Bricked HDBW4421. Fixed firmware doesn't start (loops)

[Jeeves]

I realize the camera isn't the latest but I bricked my HDBW4421R-AS. It was running 2.400.0.28 when I tried to flash "DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830" from the WebUI.

The camera took the firmware and rebooted and began boot looping. I could only reach it when it would ping for a short while then go offline and then start pinging again.

I pulled the camera down and connected to the TX RX pins and using the steps here:
Dahua IPC EASY unbricking / recovery over TFTP
and
Dahua IPC unbricking / recovery over serial UART and TFTP

I have tried flashing the camera with multiple versions of firmware, both Cor35vet's modded firmware and the original DH-Themis-2.400.0.28.

Currently, every time the camera boots the webUI doesn't start (I have not been able to access it using the webUI since the failed flash) and often (depends on firmware) the only port open is 3800.

Looking at the debug output I see the following:

hwid_value =IPC-HFW4421B:01:02:02:23:19:00:01:06:01:01:04:258:03:00:00:00:00:01:00:00:100
product_name =IPC-HFW4421B

sonia starts, and then I see the following:

4iav_check_sys_clock(1210): DSP Core clock real [216000000] lower than target [288000000].
4iav_check_sys_clock(1220): DRAM clock real [528000000] lower than target [564000000].
6S2L chip ID [2], DSP memory bandwidth [427 MB/s], limit [1287 MB/s].
[0;32;32m10:05:56|[AEW] get amba sensor id=4106
[m[0;32;32m10:05:56|[AEW] get amba vin_mode=28, vin_fps=20480000
[m[0;32;32m10:05:56|[AEW] get the product info: sensor id is 34, product type is 161.
[m[0;32;32m10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
[m[0;32;32m10:05:56|[libpdi] pIcrAewType = 0
[m[0;32;32m10:05:56|[AEW] File[../src/s2l/mw_sensor_param.c] Line[207], icrAewType=0
[m[0;32;32m10:05:56|[AEW] pMw_info->sensor.sensor_id is 26
  wb_param is cfg_wb_param!
[m[0;32;32m10:05:56|[AEW] lensType = 0
[m[0;32;32m10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
[m[0;32;32m10:05:56|[AEW] ====pMw_info->res.isp_pipeline=0====
[m>>> pipline:0, hdr_mode:0, expo_num:1, raw_pitch:0
>>> main:size 1920x1088, raw:2560x1440, resolution:10
[0;32;32m10:05:56|[AEW] get amba sensor id=4106
[m[0;32;32m10:05:56|[AEW] get amba vin_mode=28, vin_fps=20480000
[m[0;32;32m10:05:56|[AEW] get the product info: sensor id is 34, product type is 161.
[m[0;32;32m10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
[m[0;32;32m10:05:56|[libpdi] pIcrAewType = 0
[m[0;32;32m10:05:56|[AEW] File[../src/s2l/mw_sensor_param.c] Line[207], icrAewType=0
[m[0;32;32m10:05:56|[AEW] pMw_info->sensor.sensor_id is 26
  wb_param is cfg_wb_param!
[m[0;32;32m10:05:56|[AEW] lensType = 0
[m[0;32;32m10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
[m[0;32;32m10:05:56|[AEW] ====pMw_info->res.isp_pipeline=0====
[m>>> ====amba_img_dsp_set_af_statistics_exe ok====

>>> ====amba_img_dsp_get_af_statistics_ex ok====
>>> AlgoMode:0 FuncMode:0 ContextId:0 BatchId:0 ConfigId:0
>>> horizontal_filter1_mode:0 stage1-3_enb:1 1 1
>>> gain:188 476 -235 375 -184 276 -206
>>> shift:7 2 2 0
>>> bias_off:0 0 0 8 8 123 132
>>> horizontal_filter2_mode:0 stage1-3_enb:1 1 0
>>> gain:168 -273 -219 -152 -213 0 0
>>> shift:9 0 0 0
>>> bias_off:0 0 0 8 8 123 132

[0;32;32m10:05:57|[libencode] idlecount 0
[m[0;32;32m10:05:58|[libencode] idlecount 1
[mno translater fordsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
 filter 10
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
handle_enc_msg(209): Vsync loss detected!
handle_enc_msg(209): Vsync loss detected!
init 3A done
loop start now
handle_enc_msg(209): Vsync loss detected!
handle_enc_msg(209): Vsync loss detected!

