R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

Techwork

n3wb
Joined
Dec 30, 2021
Messages
1
Reaction score
0
Location
Sweden
The original 'brick-fix tool' and 'enhanced mtd hack' has proven pretty useful for those with R0 cameras that had been bricked by doing a firmware update.
It's been even more useful to deal with the fallout from the 'Hikvision backdoor' disclosure where so many people are finding their cameras are being messed with from the internet, mischievously or maliciously, and need to update to safer firmware.
However - the rather techy original method to make the changes, and probably my not-very-clear instructions have been a challenge for some people.
* And I only just noticed this - my original .txt attachments were in Linux format, not Windows format, making them hard to read without proper line breaks. And no-one let me know! Dohh! *

So here is 'Brick-fix tool V2' aimed at making the process less complex, a bit automated and easier to use, with the following changes:
  • After Brick-fix toolV2 has been installed using the Hikvision tftp updater, following the power cycle to activate and drop the payload, the camera will boot directly into 'min-system' mode with telnet and tftp access and a 'fixup' script ready and primed for use.
  • No web GUI access or Windows shares are needed to move files in and out of the camera.
  • The fixup script handles all the basics of extracting the original mtdblock6, importing and applying the user-modified mtdblock6 that has had the 'enhanced mtd hack', and initiating a firmware update.
  • The Brick-fix toolV2 automatically writes a valid template into mtdblock1 that stops cameras that originally had firmware 5.2.0 or 5.2.8 from otherwise going into a bricked state when newer firmware is applied.
  • Attached to this post are the resources required to convert your R0 / DS-2CD2x32 cameras into full English upgradeable devices.
  • The brick-fix tool V2 in both EN and CN header language versions (brick_fixv2.zip).
  • A required resource list and step-by-step guide to the fixup script.
  • A description of how to do the 'enhanced mtd hack' with screenshot with a list of devType codes for those cameras that have the masqueraded values.
  • A sample transcript of the fixup script going through all 3 stages - extract mtdblocks, import modded mtdblock6, apply firmware update.

edit 15Dec17 By popular request, a video worked example using a DS-2CD3332-I camera donated by a generous forum member.

edit 28Jan18 devType codes updated - thanks @hikcamuser

Resource List
Step By Step Guide:
Here are the steps to take when using the brick-fixV2 tool to recover a bricked camera, and running the fixup script to change the camera to English / upgradeable. The camera doesn't have to be bricked to run the brick-fix tool if all that's required is a helping hand doing the 'enhanced mtd hack'.
  1. Create a folder on the local drive of your Windows PC to hold the Hikvision tftp updater, the chosen tftp server program (e.g. jouinin.net version), the unzipped 'brick-fixV2' files, and the Hikvision firmware to use for updating. The HxD hex editor should be installed on the PC.
  2. With the PC and the camera each on a wired connection (not WiFi) set the PC IP address to 192.0.0.128, subnet mask to 255.255.255.0 The default gateway does not matter.
  3. Make a copy of brickfixV2EN and name it as digicap.dav If the EN version does not work, e.g. "System update completed" is not displayed in step 5 or you don't get the login prompt when trying to telnet in step 8, try the CN version.
  4. Start the Hikvision tftp updater tftpserve.exe and if a Windows firewall popup appears, click OK to accept what the program needs.
  5. Power on the camera and observe the status messages in the tftp updater. Hopefully you will see 'System update completed' after 2 or 3 minutes.
  6. Close the Hikvision tftp updater, delete the digicap.dev file from step 3 and make a copy of the Hikvision firmware to use for updating and name it digicap.dav.
  7. Power down the camera. At this point the brickfixV2 tool has been installed but not yet activated. Power on the camera to activate the tool, it will then drop the payload, fix up mtdblock1 and reboot into min-system mode for telnet access.
  8. Using PuTTY, start a telnet session to 192.0.0.64 and make sure the telnet radio button is selected. At the login prompt username=root password=12345. You should see a # prompt. The message "can't chdir to home directory '/root/'" isn't an error and can be ignored.
  9. Start the normal tftp server (not the Hikvision tftp updater). If it's the jouinin.net version, the program is tftpd32.exe

    At this point, Stage 1 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.​

    • On success with Stage 1, check the PC folder that the tftp server is running in for the presence of the file 'mtd6ro_orig'. You may have to hit F5 to refresh. Make a copy of mtd6ro_orig rename to mtd6ro_mod. Do the 'enhanced mtd hack' on it, using the instructions in the spoiler below.
  10. These are the steps that are used to do the 'enhanced mtd hack' to mtdblock6 in an R0 IP camera.
    • Extract a copy of mtdblock6 from the camera. The 'Brick-fixV2 tool / fixup script' will conveniently do this for you, or it could be done manually by other methods.
    • Make a copy of the mtdblock6 file and name it mtd6ro_mod
    • Open it with the HxD hex editor.
    • Referring to this image
      View attachment 24161
    • Check / change as needed the language byte at location 0x10 to ensure it is 01
    • Check the devType value in locations 0x64 and 0x65
    [*]
    If the value shown is FF98 - then the FF value needs to be replaced with the true numeric value. Ideally the true value is determined from the 'devType' line from the prtHardInfo shell command, but as that is going to be unavailable on a bricked camera use this (partial) cross-reference list, paying careful attention to the exact model number.

