First of all I would like to thank all the other "good guys" here that shared their code with all of us. (Networkcritic and a few others)
Second, please do not bother me with your negative messages ... I simply don't care, I hate it when people milk extremely simple solutions and seek monetary support for something they did not work on or create.
This method can be modified and extended to do a lot more .... this is simply to get you started to un-brick your device without selling your first born.
My motivation for doing this:
Why?
Simple, for me the default Chinese language could be bypassed with the trick mentioned many times in this forum. Use Chrome and let it translate for you.
I purchased a few cameras from Ebay and installed them, but when I updated the cameras, they went back to Chinese ... which is still ok. Then I used network critics patch method without paying attention that my cameras were all shipped with 5.2.8, so I bricked 3 of them and STOPPED!!! BUT I was wondering if these cameras were somehow altered and are in fact hidden trojan horses monitoring and sending big Chinese daddy information about my private network or even worse infecting my other machines in the network.
I tried to contact the seller on Ebay and his account was deleted. (BIG red flag)
Tried to contact HKvision but of course no reply.
Asked a few people here but all wanted $$$$. WTF!!
Now I have 3 bricked cameras looking sad in my Garage and 4 more functioning which I pulled out of my home network fearing infection.
Started thinking about it for a few hours and after 1/2 bottle of good California wine I decided to un-brick the 3 camera devices and look more deeply into what they do and what other servers they contact.
So going back to the reason why I did it. Simply blaming Ebay for allowing these crooks to sell modified cameras and then bail without a trace. Either Ebay knew about these guys, deleted their accounts or did not let the buyers know about what happened. (adding risks)
Also HKvision with their customer service and allowing people to put unchecked and risky firmware into their devices. What is going on here???
This by no means is random ... so you draw your own conclusions.
So I think that I was a victim of a criminal act which was covered by other companies and no one tried to help me resolve the problem via normal channels. So I decided to do it myself.
I have seen some odd network behaviors coming from these cameras and decided to isolate the POE network from my main and disconnect the isolated network from the internet. (YES I LOVE BSG!!)
I am offering this solution AS IS and offer NO SUPPORT or Guarantee. This solution worked for me and might not work for you so you decide to do it ... Go tiger and good luck. By the way this is not my solution ... I just added to the flow! Kudos to other guys that did the main work!!!!
Also documentation is not really best so if guys here decide to change this and make it more user-friendly please do so but know where it came from
Anyways,
When tftp is initiated, the camera will assign an address to itself 192.0.0.64 and remain in recovery mode after the upgrade completes.
Since the camera is online and in recovery mode, you can ftp and telnet to it and do what you need to recover your camera.
That's about it
Instructions:
IF YOU ARE NOT comfortable with the 1/2 baked instructions here ... simply wait for other Linux guys to work it out and shrink it for better overall usage!!
/----------------
Get network camera critics mtdutils (BIG thanks to networkcritics)
http://www.wrightwoodsurveillance.com/stuff/mtd.zip
Copy below files from mtdutils in a separate directory
flash_erase
flash_eraseall
nandwrite
//Next
//proceed with flashing tftp to the camera … directions are all over this forum. ONLY one camera per flash
// this can be documented better ....
//Next …. very important
//Do not close tftp program when done flashing and do not reboot camera
// this should be in Linux environment to avoid filesystem issues!!!
//in windows (VM) or mac or linux now you can ftp to 192.0.0.64 // assuming you are in the same subnet .... best done from the machine where TFTP server is sitting on.
//user can be anything
//skip password by pressing enter
//change to binary mode
//make a temp_whatever directory on root path
//cd temp_whatever
//
// upload files separated before ... flash_erase, flash_eraseall, nandwrite to the camera in /temp_whatever directory
// you can exit ftp now
//Next ->
// telnet to the camera
//default username is root
//default password is 12345
//cd to /temp_what ever directory
//chmod 777 * ... yes I know it can be done better ...
//Camera region check
VAR=`dd if=/dev/mtd6ro skip=16 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
VAR=`dd if=/dev/mtd5ro skip=1620 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
// if you mess up your camera they both should be English …. with broken checksum
// Next
// dump mtd5 and 6
//always keep a copy of the original files
./nanddump -nof mtd5_original /dev/mtd5
./nanddump -nof mtd6_original /dev/mtd6
./nanddump -nof mtd5_temp /dev/mtd5
./nanddump -nof mtd6_temp /dev/mtd6
// verify that the dumps are in fact patched English
VAR=`dd if=mtd6_temp skip=16 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
VAR=`dd if=mtd5_temp skip=1620 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
// you should see English for both
// change back to Chinese
echo -ne \\x02 | dd conv=notrunc seek=1620 bs=1 count=1 of=mtd5_temp
echo -ne \\x02 | dd conv=notrunc seek=16 bs=1 count=1 of=mtd6_temp
// verify that the dumps are in fact patched Chinese now … if so you can proceed
VAR=`dd if=mtd6_temp skip=16 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
VAR=`dd if=mtd5_temp skip=1620 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
// you should see Chinese for both
// Now you have images that should have old checksum
//next
//erase mtd5
./flash_eraseall /dev/mtd5
// write patched Chinese image back to /dev/mtd5
./nandwrite -o /dev/mtd5 mtd5_temp
//erase mtd6
./flash_eraseall /dev/mtd6
// write patched Chinese image back to /dev/mtd6
./nandwrite -o /dev/mtd6 mtd6_temp
// now check /dev/mtd5 and 6 to see if both are back to Chinese
VAR=`dd if=/dev/mtd6 skip=16 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
VAR=`dd if=/dev/mtd5 skip=1620 bs=1 count=1 2>/dev/null` ; if [ "$VAR" == $'\002' ]; then echo Chinese ; elif [ "$VAR" == $'\001' ]; then echo English ; else echo Unknown; fi
// you can generate a checksum now or later // additional instructions
// cross your fingers and pray !! -> reboot and you should hear the sweet click sound soon
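An added example, not part of the original post: an offline check, run on the workstation against the saved dumps, that a patched image differs from its backup only at the region byte before it is written back with nandwrite. The function names and the constructed 64-byte sample file are assumptions; the offsets and byte values are the ones used in the steps above.

```sh
#!/bin/sh
# Added example: offline checks on flash dumps before anything is written back.
# Offsets (1620 in mtd5, 16 in mtd6) and values (1=English, 2=Chinese) are from the post.

# region_of FILE OFFSET -> prints English, Chinese or Unknown
region_of() {
    # od renders the byte as a decimal number, so a short read or 0x00 is handled cleanly
    b=$(dd if="$1" skip="$2" bs=1 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$b" in
        1) echo English ;;
        2) echo Chinese ;;
        *) echo Unknown ;;
    esac
}

# set_region FILE OFFSET VALUE -> overwrite exactly one byte in place, no truncation
set_region() {
    printf "\\$(printf '%03o' "$3")" | dd of="$1" conv=notrunc seek="$2" bs=1 count=1 2>/dev/null
}

# changed_bytes ORIG PATCHED -> prints how many byte positions differ
changed_bytes() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# safe_to_write ORIG PATCHED OFFSET -> succeeds only if the sizes match, exactly one
# byte differs, that byte sits at OFFSET, and it now reads as Chinese
safe_to_write() {
    [ "$(wc -c < "$1" | tr -d ' ')" = "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    [ "$(changed_bytes "$1" "$2")" = 1 ] || return 1
    [ "$(cmp -l "$1" "$2" | awk '{print $1}')" = "$(( $3 + 1 ))" ] || return 1
    [ "$(region_of "$2" "$3")" = Chinese ]
}

# Constructed stand-in for an mtd6 dump: 64 zero bytes with 0x01 at offset 16
demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/zero of="$d/mtd6_original" bs=1 count=64 2>/dev/null
    set_region "$d/mtd6_original" 16 1
    cp "$d/mtd6_original" "$d/mtd6_temp"
    set_region "$d/mtd6_temp" 16 2
    safe_to_write "$d/mtd6_original" "$d/mtd6_temp" 16 && echo "ok to write"
    rm -rf "$d"
}

demo
```

With real dumps, run `safe_to_write mtd5_original mtd5_temp 1620` and `safe_to_write mtd6_original mtd6_temp 16` and only continue to the erase step when both succeed.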