Dahua Firmware Mod Kit + Modded Dahua Firmware

bashis

IPCT Contributor
Joined
May 27, 2017
Messages
87
Reaction score
118
This is my own developed tool, nothing to do with SDK at all (and tried on multiple FW versions).

But yes, the request is normal JSON via WebUI, and the most interesting part of the request is this to enable:
{"method": "configManager.setConfig", "session": 217419250, "params": {"table": {"Enable": true}, "name": "Telnet"}, "id": 21}

I'll release what I've been researching, when I'm done with the stuff
Dahua Enable / Disable Telnetd (JSON request for newer firmware)
(You will need to know login/password for the Dahua device to get this code running)
Can't gurantee that this will work with all Dahua, working with my IPC and should work with DVR/NVR/HDVR (with newer FW)... etc
(I know Dahua has been killing telnetd hard, deleted telnetd... and done lots of stupid stuff)

PoC/dahua-telnetd-json.py at master · mcw0/PoC · GitHub
 

mister7

n3wb
Joined
Jun 15, 2017
Messages
7
Reaction score
0
Dahua Enable / Disable Telnetd (JSON request for newer firmware)
(You will need to know login/password for the Dahua device to get this code running)
Can't gurantee that this will work with all Dahua, working with my IPC and should work with DVR/NVR/HDVR (with newer FW)... etc
(I know Dahua has been killing telnetd hard, deleted telnetd... and done lots of stupid stuff)

PoC/dahua-telnetd-json.py at master · mcw0/PoC · GitHub

Thank you for this! Doesn't seem to work on
DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.9.R.20170428.bin
[*] [Dahua Telnetd enable/disable [JSON] (2017 bashis <mcw noemail eu>)]

Remote target IP: 192.168.1.108
Remote target PORT: 80
[>] Requesting session ID
[<] 200 OK
Detected generation 3 encryption
[>] Logging in
[<] 200 OK
[<] Login OK
[>] Enable telnetd: True
[<] 200 OK
{u'session': 43411452, u'params': {u'options': None}, u'id': 1, u'result': True}
Logging out
[<] 200 OK
{u'session': 43411452, u'id': 10001, u'result': True}

telnet 192.168.1.108
Trying 192.168.1.108...
telnet: Unable to connect to remote host: Connection refused


nmap -v -sT -sV 192.168.1.108

Starting Nmap 7.01 ( Nmap: the Network Mapper - Free Security Scanner ) at 2017-10-24 11:24 PDT
NSE: Loaded 35 scripts for scanning.
Initiating Ping Scan at 11:24
Scanning 192.168.1.108 [2 ports]
Completed Ping Scan at 11:24, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:24
Completed Parallel DNS resolution of 1 host. at 11:24, 0.02s elapsed
Initiating Connect Scan at 11:24
Scanning 192.168.1.108 [1000 ports]
Discovered open port 554/tcp on 192.168.1.108
Discovered open port 80/tcp on 192.168.1.108
Discovered open port 49152/tcp on 192.168.1.108
Discovered open port 5000/tcp on 192.168.1.108
 
Last edited:

mister7

n3wb
Joined
Jun 15, 2017
Messages
7
Reaction score
0
Thanks for info, will look at that FW.
:~/git/Dahua-Firmware-Mod-Kit/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.9.R.20170428.bin.extracted/romfs-x.squashfs.img.extracted/sbin$ file ubifs_chk
ubifs_chk: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 2.6.16, BuildID[sha1]=d85428a1b7bff02bb0082d21451d1aa8fc5a5d40, not stripped
:~/git/Dahua-Firmware-Mod-Kit/DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.9.R.20170428.bin.extracted/romfs-x.squashfs.img.extracted/sbin$ file utelnetd
utelnetd: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

I believe most systems are armel and the new models are based on the armhf - likely a cleaned up version of telnetd.
 
