[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Discussion in 'Hikvision' started by montecrypto, Dec 23, 2016.

Share This Page

  1. eadrain

    eadrain n3wb

    Joined:
    Nov 3, 2017
    Messages:
    5
    Likes Received:
    0
    Good idea, but fundamentally I can recrypt and upgrade to a start.sh encrypted by hiktools and it'll accept it?

    I was expecting it to require encryption with a private key that we dont have, otherwise the kernel will detect its non-authentic.
     
  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    The only code signing used as anti-tamper tripwires are md5 digests of the files held within the 'manifest' file new_10.bin and the cramfs.img in new_20.bin
    No private keys, just normal encryption keys.
     
  3. eadrain

    eadrain n3wb

    Joined:
    Nov 3, 2017
    Messages:
    5
    Likes Received:
    0
    Thanks. So made a minor change to my start.sh (echo "Hello" and /bin/busybox (to list commands)) and repackaged it all. It installed ok, but then is stuck in a bootloop. The error it is giving (over serial) is /home/app/cfg/devCfg.bin failed to open. It retries after 2 seconds then reboots. I can fix it by reinstalling the original upgrade file.

    Am I missing a step/file in my upgrade repacking? After flashing the upgrade, it always logs "Erasing devCfg..... done". So why is this not being restored when my modded image reboots?
     
  4. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    That's odd. It's not something I've seen.
    As you say, it should be re-created with default values.
    I'm just heading off out - I'll try to look for clues later.
    Is there an updated 'new_20.bin' on the end of digicap.dav ?
     
  5. eadrain

    eadrain n3wb

    Joined:
    Nov 3, 2017
    Messages:
    5
    Likes Received:
    0
    Yes, and if you decrypt the new_20.bin it contains the corrected md5sum of my repacked cramfs.img. The 69 byte firmware ID is also on the end of the digicap.dav.
    Basically seems to match the format of the original.

    My steps were:
    Modify start.sh (I see in the serial output my mods are working)
    Reencrypt start.sh
    Modify new_10.bin with the new md5 of the encrypted start.sh
    Reencrypt new_10.bin
    Recramfs
    Modify new_20.bin with the new md5sum of cramfs.img
    Reencrypt new_20.bin
    hikpack back into a digicap.dav

    I see hikpack has options to do with configuration files; have I missed something there.

    Thank you for your help :)
     
  6. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    No, that's for decrypting an exported configuration file.
    What you've described sounds OK.

    Just a dumb thought (I'm away just now, so can't do a search for the origin of the error you quoted) - did you ensure your new start.sh was executable before you encrypted and re-packed ? chmod +x start.sh
    Though I don't see a connection with the error, but it would cause a problem.

    *edit* And you say the mods are working, so scratch that thought.
     
  7. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    I'm wondering if this is busybox related - as you mentioned changing busybox in some way.

    The device configuration is stored in part of mtdblock1, the relevant section of which is extracted by dd (part of busybox), like so :
    dd if=/dev/mtdblock1 of=/home/app/cfg.tgz count=1 bs=64k skip=1
    This is then uncompressed to give the 4MB configuration file.
    Maybe a problem in that area.
     
  8. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Hi Guys

    i want to change the logo shown in the DVR. i extracted the digicap.dav and cramfs.
    Now i have a lot of .tar.lzma files.
    can some one explain how i can use the hikpack tool? Because i am totally new in linux.

    Thanks.
     
  9. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Can i modify a DVR firmware? or is it just for IPC and NVR?
    because i don't know the firmware type. I tried k41
    and got this:

    test@test-VirtualBox:~$ ./hikpack -t k41 -i 1.dav -o contents
    Magic : 484b5753
    hdr_crc : 00001d1a (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000043
    File: cramfs.img, CRC OK
    WARN: missing new_20.bin trailer file
    Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
     
    Last edited: Dec 22, 2017
  10. moh_kasab

    moh_kasab n3wb

    Joined:
    Jan 14, 2018
    Messages:
    3
    Likes Received:
    0
    please i need help in using this tool in win7
     
  11. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    It's a Linux tool - needs a Linux environment.
     
  12. Gul-Dukat

    Gul-Dukat Young grasshopper

    Joined:
    Sep 25, 2017
    Messages:
    41
    Likes Received:
    11
    Location:
    Australia
    Last edited: Jan 18, 2018
  13. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    The free and very good Oracle VM VirtualBox Manager works well under both Windows and Linux.
    I've used it for ages and found it solid and reliable.
    You get a lot of flexibility to run whatever environments you need, if you have a well enough configured PC.
    I run Linux as the primary environment, but start up a Windows VM for those things where you have no choice such as SADP etc.
    If it comes out of cache, Windows is up in a matter of seconds.
     
  14. Gul-Dukat

    Gul-Dukat Young grasshopper

    Joined:
    Sep 25, 2017
    Messages:
    41
    Likes Received:
    11
    Location:
    Australia
    Yeah... the crazy thing about the content of my post... is that its not a Virtual Machine.
    Windows10 now supports a genuine linux kernel interface to the NT kernel. Watch the video... the developers do a good job explaining it.
     
  15. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    Yes, they do.
    Interesting ...
     
  16. ChrisKelmiBe

    ChrisKelmiBe n3wb

    Joined:
    Jan 19, 2018
    Messages:
    1
    Likes Received:
    0
    Hi guys!
    Some noob question:

    I have DS-2CD2432F-IW and wanna decrypt the configuration file.

    hikpack -t r0 -g configurationFile -o zzzzz
    Command not supported

    What I'm doing wrong?
     
  17. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,099
    Likes Received:
    3,507
    Location:
    Scotland
    Nothing. You're using a combination that's not implemented.
    It's fair to say that the 'decrypt configuration file' facility in @montecrypto 's hikpack is a work in progress.
    When you consider the variety of encoding/encryption schemes used across the various model series and firmware versions, plus the way that the file is keyed to the individual camera, it's a lot of work, and probably more tedious than interesting.
     
    ChrisKelmiBe likes this.
  18. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    Can you help me to decrypt this config file?
     

    Attached Files:

  19. Gul-Dukat

    Gul-Dukat Young grasshopper

    Joined:
    Sep 25, 2017
    Messages:
    41
    Likes Received:
    11
    Location:
    Australia
    Can you tell us a little more about it?
    Where is it from? What makes you think its encrypted? etc.
     
  20. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    OK, I've got it from my cam. It's DS-2CD2022WD-I. How can I decrypt it. I can't find what type of firmware it is. Could you help me?
     
    Last edited: Feb 28, 2018