[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

[rearanger]

Teaser lol - There is python script unpacker and an updated C source code unpacker (not by leecher) out there.

Most cams can now be unpacked. G5 and some E/H series cams cannot yet be unpacked.(no keys)

 

[kk_2]

There are copies attached somewhere in this large thread.

I re-read this long thread but unfortunately all links to hik_repack (from @leecher) have been removed.
There is a link to version 2.5 hikpack but it does not unpack this firmware. My problem is that I have 4 cameras from EZVIZ and I am trying to find the "original" software from them.
Just in case, attachement contains a full dump of the firmware from the camera.

 

[kk_2]

Teaser lol - There is python script unpacker and an updated C source code unpacker (not by leecher) out there.

Most cams can now be unpacked. G5 and some E/H series cams cannot yet be unpacked.(no keys)

Is it possible to get this script and C code ?

 

[alastairstevenson]

I re-read this long thread but unfortunately all links to hik_repack (from @leecher) have been removed.

As this is a @montecrypto thread - I assumed it was the MCR unpacker that you were looking for.
@leecher requested a while back that his repacker be removed from public distribution.

 

[mrpeenut24]

@kk_2, I tried to unpack it with the latest of leecher's unpacker that I have, but unfortunately I get the below error:

*
+ This seems to be a HK30 crypted file, unpacking HK30:
Cannot decrypt HK30 file header! -1

Unless @leecher has made some updates and would be willing to share it, doesn't look like this will work for you.

 

[kk_2]

@kk_2, I tried to unpack it with the latest of leecher's unpacker that I have, but unfortunately I get the below error:



Unless @leecher has made some updates and would be willing to share it, doesn't look like this will work for you.

Pity, but thanks anyway.

 

[rearanger]

Is it possible to get this script and C code ?

That file does not look like ait has a hikvision header....

 

[kk_2]

That file does not look like ait has a hikvision header....

This one ?

 

[rearanger]

This one ?

Spoiler: header

iMagicNum : 484B3230 (HK20)
iChkSumU8 : 00002236
iHeadSize : 108
iHeadAttr : 0
iPackSize : 14273956
iPackNums : 1
bPlatformId : 136 (unsupported by hik_repack)
bFlashSize : 003
bMemerySize : 002
bMajorTypeId: 111
bMinorTypeId: 113
bLanguageId : 001 (EN/ML)
bSqlite3Flg : 1
Cannot decrypt HK30 file header! -1

Platform id is 136 unsupported

Were did you get the .bin file from ? Have you got root on the cam?

if you have root/access to davinci/deamon_fsp then you can pull the keys from it.(there is a davinci in that bin file you posted)

 

[kk_2]

Spoiler: header

iMagicNum : 484B3230 (HK20)
iChkSumU8 : 00002236
iHeadSize : 108
iHeadAttr : 0
iPackSize : 14273956
iPackNums : 1
bPlatformId : 136 (unsupported by hik_repack)
bFlashSize : 003
bMemerySize : 002
bMajorTypeId: 111
bMinorTypeId: 113
bLanguageId : 001 (EN/ML)
bSqlite3Flg : 1
Cannot decrypt HK30 file header! -1

Platform id is 136 unsupported

Were did you get the .bin file from ? Have you got root on the cam?

if you have root/access to davinci/deamon_fsp then you can pull the keys from it.

I desoldered flash chip, put it on programmer and download firmware. Cam connected to the serial port and to the network.
I have an access to the u-boot and tftp. If you need some extra information ask.
I briked this cam more than 20 times.
Resurrection take 45 minutes (desolder, program and solder)

 

[rearanger]

keys are normally in davinci for decryption. You davinci in the .bin looks like a standard elf file (some davinci's are called davinci_bak) Yours is a straight elf file by the looks of it. Usually the keys are in there for decrypting the digicap.dav

Spoiler: hik

root@jay-VirtualBox:/media/sf_linux# ./hikdec_file 123.dav
Header02[006c] Checksum=<2236>[GOOD]
Model={880000}EN
0000 | 30 32 4b 48 36 22 00 00 6c 00 00 00 00 00 00 00| 02KH6"..l.......
0010 | a4 cd d9 00 01 00 00 00 ff ff ff ff ff ff ff ff| ................
0020 | ff ff ff ff ff ff ff ff ff ff ff ff 31 33 36 30| ............1360
0030 | 30 33 30 30 32 31 31 31 31 31 33 30 30 31 31 00| 030021111130011.
0040 | 00 01 00 00 00 00 88 00 31 33 36 30 30 33 30 30| ........13600300
0050 | 32 31 31 31 31 31 33 30 30 31 31 00 01 00 00 00| 21111130011.....
0060 | 6c 00 00 00 38 cd d9 00 f6 00 77 6c 30 33 4b 48| l...8.....wl03KH
0070 | 76 ab cc 25 00 07 00 00 00 00 00 00 | v..%........
Don't have yet this AES key
root@jay-VirtualBox:/media/sf_linux#

i ran a quick hex edit on the the davinci for the model above could not see it. Maybe best to reverse engineer the code.

 

[alastairstevenson]

I desoldered flash chip, put it on programmer and download firmware. Cam connected to the serial port and to the network

Just for fun, here is a simple unpacker script for the flash dump you posted.