    There is some slight uncertainty here - it would be good if any forum members could confirm / supplement the content.

    devType - Model
    2698 - DS-2CD2032F-I
    2698 - DS-2CD2032F-IW
    0598 - DS-2CD2032-I
    0698 - DS-2CD2132-I
    1E98 - DS-2CD2132F-IS
    1E98 - DS-2CD2132F-IWS
    0798 - DS-2CD2232-I5
    0898 - DS-2CD2332-I
    1298 - DS-2CD2432F-IW
    1498 - DS-2CD2532F-IS
    1098 - DS-2CD2632F-IS
    0E98 - DS-2CD2732F-IS
    0698 - DS-2CD3132-I
    1C23 - DS-2DE2103-DE3/W
    2198 - DS-2CD2T32-I8​



    • Replace the FF in location 0x64 with the first 2 digits of the numeric devType value.
    • If location 0x64 already has a 2-digit numeric value, no change is needed.
    • Starting at location 0x09, drag to select and highlight a length of F4 bytes, as shown he the HxD bottom status bar.
    [*]
    Using the Analysis / Checksum menu, double-click Checksum-16 to calculate the new checksum. This will show as a 2 byte value in the Checksums tab at the bottom of the screen. These need to be applied using the correct 'endian-ness', which is the reverse of how the values are presented on the screen.

    The left hand byte (0x0C in the screenshot) is the most significant byte and should be used in location 0x05

    The right hand byte (0x5F in the screenshot) is the least significant byte and should be used in location 0x04

    Use your own just-calculated values - not those from the screenshot.

    Click File | Save and the mtd6ro_mod file has had the 'enhanced mtd hack' and is ready to be applied to the camera.

    This is done during Stage 2 of the fixup script in the brick-fixV2 tool.​


    Good luck!​



    At this point, Stage 2 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.

    This will bring in the modified mtd6ro_mod and apply it to the camera to convert it to English / upgradeable.

    At this point, Stage 3 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.

    This will attempt a firmware update using the Hikvision firmware file digicap.dav that you placed in the same folder as the tftp server.​
  11. Assuming a successful result, shut down the tftp server and power cycle the camera. Interestingly, on testing I did find that a straight jump to the 5.4.5 firmware version worked OK. YMMV. But worth trying.
  12. Start SADP and check for the camera presence running the firmware version used for the update.
  13. If you used the 5.4.5 firmware, the camera will require 'activation' with your choice of strong password.
    If already active, if earlier firmware was used for the upgrade, log in with the admin password=12345
    Change the IP address to what you want the camera to use.
How To Upgrade
  1. Rename the firmware to digicap.dav
  2. Put the firmware under the same folder of this TFTP
  3. Set the IP of computer as 192.0.0.128
  4. Camera's IP can be anyone.
  5. Run the tftpserv.exe
  6. Power off and power on the DVR/DVS/IPC. The device will search the new firmware and upgrade it automatically.
  7. Please wait until TFTP shows "Device [192.0.0.64] system update completed!" It takes about 5 minutes.
  8. Close the TFTP before the camera reboots.
  9. DVR/DVS/IPC will restart automatically after upgrading.
Thankyou! Worked like a beauty...

I have a bunch of DS-2CD6412FWD-20 that got unresponsive after upgrading from a 5.1.x firmware to 5.4.x version. Saw the warning in the firmware description to late... So they've been lying around since.
So now all are saved and working perfect again.

Happy New 2022!

/Thomas
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Extremely interesting, can you provide additional details about that?
Yes, is this what you are interested in :
Code:
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "8e5-1e0-573af102"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --reboot
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80" with "reboot"
[+] Remote is not vulnerable
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --cmd "ls -al"
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "8e5-1e0-573af102"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $
From this device :

1641681199710.png
 

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
Yes, is this what you are interested in :
Code:
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --check
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80"
[i] ETag: "8e5-1e0-573af102"
[-] Could not verify if vulnerable (Code: 500)
alastair@PC-I5 ~/coding_stuff/bashis_disclosures $ ./Hikvision_CVE-2021-36260_RCE_POC.py --rhost 192.168.1.64 --reboot
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
[*] Checking remote "192.168.1.64:80" with "reboot"
[+] Remote is not vulnerable
Thanks!

