alastairstevenson
Staff member
				
			Have you connected any of the devices up and powered them on?
It seems they are hard-coded as Chinese.
 It seems they are hard-coded as Chinese.
Just bought the harddisk drivers and installed them into NVR. Not connect and turn those DS-2CD3T86 cameras on yet.Have you connected any of the devices up and powered them on?
It seems they are hard-coded as Chinese.
I have a working decrypted/unsigned 5.6.3 digicap.dav that can be loaded straight into montecrypto's minisys update using serial.
You can also update using montecrypto's update app from root on a live cam using telnet/shell etc
So unsigned digicap.dav can be installed provided you have root without use of serial interface.
I am currently looking at the decryption routines that davinci uses.(was only posting in-case anyone else wanted to browse the code)

Это ростелеком?Anyone can share fulldump or just bootloader from G1 series (preferably 2CD2345F-IS)? My camera have custom bootloader, so it will not accept davicap.dav, it waiting for uimage to boot via tftp.
Attached my current bootloader if anyone interested.
This is the SO-IC8 chip right? Worth attaching it to a a plug and then into a smart chip reader? (I haven't bothered).The Hikvision camera has a security chip inside that stores the encrypted serial, model, mac etc. Same type of chip as a credit card.
The Hikvision firmware will read the camera data from that chip. It's bypassable but not easily.
I just wondered if it was worth buying and soldering another on it. Looked on digikey and they were pretty cheap.Yeah it's covered in another post somewhere. It's a watchdata EMV chip the kernel talks to when asked for the cameras parameters.
You could read the data off it, by simulating how the kernel talks to it (pin codes etc). But you don't really gain from that unless you can change it which the kernel doesn't know how to do.
And just be careful - 4 years ago I was playing with it and managed to brick the chip. So now on that camera I have to bypass it in software.
Have you checked out the contents of mtd3 - maybe around location 0x69c ?On my new G3 camera they don't even use an EMV chip which I found interesting.
A full installable firmware or tweaked files copied in via an mImage_g1?i made now a patched g1 firmware for latest version
its only first time installable with format / update procedure. after this you install everything you want. but of course new images should be patched too, otherwise you lock yourself out again. i used a abus IPCB68620 which is a g1 and used it as playground. i will check for the preapp hook and look if there is a alternate way.A full installable firmware or tweaked files copied in via an mImage_g1?
Do you have your own repacker?
I tried to use the pre_app_hook to boot via MicroSD but never succeeded.
its only first time installable with format / update procedure. after this you install everything you want. but of course new images should be patched too, otherwise you lock yourself out again. i used a abus IPCB68620 which is a g1 and used it as playground. i will check for the preapp hook and look if there is a alternate way.
and i dont need a own repacker. the one i have does unpack and repack the latest g1 firmware without issues
i just patched davinci_bak (which must recreated with hik_repack too) to remove all RSA checks. i daemon_fsp_app to disable the rsa check for davinci_bak
i patched net_process to remove the dropbear killing code. and of course i patched initrun.sh, but this is easy of course. i can also do the same for g3, but need some dumps first to extract the keys for modifying the hik_repack too
