Dahua Firmware Mod Kit + Modded Dahua Firmware

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
With this firmware, TFTP stops with this message:

Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.108:1615 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.108:1774 root\romfs-x.squashfs.img, 896 Blocks Served
Client 192.168.1.108:2315 root\kernel.img, 1044 Blocks Served
Client 192.168.1.108:3378 root\user-x.squashfs.img, 10260 Blocks Served
Client 192.168.1.108:4087 root\web-x.squashfs.img, 4337 Blocks Served
Client 192.168.1.108:1785 root\partition-x.cramfs.img, 6 Blocks Served
Client 192.168.1.108:2161 root\custom-x.squashfs.img, 26 Blocks Served
Client 192.168.1.108:2574 root\pd-x.squashfs.img, Timeout

Result of the printenv:

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
TEXT_BASE:01000000
Net: Detected MACID:3c:ef:8c:c6:48:17
PHY:0x03625cc6,addr:0x01
switch mv88e6020, phy BCM54811 init
MMC: sdmmc init
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'upgrade_info_7db780a713a4.txt'.Download to address: 0x5000000
Downloading: *
done
Bytes transferred = 72 (48 hex)
bootdelay=3baudrate=115200ipaddr=192.168.1.108serverip=192.168.1.1autoload=yesgatewayip=192.168.1.1netmask=255.255.255.0dh_keyboard=1sysbackup=1logserver=127.0.0.1loglevel=4 autosip=192.168.254.254autolip=192.168.1.108autogw=192.168.1.1autonm=255.255.255.0pd=tftp 0x02000000 pd-x.squashfs.img; flwriteethact=ambarella macBSN=2G05AB9PAQ00162HWID=IPC-HDBW5231EP-Z-S2:01:02:05:4A:21:00:01:0F:01:01:04:2D0:03:00:00:04:00:01:00:00:100hwidEx=00:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00devalias=IPC-HDBW5231E-Zda=tftp 0x2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;flwritedr=tftp 0x2000000 romfs-x.squashfs.img; flwritedk=tftp 0x2000000 kernel.img; flwritedu=tftp 0x2000000 user-x.squashfs.img; flwritedw=tftp 0x2000000 web-x.squashfs.img; flwritedc=tftp 0x2000000 custom-x.squashfs.img; flwritedt=tftp 0x2000000 data-x.squashfs.img; flwritedp=tftp 0x02000000 partition-x.cramfs.img;flwriteup=tftp 0x2000000 update.img; flwritetk=tftp 0x200100 hawthorn.dts.dtb;tftp 0x2000000 uImage;bootm 0x2000000bootcmd=sf read 0x200100 0x8000 0x8000;sf read 0x2000000 0xf0000 0x180000;bootm 0x2000000bootargs=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrcethaddr=3C:EF:8C:C6:48:17appauto=1ID=2GPAW7EF49C6021stdin=serialstdout=serialstderr=serialfilesize=48fileaddr=5000000
Environment size: 1346/131068 bytes
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
cmdLine console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
Okay nice, thanks for the printenv.
I fixed the archive and re-uploaded it: https://i.botox.bz/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.14.R.20170720.zip
Telnet is enabled by default on port 2300 on that one btw.
 

dartec

n3wb
Joined
Sep 18, 2017
Messages
16
Reaction score
0

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
well you can edit commands.txt
remove the line which says run pd
then run Commands.bat to regenerate the upgrade_info_7db780a713a4.txt
It should still work fine since the product definition shouldn't change much, can always flash it through the webui later: https://i.botox.bz/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.14.R.20170720.bin
But judging from the printenv output I don't get why it's not working :/
Having serial UART would be quiet useful.
 

dartec

n3wb
Joined
Sep 18, 2017
Messages
16
Reaction score
0
well you can edit commands.txt
remove the line which says run pd
then run Commands.bat to regenerate the upgrade_info_7db780a713a4.txt
It should still work fine since the product definition shouldn't change much, can always flash it through the webui later: https://i.botox.bz/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.14.R.20170720.bin
But judging from the printenv output I don't get why it's not working :/
Having serial UART would be quiet useful.
Now the camera is in a boot loop, it's not accessible by the webui. Can you please path the latest firmware, maybe this is a reason why cannot boot.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
setenv appauto 0
setenv dh_keyboard 0
boot

