*** You go Hang Zhou! *** [R6 camera (DS-2CD2x42) firmware encoding method]
- Thread starter montecrypto
- Start date
Q™
IPCT Contributor
alastairstevenson
Staff member
What's crippled about it, and what firmware is currently on it?Is there any hope for a good fix for my crippled (but working) [FONT=wf_segoe-ui_normal]devTypeS-7608N-E2/8P? I am stuck with very limited upgrade options and this silly psh. Is there any hope or something I can try?[/FONT]
Do you know what region it is - eg the 4 letters in the serial number?
What would you like to get from a 'good fix'? Apart from the obvious ...
I am currently limited to the Chinese version 3.3.4 with language stuck at “2” (Menus remain in English so far.) The letters in the serial are: AARR. Most attempts to upgrade result in endless beeps with the kind note that my device is illegal. As new cameras come out, I fear that an upgrade will soon be required. I do have a serial connection, but I am worried that new Hik upgrades will also prevent a proper downgrade. I wish that I had the option to safely upgrade to the International versions, (which also used to have the nice virtual host feature.) Any crafty software workarounds would be great.
Thank you
Thank you
Mayfer. If you have NVR on firmware 3.3.4, then the block in which the region code is stored, is not encrypted. Easy way for you is to uncouple memory chip MX25L12835FMI (it is located on the back side of the motherboard in your NVR), read dump using programmer, change region code byte to 01 in sector 0x2E010, reprogramm the chip and put it back into the motherboard. After that manipulation your NVR become european forever. You can upgrade it using english firmware. Make sure, that you save the original dump. In case of failure, you can restore the NVR using the programmer.
montecrypto
IPCT Contributor
- Joined
- Apr 20, 2016
- Messages
- 104
- Reaction score
- 304
Sector number is 0x2e000, not 0x2e010. Offset in the sector is 0x10. That only changes the language, not the region code. Region code is stored at a different offset.
Also, you can write unencrypted bootparams into that sector even if the existing sector was encrypted. Firmware accepts it either way (they have to support older firmware where it was not encrypted).
And all this can be done in software, no need to desolder flash chips.
Hikvision NVR region code could be changed, what about chinese (aliexpress gray import) Hikvision cameras?
How to change region code on CH cameras, in order to update firmware on them?
Defender666
Getting the hang of it
- Joined
- Dec 19, 2015
- Messages
- 193
- Reaction score
- 25
I have a DS-2CD6362F-IVS which was bought in china at a good price. It has 5.3.5_15029 Firmware any chance to put hacked EN Firmware or even switch it to EN
Yes you are right sector is 0x2e000. 0x2e010, I meant the the total offset of memory dump. How this can be done in the software? I can not to bypass protected shell. For me desoldering the chip it takes a few minutes. So for me, this procedure easier. But after the encryption of the sector, it will also soon become useless.
I think you can use the same procedure as with the NVR. But IP cameras use Nand flash. To desoldering it you need to have some skills. And not all programmators can read it correctly. You can also use the program method, as wrote Monteсrypto, but it requires the hacker skills.
Defender666
Getting the hang of it
- Joined
- Dec 19, 2015
- Messages
- 193
- Reaction score
- 25
Is there no possibility to program through onboar channel? Through Serial connection or similar?
Is there no hacked firmware availalbe. The problem is there is no SSH/telnet connection. Well there is but it is a jail.
However the firmware file seems not encrypted I could use the tools from this forum to extract it.
Is there no hacked firmware availalbe. The problem is there is no SSH/telnet connection. Well there is but it is a jail.
However the firmware file seems not encrypted I could use the tools from this forum to extract it.