Dahua Firmware Mod Kit + Modded Dahua Firmware

[alastairstevenson]

Different U-boot compiles can use different characters to go to the command prompt.
I've cameras that don't have the 'Control-U to stop' prompt that respond to Escape and Return.

 

[bob_vis]

Hello!
Thank you for your work!
I sew through the Web interface DH_IPC-HDW4431C-A. Need Russian.
It's okay. Tested.

 

[nayr]

i dont htink he has any russian translation files; you'll likely need to rip it off a Russian language camera and send it to him.

 

[cor35vet]

Hello!
Thank you for your work!
I sew through the Web interface DH_IPC-HDW4431C-A. Need Russian.
It's okay. Tested.

I don't understand what you said.
Do you need russian firmware for IPC-HDW4431C-A?

First post: Dahua Firmware Mod Kit + Modded Dahua Firmware

For Eos (3rd gen) cameras:

Spoiler

https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.bin
Software Version: 2.420.0000.22.R, Build Date: 2016-12-09
MD5Sum: 1b8850f822860259ed7d1fd63f18220d
SHASum: 8256ae16dbee7cfa0910dbef5228b2ef151d0a73

Compatible cameras according to Dahua:

Spoiler

DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2

Based off of official English firmware with following noteworthy changes:

• English, French, Spanish and Russian language.
• PAL/NTSC
• Unlocked some web GUI features/options.
  • Disable P2P: Network -> TCP/IP -> Easy4ip
• Hacked Playback to also work with NAS/NFS.
  • Playback tab will be enabled when you have an SD card (default) or enabled NAS/NFS feature. (F5 after you added a NAS)
  • Added option to select NAS instead of SD, obviously...
  • I barely tested it but it seemed to play fine... feedback welcome.
  • FTP can not be supported, stop using it, it's awful.
• Unlocked all IVS modes.
• Disabled "CloudUpgradeServer".
• Telnet enabled permanently on port 2300.

Has russian language, need to switch it in the settings:

Though not everything is translated because the translation I got from another user was from 2014-2015, should be good enough though.

 

[bob_vis]

I don't understand what you said.

This is Google translator!
Thank you very much for your work!
Everything is working!

 

[bob_vis]

Have something to fix!

 

[nayr]

use IE (not Edge) or Safari, or SmartPSS.. looks like your on chrome and its not loading browser plugin.

 

[keithshlo]

I found a local store that sells electronic parts. I would like to know if I can use the following to restore my camera.

USB To RS232 TTL UART Auto Converter Cable Adapter Module For Arduino

Please advise. Thanks very much for your help.

 

[cor35vet]

I found a local store that sells electronic parts. I would like to know if I can use the following to restore my camera.

USB To RS232 TTL UART Auto Converter Cable Adapter Module For Arduino

Please advise. Thanks very much for your help.

Yes, it should work just the same.

 

[resegun]

TFTP is not going to work unless someone figures out how to use "upgrade_info_7db780a713a4.txt"
I'd love to be the one that figures it out but I have no idea how to load the bootloader into IDA.

I've spent some time reversing how the bootloader tries to do this update. It turns out that "upgrade_info_7db780a713a4.txt" contains a bunch of u-boot commands which are executed in sequence (with a couple of extra lines at the beginning of the file).
The first line contains the crc32 of the rest of the file, while the second line contains a fixed string.

So the upgrade file looks like:

CRC:<crc32 (in decimal) of the rest of the file, starting from the next line>
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
command1
command2
command3
...

Note that u-boot does not check the 'CRC' and 'MagicString' labels (I made them up, you can put anything there), it just scans the line until it finds the ':', and whathever finds after that is the crc32 (1st line) or the magic string (2nd line).
The text file can use LF or CR/LF as line separators.

In case of failure (e.g. "upgrade_info_7db780a713a4.txt" not found, crc32 does not match, magic string does not match, etc.), the bootloader tries to transfer a file named "failed.txt", otherwise it tries to transfer a file named "success.txt". It does not seem to do anything with the content of the file (as a matter of facts, it also ignores if the transfer succeeds or fails).

The network configuration is based on the following environment variables (with the default value listed next to them):

Camera IP config:

autolip 192.168.1.108
autogw 192.168.1.1
autonm 255.255.255.0

TFTP server IP:

autosip 192.168.254.254

Note that the camera and the TFTP server are on different networks, so make sure to configure your network properly in order for the TFTP transfer to take place.

The following is simple python script to generate the "upgrade_info_7db780a713a4.txt" from a file containig a list of commands:

#!/usr/bin/env python
import zlib
import sys
input_file=sys.argv[1]
with open(input_file, 'rb') as cmdfile:
    data=cmdfile.read()
    checksumed_data = b'MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62\n' + data
    crc = zlib.crc32(checksumed_data) & 0xffffffff
    crc_str = str(crc).encode("ascii")
    output_data = b'CRC:' + crc_str + b'\n' + checksumed_data
    with open("upgrade_info_7db780a713a4.txt", 'wb') as outfile:
        outfile.write(output_data)

As a test, I created a simple command file which contains a ping to the TFTP server IP address. In this way, I can figure out if the command is effectively executed by u-boot by looking at the packet capture.

Text file with the command(s) to execute:

> cat commands.txt
ping 192.168.254.254

Generate the corresponding "upgrade_info_7db780a713a4.txt":

> ./generate_upgrade_info.py commands.txt

Resulting file:

> cat upgrade_info_7db780a713a4.txt
CRC:2819959008
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
ping 192.168.254.254

After booting the camera, I can see from the tftp server logs that u-boot transfers both "upgrade_info_7db780a713a4.txt" and "success.txt":

Feb 13 20:41:36 linux in.tftpd[4237]: connect from ::ffff:192.168.1.108 (::ffff:192.168.1.108)
Feb 13 20:41:36 linux tftpd[4238]: tftpd: trying to get file: upgrade_info_7db780a713a4.txt
Feb 13 20:41:36 linux tftpd[4238]: tftpd: serving file from /srv/tftp
Feb 13 20:41:36 linux in.tftpd[4239]: connect from ::ffff:192.168.1.108 (::ffff:192.168.1.108)
Feb 13 20:41:36 linux tftpd[4240]: tftpd: trying to get file: success.txt
Feb 13 20:41:36 linux tftpd[4240]: tftpd: serving file from /srv/tftp

Also, the packet capture shows the same TFTP transfers, and the ping to the TFTP server IP address, confirming that the command has been executed by u-boot:

57   14.951755   192.168.1.108   192.168.254.254   TFTP   111   Read Request, File: upgrade_info_7db780a713a4.txt, Transfer type: octet, timeout=1, tsize=0, blksize=1468
58   14.956915   192.168.254.254   192.168.1.108   TFTP   131   Data Packet, Block: 1 (last)
59   14.959557   192.168.1.108   192.168.254.254   TFTP   60   Acknowledgement, Block: 1
62   15.153631   192.168.1.108   192.168.254.254   ICMP   60   Echo (ping) request  id=0x0000, seq=0/0, ttl=255 (reply in 63)
63   15.153902   192.168.254.254   192.168.1.108   ICMP   42   Echo (ping) reply    id=0x0000, seq=0/0, ttl=63 (request in 62)
91   15.563283   192.168.1.108   192.168.254.254   TFTP   93   Read Request, File: success.txt, Transfer type: octet, timeout=5, tsize=0, blksize=1468
92   15.568086   192.168.254.254   192.168.1.108   TFTP   55   Data Packet, Block: 1 (last)
93   15.570812   192.168.1.108   192.168.254.254   TFTP   60   Acknowledgement, Block: 1

It should be possible to flash the firmware using the same u-boot commands described in Dahua IPC unbricking / recovery over serial UART and TFTP (I haven't tried since I have no need at this moment).

 

[cor35vet]

I've spent some time reversing how the bootloader tries to do this update. It turns out that "upgrade_info_7db780a713a4.txt" contains a bunch of u-boot commands which are executed in sequence (with a couple of extra lines at the beginning of the file).
The first line contains the crc32 of the rest of the file, while the second line contains a fixed string.

