At first glance, it looks like a configuration file, rather than a firmware file. Typically firmware files are in the Megabytes (approx 16MB) not Kilobytes (your files was ~800K.
[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware
- Thread starter montecrypto
- Start date
At first glance, it looks like a configuration file, rather than a firmware file. Typically firmware files are in the Megabytes (approx 16MB) not Kilobytes (your files was ~800K.
What makes you think it is encrypted?
Do you know what version of firmware the DS-2CD2022WD-I is or should be running, which this configuration presumably was extracted. At the very least you could look on the base on the camera and tell us what it was once running.
How did you extract this file. Was if from the management web console?
What are you looking for, (or what type of detail) within the file?
Some extra information will help get you where you want to go.
alastairstevenson
Staff member
@GodKnows Attached is a decoded/decrypted copy of your configuration file - for camera "HIKVISION DS-2CD2022WD-I - 615893469"
It does have some plaintext passwords in it.
Don't ask me how I did it - it was a bit of a cheat ...
The segfault during decryption in version 2.5 of Hikpack is a bug. It was fixed in 2.6 The current version is 2.8, but the last published was 2.5 I was planning to improve the decryption routine to take a password as an option, and then publish it, but never got to do that. Hikvision improved security in 5.5 and cameras now ask for export password instead of using a default key.
alastairstevenson
Staff member
Do you have any thoughts to update the version currently published in this thread?
It's been a pretty useful tool for many people.
alastairstevenson
Staff member
I was looking to decrypt my config file as well. Is the process as follows, decrypt aes-128-ecb then XOR-encoded?
Would love some help! Thanks : )
alastairstevenson
Staff member
Hi There,
if i just extract and pack the dav file again (without modifying) i cant use it anymore. the DVR doen't accept the File. "Missmatch" error.
It is an ANNKE DVR. Maybe the firmware isn't supported?
-
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -x annke.dav -o dav
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -p dav.dav -o dav
File: cramfs.img, CRC OK
Magic : 484b5753
hdr_crc : 00001d01 (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 0000002a
=== Tail record:
File: new_20.bin, CRC OK
=== Appending extra_tail, 29082624 bytes
-
if i just extract and pack the dav file again (without modifying) i cant use it anymore. the DVR doen't accept the File. "Missmatch" error.
It is an ANNKE DVR. Maybe the firmware isn't supported?
-
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -x annke.dav -o dav
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -p dav.dav -o dav
File: cramfs.img, CRC OK
Magic : 484b5753
hdr_crc : 00001d01 (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 0000002a
=== Tail record:
File: new_20.bin, CRC OK
=== Appending extra_tail, 29082624 bytes
-
alastairstevenson
Staff member
That seems to be one of those firmware files that is comprised of 2 similarly-sized but different component parts.
To work with that, you'd need to do some manual work in splitting up the 2 components and tweaking them separately and recombining.
Hikpack doesn't handle that type directly, but may be OK with each component separately.
After Extracting i get 3 files.
cramfs.img
dav_extra_trail
dav_header
The cramfs.img contains a "new_10.bin" file.
How can i do that?
cramfs.img
dav_extra_trail
dav_header
The cramfs.img contains a "new_10.bin" file.
How can i do that?
alastairstevenson
Staff member
Here is an example of NVR firmware that is composed of 3 parts, the digicap.dav file size is 45.3MB
DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
Using hikpack on the original digicap.dav will only operate on the first section.
When they are split, you can see that each section is valid, and different.
Code:
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ ll
total 132880
drwxr-xr-x 5 alastair alastair 4096 Sep 23 2017 ./
drwxr-xr-x 3 alastair alastair 4096 Sep 23 2017 ../
-rw-r--r-- 1 alastair alastair 45340160 Jun 27 2017 digicap.dav
-rw-r--r-- 1 alastair alastair 45339560 Sep 23 2017 DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
-rw-r--r-- 1 alastair alastair 14651904 Sep 23 2017 FWpart1
-rw-r--r-- 1 alastair alastair 14656000 Sep 23 2017 FWpart2
-rw-r--r-- 1 alastair alastair 16032256 Sep 23 2017 FWpart3
drwxr-xr-x 2 alastair alastair 4096 Oct 3 2017 part1/
drwxr-xr-x 2 alastair alastair 4096 Sep 23 2017 part2/
drwxr-xr-x 2 alastair alastair 4096 Sep 23 2017 part3/
-rw-r--r-- 1 alastair alastair 139 Sep 23 2017 split.txt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i digicap.dav
Magic : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000044
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 30688256 bytes, maybe firmware id?
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart1
Magic : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000044
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart2
Magic : 484b5753
hdr_crc : 00001d7a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000042
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart3
Magic : 484b5753
hdr_crc : 00001d5e (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ cat split.txt
head -c 14651904 digicap.dav > FWpart1
tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
tail -c 16032256 digicap.dav > FWpart3
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $alastairstevenson
Staff member
It's in the code example above.
But you will need to find the locations of the needed splits.
Just do a hex search for the other locations of the first 4 bytes of the digicap.dav file
These are the encoded 'HKWS' characters.
Is there any description about how to search the firmware for the HKWS characters. Because i have never done this before.