[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

montecrypto

IPCT Contributor
Joined
Apr 20, 2016
Messages
104
Reaction score
304
The attached app unpacks and repacks Hikvision firmware for K41/K51 NVRs and R0/R1/R6/G0 cameras. I plan to add support for more hardware, but in many cases I need to buy cameras to extract keys from them. Your donations can help, contribute here if you feel like it:

The binary runs on x64 Linux. Enjoy.

Code:
hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
*** No expressed or implied warranties of any kind. Use at your own risk ***
Usage:
   hikpack -t <fwtype> -i <src_dav_file>                     print dav file information
   hikpack -t <fwtype> -x <src_dav_file> -o <dst_dir>        extract dav file into directory
   hikpack [opts] -t <fwtype> -p <dst_dav_file> -o <src_dir> pack dav file from source directory
   hikpack -t <fwtype> -d <src_crypted_file> -o <dst_file>   decrypt file
   hikpack -t <fwtype> -g <src_crypted_cfg> -o <dst_file>    decrypt configuration backup file
   hikpack -t <fwtype> -G <src_file> -o <crypted_cfg_file>   encrypt configuration backup file (CRC adjusted if needed)
   hikpack -t <fwtype> -e <src_file> -o <dst_crypted_file>   encrypt file
     -t option sets firmware platform type. Currently supported: cameras: r0,r1,r6,g0 nvr: k41,k51
     ----- The following options are used by the pack (-p) command:
     -L <1,2>      set language id (1=EN, 2=CN)
     -D <YYYYMMDD> set firmware date.
     -V <ver>      set firmware version. Use hex number, e.g.: 0x05040003 for v5.4.3
For whatever reason attachments no longer work, the file is here:

hikpack_2.5.zip — RGhost — файлообменник
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Well, that's quite a Christmas present!
Many thanks.
I'll have a close look, see if it may save me looking at how the NVR firmware handles CN cameras, haven't figured that out yet.
Does paypal accept bottles of wine as currency these days?
Packed by montecrypto.
Hikvision, stop wasting R&D on pointless obfuscation!
Lol!
 

ressue

n3wb
Joined
Jul 3, 2015
Messages
13
Reaction score
4
So is it possible to do this with it? Get the newest global firmware, unpackit and change lang to cn and update to a cn camera and have english languange without the language mismatch error?
 

montecrypto

IPCT Contributor
Joined
Apr 20, 2016
Messages
104
Reaction score
304
So is it possible to do this with it? Get the newest global firmware, unpackit and change lang to cn and update to a cn camera and have english languange without the language mismatch error?
Yes, but you would also need to patch the kernel and davinci. It is actually easier than that. CN firmware already has EN locale in it,it just need to be enabled/set as default. For the web UI you can actually do that by changing/forcing cookie value in your browser.
 

Defender666

Getting the hang of it
Joined
Dec 19, 2015
Messages
193
Reaction score
25
but changing cookie will not help with the language mismatch
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Well, it seems to unpack.
Code:
alastair@PC-I5 ~/montecrypto $ ./hikpack_2.1 -t g0 -x digicap_IPC_G0_CN_STD_5.4.20_160726.dav -o contents
Magic   : 484b3230
hdr_crc : 0000253e (OK)
frm_flg : 1220060021111110021
Magic   : 484b3330
hdr_crc : b41263d4 (OK)
version : 05040014
lang_id : 00000002
date    : 160726
frm_flg : 1220060021111110021
File: _cfgUpgClass, CRC OK, SHA512 OK
File: uImage, CRC OK, SHA512 OK
File: initrun.sh, CRC OK, SHA512 OK
File: r7_app.tar.gz, CRC OK, SHA512 OK
File: g0_app.tar.gz, CRC OK, SHA512 OK
File: IEfile.tar.gz, CRC OK, SHA512 OK
File: help.tar.gz, CRC OK, SHA512 OK
File: g0_modules.tgz, CRC OK, SHA512 OK
File: mpp_modules.tgz, CRC OK, SHA512 OK
alastair@PC-I5 ~/montecrypto $
And as they often have done, Hikvision leave some debug remnants that give some ideas of how to lift the covers a bit. And how not to spell.
Code:
#check_rs232  

#if [ -f "/home/usage232" ]; then
#    echo "davinic1 start"
#    /home/process/davinci&
#else
#    echo "davinic1 start"
#    /home/process/davinci&
#fi
 

brk

n3wb
Joined
Jul 9, 2016
Messages
6
Reaction score
6
Has anyone gotten repacked/converted firmware to successfully load on a camera? If so, please post details of the camera and firmware version, I am trying to test this for an IPVM report.
Thanks!
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
548
Location
London
IPVM is ok. but it's over priced and misses out a lot of true information, so much so that IPCAMTALK is a much better place, so much so that it's free for all, and the people here know what we're talking about all the best help and work arounds all come from here and free.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
Instead of trying to get many cameras you could tell how to extract such key so people can do it on their own camera and send you the key ? this way you will add much more keys.
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
We'd all need a desoldering station...
I do have one ;-) but if it require hardware physical access/modification then yes it's not that easy, I thought it was something like grabbing some file inside camera in serial debug mode for example.

But what component desoldering would it be ? the rom to access some hidden block ?
 
Top