R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Discussion in 'Hikvision' started by alastairstevenson, Dec 2, 2017.

Share This Page

  1. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    OK - so the admin password for the Garage camera=housefish34!!
    Including the trailing !!
     
    worlando likes this.
  2. worlando

    worlando Young grasshopper

    Joined:
    Oct 23, 2014
    Messages:
    75
    Likes Received:
    5
    Me Saying Thank you so Much! Got it going! Merry Christmas and Happy New Year!

    THANKS.PNG
     
    alastairstevenson and iTuneDVR like this.
  3. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    And a Merry Christmas and a Guid New Year to you!
     
  4. pank

    pank n3wb

    Joined:
    Dec 27, 2018
    Messages:
    1
    Likes Received:
    0
    Location:
    United Kingdom
    Works like a charm on DS-2CD2132F-IS. DEV Code is 1E98.
    Thanks!
     
  5. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    Excellent!
    Well done, and thanks for sharing yet another good result.
     
  6. koceto7878

    koceto7878 n3wb

    Joined:
    Dec 28, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Bulgaria
    Hello,
    can you help me find the password for my DS-2CD1201D-I3. There is static ip address 192.168.100.22
    apply a file
     

    Attached Files:

    • 123.txt
      File size:
      493 bytes
      Views:
      4
  7. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    Sorry, not possible for that version of firmware :
    V5.4.5build 170311
    because that version has had the 'Hikvision backdoor' vulnerability fixed, so it's not possible to extract the configuration file with no credentials.

    Does that model of camera have a reset button?
     
  8. koceto7878

    koceto7878 n3wb

    Joined:
    Dec 28, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Bulgaria
    No reset button. Another idea how can I hard reset .
     
  9. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    Hi
    Now i hacked my friend chinese camera DS-2CD2032F-IW with not upgradable firmware 5.3.0 with your manual.
    Now i have updated latest firmware 5.4.5 and camera works ok. But....
    Is any chance to change camera serial number from value in serial chinese to europe ? Because i use NVR europe and i want use this camera hacked to english with this NVR. And problably NVR Europe block chinese camera and i can not see video by HIK Connect cloud. Connect my NVR to cloud but i can not see video.
    Is any chance to fix it ?

    Now i have this:
    DS-2CD2032F-IW20151013CCCH547576656

    and i want change CCCH to europe number...
     
    Last edited: Dec 29, 2018
  10. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    V5.3.6 build 151221
     
  11. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    The camera will work OK with the NVR, when queried for language it will say 'English'.
     
  12. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    Ok thanks.... but is any chance to change setup region in serial number ?
    DS-2CD2032F-IW20151013CCCH547576656


    And now i have one camera DS-2CD2035-I also from china with multilanguage firmware V5.3.6 build 151221 and i also want modified it to upgrade firmware to latest version... and update in future by GUI.
    Please help me...
     
  13. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    The region code is in mtd6 location 0x55 and can be modified as follows:
    0x55 Region code. 01=CN 03=WR

    Not easily possible due to the need to install 'hacked to EN firmware' to overcome the language setting in the secure chip that holds the camera hardware signature.
     
  14. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    But you can do it ?
    Or is any chance to help me step by step maybe once update this DS-2CD2035-I ?


    And to hacked DS-2CD2032
    Now i have hacked software in english and how i can modified this region code ? Now is any chance ?
     
  15. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    But you can do it ?
    Or is any chance to help me step by step maybe once update this DS-2CD2035-I ?


    And to hacked DS-2CD2032
    Now i have hacked software in english and how i can modified this region code ? Now is any chance ?
     
  16. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
  17. pepeEL

    pepeEL Getting the hang of it

    Joined:
    May 18, 2016
    Messages:
    146
    Likes Received:
    4
    Yes ok but it is G0 but DS-2CD2035-I looks like G1...
    And manual in this thread is not fully for me...
    Long-shot help request - Hikvision DS-2CD3335D - G0 series IPC.
    Because i dont see where we update new firmware.... manual is not understand for me... For DS-2CD2032 is full understand...