The 'Code: 500' above do indicate some potential issues, at least something went wrong. - May be good for exploitation perspective.
- However, it could also mean that something went wrong during extracting/unpack/point of 'language' - w/o any RCE possibility.

Nevertheless, the 'reboot' above are executed 'as it comes', It's like type 'reboot' in your terminal - if that busybox command exist of course.
(And, it's executed 'w/o write to file' like most other RCE, to were I'm looking if it's responding or not after 2 sec, if still responding - not vulnerable/exploitable)

I really do not think that is exploitable (please prove me wrong), but may be still vulnerable due to the 'Code: 500'
 

hploris

n3wb
Joined
Jan 21, 2022
Messages
5
Reaction score
2
Location
sao paulo
Boa noite a todos, sou novo por aqui, pode ser ate que nao seja o lugar correto, mas se alguem puder me ajudarCaptura de Tela (25).pngCaptura de Tela (25).png. Tenho um 2CD2432F-IW que travou em uso, nao consigo fazer qualquer alteração. No SADP responde TIMEOUT, botao de reset nao responde nem AC 12v nem com POE para reset. Ela sumiu com a porta 80 nao aceita nenhuma alteraçao de parametros e nao funciona o botao de reset. Alguem pode me ajudar? Sera que tem que fazer esse processo do brick? ou ela esta 'activa' e outro tratamento. qualquer comentario agradeço. muito obrigado, Um abraço.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Good night everyone, I'm new here, it may be until it's not the right place, but if anyone can help meScreenshot (25).png
Screenshot (25).png
. I have a 2CD2432F-IW that has caught in use, I can't make any changes. In SADP responds TIMEOUT, reset button does not respond neither AC 12v nor with POE for reset. She disappeared with port 80 does not accept any change of parameters and does not work the reset button. Can someone help me? Do you have to do this brick process? or it is 'active' and other treatment. any comment i thank you. Thank you very much, A hug.
The firmware version of 4.0.8 shows that the camera is operating in the 'min-system' mode.
This is a recovery mode due to a problem which stops it from booting normally.
There are no web services in this mode, no normal operation.

You will be able to make the camera work again using the BrickfixV2 method here :

A versão de firmware do 4.0.8 mostra que a câmera está operando no modo 'sistema min'.
Este é um modo de recuperação devido a um problema que o impede de inicializar normalmente.
Não há serviços web neste modo, nenhuma operação normal.
Você poderá fazer a câmera funcionar novamente usando o método BrickfixV2 aqui:
 

hploris

n3wb
Joined
Jan 21, 2022
Messages
5
Reaction score
2
Location
sao paulo
Boa noite a todos, sou novo por aqui, pode ser ate que nao seja o lugar correto, mas se alguem puder me ajudar View attachment 116422View attachment 116422. Tenho um 2CD2432F-IW que travou em uso, não posso fazer qualquer distinção. No SADP responde TIMEOUT, botao de reset nao responde nem AC 12v nem com POE para reset. Ela sumiu com a porta 80 nao aceita nenhuma alteraçao de parametros e nao funciona o botao de reset. Alguem pode me ajudar? Será que tem que fazer esse processo do brick? ou ela esta 'ativar' e outro tratamento. qualquer comentário. muito obrigado, Um abraço.
[/CITAR]

Ola bom dia, obrigado pela atenção! Apesar de para o meu nivel ser bastante complexo, vou tentar o passo a passo
Eque esta bastante detalhado. Obrigado
[/CITAR]
Ola boa noite a todos... Preparei todos os arquivos e aplicativos necessários e iniciei o passo a passo, fiquei muito contente quando vi a camera respondendo no TFTP.exe "systema atualizado completo" fiquei feliz ate o proximo passo onde PuTTY nao abriu...Captura de Tela (31).pngCaptura de Tela (28).png ..... Alguem tem ideia do que estou fazendo errado?? tentei com 32bits e 64bits sem sucesso e ate desliguei o firewall. Muito obrigado.
 

hploris

n3wb
Joined
Jan 21, 2022
Messages
5
Reaction score
2
Location
sao paulo
Ola boa noite a todos! Preparei todos os arquivos e aplicativo e iniciei o passo a passo, fiquei contente quando vi a camera responder no TFTP.exe "systema completo atualizado" very happy! ate o proximo passo o PuTTY nao abriu!?... alguem tem ideia do que estou fazendo errado? tentei com 32bits e 64bits sem sucesso, ate tirei firewall. Muito obrigado.Captura de Tela (31).pngCaptura de Tela (28).png PuTTY Fatal Error Network Connectio Refused.... ???
 