So the upgrade file looks like:

CRC:<crc32 (in decimal) of the rest of the file, starting from the next line>
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
command1
command2
command3
...

Note that u-boot does not check the 'CRC' and 'MagicString' labels (I made them up, you can put anything there), it just scans the line until it finds the ':', and whathever finds after that is the crc32 (1st line) or the magic string (2nd line).
The text file can use LF or CR/LF as line separators.

In case of failure (e.g. "upgrade_info_7db780a713a4.txt" not found, crc32 does not match, magic string does not match, etc.), the bootloader tries to transfer a file named "failed.txt", otherwise it tries to transfer a file named "success.txt". It does not seem to do anything with the content of the file (as a matter of facts, it also ignores if the transfer succeeds or fails).

The network configuration is based on the following environment variables (with the default value listed next to them):

Camera IP config:

autolip 192.168.1.108
autogw 192.168.1.1
autonm 255.255.255.0

TFTP server IP:

autosip 192.168.254.254

Note that the camera and the TFTP server are on different networks, so make sure to configure your network properly in order for the TFTP transfer to take place.

The following is simple python script to generate the "upgrade_info_7db780a713a4.txt" from a file containig a list of commands:

#!/usr/bin/env python
import zlib
import sys
input_file=sys.argv[1]
with open(input_file, 'rb') as cmdfile:
    data=cmdfile.read()
    checksumed_data = b'MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62\n' + data
    crc = zlib.crc32(checksumed_data) & 0xffffffff
    crc_str = str(crc).encode("ascii")
    output_data = b'CRC:' + crc_str + b'\n' + checksumed_data
    with open("upgrade_info_7db780a713a4.txt", 'wb') as outfile:
        outfile.write(output_data)

As a test, I created a simple command file which contains a ping to the TFTP server IP address. In this way, I can figure out if the command is effectively executed by u-boot by looking at the packet capture.

Text file with the command(s) to execute:

> cat commands.txt
ping 192.168.254.254

Generate the corresponding "upgrade_info_7db780a713a4.txt":

> ./generate_upgrade_info.py commands.txt

Resulting file:

> cat upgrade_info_7db780a713a4.txt
CRC:2819959008
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
ping 192.168.254.254

After booting the camera, I can see from the tftp server logs that u-boot transfers both "upgrade_info_7db780a713a4.txt" and "success.txt":

Feb 13 20:41:36 linux in.tftpd[4237]: connect from ::ffff:192.168.1.108 (::ffff:192.168.1.108)
Feb 13 20:41:36 linux tftpd[4238]: tftpd: trying to get file: upgrade_info_7db780a713a4.txt
Feb 13 20:41:36 linux tftpd[4238]: tftpd: serving file from /srv/tftp
Feb 13 20:41:36 linux in.tftpd[4239]: connect from ::ffff:192.168.1.108 (::ffff:192.168.1.108)
Feb 13 20:41:36 linux tftpd[4240]: tftpd: trying to get file: success.txt
Feb 13 20:41:36 linux tftpd[4240]: tftpd: serving file from /srv/tftp

Also, the packet capture shows the same TFTP transfers, and the ping to the TFTP server IP address, confirming that the command has been executed by u-boot:

57   14.951755   192.168.1.108   192.168.254.254   TFTP   111   Read Request, File: upgrade_info_7db780a713a4.txt, Transfer type: octet, timeout=1, tsize=0, blksize=1468
58   14.956915   192.168.254.254   192.168.1.108   TFTP   131   Data Packet, Block: 1 (last)
59   14.959557   192.168.1.108   192.168.254.254   TFTP   60   Acknowledgement, Block: 1
62   15.153631   192.168.1.108   192.168.254.254   ICMP   60   Echo (ping) request  id=0x0000, seq=0/0, ttl=255 (reply in 63)
63   15.153902   192.168.254.254   192.168.1.108   ICMP   42   Echo (ping) reply    id=0x0000, seq=0/0, ttl=63 (request in 62)
91   15.563283   192.168.1.108   192.168.254.254   TFTP   93   Read Request, File: success.txt, Transfer type: octet, timeout=5, tsize=0, blksize=1468
92   15.568086   192.168.254.254   192.168.1.108   TFTP   55   Data Packet, Block: 1 (last)
93   15.570812   192.168.1.108   192.168.254.254   TFTP   60   Acknowledgement, Block: 1

It should be possible to flash the firmware using the same u-boot commands described in Dahua IPC unbricking / recovery over serial UART and TFTP (I haven't tried since I have no need at this moment).

