Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral
  1. Thanks for pointing those out Maniaxx (won't let me update the OP though). PSH basically a custom shell that locks you in to only issuing a handful of (useless) commands, doesn't allow environment variables, in-line expansion, redirection or any other means to gain access to base functions (cat, grep, etc..) so any "mods" are out of the question at that point. The davinci binary - essentially the brains of the whole system - periodically checks to validate the initrd and other key filesystems with known CRC values - a mismatch invokes a reboot (which is supposed to overwrite it with the original copy, which in most cases in the one we've modified in the firmware) so unfortunately it would seem my "ASH" fix is a temporary one.
  2. Here's the modified v5.3 CN file, throw that in your "/temp" directory you're using, run hiktool create and see if that works. If it does, double check what you're doing to re-make that file. If it doesn't - something else at fault here; my hiktools is "05r" - perhaps there's a bug in your release? http://www.filedropper.com/iefiletar
  3. Sounds familiar. In summary... There's talk of changing the hardware code in other threads But I didn't find anything that worked, hence all my posts above Regardless of which way you go - you either need need to hack a firmware to get rid of psh so you can modify the hardware code, or hack a firmware so that your chinese firmware talks english. If you end up finding the "Ultimate fix" - please share!
  4. v5.3: Manual language fix (again - involves firmware modding, linux commands, do at own risk) This is to get the web interface of a Chinese 2CD2xx2 cam, running Chinese v5.3 firmware (eg: IPC_R0_CN_STD_5.3.0_150513) to default to english, auto detect browser language and allow language selection via the login drop-down box at the top right. There are other methods (I think) but this is what I did to solve the "language mismatch" problem when you upload the multi-lang (english) firmware (eg: IPC_R0_EN_STD_5.3.0_150513) to a Chinese model camera. Note that firmware names may differ depending on where you download it 1 - Download the multi-lang firmware (eg: IPC_R0_EN_STD_5.3.0_150513) 2 - Download the Chinese firmware (eg: IPC_R0_CN_STD_5.3.0_150513) 3 - See original post in this thread "Get ASH back on V5.3 (PSH restrictions)", follow steps 1-7 for each firmware (except change the directory name from temp, and create 2 subdirs - "en" and "cn" - extract the respective firmware there) For the rest, I use linux so I'll just show the commands with some explanation along the way (if you can interpret that to your set of windows tools) # Ok, so let's say we've copied the extracted English digicam.dav files to /work/english # and the Chinese digicam.dav files are in /work/chinese # First, we want to extract the Chinese IEfile.tar.gz - this is an lzma'd tarball (not gzip) user@host:/work# mkdir cnwebs user@host:/work# cd cnwebs user@host:/work/cnwebs# cat ../chinese/IEfile.tar.gz | lzma -d | tar -cf - # You'll see a directories called doc and codebase, a few web script pages. # Now for the english webs... user@host:/work/cnwebs# cd ... user@host:/work# mkdir enwebs user@host:/work# cd enwebs user@host:/work/enwebs# cat ../english/IEfile.tar.gz | lzma -d | tar -cf - # Next we want to extract all the lang files from the English firmware (IElang.tar) user@host:/work/enwebs# cd .. user@host:/work# mkdir enlangs user@host:/work# cd enlangs user@host:/work/enlangs# tar -xvf ../english/IElang.tar # We're left with a bunch of tar.gz lang packages, let's