[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Actually, I stand corrected. I have a DS-2TP31 (without the B) and I am still not able to get temperature range options. Any ideas?
 
Greetings.

Need some help with compiling a FW for my DS-7608NI-K2. That's the K51 platform. FW version 4.72.107.

I've successfully unpacked a firmware file, decrypted and modified the contents of the sys_app.tar.lzma file, but when trying to update the FW using the GUI interface from a USB stick through the local update menu, I get the "Upgrading failed. Execute program error." window every time after it has tried to unpack all the files from my FW.

What has been tried/checked:
1. Packed with and without version/language/date flags while packing (if those flags weren't used, the GUI doesn't even try to start the FW unpacking and checking process, showing the same error window immediately);
2. Decrypted and checked all the MD5s of all the FW files inside new_10.bin and new_20.bin - they match the values stored there.
3. For testing purposes, tried to unpack the FW, modified the contents of the factory non-encrypted file gui_res.tar.lzma, then tried to compile a FW update file and still failed with an identical error window.
4. TFTP'ed this FW update file using the "192.0.0.128 method". The NVR doesn't seem to want to download anything from my local TFTP server at all.
5. Updated the FW using the same version file just to make sure it would accept the same version over the installed one. Accepted and installed.


I'm using Ubuntu and its built-in GUI LZMA archiver. Although I've modified just a few config files, I got a FW file ~2 MB smaller compared to the original FW size (37.6 vs 39.8 MB).
Are there any steps I'm missing, or is there something else I need to look at to make it work?
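A check worth running before blaming the packer: does the repacked sys_app.tar.lzma use the same container (legacy .lzma vs .xz) and the same LZMA1 parameters (lc/lp/pb, dictionary size) as the original, and did only the intended members change? A size drop of ~2 MB after touching a few config files usually means the re-compression differs, not the content. The script below is an added example, not code from the thread or from the Hikvision tools: it parses the 13-byte legacy .lzma header, hashes the tar members inside, and re-encodes with the original's parameters. The sample archive is constructed for the demo and nothing here reproduces Hikvision's real digicap.dav layout; whether the NVR's loader actually cares about these header fields is an assumption to verify on the device.

```python
"""Added example (not from the thread): compare an original and a repacked
legacy .lzma stream header-by-header, hash the tar members inside each, and
re-encode with the original's LZMA1 parameters. The sample archive below is
constructed for the demo; nothing here is Hikvision's real digicap.dav layout."""
import hashlib
import io
import lzma
import struct
import tarfile

XZ_MAGIC = b"\xfd7zXZ\x00"          # .xz container magic (not legacy .lzma)
LZMA_ALONE_HEADER_LEN = 13           # props(1) + dict_size(4 LE) + unc_size(8 LE)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # "size unknown, end marker present"


def detect_container(data: bytes) -> str:
    """Tell a legacy .lzma (FORMAT_ALONE) stream from an .xz stream by header."""
    if data.startswith(XZ_MAGIC):
        return "xz"
    if len(data) >= LZMA_ALONE_HEADER_LEN and data[0] < 9 * 5 * 5:
        return "lzma-alone"
    return "unknown"


def parse_lzma_alone_header(data: bytes) -> dict:
    """Decode the 13-byte legacy .lzma header into lc/lp/pb/dict_size/size."""
    if detect_container(data) != "lzma-alone":
        raise ValueError("not a legacy .lzma stream")
    props, dict_size, unc = struct.unpack("<BIQ", data[:LZMA_ALONE_HEADER_LEN])
    return {
        "lc": props % 9,              # props = (pb * 5 + lp) * 9 + lc
        "lp": (props // 9) % 5,
        "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": None if unc == UNKNOWN_SIZE else unc,
    }


def compress_like(tar_bytes: bytes, hdr: dict) -> bytes:
    """Produce a legacy .lzma stream using the same LZMA1 parameters as hdr."""
    filt = {"id": lzma.FILTER_LZMA1, "lc": hdr["lc"], "lp": hdr["lp"],
            "pb": hdr["pb"], "dict_size": hdr["dict_size"]}
    return lzma.compress(tar_bytes, format=lzma.FORMAT_ALONE, filters=[filt])


def build_tar(files: dict) -> bytes:
    """Constructed helper: pack {name: content} into an uncompressed tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def member_md5s(lzma_bytes: bytes) -> dict:
    """Decompress a .tar.lzma in memory and MD5 every regular file in it."""
    raw = lzma.decompress(lzma_bytes, format=lzma.FORMAT_ALONE)
    out = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
        for m in tf:
            if m.isfile():
                out[m.name] = hashlib.md5(tf.extractfile(m).read()).hexdigest()
    return out


def compare_repack(original: bytes, repacked: bytes) -> dict:
    """Report container/header mismatches and which members actually changed."""
    report = {"orig_container": detect_container(original),
              "repacked_container": detect_container(repacked),
              "size_delta": len(repacked) - len(original)}
    if report["orig_container"] == report["repacked_container"] == "lzma-alone":
        o, r = parse_lzma_alone_header(original), parse_lzma_alone_header(repacked)
        report["header_diff"] = {k: (o[k], r[k]) for k in o if o[k] != r[k]}
        om, rm = member_md5s(original), member_md5s(repacked)
        report["changed_members"] = sorted(k for k in om if rm.get(k) != om[k])
        report["added_members"] = sorted(set(rm) - set(om))
        report["removed_members"] = sorted(set(om) - set(rm))
    return report


# Constructed sample archive standing in for a decrypted sys_app.tar.lzma.
SAMPLE_FILES = {
    "etc/app.conf": b"lang=1\nweb_port=80\n",
    "bin/app": b"\x7fELF" + b"\x00" * 60,
}
ORIGINAL_LZMA = compress_like(
    build_tar(SAMPLE_FILES), {"lc": 3, "lp": 0, "pb": 2, "dict_size": 1 << 20})


def demo() -> dict:
    """Edit one config file, repack with the original's parameters, compare."""
    edited = dict(SAMPLE_FILES)
    edited["etc/app.conf"] = b"lang=2\nweb_port=8080\n"
    hdr = parse_lzma_alone_header(ORIGINAL_LZMA)
    repacked = compress_like(build_tar(edited), hdr)
    return compare_repack(ORIGINAL_LZMA, repacked)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against the real files by replacing ORIGINAL_LZMA with the decrypted original stream and the repacked bytes with the archiver's output: a `repacked_container` of "xz" or a non-empty `header_diff` is the first thing to fix, and `changed_members` should list only the files that were deliberately edited.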
I happen to have the same requirement: to decrypt a tar.lzma file, repackage it, and then replace the original tar.lzma file. Through reverse engineering, I found that the decryption of the tar.lzma file involves invoking a driver’s ioctl. How should I proceed from here? Do you have any related tutorials I could refer to? Thanks!
 
These files (also the tar.lzma files) are all encrypted in the same way and can be decrypted/encrypted using the hik unpacker if the device is supported, since each device has different encryption keys, which are stored in the Linux kernel. To reverse engineer these keys you need to get the unencrypted kernel, which can be obtained by dumping the flash memory.
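Once a decrypted kernel dump is in hand, a first pass a practitioner would run is an entropy sweep: a symmetric key embedded in code or data shows up as a short, isolated high-entropy blob, whereas compressed or random payloads (an embedded initramfs, for instance) show up as long high-entropy runs that should be skipped. The script below is an added example, not code from the thread or from the hik unpacker: it slides a window over an image, merges hits into runs, and labels short runs as key candidates. The "kernel image" is constructed (a repeated ARM nop as filler, one 32-byte blob at 0x1000, a 512-byte maximum-entropy run at 0x2000); the real location, size and format of Hikvision's keys are not known to this example, and the 4.7-bit threshold and 128-byte run limit are tuning assumptions.

```python
"""Added example (not from the thread): a first-pass entropy sweep over a
kernel dump to flag short, isolated high-entropy blobs of the size a symmetric
key would be, while separating them from long high-entropy runs (compressed or
random data). The "kernel image" below is constructed; real key material,
offsets and formats in Hikvision kernels are not known to this example."""
import math
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Bits per byte of a block (max is log2(len) for short blocks, 8 overall)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def scan_for_key_blobs(image: bytes, window: int = 32, step: int = 4,
                       threshold: float = 4.7, max_run: int = 128) -> list:
    """Slide a window across the image, merge overlapping high-entropy hits
    into runs, and label each run: a short run is a key candidate, a long run
    is bulk random/compressed data that a key scan should skip."""
    hits = []
    for off in range(0, len(image) - window + 1, step):
        h = shannon_entropy(image[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    runs = []
    for off, h in hits:
        if runs and off <= runs[-1]["end"]:
            runs[-1]["end"] = max(runs[-1]["end"], off + window)
            if h > runs[-1]["best_entropy"]:      # keep the sharpest window
                runs[-1]["best_offset"], runs[-1]["best_entropy"] = off, h
        else:
            runs.append({"start": off, "end": off + window,
                         "best_offset": off, "best_entropy": h})
    for r in runs:
        r["kind"] = "candidate" if r["end"] - r["start"] <= max_run else "bulk"
    return runs


# Constructed stand-in for a decrypted ARM kernel dump: low-entropy filler
# (a repeated ARM nop, 00 00 a0 e1), one 32-byte "key" at 0x1000 and a
# 512-byte max-entropy run at 0x2000 standing in for an embedded compressed blob.
CONSTRUCTED_KEY = bytes.fromhex(
    "9f3a7c0e5b1d84f26a9e07c3d1b5e8402f6c1a9d7e3b05c8f4a26d19e7b3c054")
FILLER = b"\x00\x00\xa0\xe1"
KEY_OFFSET, BLOB_OFFSET, IMAGE_SIZE = 0x1000, 0x2000, 0x4000


def build_sample_image() -> bytes:
    """Assemble the constructed image described above."""
    img = bytearray(FILLER * (IMAGE_SIZE // len(FILLER)))
    img[KEY_OFFSET:KEY_OFFSET + len(CONSTRUCTED_KEY)] = CONSTRUCTED_KEY
    blob = bytes(range(256)) * 2
    img[BLOB_OFFSET:BLOB_OFFSET + len(blob)] = blob
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()


def key_candidates(image: bytes) -> list:
    """Offsets of short isolated high-entropy blobs (best window per run)."""
    return [r["best_offset"] for r in scan_for_key_blobs(image)
            if r["kind"] == "candidate"]


if __name__ == "__main__":
    for r in scan_for_key_blobs(SAMPLE_IMAGE):
        print(f"{r['kind']:9s} run {r['start']:#07x}-{r['end']:#07x} "
              f"best window {r['best_offset']:#07x} H={r['best_entropy']:.2f}")
    print("candidates:", [hex(o) for o in key_candidates(SAMPLE_IMAGE)])
```

On a real multi-megabyte dump, keep `step` at 4 (or the target's word size) so the scan stays fast, and treat the output as a shortlist: each candidate still has to be confirmed by finding the code that references it and feeding it to the cipher that the unpacker implements.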
Yes, but the checks are done by the firmware files themselves. You just need to patch a lot to ignore all the signature checks. I did this already for a G1 model.
Agree, but there is no reason to do it - if you try to update the camera using a modified digicap.dav (even with a changed bLangaugeId), it will fail, because the original web server verifies the checksums. If you can modify the camera's web server or bootloader, you don't need to change files in digicap.dav.
 
The patch I made a long time ago also disables the checks for upgrading, so once you have this jailbroken FW installed you can upgrade it without any checks.

linux:/GruppenLW/conv/jana # ssh admin@172.29.0.51
admin@172.29.0.51's password:


BusyBox v1.19.3 (2021-06-23 10:24:22 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# uname -a
Linux Ambarella 3.10.104 #1 PREEMPT Wed Jun 23 10:26:49 CST 2021 armv7l GNU/Linux

# ps
PID USER VSZ STAT COMMAND
1 admin 2316 S init
2 admin 0 SW [kthreadd]
3 admin 0 SW [ksoftirqd/0]
5 admin 0 SW< [kworker/0:0H]
7 admin 0 SW< [khelper]
8 admin 0 SW [kdevtmpfs]
9 admin 0 SW< [writeback]
10 admin 0 SW< [bioset]
11 admin 0 SW< [crypto]
12 admin 0 SW< [kblockd]
13 admin 0 SW [khubd]
29 admin 0 SW [irq/98-e0002000]
30 admin 0 SW [irq/99-e001f000]
31 admin 0 SW< [rpciod]
33 admin 0 SW [kswapd0]
34 admin 0 SWN [ksmd]
35 admin 0 SW [fsnotify_mark]
36 admin 0 SW< [nfsiod]
37 admin 0 SW< [cifsiod]
52 admin 0 SW [spi0]
56 admin 0 SW [spi1]
63 admin 0 SW< [deferwq]
74 admin 1432 S < /usr/bin/udevd -d
277 admin 1860 S /usr/sbin/dropbear -R -I 1800
327 admin 0 SW [ubi_bgt1d]
334 admin 0 SW [ubifs_bgt1_0]
338 admin 0 SW [ubi_bgt3d]
345 admin 0 SW [ubifs_bgt3_0]
350 admin 0 SW [ubi_bgt4d]
357 admin 0 SW [ubifs_bgt4_0]
397 admin 0 DW [mark_mergeable]
416 admin 0 SW [iav_guard]
430 admin 0 SW [hdmid]
626 admin 0 SW [ubi_bgt5d]
631 admin 0 SW [ubifs_bgt5_0]
637 admin 4332 S /bin/execSystemCmd
639 admin 5548 S /home/process/daemon_fsp_app
642 admin 21576 S /home/process/database_process
643 admin 18740 S /home/process/net_process
662 admin 243m S < /home/process/davinci
680 admin 0 DW [motor]
706 admin 514m S {Dsp_Main} ./hikdsp
707 admin 0 SW [vin_update_sht_]
889 admin 2320 S /bin/sh
890 admin 2316 S init
5739 admin 0 SW [kworker/0:2]
12046 admin 0 SW [cifsd]
14528 admin 1960 R /usr/sbin/dropbear -R -I 1800
14530 admin 2320 S -sh
14542 admin 2320 R ps
21747 admin 0 SW [kworker/u2:2]
25051 admin 0 SW [kworker/0:1]
27095 admin 0 SW [kworker/u2:1]
#
 