hploris

n3wb
Joined
Jan 21, 2022
Messages
5
Reaction score
2
Location
sao paulo
... erro de princípio!! mas o que importa mesmo que consegui na fase final atualizado!!! Estou muito feliz sr. Alastairstevenson muito atencioso e o passo a passo e tao bem feito que ate eu consegui.!! muito obrigado a todos que tornarao isso possivel!! Ainda com algum problema na rede locall,,, mas olha ela de volta a vida!!Captura de Tela (37).pngCaptura de Tela (38).png..... vou parar por hoje, depois coloco em rede. Thanks so much!!!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
... error of principle!! but what does it really matter that I got in the final stage updated!!! I'm very happy, sir. Alastairstevenson very attentive and step by step and so well done that even I managed.!! thank you very much to everyone who will make this possible!! Still with some problem on the locall ,,, but look at her back to life!! Screenshot (37.pngScreenshot (38).png..... I'm going to stop for the day, then I'll network. Thanks so much!!
A good result - well done!
 

freeold

n3wb
Joined
Nov 22, 2020
Messages
2
Reaction score
1
Location
France
Hello,
I upgraded the original firmware of a DS-2CD2032-I that I bought a long time ago on Aliexpress using the method describe and now I can install new firmware with Internet Explorer browser or iVMS-4200 software.
All is working correctly but during the upgrade process I lost the admin user name and have only my one user as operateur with all grant but who is different to admin name and cannot create a new user like "admin" or an other name.
That strange also if some one could help me how manage this issue that will nice.
Thanks.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I lost the admin user name and have only my one user as operateur with all grant but who is different to admin name and cannot create a new user like "admin" or an other name.
Assuming the existing user can do this - maybe try resetting to factory defaults and 'activating' the camera.
This should clear the configuration database and re-populate it as normal.
 

freeold

n3wb
Joined
Nov 22, 2020
Messages
2
Reaction score
1
Location
France
Assuming the existing user can do this - maybe try resetting to factory defaults and 'activating' the camera.
This should clear the configuration database and re-populate it as normal.
Thanks, I have reset the camera as you said using is button and shuting down the power. That's works perfectly now I can see the admin user name that I lost before and can access to the function create a new user to add one.
 
Joined
May 11, 2020
Messages
9
Reaction score
2
Location
va
First off, big thanks to alastairstevenson.
Fixed six DS-2cd2232-IM with no problems with your debrick tool. Thanks to everyone who asked questions also, it helps alot. quick Something that helped me with long boot loop was another thread where someone had checked for water damage whlie fixing rj45 plug and they removed the lens ribbon to check for any damage inside.. I just happened to look for a reset button on a different brand DS-2cd2232-IM and removed the lens ribbon. i redid the ribbon, (found it easiest to put it on camera first then the lens) and it showed fw5.2.5. and now running 5.4.5. Worth checking if all else is failing, It worked for me :)

One question I have , has anyone use the fw IPC_R0_EN_STD_5.4.800_210813? It is on the hikvisioneurope portal but I search and found nothing on it here or anywhere else. Has anyone tried it? Is there any reason to or not to upgrade to it. I am happy with 5.4.5 but worry it might fix a another backdoor. I am a little shy of loading anything without asking with the update game they play LOL.

Thanks again to all and Stay healthy and safe. Merry Christmas!
I went ahead and loaded the 5.4.8 fw on to a DS-2CD2232-IM with china serial #, (just one of six for now). So far no problems over 24hrs. I will let you know if there is any problems down the line.

I always wonder if the updates are protecting us from a backdoor or creating a backdoor? I am not too worried about it. I am just starting out with IPCams so I went with used ebay cameras where the price of 6 used was the same as 1 new, ran some cat 5e and only have 2 rules, don't point the cameras at anything you don't want others to see and protect the home network. Not sure how I'm going to do that yet but am still in the research phase. my internet is tops out at 1.5mb but have fiber box on the house and just waiting for final install of 1gig internet so that will open the cloud options or my own ftp.

Thanks again for everything you and everyone else do here.
I too am curious what this firmware is about. Very frustrating that no release notes are included. It would seem logical that it might address some vulnerability because why else would they release a new firmware for such an old platform? Besides this thread, the only other search results I can find is in the use-IP thread where one person says the Encoding Version changed to V5.0 build 181011 and there's an audio bug with this version. Is there any way to compare the firmware file against another firmware file to identify the changes? Would anyone recommend that I update my CN > EN converted DS-2CD2332-I and DS-2CD2312-I from V5.4.5_170401 to this new V5.4.800_210813?
 
Top