R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,940
Reaction score
3,872
Location
Scotland
SADP will show that the camera is running the min-system recovery environment, as shown on your wireshark data (4.0.8).
That should respond to a telnet access if its the brickfix version.

On a 2032, the serial console connector is on the underside of the system board.
 

Purduephotog

Getting the hang of it
Joined
Oct 30, 2016
Messages
126
Reaction score
45
I was going to be lazy and put some pogo-pins together.
Turns out (if I may suggest) that adding a switch/hub in-between the computer and the camera- and also running ping -t with the IP of the camera, did the trick.

Until that point I never got to see any traffic of it attempting to boot/tftp. But the minute (and I repeated it many times) I started running the ping test (after clearing the ARP table) the camera connected each and every time.

So.. maybe it was the POE switch. Maybe it was the ping. But it worked and I'm happy.

Unfortunately the nvr won't force its credentials down into the camera, which means I can't just swipe them and figure out how to log into the damn thing locally.

Sigh.

Also, Alastair good Sir, if you already have an environment sent for unpacking firmware- have you seen this one ?

https://s3.amazonaws.com/mfs.ezvizlife.com/CS-X4-104P&108P&116P_v3.4.90_180413.rar

(My current PIT..Rear End)
 
Joined
Feb 18, 2017
Messages
4
Reaction score
0
Hi,

I have a DS-2CD3132F-IWS with Firmware Version V5.2.5 build 141201.

Does this mod works in this camera? Or only works with the 2X series? I would really like to update the firmware to avoid the backdoor problem. I disabled uPNP and I don't have any forwarding port, but still seems unsafe.

Regards.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,940
Reaction score
3,872
Location
Scotland
Joined
Feb 18, 2017
Messages
4
Reaction score
0
Yes, the serial has CCCH

And it's probably chinese as I bought it on eBay.

I will give a shot to the mod/hack.
 

Purduephotog

Getting the hang of it
Joined
Oct 30, 2016
Messages
126
Reaction score
45
Edit: Trojan camera works to get the cameras password but still can't add them to ivms4200

With apologies for the delayed reply -
That looks like a version of K41 NVR EN firmware or similar.
The file can be unpacked and decrypted using the @montecrypto repacker from here : [MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

What is the firmware for?
The NVR that came with the 4 camera set.

I can't get into the NVR except from the IVMS, and IVMS won't play any of the attached cameras. It's slower than snot. And I can't add the cameras to my regular network as there is no web GUI- something I hadn't seen/searched for here (unless I'm doing something really wrong).

And thank you for the reply. It is timely anytime- no hurries needed :)

j

Edit: Alastair- interesting to note, the firmware on the NVR is newer than the version on the web. So I'm starting to wonder if they wised up to the trojan horse trick as I can't put a 'naked' camera in and see it get the credentials pushed.
 
Last edited:

Tr1cky

n3wb
Joined
Aug 1, 2019
Messages
3
Reaction score
1
Location
Australia
Sorry @alastairstevenson mine was labelled wrong so let me reitterate:

DS-2CD3T32-I5 - 9821
DS-2CD3T32-I8 - 9821

100% confirmed from prtHardInfo: devType: 38945

Now im going to ASSUME that the DS-2CD2T32-I5 & I8 series are going to be - 9821 because they are identical from what i can tell.
Im also going to assume the I3 variant has the same aswell.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,940
Reaction score
3,872
Location
Scotland
Thanks for the update.

Now im going to ASSUME that the DS-2CD2T32-I5 & I8 series are going to be - 9821 because they are identical from what i can tell.
It's probably a reasonable assumption - but not something I can confirm myself.
 
