Dahua Firmware Mod Kit + Modded Dahua Firmware

Does anybody know if the hbdw4433r-zs has the same NAND-Eos as the hbdw4431r-zs?
 
I tried to run extract.py on NVR firmware and got:

osboxes@osboxes:/media/sf_vbox/nvr_hack/Dahua-Firmware-Mod-Kit$ ./extract.py ../DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin
WARNING Autodetected config: NVR4XXX-4KS2
INFO Extracting 8 files to: 'DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted'
INFO Processing 'Install.lua'.
INFO Processing 'u-boot.bin.img'.
INFO Processing 'uImage.img'.
INFO Processing 'romfs-x.squashfs.img'.

create_inode: failed to create symlink DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted/romfs-x.squashfs.img.extracted/bin/[, because Read-only file system

create_inode: failed to create symlink DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted/romfs-x.squashfs.img.extracted/bin/[[, because Read-only file system

create_inode: failed to create symlink DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted/romfs-x.squashfs.img.extracted/bin/addgroup, because Read-only file system

.... many many similar text then....

create_inode: failed to create symlink DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted/romfs-x.squashfs.img.extracted/usr/sbin/3gpp, because Read-only file system
INFO Processing 'web-x.squashfs.img'.
INFO Processing 'custom-x.squashfs.img'.
INFO Processing 'logo-x.squashfs.img'.
CRITICAL Missing dependency: 'cramfsck'
ERROR 'CramFS' handler returned non-zero return value for file: 'logo-x.squashfs.img.raw'
Traceback (most recent call last):
  File "./extract.py", line 238, in <module>
    extractor.Extract(args.source)
  File "./extract.py", line 113, in Extract
    raise Exception("Handler returned non-zero return value!")
Exception: Handler returned non-zero return value!


What do I have to do? What is the reason for the error?
 
I tried to run extract.py on NVR firmware and got:

osboxes@osboxes:/media/sf_vbox/nvr_hack/Dahua-Firmware-Mod-Kit$ ./extract.py ../DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin
*snip*
create_inode: failed to create symlink DH_NVR4XXX-4KS2_Eng_V3.215.0000000.3.R.171106.bin.extracted/romfs-x.squashfs.img.extracted/bin/[, because Read-only file system
*snip*

What do I have to do? What is the reason for the error?

I suspect your /media folder is a read-only filesystem. Copying everything to /tmp might help? Good luck!
 
What is the reason for the error?
Various errors.
I think that the errors creating symlinks are not fatal - as it indicates, squashfs is a read-only file system, so you cannot add or change the contents that result from the image being mounted.

The cramfs errors are likely because you don't have the cramfsprogs package installed.

But if you want to unpack the firmware .bin file, quite easily done by another method:
With your favourite HEX editor, change the first 2 bytes of the .bin file from DH to PK and re-save.
It's now a proper ZIP archive - extract all files with unzip
 
Reactions: Илдар
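The header swap described in the post above, as an added Python example (not part of the thread or of the Dahua Firmware Mod Kit): it restores the `DH` magic to `PK` in memory, CRC-checks the archive, and extracts it while refusing member paths that would land outside the destination directory. The function names and the sample image are constructed for illustration; the only format assumption is the one the post states, that the .bin is a ZIP whose first two bytes were changed.

```python
import io
import os
import sys
import tempfile
import zipfile

DAHUA_MAGIC = b"DH"  # first two bytes of the .bin, per the post above
ZIP_MAGIC = b"PK"    # first two bytes of a standard ZIP local file header


def dahua_to_zip_bytes(blob: bytes) -> bytes:
    """Return the image with its 2-byte magic restored to 'PK'."""
    if blob[:2] == ZIP_MAGIC:
        return blob  # already a plain ZIP
    if blob[:2] != DAHUA_MAGIC:
        raise ValueError(f"unexpected magic {blob[:2]!r}, not a DH-prefixed ZIP")
    return ZIP_MAGIC + blob[2:]


def unpack_firmware(blob: bytes, dest: str) -> list:
    """Extract all members under dest; reject CRC errors and path traversal."""
    root = os.path.realpath(dest)
    names = []
    with zipfile.ZipFile(io.BytesIO(dahua_to_zip_bytes(blob))) as zf:
        bad = zf.testzip()  # reads every member and verifies its CRC-32
        if bad is not None:
            raise ValueError(f"CRC mismatch in member {bad!r}")
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"member escapes destination: {info.filename!r}")
            zf.extract(info, root)
            names.append(info.filename)
    return names


def make_sample_image() -> bytes:
    """Constructed stand-in for a firmware .bin: a small ZIP with 'DH' magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Install.lua", "-- constructed sample\n")
        zf.writestr("romfs-x.squashfs.img", b"\x00" * 64)
    return DAHUA_MAGIC + buf.getvalue()[2:]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_image()
    out = tempfile.mkdtemp(prefix="dh_fw_")
    print(out, unpack_firmware(blob, out))
```

Run it with a firmware path as the first argument; with no argument it unpacks the constructed sample. The original .bin is never modified, so it can still be hashed or re-flashed unchanged.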
I have some cameras in my collection - HDBW4631R-ZS and HDBW4433R-ZS, both are Chinese hacked cams. Do you think with this tool I will be able to install the latest firmware version with English language?
 
It seems the TFTP method won't work on some new firmware Chinese cameras to downgrade them. Does anybody have any tips or tricks? I just get the failed message.
 
What failed message do you get?
I am pretty convinced with the right setup, you should succeed in downgrading via TFTP. Did that already a couple of times with my VTO2000.
 
check.img appears to fail, and I then get failed.txt show up

TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Download Filename 'check.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 10128 (2790 hex)

## Checking Image at 82000000 ...
Legacy image found
Image Name: check
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 10064 Bytes = 9.8 KiB
Load Address: 00000000
Entry Point: 00000000
Verifying Checksum ... OK
Programing start at: 0x00000000
Overflow Flash Part,Check packshop
flwrite error 1!
cmd Failed tftp 0x82000000 check.img; flwrite!
partition file version 2
rootfstype squashfs root /dev/mtdblock7
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
get bootargs info failed
cmdLine mem=85M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
 
@cctvguynz: I guess there is something absolutely wrong in your commands.txt.
I need more info to be able to help you: What device, what firmware image and your commands.txt?
 
Hello everyone. Can anyone help sticking English into IPC-HFW4233K-AS-LED cameras? I bought it on taobao and did not find out from the seller in which language the firmware was.
 
Hi all,

Unfortunately I have upgraded my VTO2000A to the latest SIP firmware (20180627). Now I am trying to go back to 20170425 one using TFTP method as I would like to get some additional languages in, but I got stuck at VTO2000A trying to download failed.txt just after upgrade_info_7db780a713a4.txt and romfs-x.cramfs.img gets transferred. No log is being received on 5002 which makes this really hard to debug.

@riogrande75 - have you managed to get yours up and running back again?

I am unsure if my upgrade_info_7db780a713a4.txt gets populated properly by Dahua_TFTPBackup. Can anyone share an archive of 20170425 SIP firmware containing upgrade_info_7db780a713a4.txt file?


Thanks,
lmk
 
Hi guys, is there a possibility to turn the 3g by firmware modification??? (in HCVR) If yes, can anyone give me some tips for doing it???

Another question: How to put some language by fw modding??
Thanks
 
I realize the camera isn't new, but I bricked my HDBW4421R-AS. It was running 2.400.0.28 when I tried to flash "DH_IPC-HX4X2X-Themis_EngSpn_N_Stream3_V2.620.0000002.0.R.170830" from the WebUI.

The camera took the firmware and rebooted and began boot looping. I could only reach it when it would ping for a while then go offline and then start pinging again.

I pulled the camera down and connected to the TX RX pins and using the steps here:
Dahua IPC EASY unbricking / recovery over TFTP
and
Dahua IPC unbricking / recovery over serial UART and TFTP

I flashed the camera with multiple versions of the firmware, both Cor35vet's modded firmware and the original DH-Themis-2.400.0.28.

Every time the camera boots now, the webUI doesn't start and the only port open is 3800.

Looking at the debug output I see the following:

Code:
hwid_value =IPC-HFW4421B:01:02:02:23:19:00:01:06:01:01:04:258:03:00:00:00:00:01:00:00:100
product_name =IPC-HFW4421B

sonia starts, and then I see the following:

Code:
4iav_check_sys_clock(1210): DSP Core clock real [216000000] lower than target [288000000].
4iav_check_sys_clock(1220): DRAM clock real [528000000] lower than target [564000000].
6S2L chip ID [2], DSP memory bandwidth [427 MB/s], limit [1287 MB/s].
10:05:56|[AEW] get amba sensor id=4106
10:05:56|[AEW] get amba vin_mode=28, vin_fps=20480000
10:05:56|[AEW] get the product info: sensor id is 34, product type is 161.
10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
10:05:56|[libpdi] pIcrAewType = 0
10:05:56|[AEW] File[../src/s2l/mw_sensor_param.c] Line[207], icrAewType=0
10:05:56|[AEW] pMw_info->sensor.sensor_id is 26
  wb_param is cfg_wb_param!
10:05:56|[AEW] lensType = 0
10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
10:05:56|[AEW] ====pMw_info->res.isp_pipeline=0====
>>> pipline:0, hdr_mode:0, expo_num:1, raw_pitch:0
>>> main:size 1920x1088, raw:2560x1440, resolution:10
10:05:56|[AEW] get amba sensor id=4106
10:05:56|[AEW] get amba vin_mode=28, vin_fps=20480000
10:05:56|[AEW] get the product info: sensor id is 34, product type is 161.
10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
10:05:56|[libpdi] pIcrAewType = 0
10:05:56|[AEW] File[../src/s2l/mw_sensor_param.c] Line[207], icrAewType=0
10:05:56|[AEW] pMw_info->sensor.sensor_id is 26
  wb_param is cfg_wb_param!
10:05:56|[AEW] lensType = 0
10:05:56|[AEW] ../src/s2l/mw_sensor_param.c::chooseCurParam:76 curParamType=0
10:05:56|[AEW] ====pMw_info->res.isp_pipeline=0====
>>> ====amba_img_dsp_set_af_statistics_exe ok====

>>> ====amba_img_dsp_get_af_statistics_ex ok====
>>> AlgoMode:0 FuncMode:0 ContextId:0 BatchId:0 ConfigId:0
>>> horizontal_filter1_mode:0 stage1-3_enb:1 1 1
>>> gain:188 476 -235 375 -184 276 -206
>>> shift:7 2 2 0
>>> bias_off:0 0 0 8 8 123 132
>>> horizontal_filter2_mode:0 stage1-3_enb:1 1 0
>>> gain:168 -273 -219 -152 -213 0 0
>>> shift:9 0 0 0
>>> bias_off:0 0 0 8 8 123 132

10:05:57|[libencode] idlecount 0
10:05:58|[libencode] idlecount 1
no translater fordsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
 filter 10
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
dsp_put_cmd(348): ===== DSP CMD Q is full. Wait for next INT!
handle_enc_msg(209): Vsync loss detected!
handle_enc_msg(209): Vsync loss detected!
init 3A done
loop start now
handle_enc_msg(209): Vsync loss detected!
handle_enc_msg(209): Vsync loss detected!

The line "handle_enc_msg(209): Vsync loss detected!" repeats until a crash occurs and the camera reboots.

If it matters, all of the "run" commands work, but pd-x.squashfs.img always fails with a timeout:
Code:
tftp 0x82000000 pd-x.squashfs.img; flwrite
However, I also have flashed .BIN's through Config Tool with the same issue.

I'd love some ideas if anyone has them. Thanks!
 
@lmk: Yes, mine is working fine again. With the TFTP method you can upgrade/downgrade from/to any version you want.
Hardest part is to get network connection directly at boottime. I tried it with a 10/100 MBit hub (for sniffing the whole stuff) but that did not work steady (=>failed.txt).
After using a 10/100 switch I got it baken.
 
I dared to upgrade my VTO2000A to latest 20180105 SIP FW and I advise anybody to NOT DO this!
There are some nice benefits built in the firmware but due to a brand new bootloader you are not able to upload something via TFTP anymore. It just requests "failed.txt" via TFTP, nothing else.
Also it seems that dahua f***** up the UART somehow: I don't get anything meaningful out of it now.
May I have your email?
 
You can just do this then:
Code:
cp "/dev/mtd0ro" "./mtd0_MinBoot"
cp "/dev/mtd1ro" "./mtd1_U-Boot"
cp "/dev/mtd2ro" "./mtd2_hwid"
cp "/dev/mtd3ro" "./mtd3_partition"
cp "/dev/mtd4ro" "./mtd4_Kernel"
cp "/dev/mtd5ro" "./mtd5_romfs"
cp "/dev/mtd6ro" "./mtd6_web"
cp "/dev/mtd7ro" "./mtd7_user"
cp "/dev/mtd8ro" "./mtd8_updateflag"
cp "/dev/mtd9ro" "./mtd9_config"
cp "/dev/mtd10ro" "./mtd10_product"
cp "/dev/mtd11ro" "./mtd11_custom"
cp "/dev/mtd12ro" "./mtd12_backupker"
cp "/dev/mtd13ro" "./mtd13_backupfs"

Hi, I want to ask how I can use these backups. I bricked one of the cameras and got a backup your way from another camera. When I upload the ROM by TFTP, it says as below. I have tried using a hex editor to cut the FF part of the file and rename it as the name it should

Code:
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'pd-x.squashfs.img'.Download to address: 0x2000000
Downloading: *
done
Bytes transferred = 3407872 (340000 hex)

## Checking Image at 02000000 ...
Unknown image format!
   Bad Image Info
flwrite error 1!
cmd Failed tftp 0x2000000 pd-x.squashfs.img; flwrite!

I also got an issue when using uImage.py; the error happens on the original firmware (from here) or the backup

Code:
[07:04:00] openhabian@OpenhabianPi-Server:~/Dahua-Firmware-Mod-Kit/test$ python3 ~/Dahua-Firmware-Mod-Kit/uImage.py -x partition-x.cramfs.img
Traceback (most recent call last):
  File "/home/openhabian/Dahua-Firmware-Mod-Kit/uImage.py", line 555, in <module>
    main()
  File "/home/openhabian/Dahua-Firmware-Mod-Kit/uImage.py", line 542, in main
    imageExtract(image)
  File "/home/openhabian/Dahua-Firmware-Mod-Kit/uImage.py", line 441, in imageExtract
    filename = d['name'].rstrip('\0')
TypeError: Type str doesn't support the buffer API
[07:04:14] openhabian@OpenhabianPi-Server:~/Dahua-Firmware-Mod-Kit/test$ python ~/Dahua-Firmware-Mod-Kit/uImage.py -x partition-x.cramfs.img
  File "/home/openhabian/Dahua-Firmware-Mod-Kit/uImage.py", line 279
    print("Image name:\t", end='')
                              ^
SyntaxError: invalid syntax

Please kindly advise what to do.
 
I have a IPC-HDW4631C-A and tried to update it with the firmware for IPC-HDW4631EM-ASE "[PAL]DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.7.R.20170306" but then it boot looped. After that I was able to flash
DH_IPC-HX5X3X-Rhea_Chn_PN_Stream3_V2.622.0000000.18.R.20171110.bin via TFTP. Now the cam is working again but all in Chinese. Does your firmware also work for this model? I would like to have it in English.

/edit

Now modded the Chinese firmware by replacing the simplechinese.txt with English and modified the files where the language settings are. Furthermore I replaced the html in the help folder. But this is not working, after flashing it with tftp the camera is still in boot loop.

In a second attempt I just replaced the content of the simplechinese.txt by the English content. This ends in the same result.

I think the problem is because the new firmware is signed. Has anyone successfully modded a newer firmware?
Hello, finally did you fix it IPC-HDW4631C-A and get English back?

Now I have the cam IPC-HDW4631C-A with hacked End Rus Esp - how can I make a dump of the hacked firmware?
 
Hi @cor35vet!

My Dahua NVR model is Single-bay economy NVR 21HS-S1 series - 1 disk bay - Zhejiang Dahua Technology Co., Ltd.
It is a local Chinese product, with Chinese language only.
I need to translate it to my local Vietnamese language or English language.
Can you help me to do that?
Thank you so much!

PS: I've tried your solution Dahua Firmware Mod Kit, but was not successful setting up the squashfs-tools and cramfs in Ubuntu Linux 14.04 LTS
So I can't extract the firmware to learn how to translate the Chinese language to Vietnamese...

Here is my Dahua NVR firmware: MEGA
@cor35vet, Can you help me!