R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Extremely interesting, can you provide additional details about that?
Yes, is this what you are interested in :
Code:
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "8e5-1e0-573af102"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --reboot
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80" with "reboot"
[+] Remote is not vulnerable
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --cmd "ls -al"
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "8e5-1e0-573af102"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $

From this device :

1641681199710.png
 
Thanks!

The 'Code: 500' above does indicate some potential issues, at least something went wrong. - May be good from an exploitation perspective.
- However, it could also mean that something went wrong during extracting/unpack/point of 'language' - w/o any RCE possibility.

Nevertheless, the 'reboot' above is executed 'as it comes'. It's like typing 'reboot' in your terminal - if that busybox command exists of course.
(And, it's executed 'w/o write to file' like most other RCE, where I'm looking if it's responding or not after 2 sec, if still responding - not vulnerable/exploitable)

I really do not think that is exploitable (please prove me wrong), but may be still vulnerable due to the 'Code: 500'
 
Good evening everyone, I'm new here, and this may not even be the right place, but I hope someone can help me. I have a 2CD2432F-IW that froze while in use, and I can't make any changes. In SADP it responds TIMEOUT, and the reset button does not respond to a reset with either AC 12v or PoE. Port 80 has disappeared, it does not accept any change of parameters, and the reset button does not work. Can someone help me? Does it need this brick process? Or is it 'active' and needs some other treatment? I would appreciate any comment. Thank you very much, best regards.

The firmware version of 4.0.8 shows that the camera is operating in the 'min-system' mode.
This is a recovery mode due to a problem which stops it from booting normally.
There are no web services in this mode, no normal operation.

You will be able to make the camera work again using the BrickfixV2 method here :

 
Hello, good morning, and thank you for your attention! Although it is quite complex for my level, I will try the step-by-step, which is very detailed. Thank you.

Hello, good evening everyone! I prepared all the necessary files and applications and started the step-by-step. I was very pleased when I saw the camera respond in TFTP.exe with "system update completed", and I was happy until the next step, where PuTTY did not open... Does anyone have any idea what I am doing wrong? I tried with 32-bit and 64-bit without success, and I even turned off the firewall. Thank you very much. PuTTY Fatal Error: Network Connection Refused.... ???
 
... a basic mistake!! But what really matters is that I got to the final stage and it is updated!!! I am very happy. Mr. Alastairstevenson is very attentive, and the step-by-step is so well done that even I managed it!! Thank you very much to everyone who made this possible!! There is still some problem on the local network, but look at her, back to life!! ..... I'm going to stop for today, and I'll put it on the network later. Thanks so much!!!

A good result - well done!
 
Hello,
I upgraded the original firmware of a DS-2CD2032-I that I bought a long time ago on Aliexpress using the method described, and now I can install new firmware with the Internet Explorer browser or iVMS-4200 software.
All is working correctly, but during the upgrade process I lost the admin user name and have only my one user as operator with all grants, which is different from the admin name, and I cannot create a new user like "admin" or any other name.
That's strange; if someone could help me manage this issue, that would be nice.
Thanks.
 
Assuming the existing user can do this - maybe try resetting to factory defaults and 'activating' the camera.
This should clear the configuration database and re-populate it as normal.
 
Thanks, I have reset the camera as you said, using its button and shutting down the power. That works perfectly; now I can see the admin user name that I lost before and can access the function to create a new user to add one.
 
First off, big thanks to alastairstevenson.
Fixed six DS-2CD2232-IM with no problems with your debrick tool. Thanks to everyone who asked questions also, it helps a lot. Quick: something that helped me with a long boot loop was another thread where someone had checked for water damage while fixing the RJ45 plug, and they removed the lens ribbon to check for any damage inside. I just happened to look for a reset button on a different brand DS-2CD2232-IM and removed the lens ribbon. I redid the ribbon (found it easiest to put it on the camera first, then the lens) and it showed fw 5.2.5, and it is now running 5.4.5. Worth checking if all else is failing. It worked for me :)

One question I have: has anyone used the fw IPC_R0_EN_STD_5.4.800_210813? It is on the hikvisioneurope portal, but I searched and found nothing on it here or anywhere else. Has anyone tried it? Is there any reason to or not to upgrade to it? I am happy with 5.4.5 but worry it might fix another backdoor. I am a little shy of loading anything without asking, with the update game they play LOL.

Thanks again to all and Stay healthy and safe. Merry Christmas!
I went ahead and loaded the 5.4.8 fw on to a DS-2CD2232-IM with China serial # (just one of six for now). So far no problems over 24hrs. I will let you know if there are any problems down the line.

I always wonder if the updates are protecting us from a backdoor or creating a backdoor? I am not too worried about it. I am just starting out with IPCams, so I went with used eBay cameras where the price of 6 used was the same as 1 new, ran some Cat 5e, and only have 2 rules: don't point the cameras at anything you don't want others to see, and protect the home network. Not sure how I'm going to do that yet, but I am still in the research phase. My internet tops out at 1.5mb, but I have a fiber box on the house and am just waiting for final install of 1gig internet, so that will open the cloud options or my own ftp.

Thanks again for everything you and everyone else do here.

I too am curious what this firmware is about. Very frustrating that no release notes are included. It would seem logical that it might address some vulnerability because why else would they release a new firmware for such an old platform? Besides this thread, the only other search result I can find is in the use-IP thread, where one person says the Encoding Version changed to V5.0 build 181011 and there's an audio bug with this version. Is there any way to compare the firmware file against another firmware file to identify the changes? Would anyone recommend that I update my CN > EN converted DS-2CD2332-I and DS-2CD2312-I from V5.4.5_170401 to this new V5.4.800_210813?
 
I upgraded a DS-2CD2032-I cam using your procedure and it worked out well.
I then tried a 2nd cam (same model and bought at the same time). I was able to install digicap.dav using the Hikvision TFTP but when I booted up the cam I am unable to connect via putty (I am using telnet).
I figured I would re-install the brickfixv2 firmware via Hikvision tftp but no joy. The cam never connects. I made sure my firewall was off, rebooted windows pc, tried multiple times with EN and CN version of firmware.

Any ideas appreciated.

Here is what I see in the log for the 2nd cam:

[2022-03-02 16:16:55] TFTP server[127.0.0.1] initialized
[2022-03-02 16:17:00] Device[192.0.0.64] test tftpserver
[2022-03-02 16:17:11] Connect client[192.0.0.64] success
[2022-03-02 16:17:11] Start file[C:\Temp\3-2-2022 firmware upgrade\TFTP\digicap.dav] transmitting
[2022-03-02 16:18:22] Completed file[C:\Temp\3-2-2022 firmware upgrade\TFTP\digicap.dav] transmit
[2022-03-02 16:18:39] Device[192.0.0.64] system update completed!
[2022-03-02 16:20:55] TFTP server[127.0.0.1] initialized
[2022-03-02 16:21:01] Device[192.0.0.64] test tftpserver
[2022-03-02 16:22:30] Device[192.0.0.64] test tftpserver
[2022-03-02 16:25:15] TFTP server[127.0.0.1] initialized
[2022-03-02 16:25:22] Device[192.0.0.64] test tftpserver
[2022-03-02 16:33:36] TFTP server[127.0.0.1] initialized
[2022-03-02 16:33:41] Device[192.0.0.64] test tftpserver
[2022-03-02 16:35:12] Device[192.0.0.64] test tftpserver
[2022-03-02 16:39:13] TFTP server[127.0.0.1] initialized
[2022-03-02 16:39:18] Device[192.0.0.64] test tftpserver
[2022-03-02 16:41:33] Device[192.0.0.64] test tftpserver
[2022-03-02 16:44:03] TFTP server[127.0.0.1] initialized
[2022-03-02 16:44:08] Device[192.0.0.64] test tftpserver
[2022-03-02 17:09:23] TFTP server[192.0.0.128] initialized
[2022-03-02 17:09:31] Device[192.0.0.64] test tftpserver
[2022-03-02 17:11:09] Device[192.0.0.64] test tftpserver
[2022-03-02 17:11:27] Device[192.0.0.64] test tftpserver
[2022-03-02 17:12:20] Device[192.0.0.64] test tftpserver
 
It looks like the camera is in a bootloop.
If you wanted to spend the time to explore this further, maybe fix it, maybe not, you'd need to connect up to the serial console, which should provide more detail.
To do this 2 items are needed :
A 4-pin 1.5mm ZH JST wired connector, usually available in 10-packs.
A serial TTL to USB convertor such as a PL2303TA-based device.
Both widely available at low cost.
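
The TFTP log posted above, read session by session (an added example, not part of the original thread or of the Hikvision TFTP tool): each restart of the server opens a session, and the pattern the reply reads as a boot loop appears as `test tftpserver` probes with no `Connect client` after a completed update. The state names and the `probe_only_after_update` heuristic are assumptions for illustration, and the sample log is constructed in the post's format.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log posted above (file path shortened).
SAMPLE_LOG = r"""[2022-03-02 16:16:55] TFTP server[127.0.0.1] initialized
[2022-03-02 16:17:00] Device[192.0.0.64] test tftpserver
[2022-03-02 16:17:11] Connect client[192.0.0.64] success
[2022-03-02 16:17:11] Start file[C:\Temp\digicap.dav] transmitting
[2022-03-02 16:18:39] Device[192.0.0.64] system update completed!
[2022-03-02 16:20:55] TFTP server[127.0.0.1] initialized
[2022-03-02 16:21:01] Device[192.0.0.64] test tftpserver
[2022-03-02 16:22:30] Device[192.0.0.64] test tftpserver
[2022-03-02 16:25:15] TFTP server[127.0.0.1] initialized
[2022-03-02 16:25:22] Device[192.0.0.64] test tftpserver
"""

# An entry ends where the next timestamp begins, so a log pasted as one long
# line parses the same as a log with one entry per line.
ENTRY_RE = re.compile(
    r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s*(.*?)\s*(?=\[\d{4}-\d\d-\d\d |\Z)", re.S)

def parse_sessions(log_text):
    """One session per 'TFTP server[...] initialized' entry."""
    sessions = []
    for ts, msg in ENTRY_RE.findall(log_text):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if msg.startswith("TFTP server["):
            sessions.append({"start": when, "probes": [], "connected": False, "updated": False})
        elif sessions and msg.endswith("test tftpserver"):
            sessions[-1]["probes"].append(when)
        elif sessions and msg.startswith("Connect client["):
            sessions[-1]["connected"] = True
        elif sessions and msg.endswith("system update completed!"):
            sessions[-1]["updated"] = True
    return sessions

def summarize(log_text):
    """Return (session start, state, seconds between probes) per session."""
    rows = []
    for s in parse_sessions(log_text):
        gaps = [int((b - a).total_seconds()) for a, b in zip(s["probes"], s["probes"][1:])]
        state = ("update-completed" if s["updated"] else
                 "transfer-incomplete" if s["connected"] else
                 "probe-without-transfer" if s["probes"] else "no-device-seen")
        rows.append((s["start"].strftime("%H:%M:%S"), state, gaps))
    return rows

def probe_only_after_update(log_text):
    """Heuristic (assumption): an update completed, then only probes follow."""
    states = [state for _, state, _ in summarize(log_text)]
    later = states[states.index("update-completed") + 1:] if "update-completed" in states else []
    return bool(later) and all(s == "probe-without-transfer" for s in later)
```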