The line "handle_enc_msg(209): Vsync loss detected!" repeats until a crash occurs and the camera reboots.

If it matters, all of the "run" commands update over TFTP without an issue. However, the file "pd-x.squashfs.img" always fails with a timeout:

tftp 0x82000000 pd-x.squashfs.img; flwrite

I have also started "upgraded" by hand and flashed .BIN's through Config Tool to no success.

I originally posted this here but figured an actual post would be more useful.

Has anyone run into anything like this?

 

[alastairstevenson]

However, the file "pd-x.squashfs.img" always fails with a timeout:

Presumably the file does exist?
What happens if you execute the command manually instead of via the run command?

 

[Jeeves]

Presumably the file does exist?
What happens if you execute the command manually instead of via the run command?

1) The file does exist.

2)The only time I get to command line is when I set dh_keyboard 0 and appauto 0, thus allowing me Telnet and input by serial (since Sonia doesn't start).
If you mean by either of those, no. I have not tried to issue "tftp 0x82000000 pd-x.squashfs.img; flwrite" from telnet or serial, only as a command in upgrade_info_7db780A713a4.txt

3) I am unsure that this file matters for my situation at all. Since I can run "upgraded" which opens port 3800 for ConfigTool and then flash the firmware in its entirety to the camera.

 

[alastairstevenson]

I am unsure that this file matters for my situation at all.

Sure, but there does seem to be an error in handling it.
It's the Product Definition file. It may be important, though I've not looked at how it's used by the firmware.

As a bit of a long shot - it might be simple in the first instance to try a configuration settings reset.
This may to be possible via the bootloader cfgRestore command, if it has this.

 

[Jeeves]

Sure, but there does seem to be an error in handling it.
It's the Product Definition file. It may be important, though I've not looked at how it's used by the firmware.

As a bit of a long shot - it might be simple in the first instance to try a configuration settings reset.
This may to be possible via the bootloader cfgRestore command, if it has this.

I'm away from the camera currently, but I did some digging last night.

It appears that the /mnt/mtd/Config/ directory is empty. Reloading the firmware (via TFTP) doesn't change this. I can (by way of dh_keyboard 0 and appauto 0) gain access to busybox and telnet but running /sbin/upgraded and trying to flash the firmware over port 3800 results in:

Can't Open /mnt/mtd/Config/passwd
Can't Open /mnt/mtd/Config/Account1, will use system password
Account not exists.

Despite "will use system password", no variation of default passwords (admin:admin, root:vizxv, admin:7ujMko0admin, admin:7ujMko0) lets ConfigTool access the camera over port 3800, all result in a failed login.

I couldn't find examples of these files anywhere (understandably) and pulling *another* camera off the house wasn't appealing at the time (although, that would be a fix to at least see what the system should look like).

To elaborated on pd-x.squashfs.img; When running the commands from the bootloader:

run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

The bootloader appears to request the romfs-x, kernel, user-x, web-x, data-x and custom-x just fine, then at the command "tftp 0x82000000 pd-x.squashfs.img; flwrite" the camera reboots (which is why the TFTP server shows "Client 192.168.1.108:2574 root\pd-x.squashfs.img, Timeout" since the file was not sent). If I left this for hours, it would flash the firmware over and over and over and never complete because it reboots and never hits "DONE" or the sleep command. When I remove this line from commands.txt the camera behaves as you would expect, flashing each, and then showing the .FLASHING_DONE line.

The contents of pd-x do seem to be important (particularly with my issues) as it has the DefaultAccount, ProductDefinition and "CustomConfig" files.

I also used TFTP to transfer the pd-x.squashfs.img to transfer the file to /tmp (tftp -g -r pd-x.squashfs.img 192.168.254.254), but it didn't appear that while in Busybox there was a way to flash that file (or any firmware).

I had not found a list of available bootloader commands. I'll attempt cfgRestore. It certainly seems something is out of whack. I had assumed the firmware would overwrite all of these important partitions, but it doesn't appear so?

Lastly (As this is getting long) the only file I have under my /usr/data/Strings is "SimpChinese". The camera was always IN English and I have only flashed English firmware. I have no idea why this exists but I am wondering if this was a Chinese camera and I had no way to identify such.

 

[alastairstevenson]

I also used TFTP to transfer the pd-x.squashfs.img to transfer the file to /tmp (tftp -g -r pd-x.squashfs.img 192.168.254.254), but it didn't appear that while in Busybox there was a way to flash that file (or any firmware).

You need to do this in the bootloader, not in the running system.

