Dahua IPC EASY unbricking / recovery over TFTP

Alessio831

n3wb
Joined
Mar 28, 2019
Messages
11
Reaction score
0
Location
Italy
I have a problem in my sd59225u-hni after installing all the firmware with this method I can't install the ptz part
 

naponet

n3wb
Joined
May 28, 2019
Messages
1
Reaction score
0
Location
Lecce
Goodmorning everyone,
I am desperate.
They hacked my nvr dahua.
I found the password reset tool and entered another password, the problem is that the serial number has become 000000000000000000 !!!
Now I can't log in to the cloud anymore.
Help.
 

kurizma

n3wb
Joined
Jun 5, 2019
Messages
1
Reaction score
0
Location
California
Thanks. Used the tools and guide (after some modifications) to unbrick my QSEE NVR. Basically you setup the FTP server on your computer and extract the firmware .img files in there. Use the Commands.bat file to create the .txt file that the NVR is looking for to run commands and when the NVR boots it will look for your FTP server and file and run the commands. You can also find the file it is looking for if you console in with a null modem cable. For the NVR I removed all other commands and left just the TFTP part and was able to transfer the file firmware. Rebooted and everything is working now. Pretty simple process after understanding what it is doing.


Again, Thanks!
 

zape

Getting the hang of it
Joined
Sep 21, 2017
Messages
221
Reaction score
69
So I tried to convert my Amcrest IP8M-T2499EW to Dahua IPC-HDW4831EM-ASE
I used firmware DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.zip


This was what I got after 1st attempt:
Client 192.168.1.251:1425 root\failed.txt, File not found or No Access

I logged into camera web interface and reset to "Factory defaults"
After reboot I got this:

accepting requests..
Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.251:3327 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:1342 root\romfs-x.squashfs.img, 893 Blocks Served
Client 192.168.1.251:1169 root\kernel.img, 1046 Blocks Served
Client 192.168.1.251:1893 root\user-x.squashfs.img, 10430 Blocks Served
Client 192.168.1.251:2105 root\web-x.squashfs.img, 4384 Blocks Served
Client 192.168.1.251:2853 root\partition-x.cramfs.img, 6 Blocks Served
Client 192.168.1.251:4017 root\custom-x.squashfs.img, 70 Blocks Served
Client 192.168.1.251:2416 root\pd-x.squashfs.img, Timeout

All subsequent attempts ended up with this:

Client 192.168.1.251:1425 root\failed.txt, File not found or No Access

And I can no longer log into web interface
Bricked it.
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
Good afternoon, I'm trying to revive a vto2111d-wp. I wanted to update the firmware using Conftool (then I realized that I had to do it through VDP).
The update failed and the computer did not start anymore.
I read all the forum pages and I can't make it work,
Try the Duvel method, TheDude comments ...
The only thing I get is
starting TFTP ...
alias / is mapped to root \
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.108:2599 root \ failed.txt, File not found or No Access
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
Try reset VDP many time & possible request from vdp will catched by PC.
I saw many trouble situation when fry use this way.
Find TTL2USB adatper.
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
Try reset VDP many time & possible request from vdp will catched by PC.
I saw many trouble situation when fry use this way.
Find TTL2USB adatper.
Good afternoon, buy the USB ttl, I already have it connected, and what it throws on the console is:

UBL Version: 1.46t(DM365)09:30:17 Sep 2 2014
Oscillator: 24MHZ
ARM Rate: 432 MHZ
DDR Rate: 340 MHZ
BootMode: SPI
Starting SPI Memory Copy...
DONE


U-Boot 1.3.6 (jerry) (Sep 2 2014 - 09:44:01)

DRAM: 128 MB
SF: Got idcode c2 20 18 c2 20
In: serial
Out: serial
Err: serial
Ethernet PHY: GENERIC @ 0x01,id:1cc816
total gio 2
gio[22]=1
gio[25]=1
davinci_eth_open:no link
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'upgrade_info_7db780a713a4.txt'.
Load address: 0x80100000
Loading: WARN: emac_send_packet: No link

Retry count exceeded; starting again
Fail to get info file!
Init error!
davinci_eth_open:no link
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'failed.txt'.
Load address: 0x80200000
Loading: WARN: emac_send_packet: No link

Retry count exceeded; starting again
==>use default images
.......
## Booting kernel from Legacy Image at 80007fc0 ...
Image Name: Linux-2.6.18_pro500-davinci_evm-
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1771112 Bytes = 1.7 MB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
XIP Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux...................................................................................................................... done, booting the kernel.

It doesn't do anything else nor can I enter commands.
I await your comments, thank you very much
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
DHBOOT# help
? - alias for 'help'
askenv - get environment variables from stdin
autoscr - run script from memory
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
cpll - chang PLL multiplier
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
echo - echo args to console
erase - erase FLASH memory
flinfo - print FLASH memory information
flwrite - write data into FLASH memory
fsload - load binary file from a filesystem image
gpio init - set gionum to gioval
go - start application at address 'addr'
help - print online help
flwrite - write hwid into FLASH memory
id - set product id and save to flash
iminfo - print header information for application image
imxtract- extract a part of a multi-image
itest - return true/false on integer compare
kload - load uImage file from flash
lip - set local ip address but not save to flash
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
mac - set mac address and save to flash
md - memory display
meminit - memset 0xcc
memsize - set mem size
mii - MII utility commands
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
recover default env
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves - save S-Record file over serial line
setenv - set environment variables
sf - SPI flash sub-system
sip - set server ip address but not save to flash
sleep - delay execution for some time
tftpboot- boot image via network using TFTP protocol
version - print monitor version
DHBOOT#
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
DHBOOT# printenv
bootcmd=fsload
bootdelay=3
baudrate=115200
eth1addr=00:01:5b:00:55:66
eth2addr=00:01:5b:00:77:88
ipaddr=192.168.1.108
serverip=192.168.1.1
netmask=255.255.255.0
bootfile="uImage"
dh_keyboard=1
appauto=1
single=0
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
HWID=VTO2111D:0:4:1:1d:5:0:1:9:3:3:0:1B0:0:2:0:0:0:0:0
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=90M video=davincifb:vid0=OFF:vid1=OFF:eek:sd0=OFF:eek:sd1=OFF
filesize=C868A8
fileaddr=81A00000
ID=3H0423CPAN00004
wifiaddr=14:A7:8B:00:D4:70
ethaddr=14:A7:8B:00:D9:4B
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Sep 2 2014 - 09:44:01)

Environment size: 1176/16380 bytes
DHBOOT# setenv dh_keyboard 0
DHBOOT# saveenv
Saving Environment to SPI Flash...
Erasing SPI flash...Writing to SPI flash...done
DHBOOT#
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
What are the modules that I should install? sorry so many questions but now that I have console management I would not want to break it
 
Joined
Aug 10, 2019
Messages
15
Reaction score
0
Location
Argentina
Working !!!!! Run line by line from the console and lift perfectly.
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

I enclose images in case anyone needs:
red cable pin 1 rx from pcb to tx from usb ttl
yellow pin 2 tx cable from pcb to usb ttl rx
black gnd cable

All thanks to iTuneDVR, thank you very much, greetings from Argentina!
 

Attachments

Top