YOU ARE A GOD!!!
You should definitely tell us (me especially :v) how you reversed the bootloader, I failed at loading it into IDA Pro since it requires manual loading and I have never bothered with how that works.

I will expand/replace my unbrick tutorial with your findings.

Edit: This means easy restoring and dumping of firmware, getting root access to basically every dahua camera without messing with serial!

 

[resegun]

YOU ARE A GOD!!!
You should definitely tell us (me especially :v) how you reversed the bootloader, I failed at loading it into IDA Pro since it requires manual loading and I have never bothered with how that works.

I will expand/replace my unbrick tutorial with your findings.

Edit: This means easy restoring and dumping of firmware, getting root access to basically every dahua camera without messing with serial!

This is the way I loaded dhboot.bin.img extracted from DH_IPC-HX4XXX-Eos_Chn_PN_Stream3_V2.420.0000.22.R.20161209.bin.

First of all, load the file into IDA as usual (as "U-Boot image", just uncheck "Enabled" under "Analysis" while loading the file, so it does not start auto analysis).

IDA will load the bootloader at address 0x90000 (the address it finds in the u-boot header, but at this point it does not matter if that is not the real load address).
The objective is to move the segment later so it matches the address space layout after u-boot performs relocation.

As a reference, let's take the u-boot source code shipped with the Hi3516A SDK (it's not the same, but it can give us some hints).

Let's try to identify first the entry point (_start).

From u-boot-2010.06/arch/arm/cpu/hi3516a/start.S:

.globl _start
_start: b       reset
        ldr     pc, _undefined_instruction
        ldr     pc, _software_interrupt
        ldr     pc, _prefetch_abort
        ldr     pc, _data_abort
        ldr     pc, _not_used
        ldr     pc, _irq
        ldr     pc, _fiq

_undefined_instruction: .word undefined_instruction
_software_interrupt:    .word software_interrupt
_prefetch_abort:        .word prefetch_abort
_data_abort:            .word data_abort
_not_used:              .word not_used
_irq:                   .word irq
_fiq:                   .word fiq
_pad:                   .word 0x12345678 /* now 16*4=64 */
__blank_zone_start:
.fill 1024*4,1,0
__blank_zone_end:

Note that the word at _pad has value 0x12345678, so it's pretty straightforward to identify its location using IDA "Search->Sequence of bytes..." (looking for the value 78 56 34 12 since little endian). We can then go back a few instruction to the location of the first instruction (b reset):

seg000:00090800                 DCB 0x1A      <=== THIS IS "b reset" (at label _start)
seg000:00090801                 DCB    4
seg000:00090802                 DCB    0
seg000:00090803                 DCB 0xEA ; O
seg000:00090804                 DCB 0x14
seg000:00090805                 DCB 0xF0 ; =
seg000:00090806                 DCB 0x9F ; ƒ
[...]
seg000:00090837                 DCB 0x81 ; ü
seg000:00090838                 DCB 0xA0 ; á
seg000:00090839                 DCB 0x14
seg000:0009083A                 DCB    0
seg000:0009083B                 DCB 0x81 ; ü
seg000:0009083C                 DCB 0x78 ; x    <=== THIS IS 0x12345678
seg000:0009083D                 DCB 0x56 ; V    <===
seg000:0009083E                 DCB 0x34 ; 4    <===
seg000:0009083F                 DCB 0x12        <===

Point the cursor at 0x00090800 and press 'c' to convert to code:

seg000:00090800 ; ---------------------------------------------------------------------------
seg000:00090800                 B               unk_91870 <=== "b reset"
seg000:00090800 ; ---------------------------------------------------------------------------