I had not found a list of available bootloader commands.

Usually the 'help' command will list them, while running the bootloader.

I had not found a list of available bootloader commands. I'll attempt cfgRestore.

When in the bootloader - why not simply apply the pd-x.squashfs.img file using the command syntax
tftp 0x82000000 pd-x.squashfs.img; flwrite

 

[Jeeves]

When in the bootloader - why not simply apply the pd-x.squashfs.img file using the command syntax
tftp 0x82000000 pd-x.squashfs.img; flwrite

The message to stop U-Boot (with the * key) doesn't occur on my camera. I've held it, pressed repeatedly and the message prompting the user to press a key to stop it never appears.

So, there isn't a way to run anything in the bootloader except by passing the commands via the TFTP server, commands.txt and upgrade_info_7db780A713a4.txt.

You need to do this in the bootloader, not in the running system.

I assumed as much.

I'll put help in the commands.txt and see what options I have available to me.
Thanks!

 

[Jeeves]

First I pulled help from the bootloader:

?       - alias for 'help'
backup  - backup    - manual backup program.
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootf   - boot from flash
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase  config and backup partition.
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
erasepart- erasepart
exit    - exit script
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fdt     - flattened device tree utility commands
flwrite - flwrite - write data into FLASH memory
fsinfo  - print information about filesystems
fsload  - load binary file from a filesystem image
go      - start application at address 'addr'
gpio    - gpio test
help    - print command description/usage
hwid    - hwid      - set hardware id and save to flash
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
itest   - return true/false on integer compare
kload   - kload  - load uImage file from parttion
lip     - lip      - set local ip address but not save to flash
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
logsend - get log buf
loop    - infinite loop on address range
ls      - list files in a directory (default /)
mac     - mac      - set mac address and save to flash
mcu     - mcu sub-system
md      - memory display
memsize - memsize        - set mem size
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - mmcinfo <dev num>-- display MMC info
mtest   - simple RAM read/write test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
partition- print partition information
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault    -recover default env
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
sip     - sip      - set server ip address but not save to flash
sleep   - delay execution for some time
source  - run script from memory
sync_uboot- sync_uboot - sync uboot to uboot-bak
test    - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true    - do nothing, successfully
usleep  - delay execution for some time
version - print monitor version

Using cfgRestore:

unsupport spi flash id!!!
U-Boot 2010.06-svn3070 (Mar 03 2016 - 04:24:40)
I2C:   ready
DRAM:  110 MiB
gBootLogPtr:00b80008.
spinor flash ID is 0xc81840c8
partition file version 2
rootfstype squashfs root /dev/mtdblock5
TEXT_BASE:01000000
Net:   Detected MACID:3c:ef:8c:77:ba:a0
PHY:0x001cc816,addr:0x00
phy RTL8201 init
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Download Filename 'upgrade_info_7db780a713a4.txt'.
Download to address: 0x5000000
Downloading: *. ICMP Host Redirect to 192.168.1.185  ICMP Host Redirect to 192.168.1.185 #################################################
done
Bytes transferred = 175 (af hex)
config erased.
config erased.
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.
Download to address: 0x82000000
Downloading: *. ICMP Host Redirect to 192.168.1.185 #
done

And then trying to boot, I see the language errors:

21:16:34|[libInfra] debug tid:264 ThreadBody Enter name = Console, id = 264, prior = N1, stack = 0x5e472e2c 
21:16:34|[Manager] debug TelnetHelper.cpp 110 tid:233 setTelnet interface handle_enc_msg(209): Vsync loss detected!
ok!!!!!!!!,110,Src/Helper/TelnetHelper.cpp
21:16:34|[libpdi] WARN  : Device has no crypt chip!
21:16:35|[libpdi] SimpChinese
21:16:34|[Manager] fatal Locales.cpp 676 tid:233 Src/Locales.cpp:676 Language Not Compare!!Going to exit!
21:16:34|[Manager] info tid:233 CMagicBox::exiting...

Full boot log that shows the "Vsync loss detected" issue is attached.

 

[alastairstevenson]

And then trying to boot, I see the language errors:

Which are tagged as 'fatal, going to exit' - presumably the cause of the bootloop, Vsync loss notwithstanding.

I don't know a lot about the internal workings of that specific model - I did fix up a bootloop HDW4431C-A a while back, but didn't do a lot of internal exploration and experimentation. So I'm guessing a bit.
You've loaded EngSpn firmware - the camera complains about language - is it a Chinese model?

