applib/
applib/libsqlite3.so.lzma
applib/libiconv_utf8Gbk.so.lzma
applib/libipc_unix.so
applib/libfsp_base.so.lzma
applib/libosip2.so.lzma
applib/libosipparser2.so.lzma
applib/libhikosip.so.lzma
applib/libispfrontc.so
applib/libremote_dbg.so
applib/libsave_alarminfo.so
applib/libpassenger_info.so
$ ../../hik_repack -u process/davinci_bak dav
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 00650100 device
+ This is HK30 format version 2, no repacking possible (RSA-key protected).
* davinci.lzma
$ lzma -df dav/davinci.lzma
I don't see much sense in repacking though, as Uboot bootloader does RSA verification of firmware and we don't have hik private key to sign the firmware.
Unpack then repack the old way, pre-5.5? Or manually dump the davinci_bak onto the cam.
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
Unpack then repack the old way, pre-5.5?
But then the RSA signature in the HK30 V2 header is invalid and the firmware file will get rejected. As far as I remember, an older firmware file without RSA signature doesn't get accepted. So there is no way without patching and flashing the uboot loader, which is quite risky, as upon failure the camera is bricked without a working bootloader if you don't have an EEPROM flasher available.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
But then the RSA signature in the HK30 V2 header is invalid and the firmware file will get rejected. As far as I remember, an older firmware file without RSA signature doesn't get accepted. So there is no way without patching and flashing the uboot loader, which is quite risky, as upon failure the camera is bricked without a working bootloader if you don't have an EEPROM flasher available.
I can go up and down from 5.3 all the way to 5.5 manually (and back) by dumping uImage/dav onto the mtdparts. (I have trashed the cam a few times lol)

Are you saying that at a certain point of a normal update to 5.5 it would have updated the signature in uboot?

And if so I have a 5.3 G0 cam here I could dump the uboot nand partition for ?
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
I can go up and down from 5.3 all the way to 5.5 manually (and back) by dumping uImage/dav onto the mtdparts. (I have trashed the cam a few times lol)

Are you saying that at a certain point of a normal update to 5.5 it would have updated the signature in uboot?
Hm, directly dumping the files onto the MTD might work fine. But if you do that, there is no sense in creating a digicap.dav file, as you won't need it with your method anyway, if I understand correctly? So repacking digicap.dav itself would still be useless?
I just once had a cam where the firmware flashing mechanism refused to take the file, as it wasn't properly signed.
I must admit that I don't have any G0 camera available.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Hm, directly dumping the files onto the MTD might work fine. But if you do that, there is no sense in creating a digicap.dav file, as you won't need it with your method anyway, if I understand correctly? So repacking digicap.dav itself would still be useless?
I just once had a cam where the firmware flashing mechanism refused to take the file, as it wasn't properly signed.
I must admit that I don't have any G0 camera available.
My current issue at this time is that I cannot repack davinci_bak. If I can do that, I can get a method to cleanly make the cam ML. The current modification is messy (but does work).

From what you have said, that issue is solved using your new re-pack? (e.g. davinci_bak can be unpacked and repacked correctly for the cam's daemon_fsp_app)


Moving on a step: it would be nice to do a full update, either with a full re-pack or by disabling protection, either via the web interface or via uboot (the web interface does not currently let you downgrade).
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
My current issue at this time is that I cannot repack davinci_bak. If I can do that, I can get a method to cleanly make the cam ML. The current modification is messy.

From what you have said, that issue is solved using your new re-pack? (e.g. davinci_bak can be unpacked and repacked correctly for the cam's daemon_fsp_app)
Well, davinci_bak also uses the firmware pack format which contains an RSA signature, and daemon_fsp_app verifies it against this signature. So you need to patch daemon_fsp_app to let firm_data_verify return 0 and then repack daemon_fsp_app.
That should work, but it still involves patching of course.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Well, davinci_bak also uses firmware pack format which contains RSA signature and daemon_fsp_app verifies it against this signature. Maybe it is possible to repack it in HK20 format, which may not get checked for RSA signature by daemon_fsp_app. Are you interested in trying to repack it as HK20? I'd need to write a conversion function for that. Alternative would be to patch daemon_fsp_app to just skip RSA verification.
I don't know at this time lol ... the current situation is that I have a davinci that is modified for ML on 5.5+ firmware. It works but is injected in a bad way. I do not know what daemon_fsp_app actually does other than unpack. Every firmware version would need that davinci and of course the daemon_fsp_app modified to make a Chinese cam ML.

If daemon_fsp_app is only an unpacker, then turning off RSA would do no harm, possibly an easier option. This would make manipulating davinci easier.

Currently many of these grey market G0's are sitting with the original ML firmware that was supplied, so any progress is something lol


BTW G1 has been modded for unsigned firmwares: Unrestricted root shell on G1 cameras

I have some of the hisilicon SDK's for the cams but not looked at u-boot's yet.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,777
Location
Scotland
Well, davinci_bak also uses the firmware pack format which contains an RSA signature, and daemon_fsp_app verifies it against this signature. So you need to patch daemon_fsp_app to let firm_data_verify return 0 and then repack daemon_fsp_app.
That should work, but it still involves patching of course.
I have a recollection that when daemon_fsp_app issues the ioctl to request the decryption key, the kernel does an integrity check on daemon_fsp_app such that patching it causes an abort. I didn't spend much time exploring that, on older firmware, need to check what version.
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
I have a recollection that when daemon_fsp_app issues the ioctl to request the decryption key, the kernel does an integrity check on daemon_fsp_app such that patching it causes an abort. I didn't spend much time exploring that, on older firmware, need to check what version.
Correct, daemon_fsp_app gets verified via the RSA key in the kernel (by matching on the name /home/process/daemon_fsp_app), so modification of it will get detected if the kernel isn't patched. Grep for the string /(/-e/0r/#%s3/$!em/ etc. in the kernel to find the routine. This routine also does the decryption of it.
That's why I think that repacking doesn't make any sense on RSA crypted firmware versions, you'd have to patch everything anyway and cannot produce a valid firmware image file that would be accepted by unpatched firmware.
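The thread's point, made first about the U-Boot check on digicap.dav and again here about the kernel's check on daemon_fsp_app, is that a signed image can be verified by anyone holding the vendor's public key but can only be produced by the holder of the private key, so unpacking and repacking yields a file the loader rejects. The following Go program is an added example, not code from hik_repack or from anyone in the thread, that models this loader-side check. The image layout it uses (payload followed by a 256-byte PKCS#1 v1.5 signature over SHA-256 of the payload) and the sample payload are constructed for illustration; it is not the HK30 header format, and the keys are generated fresh on each run.

```go
// Added example: a minimal model of a "signed firmware image" check of the
// kind the thread attributes to the Hikvision bootloader and kernel.
// Layout (an assumption for this example, NOT the HK30 format):
//   image = payload || sig, where sig is a 256-byte PKCS#1 v1.5 RSA signature
//   over SHA-256(payload), made with a 2048-bit key.
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const sigLen = 256 // signature length for a 2048-bit RSA modulus

// SignImage appends a signature over the payload. Only the holder of the
// private key can produce an image that VerifyImage accepts.
func SignImage(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	image := append([]byte{}, payload...)
	return append(image, sig...), nil
}

// VerifyImage mirrors what a loader does before trusting an image: split off
// the trailing signature, hash the payload, check the signature against the
// vendor's public key, and hand back the payload only when the check passes.
func VerifyImage(pub *rsa.PublicKey, image []byte) ([]byte, error) {
	if len(image) < sigLen {
		return nil, errors.New("image too short to carry a signature")
	}
	payload := image[:len(image)-sigLen]
	sig := image[len(image)-sigLen:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return payload, nil
}

// Outcome records the loader's verdict for three images.
type Outcome struct {
	OriginalAccepted bool // untouched vendor-signed image
	PatchedRejected  bool // one payload byte changed, signature left as-is
	ResignedRejected bool // patched payload re-signed with a non-vendor key
}

// RunScenario builds the three images and returns the loader's verdicts.
func RunScenario() (Outcome, error) {
	var out Outcome
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vendor's key
	if err != nil {
		return out, err
	}
	// Constructed sample payload standing in for a firmware component.
	payload := []byte("constructed sample firmware payload (stand-in for davinci.lzma)")
	image, err := SignImage(vendorKey, payload)
	if err != nil {
		return out, err
	}
	got, err := VerifyImage(&vendorKey.PublicKey, image)
	out.OriginalAccepted = err == nil && bytes.Equal(got, payload)

	// "Unpack, edit, repack" without the private key: the old signature no
	// longer matches the edited payload.
	patched := append([]byte{}, image...)
	patched[0] ^= 0x01
	_, err = VerifyImage(&vendorKey.PublicKey, patched)
	out.PatchedRejected = err != nil

	// Re-signing with a key that is not the vendor's does not help either,
	// because the loader only trusts the vendor's public key.
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	resigned, err := SignImage(otherKey, patched[:len(patched)-sigLen])
	if err != nil {
		return out, err
	}
	_, err = VerifyImage(&vendorKey.PublicKey, resigned)
	out.ResignedRejected = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original accepted: %v\npatched rejected: %v\nre-signed rejected: %v\n",
		out.OriginalAccepted, out.PatchedRejected, out.ResignedRejected)
}
```

The three verdicts are the whole argument in miniature: the untouched image passes, the edited one fails because the signature no longer covers the bytes that were changed, and the re-signed one fails because the loader pins the vendor's public key. A real loader would additionally pin the key material in a location the image itself cannot overwrite, which is why the thread keeps coming back to the bootloader and kernel rather than to the packer.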
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
What do you mean by: "injected in a bad way"?
The original davinci is killed in initrun.sh after decryption/execution by daemon_fsp_app. Then the modified davinci is started up.

See below (I did think about patching it while it was an active process in memory, but thought it would be difficult):
/bin/execSystemCmd &
sleep 2
mv /home/process/davinci /home/process/davinci2
mv /home/process/davinci_1bak /home/process/davinci_bak
/home/process/daemon_fsp_app &
sleep 1
ps
sleep 1
kill 1154
rm /home/process/davinci
mv /home/process/davinci2 /home/process/davinci
/home/process/davinci &
mv /home/process/net_process1 /home/process/net_process
sleep 2
 

mrpeenut24

n3wb
Joined
Jun 7, 2019
Messages
10
Reaction score
11
Location
Everywhere
Hm, works fine with my own repacker, the created file is identical after just unpacking and repacking:
Awesome! Thanks very much leecher! Found your tool, got a 32bit libssl/libcrypto build env, and modified initrun.sh to replace psh with sh. I have a working busybox /bin/sh shell. :)

Code:
# help
Built-in commands:
------------------
    . : [ [[ alias bg break cd chdir command continue echo eval exec
    exit export false fg getopts hash help jobs kill let local printf
    pwd read readonly return set shift source test times trap true
    type ulimit umask unalias unset wait

# ls /bin
CloseLaser                getMenuBufErrInfo         setAgingMode
EnlargeCur                getMenuInfo               setAgingTime
InitAutoLens              getModuleVer              setAlarm
InqCurMotDirect           getMotion                 setAppwebDebug
InqCurrent                getMtu                    setBrightnessInhibition
InqSwitch                 getNetConnInfo            setCamlowtempthrethold
InqWaveLen                getOperationLog           setCurAngleV
InquireFanSwitch          getPacketType             setDebug
LaserMotDirect            getPort                   setDevOldTest
LaserMotReset             getPreviewStatus          setDevcmd
LaserTeleOffset           getPreviewStatus_inner    setFanMode
LaserWideOffset           getPsLen                  setFanPwm
ReduceCur                 getQP                     setFanTemp
SetCur                    getRevertTime             setFtpService
SetMotorKeySpeed          getRtcpStatus             setGateway
StartLaser                getRtpLen                 setHeatTemp
TestCurve                 getSelfCheck              setHighTempProtect
TestOver                  getSelfcheckResult        setIp
[                         getSerUsingWays           setIrMode
[[                        getShutterLevel           setIrcmd
aflibDebug                getSlaveInfo              setIvsKeyParam
ash                       getSpecialIris            setLBS
awk                       getSubRtpLen              setLaserMode
bash                      getTmpCtrlInfo            setLowDelayMode
btools                    getUserOnlineInfo         setMcuPrtLevel
busybox                   getVCAVersion             setMtu
camCmd                    getVehiclePos             setOpenSdkLogLevel
cat                       getWifiInfo               setPacketType
check_rs232               getWifiStat               setPatternCorrect
chmod                     getisp                    setPort
cloudService              gunzip                    setPsLen
copyAlarmInfo             gzip                      setQP
cp                        help                      setRectFrame
da_info                   hiddrs                    setRevertTime
date                      hier                      setRoute
dayICR                    hiew                      setRtcpStatus
debugLog                  hil2s                     setRtpLen
df                        himc                      setSelfCheck
diagnose                  himd                      setSerial485Status
dm365                     himd.l                    setShutterLevel
dmesg                     himm                      setSignalMode
dspStatus                 iostat                    setSignalVoData1
du                        iperf                     setSpecialIris
echo                      itfDbg                    setSubRtpLen
env                       jxsorel                   setTempCtrlMode
execSystemCmd             kill                      setTestSpeed
false                     ln                        setUpgradeTime
free                      login                     setV6ip
frontlib_isp_cmd_test     ls                        setVehiclePos
fsync                     lzcat                     setWifiEnable
gcovTest                  lzma                      setWlan
gdbcfg                    mkdir                     setYTLock
getAEWindow               mknod                     setisp
getAgingMode              mount                     sh
getAgingTime              mpstat                    showDefence
getAlarmHandleInfo        mv                        showKey
getAlarmStatus            netstat                   showServer
getAppwebCallocReport     network_deamon            showStatus
getAppwebStatus           nightICR                  showUpnp
getBrightnessInhibition   outputClose               sleep
getCamDbgPara             outputOpen                ss
getCamLowtempState        ping                      startSaveAlarmInfo
getCamVer                 ping6                     stopSaveAlarmInfo
getCapaInfo               pmap                      stty
getCorrInfo               pppd                      superOpt
getCurAngle               pppoe                     sync
getDebug                  pppoed                    sysflg
getDevInfo                printPart                 syslog
getDevVer                 printPartFile             t1
getFrontlibDspVersion     prtHardInfo               tail
getFrontlibVersion        prtLensCurve              tar
getHighTempProtectConfig  prtLockList               taskShow
getIp                     prtMenuTestInfo           test
getIrMode                 ps                        testDspFun
getIrstate                psh                       testOneKey
getIvsKeyParam            pwd                       testOneKeyStart
getLaserMode              recover_mtd               top
getLensCurve              resetParam                touch
getLowDelayMode           resetPasswd               true
getMDInfo                 rm                        umount
getMcuInfo                rtw_cal                   unlzma
getMcuStateInfo           sdDataCheck               wifi.sh
getMcuVer                 sed                       wl
getMemInfo                semShow                   zcat
#

# ls /dav
MOTOR_APP          _cfgUpgClass       initrun.sh         sound
MOTOR_APP1         cap.json           lost+found         sysVersion.bin
MOTOR_APP2         hik_ar9331.bin     r7_app.tar.gz      webLib
WebComponents.exe  hik_ar9331_1.bin   r7_modules.tgz
# ls /home
applib              pidfile             ptzCfg.bin          sound
flash_eraseall      pppoe               r7_isp_config       spiflash_read_file
info.json           pppoed              r7_module           ss
initrun.sh          process             serialCom           t1
#
 

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
BTW G1 has been modded for unsigned firmwares: Unrestricted root shell on G1 cameras
Thanks, hik_repack 0.8 now adds support for G1 cams.
Repacking support for these RSA-crypted models was now also added, but as mentioned above, it doesn't make any real sense, as the RSA signature cannot be calculated due to the unknown RSA public key.
 

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
168
Reaction score
7
Thanks, hik_repack 0.8 now adds support for G1 cams.
Repacking support for these RSA-crypted models was now also added, but as mentioned above, it doesn't make any real sense, as the RSA signature cannot be calculated due to the unknown RSA public key.
Where can we download it?
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Thanks, hik_repack 0.8 now adds support for G1 cams.
Repacking support for these RSA-crypted models was now also added, but as mentioned above, it doesn't make any real sense, as the RSA signature cannot be calculated due to the unknown RSA public key.


v0.7 of your unpacker unpacks 5.5.81 or 82 fine, but below on PRE IPC_G0_CN_STD_5.5.53_180716 … unsure if it's a bug

alastair@PC-I5 ~/speed666_packer/hik_repack_v0.7 $ ./hik_repack -u digicap.dav contents
HIKvision firmware repacker V0.7, (c)oded by leecher@dose.0wnz.at 11/2015

*
+ This seems to be a HK30 crypted file, unpacking HK30:
+ This seems to be a 007A0100 device
HK30 subcrc check error! -1
alastair@PC-I5 ~/speed666_packer/hik_repack_v0.7 $
Just doing some work on PC_G0_EN_STD_5.5.82_190130; your unpacker does a GREAT job on that.

Thanks
 

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
168
Reaction score
7
But is there any chance to unpack and modify the FW and write it to a China camera G0 platform?
 