[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

Gul-Dukat

Young grasshopper
Joined
Sep 25, 2017
Messages
41
Reaction score
11
Location
Australia
OK, I've got it from my cam. It's DS-2CD2022WD-I. How can I decrypt it. I can't find what type of firmware it is. Could you help me?
At first glance, it looks like a configuration file, rather than a firmware file. Typically firmware files are in the Megabytes (approx 16MB) not Kilobytes (your files was ~800K.
 

GodKnows

n3wb
Joined
Feb 27, 2018
Messages
7
Reaction score
0
At first glance, it looks like a configuration file, rather than a firmware file. Typically firmware files are in the Megabytes (approx 16MB) not Kilobytes (your files was ~800K.
Yes, it's configuration file. Can you help me to decrypt it?
 

Gul-Dukat

Young grasshopper
Joined
Sep 25, 2017
Messages
41
Reaction score
11
Location
Australia
Can you help me to decrypt it?
What makes you think it is encrypted?
Do you know what version of firmware the DS-2CD2022WD-I is or should be running, which this configuration presumably was extracted. At the very least you could look on the base on the camera and tell us what it was once running.
How did you extract this file. Was if from the management web console?
What are you looking for, (or what type of detail) within the file?
Some extra information will help get you where you want to go.
 

GodKnows

n3wb
Joined
Feb 27, 2018
Messages
7
Reaction score
0
What makes you think it is encrypted?
Do you know what version of firmware the DS-2CD2022WD-I is or should be running, which this configuration presumably was extracted. At the very least you could look on the base on the camera and tell us what it was once running.
How did you extract this file. Was if from the management web console?
What are you looking for, (or what type of detail) within the file?
Some extra information will help get you where you want to go.
firmware version is V5.4.1. I've got it with hikcgi.
 

GodKnows

n3wb
Joined
Feb 27, 2018
Messages
7
Reaction score
0
@GodKnows Attached is a decoded/decrypted copy of your configuration file - for camera "HIKVISION DS-2CD2022WD-I - 615893469"
It does have some plaintext passwords in it.

Don't ask me how I did it - it was a bit of a cheat ...
thanks, but can you tell me please, how have you got it?
 

montecrypto

IPCT Contributor
Joined
Apr 20, 2016
Messages
104
Reaction score
295
The segfault during decryption in version 2.5 of Hikpack is a bug. It was fixed in 2.6 The current version is 2.8, but the last published was 2.5 I was planning to improve the decryption routine to take a password as an option, and then publish it, but never got to do that. Hikvision improved security in 5.5 and cameras now ask for export password instead of using a default key.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,758
Reaction score
3,790
Location
Scotland
I was planning to improve the decryption routine to take a password as an option, and then publish it, but never got to do that.
Do you have any thoughts to update the version currently published in this thread?
It's been a pretty useful tool for many people.
 

habeschi

n3wb
Joined
Oct 27, 2017
Messages
21
Reaction score
0
Hi There,

if i just extract and pack the dav file again (without modifying) i cant use it anymore. the DVR doen't accept the File. "Missmatch" error.
It is an ANNKE DVR. Maybe the firmware isn't supported?
-
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -x annke.dav -o dav
Magic : 484b5753
hdr_crc : 00001d1a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
test@ubuntu:~/Desktop/1$ ./hikpack -t k41 -p dav.dav -o dav
File: cramfs.img, CRC OK
Magic : 484b5753
hdr_crc : 00001d01 (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 0000002a
=== Tail record:
File: new_20.bin, CRC OK
=== Appending extra_tail, 29082624 bytes
-
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,758
Reaction score
3,790
Location
Scotland
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 29082624 bytes, maybe firmware id?
That seems to be one of those firmware files that is comprised of 2 similarly-sized but different component parts.
To work with that, you'd need to do some manual work in splitting up the 2 components and tweaking them separately and recombining.
Hikpack doesn't handle that type directly, but may be OK with each component separately.
 

habeschi

n3wb
Joined
Oct 27, 2017
Messages
21
Reaction score
0
After Extracting i get 3 files.

cramfs.img
dav_extra_trail
dav_header

The cramfs.img contains a "new_10.bin" file.

That seems to be one of those firmware files that is comprised of 2 similarly-sized but different component parts.
To work with that, you'd need to do some manual work in splitting up the 2 components and tweaking them separately and recombining.
How can i do that?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,758
Reaction score
3,790
Location
Scotland
How can i do that?
Here is an example of NVR firmware that is composed of 3 parts, the digicap.dav file size is 45.3MB
DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
Using hikpack on the original digicap.dav will only operate on the first section.
When they are split, you can see that each section is valid, and different.

Code:
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ ll
total 132880
drwxr-xr-x 5 alastair alastair     4096 Sep 23  2017 ./
drwxr-xr-x 3 alastair alastair     4096 Sep 23  2017 ../
-rw-r--r-- 1 alastair alastair 45340160 Jun 27  2017 digicap.dav
-rw-r--r-- 1 alastair alastair 45339560 Sep 23  2017 DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626.zip
-rw-r--r-- 1 alastair alastair 14651904 Sep 23  2017 FWpart1
-rw-r--r-- 1 alastair alastair 14656000 Sep 23  2017 FWpart2
-rw-r--r-- 1 alastair alastair 16032256 Sep 23  2017 FWpart3
drwxr-xr-x 2 alastair alastair     4096 Oct  3  2017 part1/
drwxr-xr-x 2 alastair alastair     4096 Sep 23  2017 part2/
drwxr-xr-x 2 alastair alastair     4096 Sep 23  2017 part3/
-rw-r--r-- 1 alastair alastair      139 Sep 23  2017 split.txt
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i digicap.dav
Magic   : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000044
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 30688256 bytes, maybe firmware id?
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart1
Magic   : 484b5753
hdr_crc : 00001cad (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000044
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart2
Magic   : 484b5753
hdr_crc : 00001d7a (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000042
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ hikpack_2.5 -t k41 -i FWpart3
Magic   : 484b5753
hdr_crc : 00001d5e (OK)
lang_id : 00000001
date_hex: 20150315
devclass: 00000043
File: cramfs.img, CRC OK
Can't read new_20.bin tail
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $
alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $ cat split.txt

head -c 14651904 digicap.dav > FWpart1
tail -c 30688256 digicap.dav | head -c 14656000 > FWpart2
tail -c 16032256 digicap.dav > FWpart3


alastair@PC-I5 ~/cctv/NVRFirmware/3.4.84/DVR_K56_K55_K57_OVERSEAS_ML_STD_V3.4.84_Build170626 $
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,758
Reaction score
3,790
Location
Scotland
where can i get it?
It's in the code example above.
But you will need to find the locations of the needed splits.
Just do a hex search for the other locations of the first 4 bytes of the digicap.dav file
These are the encoded 'HKWS' characters.
 

habeschi

n3wb
Joined
Oct 27, 2017
Messages
21
Reaction score
0
Is there any description about how to search the firmware for the HKWS characters. Because i have never done this before.
 
Top