This is my own developed tool, nothing to do with SDK at all (and tried on multiple FW versions).
But yes, the request is normal JSON via WebUI, and the most interesting part of the request is this to enable:
{"method": "configManager.setConfig", "session": 217419250, "params": {"table": {"Enable": true}, "name": "Telnet"}, "id": 21}
I'll release what I've been researching, when I'm done with the stuff
Dahua Enable / Disable Telnetd (JSON request for newer firmware)
(You will need to know login/password for the Dahua device to get this code running)
Can't gurantee that this will work with all Dahua, working with my IPC and should work with DVR/NVR/HDVR (with newer FW)... etc
(I know Dahua has been killing telnetd hard, deleted telnetd... and done lots of stupid stuff)
Dahua Enable / Disable Telnetd (JSON request for newer firmware)
(You will need to know login/password for the Dahua device to get this code running)
Can't gurantee that this will work with all Dahua, working with my IPC and should work with DVR/NVR/HDVR (with newer FW)... etc
(I know Dahua has been killing telnetd hard, deleted telnetd... and done lots of stupid stuff)
Thank you for this! Doesn't seem to work on
DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.9.R.20170428.bin
[*] [Dahua Telnetd enable/disable [JSON] (2017 bashis <mcw noemail eu>)]
Remote target IP: 192.168.1.108 Remote target PORT: 80
[>] Requesting session ID
[<] 200 OK Detected generation 3 encryption
[>] Logging in
[<] 200 OK
[<] Login OK
[>] Enable telnetd: True
[<] 200 OK
{u'session': 43411452, u'params': {u'options': None}, u'id': 1, u'result': True} Logging out
[<] 200 OK
{u'session': 43411452, u'id': 10001, u'result': True}
telnet 192.168.1.108
Trying 192.168.1.108...
telnet: Unable to connect to remote host: Connection refused
nmap -v -sT -sV 192.168.1.108
Starting Nmap 7.01 ( Nmap: the Network Mapper - Free Security Scanner ) at 2017-10-24 11:24 PDT
NSE: Loaded 35 scripts for scanning.
Initiating Ping Scan at 11:24
Scanning 192.168.1.108 [2 ports]
Completed Ping Scan at 11:24, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:24
Completed Parallel DNS resolution of 1 host. at 11:24, 0.02s elapsed
Initiating Connect Scan at 11:24
Scanning 192.168.1.108 [1000 ports]
Discovered open port 554/tcp on 192.168.1.108
Discovered open port 80/tcp on 192.168.1.108
Discovered open port 49152/tcp on 192.168.1.108
Discovered open port 5000/tcp on 192.168.1.108
Hello everyone.
I have a question about the HCVR-S3.
Any changes in custom.lua file cause a system crash.
A custom.lua file, always accompanies with image. file (type of CHECKSUM...CRC...???).
Does anyone know how to properly modify the custom.lua file?
Thanks
WARNING Autodetected config: NVR4XXX-4KS2
INFO Extracting 8 files to: 'DH_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902.bin.extracted'
INFO Processing 'Install.lua'.
INFO Processing 'u-boot.bin.img'.
INFO Processing 'uImage.img'.
INFO Processing 'romfs-x.squashfs.img'.
INFO Processing 'web-x.squashfs.img'.
INFO Processing 'custom-x.squashfs.img'.
INFO Processing 'logo-x.squashfs.img'.
WARNING Unrecognized file: 'sign.img'.
When we put it back into file this sign.img manually, then flashing fw impossible. (update failed)
Is there way, how to change language in newest fw file ? I think, dahua made some security changes, private key or etc.
Coincidentally somebody e-mailed me today about the same topic.
Also it has been asked in this and other threads a bunch of times.
Hi, sign.img is used on newer cameras / firmware to cryptographically sign the firmware. The camera will only accept signed firmware through the normal upgrade paths and you can not sign your own firmware because the signing key is obviously private. You can flash the firmware on port 3800 using configtool if the upgraded tool is running on the device (usually not). The upgraded tool can be started from telnet or a serial console. Otherwise you'd have to manually flash the device using the U-Boot bootloader, check out the Dahua recovery threads I made.
thank you, but we need to change language and let users to normally use. Is there some way, how to disable this cryptocheck, or generate new private key ?
thank you, but we need to change language and let users to normally use. Is there some way, how to disable this cryptocheck, or generate new private key ?
You did a great job make the firmware more customizable. Thanks! The entire thread is an interesting read. I would like to ask your opinion on something. How hard would it be to identify the code responsible for a D/N shift and make it perform an extra action when it activates the IR-leds?