expand them too. user@host:/work/enlangs# for f in *.tar.gz; do tar -xvf $f; done # Clean up the old tar files user@host:/work/enlangs# rm *.gz # Next we get the english doc/xml/Languages.xml file (which has the list of all the supported languages) # and append it to the Chinese language file (which only lists Chinese) # while retaining the chinese xml entry user@host:/work/enlangs# cd ../cnwebs/doc/xml user@host:/work/cnwebs/doc/xml# cat ../../../enwebs/doc/xml/Languages.xml >> Languages.xml # A bit of file editing, open Languages.xml up and delete the </Languages> line (about line 7) along # with the next 2 lines which look like "<?xml [cut]" and "<Languages>\n" so the xml is contiguous. # Then remove 'default="true"' from to the chinese <Language> tag, to the english # tag (The '<Language>' preceeding '<value>en</value>') so it looks like: # ... # <Language default="true"> # <value>en</value> # ... # Now copy over all the language packs from enlang/ to this directory user@host:/work/cnwebs/doc/xml# cp -pr ../../enlangs/* . # Now we hack up the javascript that chooses the language # in cnwebs/doc/script there's login.js - we need to fine the text "chinese" (including quotes) and change it to something random. user@host:/work/cnwebs/doc/xml# cd ../script # Using sed: user@host:/work/cnwebs/doc/xml/script# sed -i 's/"chinese"/"hacked"/g' login.js # or manually do it with your desired text editor # All that's left is to re-make the IEfiles.tar.gz user@host:/work/cnwebs/doc/script# cd ../.. user@host:/work/cnwebs# tar -cf - * | lzma -z -9 > ../chinese/IEfile.tar.gz # Copy /work/chinese/IEfile.tar.gz back to your C:\hiktools05r\cn folder, make sure the digicap.dav file in C:\hiktools05r\ is the chinese # version, and run: C:\hiktools05r\hiktools.exe create digicap.dav cn # The C:\hiktools05r\cn.dav is now multi-lang, update via the TFTP Auto Update application. NOTES: Some Chinese text will still appear (like in the video overlay) because some binaries are compiled that way - but for the most part, you'll be able to navigate around the web interface in your desired language. Reset your cookies in the web browser, else the login page may remember you as using Chinese last time and set it to that (though you should still be able to select English in the drop-down menu).
  5. There are members on here that far exceed my level, I'm guessing you could be included in that list, which would mean your post should be interpreted as extreme sarcasm. Anyway - There's a gap between intermediate "tinkerers" like myself and the information available on the web to get you started digging around the system, I just wanted to give others a hand getting into things rather than spending hours gathering all that I already have. I've revised the SSH access method in the OP.
  6. I guess it's about taking more control of the unit. I was one of those who got the chinese model hardware (on a 2cd2023), and at version 5.1.x it always failed CIFS storage so I had to upgrade to get that working, but as a result was left with chinese language on the web interface or a dead unit with the "language mismatch" issue. Using some of the above methods I hacked up the webs tarball to include xml language files from another digicam.dav firmware file, added some static bindings to use and got the english web interface back that way. From this point, I'm just putting all that I find online so others may get better idea on how to improve the camera firmware - like adding features that may help others (syslogd, scp, custom web pages and so on). Ultimately - I just like to know how things work inside-out.
