So... It turns out that, unlike DVRs and older cameras, newer hikvision cams, including R6 and G0, store its configuration settings in smartcard chips. The chips are made by Watchdata and they run TimeCOS. Basically, your cameras have the same chip as you VISA credit card. That chip stores configuration information, like model name, and features. Kernel retrieves that using EMV PSE protocol. This means that permanently turning newer CN cameras into EN is considerably more challenging than just editing bootparams in a write-protected nand sector. Not impossible though. Thank you Gong Hongjia and Chen Chunmei for a well-executed portfolio cross-pollination! You guys rock! Happy new year! We all look forward to being able to use hik cameras instead of credit cards for buying crap on aliexpress. Oh, and you may want to ruffle some tech feathers at Hikvision, because the way they use Watchdata chips in cameras is really messed up. It looks like someone had a serious case of crypto-key diarrhea. The keys are all over the kernel. Different kinds. In the clear.