root access to hik cam

markfree

I have a DS-2CD2543G2-IWS Hikvision camera V5.7.12 build 221201.
Its SSH access is protected, so I wish to access its unprotected shell as root.

It is using this official firmware from Hikvision. Also, it seems to be the same as this one from Hikvisioneurope.

I found this post with a firmware "unpacker", but I'm not really sure what to do next.

I was able to extract the dav file "header", but now what?
Bash:
$ ./hikpack -t r6 -x digicap.dav -o extract
Magic   : 484b3230
hdr_crc : 00001fe1 (OK)
frm_flg : 2400050041111110011
Bash:
$ ls -lah extract/
-rw-r--r-- 1 user user  108 Jan 21 17:46 header_20
I don't get how to modify this binary header file or to unlock SSH with it.

I also tried to use this firmware mod tool, but could not reach success, and I'm not sure this tool is compatible with my camera.

It shows me the firmware data.
Code:
PS > .\hiktools05R1.exe .\digicap.dav
HIK firmware header converter 0.5R

Head raw data(108b) :
00000000 8A FF F7 B6 37 D5 DD D3 D6 B9 A3 AB BF CB B5 BE    ....7...........
00000010 46 94 36 D2 CB DD D3 BA 46 5C 54 40 34 4A 41 45    F.6.....F\T@4JAE
00000020 43 01 29 35 22 2C 45 46 5C 54 40 34 87 8A 8A FD    C.)5",EF\T@4....
00000030 CE E3 FA ED E7 8B 88 92 9A 8E FA 85 8E 8B FC BC    ................
00000040 D6 CB DD D3 BA B9 53 AB 8D FF 85 8E 8A F8 8C CE    ......S.........
00000050 FE EC E2 8B 88 92 9A 8F FB 84 8F BA CC BC FE D6    ................
00000060 B1 D3 BA B9 BC 83 77 CF A6 A5 9C AF

Head decoded data(108b) :
00000000 30 32 4B 48 E1 1F 00 00 6C 00 00 00 00 00 00 00    02KH.▼..l.......
00000010 8B 28 C8 04 01 00 00 00 FF FF FF FF FF FF FF FF    .(..............
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 32 34 30 30    ............2400
00000030 30 35 30 30 34 31 31 31 31 31 31 30 30 31 31 00    050041111110011.
00000040 00 01 00 00 00 00 F0 00 32 34 30 30 30 35 30 30    ........24000500
00000050 34 31 31 31 31 31 31 30 30 31 31 00 01 00 00 00    41111110011.....
00000060 6C 00 00 00 1F 28 C8 04 13 1B 26 62

Magic number :    0x484B3230
iHeaderCheckSum : 0x00001FE1 [8161]
iHeadTotalLen :   0x0000006C [108]
iFileNum :        0x00000000 [0]
iLanguage :       0x04C8288B [80226443]
iDeviceClass :    0x00000001
iOEMCode :        0xFFFFFFFF
iFirmwareVer :    0xFFFFFFFF
iFeature:         0xFFFFFFFF
Calculated CheckSum :        0x00001FE1 [8161]

Full decoded data (with full files block):
00000000 30 32 4B 48 E1 1F 00 00 6C 00 00 00 00 00 00 00    02KH.▼..l.......
00000010 8B 28 C8 04 01 00 00 00 FF FF FF FF FF FF FF FF    .(..............
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 32 34 30 30    ............2400
00000030 30 35 30 30 34 31 31 31 31 31 31 30 30 31 31 00    050041111110011.
00000040 00 01 00 00 00 00 F0 00 32 34 30 30 30 35 30 30    ........24000500
00000050 34 31 31 31 31 31 31 30 30 31 31 00 01 00 00 00    41111110011.....
00000060 6C 00 00 00 1F 28 C8 04 13 1B 26 62
I can try to extract what would be the main section of the firmware file, but the destination folder comes out empty.
Code:
PS > .\hiktools05R1.exe split .\digicap.dav destfolder
PS > dir .\destfolder\
Any tips on what to do next?
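
Added example, not part of the original post and not code from hikpack or hiktools: a Python reader for the decoded 108-byte header quoted above, using the field names hiktools prints and the `frm_flg` name hikpack prints. The checksum rule (sum of the bytes from offset 12 to the end of the header) is an assumption inferred from this dump, where it reproduces the reported 0x1FE1; the function and constant names are hypothetical.

```python
import struct

# Decoded header bytes, copied from the "Head decoded data" dump in the post.
DECODED_HEADER = bytes.fromhex("""
30 32 4B 48 E1 1F 00 00 6C 00 00 00 00 00 00 00
8B 28 C8 04 01 00 00 00 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF 32 34 30 30
30 35 30 30 34 31 31 31 31 31 31 30 30 31 31 00
00 01 00 00 00 00 F0 00 32 34 30 30 30 35 30 30
34 31 31 31 31 31 31 30 30 31 31 00 01 00 00 00
6C 00 00 00 1F 28 C8 04 13 1B 26 62
""")

# Names as printed by hiktools: nine little-endian 32-bit words from offset 0.
FIELDS = ("magic", "iHeaderCheckSum", "iHeadTotalLen", "iFileNum", "iLanguage",
          "iDeviceClass", "iOEMCode", "iFirmwareVer", "iFeature")
FLAG_OFFSET = 0x2C    # ASCII string that hikpack prints as frm_flg
CHECKSUM_START = 12   # assumption inferred from this dump: sum covers bytes 12..end


def parse_header(data: bytes) -> dict:
    """Parse an already-decoded header and recompute its checksum."""
    if len(data) < 4 * len(FIELDS):
        raise ValueError("header too short")
    hdr = dict(zip(FIELDS, struct.unpack_from("<9I", data, 0)))
    if hdr["magic"] != 0x484B3230:
        raise ValueError("unexpected magic 0x%08X" % hdr["magic"])
    total = hdr["iHeadTotalLen"]
    if not FLAG_OFFSET < total <= len(data):
        raise ValueError("iHeadTotalLen is inconsistent with the data supplied")
    data = data[:total]  # ignore anything after the header
    flag = data[FLAG_OFFSET:].split(b"\x00", 1)[0]  # NUL-terminated string
    hdr["frm_flg"] = flag.decode("ascii", errors="replace")
    hdr["calculated_checksum"] = sum(data[CHECKSUM_START:]) & 0xFFFFFFFF
    hdr["checksum_ok"] = hdr["calculated_checksum"] == hdr["iHeaderCheckSum"]
    return hdr


if __name__ == "__main__":
    for name, value in parse_header(DECODED_HEADER).items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = "0x%08X" % value
        print("%-20s %s" % (name, value))
```

On this header the word that hiktools labels `iFileNum` parses as 0, which is consistent with the empty `split` output shown in the post.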
 