  7. Improve busybox (temporarily, at least): (Ubuntu cross-compile) apt-get install build-essentials gcc-arm-linux-gnueabi ncurses-dev mkdir target wget http://www.busybox.net/downloads/busybox-1.23.2.tar.bz2 tar -xvf busybox-1.23.2.tar.bz2 cd busybox-1.23.2.tar.bz2 # <if> using my .config (attached) gunzip dot.config.gz cp dot.config .config # <else> CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make menuconfig # <end> CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make CONFIG_PREFIX=../target CROSS_COMPILE=arm-linux-gnueabi- make install # Done. Notes: Make it static (~1.5MB) then upload to /dav (should have the room) If you don't make it static, then you'll need to implement a whole buildroot with gcc etc.. that uses the libc that's currently on the system (ls /lib/libc*) else download that and build it as well. dot.config.gz attached is static with most sub-commands: Currently defined functions: [, [[, acpid, addgroup, adduser, adjtimex, arp, ash, awk, base64, basename, bash, blkid, blockdev, bunzip2, bzcat, bzip2, cal, cat, catv, chattr, chgrp, chmod, chown, chpasswd, chroot, cksum, comm, conspy, cp, cpio, cryptpw, cttyhack, cut, date, dd, delgroup, deluser, depmod, devmem, df, dirname, dmesg, dnsdomainname, du, echo, egrep, env, expand, expr, false, fdisk, fgrep, find, free, freeramdisk, fsck, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd, head, hexdump, hostid, hostname, hwclock, id, ifconfig, init, insmod, ionice, iostat, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, logger, login, logread, losetup, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makedevs, makemime, md5sum, mdev, mesg, mkdir, mke2fs, mkfifo, mkfs.ext2, mknod, mkpasswd, mkswap, modinfo, modprobe, more, mount, mpstat, mv, nanddump, nandwrite, netstat, nice, passwd, ping, ping6, pivot_root, pkill, poweroff, ps, pwd, rdate, rdev, readlink, readprofile, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod, route, rtcwake, script, scriptreplay, sed, sendmail, setarch, setserial, sh, shuf, sleep, sort, strings, stty, su, sulogin, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, telnet, telnetd, test, time, timeout, top, touch, tr, true, tty, ttysize, ubiattach, ubidetach, ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, umount, uname, unexpand, unlink, unlzma, unlzop, unxz, unzip, uptime, users, vlock, volname, wall, watch, watchdog, wc, wget, who, whoami, xz, xzcat, yes, zcat I believe other users on this forum have also built their own and have made that available (link pending). dot.config.gz
  8. NAND partitions... rcvy - recovery partition, includes generic filesystem, kernel, initrd, etc.. dpt param - System parameters, serial, model, and several encoded partitions of data. env - Environment parameters, serial, model, boot parameters ano_ptb hal bld - Bootloader (amBoot flavour, U-Boot 1.3.x based) dbg - Reserved for debug, not used afaik cfg_pri - ubifs mounted to /config, contains sqlite3 database of web/application level config cfg_sec - as above, secondary partition app_pri - mounted to /dav via /usr/sbin/mount_app; webs, tars, general runtime application and data app_sec - as above rmd_pri - initrd rmd_sec - as above, second partition krn_pri - kernel krn_sec - as above, second parition ptb - bst -