Last edited:

alroy

n3wb
Joined
May 15, 2016
Messages
1
Reaction score
1
Hello everyone.
I have a question about the HCVR-S3.
Any changes in custom.lua file cause a system crash.
A custom.lua file, always accompanies with image. file (type of CHECKSUM...CRC...???).
Does anyone know how to properly modify the custom.lua file?
Thanks
 

strizek

n3wb
Joined
Jun 13, 2017
Messages
2
Reaction score
0
Hello,

we have a problem with sign.img file:

WARNING Autodetected config: NVR4XXX-4KS2
INFO Extracting 8 files to: 'DH_NVR4XXX-4KS2_Eng_V3.215.0000000.1.R.170902.bin.extracted'
INFO Processing 'Install.lua'.
INFO Processing 'u-boot.bin.img'.
INFO Processing 'uImage.img'.
INFO Processing 'romfs-x.squashfs.img'.
INFO Processing 'web-x.squashfs.img'.
INFO Processing 'custom-x.squashfs.img'.
INFO Processing 'logo-x.squashfs.img'.
WARNING Unrecognized file: 'sign.img'.

When we put it back into file this sign.img manually, then flashing fw impossible. (update failed)

Is there way, how to change language in newest fw file ? I think, dahua made some security changes, private key or etc.

thank you
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Coincidentally somebody e-mailed me today about the same topic.
Also it has been asked in this and other threads a bunch of times.
Hi, sign.img is used on newer cameras / firmware to cryptographically sign the firmware. The camera will only accept signed firmware through the normal upgrade paths and you can not sign your own firmware because the signing key is obviously private. You can flash the firmware on port 3800 using configtool if the upgraded tool is running on the device (usually not). The upgraded tool can be started from telnet or a serial console. Otherwise you'd have to manually flash the device using the U-Boot bootloader, check out the Dahua recovery threads I made.
Check out the recovery link in my signature vvvvvvv
 

strizek

n3wb
Joined
Jun 13, 2017
Messages
2
Reaction score
0
thank you, but we need to change language and let users to normally use. Is there some way, how to disable this cryptocheck, or generate new private key ?
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
thank you, but we need to change language and let users to normally use. Is there some way, how to disable this cryptocheck, or generate new private key ?
I can disable the check by patching the sonia/Challenge binary in the new firmware.
But you have to get that new firmware onto the camera somehow...
 

Jeroen1000

Young grasshopper
Joined
Sep 26, 2016
Messages
42
Reaction score
13
Hi Cor35Vet,

You did a great job make the firmware more customizable. Thanks! The entire thread is an interesting read. I would like to ask your opinion on something. How hard would it be to identify the code responsible for a D/N shift and make it perform an extra action when it activates the IR-leds?

Alternatively, code that would continiously poll the status of the IR-leds (on or off) could work too. Don't know about the CPU-overhead though.

The extra action would be to adjust the focus to a pre-computed value depending on the IR-status (on or off). Dahua allows us to do this via an HTTP-call so that's probably the easy part:).
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
108
Location
Germany
@Jeroen1000 to do this we must reverse engineer the binary source code. As I understand, cor35vet doesn´t need to compile it for his modifications. So I don´t believe it´s possible :(
 

Jeroen1000

Young grasshopper
Joined
Sep 26, 2016
Messages
42
Reaction score
13
@TVT73 Blast, I was afraid of that. But maybe...the IR-status or the position of the IR-cut filter can be queried/polled, as I pointed out above aka "the alternative way". Then it's a matter of querying it often enough to have fast response. That could be done with a cronjob on the camera itself.

Alas, I'm not into Linux enough to begin trying to do that:(
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
108
Location
Germany
This would be a bad idea. You will reduce lifetime of the focus system. Therefore I suggested to dahua to use focus store points and recall them. And another reason why this is a bad idea, refocusing will give for a few seconds a defocused picture, and ivr and events are disabled at this time.

But it´s possible to read and call focus points from http api. But it´s much more work and I had lost so many time in this because of the malfunctioning profile switching with poe nvr´s, where i can´t control the cam by http api directly himselve.
 

Jeroen1000

Young grasshopper
Joined
Sep 26, 2016
Messages
42
Reaction score
13
If you can query the IR status you could just go to the focus point that was saved instead of a full refocus. I wasn't implying a full refocus actually. It would work exactly as using the HTTP API. The stored focus points can be saved in the tmp folder. How to focus is not the issue, it's more the when.
 

