[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

I wondered if you'd seen this earlier tool, published a couple of years ago, used a lot: Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

Will the IPVM report be published subscription-only?

Yes, generally speaking our reports are only available to members. For this one, I intend to cover more of the business/market impact side of tools like this, not so much a "how to" on modifying firmware. Thanks for the link, I will check that one out too.
 
Hello montecrypto. Thanks for the work you've done. I want to transfer you some donations, but can't do it through PayPal; the payment does not pass. Do you have WebMoney?
 
I want to transfer you some donations, but can't do it through PayPal; the payment does not pass.
Paypal worked OK for me, after the Merchant detail was modified by @montecrypto to accept transfers from non-US sources.

And I've just had the first success (for someone else) in the use of the tool, getting past one of Hikvision's more recent silly attempts to turn their unsuspecting customers against their products.
 
So does pulling the decryption strings destroy the camera?
Secondly, how does this work? I see that it only works on Linux; however, how would I use this to turn the Hikvision USA 5.4.0 firmware into a working firmware for my Chinese camera that is currently on 5.3.0?
 
So does pulling the decryption strings destroy the camera?
We could speculate that the flash IC had to be desoldered to be read, and that getting it back on was not successful.
But I'm guessing.
Secondly, how does this work? I see that it only works on Linux; however, how would I use this to turn the Hikvision USA 5.4.0 firmware into a working firmware for my Chinese camera that is currently on 5.3.0?
This depends a lot on what camera, or more specifically what camera series it is.
If it's an R0 series (e.g. 2xx2) you could use the '5.3.0 to 5.2.5 downgrader' then do the 'MTD hack'.
If your camera is running 'hacked firmware' giving English menus - what's the rationale for the update?
 
We could speculate that the flash IC had to be desoldered to be read, and that getting it back on was not successful.
But I'm guessing.

This depends a lot on what camera, or more specifically what camera series it is.
If it's an R0 series (e.g. 2xx2) you could use the '5.3.0 to 5.2.5 downgrader' then do the 'MTD hack'.
If your camera is running 'hacked firmware' giving English menus - what's the rationale for the update?
Yes, I have an R0 series (2732).
I would like the 5.4.0 as they added the TLS option for email so that I can add my gmail address.
 
I have received a CN camera on the G0 platform (2135F-IW) and I modified the original firmware by switching the default language to EN in the configuration file. But after repacking the modified firmware, the device did not accept it. The firmware ver. is 5.4.0. Has anyone had success with this version?
 
Oh, and here's one more thing. Warning message after packing.
 

Attachments: screenshot of the warning message (2017-01-27 22_39_08.png)
The warning message says it all.
The G0 series of IP cameras has a code-signing firmware integrity check in both the web GUI updater and the bootloader updater.
Designed to be, and is, a pretty solid protection mechanism against accepting unauthorised firmware - you'd need a copy of Hikvision's Private Keys to circumvent it. Or get into the hardware of the camera.
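To make concrete what that check buys the vendor, here is an added example (not code from the packer tool, from montecrypto, or from Hikvision) modelling a signed-image check of the kind described above: the updater hashes the whole image and verifies a signature with an embedded public key, so a repacked image with even one changed byte (here the default-language field) is rejected, and only the holder of the private key can produce a signature that passes. The image layout is constructed, and textbook RSA over two small Mersenne primes is used only so the whole thing runs on the Python standard library; a real updater would use a full-size key and proper signature padding (PSS or PKCS#1 v1.5).

```python
"""Model of a code-signing firmware integrity check (constructed example)."""
import hashlib

# Constructed toy key: two known Mersenne primes, 2^61-1 and 2^31-1.
# The modulus is ~92 bits, far too small for real use; it only has to be
# larger than the truncated digest signed below.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)    # what the bootloader / web updater would embed
PRIVATE_KEY = (N, D)   # what only the vendor holds


def image_digest(image: bytes) -> int:
    """Hash the whole image; keep 64 bits so it fits under the toy modulus."""
    h = hashlib.sha256(image).digest()
    return int.from_bytes(h[:8], "big")


def sign_image(image: bytes, private_key=PRIVATE_KEY) -> int:
    """Vendor side: sign the image digest with the private exponent."""
    n, d = private_key
    return pow(image_digest(image), d, n)


def verify_image(image: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Updater side: recover the signed digest and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == image_digest(image)


def build_image(language: int) -> bytes:
    """Constructed stand-in for a firmware image: a small header carrying a
    default-language byte, followed by a fixed payload."""
    header = b"TOYFW" + bytes([language])
    payload = bytes(range(256)) * 4
    return header + payload


def repack_language_field(image: bytes, language: int) -> bytes:
    """Mimic a repacker that only flips the default-language field."""
    return image[:5] + bytes([language]) + image[6:]


def demo() -> dict:
    vendor_image = build_image(language=1)      # 1 = CN in this toy layout
    sig = sign_image(vendor_image)              # produced with the vendor key

    # Repack with the language switched to EN (2 in this toy layout) but
    # keep the vendor's original signature, as a repacker without the
    # private key would have to.
    repacked = repack_language_field(vendor_image, language=2)

    return {
        "vendor_ok": verify_image(vendor_image, sig),
        "repacked_ok": verify_image(repacked, sig),
        # Only possible because this demo also holds PRIVATE_KEY.
        "resigned_ok": verify_image(repacked, sign_image(repacked)),
    }


if __name__ == "__main__":
    print(demo())
```

The second result is the one the warning dialog reports: the repacked image hashes differently, the vendor signature no longer matches, and the updater refuses it. The third result only passes because this demo holds the private key, which is exactly the part a third party does not have.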
 
This is some great work. Thank you @montecrypto! I've noticed that you have been posting some repacked firmware with SSH re-enabled. Just wondering if you've modified the tool to do that and, if so, do you plan on posting the new tool? I have several R0 series cameras that I'd like to re-enable SSH on. Thanks again for your work on behalf of the community.
 
SSH re-enabled. Just wondering if you've modified the tool to do that
The way Hikvision provide SSH is via the 'dropbear' SSH server.
It's started at bootup and left running.
The SSH enable/disable in the web GUI used 'iptables' to block or allow access to port 22.
Even in the R0 5.4.0 firmware, dropbear still runs even though there is no enable tickbox in the web GUI.
Putting an 'iptables -F' (flush the rules) sometime after the initial invocation (which could also be modified) is a simple enough way to re-enable SSH.
So you could unpack the R0 firmware, modify initrun.sh, and repack and apply with the web GUI.
Suggested changes like so (with credit to @montecrypto for the better lines than my usual crude ones to get psh out of the way) :
Code:
alastair@PC-I5 ~ $ ssh root@192.168.1.67
root@192.168.1.67's password:
repacked


BusyBox v1.19.3 (2016-05-23 16:23:55 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# tail -c360 /dav/initrun.sh
IEfile uncompressed."

#-------
[ -f /bin/psh.old ] || mv /bin/psh /bin/psh.old
[ -f /bin/psh.old ] && echo -e '#!/bin/sh\nexec /bin/sh $*' > /bin/psh
[ -f /bin/psh ] && chmod +x /bin/psh
echo "repacked" > /etc/motd
iptables -F
#-------

sleep 10
rm -rf /home/default_binary.bin
rm -rf /home/orccode.bin
rm -rf /home/orcme.bin
rm -rf /home/process/net_process
#
#
# prtHardInfo
Start at 2017-01-30 11:49:28
Serial NO :DS-2CD2032-I20141113CCCH489546019
V5.4.0 build 160530
NetProcess Version: 1.6.1 [14:12:02-Apr  5 2016]
Db Encrypt Version: 65537
hardwareVersion    = 0x0
hardWareExtVersion    = 0x0
encodeChans        = 1
decodeChans        = 1
alarmInNums        = 0
alarmOutNums        = 0
ataCtrlNums        = 0
flashChipNums        = 0
ramSize            = 0x4000000
networksNums        = 1
language            = 1
devType            = 0x9805
net reboot count    = 0
Path: .
Working Copy Root Path: /usr/local/jenkins/workspace/Frontend_BaseLine_Publish_Build/3631
URL: https://192.0.0.140/Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_5.4.0_R0
Repository Root: https://192.0.0.140/Camera
Repository UUID: df2d70c3-7593-7941-af1e-571b313c0946
Revision: 198009
Node Kind: directory
Schedule: normal
Last Changed Author: xusen
Last Changed Rev: 197861
Last Changed Date: 2016-05-30 11:24:30 +0800 (Mon, 30 May 2016)

#
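Because dropbear is always running and it is the iptables rule set alone that decides whether port 22 is reachable, the only reliable way to know a camera's real SSH exposure is to read the rules rather than trust the web GUI tickbox. As an added example that is not part of the thread or of the packer tool, here is a small audit over the `iptables -S` rule-save format: it applies first-match semantics on the INPUT chain, honours the chain policy when no rule matches, and understands both `--dport` and multiport `--dports`. The three rule sets are constructed samples; the function names are mine.

```python
"""Audit a camera's iptables rule set for SSH (tcp/22) exposure."""
import re

# Constructed sample: the "SSH disabled in the GUI" state.
BLOCKED_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

# Constructed sample: the same device after the rules were flushed.
FLUSHED_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample: a multiport rule covering 22 among other ports.
MULTIPORT_SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,80 -j DROP
"""

RULE_RE = re.compile(r"^-A INPUT (?P<body>.*?)-j (?P<target>\S+)")
DPORT_RE = re.compile(r"--dport (?P<port>\d+)")
MULTIPORT_RE = re.compile(r"--dports (?P<ports>[\d,:]+)")
PROTO_RE = re.compile(r"-p (?P<proto>\S+)")


def _rule_matches_port(body: str, port: int) -> bool:
    """True if an explicit --dport / --dports selector covers `port`."""
    m = DPORT_RE.search(body)
    if m:
        return int(m.group("port")) == port
    m = MULTIPORT_RE.search(body)
    if m:
        for item in m.group("ports").split(","):
            if ":" in item:
                lo, hi = (int(x) for x in item.split(":"))
                if lo <= port <= hi:
                    return True
            elif int(item) == port:
                return True
    return False


def _rule_applies(body: str, port: int) -> bool:
    """Does this INPUT rule apply to TCP traffic on `port`?
    Source/interface selectors are ignored (assumed to match), which errs
    towards reporting a rule as relevant."""
    proto = PROTO_RE.search(body)
    if proto and proto.group("proto") != "tcp":
        return False
    if "--dport" in body:          # also true for --dports
        return _rule_matches_port(body, port)
    return True                    # no port selector: blanket rule


def audit_ssh(rules_text: str, port: int = 22) -> dict:
    """Return the effective verdict for tcp/`port` on the INPUT chain."""
    policy = "ACCEPT"
    first_match = None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
            continue
        if first_match is not None:
            continue                # iptables stops at the first match
        m = RULE_RE.match(line)
        if m and _rule_applies(m.group("body"), port):
            first_match = m.group("target")
    effective = first_match if first_match is not None else policy
    return {
        "port": port,
        "input_policy": policy,
        "first_match": first_match,
        "ssh_blocked": effective in ("DROP", "REJECT"),
    }


if __name__ == "__main__":
    for name, sample in [("blocked", BLOCKED_SAMPLE),
                         ("flushed", FLUSHED_SAMPLE),
                         ("multiport", MULTIPORT_SAMPLE)]:
        print(name, audit_ssh(sample))
```

Run it against `iptables -S` output captured over the serial console or an existing session; a camera that reports `ssh_blocked: False` with `first_match: None` is one where the gating rule is gone and the always-running dropbear is reachable, which is the state to flag in an inventory.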
 
The warning message says it all.
The G0 series of IP cameras has a code-signing firmware integrity check in both the web GUI updater and the bootloader updater.
Thanks for the explanation. If I try to get a dump of the memory chip, will it help solve the problem? I myself would not be able to solve the problem of decrypting the dump; I would need the assistance of @montecrypto.
 
Don't know if I saw it answered. Will this tool help us repack the 5.40 firmware on an R0 for Chinese models?
 
It will help, but I think you would then still need patching of the kernel, like in the old 5.1.2 times.

The Chinese sellers already have patched firmware. Sadly, it is not published.
 
Will this tool help us to repack the 5.40 firmware on a R0 for Chinese models?
Which camera models do you want to change?
Is this because you have Chinese menus?
Depending on the manufacture date (i.e. the version of the bootloader), the 'MTD hack' to EN and then updating from there would be a potential route for older R0 cameras.
 
I have the 2732, no I don't have Chinese menus. The new 5.4.0 firmware enables TLS for email, so I can connect to my gmail account. The older 5.3.0 and 5.2.5 versions only allow for SSL.
 
I would like the 5.4.0 as they added the TLS option for email so that I can add my gmail address.
I have the 2732, no I don't have Chinese menus.
Do you believe the camera is a CN region with hacked firmware, such that it would revert to Chinese on a firmware update?
If not, have you tried a web GUI update with the firmware from here: DOWNLOAD PORTAL