litch 0 Posted June 26, 2015 (edited)

RE: ALL POSTS: Use at own risk. Just a braindump of what I've been meddling with recently...

Get ASH back on V5.3 (PSH restrictions)
(Involves TFTP firmware flash process - very much do at own risk)

- Get your hands on "hiktools05r.rar" (3rd party firmware file editor, ~9KB) and "Auto Update.rar" (Hikvision tftp update application, ~176KB) - don't ask me for them, source them yourself.
- Get your hands on the digicam.dav v5.3 firmware of your choice.
- Extract hiktools05r, and get a command prompt to that directory (eg: C:\hiktools05r>)
- Copy digicam.dav to C:\hiktools05r
- Make a subdirectory called "temp" (C:\hiktools05r> mkdir temp)
- C:\hiktools05r> hiktools.exe split digicam.dav temp (hiktools05r extracts all the firmware files)
- Edit C:\hiktools05r\temp\initrun.sh with wordpad (turn off line wrap) or your favourite text editor other than notepad (notepad doesn't support unix text file linebreaks) and append "sed -i 's/psh/ash/g' /etc/profile" (without the double quotes) and save. Alternatively, by command line:

    C:\hiktools05r> echo sed -i 's/psh/ash/g' /etc/profile >> temp\initrun.sh

- Re-make the firmware by:

    C:\hiktools05r> hiktools.exe create digicam.dav temp

- The new file will be c:\hiktools05r\temp.dav - copy that to the Auto Update directory where tftpserv.exe is, rename as digicap.dav and upload to the camera (process not covered here).

Move files around without scp

PC to Cam:

    cat [localfile] | ssh root@camip "cat - > [fileoncam]"

Cam to PC:

    ssh root@camip "cat [fileoncam]" > [localfile]

NB: Try not to use gzip/tar/other filters - the CPU isn't that fast and it's best to just copy direct bytes. If you need to compress something, do it prior to the transfer.

Backup all your nand partitions

First - Upload a script file to cam (eg. /root/readmtd.cam.sh)

    #!/bin/sh
    # Runs on the camera. Prints, for every MTD partition, the shell commands
    # the PC has to run to pull that partition over ssh.
    # The generated file carries the root password in clear text (sshpass -p).
    LIST=
    for m in /sys/class/mtd/mtd*[0-9]; do
        #echo `cat $m/name` = `cat $m/size`
        SIZE=`cat $m/size`
        NAME=`cat $m/name`
        echo "MTDNAME=$NAME"
        echo "SIZE=$SIZE"
        # device name (mtdN) is the last path component
        MTD=`echo "$m" | sed 's/^.*\///g'`
        # escaped backticks and \$ are evaluated later, on the PC
        echo "COUNT=\`expr $SIZE / 2048 \`"
        echo "sshpass -p _PASS_ ssh root@_CAMIP_ \"dd if=/dev/$MTD bs=2048 count=\$COUNT\" > mtd-\$MTDNAME.bin"
        echo
    done

Then on PC, run:

    ssh root@camip "sh /root/readmtd.cam.sh" > readmtd.pc.sh

readmtd.pc.sh will be filled with remote ssh commands to pull each nand partition off the camera - note the fields to replace:
Where [pass] is the cam's ssh root password (same as admin), and [camip] is the camera's ip/fqdn

    sed -i 's/_PASS_/[pass]/g' readmtd.pc.sh
    sed -i 's/_CAMIP_/[camip]/g' readmtd.pc.sh

Files received (example):

    -rw-r--r-- 1 root root 25165824 Jun 26 16:19 mtd-app_pri.bin
    -rw-r--r-- 1 root root 25165824 Jun 26 16:18 mtd-app_sec.bin
    -rw-r--r-- 1 root root  1048576 Jun 26 16:18 mtd-bld.bin
    -rw-r--r-- 1 root root   131072 Jun 26 16:19 mtd-bst.bin
    -rw-r--r-- 1 root root  4194304 Jun 26 16:18 mtd-cfg_pri.bin
    -rw-r--r-- 1 root root  4194304 Jun 26 16:18 mtd-cfg_sec.bin
    -rw-r--r-- 1 root root 16777216 Jun 26 16:18 mtd-dbg.bin
    -rw-r--r-- 1 root root  1048576 Jun 26 16:18 mtd-dpt.bin
    -rw-r--r-- 1 root root   524288 Jun 26 16:18 mtd-env.bin
    -rw-r--r-- 1 root root  1048576 Jun 26 16:18 mtd-hal.bin
    -rw-r--r-- 1 root root  8388608 Jun 26 16:17 mtd-krn_pri.bin
    -rw-r--r-- 1 root root  8388608 Jun 26 16:19 mtd-krn_sec.bin
    -rw-r--r-- 1 root root   524288 Jun 26 16:18 mtd-param.bin
    -rw-r--r-- 1 root root  1048576 Jun 26 16:19 mtd-ptb.bin
    -rw-r--r-- 1 root root 10485760 Jun 26 16:18 mtd-rcvy.bin
    -rw-r--r-- 1 root root  4194304 Jun 26 16:19 mtd-rmd_pri.bin
    -rw-r--r-- 1 root root  4194304 Jun 26 16:19 mtd-rmd_sec.bin

To be continued...

Edited June 28, 2015 by Guest

litch 0 Posted June 26, 2015

Format of initrd NAND partitions (rmd_pri/rmd_sec):
Note: 4MiB each (1024*1024*4)

- 64-byte header ([offset]:[length])

    0:4  = 1a d9 60 16 (magic? I don't know, doesn't change afaik)
    4:8  = 0xFF
    12:4 = initrd's gzip'd size
    16:4 = load address (in RAM) 00 00 a0 c0 (0xc0a00000)
    20:4 = 0xFF
    24:4 = 4b 44 4d 52 (KDMR = RMDK, ramdisk magic)
    28:* = 0xFF

- gzip'd ext2 image (actual initrd)
- trailing 0xff's to make 4MiB

Uncompressed initrd image is a 8MiB ext2 filesystem

    Filesystem volume name:   <none>
    Last mounted on:          <not available>
    Filesystem UUID:          <none>
    Filesystem magic number:  0xEF53
    Filesystem revision #:    0 (original)
    Filesystem features:      (none)
    Default mount options:    (none)
    Filesystem state:         clean
    Errors behavior:          Unknown (continue)
    Filesystem OS type:       Linux
    Inode count:              824
    Block count:              8192
    Reserved block count:     0
    Free blocks:              1650
    Free inodes:              597
    First block:              1
    Block size:               1024
    Fragment size:            1024
    Blocks per group:         8192
    Fragments per group:      8192
    Inodes per group:         824
    Inode blocks per group:   103
    Last mount time:          n/a
    Last write time:          Fri Mar 20 20:38:26 2015
    Mount count:              0
    Maximum mount count:      20
    Last checked:             Fri Mar 20 20:38:26 2015
    Check interval:           0 (<none>)
    Reserved blocks uid:      0 (user root)
    Reserved blocks gid:      0 (group root)

    Group 0: (Blocks 1-8191)
      Primary superblock at 1, Group descriptors at 2-2
      Block bitmap at 3 (+2), Inode bitmap at 4 (+3)
      Inode table at 5-107 (+4)
      1650 free blocks, 597 free inodes, 43 directories
      Free blocks: 6542-8191
      Free inodes: 228-824

Modifying nand initrd

Note that while this seems to match all the requirements - I still haven't successfully got it to boot a modified initrd. There's going to be a checksum somewhere I'm missing... To be continued...

Method:

Extract initrd:

    dd if=rmd_pri bs=64 skip=1 of=initrd.gz
    gunzip initrd.gz
    mount -o loop initrd ./path/to/mount

Re-making initrd, here's a mediocre script. At least it'll give you an idea of what's required.
PS: make sure you unmount it first
PPS: Note: _NO SIZE CHECKS_ Use at own risk.

    #!/bin/sh
    if [ $# -ne 2 ]; then
        echo "Bad argument count"
        echo "Usage: $0 [headerfile] [ext2imgfile]"
        exit 1
    elif [ ! -f "$1" ]; then
        echo "Bad header file: $1"
        echo " Hint: To get header file:"
        echo " dd if=4MB_nand_img bs=64 count=1 of=header.bin"
        exit 1
    elif [ ! -f "$2" ]; then
        echo "Bad ext2 image: $2"
        echo " Hint: To get ext2 file:"
        echo " dd if=4MB_nand_img bs=64 skip=1 | gunzip - > initrd.ext2.img"
        exit 1
    fi
    if [ -f initrd.gz ]; then
        echo "Warning, this program will overwrite initrd.gz - please remove first"
        exit 1;
    fi
    # Compress ext2 image
    cat $2 | gzip -9 > initrd.gz
    echo -n "Get size of gzip'd initrd: "
    NEWSIZE=$(stat --format=%s initrd.gz)
    echo $NEWSIZE
    echo -n "Convert that size into sed-translateable bytes: "
    SIZEHDR=`printf "%08X" $NEWSIZE | sed 's/[A-F0-9]\{2\}/\\\\x& /g' | tac -s' ' | sed 's/ //g'`
    echo "$NEWSIZE = '$SIZEHDR'"
    echo "Look for 0x35a12e00 in the old header (old initrd size) and replace with '$SIZEHDR' (new initrd size)"
    # TODO: Size may vary, replace the 4th DWORD (byte offset 12, length = 4)
    cat $1 | sed "s/\\x35\\xa1\\x2e\\x00/$SIZEHDR/g" > header.new
    echo "Concat new header and new initrd > initrd.temp"
    cat header.new initrd.gz > initrd.temp
    echo -n "Get size update: "
    NEWSIZE=$(stat --format=%s initrd.temp)
    echo "$NEWSIZE bytes"
    echo -n "Find the difference between that and 4MiB: "
    TRAILER=$(expr 4194304 - $NEWSIZE)
    echo "$TRAILER bytes"
    echo "Generate trailing 0xff's in trailer.new"
    dd if=/dev/zero bs=$TRAILER count=1 | sed 's/\x00/\xff/g' > trailer.new
    echo "Append trailer to initrd.temp > initrd.nandready"
    cat initrd.temp trailer.new > initrd.nandready
    echo "Done."

To write back to nand, match the /dev/mtdX with the mtd backup script output in previous post. In my system, rmd_pri is /dev/mtd11.

On PC:

    cat initrd.nandready | ssh root@camip "cat - > /dav/newinitrd"

On cam:

    nandwrite /dev/mtd11 /dav/newinitrd
    reboot

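The partition layout described in the post above, as an added example that is not part of the original thread: a Python check that a 4 MiB rmd_pri/rmd_sec dump matches the posted header fields, that the gzip stream ends exactly where the size field says, and that the payload carries the ext2 magic. The function names and the zero-filled sample image are constructed for illustration; the first four header bytes are only reported, because the thread does not settle what they cover.

```python
import struct
import zlib

PART_SIZE = 4 * 1024 * 1024          # rmd_pri / rmd_sec: 4 MiB each
HDR_LEN = 64                         # fixed header in front of the gzip stream
RMDK = bytes.fromhex("4b444d52")     # bytes at offset 24 ("KDMR")
EXT2_MAGIC_OFF = 1024 + 56           # s_magic inside the superblock at byte 1024
FF_RANGES = ((4, 12), (20, 24), (28, HDR_LEN))   # header bytes the post lists as 0xFF


def parse_rmd(image: bytes) -> dict:
    """Parse one rmd_pri/rmd_sec dump and list every deviation from the posted layout."""
    if len(image) < HDR_LEN:
        raise ValueError("image shorter than the 64-byte header")
    problems = []
    if len(image) != PART_SIZE:
        problems.append(f"partition is {len(image)} bytes, expected {PART_SIZE}")
    # offset 12: gzip'd size, offset 16: load address, both little-endian
    gz_size, load_addr = struct.unpack_from("<II", image, 12)
    if image[24:28] != RMDK:
        problems.append("ramdisk magic at offset 24 is not 4b 44 4d 52")
    for start, end in FF_RANGES:
        if image[start:end] != b"\xff" * (end - start):
            problems.append(f"header bytes {start}..{end - 1} are not all 0xFF")

    ext2 = b""
    if gz_size > len(image) - HDR_LEN:
        problems.append("size field points past the end of the partition")
    else:
        inflater = zlib.decompressobj(wbits=31)      # 31 = gzip wrapper, CRC checked
        try:
            ext2 = inflater.decompress(image[HDR_LEN:HDR_LEN + gz_size])
            if not inflater.eof:
                problems.append("size field ends before the gzip stream does")
            elif inflater.unused_data:
                problems.append("size field is larger than the gzip stream")
        except zlib.error as exc:
            problems.append(f"gzip payload does not decompress: {exc}")
        trailer = image[HDR_LEN + gz_size:]
        if trailer != b"\xff" * len(trailer):
            problems.append("trailer after the payload is not all 0xFF")

    if len(ext2) >= EXT2_MAGIC_OFF + 2:
        if struct.unpack_from("<H", ext2, EXT2_MAGIC_OFF)[0] != 0xEF53:
            problems.append("decompressed image has no ext2 magic 0xEF53")
    elif not problems:
        problems.append("decompressed image too short to hold an ext2 superblock")
    return {
        "word0": image[0:4].hex(),       # reported only, not validated
        "gz_size": gz_size,
        "load_addr": load_addr,
        "ext2_len": len(ext2),
        "problems": problems,
    }


def build_sample(ext2_len: int = 8 * 1024 * 1024) -> bytes:
    """Constructed test image: a zero-filled stand-in for the ext2 filesystem, not a real dump."""
    fs = bytearray(ext2_len)
    struct.pack_into("<H", fs, EXT2_MAGIC_OFF, 0xEF53)
    gz = zlib.compressobj(9, zlib.DEFLATED, 31)
    payload = gz.compress(bytes(fs)) + gz.flush()
    hdr = bytearray(b"\xff" * HDR_LEN)
    hdr[0:4] = bytes.fromhex("1ad96016")             # value quoted in the post
    struct.pack_into("<II", hdr, 12, len(payload), 0xC0A00000)
    hdr[24:28] = RMDK
    body = bytes(hdr) + payload
    return body + b"\xff" * (PART_SIZE - len(body))


if __name__ == "__main__":
    report = parse_rmd(build_sample())
    print(f"gzip size {report['gz_size']}, load address {report['load_addr']:#010x}, "
          f"ext2 {report['ext2_len']} bytes, problems: {report['problems'] or 'none'}")
```

To check a real backup, read the file pulled off the camera (for example mtd-rmd_pri.bin) and pass its bytes to parse_rmd(); an empty problems list means the dump agrees with every field listed in the post.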
litch 0 Posted June 26, 2015 (edited)

NAND partitions...

    rcvy    - recovery partition, includes generic filesystem, kernel, initrd, etc..
    dpt
    param   - System parameters, serial, model, and several encoded partitions of data.
    env     - Environment parameters, serial, model, boot parameters
    ano_ptb
    hal
    bld     - Bootloader (amBoot flavour, U-Boot 1.3.x based)
    dbg     - Reserved for debug, not used afaik
    cfg_pri - ubifs mounted to /config, contains sqlite3 database of web/application level config
    cfg_sec - as above, secondary partition
    app_pri - mounted to /dav via /usr/sbin/mount_app; webs, tars, general runtime application and data
    app_sec - as above
    rmd_pri - initrd
    rmd_sec - as above, second partition
    krn_pri - kernel
    krn_sec - as above, second partition
    ptb     -
    bst     -

Edited June 27, 2015 by Guest

litch 0 Posted June 26, 2015 (edited)

Improve busybox (temporarily, at least):
(Ubuntu cross-compile)

    apt-get install build-essential gcc-arm-linux-gnueabi ncurses-dev
    mkdir target
    wget http://www.busybox.net/downloads/busybox-1.23.2.tar.bz2
    tar -xvf busybox-1.23.2.tar.bz2
    cd busybox-1.23.2
    # <if> using my .config (attached)
    gunzip dot.config.gz
    cp dot.config .config
    # <else>
    CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make menuconfig
    # <end>
    CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make
    CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make install
    # Done.

Notes:

- Make it static (~1.5MB) then upload to /dav (should have the room)
- If you don't make it static, then you'll need to implement a whole buildroot with gcc etc.. that uses the libc that's currently on the system (ls /lib/libc*) else download that and build it as well.

dot.config.gz attached is static with most sub-commands:

    Currently defined functions:
    [, [[, acpid, addgroup, adduser, adjtimex, arp, ash, awk, base64, basename, bash, blkid, blockdev, bunzip2, bzcat, bzip2, cal, cat, catv, chattr, chgrp, chmod, chown, chpasswd, chroot, cksum, comm, conspy, cp, cpio, cryptpw, cttyhack, cut, date, dd, delgroup, deluser, depmod, devmem, df, dirname, dmesg, dnsdomainname, du, echo, egrep, env, expand, expr, false, fdisk, fgrep, find, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, head, hexdump, hostid, hostname, hwclock, id, ifconfig, init, insmod, ionice, iostat, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, logger, login, logread, losetup, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, md5sum, mdev, mesg, mkdir, mke2fs, mkfifo, mkfs.ext2, mknod, mkpasswd, mkswap, modinfo, modprobe, more, mount, mpstat, mv, nanddump, nandwrite, netstat, nice, passwd, ping, ping6, pivot_root, pkill, poweroff, ps, pwd, rdate, rdev, readlink, readprofile, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod, route, rtcwake, script, scriptreplay, sed, sendmail, setarch, setserial, sh, shuf, sleep, sort, strings, stty, su, sulogin, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, telnet, telnetd, test, time, timeout, top, touch, tr, true, tty, ttysize, ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, umount, uname, unexpand, unlink, unlzma, unlzop, unxz, unzip, uptime, users, vlock, volname, wall, watch, watchdog, wc, wget, who, whoami, xz, xzcat, yes, zcat

I believe other users on this forum have also built their own and have made that available (link pending).

dot.config.gz

Edited June 28, 2015 by Guest

Brenning 0 Posted June 26, 2015

Excellent work. So what kind of things can we expect to unlock / improve with these tweaks? On the 2cd2032 for example, just trying to think of practical applications

Securame 0 Posted June 26, 2015

Interesting

litch 0 Posted June 27, 2015

> Excellent work. So what kind of things can we expect to unlock / improve with these tweaks? On the 2cd2032 for example, just trying to think of practical applications

I guess it's about taking more control of the unit. I was one of those who got the Chinese model hardware (on a 2cd2023), and at version 5.1.x it always failed CIFS storage so I had to upgrade to get that working, but as a result was left with Chinese language on the web interface or a dead unit with the "language mismatch" issue. Using some of the above methods I hacked up the webs tarball to include xml language files from another digicam.dav firmware file, added some static bindings to use and got the English web interface back that way.

From this point, I'm just putting all that I find online so others may get a better idea on how to improve the camera firmware - like adding features that may help others (syslogd, scp, custom web pages and so on).

Ultimately - I just like to know how things work inside-out.

iTuneDVR 2 Posted June 27, 2015

litch! Your deep knowledge of Linux provides an excellent result!!! Excellent!!! Where have you been all this time? Maybe next time Hikvision programmer hide or patch this ssh vulnerability. Excellent work!!!

litch 0 Posted June 28, 2015

> litch! Your deep knowledge of Linux provide an excellent result!!! Excellent!!! Where have you been all this time? Maybe next time Hikvision programmer hide or patch this ssh vulnerability. Excellent work!!!

There are members on here that far exceed my level, I'm guessing you could be included in that list, which would mean your post should be interpreted as extreme sarcasm.

Anyway - There's a gap between intermediate "tinkerers" like myself and the information available on the web to get you started digging around the system, I just wanted to give others a hand getting into things rather than spending hours gathering all that I already have.

I've revised the SSH access method in the OP.

litch 0 Posted June 28, 2015

v5.3: Manual language fix
(again - involves firmware modding, linux commands, do at own risk)

This is to get the web interface of a Chinese 2CD2xx2 cam, running Chinese v5.3 firmware (eg: IPC_R0_CN_STD_5.3.0_150513) to default to english, auto detect browser language and allow language selection via the login drop-down box at the top right. There are other methods (I think) but this is what I did to solve the "language mismatch" problem when you upload the multi-lang (english) firmware (eg: IPC_R0_EN_STD_5.3.0_150513) to a Chinese model camera.

Note that firmware names may differ depending on where you download it

1 - Download the multi-lang firmware (eg: IPC_R0_EN_STD_5.3.0_150513)
2 - Download the Chinese firmware (eg: IPC_R0_CN_STD_5.3.0_150513)
3 - See original post in this thread "Get ASH back on V5.3 (PSH restrictions)", follow steps 1-7 for each firmware (except change the directory name from temp, and create 2 subdirs - "en" and "cn" - extract the respective firmware there)

For the rest, I use linux so I'll just show the commands with some explanation along the way (if you can interpret that to your set of windows tools)

    # Ok, so let's say we've copied the extracted English digicam.dav files to /work/english
    # and the Chinese digicam.dav files are in /work/chinese

    # First, we want to extract the Chinese IEfile.tar.gz - this is an lzma'd tarball (not gzip)
    user@host:/work# mkdir cnwebs
    user@host:/work# cd cnwebs
    user@host:/work/cnwebs# cat ../chinese/IEfile.tar.gz | lzma -d | tar -cf -

    # You'll see directories called doc and codebase, and a few web script pages.

    # Now for the english webs...
    user@host:/work/cnwebs# cd ...
    user@host:/work# mkdir enwebs
    user@host:/work# cd enwebs
    user@host:/work/enwebs# cat ../english/IEfile.tar.gz | lzma -d | tar -cf -

    # Next we want to extract all the lang files from the English firmware (IElang.tar)
    user@host:/work/enwebs# cd ..
    user@host:/work# mkdir enlangs
    user@host:/work# cd enlangs
    user@host:/work/enlangs# tar -xvf ../english/IElang.tar

    # We're left with a bunch of tar.gz lang packages, let's expand them too.
    user@host:/work/enlangs# for f in *.tar.gz; do tar -xvf $f; done

    # Clean up the old tar files
    user@host:/work/enlangs# rm *.gz

    # Next we get the english doc/xml/Languages.xml file (which has the list of all the supported languages)
    # and append it to the Chinese language file (which only lists Chinese)
    # while retaining the chinese xml entry
    user@host:/work/enlangs# cd ../cnwebs/doc/xml
    user@host:/work/cnwebs/doc/xml# cat ../../../enwebs/doc/xml/Languages.xml >> Languages.xml

    # A bit of file editing, open Languages.xml up and delete the </Languages> line (about line 7) along
    # with the next 2 lines which look like "<?xml [cut]" and "<Languages>\n" so the xml is contiguous.
    # Then move 'default="true"' from the chinese <Language> tag to the english
    # tag (The '<Language>' preceding '<value>en</value>') so it looks like:
    # ...
    # <Language default="true">
    # <value>en</value>
    # ...

    # Now copy over all the language packs from enlang/ to this directory
    user@host:/work/cnwebs/doc/xml# cp -pr ../../enlangs/* .

    # Now we hack up the javascript that chooses the language
    # in cnwebs/doc/script there's login.js - we need to find the text "chinese" (including quotes) and change it to something random.
    user@host:/work/cnwebs/doc/xml# cd ../script

    # Using sed:
    user@host:/work/cnwebs/doc/script# sed -i 's/"chinese"/"hacked"/g' login.js
    # or manually do it with your desired text editor

    # All that's left is to re-make the IEfile.tar.gz
    user@host:/work/cnwebs/doc/script# cd ../..
    user@host:/work/cnwebs# tar -cf - * | lzma -z -9 > ../chinese/IEfile.tar.gz

    # Copy /work/chinese/IEfile.tar.gz back to your C:\hiktools05r\cn folder, make sure the digicap.dav file in C:\hiktools05r\ is the chinese
    # version, and run:
    C:\hiktools05r\hiktools.exe create digicap.dav cn

    # The C:\hiktools05r\cn.dav is now multi-lang, update via the TFTP Auto Update application.

NOTES:

- Some Chinese text will still appear (like in the video overlay) because some binaries are compiled that way - but for the most part, you'll be able to navigate around the web interface in your desired language.
- Reset your cookies in the web browser, else the login page may remember you as using Chinese last time and set it to that (though you should still be able to select English in the drop-down menu).

iTuneDVR 2 Posted June 28, 2015

> There are members on here that far exceed my level, I'm guessing you could be included in that list, which would mean your post should be interpreted as extreme sarcasm. Anyway - There's a gap between intermediate "tinkerers" like myself and the information available on the web to get you started digging around the system, I just wanted to give others a hand getting into things rather than spending hours gathering all that I already have. I've revised the SSH access method in the OP.

litch! Sorry. Absolutely no sarcasm. I am a normal user, and my knowledge of Linux is very, very modest. I make the decisions just different. I'm glad you posted your thoughts and solutions here. Functional SSH is very rich and not available to all to understand, so only a qualified specialist can write about it, like you. Classic linux style! I'm always interested in watching the other researches and am always happy about their positive results.

litch 0 Posted June 28, 2015

> Absolutely no sarcasm.

My mistake

iTuneDVR 2 Posted June 28, 2015

> My mistake

Don't worry. It's ok! ssh works wonders!

stroonzo 0 Posted June 30, 2015

Here is one I am hoping someone can guide me on:

I have what is apparently a Chinese coded camera that I flashed with a US / English DS-2CD2x12,2x32 IP camera firmware v5.3.0_150513. I was not blocked from flashing the camera via the GUI. However, now when I attempt to access the camera via the GUI I get the following:

    Access Error: 404 -- Not Found
    firmware language mismatch: /home/webLib.

The camera still functions fine. What I mean is, it still works and it is seen in Digifort and it is fully functional with the same configuration as it had prior to the upgrade (I know because I have this set at 1/1000 min shutter).

Different than the 5.2 firmware is the SSH connection. I am presented with:

    BusyBox v1.19.3 (2015-03-20 17:37:48 CST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    BusyBox v1.2.1 Protect Shell (psh)
    Enter 'help' for a list of davinci system commands.

See that? Davinci system commands. The commands used on the 5.2 firmware (such as calling a directory) are not part of this OS (if an OS is what this is).

Basically, I’d like to know how I can change my camera’s (not the firmware’s – that’s easy) designation to US / English. I think that would be the ultimate fix for this particular camera.

Thanks,
Jeff

litch 0 Posted June 30, 2015

> Here is one I am hoping someone can guide me on: I have what is apparently a Chinese coded camera that I flashed with a US / English DS-2CD2x12,2x32 IP camera firmware v5.3.0_150513. I was not blocked from flashing the camera via the GUI. However, now when I attempt to access the camera via the GUI I get the following: Access Error: 404 -- Not Found firmware language mismatch: /home/webLib.

Sounds familiar.

> The camera still functions fine. What I mean is, it still works and it is seen in Digifort and it is fully functional with the same configuration as it had prior to the upgrade (I know because I have this set at 1/1000 min shutter). Different than the 5.2 firmware is the SSH connection. I am presented with: BusyBox v1.19.3 (2015-03-20 17:37:48 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. BusyBox v1.2.1 Protect Shell (psh) Enter 'help' for a list of davinci system commands. See that? Davinci system commands. The commands used on the 5.2 firmware (such as calling a directory) are not part of this OS (if an OS is what this is). Basically, I’d like to know how I can change my camera’s (not the firmware’s – that’s easy) designation to US / English. I think that would be the ultimate fix for this particular camera. Thanks, Jeff

In summary...

There's talk of changing the hardware code in other threads

But I didn't find anything that worked, hence all my posts above

Regardless of which way you go - you either need to hack a firmware to get rid of psh so you can modify the hardware code, or hack a firmware so that your chinese firmware talks english.

If you end up finding the "Ultimate fix" - please share!

Maniaxx 0 Posted July 26, 2015

@litch: Thanks for the 5.3.0 language fix. Works great! There are some bugs in your tutorial though:

    cat ../chinese/IEfile.tar.gz | lzma -d | tar -cf -
    -> cat ../chinese/IEfile.tar.gz | lzma -d | tar -xf -

    cd ...
    -> cd ..

    cp -pr ../../enlangs/* .
    -> cp -pr ../../../enlangs/* .

These are the ones i can remember. No guarantee.

Edit:

    0:4 = 1a d9 60 16 (magic? I don't know, doesn't change afaik)
    -> CRC32

I have reverted the ash fix. My camera is rebooting every 10mins or so with it. What are the restrictions of psh exactly anyhow? The SSH shell seems to be busybox/bash on my device even though psh is started as one of the earlier processes.

Simpson474 0 Posted August 9, 2015

I am also trying to do the 5.3.0 language fix but no success so far: I can successfully split/create the unmodified image using hiktools (version 05R1) but whenever I try changing the "IEfile.tar.gz", there is no success message from the TFTP Server and the camera is inaccessible after flashing. It is enough if I extract the "IEfile.tar.gz" archive and recreate it without modifying any file within.

At the beginning I had the problem that the ownership of the files in the archive was lost if I recreated the *.tar file but this issue has been solved by creating the user and group "ci". Now if I look at the content of the *.tar file I cannot see any difference (the files are not exactly binary compatible but only the order in which the files are displayed differs) compared to the HikVision file but it is still not working. Moreover the LZMA compression according to 7-zip is exactly the same (LZMA:23) as used by the HikVision file.

Could it be that some kind of SecureBoot has been implemented which checks the signature of the files? My DS-2CD2132F-IS camera has already been shipped with firmware 5.3.0 according to the label, maybe it has a newer bootloader on it.

Could someone please provide me his working "IEfile.tar.gz" to verify whether it is also working for me (I can also provide my non-working file if someone wants to test it).

Maniaxx 0 Posted August 9, 2015

The name (ci) doesn't matter. It's the UID/GID that count. Check files with 'ls -n'. Should be 1000/1000 if I remember correctly.

Simpson474 0 Posted August 10, 2015

I tried today using UID/GID 1000/1000 but still no luck. Moreover I tried a very old Linux Live-CD I burnt several years ago but extracting and repacking "IEfile.tar.gz" still caused the camera to be non-functional after flashing.

However, I managed to find on the internet a special downgrade firmware from 5.3.0 Chinese to a hacked 5.2.5 multilingual: this firmware is working fine on my camera.

Maniaxx 0 Posted August 10, 2015

Maybe you tried flashing an English firmware. These don't work at all by design. But the flashing process should work properly nevertheless. Maybe you don't have the latest hiktools or something.

Simpson474 0 Posted August 10, 2015

I also don't understand it. The firmware is Chinese for sure: if I delete the "temp" folder containing the extracted image and execute the following commands I get a working image "temp.dav":

    hiktools05R1.exe split digicap.dav temp
    hiktools05R1.exe create digicap.dav temp

If I now add the further step to replace the "IEfile.tar.gz" (even if I just unpack and repack the file) in the temp directory before executing the second command, the TFTP Update will stop at "Completed file [C:\test\digicap.dav] transmit" and the "Device[192.0.0.64] system update completed!" message will never show up.

litch 0 Posted August 12, 2015

> I also don't understand it. The firmware is Chinese for sure: if I delete the "temp" folder containing the extracted image and execute the following commands I get a working image "temp.dav": hiktools05R1.exe split digicap.dav temp hiktools05R1.exe create digicap.dav temp If I now add the further step to replace the "IEfile.tar.gz" (even if I just unpack and repack the file) in the temp directory before executing the second command, the TFTP Update will stop at "Completed file [C:\test\digicap.dav] transmit" and the "Device[192.0.0.64] system update completed!" message will never show up.

Here's the modified v5.3 CN file, throw that in your "/temp" directory you're using, run hiktool create and see if that works. If it does, double check what you're doing to re-make that file. If it doesn't - something else at fault here; my hiktools is "05r" - perhaps there's a bug in your release?

http://www.filedropper.com/iefiletar

litch 0 Posted August 12, 2015

> I have reverted the ash fix. My camera is rebooting every 10mins or so with it. What are the restrictions of psh exactly anyhow? The SSH shell seems to be busybox/bash on my device even though psh is started as one of the earlier processes.

Thanks for pointing those out Maniaxx (won't let me update the OP though).

PSH is basically a custom shell that locks you in to only issuing a handful of (useless) commands, doesn't allow environment variables, in-line expansion, redirection or any other means to gain access to base functions (cat, grep, etc..) so any "mods" are out of the question at that point.

The davinci binary - essentially the brains of the whole system - periodically checks to validate the initrd and other key filesystems with known CRC values - a mismatch invokes a reboot (which is supposed to overwrite it with the original copy, which in most cases is the one we've modified in the firmware) so unfortunately it would seem my "ASH" fix is a temporary one.

camera115 0 Posted August 13, 2015

Hi bro! Can your solutions be used for my model 2CD-3410FD?

goprojojo 0 Posted August 14, 2015

I followed the instructions in the first post but got stuck with step 8. After extraction I cannot see the file 'initrun.sh' in the temp folder but only these:

    _cfgUpgClass
    _cfgUpgSecPls
    app.img
    uImage

Did I do something wrong? Any help appreciated.

Edit: I skipped step 8 and continued with step 9. However I still cannot remake the file. I get the message 'Unable to open dav file' when I execute this:

    C:\hiktools05R1\hiktools05R1.exe create digicam.dav temp