[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
168
Reaction score
7
I dont see there version v0.8 for HikVision....
 

simonchan

n3wb
Joined
Jul 22, 2019
Messages
8
Reaction score
0
Location
United States
i use hipack command extarct to digicap.dav firmware.
./hipack -t k51 -x ./digicap.dav -o ./test_digicap
extarct sys_app.tar.lzma and webs.tar.lzma
i changed logo.jpg file . how to pack sys_app.tar.lzma back ?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
how to pack sys_app.tar.lzma back ?
Something like this, if I understand the question correctly :
Code:
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5
hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
*** No expressed or implied warranties of any kind. Use at your own risk ***
Usage:
   hikpack -t <fwtype> -i <src_dav_file>                     print dav file information
   hikpack -t <fwtype> -x <src_dav_file> -o <dst_dir>        extract dav file into directory
   hikpack [opts] -t <fwtype> -p <dst_dav_file> -o <src_dir> pack dav file from source directory
   hikpack -t <fwtype> -d <src_crypted_file> -o <dst_file>   decrypt file
   hikpack -t <fwtype> -g <src_crypted_cfg> -o <dst_file>    decrypt configuration backup file
   hikpack -t <fwtype> -G <src_file> -o <crypted_cfg_file>   encrypt configuration backup file (CRC adjusted if needed)
   hikpack -t <fwtype> -e <src_file> -o <dst_crypted_file>   encrypt file
     -t option sets firmware platform type. Currently supported: cameras: r0,r1,r6,g0 nvr: k41,k51
     ----- The following options are used by the pack (-p) command:
     -L <1,2>      set language id (1=EN, 2=CN)
     -D <YYYYMMDD> set firmware date.
     -V <ver>      set firmware version. Use hex number, e.g.: 0x05040003 for v5.4.3

If you find this software useful, please donate to support future development:
    Bitcoin: 1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk

alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5 -t k51 -p new_digicap.dav -o files
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
Magic   : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
=== Tail record:
File: new_20.bin, CRC OK
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5 -t k51 -i new_digicap.dav
Magic   : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
=== Tail record:
File: new_20.bin, CRC OK
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $
 

simonchan

n3wb
Joined
Jul 22, 2019
Messages
8
Reaction score
0
Location
United States
yes.
hikpack_2.5 -t k51 -p new_digicap.dav -o files
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
Magic : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
=== Tail record:
File: new_20.bin, CRC OK
sys_app.tar.lzma file i use ./hikpack -t k51 -d ./sys_app.tar.lzma -o ./sys_app_dec.tar
extract four folder exec hisi lib res
i changed exec folder logo.jpg.file i need to unpack the four folder back became to sys_app.tar.lzma
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
hik_repack v0.10 by leecher THANKS! (removed "removed upon author's request")

However you do not need it to decompress files, as they are left on the camera with RSA key removed

including davinci

Use montecrypto's packer to repack digicap.dav without rsa key(HOWEVER IT WILL NOT UNPACK RSA)
 
Last edited:

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
What is new in version 0.10?
repack and change firmware version and language code in unsigned firmware. (this will allow you to bypass flash update error on cam due to rollback protection)

However that in itself will not totally bypass rollback on G1 cams and will cause a boot loop.

It will also allow you to repack a G1 firmware unsigned with mods for updating a G1 cam. eg new davinci / hImage or initrun.sh

This is a work in progress there may be more protection in davinci or hImage that needs bypassed.

(I am only currently testing and using on G1's)

Anything that is usefull I will post here or on the G1 thread.
 

hatoan

n3wb
Joined
Aug 13, 2019
Messages
8
Reaction score
1
Location
ha noi
I have Hikvision Cam DS-2CD2X21G0. But I don't know unpack firmware.
I dump 128MB from chip flash winbond. but i don't know where key was save.

I have alot infomations from chipflash:
....
The length of key must be less than or equal to 16!
Error! efuse write key time out!
Error! efuse load key out!
%s,%d: invalid key len 0x%x.
%s,%d: Hmac key initial failed!
%s,%d: hash i_key_pad and message start failed!
%s,%d: hash i_key_pad and message update failed!
%s,%d: Hash Final i_key_pad+message failure, ret=%d
,%d: Hash Init o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: Hash Update o_key_pad failure, ret=%d
%s,%d: Hash Final o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: RSA padding mode error, mode = 0x%x. public key encryption operation, the block type shall be 02.
%s,%d: For a private key decryption operation, the block type shall be 02.
%s,%d: key is null.
%s,%d: For a private- key encryption operation, the block type shall be 00 or 01.
%s,%d: For a public key decryption operation, the block type shall be 00 or 01
....

Help me -thank you!
 
Last edited:

leecher

n3wb
Joined
Jul 5, 2019
Messages
19
Reaction score
24
Location
-
I have Hikvision Cam DS-2CD2X21G0. But I don't know unpack firmware.
I dump 128MB from chip flash winbond. but i don't know where key was save.

Help me -thank you!
If you send me the dump, I can have a look.
 
Top