R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

[alastairstevenson]

I've unbricked and anglophied my DS-2CD2032F-I. All good now.

Great! Another good result, well done.

 

[chrchi]

The original 'brick-fix tool' and 'enhanced mtd hack' has proven pretty useful for those with R0 cameras that had been bricked by doing a firmware update.
It's been even more useful to deal with the fallout from the 'Hikvision backdoor' disclosure where so many people are finding their cameras are being messed with from the internet, mischievously or maliciously, and need to update to safer firmware.
However - the rather techy original method to make the changes, and probably my not-very-clear instructions have been a challenge for some people.
* And I only just noticed this - my original .txt attachments were in Linux format, not Windows format, making them hard to read without proper line breaks. And no-one let me know! Dohh! *

So here is 'Brick-fix tool V2' aimed at making the process less complex, a bit automated and easier to use, with the following changes:

• After Brick-fix toolV2 has been installed using the Hikvision tftp updater, following the power cycle to activate and drop the payload, the camera will boot directly into 'min-system' mode with telnet and tftp access and a 'fixup' script ready and primed for use.
• No web GUI access or Windows shares are needed to move files in and out of the camera.
• The fixup script handles all the basics of extracting the original mtdblock6, importing and applying the user-modified mtdblock6 that has had the 'enhanced mtd hack', and initiating a firmware update.
• The Brick-fix toolV2 automatically writes a valid template into mtdblock1 that stops cameras that originally had firmware 5.2.0 or 5.2.8 from otherwise going into a bricked state when newer firmware is applied.
• Attached to this post are the resources required to convert your R0 / DS-2CD2x32 cameras into full English upgradeable devices.
• The brick-fix tool V2 in both EN and CN header language versions (brick_fixv2.zip).
• A required resource list and step-by-step guide to the fixup script.
• A description of how to do the 'enhanced mtd hack' with screenshot with a list of devType codes for those cameras that have the masqueraded values.
• A sample transcript of the fixup script going through all 3 stages - extract mtdblocks, import modded mtdblock6, apply firmware update.

edit 15Dec17 By popular request, a video worked example using a DS-2CD3332-I camera donated by a generous forum member.

edit 28Jan18 devType codes updated - thanks @hikcamuser

Resource List

• The Hikvision tftp updater tool and usage instructions, courtesy of @whoslooking - tftpserv
• A standard tftp server - tftpd32.452.zip at bottom of this thread.
• A telnet client. PuTTY is pretty good and widely used - Download: 64-Bit | 32-Bit
• The HxD hex editor - Downloads | mh-nexus
• Firmware files for R0 IP cameras - R0 series DS-2CD2x32x-Ixx IP camera firmware
• Hikvision's really useful SADP tool. This will find your Hikvision device on the LAN whatever it's IP address, allow 'activation', and change of IP address. - SADP Tool

Step By Step Guide:
Here are the steps to take when using the brick-fixV2 tool to recover a bricked camera, and running the fixup script to change the camera to English / upgradeable. The camera doesn't have to be bricked to run the brick-fix tool if all that's required is a helping hand doing the 'enhanced mtd hack'.

