Dahua Firmware Mod Kit + Modded Dahua Firmware

OKAY LOL I just tried it again for shits and giggles to get a U-Boot console while I was failing miserably before.
You have to hold down * key before and during the camera boots and make sure that RX and TX are connected correctly <- this must be where I fucked up. At least it was a good learning experience ^^

U-Boot 2010.06-svn3089 (Jul 22 2016 - 19:15:59)
DRAM: 1 GiB
gBootLogPtr:80b80008.
Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x18 0xC8 0x40 0x18
Spi(cs1): Block:64KB Chip:16MB Name:"GD25Q128"
partition file version 2
rootfstype squashfs root /dev/mtdblock7
In: serial
Out: serial
Err: serial
TEXT_BASE:81000000
Net: PHY found at 3

Hit any key to stop autoboot: 0
> ********************************************
Unknown command '********************************************' - try 'help'
> help
? - alias for 'help'
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootf - boot from flash
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase config and backup partition.

cmp - memory compare
cp - memory copy
crc32 - checksum calculation
crypt - crypt
erasepart- erasepart

exit - exit script
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flwrite - flwrite - write data into FLASH memory

fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
hwid - hwid - set hardware id and save to flash

kload - kload - load uImage file from parttion

lip - lip - set local ip address but not save to flash

loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
logsend - get log buf
loop - infinite loop on address range
ls - list files in a directory (default /)
mac - mac - set mac address and save to flash

md - memory display
memsize - memsize - set mem size

mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
partition- print partition information
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault -recover default env

reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
showvar - print local hushshell variables
sip - sip - set server ip address but not save to flash

sleep - delay execution for some time
smi - MII utility commands
sync_uboot- sync_uboot - sync uboot to uboot-bak

test - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true - do nothing, successfully
uartUp - uartUp- update image via uart using uart4

usleep - delay execution for some time
version - print monitor version
>

I will make a tutorial right now on how to unbrick your camera using only serial and a TFTP server on your PC.
Using this cheap thing here: Replace FT232 6Pin USB 2.0 to TTL UART Module Serial Converter CP2102 STC
And connecting two wires:
IPC-HFW4431M-SERIAL-UART.jpg
 
As an eBay Associate IPCamTalk earns from qualifying purchases.
  • Like
Reactions: tangent, alastairstevenson, keithshlo and 1 other person
on a lot of boot loaders holding down any key does the job. sometimes they ask for a password at that point.
 
cor35vet said:
If they turn off that means that the camera started, are you sure it doesn't ping?
Telnet should be running on it at the least but it could be that the camera is bootlooping so you need to be quick?
Click to expand...

Hi cor35vet, I finally had a chance to take down the camera from the eave. This time, when I tried to start it up, I could see that the IR lights stayed on all the time. What does that mean? Does it mean the bootloader is not functional? Please let me know what can be done. Thanks a lot for your advice.
 
keithshlo said:
Hi cor35vet, I finally had a chance to take down the camera from the eave. This time, when I tried to start it up, I could see that the IR lights stayed on all the time. What does that mean? Does it mean the bootloader is not functional? Please let me know what can be done. Thanks a lot for your advice.
Click to expand...
Mmmh, sucks :/
The bootloader should be good still.
It is stuck somewhere - probably the same that happened on my camera too, sorry for that - I updated the firmware within a few minutes after posting it and was hoping that noone has flashed it D:

However I have written up a tutorial here on how to rescue your camera: Dahua IPC unbricking / recovery over serial UART and TFTP
In your case I think it should suffice if you simply ran: setenv dh_keyboard 0 and save then boot.
On the bright side: The dongle is dirt cheap, it's a learning experience and the dongle might prove itself useful again later? ^^
 
Thanks very much cor35vet for your help. I just opened up my camera. The circuit board looks different than yours. Please see attached.

dahua 4431CA.jpg

In the top right corner, there are two available places near the screw where I can attach the wires. One has two holes and the other one has 4 holes. I am not sure where I should attach my two wires. Please advise. Thanks a lot for your help.
 
  • Like
Reactions: fabads
its going to be that 4 pad, if you look carefully at his image he has 4 pads and the same silk screen arround em..
 
Last edited:
The 2 pad one is probably the reset "button". And yeah it has to be the 4 pin, it's the same silk screen around as on mine, just rotated.
I'd guess the two pads on the left: RX, TX.
The one on the far right should be +3.3V and the one next to it GND.

So looking at the picture and labeling them from left to right:
RX, TX, GND, VCC

GND is also nicely visible as it doesn't have a "leg", it's just the ground plane.
 
  • Like
Reactions: keithshlo and nayr
Thanks for your expert advice. You guys are super. I'll order the CP2102 dongle then. It'll be a learning experience for me. Will keep you posted.
 
It might become a waiting experience because chinese new year is around the corner :/
Not sure if you have any radio shack close to you (if they still exist) or something like that which might have these things.
Or there are some on amazon.com for <$5 depending on how quick you wanna get the camera going.
 
Thanks for the hint. I would love to get the camera going again asap. However, I live in Canada and may not be able to get things from Amazon.com. Amazon.ca has the dongle but it's sold by 3rd party sellers. The item is also shipped from China (>15 business days).
 
The other pins are mostly useful if you're using special software to use it for other protocols.
 
Thanks to everyone for your valuable advice. The US seller doesn't ship to Canada. I ordered the items from the Chinese sellers. Guess I'll have to wait until the end of next month. Will keep you posted.
 
I connected serial comms according to this picture which shows a 4431C-A board.
Note that I could read the serial output at 115kbps, but never achieved interrupting u-boot with '*' which has worked for me in the past with other dahua products.

Would be curious to find out whether others will succeed.
 

Attachments

  • IMG_5288.JPG
    IMG_5288.JPG
    1.8 MB · Views: 107
If you have telnet access do dh_keyboard 1 to get a shell on serial, then you can check if you can type anything, if that works run reboot and hold down ******************. That worked for me.
 
Why didn't I think of that one before... might give this another shot ;)
ps, I think you meant setting it to 0, not 1 ...
 
For the sake of science, just tried the '*' interrupting again and it works, I can now fiddle around in u-boot ;)
Found out as mentioned earlier by cor35vet that it is very important to already press '*' before connecting power again.

Note that my FTDI dongle was set at 3.3v using its onboard jumper.
 
Last edited:
You must log in or register to reply here.
Top Bottom