Hikvision FIRMWARE TOOLS - change language, extract files and create own firmware

Thanks, im reading your thread on the mtd hack right now, brilliant stuff.
First problem i see my fw doenst let me use smb for NAS, just straight NAS which i dont have, maybe it's better if first i install an intermediate firmware and then do the mtd hack? Any suggestion for such firmware?
Going to move on that thread now and read some more, eventually ill ask some questions over there, i am a bit green on cam related stuff and im afraid to mess it up.
 
Hiktools will not change the region of the camera.
It can change the language setting in the header of the firmware which can help avoid a chosen firmware being rejected on an update, and more usefully it can split and recreate the older versions of IPC and NVR firmware.
'RR' doesn't necessarily mean the camera is CH region - I think it's a catch-all for everything remaining after the main regions.

Yeah, the RR thing might have something to do with what just happened:
I dowloaded fw 5.2.0 from hivisioneurope, ran it with hiktools, had this result:

Magic number : 0x484B5753
iHeaderCheckSum : 0x0000C848 [51272]
iHeadTotalLen : 0x000004B8 [1208]
iFileNum : 0x0000001A [26]
iLanguage : 0x00000001 [1] EN/ML
iDeviceClass : 0x00000002
iOEMCode : 0x00000001
iFirmwareVer : 0xFFFFFFFF
iFeature: 0x01352510
Calculated CheckSum : 0x0000C848 [51272]

I tried the remote upgrade from web interface, and as expected i get "language mismatch".

So i use hiktools again with the command "hiktools lang digicap.dav 2"
and i get this result:

Magic number : 0x484B5753
iHeaderCheckSum : 0x0000C849 [51273]
iHeadTotalLen : 0x000004B8 [1208]
iFileNum : 0x0000001A [26]
iLanguage : 0x00000002 [2] CN
iDeviceClass : 0x00000002
iOEMCode : 0x00000001
iFirmwareVer : 0xFFFFFFFF
iFeature: 0x01352510
Calculated CheckSum : 0x0000C849 [51273]

I try the the remote upgrade again from web interface, and i get "language mismatch" again.
So the region is neither 1 or 2, as per the CCRR in the serial code, i guess.
 
Yes, @wzhick has helped many of us fix up some of the Hikvision firmware to work better for us.
But Hikvision (at least on the cameras) keep trying to put further blocks in the way.
They really need to take on board the fact that when they try to stop people making best use of their products, there are plenty of smart folks willing and able to figure their way round those obstacles. It's a pointless exercise that does harm to their brand.
Just look at the ready availability of Chinese-sourced IP cameras at good prices with EN/ML menus.
 
Last edited by a moderator:
Too true and good old CBX is doing very nicely from it, as is a few others, supplying firmware that has a MAC code lock down so the Chinese don't want to share it as it points to who it was given too..
Shame as its so easy to by pass the MAC lock down.
 
Interesting - for cameras, or NVRs, or both?
That may imply custom firmware for each device, given that the MAC address is supposed to be per-device.
Which would imply quite a neat automated build program, to get all the MD5 integrity checks in, and re-do the encryption.
Unless the MAC address is tacked on to the end of the firmware body, which would exclude it from the MD5 scope, and allow standardised firmware.
And therefore make it easy to bypass the MAC address lock.
Just guessing here ...
 
Too true and good old CBX is doing very nicely from it, as is a few others, supplying firmware that has a MAC code lock down so the Chinese don't want to share it as it points to who it was given too..
Shame as its so easy to by pass the MAC lock down.

Pretty sure CBX headed in to the sunset well over a year ago. Sent him some emails over that time and never got a response. Others have taken his place - but as long as can still buy cameras for crazy cheap prices (compared to UK prices anyway) that's fine with me :)
 
Last edited by a moderator:
not unless the sun set is in China, he stepped up the game and went straight to the money.

Toms made a few £ from us charging £11 a pop and swearing all to keep the secret, then let people that paid for his service out in the cold. but this is nothing to the Chinese market.

UK prices are now down to £67+vat for the 2332 so start to be more competitive at last.

Adi-global still to cash sales over the counter but just don't look like a diyer, make sure you know what you want and you'll get it at trade prices.

I've just had 10 4line cameras for £210 Inc each not to shabby.
 
Last edited by a moderator:
You would have to change the (encrypted) "start.sh" Linux startup script, and change the "logo.jpg" logo image file.
And re-package those changes into the firmware, knowing how to handle the tamper protection.
Possible, but not easy unless you know how.
This is how it works:
Code:
echo "----------<2> show logo ----------"
mv -f /home/app/res/logo.jpg /home/app/
echo "show logo $(date)"
/home/app/exec/showlogo
 
Hey, you guys are the bomb figuring all this out!! Kudos.

My problem, looking for gentle suggestions, is that I have 5 DS-2CD3335-I cams. 4 of them are running firmware 5.3.8 build 106801, one of them is 5.3.3 build 150803.
A friend was helping me install the cams and managed to change the password and then forget what he used (putz!) on one cam. I've tried going back to the seller on ebay for a DeviceKey to reset the password sing SADP, but of 3 attempts, none worked.