1. Create a folder on the local drive of your Windows PC to hold the Hikvision tftp updater, the chosen tftp server program (e.g. jouinin.net version), the unzipped 'brick-fixV2' files, and the Hikvision firmware to use for updating. The HxD hex editor should be installed on the PC.
2. With the PC and the camera each on a wired connection (not WiFi) set the PC IP address to 192.0.0.128, subnet mask to 255.255.255.0 The default gateway does not matter.
3. Make a copy of brickfixV2EN and name it as digicap.dav If the EN version does not work, e.g. "System update completed" is not displayed in step 5 or you don't get the login prompt when trying to telnet in step 8, try the CN version.
4. Start the Hikvision tftp updater tftpserve.exe and if a Windows firewall popup appears, click OK to accept what the program needs.
5. Power on the camera and observe the status messages in the tftp updater. Hopefully you will see 'System update completed' after 2 or 3 minutes.
6. Close the Hikvision tftp updater, delete the digicap.dev file from step 3 and make a copy of the Hikvision firmware to use for updating and name it digicap.dav.
7. Power down the camera. At this point the brickfixV2 tool has been installed but not yet activated. Power on the camera to activate the tool, it will then drop the payload, fix up mtdblock1 and reboot into min-system mode for telnet access.
8. Using PuTTY, start a telnet session to 192.0.0.64 and make sure the telnet radio button is selected. At the login prompt username=root password=12345. You should see a # prompt. The message "can't chdir to home directory '/root/'" isn't an error and can be ignored.
9. Start the normal tftp server (not the Hikvision tftp updater). If it's the jouinin.net version, the program is tftpd32.exe
   
   
   At this point, Stage 1 of 3 is ready to be executed.
   At the telnet command prompt, type:
   /dav/fixup.sh
   and watch the on-screen messages.​
   
   
   ​
   ​
   • On success with Stage 1, check the PC folder that the tftp server is running in for the presence of the file 'mtd6ro_orig'. You may have to hit F5 to refresh. Make a copy of mtd6ro_orig rename to mtd6ro_mod. Do the 'enhanced mtd hack' on it, using the instructions in the spoiler below.
10. Spoiler: Enhanced MTD Hack Instructions

    These are the steps that are used to do the 'enhanced mtd hack' to mtdblock6 in an R0 IP camera.
    

    • Extract a copy of mtdblock6 from the camera. The 'Brick-fixV2 tool / fixup script' will conveniently do this for you, or it could be done manually by other methods.
    • Make a copy of the mtdblock6 file and name it mtd6ro_mod
    • Open it with the HxD hex editor.
    • Referring to this image
      View attachment 24161
    • Check / change as needed the language byte at location 0x10 to ensure it is 01
    • Check the devType value in locations 0x64 and 0x65

    [*]

    ​

    If the value shown is FF98 - then the FF value needs to be replaced with the true numeric value. Ideally the true value is determined from the 'devType' line from the prtHardInfo shell command, but as that is going to be unavailable on a bricked camera use this (partial) cross-reference list, paying careful attention to the exact model number.
    
    There is some slight uncertainty here - it would be good if any forum members could confirm / supplement the content.
    
    devType - Model
    2698 - DS-2CD2032F-I
    2698 - DS-2CD2032F-IW
    0598 - DS-2CD2032-I
    0698 - DS-2CD2132-I
    1E98 - DS-2CD2132F-IS
    1E98 - DS-2CD2132F-IWS
    0798 - DS-2CD2232-I5
    0898 - DS-2CD2332-I
    1298 - DS-2CD2432F-IW
    1498 - DS-2CD2532F-IS
    1098 - DS-2CD2632F-IS
    0E98 - DS-2CD2732F-IS
    0698 - DS-2CD3132-I
    1C23 - DS-2DE2103-DE3/W
    2198 - DS-2CD2T32-I8​

    
    
    

    ​
    ​
    
    
    ​
    Spoiler: Enhanced MTD Hack Instructions

    ​

    • Replace the FF in location 0x64 with the first 2 digits of the numeric devType value.
    • If location 0x64 already has a 2-digit numeric value, no change is needed.
    • Starting at location 0x09, drag to select and highlight a length of F4 bytes, as shown he the HxD bottom status bar.

    [*]

    Using the Analysis / Checksum menu, double-click Checksum-16 to calculate the new checksum. This will show as a 2 byte value in the Checksums tab at the bottom of the screen. These need to be applied using the correct 'endian-ness', which is the reverse of how the values are presented on the screen.
    
    The left hand byte (0x0C in the screenshot) is the most significant byte and should be used in location 0x05
    
    The right hand byte (0x5F in the screenshot) is the least significant byte and should be used in location 0x04
    
    Use your own just-calculated values - not those from the screenshot.
    
