How to - Fix your 15-beep-bootloop Hikvision DS-76xxN-Ex NVR, or convert to EN and make it updatable

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Here is a worked example of how to permanently change a Hikvision China language DS-76xxN-Ex NVR to an EN language device that will then take the stock EN/ML firmware.
I've used a few Hikvision CN NVRs, bought at low cost off Aliexpress, and typically installed 'hacked to English' firmware to gain access to the newer firmware fixes and added features.
I thought it was time to do something different, and maybe also help out any forum members who want to update their firmware, or to unbrick devices that are suffering from the '15 beep bootloop' after an update.

This example was carried out on a Hikvision DS-7608N-E2/8P purchased at very low cost as a 'bricked' device from an on-line marketplace. Not eBay.

**Note**
This basic method will not work when the NVR was manufactured with an encoded version of the 'hardware descriptor block' as opposed to the plaintext version shown as an example here.
That requires some extra work.

The steps are summarised as follows :
- Connect up to the NVR serial console using a 'serial TTL to USB convertor'.
- Gain access to the bootloader by interrupting the boot process.
- Start a normal tftp server such as from TFTP server and set IP addresses to match.
- Pull a copy of the (normally hidden and protected) first half of mtdblock1. This holds the device 'hardware descriptor block'.
- Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed.
- Write the modded section back to mtdblock1
Job done!
And the DS-76xxN-Ex NVR is now upgradeable.


This is a transcript of how to extract the normally hidden first half of mtdblock1, that holds the familiar 'hardware descriptor block'.
Code:
Uploading the first (hidden) half of mtdblock1 to do the
MTD hack on the hardware descriptor (bootpara) block.
For convenience, just temporarily changing the device and tftp server IP addresses.

-------------------------------------------------------

HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS #
HKVS #
HKVS # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - Burn an boot image on the Boot Flash.

cmp     - memory compare
cp      - memory copy
cpld    - write cpld info to  encrypt media

cramfsload- cramfsload  - load binary file from a filesystem image
cramfsls- cramfsls      - list files in a directory (default /)
crc32   - checksum calculation
ddr     - ddr training function
erase_env- erase envirement info on flash

getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftp    - tftp  - download or upload image via network using TFTP protocol
update  - Update the digicap of the device.

version - print monitor version
HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS #
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS # tftp 0x80400000 mtd1_part1 0x20000
MAC:   8C-E7-48-76-BF-4D
TFTP to server 192.168.1.99; our IP address is 192.168.1.214
Upload Filename 'mtd1_part1'.
Upload from address: 0x80400000, 0.128 MB to be send ...
Uploading: #    [ Connected ]
#
         0.128 MB upload ok.
HKVS #

This is a transcript of how to apply the modded first half of mtdblock1, showing that the NVR now boots normally, no more 15-beep bootloop, and shows as an EN language device.
In this case it's still running the EN/ML firmware that 'bricked' it. It was then updated to the latest firmware version via the web GUI.
Code:
This is the bootpara edit to change language to EN from CN.
It's the same layout and method as the MTD hack on R0 cameras.
The aim is to get to :
--------------------------------------
language = 1
devType:DS-7608N-E2/8P
--------------------------------------
Initially we have the 15-beep bootloop due to EN/ML firmware
being loaded on a CN language NVR - DS-7608N-E2/8P
-----------------------------------------------------------

!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device is illegal, Please call factory!!!!!!
!!!!!!!you Device buy in cn, you firmware is en err!!!!!!



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0

This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS #
HKVS #
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=177M console=ttyS0,115200n8
ethaddr=8c:e7:48:76:bf:4d
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Environment size: 458/4092 bytes
HKVS # setenv serverip 192.168.1.99
HKVS # setenv ipaddr 192.168.1.214
HKVS #
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd3 000000f4 00010000    SWKH............
8041e010: 00000002 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # tftp 0x80400000 mtd1_part1_mod
MAC:   8C-E7-48-76-BF-4D
TFTP from server 192.168.1.99; our IP address is 192.168.1.214
Download Filename 'mtd1_part1_mod'.
Download to address: 0x80400000
Downloading: #################################################
done
Bytes transferred = 131072 (20000 hex)
HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS # sf erase 0x10000 0x20000
Erasing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf write 0x80400000 0x10000 0x20000
Writing at 0x30000 -- 100% complete.
HKVS #
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS #
HKVS # md 0x8041e000 80
8041e000: 484b5753 00000cd2 000000f4 00010000    SWKH............
8041e010: 00000001 0000002a 00000001 00000000    ....*...........
8041e020: 00000000 00000000 00000000 00080008    ................
8041e030: 00000000 48e78c02 8c4dbf76 bf7648e7    .......Hv.M..Hv.
8041e040: 3130324e 32373034 32373433 30323038    N201407234728020
8041e050: 01003937 00010101 02020002 01010001    79..............
8041e060: 00000000 0000a137 00000000 00000000    ....7...........
8041e070: 00000000 00000000 00000000 00000000    ................
8041e080: 00000000 00000000 00000000 00000000    ................
8041e090: 00000000 00000000 00000000 00000000    ................
8041e0a0: 00000000 00000000 00000000 00000000    ................
8041e0b0: 00000000 00000000 00000000 00000000    ................
8041e0c0: 00000000 00000000 00000000 000000b1    ................
8041e0d0: 0000014f 00000000 00000000 00000000    O...............
8041e0e0: 00000000 00000000 00000000 00000000    ................
8041e0f0: 00006662 00000000 00000000 00000000    bf..............
8041e100: ffffffff ffffffff ffffffff ffffffff    ................
8041e110: ffffffff ffffffff ffffffff ffffffff    ................
8041e120: ffffffff ffffffff ffffffff ffffffff    ................
8041e130: ffffffff ffffffff ffffffff ffffffff    ................
8041e140: ffffffff ffffffff ffffffff ffffffff    ................
8041e150: ffffffff ffffffff ffffffff ffffffff    ................
8041e160: ffffffff ffffffff ffffffff ffffffff    ................
8041e170: ffffffff ffffffff ffffffff ffffffff    ................
8041e180: ffffffff ffffffff ffffffff ffffffff    ................
8041e190: ffffffff ffffffff ffffffff ffffffff    ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff    ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff    ................
HKVS #
HKVS #
HKVS #
HKVS # reset
resetting ...



U-Boot 2010.06-svn (Jan 23 2014 - 16:38:55)

Hit any key to stop autoboot:  0
### CRAMFS load complete: 3181672 bytes loaded to 0x80400000
timeout for link [5000]!
MAC:   8C-E7-48-76-BF-4D
|NUL ethaddr| TFTP server not found
## Booting kernel from Legacy Image at 80400000 ...
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-06-29 13:49:45 CST)
Starting udev:      [ OK ]
Sat Feb 16 12:08:48 UTC 2019
----------<1> tar guir webs ----------
----------<2> show logo ----------
show logo Sat Feb 16 12:08:57 UTC 2019
mv: can't rename '/home/app/exec/pppd': No such file or directory
mv: can't rename '/home/app/exec/pppoe': No such file or directory
mv: can't rename '/home/app/exec/ss': No such file or directory
mv: can't rename '/home/app/exec/dropbear': No such file or directory
mv: can't rename '/home/app/exec/dropbearkey': No such file or directory
/home/start.sh: line 29: dropbearkey: not found
chmod: /usr/bin/dvrCmd/dvrtools: No such file or directory
----------<3> load hisi sdk ----------
The system mem size is 0x1
/
load 3535 ok
----------<4> del no use res ----------
mv: can't rename '/home/app/res/adAudio.jpg': No such file or directory
/home/start.sh: line 79: ./pppoed: not found
iSCSI daemon with pid=918 started!!!! the device is not toe !!!


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

BusyBox v1.2.1 Protect Shell (psh)
Enter 'help' for a list of davinci system commands.
.
.

[snip lots of serial console chat]
.
.

 $$$$$$$$$$$$$ iAoChans[4] $$$$$$$$$$$$$

#
#
# getHardInfo
Start at 2019-02-16 12:09:04
Serial NO :0820140723AARR472802079WCVU
V3.4.80 build 160718
softBase:/Platform/trunk:0
KernelVersion: V1.0.0 build 160629
dspSoftVersion: V5.0 build 160716
codecVersion: V5.0 build 160716
hardwareVersion = 0x0
encodeChans = 0
decodeChans = 8
alarmInNums = 0
alarmOutNums = 0
flashsize = 0x0
ramSize = 0x20000000
networksNums = 1
language = 1
devType:DS-7608N-E2/8P
bootPartition = 1
randomCode =
#
#
# help
Support Commands:
GetAnrCfgInfo                   GetAnrProcess                   GetAnrRecordList
ShowIpcAbility                  accessDvrSwitch                 channelPlayback
clearDisksMode                  ctrlArchDebug                   decStat
disableHB                       disableHik264                   dspStatus
dvrLogInfo                      dt                              enableHB
enableHik264                    enableWatchdog                  errputClose
errputOpen                      get3GMode                       getCMS
getCycleReboot                  getDbgCtrl                      getHardInfo
getIp                           getLastErrorInfo                getPlayTestCtrl
getPort                         getServerInfo                   guiChkCfg
guiEnterMenuCount               guiPrtScr                       guiStatus
helpm                           helpu                           i2cRead
megaDspConfig                   miscCmd                         netstat
outputClose                     outputOpen                      partRecDetails
ping                            printPart                       pthreadInfo
recorderChanInfo                recorderFileInfo                recorderFileKeyFrame
recorderHDIdle                  recorderMediaInfo               recorderPAllocFile
recorderParam                   recorderSegExtraInfo            recorderStatus
sendATCom                       set3GPrint                      set3GEnable
searchInfo                      setGateway                      setIp
setlang                         setMtu                          setoutputmode
setPrint                        show8107coreUseInfo             showCurPlayChanFileInfo
showDeviceTemp                  showIpcMemInfo                  showNetIpcmInfo
showNetLinksInfo                showPlayChanStatus              showPlayClipFile
showPlayScreenInfo              showPlayStatus                  showPlayTime
showPreviewInfo                 showShareSvcInfo                showSpareWorkStatus
showTagSysInfo                  showUserInfo                    showpu
t1                              t2                              transcodeResStatus
getDateInfo                     dmesg                           help

#
 

Akmal

n3wb
Joined
Aug 7, 2019
Messages
5
Reaction score
0
Location
Uzbekistan
"Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed" Please show me where I must fix the numbers in the MTD hack.
 

Akmal

I have never used the MTD hack tool, so I don't understand how to do it. Please help.
 

alastairstevenson

"Do the equivalent of the 'classic MTD hack' to change the language byte from 02 (CN) to 01 (EN) and fix up the checksum as needed" Please show me where I must fix the numbers in the MTD hack.
Below is a screenshot of the 'mtd_part1' and 'mtd_part1_mod' extracts as shown using the Hex Editor HxD.
These are referenced in the first post of this thread.

Circled in red are the language byte (originally at 02=Chinese, changed to 01=EN) and the checksum bytes which are reduced by 1 when the language byte is changed from 02 to 01.

upload_2019-8-7_22-17-56.png
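
The edit described above, as an added Python example that is not part of the original posts: it validates the plaintext block at file offset 0x1e000, changes the language byte and recomputes the checksum. The layout is inferred from the dumps in this thread and is an assumption (magic `SWKH`, 32-bit little-endian checksum at +4, payload length at +8, checksum = byte sum of the payload starting at +0x0c, which reproduces the 0xcd3 shown in the first post); all function and constant names are hypothetical.

```python
import struct

BLOCK_OFFSET = 0x1E000  # 'md 0x8041e000' minus the 0x80400000 load address
MAGIC = b"SWKH"         # md prints these bytes as the little-endian word 484b5753
HEADER_LEN = 0x0C       # magic, checksum, payload length: 4 bytes each (inferred)
LANG_OFFSET = 0x10      # language byte: 02 = CN, 01 = EN

# Non-zero words of the plaintext block, copied from the dump in the first post.
PLAIN_WORDS = {
    0x00: 0x484B5753, 0x04: 0x00000CD3, 0x08: 0x000000F4, 0x0C: 0x00010000,
    0x10: 0x00000002, 0x14: 0x0000002A, 0x18: 0x00000001, 0x2C: 0x00080008,
    0x34: 0x48E78C02, 0x38: 0x8C4DBF76, 0x3C: 0xBF7648E7,
    0x40: 0x3130324E, 0x44: 0x32373034, 0x48: 0x32373433, 0x4C: 0x30323038,
    0x50: 0x01003937, 0x54: 0x00010101, 0x58: 0x02020002, 0x5C: 0x01010001,
    0x64: 0x0000A137, 0xCC: 0x000000B1, 0xD0: 0x0000014F, 0xF0: 0x00006662,
}
# First row of the encoded block posted later in the thread.
ENCODED_WORDS = {0x00: 0xCD1B4AEB, 0x04: 0x282F7F79,
                 0x08: 0x31FEBC9E, 0x0C: 0x647AC0F9}


def build_extract(words):
    """Constructed 0x20000-byte stand-in for mtd1_part1 (the 0xff filler is made up)."""
    image = bytearray(b"\xff" * 0x20000)
    block = bytearray(0x100)
    for offset, word in words.items():
        struct.pack_into("<I", block, offset, word)
    image[BLOCK_OFFSET:BLOCK_OFFSET + len(block)] = block
    return bytes(image)


def read_block(image, base=BLOCK_OFFSET):
    """Return (stored_sum, computed_sum, language) for a plaintext block."""
    if image[base:base + 4] != MAGIC:
        # An encoded block has no readable magic; the basic method does not apply.
        raise ValueError("no SWKH magic: block is encoded or the offset is wrong")
    stored, length = struct.unpack_from("<II", image, base + 4)
    end = base + HEADER_LEN + length
    if end > len(image):
        raise ValueError("length field runs past the end of the image")
    computed = sum(image[base + HEADER_LEN:end]) & 0xFFFFFFFF
    return stored, computed, image[base + LANG_OFFSET]


def set_language(image, lang, base=BLOCK_OFFSET):
    """Return a copy of image with the language byte set and the checksum fixed up."""
    if not 0 <= lang <= 0xFF:
        raise ValueError("language must fit in one byte")
    stored, computed, _ = read_block(image, base)
    if stored != computed:
        # Refuse to edit a block that does not validate before the change.
        raise ValueError(f"checksum mismatch before edit: {stored:#x} != {computed:#x}")
    out = bytearray(image)
    out[base + LANG_OFFSET] = lang
    length = struct.unpack_from("<I", out, base + 8)[0]
    payload = out[base + HEADER_LEN:base + HEADER_LEN + length]
    struct.pack_into("<I", out, base + 4, sum(payload) & 0xFFFFFFFF)
    return bytes(out)


if __name__ == "__main__":
    original = build_extract(PLAIN_WORDS)
    print("before:", [hex(v) for v in read_block(original)])
    modded = set_language(original, 0x01)
    print("after: ", [hex(v) for v in read_block(modded)])
    try:
        read_block(build_extract(ENCODED_WORDS))
    except ValueError as exc:
        print("encoded sample rejected:", exc)
```

With a real extract, the input would be the bytes of `mtd1_part1` and the returned bytes would be saved as `mtd1_part1_mod`; a `ValueError` on the magic check means the block is encoded and this basic method does not apply.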
 

Akmal

U-Boot 2010.06-svn (Jun 09 2015 - 18:34:20)

Protected at offset:0,size:20000 Protection status:[0xf88]=>[0xf8b].
Hit ctrl+u to stop autoboot: 0

This program will upgrade software.
*******************************************************
* ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY! *
* Don't reset machine,or anything that interrupt it. *
* The upgrade process must finish in 10 minutes! *
* If this program fails,machine might be unusable, *
* and you will need to reflash again. *
* If you find this too risky,power off machine now. *
*******************************************************

Now press [u/U] key to upgrade software: b
HKVS # printenv
bootcmd=tftp 0x80400000 $(bootfile);bootm 0x80400000;
default=cramfsload 0x80400000 uImage;
sec=tftp 0x80400000 uImage_sec;bootm 0x80400000;
verify=n
bootdelay=1
baudrate=115200
mdio_intf=rgmii
ipaddr=192.0.0.64
serverip=192.0.0.128
gatewayip=192.0.0.1
netmask=255.255.255.0
bootfile=uImage
phyaddr1=7
bootargs=mem=524M console=ttyS0,115200n8
ethaddr=c4:2f:90:ae:33:87
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 2010.06-svn (Jun 09 2015 - 18:34:20)

Environment size: 458/4092 bytes
HKVS # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bubt - Burn an boot image on the Boot Flash.
burnrouter- Burn an boot image to the router flash from host board.
cpld - write cpld info to encrypt media
cramfsload- cramfsload - load binary file from a filesystem image
cramfsls- cramfsls - list files in a directory (default /)
crc32 - checksum calculation
ddr - ddr training function
erase_env- erase envirement info on flash
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mw - memory write (fill)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
tftp - tftp - download or upload image via network using TFTP protocol
update - Update the digicap of the device.
version - print monitor version
HKVS # setenv ipaddr 192.168.1.214
HKVS # setenv serverip 192.168.1.99
HKVS # sf probe 0
16384 KiB hi_sfc at 0:0 is now current device[4K erase supported]
HKVS # sf read 0x80400000 0x10000 0x20000

HKVS # md 0x8041e000 80
8041e000: cd1b4aeb 282f7f79 31febc9e 647ac0f9 .J..y./(...1..zd
8041e010: 3bfc1d56 86ade71b 6dd1c7f7 57938df4 V..;.......m...W
8041e020: bbd7a7e1 ea1ed980 fd96b537 4c314155 ........7...UA1L
8041e030: 2bd539eb 0cdbfaa5 ba7df6b8 53b8d018 .9.+......}....S
8041e040: 71b6929c 544b0d2a 9c282665 47dba1b1 ...q*.KTe&(....G
8041e050: d94ac243 1c1f7b1a 356f6c44 0f19c81f C.J..{..Dlo5....
8041e060: ccd224e4 dec4af4c bbd7a7e1 ea1ed980 .$..L...........
8041e070: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e080: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e090: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e0a0: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e0b0: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e0c0: bbd7a7e1 ea1ed980 a9af8162 62a928ab ........b....(.b
8041e0d0: 3b076714 6907648e bbd7a7e1 ea1ed980 .g.;.d.i........
8041e0e0: bbd7a7e1 ea1ed980 bbd7a7e1 ea1ed980 ................
8041e0f0: 2b76aa74 ef7e595d bbd7a7e1 ea1ed980 t.v+]Y~.........
8041e100: ffff8d80 ffffffff ffffffff ffffffff ................
8041e110: ffffffff ffffffff ffffffff ffffffff ................
8041e120: ffffffff ffffffff ffffffff ffffffff ................
8041e130: ffffffff ffffffff ffffffff ffffffff ................
8041e140: ffffffff ffffffff ffffffff ffffffff ................
8041e150: ffffffff ffffffff ffffffff ffffffff ................
8041e160: ffffffff ffffffff ffffffff ffffffff ................
8041e170: ffffffff ffffffff ffffffff ffffffff ................
8041e180: ffffffff ffffffff ffffffff ffffffff ................
8041e190: ffffffff ffffffff ffffffff ffffffff ................
8041e1a0: ffffffff ffffffff ffffffff ffffffff ................
8041e1b0: ffffffff ffffffff ffffffff ffffffff ................
8041e1c0: ffffffff ffffffff ffffffff ffffffff ................
8041e1d0: ffffffff ffffffff ffffffff ffffffff ................
8041e1e0: ffffffff ffffffff ffffffff ffffffff ................
8041e1f0: ffffffff ffffffff ffffffff ffffffff ................
HKVS #
 

Akmal

Alastair, thank you for your reply, and I am sorry for my stupid questions and my English, because I am from Uzbekistan. In my country there is no Hikvision service center, so I have to flash the NVR on my own. Please help me with what I must do at this moment in my situation now.
 

alastairstevenson

I am sorry for my stupid questions and my English, because I am from Uzbekistan.
Your English is fine - and don't worry about the questions, they are OK.
Check your 'Conversations' for a possible solution to the NVR problem.
 

qman56

n3wb
Joined
Feb 4, 2020
Messages
2
Reaction score
0
Location
UUS
Hey, would this method work for Chinese version and language NVR DS-7800NB-K1? I just want to change the language to English from Chinese. Can't update firmware (blocked): Current is 3.4.106 build 190712 Chinese Language
 

alastairstevenson

Maybe it would, maybe it wouldn't.
The problem would be if the flash area is encrypted as opposed to being in plain form.
Easy enough to try out with access to the serial console.
 
Joined
Mar 21, 2020
Messages
3
Reaction score
0
Location
lebanon
Hi, I was able to extract mtd1_part1 (renamed to .txt to be able to attach). I was not able to update this file from 02 to 01. Can anyone help me to update the attached file? Thank you.
 

alastairstevenson

I was not able to update this file from 02 to 01.
That's because the bootpara data in the file is encoded, not plaintext.

What model is the NVR?
What is its status, is it currently bricked with the 15-beep bootloop, or do you just want to update the firmware?
 
Joined
Mar 21, 2020
Messages
3
Reaction score
0
Location
lebanon
That's because the bootpara data in the file is encoded, not plaintext.

What model is the NVR?
What is its status, is it currently bricked with the 15-beep bootloop, or do you just want to update the firmware?
NVR DS-6708Ni-e2 and it is bricked with 15-beep bootloop after it was updated with firmware ds-76xxni-e1e2p_usa_firmware_3.4.96_181107.
Thank you
 

nbellego

n3wb
Joined
Sep 29, 2019
Messages
3
Reaction score
0
Location
paris
Hello
I'm a newbie on how to brick an HIK NVR. And sorry to brush up an old post.
I have some OEMed HIK NVR that I want to bring it back to hik one (in term of firmware).

My first (stupid) questions are :
  • where do you buy a serial TTL to USB convertor and which model is the best
  • where do you plug it on the NVR ?
Thanks
 

alastairstevenson

I have some OEMed HIK NVR that I want to bring it back to hik one (in term of firmware).
This thread is for NVRs that have been bricked with the 15-beep bootloop.
The method is not relevant for normal firmware updates.

where do you buy a serial TTL to USB convertor and which model is the best
Look for PL2303TA USB to serial TTL convertor on your local eBay.
You will also need a wired connector - look for 4-pin 1.5mm ZH JST wired connector on eBay, usually sold in 10-packs.

where do you plug it on the NVR ?
It varies with the NVR - but look for the 4-pin white connector, like this :
 