Alternatively, code that would continiously poll the status of the IR-leds (on or off) could work too. Don't know about the CPU-overhead though.
The extra action would be to adjust the focus to a pre-computed value depending on the IR-status (on or off). Dahua allows us to do this via an HTTP-call so that's probably the easy part.
@Jeroen1000 to do this we must reverse engineer the binary source code. As I understand, cor35vet doesn´t need to compile it for his modifications. So I don´t believe it´s possible
@TVT73 Blast, I was afraid of that. But maybe...the IR-status or the position of the IR-cut filter can be queried/polled, as I pointed out above aka "the alternative way". Then it's a matter of querying it often enough to have fast response. That could be done with a cronjob on the camera itself.
Alas, I'm not into Linux enough to begin trying to do that
This would be a bad idea. You will reduce lifetime of the focus system. Therefore I suggested to dahua to use focus store points and recall them. And another reason why this is a bad idea, refocusing will give for a few seconds a defocused picture, and ivr and events are disabled at this time.
But it´s possible to read and call focus points from http api. But it´s much more work and I had lost so many time in this because of the malfunctioning profile switching with poe nvr´s, where i can´t control the cam by http api directly himselve.
If you can query the IR status you could just go to the focus point that was saved instead of a full refocus. I wasn't implying a full refocus actually. It would work exactly as using the HTTP API. The stored focus points can be saved in the tmp folder. How to focus is not the issue, it's more the when.
Give me firmware for my camera!
You can download the firmware image that fits your camera below and flash it to your camera or unpack and modify it more.
It will work on both Chinese and international models.
International cameras can flash back to official English firmware after using my modded firmware.
Chinese cameras will never work with official English firmware - they need to be patched.
For IPC-HX4XXX-Eos ("Eco-savvy 2.0" 3rd gen) cameras:
TIP: Reset your camera to default config before updating, seems like Dahua messed something up so sonia will crash on certain configs...
PLEASE POST HERE IF YOU HAVE MORE LANGUAGES [OR A CAMERA WITH ANOTHER LANGUAGE]
These cameras have checks in place (HWID) so you can't flash the wrong firmware, hopefully this should prevent you from bricking your camera.
Experts can also use https://i.botox.bz/flashcp (from mtd-utils compiled with Hi3516a SDK) to flash .raw images to partitions on the camera from it's busybox shell.
This is useful while messing around, testing changes so you don't have to flash the full upgrade image every time.
WARNING: DO NOT FLASH THE OFFICIAL ENGLISH FIRMWARE ON CHINESE HARDWARE!
It won't start and you'll have to flash your camera back to the chinese one manually (over telnet or TFTP recovery)
And if you really want to try then at least do "appauto 0" to stop sonia from autostarting before flashing.
I personally always add permanent telnet to the image I am flashing with Dahua-Firmware-Mod-Kit, like so: Add utelnetd server · BotoX/DH_IPC-HX4XXX-Eos@2ddf0f5 · GitHub
Give me firmware for my camera!
You can download the firmware image that fits your camera below and flash it to your camera or unpack and modify it more.
It will work on both Chinese and international models.
International cameras can flash back to official English firmware after using my modded firmware.
Chinese cameras will never work with official English firmware - they need to be patched.
For IPC-HX4XXX-Eos ("Eco-savvy 2.0" 3rd gen) cameras:
TIP: Reset your camera to default config before updating, seems like Dahua messed something up so sonia will crash on certain configs...
PLEASE POST HERE IF YOU HAVE MORE LANGUAGES [OR A CAMERA WITH ANOTHER LANGUAGE]
These cameras have checks in place (HWID) so you can't flash the wrong firmware, hopefully this should prevent you from bricking your camera.
Experts can also use https://i.botox.bz/flashcp (from mtd-utils compiled with Hi3516a SDK) to flash .raw images to partitions on the camera from it's busybox shell.
This is useful while messing around, testing changes so you don't have to flash the full upgrade image every time.
WARNING: DO NOT FLASH THE OFFICIAL ENGLISH FIRMWARE ON CHINESE HARDWARE!
It won't start and you'll have to flash your camera back to the chinese one manually (over telnet or TFTP recovery)
And if you really want to try then at least do "appauto 0" to stop sonia from autostarting before flashing.
I personally always add permanent telnet to the image I am flashing with Dahua-Firmware-Mod-Kit, like so: Add utelnetd server · BotoX/DH_IPC-HX4XXX-Eos@2ddf0f5 · GitHub
.