    Click File | Save and the mtd6ro_mod file has had the 'enhanced mtd hack' and is ready to be applied to the camera.
    
    This is done during Stage 2 of the fixup script in the brick-fixV2 tool.​

    
    

    
    Good luck!​

    
    

    ​
    ​
    ​
    ​
    
    
    
    At this point, Stage 2 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.
    
    This will bring in the modified mtd6ro_mod and apply it to the camera to convert it to English / upgradeable.
    
    At this point, Stage 3 of 3 is ready to be executed.
    At the telnet command prompt, type:
    /dav/fixup.sh
    and watch the on-screen messages.
    
    This will attempt a firmware update using the Hikvision firmware file digicap.dav that you placed in the same folder as the tftp server.​
11. Assuming a successful result, shut down the tftp server and power cycle the camera. Interestingly, on testing I did find that a straight jump to the 5.4.5 firmware version worked OK. YMMV. But worth trying.
12. Start SADP and check for the camera presence running the firmware version used for the update.
13. If you used the 5.4.5 firmware, the camera will require 'activation' with your choice of strong password.
    If already active, if earlier firmware was used for the upgrade, log in with the admin password=12345
    Change the IP address to what you want the camera to use.

How To Upgrade

1. Rename the firmware to digicap.dav
2. Put the firmware under the same folder of this TFTP
3. Set the IP of computer as 192.0.0.128
4. Camera's IP can be anyone.
5. Run the tftpserv.exe
6. Power off and power on the DVR/DVS/IPC. The device will search the new firmware and upgrade it automatically.
7. Please wait until TFTP shows "Device [192.0.0.64] system update completed!" It takes about 5 minutes.
8. Close the TFTP before the camera reboots.
9. DVR/DVS/IPC will restart automatically after upgrading.

you saved my day Thanks for the detailed guide.

 

[alastairstevenson]

Excellent! Well done for getting there.

 

[fritz614]

The camera I have is dated from 2015. When I put my cameras on a new router, this one was not working well. It would be sporadic on showing a picture and showing up in SADP. I played around with ports and finally was able to get it working on port 80 consistently. I did not want it on that port, so I changed it to 1080 and that appears to be the trigger for bricking it, or at least me not being able to access it anymore, SADP or web interface.

I have a DS-2CD3132-I running firmware V5.2.5build 141201 with the partial serial number having the CCCH (09CCCH522). I tried running the brick2fix on page 1 of this thread. I was able to connect to camera by laptop-switch-camera with 12v wall wart. I would only get this far:
[2023-01-21 08:11:14] TFTP server[192.0.0.128] initialized
[2023-01-21 08:11:24] Device[192.0.0.64] test tftpserver
[2023-01-21 08:11:32] Connect client[192.0.0.64] success
[2023-01-21 08:11:32] Start file[C:\Flash\digicap.dav] transmitting
[2023-01-21 08:11:49] Completed file[C:\Flash\digicap.dav] transmit

I gave up and noticed in my SADP that the camera was now running, but with a new IP of 192.168.1.64. It was now showing a firmware of: V4.0.8build 150401 I was unable to log into it via web page and unable to make changes via SADP.

Searching some other threads, I found a few different firmwares to "throw" at it. One of them (English version) was actually able to connect and complete the setup with the tftpserver and bring the camera back to its original state and I am now able to login and view camera, but with the same "bad" firmware and serial with the CCCH.

What firmware to I need to get this camera to be up to date and not hackable?

 

[Oleglevsha]

The camera I have is dated from 2015. When I put my cameras on a new router, this one was not working well. It would be sporadic on showing a picture and showing up in SADP. I played around with ports and finally was able to get it working on port 80 consistently. I did not want it on that port, so I changed it to 1080 and that appears to be the trigger for bricking it, or at least me not being able to access it anymore, SADP or web interface.

