Body: Hi everyone,
I’m trying to install OpenIPC (or just a clean, custom Linux) on my Hikvision DS-2CD1043G0-IUF camera. I just dumped the full 16MB SPI flash using a CH341A programmer, but I'm stuck at the secure boot stage.
Hardware Specs:
- SoC: Fullhan FH8852V200 (CPU: CK810 / C-SKY architecture)
- Flash: 16MB SPI NOR (XMC XM25QH128C)
- RAM: 128MB
The Problem: The stock HKVS U-Boot is heavily locked down. It verifies Hikvision's proprietary mImage format (AES decryption + SHA + RSA signature check) via the <sbal_seboot> function. Unsigned images are immediately rejected, so I cannot boot the OpenIPC kernel. On top of that, standard memory/flash commands (sf, mw.b, tftpboot) are stripped from U-Boot.
The Goal: I need someone with reverse engineering experience to look at my dump and either:
- Patch the U-Boot (
mtd0) to bypass the signature check so it accepts unsigned kernels. - Find the AES keys (likely in
mtd2) to decrypt the file system / packing format. - Help compile an unlocked, open-source U-Boot for this specific FH8852V200 (CK810) board.
Here is the full 16MB Flash Dump: https://fromsmash.com/0iuQFxHacY-dt
Any help, patches, or pointers would be greatly appreciated. Thanks in advance!