- May 4, 2017
I have been wanting to take apart my Hikvision DVR (DS-7204 HGHI-SH) and I have finally begun by using the hikpack tool by @montecrypto amongst several others (binwalk, mkcramfs, bless).
Firstly hikpack doesn't directly support this DVR but I have got round that mostly... but this is where I am:
* downloaded firmware update and extracted digicap.dav
This actually contains two images, a 108 byte header + cramfs.img + new_20.bin along with another 108 byte header + cramfs.img + new_20.bin after it. Using a hex editor I carved out each one and saved them to individual digicap.dav files and tested the firmwares on the DVR, the first one failed but the second one worked so I am working with the second now.
Used binwalk to extract the cramfs.img and its contents and hikpack (using switch -t k41) to extract the header from the digicap.dav
Validated using file hashing that the hikpack encryption and decryption was working (-t k41) correctly for this DVR model firmware and I can confirm it is.
I was able to use mkcramfs to create a new cramfs.img using the unmodified files extracted from the original cramfs.img and repack the digicap.dav using the original header and new cramfs.img containing unmodified files. Hikpack recreated a new_20.bin but I also needed to adjust the devclass manually to match the original.
Firmware upgrade successful, so I know I have the right tools to do the job! Thank you everyone for that as it was your knowledge, hard work and tools that helped me.
Now... The problem I have when I repeat the process and modify a file.
unpack everything...
decrypt start.sh, modify file, encrypt start.sh, run md5sum against encrypted start.sh
decrypt new_10.bin, change md5sum value against start.sh, encrypt new_10.bin
repack everything as before but now the firmware fails??? I suspect that there is another checksum that needs altering but I cannot find where....
I repeated both processes again for sanity check but as soon as I change anything the firmware fails even with updating the new_10.bin file with the MD5 from the modified encrypted file.
The help I need, beyond the obvious, is what is contained in the new_20.bin? Is there anything else I should be looking for or modifying? Basically, help!
Thank you everyone and keep up the good work!