R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.

[Pilaf]

Thank you, just updated 3 Hikvision 2132 mini domes from 5.1.2 to 5.4.5.
Great job and perfect tutorial on Youtube...and after the final reboot there was a huge surprise, no english language but dutch...thumbs up.

Update: had a problem with 5.4.5 RTSP connection both on synology and livecams pro app. After reading some tips from other topics the problem is solved by changing the admin password, the one I created after the update was (how strange) to complicated. Password is now, 1 character, 1 capital letter, some small letters and numbers but less than 15 in total.

 

[alastairstevenson]

Brilliant! That is a great result, well done!

 

[Plasman]

Were the DS-2CD2335-i cameras (Chinese origin firmware 5.3.6) subject to the backdoor exploit. I ask because suddenly 3 of my 10 cameras are not connecting to Blue Iris with a password error. I see the cameras in SADP but can no longer log in. Have I been hacked?

 

[alastairstevenson]

That specific model frequently has hacked firmware of indeterminate version origin. But stock firmware of 5.4.0 and almost all earlier versions had the backdoor vulnerability.
So yes, they could have been hacked, if you have allowed inbound access from the internet. Or if both your router and the cameras have UPnP enabled.
To fix this you could use the @bp2008 updated password reset tool in the sticky, or you could do a forum search for a method of extracting the configuration file, decrypting and decoding it to reveal the changed password.

 

[Plasman]

That specific model frequently has hacked firmware of indeterminate version origin. But stock firmware of 5.4.0 and almost all earlier versions had the backdoor vulnerability.
So yes, they could have been hacked, if you have allowed inbound access from the internet. Or if both your router and the cameras have UPnP enabled.
To fix this you could use the @bp2008 updated password reset tool in the sticky, or you could do a forum search for a method of extracting the configuration file, decrypting and decoding it to reveal the changed password.

Thanks very much. You and @bp2008 saved the day!! I first failed with ver 1.0 but then found bp2008's latest 1.1 reset tool and it worked!! So I must have been hacked. So for these Chinese cameras, is there a way to update to 5.4.1 or later (in English) to avoid this problem again?

 

[fraatti]

It's a long time ago when I read this forum last time. More than year ago I asked is it possible to upgrade my cam to safer firmware. Then it wasn't possible. Is anything changed with this? It is littebit difficult to start reading this thread from beginning. Thank you!

Camera model is DS-2CD-2035-I and current FW if (chinese hacked english?) V5.3.6_151215. Platform is G1

I have found following firmwares from european sites:
V5.4.41_Build170310/
V5.4.4_Build161116/
V5.4.4_Build170112/
V5.4.5_Build170124/
V5.4.6_Build170427 (only for vari focal models 26, 27, 2H)/
V5.5.0_Build170725/
V5.5.2_Build170905/
V5.5.3_Build171018/
V5.5.3_Build171025/
V5.5.4_Build171206/
V5.5.51_Build180314/
V5.5.51_Build180326 (Released) Focus issue/
ftp://ftp.hikvisioneurope.com/Product%20Firmware%202018/Front-ends/IP%20Camera/G1%20platform%20(DS-2CD2XX5,DS-2CD2XX3G0)/2XX5%202XX3(non-Fisheye)%20MultiLanguage/

 

[alastairstevenson]

It is littebit difficult to start reading this thread from beginning.

This thread is specific to R0 series cameras = DS-2CD2x32-I
The method is not suitable for G1 or G0 series cameras.

 

[osamielec]

HOW TO INSTAL TFTPD

 

[alastairstevenson]

tftpserv.exe is the Hikvision tftp updater tool - what's shown in your filesystem is the 64-bit version of the jounin.net tftp server.
You may need the 32-bit version.

Get the Hikvision tftp updater files from the second dropbox link here : Custom Firmware Downgrader 5.3.0 Chinese to 5.2.5 English

 

[osamielec]

maybe it will be useful. THANKS


This metod works to my new cam DS-2CD2142FWD-I ( v5.5.5)? must downgrade to 5.4.5
Help

 

[Mike Oz]

Awesome, unbricked my chinese 2432 today. Just wanted to say thanks a lot alastairstevenson!

 

[alastairstevenson]

You are welcome, I'm glad it worked for you.

 

[ryanpeiris]

Dear @alastairstevenson,

I desperately need your support. I made a stupid move. While I was following your guide on
"R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced" I started with Hikvision TFTP update everything was going well. But when I see the message "Completed file "C:\...\digicap.dav" Transmitted" I accidentally closed the TFTP tool thinking everything is completed, without waiting for "system update completed"

After realizing I have made a terrible mistake I tried to reinstall. But I can't seem to get the firmware reinstalled using Hikvision TFTP tool just stays on [192.0.0.128] initialized.
(Firewall is OFF)

When I ran Wireshark I can see ARP broadcast as "42 Who has 192.0.0.128? Tell 0.0.0.0 but TFTP doesn't seem to respond

Also if I had a continuous ping running I can see replies coming from 192.0.0.64 2-3 times after power on.