Jude201186

n3wb
Joined
Jul 6, 2017
Messages
13
Reaction score
0
Hi,

I've been hacking around with my Dahua camera and made a script to unpack and rebuild the firmware upgrade images.
Check out the Github for more info: GitHub - BotoX/Dahua-Firmware-Mod-Kit: Unpack and repack Dahua IP camera firmware upgrade images.

Give me firmware for my camera!
You can download the firmware image that fits your camera below and flash it to your camera or unpack and modify it more.
It will work on both Chinese and international models.
International cameras can flash back to official English firmware after using my modded firmware.
Chinese cameras will never work with official English firmware - they need to be patched.

For IPC-HX4XXX-Eos ("Eco-savvy 2.0" 3rd gen) cameras:
https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.bin
Software Version: 2.420.0000.22.R, Build Date: 2016-12-09
MD5Sum: 1332430392def5d9becd4e883d26f7d8
SHASum: 1bc476b78fd706b225243c12a334631971ea6a7c

Compatible cameras according to Dahua:
DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2

Based on official English firmware with following noteworthy changes:
  • English, French, Spanish and Russian language.
  • PAL/NTSC
  • Unlocked additional web GUI features/options.
    • Disable P2P: Network -> TCP/IP -> Easy4ip
  • Hacked Playback to also work with NAS/NFS.
    • Playback tab will be enabled when you have an SD card (default) or enabled NAS/NFS feature. (F5 after you added a NAS)
    • Added option to select NAS instead of SD, obviously...
    • I barely tested it but it seemed to play fine... feedback welcome.
    • FTP can not be supported, stop using it, it's awful.
  • Unlocked all IVS modes.
  • Disabled "CloudUpgradeServer".
  • Telnet enabled permanently on port 2300.

For IPC-HX4XXX-NAND-Eos (-ZS models) cameras:
https://i.botox.bz/General_IPC-HX4XXX-NAND-Eos_EngChnFraSpaRus_PN_Stream3_V2.420.0000.21.R.20160724.bin
Software Version: 2.420.0000.21.R, Build Date: 2016-07-24
MD5Sum: c9ce325783ef99f8c476e861ebd4f82a
SHASum: 119f03c9a35509fb81393aa6653ace884873e57d

Compatible cameras (guessed):
IPC-HDBW4231R-ZS
IPC-HDBW4431R-ZS

Based on Chinese firmware with following noteworthy changes:
  • English, Chinese, French, Spanish and Russian language.
  • PAL/NTSC
  • Unlocked additional web GUI features/options.
    • Disable P2P: Network -> TCP/IP -> Easy4ip
  • Unlocked all IVS modes.
  • Disabled "CloudUpgradeServer".

For IPC-HX4X2X-Themis ("Eco-savvy 2.0" 2nd gen) cameras:
https://i.botox.bz/DH_IPC-HX4X2X-Themis.bin
Software Version: 2.400.0000.34.R, Build Date: 2016-08-01
MD5Sum: 3a6d937e453c91202ab64542d83f1a38
SHASum: c5bfae26ff027d5c3a2c03e73dcbb9cf3e978759