I have a DS-2CD3132-I running firmware V5.2.5build 141201 with the partial serial number having the CCCH (09CCCH522). I tried running the brick2fix on page 1 of this thread. I was able to connect to camera by laptop-switch-camera with 12v wall wart. I would only get this far:
[2023-01-21 08:11:14] TFTP server[192.0.0.128] initialized
[2023-01-21 08:11:24] Device[192.0.0.64] test tftpserver
[2023-01-21 08:11:32] Connect client[192.0.0.64] success
[2023-01-21 08:11:32] Start file[C:\Flash\digicap.dav] transmitting
[2023-01-21 08:11:49] Completed file[C:\Flash\digicap.dav] transmit

I gave up and noticed in my SADP that the camera was now running, but with a new IP of 192.168.1.64. It was now showing a firmware of: V4.0.8build 150401 I was unable to log into it via web page and unable to make changes via SADP.

Searching some other threads, I found a few different firmwares to "throw" at it. One of them (English version) was actually able to connect and complete the setup with the tftpserver and bring the camera back to its original state and I am now able to login and view camera, but with the same "bad" firmware and serial with the CCCH.

What firmware to I need to get this camera to be up to date and not hackable?

IP камера Hikvision R0 DS-2CD2x32 изменяем китайца в европу!

IP камера Hikvision R0 DS-2CD2x32 изменяем китайца в европу! - все подробности в блоге компании ALARMSYSTEM, системы безопасности и видеонаблюдение в Волгограде и области.

alarmsystem-cctv.ru

https://alarmsystem-cctv.ru/wp-content/uploads/download/%D0%9F%D1%80%D0%BE%D1%88%D0%B8%D0%B2%D0%BA%D0%B8/Hikvision/IP%20Cam/R0/service/digicap.dav

use the firmware file that you download from this link, if you flash the camera using tftp
If the Chinese version of the firmware is currently installed in the camera, you can use the web interface to update the camera with this file, without changing
if you currently have a hacked firmware version in your camera and the interface is in English or there is a choice of multilingual support, change the language flag in the firmware to 1 using the utility hiktools.exe , and also download the file via the update menu in the camera's web interface.
After that, your camera will turn into a full-fledged European version, which can be flashed with firmware from the European support site.
One condition is to start the firmware with the desired version 5.3.x and consistently bring it to the latest version...

 

[fritz614]

If the Chinese version of the firmware is currently installed in the camera, you can use the web interface to update the camera with this file, without changing


How can I tell if the current firmware is Chinese or or a hacked one? I am able to see English on the web and there were options given for other languages as well. I did use the hiktool to look at the firmware I used this morning (not yours) and it had 2 for the language.

 

[alastairstevenson]

was able to get it working on port 80 consistently. I did not want it on that port, so I changed it to 1080 and that appears to be the trigger for bricking it, or at least me not being able to access it anymore,

It's been the case that changing the HTTP port away from 80 on early versions of R0 firmware caused unreliable operation.
There is no real reason to change the HTTP port, the advice is to leave it at 80.

I have a DS-2CD3132-I running firmware V5.2.5build 141201 with the partial serial number having the CCCH (09CCCH522)

The serial number suggests a CN region camera.

It was now showing a firmware of: V4.0.8build 150401 I was unable to log into it via web page and unable to make changes via SADP.

That apparent firmware version suggests the camera is operating in 'min-system Recovery Mode' which is entered due to a firmware fault that stops a normal bootup.

What firmware to I need to get this camera to be up to date and not hackable?

Just use the BrickfixV2 method to convert to EN and allow updates to the latest stock EN/ML firmware.
As so many other have done successfully.
There are 2 versions of firmware provided - EN or CN language headers, depending on the language status of the camera.

 

[fritz614]

It's been the case that changing the HTTP port away from 80 on early versions of R0 firmware caused unreliable operation.
There is no real reason to change the HTTP port, the advice is to leave it at 80.


The serial number suggests a CN region camera.


