Un-brick cameras patched via the camera region patch in this forum (5.2.8 to 5.2.5)

vasir (n3wb), Feb 14, 2015
First of all I would like to thank all the other "good guys" here that shared their code with all of us (networkcameracritic and a few others).
Second, please do not bother me with your negative messages ... I simply don't care. I hate it when people milk extremely simple solutions and seek monetary support for something they did not work on or create.
This method can be modified and extended to do a lot more .... this is simply to get you started on un-bricking your device without selling your first born.

My motivation for doing this:

Why?
Simple: for me the default Chinese language could be bypassed with the trick mentioned many times in this forum. Use Chrome and let it translate for you.

I purchased a few cameras from eBay and installed them, but when I updated the cameras they went back to Chinese ... which is still ok. Then I used networkcameracritic's patch method without paying attention that my cameras were all shipped with 5.2.8, so I bricked 3 of them and STOPPED!!! BUT I was wondering if these cameras were somehow altered and are in fact hidden trojan horses monitoring and sending big Chinese daddy information about my private network, or even worse, infecting my other machines on the network.
I tried to contact the seller on eBay and his account was deleted. (BIG red flag)
Tried to contact HKvision but of course no reply.
Asked a few people here but all wanted $$$$. WTF!!
Now I have 3 bricked cameras looking sad in my garage and 4 more functioning ones which I pulled out of my home network fearing infection.
Started thinking about it for a few hours, and after 1/2 a bottle of good California wine I decided to un-brick the 3 camera devices and look more deeply into what they do and what other servers they contact.
So going back to the reason why I did it. Simply blaming eBay for allowing these crooks to sell modified cameras and then bail without a trace. Either eBay knew about these guys and deleted their accounts, or did not let the buyers know about what happened. (adding risks)
Also HKvision with their customer service and allowing people to put unchecked and risky firmware into their devices. What is going on here???
This by no means is random ... so you draw your own conclusions.
So I think that I was a victim of a criminal act which was covered by other companies, and no one tried to help me resolve the problem via normal channels. So I decided to do it myself.
I have seen some odd network behavior coming from these cameras and decided to isolate the POE network from my main one and disconnect the isolated network from the internet. (YES I LOVE BSG!!)
I am offering this solution AS IS and offer NO SUPPORT or Guarantee. This solution worked for me and might not work for you, so you decide to do it ... Go tiger and good luck. By the way this is not my solution ... I just added to the flow! Kudos to the other guys that did the main work!!!!
Also the documentation is not really the best, so if guys here decide to change this and make it more user-friendly please do so, but know where it came from :)

Anyways,
When tftp is initiated, the camera will assign itself the address 192.0.0.64 and remain in recovery mode after the upgrade completes.
Since the camera is online and in recovery mode, you can ftp and telnet to it and do what you need to recover your camera.
That's about it.


Instructions:

IF YOU ARE NOT comfortable with the half-baked instructions here ... simply wait for other Linux guys to work it out and shrink it for better overall usage!!


/----------------
Get networkcameracritic's mtdutils (BIG thanks to networkcameracritic)
http://www.wrightwoodsurveillance.com/stuff/mtd.zip

Copy the files below from mtdutils into a separate directory

flash_erase
flash_eraseall
nandwrite

//Next

//proceed with flashing tftp to the camera ... directions are all over this forum. ONLY one camera per flash
// this can be documented better ....
//Next .... very important

//Do not close the tftp program when done flashing and do not reboot the camera
// this should be done in a Linux environment to avoid filesystem issues!!!
//in windows (VM) or mac or linux you can now ftp to 192.0.0.64 // assuming you are in the same subnet .... best done from the machine the TFTP server is sitting on.
//user can be anything
//skip password by pressing enter
//change to binary mode
//make a temp_whatever directory on the root path
//cd temp_whatever

// upload the files separated before ... flash_erase, flash_eraseall, nandwrite to the camera in the /temp_whatever directory

// you can exit ftp now
//Next ->
// telnet to the camera
//default username is root
//default password is 12345
//cd to the /temp_whatever directory

//chmod 777 * ... yes I know it can be done better ...




//Camera region check (flag byte: \001 = English, \002 = Chinese; $VAR is quoted so an empty read does not break the test)

VAR=$(dd if=/dev/mtd6ro skip=16 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

VAR=$(dd if=/dev/mtd5ro skip=1620 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

// if you messed up your camera, both should say English .... with a broken checksum

// Next

// dump mtd5 and 6
//always keep a copy of the original files
// (nanddump must also have been uploaded to this directory)

./nanddump -nof mtd5_original /dev/mtd5
./nanddump -nof mtd6_original /dev/mtd6

./nanddump -nof mtd5_temp /dev/mtd5
./nanddump -nof mtd6_temp /dev/mtd6

// verify that the dumps are in fact patched English
VAR=$(dd if=mtd6_temp skip=16 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

VAR=$(dd if=mtd5_temp skip=1620 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi
// you should see English for both

// change back to Chinese (overwrite exactly one byte in the dump; conv=notrunc keeps the file length unchanged)

echo -ne '\x02' | dd conv=notrunc seek=1620 bs=1 count=1 of=mtd5_temp
echo -ne '\x02' | dd conv=notrunc seek=16 bs=1 count=1 of=mtd6_temp

// verify that the dumps are in fact patched Chinese now .... if so you can proceed

VAR=$(dd if=mtd6_temp skip=16 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

VAR=$(dd if=mtd5_temp skip=1620 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi
// you should see Chinese for both

// Now you have images that should have the old checksum

//next

//erase mtd5
./flash_eraseall /dev/mtd5
// write the patched Chinese image back to /dev/mtd5
./nandwrite -o /dev/mtd5 mtd5_temp

//erase mtd6
./flash_eraseall /dev/mtd6
// write the patched Chinese image back to /dev/mtd6
./nandwrite -o /dev/mtd6 mtd6_temp

// now check /dev/mtd5 and 6 to see if both are back to Chinese

VAR=$(dd if=/dev/mtd6 skip=16 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

VAR=$(dd if=/dev/mtd5 skip=1620 bs=1 count=1 2>/dev/null); if [ "$VAR" = $'\002' ]; then echo Chinese; elif [ "$VAR" = $'\001' ]; then echo English; else echo Unknown; fi

// you can generate a checksum now or later // additional instructions

// cross your fingers and pray!! -> reboot and you should hear the sweet click sound soon :)
 
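Shell helpers for the flag-byte part of the procedure above, added here as an example and not code from the post or from the mtdutils package. They work on dump files only, never on /dev/mtd*: the flag is read through od so a 0x00 or missing byte shows as Unknown instead of tripping the one-liner's test, a file whose flag is not already 01 or 02 is refused (usually the wrong file or the wrong offset), and the patched image is checked to still be the same length as the original before it goes anywhere near nandwrite. Offsets and values are the thread's (1620 in mtd5, 16 in mtd6; 01 English, 02 Chinese); file names and sample sizes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post: helpers that operate on dump
# files only (never on /dev/mtd*), using the thread's offsets and flag values.
# mtd5: byte 1620, mtd6: byte 16; flag 01 = English, 02 = Chinese.

# region_of FILE OFFSET -> prints English, Chinese or Unknown.
# The byte goes through od, so a 0x00 or missing byte gives Unknown instead of
# an empty variable that would make the thread's [ $VAR == ... ] test misfire.
region_of() {
    b=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$b" in
        01) echo English ;;
        02) echo Chinese ;;
        *)  echo Unknown ;;
    esac
}

# write_flag FILE OFFSET 1|2 -> overwrite exactly one byte in place (conv=notrunc)
write_flag() {
    printf "\\00$3" | dd of="$1" conv=notrunc bs=1 seek="$2" count=1 2>/dev/null
}

# set_region FILE OFFSET 1|2 -> patch the flag, but refuse when the current
# byte is not a known value: that usually means the wrong file or wrong offset.
set_region() {
    cur=$(region_of "$1" "$2")
    if [ "$cur" = Unknown ]; then
        echo "refusing: $1 has no known region flag at offset $2" >&2
        return 1
    fi
    write_flag "$1" "$2" "$3"
}

# same_size ORIG PATCHED -> true only if the patched image kept the original
# length; check this before handing the file to nandwrite.
same_size() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ]
}

# make_sample FILE SIZE OFFSET 1|2 -> constructed test image (zeros plus one
# flag byte); stands in for a real dump so the helpers can be tried off-camera.
make_sample() {
    dd if=/dev/zero of="$1" bs=1 count="$2" 2>/dev/null
    write_flag "$1" "$3" "$4"
}
```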
I don't understand what you mean. I did try it with older FWs and the open port TFTP "issue" is systematic across all version skews.
I went back and forth from/to 5.2.3, 5.2.0 and 5.2.5.
 
Older FW doesn't work on the new cam. I also have a new cam, from 01/2015, with 5.2.8 on the cam (but 5.2.3 inside). And I flashed many FWs via TFTP, but only 5.2.5 works perfectly. But there is no problem with flashing via TFTP.
 
I have a camera with 5.2.8 which was hacked to run 5.2.3. (works)
Now I am running 5.2.5.
 
I didn't even realize that the MTD5/6 region code on this one camera, which was sent to me to fix, had been updated. I changed it back to 02 like you said, re-applied TFTP and the camera is back to Chinese, ready for further hacking, LOL. The collaborative hacking is working. I had reservations about publishing the mtdutils, but glad to know someone like you was able to take that to the next level and at least unbrick some cameras for folk.

I did do some discovery during this process. There are 2 programs that run during the TFTP process you may want to be aware of, and they may further aid in the quest, maybe to figure out how to create a firmware file.

The first program that runs is /bin/update. When I ran this, I got this error, meaning that this is the program that gets run during bootup to fetch digicap.dav from TFTP:
/bin/sh /bin/update
[ INFO][MIN]TFTP: TFTP from server
[ INFO][MIN]TFTP: Filename: 'digicap.dav'
[ INFO][MIN]TFTP: Download File [FAIL] error: tftp.
!!!!! UPDATE FAIL !!!!!

The second program takes the digicap.dav and applies it; it's upgrade (upgrade /digicap.dav). I ran that and got this. If we can uncover the secrets of this program, it will unlock the firmware.
[ INFO][MIN]BURN: File size is 18862850 bytes (18420 KB)
[ INFO][MIN]BURN: Writing Flash
[ INFO][MIN]BURN: ....................................................
#

For now, until I can make more progress on the MTD5/6 hack, it's probably best to just apply my IEfile.tar.gz; at least the menus will be in English until we figure out the day-of-week change. Vasir, if you have time to take a look at it, I have some very interesting stuff, but can't show it on the forum, so PM me.
 
I have to disagree with you there: "The collaborative hacking is working".
This happened because most people were tricked and got screwed by crooks selling them cheap hardware. AND worse yet, eBay made $$ allowing these crooks to continue selling junk.
I think this is a collaborative effort to take control and rescue hardware that we purchased with our hard-earned $$. If HKvision would post something on their website warning people about the issue then I would think a bit differently.
 
That will unbrick the camera, but can I do the language flag hack (networkcamercritic) after this, or will I brick the camera again?