into commands.txt etc.
then let it start like that and try to telnet on port 2300
then you can run upgraded and flash on port 3800 with configtool
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Eh works just fine, except there is no config for the NVR4XXX-4KS2 so it uses the NVR4XXX-4K one.
I mean come on learn to read and debug, this is a tool for developers.
Anyways I've added a config for the NVR4XXX-4KS2: add NVR4XXX-4KS2 config · BotoX/Dahua-Firmware-Mod-Kit@92590c6 · GitHub
 

nhocti

n3wb
Joined
Mar 21, 2017
Messages
23
Reaction score
1
Eh works just fine, except there is no config for the NVR4XXX-4KS2 so it uses the NVR4XXX-4K one.
I mean come on learn to read and debug, this is a tool for developers.
Anyways I've added a config for the NVR4XXX-4KS2: add NVR4XXX-4KS2 config · BotoX/Dahua-Firmware-Mod-Kit@92590c6 · GitHub
Strange, I got error as below, not for missing NVR4XXX-4KS2 setting. I created this setting couple month and it worked just fine with old firmware . The new firmware (Sep 2, 2017) change from ZX to K or something else compression

Update: Ah, the firmware file from dahuasecurity can be extracted OK, but the file from dahuatech is the one I get the issue below:
http://download.dahuatech.com/kitDownload.php?filepath=DH_NVR4XXX-4KS2_Chn_V3.215.0000000.1.R.170902.bin

Code:
WARNING Autodetected config: NVR4XXX-4KS2
Traceback (most recent call last):
  File "./extract.py", line 238, in <module>
    extractor.Extract(args.source)
  File "./extract.py", line 61, in Extract
    self.ZipFile = zipfile.ZipFile(self.SourceFile)
  File "/usr/lib/python3.4/zipfile.py", line 937, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.4/zipfile.py", line 978, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file
 
Last edited:

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
The latest version of python is 3.6.2 ....

~/Dahua/Dahua-Firmware-Mod-Kit/extract.py DH_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902.bin
WARNING Autodetected config: NVR4XXX-4KS2
INFO Extracting 8 files to: 'DH_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902.bin.extracted'
INFO Processing 'Install.lua'.
INFO Processing 'u-boot.bin.img'.
INFO Processing 'uImage.img'.
INFO Processing 'romfs-x.squashfs.img'.
INFO Processing 'web-x.squashfs.img'.
INFO Processing 'custom-x.squashfs.img'.
INFO Processing 'logo-x.squashfs.img'.
WARNING Unrecognized file: 'sign.img'.
 

nhocti

n3wb
Joined
Mar 21, 2017
Messages
23
Reaction score
1
Update: Ah, the firmware file from dahuasecurity can be extracted OK, but the file from dahuatech is the one I get the issue below:
http://download.dahuatech.com/kitDownload.php?filepath=DH_NVR4XXX-4KS2_Chn_V3.215.0000000.1.R.170902.bin

Code:
WARNING Autodetected config: NVR4XXX-4KS2
Traceback (most recent call last):
  File "./extract.py", line 238, in <module>
    extractor.Extract(args.source)
  File "./extract.py", line 61, in Extract
    self.ZipFile = zipfile.ZipFile(self.SourceFile)
  File "/usr/lib/python3.4/zipfile.py", line 937, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.4/zipfile.py", line 978, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Update: Ah, the firmware file from dahuasecurity can be extracted OK, but the file from dahuatech is the one I get the issue below:
http://download.dahuatech.com/kitDownload.php?filepath=DH_NVR4XXX-4KS2_Chn_V3.215.0000000.1.R.170902.bin

Code:
WARNING Autodetected config: NVR4XXX-4KS2
Traceback (most recent call last):
  File "./extract.py", line 238, in <module>
    extractor.Extract(args.source)
  File "./extract.py", line 61, in Extract
    self.ZipFile = zipfile.ZipFile(self.SourceFile)
  File "/usr/lib/python3.4/zipfile.py", line 937, in __init__
    self._RealGetContents()
  File "/usr/lib/python3.4/zipfile.py", line 978, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file
It seems to be 7zipped, I'll see if I can add support for that.
 

nhocti

n3wb
Joined
Mar 21, 2017
Messages
23
Reaction score
1
Dahua has made data signature check for all file in its latest firmware. Not sure if we can flash the img file via console after modifying the content...
Update: after modifying, flashing new firmware, device keeps rebooting :)
 
Last edited:

jrf

Getting the hang of it
Joined
Sep 12, 2017
Messages
169
Reaction score
93
I am new and I apologize if I'm missing something. I have 2 HFW4431R-Z cameras that are new and got them from Sincerity Trade on Ali from a link on this forum. Cameras installed fine and were fine...until today when I went to log in to one and was presented with a chinese login page. That had never happened over the last week or so since I put them on my network. Sure enough look in my firewall and see multiple connections from both heading to china. Even though...I thought I had turned just about everything I could off. So I head here...find the firmware in the first post and update. Both cameras show the correct firmware according to the first post now...however...both still phoning home to china. Easy enough to create a rule to block ALL my IP cams from going beyond my NVR but still....did I miss something? I thought this firmware was going to prevent that?