Compatible cameras according to Dahua:
DH-IPC-HDW4120C-A,DH-IPC-HDW4125C-A
DH-IPC-HDW4221C-A,DH-IPC-HDW4226C-A
DH-IPC-HDW4421C-A,DH-IPC-HDW4426C-A
DH-IPC-HDW4120C-A-V2,DH-IPC-HDW4125C-A-V2
DH-IPC-HDW4120S,DH-IPC-HDW4125S,DH-IPC-HDW4221S,DH-IPC-HDW4226S
DH-IPC-HDW4320S,DH-IPC-HDW4325S,DH-IPC-HDW4421S,DH-IPC-HDW4426S
DH-IPC-HDW4120C,DH-IPC-HDW4125C,DH-IPC-HDW4221C,DH-IPC-HDW4226C
DH-IPC-HDW4320C,DH-IPC-HDW4325C,DH-IPC-HDW4421C,DH-IPC-HDW4426C
DH-IPC-HDBW4120R,DH-IPC-HDBW4125R,DH-IPC-HDBW4120R-AS,DH-IPC-HDBW4125R-AS
DH-IPC-HDBW4221R,DH-IPC-HDBW4226R,DH-IPC-HDBW4221R-AS,DH-IPC-HDBW4226R-AS
DH-IPC-HDBW4421R,DH-IPC-HDBW4426R,DH-IPC-HDBW4421R-AS,DH-IPC-HDBW4426R-AS
DH-IPC-HFW4120B,DH-IPC-HFW4125B,DH-IPC-HFW4120D,DH-IPC-HFW4125D
DH-IPC-HFW4221B,DH-IPC-HFW4226B,DH-IPC-HFW4221D,DH-IPC-HFW4226D
DH-IPC-HFW4320B,DH-IPC-HFW4325B,DH-IPC-HFW4320D,DH-IPC-HFW4325D
DH-IPC-HFW4421B,DH-IPC-HFW4426B,DH-IPC-HFW4421D,DH-IPC-HFW4426D
DH-IPC-HFW4120F,DH-IPC-HFW4125F,DH-IPC-HFW4120F-AS,DH-IPC-HFW4125F-AS
DH-IPC-HFW4120B-AS,DH-IPC-HFW4125B-AS,DH-IPC-HFW4120D-AS,DH-IPC-HFW4125D-AS
DH-IPC-HFW4221B-AS,DH-IPC-HFW4226B-AS,DH-IPC-HFW4221D-AS,DH-IPC-HFW4226D-AS
DH-IPC-HFW4421B-AS,DH-IPC-HFW4426B-AS,DH-IPC-HFW4421D-AS,DH-IPC-HFW4426D-AS

For IPC-HX8XXX-Demeter (Pinhole) cameras:
https://i.botox.bz/DH_IPC-HX8XXX-Demeter_Eng_P_V2.400.0000.10.R.20160314.bin
MD5Sum: 21a05c0520a5e511cb476f1608505df1
SHASum: cdb1e0b219d4586c50e74ba80019b34e958f06cb

Compatible cameras according to HWID:
IPC-HDBW8281-PC
IPC-HDBW8281-Z
IPC-HF8101
IPC-HF8201
IPC-HF8281
IPC-HF8291E-4GT
IPC-HF8301
IPC-HF8351E-4GT
IPC-HFW8101
IPC-HFW8106
IPC-HFW8201
IPC-HFW8206
IPC-HFW8281
IPC-HFW8281E-IRA
IPC-HFW8286
IPC-HFW8301
IPC-HFW8306
IPC-HUM8101
IPC-HUM8101-0280B

NVRs:


TIP: Reset your camera to default config before updating, seems like Dahua messed something up so sonia will crash on certain configs...

PLEASE POST HERE IF YOU HAVE MORE LANGUAGES [OR A CAMERA WITH ANOTHER LANGUAGE]


These cameras have checks in place (HWID) so you can't flash the wrong firmware, hopefully this should prevent you from bricking your camera.

Experts can also use https://i.botox.bz/flashcp (from mtd-utils compiled with Hi3516a SDK) to flash .raw images to partitions on the camera from it's busybox shell.
This is useful while messing around, testing changes so you don't have to flash the full upgrade image every time.

WARNING: DO NOT FLASH THE OFFICIAL ENGLISH FIRMWARE ON CHINESE HARDWARE!
It won't start and you'll have to flash your camera back to the chinese one manually (over telnet or TFTP recovery)
And if you really want to try then at least do "appauto 0" to stop sonia from autostarting before flashing.
I personally always add permanent telnet to the image I am flashing with Dahua-Firmware-Mod-Kit, like so: Add utelnetd server · BotoX/DH_IPC-HX4XXX-Eos@2ddf0f5 · GitHub

Also, thanks to @nayr for chatting with me on IRC :v
(If this helped you and you have some spare for a student: paypal.me/BotoX)
(If shit hit the fan and you bricked your camera: Dahua IPC unbricking / recovery over serial UART and TFTP)
Hi,

I've been hacking around with my Dahua camera and made a script to unpack and rebuild the firmware upgrade images.
Check out the Github for more info: GitHub - BotoX/Dahua-Firmware-Mod-Kit: Unpack and repack Dahua IP camera firmware upgrade images.

