[Solved] DS-2CD2185FWD-I Firmware dump

[Maki_mitz]

Hello everyone,

Actually I'm trying to dump the DS -2CD2125FWD-I firmware. I tried those different method:

• Building an ARMv7 kernel from scratch and boot via TFTP, but I don't have Device Tree Blob for the Amarella board... So, addresses etc.. Seems not good ;
• Decrypt the digicap.dav with tools found on this forum (hikpack for example), but the actuel firmware seems to be too recent, so tools can't decrypt it ;
• Chip off the flash and dig into memory blocks, but I probably broke something will doing it.

So, if someone know a way to dump the firmware, I'll really appreciate the help. Or if someone has the secret key for "digicap.dav", it would be perfect too.
Thanks in advance.
Best regards.

 

[Maki_mitz]

What firmware file are you trying to unpack?

I tried with the firmware on this page : DS-2CD2185FWD-I(S)

 

[Maki_mitz]

The hikpack (see in attached picture) i'm using doesn't support G1 firmware... Is the version 2.5 the latest ? If no, you didn't manage to find a newer version.

For the SDK, I see... So my kernel can't be a right one lol. Thanks for the help !

 

[Maki_mitz]

Oops, sorry for the typo ! I didn't manage to find a newer version.

 

[alastairstevenson]

Chip off the flash and dig into memory blocks, but I probably broke something will doing it.

Given the availability of a suitable test clip that works for whatever type of flash chip that camera uses - usually an 'in-situ' read works OK.

Alternatively - check what useful flash commands if any remain in the bootloader.
You may be able to dump the flash directly and transfer out over tftp.

Also - and this is optimistic as Hikvision started disabling this method a while back - if you can add
init=/bin/sh single debug
to the bootargs environment variable, you might be able to boot it to a root shell, in which case the flash partitions can be extracted.

 

[Maki_mitz]

Given the availability of a suitable test clip that works for whatever type of flash chip that camera uses - usually an 'in-situ' read works OK.

Alternatively - check what useful flash commands if any remain in the bootloader.
You may be able to dump the flash directly and transfer out over tftp.

Also - and this is optimistic as Hikvision started disabling this method a while back - if you can add
init=/bin/sh single debug
to the bootargs environment variable, you might be able to boot it to a root shell, in which case the flash partitions can be extracted.

Yes, I wanted to do this, but I only have few commands. Mainly for update actions :/
Do you see something helpful in the available commands ?

 

[alastairstevenson]

No useful flash commands in the bootloader.

But @watchful_ip suggestion is a good one, go for it.

 

[Maki_mitz]

It works ! Huge thanks to @watchful_ip and @alastairstevenson !

I just downloaded the image here : Hikvision G1 5.5+ firmware Exploring the Cam & attempting unlock
Setup my TFTP and run "upf" ! Little cold sweat during the update, but it works fine

My U-Boot version is : Boot 3.1.6-540659 (Jun 4 2019-17:55:37)