Joined
Aug 16, 2019
Messages
3
Reaction score
1
Location
United Kingdom
Hi

I am having a problem at the putty stage it will not show the login/password request, i have tried both the EN and CN versions.
It is a CN gray version of DS-2CD2632F-IS , but it was hacked and showing a RR in the serial on version 4.5.

i can see the DS mini system on SADP, so it is there but it will just not log in via putty
Oh and in SADP i can actually change the password and IP address.

its very strange, can i ask has anyone experienced the same or offer help.

i have started again and i am now seeing the camera on 192.0.0.64 on SADP running the DS mini system , it just hangs on putty without asking for a login

regards Rob
 

Tr1cky

n3wb
Joined
Aug 1, 2019
Messages
3
Reaction score
1
Location
Australia
The flash systems do weird things for no reason I have found. Turn it off, open it up, hold the reset button that you will find internally and power it on while holding it for 20 seconds. Leave it for like 5-10 minutes and come back and try it again. Start from the start

I recently had the opportunity do fix about 70 cameras of various models in the 2cdxx2 range and found the flash models are the worst to do this on.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,940
Reaction score
3,872
Location
Scotland
I am having a problem at the putty stage it will not show the login/password request,
Are you saying that you do not get the telnet login prompt after using the Hikvision tftp updater to install either the EN or CN header versions if brickfixV2 firmware?

What status did the tftp updater show after the firmware file was downloaded?

If you enable the telnet client facility in the Windows PC network configuration / add/remove Windows components (varies with the version), try :
telnet 192.0.0.64
and see if you get a login prompt.
 
Joined
Aug 16, 2019
Messages
3
Reaction score
1
Location
United Kingdom
Are you saying that you do not get the telnet login prompt after using the Hikvision tftp updater to install either the EN or CN header versions if brickfixV2 firmware?

What status did the tftp updater show after the firmware file was downloaded?

If you enable the telnet client facility in the Windows PC network configuration / add/remove Windows components (varies with the version), try :
telnet 192.0.0.64
and see if you get a login prompt.
Hi Alastair

I worked it out, it was the firewall that was stopping me at the telnet stage, watch out for this guys as it makes you look a plank later lol.

i got one camera up and running, now for the other four, don't really know what i am doing, it was intense , it worked using 1098 - DS-2CD2632F-IS to V5.4.5 build 170123 right away.

However worked through your fantastic explanation and thank you.

From a Yorkshireman to a Scot, how many jars of Vegemite, do i owe ya,, if you have a donation page send me it,

You know the definition of a Yorkshireman , a Scot with the generosity squeezed out of him lol.

Genuinely though I owe ya for this one, a few Whiskeys if you are ever passing Leeds.

Can i ask is this version secure,

Once again Thank you

Regards Rob
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,940
Reaction score
3,872
Location
Scotland
Hey, Rob, well done for getting there.
I was actually born in Yorkshire so am familiar with the approach to life of the inhabitants ...
The 5.4.5 has the backdoor fixed - but other vulnerabilities, who knows. These things cannot be described as secure.
 
Joined
Aug 16, 2019
Messages
3
Reaction score
1
Location
United Kingdom
Hey, Rob, well done for getting there.
I was actually born in Yorkshire so am familiar with the approach to life of the inhabitants ...
The 5.4.5 has the backdoor fixed - but other vulnerabilities, who knows. These things cannot be described as secure.
Arrrr so you are Scotshire , what a claim

thank you once again and all that had input , and if i cant pay you in Gold all i can do is offer return advice.

If you are ever in York on a Tuesday make sure they know you are Yorkshire born, they can still shot Scots with a bow and arrow on Tuesdays in York

Very Kind regards Rob
 

rjprb

n3wb
Joined
Aug 11, 2019
Messages
3
Reaction score
0
Location
Peru
Hello, I have the NVR which i install an update with a firmware i_series_usa_firmware_v3.4.92_170518 that has a file digicap.dav, causing the NVR no longer pass the logo screen, beeping 15 times and then restarting. I found another page with the firmware ds-90xx96xx-st77xx-sp_usa_firmware_v3.4.2_160530, which has a file digicap.mav and I tried to install it using the Putty console and TFTP Sever, but the TFTP does not recognize the extension .MAV, how can I install the correct firmware?


The first firmware upgrade i download from https://www.hikvision.com/en/Support/Downloads/Firmware/NVR (digicamp.dav), after the instalation the NVR no longer pass the logo screen.


The page with the correct firmware for my NVR is digicap.mav is https://us.hikvision.com/en/products/more-products/discontinued-products/network-video-recorder/ds-7700ni-sp-series-nvr-ds-7716ni-sp16

Kind Regards
Rafael
 
Top