[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Discussion in 'Hikvision' started by montecrypto, Dec 23, 2016.

  1. Gul-Dukat

    Gul-Dukat Young grasshopper

    Joined:
    Sep 25, 2017
    Messages:
    41
    Likes Received:
    11
    Location:
    Australia
    At first glance, it looks like a configuration file, rather than a firmware file. Typically firmware files are in the megabytes (approx 16MB), not kilobytes (your file was ~800K).
     
  2. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    Yes, it's a configuration file. Can you help me to decrypt it?
     
  3. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    It fails with a segmentation fault.
     
  4. Gul-Dukat

    Gul-Dukat Young grasshopper

    Joined:
    Sep 25, 2017
    Messages:
    41
    Likes Received:
    11
    Location:
    Australia
    What makes you think it is encrypted?
    Do you know what version of firmware the DS-2CD2022WD-I is or should be running, from which this configuration presumably was extracted? At the very least you could look on the base of the camera and tell us what it was once running.
    How did you extract this file? Was it from the management web console?
    What are you looking for (or what type of detail) within the file?
    Some extra information will help get you where you want to go.
     
  5. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    Firmware version is V5.4.1. I got it with hikcgi.
     
  6. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    So, can you help me to decrypt it?
     
  7. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    @GodKnows Attached is a decoded/decrypted copy of your configuration file - for camera "HIKVISION DS-2CD2022WD-I - 615893469"
    It does have some plaintext passwords in it.

    Don't ask me how I did it - it was a bit of a cheat ...
     

  8. GodKnows

    GodKnows n3wb

    Joined:
    Feb 27, 2018
    Messages:
    7
    Likes Received:
    0
    Thanks, but can you tell me please, how did you get it?
     
  9. montecrypto

    montecrypto IPCT Contributor

    Joined:
    Apr 20, 2016
    Messages:
    104
    Likes Received:
    295
    The segfault during decryption in version 2.5 of Hikpack is a bug. It was fixed in 2.6. The current version is 2.8, but the last published was 2.5. I was planning to improve the decryption routine to take a password as an option, and then publish it, but never got to do that. Hikvision improved security in 5.5 and cameras now ask for an export password instead of using a default key.
     
  10. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    Do you have any thoughts to update the version currently published in this thread?
    It's been a pretty useful tool for many people.
     
    mmag likes this.
  11. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    Did you find what you were looking for / achieve what you wanted to?
     
  12. jlazlow

    jlazlow n3wb

    Joined:
    Nov 25, 2016
    Messages:
    2
    Likes Received:
    0
    I was looking to decrypt my config file as well. Is the process as follows: decrypt aes-128-ecb, then XOR-encoded?

    Would love some help! Thanks : )
     
  13. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    A little more detail needed - check this out :
    Reset button on DS-2CD2T42WD-I5 ??
     
  14. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Hi There,

    If I just extract and pack the dav file again (without modifying it) I can't use it anymore. The DVR doesn't accept the file. "Missmatch" error.
    It is an ANNKE DVR. Maybe the firmware isn't supported?
    -
    test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -x annke.dav -o dav
    Magic : 484b5753
    hdr_crc : 00001d1a (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000043
    File: cramfs.img, CRC OK
    WARN: missing new_20.bin trailer file
    Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
    test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -p dav.dav -o dav
    File: cramfs.img, CRC OK
    Magic : 484b5753
    hdr_crc : 00001d01 (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 0000002a
    === Tail record:
    File: new_20.bin, CRC OK
    === Appending extra_tail, 29082624 bytes
    -
     
  15. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    That seems to be one of those firmware files that is comprised of 2 similarly-sized but different component parts.
    To work with that, you'd need to do some manual work in splitting up the 2 components and tweaking them separately and recombining.
    Hikpack doesn't handle that type directly, but may be OK with each component separately.
     
    habeschi likes this.
  16. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    After extracting I get 3 files.

    cramfs.img
    dav_extra_trail
    dav_header

    The cramfs.img contains a "new_10.bin" file.

    How can I do that?
     
  17. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    Here is an example of NVR firmware that is composed of 3 parts, the digicap.dav file size is 45.3MB
    DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
    Using hikpack on the original digicap.dav will only operate on the first section.
    When they are split, you can see that each section is valid, and different.

    Code:
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ ll
    total 132880
    drwxr-xr-x 5 alastair alastair     4096 Sep 23  2017 ./
    drwxr-xr-x 3 alastair alastair     4096 Sep 23  2017 ../
    -rw-r--r-- 1 alastair alastair 45340160 Jun 27  2017 digicap.dav
    -rw-r--r-- 1 alastair alastair 45339560 Sep 23  2017 DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
    -rw-r--r-- 1 alastair alastair 14651904 Sep 23  2017 FWpart1
    -rw-r--r-- 1 alastair alastair 14656000 Sep 23  2017 FWpart2
    -rw-r--r-- 1 alastair alastair 16032256 Sep 23  2017 FWpart3
    drwxr-xr-x 2 alastair alastair     4096 Oct  3  2017 part1/
    drwxr-xr-x 2 alastair alastair     4096 Sep 23  2017 part2/
    drwxr-xr-x 2 alastair alastair     4096 Sep 23  2017 part3/
    -rw-r--r-- 1 alastair alastair      139 Sep 23  2017 split.txt
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i digicap.dav
    Magic   : 484b5753
    hdr_crc : 00001cad (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000044
    File: cramfs.img, CRC OK
    WARN: missing new_20.bin trailer file
    Extra tail at the end of dav, 30688256 bytes, maybe firmware id?
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart1
    Magic   : 484b5753
    hdr_crc : 00001cad (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000044
    File: cramfs.img, CRC OK
    Can't read new_20.bin tail
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart2
    Magic   : 484b5753
    hdr_crc : 00001d7a (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000042
    File: cramfs.img, CRC OK
    Can't read new_20.bin tail
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart3
    Magic   : 484b5753
    hdr_crc : 00001d5e (OK)
    lang_id : 00000001
    date_hex: 20150315
    devclass: 00000043
    File: cramfs.img, CRC OK
    Can't read new_20.bin tail
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ cat split.txt
    
    head -c 14651904 digicap.dav > FWpart1
    tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
    tail -c 16032256 digicap.dav > FWpart3
    
    
    alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $
    
     
    habeschi likes this.
  18. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    I think I need that split.txt file?
    Where can I get it?
     
  19. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,112
    Likes Received:
    3,516
    Location:
    Scotland
    It's in the code example above.
    But you will need to find the locations of the needed splits.
    Just do a hex search for the other locations of the first 4 bytes of the digicap.dav file.
    These are the encoded 'HKWS' characters.
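
    The hex search and split described in the two posts above, as an added example (not part of hikpack and not posted by anyone in this thread). The function names are hypothetical; the FWpartN output names follow the split.txt listing. It reads the marker from the file itself rather than assuming its value.

```python
import sys
from pathlib import Path

MARKER_LEN = 4  # per the post: search for the file's own first 4 bytes


def find_marker_offsets(data: bytes) -> list[int]:
    """Return every offset where the first 4 bytes of the file recur (0 included)."""
    marker = data[:MARKER_LEN]
    offsets = []
    pos = data.find(marker) if len(marker) == MARKER_LEN else -1
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + 1)
    return offsets


def plan_split(size: int, offsets: list[int]) -> list[tuple[int, int]]:
    """Turn section start offsets into (start, length) pairs covering the file."""
    starts = sorted(set(offsets))
    if not starts or starts[0] != 0 or starts[-1] >= size:
        raise ValueError("offsets must start at 0 and lie inside the file")
    return [(s, e - s) for s, e in zip(starts, starts[1:] + [size])]


def split_file(path: Path, offsets: list[int]) -> list[Path]:
    """Write FWpart1..N next to the input, like the head/tail lines in split.txt."""
    data = path.read_bytes()
    parts = []
    for n, (start, length) in enumerate(plan_split(len(data), offsets), 1):
        part = path.with_name(f"FWpart{n}")
        part.write_bytes(data[start:start + length])
        parts.append(part)
    return parts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: split_dav.py digicap.dav [0 OFFSET2 OFFSET3 ...]")
    src = Path(sys.argv[1])
    chosen = [int(a, 0) for a in sys.argv[2:]]
    if chosen:  # split at the offsets you have confirmed
        for p in split_file(src, chosen):
            print(p, p.stat().st_size)
    else:
        # A 4-byte pattern can also occur by chance inside the image data, so
        # these are only candidates; check each part afterwards with hikpack -i.
        for off in find_marker_offsets(src.read_bytes()):
            print(f"{off} (0x{off:x})")
```

    Run it with only the file name to list candidate offsets, then again with the offsets that begin real sections to write the parts.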
     
  20. habeschi

    habeschi n3wb

    Joined:
    Oct 27, 2017
    Messages:
    21
    Likes Received:
    0
    Is there any description about how to search the firmware for the HKWS characters? Because I have never done this before.