R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Discussion in 'Hikvision' started by alastairstevenson, Dec 2, 2017.

  1. Purduephotog

    Alastair-

    First, thank you for the great tutorial. I've been bumming around firmware for years, and this is very concise and well laid out.
    Unfortunately I think my experience has come back to bite me.

    I couldn't get the camera to reset- although I was able to log into it and force a factory reset. At that point it picked up the tftp server, did the EN-digicap download... and then it did nothing.

    Manually rebooted after a long while, but was never able to get it to reset or connect again.

    Wireshark shows some activity- I was able to capture a couple of ARP (broadcast packet below).

    The odd thing was the IP came back as 192.168.1.64 - so I moved everything over to 1.128- still no bites though, and no activity on Wireshark to indicate reachout to the tftp server.
    I isolated it completely from switches and direct plugged it into the PC... no go.

    So now it's in 4 pieces on my desk, and I'm about to solder in a header connector. Saw a cute little plug though- wondering what it is.

    I'm about to do a serial reprogramming on it- any last words to stop me? :) Or suggestions to try before I head down this path? I've not fired up binwalk in a looong time....

    Code:
    0000   ff ff ff ff ff ff c4 2f 90 00 35 4f 80 33 21 01   ......./..5O.3!.
    0010   01 f6 00 00 00 02 06 04 01 02 3c 89 c4 2f 90 00   ..........<../..
    0020   35 4f c0 a8 01 40 ff ff ff ff ff ff 00 00 00 00   5O...@..........
    0030   ff ff ff 00 44 53 2d 32 43 44 32 30 33 32 46 2d   ....DS-2CD2032F-
    0040   49 30 31 32 30 31 35 30 37 32 04 43 43 52 52 35   I012015072.CCRR5
    0050   33 30 35 39 32 30 39 37 00 00 00 00 00 00 00 00   30592097........
    0060   00 00 00 00 00 00 98 26 00 00 1f 40 00 00 00 00   .......&...@....
    0070   00 00 00 00 56 34 2e 30 2e 38 62 75 69 6c 64 20   ....V4.0.8build
    0080   31 35 30 34 30 31 00 00 00 00 00 00 00 00 00 00   150401..........
    0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00b0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00c0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    00d0   00 00 00 00 32 30 31 39 2d 30 37 2d 31 36 20 30   ....2019-07-16 0
    00e0   36 3a 31 38 3a 30 37 00 00 00 00 00 00 00 00 00   6:18:07.........
    00f0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0100   00 00 00 00 02 9c 60 52 c0 a8 01 01 00 00 00 00   ......`R........
    0110   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0120   00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00   ............@...
    0130   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0140   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0170   44 53 2d 32 43 44 32 30 33 32 46 2d 49 00 00 00   DS-2CD2032F-I...
    0180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    
    Oh I saw this - hah- some of the info I need :)

    Manual: Create console/serial access to Hikvision DS-2CD2032F-I

    Sounds like the camera is stuck and the reset button isn't working. Hrmm...
     
    Last edited: Jul 16, 2019
  2. alastairstevenson

    SADP will show that the camera is running the min-system recovery environment, as shown on your Wireshark data (4.0.8).
    That should respond to a telnet access if it's the brickfix version.

    On a 2032, the serial console connector is on the underside of the system board.
     
    Purduephotog likes this.
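
The reply above reads the running firmware version straight out of the captured broadcast. As an added example (not part of the original thread), this rebuilds the payload from rows 0030-0080 of the posted Wireshark dump and lists its printable strings; no field layout is assumed, and the function names are illustrative.

```python
import re

# Rows 0030-0080 copied from the Wireshark hex dump posted earlier in this thread.
DUMP = """\
0030   ff ff ff 00 44 53 2d 32 43 44 32 30 33 32 46 2d   ....DS-2CD2032F-
0040   49 30 31 32 30 31 35 30 37 32 04 43 43 52 52 35   I012015072.CCRR5
0050   33 30 35 39 32 30 39 37 00 00 00 00 00 00 00 00   30592097........
0060   00 00 00 00 00 00 98 26 00 00 1f 40 00 00 00 00   .......&...@....
0070   00 00 00 00 56 34 2e 30 2e 38 62 75 69 6c 64 20   ....V4.0.8build
0080   31 35 30 34 30 31 00 00 00 00 00 00 00 00 00 00   150401..........
"""

# Offset column, then at most 16 hex byte pairs; the ASCII column is ignored.
ROW = re.compile(r"^\s*([0-9a-f]{4,8})\s+((?:[0-9a-f]{2} ?){1,16})", re.I)

def parse_hexdump(text):
    """Return (base_offset, payload) rebuilt from the hex column only."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip blank lines or pasted forum residue
        offset = int(m.group(1), 16)
        if base is None:
            base = offset
        if offset != base + len(data):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        data += bytes.fromhex(m.group(2))
    return base, bytes(data)

def printable_strings(base, data, min_len=4):
    """List (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]

def firmware_version(strings):
    """Return the first 'Vx.y.z build yymmdd' style string, or None."""
    for _, text in strings:
        m = re.search(r"V\d+\.\d+\.\d+\s*build\s*\d{6}", text)
        if m:
            return m.group()
    return None

if __name__ == "__main__":
    base, payload = parse_hexdump(DUMP)
    for offset, text in printable_strings(base, payload):
        print(f"{offset:#06x}  {text}")
```
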
  3. Purduephotog

    I was going to be lazy and put some pogo-pins together.
    Turns out (if I may suggest) that adding a switch/hub in-between the computer and the camera- and also running ping -t with the IP of the camera, did the trick.

    Until that point I never got to see any traffic of it attempting to boot/tftp. But the minute (and I repeated it many times) I started running the ping test (after clearing the ARP table) the camera connected each and every time.

    So.. maybe it was the POE switch. Maybe it was the ping. But it worked and I'm happy.

    Unfortunately the nvr won't force its credentials down into the camera, which means I can't just swipe them and figure out how to log into the damn thing locally.

    Sigh.

    Also, Alastair good Sir, if you already have an environment set for unpacking firmware- have you seen this one?

    https://s3.amazonaws.com/mfs.ezvizlife.com/CS-X4-104P&108P&116P_v3.4.90_180413.rar

    (My current PIT..Rear End)
     
  4. solidus3000

    Hi,

    I have a DS-2CD3132F-IWS with Firmware Version V5.2.5 build 141201.

    Does this mod work in this camera? Or does it only work with the 2X series? I would really like to update the firmware to avoid the backdoor problem. I disabled UPnP and I don't have any port forwarding, but it still seems unsafe.

    Regards.
     
  5. alastairstevenson

    Yes, the brickfixV2 method works with that model.
    Is it a Chinese camera / does it have CCCH in the serial number?
     
  6. alastairstevenson

    With apologies for the delayed reply -
    That looks like a version of K41 NVR EN firmware or similar.
    The file can be unpacked and decrypted using the @montecrypto repacker from here: [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

    What is the firmware for?
     
  7. solidus3000

    Yes, the serial has CCCH.

    And it's probably Chinese as I bought it on eBay.

    I will give a shot to the mod/hack.
     
  8. alastairstevenson

  9. Purduephotog

    Edit: Trojan camera works to get the cameras' password but still can't add them to ivms4200

    The NVR that came with the 4 camera set.

    I can't get into the NVR except from the IVMS, and IVMS won't play any of the attached cameras. It's slower than snot. And I can't add the cameras to my regular network as there is no web GUI- something I hadn't seen/searched for here (unless I'm doing something really wrong).

    And thank you for the reply. It is timely anytime- no hurries needed :)

    j

    Edit: Alastair- interesting to note, the firmware on the NVR is newer than the version on the web. So I'm starting to wonder if they wised up to the trojan horse trick as I can't put a 'naked' camera in and see it get the credentials pushed.
     
    Last edited: Aug 3, 2019
  10. Tr1cky

    see further down
     
    Last edited: Aug 5, 2019
    alastairstevenson likes this.
  11. alastairstevenson

  12. Tr1cky

    Sorry @alastairstevenson, mine was labelled wrong so let me reiterate:

    DS-2CD3T32-I5 - 9821
    DS-2CD3T32-I8 - 9821

    100% confirmed from prtHardInfo: devType: 38945

    Now I'm going to ASSUME that the DS-2CD2T32-I5 & I8 series are going to be - 9821 because they are identical from what I can tell.
    I'm also going to assume the I3 variant has the same as well.
     
  13. alastairstevenson

    Thanks for the update.

    It's probably a reasonable assumption - but not something I can confirm myself.
     
  14. Rob Mortimer

    Hi

    I am having a problem at the PuTTY stage: it will not show the login/password request. I have tried both the EN and CN versions.
    It is a CN gray version of DS-2CD2632F-IS, but it was hacked and showing an RR in the serial on version 4.5.

    I can see the DS mini system on SADP, so it is there, but it will just not log in via PuTTY.
    Oh, and in SADP I can actually change the password and IP address.

    It's very strange. Can I ask, has anyone experienced the same, or can anyone offer help?

    I have started again and I am now seeing the camera on 192.0.0.64 on SADP running the DS mini system. It just hangs on PuTTY without asking for a login.

    Regards, Rob
     
  15. Tr1cky

    The flash systems do weird things for no reason I have found. Turn it off, open it up, hold the reset button that you will find internally and power it on while holding it for 20 seconds. Leave it for like 5-10 minutes and come back and try it again. Start from the start.

    I recently had the opportunity to fix about 70 cameras of various models in the 2cdxx2 range and found the flash models are the worst to do this on.
     
  16. alastairstevenson

    Are you saying that you do not get the telnet login prompt after using the Hikvision tftp updater to install either the EN or CN header versions of brickfixV2 firmware?

    What status did the tftp updater show after the firmware file was downloaded?

    If you enable the telnet client facility in the Windows PC network configuration / add/remove Windows components (varies with the version), try:
    telnet 192.0.0.64
    and see if you get a login prompt.