[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
- Thread starter montecrypto
- Start date
The return -1 is commented in 0.8, I just wasn't sure which models need subcrc check and which don't. So it then continues to unpack it. So new repacker should work.
Attached is the compiled v0.8 hik_repack. Runs on x86 linux. Thanks @leecher!
edit, Requested by the dev to remove this. Complied per their wishes.
edit, Requested by the dev to remove this. Complied per their wishes.
Last edited:
hik_repack 0.9 now has a bugfix for wrong iLangAuth (subcrc) calculation, which also affected repacking.
And -d parameter dumps more information now.
And -d parameter dumps more information now.
v09 attached.
edit, Requested by the dev to remove this. Complied per their wishes.
edit, Requested by the dev to remove this. Complied per their wishes.
Last edited:
simonchan
n3wb
chmod 755 hik_repacki used hik-repack command but doesn't work?
$./hik_repackermisson denied
simonchan
n3wb
simonchan
n3wb
i use hipack command extarct to digicap.dav firmware.
./hipack -t k51 -x ./digicap.dav -o ./test_digicap
extarct sys_app.tar.lzma and webs.tar.lzma
i changed logo.jpg file . how to pack sys_app.tar.lzma back ?
./hipack -t k51 -x ./digicap.dav -o ./test_digicap
extarct sys_app.tar.lzma and webs.tar.lzma
i changed logo.jpg file . how to pack sys_app.tar.lzma back ?
alastairstevenson
Staff member
Something like this, if I understand the question correctly :
Code:
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5
hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
*** No expressed or implied warranties of any kind. Use at your own risk ***
Usage:
hikpack -t <fwtype> -i <src_dav_file> print dav file information
hikpack -t <fwtype> -x <src_dav_file> -o <dst_dir> extract dav file into directory
hikpack [opts] -t <fwtype> -p <dst_dav_file> -o <src_dir> pack dav file from source directory
hikpack -t <fwtype> -d <src_crypted_file> -o <dst_file> decrypt file
hikpack -t <fwtype> -g <src_crypted_cfg> -o <dst_file> decrypt configuration backup file
hikpack -t <fwtype> -G <src_file> -o <crypted_cfg_file> encrypt configuration backup file (CRC adjusted if needed)
hikpack -t <fwtype> -e <src_file> -o <dst_crypted_file> encrypt file
-t option sets firmware platform type. Currently supported: cameras: r0,r1,r6,g0 nvr: k41,k51
----- The following options are used by the pack (-p) command:
-L <1,2> set language id (1=EN, 2=CN)
-D <YYYYMMDD> set firmware date.
-V <ver> set firmware version. Use hex number, e.g.: 0x05040003 for v5.4.3
If you find this software useful, please donate to support future development:
Bitcoin: 1N9fKwsy7AphUHZJshCp4L7RJG5CvuXnAk
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5 -t k51 -p new_digicap.dav -o files
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
Magic : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
=== Tail record:
File: new_20.bin, CRC OK
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $ hikpack_2.5 -t k51 -i new_digicap.dav
Magic : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
=== Tail record:
File: new_20.bin, CRC OK
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.96/NVR_K51_BL_ML_STD_V3.4.96_170921 $simonchan
n3wb
yes.
hikpack_2.5 -t k51 -p new_digicap.dav -o files
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
Magic : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
=== Tail record:
File: new_20.bin, CRC OK
sys_app.tar.lzma file i use ./hikpack -t k51 -d ./sys_app.tar.lzma -o ./sys_app_dec.tar
extract four folder exec hisi lib res
i changed exec folder logo.jpg.file i need to unpack the four folder back became to sys_app.tar.lzma
hikpack_2.5 -t k51 -p new_digicap.dav -o files
File: start.sh, CRC OK
File: sys_app.tar.lzma, CRC OK
File: webs.tar.lzma, CRC OK
File: uImage, CRC OK
File: gui_res.tar.lzma, CRC OK
File: new_10.bin, CRC OK
Magic : 484b5753
hdr_crc : 0000426f (OK)
lang_id : 00000001
date_hex: 20160606
devclass: 0000003d
=== Tail record:
File: new_20.bin, CRC OK
sys_app.tar.lzma file i use ./hikpack -t k51 -d ./sys_app.tar.lzma -o ./sys_app_dec.tar
extract four folder exec hisi lib res
i changed exec folder logo.jpg.file i need to unpack the four folder back became to sys_app.tar.lzma
simonchan
n3wb
hik_repack v0.10 by leecher THANKS! (removed "removed upon author's request")
However you do not need it to decompress files, as they are left on the camera with RSA key removed
including davinci
Use montecrypto's packer to repack digicap.dav without rsa key(HOWEVER IT WILL NOT UNPACK RSA)
However you do not need it to decompress files, as they are left on the camera with RSA key removed
including davinci
Use montecrypto's packer to repack digicap.dav without rsa key(HOWEVER IT WILL NOT UNPACK RSA)
Last edited:
repack and change firmware version and language code in unsigned firmware. (this will allow you to bypass flash update error on cam due to rollback protection)
However that in itself will not totally bypass rollback on G1 cams and will cause a boot loop.
It will also allow you to repack a G1 firmware unsigned with mods for updating a G1 cam. eg new davinci / hImage or initrun.sh
This is a work in progress there may be more protection in davinci or hImage that needs bypassed.
(I am only currently testing and using on G1's)
Anything that is usefull I will post here or on the G1 thread.
I have Hikvision Cam DS-2CD2X21G0. But I don't know unpack firmware.
I dump 128MB from chip flash winbond. but i don't know where key was save.
I have alot infomations from chipflash:
....
The length of key must be less than or equal to 16!
Error! efuse write key time out!
Error! efuse load key out!
%s,%d: invalid key len 0x%x.
%s,%d: Hmac key initial failed!
%s,%d: hash i_key_pad and message start failed!
%s,%d: hash i_key_pad and message update failed!
%s,%d: Hash Final i_key_pad+message failure, ret=%d
,%d: Hash Init o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: Hash Update o_key_pad failure, ret=%d
%s,%d: Hash Final o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: RSA padding mode error, mode = 0x%x. public key encryption operation, the block type shall be 02.
%s,%d: For a private key decryption operation, the block type shall be 02.
%s,%d: key is null.
%s,%d: For a private- key encryption operation, the block type shall be 00 or 01.
%s,%d: For a public key decryption operation, the block type shall be 00 or 01
....
Help me -thank you!
I dump 128MB from chip flash winbond. but i don't know where key was save.
I have alot infomations from chipflash:
....
The length of key must be less than or equal to 16!
Error! efuse write key time out!
Error! efuse load key out!
%s,%d: invalid key len 0x%x.
%s,%d: Hmac key initial failed!
%s,%d: hash i_key_pad and message start failed!
%s,%d: hash i_key_pad and message update failed!
%s,%d: Hash Final i_key_pad+message failure, ret=%d
,%d: Hash Init o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: Hash Update o_key_pad failure, ret=%d
%s,%d: Hash Final o_key_pad+hash_sum_1 failure, ret=%d
%s,%d: RSA padding mode error, mode = 0x%x. public key encryption operation, the block type shall be 02.
%s,%d: For a private key decryption operation, the block type shall be 02.
%s,%d: key is null.
%s,%d: For a private- key encryption operation, the block type shall be 00 or 01.
%s,%d: For a public key decryption operation, the block type shall be 00 or 01
....
Help me -thank you!
Last edited: