Camera bricked after region changer hack

klasipca

Camera bricked after region changer hack *RECOVERED*

I followed all the steps exactly as listed in the other thread and my camera is bricked now. It appears the TFTP method still works as I was able to re-upload firmware, but I can't ping the camera or see it with hik tools. The camera had hacked 5.2.0 firmware. Are there steps for how to de-brick it with UART? I opened the cam and I see there is a port where to plug it in, but not sure what I need to buy for it and couldn't find anything on the actual procedure. Any help appreciated.

EDIT: Resolved!
 

jordanb

What about if you drop your pc down to the same IP range as the camera and try pinging it?
 

klasipca

I just tried setting to 192.0.0.128 and it wouldn't ping
 

acvb

I'm sure the guys who released or uphold the "free" hack idea, will help you to unbrick your camera.
 

klasipca

Actually I can ping to it and also telnet, just not sure what to do next.
 

networkcameracritic

Was this a 5.2.5 camera with 5.2.0 firmware on it? Try to telnet into the camera (Putty on Windows is free and works well). See if you can log in as admin and 12345 (or whatever your password was), if not, try root and 12345. Issue a df command and let me know what it returns. In putty, just highlight the area with the mouse, then do ctrl-v to paste it here.

Is this using the region code hack with mtd5 & 6 or using the IEfile.tar.gz hack?
 

klasipca

It was 5.1.0 camera with 5.2.0 firmware. I had the IEfile.tar.gz hack on it and then when I tried your region code hack I messed it up by changing wrong byte in mtd6 file. My fault obviously for not reading instructions carefully, but it's probably best to update instructions and list that users should update offset 16 not 16th byte which is what I've done. So, at this point I can telnet to it using root/12345 credentials:


(none) login: root
Password:
login: can't chdir to home directory '/root/'
# df
Filesystem 1K-blocks Used Available Use% Mounted on
mdev 48900 0 48900 0% /dev
/dev/ubi1_0 20264 11864 7348 62% /dav
/dev/ubi2_0 20264 11864 7348 62% /dav_sec
/dev/ubi3_0 1300 16 1184 1% /davinci
/dev/ubi4_0 1300 16 1184 1% /config
 

networkcameracritic

Ahh, so you want a second crack at changing MTD6, that makes sense. Here's the 411, I have not figured out how to mount cifs, so may not be an option, but you are in luck, this special "root" version has an ftp server daemon in busybox. Just enter - ftpd &. Then log in with FTP from your PC with the root and 12345 password and FTP the fixed MTD6 back to the camera, like in /tmp or root, check to see if space is available with df -h command for /tmp and /. Then FTP the erase and nandwrite and run it from there, like /tmp/nandwrite /tmp/mtd6_temp /dev/mtd6. Never done it this way, but it's a chance.
 

klasipca

Not giving up hope... :)

So I was able to ftp mtd5/mtd6, but there is no flash_eraseall command available. Is there any other way to delete those?
 

networkcameracritic

Not that I know of, just FTP flash_eraseall, erase the flash, delete the command, then copy nandwrite over, do that, erase the files and reboot.
 

klasipca

That doesn't work if I simply ftp flash_eraseall file from mutil to the tmp folder. It gives Permission denied when I try to run it
 

klasipca

(none) login: root
Password:
login: can't chdir to home directory '/root/'
# ls
lib usr bin etc dev digicap.dav
sbin home dav sys proc test
davinci config dav_sec VERSION init
# cd test
# ls
mtd5_temp.bak mtd6_temp.bak flash_eraseall
# /flash_eraseall /dev/mtd5
-sh: /flash_eraseall: not found
# flash_eraseall /dev/mtd5
-sh: flash_eraseall: Permission denied


I ftp two files ._flash_eraseall & flash_eraseall from the sbin folder


Update:

It turned out that I could just delete mtd5 /mtd6 file using ftp client. Then I tried several things:

1. Tried manually copying these files via ftp and it seemed to work, although the permissions were different and the size. I rebooted and permissions and file size look normal, so I am not sure if any changes were done

2. I tried using nandflash command, but got an error:


# nandwrite /dev/mtd6 /test/mtd6_temp.bak
nandwrite: can't open '/dev/mtd6': No such file or directory



3. Then I tried copying existing file and run the command again:


# nandwrite /dev/mtd6 /test/mtd6_temp.bak
nandwrite: ioctl 0x80204d01 failed: Inappropriate ioctl for device
 

networkcameracritic

Do a chmod 777 flash_eraseall and the same for nandwrite. Execute it by going to that directory and entering ./flash_eraseall /dev/mtd6 and then ./nandwrite command. Check my first post for syntax but I believe you have it backwards on the nandwrite command.
 

klasipca

My unsuccessful attempts so far:

(none) login: root
Password:
Login incorrect
(none) login: root
Password:
login: can't chdir to home directory '/root/'
# ls
lib davinci home bin dav_sec sys tmp proc
sbin usr config dav etc VERSION dev init
# mkdir test
# ls
lib davinci home bin dav_sec sys tmp proc test
sbin usr config dav etc VERSION dev init
# cd test
# chmod 777 flash_eraseall
# ls
flash_erase flash_eraseall
# flash_eraseall /dev/mtd6
flash_eraseall has been replaced by `flash_erase <mtddev> 0 0`; please use it
./flash_eraseall: exec: line 4: flash_erase: Permission denied
# chmod 777 flash_erase
# flash_eraseall /dev/mtd6
flash_eraseall has been replaced by `flash_erase <mtddev> 0 0`; please use it
Erasing 128 Kibyte @ 60000 -- 100 % complete
# nandwrite /test/mtd6_temp.bak /dev/mtd6
nandwrite: can't open '/test/mtd6_temp.bak': No such file or directory
# ls
flash_eraseall flash_erase
# flash_erase /dev/mtd6
flash_erase: error!: no start erase block specified
flash_erase: error!: no erase block count specified
flash_erase: error!: Try `--help' for more information
# ls
flash_eraseall flash_erase mtd5_temp.bak mtd6_temp.bak
# flash_erase /dev/mtd6
 

networkcameracritic

With this message, it means you didn't read what I posted. The syntax would be ./nandwrite -o /dev/mtd6 mtd6_temp.bak. Don't use the nandwrite that's on the camera.

# nandwrite /test/mtd6_temp.bak /dev/mtd6
nandwrite: can't open '/test/mtd6_temp.bak': No such file or directory
 

copex

Hi, don't know if it will help, this is a log of the commands as I typed them, path worked 100%

# ./nanddump -nof mtd5_temp /dev/mtd5
Block size 131072, page size 2048, OOB size 64
Dumping data starting at 0x00000000 and ending at 0x00080000...
#
# ./nanddump -nof mtd6_temp /dev/mtd6
Block size 131072, page size 2048, OOB size 64
Dumping data starting at 0x00000000 and ending at 0x00080000...
#
# ./flash_eraseall /dev/mtd5
flash_eraseall has been replaced by `flash_erase <mtddev> 0 0`; please use it
Erasing 128 Kibyte @ 60000 -- 100 % complete
# ./flash_eraseall /dev/mtd6
flash_eraseall has been replaced by `flash_erase <mtddev> 0 0`; please use it
Erasing 128 Kibyte @ 60000 -- 100 % complete
# ./nandwrite -o /dev/mtd5 mtd5_temp
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
Writing data to block 2 at offset 0x40000
Writing data to block 3 at offset 0x60000
# ./nandwrite -o /dev/mtd6 mtd6_temp
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
Writing data to block 2 at offset 0x40000
Writing data to block 3 at offset 0x60000
#
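
An added example, not part of any post in this thread: a check to run on the PC before uploading a hand-edited mtd6 image, confirming that it still has the 0x80000-byte size shown in the nanddump output and differs from the backup only at 0-based offset 16 (the offset-versus-16th-byte slip described earlier in the thread). The function names and file names are hypothetical, and a POSIX shell with cmp, awk and dd is assumed.

```shell
#!/bin/sh
# Added example; helper and file names are hypothetical.
# Size comes from the nanddump output in the thread:
# dump ends at 0x00080000 = 524288 bytes (4 erase blocks x 131072).
MTD_SIZE=524288

# Print the 0-based offsets at which two files differ, one per line.
# cmp -l reports 1-based byte numbers, so subtract 1.
changed_offsets() {
    cmp -l "$1" "$2" 2>/dev/null | awk '{ print $1 - 1 }'
}

# Succeed only if both files are exactly MTD_SIZE bytes and differ at
# exactly one byte, located at 0-based offset $3.
check_patch() {
    orig=$1 patched=$2 want=$3
    for f in "$orig" "$patched"; do
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -eq "$MTD_SIZE" ] || { echo "size $size: $f" >&2; return 1; }
    done
    diffs=$(changed_offsets "$orig" "$patched")
    [ "$diffs" = "$want" ] || {
        echo "expected change at offset $want, found: ${diffs:-none}" >&2
        return 1
    }
}

# Overwrite one byte of file $1 at 0-based offset $2 with octal value $3.
poke() {
    printf "\\$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Constructed demo data: an all-zero image, patched once at offset 16
# and once with the mistake from the thread (16th byte = offset 15).
demo() {
    d=$(mktemp -d)
    dd if=/dev/zero of="$d/orig" bs=131072 count=4 2>/dev/null
    cp "$d/orig" "$d/good"; poke "$d/good" 16 001
    cp "$d/orig" "$d/bad";  poke "$d/bad"  15 001
    check_patch "$d/orig" "$d/good" 16 && echo "good: ok"
    check_patch "$d/orig" "$d/bad"  16 || echo "bad: rejected"
    rm -rf "$d"
}
demo
```
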
 

harrijs

Can you post the output of
cat flash_erase
? It looks like there are some parameters that are being passed incorrectly or not at all in the script. I don't have a camera to test this on, but I do have extensive (>10 years) unix/linux experience. It looks like you guys are getting close on this.
 

networkcameracritic

Yes, do not cat it, it may mess up your telnet session. These are programs that are part of the open source MTDUtils.
 