Unbricking Hikvision IP Cameras (Repair, Reflash and TFTP Guide)

First, some background. You can skip that if you’re just here to unbrick your cameras, and understand a few things about how they are put together.

Hikvision – What do new buyers need to know?

Hikvision is a huge manufacturer. They make cameras under a lot of brand names. You may be buying Hikvision, and not even know it. Sadly, a lot of other IP cameras have inferior build quality, but better software.

In general, my opinion of Hikvision hardware is that it is really quite good. I have also extensively used
* Wyze cameras
* Ubiquiti cameras
* Grandstream
* Reolink
* Amcrest

It is my opinion that Hikvision hardware is superior, but the other cameras are less dangerous. Particularly disappointing is Ubiquiti cameras because the company apparently gets what they need to do for a good security camera experience, but they completely fall short on long-term reliability and build quality. They’re nearly good enough but fall short in just a few key areas (imho).

Conversely, it is nearly impossible to permanently kill a Hikvision camera. It is easy to brick one with a failed firmware update, and it is not well-documented how to recover. Hence this guide.

That said, Hikvision is taking the tiger by the tail, a bit. If you prefer a little less international intrigue and/or having the Rawling Virus in-a-jar on your network, I might recommend Reolink or Ubiquiti in a pinch.

Important: Hikvision Cameras labeled “EOL” are extremely problematic with regard to firmware versions and updates. ALWAYS ALWAYS check that a Hikvision camera you are buying new is not EOL and has recent firmware. For example, it is still possible to buy 2CD2085FWD-I 8 megapixel H265 PoE Hikvision cameras on Amazon. Do not do that unless you like pain and suffering; the current firmware versions are bugged and this version of that camera sucks. It was replaced by 2CD2085G-I (are you as frustrated reading these camera models as I am writing them down?)

Cloud camera services are for chumps. Don’t be a chump.

Hikvision Background

Hikvision (pronounced High-Kay-Vision. Yes, really) is short for Hangzhou Hikvision Digital Technology Co., Ltd., a partially state-owned Chinese manufacturer and supplier of video surveillance equipment for civilian and military purposes, headquartered in Hangzhou, China.

The vision for robust camera equipment, and the implementation, is massively impressive. The hardware truly is incredible as it is able to, in real time, do face detection, people counting, detect and flag unattended baggage or packages, identify animals and much more.

The software, on the other hand, is not to idealistic American standards. It is apparent the software was not built with hardening or security in mind. The main problem is that the software is a bit opaque and the known security issues in the past have been jaw-droppingly bad.

However, the cameras do include a very well-documented SDK for software development. They also offer industry standard functionality such as web sockets and RTMP.

Even though they are a security nightmare they can, in some respects, be a great platform for video capture (3840x2160x20 fps for the models featured in this video).

Software Security

Hikvision is kinda sorta on the US blacklist. Is the security insecure because it has backdoors from China, or is it just dangerously insecure because it was not coded to any kind of software engineering standards? It’s not clear on that point. But it is absolutely imperative that, if you use this equipment, that it is not on the internet (even behind NAT).

In an ideal world there would be open firmware for these cameras, ideally from some third party. Some noted security researchers have really put a lot of work into trying to tear these down, and some have lamented that the boot sequence on these cameras seems incredibly obfuscated and needlessly complex. Why go to all the trouble given the past security weaknesses?

Some notable security lapses discovered in the past:

https://www.cvedetails.com/vulnerability-list/vendor_id-13150/Hikvision.html

It’s unclear if this is a feature or a bug, but it is possible to use SSH to get a bash prompt. (Normally these cameras restrict ssh to the ‘psh’ shell, which only allows a limited set of commands).

ssh [email protected] /bin/sh
ssh [email protected] /bin/bash

YMMV on this one because newer firmwares kill that.

Hikvision is aware of their security reputation to the extent that they pay for Google ads whenever you search for “hikvision vulnerability”.

The guide is a genuinely helpful guide for securing and configuring your Hikvision gear; they do want you to have secure gear to the extent that the criminals-du-jour are not exploiting the camera hardware to mine cryptocurrency or participate in DDoS attacks.

Why hack security cameras? In addition to the ability to stream video (and sometimes audio) for operational insight into the environment of the camera, typical Hikvision IP cameras have fairly powerful CPUs in them – they are ARM-based and typically fairly powerful. They do a lot of processing right on the camera which means that whether you deploy 10 or 100 cameras, the “backend” storage requirements tend to be pretty modest.

Almost all of these cameras feature an on-board microSD slot. If you intend to use local storage with the cameras, I highly recommend getting extremely high endurance microSD cards, designed for surveillance apps, which are only just starting to become marketed as such in the west.

Hikvision Cameras, How do they work, for recovery?

This was not well documented, and would have helped me save countless hours from the start, in helping a regional product distributor root-cause customer returns and camera failures.

In firmwares before about 5.0.0 (this will vary hugely, more on that in a moment) ALL older Hikvision cameras were factory set at 192.0.0.64 and were programmed to try to load firmware from TFTP via 192.0.0.128 – even new Hikvision cameras will try to do this if they’re really, really screwed up.

Later, some of the documentation and newer firmware refer to 192.168.1.64; this is the default IP address of the camera on newer firmwares (~5.0+).

The default TFTP server it tries to connect to in that case is 192.168.1.128.

The TFTP server is a non-standard one however. Hikvision publishes a TFTP update tool, but it is buggy and does not work well on anything other than Windows XP.

Instead, I recommend this Python script put together by Scott Lamb:

If you are not familiar with what TFTP is, it is a trivial file transfer protocol. It is not built for speed, or redundancy, or reliability. Neither is the Hikvision update process. TFTP, and these IP addresses, are the cornerstone of being able to recover these cameras quickly and properly. You will waste a lot of time if you do not perform the firmware recoveries/updates from a hard-wired computer with a manually configured IP address.

Be aware that different regions (US, UK, Netherlands, EU, China/Asia Pacific) all have slightly different firmwares AND slightly different camera builds. It can be super annoying finding the right camera, and the right region, to download the correct version of the firmware.


All you have to do is copy the correct digicap.dav file that corresponds to your exact camera to the tftp directory and then run the hikvision_tftp.py file to start the tftp server.


It provides a lot of verbose output when it is working correctly (unlike Hikvision’s program), including a helpful progress indicator.

You must use a wired connection for this to be a reliable operation. TFTP is not a robust protocol, and neither is the Hikvision implementation.

Booting The Camera

During the camera bootup sequence, a “primary” block of flash in the boot loader establishes ethernet link and sets the camera IP to 192.168.1.64* and tries to contact 192.168.1.128 to tftp its firmware file. (On every boot. Don’t even have to hold the reset button…) The camera web gui has a few checks to prevent firmware downgrades, but the TFTP sequence may permit downgrades. It seems as though some regions of flash cannot be overwritten and you can get into weird situations.

It is possible to corrupt your newer-firmware camera so badly that it will revert to the old school 192.0.0.64 -> 192.0.0.128 – if that happens you should try to load the firmware again from that interface.

The box that the camera originally came in tells you the exact firmware version that it ships with. This can be useful for getting to a “known good” starting position.

No matter what camera you have (except the 7+ year old ones), the firmware filename will be digicap.dav, but the contents are highly specific to both the camera model and the global region where it was sold (in some, but not all, cases).

In the YouTube video, I showed how to recover the 2CD2085G-I and its evil twin brother, the 2CD2085FWD-I, using the Hikvision TFTP Python script (linked above) and the method I used to find the right firmware for the FWD (basically, binary search on the Netherlands website).

In this case, the failure of that particular camera was a head-scratcher. It means the distributor’s supplier must have improperly substituted a case of cameras meant for the Netherlands for US distribution.

Further Troubleshooting

If, upon setting your IP addresses correctly, you see no activity and the camera seems dead, there are two options. The first is to use Wireshark to observe the network and see what you can see:

sudo tcpdump -i eth0 -vv -e -nn ether proto 0x0806
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:21:58.804425 28:57:be:8a:aa:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.9.18.80 tell 172.9.18.100, length 46
16:22:00.805251 28:57:be:8a:aa:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.9.18.80 tell 172.9.18.100, length 46

This is a bit outside the scope of this document. In this case, this is some fabulously ancient Hikvision firmware using 172.9.18.80 IP addresses instead of 192.0.0.64 – but this is equipment so old it isn’t worth fixing IMHO.

The second option is to attach a cable to the serial console. As these cameras run Linux under the hood, they do output to a built-in serial console. This may involve soldering or building a special console cable with a header.

This is not for the faint of heart, but it is a fun exercise. Happy hacking! Honorable mention toward that “Let’s do some custom open firmware for this killer hardware!”

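The post describes the boot-time TFTP pull in prose (camera at 192.168.1.64 asks the host at 192.168.1.128 for digicap.dav) but never shows the packets. The following is an added example, not code from the original post, from Scott Lamb’s script, or from Hikvision: an in-memory model of a TFTP read (RFC 1350 with the RFC 2348 blksize option) with both the server side and a client loop that behaves like the booting camera, so you can see the RRQ/OACK/DATA/ACK sequence and the short-final-block rule that ends it. The pre-TFTP “hello” on UDP port 9978 (a 20-byte “SWKH” datagram echoed back by the server) is my recollection of what the recovery script implements and is an assumption; the 1468-byte block size and the 10240-byte stand-in firmware are constructed for the example.

```python
"""In-memory model of the TFTP read a recovering camera performs at boot.
Added example code; not the project's script and not Hikvision's implementation."""
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR, OP_OACK = 1, 3, 4, 5, 6
DEFAULT_BLKSIZE = 512

# Assumption: the pre-TFTP "hello" the camera sends to UDP 9978, which the
# recovery host must echo back before the camera issues its read request.
HANDSHAKE_PORT = 9978
HANDSHAKE = struct.pack("20s", b"SWKH")


def handshake_reply(datagram):
    """Echo the camera's hello unchanged; ignore anything else on that port."""
    return datagram if datagram == HANDSHAKE else None


def build_rrq(filename, blksize=None, mode="octet"):
    """Read request: opcode, filename, mode, then the optional blksize negotiation."""
    pkt = struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"
    if blksize:
        pkt += b"blksize\0" + str(blksize).encode() + b"\0"
    return pkt


def parse_rrq(pkt):
    """Return (filename, mode, options) or raise ValueError on a malformed request."""
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3 or fields[-1] != b"" or len(fields) % 2 != 1:
        raise ValueError("malformed RRQ")
    fields = fields[:-1]
    opts = {k.decode().lower(): v.decode() for k, v in zip(fields[2::2], fields[3::2])}
    return fields[0].decode(), fields[1].decode().lower(), opts


class TftpServer:
    """Serves files from an in-memory dict; one read session at a time."""

    def __init__(self, files):
        self.files = files
        self.data, self.blksize, self.block, self.finished = b"", DEFAULT_BLKSIZE, 0, True

    def handle(self, pkt):
        """Consume one client datagram; return the reply, or None when there is nothing to send."""
        (op,) = struct.unpack("!H", pkt[:2])
        if op == OP_RRQ:
            filename, mode, opts = parse_rrq(pkt)
            if filename not in self.files:
                return struct.pack("!HH", OP_ERROR, 1) + b"File not found\0"
            self.data, self.block, self.finished = self.files[filename], 0, False
            self.blksize = DEFAULT_BLKSIZE
            if "blksize" in opts:            # RFC 2348: clamp the request and confirm it via OACK
                self.blksize = max(8, min(int(opts["blksize"]), 65464))
                return struct.pack("!H", OP_OACK) + b"blksize\0" + str(self.blksize).encode() + b"\0"
            return self._data(1)             # no options: the first DATA block is the reply
        if op == OP_ACK:
            (acked,) = struct.unpack("!H", pkt[2:4])
            if acked != (self.block & 0xFFFF) or self.finished:
                return None                  # stale/duplicate ACK, or the final ACK: done
            return self._data(self.block + 1)
        return struct.pack("!HH", OP_ERROR, 4) + b"Illegal TFTP operation\0"

    def _data(self, n):
        chunk = self.data[(n - 1) * self.blksize:n * self.blksize]
        self.block = n
        self.finished = len(chunk) < self.blksize   # a short (possibly empty) block ends the transfer
        return struct.pack("!HH", OP_DATA, n & 0xFFFF) + chunk


def camera_download(server, filename, blksize=1468):
    """Drive a read the way a booting camera would; returns (file bytes, packet log)."""
    buf, log = bytearray(), []
    reply = server.handle(build_rrq(filename, blksize))
    while reply is not None:
        (op,) = struct.unpack("!H", reply[:2])
        if op == OP_OACK:
            opts = dict(zip(*[iter(reply[2:].split(b"\0")[:-1])] * 2))
            log.append(("OACK", int(opts[b"blksize"].decode())))
            reply = server.handle(struct.pack("!HH", OP_ACK, 0))   # ACK 0 accepts the options
        elif op == OP_DATA:
            (n,) = struct.unpack("!H", reply[2:4])
            buf += reply[4:]
            log.append(("DATA", n, len(reply) - 4))
            reply = server.handle(struct.pack("!HH", OP_ACK, n))
        elif op == OP_ERROR:
            (code,) = struct.unpack("!H", reply[2:4])
            raise RuntimeError(f"TFTP error {code}: {reply[4:-1].decode()}")
        else:
            raise RuntimeError(f"unexpected opcode {op}")
    return bytes(buf), log


if __name__ == "__main__":
    FIRMWARE = bytes(range(256)) * 40      # constructed 10240-byte stand-in for digicap.dav
    server = TftpServer({"digicap.dav": FIRMWARE})
    assert handshake_reply(HANDSHAKE) == HANDSHAKE
    image, packets = camera_download(server, "digicap.dav", blksize=1468)
    print(len(image), "bytes in", sum(p[0] == "DATA" for p in packets), "DATA blocks:", packets[:2], packets[-1])
```

Two things in the model matter for the recovery setup described above: there is no retransmission, so a lost datagram simply stalls the session (hence the wired-link advice), and the transfer ends only when a block shorter than the negotiated size arrives, so a file that is an exact multiple of the block size is followed by an empty DATA block.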
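The tcpdump trace in the troubleshooting section shows the general trick: a bricked camera announces, through its ARP requests, both the address it has given itself and the address it expects the TFTP host to have. This added example (not code from the original post) parses such lines and says which address to assign the recovery host. The first three sample lines are the ones quoted in the post; the remaining two lines, the MAC addresses in them, and the pre-5.0 / 5.0+ classification (taken from the addresses the post gives for each firmware generation) are constructed for the example.

```python
"""Read the recovery addresses out of tcpdump ARP output. Added example code."""
import re

# Camera address -> TFTP host address the post says each firmware generation expects.
RECOVERY_PAIRS = {
    "192.0.0.64": "192.0.0.128",      # firmware before ~5.0
    "192.168.1.64": "192.168.1.128",  # firmware ~5.0 and later
}

ARP_REQUEST = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > .*"
    r"Request who-has (?P<target>\d+(?:\.\d+){3}) tell (?P<sender>\d+(?:\.\d+){3})"
)

# First three lines are from the post; the last two are constructed for this example.
SAMPLE_LINES = [
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "16:21:58.804425 28:57:be:8a:aa:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.9.18.80 tell 172.9.18.100, length 46",
    "16:22:00.805251 28:57:be:8a:aa:53 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 172.9.18.80 tell 172.9.18.100, length 46",
    "16:22:03.100000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.128 tell 192.168.1.64, length 46",
    "16:22:03.100500 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.128 is-at 66:77:88:99:aa:bb, length 28",
]


def parse_arp_requests(lines):
    """Group ARP who-has lines by the address doing the asking; other lines are skipped."""
    seen = {}
    for line in lines:
        m = ARP_REQUEST.match(line.strip())
        if not m:
            continue
        entry = seen.setdefault(m["sender"], {"mac": m["mac"], "targets": set(), "count": 0})
        entry["targets"].add(m["target"])
        entry["count"] += 1
    return seen


def recovery_advice(requests):
    """Map (asking address, wanted address) -> (IP to give the recovery host, explanation)."""
    advice = {}
    for sender, info in requests.items():
        for target in sorted(info["targets"]):
            if RECOVERY_PAIRS.get(sender) == target:
                generation = "pre-5.0" if sender.startswith("192.0.0.") else "5.0+"
                note = f"known {generation} recovery pair: set the host to {target} and start the TFTP server"
            else:
                note = f"unrecognised pair: the device wants {target}, which is not a documented recovery address"
            advice[(sender, target)] = (target, note)
    return advice


if __name__ == "__main__":
    for key, (host_ip, note) in recovery_advice(parse_arp_requests(SAMPLE_LINES)).items():
        print(key, "->", host_ip, "|", note)
```

Run it against a live capture with something like `sudo tcpdump -l -i eth0 -nn -e ether proto 0x0806 | python3 arp_recovery.py` (the filename is a placeholder), replacing SAMPLE_LINES with lines read from stdin; the repeated who-has for the same target every couple of seconds is the signature of a camera stuck waiting for its TFTP host.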

Freaking hell. How many words per minute do you type?

Great video and write up. I think it’s terrifying that these devices are everywhere. If you were trying to imagine an ideal botnet for internet warfare, you would be hard pressed to come up with a better set of features. China subsidizing device costs only makes them more terrifying. I look forward to the DefCon postmortem lecture about HikVision a few years from now.

PS I’ve been a fan of your content since the old days W. Don’t know why I took so long to join the forums but here I am. Greets from South Africa


What if there are multiple cameras on the network?

Ooof. If I had known… I bought 6x 5MP brand new Hikvision cameras a few months ago. And they are the DVR type, connected with coaxial cables (I got video baluns for them, so I could also inject PoE along with data through one cat5e S/FTP cable). I paid $600 for the whole setup (DVR with cameras, video baluns, 2TB HDD, power bricks, UPS, Pi 4 2GB version with 16GB SD and charger, and I had cables lying around). Unfortunately the DVR is not in a separate LAN; it’s on the same ISP router as my RPi that I run WireGuard on to connect to the DVR’s web interface to view the cameras (that LAN will pretty much become a botnet; I do update the Pi every month, so that Ubuntu is up-to-date).

I’m still working on a NAS for off-site backup of the video footage in another thread (related to old spinning rust with 5-6 years of uptime). I could have saved a few bucks and had the cameras on a switch separated from the Internet. Well, at least I slept in peace since I bought them, so the psychic profit and having them early was worth paying a little extra.

Only repair one camera at a time. Use a managed PoE switch to cordon off the other cameras. Or static ARP tables.

But what if a customer just buys 2 brand new working cameras and puts them on the same network?

Do the cameras just not work, and then they have to call customer support?

That would be very stupid.

These might be for advanced users only, but still, having devices that don’t work just because you have 2 of them on the same network is stupid.

Greetings,

I am joining in for the bit mentioning “Hacking the hikvision”, I skimmed the guy’s blog post, though a big part of it is over my head, my conclusion is that he DID get a working root shell, and was able to get rid of a hard-coded backdoor login, which opens up the opportunity for all kinds of possibilities. If you say you have contacted the original author of the post, can you please elaborate on where the project met a dead-end? This comes as a huge Christmas present to my (and everybody else’s) desires for a complete open source NVR as I described in this thread (open-sourced cameras with good hardware, Raspberry pi as the NVR).

I have flashed some Xiaomi cameras replacing the bootloader on the chip (involved a bit of soldering work), but they come nowhere near the image and build quality of the units displayed on your video.

The original issue was patched but you can still get back via serial console

Some of those literally just ssh -c /bin/sh

So that runs a shell as an ssh command and good to go.

Great, so what is the issue with their software that makes it harder to load different firmware? If you can get root, and they run Linux, wouldn’t that mean that you can easily build, say, an RTSP server (v4l2rtspserver) and a bunch of other tools to make the camera do just what you want?

I wish I could help somehow

I apologise in advance if this is a dumb question but here goes. I have been looking back through the synology video that goes with the hikvision cameras here and was wondering if I had a nas with 1 eth port could I add one with the USB and still keep them segmented off of my main network?

I have a problem with my NVR after trying to upgrade the firmware. However, when I use the SADP tool to check my system, it’s showing my IP address as 10.5.33.25!!!
Does anyone know how I can still use the TFTP with that IP address?

I did ask Hikvision for a password reset. I can use the XML they sent to reset the password successfully in SADP; however, literally 5 seconds after, when I try to make changes via SADP to remove DHCP so I can modify the IP, it says incorrect password.

If anyone has come across this issue or knows a fix, please let me know.

Thank you all.

Looking to buy cameras, so ‘ebay hunter’ here.

Do you all have known compatible (recovered) models to suggest?

It can be super annoying finding the right camera, and the right region, to download the correct version of the firmware.

Yeah, about that…
How the hell does one do that exactly?

I’ve got my hands on some old gear: DS-2CD2520F cameras and DS-7104NI-SL NVR and I can’t wrap my head around it, if I even have any upgrade options…

  • What even are the regions?
    If I start from us[.]hikvision[.]com, UK has no firmware, fw list on the EU site seems completely broken. Are we talking about www[.]hikvisioneurope[.]com/portal ? I see EU/UK here. EU seems to equal NL?

  • How does one find anything?

I am open to getting new gear as well. Let’s say I am looking for a 8-ch NVR. The site lists:

  • DS-7108NI-Q1
  • DS-7108NI-Q1/M
  • DS-7108NI-E1/M
  • DS-7108NI-E1/8P/M

Meanwhile, I can source DS-7108NI-K1/W/M locally.

The fw seems to be grouped by ‘series’ on the latter ‘portal’ which tracks the suffix?

Here are the FW options:

  • Q Series: 7100NI-Q1
  • E Series: 7100NI-E, “7600NI-E1(E2) 7700NI-E4”
  • K Series: 76 NI-K1
  • “Wifi” Series: 7100K1-W-M > 7108NI-E1-V-W (2y.o.)

And now the questions…

  • Which fw fits which device, if any?
  • How significant are the numbers and suffixes?
  • Do they really sell EOL products or products with no fw? Is 2y.o. EOL?
  • ??? Who the hell organizes stuff like this? Are HIKVISION devs even the same species?

Hi, I updated my camera’s firmware via TFTP but still cannot reset the password. Any ideas?

Hi, trying to use that Python script, I tried it on version 2.7.16 all the way to 3.10 and I keep getting a line error… any suggestions? On Python version 3.10 I get a line error on line 53. On version 2.17 I get line 1 as an error.