Dahua Firmware Mod Kit + Modded Dahua Firmware

And oh wow look at that, the new firmware is packed differently than all the ones before.
You probably figured this already - I just had a look out of curiosity. I've not looked at Dahua firmware before.
The file appears to be a regular zip file but with a slightly mangled first file local file header for 'hwid', possibly to confuse any attempted unzip activity.
Contents of Install are:
{
   "Commands" : [
      "burn kernel.img kernel",
      "burn partition-x.cramfs.img partition",
      "burn romfs-x.squashfs.img rootfs",
      "burn pd-x.squashfs.img pd",
      "burn user-x.squashfs.img user",
      "burn custom-x.squashfs.img custom",
      "burn web-x.squashfs.img web"
   ],
   "Devices" : [
      [ "IPC-HX3XXX", "1.00" ]
   ],
   "Vendor" : "General"
}
//IPC_RestoreDefault
 
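An added example, not part of the original posts: a way to check how the first local file header of a ZIP container disagrees with the central directory entry that points to it, as the post above describes for 'hwid'. The thread does not say which bytes are changed, so the sample is constructed and its mangling (two overwritten signature bytes) is an assumption.

```python
import io
import struct
import zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def first_entry_report(data: bytes) -> dict:
    """Compare the first central-directory entry with the local header it points to."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; not a ZIP container")
    (cd_off,) = struct.unpack_from("<I", data, eocd + 16)   # central directory offset
    if data[cd_off:cd_off + 4] != CDH_SIG:
        raise ValueError("central directory is not at the recorded offset")
    (name_len,) = struct.unpack_from("<H", data, cd_off + 28)
    (lfh_off,) = struct.unpack_from("<I", data, cd_off + 42)  # local header offset
    cd_name = data[cd_off + 46:cd_off + 46 + name_len]
    (lfh_name_len,) = struct.unpack_from("<H", data, lfh_off + 26)
    lfh_name = data[lfh_off + 30:lfh_off + 30 + lfh_name_len]
    return {
        "name": cd_name.decode("utf-8", "replace"),
        "lfh_offset": lfh_off,
        "lfh_signature": data[lfh_off:lfh_off + 4],
        "signature_ok": data[lfh_off:lfh_off + 4] == LFH_SIG,
        "name_matches": cd_name == lfh_name,
    }

def repair_first_header(data: bytes) -> bytes:
    """Restore the signature when it is the only mismatch among the checked fields."""
    rep = first_entry_report(data)
    if rep["signature_ok"]:
        return data
    if not rep["name_matches"]:
        raise ValueError("local header differs beyond its signature; inspect by hand")
    off = rep["lfh_offset"]
    return data[:off] + LFH_SIG + data[off + 4:]

def make_sample() -> bytes:
    """Constructed stand-in for a firmware container (not real Dahua data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hwid", "constructed-sample\n")
        z.writestr("Install", '{"Vendor": "General"}')
    raw = bytearray(buf.getvalue())
    raw[0:2] = b"XX"  # assumed mangling: the thread does not say which bytes differ
    return bytes(raw)

if __name__ == "__main__":
    print(first_entry_report(make_sample()))
    fixed = repair_first_header(make_sample())
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("hwid"))
```

Python's zipfile refuses to read the mangled member because it validates the local header signature, while the central directory remains intact and is enough to locate and repair the entry.
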
I actually haven't taken a look at it anymore - not in the mood right now ^^
But have you been able to extract all the files in the archive?
 
I am a very lazy person, would be helpful to know how you patched the zipfile so I can extract it without further research :v
 
You will be disappointed ....
I did nothing fancy, I just used the stock Linux unzip, which is quite forgiving and resilient.
"UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP."
 
Well okay LOL.
I guess my download was just corrupt hahahahah.
I'll look at the FW tomorrow™ then.

(To clarify: I redownloaded it and everything was working as expected.)
 
Well this is not good: https://p.botox.bz/view/raw/82d0773a
Was sitting for hours trying to figure this out, no clue.

I think they are check-summing the sonia binary and causing a crash somewhere if it doesn't match.
Changing any byte in the application makes it segfault at the same spot.
Help appreciated lol.
 
Hi cor35vet,

Today I decided to flash my DH-IPC-HFW4431-R-Z with the image provided. (DH_IPC-HX4XXX-Eos.bin)
It sounds like the camera is in a bootloop. I can hear the clicking of rebooting. ICMP echo stops for 10 seconds and then the camera is online again.

What could be wrong?
 
telnet into the camera as quick as possible, run: "killall sonia" then "appauto 0" and reboot it
when it starts again telnet into it and run "sonia" - you should see the error on the last dozen lines, paste them here.

Telnet is enabled by default, check "Dahua Enable Telnet" for how to connect.
 
bummer..

Telnet access is down. Only open ports are TCP 3800 and 49152.
I hope I didn't brick the cam...

I see that it is online via the configtool. Can I do something with this tool?
This is a few seconds/minutes later after the camera has rebooted.
 
Ugh, how long does it take for the cam to restart?
You can flash a new firmware via configtool using port 3800 but if the camera bootloops then that's not a good idea xd
You could try connecting to the cam with configtool on port 3800 and let it sit for a few minutes - see if it bootloops.
That service resets the watchdog timer when you're connected, it'd still bootloop if sonia is killing the camera.

Telnet should be online when 3800 is online.... Try again? :v
 
I noticed that the configtool is only working when the camera is online for a minute.
But you're right that the loop is killing the tcp connection after I have connection via the config tool.

it's not going to work. Can't get in the camera.
Is there a way to hard reset? And restore original firmware?

In total the camera is 2 minutes online before rebooting.

Can I use the patch in your post and try to upload it via configtool?
Dahua Firmware Mod Kit + Modded Dahua Firmware

I should have read this whole thread. It sounds like this is a special camera from China which is different than the rest of the series. :(

Does anyone have the original firmware (IPC-HFW4431R-Z) of this (China market) camera?
 
If I connect via configtool and change the port from 37777 to 3800 the camera will stay "online" and I have an option to "upgrade" with a compatible image file.

What are my options? because I haven't got the original firmware.
 
That sounds good. I really don't understand why telnet would not work however.....
I can't know what is causing sonia to die without you having telnet access or UART serial console.

As to what firmware to flash, someone here said they had the same problem with the current one and used the previous beta one here: https://i.botox.bz/DH_IPC-HX4XXX-Eos_BETA.bin
 
Ugh, I was too fast when I saw some original file from Dahua itself.

DH_IPC-HX4XXX-Eos_Chn_PN_Stream3_V2.420.0000.22.R.20161209.bin

I flashed it via configtool. Now I have only TCP 3800 available and cannot connect via configtool anymore. :(
I thought I could fix it with this original file....:(
 
ConfigTool should still work if port 3800 is open....
Well, you can open it up - get a USB to UART thingy and get root that way - maybe?
Probably not since dh_keyboard is 1 by default, lol.
 
Whoow...The camera was on second floor and I just powercycled it. It's working again. pffff. :)
Happy, now

It's all Chinese for now but I have a web interface and I've got video.
Thanks man! Cheers! ;)

Configtool is also working again.
 
Now is probably a good idea to telnet into it and run "dh_keyboard 0" - just in case.

I cross-compiled utelnetd (a very small telnet server) for this camera while working on the latest Chinese firmware (where telnet seems to be broken), could build an image with that as it should always work and not depend on Dahua's crap.

Also not getting further with the new FW...
As mentioned before it checksums itself and crashes on the futex(2) syscall...

I could make an english only FW I guess without touching the binary.
 
I've tried to enable Telnet via the link provided in this forum.
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true

It says: "ok" but telnet is not accessible. Via a portscan port 23 also doesn't show up.

Maybe I can try the "DH_IPC-HX4XXX-Eos_BETA.bin"?