Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

CCINDY

Can someone share the bootargs? I believe I changed the bootargs and saved it. The bootargs is wrong.
 

YetiMusk

Not sure if I should be posting here or starting a new thread so mods feel free to delete and I'll start new thread if that's preferred.

I've got a DS-7716NI-I4/16P that I seem to have had a problem firmware updating resulting in changed passwords, strange characters in username field on NVR Monitor, etc.

I've got a USB to TTL adapter that I have hooked up a few different ways to the 5 pin connector on the board which goes to the RS-232 plug on the outside of the box (don't have that type of cable handy).

There are several different combinations of hooking the wires up in which Putty will display the bootup sequence but no matter how the ground, Tx and Rx to the board, I am unable to stop the bootloader or get characters to display at any point.

Additionally, after getting fully booted up, whatever that means, it goes into a regular loop of 5 beeps, 3 closely spaced then 2 quicker beeps. About 30 seconds elapse and it does the 5-beep routine again.

This is what I'm seeing:

U-Boot 2010.06-svn (Dec 28 2015 - 10:42:45)[V1.2.1]

Protected at offset: 0x0, size:0x40000 Protection status:[0x22f]=>[0x22f].
Hit ctrl+u to stop autoboot: 0
Mounting yaffs2 mount point/partnum: nand/0
Configures yaffs mount nand success!
Copy /nand/uImage to 0x42000000... [DONE]
timeout wait for link failed!
## Booting kernel from Legacy Image at 42000000 ...
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
[ 0.000000] need to Authorization
[ 2.398089] init(1) called reboot syscall, cmd: 0x0.
[ 53.572223] libphy: STMMAC FIXED MII:01 - Link is Up - 1000/Full
[ 134.719467] [APP]dvr_main_sc1900<2081>: tty unauthorized
[ 134.744840] [APP]dvr_main_sc1900<2081>: !!!!!!!!!!!!!!!sc_hicore is start ok time[1631710271]!!!!!!!!!!!!!!!!
 

alastairstevenson

> I've got a USB to TTL adapter that I have hooked up a few different ways to the 5 pin connector on the board which goes to the RS-232 plug on the outside of the box (don't have that type of cable handy).
>
> There are several different combinations of hooking the wires up in which Putty will display the bootup sequence but no matter how the ground, Tx and Rx to the board, I am unable to stop the bootloader or get characters to display at any point.

The NVR uses RS-232 on the DB9 connector on the back panel - not serial TTL.
The signal levels are quite different between the 2 standards.
RS-232 is bipolar 3 to 15V
Serial TTL is unipolar at 3.3V.

You will need an RS-232 interface, such as a USB-based adaptor version, configured as a null modem connection.
With that you will be able to fully interact with the NVR.
When you hit Control-U, there will be an update dialogue that will allow you to install the same firmware version as you have already applied.
The difference will be an implicit 'reset to defaults' that will clear the mangled configuration database that's the cause of the corrupted admin credentials.
You will need a tftp server such as the Jounin one - Hikvision's tftp updater doesn't handle files larger than 32MB.

This was a common problem when jumping too many firmware versions getting to the NVR 4.x firmware.
Hikvision eventually acknowledged the issue and created an updated firmware that handled the transition better.
 

YetiMusk

> The NVR uses RS-232 on the DB9 connector on the back panel - not serial TTL.
> The signal levels are quite different between the 2 standards.
> RS-232 is bipolar 3 to 15V
> Serial TTL is unipolar at 3.3V.
>
> You will need an RS-232 interface, such as a USB-based adaptor version, configured as a null modem connection.
> With that you will be able to fully interact with the NVR.
> When you hit Control-U, there will be an update dialogue that will allow you to install the same firmware version as you have already applied.
> The difference will be an implicit 'reset to defaults' that will clear the mangled configuration database that's the cause of the corrupted admin credentials.
> You will need a tftp server such as the Jounin one - Hikvision's tftp updater doesn't handle files larger than 32MB.

Thank you so much for your reply!

I've got the RS-232 to USB cable and a null modem adapter on the way thanks to Amazon, as much as I'd prefer to do business locally.

> This was a common problem when jumping too many firmware versions getting to the NVR 4.x firmware.
> Hikvision eventually acknowledged the issue and created an updated firmware that handled the transition better.

Unfortunately, I read the memo at us.hikvision.com after updating firmware. How it wasn't as clear at www.hikvision.com/en, I don't know.

I'll post an update tomorrow afternoon!

Thanks again!
 

YetiMusk

> I'll post an update tomorrow afternoon!
>
> Thanks again!

Ok, so I'm able to interact with the NVR now but cannot figure out how to configure Tftpd64 correctly. I've read lots of posts and no one seems to talk about how to set it up. I've got the firmware file in the Tftpd64 folder, that folder is set as current directory, server interface is set to 192.168.1.128 (NVR is at 192.168.1.2 according to SADP) and all I'm seeing in Putty are a bunch of

T T T T T ...... followed by retry count exceeded; starting again.

I've tried telling the NVR it's at 192.0.0.64 and the server is at 192.0.0.128 (obviously set the IP address accordingly) and achieve similar results.

Point me in the right direction?
 

alastairstevenson

> server interface is set to 192.168.1.128 (NVR is at 192.168.1.2 according to SADP) and all I'm seeing in Putty are a bunch of
>
> T T T T T ...... followed by retry count exceeded; starting again.

T is for timeout.
Presumably the IP addresses are not matched and the NVR can't contact the tftp server.

The usual update dialogue at the bootloader when interrupted by Control-U asks for the address of the tftp server - this will be the PC IP address, and also asks what IP address to use for the NVR.
This needs to be an unused address in the same range as that used by the PC.
This is just a temporary address, and is not related to the address seen by SADP when the NVR has booted.

Can you confirm what dialogue you are seeing when you interrupt the bootloader?
I'm assuming it's the menu-driven update dialogue.
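
An added example, not part of the original posts: a PC-side check for the 'T T T T' timeouts discussed above. It confirms the two addresses given to the update dialogue are distinct and in the same range (a /24 mask is assumed), then sends one TFTP read request (RFC 1350) to see whether the server answers at all. The file name FIRMWARE.dav is a placeholder.

```python
import ipaddress
import socket
import struct

def same_range(server_ip, nvr_ip, prefix=24):
    """True if the addresses are distinct hosts in one subnet (/24 is an assumption)."""
    net = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    return server_ip != nvr_ip and ipaddress.ip_address(nvr_ip) in net

def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, file name, NUL, transfer mode, NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"

def parse_reply(packet):
    """Classify the first packet a TFTP server sends back."""
    if len(packet) < 4:
        return ("malformed", None)
    opcode, _value = struct.unpack("!HH", packet[:4])
    if opcode == 3:  # DATA: block number, then up to 512 bytes of the file
        return ("data", len(packet) - 4)
    if opcode == 5:  # ERROR: error code, then a NUL-terminated message
        return ("error", packet[4:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return ("unexpected", opcode)

def probe(server_ip, filename, port=69, timeout=3.0):
    """Send one read request; a 'timeout' here is what the bootloader prints as 'T'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (server_ip, port))
        try:
            packet, _peer = sock.recvfrom(2048)
        except socket.timeout:
            return ("timeout", None)       # no listener reachable, or traffic filtered
        except ConnectionResetError:
            return ("refused", None)       # Windows reports a closed UDP port this way
    return parse_reply(packet)

if __name__ == "__main__":
    # Constructed inputs: addresses as tried in the thread, placeholder file name.
    for pc, nvr in [("192.168.1.128", "192.168.1.3"), ("192.0.0.128", "192.0.0.64")]:
        print(pc, nvr, "same range:", same_range(pc, nvr))
    print(probe("192.168.1.128", "FIRMWARE.dav"))
```

Run it on the PC itself and from a second machine on the same switch: a reply locally but a timeout from the other machine points at filtering on the PC rather than at the TFTP server.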
 

alastairstevenson

Another possibility - some AV products have network access protection that may prevent the NVR from accessing the PC.
If so - temporarily disable the Windows firewall, so inbound access isn't blocked, and any AV that's running.
 

YetiMusk

Yes, it's the ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY...... followed by the press u/U key to upgrade

I've tried direct connection using 192.0.0.64 and 192.0.0.128 as well as through a switch using the same and 192.168.1.2 (what SADP sees the NVR as) 192.168.1.3 (open) with the laptop set to 192.168.1.128
 

YetiMusk

> Another possibility - some AV products have network access protection that may prevent the NVR from accessing the PC.
> If so - temporarily disable the Windows firewall, so inbound access isn't blocked, and any AV that's running.

Windows Firewall/Defender is disabled.

> As a long shot - also try the tftpd32.
> Some members have reported problems when using the tftp64.

Tried that and same result, T T T T T
 

YetiMusk

I literally just need to have the .dav file in the Tftpd64/32 directory and run the program, correct? I tried some of the settings like disabling DHCP and setting Security to None as suggested in OP's post and same thing.
 

alastairstevenson

> I literally just need to have the .dav file in the Tftpd64/32 directory and run the program, correct?

Yes, that's all that's needed, and IP addresses in the same range.
It should 'just work'.

There are other things you can try to figure this out:
After the Control-U bootloader interrupt, at the 'Update' menu, use the command 'b' to get to a bootloader prompt.

printenv will list the environment variables.
help will list the available commands. I'm hoping that 'ping' is amongst them.
Suggestion -

setenv serverip <PC_IP_address>
setenv ipaddr <NVR_IP_address>
ping <PC_IP_address>
ping <router_IP_address>

Maybe also try the update command 'update' or 'upf' if it exists.
 