HIKVISION mtd Brick Recovery Guide

whoslooking

IPCT Contributor
Oct 3, 2014
1,524
548
London
HIKvision MTD Brick Recovery


This is to recover you bricked camera, after trying to do the MTD5 & MTD6 and failing.


You will need the 5.2.5 firmware get it here.




Also Hikvision's tftp updater and an ftp program (I use Cute ftp) & of course Telnet.




You will also need your original mtd5 & mtd6 files.


Set your PC IP to 192.0.0.128


1st run the tftp updater (with the 5.2.5 file in the tftp folder) let it update and finish, but don't close it!
now run Telnet and logon to the camera with


192.0.0.64
User= root
password= 12345


Now type


- ftpd &.


(Don't close Telnet)


This will start the ftp service on the camera.
Now using your FTP Program login in to the Camera.


192.0.0.64
User= root
password= 12345


Now copy over your mtd5 & mtd6 files with ftp to /tmp/ (name your files mtd5_temp & mtd6_temp).


Now back to Telnet.


cd /tmp/
cat mtd5_temp > /dev/mtdblock5
cat mtd6_temp > /dev/mtdblock6


Now close tftp updater & FTP Program.


Now back to Telnet.


reboot.


All done your camera will now restart and if you followed this correctly, you won't have a brick any more.
 
Last edited by a moderator:
The trick of course is taking a backup copy of mtdblock5 & 6 before making any changes ...
This can be done when the camera has booted normally, at the configured IP address, using telnet or SSH if you've enabled it. And having one of several ways to get the data off the camera.
My favourite is configuring a NAS destination in the camera, then checking the path that you can 'cd' to using 'mount'.
Then something like:
cat /dev/mtdblock5 > mtdblock5_orig
cat /dev/mtdblock6 > mtdblock6_orig
 
Think I've come to the realization this 2332 is really bricked. Tried all the methods I could find but no joy. Continuously reboots before firmware has a chance to load and every now and then on endless cycling it catches a boot. Can't find any open ports then all of a sudden during a subsequent scan ports 22 and 23 are only open. Allows me to Tftp a firmware. Any will load on the cam tftp'd. wait 10 min just to be sure but nothing. I made the mistake not reading through all the treads before starting this and well...

Big thank you WHOSLOOKING. I found the 525.zip by searching your name for your previous posts.
 
If you have your original files the above guide should solve your issues, if you used HxD to edit the files it also makes a backup of the original files you edited. If you deleted them by mistake then use windows restore or undelete to recover them. But the most important thing is having the correct firmware for the region of camera.
Also if you have another camera you could try to clone it, by copying all mtd files over but this won't work on the same network as the original.
 
I gotcha but the problem is it doesn't boot the camera always during a power off/on cycle. reboots before loads firmware completely and tired of waiting hours for it to maybe catch during a rebooting cycle. Gona put it off to the side for now and work on other projects like a hik DS-2CD2942F fisheye I been eyeing
 
HI Whoslooking
Thanks for you post. I tried the steps, but shows: # cat mtd5_temp > /dev/mtdblock5cat: write error: No space left on device. Any advise? thank you
 
Ok, you have copied to much onto the camera, start again by doing the tftp upgrade, then do one file at a time.

i.e do mtd5 then do it all again for mtd6
That will over come limited space. Or you could delete the digicap.dav that is copied onto the camera during the tftp as it not needed to do the mtd repair.
 
Big thanks to whoislooking, now 3 bricked cameras are recovered. Althoug chinese only, but you new post about mtd hacking will solved the problems. Thanks
 
  • Like
Reactions: whoslooking
It's best solution. I have NVR with PoE, but I bought also 24p GLAN switch with PoE. Now I access cams directly from network and also in NVR.
 
Also if you have another camera you could try to clone it, by copying all mtd files over but this won't work on the same network as the original.

What do you mean by this? Copy the mtdblock5 and mtdblock6 files off a working camera and then place them on the bricked camera? Or copy all the mtdblock files from a working camera to a bricked one?

And what do you mean won't work on the same network?
 
mtdblock5 & 6 hold the 'hardware descriptor block' which tells the firmware about things such as the hardware environment it's running in, so that the same firmware can be used for a variety of different camera models.
Amongst other things defined is the network 'MAC address' which needs to be unique for networking to operate. 2 devices with the same MAC address on the same network will clash and this will kill their ability to communicate. But the MAC address values on the cloned camera could be tweaked easily enough, just like the language setting.
The MAC address is bytes 35-4A. Any value could be increased or decreased, with the opposite change made to the checksum in 04,05 (04 is the least significant byte) as per @whoslooking guide for maintaining checksum integrity.

I was mulling over your camera bootup problem and recalled that I had similar symptoms (firmware requiring an initramfs instead of an initrd format for the skeleton ramdisk) on a 3332 camera where I'd been experimenting with changing values in the hardware descriptor block.
Byte 0x56 in mtdblock6 was 01 in a 2432 and 00 in the 3332, so as an experiment I changed it to 01 and the 3332 would not boot - complained about 'junk in initramfs'. When I changed it back to 00 the 3332 was OK again.
Byte 56 in the NVR hardware descriptor block, which is very similar to that in the 2xx2 cameras, is labelled 'Zone' though I don't know what that's referring to.

As you've already explored replacing mtdblock11 (where initrd resides) certainly my next experiment would be replacing mtdblock6 and 5. It's a pity I don't have one of these new manufacture cameras to experiment on.
 
Last edited by a moderator:
I am new to Hikvison camera and got DS-2C2132F-IS recently. Noticed a new firmware (5.3.0) available today and blindly upgraded, and since then it is ininfinite boot loop. I have not saved the original mtd5 and mtd6 files before upgrading to 5.3.0. Is there a way to recover my cam? Can mtd5 and mtd6 files from some other cam be used to recover?
 
If you didn't modify the mtdblock5 & 6 files to cause the bootloop - you don't need to replace them.
I think your best approach to fix this problem is to use the TFTP recovery method to install an earlier firmware version.
Which version will work OK depends to some extent on when your camera was manufactured, so maybe a couple of attempts with different firmware will be needed.

Instructions and Hikvision-specific TFTP server here:
http://www.hikvision.com/europe/down...re.asp?id=1336
It must be the Hikvision-specific Windows TFTP server (Says Hikvision TFTP Server in the window title bar) because the camera does a Hikvision-specific handshake with it before it will use it.
The digicap.dav firmware file needs to be placed in the same folder as the tftp executable, and the PC must have a static IP address of 192.0.0.128
All very specific.
And best not to connect the camera and PC directly with a network cable - wire each into a router or switch with their own cable. The router and switch doesn't have to be isolated from the normal network.

Now you need to pick a firmware version to try.
As a start maybe the 5.2.3 from here: http://www.hikvisioneurope.com/portal/index.php?dir=Product Firmware/Cameras/DS-2CD2xx2/
Plenty more in that list.
If it works - the camera will likely display in Chinese, as you have replaced the original seller-modified firmware which will have been tweaked to show English.
So if / when you get to that point - plenty of threads on the forum here to deal with that.
Good luck and let us know how you get on.
 
  • Like
Reactions: mamuli
Thanks for the detailed instructions alastairstevenson. I will give it a shot later in the evening. Meanwhile, here are some more details in case it matters wrt the recovery steps you provided for me:
  • Firmware version before upgrade - 5.2.5
  • Firmware version on the label outside the camera - 5.3
  • Language ID (shown when I ran ptrHardInfo) - 1
  • Bought if from a Chinese seller on eBay

Thanks once again!
 
What ebay seller did you use?