Amazing Forum - Q About Gray Market Dahua

claire

n3wb
Jul 6, 2018
Baltimore, MD
Hello to everyone. I've really pored over this forum to understand things and it's been a terrific experience. Thanks to all you pros who contributed so much to helping noobs like me!

I read the Cliff Notes and Nayr's primers (all fabulous resources). I have a simple question about these cheap Chinese Dahuas. Some for sale say "upgradable" and they're typically a bit more expensive. But a lot of people report they work well right out-of-the-box. If you're smart about locking down your network and you're running something like Blue Iris why would you want to bother with upgrading the firmware? Even if the menus are Chinese there are simply guides to follow and Google Translate. All I need the camera to do is provide a reliable video feed. What am I missing?

Yet a lot of people seem worried about the need for firmware upgrades, and their concern seems mostly about security. I don't get it. Also, many of these Dahua cameras are identified as 'end-of-life' on the Dahua USA website, so it's unclear you can find the correct firmware even if you want to upgrade it?
 
Welcome Claire,

Please let us know if this topic is not well covered in the Cliff Notes and help us make those cliff notes better.
 
Thanks mat200 - I certainly will. I've learned from this forum not to flash English firmware to a Chinese camera. If you buy an older camera I could understand wanting to get more up-to-date (backdoor patched) firmware for the camera, but finding a vetted image seems like a nightmare. If you buy a current camera with more recent firmware and it's working I couldn't quite understand why having the ability to upgrade matters much. If I can sort this out in my head I'd certainly contribute to the Cliff Notes for fellow noobs!
 
Hi Claire

I tend to agree re updating firmware, so long as everything is working as it should be and you have things securely set up (isolated VLAN, VPN etc), then unless you actually need any fixes or feature changes then why take the risk. That said, if you buy grey and Chinese version then future options are limited. Should the NVR fail for any reason (internal, lightning etc) or you want to support more cameras and you replace with a more recent one those grey cameras may not work, since manufacturers have gone down the path of crippling non-region devices in later firmware. So there are good reasons to buy international or correct region if you can, saves a lot of grief down the road. You would also then have the option of updating firmware if you need to.

HTH
 
Upgrading a firmware does not always mean that they patched a security hole or a security risk.

Sometimes they even fix previous firmware bugs that slipped through, and can compromise a certain feature in the camera. Or they even add features to a camera.

In a firmware update for one of my cameras they fixed some issues of the previous firmware and even added a feature called (PFA, Predictive Focus Algorithm), that wasn't there in the previous one.
 
I hear ya SkyLake. Additional features and fixing problems is a very good reason for wanting the ability to upgrade embedded software. I wonder how long Chinese manufacturers would stay interested considering the pace of cam technology. Finding Dahua firmware is a pain to sort, they don't make it easy. Firmware from @cor35vet seems more appealing. As for security, based on what I've learned in this forum I don't think I'd put much faith in Chinese manufacturers and their security patches. The consensus seems to be keep them in a subnet and keep it local - if you want to access cams from outside let a program like Blue Iris access the feeds and serve it up via VPN.

So firmware upgrading for features/fixes is good, but upgrading for security maybe not so much since the smart bet is to keep them in the doghouse anyway? Does that sound right?
 
Hi Aengus4h - boy, this "International" business is confusing. I think a lot of sellers have abused this term. I've seen a bunch of current sellers writing "International" and "Multi Language" and including terms like "OEM"... then, if you read carefully, you see "cannot be upgraded" or "please don't update". This isn't the kind of "International" camera you're describing! I've found a few saying "English Firmware" which could mean nothing more than hacked firmware with English language overlays. Thankfully I've found solid recommendations on this forum to sellers like Andy and a few others.
 
Hi Claire,

Security cameras as well as IoT firmware updates in general are problematic.

You cannot rely on any of those products to be secure from cyber attacks / breaches.

Having a product which you cannot update at all is problematic in the following ways:
1) Factory reset - sometimes you need to return to do a reset and restart from scratch. Example: account lockouts, unstable firmware update, breach / attack attempt caused failure.
2) Feature / compatibility update. Example: new version of API, ONVIF, other.
3) Security / bug fixes.

Cameras which cannot be easily updated will typically mean more work on the owner's part.

The big issue is that unsuspecting owners think their new affordable NVR + cameras are fully featured and secure - and able to connect to the internet with this easy to setup port forwarding.. and then get breached and owned.

This is one reason why the Chinese market cameras are discouraged for purchase - only those who really know what they are doing and are willing to take the time and effort to properly manage and secure their systems should imho be purchasing products which put the entire internet and themselves in riskier positions.
 
I hear ya Claire, case of always reading the fine print, asking the vendor and assessing the truth of their answer if you can, or go with a known trusted one so you're sure of getting the right product and some support. So few these days do business the old-fashioned way - give good service and get recommendations which leads to more business. Hiding behind the internet makes it easy to just do a poor job and then stop responding and it's way too easy to fake review and feedback to "look good/honest" and pull in the next sucker...

