Dahua Cameras... Firmware / Region Locks

hook3m

Sep 8, 2015
I thought only Hikvision locked down their cameras by region and specific firmware and Dahua was wide open. Today I was looking to purchase a Dahua on eBay and noticed sellers are selling them like Hikvisions: "Chinese product / English Firmware / can't be upgraded". Lots of Dahua eBay listings state firmware can't be upgraded, just like the Chinese Hiks. Did Dahua make a change?
 
They are not locked, but there are Chinese-only models that sellers are dropping English localization files onto.
 
They have English and Chinese firmware images; the Chinese ones have a check in the main server application (sonia) for whether any language is loaded that is not SimpChinese.
The camera will quit if you modify the Chinese firmware, so you have to patch sonia first (and upgraded has a check too to reject firmware with a different language, so you can't flash English firmware on a Chinese camera).
I've patched these things in my firmware with IDA Pro: https://www.ipcamtalk.com/showthread.php/13591-Dahua-Firmware-Mod-Kit-Modded-Dahua-Firmware

Right now there is no other signing/verification/crypto going on on the camera, but I've seen references in the code that suggest that they are working/have some cameras with this feature.
I've also requested GPL code for Das U-Boot (Bootloader), the Linux Kernel and BusyBox from Dahua. This way even if they fuck up future firmware we could find a way around it (cat and mouse game - I hope they don't do this however....)
 
Thanks... Was hoping buying Dahua online was less of a minefield than Hik.
 
Is there any physical difference in the hardware between the region variants? No 50/60Hz circuitry difference, or is that all taken care of by the SoC?

I noticed from logging in via telnet that my SD-22204T-GN uses the Ambarella S2L camera SoC which provides all of the camera's features in hardware. The spec sheet lists some additional useful hardware features that are apparently not implemented by Dahua - fish eye dewarping, and number plate and facial recognition. Seems odd to exclude decent tech which is onboard.
 
You are godlike for acquiring this information and sharing the firmware!

One question out of curiosity: I understand from the above text that the checks are in the firmware and in the application server software (sonia).
Does that mean that once your modified firmware is flashed (and so sonia is patched), and afterwards an official US firmware is flashed, then your camera is now officially a US device (you can now always install any official US firmware provided they don't check in the future on a modified sonia)?
 
Well, you'd certainly be able to flash a US firmware image if you have one that supports your device. I have not found an image for the newer Eos (gen 3) cameras, only previous Themis (gen 2) cameras.
And from that US image you'd also be able to flash another US image. Probably not the Chinese one however, unless you change the Chinese check.img.raw to English:
Code:
   "DefaultLanguage" : "SimpChinese",
   "DefaultVideoStandard" : "PAL",
   "SupportLanguages" : "SimpChinese",

I would not recommend using the US images as they seem to lack some features (H265 because of licensing issues...)
You are free to experiment however, the check.img will prevent you from flashing an incompatible firmware image.
 
Thank you for the answer and amazing work. Looks like things are about to get very interesting in the Dahua-universe (thanks to your findings everything is now wide-open).
I would have volunteered to experiment on my Themis camera (4421c) so we could get a modified themis-firmware too, but unfortunately I don't know anything about serial access.

I also wonder if an official firmware changelog is known (so we know whether it is interesting to update to a certain version).