[MCR] Hikvision packer/unpacker for 5.3.x and newer firmware

montecrypto

IPCT Contributor
Apr 20, 2016
The attached app unpacks and repacks Hikvision firmware for K41/K51 NVRs and R0/R1/R6/G0 cameras. I plan to add support for more hardware, but in many cases I need to buy cameras to extract keys from them. Your donations can help, contribute here if you feel like it:

The binary runs on x64 Linux. Enjoy.

Code:
hikpack v2.5 Hikvision firmware packer/unpacker by montecrypto
*** No expressed or implied warranties of any kind. Use at your own risk ***
Usage:
   hikpack -t <fwtype> -i <src_dav_file>                     print dav file information
   hikpack -t <fwtype> -x <src_dav_file> -o <dst_dir>        extract dav file into directory
   hikpack [opts] -t <fwtype> -p <dst_dav_file> -o <src_dir> pack dav file from source directory
   hikpack -t <fwtype> -d <src_crypted_file> -o <dst_file>   decrypt file
   hikpack -t <fwtype> -g <src_crypted_cfg> -o <dst_file>    decrypt configuration backup file
   hikpack -t <fwtype> -G <src_file> -o <crypted_cfg_file>   encrypt configuration backup file (CRC adjusted if needed)
   hikpack -t <fwtype> -e <src_file> -o <dst_crypted_file>   encrypt file
     -t option sets firmware platform type. Currently supported: cameras: r0,r1,r6,g0 nvr: k41,k51
     ----- The following options are used by the pack (-p) command:
     -L <1,2>      set language id (1=EN, 2=CN)
     -D <YYYYMMDD> set firmware date.
     -V <ver>      set firmware version. Use hex number, e.g.: 0x05040003 for v5.4.3

For whatever reason attachments no longer work, the file is here:

hikpack_2.5.zip — RGhost — file sharing service
 
Well, that's quite a Christmas present!
Many thanks.
I'll have a close look, see if it may save me looking at how the NVR firmware handles CN cameras, haven't figured that out yet.
Does PayPal accept bottles of wine as currency these days?
Packed by montecrypto.
Hikvision, stop wasting R&D on pointless obfuscation!
Lol!
 
Good work and a great release.
 
So is it possible to do this with it? Get the newest global firmware, unpack it and change lang to cn and update to a cn camera and have English language without the language mismatch error?

Yes, but you would also need to patch the kernel and davinci. It is actually easier than that. CN firmware already has EN locale in it; it just needs to be enabled/set as default. For the web UI you can actually do that by changing/forcing the cookie value in your browser.
 
now to work out the patching :)
 
Well, it seems to unpack.
Code:
alastair@PC-I5 ~/montecrypto $ ./hikpack_2.1 -t g0 -x digicap_IPC_G0_CN_STD_5.4.20_160726.dav -o contents
Magic   : 484b3230
hdr_crc : 0000253e (OK)
frm_flg : 1220060021111110021
Magic   : 484b3330
hdr_crc : b41263d4 (OK)
version : 05040014
lang_id : 00000002
date    : 160726
frm_flg : 1220060021111110021
File: _cfgUpgClass, CRC OK, SHA512 OK
File: uImage, CRC OK, SHA512 OK
File: initrun.sh, CRC OK, SHA512 OK
File: r7_app.tar.gz, CRC OK, SHA512 OK
File: g0_app.tar.gz, CRC OK, SHA512 OK
File: IEfile.tar.gz, CRC OK, SHA512 OK
File: help.tar.gz, CRC OK, SHA512 OK
File: g0_modules.tgz, CRC OK, SHA512 OK
File: mpp_modules.tgz, CRC OK, SHA512 OK
alastair@PC-I5 ~/montecrypto $
And as they often have done, Hikvision leave some debug remnants that give some ideas of how to lift the covers a bit. And how not to spell.
Code:
#check_rs232  

#if [ -f "/home/usage232" ]; then
#    echo "davinic1 start"
#    /home/process/davinci&
#else
#    echo "davinic1 start"
#    /home/process/davinci&
#fi
 
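As an added example (not part of hikpack and not from any post in this thread), this Python sketch parses the report format shown in the output above and checks that the header fields, the integrity results and the file name agree before an image is trusted. The file-name layout, reading the low 16 bits of the version as one number, and treating any status other than OK as a failure are assumptions.

```python
import re

# Constructed sample: trimmed from the hikpack output quoted in the thread.
SAMPLE = """\
Magic   : 484b3230
hdr_crc : 0000253e (OK)
Magic   : 484b3330
hdr_crc : b41263d4 (OK)
version : 05040014
lang_id : 00000002
date    : 160726
File: uImage, CRC OK, SHA512 OK
File: initrun.sh, CRC OK, SHA512 OK
"""
LANGS = {1: "EN", 2: "CN"}  # ids from the -L option in the usage text

def decode_version(hexstr):
    # -V help: 0x05040003 is v5.4.3. Reading the low 16 bits as one number is an assumption.
    v = int(hexstr, 16)
    return f"{v >> 24}.{(v >> 16) & 0xFF}.{v & 0xFFFF}"

def parse_report(text):
    """Return (header fields, list of failed checks) from hikpack -i / -x output."""
    fields, failed = {}, []
    for line in text.splitlines():
        f = re.match(r"File: (\S+), CRC (\w+), SHA512 (\w+)", line)
        h = re.match(r"(\w+)\s*: (\S+)(?: \((\w+)\))?", line)
        if f:
            # Assumption: any status word other than OK means the check failed.
            if (f.group(2), f.group(3)) != ("OK", "OK"):
                failed.append(f"{f.group(1)}: CRC {f.group(2)}, SHA512 {f.group(3)}")
        elif h:
            fields[h.group(1)] = h.group(2)  # inner header overrides outer
            if h.group(3) and h.group(3) != "OK":
                failed.append(f"{h.group(1)} {h.group(2)}: {h.group(3)}")
    return fields, failed

def audit(text, filename):
    """List mismatches between the header, the integrity checks and the file name."""
    fields, problems = parse_report(text)
    version = decode_version(fields["version"])
    lang = LANGS.get(int(fields["lang_id"], 16), "unknown")
    # Assumption: names follow digicap_<...>_<LANG>_STD_<version>_<date>.dav as in the thread.
    for label, token in (("version", version), ("lang", lang), ("date", fields["date"])):
        if f"_{token}_" not in filename.replace(".dav", "_"):
            problems.append(f"{label} {token} not in file name")
    return problems
```

An empty list from `audit` means the report is internally consistent; it says nothing about who built the image.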
Has anyone gotten repacked/converted firmware to successfully load on a camera? If so, please post details of the camera and firmware version, I am trying to test this for an IPVM report.
Thanks!
 
IPVM is OK, but it's overpriced and misses out a lot of true information, so much so that IPCAMTALK is a much better place, so much so that it's free for all, and the people here know what we're talking about. All the best help and workarounds come from here, and free.
 
Instead of trying to get many cameras, you could tell how to extract such a key so people can do it on their own camera and send you the key? This way you will add many more keys.
 
We'd all need a desoldering station...
I do have one ;-) but if it requires physical hardware access/modification then yes, it's not that easy. I thought it was something like grabbing some file inside the camera in serial debug mode, for example.

But what component desoldering would it be? The ROM, to access some hidden block?