[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

eadrain

n3wb
Joined
Nov 3, 2017
Messages
5
Reaction score
0
Good idea, but fundamentally I can recrypt and upgrade to a start.sh encrypted by hiktools and it'll accept it?

I was expecting it to require encryption with a private key that we dont have, otherwise the kernel will detect its non-authentic.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
The only code signing used as anti-tamper tripwires are md5 digests of the files held within the 'manifest' file new_10.bin and the cramfs.img in new_20.bin
No private keys, just normal encryption keys.
 

eadrain

n3wb
Joined
Nov 3, 2017
Messages
5
Reaction score
0
Thanks. So made a minor change to my start.sh (echo "Hello" and /bin/busybox (to list commands)) and repackaged it all. It installed ok, but then is stuck in a bootloop. The error it is giving (over serial) is /home/app/cfg/devCfg.bin failed to open. It retries after 2 seconds then reboots. I can fix it by reinstalling the original upgrade file.

Am I missing a step/file in my upgrade repacking? After flashing the upgrade, it always logs "Erasing devCfg..... done". So why is this not being restored when my modded image reboots?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
The error it is giving (over serial) is /home/app/cfg/devCfg.bin failed to open.
That's odd. It's not something I've seen.
As you say, it should be re-created with default values.
I'm just heading off out - I'll try to look for clues later.
Am I missing a step/file in my upgrade repacking?
Is there an updated 'new_20.bin' on the end of digicap.dav ?
 

eadrain

n3wb
Joined
Nov 3, 2017
Messages
5
Reaction score
0
Yes, and if you decrypt the new_20.bin it contains the corrected md5sum of my repacked cramfs.img. The 69 byte firmware ID is also on the end of the digicap.dav.
Basically seems to match the format of the original.

My steps were:
Modify start.sh (I see in the serial output my mods are working)
Reencrypt start.sh
Modify new_10.bin with the new md5 of the encrypted start.sh
Reencrypt new_10.bin
Recramfs
Modify new_20.bin with the new md5sum of cramfs.img
Reencrypt new_20.bin
hikpack back into a digicap.dav

I see hikpack has options to do with configuration files; have I missed something there.

Thank you for your help :)
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
I see hikpack has options to do with configuration files; have I missed something there.
No, that's for decrypting an exported configuration file.
What you've described sounds OK.

Just a dumb thought (I'm away just now, so can't do a search for the origin of the error you quoted) - did you ensure your new start.sh was executable before you encrypted and re-packed ? chmod +x start.sh
Though I don't see a connection with the error, but it would cause a problem.

*edit* And you say the mods are working, so scratch that thought.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
So made a minor change to my start.sh (echo "Hello" and /bin/busybox (to list commands)) and repackaged it all. It installed ok, but then is stuck in a bootloop. The error it is giving (over serial) is /home/app/cfg/devCfg.bin failed to open. It retries after 2 seconds then reboots. I can fix it by reinstalling the original upgrade file.
I'm wondering if this is busybox related - as you mentioned changing busybox in some way.

The device configuration is stored in part of mtdblock1, the relevant section of which is extracted by dd (part of busybox), like so :
dd if=/dev/mtdblock1 of=/home/app/cfg.tgz count=1 bs=64k skip=1
This is then uncompressed to give the 4MB configuration file.
Maybe a problem in that area.
 

habeschi

n3wb
Joined
Oct 27, 2017
Messages
21
Reaction score
0
Hi Guys

i want to change the logo shown in the DVR. i extracted the digicap.dav and cramfs.
Now i have a lot of .tar.lzma files.
can some one explain how i can use the hikpack tool? Because i am totally new in linux.

Thanks.
 

habeschi

n3wb
Joined
Oct 27, 2017
Messages
21
Reaction score
0
Can i modify a DVR firmware? or is it just for IPC and NVR?
because i don't know the firmware type. I tried k41
and got this:

test@test-VirtualBox:~$ ./hikpack -t k41 -i 1.dav -o contents
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
There might be hope.....
The free and very good Oracle VM VirtualBox Manager works well under both Windows and Linux.
I've used it for ages and found it solid and reliable.
You get a lot of flexibility to run whatever environments you need, if you have a well enough configured PC.
I run Linux as the primary environment, but start up a Windows VM for those things where you have no choice such as SADP etc.
If it comes out of cache, Windows is up in a matter of seconds.
 

Gul-Dukat

Young grasshopper
Joined
Sep 25, 2017
Messages
41
Reaction score
11
Location
Australia
Yeah... the crazy thing about the content of my post... is that its not a Virtual Machine.
Windows10 now supports a genuine linux kernel interface to the NT kernel. Watch the video... the developers do a good job explaining it.
 
Joined
Jan 19, 2018
Messages
1
Reaction score
0
Hi guys!
Some noob question:

I have DS-2CD2432F-IW and wanna decrypt the configuration file.

hikpack -t r0 -g configurationFile -o zzzzz
Command not supported

What I'm doing wrong?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
12,079
Reaction score
3,955
Location
Scotland
What I'm doing wrong?
Nothing. You're using a combination that's not implemented.
It's fair to say that the 'decrypt configuration file' facility in @montecrypto 's hikpack is a work in progress.
When you consider the variety of encoding/encryption schemes used across the various model series and firmware versions, plus the way that the file is keyed to the individual camera, it's a lot of work, and probably more tedious than interesting.
 

GodKnows

n3wb
Joined
Feb 27, 2018
Messages
7
Reaction score
0
Can you tell us a little more about it?
Where is it from? What makes you think its encrypted? etc.
OK, I've got it from my cam. It's DS-2CD2022WD-I. How can I decrypt it. I can't find what type of firmware it is. Could you help me?
 
Last edited:
Top