Dahua Firmware Mod Kit + Modded Dahua Firmware

Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
@cor35vet I noticed today the Themis firmware on my IPC-HDW4421C-A camera does not include any Audio settings. I presume this is simply a configuration option in some file somewhere. Would you happen to know which file or setting this may be? The 4421C hardware definitely includes a built-in microphone. I found a firmware screen from an AliExpress vendor, which is attached. Hopefully, I can tweak something to get the audio working in the firmware. Thanks!!

FYI: There appears to be a much later v600 firmware for Themis dated 2016-12-19 at this link:
ftp://ftp.asm.cz/Dahua/kamerove_systemy/_Firmware/04IPC/IPC-HX4X2X-Themis/General/20161219/General_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin

IPC-HDW4421C Version Info.jpg IPC-HDW4421C Setup Video No Audio.jpg Ali Vendor Image with Audio.jpg
 
Last edited:
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
The good news is, @cor35vet provided a hacked version of the .600.0005 firmware for me to test today. The better news is, it successfully loaded and rebooted on my 4421C-A camera. :D Not so good is the mic/audio is still missing on the web pages. I'm going to have to take one of these cameras down this weekend and disassemble it, to verify whether or not there is actually a microphone installed. There's SUPPOSED to be one, and the pinhole is there on the camera, but you just never know.

Thanks, @cor35vet !!!
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Quoting my PM with him:
Okay, here it is: https://i.botox.bz/DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin

However they have added a sign.img to cryptographically sign the releases from now on.
This means that you can't flash modified firmware anymore.
I have replaced the key they use for signing in the firmware with my own: https://p.botox.bz/view/raw/8299e9ed
BUT the check is not being done on port 3800 when using ConfigTool, so that is good.
They have also updated the bootloader, I have excluded that update from the .bin because I am afraid they might have removed the possibility to do recovery via TFTP.

So yeah good luck, I hope it won't kill your camera :V
I also found the signing code in sonia, could sign my own firmware kek.
Just going to disable it on the next version. Fucking Dahua.

Bad news for new cameras though, with the new firmware upgraded is not running by default, only after sonia exits.
So we need to find a way to exit/crash sonia in order to upgrade the firmware on a camera that is running the unmodified new firmware.
They have also updated the bootloader, I did not look into the changes but it could be that they made our life harder there too :/

Edit: I forgot to add that I don't have a Themis camera so I can't play with this too much.
They haven't added this to Eos yet. They did on the latest chinese 20170313, guess I will look at it!
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
Still pursuing the missing Audio in the web interface, I found the Dahua HTTP API document, and used this URL to get the audio config information:
Code:
http://192.168.1.108:80/cgi-bin/configManager.cgi?action=getConfig&name=Encode

table.Encode[0].ExtraFormat[0].Audio.Bitrate=64
table.Encode[0].ExtraFormat[0].Audio.Compression=G.711A
table.Encode[0].ExtraFormat[0].Audio.Depth=16
table.Encode[0].ExtraFormat[0].Audio.Frequency=44000
table.Encode[0].ExtraFormat[0].Audio.Pack=DHAV
table.Encode[0].ExtraFormat[0].AudioEnable=false
So it appears the audio is simply not enabled. I seriously wish telnet/ssh access were available, so I could do more research on the running camera. Now I'm going to have to bring it inside and connect to the console port to research it. Well, I was planning on bringing it down anyway. Now I have two reasons for doing so.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Still pursuing the missing Audio in the web interface, I found the Dahua HTTP API document, and used this URL to get the audio config information:
Code:
http://192.168.1.108:80/cgi-bin/configManager.cgi?action=getConfig&name=Encode

table.Encode[0].ExtraFormat[0].Audio.Bitrate=64
table.Encode[0].ExtraFormat[0].Audio.Compression=G.711A
table.Encode[0].ExtraFormat[0].Audio.Depth=16
table.Encode[0].ExtraFormat[0].Audio.Frequency=44000
table.Encode[0].ExtraFormat[0].Audio.Pack=DHAV
table.Encode[0].ExtraFormat[0].AudioEnable=false
So it appears the audio is simply not enabled. I seriously wish telnet/ssh access were available, so I could do more research on the running camera. Now I'm going to have to bring it inside and connect to the console port to research it. Well, I was planning on bringing it down anyway. Now I have two reasons for doing so.
telnet is on port 2300
 

