R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Discussion in 'Hikvision' started by alastairstevenson, Dec 2, 2017.


  1. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    If you have done the 'enhanced mtd hack' the camera will be fully upgradeable using the EN/ML stock firmware, to a version (5.4.5) that does not have the widely exploited 'Hikvision backdoor' vulnerability.
     
  2. styliek

    styliek n3wb

    Joined:
    Jan 2, 2018
    Messages:
    2
    Likes Received:
    0
    Yes I have, thank you. Reading the release notes for 5.4.5 I just don't see anything jumping out at me to make me want to upgrade. I will check the previous release notes but might stay put with 5.2.5 and play it safe.
     
  3. GAM

    GAM n3wb

    Joined:
    Jan 3, 2018
    Messages:
    1
    Likes Received:
    0
    Hi, I’ve just upgraded 2 non-bricked Chinese hacked-to-English 2332s, one on 5.2.0 and the other on 5.2.3. Thanks so much for the video and guide, it’s so simple!

    Does anyone know whether I can perform a similar upgrade with a grey-imported DS-2CD2335-I? Thanks
     
  4. patdeFrance

    patdeFrance n3wb

    Joined:
    Dec 13, 2017
    Messages:
    4
    Likes Received:
    0
    Good evening alastairstevenson,

    I know this forum deals with the camera "IP R0 / DS-2CD2x32."
    I suspect that Firmware and hardware are a lot different,

    but I am deeply convinced that it is on this forum that I would find the solution.
    A security camera must be better protected than an intercom.
    I am sure that on this forum, someone has the tools to explore the software used and knows the coding logic of Hikvision engineers.
    This logic should not be very different, since it is possible to change the 'Language' flag of the intercom firmware in the same way as for a camera.
    You say:
    "Firmware and hardware are a lot different"
    Have you explored the firmware of the intercom without finding any similarity with a DS-2 ...?
    Do you think that the system of coding the language is necessarily different?

    Do you know the tools that would allow me to explore the heart of the intercom, and do you think I would be able to access it?

    That's a lot of questions, and I'd love to read the answers you'll want to give me.
    Thank you
     


  5. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Assuming we are talking about the Hik doorbell with this firmware : VIS_03_H2_EN_STD_V1.4.61_170731 -
    Yes, I did have a look at it, and it seemed to me that the firmware was most similar to the Hikvision NVR firmware.
    The firmware is wrapped as a cramfs file, and has within that file-naming conventions similar to the NVR firmware.
    It also uses DES3 encryption, just like the NVR firmware, though with a different encryption key.
    I didn't derive the encryption key, so I wasn't able to check out if the same method for masquerading the language as in the NVRs would be available such that modified firmware could be created.
    If / when someone extracts the DES3 encryption key, the @montecrypto hikpack tool should do all that's needed.
    Alternatively, if a telnet/SSH root shell can be obtained (I don't know if the 'psh' shell is a feature), then the in-built 'dec' program can be used to decrypt / encrypt the firmware files.
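
As an added example (not part of the original post and not code from the hikpack tool), this is a way to confirm that a downloaded firmware file really starts with a cramfs superblock before going further. It assumes the superblock sits at offset 0 of the file; `build_sample` produces a constructed test image, not real firmware.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
# Fields of struct cramfs_super up to the root inode:
# magic, size, flags, future, signature[16], crc, edition, blocks, files, name[16]
LAYOUT = "IIII16sIIII16s"

def parse_cramfs_superblock(data):
    """Return the superblock fields as a dict, or None if data is not cramfs."""
    if len(data) < struct.calcsize("<" + LAYOUT):  # 64 bytes
        return None
    for endian in ("<", ">"):  # cramfs is written in the builder's byte order
        f = struct.unpack_from(endian + LAYOUT, data)
        if f[0] == CRAMFS_MAGIC and f[4] == CRAMFS_SIGNATURE:
            return {
                "endian": "little" if endian == "<" else "big",
                "size": f[1],
                "flags": f[2],
                "name": f[9].rstrip(b"\0").decode("ascii", "replace"),
            }
    return None

def check_image(data):
    """Return (ok, reason) for an in-memory firmware image."""
    sb = parse_cramfs_superblock(data)
    if sb is None:
        return False, "no cramfs superblock at offset 0"
    if sb["size"] > len(data):
        return False, f"truncated: header says {sb['size']} bytes, have {len(data)}"
    return True, f"cramfs, {sb['endian']}-endian, {sb['size']} bytes"

def build_sample(size, name=b"sample", endian="<"):
    """Constructed test image: a valid superblock padded with zeros."""
    head = struct.pack(endian + LAYOUT, CRAMFS_MAGIC, size, 0, 0,
                       CRAMFS_SIGNATURE, 0, 0, 1, 1, name)
    return head + bytes(max(0, size - len(head)))

if __name__ == "__main__":
    print(check_image(build_sample(4096)))
    print(check_image(build_sample(4096)[:100]))  # cut-off download
```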
     
  6. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Well done!
    You're not the first to ask that.
    Maybe this should be the next project to relieve the boredom.
    But check this out : Long-shot help request - Hikvision DS-2CD3335D - G0 series IPC.
     
  7. patdeFrance

    patdeFrance n3wb

    Joined:
    Dec 13, 2017
    Messages:
    4
    Likes Received:
    0
    [QUOTE="alastairstevenson, post: 240902, member: 1907"] Assuming we are talking about the Hik doorbell with this firmware: VIS_03_H2_EN_STD_V1.4.61_170731


    the intercom model is as follows:

    Hikvision DS KH8301 A (DS KH8301 WT) Indoor Video Touch Screen 7 inch Monitor 1024X600 0.3MP camera, TF Card slot, wired intercom in Indoor Monitor from Security & Protection on AliExpress.com | Alibaba Group

    and for the door phone:

    DS KV8102 1A Metal Visual intercom Video doorbell Access Control IC card, IP intercom replace DS KV8102 IM with mounting box in Video Intercom from Security & Protection on AliExpress.com | Alibaba Group

    The last firmware I managed to load is V1.4.71.
    It is mainly the monitor that I wish "cracked". The door phone is not important.

    The last paragraph is a bit of Chinese for my level.
    I only used "hiktools05R1.exe".
    I do not know hikpack, but I only ask to learn !!!
     
  8. DGWASW

    DGWASW Young grasshopper

    Joined:
    Nov 15, 2017
    Messages:
    31
    Likes Received:
    5
    Location:
    Australia
    How about reinstating the four rules for smart events line crossing / intrusion for 2342WD-I & 2335FWD-I cams?
     
  9. whoslooking

    whoslooking Known around here

    Joined:
    Oct 3, 2014
    Messages:
    1,500
    Likes Received:
    527
    Location:
    London
    After a little bit of playing with a bricked 3410 (Chinese cube) which was MTD hacked by CBX originally.
    It was working on 5.20, which I upgraded to 5.30, all still good, then up to 5.40, then bricked. Being a XXX0 I thought a bit more was needed to recover, but thanks to @alastairstevenson and his v2 brickfix it was so easy. So I can confirm that some XXX0 models can also be recovered.

    Using Tftp, first use the v2 brickfix;
    once you get the completed message, close the Tftp.

    Now run Tftp again with a lower firmware. I used 5.30 for this test. This time allow the Tftp to fully complete.

    Again close the Tftp and power off the camera. Power on again and wait; after 2 mins your camera will start again, fully working.

    Also interesting: mine also stayed in English after the recovery.

    Now more testing to see if the Advanced MTD hack will work on the XXX0 cameras.
     
  10. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Interesting, and a bit surprising, that the brick-fix works on a 3410 - not something I'd have expected. But good to know.
     
  11. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    It might be interesting to see if the flash layout on that camera model is the same as the R0 series - cat /proc/mtd
    If so, you could try the brickfixV2 script and see if it works OK with that camera model.
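
An added example, not part of the original post and not the brickfixV2 script: one way to compare two saved `cat /proc/mtd` captures partition by partition before deciding that two camera models share a flash layout. The partition names and sizes in both samples are constructed for illustration and do not describe any real camera.

```python
import re

# Constructed sample captures of `cat /proc/mtd` (illustrative values only).
REFERENCE = '''dev:    size   erasesize  name
mtd0: 00100000 00010000 "boot"
mtd1: 00040000 00010000 "env"
mtd2: 00f00000 00010000 "app"
'''
CANDIDATE = '''dev:    size   erasesize  name
mtd0: 00100000 00010000 "boot"
mtd1: 00080000 00010000 "env"
mtd2: 00e00000 00010000 "app"
mtd3: 00040000 00010000 "cfg"
'''

LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')

def parse_proc_mtd(text):
    """Return {dev: (size, erasesize, name)} from /proc/mtd text."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the header line and blank lines do not match
            dev, size, erase, name = m.groups()
            table[dev] = (int(size, 16), int(erase, 16), name)
    return table

def diff_layouts(reference, candidate):
    """List differences between two captures; an empty list means same layout."""
    ref, cand = parse_proc_mtd(reference), parse_proc_mtd(candidate)
    if not ref or not cand:
        raise ValueError("no mtd partitions parsed; check the capture")
    problems = []
    for dev in sorted(set(ref) | set(cand), key=lambda d: int(d[3:])):
        if dev not in cand:
            problems.append(f"{dev}: missing on candidate")
        elif dev not in ref:
            problems.append(f"{dev}: extra on candidate {cand[dev]}")
        elif ref[dev] != cand[dev]:
            problems.append(f"{dev}: reference {ref[dev]} != candidate {cand[dev]}")
    return problems

if __name__ == "__main__":
    for problem in diff_layouts(REFERENCE, CANDIDATE):
        print(problem)
```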
     
  12. whoslooking

    whoslooking Known around here

    Joined:
    Oct 3, 2014
    Messages:
    1,500
    Likes Received:
    527
    Location:
    London
    I'll take a deeper look tonight, but I know it differed from the mini PTZ 3Q10
     
  13. NoWaycs

    NoWaycs n3wb

    Joined:
    Jan 4, 2018
    Messages:
    2
    Likes Received:
    0
    Hello,
    I have a PTZ with a Hikvision module? It's been hacked 2 times and I really want to get off this version. Would this fix work on this? I'm not even sure what DAV version I should even use. I have uploaded whatever info I could get out of it on here and any help would be great :) Np for 3 years and I really don't want to get another auto-tracking ptz over firmware if I can help it. Thank You

    I used this version from a forum post here and it works to get it going again after trying a US firmware upgrade.

    Firmware V5.2.0 build 150106
    https://www.dropbox.com/s/3z5jvsb2c6fr2d3/DZ20150105_069_R0_EN_NEU_5.2.0_150106.zip?dl=0

    Model CMR-HD130-20-KB
    Serial No. CMR-HD130-20-KB20141212CCCH493506264
    Firmware Version V5.2.0 build 150106
    Encoding Version V5.0 build 140820
    Number of Channels 1
    Number of HDDs 1
    Number of Alarm Input 1
    Number of Alarm Output 1
     


  14. elitef

    elitef n3wb

    Joined:
    May 25, 2015
    Messages:
    9
    Likes Received:
    1
    Just wanted to say THANK YOU for this. Saved a cam which I tried to update last night but was a CN version. This now made it official :)
     
    alastairstevenson likes this.
  15. msqr

    msqr Young grasshopper

    Joined:
    May 18, 2015
    Messages:
    57
    Likes Received:
    0
    Amazing work!

    I have a bunch of CN 2132 cameras running 5.2.5 EN still. If these cameras are behind an NVR which is only accessible on my LAN (no port forwarding, I can only access my cameras via my VPN server), is there any motivation to update to 5.4.5? I remember a while ago that some camera functionality was lost upgrading right? Although I'm guessing 5.4.5 supports a replacement for NPAPI plugins Firefox 53 discontinued?

    Also, can I use something like this to update our DS-7716NI-E4/16P which is still on v3.3.4 and doesn't support whatever replacement for NPAPI there is?

    Also, am I misreading in that 5.5.0 is available for the 2132? It does say "R6" though in the filename so maybe I'm just cross eyed thinking it'd work for the 2132...

    Thanks!
     
  16. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Unfortunately, as I haven't had my hands on such a module, I have no idea if this type of fix would work on it.
    It's unlikely that the specific fix would work on a PTZ module as the internal architecture will probably be different, so best not to try.
    But if the 'hardware signature block' is held in a flash partition, the principle of the fix could probably be applied.

    Having said that, though, the firmware at the link you gave does look very much like stock R0 firmware of that version. I don't have an R0 sample of the same build date to make a comparison.
     
  17. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Bug fixes, improved user interface. But as you say, 1 line crossing and no longer 4 line crossing can be configured.
    No, that's never happened, despite being promised a couple of years back.
    An -NI NVR should be updateable via the stock firmware. Unless you know it wasn't sold as 'updateable'.
    Not that we've seen.
    The R6 series is a different range from the R0 series.
     
  18. NoWaycs

    NoWaycs n3wb

    Joined:
    Jan 4, 2018
    Messages:
    2
    Likes Received:
    0
    Thank you for the replies, and I will remove off my network and straight to the NVR. Thanks Again.
     
  19. msqr

    msqr Young grasshopper

    Joined:
    May 18, 2015
    Messages:
    57
    Likes Received:
    0
    Thank you sir! That's what the new version removed, line crossing... If I upgrade to 5.4.5 with your new tools, would I be able to downgrade back to 5.2.5?

    Yeah I'm not sure. Unfortunately just like the cams I think newer firmware removed features, like ONVIF to access graymarket Hik cameras.

    Sorry, one more question. I was gifted one of these cameras a short while ago:
    Hangzhou Hikvision Digital Technology Co. Ltd.
    (a 63C2) - It's a CN camera and got it to talk to my NVR via ONVIF, but I'm guessing because of how uncommon these are, probably a hard chance for me to get the mtd hack working on it eh?

    Thanks again for all your guidance over the years!
     
  20. widj09

    widj09 n3wb

    Joined:
    May 20, 2017
    Messages:
    1
    Likes Received:
    0
    Thank you Alastair. Camera was bricked, your magic did the trick. Thanks again.
     
  21. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    No, support for ONVIF cameras is still available in the 3.4.96 NVR firmware.

    *edit* But maybe you meant 'extending the language check' to Hikvision cameras connected as ONVIF.
    Last time I checked, that was no longer enforced, so China region cameras worked OK.
    From my point of view it would certainly be guesswork for that model.
    Is the firmware old enough that it supports telnet/SSH access and a regular shell, not 'psh' ?
     
  22. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    Excellent!
    And welcome to the forum, hopefully you'll continue to find it useful.
     
  23. msqr

    msqr Young grasshopper

    Joined:
    May 18, 2015
    Messages:
    57
    Likes Received:
    0
    Thanks for the info! Yeah, that's what it was, the language check. Good to know, I might try to update the NVR firmware.

    Gotcha, let me fire up that camera to check what FW is on there. The camera is a few years old already...
     
  24. neilyboy

    neilyboy Young grasshopper

    Joined:
    Jun 18, 2015
    Messages:
    34
    Likes Received:
    8
    I just wanted to say thank you alastairstevenson! You are the man!
    I have not been around the forum in quite a while. I am thinking about upgrading (which is pretty straightforward).
    The question I have is what type of 'language mismatch' stuff will I run into with my DS-7108N-SN/P running V3.0.13 build 150503
    Firmware on it is 'whoslookings' from this post (Hikvision NVR DS-7104N-SN firmware)

    If I upgrade my cameras to 5.4.5 will my NVR no longer be able to add them?

    Thanks for all your help you are an amazing resource!
    Neil
     
  25. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    The 'enhanced mtd hack' will convert the cameras to EN/ML and will not give a 'language mismatch' when used with an EN NVR.
     
  26. neilyboy

    neilyboy Young grasshopper

    Joined:
    Jun 18, 2015
    Messages:
    34
    Likes Received:
    8
    I was only worried as it is a CN nvr converted to US.

    Neil
     
  27. alastairstevenson

    alastairstevenson Known around here

    Joined:
    Oct 28, 2014
    Messages:
    7,255
    Likes Received:
    1,880
    Location:
    Scotland
    What language do the cameras present at the moment?
    If 'hacked to English' then they should still be OK after updating.
     
    neilyboy likes this.
  28. neilyboy

    neilyboy Young grasshopper

    Joined:
    Jun 18, 2015
    Messages:
    34
    Likes Received:
    8
    Yeah. I used his fw to get them to where they are now with cn serial but english fw
     
  29. neilyboy

    neilyboy Young grasshopper

    Joined:
    Jun 18, 2015
    Messages:
    34
    Likes Received:
    8
    Just wanted to say thank you yet again alastairstevenson! I got all 8 of my cameras updated and still working with my 7108. Everything is happy!

    Neil
     
    alastairstevenson likes this.
  30. Bizentech

    Bizentech Young grasshopper

    Joined:
    Nov 17, 2015
    Messages:
    56
    Likes Received:
    1
    I have 2 quick questions,
    - how do you reboot into mini system mode for telnet access? Just a power cycle??

    - will this work for authorized by Hikvision reseller not Hikvision cameras like LTS or GNS?? They are Hikvision but they’re not lol