Hikvision DS-KH6210, DS-KH6320 video intercom: Russifying the Chinese interface

The first generation of intercom devices was represented by these models:
Indoor stations: DS-KH6210, DS-KH6210-(W,L), DS-KH8301-(WT), DS-KH8300-T
Current firmware for the listed devices can be downloaded here
Second generation of devices:
Indoor stations: DS-KH6320-(W)TE1, DS-KH8350-(W)TE1, DS-KH8520-(W)TE1
Door stations (V series): DS-KV6113-(W)PE1, DS-KV8X13-WME1 and the DS-KV6103-PE1 doorbell
Modular door station DS-KD8003-IME1
Firmware can be downloaded here

A short overview of Hikvision's intercom products is available on the FAQ page of the Hikvision site, which also carries this recommendation:
Configuration must be done in ENGLISH. You can switch the language to Russian afterwards.

From time to time people ask me for help with Russifying these devices, or at least with switching their Chinese interface to English.

Where do devices with a Chinese interface come from? The answer is simple: Hikvision is a Chinese company. Its full name is Hikvision Digital Technology Co., Ltd., headquartered in Hangzhou. Its products are split between the domestic and the export market, and domestic prices are several times lower than export prices. So our compatriots buy genuine branded devices, with a Chinese interface, on Chinese online marketplaces.

These are not counterfeits; the hardware often has better consumer qualities than its counterparts for the European market, because new features are tested domestically first and only later exported to the rest of the world.

The main differences are that the interface is Chinese only, with no way to switch to or select another language, and that the cloud service is localized; in addition, European devices do not interoperate with equipment made for the domestic market…

And most importantly, all of these differences are defined by the device firmware.

An internet search shows that a community has formed in which users share experience and methods for unpacking and modifying firmware. In particular, the method I will describe was published by a fellow countryman under the nickname Ivan1985 on the ipcamtalk.com forum.

It concerns editing the original firmware of first-generation indoor stations released for the Chinese domestic market so that they can run in multilingual mode together with European versions of the hardware and software…

1. I downloaded firmware VIS_11_H5_INDOOR_EN_STD_V1.5.0_180622 from www.hikvisioneurope.com/portal and tried to unpack it by using the hikpack tool, but this tool does not support the intercom indoor monitors, so I used fwtype = k41:
hikpack -t k41 -x digicap.dav -o img
Magic : 484b5753
hdr_crc : 00001bd4 (OK)
lang_id : 00000001
date_hex: 00000000
devclass: 000003e8
File: cramfs.img, CRC OK
WARN: missing new_20.bin trailer file
Extra tail at the end of dav, 64 bytes, maybe firmware id?

2. There were 3 extracted files:
cramfs.img - Compressed ROMFS file
dav_header - Header file (108 bytes)
dav_extra_tail - extra tail (64 bytes)

The header file format is clearly defined in the forum.

4. dav_extra_tail file analysis for H5 platform devices:
- offset 0x00: 16 bytes, MD5 hash of cramfs.img file
- offset 0x10: 4 bytes (little endian) -> size of next (FW ID) field in 16 bit words
- offset 0x14: maybe FW ID?

5. The next task was to create firmware packer/unpacker:
I have found the python scripts to unpack/repack the DAV files for IPC R0 series
(neobit/hikvision) and updated these scripts for intercom indoor monitors H5 series (attached).
Python version 3 and cryptodome python library are needed to run the scripts.
Attachments
packFirmwareH5.zip
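The tail layout described in step 4 (MD5 of cramfs.img, a little-endian size counted in 16-bit words, then what the post assumes is a firmware ID) can be checked mechanically before and after a repack. The following is an added example written for this page, not code from Ivan1985's scripts: it parses the 64-byte dav_extra_tail, verifies the MD5 against the cramfs image, rebuilds a tail for a modified image, and sets the lang_id byte at header offset 0x10 that the post patches later in the thread. The zero-fill of the unused tail bytes and the constant names are my assumptions; recomputing hdr_crc after the language change is left to the repack script, as in the post.

```python
import hashlib
import struct

# dav_extra_tail layout for H5 indoor stations as given in the post (field names are my labels).
TAIL_LEN = 64
MD5_OFF, SIZE_OFF, FWID_OFF = 0x00, 0x10, 0x14
# dav_header: 108 bytes; hikpack prints lang_id and the post sets the byte at 0x10 to 0x02.
HEADER_LEN = 108
LANG_OFF = 0x10
LANG_EN, LANG_CN = 0x01, 0x02   # 0x01 seen in the English image, 0x02 for the Chinese attribute


def parse_tail(tail: bytes) -> dict:
    """Split the 64-byte tail into its fields; the size field counts 16-bit words."""
    if len(tail) != TAIL_LEN:
        raise ValueError(f"tail is {len(tail)} bytes, expected {TAIL_LEN}")
    md5 = tail[MD5_OFF:MD5_OFF + 16]
    (size_words,) = struct.unpack_from("<I", tail, SIZE_OFF)
    size_bytes = size_words * 2
    if FWID_OFF + size_bytes > TAIL_LEN:
        raise ValueError("FW ID length exceeds the tail")
    return {"md5": md5, "size_words": size_words, "fw_id": tail[FWID_OFF:FWID_OFF + size_bytes]}


def check_tail_md5(tail: bytes, cramfs: bytes) -> bool:
    """True if the MD5 stored in the tail matches the cramfs image (run this after every repack)."""
    return parse_tail(tail)["md5"] == hashlib.md5(cramfs).digest()


def build_tail(cramfs: bytes, fw_id: bytes) -> bytes:
    """Assemble a tail for a (re)packed cramfs.img. Assumption: unused bytes are zero-filled."""
    if len(fw_id) % 2 or FWID_OFF + len(fw_id) > TAIL_LEN:
        raise ValueError("FW ID must be an even number of bytes that fits in the tail")
    tail = hashlib.md5(cramfs).digest() + struct.pack("<I", len(fw_id) // 2) + fw_id
    return tail.ljust(TAIL_LEN, b"\x00")


def set_header_lang(header: bytes, lang: int) -> bytes:
    """Return a copy of dav_header with the language byte at 0x10 replaced.
    hdr_crc is NOT recomputed here; the repack script must do that."""
    if len(header) != HEADER_LEN:
        raise ValueError(f"header is {len(header)} bytes, expected {HEADER_LEN}")
    hdr = bytearray(header)
    hdr[LANG_OFF] = lang
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed stand-in image (not a real cramfs), just to exercise the functions.
    image = b"\x45\x3d\xcd\x28" + b"A" * 100
    t = build_tail(image, b"H5-TEST\x00")
    print(parse_tail(t), check_tail_md5(t, image))
```

Use parse_tail on the dav_extra_tail that hikpack wrote, and check_tail_md5 against the cramfs.img you are about to repack; a mismatch after mkfs.cramfs means the tail must be rebuilt, not copied.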
Unpacking and decryption of Compressed ROMFS image file (cramfs.img) for intercom indoor monitors based on H5 platform:

1. Cramfs.img can be opened by the cramfs tools or by 7zip.

It contains next files:
- app.tar.lzma -> encrypted file
- audio.tar.lzma -> encrypted file
- dec
- digicapkeyArm.ko
- dvrCmd.tar.gz
- dvrCmd2.tar.gz
- hicore.tar.lzma -> encrypted file
- hisi.tar.lzma -> encrypted file
- logo.tar.gz
- logo.tar.lzma -> encrypted file
- misc.tar.lzma -> encrypted file
- overseas.tar.lzma
- ramdisk.gz
- showlogo
- start.sh -> encrypted file
- uImage
- version

There are several encrypted files.
The Triple DES ECB cipher algorithm is used for other HIKVISION devices, so it is also used for this image.

2. Looking into the dec file, the following strings can be found:
"Usage: ./dec FILEin FILEout", "/dev/decryptkey", "set key err %d"

The IDA interactive disassembler is needed to analyse the dec file.
This file contains several functions: "decrypt_sec", "des3_ede_setkey".
These functions are part of Cryptographic API.
The link to the Cryptographic API source code (Linux source code: crypto/des_generic.c (v5.1.5) - Bootlin, Linux source code: include/crypto/des.h (v5.1.5) - Bootlin)

static void des3_ede_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key, unsigned int keylen);
The 3DES key length is 24 bytes.

Disassembled code:
.text:0000D304 loc_D304 ; CODE XREF: decrypt_abstract_api+54j
.text:0000D304 SUB R3, R11, #-var_194
.text:0000D308 MOV R0, R3 ; struct crypto_tfm *tfm
.text:0000D30C LDR R1, [R11,#var_1A0] ; const u8 *key
.text:0000D310 LDR R2, [R11,#var_1A4] ; unsigned int keylen
.text:0000D314 BL des3_ede_setkey
.text:0000D318 MOV R3, R0
.text:0000D31C STR R3, [R11,#var_14]
.text:0000D320 LDR R3, [R11,#var_14]
.text:0000D324 CMP R3, #0
.text:0000D328 BEQ loc_D340
.text:0000D32C LDR R3, =aSetKeyErrD ; "set key err %d"
.text:0000D330 MOV R0, R3 ; format
.text:0000D334 LDR R1, [R11,#var_14]
.text:0000D338 BL printf
.text:0000D33C B loc_D3D0

The DES key is read by the ioctl function, so the DES key is not part of the image.

3. Extracting the DES key:
The dec file is not encrypted and can be patched to read the key over the UART interface (by using the printf function).
Some programming skills and understanding of the ARM instruction set are needed to create this patch.

To create DAV file with patched dec file:
- Create cramfs.img file: mkfs.cramfs -v img cramfs.img
- Set the Chinese language attribute in the header file (header offset 0x10: set byte = 0x02)
- Pack the digicap.dav file by using repackFirmwareH5.py

Load DAV file by using TFTP tool.

The link to the description of how to set up a UART connection to Hik cameras: UART connection to recover Hik cameras
The same is applicable to intercom indoor monitors (the UART connector is hidden under the sticker on the back side of the monitor).
The USB-to-UART_TTL converter with 3V logical levels and PuTTY software are needed.

UART settings:
- speed: 115200 baud
- data bits: 8
- stop bits: 1
- Parity: None
- Flow control: None

The UART log, if everything is correctly done:

hisfc300_spi_probe:Block protect enabled!
Hit any key to stop autoboot: 0
### CRAMFS load complete: 2289552 bytes loaded to 0x80400000
### CRAMFS load complete: 1206447 bytes loaded to 0x80800000
timeout for link [5000]!
## Booting kernel from Legacy Image at 80400000 ...
## Loading init Ramdisk from Legacy Image at 80800000 ...
Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
init started: BusyBox v1.16.1 (2016-08-19 14:10:59 CST)
Fri May 17 23:16:16 UTC 2019

Starting udev: [ OK ]
DES key 1292042785
DES key 303108950
DES key 1292042753
DES key 303108182
DES key 1292042753
DES key 487658070

The full 3DES_KEY: 2102034D561311120102034D561011120102034D5612111D

4. Files decryption:
openssl can be used to decrypt/encrypt the files.
It supports des-ede3 (Triple DES EDE in ECB mode).

Notes:
The DES algorithm works with 64 bits (8 bytes) blocks, so the files have to be aligned by 8 bytes before decryption.
The lengths of all encrypted files are not aligned by 8 bytes.
The last byte of each encrypted file in the image contains information about the alignment (number of unused bytes at the end of decrypted file).

The decryption sequence:
- remove last byte from the encrypted file (this byte defines the number of unused bytes at the end of decrypted file)
- decrypt file:
openssl des-ede3 -d -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- Remove unused bytes at the end of decrypted file

Decrypted start.sh file is attached.

5. Files encryption sequence:
- if file is not aligned by 8 bytes -> add bytes (0x00) to the end of file to fix it.
- if file is aligned by 8 bytes -> add 8 bytes (0x00) to the end of file!!!
- encrypt file:
openssl des-ede3 -e -in in_filename -out out_filename -K 2102034D561311120102034D561011120102034D5612111D -nopad
- add one byte with the number of unused bytes to the end of encrypted file
Attachments
dec_start.zip
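Two parts of this post lend themselves to a worked example: rebuilding the 24-byte key from the six "DES key N" lines in the UART log (each N is a 32-bit word printed in decimal, stored little-endian), and the file framing around 3DES-ECB in steps 4 and 5 (trailing clear byte holding the pad count, zero padding, and the full extra block when the file is already aligned). The block below is an added example written for this page, not Ivan1985's script; the UART_LOG excerpt is reconstructed from the lines quoted above. The XOR stand-in cipher exists only so the framing can be exercised offline; for real firmware files use des3_ecb(), which relies on pycryptodome being installed.

```python
import struct

# Excerpt of the UART log quoted in the post (only the six key lines matter here).
UART_LOG = """\
Starting udev: [ OK ]
DES key 1292042785
DES key 303108950
DES key 1292042753
DES key 303108182
DES key 1292042753
DES key 487658070
"""
BLOCK = 8  # DES block size in bytes


def key_from_uart_log(log: str) -> bytes:
    """Rebuild the 24-byte 3DES key: six 32-bit words, each packed little-endian."""
    words = [int(line.split()[2]) for line in log.splitlines() if line.startswith("DES key ")]
    if len(words) != 6:
        raise ValueError(f"expected 6 key words, got {len(words)}")
    return struct.pack("<6I", *words)


def hik_pad(plain: bytes):
    """Zero-pad to a block boundary; an already aligned file gets a whole extra block (step 5)."""
    pad = BLOCK - len(plain) % BLOCK   # 1..8
    return plain + b"\x00" * pad, pad


def hik_encrypt(plain: bytes, encrypt_block) -> bytes:
    """ECB-encrypt block by block, then append the pad count as one clear byte (step 5)."""
    padded, pad = hik_pad(plain)
    ct = b"".join(encrypt_block(padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))
    return ct + bytes([pad])


def hik_decrypt(data: bytes, decrypt_block) -> bytes:
    """Strip the trailing count byte, ECB-decrypt, then drop that many bytes from the end (step 4)."""
    pad = data[-1] if data else 0
    body = data[:-1]
    if not 1 <= pad <= BLOCK or len(body) < BLOCK or len(body) % BLOCK:
        raise ValueError("not a Hikvision-style encrypted file (bad length or pad byte)")
    pt = b"".join(decrypt_block(body[i:i + BLOCK]) for i in range(0, len(body), BLOCK))
    return pt[:-pad]


def des3_ecb(key: bytes):
    """Real cipher: 3DES-EDE in ECB mode via pycryptodome (the library the post's scripts need).
    Returns (encrypt_block, decrypt_block) callables usable with hik_encrypt/hik_decrypt."""
    from Crypto.Cipher import DES3
    c = DES3.new(key, DES3.MODE_ECB)
    return c.encrypt, c.decrypt


def xor_block_cipher(mask: bytes = b"\xa5" * BLOCK):
    """Stand-in 8-byte block 'cipher' (XOR with a mask), NOT encryption: it only lets the
    framing above be tested without pycryptodome. Use des3_ecb(key) for firmware files."""
    def f(block: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(block, mask))
    return f, f


if __name__ == "__main__":
    key = key_from_uart_log(UART_LOG)
    print("3DES key:", key.hex().upper())
    enc, dec = xor_block_cipher()
    for sample in (b"#!/bin/sh\n", b"12345678"):
        blob = hik_encrypt(sample, enc)
        print(len(sample), "->", len(blob), "bytes, pad byte", blob[-1], hik_decrypt(blob, dec) == sample)
```

With pycryptodome installed, `enc, dec = des3_ecb(key_from_uart_log(UART_LOG))` followed by `hik_decrypt(open("start.sh", "rb").read(), dec)` reproduces the openssl sequence in step 4 in one call; hik_encrypt is the inverse for repacking.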
Firmware update by using Batch Configuration Tool:

1. Connect device to network and power on it
2. Wait some time before device is started
3. Run as administrator the Batch Configuration Tool
4. You shall see the information about all Hikvision devices at the bottom part of the screen.
5. The needed device shall be selected by click on the box before device ID. (see attached screenshot #1)
6. The security column provides the information about the device activation state.
If the device is "inactive", click the "Activate" button and set the device password. (see attached screenshot #2)
7. Device IP address configuration.
The device IP address is shown in the "IPv4 Address" column. The default address of intercom devices is 192.0.0.64.
To change IP device address (if needed), click "Edit network parameters" button and define the fixed IP address or enable DHCP.
The admin password shall be entered to apply the changes. (see attached screenshot #3)
8. Click "Add" button and enter password to add device to upper part of the screen. (see attached screenshot #4)
9. Select device at the upper part of the screen by click on the box before device ID
and click "Remote configuration" button in the "Operation" column (see attached screenshot #5)
10. Select "System Maintenance" in "Remote configuration" menu and select path to DAV file.
Click Upgrade button (see attached screenshot #6).
11. After firmware upgrade, reboot the device.

If you have intercom based on H5 platform with Chinese interface please use VIS_11_H5_INDOOR_V1.5.0_181101 firmware to change the language to English.
After upgrade intercom device by this firmware, the device is switched into "inactive" state, so you shall activate device and configure IP address to load the VIS_11_H5_INDOOR_V1.5.0_181102 firmware.
Attachments
screenshots.zip
There are scripts to unpack/decrypt and encrypt/repack firmware (digicap.dav) for Hikvision IP Video Intercom and IP Door Bells devices (see attached).

To run scripts: Linux (tested on Ubuntu), Python3 and cryptodome python library are needed.

To unpack/decrypt firmware:
1) Copy digicap.dav file to the folder with scripts
2) Run script: ./unpack.sh
3) Unpacked and decrypted firmware is located in the /digicap.dav_unpacked/img folder

To encrypt/repack firmware:
1) Run script: ./repack.sh
2) repack_digicap.dav file is created.

The main application file is hicore and it is located in the hicore.tar.lzma archive.

To extract hicore file:
tar --lzma -xvpf hicore.tar.lzma

To create hicore.tar.lzma archive:
chmod 755 hicore
tar -cvf hicore.tar hicore
lzma -z hicore.tar
chmod 644 hicore.tar.lzma
rm hicore

Note: The 3DES key for IP Video Intercom and IP Door Bells devices is stored in the .rodata section of the digicapkeyArm.ko (24 bytes at file offset 0x2C0)
Attachments
scripts.zip
The language code patch for intercom indoor monitors based on H5 platform:

1. I have found how the language code is patched in the VIS_11_H5_INDOOR_STD_V1.5.0_181101 firmware (This firmware was attached to my previous post)

The patched file is hicore.
The patched function is GET_BOOT_PARAMS.

Disassembled code:
.text:0003C53C update_language_code__loc_3C53C ; CODE XREF: GET_BOOT_PARAMS__sub_3C36C+1C0j
.text:0003C53C LDR R3, =dword_7344FC
.text:0003C540 STR R4, [R3]
.text:0003C544 MOV R3, #1 ; Load language code 1 (EN)
.text:0003C548 LDR R4, =device_boot_params_addr__dword_A55594
.text:0003C54C LDRB R2, [R4,#0x80]
.text:0003C550 STR R3, [R4,#0x10] ; Store language code (offset 0x10 in the boot params array)
.text:0003C554 CMP R2, #0
.text:0003C558 BNE loc_3C56C
.text:0003C55C BL sub_37B78

2. The disassembled code for the original firmware VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319:
.text:0003CF9C loc_3CF9C ; CODE XREF: GET_BOOT_PARAMS__sub_3CDCC+1C0j
.text:0003CF9C LDR R3, =dword_7B4468
.text:0003CFA0 STR R4, [R3]
.text:0003CFA4 LDR R4, =device_boot_params_addr_dword_B1E33C ;
.text:0003CFA4 ; --------------
.text:0003CFA4 ; Language patch:
.text:0003CFA8 LDRB R3, [R4,#0x80] ; Load language code 1 (EN) -> MOV R3, #1
.text:0003CFAC CMP R3, #0 ; Store language code (offset 0x10 in the boot params array) -> STR R3, [R4,#0x10]
.text:0003CFB0 BNE loc_3CFE4 ; Keep existing functionality -> LDRB R3, [R4,#0x80]
.text:0003CFB4 LDR R3, [R4,#0x10] ; Keep existing functionality -> CMP R3, #0
.text:0003CFB8 CMP R3, #1 ; Keep existing functionality -> BNE loc_3CFE4
.text:0003CFBC BNE loc_3CFD4 ; Keep existing functionality -> NOP
.text:0003CFC0 BL sub_38600

The language patch implementation is defined in comments.

3. I created the patched version VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319 firmware (see attached).
Also attached original and patched hicore files.

4. Loading of the patched firmware:
If you have Chinese interface:
- load VIS_11_H5_INDOOR_STD_V1.5.0_181101 firmware
- activate device
- load VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319_PATCHED firmware.
- reset device configuration

If you already have patched to English firmware:
- load VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319_PATCHED firmware.
- reset device configuration
Attachments
VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319_PATCHED.zip
hicore.zip
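The patch in the comments of listing 2 can be expressed as a byte-level rewrite: six ARM words are replaced by six new ones, and the BNE loc_3CFE4 that moves from 0x3CFB0 to 0x3CFB8 needs its imm24 reduced by two so it still reaches the same target. The block below is an added example written for this page, not the patched hicore from the post's attachment; the instruction encodings are my own assembly of the listed mnemonics (ARM mode, little-endian), so confirm them in a disassembler against your own hicore before repacking. It locates the original sequence by pattern rather than by file offset, since the listing gives virtual addresses only, and refuses to patch if the pattern is not found exactly once.

```python
import struct

# Original sequence at 0x3CFA8..0x3CFBC of VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319 (from the listing),
# encoded by me as ARM words. Branch immediates: (target - pc - 8) / 4.
ORIG = (
    0xE5D43080,  # LDRB R3, [R4,#0x80]
    0xE3530000,  # CMP  R3, #0
    0x1A00000B,  # BNE  loc_3CFE4      ((0x3CFE4 - 0x3CFB0 - 8) / 4 = 0xB)
    0xE5943010,  # LDR  R3, [R4,#0x10]
    0xE3530001,  # CMP  R3, #1
    0x1A000004,  # BNE  loc_3CFD4      ((0x3CFD4 - 0x3CFBC - 8) / 4 = 4)
)
MOV_R3_1 = 0xE3A03001      # MOV R3, #1           (language code 1 = EN)
STR_R3_R4_10 = 0xE5843010  # STR R3, [R4,#0x10]   (boot params offset 0x10)
NOP = 0xE1A00000           # MOV R0, R0
BNE_OPCODE = 0x1A000000


def pack_words(words) -> bytes:
    return struct.pack(f"<{len(words)}I", *words)


def words_at(data: bytes, off: int, n: int = 6):
    return struct.unpack_from(f"<{n}I", data, off)


def branch_target(addr: int, word: int) -> int:
    """Absolute target of an ARM B/BL/Bcc word located at addr (sign-extended imm24)."""
    imm = word & 0xFFFFFF
    if imm & 0x800000:
        imm -= 1 << 24
    return addr + 8 + imm * 4


def relocate_bne(word: int, moved_by_words: int) -> int:
    """Same target after the instruction moves forward by moved_by_words words."""
    if word & 0xFF000000 != BNE_OPCODE:
        raise ValueError("not a BNE")
    return BNE_OPCODE | ((word & 0xFFFFFF) - moved_by_words) & 0xFFFFFF


def build_patch(orig):
    """Patched sequence as described in the listing comments: MOV, STR, then the original
    LDRB/CMP/BNE shifted down by two words, and a NOP in the freed slot."""
    return (MOV_R3_1, STR_R3_R4_10, orig[0], orig[1], relocate_bne(orig[2], 2), NOP)


def find_sequence(data: bytes, words=ORIG) -> int:
    """File offset of the original sequence, -1 if absent; error if it is not unique."""
    pattern = pack_words(words)
    idx = data.find(pattern)
    if idx >= 0 and data.find(pattern, idx + 1) >= 0:
        raise ValueError("original sequence occurs more than once; refusing to guess")
    return idx


def patch_hicore(data: bytes) -> bytes:
    idx = find_sequence(data)
    if idx < 0:
        raise ValueError("original sequence not found (wrong firmware version or already patched?)")
    return data[:idx] + pack_words(build_patch(ORIG)) + data[idx + 24:]


def sample_hicore() -> bytes:
    """Constructed stand-in for a hicore binary: filler around the original sequence."""
    return b"\x00" * 64 + pack_words(ORIG) + b"\xff" * 32


if __name__ == "__main__":
    out = patch_hicore(sample_hicore())
    for w in words_at(out, 64):
        print(f"{w:08X}")
```

Run patch_hicore over the hicore extracted with `tar --lzma -xvpf hicore.tar.lzma`, then repack it with the tar/lzma sequence from the previous post; branch_target lets you confirm, with the listing's addresses, that the relocated BNE still lands on loc_3CFE4.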
Link to the VIS_11_H5_INDOOR_EN_STD_V1.5.1_190319 firmware (device DS-KH8301-WT): KH serie-Hikvision

This firmware version supports Polish language: http://www.hikvisioneurope.com/portal/portal/Technical Materials/07 Video Intercom/00 Product Firmware/IP Video Intercom/Baseline/V1.5.0 Build 180929 EN FR PT IT ES DE PL CZ NL/Indoor Station & Master Station/VIS_11_H5_INDOOR_EN_STD_V1.5.0_181019.zip

I think you can modify "overseas.tar.lzma\overseas.tar\string\gui_value11.cfg" file and repack it.

Using the author's posts, you can reflash the intercom and end up using it as a European version without restrictions!