The "reset" code from start.S looks like:

reset:
        /*
         *  read system register REG_SC_GEN2
         *  check if ziju flag
         */
        ldr     r0, =SYS_CTRL_REG_BASE
        ldr     r1, [r0, #REG_SC_GEN2]
        ldr     r2, =0x7a696a75          /* magic for "ziju" */
        cmp     r1, r2
        bne     normal_start_flow
        mov     r1, sp                   /* save sp */
        str     r1, [r0, #REG_SC_GEN2]  /* clear ziju flag */

        /* init PLL/DDRC/pin mux/... */
        ldr     r0, _blank_zone_start
        ldr     r1, _TEXT_BASE
        sub     r0, r0, r1
        ldr     r1, =RAM_START_ADRS
        add     r0, r0, r1
        mov     r1, #0x0                 /* flags: 0->normal 1->pm */
        bl      init_registers           /* init PLL/DDRC/... */

        ldr     r0, =SYS_CTRL_REG_BASE
        ldr     r1, [r0, #REG_SC_GEN2]
        mov     sp, r1                   /* restore sp */
        ldr     r1, [r0, #REG_SC_GEN3]
        mov     pc, r1                   /* return to bootrom */

From IDA, the equivalent code looks like:

seg000:00091870 loc_91870                               ; CODE XREF: seg000:00090800
seg000:00091870                 LDR             R0, =0x20050000
seg000:00091874                 LDR             R1, [R0,#0x140]
seg000:00091878                 LDR             R2, =0x7A696A75
seg000:0009187C                 CMP             R1, R2
seg000:00091880                 BNE             loc_918E0   <== THIS IS "normal_start_flow"
seg000:00091884                 MOV             R1, SP
seg000:00091888                 STR             R1, [R0,#0x140]
seg000:0009188C                 LDR             R0, =0x81000040
seg000:00091890                 LDR             R1, =0x81000000
seg000:00091894                 SUB             R0, R0, R1
seg000:00091898                 LDR             R1, =0x4010500
seg000:0009189C                 ADD             R0, R0, R1
seg000:000918A0                 MOV             R1, #0
seg000:000918A4                 BL              unk_91CF8
seg000:000918A8                 LDR             R0, =0x20050000
seg000:000918AC                 LDR             R1, [R0,#0x140]
seg000:000918B0                 MOV             SP, R1
seg000:000918B4                 LDR             R1, [R0,#0x144]
seg000:000918B8                 MOV             PC, R1

Follow the link to the "normal_start_flow" (loc_918E0), which contains the code doing relocation.

From start.S, this is the part of "normal_start_flow" which relocates the code from _start to _TEXT_BASE, and then jumps to the C code at _start_armboot:

[...]
        @ relocate U-Boot to RAM
        adrl    r0, _start              @ r0 <- current position of code
        ldr     r1, _TEXT_BASE          @ test if we run from flash or RAM
        cmp     r0, r1                  @ don't reloc during debug
        beq     stack_setup

        ldr     r2, _armboot_start
        ldr     r3, _bss_start
        sub     r2, r3, r2              @ r2 <- size of armboot
        add     r2, r0, r2              @ r2 <- source end address

copy_loop:                              @ copy 32 bytes at a time
        ldmia   r0!, {r3 - r10}         @ copy from source address [r0]
        stmia   r1!, {r3 - r10}         @ copy to   target address [r1]
        cmp     r0, r2                  @ until source end addreee [r2]
        ble     copy_loop
[...]
        ldr     pc, _start_armboot      @ jump to C code

_start_armboot: .word start_armboot

The equivalent from IDA:

seg000:000919C8                 ADRL            R0, loc_90800     <=== loc_90800 = _start
seg000:000919D0                 LDR             R1, =0x81000000   <=== THIS IS _TEXT_BASE
seg000:000919D4                 CMP             R0, R1
seg000:000919D8                 BEQ             loc_919FC
seg000:000919DC                 LDR             R2, =0x81000000
seg000:000919E0                 LDR             R3, =0x8102E4B4
seg000:000919E4                 SUB             R2, R3, R2
seg000:000919E8                 ADD             R2, R0, R2
seg000:000919EC
seg000:000919EC loc_919EC                               ; CODE XREF: seg000:000919F8j
seg000:000919EC                 LDMIA           R0!, {R3-R10}
seg000:000919F0                 STMIA           R1!, {R3-R10}
seg000:000919F4                 CMP             R0, R2
seg000:000919F8                 BLE             loc_919EC
[...]
seg000:00091A2C                 LDR             PC, =0x81001808   <=== THIS IS _start_armboot
seg000:00091A2C ; ---------------------------------------------------------------------------
seg000:00091A30 dword_91A30     DCD 0x81001808          ; DATA XREF: seg000:00091A2C
seg000:00091A34 ; ---------------------------------------------------------------------------

So we have:
1 - what is at 0x00090800 will be at 0x81000000 after relocation;
2 - the address of _start_armboot after relocation is 0x81001808.

Because of [1], we need to adjust the segment start address to be 0x81000000 - (0x00090800-0x00090000) = 0x80fff800

In IDA: "View->Open Subview->Segments"

Right click on the only segment listed, choose "Move segment(s)", and enter the address calculated above (0x80fff800)

Now you can jump to address 0x81001808 (corresponding to _start_armboot) and press 'c' to start the analysis.

 

[Cyph]

I am wondering if these modded firmware have the "phone home" feature (lol) disabled by default or we have to go in and disable it after flashing? Thanks.

 

[cor35vet]

I am wondering if these modded firmware have the "phone home" feature (lol) disabled by default or we have to go in and disable it after flashing? Thanks.

The latest version disables the "CloudUpgradeServer" which phones home and tells china the software version, languages, serial number, etc.
But Easy4IP still has to be manually disabled in the Network->TCP/IP tab.
I have not checked if it does any more phoning home other than that. (Though according to Dahua IPC-HDW4431C-A trying to make outside connection it does not)

 

[mat200]

So, to summarize: I have two HDW4431C-A cameras:

This one has a socket soldered to it and quipped with a 32GB SD card
Device Type IPC-HDW4431C-A
Software Version 2.420.0000.17.R, build : 2016-03-13
WEB Version 3.2.1.331232
ONVIF Version 2.4.2

-- and --

This one is stock.
Device Type IPC-HDW4431C-A
Software Version 2.420.0000.21.R, Build Date: 2016-07-24
WEB Version 3.2.1.364036
ONVIF Version 2.42

[... edited ..]

I also tried checking all the /dev/mtd* devices without any joy.

Thanks to all who contributed to the thread that got me started.

Curious if you ever got the SD card you soldered on to work with the HDW4431C-A

Thank You

 

[Cyph]

Awesome work! Firmware works on my IPW-4431R-Z. No bricking!

 

[Crazykiller]

Hey,
great work on this. I was just trying to flash this firmware to my camera, which is not mentioned in the supported list. Seems ist really not supported. I supposed it might fit, because it seems to be a Version 3 model as well.
Device TypeIPC-HDBW4431R-ZS
Software Version2.420.0000.21.R, Build Date: 2016-07-24
WEB Version3.2.1.364036
ONVIF Version2.42
S/N 2Kxxxxxxxxxxxxx
Copyright 2015,All Rights Reserved.

I'm a Little confused of Copyright 2015... but well...
While trying to Flash i get an error with advise to reboot device with chinese character buttons... so i don't really know which one i hit

 

[cor35vet]

Check this post for -ZS firmware: Dahua Firmware Mod Kit + Modded Dahua Firmware

 

[Crazykiller]

hey @cor35vet,
thanks for the hint to the right post. I tried to apply it to my 4431R-ZS and it seems to work, because I have the other languages too, now. But it's still the older Firmware from July. I hoped to get an actual one for the 4431R-ZS.
Also still have Problems with the plugin for IE. Does anyone else experience that? I also own a HFW1320S-W and a HDW4421EM-AS which work both with same plugin. If I connect to the HDBW4431R-ZS I have to install another plugin which overwrites the other one and which is not compatible with the other cams

 

[nayr]

h265 cameras use a different plugin, would require your old cameras to get a firmware update