Dahua Firmware Mod Kit + Modded Dahua Firmware

I always flash through webinterface. No problems.
Just make sure your camera doesn't turn off during flash - that's certain death.
Hello,

Thank you very much for your answer.

I have tried to flash the camera with the file you sent me: "DH_IPC-HX4XXX-Eos_Eng_P_Stream3_V2.420.0000.21.R.20160724.bin" and I receive an error. Please see attached image.

On the version tab this is the information I have:

Device Type: IPC-HDW4431C-A
Software Version: 2.420.0000.21.R, Build Date: 2016-07-24
WEB Version: 3.2.1.364036
ONVIF Version: 2.42
PTZ Version:
Camera Version:
S/N: 2F01A41PAA00084
 

Ah, indeed.
The good old "[Unknown] error UpgradeCheck.cpp 190 tid:1034 Language not compare!" error. :')
I guess I did not patch that, I have updated the firmware in the OP.

A simple change if any of you are interested:
Log in to telnet on the camera, run: "killall sonia"
Run "sonia" right afterwards so "sonia" - the main application - will run in your terminal where you can study the output.
Now upload the firmware, you'll get the error from the post above me, look through the sonia log, you see this:
Screenshot_2016-12-26_15-31-09.png

Using IDA we can search for the string "Language not compare!" and find the following code very quickly:
Screenshot_2016-12-26_15-18-16.png

Compare register R0 with literal value 0.
Branch (Jump) on "ne" - if comparison was successful to location...
Change the branch from BNE
Screenshot_2016-12-26_15-20-49.png
to B (always branch):
Screenshot_2016-12-26_15-22-14.png

and voila! (I sure hope dahua isn't reading this - inb4 next release all debug strings erased from FW)
Screenshot_2016-12-26_15-21-43.png


I have also permanently enabled dh_keyboard = 0 so you will always have a serial shell on UART in case of a disaster.
Though I recommend logging in to telnet and running "dh_keyboard 0" before flashing a new firmware. So you don't end up like the guy on page 4 :v
Telnet is also enabled by default on my FW.

After this change I was able to flash the official english FW, however if you want to go back to "chinese" FW (my modded one for example) you'll have to change the chinese check.img or hwid file to identify itself as an english firmware. I can make an image that does this. Right now my firmware identifies itself as chinese so you can flash it on chinese cameras.

And looks like the english one does not wanna run on my camera: "[Manager] fatal tid:1001 Src/Locales.cpp:687 Language Not Compare!!Going to exit!"
Guess I need to reset the settings? Probably the guy on page 4 bricked his like this lol.
You probably should not flash the english firmware.

Edit: Definitely don't flash the english firmware, sonia does not start, not even "upgraded" works.
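For anyone checking a modded image against the vendor build, the BNE-to-B change described in the post above shows up as a one-word difference. This is an added example, not code from the original post or the mod kit: it reports branches whose target is unchanged but whose condition differs, assuming 32-bit little-endian ARM (A32) encoding; the function names and the three-instruction sample are constructed.

```python
import struct

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]

def decode_branch(word):
    """Return (mnemonic, signed word offset) for an A32 B/BL, else None."""
    if (word >> 25) & 0b111 != 0b101:   # bits 27..25 = 101 marks B/BL
        return None
    cond = word >> 28                   # bits 31..28 hold the condition
    if cond == 0xF:                     # unconditional space (BLX), skip
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:                # sign-extend the 24-bit offset
        imm24 -= 1 << 24
    name = "BL" if (word >> 24) & 1 else "B"
    return name + ("" if cond == 0xE else COND[cond]), imm24

def find_condition_patches(vendor, modified):
    """Compare two images word by word; list (offset, before, after) for
    branches that keep their target but change their condition."""
    findings = []
    for off in range(0, min(len(vendor), len(modified)) - 3, 4):
        a, = struct.unpack_from("<I", vendor, off)
        b, = struct.unpack_from("<I", modified, off)
        if a == b:
            continue
        da, db = decode_branch(a), decode_branch(b)
        if da and db and da[1] == db[1] and da[0] != db[0]:
            findings.append((off, da[0], db[0]))
    return findings

# Constructed sample: CMP R0,#0 ; BNE <target> ; MOV R0,#1
VENDOR = struct.pack("<3I", 0xE3500000, 0x1A000004, 0xE3A00001)
# Same code with the branch made unconditional and an unrelated MOV change
MODDED = struct.pack("<3I", 0xE3500000, 0xEA000004, 0xE3A00000)

if __name__ == "__main__":
    for off, before, after in find_condition_patches(VENDOR, MODDED):
        print(f"offset {off:#x}: {before} -> {after}")
```
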
 
Hello cor35vet,

As I understand your post I won’t be able to flash my camera with the original firmware because it is in English.

What do you suggest I do to return to the original?

Best regards,

Sergio.
 
I can try to patch the english firmware I guess.
But I doubt it's that anyways, try another FTP server maybe? Or use NFS...
 
thanks to @cor35vet I've managed to flash my NVR 4216-4k to a Chinese firmware, and then converted it back to english successfully.. now to hack all the features enabled if we can figure out how.

This is a great little tool, should be doable to change languages or rebrand devices without too much trouble.. if you're determined and savvy enough.

attached proof, firmware was applied from: 大华股份 and was entirely Chinese before modification.


Hi nayr,

When I found this thread I thought we can do the same for NVRs.

I have DH-NVR 4xxxx

大华股份

what steps did you follow?

cheers
 
there's a newer english version than that, and newer Chinese version.. but neither provided me w/IVS and I saw no other gains so I'm back to my original firmware.

i backed up my flash and then wrote the custom partition back after it went to Chinese; took a browser cache nuke and a bit of work getting everything happy but it worked.
 

I have checked both the .fi and .cz FTPs and the dahuatech.com, this is the latest I can find.

I am new to this Dahua stuff, but it seems very similar issues to hik.

I haven't managed to get @cor35vet's tool running yet. At this stage (for now) I need to get english text on the screen.
telnet is all killed on the NVRs, but I can easily access Uboot via serial.
I can install any firmware (forcefully) but I get all the string names instead of the language since the firmware can not find the language file.
I thought I could edit the mtd0 files directly from the uboot cli, however failed to find a way.

cheers
Sorry I am really a noob on this at the moment. :P
 
telnet worked on my nvr, just dumped the mtd to nfs and then restored it with flashcp on nfs

what exactly are you wanting to do or fix?
 

Thank you so much.

At the moment all i need is to convert the language on the NVR to English. (anything else is not priority)

so basically if i can rename the language files for english to simplified Chinese, i am done.

I am sure someone ran the firmware kit update (Firmware Kit For DVRNVR) on these NVRs, that removes the telnet, it is an MFC Windows file. I remember looking at the logs I found lying around.

So I definitely don't have telnet, unless I re-enable it, somehow.

I can access the Uboot CLI, I have increased the boot delay to 10, so I can stop boot easily. (but commands available are very limited.)

cheers
 
Hi,

I'm trying to unbrick a HDW4431C-A which is stuck in a bootloop after flashing DH_IPC-HX4XXX-Eos_Eng_P_Stream3_V2.420.0000.21.R.20160724.bin
..

Finally got telnet access back by fast repeated loading of the telnet HTTP enable URL and scripted login to telnet to set appauto 0, hooray ..
This after I remembered the IP which I had set just before bricking it with the firmware upgrade, all this time I was attempting to use the default 192.168.1.108 which it only uses to boot with ;(

Now before I will start another flash attempt I actually would like to do the following :
  • backup all /dev/mtd partitions :
    • Tried this already but didn't work using dd as it has not been compiled into busy box (says missing applet).
      Update: In the meantime I have now cross compiled busy box with dd support ..
  • Allow uboot to be interruptible :
    • Would this be achieved by updating /dev/mtd1 with bootdelay=3 using flashcp ?
      I think I read somewhere that the uboot env is crc protected, so not sure if I can trivially change this ..
  • Check whether I have a 'Chinese' or 'English' cam : How can I check this ?
Assuming it was actually a 'Chinese' version, I would like to flash the special Eos version prepared by Cor35vet.

My plan is then to perform in telnet:
killall upgraded
upgraded

and then use the web-ui to upload new firmware (or should i use configtool of a certain version with port 3800 ?)

Can someone confirm this would indeed be the right sequence ?
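On the CRC question in the post above: in the stock U-Boot layout the environment area begins with a CRC32 over the rest of the area, stored in the target's byte order, and a copy whose checksum does not match is discarded in favour of the built-in defaults. This is an added example, not part of the original post; it assumes the non-redundant stock layout (no flag byte) and little-endian storage, which may not match this camera's bootloader, and the function names and sample environment are constructed.

```python
import struct
import zlib

HDR = 4  # assumed: 32-bit CRC only, no redundant-environment flag byte

def env_crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def parse_env(blob):
    """Return (crc_ok, variables) for a raw environment area."""
    stored, = struct.unpack_from("<I", blob, 0)
    data = blob[HDR:]
    pairs = {}
    # NUL-separated key=value strings, list ends at the first empty string
    for entry in data.split(b"\x00\x00", 1)[0].split(b"\x00"):
        key, sep, value = entry.partition(b"=")
        if sep:
            pairs[key.decode()] = value.decode()
    return stored == env_crc(data), pairs

def build_env(pairs, size, pad=b"\x00"):
    """Serialise variables into an area of exactly `size` bytes."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in pairs.items())
    body += b"\x00"
    if len(body) > size - HDR:
        raise ValueError("variables do not fit in the environment area")
    data = body.ljust(size - HDR, pad)   # the CRC covers the padding too
    return struct.pack("<I", env_crc(data)) + data

def set_var(blob, key, value):
    """Change one variable and return a same-sized area with a fresh CRC."""
    ok, pairs = parse_env(blob)
    if not ok:
        raise ValueError("stored CRC does not match; refusing to edit")
    pairs[key] = value
    return build_env(pairs, len(blob), pad=blob[-1:])

# Constructed sample environment (values are illustrative only)
SAMPLE = build_env({"bootdelay": "0", "bootcmd": "run sample_boot"}, 0x200)

if __name__ == "__main__":
    naive = SAMPLE.replace(b"bootdelay=0", b"bootdelay=3")
    print("in-place edit, CRC ok:", parse_env(naive)[0])
    print("rebuilt copy, CRC ok: ", parse_env(set_var(SAMPLE, "bootdelay", "3"))[0])
```
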
 
Finally restored my cam back to working condition by flashing cor35vet's firmware version !

For the ones interested :

I used the config tool v1 to flash cor35vet's EOS version, but sonia was still not starting after it flashed successfully & rebooted, immediately failing on the language check.
I then tried to flash DH_IPC-HX4XXX-Eos_Eng_P_Stream3_V2.420.0000.15.R.20160107.bin, which failed the same check.

However, flashing cor35vet's version a second time resulted in a working Sonia ?! ;)
 
Hi!

Just flashed https://i.botox.bz/DH_IPC-HX4XXX-Eos.bin (Software Version: 2.420.0000.21.R, Build Date: 2016-07-24) for HDW4431C - web interface not working. Previously installed firmware was 2.460....

Now have:
evgeny@evgeny-pc:~$ telnet 192.168.1.108 23
Trying 192.168.1.108...
telnet: Unable to connect to remote host: Connection refused
evgeny@evgeny-pc:~$ telnet 192.168.1.108 80
Trying 192.168.1.108...
telnet: Unable to connect to remote host: Connection refused

Port 3800 is opened.

How can I unbrick camera and have opportunities of 2.420 firmware?

Thanks!
 
it will become a Chinese language camera
 

Edit: Definitely don't flash the english firmware, sonia does not start not even "upgraded" works.

Why then is cor35vet telling me not to flash the English version?

The only thing I would like is to have the last English version on my camera and not the modified one.

cor35vet's modified version is in English but is based on the Chinese version I think.
 
And oh wow look at that, the new firmware is packed different than all the ones before.
Looks very weird, first files are zipfiles and then it ends and binwalk says a bunch of xz data.
7zip and unzip didn't work. Time to sleep.
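For a container shaped the way the post above describes (ZIP records first, xz data after them), one way to split it is to walk the ZIP records by their length fields to find where the archive really ends, then decompress each xz stream behind it. This is an added example, not from the original thread; it runs on a constructed sample, and nothing here is known about the real layout of the newer Dahua images beyond what the post says.

```python
import io
import lzma
import struct
import zipfile

XZ_MAGIC = b"\xfd7zXZ\x00"

def zip_extent(blob, pos=0):
    """Walk ZIP records from pos; return the offset just past the archive."""
    while True:
        sig = blob[pos:pos + 4]
        if sig == b"PK\x03\x04":    # local file header, followed by file data
            flags, = struct.unpack_from("<H", blob, pos + 6)
            if flags & 0x08:
                raise ValueError("data descriptor used; size not in header")
            csize, = struct.unpack_from("<I", blob, pos + 18)
            nlen, xlen = struct.unpack_from("<HH", blob, pos + 26)
            pos += 30 + nlen + xlen + csize
        elif sig == b"PK\x01\x02":  # central directory entry
            nlen, xlen, clen = struct.unpack_from("<HHH", blob, pos + 28)
            pos += 46 + nlen + xlen + clen
        elif sig == b"PK\x05\x06":  # end of central directory record
            clen, = struct.unpack_from("<H", blob, pos + 20)
            return pos + 22 + clen
        else:
            raise ValueError(f"no ZIP record at offset {pos:#x}")

def carve_xz(blob, start):
    """Decompress each complete xz stream at or after start: [(offset, data)]."""
    found, pos = [], blob.find(XZ_MAGIC, start)
    while pos != -1:
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
        try:
            data = dec.decompress(blob[pos:])
        except lzma.LZMAError:
            data = None             # magic bytes that are not a real stream
        if data is not None and dec.eof:
            found.append((pos, data))
            pos = blob.find(XZ_MAGIC, len(blob) - len(dec.unused_data))
        else:
            pos = blob.find(XZ_MAGIC, pos + 1)
    return found

def build_sample():
    """Constructed container: a two-member ZIP followed by two xz streams."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("member-a.bin", b"A" * 300)
        zf.writestr("member-b.bin", b"B" * 300)
    head = buf.getvalue()
    tail = lzma.compress(b"first payload") + lzma.compress(b"second payload")
    return head + tail, len(head)
```

Slicing the blob at the offset returned by `zip_extent` gives a plain archive that ordinary ZIP tools can open, which is a quick check that the boundary is right.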