R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,964
Reaction score
6,794
Location
Scotland
About DS-2CD2532F-IWS after upgrade to V5.4.42build 171030, I cannot anymore get in the cameras because of MishMash language.
That sounds like it is a Chinese camera, 'bricked' by the EN/ML firmware update.

I tried to downgrade to v5.2
No longer possible due to the 'downgrade block' from the attempted update even if the update was not successful.

connect is going on with the IP, it looks like the server cannot find the device
The camera has to find the Hikvision tftp updater.
Confirm you are not using a normal tftp server?
Also confirm that the camera and PC are wired to a switch / router (not connected directly together) and the camera is powered by a 12v supply (not PoE)
 

Jean Marc

n3wb
Joined
Apr 29, 2019
Messages
6
Reaction score
2
Location
Cyprus
That sounds like it is a Chinese camera, 'bricked' by the EN/ML firmware update.

Exactly the case!!

No longer possible due to the 'downgrade block' from the attempted update even if the update was not successful.

Yep, sadly I understood that

The camera has to find the Hikvision tftp updater.
Confirm you are not using a normal tftp server?
Also confirm that the camera and PC are wired to a switch / router (not connected directly together) and the camera is powered by a 12v supply (not PoE)
I use the Hikvision tftp updater. BUT, I connected the camera directly on the PC. I will try by connecting them to the router and come back to give the result.
Thanks.
 

nambi

Getting the hang of it
Joined
Jul 2, 2014
Messages
101
Reaction score
3
I use the Hikvision tftp updater. BUT, I connected the camera directly on the PC. I will try by connecting them to the router and come back to give the result.
Thanks.
Firstly, did you set your computer IP to 192.0.0.128? If not, it simply will not work. Also, I use a switch to do this, not a router. A switch won't try to assign it an IP address; a router will, and the router may assign it an IP address which won't work. A router can act like a switch if you turn off DHCP, but you may need help setting it up again. If you have an old router, factory reset it, log in, turn off DHCP (make it run like a switch), do your upgrades on the cams and then factory reset the router back to normal (it will need to be reprogrammed after). This would eliminate any IP issues.

When you have all the IPs set, you will have your computer going into the switch and the camera into the same switch. You load the TFTP update server on the computer, and in the same directory you have the digicap.dev file (the mini system one; this one is needed to get into the cam, not the one from Hikvision). Then power off the cam and power it back on (I use an external power adapter for my cams to do this) and all of a sudden you will see the TFTP server window activate and a message about the firmware being uploaded. Make sure you close the TFTP server program after you see it say success; if you don't, the next time you power cycle the cam it will again upload the firmware. That will get you through the 1st part.
 

Jean Marc

That sounds like it is a Chinese camera, 'bricked' by the EN/ML firmware update.


No longer possible due to the 'downgrade block' from the attempted update even if the update was not successful.


The camera has to find the Hikvision tftp updater.
Confirm you are not using a normal tftp server?
Also confirm that the camera and PC are wired to a switch / router (not connected directly together) and the camera is powered by a 12v supply (not PoE)
It works, I am now to use HxD but I don't find the Device type code for DS-2CD2532F-IWS to progress.
 

Jean Marc

That sounds like it is a Chinese camera, 'bricked' by the EN/ML firmware update.


No longer possible due to the 'downgrade block' from the attempted update even if the update was not successful.


The camera has to find the Hikvision tftp updater.
Confirm you are not using a normal tftp server?
Also confirm that the camera and PC are wired to a switch / router (not connected directly together) and the camera is powered by a 12v supply (not PoE)
Thank you so much for your help, it works like a charm. I thought that I couldn't use anymore my cameras and they are back to life. Thanks again.
 

Jean Marc

Firstly, did you set your computer IP to 192.0.0.128? If not, it simply will not work. Also, I use a switch to do this, not a router. A switch won't try to assign it an IP address; a router will, and the router may assign it an IP address which won't work. A router can act like a switch if you turn off DHCP, but you may need help setting it up again. If you have an old router, factory reset it, log in, turn off DHCP (make it run like a switch), do your upgrades on the cams and then factory reset the router back to normal (it will need to be reprogrammed after). This would eliminate any IP issues.

When you have all the IPs set, you will have your computer going into the switch and the camera into the same switch. You load the TFTP update server on the computer, and in the same directory you have the digicap.dev file (the mini system one; this one is needed to get into the cam, not the one from Hikvision). Then power off the cam and power it back on (I use an external power adapter for my cams to do this) and all of a sudden you will see the TFTP server window activate and a message about the firmware being uploaded. Make sure you close the TFTP server program after you see it say success; if you don't, the next time you power cycle the cam it will again upload the firmware. That will get you through the 1st part.
Thanks for your help, I could update until the end, everything is perfect.
 

Japtastic

n3wb
Joined
Feb 24, 2020
Messages
8
Reaction score
0
Location
U
Sorry to ask a possibly dumb question but I'm trying to update currently operational 3x CN DS-2CD2332I that currently have English menus to 5.5.41. Is this possible?

Edit: Just realised that the firmware I'm on with these cams may be safe already and no need to update? It's odd actually as none of my cameras are public-facing but are connected to a diskstation and Synology Surveillance Station which does have a public-facing IP. Passwords seem to be getting changed occasionally.... 5.2.5 Build 141201 and 5.3.3 Build 150803
 

alastairstevenson

I'm trying to update currently operational 3x CN DS-2CD2332I that currently have English menus to 5.5.41. Is this possible?
Yes, the brickfixV2 method will allow conversion from CN to EN, then an update direct to 5.4.5 and then to the last update 5.4.41 via the web GUI.
the firmware I'm on with these cams may be safe already and no need to update?
Those are very old firmware versions with various vulnerabilities. Including the Hikvision backdoor.

none of my cameras are public-facing
Passwords seem to be getting changed occasionally
That does suggest that they are exposed to the internet - or to a compromised LAN device.
The cameras may have UPnP enabled, which if also enabled on your LAN router/gateway, will allow inbound access without you explicitly configuring it.
Check using a service such as ShieldsUp! (GRC | ShieldsUP! — Internet Vulnerability Profiling).
Use the full port scan, and also check port 8000
If the passwords are changed again - try 1111aaaa and asdf1234
If those work - the cameras have been hacked.

Synology Surveillance Station which does have a public-facing IP.
That presents a high risk to your devices and data, whatever passwords you have set.
There are multiple NAS-specific malware tools out there that exploit vulnerabilities in that NAS.
 

Japtastic

Thanks for the reply. Because they are not currently bricked, do I still need to change my IP? If so, should I also change the camera I want to start with to 192.0.0.64 before starting the process?
 

OICU2

BIT Beta Team
Joined
Jan 12, 2016
Messages
831
Reaction score
1,365
Location
USofA
Is 5.4.5 the latest or 5.4.41? If 5.4.41, that doesn't make sense numerical wise, does it?
 

alastairstevenson

The download page on this site shows 5.4.5 as being the last?
Yes, I too had thought that 5.4.5 was the last, based on the common method of naming the versions, until I unpacked the firmware and took a peek inside.

edit
See also this :
The 5.4.41 firmware version is the first that Hikvision officially issued that had the infamous 'Hikvision backdoor' vulnerability fixed although this vulnerability appears to be also fixed in the 5.4.5 version.
Also I've amended the comment on the 5.4.5 version.
 

Uo9Q8N8uC

n3wb
Joined
Feb 24, 2020
Messages
1
Reaction score
2
Location
Earth
The original 'brick-fix tool' and 'enhanced mtd hack' has proven pretty useful for those with R0 cameras that had been bricked by doing a firmware update.
It's been even more useful to deal with the fallout from the 'Hikvision backdoor' disclosure where so many people are finding their cameras are being messed with from the internet, mischievously or maliciously, and need to update to safer firmware.
However - the rather techy original method to make the changes, and probably my not-very-clear instructions have been a challenge for some people.
* And I only just noticed this - my original .txt attachments were in Linux format, not Windows format, making them hard to read without proper line breaks. And no-one let me know! Dohh! *

So here is 'Brick-fix tool V2' aimed at making the process less complex, a bit automated and easier to use, with the following changes:
  • After Brick-fix toolV2 has been installed using the Hikvision tftp updater, following the power cycle to activate and drop the payload, the camera will boot directly into 'min-system' mode with telnet and tftp access and a 'fixup' script ready and primed for use.
  • No web GUI access or Windows shares are needed to move files in and out of the camera.
  • The fixup script handles all the basics of extracting the original mtdblock6, importing and applying the user-modified mtdblock6 that has had the 'enhanced mtd hack', and initiating a firmware update.
  • The Brick-fix toolV2 automatically writes a valid template into mtdblock1 that stops cameras that originally had firmware 5.2.0 or 5.2.8 from otherwise going into a bricked state when newer firmware is applied.
  • Attached to this post are the resources required to convert your R0 / DS-2CD2x32 cameras into full English upgradeable devices.
  • The brick-fix tool V2 in both EN and CN header language versions (brick_fixv2.zip).
  • A required resource list and step-by-step guide to the fixup script.
  • A description of how to do the 'enhanced mtd hack' with screenshot with a list of devType codes for those cameras that have the masqueraded values.
  • A sample transcript of the fixup script going through all 3 stages - extract mtdblocks, import modded mtdblock6, apply firmware update.

edit 15Dec17 By popular request, a video worked example using a DS-2CD3332-I camera donated by a generous forum member.

edit 28Jan18 devType codes updated - thanks @hikcamuser

Resource List
Step By Step Guide:
Here are the steps to take when using the brick-fixV2 tool to recover a bricked camera, and running the fixup script to change the camera to English / upgradeable. The camera doesn't have to be bricked to run the brick-fix tool if all that's required is a helping hand doing the 'enhanced mtd hack'.
  1. Create a folder on the local drive of your Windows PC to hold the Hikvision tftp updater, the chosen tftp server program (e.g. jouinin.net version), the unzipped 'brick-fixV2' files, and the Hikvision firmware to use for updating. The HxD hex editor should be installed on the PC.
  2. With the PC and the camera each on a wired connection (not WiFi) set the PC IP address to 192.0.0.128, subnet mask to 255.255.255.0. The default gateway does not matter.
  3. Make a copy of brickfixV2EN and name it as digicap.dav. If the EN version does not work, e.g. "System update completed" is not displayed in step 5 or you don't get the login prompt when trying to telnet in step 8, try the CN version.
  4. Start the Hikvision tftp updater tftpserve.exe and if a Windows firewall popup appears, click OK to accept what the program needs.
  5. Power on the camera and observe the status messages in the tftp updater. Hopefully you will see 'System update completed' after 2 or 3 minutes.
  6. Close the Hikvision tftp updater, delete the digicap.dav file from step 3 and make a copy of the Hikvision firmware to use for updating and name it digicap.dav.
  7. Power down the camera. At this point the brickfixV2 tool has been installed but not yet activated. Power on the camera to activate the tool, it will then drop the payload, fix up mtdblock1 and reboot into min-system mode for telnet access.
  8. Using PuTTY, start a telnet session to 192.0.0.64 and make sure the telnet radio button is selected. At the login prompt username=root password=12345. You should see a # prompt. The message "can't chdir to home directory '/root/'" isn't an error and can be ignored.
  9. Start the normal tftp server (not the Hikvision tftp updater). If it's the jouinin.net version, the program is tftpd32.exe

    At this point, Stage 1 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.

    • On success with Stage 1, check the PC folder that the tftp server is running in for the presence of the file 'mtd6ro_orig'. You may have to hit F5 to refresh. Make a copy of mtd6ro_orig and rename it to mtd6ro_mod. Do the 'enhanced mtd hack' on it, using the instructions in the spoiler below.
  10. These are the steps that are used to do the 'enhanced mtd hack' to mtdblock6 in an R0 IP camera.
    • Extract a copy of mtdblock6 from the camera. The 'Brick-fixV2 tool / fixup script' will conveniently do this for you, or it could be done manually by other methods.
    • Make a copy of the mtdblock6 file and name it mtd6ro_mod
    • Open it with the HxD hex editor.
    • Referring to this image
      View attachment 24161
    • Check / change as needed the language byte at location 0x10 to ensure it is 01
    • Check the devType value in locations 0x64 and 0x65
    • If the value shown is FF98 - then the FF value needs to be replaced with the true numeric value. Ideally the true value is determined from the 'devType' line from the prtHardInfo shell command, but as that is going to be unavailable on a bricked camera use this (partial) cross-reference list, paying careful attention to the exact model number.

    There is some slight uncertainty here - it would be good if any forum members could confirm / supplement the content.

    devType - Model
    2698 - DS-2CD2032F-I
    2698 - DS-2CD2032F-IW
    0598 - DS-2CD2032-I
    0698 - DS-2CD2132-I
    1E98 - DS-2CD2132F-IS
    1E98 - DS-2CD2132F-IWS
    0798 - DS-2CD2232-I5
    0898 - DS-2CD2332-I
    1298 - DS-2CD2432F-IW
    1498 - DS-2CD2532F-IS
    1098 - DS-2CD2632F-IS
    0E98 - DS-2CD2732F-IS
    0698 - DS-2CD3132-I
    1C23 - DS-2DE2103-DE3/W
    2198 - DS-2CD2T32-I8

    • Replace the FF in location 0x64 with the first 2 digits of the numeric devType value.
    • If location 0x64 already has a 2-digit numeric value, no change is needed.
    • Starting at location 0x09, drag to select and highlight a length of F4 bytes, as shown in the HxD bottom status bar.
    • Using the Analysis / Checksum menu, double-click Checksum-16 to calculate the new checksum. This will show as a 2 byte value in the Checksums tab at the bottom of the screen. These need to be applied using the correct 'endian-ness', which is the reverse of how the values are presented on the screen.

    The left hand byte (0x0C in the screenshot) is the most significant byte and should be used in location 0x05

    The right hand byte (0x5F in the screenshot) is the least significant byte and should be used in location 0x04

    Use your own just-calculated values - not those from the screenshot.

    Click File | Save and the mtd6ro_mod file has had the 'enhanced mtd hack' and is ready to be applied to the camera.

    This is done during Stage 2 of the fixup script in the brick-fixV2 tool.

    Good luck!

    At this point, Stage 2 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.

    This will bring in the modified mtd6ro_mod and apply it to the camera to convert it to English / upgradeable.

    At this point, Stage 3 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.

    This will attempt a firmware update using the Hikvision firmware file digicap.dav that you placed in the same folder as the tftp server.
  11. Assuming a successful result, shut down the tftp server and power cycle the camera. Interestingly, on testing I did find that a straight jump to the 5.4.5 firmware version worked OK. YMMV. But worth trying.
  12. Start SADP and check for the camera presence running the firmware version used for the update.
  13. If you used the 5.4.5 firmware, the camera will require 'activation' with your choice of strong password.
    If already active, if earlier firmware was used for the upgrade, log in with the admin password=12345
    Change the IP address to what you want the camera to use.
How To Upgrade
  1. Rename the firmware to digicap.dav
  2. Put the firmware under the same folder of this TFTP
  3. Set the IP of computer as 192.0.0.128
  4. Camera's IP can be anyone.
  5. Run the tftpserv.exe
  6. Power off and power on the DVR/DVS/IPC. The device will search the new firmware and upgrade it automatically.
  7. Please wait until TFTP shows "Device [192.0.0.64] system update completed!" It takes about 5 minutes.
  8. Close the TFTP before the camera reboots.
  9. DVR/DVS/IPC will restart automatically after upgrading.
Thanks for this post. Saved two bricked 2532's that were CN versions flashed with EN firmware.
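
The hex-editor steps quoted above can be checked before Stage 2 writes the file to the camera. This is an added example, not part of the original post or the brick-fix tool: it compares mtd6ro_mod with mtd6ro_orig and confirms that only the documented offsets changed and that the checksum matches. It assumes HxD's Checksum-16 is the plain 16-bit sum of the selected bytes; the sample block and its 0x02 language byte are constructed.

```python
import struct

CKSUM_OFF = 0x04                     # LSB stored at 0x04, MSB at 0x05
LANG_OFF = 0x10                      # language byte, must be 01
DEVTYPE_OFF = 0x64                   # first devType byte, must not be FF
SUM_START, SUM_LEN = 0x09, 0xF4      # range the guide selects in HxD
ALLOWED_EDITS = {0x04, 0x05, LANG_OFF, DEVTYPE_OFF}


def checksum16(data):
    """16-bit byte sum over 0x09..0xFC (assumed meaning of HxD Checksum-16)."""
    return sum(data[SUM_START:SUM_START + SUM_LEN]) & 0xFFFF


def apply_checksum(data):
    """Return a copy with the checksum written little-endian at 0x04/0x05."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, CKSUM_OFF, checksum16(buf))
    return bytes(buf)


def check_mod(orig, mod):
    """Return a list of problems found in the edited block; empty means OK."""
    if len(mod) != len(orig) or len(mod) < SUM_START + SUM_LEN:
        return ["file size changed or too short"]
    problems = []
    if mod[LANG_OFF] != 0x01:
        problems.append("language byte at 0x10 is %02X, expected 01" % mod[LANG_OFF])
    if mod[DEVTYPE_OFF] == 0xFF:
        problems.append("devType byte at 0x64 is still FF")
    stored = struct.unpack_from("<H", mod, CKSUM_OFF)[0]
    if stored != checksum16(mod):
        problems.append("checksum mismatch: stored %04X, computed %04X"
                        % (stored, checksum16(mod)))
    stray = [hex(i) for i, (a, b) in enumerate(zip(orig, mod))
             if a != b and i not in ALLOWED_EDITS]
    if stray:
        problems.append("unexpected changes at " + ", ".join(stray))
    return problems


def make_sample():
    """Constructed 256-byte stand-in for mtd6ro_orig (not real camera data)."""
    buf = bytearray(0x100)
    buf[LANG_OFF] = 0x02                             # constructed non-01 value
    buf[DEVTYPE_OFF:DEVTYPE_OFF + 2] = b"\xFF\x98"   # masqueraded devType
    return apply_checksum(buf)


if __name__ == "__main__":
    orig = make_sample()
    mod = bytearray(orig)
    mod[LANG_OFF] = 0x01
    mod[DEVTYPE_OFF] = 0x14          # 1498 = DS-2CD2532F-IS in the list above
    print(check_mod(orig, bytes(mod)))        # stale checksum is reported
    print(check_mod(orig, apply_checksum(mod)))   # [] once checksum is updated
```

For real use, read the two files from the tftp server folder with `open(path, "rb").read()` and pass them to `check_mod`.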
 

Japtastic

I've managed to upgrade all of the cameras now. Many thanks for your hard work and advice.
 

axel cruz

n3wb
Joined
Feb 26, 2020
Messages
1
Reaction score
0
Location
Honduras
My problem is that completing all the steps eh starting the camera again deletes all the configuration that I can do?
 

alastairstevenson

My problem is that completing all the steps eh starting the camera again deletes all the configuration that I can do?
That's normal for any firmware update using the Hikvision tftp updater - it's by design.
Also - the way in which configuration data is stored and used internally by the firmware varies with the firmware versions, so a 'reset to defaults' is needed when jumping over the main versions.
 

cbann

n3wb
Joined
Mar 6, 2020
Messages
4
Reaction score
0
Location
Sydney
I'm looking for some advice please. I suspect I've bricked my camera. I may be in the wrong subject group, if so sorry.

I have a DS-2CD2355FWD-I that I bought in Oz from an eBay vendor 2yrs ago, but never put it into operation. The camera worked but I was never able to upgrade the firmware using the Web Gui (I use Chrome). After reading other material on the web, I suspect now that a browser plugin was required before this could work.

I read about TFTP and tried that for a firmware upgrade. I have attached a screen shot of that in operation. Whilst the process appeared to start, it never finished (even after 1hr) and the camera stayed on with the IR light illuminated. I'm not sure why there are multiple "connection sucess" messages or "Starting..." messages.

Now the camera at power on turns on the IR light for about 5 secs, then turns it off (boot up seq?). I can no longer browse to the IP address of the camera.

Clearly, I need to start again with something. Will the "brick fix" method documented here ALSO work with my model?

Many thanks,
Craig
 