That apparent firmware version suggests the camera is operating in 'min-system Recovery Mode' which is entered due to a firmware fault that stops a normal bootup.


Just use the BrickfixV2 method to convert to EN and allow updates to the latest stock EN/ML firmware.
As so many other have done successfully.
There are 2 versions of firmware provided - EN or CN language headers, depending on the language status of the camera.

OK, I will try this method again, proly tomorrow. The 1st time I tried this, it would not allow the update to complete. Maybe I will have different results now that the camera is accessible. I will let you know.

 

[fritz614]

It's been the case that changing the HTTP port away from 80 on early versions of R0 firmware caused unreliable operation.
There is no real reason to change the HTTP port, the advice is to leave it at 80.


The serial number suggests a CN region camera.


That apparent firmware version suggests the camera is operating in 'min-system Recovery Mode' which is entered due to a firmware fault that stops a normal bootup.


Just use the BrickfixV2 method to convert to EN and allow updates to the latest stock EN/ML firmware.
As so many other have done successfully.
There are 2 versions of firmware provided - EN or CN language headers, depending on the language status of the camera.

OK, got the mtd6_orig out of the camera, I am not sure where to find my devtype to modify the file. On the video, I see one for my cam being 0698. I saw on another thread, the person used 1E98. I am just lost when it comes to this part.

UPDATE
I used the 0698 for the code for my camera and it worked. I was able to apply and upload and camera is now working.


Right now, it is running Firmware 5.3.0 build 150814
Can I now upgrade to most recent firmware via the webpage? If so, do I need to go in steps or go right to the current version of 5.4.5_170401 ????

Thanks again for all the help!

 

[alastairstevenson]

I used the 0698 for the code for my camera and it worked. I was able to apply and upload and camera is now working.

Good! well done.

Can I now upgrade to most recent firmware via the webpage? If so, do I need to go in steps or go right to the current version of 5.4.5_170401 ????

You could have gone straight to 5.4.5 during the last stage of the BrickfixV2 process - however now that the camera is running normally, I suggest you do it in 2 steps, 5.4.0 then 5.4.5

 

[fritz614]

It's been the case that changing the HTTP port away from 80 on early versions of R0 firmware caused unreliable operation.
There is no real reason to change the HTTP port, the advice is to leave it at 80.


The serial number suggests a CN region camera.


That apparent firmware version suggests the camera is operating in 'min-system Recovery Mode' which is entered due to a firmware fault that stops a normal bootup.


Just use the BrickfixV2 method to convert to EN and allow updates to the latest stock EN/ML firmware.
As so many other have done successfully.
There are 2 versions of firmware provided - EN or CN language headers, depending on the language status of the camera.

I am getting an error now that it is unable to transfer the mtd6r0_orig out via tftp. I have it open and running like shown in the video. One thing i did notice was when I opened the tftp.exe, i had to select from the dropdown the 192.0.0.64 address. IN the video, it shows as being the first to show when opening filer. Is there a setting in there that needs ticked?

OK, I will try this method again, proly tomorrow. The 1st time I tried this, it would not allow the update to complete. Maybe I will have different results now that the camera is accessible. I will let you know.

OK, got the mrd6_orig out of the camera, I am not sure where to find my devtype to modify the file.

Good! well done.


You could have gone straight to 5.4.5 during the last stage of the BrickfixV2 process - however now that the camera is running normally, I suggest you do it in 2 steps, 5.4.0 then 5.4.5

Great!! My camera is fixed and updated!! Add 1 more to your list of cameras kept out of the land fill!!

Now, I have 2 more Hik cameras:
DS-2CD3135F-IS running V5.3.3_150803
DS-2CD2335-I running V5.3.6_151221

both of them have in their serial number the "AACH"

Can both of these be updated with the 5.4.5 via web interface?

