Dahua Firmware Mod Kit + Modded Dahua Firmware

@cor35vet: Here is the firmware link: DH-NVR4XXX-4KS2
Managed to extract, modify and build the firmware successfully, but failed to upgrade on the device. Dahua does a checksum on recent firmware so that modifying firmware is not easy to achieve.
Does anyone know how to change/bypass the checksum?
 
You mean the sign.img file, right? No way to crack/bypass the check where it is used.
But if you flash through upgraded (port 3800) it doesn't check the sign.img; you have to start upgraded via shell/telnet.
Or you can also flash the images via U-Boot shell from TFTP, check my signature 'recovery' for more info.
 
Where can I find modded firmware DH_IPC-HX5(4)XXX-Adreia_Eng_P_Stream3_V2.420.0009.0.R.20151106.zip for my HFW4300R-Z?
cor35vet, can you mod this firmware to enable telnet?
 
@Panamaaa The easiest way to fix your HWID would be in U-Boot shell with setenv and saveenv.
Make sure to back up the old one, seems very weird that this would happen.
I'll look into that HX5(4)XXX-Adreia fw.
 
Sorry but this firmware is using UBIFS which I can't be arsed to add support for.
Have you tried using Dahua Enable Telnet?
This firmware is older so it should work?
 
Yes. It returns OK in the browser. But PuTTY does not connect (connection refused). Should I reboot the camera after that API call?

ADD: After reboot nothing happened. No connection. :(
 
Tried to enable telnet on NVR4xxx-4ks2 but got the error Internal Server Error
Tried to scan whether the NVR has port 3800 open, but only ports 554 and 80 were open
Tried to sniff whether the NVR connects to TFTP via IP 192.168.254.254 but got no message from the NVR
The only remaining method is using a serial cable, but when I opened the NVR box and saw the board, I told myself "Oh, that's so crazy to hack the NVR only to change the language", then I gave up and put the NVR's cover back....
 
Connecting three wires isn't as hard as you make it out to be ;)
And yeah 3800 is only available when the main application crashes or something like that ...
 
Ok @cor35vet, you made me change my mind. But the most important thing is that I did not know where to wire, he he. Can you show me? I suspect the 4-pin jack in white plastic?
 

The simplest thing would be to hook up GND of your UART dongle to ground of the NVR and then just try all of the pins on the connector and the smaller 4-pin with the RXD of your dongle.
If you get anything, you found it! If not, then try again with the TXD since they are swapped sometimes.
 
Thank you @cor35vet. I have a question: if I connect the VCC pin to the ground of the serial port, what will happen? Do I burn something? Because when trying to detect the port, I accidentally connected the VCC pin to the ground (the metal pointer of the multimeter is too big compared to the position of the 2 pins, VCC and ground, which are too near together on the serial port) and the NVR rebooted...... did I brick the NVR?
 
The voltage just drops to 0 and thus the NVR reboots; usually these things are short-circuit protected so nothing happens.
I mean you can just check if the NVR still works, right lol?
 
When the VCC and ground pins were shorted, I heard a small sound, something like a click (or maybe my heartbeat lol). I thought the NVR was bricked but it booted up again. I checked and it seemed it could still connect to the camera and HDD, record video, etc... Everything seems fine. Actually, I shorted those pins 2 times =)), my hand was shaking so much...
 
Flashed successfully and it loads with the English UI :). Found that the NVR calls a file whose name contains its serial number when booting. Next time I will configure via TFTP for flashing...
 
Just came across this really interesting thread! I have been messing around with some Lorex cameras, as they are now discontinued in a store in the UK and sold off at a reduced price.
I picked up a bullet and a dome camera and am trying so hard to figure out what the actual Dahua models of them are so I can somehow flash generic firmware.

The Lorex model numbers are:
Mini Dome - LNE3142
Bullet - LNE3143
I've had a look with telnet and can see it's running an Ambarella S2L CPU. It's sold as a 1080P camera, but one thing that seems a bit strange is that the max bit-rate is 10240.
Looking at the Lorex docs, it's listed as having an actual resolution of H: 2048 V: 1536, which says to me it might have a 3MP sensor. However, 1080P is the only available resolution, but I can select the 10240 bit rate.
Specs here: https://www.lorextechnology.com/downloads/ip-cameras/LNE3142/LNE3142B_Specs_R2.pdf
But the bullet is listed as 1920x1080 and states a Sony Exmor sensor; however, that also has a 10240 bit rate and the image quality is identical to the dome.
Specs for that here:
https://www.lorextechnology.com/downloads/ip-cameras/LNB3153/LNB3153_Series_Specs_R5.pdf

The image quality seems really good on these and FAR better than a HFW-1200S I have here, it is also really good in low light.

If anyone can tell me any way to find out what the actual Dahua model is, and especially a way to get generic firmware on it, it would be gratefully appreciated.
I don't mind tinkering with it at all and am no stranger to hacking devices and getting serial access on things.

If there are any commands I can type or tools I can use then please let me know :)
 
Dump the flash with backup_mtd.sh in the thread here and PM it to me.
 
I'm getting this error message when running the script.

Code:
Backing up cut: applet not found (cut: applet not found)
cp: can't stat '/dev/cut: applet not foundro': No such file or directory

Looks like cut isn't enabled in busybox.

Code:
 Currently defined functions:
        [, [[, ash, bash, cat, chmod, cp, dmesg, echo, egrep, env, fgrep,
        fsync, getty, grep, halt, ifconfig, init, insmod, ip, ipaddr, iplink,
        iproute, iprule, iptunnel, kill, killall, linuxrc, ln, login, ls,
        lsmod, lzcat, lzma, mkdir, mknod, mount, mv, netstat, ping, ping6,
        poweroff, ps, pwd, reboot, rm, rmmod, route, sed, seq, sh, sleep, sync,
        telnet, telnetd, test, tftp, tftpd, top, touch, ubiattach, ubidetach,
        ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, umount, unlzma,
        unzip

cat /proc/mtd returns:

Code:
/var/tmp/nfs1 # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "MinBoot"
mtd1: 00040000 00010000 "U-Boot"
mtd2: 00020000 00010000 "hwid"
mtd3: 00010000 00010000 "partition"
mtd4: 00180000 00010000 "Kernel"
mtd5: 00150000 00010000 "romfs"
mtd6: 00210000 00010000 "web"
mtd7: 00830000 00010000 "user"
mtd8: 00030000 00010000 "updateflag"
mtd9: 00070000 00010000 "config"
mtd10: 00010000 00010000 "product"
mtd11: 00020000 00010000 "custom"
mtd12: 000e0000 00010000 "backupker"
mtd13: 00050000 00010000 "backupfs"
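
Added example, not part of the post above and not the thread's backup_mtd.sh: the error comes from a busybox build without `cut`, so this script parses the `/proc/mtd` table with shell builtins only and copies each partition with `cat`, which is in the applet list shown. The function names, the output file naming and the read-only `/dev/mtdNro` node path (inferred from the `ro` suffix in the error message) are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's backup_mtd.sh. Uses only shell builtins
# plus cat, since the busybox applet list above has no cut, awk or dd.

# mtd_plan: read a /proc/mtd-format table on stdin and print, per partition,
# "<read-only node> <size in bytes> <output file name>".
# Assumption: nodes are /dev/mtdNro (the error above shows the "ro" suffix).
mtd_plan() {
    while read -r dev size erase name; do
        case "$dev" in
            mtd[0-9]*:) ;;            # keep "mtdN:" rows only
            *) continue ;;            # skip the header and blank lines
        esac
        dev=${dev%:}                  # "mtd4:" -> "mtd4"
        name=${name#\"}               # strip the quotes around the name
        name=${name%\"}
        echo "/dev/${dev}ro $((0x$size)) ${dev}_${name}.bin"
    done
}

# mtd_backup TABLE DESTDIR [dry]: copy every partition into DESTDIR.
# With "dry" as third argument it only prints what it would do.
mtd_backup() {
    mtd_plan < "$1" | while read -r node bytes file; do
        if [ "${3:-}" = dry ]; then
            echo "cat $node > $2/$file ($bytes bytes)"
        else
            cat "$node" > "$2/$file" || echo "FAILED: $node" >&2
        fi
    done
}

# Rows copied from the cat /proc/mtd output in the post above.
sample_table() {
    cat <<'EOF'
dev:    size   erasesize  name
mtd0: 00040000 00010000 "MinBoot"
mtd2: 00020000 00010000 "hwid"
mtd4: 00180000 00010000 "Kernel"
mtd12: 000e0000 00010000 "backupker"
EOF
}

# Runs offline on the sample. On the device: mtd_backup /proc/mtd <destdir>
sample_table | mtd_plan
```

The printed byte count is the expected size of each output file, so a short copy can be spotted with `ls -l` before anything is reflashed.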
 
Hi
Sorry, I am on vacation now, so I couldn't read the whole thread.
I have an hf 8231 box camera. Can I use this modded firmware for this cam?

I want to change the authorisation method of the cam from digest to basic for a specific purpose. Does this firmware work for this purpose? Thanks a lot.
 
Nope, sorry, this is just so Chinese cameras can be flashed to the latest English firmware.