Hi all,
I'm trying to recover a Hikvision DS-2CD7A26G0/P-IZS camera and would really appreciate help from anyone with the same or similar model.
An accidental bootloader command erased most of the NAND flash. The camera was running V5.6.10 build 200107. I have full UART access to the bootloader which is intact, so the camera is recoverable — I just need the right file.
Hardware:
The problem is that the rcvy kernel stored in NAND is AES encrypted using a key burned into the SoC. When I serve a standard Linux kernel (OpenIPC uImage for Hi3519V101) as mImage_h3, it writes fine but fails to boot because the bootloader tries to decrypt it and gets garbage. I need the genuine encrypted rcvy image that Hikvision use for this platform.
What I have already tried:
Thanks
I'm trying to recover a Hikvision DS-2CD7A26G0/P-IZS camera and would really appreciate help from anyone with the same or similar model.
An accidental bootloader command erased most of the NAND flash. The camera was running V5.6.10 build 200107. I have full UART access to the bootloader which is intact, so the camera is recoverable — I just need the right file.
Hardware:
- SoC: HiSilicon Hi3519V101
- NAND: Spansion S34ML04G200TFI00 512MB SLC, TSOP48 package
- Bootloader: U-Boot 2010.06-508459
The problem is that the rcvy kernel stored in NAND is AES encrypted using a key burned into the SoC. When I serve a standard Linux kernel (OpenIPC uImage for Hi3519V101) as mImage_h3, it writes fine but fails to boot because the bootloader tries to decrypt it and gets garbage. I need the genuine encrypted rcvy image that Hikvision use for this platform.
What I have already tried:
- Serving the OpenIPC uImage.hi3519v101 as mImage_h3 — writes to NAND but fails with offset out of range and crc error as the bootloader cannot decrypt a plaintext kernel
- Extracting what I think is the rcvy blob from digicap.dav (V5.6.10 build 200107) — same result, suggesting my offset calculation is wrong or the file structure is different to what I expect
- Manipulating the sysflg partition to try to trigger automatic TFTP recovery — the bootloader keeps resetting the flags before the threshold is reached
- I have a full raw NAND dump (570MB with OOB) taken after the erase confirming the partition layout
- A raw NAND dump from any working DS-2CD7A26G0/P-IZS or similar Hi3519V101 based Hikvision camera. Even just the rcvy partition (8MB) would be enough. If you have a working camera and Linux access you can get it with: dd if=/dev/mtd5 of=rcvy.bin — that single file would likely fix my camera completely.
- The mImage_h3 file if anyone has previously extracted it or has access to Hikvision's recovery tools.
- Any advice from someone who has done a similar UART recovery on a Hi3519V101 based Hikvision camera.
Thanks
