Dahua IPC EASY unbricking / recovery over TFTP

Discussion in 'Dahua' started by cor35vet, Feb 22, 2017.


  1. cor35vet

    A successor of Dahua IPC unbricking / recovery over serial UART and TFTP
    I recommend you read through the above thread first.

    If your camera still has a working bootloader (assume it does) then you can flash it easily, because:
    The camera tries to download a file called "upgrade_info_7db780a713a4.txt" from a TFTP server running on 192.168.254.254 and executes the commands in said file in the bootloader (U-Boot) shell.
    For more in-depth information, read this post: Dahua Firmware Mod Kit + Modded Dahua Firmware

    Step 1, Configuring the network correctly.
    The camera's IP is 192.168.1.108, the subnet mask is 255.255.255.0.
    The camera uses 192.168.1.1 as gateway to connect to 192.168.254.254.
    (It sends packets addressed to 192.168.254.254 to 192.168.1.1 because it's outside of the subnet)

    There are two options to make the camera be able to reach your computer.
    Option 1)
    If you have a router on 192.168.1.1, add a static route to it which redirects all packets which are meant for 192.168.254.254 to your computer (mine is 192.168.1.4):
    [Image: static route entry on the router]
    If your router doesn't have this function then it fucking sucks and doesn't deserve to be called a router.

    Option 2)
    Plug the camera straight into your computer's ethernet jack OR plug it into an ethernet switch where ONLY your computer and the camera are on (that's EXACTLY TWO devices).


    Now you need to add the IP 192.168.254.254 with a subnet mask of 255.255.0.0 to your NIC.
    If you opted for Option 1 you must not do steps 5, 6 and 7. (Or at least don't use the same IP as your router ^^)
    If you opted for Option 2 you need to do all steps.

    [Image: numbered steps for adding the IP to the NIC]
    (Please remember to undo the changes after you're done)

    It certainly would be nice to know if your network setup even works now, wouldn't it?
    You could try to capture all the traffic on your ethernet card with wireshark and see if you are receiving anything from the camera (192.168.1.108) when you power it up.
    You can skip this ^ and come back to it if the stuff below isn't working.

    Step 2, download this archive which has all the necessary tools (TFTP server, upgrade_info tool, netcat for console log):
    https://i.botox.bz/Dahua_TFTPBackup.zip

    There are three scripts in the archive:
    • Commands.bat
      • Reads commands.txt and generates upgrade_info_7db780a713a4.txt in root directory.
    • TFTPServer.bat
      • Starts TFTP server which serves the root directory on 192.168.254.254 (port 69 UDP)
    • Console.bat
      • Listens on 192.168.254.254 port 5002 UDP to receive the log from the camera after successfully downloading and running the given commands.
      • Could help you if you want to run a command and check the output.
        • For Example:
        • printenv and look for the HWID=IPC-HDW4431C:BLA:BLA
        • All firmware images have a check.img or hwid file with compatible HWIDs
        • You should not flash incompatible firmware
    If you looked at the thread I linked at the start of this post you should know what to do now:
    • Find working firmware for your camera.
    • Extract firmware using 7zip/WinRAR.
    • Confirm it is actually compatible using the HWID.
    • Place the extracted .img files into the root directory.
    • Write appropriate commands.txt to flash the img files onto the camera
      • Your camera should have some predefined ones in printenv, like:
      • dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite
      • In this case you can run above by putting run dr into the commands.txt
      • Check the thread linked at the start for a description of all commands.
      • cfgRestore might be useful if you want to reset your camera.
    HOWEVER: NEVER FLASH THE BOOTLOADER, THERE IS NEVER A REASON TO!!! (unless it's gone, but then this tutorial won't help you ^^)

    To make things simpler I have prepared and tested a package for Eos cameras using my latest modded firmware:
    https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.zip
    Compatible cameras according to Dahua:
    DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
    DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
    DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
    DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
    DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
    DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
    DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
    DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
    DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
    DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
    DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
    DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
    DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
    DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
    DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
    DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
    DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
    DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
    DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
    DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
    DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
    DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
    DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
    DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
    DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
    DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
    DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2
    commands.txt from above link:
    run dr
    run dk
    run du
    run dw
    run dp
    run dc
    tftp 0x82000000 pd-x.squashfs.img; flwrite
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    Step 3, flash it!
    If you modified commands.txt, run Commands.bat.
    Run TFTPServer.bat and Console.bat.
    Power up your camera, it should start downloading from the TFTP server.
    Close the TFTP server once you see "FLASHING_DONE_STOP_TFTP_NOW".
    Done?

    Thanks to @resegun for figuring out the magic behind upgrade_info_7db780a713a4.txt.
    (If this helped you and you have some spare for a student: paypal.me/BotoX)
     
    Nike, JAW, xyvyx and 11 others like this.
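
An added example, not part of the original post or its tool archive: a Python parser for the TFTP read request the bootloader sends at power-up, which can be run over captured UDP payloads to confirm the Step 1 network setup or to spot devices on a LAN asking 192.168.254.254 for a command file. The filename pattern generalizes the single name given in the post (an assumption), and the sample datagrams are constructed.

```python
import re
import struct

# Assumption: "upgrade_info_" + 12 hex digits + ".txt", generalized from the one
# name in the post; case-insensitive because a capture quoted later differs in case.
RECOVERY_FILE = re.compile(r"^upgrade_info_[0-9a-f]{12}\.txt$", re.IGNORECASE)
RECOVERY_SERVER = "192.168.254.254"   # hardcoded TFTP server IP from the post
TFTP_RRQ = 1                          # RFC 1350 opcode for a read request

def parse_rrq(payload: bytes):
    """Parse a TFTP read request (RFC 1350, options per RFC 2347).
    Returns (filename, mode, options) or None if it is not a well-formed RRQ.
    """
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != TFTP_RRQ:
        return None
    if payload[-1:] != b"\x00":        # every field must be NUL-terminated
        return None
    fields = payload[2:-1].split(b"\x00")
    if len(fields) < 2 or len(fields) % 2 != 0:
        return None                    # need filename, mode, then key/value pairs
    try:
        text = [f.decode("ascii") for f in fields]
    except UnicodeDecodeError:
        return None
    options = {k.lower(): v for k, v in zip(text[2::2], text[3::2])}
    return text[0], text[1].lower(), options

def find_recovery_fetches(packets):
    """Return (source IP, filename) for every RRQ that looks like a bootloader
    asking the recovery server for its command file."""
    hits = []
    for src, dst, payload in packets:
        rrq = parse_rrq(payload)
        if rrq and dst == RECOVERY_SERVER and RECOVERY_FILE.match(rrq[0]):
            hits.append((src, rrq[0]))
    return hits

# Constructed sample datagrams (UDP payloads only), not a real capture.
SAMPLE = [
    ("192.168.1.108", "192.168.254.254",
     b"\x00\x01upgrade_info_7db780a713a4.txt\x00octet\x00timeout\x001\x00blksize\x001468\x00"),
    ("192.168.1.50", "192.168.1.4", b"\x00\x01pxelinux.0\x00octet\x00"),
    ("192.168.1.108", "192.168.254.254", b"\x00\x01truncated"),  # malformed
]

if __name__ == "__main__":
    for src, name in find_recovery_fetches(SAMPLE):
        print(f"{src} requested {name} from {RECOVERY_SERVER}")
```

A hit from an address you did not power-cycle yourself means some device on that segment is booting into its recovery fetch, and whatever answers at 192.168.254.254 decides what it runs.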
  2. mcx

    Thanks @cor35vet !

    It took a few minutes to get my HDW5231R-Z live again. I deleted the 3 last lines from commands.txt then a few clicks and wait for a while. :)

    The camera came with fw dated 2016 07 05 and has time sync failure. So I decided to upgrade but because I'm a half blind idiot I chose the wrong fw... result - boot loop. o_O

    I made a lil donation through Paypal.
     
    ezpycoder, nayr and cor35vet like this.
  3. iTuneDVR

    Cor35vet!
    Very good research!!
    But, one thing:
    This instruction in the hands of people with bad intentions will turn into a weapon that can be easily deduced Dahua equipment failure.
    Good people, be very careful and attentive in your network!!!
     
  4. nayr

    If it requires manual routes on your router, or a direct connection to the device.. using this for an attack vector would be highly unlikely unless you're specifically targeted.
     
    cor35vet likes this.
  5. iTuneDVR

    It needs only a chance for the realization of such a scenario, but a lot of options to find the weak link, and .....
    Huge colossi fall, but here ..;)
     
  7. camera5690

    Watching the output in a terminal, I see it gets this far:

    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
    Download Filename 'pd-x.squashfs.img'.
    Download to address: 0x82000000
    Downloading: *
    Everything else appears to transfer in fine. I tried to transfer everything except that image by running the run commands in the order specified in the first thread, but after booting it now says

    >boot
    Wrong Image Format for bootm command
    ERROR: can't get kernel image!
    try:kload 0x2000000 succeed!
    ## Booting kernel from Legacy Image at 02000000 ...
    Image Name: Linux-3.10.50
    Created: 2016-07-29 20:12:42 UTC
    Image Type: ARM Linux Kernel Image (uncompressed)
    Data Size: 1514824 Bytes = 1.4 MiB
    Load Address: 00208000
    Entry Point: 00208000
    Verifying Checksum ... OK
    Loading Kernel Image ...OK
    OK
    partition file version 2
    rootfstype squashfs root /dev/mtdblock5

    Starting kernel ...
    crashflasg:1, logmagic:54410011.
    unknown core,use back
    And doesn't dump me to a prompt. This is the full output when I start the camera:

    load uboot


    U-Boot 2010.06-svn2603 (May 15 2015 - 04:17:02)
    I2C: ready
    DRAM: 110 MiB
    gBootLogPtr:00b80008.
    spinor flash ID is 0xc81840c8partition file version 2
    rootfstype squashfs root /dev/mtdblock5
    TEXT_BASE:01000000
    Net: Detected MACID:00:12:34:56:78:9a
    PHY:0x001cc816,addr:0x00
    phy RTL8201 init

    state:ff,err_count:04
    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192. 168.1.1
    Download Filename 'upgrade_info_7db780a713a4.txt'.
    Download to address: 0x5000000
    Downloading: *
    Retry count exceeded; starting again
    Try again use backup_serverip
    *** ERROR: `serverip' not set
    Failed to get info.txt
    Fail to get info file!
    Init error!
    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192. 168.1.1
    Download Filename 'failed.txt'.
    Download to address: 0x2000000
    Downloading: *
    Retry count exceeded; starting again
    SPI probe: 16384 KiB W25Q128FV at 0:0 is now current device
    Wrong Image Format for bootm command
    ERROR: can't get kernel image!
    try:kload 0x2000000 succeed!
    ## Booting kernel from Legacy Image at 02000000 ...
    Image Name: Linux-3.10.50
    Created: 2016-07-29 20:12:42 UTC
    Image Type: ARM Linux Kernel Image (uncompressed)
    Data Size: 1514824 Bytes = 1.4 MiB
    Load Address: 00208000
    Entry Point: 00208000
    Verifying Checksum ... OK
    Loading Kernel Image ...OK
    OK
    partition file version 2
    rootfstype squashfs root /dev/mtdblock5

    Starting kernel ...
    crashflasg:1, logmagic:54410011.
    unknown core,use back

    Any thoughts?
     
  8. cor35vet

    Looks like you flashed the wrong firmware? Which camera is that and which firmware did you use?
    Also printenv and paste the HWID
     
  9. Allodo

    I've a bricked VTO2000A and try to unbrick it.
    Therefore I connected it over a switch and changed the IP of my PC. So far so good.

    I run Wireshark, and when I connect the VTO I get the following info from Wireshark: Source 192.168.1.108 Destination 192.168.254.254 Protocol TFTP:
    Read Request, File: upgrade_info_7db780A713a4.txt, Transfer type: octet, timeout=1, blksize=1468

    I think this sounds good so far, because Wireshark recognises an answer of my VTO.

    Then I open a PowerShell (Win10) and change into the Dahua_TFTP-Folder to execute Console.bat. But the only thing I see on command-line is:
    NCat: Listening on 192.168.254.254:5002
    and nothing more will happen :(

    So I've tried the same with my second VTO which is always working fine, but there is the same behaviour with NCat.
    The only info I try to get is for the Command.txt so I can flash the firmware.

    Does anyone have the info for command.txt or can tell me why NCat is doing nothing?

    Thx Forward :)
     
  10. cor35vet

    On older bootloaders it won't send the console output over the network so you either have to work blind or get a serial interface.
     
  11. Allodo

    Okay, thx for quick Reply. Then I try it with Commands.txt as above ;)
     
  12. iTuneDVR

    Find TTL at your device and recover all as usual.

    Or you need start TFTPServer.bat (start bin\opentftpserverMT -v)
    Read topic post more carefully, so that everything becomes clear to you ;)
     
  13. Allodo

    I've tried it and TFTP seems to upgrade firmware so far, but then I get an error with a failed.txt.

    This was shown during the updating process:
    Listeninig On: 192.168.254.254:69
    Client 192.168.1.108:1920 root\upgade_info_7db780a713a4.txt 1 Blocks Served
    Client 192.168.1.108:1920 root\romfs-x.cramfs.img, 2113 Blocks Served
    Client 192.168.1.108:1920 root\kernel-x.cramfs.img, 1207 Blocks Served
    Client 192.168.1.108:1920 root\user-x.cramfs.img, 4239 Blocks Served
    Client 192.168.1.108:1920 root\web-x.cramfs.img, 960 Blocks Served
    Client 192.168.1.108:1920 root\failed.txt File not found or No Access
     
  14. iTuneDVR

    In mean at your root\ no file failed.txt

    Of course when all is all right bootloader ask success.txt

    Need more details if recover really failed.
     
  15. Allodo

    Yeah Succeeded :)

    I only made a file called failed.txt in root-Folder and then, after flashing everything nothing more happens.
    Then I made a ping on 192.168.1.110 and get an answer. I now flashed Firmware normally with Config-Tool and everything works fine now :)

    Thx a lot for help :)
     
    cor35vet likes this.
  17. jefk

    Hello

    Can anybody please post the commands.txt file for the VTO (I have vto2111d-wp)? When I power on the vto all I get is:

    Listening On: 192.168.254.254:69
    Client 192.168.1.108:2601 root\failed.txt, 1 Blocks Served.

    I assume that my commands are not ok. On the board one red light is on and one yellow is blinking all the time.

    Thanks
     
    Last edited: Jan 2, 2018
  18. Marco99

    I've also bricked my VTO211D-WP and get the same "Client 192.168.1.108:3123 root\failed.txt, 1 Blocks Served" result.

    Anyone know the right commands?

    Thanks
     
  19. jefk

    Commands are fine. If this is all you get, you will have to use serial connection to unbrick your device.
     
  20. badruby

    I can't get this to work. Followed the guide. However I can't even see the calls being made in Wireshark.

    Model IPC-HDBW4431R-ZS