Give me firmware for my camera!
You can download the firmware image that fits your camera below and flash it to your camera or unpack and modify it more.
It will work on both Chinese and international models.
International cameras can flash back to official English firmware after using my modded firmware.
Chinese cameras will never work with official English firmware - they need to be patched.

For IPC-HX4XXX-Eos ("Eco-savvy 2.0" 3rd gen) cameras:
https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.bin
Software Version: 2.420.0000.22.R, Build Date: 2016-12-09
MD5Sum: 1332430392def5d9becd4e883d26f7d8
SHASum: 1bc476b78fd706b225243c12a334631971ea6a7c

Compatible cameras according to Dahua:
DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2

Based on official English firmware with following noteworthy changes:
  • English, French, Spanish and Russian language.
  • PAL/NTSC
  • Unlocked additional web GUI features/options.
    • Disable P2P: Network -> TCP/IP -> Easy4ip
  • Hacked Playback to also work with NAS/NFS.
    • Playback tab will be enabled when you have an SD card (default) or enabled NAS/NFS feature. (F5 after you added a NAS)
    • Added option to select NAS instead of SD, obviously...
    • I barely tested it but it seemed to play fine... feedback welcome.
    • FTP can not be supported, stop using it, it's awful.
  • Unlocked all IVS modes.
  • Disabled "CloudUpgradeServer".
  • Telnet enabled permanently on port 2300.

For IPC-HX4XXX-NAND-Eos (-ZS models) cameras:
https://i.botox.bz/General_IPC-HX4XXX-NAND-Eos_EngChnFraSpaRus_PN_Stream3_V2.420.0000.21.R.20160724.bin
Software Version: 2.420.0000.21.R, Build Date: 2016-07-24
MD5Sum: c9ce325783ef99f8c476e861ebd4f82a
SHASum: 119f03c9a35509fb81393aa6653ace884873e57d

Compatible cameras (guessed):
IPC-HDBW4231R-ZS
IPC-HDBW4431R-ZS

Based on Chinese firmware with following noteworthy changes:
  • English, Chinese, French, Spanish and Russian language.
  • PAL/NTSC
  • Unlocked additional web GUI features/options.
    • Disable P2P: Network -> TCP/IP -> Easy4ip
  • Unlocked all IVS modes.
  • Disabled "CloudUpgradeServer".

For IPC-HX4X2X-Themis ("Eco-savvy 2.0" 2nd gen) cameras:
https://i.botox.bz/DH_IPC-HX4X2X-Themis.bin
Software Version: 2.400.0000.34.R, Build Date: 2016-08-01
MD5Sum: 3a6d937e453c91202ab64542d83f1a38
SHASum: c5bfae26ff027d5c3a2c03e73dcbb9cf3e978759