#!/bin/sh
# This script holds the steps to unpack the flash dump that @kk_2 posted on ipcamtalk.
# The offsets will very likely be specific to that version of firmware. There is no attempt to
# use logic to make it universal - it's as much a memory-jogger as anything.
#
#
dd if=25q128c.bin of=boot.part bs=1 count=$((0x70000))
dd if=25q128c.bin of=uImage.part bs=1 count=$((0x380000 - 0x70000)) skip=$((0x70000))
dd ibs=1 skip=64 if=uImage.part of=uncompressor count=16407
dd ibs=1 obs=512 if=uImage.part of=mainbody.gz skip=16407
gunzip -k mainbody.gz
dd ibs=1 obs=512 if=mainbody of=romfs.cpio.xz skip=$((0x40b1d4))
xz --format=xz --decompress -k -f --single-stream romfs.cpio.xz
[ ! -d romfs_contents ] && mkdir romfs_contents
cd romfs_contents
sudo cpio -idvm < ../romfs.cpio 2>../transcript1.txt
cd ..
dd if=25q128c.bin of=appfs.part bs=1 skip=$((0x380000))
sudo unsquashfs -d  appfs appfs.part
#
#
#
#
#

 

[rearanger]

Just for fun, here is a simple unpacker script for the flash dump you posted.

#!/bin/sh
# This script holds the steps to unpack the flash dump that @kk_2 posted on ipcamtalk.
# The offsets will very likely be specific to that version of firmware. There is no attempt to
# use logic to make it universal - it's as much a memory-jogger as anything.
#
#
dd if=25q128c.bin of=boot.part bs=1 count=$((0x70000))
dd if=25q128c.bin of=uImage.part bs=1 count=$((0x380000 - 0x70000)) skip=$((0x70000))
dd ibs=1 skip=64 if=uImage.part of=uncompressor count=16407
dd ibs=1 obs=512 if=uImage.part of=mainbody.gz skip=16407
gunzip -k mainbody.gz
dd ibs=1 obs=512 if=mainbody of=romfs.cpio.xz skip=$((0x40b1d4))
xz --format=xz --decompress -k -f --single-stream romfs.cpio.xz
[ ! -d romfs_contents ] && mkdir romfs_contents
cd romfs_contents
sudo cpio -idvm < ../romfs.cpio 2>../transcript1.txt
cd ..
dd if=25q128c.bin of=appfs.part bs=1 skip=$((0x380000))
sudo unsquashfs -d  appfs appfs.part
#
#
#
#
#

i binwalked it cause i have no style lol

Have you reversed it yet too see if you can snag the keys? lol

 

[alastairstevenson]

i binwalked it cause i have no style lol

haha!
As did I.
Such a useful program.

Have you reversed it yet too see if you can snag the keys? lol

No, I haven't looked.
My guess is there will be an ioctl call in davinci in the update code and that the cipher.ko might be part of it.

 

[kk_2]

Guys ! Don't waste your time! It looks like my cam is truncated version of hikvision R0 platform.
I think there are a lot of public tools for repaking digicap.dav for this platform.
I wiil try to do it by myself.
Big thanks for help !

 

[alastairstevenson]

It looks like my cam is truncated version of hikvision R0 platform.

In which case the @montecrypto unpacker would most likely have worked on the firmware.

There are quite a few references to R2 in the flash dump - and R2 is not supported by the @montecrypto unpacker.

 

[rearanger]

In which case the @montecrypto unpacker would most likely have worked on the firmware.

There are quite a few references to R2 in the flash dump - and R2 is not supported by the @montecrypto unpacker.

also has files referencing hisilicon hi3518e chipset.

R2 is supported in leechers / other unpacker , but it does not unpack this digicap.dav. The keys/encryption is different.

 

[knedit2]

Is it possible to use these methods to decrypt the firmware for some of hikvisions other products? I assume they all work similarly.
recently some cheap thermal imagers have been showing up on ebay but we've not been able to get into the firmware to mod them

https://us.hikvision.com/sites/default/files/firmware/iptp_e2l_en_std_5.4.22_200325.zip

 

[alastairstevenson]

Is it possible to use these methods to decrypt the firmware for some of hikvisions other products?

In theory, probably yes, as there is a lot of commonality in how Hikvision firmware has been packaged.
In practice though, different series use different encryption keys for the firmware body, and the one you linked to isn't in the set that the MCR 2.5 repacker is equipped with.
Nor in another repacker that i tried.

Have you looked for and connected to the serial console on the device?
Usually a 4-pin 1.5mm JST ZH connector on the main board.
That's usually a way to get into the internals of the firmware.

 

[knedit2]

In theory, probably yes, as there is a lot of commonality in how Hikvision firmware has been packaged.
In practice though, different series use different encryption keys for the firmware body, and the one you linked to isn't in the set that the MCR 2.5 repacker is equipped with.
Nor in another repacker that i tried.

Have you looked for and connected to the serial console on the device?
Usually a 4-pin 1.5mm JST ZH connector on the main board.
That's usually a way to get into the internals of the firmware.

Ahh thats a shame, at least there is still hope though! thanks for trying it.
I read a teardown on one and there is is a 4 pin serial port on the main board, however the teardown didnt go into much detail on it past reading the boot sequence.
is it possible to get a shell through that port then? i assumed it was output only.