Have not noticed this with the 5231R-Zs that I got from Andy (will clearly only buy from him moving forward)

Sorry if I missed it in the 21 pages so far...and thanks...just another lurker who has been trying to learn from you guys/gals.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
I am new and I apologize if I'm missing something. I have 2 HFW4431R-Z cameras that are new and got them from Sincerity Trade on Ali from a link on this forum. Cameras installed fine and were fine...until today when I went to log in to one and was presented with a chinese login page. That had never happened over the last week or so since I put them on my network. Sure enough look in my firewall and see multiple connections from both heading to china. Even though...I thought I had turned just about everything I could off. So I head here...find the firmware in the first post and update. Both cameras show the correct firmware according to the first post now...however...both still phoning home to china. Easy enough to create a rule to block ALL my IP cams from going beyond my NVR but still....did I miss something? I thought this firmware was going to prevent that?

Have not noticed this with the 5231R-Zs that I got from Andy (will clearly only buy from him moving forward)

Sorry if I missed it in the 21 pages so far...and thanks...just another lurker who has been trying to learn from you guys/gals.
Could you post a dump that I can open in wireshark and look at?
I can also check on my cameras this week.
 

jrf

Getting the hang of it
Joined
Sep 12, 2017
Messages
169
Reaction score
93
Sorry, I only have the IPs that they were connected to. I could dive into the logs to see what it's currently blocking. 120.26.214.139, 101.37.106.77, 120.55.198.179 and there was one in the 121 range.
 

Oleglevsha

Getting the hang of it
Joined
Jan 25, 2015
Messages
299
Reaction score
77
Location
Россия г.Волгоград
There are three versions of what happened.
1. IP camera received Automatic updates from the update server
check the current firmware version
2. Ip camera has repaired the firmware from backup after a malfunction
3. You have been hacked...
Update the firmware with the version from Cor35vet.
 

jrf

Getting the hang of it
Joined
Sep 12, 2017
Messages
169
Reaction score
93
There are three versions of what happened.
1. IP camera received Automatic updates from the update server
check the current firmware version
2. Ip camera has repaired the firmware from backup after a malfunction
3. You have been hacked...
Update the firmware with the version from Cor35vet.
I believe #1 happened first...no other way to explain how it went from english to chinese. However my password worked to get in. Then figuring out the menus from my other camera I got to the part to change the language...only chinese was available. So then I came here and grabbed Cor35vet's firmware. Was able to flash the camera and it came back up with english. I logged in and checked the version and I see this: 2.420.0000.22.R, Build Date: 2016-12-09 so all looks good...however it was still trying to talk out. Hopefully I'll have a few minutes today to get some log data from my firewall.

Just snagged this real quick:
08:03:13 Oct 03 UDP packet dropped 192.168.XXX.XXX, 60670 -> 120.26.247.28, 8800
 

gtr33m

n3wb
Joined
Oct 11, 2017
Messages
3
Reaction score
0
Location
Melbourne

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
I flashed:
https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.bin
Software Version: 2.420.0000.22.R, Build Date: 2016-12-09
MD5Sum: 1332430392def5d9becd4e883d26f7d8
SHASum: 1bc476b78fd706b225243c12a334631971ea6a7c

on to a IPC-HDW4431C-A without issue. Information says the firmware has been loaded, however I don't get the extra IVS modes. Specifically I am looking for people counting. Is this possible?
People counting is definitely not possible on this camera.
Everything that is available has been unlocked.
 

tooway

n3wb
Joined
Oct 15, 2017
Messages
1
Reaction score
0
Hi all, I own a ip ptz camera SD59225U-HNI 2Mp pal (it's like 59230, but zoom is 25x) and would to add another language translation.

Latest Dahua official firmware is DH_SD-Eos_Eng_P_Stream3_V2.600.0000.3.R.20170630
In Dahua-Firmware-Mod-Kit those with the "EOS" word in description are:
HX4XXX-Eos4
HX4XXX-Eos
HX4XXX-NAND-Eos
HX8XXX-Eos
Does anybody know which of these profiles (if any) is suitable to unpack and repack .bin file?
 
Top