Thanks again for your help

 

[Terra]

Hallo zusammen
Es funktioniert wieder!
Nachdem ich nach einem Firmware Update zwei meiner DS-2CD2532F-IS geschrottet hatte musste ich mich etwas schlau machen, wie und ob man die IPCam's wieder zum laufen bringt.
Ich habe nach einiger Recherche dieses grossartige Forum gefunden und konnte die IPCam's mit viel Lesen, Anleitung, Video, BrickfixV2, Server, Putty, HexEditer usw. wieder zum laufen bringen.
Zwei Anläufe hat es gebaucht und etwas Geduld. Wer GENAU lesen kann ist im Vorteil. Schritt für Schritt.
Auf der DS-2CD2532F-IS war eine CHINA Firmware drauf V5.2.5 build 141201.



Nun läuft alles wieder! Super Giga-Mega-Dankeschön an alle die Cracks die das ermöglichen, die IPCams's wieder zum leben zu erwecken.
Das wäre hiermit meine Rückmeldung und mein Dankeschön ans Team.

Danke, Lieber Gruss aus der Schweiz

Michael

 

[martinbvbvbv]

I've attempted this, and I might be looking at a brick. First try, I was able to upload the brickfix2EN.dav file, and it said System update completed.

Hi guys, I had almost the same situation! While I was uploading brickfix2EN.dav file, the system said "Competed file transmit" only. Obviously I had to try to upload brickfixV2CN version.
after that the situation was the same:

Then I rebooted the camera, and... nothing. I'm never able to telnet to it. And attempting to reupload a dav file with the Hik TFP server, I get: Device[192..0.0.64] test tftpserver. Then, nothing.

After many tries I had only " Device[192..0.0.64] test tftpserver."
Finally I decided to delete working folder, create a new one and extracted the source files again and I get "System update Completed". I just had to make new working folder. Now my camera works fine!
Thank you alastairstevenson!

 

[nutu]

Hi
One more DS-2CD2132F-IS is alive again.
Thanks a lot and wery good work "alastairstevensson" , ten points.
Nutu

 

[alastairstevenson]

Great! Well done, and thanks for sharing.

 

[Robertomcat]

Hello, good afternoon! I'm Roberto, from Valencia.

This is my first comment on the forum, as I have registered because I see that there is a lot of interesting content about Hikvision cameras. Thanks for that.

Here you have commented many about the problem of firmware updates of Chinese cameras. I currently have a camera purchased on Aliexpress model: DS-2CD2387G2-LSU/SL and I have not had any problem when updating, and this morning I bought another camera identical to the model I posted, but with 4mp DS-2CD2347G2-LSU/SL. I understand that I won't have any problems with the upgrade either.

These newer models sold on Aliexpress may be that they already come with firmware suitable for all regions of the world?

I also have another camera dedicated to weather, model: DS-2CD2087G2-L but this one I already bought on Amazon Spain, because I was still afraid to buy the cameras on Aliexpress, and the truth is that after having tested two cameras of the Reolink brand, I no longer want anything else that does not have the ColorVu technology, and to be absolute owner of all the camera settings. It is spectacular.

Thanks for all the help you provide. This post is by way of quasi-presentation, because I have not found another place to make the presentation.

Here is the view of the weather camera. Best regards!

https://www.youtube.com/@quatretondalivewebcameteo/featured

 

[dsadsaddsa]

Two more DS-2CD2032F-I cameras un-bricked !
Very well written instructions.
Thank you very much for all the hard work!

 

[alastairstevenson]

Well done! Yet another good result.

 

[victorclaessen]

Still going strong in 2023. Another DS-2CD2132F-I rescued from the dump! Thanks

 

[Dazzler24]

After some initial hiccups (user errors) I too have joined this prestigious club of HIKVISION resurrectors here in the land downunder!
Many and all thanks go to Alastair for the great detailed tutorial plus files and tools required - Tapadh leibh. I owe you a wee dram or two.

Camera's 'saved' and updated direct to RO series FW - V5.4.8 :-
DOME DS-2CD2132F-IS
Bullet DS-2CD2032-I