If you boot with appauto=0
What language files are in /mnt/custom
If no SimpChinese.txt maybe try copying the English.txt
Though that does seem too easy.

cd /mnt/custom
cp English.txt SimpChinese.txt

And take a look at what's defined in the i18n file for the language list and the default.

cat i18n

 

[Jeeves]

Which are tagged as 'fatal, going to exit' - presumably the cause of the bootloop, Vsync loss notwithstanding.

I don't know a lot about the internal workings of that specific model - I did fix up a bootloop HDW4431C-A a while back, but didn't do a lot of internal exploration and experimentation. So I'm guessing a bit.
You've loaded EngSpn firmware - the camera complains about language - is it a Chinese model?

If you boot with appauto=0
What language files are in /mnt/custom
If no SimpChinese.txt maybe try copying the English.txt
Though that does seem too easy.

cd /mnt/custom
cp English.txt SimpChinese.txt

And take a look at what's defined in the i18n file for the language list and the default.

cat i18n

I mentioned it previously that I was concerned about the Language of the camera.

The camera has never been Chinese (as far as I'm aware of) and except for that line in the logs, nothing lead me to knowing it was/wasn't a Chinese camera.

I've tried to modify the /mnt/custom directory before and I was unable to. It's mounted RO (IIRC).
I had tried to remount it as RW, the camera accepted the command, but it never made it RW.
I had used these steps the first time I saw the "SimpChinese" notice:
Loading new firmware on HFW4300S-V2 & Chinese Dahua cams - CCTV Forum

Edit: I have at various times loaded Cor35vet's firmware on the camera (which bypasses the Language check) to no avail.

 

[alastairstevenson]

I've tried to modify the /mnt/custom directory before and I was unable to. It's mounted RO (IIRC).

You are quite right, apologies - it's a squashfs ro partition in my HDW4431C-A so will also be in yours.
So that would mean modifying the extracted firmware file and applying it.

 

[Jeeves]

You are quite right, apologies - it's a squashfs ro partition in my HDW4431C-A so will also be in yours.
So that would mean modifying the extracted firmware file and applying it.

While I have most of the configuration to modify the firmware, it was easier to re-attempt upgrade using Cor35vet's Themis build.

00:38:27|[libInfra] debug tid:247 ThreadBody Enter name = Console, id = 247, prior = N1, stack = 0x5fe3fe2c 
00:38:27|[Manager] debug tid:218 setTelnet interface ok!!!!!!!!,110,Src/Helper/TelnetHelper.cpp
10:38:27|[libpdi] WARN  : Device has no crypt chip!
10:38:27|[libpdi] SimpChinese
10:38:27|[Manager] info tid:218 SetLanguage(English) load file:/mnt/custom/English.txt
10:38:27|[Manager] trace tid:218 CLocales::SetLanguage()===============>>>/mnt/custom/English.txt
10:38:27|[RemoteService] trace tid:218 setDefault DVRIP
10:38:27|[RemoteService] trace tid:218 AlarmServer setDefault
10:38:27|[RemoteService] trace tid:218 setDefault Qos config
10:38:28|[StreamSvr][Version.cpp:15]|INFO RegisterStreamSvrVersion, svnversion:336303 
10:38:27|[libInfra] info tid:218 [*] StreamSvr 3.0.0.336303 Built in 2016/ 8/ 1 [*]
10:38:28|[StreamApp][Version.cpp:16]|INFO RegisterStreamAppVersion, svnversion:336311 
10:38:27|[libInfra] info tid:218 [*] StreamApp 3.0.0.336311 Built in 2016/ 8/ 1 [*]
10:38:27|[libInfra] info tid:218 [*] NetApp 3.0.0.357884 Built in 2016/ 7/29 [*]
00:38:27|[NetApp-357884] debug tid:218 tid:218, Create eth0 success. [Src/BaseApp/NetInterFace.cpp:66]
10:38:27|[NetApp-357884] info tid:218   MAC IS  3c:ef:8c:77:ba:a0

The language issue seems to be resolved. The Config directory also has been repopulated.

~ # ls -la /mnt/mtd/Config/
total 33
-rw-r--r--    1      2348 Account1
-rw-r--r--    1        68 resolvip6.conf
-rw-r--r--    1         0 dial-ip
-rw-r--r--    1        38 resolv.conf
-rw-r--r--    1      2327 Sha1Account2
-rw-r--r--    1      6793 Config2
-rw-r--r--    1      6793 Config1
-rw-r--r--    1      2327 Sha1Account1
-rw-r--r--    1      6835 defaultConfig
-rw-r--r--    1        86 network
-rw-r--r--    1       128 logConfig
-rw-r--r--    1      2348 Account2
drwxr-xr-x    2         0 ppp
drwxr-xr-x    6         0 ..
drwxr-xr-x    3         0 .