Why is my TFTP not responding..?
After about good 5 mins SADP tool shows up my camera in IP 192.168.1.64 | port 8000 | software V4.0.xxx | HTTPport : N/A

I tried running TFTP with changing my computer IP to 192.168.1.128. No luck

Please help !!!

 

[alastairstevenson]

But when I see the message "Completed file "C:\...\digicap.dav" Transmitted" I accidentally closed the TFTP tool thinking everything is completed, without waiting for "system update completed"

I doubt if that would cause any problem - I wouldn't have thought that the update program needs to maintain a channel to the tftp updater in order to process the update.

When I ran Wireshark I can see ARP broadcast as "42 Who has 192.0.0.128? Tell 0.0.0.0 but TFTP doesn't seem to respond

It's not the tftp updater that should respond to the ARP request - it's the Windows OS that should do that, independent of what programs are running.

Why is my TFTP not responding..?

At a low network level - the camera and PC have not connected.

After about good 5 mins SADP tool shows up my camera in IP 192.168.1.64 | port 8000 | software V4.0.xxx | HTTPport : N/A

This is indicative of the camera watchdog timer not being reset by the main davinci program, and triggering a reboot into min-system mode.
But with an IP address of 192.168.1.64 as opposed to the usual 192.0.0.64

Are the camera and the PC connected as normal to a switch / router, ie not connected directly (which can be troublesome with the tftp updater)?
Are you powering the camera with a 12v DC supply - which can work better with the tftp updater than the usual POE connection ?

Suggestion:
Power on the camera, and with the PC IP address set to 192.168.1.128 wait the 5 mins or so until the min-system state appears in SADP and see if a telnet connection to 192.1.168.64 connects.
I'm wondering if the min-system kernel in the camera is set to use 192.168.1.64 instead of the usual 192.0.0.64
I don't recall if that is set by the bootloader environment variables, which could easily be modified.

 

[R H]

Thanks for this, I've unbricked my camera successfully.

I used a Mac - for the initial upload I used the python tftp server here which handles the port 9978 handshake - scottlamb/hikvision-tftpd

This can't receive files, but I found my Mac had a built-in tftp server. It was a bit quirky, as it can't receive files if they don't exist so I had to create 0 byte files to be able to receive them then chmod it 777 so the server could write to it. I found a free GUI to start/stop the server in the Mac's App Store. The hex editor I used didn't support Checksum-16, but I found an old Windows netbook and used HxD in the end for that.

 

[ryanpeiris]

[QUOTE="
Suggestion:
Power on the camera, and with the PC IP address set to 192.168.1.128 wait the 5 mins or so until the min-system state appears in SADP and see if a telnet connection to 192.1.168.64 connects.
I'm wondering if the min-system kernel in the camera is set to use 192.168.1.64 instead of the usual 192.0.0.64
I don't recall if that is set by the bootloader environment variables, which could easily be modified."[/QUOTE]

Dear @alastairstevenson
Sorry, I tried what you've suggested (when camera stars detecting on SASP set computer IP to 192.168.1.128) still no luck.
Also Telnet does not connect to 192.168.1.64.

Yes I have connected camera directly to computer with 12v adaptor. With the same setup I was able to do the TFTP transfer initially, before I closed it. that time it communicated through IP 192.0.0.64

Any other other brilliant ideas I can try out..


I am so thankful to you for the support you are doing for the community.

 

[alastairstevenson]

You did well! *Edit* R H
Thanks for sharing - that will help others.

 

[redstorm666]

Hi,
Many thanks to the author of this brillant procedure.. I've successfuly unbricked my chineese camera (2CD2032F-I) and I'm now running the latest 5.4.5 firmware.
I've bricked it trying to flash the firmware (to fix backdoor issue, as my logs shows illegal access to my cams from Ukrainian hosts..).
Now that my first cam is back to life, I'll update the 2 others

Thanks for putting it all in a nice package/script.. the time you spent is much appreciated, as my afternoon could have ended with a bricked cam without you help.
cheers.

 

[alastairstevenson]

I've successfuly unbricked my chineese camera (2CD2032F-I) and I'm now running the latest 5.4.5 firmware.

Another good result! Well done, and thanks for posting.

But you might want to re-consider the external access - even with the updated firmware, there are considerable risks in allowing access to the whole internet.

 

[ryanpeiris]

Hi alastairstevenson

Do you think I should try recovery through serial port. Will that help..?