Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

wzhick

Dec 29, 2014
Firmware Mod Tool for Hikvision NVR and IP camera devices.

What is this tool?
It’s a short piece of code that makes it easily possible to change the ‘Language’ flag on the firmware update files that Hikvision provides for their range of NVRs and IP cameras. The user does not need programming expertise to use this tool.
The tool also provides some advanced facilities to extract the contents from the main body of a firmware upgrade file for inspection or further development. The tool can also re-package the updated, changed or added contents into a new firmware update file that can be applied to the IP camera or NVR as a normal upgrade.

Why would I need it?
It’s common that after purchasing Hikvision IP cameras and NVRs from low-cost sources such as Chinese internet-based sellers, users encounter some problems such as ‘Language mismatch’ when trying to integrate the devices or update the firmware. Hikvision applies ‘Region codes’ and ‘language flags’ to their IP cameras and NVRs and to the associated firmware updates, and tries to ensure their products are sold via their ‘Authorised Distributor Network’. Sellers can modify internal region and language settings in various ways to cheaply sell products from one region in another region, in a way that can cause later problems for the buyer when updates are attempted.
Advanced users can modify or add files to the firmware image, to customise the capabilities and behaviour of their IP camera or NVR.

How does the tool work?
The tool scans and decodes the NVR or IP camera firmware update file that the user would like to use to update the device, and allows the ‘Language flag’ to be changed, such that ‘Language mismatch’ errors that occur on an attempted update can be eliminated.
The tool extracts all the individual files from the main section of the firmware upgrade file, making them available for inspection or changing.

How do I use it?
The steps are straightforward, but do need some care to be taken, and require an understanding that although the tool is reliable and has been tested, it may not take account of future changes such as the firmware update file structure being re-engineered, or new checksums being incorporated.
Please proceed as follows:

- Have available a Windows PC, with the Hikvision Support Tools package available, which mainly consists of a TFTP server and the instructions on how this can be used to recover a failed firmware update on an NVR or IP camera. A good source of information on this are the many threads on Hikvision devices in the forum www.ipcamtalk.com

- Store in a folder on the PC the NVR or IP camera firmware upgrade file that you would like to use, along with the ‘hiktools.exe’ firmware mod tool program. This could be the same folder as used by the TFTP program.

- Ensure the NVR or IP camera is powered on and connected to the same local network as the PC, and ensure that you can log on to the web admin GUI with an administrator account (usually admin).

- On the Windows PC, start a command-line window, usually with ‘Start | CMD’. Change the drive and directory to that holding the hiktools.exe program.

- First check that the firmware file to be changed can be correctly decoded. Assuming that the firmware filename is ‘digicap.dav’, execute the following command:
hiktools digicap.dav
and inspect the result on the screen.
The tool will show the header raw data, the header decoded data, a summary of key values in the header, and the full decoded data including a list of the embedded files and their checksums.
An important value to check in the summary of key values is that the ‘magic number’ is ‘0x484B5753’ and that the iLanguage value is 1 or 2. The iHeadTotalLen varies with the number of files in the main section of the firmware update file. The value is 64 bytes plus 44 bytes x (the number of files held in the main section). This can be 108 for NVR firmware that typically has a single CRAMFS image, and 1208 for camera firmware holding 26 files. This should give a reasonable confidence level that the file is in a format that can be decoded. If the results do not match these values – DO NOT PROCEED further.

- Make a backup copy of the original firmware file with the following command:
‘copy digicap.dav digicap.dav.backup’

- At this point it is possible to simply change the ‘Language flag’ by executing the following command, using ‘1’ for English or Multi, and ‘2’ for Chinese device. If you want to flash English firmware to a Chinese IPC or NVR you need to set the language to 2:
hiktools lang digicap.dav 2

- The modified firmware file is now ready to be applied to the NVR or IP camera. Log in to the web admin GUI, and use the ‘Configuration | Maintenance | Remote Upgrade’ menu to select the new firmware file, and click the ‘Upgrade’ button. Observe the progress indicator, and the reboot progress. After reboot, check that the ‘Language mismatch’ problem has been eliminated.


Advanced use of the Firmware Mod Tool

In addition to the ability to modify the language flag in a firmware update file, the tool can be used to split the firmware file into its header section and all the component parts of the main or rootfs section, and also to create a new firmware file by joining a header section to a new main section that holds files from within a specified folder where the user may have modified the contents.
This clearly provides opportunities for customising the behaviour of your NVR or IP camera, however it is suggested that these facilities should only be used by those knowledgeable in the structure and practice of embedded Linux firmware files as implemented by Hikvision in their NVR and IP camera products.
For reference, the advanced commands of the firmware mod tool are as follows:

hiktools split digicap.dav destinationdir
The output on the screen lists the names of the files extracted from the main section of the firmware file. These files are created in the specified destination directory, and can be inspected and used when the extraction is complete.
In the version 03R and later of the hiktools program, there is a facility to recombine the extracted files, some of which the user may have since modified, or added to, into an original, valid firmware file that could be used by the firmware upgrade process in the IP camera or NVR. It is therefore possible for the user to modify and customise the IP camera or NVR behaviour should they wish to do so.

hiktools create header_from_digicap.dav sourcedir
The tool creates a new firmware file by combining the header extracted from the first argument with the contents of the directory from the second argument. Those contents could be files previously extracted, some of which were since modified, or with additional files to be included in the firmware image.


Special thanks to alastairstevenson

UPDATE 19-06-15

version 05R1
1. Fixed minor bugs
 

From my side, I think this is a great idea to have this kind of tool.
Make sense somewhere.
I didn't try it yet, but idea is great,
Thanks +++
 
It sounds like you are really impressed with this tool from your comparison.
Not quite the same purpose behind them though. Helping people vs destroying people.
It's always sad when we get reminded of 'man's inhumanity to man' by bad events around the world.

There - I have changed the tone a bit.

*Edit* The post above this from iTuneDVR that my comment referred to has been deleted. So it stands a bit oddly now, not having the reference to nuclear bombs.
 
I am very glad that another man (he is Russian ;) too) solved this problem.
Publish its decision - it's his private right!
However, a kitchen knife can chop the cabbage, not only for the soup.
:(

We all see the results of this in the near future.
I waited for someone to publish it, so that I could move forward in the research
;)
 
- At this point it is possible to simply change the ‘Language flag’ by executing the following command, using ‘1’ for English or Multi, and ‘2’ for Chinese. If you want to flash English firmware to a Chinese IPC or NVR you need to set the language to 2:
hiktools lang digicap.dav 2

Can someone please explain this? The screenshot shows Language = 1 for English. The first sentence here says to use 1 for English. The second sentence here says to use 2 for English.
 
What the sentence says is that if you want to flash English firmware (ie has language flag=1 in its header) to a Chinese camera (that internally has language flag=2 in its flash storage) then if you use the tool to set the firmware language=2 in the firmware header the camera will accept the firmware as an upgrade without complaining about a 'language mismatch'.
 
I've taken this program, run through all the options and works as advertised, so kudos wzhick for publishing this and good to see fellow hackers contribute what they know.

Changing the firmware flag to English and loading English firmware will not make your camera English. What I did is replaced the IEfile.tar.gz with the one I previously offered in English and Russian, created a new digicap.dav file with this tool and did a firmware update and a Chinese camera now has English or Russian menus. Don't confuse that with making the region code permanently English and with just that fix alone, the day of week is still in Chinese but this takes the development process to the next level and feel we are close to better solution.

For those working on this effort, I found that a firmware update, besides updating files in the dav directory, also updates MTD9 & 10 via a file called himage in the firmware as well as MTD11 & 12 by a file called hroot.img. I feel somewhere in there is the key to the Chinese day of week problem.
 
I checked two cameras, one unhacked but Chinese, one hacked to English, both same model, same batch of cameras. The kernel MTD9/10 files were identical, the MTD11/12 are different, so for now, I feel the key to making the day of week English is in the MTD11/12 files referred to in the MTD mapping as rmd_pri and rmd_sec but they are identical to each other. So need a closer look at the hroot.img file in the firmware.
 
and that is exactly what i come to yesterday, i compared original non patched 5.2.0 to custom 5.2.0 (from 1st post http://www.ipcamtalk.com/showthread.php?1078-Firmware-5-2-0-in-English&highlight=raptor+dav) with language flag set to Chinese, that custom img is described as multilanguage.
i suspected that hack was made to davinci file but that was not true, the only file that was different was hroot.img which is gzip (with header that needs to be cut) containing initrd, which is root of filesystem (with busybox, etc),
so there is other way to fool davinci file that cam is region 1 despite it has region 2 in mtd5/6, wonder what is it.

file can be mounted via loop and it is ext2 img, time to compare files with normal one

edit:
found interesting file: check_rs232 with interesting strings inside:

ďAES Decryption Has Failed !!

Registered to: sammihuang@uin-tech.net
NaN PatcherChanger v1.4.0 ---


check_rs232 is normally part of busybox and is executed in normal images always at start in initrun.sh
so that file prolly does all the magic but gotta find out what exactly and is it 5.2.0 only

(file is packed by an executable compressor, sth like upx but it's not that, maybe custom one)
 

Thanks for this wzhick, it seems to be a great tool. However, I am running into an issue with my 2 cameras that I've tried this on. Both are currently on 5.2.5, but in Chinese. I applied the tool and successfully converted the digicap.dav file over to English, but when I go to upgrade the firmware remotely, even though it says firmware upgrade successful, it is still in Chinese? Is this because I am going from 5.2.5 -> 5.2.5? Thanks!
 
Just to be clear - the firmware tool can manipulate the language flag of the firmware to match that held within the flash area of the camera, so that the camera firmware upgrade process does not reject your chosen firmware.
But what it's not doing is changing the language setting of the camera itself.
Did you use an English or Multi-language firmware file for the upgrade?
 
If you have a Chinese IPC, you need to download the original English firmware from the Hikvision site.
Next, use this tool on the firmware and change its language flag to Chinese.
Next, upload modified firmware, reboot and select english language.
 
I used this tool with a DS-7104N-SN NVR and English/ML firmware, changing the flag to 2, the Chinese language option.
Firmware version V3.0.10 build 141128
Encoding version V5.0 build 141127

Upgrade is going ok with EN/ML firmware, but after reboot the menu is still Chinese and there is no option to choose English.

Anybody changed language NVR using this tool ?
 
It's funny you say that about check_232 because in the camera hacked to English, the initrun.sh has it in a different order than the original firmware.

So I did what you said, used binwalk -e hroot.img and it extracted the initrd file (first 64 bytes is the header) which I mounted using "mount -o loop initrd /mnt/initrd" and what it looks like is when the camera gets bricked with a bad firmware update. You can do ls and see that it has the same/similar directory structure, but most of it is empty. So this is the kernel that initially is booted by the bootloader before MTD13 is used as the kernel (mounted by /etc/profile). Now to find what's different between this and the hacked one.

drwxr-xr-x. 2 root root 1024 Jul 10 2014 bin
drwxrwxrwx. 2 root root 1024 Jul 10 2014 config
drwxrwxrwx. 2 root root 1024 Jul 10 2014 dav
drwxrwxrwx. 2 root root 1024 Jul 10 2014 davinci
drwxrwxrwx. 2 root root 1024 Jul 10 2014 dev
drwxrwxrwx. 6 root root 1024 Jul 10 2014 etc
drwxrwxrwx. 2 root root 1024 Jul 10 2014 home
drwxrwxrwx. 3 root root 2048 Jul 10 2014 lib
lrwxrwxrwx. 1 root root 11 Jul 10 2014 linuxrc -> bin/busybox
drwxrwxrwx. 13 root root 1024 Jul 10 2014 mnt
drwxrwxrwx. 2 root root 1024 Jul 10 2014 opt
drwxrwxrwx. 2 root root 1024 Jul 10 2014 proc
drwxrwxrwx. 2 root root 1024 Jul 10 2014 root
drwxr-xr-x. 2 root root 1024 Jul 10 2014 sbin
drwxrwxrwx. 2 root root 1024 Jul 10 2014 srv
drwxrwxrwx. 2 root root 1024 Jul 10 2014 sys
drwxrwxrwx. 2 root root 1024 Jul 10 2014 tmp
drwxrwxrwx. 5 root root 1024 Jul 10 2014 usr
drwxrwxrwx. 3 root root 1024 Jul 10 2014 var
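
The carving step described in the two posts above (cut the leading header off hroot.img, gunzip the rest, confirm the result is an ext2 image), as an added example that is not code from any poster or from hiktools. The sample image is constructed, and the 64-byte header contents, the decoy bytes and the output cap are assumptions; the SHA-256 of the carved filesystem lets a stock hroot.img be compared with one from a third-party firmware file.

```python
import gzip
import hashlib
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM=deflate (RFC 1952)
EXT2_MAGIC_OFFSET = 1024 + 56     # s_magic inside the superblock at byte 1024
EXT2_MAGIC = 0xEF53
MAX_OUTPUT = 64 * 1024 * 1024     # assumed cap: never inflate more than 64 MiB


def carve_gzip(blob, max_output=MAX_OUTPUT):
    """Return (offset, data) for the first gzip member that inflates cleanly."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 = gzip framing
        try:
            data = inflater.decompress(blob[pos:], max_output)
        except zlib.error:
            data = None               # magic bytes matched by chance, keep scanning
        if data is not None and inflater.unconsumed_tail:
            raise ValueError("payload larger than max_output, refusing to inflate")
        if data is not None and inflater.eof:
            return pos, data
        pos = blob.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no valid gzip member found")


def inspect_image(blob):
    """Summarise an hroot.img-style blob: where gzip starts, ext2 check, digest."""
    offset, fs = carve_gzip(blob)
    is_ext2 = (len(fs) >= EXT2_MAGIC_OFFSET + 2 and
               struct.unpack_from("<H", fs, EXT2_MAGIC_OFFSET)[0] == EXT2_MAGIC)
    return {"gzip_offset": offset, "size": len(fs), "ext2": is_ext2,
            "sha256": hashlib.sha256(fs).hexdigest()}


def make_sample(marker):
    """Constructed stand-in for hroot.img: 64-byte header + gzip'd ext2-like image."""
    fs = bytearray(4096)
    struct.pack_into("<H", fs, EXT2_MAGIC_OFFSET, EXT2_MAGIC)
    fs[2048:2048 + len(marker)] = marker       # stands in for a changed file
    header = b"HDR" + GZIP_MAGIC + b"\xff" + bytes(57)  # holds a decoy gzip magic
    return header + gzip.compress(bytes(fs))


if __name__ == "__main__":
    stock = inspect_image(make_sample(b"stock"))
    other = inspect_image(make_sample(b"patched"))
    print(stock)
    print("images differ:", stock["sha256"] != other["sha256"])
```

Matching digests mean the two root filesystems are byte-identical; a mismatch is the cue to mount both images read-only and compare them file by file.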