However, the webUI never starts, and the the "vsync loss" is still present.

Looking at the last lines of the log (before it reboots), this is what is there. I don't see an actual cause so far. Any ideas?

10:38:48|[ENC_DRV] Before Adjust: left 88, right 176, top 72, bottom 144
10:38:48|[ENC_DRV] After Adjust: left 320, right 640, top 180, bottom 360

10:38:48|[libenc] set cover done,streamid=0,index=1
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
20:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 1.
10:38:48|[libencode] bdLeft 22 bdTop 18 bdRight 44 bdBottom 36
10:38:48|[libenc] set cover done,streamid=1,index=1
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0

10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 2.
10:38:48|[libenc] set cover done,streamid=2,index=1
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 0.


10:38:48|[libenc] cover index 2 enble 0 left 176 right 264 top 144 bottom 216
10:38:48|[ENC_DRV] Privacy mask[0]: app refer[704x576], real refer[2560x1440], offset [0,0]

10:38:48|[ENC_DRV] Before Adjust: left 176, right 264, top 144, bottom 216
10:38:48|[ENC_DRV] After Adjust: left 640, right 960, top 360, bottom 540
10:38:48|[libenc] set cover done,streamid=0,index=2
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[libencode] WARN  : dup Jpeg export, dump it 
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 1.
10:38:48|[libencode] bdLeft 44 bdTop 36 bdRight 66 bdBottom 54
10:38:48|[libenc] set cover done,streamid=1,index=2
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 2.
10:38:48|[libenc] set cover done,streamid=2,index=2
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[NetProt-359601] info tid:238 [tid:0238] Extracting device type once for device [Src/ssdp/Ssdp.cpp:1016]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] Extracting UDN for device [Src/ssdp/Ssdp.cpp:1028]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] Extracting device type [Src/ssdp/Ssdp.cpp:1029]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] Extracting UDN for device [Src/ssdp/Ssdp.cpp:1053]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] deafult iframe is eth0 [Src/ssdp/Ssdp.cpp:2494]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] get ip by iframe: eth0 [Src/ssdp/Ssdp.cpp:2499]
10:38:48|[NetProt-359601] trace tid:238 Src/ssdp/Ssdp.cpp,2225: dst ip is 192.168.1.22, and response location ip is 192.168.1.108
10:38:48|[NetProt-359601] info tid:238 [tid:0238] deafult iframe is eth0 [Src/ssdp/Ssdp.cpp:2494]
10:38:48|[NetProt-359601] info tid:238 [tid:0238] get ip by iframe: eth0 [Src/ssdp/Ssdp.cpp:2499]
10:38:48|[NetProt-359601] trace tid:238 Src/ssdp/Ssdp.cpp,2225: dst ip is 192.168.1.22, and response location ip is 192.168.1.108
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 0.
[
m[0m0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
00000000000
00000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000
000
0000000000000000000000
0000000000000000000000
0000000000000000000000
0000000000000000000000
10:38:48|[libenc] cover index 3 enble 0 left 264 right 352 top 216 bottom 288
10:38:48|[ENC_DRV] Privacy mask[0]: app refer[704x576], real refer[2560x1440], offset [0,0]

