You go, @montecrypto!...HIKVISION: if you change the obfuscation method again, and I have to spend more time figuring it out, I will release an app that can edit everything in bootparams and write it back to flash.
What's crippled about it, and what firmware is currently on it?Is there any hope for a good fix for my crippled (but working) [FONT=wf_segoe-ui_normal]devTypeS-7608N-E2/8P? I am stuck with very limited upgrade options and this silly psh. Is there any hope or something I can try?[/FONT]
Sector number is 0x2e000, not 0x2e010. Offset in the sector is 0x10. That only changes the language, not the region code. Region code is stored at a different offset.Mayfer. If you have NVR on firmware 3.3.4, then the block in which the region code is stored, is not encrypted. Easy way for you is to uncouple memory chip MX25L12835FMI (it is located on the back side of the motherboard in your NVR), read dump using programmer, change region code byte to 01 in sector 0x2E010, reprogramm the chip and put it back into the motherboard. After that manipulation your NVR become european forever. You can upgrade it using english firmware. Make sure, that you save the original dump. In case of failure, you can restore the NVR using the programmer.
Hikvision NVR region code could be changed, what about chinese (aliexpress gray import) Hikvision cameras?Sector number is 0x2e000, not 0x2e010. Offset in the sector is 0x10. That only changes the language, not the region code. Region code is stored at a different offset.
Also, you can write unencrypted bootparams into that sector even if the existing sector was encrypted. Firmware accepts it either way (they have to support older firmware where it was not encrypted).
And all this can be done in software, no need to desolder flash chips.
Yes you are right sector is 0x2e000. 0x2e010, I meant the the total offset of memory dump. How this can be done in the software? I can not to bypass protected shell. For me desoldering the chip it takes a few minutes. So for me, this procedure easier. But after the encryption of the sector, it will also soon become useless.Sector number is 0x2e000, not 0x2e010. Offset in the sector is 0x10. That only changes the language, not the region code. Region code is stored at a different offset.
I think you can use the same procedure as with the NVR. But IP cameras use Nand flash. To desoldering it you need to have some skills. And not all programmators can read it correctly. You can also use the program method, as wrote Monteсrypto, but it requires the hacker skills.@kayl669 - is there a procedure how to make Hikvision CH cameras to become WR cameras, so user can update firmware version?