Compatible cameras according to Dahua:
DH-IPC-HDW4120C-A,DH-IPC-HDW4125C-A
DH-IPC-HDW4221C-A,DH-IPC-HDW4226C-A
DH-IPC-HDW4421C-A,DH-IPC-HDW4426C-A
DH-IPC-HDW4120C-A-V2,DH-IPC-HDW4125C-A-V2
DH-IPC-HDW4120S,DH-IPC-HDW4125S,DH-IPC-HDW4221S,DH-IPC-HDW4226S
DH-IPC-HDW4320S,DH-IPC-HDW4325S,DH-IPC-HDW4421S,DH-IPC-HDW4426S
DH-IPC-HDW4120C,DH-IPC-HDW4125C,DH-IPC-HDW4221C,DH-IPC-HDW4226C
DH-IPC-HDW4320C,DH-IPC-HDW4325C,DH-IPC-HDW4421C,DH-IPC-HDW4426C
DH-IPC-HDBW4120R,DH-IPC-HDBW4125R,DH-IPC-HDBW4120R-AS,DH-IPC-HDBW4125R-AS
DH-IPC-HDBW4221R,DH-IPC-HDBW4226R,DH-IPC-HDBW4221R-AS,DH-IPC-HDBW4226R-AS
DH-IPC-HDBW4421R,DH-IPC-HDBW4426R,DH-IPC-HDBW4421R-AS,DH-IPC-HDBW4426R-AS
DH-IPC-HFW4120B,DH-IPC-HFW4125B,DH-IPC-HFW4120D,DH-IPC-HFW4125D
DH-IPC-HFW4221B,DH-IPC-HFW4226B,DH-IPC-HFW4221D,DH-IPC-HFW4226D
DH-IPC-HFW4320B,DH-IPC-HFW4325B,DH-IPC-HFW4320D,DH-IPC-HFW4325D
DH-IPC-HFW4421B,DH-IPC-HFW4426B,DH-IPC-HFW4421D,DH-IPC-HFW4426D
DH-IPC-HFW4120F,DH-IPC-HFW4125F,DH-IPC-HFW4120F-AS,DH-IPC-HFW4125F-AS
DH-IPC-HFW4120B-AS,DH-IPC-HFW4125B-AS,DH-IPC-HFW4120D-AS,DH-IPC-HFW4125D-AS
DH-IPC-HFW4221B-AS,DH-IPC-HFW4226B-AS,DH-IPC-HFW4221D-AS,DH-IPC-HFW4226D-AS
DH-IPC-HFW4421B-AS,DH-IPC-HFW4426B-AS,DH-IPC-HFW4421D-AS,DH-IPC-HFW4426D-AS

For IPC-HX8XXX-Demeter (Pinhole) cameras:
https://i.botox.bz/DH_IPC-HX8XXX-Demeter_Eng_P_V2.400.0000.10.R.20160314.bin
MD5Sum: 21a05c0520a5e511cb476f1608505df1
SHASum: cdb1e0b219d4586c50e74ba80019b34e958f06cb

Compatible cameras according to HWID:
IPC-HDBW8281-PC
IPC-HDBW8281-Z
IPC-HF8101
IPC-HF8201
IPC-HF8281
IPC-HF8291E-4GT
IPC-HF8301
IPC-HF8351E-4GT
IPC-HFW8101
IPC-HFW8106
IPC-HFW8201
IPC-HFW8206
IPC-HFW8281
IPC-HFW8281E-IRA
IPC-HFW8286
IPC-HFW8301
IPC-HFW8306
IPC-HUM8101
IPC-HUM8101-0280B

NVRs:


TIP: Reset your camera to default config before updating, seems like Dahua messed something up so sonia will crash on certain configs...

PLEASE POST HERE IF YOU HAVE MORE LANGUAGES [OR A CAMERA WITH ANOTHER LANGUAGE]


These cameras have checks in place (HWID) so you can't flash the wrong firmware, hopefully this should prevent you from bricking your camera.

Experts can also use https://i.botox.bz/flashcp (from mtd-utils compiled with Hi3516a SDK) to flash .raw images to partitions on the camera from it's busybox shell.
This is useful while messing around, testing changes so you don't have to flash the full upgrade image every time.

WARNING: DO NOT FLASH THE OFFICIAL ENGLISH FIRMWARE ON CHINESE HARDWARE!
It won't start and you'll have to flash your camera back to the chinese one manually (over telnet or TFTP recovery)
And if you really want to try then at least do "appauto 0" to stop sonia from autostarting before flashing.
I personally always add permanent telnet to the image I am flashing with Dahua-Firmware-Mod-Kit, like so: Add utelnetd server · BotoX/DH_IPC-HX4XXX-Eos@2ddf0f5 · GitHub

Also, thanks to @nayr for chatting with me on IRC :v
(If this helped you and you have some spare for a student: paypal.me/BotoX)
(If shit hit the fan and you bricked your camera: Dahua IPC unbricking / recovery over serial UART and TFTP)
 

Speed666

Getting the hang of it
Joined
Sep 19, 2015
Messages
167
Reaction score
91
Jude - no. You try to earn money on other's work and sell cams on Aliexpress. Go somewhere else.
 
Top