AKalm

Young grasshopper
Joined
Dec 2, 2014
Messages
79
Reaction score
12
Trying to use putty to open a telnet session on port 2300, the window simply closes. :(
Should be port 23, if the same happens, it must be sonia crashing all the time. What I did I logged in very fast and typed appauto 0 and hit enter (did succesfully after 30 tries), so when next time boots, it won't try to start sonia. When you've done what you wanted, don't forget to enter appauto 1
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
Should be port 23, if the same happens, it must be sonia crashing all the time. What I did I logged in very fast and typed appauto 0 and hit enter (did succesfully after 30 tries), so when next time boots, it won't try to start sonia. When you've done what you wanted, don't forget to enter appauto 1
Thanks for that pointer. I've run nmap against it, and there's no telnet ports open at any time.
 

AKalm

Young grasshopper
Joined
Dec 2, 2014
Messages
79
Reaction score
12
Thanks for that pointer. I've run nmap against it, and there's no telnet ports open at any time.
I see, my cam had telnet open all the time. Keep in mind it might have a reboot-loop so you'll kind of have to catch it. Otherwise you're cam's firmware is not running telnet by default - your next step would be serial connection
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
I see, my cam had telnet open all the time. Keep in mind it might have a reboot-loop so you'll kind of have to catch it. Otherwise you're cam's firmware is not running telnet by default - your next step would be serial connection
Definitely. I don't believe it's in a reboot loop, because the video is constant. I'm going to have to take it down eventually, to investigate the lack of audio. At that time, I'll use the serial port to connect and review the kernel messages and device hierarchy. Also, whether or not there's actually a microphone element connected inside the camera. Never can be too certain when buying NOS 2015 cameras from AliExpress.
 

AKalm

Young grasshopper
Joined
Dec 2, 2014
Messages
79
Reaction score
12
Definitely. I don't believe it's in a reboot loop, because the video is constant. I'm going to have to take it down eventually, to investigate the lack of audio. At that time, I'll use the serial port to connect and review the kernel messages and device hierarchy. Also, whether or not there's actually a microphone element connected inside the camera. Never can be too certain when buying NOS 2015 cameras from AliExpress.
Have you tried this to enable telnet?
Enter to the browser:
Code:
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
Have you tried this to enable telnet?
Enter to the browser:
Code:
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true
Yup, been there, done that, still no port 23 or 2300 or 2323. :(
I suspect Sonia is killing any telnetd process it finds, often.
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
I think they might have just killed /bin/login
I made utelnetd open /bin/sh instead, try it out: https://i.botox.bz/DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.INSECURE.bin
Loaded okay using the Dahua Config Tool, the configManager call to enable Telnet returned 'OK', but still unable to connect. Tried ports 23, 2300, and 2323. No successful connections, unfortunately. I'll definitely have to bring the camera indoors and connect to the console/serial port to see what's going on.
 

beingaware

Pulling my weight
Joined
Mar 16, 2017
Messages
217
Reaction score
179
Location
Australia
Looks like most of the issues people are having is when they use the config tool to upload the firmware.