    This is ok understand
    -----------------------------------------------------------
    Assuming the serial console is hooked up (115,200 baud, 8 bits no parity) and shows lots of readable info when the camera is powered on -
    Interrupt the bootloader with Control-U
    It's handy to set some of the environment variables to suit your network.
    First of all though, make a record of existing settings by using the following command, and copying the screen rollback in PuTTY to a text file to save in your work area:

    printenv

    Use the following commands to set the camera IP address and the TFTP server IP address:

    setenv ipadrs <your_choice_for_the_camera>
    setenv serverip <your_TFTP_server_address>
    saveenv

    Then the kernel bootargs need to be changed to get the kernel to boot into a debug mode:

    setenv bootargs console=ttyAMA0,115200 init=/bin/sh rootfs=0x82000000 rootfstype=initrd debug single loglevel=9
    saveenv

    -------------------------------------------------------------




    but from this i dont understand

    -------------------------------------------------------------
    Copy the kernel image uImage to your tftp root folder.

    Boot over tftp and the camera should end up at a shell prompt, hopefully not a psh prompt.

    tftp uImage
    bootm

    -----------------------------------------------------------
    It's really handy to be able to copy / paste command lines from a text file (eg via Notepad) into the PuTTY command line.
    These can be done singly or in multiple.
    If the modified bootargs do boot into an ash shell, that's great as it will provide the access to do the needed work.
    But at that point, the environment is not yet complete.
    These commands are needed to take it a few steps further:
    Adjust the IP addresses to match your network and your NAS for the NFS share and sharename.

    /bin/mount -t proc proc /proc
    /bin/mount -t sysfs none /sys
    /bin/mount -t ramfs ramfs /home

    /etc/S_udev

    ifconfig eth0 192.168.1.64 up

    mount -t nfs -o nolock 192.168.1.201:/cctv1 /mnt/nfs00

    cd /mnt/nfs00

    ----------------------------------------------------------------

    At this point there is a fully usable linux environment.
    The uImage kernel can be applied to mtdblock5 & 6 (sys0, sys1) and all the remaining files from the unpacked firmware copied into /dav both when it's mounted from mtdblock7 and also mtdblock8 (app0 and app1).
    Finally - reboot, interrupt the bootloader with Control-U and put the bootargs environment variable back the way it was to begin with so that the camera no longer boots into a shell in debug mode.




    EDIT
    For changing region in DS-2CD2032 from CH to WR i done again all operation and now i have in my number WR. Thanks
     
    Last edited: Dec 29, 2018
  18. Martinp

    Martinp n3wb

    Joined:
    Dec 29, 2018
    Messages:
    3
    Likes Received:
    1
    Location:
    US
    DS-2DE2202I-DE3/W successfully recovered using this method - thanks all!

    Here was the sequence:

    1. Camera had started randomly rebooting multiple times a day (it's behind an NVR so don't think it was hacked?).
    2. Annoyingly, the PTZ would reset itself each time and point at the mounting pole which wasn't super helpful.
    3. Foolishly, I decided to web update from 5.3.9 to 5.4.71 which promptly bricked the camera with "firmware language mismatch: /home/webLib"
    4. <insert a bunch of trial and error trying to load a new image on the camera>
    5. I wanted to use a standard TFTP server and so had to work with Hikvision's custom handshake on port 9978.
    6. Successfully loaded the brick-fix CN image on the camera, got logged in and ran the recovery script (took a couple of goes).
    7. For the mtd6ro_mod specifics:
    * changed the language byte at location 0x10 to 0x01 (from 0x02)
    * recomputed the checksum (which decremented by 1 as expected) and set in locations 0x04-0x05
    * left the devType bytes untouched as 0x2623- this might be the type for the DS-2DE2202I-DE3/W
    8. Loaded and ran upgrade with digicap.dav from raptor_de_value_ptz_firmware_5.3.9_150910
    9. Rebooted, camera came up successfully on 192.168.1.64 (in English)
    10.Web upgrade from there to V5.4.71 build 170312 worked successfully.

    So far, the reboots have stopped. Hope this helps folks.
     
    Last edited: Dec 30, 2018
  19. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,884
    Likes Received:
    3,413
    Location:
    Scotland
    Hey, well done! Another good result.

    That's worth knowing - may help others, thanks.

    Sounds like you did a bit of network sniffing.
    Did you somehow emulate the Hikvision handshake - or end up just using Hikvision's updater?
     
  20. Martinp

    Martinp n3wb

    Joined:
    Dec 29, 2018
    Messages:
    3
    Likes Received:
    1
    Location:
    US
    Watched what it was up to on the network - the camera sends a UDP request to port 9978, reply with payload "SWKH" and it moves onto a standard TFTP load. I wrote a couple of lines of Python to do the handshake. The mtd work was great Alistair!