10:38:48|[ENC_DRV] Before Adjust: left 264, right 352, top 216, bottom 288
10:38:48|[ENC_DRV] After Adjust: left 960, right 1280, top 540, bottom 720
10:38:48|[libenc] set cover done,streamid=0,index=3
10:38:48|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[libencode] WARN  : dup Jpeg export, dump it 
00:38:49|[] debug tid:258 tracepoint: Src/CommonConfigManager.cpp, 1117.
10:38:49|[libencode] Got a command = 12, waitAck = 1, chId = 1.
10:38:49|[libencode] bdLeft 66 bdTop 54 bdRight 88 bdBottom 72
10:38:49|[libenc] set cover done,streamid=1,index=3
10:38:49|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:49|[libencode] Got a command = 12, waitAck = 1, chId = 2.
10:38:49|[libenc] set cover done,streamid=2,index=3
10:38:49|[Unknown] info DevVideoEnc.cpp 1005 tid:218 CDevVideoEnc::parseConfig SVCTLayer:1 :1
10:38:49|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:49|[Unknown] warn DevVideoEnc.cpp 1131 tid:218 Src/Media/DevVideoEnc.cpp:1131, inFormat is the same, do nothing
10:38:49|[Unknown] trace DevVideoEnc.cpp 1162 tid:218 CDevVideoEnc::setFormat channel = 0, stream = 0, size = [704, 576], fps = 0.000000, gop = 0, bitratectrl = 0, bitrate = 0 kbps, quality = 4,pack = 0, type = 3, h264profile = 3, priority = 0,----isVideoChanged = 0 encodePolicy=0----
10:38:49|[Unknown] info DevVideoEnc.cpp 1191 tid:218 Src/Media/DevVideoEnc.cpp:1191 format is same, do nothing.
10:38:49|[Unknown] trace DevVideoEnc.cpp 786 tid:218 ----libMedia-------CDevVideoEnc:setWorkFormat: width: 704, height: 576 m_stream:0
10:38:49|[libaudio] set audio encoder's format:depth=16,freq=16000,type=audioEncG711A,packetPeriod=0,srcs=1,stream=0
10:38:49|[libaudio] set frequency=16000 to codec
10:38:49|[SPF] format unchanged!
10:38:49|[libaudio] set audioDetect enable = 0, vad_sensitive = 5
10:38:49|[Unknown] trace DevAudioEnc.cpp 285 tid:218 CDevAudioEnc::stop():m_enable:1,m_run:0,@stream:0
00:38:49|[Unknown] trace DevAudioEnc.cpp 266 tid:218 CDevAudioEnc::start():m_enable:0,m_run:0,@stream:0 @channel 0
10:38:49|[Unknown] info DevVideoEnc.cpp 1005 tid:218 CDevVideoEnc::parseConfig SVCTLayer:1 :1
10:38:49|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:49|[Unknown] trace DevVideoEnc.cpp 1162 tid:218 CDevVideoEnc::setFormat channel = 0, stream = 1, size = [704, 576], fps = 
0.000000, gop = 0, bitratectrl = 0, bitrate = 0 kbps, quality = 4,pack = 0, type = 3, h264profile = 3, priority unsupport spi flash id!!!


U-Boot 2010.06-svn3070 (Mar 03 2016 - 04:24:40)
I2C:   ready
DRAM:  110 MiB
gBootLogPtr:00b80008.
spinor flash ID is 0xc81840c8
partition file version 2
rootfstype squashfs root /dev/mtdblock5
TEXT_BASE:01000000
Net:   Detected MACID:3c:ef:8c:77:ba:a0
PHY:0x001cc816,addr:0x00
phy RTL8201 init

 

[alastairstevenson]

I don't see an actual cause so far. Any ideas?

I don't see one either - it's not obvious why the sudden reboot.

 

[Jeeves]

I don't see one either - it's not obvious why the sudden reboot.

Found the cause, it's the VSync Loss.

10:38:47|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|Blind detect is happened!
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 1.
10:38:48|[libencode] bdLeft 0 bdTop 0 bdRight 22 bdBottom 18
10:38:48|[libenc] set cover done,streamid=1,index=0
10:38:47|[Unknown] trace DevVideoIn.cpp 3741 tid:218 Src/Media/DevVideoIn.cpp:3741,rotate state: 0
10:38:48|[libencode] ERROR  (HEARTB_vsyncStateDetect|116): Can't recover vsync loss, reboot system
10:38:48|[libencode] Got a command = 12, waitAck = 1, chId = 2.
10:38:48|[libpdi] Read: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: ff
10:38:48|[libpdi] Write: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: 0
10:38:48|[libpdi] pdi:system will reboot!!
10:38:48|[libenc] set cover done,streamid=2,index=0

I also noticed this (though I'm not sure if it matters since the VSync loss seems to be the reboot/problem);

PDITools - Portable Dynamic Interposition Tool
English is loaded despite calling for Chinese (Cor35vet's work):

10:38:27|[libpdi] SimpChinese
10:38:27|[Manager] info tid:218 SetLanguage(English) load file:/mnt/custom/English.txt
10:38:27|[Manager] trace tid:218 CLocales::SetLanguage()===============>>>/mnt/custom/English.txt

Then LibEnc comments about Chinese:

10:38:37|[libenc] VIDEO_moduleInit done with status 0.
10:38:37|[Unknown] info DevVideoEnc.cpp 299 tid:218 CDevVideoEnc::CDevVideoEnc>>>>maxMemSize: 7340032 Bytes packetnum=672
10:38:37|[libenc] Language: SimpChinese
10:38:37|[libenc] get streamid[0] caps,titleCount=4,coverCount=4,snapFps=1.000000

Immediately after starting Sonia it calls the camera a "HF5421E", this is never mentioned anywhere else.
You can also see it starting the HeartBeat task for Sonia.