Was going to suggest trying it from the Camera web gui rather then via the config tool next time. :)
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
user-x.squashfs.img\data\ss\pubkey.pem
from INSECURE firmware
Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6AGTKWZz7rAiqivyooKhhdM3w
NhaXry/BzEbzYGe8DQqTI5FZfRjpMQpS9R/lx48ArQXVAcSrODZdjWwM94k3ee8t
KNtQLcupRQMIafKX83Rdo6wOF+KujCA/W93u5QnaE8sxH85cWAgXxR0klxh2hT2V
1NnHsNwZVDd+q+XeXwIDAQAB
-----END PUBLIC KEY-----
from orifinal DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin
Size: 13422612
SHA1: C1ABE2C27BA8241DF66812D4115481F63538DEE5
SHA256: A14D1C20A6F167C1040725D9341251C3189E0F8F703191267F752D1F07586AE6

Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC4Y0NDlaRdkzAiiV9xASAS03O
jQ5NZeUGUPaywFOwyzEmONUiv6kqSacdnwMlQdcjrTBoXGyBVnv20WySOUIyvXA2
wynVvW2xbPVB/WhA+bQYNiZH8JvfPEG0fHFtHOPxFqI8i/uu56Oa8Rcj8lLgBOvL
UmrtpAJSWzH8xNHUQwIDAQAB
-----END PUBLIC KEY-----
Comments pls?
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
user-x.squashfs.img\data\ss\pubkey.pem
from INSECURE firmware
Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD6AGTKWZz7rAiqivyooKhhdM3w
NhaXry/BzEbzYGe8DQqTI5FZfRjpMQpS9R/lx48ArQXVAcSrODZdjWwM94k3ee8t
KNtQLcupRQMIafKX83Rdo6wOF+KujCA/W93u5QnaE8sxH85cWAgXxR0klxh2hT2V
1NnHsNwZVDd+q+XeXwIDAQAB
-----END PUBLIC KEY-----
from orifinal DH_IPC-HX4X2X-Themis_Eng_P_Stream3_V2.600.0005.0.R.20161219.bin
Size: 13422612
SHA1: C1ABE2C27BA8241DF66812D4115481F63538DEE5
SHA256: A14D1C20A6F167C1040725D9341251C3189E0F8F703191267F752D1F07586AE6

Code:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC4Y0NDlaRdkzAiiV9xASAS03O
jQ5NZeUGUPaywFOwyzEmONUiv6kqSacdnwMlQdcjrTBoXGyBVnv20WySOUIyvXA2
wynVvW2xbPVB/WhA+bQYNiZH8JvfPEG0fHFtHOPxFqI8i/uu56Oa8Rcj8lLgBOvL
UmrtpAJSWzH8xNHUQwIDAQAB
-----END PUBLIC KEY-----
Comments pls?
Quoting my PM with him:


I also found the signing code in sonia, could sign my own firmware kek.
Just going to disable it on the next version. Fucking Dahua.

Bad news for new cameras though, with the new firmware upgraded is not running by default, only after sonia exits.
So we need to find a way to exit/crash sonia in order to upgrade the firmware on a camera that is running the unmodified new firmware.
They have also updated the bootloader, I did not look into the changes but it could be that they made our life harder there too :/

Edit: I forgot to add that I don't have a Themis camera so I can't play with this too much.
They haven't added this to Eos yet. They did on the latest chinese 20170313, guess I will look at it!
 

iTuneDVR

Pulling my weight
Joined
Aug 23, 2014
Messages
846
Reaction score
153
Location
Россия
Cor35vet!
Thanks.
I was inattentive and missed that your message.
When the equipment falls into your hands, you usually find ways to deal with it ;)
The main thing is not to hang your hands!

if the dahua fantasy ends in pdc, then ... ;)
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
user-x.squashfs.img\data\ss\pubkey.pem
from INSECURE firmware
Maybe I'm being stupid - but what's the deal about finding a 'Public key' ?
It's intended to be public after all.
Now, if it was a 'Private key' that would be different.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Maybe I'm being stupid - but what's the deal about finding a 'Public key' ?
It's intended to be public after all.
Now, if it was a 'Private key' that would be different.
The public key is used to verify the digital signature in the sign.img file. The proper signature can only be created with the corresponding private key. I swapped out dahuas public key with my own so we can sign our own images in case upgraded and tftp method fail in that guys camera.

He was worried why I've changed the key, it could mean ill intent without knowing what it is used for.
 
Top