Dahua Firmware Mod Kit + Modded Dahua Firmware

I'm getting this error message when running the script.

Code:
Backing up cut: applet not found (cut: applet not found)
cp: can't stat '/dev/cut: applet not foundro': No such file or directory

Looks like cut isn't enabled in busybox.

Code:
 Currently defined functions:
        [, [[, ash, bash, cat, chmod, cp, dmesg, echo, egrep, env, fgrep,
        fsync, getty, grep, halt, ifconfig, init, insmod, ip, ipaddr, iplink,
        iproute, iprule, iptunnel, kill, killall, linuxrc, ln, login, ls,
        lsmod, lzcat, lzma, mkdir, mknod, mount, mv, netstat, ping, ping6,
        poweroff, ps, pwd, reboot, rm, rmmod, route, sed, seq, sh, sleep, sync,
        telnet, telnetd, test, tftp, tftpd, top, touch, ubiattach, ubidetach,
        ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, umount, unlzma,
        unzip

cat /proc/mtd returns:

Code:
/var/tmp/nfs1 # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "MinBoot"
mtd1: 00040000 00010000 "U-Boot"
mtd2: 00020000 00010000 "hwid"
mtd3: 00010000 00010000 "partition"
mtd4: 00180000 00010000 "Kernel"
mtd5: 00150000 00010000 "romfs"
mtd6: 00210000 00010000 "web"
mtd7: 00830000 00010000 "user"
mtd8: 00030000 00010000 "updateflag"
mtd9: 00070000 00010000 "config"
mtd10: 00010000 00010000 "product"
mtd11: 00020000 00010000 "custom"
mtd12: 000e0000 00010000 "backupker"
mtd13: 00050000 00010000 "backupfs"
You can just do this then:
Code:
cp "/dev/mtd0ro" "./mtd0_MinBoot"
cp "/dev/mtd1ro" "./mtd1_U-Boot"
cp "/dev/mtd2ro" "./mtd2_hwid"
cp "/dev/mtd3ro" "./mtd3_partition"
cp "/dev/mtd4ro" "./mtd4_Kernel"
cp "/dev/mtd5ro" "./mtd5_romfs"
cp "/dev/mtd6ro" "./mtd6_web"
cp "/dev/mtd7ro" "./mtd7_user"
cp "/dev/mtd8ro" "./mtd8_updateflag"
cp "/dev/mtd9ro" "./mtd9_config"
cp "/dev/mtd10ro" "./mtd10_product"
cp "/dev/mtd11ro" "./mtd11_custom"
cp "/dev/mtd12ro" "./mtd12_backupker"
cp "/dev/mtd13ro" "./mtd13_backupfs"
 
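The same backup as a loop that needs no `cut`, as an added example that is not part of the original posts or of the mod kit's script. It uses only shell builtins (`read`, `case`, parameter expansion, `echo`) plus `cp`, all of which appear in the applet list above; the function name `mtd_backup` and its arguments are hypothetical.

```shell
#!/bin/sh
# Back up every MTD partition through its read-only node (/dev/mtdNro),
# naming each image mtdN_<name> as in the manual cp list above.
#
# usage on the camera:  mtd_backup /proc/mtd .
#   $1 = partition table in /proc/mtd format
#   $2 = output directory
#   $3 = device directory (defaults to /dev; overridable for testing)
mtd_backup() {
    table=$1 outdir=$2 devdir=${3:-/dev} rc=0
    while read -r dev size erasesize name; do
        case "$dev" in
            mtd[0-9]*:) ;;        # partition row, e.g. "mtd4:"
            *) continue ;;        # header line or anything unexpected
        esac
        dev=${dev%:}              # "mtd4:" -> "mtd4"
        name=${name#\"}           # strip the surrounding quotes
        name=${name%\"}
        case "$name" in
            ''|*/*) name=unnamed ;;   # never let a name change the path
        esac
        # Always read from the "ro" node so the flash cannot be written.
        if cp "$devdir/${dev}ro" "$outdir/${dev}_${name}"; then
            echo "ok   $dev -> $outdir/${dev}_${name}"
        else
            echo "FAIL $dev ($name)" >&2
            rc=1
        fi
    done < "$table"
    return $rc
}
```

The function returns non-zero if any partition could not be copied, so a partial backup is not mistaken for a complete one.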
Nope sorry, this is just so Chinese cameras can be flashed to the latest English firmware.
Ok, thanks
Do you know a way to change the authorisation method of the cam from digest to basic? Dahua says it is embedded in the firmware because of security issues, but I need this.
 
I'd imagine changing this without access to the source code would be almost impossible.
So how about you just look into fixing your application hue.
CURL does digest just fine, you could also build a proxy to translate basic to digest.
Here is an example with python and libcurl supporting digest auth:
Code:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import logging
import socket
import pycurl
import time
import shlex
import subprocess

ALARM_DELAY = 90

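# Note: the RTSP URL carries the credentials on the gst-launch command line,
# so they are visible in the local process list while the player runs.
PLAY_TEMPLATE = "gst-launch-1.0 playbin uri=\"rtsp://{user}:{pass}@{host}:554/cam/realmonitor?channel=1&subtype=0\" latency=300000000 audio-sink=\"autoaudiosink sync=false\""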
URL_TEMPLATE = "http://{host}:{port}/cgi-bin/eventManager.cgi?action=attach&codes=%5B{events}%5D"

CAMERAS = [
    {
        "host": "192.168.1.108",
        "port": 80,
        "user": "admin",
        "pass": "admin",
        "events": "VideoMotion,CrossLineDetection,CrossRegionDetection,LeftDetection,SceneChange,TakenAwayDetection,FaceDetection,RioterDetection,MoveDetection,WanderDetection,CrossFenceDetection,ParkingDetection,NumberStat,RetrogradeDetection,TrafficJunction"
    }
]

class DahuaCamera():
    def __init__(self, master, index, camera):
        self.Master = master
        self.Index = index
        self.Camera = camera
        self.CurlObj = None
        self.Connected = None
        self.Reconnect = None

        self.Alarm = dict({
            "Active": None,
            "Last": None
        })
        self.Player = None

    def StartPlayer(self):
        if self.Player:
            return

        print("[{0}] StartPlayer()".format(self.Index))
        self.Master.OnStartPlayer()

        Command = PLAY_TEMPLATE.format(**self.Camera)
        Args = shlex.split(Command)
        self.Player = subprocess.Popen(Args,
                        stdin = subprocess.DEVNULL,
                        stdout = subprocess.DEVNULL,
                        stderr = subprocess.DEVNULL)

    def StopPlayer(self):
        if not self.Player:
            return

        print("[{0}] StopPlayer()".format(self.Index))
        self.Player.kill()
        self.Player.wait()
        self.Player = None
        self.Master.OnStopPlayer()

    def OnAlarm(self, State):
        print("[{0}] Alarm triggered! -> {1}".format(self.Index, "ON" if State else "OFF"))

        if State:
            self.StartPlayer()
        else:
            self.StopPlayer()

    def OnConnect(self):
        print("[{0}] OnConnect()".format(self.Index))
        self.Connected = True

    def OnDisconnect(self, reason):
        print("[{0}] OnDisconnect({1})".format(self.Index, reason))
        self.Connected = False
        self.StopPlayer()

    def OnTimer(self):
        if self.Player:
            self.Player.poll()
            if self.Player.returncode != None:
                self.StopPlayer()

        if self.Alarm["Active"] == False and time.time() - self.Alarm["Last"] > ALARM_DELAY:
            self.Alarm["Active"] = None
            self.Alarm["Last"] = None

            self.OnAlarm(False)

    def OnReceive(self, data):
        Data = data.decode("utf-8", errors="ignore")
        #print("[{0}]: {1}".format(self.Index, Data))

        for Line in Data.split("\r\n"):
            if Line == "HTTP/1.1 200 OK":
                self.OnConnect()

            if not Line.startswith("Code="):
                continue

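            Alarm = dict()
            for KeyValue in Line.split(';'):
                # Skip fragments without '=' and split on the first '=' only,
                # so a value containing '=' does not raise ValueError.
                if '=' not in KeyValue:
                    continue
                Key, Value = KeyValue.split('=', 1)
                Alarm[Key] = Value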

            self.ParseAlarm(Alarm)

    def ParseAlarm(self, Alarm):
        print("[{0}] ParseAlarm({1})".format(self.Index, Alarm))

        if Alarm["Code"] not in self.Camera["events"].split(','):
            return

        if Alarm["action"] == "Start":
            if self.Alarm["Active"] == None:
                self.OnAlarm(True)
            self.Alarm["Active"] = True
        elif Alarm["action"] == "Stop":
            self.Alarm["Active"] = False
            self.Alarm["Last"] = time.time()


class DahuaMaster():
    def __init__(self):
        self.Cameras = []
        self.NumActivePlayers = 0

        self.CurlMultiObj = pycurl.CurlMulti()
        self.NumCurlObjs = 0

        for Index, Camera in enumerate(CAMERAS):
            DahuaCam = DahuaCamera(self, Index, Camera)
            self.Cameras.append(DahuaCam)
            Url = URL_TEMPLATE.format(**Camera)

            CurlObj = pycurl.Curl()
            DahuaCam.CurlObj = CurlObj

            CurlObj.setopt(pycurl.URL, Url)
            CurlObj.setopt(pycurl.CONNECTTIMEOUT, 30)
            CurlObj.setopt(pycurl.TCP_KEEPALIVE, 1)
            CurlObj.setopt(pycurl.TCP_KEEPIDLE, 30)
            CurlObj.setopt(pycurl.TCP_KEEPINTVL, 15)
            CurlObj.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_DIGEST)
            CurlObj.setopt(pycurl.USERPWD, "%s:%s" % (Camera["user"], Camera["pass"]))
            CurlObj.setopt(pycurl.WRITEFUNCTION, DahuaCam.OnReceive)

            self.CurlMultiObj.add_handle(CurlObj)
            self.NumCurlObjs += 1

    def OnStartPlayer(self):
        self.NumActivePlayers += 1
        if self.NumActivePlayers == 1:
            subprocess.run(["xset", "dpms", "force", "on"])

    def OnStopPlayer(self):
        self.NumActivePlayers -= 1
        if self.NumActivePlayers == 0:
            subprocess.run(["xset", "dpms", "force", "off"])

    def OnTimer(self):
        for Camera in self.Cameras:
            Camera.OnTimer()

    def Run(self, timeout = 1.0):
        while 1:
            Ret, NumHandles = self.CurlMultiObj.perform()
            if Ret != pycurl.E_CALL_MULTI_PERFORM:
                break

        while 1:
            Ret = self.CurlMultiObj.select(timeout)
            if Ret == -1:
                self.OnTimer()
                continue

            while 1:
                Ret, NumHandles = self.CurlMultiObj.perform()

                if NumHandles != self.NumCurlObjs:
                    _, Success, Error = self.CurlMultiObj.info_read()

                    for CurlObj in Success:
                        Camera = next(filter(lambda x: x.CurlObj == CurlObj, self.Cameras))
                        if Camera.Reconnect:
                            continue

                        Camera.OnDisconnect("Success")
                        Camera.Reconnect = time.time() + 5

                    for CurlObj, ErrorNo, ErrorStr in Error:
                        Camera = next(filter(lambda x: x.CurlObj == CurlObj, self.Cameras))
                        if Camera.Reconnect:
                            continue

                        Camera.OnDisconnect("{0} ({1})".format(ErrorStr, ErrorNo))
                        Camera.Reconnect = time.time() + 5

                    for Camera in self.Cameras:
                        if Camera.Reconnect and Camera.Reconnect < time.time():
                            self.CurlMultiObj.remove_handle(Camera.CurlObj)
                            self.CurlMultiObj.add_handle(Camera.CurlObj)
                            Camera.Reconnect = None

                if Ret != pycurl.E_CALL_MULTI_PERFORM:
                    break

            self.OnTimer()

if __name__ == '__main__':
    logging.basicConfig(level=logging.DEBUG)

    Master = DahuaMaster()
    Master.Run()
 
Thanks for the code,
My application can handle digest authorisation. However, my application needs faster transfers; because of that I want to switch from digest to basic.
In fact FTP does better, but it would be better if the cam sent the image with the same file name.
 
Hello Cor35vet,

Can you mod this firmware too? It is for the DH-IPC-HDBW4233R-S-V2

DH_IPC-HX4XXX-Eos4_Chn_PN_Stream3_V2.600.0000.4.R.20170605.bin

Thanks!
 
Eos4 has signature verification so you will have to flash your camera using this method: Dahua IPC EASY unbricking / recovery over TFTP
If you are okay with that then yeah I can patch it.
(Also please don't use unnecessary text formatting)
 
Excuse me for my text format. Yes, I am OK with recovery over TFTP. So please give it a try. I will let you know if it works.
 
HUGE thank you to cor35vet for his work and looking at my firmware.

I just flashed a cheap Lorex camera to full Dahua firmware and it's improved it 100%. I can post before and after pictures of the images on here, but I'm not sure if it's allowed in this thread as it might be classed as clutter or off topic?
NEVER have I seen firmware make such a difference to something.
 
I guess no one would mind if they're in a spoiler.

Also he has a Lorex LNB3143R (actually is IPC-HFW4221B:01:02:02:36:18:00:01:00:00:00:00:258:00:00:00:00:00:01:00:00:100) that he flashed with DH_IPC-HX4X2X-Themis firmware.
Was quite easy: Get shell access, "killall upgraded", "upgraded", connect with ConfigTool on port 3800 and flash the Dahua firmware.
 
One of these is the old firmware, I will let anyone guess ;)
 

Attachments

  • WhatsApp Image 2017-09-12 at 21.03.24.jpeg
  • WhatsApp Image 2017-09-12 at 21.02.18.jpeg
  • WhatsApp Image 2017-09-12 at 21.15.38.jpeg
Patched the region check from the Rhea firmware and added telnet on port 2300:
https://i.botox.bz/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.9.R.20170428.bin

Edit: Apparently telnet is not working, need to check if same version (Chinese) Eos firmware does this too (since I only have Eos cams) and how to fix it.

I've also committed the HX5X3X-Rhea config to Dahua-Firmware-Mod-Kit and improved the dependency checks:
Add HX5X3X-Rhea config · BotoX/Dahua-Firmware-Mod-Kit@2657184 · GitHub

Hi,
I tried to use this firmware modded by you on the IPC-HDBW5231R-Z cameras, and on all of them I get this error message:

CAm.JPG

But I was able to update the IPC-HDBW5231E-Z camera with the same file.

Can you please patch the latest firmware for camera IPC-HDBW5231R-Z link below:
http://dtech.pl/pub/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.10.R.20170523.bin

My cameras details are:

Cam2.JPG


Many Thanks
 
Because Dahua has added the sign.img garbage to these cameras. (firmware signature verification)
That way it's not possible to flash modified firmware through the web interface anymore.
So you'll have to use this method instead to flash the camera: Dahua IPC unbricking / recovery over serial UART and TFTP

I'll go patch this FW now and then make a package where all you'll have to do is set up your network correctly, run the script, plug in the camera and wait.
Gonna remove the region and sign.img verification and try to include telnet on port 2300 (got a new cross compiler but can't test because no such camera).
 
Would it be possible for someone with a IPC-HX5X3X-Rhea camera to go into telnet and cat /dev/mtd1ro or do printenv from u-boot and send me either of those?

A drawback with flashing the cameras through the recovery method is that you can flash the wrong firmware onto your camera.
But since we won't be touching the bootloader it is not too big of an issue.
 
Thx, I will try to go with recovery.
 
Wait a bit I'll cook up something a little more automated and easier today.
Also going to patch the latest firmware for this camera.

If you can get telnet or shell access to your camera however that'd be great and run cat /dev/mtd1ro
 
I cannot access it with telnet on port 2300 or port 23; the port is closed:

Cam3.JPG
 
When I try to use it I get this info from TFT and nothing more; the camera restarts and operates normally without a firmware update.
This is the error message I have:
c4.JPG

In the file root\failed.txt there is no info; the file is 0 size.

After that the window with Console.bat is black.
Get a serial UART adapter, everything else is just guesswork. I can't really do much without having a camera at hand myself.