10:38:21|[libCapture]
10:38:21|[libCapture]  Video Server - (C) 2011-2013 ZheJiang Dahua Technology.
10:38:21|[libCapture]
10:38:21|[libCapture]  AEWB   : Auto Exposure and Auto White balance Enable.
10:38:21|[libCapture]  TVOUT  : TV Out Enalbe(PAL/NTSC).
10:38:21|[libCapture]  DSP    : DSP Enalbe
10:38:21|[libCapture]  VNF    : VIDEO Noise Filter is ENABLED
10:38:21|[libCapture]  TNF    : Temporal Noise Filter is ENABLED
10:38:21|[libCapture]
10:38:21|[libCapture]  Example # ./VideoDaemon AEWB VNF &.
10:38:21|[libCapture]
10:38:21|[libCapture]  nPrdtLineId   = 2
10:38:21|[libCapture]  nSensorId   = 34
10:38:21|[libCapture]  nPrdModelId   = 161
10:38:21|[libCapture]  nHwVersionId   = 0
10:38:21|[libCapture] Product name:HF5421E!
10:38:21|CFG_prvInit_HF5421E
10:38:21|[OSA-APP] cmdTsk     Task   pid=218   tid=219
10:38:21|HEARTB_Init
10:38:21|[OSA-APP] heartB_Tsk Task   pid=218   tid=220

I'm not familiar enough with ProductTransforms, but it doesn't seem to list my camera:

10:38:27|anager] debug tid:218 setProductTransform: DeviceTypeTransform = {
   "General" : {
      "Default" : "IP Camera",
      "IPC-EB5500
" : "IP Camera",
      "IPC-EB600" : "IP Camera",
      "IPC-EBW600" : "IP Camera",
      "IPC-HDBW4800E" : "IP Camera",
      "IPC-HF5120E" : "IP Camera",
      "IPC-HF5121E" : "IP Camera",
      "IPC-HF5221E" : "IP Camera",
      "IPC-HF81200E" : "IP Camera",
      "IPC-HFW4800E" : "IP Camera",
      "IPC-HFW5401" : "IP Camera"
   }
}

Dh3InitIPC configLib
IntelliLibConfig:{
   "IPC" : null
}

I cleaned the log a bit. Error wise, this is what I see:

I'm thinking I might just try loading the Chinese firmware if I can find it. I have no clue what the VSync error is about. If all else fails I can always revert.

 

[Jeeves]

The other thing I wondered; Is since I flashed a newer version firmware, including the bootloader (I'd assume). If flashing the bootloader would be appropriate.

I'm deeply curious what tells the camera it must use Chinese/etc.

 

[alastairstevenson]

Immediately after starting Sonia it calls the camera a "HF5421E", this is never mentioned anywhere else.

Could the 'Vsync' be a feature of this model, that yours does not have, therefore the firmware considers the lack of it a fatal error?

 

[Jeeves]

Could the 'Vsync' be a feature of this model, that yours does not have, therefore the firmware considers the lack of it a fatal error?

I would assume that to be the standard 'vsync':

Vertical Sync signal (VSYNC)

Searching for Amberella and VSYNC I find very little information, but it all seems to point towards a signal that is not being acquired. But I do not know for certain. There are no damaged wires, and before digging into the firmware this was a working camera.

I found this in code comments related to the S2L board;

/**
* The data structure are read by DSP at each video output frame.
* DSP reads the data structure after the DMA completion of the
* output data. ARM receives each Vout interrrupt at vsync
* rising edge.
*/

In the kernel, vout_support is 0.