  9. Format of initrd NAND partitions (rmd_pri/rmd_sec): Note: 4MiB each (1024*1024*4) 64-byte header [offset]:[length] 0:4 = 1a d9 60 16 (magic? I don't know, doesn't change afaik) 4:8 = 0xFF 12:4 = initrd's gzip'd size 16:4 = load address (in RAM) 00 00 a0 c0 (0xc0a00000) 20:4 = 0xFF 24:4 = 4b 44 4d 52 (KDMR = RMDK, ramdisk magic) 28:* = 0xFF [*]gzip'd ext2 image (actual initrd) [*]trailing 0xff's to make 4MiB Uncompressed initrd image is a 8MiB ext2 filesystem Filesystem volume name: <none> Last mounted on: <not available> Filesystem UUID: <none> Filesystem magic number: 0xEF53 Filesystem revision #: 0 (original) Filesystem features: (none) Default mount options: (none) Filesystem state: clean Errors behavior: Unknown (continue) Filesystem OS type: Linux Inode count: 824 Block count: 8192 Reserved block count: 0 Free blocks: 1650 Free inodes: 597 First block: 1 Block size: 1024 Fragment size: 1024 Blocks per group: 8192 Fragments per group: 8192 Inodes per group: 824 Inode blocks per group: 103 Last mount time: n/a Last write time: Fri Mar 20 20:38:26 2015 Mount count: 0 Maximum mount count: 20 Last checked: Fri Mar 20 20:38:26 2015 Check interval: 0 (<none>) Reserved blocks uid: 0 (user root) Reserved blocks gid: 0 (group root) Group 0: (Blocks 1-8191) Primary superblock at 1, Group descriptors at 2-2 Block bitmap at 3 (+2), Inode bitmap at 4 (+3) Inode table at 5-107 (+4) 1650 free blocks, 597 free inodes, 43 directories Free blocks: 6542-8191 Free inodes: 228-824 Modifying nand initrd Note that while this seems to match all the requirements - I still haven't successfully got it to boot a modified initrd. There's going to be a checksum somewhere I'm missing... To be continued... Method: Extract initrd: dd if=rmd_pri bs=64 skip=1 of=initrd.gz gunzip initrd.gz mount -o loop initrd ./path/to/mount Re-making initrd, here's a mediocre script. At least it'll give you an idea of what's required. PS: make sure you unmount it first PPS: Note: _NO SIZE CHECKS_ Use at own risk. #!/bin/sh if [ $# -ne 2 ]; then echo "Bad argument count" echo "Usage: $0 [headerfile] [ext2imgfile]" exit 1 elif [ ! -f "$1" ]; then echo "Bad header file: $1" echo " Hint: To get header file:" echo " dd if=4MB_nand_img bs=64 count=1 of=header.bin" exit 1 elif [ ! -f "$2" ]; then echo "Bad ext2 image: $2" echo " Hint: To get ext2 file:" echo " dd if=4MB_nand_img bs=64 skip=1 | gunzip - > initrd.ext2.img" exit 1 fi if [ -f initrd.gz ]; then echo "Warning, this program will overwrite initrd.gz - please remove first" exit 1; fi # Compress ext2 image cat $2 | gzip -9 > initrd.gz echo -n "Get size of gzip'd initrd: " NEWSIZE=$(stat --format=%s initrd.gz) echo $NEWSIZE echo -n "Convert that size into sed-translateable bytes: " SIZEHDR=`printf "%08X" $NEWSIZE | sed 's/[A-F0-9]\{2\}/\\\\x& /g' | tac -s' ' | sed 's/ //g'` echo "$NEWSIZE = '$SIZEHDR'" echo "Look for 0x35a12e00 in the old header (old initrd size) and replace with '$SIZEHDR' (new initrd size)" # TODO: Size may vary, replace the 4th DWORD (byte offset 12, length = 4) cat $1 | sed "s/\\x35\\xa1\\x2e\\x00/$SIZEHDR/g" > header.new echo "Concat new header and new initrd > initrd.temp" cat header.new initrd.gz > initrd.temp echo -n "Get size update: " NEWSIZE=$(stat --format=%s initrd.temp) echo "$NEWSIZE bytes" echo -n "Find the difference between that and 4MiB: " TRAILER=$(expr 4194304 - $NEWSIZE) echo "$TRAILER bytes" echo "Generate trailing 0xff's in trailer.new" dd if=/dev/zero bs=$TRAILER count=1 | sed 's/\x00/\xff/g' > trailer.new echo "Append trailer to initrd.temp > initrd.nandready" cat initrd.temp trailer.new > initrd.nandready echo "Done." To write back to nand, match the /dev/mtdX with the mtd backup script output in previous post. In my system, rmd_pri is /dev/mtd11. On PC: cat initrd.nandready | ssh root@camip "cat - > /dav/newinitrd" On cam: nandwrite /dev/mtd11 /dav/newinitrd reboot.