TBH tho re cameras and other IoT stuff, it doesn't matter if they are Chinese market, US UK EUR or any other. IoT stuff is a weak link and upgrades/updates will only be issued for a relatively short period if at all. Same with mobile phones that are dropped by manufacturer upgrade support within 2 years. It's just not worth their time given the value of the units, easier to encourage buyers to get the latest IoT gizmo than maintain the skills/knowledge of out of date software and the cost in staff time to back-fix every little thing. It's always best to segregate things to prevent vulnerabilities causing issues, that's how well set up businesses put CCTV, door controls etc into play and for good reason.

All the Nest, Amazon, Google and other gadgets will go the same way no doubt, probably already have. Was almost tempted to get some home automation gear, but I really don't want to be relying on a 3rd party web service to provide the interlinking, no control over their security so that's already a vulnerability in mine when they get breached (and they probably will at some stage, just may not tell).
 
Very grateful for your many thoughtful replies. This is very helpful and clear information. For the noobs among us, I think I'll write up "The Case for Purchasing Cameras Capable of Being Updated" that summarizes these many points. I've learned that security cam systems are complex, expensive and potentially dangerous. I've found it rough going trying to figure things out. Maybe I can help others by documenting my learning experience.

I'm wary of purchasing Chinese goods, but I have from time-to-time and managed to locate honest suppliers to work with. In the cam world I'd say that most Chinese suppliers are highly suspect and should be avoided. Regarding IoT devices, I'm not using anything I can't control and trust. Consumers that purchase these devices without thinking are playing Russian roulette with their privacy and, as you all have pointed out, putting others at risk too. Yet the learning curve is so steep as to ensure consumers are unlikely to fully comprehend the risks or have the time to protect themselves even if they wanted to. I'll certainly be recommending this forum to everyone as a premium source of knowledge.
 
Most all of this has been discussed on this board many times and in the Cliff Notes.
  • Don't purchase cams from eBay or Amazon.
  • Unless you have gone to the company's International website.
  • Searched for the "exact" model number you are looking at.
  • If not found, it's most likely a China Region cam...avoid it.
  • Current firmware for Dahua's NVRs will NOT work with the China Region cams.
  • It is not hard at all to find firmware for legit, non-Chinese market cams.
  • Firmware updates run the risk of breaking features or removing features or at worst bricking the cam if things go south.
  • Study the Cliff Notes on a real computer screen, not your 5" phone.
  • We have a member here who has been vetted and is a vendor for Dahua cams.
  • EmpireTech Andy
  • If it's not broke, don't fix it. OCD is curable. ;)
 
FYI - Here is a recent example of a member who thought he was getting a Dahua Starlight camera getting defrauded by a Chinese vendor who sold him on a "4MP Starlight" camera.

Corridor setup Dahua IPC-HFW4433F-ZSA 4MP Starlight Bullet Varifocal

Had he searched the model on google he would have found the following link in the first page of returned results
Informations about Dahua IPC-HFW4433F-ZSA

In that thread:

Fenderman on the 2nd post: "hacked china region camera...avoid..."

Also in the first page of results you see no link to a Dahua website - typically an indication that the camera model is not available outside of China.
 
claire said: "I wonder how long Chinese manufacturers would stay interested considering the pace of cam technology."
One cool thing (at least to me) is that Dahua seems to base firmware updates on camera platforms, and at least with the Starlights, the platforms seem to live longer than the individual camera models. For example, when Dahua releases a firmware update for the HX5X3X-Rhea platform (which they just did a week or so ago, adding a feature many people have been wanting: the ability for the camera to automatically switch between day/night profiles based on how bright it is outside), that firmware update works on the original Starlight 5231 vari-focal model (from 2016, which Dahua has since stopped making), as well as the latest 5X3X models.

claire said: "Finding Dahua firmware is a pain to sort, they don't make it easy."
Hmm, at least for the various Starlight models that I have, Dahua directly links to the firmware from the camera's product page on their website. In addition, @EMPIRETECANDY (the trusted vendor most here buy their Dahua stuff from) has a good working relationship with Dahua support and will often post firmware updates here before they make it to the Dahua website.
 
Sorry for the confusion. Finding firmware at US Dahua is indeed pretty straightforward. I was referring to people that might purchase an "upgradable" camera from a Chinese seller where the model number doesn't clearly link to a model listed on the U.S. Dahua site. It seems to me that buying a Chinese camera where the seller claims it can be upgraded is problematic if you can't find a vetted firmware... @cor35vet being the lifeline.

The Cliff Notes are great - I've read them several times. Still had questions though.
 
The "International" site is just as easy :)

Clicking on the magnifying glass in the top right on the Dahua site, and filling in the correct model number, will give all the information someone would need.
 
claire said: "... The Cliff Notes are great - I've read them several times. Still had questions though."

Hi Claire,

Please let us know what additional improvements can be made in the cliff notes.

Thank You