===============================
u_code version = 2016/2/2 251452.251496
===============================
hwid_value =IPC-HFW4421B:01:02:02:23:19:00:01:06:01:01:04:258:03:00:00:00:00:01:00:00:100
product_name =IPC-HFW4421B
lens_type =0
fvideo_chip = 34
10:37:53|[pdc] FlashTotalSize = 0xc0045802 10:37:53|[pdc] Both of Chief and Backup File CRC check OK! [m [OSA-APP] OSA Build on Aug 1 2016 at 19:43:08. [OSA-APP] SVN NUM: 4472. [libpdi] libpdi.so Build on Jul 28 2016 at 03:19:12. [libpdi] SVN NUM: 27977. [libpdi] Get fpga upgrade cfg failed, use default [libpdi] Support backup partition !!! [libpdi] Flashtype = 3,patSize = 40000,rwSize = 10000,ersSize = 10000 [libpdi] WARN : Device has no crypt chip! [libpdi] phyaddr= 0x6ffe000, memLen= 0x2000 Fail to get env hwidEx! [libpdi] can't find commLen cfg  [Systools]: Build on Aug 1 2016 at 17:18:10. [Systools]:SVN NUM: 26038. hwidValue == 0
vout_support =0
cap_vout =
dspChip = 25
wifi = 0
------cap_wifi = 0
product=IPC-HF4421E
Default manual len in manual
manual
IPC-HFW4421B
cap_dsp = DSP
appauto=0...

The DSP clock is also slower that expected and is warned about:

iav_check_sys_clock(1200): IDSP clock real [216000000] lower than target [240000000].
iav_check_sys_clock(1210): DSP Core clock real [216000000] lower than target [288000000].
iav_check_sys_clock(1220): DRAM clock real [528000000] lower than target [564000000].

 

[Jeeves]

Ambarella (video?) device (/dev/iav):

do {
        if (msg->err_code == ERR_CODE_VSYNC_LOSS) {
            iav->err_vsync_lost = 1;
            if (!iav->err_vsync_handling) {
                iav_debug("Vsync loss detected!\n");
                wake_up_interruptible(&iav->err_wq);
                break;
            }
        } else {
            iav->err_vsync_lost = 0;
        }

Things seem to point to a deeper issue. Hm.

 

[dahua_fanboy]

Hi, guys!

Exactly the same happened to me as it did to Jeeves
(Bricked HDBW4421. Fixed firmware doesn't start (loops))

I bricked my DAHUA IPC HDBW4421E by
mistakenly flashing it with
"DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830" from the WebUI.

Symptoms are exactly the same as Jeeves reports.

I'll try to save the cam by following the thread, but I have one
more problem than Jeeves had as I cannot even determine where
the serial RX an TX pins are on the circuit board.

(Obviously, Jeeves found the RX & TX pins himself.)

Can any of you gentlemen help me out by indicating on the two attached images, where
the serial connection is supposed to be?


I would really be grateful for a response
by someone in the great Ipcamtalk community!

(Am also writing to Jeeves.)

** Kind regards!

-----------------------------

I realize the camera isn't the latest but I bricked my HDBW4421R-AS. It was running 2.400.0.28 when I tried to flash "DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830" from the WebUI.

The camera took the firmware and rebooted and began boot looping. I could only reach it when it would ping for a short while then go offline and then start pinging again.

I pulled the camera down and connected to the TX RX pins and using the steps here:
Dahua IPC EASY unbricking / recovery over TFTP
and
Dahua IPC unbricking / recovery over serial UART and TFTP

I have tried flashing the camera with multiple versions of firmware, both Cor35vet's modded firmware and the original DH-Themis-2.400.0.28.
(...)

 

[Jeeves]

Hi, guys!

Exactly the same happened to me as it did to Jeeves
(Bricked HDBW4421. Fixed firmware doesn't start (loops))

I bricked my DAHUA IPC HDBW4421E by
mistakenly flashing it with
"DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830" from the WebUI.

Symptoms are exactly the same as Jeeves reports.

I'll try to save the cam by following the thread, but I have one
more problem than Jeeves had as I cannot even determine where
the serial RX an TX pins are on the circuit board.

(Obviously, Jeeves found the RX & TX pins himself.)

Can any of you gentlemen help me out by indicating on the two attached images, where
the serial connection is supposed to be?


I would really be grateful for a response
by someone in the great Ipcamtalk community!

(Am also writing to Jeeves.)

** Kind regards!

-----------------------------

I do not browse here often, but the pins should be easy to figure out.
In our photos, they are visible as holes in the second photo, they do not have actual pins.

I believe this has 3 holes, so RX, TX, GND, but the photo on the bottom is a decent example.
This PDF shows connection methods (on page 6, I believe):

https://dahuawiki.com/images/b/b0/IP_Camera_RS232_Operation_Instructor.pdf

I never recovered the camera. I ended up binning it.