R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

fireball

n3wb
Joined
Nov 26, 2018
Messages
4
Reaction score
0
Location
australia
well i can't actually get into the webgui of some of my cameras, as the username password doesn't work :(
haven't tested using the web gui with a camera that i can access the menus with yet. most of my cameras are ds-2cd2032-i
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
well i can't actually get into the webgui of some of my cameras, as the username password doesn't work
That's not a problem - for the firmware older than 5.4.5
The configuration can be extracted using by exploiting the Hikvision backdoor.
If you do get to the login prompt, try this in the browser, replacing the IP address with that of the camera:

http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Save the configurationFile, zip it/them up and attach here and I'll decrypt and decode and extract the passwords for you!
 

fireball

n3wb
Joined
Nov 26, 2018
Messages
4
Reaction score
0
Location
australia
i figured out how to use the password reset and managed to bring them back to life ! but i'm not sure of the steps of updating the firmware if i were to use the webgui instead of the tftp server method since i don't have another 12v source (so i'm stuck using the poe switch) and to get to some of the cameras physically involves a very long ladder which i dont have.

are you able to outlay the steps if i were to flash brickfixv2en firmware via the gui ??
cheers

addit:
-i logged into the hikvision webgui of 1 of my 2cd2132 cameras and uploaded the brickv2en firmware via internet explorer
-after waiting 10mins i checked sadp and see that the camera now appears as

DS-2CD-Min-system 192.0.0.64 8000 v4.0.8build 130906 and the serial has changed to a ccrr number
-i power cycled the camera and attempted to run putty and telnet to 192.0.0.64 8000 but i get the message network error. software caused connection abort !
-addit addit: realised i need to telnet 192.0.0.64 port 23 with putty !
-i've gotten to the step of the hex editor and have no idea how to proceed (sorry i'm a noob)

-i'm watching the video and in the video you highlight the dev code 0898 for that camera 2cd2332 but in the hex editor you put in 01 then 08 ???? why is that ?
addit again
-re read the enhanced_mtp_hack document and figured it out !

yay now have dead to working 2cd2132 ! thank you op and everyone that contributed.
hopefully my above stumbling blocks helps someone else.

now another 8 cameras to do uurrrggghh
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
-i've gotten to the step of the hex editor and have no idea how to proceed (sorry i'm a noob)
Read the step-by-step guide in the attachments of the first post.

yay now have dead to working 2cd2132 ! thank you op and everyone that contributed.
Hey, well done!
I was reading your post and thought you'd got a bit stuck.
But you didn't, and you got there!
Have a virtual pat on the back!
 

y3Ti

n3wb
Joined
Dec 8, 2018
Messages
1
Reaction score
0
Location
West Yorks
Bricked my Chinglish DS-2CD2032-I yesterday trying to load the official firmware from Hikvision.
Thanks to this very useful forum I unbricked it this morning following the instructions in this thread.
Hats off to alastairstevenson!
 

oberlon

n3wb
Joined
Dec 11, 2018
Messages
3
Reaction score
1
Location
Germany
Thx.
Updated my DS-2CD2432F-IW from CN Firmware 5.3.x to 5.4.5.
With this new firmware, is there any modified script running at startup?
And is it possible to get a bash? I enabled ssh via Device Network SDK but only have the psh.

Thanks a lot.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Updated my DS-2CD2432F-IW from CN Firmware 5.3.x to 5.4.5.
Good result, well done.
And is it possible to get a bash? I enabled ssh via Device Network SDK but only have the psh.
Certainly possible, but you would need to have a hacked version of firmware for that.

With this new firmware, is there any modified script running at startup?
The initrun.sh main script does vary a little between versions - but I'm not sure about your question.
 

oberlon

n3wb
Joined
Dec 11, 2018
Messages
3
Reaction score
1
Location
Germany
Okay, no bash. :winktongue:
The initrun.sh main script does vary a little between versions - but I'm not sure about your question.
Im not sure about all the mtd partitions. Perhaps your hack needs some modification on startup and your script is handling some magic on boot. Or is after all a stock firmware from hikvision on the device? I dont believe that hikvision will release any further firmware for 2432 but if so, can I use the WEB-GUI to upgrade incl. an europe firmware?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Or is after all a stock firmware from hikvision on the device?
The end result is a stock firmware on the device.
What has changed is a small part of the 'hardware descriptor block', the camera-specific information that is written during manufacturing that provides detail such as MAC address, serial number, model string, region code OEM code, language, hardware options etc etc for that individual camera.

I dont believe that hikvision will release any further firmware for 2432 but if so, can I use the WEB-GUI to upgrade incl. an europe firmware?
I agree that it looks like no more firmware for the R0 series of IP cameras.
But if there were any updates, they should work OK, unless Hikvision specifically put code in the firmware to identify that the 'enhanced MTD hack' has been done, and 'brick' the camera.
 

oberlon

n3wb
Joined
Dec 11, 2018
Messages
3
Reaction score
1
Location
Germany
The end result is a stock firmware on the device.
What has changed is a small part of the 'hardware descriptor block', the camera-specific information that is written during manufacturing that provides detail such as MAC address, serial number, model string, region code OEM code, language, hardware options etc etc for that individual camera.

I agree that it looks like no more firmware for the R0 series of IP cameras.
But if there were any updates, they should work OK, unless Hikvision specifically put code in the firmware to identify that the 'enhanced MTD hack' has been done, and 'brick' the camera.
Thx for your answer. Im happy to use a stock firmware. Thx for your time you spend in the community. BTW for a "little security" I configured the camera with a fixed IP without a default gateway. Keep on!
 

worlando

Young grasshopper
Joined
Oct 23, 2014
Messages
93
Reaction score
12
That's not a problem - for the firmware older than 5.4.5
The configuration can be extracted using by exploiting the Hikvision backdoor.
If you do get to the login prompt, try this in the browser, replacing the IP address with that of the camera:

http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Save the configurationFile, zip it/them up and attach here and I'll decrypt and decode and extract the passwords for you!
I picked a used DS-2CD2332-I up today. Can you get the PWD from it?

This cam has no reset button and none on the pigtail either.

OK. I got the Config file from it. Not sure what Vs firmware is. Maybe I missed in SADP. Attached the config... Had to change the extension to CSV.
 
Last edited:
Top