Is there a way to pull the firmware from one of the other DS-2CD3335-I cams and upload to #5?

I also have a HIK DVR that also is a Chinese hacked version. When the cameras arrived all worked together great, but without the password, I've a lovely paperweight.

I tried the hiktools tool, but the ""Magic number", etc, etc are all way different in the 5.3.8 firmware (I downloaded from HIK China, took a whole day at about 50 B/s)
Here's what i get in hiktools:

Head raw data(108b) :
00000000 8A FF F7 B6 56 EF DD D3 D6 B9 A3 AB BF CB B5 BE ....V...........
00000010 E0 9B E4 D7 CB DD D3 BA 46 5C 54 40 34 4A 41 45 ........F\T@4JAE
00000020 43 01 29 35 22 2C 45 46 5C 54 40 34 84 8C 88 FD C.)5",EF\T@4....
00000030 CE E0 FA ED E1 8B 88 92 9A 8E F9 85 8E 88 FC BC ................
00000040 E7 F8 EF E3 8A 8F 93 9B 8D FA 84 8F 8B FC 8E CE ................
00000050 FA EF E2 BA 37 6E AB 62 3B 79 BF B9 55 1E D3 6F ....7n.b;y..U▲.o
00000060 B1 D3 BA B9 62 8D A5 CA C5 69 C7 41

Head decoded data(108b) :
00000000 30 32 4B 48 80 25 00 00 6C 00 00 00 00 00 00 00 02KH.%..l.......
00000010 2D 27 1A 01 01 00 00 00 FF FF FF FF FF FF FF FF -'→.............
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 31 32 32 30 ............1220
00000030 30 36 30 30 32 31 31 31 31 31 32 30 30 32 31 00 060021111120021.
00000040 31 32 32 30 30 36 30 30 32 31 31 31 31 31 32 30 1220060021111120
00000050 30 32 31 00 8E CD 00 DD F0 CC 01 03 98 A2 2D B9 021...........-.
00000060 6C 00 00 00 C1 26 1A 01 70 D7 7D 8C

Magic number : 0x484B3230
iHeaderCheckSum : 0x00002580 [9600]
iHeadTotalLen : 0x0000006C [108]
iFileNum : 0x00000000 [0]
iLanguage : 0x011A272D [18491181]
iDeviceClass : 0x00000001
iOEMCode : 0xFFFFFFFF
iFirmwareVer : 0xFFFFFFFF
iFeature: 0xFFFFFFFF
Calculated CheckSum : 0x00002580 [9600]

Full decoded data (with full files block):
00000000 30 32 4B 48 80 25 00 00 6C 00 00 00 00 00 00 00 02KH.%..l.......
00000010 2D 27 1A 01 01 00 00 00 FF FF FF FF FF FF FF FF -'→.............
00000020 FF FF FF FF FF FF FF FF FF FF FF FF 31 32 32 30 ............1220
00000030 30 36 30 30 32 31 31 31 31 31 32 30 30 32 31 00 060021111120021.
00000040 31 32 32 30 30 36 30 30 32 31 31 31 31 31 32 30 1220060021111120
00000050 30 32 31 00 8E CD 00 DD F0 CC 01 03 98 A2 2D B9 021...........-.
00000060 6C 00 00 00 C1 26 1A 01 70 D7 7D 8C


Thanks for any suggestions,
Tim
 
Thanks for that note - now I need to go back and start harassing the seller....

Interesting note though, on the 5.3.8 firmware is that if I run hiktools and change the language, it may not appear as per the hiktool notes at the beginning of the thread, but it does in fact change the language. Whether this means anything or not, I've no idea, I'm just saying.....

1 Stock-unchanged.JPG 2 Lang 1 - Chinese.JPG 3 Lang 2 - Eng-Multi.JPG

But having said all of that, does anyone have a hacked version 5.3.8 build 160108 firmware for the DS-2D3xxx series (these are the eyeballs and bullets)
 
Hello!
{Excuse the "clumsy" English (Google Translate)}

tell me how to extract the files from the recorder firmware that they could be run on a computer and make computer similarity DVR / NVR

PS HDD expensive (6GB), and a computer, you can put a few on 2GB
 
tell me how to extract the files from the recorder firmware that they could be run on a computer and make computer similarity DVR / NVR
The English is fine.
You would need to do a lot more than simply extract the files.
This is 'embedded Linux' that is compiled to run in a particular hardware environment / NVR board using an ARM CPU and a specialised DSP.
But there is a good choice of Windows NVR software - check out the forum sections for Blue Iris, Milestone and various others.
 
I know about NVR for windows and even in the same place using
but... as always there are different "but":
windows too much itself loads the computer hardware, as opposed to * nix systems, respectively spent valuable resources that could be spent on more processing chambers golichestva

and the computer has the ability to connect an (almost) unlimited number of HDD

moreover, such a system can run without a graphical interface, which again subtract the load
 
or if there is, the source NVR windows, could be recompiled under *nix

can suddenly, one that is, they (the source)