  10. RE: ALL POSTS: Use at own risk. Just a braindump of what I've been meddling with recently... Get ASH back on V5.3 (PSH restrictions) (Involves TFTP firmware flash process - very much do at own risk) Get your hands on "hiktools05r.rar" (3rd party firmware file editor, ~9KB) and "Auto Update.rar" (Hikvision tftp update application, ~176KB) - don't ask me for them, source them yourself. Get your hands on the digicam.dav v5.3 firmware of your choice. Extract hiktools05r, and get a command prompt to that directory (eg: C:\hiktools05r>) Copy digicam.dav to C:\hiktools05r Make a subdirectory called "temp" (C:\hiktools05r> mkdir temp) C:\hiktools05r> hiktools.exe split digicam.dav temp (hiktools05r extracts all the firmware files) Edit C:\hiktools05r\temp\initrun.sh with wordpad (turn off line wrap) or your favourite text editor other than notepad (notepad doesn't support unix text file linebreaks) and append "sed -i 's/psh/ash/g' /etc/profile" (without the double quotes) and save. Alternatively, by command line: C:\hiktools05r> echo sed -i 's/psh/ash/g' /etc/profile >> temp\initrun.sh Re-make the firmware by: C:\hiktools05r> hiktools.exe create digicam.dav temp The new file will be c:\hiktools05r\temp.dav - copy that to the Auto Update directory where tftpserv.exe is, rename as digicap.dav and upload to the camera (process not covered here). Move files around without scp PC to Cam cat [localfile] | ssh root@camip "cat - > [fileoncam]" Cam to PC ssh root@camip "cat [fileoncam]" > [localfile] NB: Try not to use gzip/tar/other filters - the CPU isn't that fast and it's best to just copy direct bytes. If you need to compress something, do it prior to the transfer. Backup all your nand partitions First - Upload a script file to cam (eg. /root/readmtd.cam.sh) #!/bin/sh LIST= for m in /sys/class/mtd/mtd*[0-9]; do #echo `cat $m/name` = `cat $m/size` SIZE=`cat $m/size` NAME=`cat $m/name` echo "MTDNAME=$NAME" echo "SIZE=$SIZE" MTD=`echo "$m" | sed 's/^.*\///g'` echo "COUNT=\`expr $SIZE / 2048 \`" echo "sshpass -p _PASS_ ssh root@_CAMIP_ \"dd if=/dev/$MTD bs=2048 count=\$COUNT\" > mtd-$MTDNAME.bin" echo done Then on PC, run: ssh root@camip "sh /root/readmtd.cam.sh" > readmtd.pc.sh readmtd.pc.sh will be filled with remote ssh commands to pull each nand partition off the camera - note the fields to replace: Where [pass] is the cam's ssh root password (same as admin), and [camip] is the camera's ip/fqdn sed -i 's/_PASS_/[pass]/g' readmtd.pc.sh sed -i 's/camip/[camip]/g' readmtd.pc.sh Files received (example): -rw-r--r-- 1 root root 25165824 Jun 26 16:19 mtd-app_pri.bin -rw-r--r-- 1 root root 25165824 Jun 26 16:18 mtd-app_sec.bin -rw-r--r-- 1 root root 1048576 Jun 26 16:18 mtd-bld.bin -rw-r--r-- 1 root root 131072 Jun 26 16:19 mtd-bst.bin -rw-r--r-- 1 root root 4194304 Jun 26 16:18 mtd-cfg_pri.bin -rw-r--r-- 1 root root 4194304 Jun 26 16:18 mtd-cfg_sec.bin -rw-r--r-- 1 root root 16777216 Jun 26 16:18 mtd-dbg.bin -rw-r--r-- 1 root root 1048576 Jun 26 16:18 mtd-dpt.bin -rw-r--r-- 1 root root 524288 Jun 26 16:18 mtd-env.bin -rw-r--r-- 1 root root 1048576 Jun 26 16:18 mtd-hal.bin -rw-r--r-- 1 root root 8388608 Jun 26 16:17 mtd-krn_pri.bin -rw-r--r-- 1 root root 8388608 Jun 26 16:19 mtd-krn_sec.bin -rw-r--r-- 1 root root 524288 Jun 26 16:18 mtd-param.bin -rw-r--r-- 1 root root 1048576 Jun 26 16:19 mtd-ptb.bin -rw-r--r-- 1 root root 10485760 Jun 26 16:18 mtd-rcvy.bin -rw-r--r-- 1 root root 4194304 Jun 26 16:19 mtd-rmd_pri.bin -rw-r--r-- 1 root root 4194304 Jun 26 16:19 mtd-rmd_sec.bin To be continued...