Hikvision DS-2CD2032-I

[mroek 0]

The tftp process should start before general system boot.

So Ill try the tftp method if some one gets me the firmware and what the tftp address is.

Yes, the TFTP-process is part of the bootloader, and runs before the actual boot.

There is a guide (and software) to the TFTP-process at Hikvisions site:

 

http://www.hikvisioneurope.com/portal/index.php?dir=Z%20OLD/Technical%20Materials/Special%20Tools/TFTP-Auto-Update/

 

You have to download each file separately, as they haven't bothered to put them in an archive.

 

I am also willing to try a hex edit of the Chinese version changing the three bytes to match the US and see if it flashes to the camera. If I edit the Chinese version and change those three bytes then we know its in the firmware. The real trick would be to this, if I modify those three bytes to match the us version of the firmware and it flashes...will the Day be in Chinese?

That's useless. If you modify those three bytes to match the US, then it will be binary identical to the US, and thus will not flash to the camera.

 

Subsequently if that works then one should be able to modify the US version and flash it to a Chinese camera, which I cant test because I don't have a Chinese camera.

so some one post some firmwares, and the tftp IP so I can get a started!

The TFTP IP is 192.0.0.128 (a rather odd address), but you will find all the details in the document at the link I posted.

I have a copy of the Chinese v5 firmware if you want it, but I don't want to post it in public, so PM me with your email and I'll send it to you.

[zikronix 0]

yes modify the three bytes is technically useless, its more a proof of concept. I the point Im wondering is if my weekday would turn to Chinese!

[FastEddy 0]

I have a copy of the Chinese v5 firmware if you want it, but I don't want to post it in public, so PM me with your email and I'll send it to you.

Just curious...why the secrecy? Why not post it in public? Other than people that are trying to resolve the language mismatch, who really cares? Are you going to inflame some Chinese distributor and cause the prices of Chinese cameras to skyrocket?

That's useless. If you modify those three bytes to match the US, then it will be binary identical to the US, and thus will not flash to the camera.

I think the questions to be resolved are that (to my knowledge) nobody has shown that those three bytes are the lone factor causing the language mismatch error and upgrading via the tftp process with a hex-edited firmware may be a viable option.

[zikronix 0]

I have a copy of the Chinese v5 firmware if you want it, but I don't want to post it in public, so PM me with your email and I'll send it to you.

Just curious...why the secrecy? Why not post it in public? Other than people that are trying to resolve the language mismatch, who really cares? Are you going to inflame some Chinese distributor and cause the prices of Chinese cameras to skyrocket?

That's useless. If you modify those three bytes to match the US, then it will be binary identical to the US, and thus will not flash to the camera.

I think the questions to be resolved are that (to my knowledge) nobody has shown that those three bytes are the lone factor causing the language mismatch error and upgrading via the tftp process with a hex-edited firmware may be a viable option.

 

 

Well I know the EU and the US version are Identical...which is to be expected

 

He just sent me the firmware....standby

 

EDIT: according to the TFTP it took the firmware...but something is weird. Here, when I rebooted the camera I was able to get into it, but It all looks the same.

 

What build number is this firmware you sent me?

[elevatedthinking 0]

sounds like a fun project, let us know your findings!

[elevatedthinking 0]

Can you check to see if the firmware version is currently the same as the previous version prior to tftp'ing? I haven't poked around too much with this, I guess I am asking whether you can see a version number or something to see if it took

[zikronix 0]

Well it hasn't worked yet, im trying some other things and poking around in telnet.

[zikronix 0]

Can you check to see if the firmware version is currently the same as the previous version prior to tftp'ing? I haven't poked around too much with this, I guess I am asking whether you can see a version number or something to see if it took

 

 

Already been there done that. I don't know what version he sent me, this camera has 13402 on it, I expected 13805 when I was done that is not what I got. I was still on 13402.

 

I did attempt a web upgrade after that and I got the language mismatch, which doesnt surprise me.

 

Now Im upgrading to us, 13805...and gonna try the tftp again.

 

When Im done with that im going to play with some hex stuff, and inspect the board for points that maybe could be soldered together to enable write? or version info

[mroek 0]

I haven't flashed this firmware myself, because my distributor said it was the same that was factory installed on my cameras.

And as I said, a binary compare to the V5.0.0.build.130412 downloaded from Hikvision Europe is almost identical (except the three bytes as mentioned).

[zikronix 0]

I haven't flashed this firmware myself, because my distributor said it was the same that was factory installed on my cameras.

And as I said, a binary compare to the V5.0.0.build.130412 downloaded from Hikvision Europe is almost identical (except the three bytes as mentioned).

 

It took it. Everything is still in English however...

pictures coming. stand by

 

It did not convert the camera to Chinese, it still will not take the Chinese firmware update via the web, It also does not flip the bit to english

[elevatedthinking 0]

So that means that the value used to identify the language of the cam is part of the hardware itself? Seems logical since it took the Chinese firmware and still didn't update the lang

[zikronix 0]

So that means that the value used to identify the language of the cam is part of the hardware itself? Seems logical since it took the Chinese firmware and still didn't update the lang

 

correct which is pretty much inline with what I said above. Im sure the hardware is "identical" and it is a value flashed in the ROM of the device.

 

In telnet there is an option under set called OPTIND with a value of 1 on a us cam. I tired setting this to 2 with no luck, not even sure that's the option but hey its worth trying!

 

Going to look for jumpers, or bridged and un bridged solder points.

