[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

I have a Hikvision video doorbell based on this one: EZVIZ - a global smart home security brand and I'd like to properly unpack the firmware. (V5.2.4)

hikpack seems to unpack them:
hikpack -t r0 -x <file> -o <dir> (or "r1", both seem to work)

Magic : 484b5753
hdr_crc : 00002c82 (OK)
lang_id : 00000001
Date : -00001
version : ffffffff
frm_flg : 5140020021150000011
File: app.img, CRC OK
File: res.bin, CRC OK
File: mcu.bin, CRC OK
File: arc.bin, CRC OK

The res.bin is a jffs file which can be extracted with jefferson. It contains .aac audio files.
I'm stuck on what to do with the larger app.img file. binwalk doesn't extract it (or does so improperly) Any hints?

Also, is this a recognized .dav file format where I could modify contents, repack and use?

samples:
Code:
http://usdownload.ezvizlife.com/device/HSDB2/2.0/HSDB2.dav
http://usdownload.ezvizlife.com/device/NDB313-W/2.0/NDB313-W.dav
 
where can i download the hik_repack tool by leecher? looking to unpack some G1 firmware but it doesnt seem to be supported by hikpack_2.5?
 
  • Like
Reactions: SkYe231
Hi! How can I download file digicap.dav from 2CD2332 with 4.5.4?
Thanks!
 

Attachments

  • cat and dav commands.jpg
    cat and dav commands.jpg
    16.9 KB · Views: 447
  • prtHardInfo.jpg
    prtHardInfo.jpg
    85.1 KB · Views: 399
ds-2cd2xx2fwd or from a similar camera.
I want to learn the structure of a new davinci file.
To do this, I need a decrypted davinci file in ELF format from firmware version 2017 and higher ...


Davinci is left decrypted on the cam at runtime , so if you have root/ASH you can copy the elf/disassemble.
 
will this latest version hikpack2.5 work to change language on DS-2DE2202-DE3 camera?
camera has V5.3.8 build 150707 firmware, looks like the latest is V5.4.71 build 170407(Released)

the seller sold the camera as north american version. just looked into it and i have the ch in my serial number.
i bought the cameras about 2 years ago.
just playing around to see if it's possible to upgrade the firmware.
tnx
 
will this latest version hikpack2.5 work to change language on DS-2DE2202-DE3 camera?
hikpack2.5 can be used to change the language in the header of a firmware file, to get the file past one of the early validation checks, but that will not change the language of the camera itself.
If the camera does have CCCH in its serial number, and is Chinese, it will be best to not attempt a firmware update.
 
  • Like
Reactions: HackitZ
Out of interest, if you had a G1 series camera ( v5.6+ firmware) with nonPSH access, would it be possible to downgrade to a much earlier firmware? Other advantages one could leverage with that level of access?
 
Out of interest, if you had a G1 series camera ( v5.6+ firmware) with nonPSH access, would it be possible to downgrade to a much earlier firmware? Other advantages one could leverage with that level of access?

Unsure of the question. G1 will not downgrade without root/ash or minisys. Downgrading of G0 you would manually copy files accross

You would either repack the digicap.dav and alter header. Or manually copy the unpacked files to the correct partitions.


With ash/root you can do just about anything you want that you can do in Linux.
 
Anyone could decode an 5.5.x E3 firmware with leechers tool? Or knows a tool which can do this?
I don't think the AES keys needed are known (at least not to available tools).

With an mtd dump we could derive them, or with a couple of files from the camera, but otherwise not so much. If you have an E3 camera it might be possible via UART though likely not easy these days.
 
At work now, was planning try those steps when I get home, just don't want to brick it.
Yes its the same nvr see post here: New LaView NVR question

edit:
mission accomplished :). it took it over the web interface. upgrading to the latest now

I'm trying to do the same thing in order to get more features, but Is there a dumbed down way to install the Hikvision Firmware for less knowledgeable users?