Hikvision - Clearing Passwords and/or Loading Firmware via TTL Serial

I don't think this is a Hikvision OEM device, particularly looking at the bootloader details.


That confirms it's not Hikvision.


Those will be machine-specific.
Where did you load it into memory?


If so, the firmware may be a bit raw, which raises the possibility that the admin password could even be found in plain text in a file on the system.
What's needed is a look around the filesystem and how it is put together.


This is just the kind of puzzle I like to solve.
But as the method has to be based on trial and error, it may be a bit long-winded on this medium.


Is this on the serial console, the web GUI, or both?
It would be interesting to see the full boot log, perhaps zipped and attached as a file, as it's usually long.
It would be useful to see the partition layout and the filesystem types in use.

Here are some initial, top-level suggestions:

I'd approach getting access in two ways.
First, it's likely that a full flash dump can be extracted using the bootloader.
But it depends on whether it can easily be got out of the device.
Although memory display (md) would work, it's tedious and would take many hours.
The simplest would be if tftp can also copy files out and isn't hard-coded just for booting.
A little exploration of the syntax will confirm whether it can send files.
For example
tftp 0x82000000 testfile 0x1000

It looks like the serial flash commands are available.
If so, try

sf probe 0
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 allflash.bin 0x1000000

Another option is to exploit the fully booted environment with a root shell.
A common, working method is to replace the bootargs environment variable with the following:

setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs) init=/bin/sh
saveenv
reset

And see if it drops into a shell.
If so, the boot then has to be completed manually.
Check whether
/etc/init.d/rcS
still leaves a root shell behind.
If not,
cat /etc/init.d/rcS
to examine how rcS finishes initialisation, and do the steps manually, skipping the one that calls the main application.

The passwords will be stored in a configuration area.
The full serial log will probably give good clues.
The partition names may help too.
For example,
cat /proc/mtd
and
mount
could point to the locations.

Good luck!
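As an added example (not part of the post above and not that poster's own script): once a dump such as allflash.bin is on the PC, the script below parses the mtdparts string from the setenv line, carves the dump into partitions at the offsets that string implies, identifies each partition by its leading magic bytes, and greps each one for printable strings that look like credentials, which is the "password in plain text in a file" case the post raises. The dump it runs on is constructed in build_sample_dump and is not from any real device; the admin:Sample123 string in it is made up, and the mtdparts "size@offset" form is deliberately not handled.

```python
import re

# Magic bytes at the start of a partition image (jffs2 node marker,
# squashfs/cramfs superblocks, U-Boot legacy image header).
PARTITION_MAGIC = {
    b"\x85\x19": "jffs2",
    b"\x19\x85": "jffs2 (big-endian)",
    b"hsqs": "squashfs",
    b"sqsh": "squashfs (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs",
    b"\x28\xcd\x3d\x45": "cramfs (big-endian)",
    b"\x27\x05\x19\x56": "uImage",
}
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
PART_RE = re.compile(r"(?P<size>-|\d+)(?P<unit>[KMG]?)\((?P<name>[^)]*)\)(?:ro)?")
# mtdparts string taken from the setenv line in the post above
MTDPARTS = "mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs)"


def parse_mtdparts(spec, flash_size=None):
    """'dev:768K(boot),2304K(x),13M(rootfs)' -> (device, [(name, offset, size), ...]).
    Partitions are laid out consecutively from offset 0; a '-' size means
    'the rest of the flash' and needs flash_size. 'size@offset' is not handled."""
    if spec.startswith("mtdparts="):
        spec = spec[len("mtdparts="):]
    device, sep, body = spec.partition(":")
    if not sep:
        raise ValueError("expected '<device>:<partitions>'")
    parts, offset = [], 0
    for item in body.split(","):
        m = PART_RE.fullmatch(item.strip())
        if not m:
            raise ValueError("bad mtdparts entry: %r" % item)
        if m["size"] == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - offset
        else:
            size = int(m["size"]) * UNITS[m["unit"]]
        parts.append((m["name"], offset, size))
        offset += size
    return device, parts


def identify(blob):
    """Guess the image type of a partition from its leading bytes."""
    for magic, name in PARTITION_MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def grep_credentials(blob, keywords=(b"passw", b"admin", b"user"), min_len=6):
    """Printable strings that contain a keyword: the 'password in plain text' check.
    Returns (offset_within_partition, string) pairs."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        s = m.group()
        if any(k in s.lower() for k in keywords):
            hits.append((m.start(), s.decode("ascii")))
    return hits


def analyze(dump, mtdparts):
    """Carve a raw flash dump by the mtdparts layout and report on each partition."""
    _, parts = parse_mtdparts(mtdparts, flash_size=len(dump))
    report = {}
    for name, offset, size in parts:
        if offset + size > len(dump):
            raise ValueError("partition %s runs past the end of the dump" % name)
        blob = dump[offset:offset + size]
        report[name] = {"offset": offset, "size": size,
                        "type": identify(blob), "hits": grep_credentials(blob)}
    return report


def build_sample_dump():
    """Constructed 16 MiB image in the page's layout; NOT a real device dump."""
    _, parts = parse_mtdparts(MTDPARTS)
    dump = bytearray(b"\xff") * sum(size for _, _, size in parts)  # erased NOR reads 0xff
    dump[0:4] = b"\x27\x05\x19\x56"                    # uImage header in 'boot'
    cfg = parts[1][1] + 0x100                          # somewhere inside 'dva110000'
    dump[cfg:cfg + 16] = b"admin:Sample123\x00"        # made-up plaintext credential
    root = parts[2][1]
    dump[root:root + 2] = b"\x85\x19"                  # jffs2 marker in 'rootfs'
    return bytes(dump)


if __name__ == "__main__":
    for name, info in analyze(build_sample_dump(), MTDPARTS).items():
        print("%-10s off=0x%07x size=0x%07x %-8s %s"
              % (name, info["offset"], info["size"], info["type"], info["hits"]))
```

On a real dump, replace build_sample_dump() with open("allflash.bin", "rb").read() and paste the board's own mtdparts string; the total of the sizes in the post's string is exactly the 0x1000000 bytes the sf read line above reads, which is a quick sanity check that the layout and the dump length agree.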
Hello!
I would like to ask for your help, because I have this recorder and I don't have the password.
Unfortunately, I am not as professional as the previous colleague, because I cannot set up and run TFTP.
Furthermore, it is not clear how to replace the bootargs environment variable.
Did this happen in the case of a fully started system?
I connected with PuTTY as described with the ST232CN adapter, but it only read unintelligible signals. Could there be a problem with the encoding?
Are you sending the bootargs to the device via TFTP?
Please help me. M.
 
I don't know if it's case-sensitive - but if it doesn't get you to the bootloader prompts, use a lower-case b

Then use either
printenv
or if that is ignored
setenv ';printenv'

and check out the values shown against
serverip
ipaddr
These are what are used for the tftp updater, may be 192.168.1.128 instead of the old 192.0.0.128

If the firmware file size is larger than 32MB, the Hikvision tftp updater won't handle it, in which case either use a standard tftp server and the command:
setenv ';update'

or the Scott Lamb tftp updater Python2 clone:
I had the same problem as @Madorion had. I'm trying to resurrect an indoor station (DS-KH6351-WTE1), as when I power it on it just shows a person icon. I have the serial connection established and have the PC and indoor station connected to a switch (I also tried the two connected directly, same problem). The PC static IP is 192.0.0.128 and I'm using Tftpd32 by Jounin. After some time I figured out what "use command b" means; for anyone reading, it means pressing the letter b when asked to press the letter u after cancelling the normal boot with any key.

You can see in the extract from PuTTY here my normal boot, without interrupting it at "Hit any key to stop autoboot: 0":

Code:
U-Boot 2017.09-svn528740 (Dec 02 2022 - 20:21:41 +0800)

DRAM:  128 MiB
MMC:   dwmmc@10300000: 0
*** Warning - bad CRC, using default environment

In:    uart@0x18400000
Out:   uart@0x18400000
Err:   uart@0x18400000

Current Mode: Release.
Net:   eth0: ethernet@1b800000
### CRAMFS load complete: 8965 bytes loaded to 0x40000000
Hit any key to stop autoboot:  0
### CRAMFS load complete: 2403040 bytes loaded to 0x40008000
### CRAMFS load complete: 870348 bytes loaded to 0x41000000
### CRAMFS load complete: 22675 bytes loaded to 0x41800000
### CRAMFS load complete: 824 bytes loaded to 0x41810000
Signature verification uImage OK.
Signature verification ramdisk.gz OK.
## Booting kernel from Legacy Image at 40008120 ...
   Image Name:   Linux-4.9.138
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2402688 Bytes = 2.3 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
## Loading init Ramdisk from Legacy Image at 41000120 ...
   Image Name:   ramdisk_xxx_CPL-HZV-AVI-GEN-74-1
   Image Type:   ARM Linux RAMDisk Image (gzip compressed)
   Data Size:    869996 Bytes = 849.6 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 41800000
   Booting using the fdt blob at 0x41800000
   Loading Kernel Image ... OK
   Loading Ramdisk to 45f2b000, end 45fff66c ... OK
   reserving fdt memory region: addr=41800000 size=6000
   Loading Device Tree to 45f22000, end 45f2afff ... OK

Starting kernel ...

init started: BusyBox v1.34.1 (2024-07-15 11:33:44 CST)
Starting mdev:      [ OK ]
mntpath decompress
len decompress  0
chmod: loadko.sh: Read-only file system
mmz_start: 0x46000000, mmz_size: 32M
show logo Fri Jan  2 02:07:46 UTC 1970
---not show logo
start decompress  Fri Jan  2 02:07:46 UTC 1970
rm: can't remove '/home/app/app.tar.lzma': No such file or directory
tar: unexpected EOF
tar: short read
rm: can't remove '/home/app/vistalk.tar.lzma': No such file or directory
rm: can't remove '/home/app/misc.tar.lzma': No such file or directory
rm: can't remove '/home/app/audio.tar.lzma': No such file or directory
end decompress  Fri Jan  2 02:07:53 UTC 1970
cp: can't stat '/home/app/cam_default.xml': No such file or directory
rm: can't remove '/home/app/cam_default.xml': No such file or directory
chmod: /home/app/HCIoTMT: No such file or directory
path:/home/app/log4j_path  size = 0x100000  sync 0x5000   level 1 storage level ime 1800 s
/home/app/log4j_path/log.4j open !!!!
log4j_main_halt start do accept loop
BusyBox v1.2.1 Protect Shell (psh svn641615) Build Time: Nov 27 2023:14:49:21
Enter 'help' for a list system commands.

Random number is:120450069

So, if anyone is struggling like me: after interrupting the boot with any key you are asked to press the letter u, like here:

Code:
This program will upgrade software.
*******************************************************
*  ATTENTION!! PLEASE READ THIS NOTICE CAREFULLY!     *
*  Don't reset machine,or anything that interrupt it. *
*  The upgrade process must finish in 10 minutes!     *
*  If this program fails,machine might be unusable,   *
*  and you will need to reflash again.                *
*  If you find this too risky,power off machine now.  *
*******************************************************

Now press [u/U] key to upgrade software:b

You need to press the letter b; if not, you end up entering the IP of the device and the IP of your TFTP server endlessly.
After pressing b, this happens:

Code:
Now press [u/U] key to upgrade software:b
U-Boot# update
Do you want to erase devcfg partition after update? (y/n/q): y
ethernet@1b800000 Waiting for PHY auto negotiation to complete. done
Using ethernet@1b800000 device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.dav'.
Load address: 0x40000000
Loading: #################################################################
         ####################################################
         6.5 MiB/s
done
Bytes transferred = 17867520 (110a300 hex)
UPD info:header verification ok! file_num=2
UPD info:file[devType.list] date is encrypted
UPD debug:unsupported device_type
digicap update failure.

So, to my next problem. I downloaded the firmware from the Hikvision Europe website (DS-KH6351-WTE1) and, as seen here, I get the error unsupported device_type.
Also, I bricked the device when I upgraded the firmware over iVMS but forgot to extract digicap.dav first; I don't know how it started the process if I sent the zip file, or whether this is also OK and the whole time the firmware was simply not the right one.
Can anyone help me, please?
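Added example, not the Scott Lamb clone mentioned earlier and not Hikvision's tool: a minimal Python 3 TFTP server shaped for the exchange the log above shows (the device at 192.0.0.64 asks 192.0.0.128 for digicap.dav after "U-Boot# update"). Two things in it are assumptions taken from outside this page: that the device first probes UDP port 9978 with a 20-byte "SWKH" payload and expects the same bytes echoed back before it sends the TFTP read request, and that the 16-bit block counter in TFTP DATA packets (65535 blocks of 512 bytes is just under 32 MiB) is where a 32 MB limit on an updater comes from. The sender below keeps counting past 65535 and compares ACKs modulo 65536, and simulate_client exercises that wrap offline; nothing here is bound to a network unless run() is called.

```python
import socket
import struct
import threading

SERVER_IP = "192.0.0.128"   # the address the device asks for, as in the log above
TFTP_PORT = 69
BLOCK_SIZE = 512
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 4, 5
# ASSUMPTION (not documented on this page): the device sends 'SWKH' padded to
# 20 bytes to UDP 9978 and expects the same bytes echoed back before TFTP starts.
HANDSHAKE_PORT = 9978
HANDSHAKE_MAGIC = b"SWKH".ljust(20, b"\x00")


def handshake_reply(payload):
    """Echo the probe so the device proceeds to TFTP; ignore anything else."""
    return payload if payload == HANDSHAKE_MAGIC else None


def parse_rrq(pkt):
    """RFC 1350 read request: opcode 1, then NUL-terminated filename and mode."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        raise ValueError("not a RRQ")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def data_packet(block, chunk):
    """DATA packet; the block field is 16-bit, so block numbers wrap at 65536."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def parse_ack(pkt):
    op, block = struct.unpack("!HH", pkt[:4])
    if op != OP_ACK:
        raise ValueError("expected ACK, got opcode %d" % op)
    return block


def error_packet(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def blocks(data):
    """(block_number, chunk) pairs; a chunk shorter than BLOCK_SIZE ends the transfer,
    so a file that is an exact multiple of 512 needs one empty trailing block."""
    n = 0
    for i in range(0, len(data), BLOCK_SIZE):
        n += 1
        yield n, data[i:i + BLOCK_SIZE]
    if len(data) % BLOCK_SIZE == 0:
        yield n + 1, b""


def serve_file(sock, peer, data, timeout=5.0, retries=5):
    """Lock-step sender: each DATA must be ACKed (modulo 65536) before the next goes out."""
    sock.settimeout(timeout)
    for block, chunk in blocks(data):
        pkt = data_packet(block, chunk)
        for _ in range(retries):
            sock.sendto(pkt, peer)
            try:
                ack, _addr = sock.recvfrom(516)
            except socket.timeout:
                continue
            if parse_ack(ack) == (block & 0xFFFF):
                break
        else:
            raise TimeoutError("no ACK for block %d" % block)


def simulate_client(data):
    """In-memory client tracking the 16-bit counter, so the wrap can be checked offline."""
    received, expected = bytearray(), 1
    for block, chunk in blocks(data):
        op, num = struct.unpack("!HH", data_packet(block, chunk)[:4])
        if op != OP_DATA or num != (expected & 0xFFFF):
            raise ValueError("out-of-order block %d" % num)
        received += chunk
        expected += 1
    return bytes(received)


def run(filename="digicap.dav", bind_ip=SERVER_IP):
    """Serve one file to the device: answer the probe on 9978, then the RRQ on 69."""
    with open(filename, "rb") as f:
        data = f.read()
    hs = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hs.bind((bind_ip, HANDSHAKE_PORT))
    tftp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tftp.bind((bind_ip, TFTP_PORT))

    def handshake_loop():
        while True:
            payload, peer = hs.recvfrom(64)
            reply = handshake_reply(payload)
            if reply:
                hs.sendto(reply, peer)

    threading.Thread(target=handshake_loop, daemon=True).start()
    while True:
        pkt, peer = tftp.recvfrom(1024)
        try:
            name, mode = parse_rrq(pkt)
        except ValueError:
            continue
        if name != filename or mode != "octet":
            tftp.sendto(error_packet(1, "file not found"), peer)
            continue
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.bind((bind_ip, 0))        # data leaves from a fresh port, as RFC 1350 requires
        serve_file(xfer, peer, data)
        xfer.close()


if __name__ == "__main__":
    run()
```

To use it for real, give the PC's NIC the static address 192.0.0.128 (or whatever printenv shows for serverip), run the script as root so it can bind port 69, place the extracted digicap.dav next to it, and only then start the device's update; the device still does its own header and devType.list checks afterwards, so a transfer that completes says nothing about whether the firmware is the right one.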
 
Forgot to say that the firmware which was used for the upgrade was not the latest one, and I can't really say which version it was. Now, after reading the PDF of the latest firmware, I see that the current device firmware must not be older than V2.2.92_build241008 to accept V2.2.108_250718, which is the latest.
I tried with this V2.2.92 firmware and it went through, at least I think so. Here is the output:
Code:
U-Boot# update
Do you want to erase devcfg partition after update? (y/n/q): y
ethernet@1b800000 Waiting for PHY auto negotiation to complete. done
Using ethernet@1b800000 device
TFTP from server 192.0.0.128; our IP address is 192.0.0.64
Filename 'digicap.dav'.
Load address: 0x40000000
Loading: #################################################################
         ######################################
         6.2 MiB/s
done
Bytes transferred = 15721216 (efe300 hex)
UPD info:header verification ok! file_num=2
UPD info:file[devType.list] date is encrypted
UPD info:file date is encrypted
===>>> Enter dec
<<<=== Out   dec

I could not do anything in the terminal any more, so I restarted the device by toggling the power.
Now the boot looks like this, and with the command help I get these options, which were not available before.

Code:
SIT
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMOFB
MLE
RBE
SPL Nor Load!
SPL Nor flash boot!
Secure boot enable
Secure verify ok
LzmaDecode start
LzmaDecode end(0)


U-Boot 2017.09-svn528740 (Dec 02 2022 - 20:21:41 +0800)

DRAM:  128 MiB
MMC:   dwmmc@10300000: 0
*** Warning - bad CRC, using default environment

In:    uart@0x18400000
Out:   uart@0x18400000
Err:   uart@0x18400000

Current Mode: Release.
Net:   eth0: ethernet@1b800000
### CRAMFS load complete: 8965 bytes loaded to 0x40000000
Hit any key to stop autoboot:  0
### CRAMFS LOAD ERROR<ffffffff> for uImage!
### CRAMFS load complete: 863052 bytes loaded to 0x41000000
### CRAMFS load complete: 22675 bytes loaded to 0x41800000
U-Boot# help
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
blk     - blk sub-system
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bubt    - update uboot image
cmp     - memory compare
cp      - memory copy
cramfsload- load binary file from a filesystem image
cramfsls- list files in a directory (default /)
ddr_info- ddr training info molchip soc
env     - environment handling commands
eraseenv- eraseenv environment variables from persistent storage
ext4load- load binary file from a Ext4 filesystem
ext4ls  - list files in a directory (default /)
ext4size- determine a file's size
fdt     - flattened device tree utility commands
go      - start application at address 'addr'
hdb     - update HDB info
help    - print command description/usage
logo    - show boot logo.

loop    - infinite loop on address range
lzmadec - lzma uncompress a memory region
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
phdb    - print HDB info
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reboot  - reboot molchip soc
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
tftpboot- boot image via network using TFTP protocol
update  - update digicap image
version - print monitor, compiler and linker version

On the screen I still have only the icon. What can I try next?
 
Funny thing: I had the option to download two v2.2.92 versions, one STD and the other NEU. So I tried with the other one, and it looks like I was just impatient. At the
Code:
===>>> Enter dec
<<<=== Out   dec
I just had to wait a minute or less, and after that it completed the flash.
Maybe my mistakes help someone.
 
With v2.2.92 working and being presented with a welcome screen, I still want the latest version. So I retried TFTP of the latest v2.2.108 and again I get the error UPD debug:unsupported device_type.
Now the device still works after a reboot, but with the v2.2.92 FW.