[zikronix 0]

Before, tftp, and after

 

After update it still wont take the Chinese version via the web, language is still all in English, time zone changes to china though, which is what im guessing the 3 byte difference is. Additionally the camera doesn't reboot after tftp like the instructions say. I also didn't have a power adapter everything was done via POE

 

There is a 4pin JP1 header on this swann dome, with out doing the research I suspect this could be the interface for modifying read only parameters. Much like I used to do with remote control hacking. The traces from the JP1 do go to at least one of the chips. It could simply be the alarm and audio input, IDK I could be totally wrong, and I wont know until I wire up my tty adapter to it and sniff it.

 

 

Anyway Im don't for today. you all have a Nice weekend. I hope this helps.

 

 

 

[buellwinkle 0]

I would bet the firmware is identical once loaded in the camera, but the camera checks the language code to figure out what to display. If that's true, then finding the needle in the haystack would be where it checks in the firmware, and modify that. If only they provided the source code The other is to change the unicode for the days of the week in Chinese to whatever language you wanted, that would probably be way easier to find.

[zikronix 0]

I would bet the firmware is identical once loaded in the camera, but the camera checks the language code to figure out what to display. If that's true, then finding the needle in the haystack would be where it checks in the firmware, and modify that. If only they provided the source code The other is to change the unicode for the days of the week in Chinese to whatever language you wanted, that would probably be way easier to find.

 

 

no doubt this is exactly what is going on. Like I said, Ill try to query that jp1 see if there is anything on it or if it is truly the alarm and audio input....if it is then back to square one! Im not about to start jtag'ing a camera. If that JP1 doesn't provide then im out! LOL

[mroek 0]

So that means that the value used to identify the language of the cam is part of the hardware itself? Seems logical since it took the Chinese firmware and still didn't update the lang

 

correct which is pretty much inline with what I said above. Im sure the hardware is "identical" and it is a value flashed in the ROM of the device.

 

In telnet there is an option under set called OPTIND with a value of 1 on a us cam. I tired setting this to 2 with no luck, not even sure that's the option but hey its worth trying!

 

Going to look for jumpers, or bridged and un bridged solder points.

I don't think this is a physical thing, I'm quite sure it is something in a special flash area (possibly protected).

 

The OPTIND value is 1 on my genuine Chinese version also, so that's probably not related.

The JP1 connector is most likely (99% sure) a serial port (like you said), and it might provide access to interesting things.

 

Another interesting conjecture is that these cameras are much like Gopro Hero2, which uses the same Ambarella CPU/DSP. If so, then the bootloader is probably AMBOOT, and probably accessible from JP1. Another interesting thing to note is that if it is, then the Linux is actually running in a thread (almost like it is virtualized) on a different RTOS (called PrKERNEL).

 

It might also be that to gain access to the AMBOOT bootloader, you'd have to do the same as on the Gopro Hero2, which is to short tx/rx briefly while powering up the camera. Here's a thread with some info on that:

 

http://goprouser.freeforums.org/stickie-hero2-firmware-studies-t4961-30.html

 

It will be interesting to see what you find out regarding JP1, zikronix. Good job so far, and interesting that the Chinese firmware was flashable through TFTP. At least that means it might be possible for us with Chinese cameras to flash the Euro/US version through that method to avoid the language mismatch error. It will not fix the weekday problem, but at least we can use the publicly available updates.

[buellwinkle 0]

Would it be possible to find the unicode for say Saturday in the binary? In Chinese that would be 星期六 but in unicode, hex would be 661F 671F 516D if you can change that, maybe you can have it say Sat.

[zikronix 0]

Maybe but remember the firmware only differs by three bytes. That's coming from some where else. I'm assuming that 3 bytes is the time zone setting when I flashed the Chinese I got the time zone of China, when I flashed the US I got some other zone

[mroek 0]

What Buellwinkle suggest could possibly be viable, but there are some gotchas:

 

1) There might be checksums that would no longer be valid (causing flashing a modified firmware to fail)

2) They might not be using unicode

3) The text could possibly be compressed in the firmware binary, making it more difficult to find and to modify

 

The unicode string you suggested (searched in both endians) is nowhere to be found in the firmware binary, which might suggest that 2) is true.

[mroek 0]

Any more news here?

Zikronix, have you been able to connect to the bootloader (with a serial connection) yet?

[zikronix 0]

No I have not just because I've been busy I pull the camera on Friday and mess with it

[cliff369 0]

Does someone have this camera that has tried to use it with Avigilon sw ?

I'm curious if motion detection works via the onvif driver. I know on Hikvision's website states they

are compatible now with them.

 

if you don't have Avigilon software you can goto their website under support and download the

5.0 server software and it will give you a 30day trial.

 

would really appreciate it if someone could test this.

thanks

[buellwinkle 0]

The Avigilon experts have said posted several times that this camera does work and motion detection works. I can also personally attest that it works with Synology Surveillance Station, BlueIris and Milestone.

[FastEddy 0]

One of the things I would like to have is multi-camera playback, so that if you had several different views of an event that occurred at a given point in time, you can "sync" the different views in time for playback. Does Avigilon offer that feature?

 

And it always bothers me when the price of something is only hinted at and whispered about...it's probably true that if you have to ask, you can't afford it.

[ak357 0]

One of the things I would like to have is multi-camera playback, so that if you had several different views of an event that occurred at a given point in time, you can "sync" the different views in time for playback. Does Avigilon offer that feature?

 

 

Absolutely u can do it