IP Cam Talk

Welcome to the new IPCT! If you are having an issue logging in, please clear your cookies / cache.

Dahua IPC EASY unbricking / recovery over TFTP

cor35vet

IPCT Contributor
A successor of Dahua IPC unbricking / recovery over serial UART and TFTP
I recommend you to read through the above thread first.

If your camera still has a working bootloader (assume it does) then you can flash it easily, because:
The camera tries to download a file called "upgrade_info_7db780a713a4.txt" from a TFTP server running on 192.168.254.254 and executes the commands in said file in the bootloader (U-Boot) shell.
For more in-depth information, read this post: Dahua Firmware Mod Kit + Modded Dahua Firmware

Step 1, Configuring the network correctly.
The cameras IP is 192.168.1.108, the subnet mask is 255.255.255.0.
The camera uses 192.168.1.1 as gateway to connect to 192.168.254.254.
(It sends packets addressed to 192.168.254.254 to 192.168.1.1 because it's outside of the subnet)

There are two options to make the camera be able to reach your computer.
Option 1)
If you have a router on 192.168.1.1, add a static route to it which redirects all packets which are meant for 192.168.254.254 to your computer (mine is 192.168.1.4):

If your router doesn't have this function then it fucking sucks and doesn't deserve to be called a router.

Option 2)
Plug the camera straight into your computers ethernet jack OR plug it into an ethernet switch where ONLY your computer and the camera are on (that's EXACTLY TWO devices).


Now you need to add the IP 192.168.254.254 with a subnet mask of 255.255.0.0 to your NIC.
If you opted for Option 1 you must not do steps 5, 6 and 7. (Or at least don't use the same IP as your router ^^)
If you opted for Option 2 you need to do all steps.


(Please remember to undo the changes after you're done)

It certainly would be nice to know if your network setup even works now, wouldn't it?
You could try to capture all the traffic on your ethernet card with wireshark and see if you are receiving anything from the camera (192.168.1.108) when you power it up.
You can skip this ^ and come back to it if the stuff below isn't working.

Step 2, download this archive which has all the necessary tools (TFTP server, upgrade_info tool, netcat for console log):
https://i.botox.bz/Dahua_TFTPBackup.zip

There are three scripts in the archive:
  • Commands.bat
    • Reads commands.txt and generates upgrade_info_7db780a713a4.txt in root directory.
  • TFTPServer.bat
    • Starts TFTP server which serves the root directory on 192.168.254.254 (port 69 UDP)
  • Console.bat
    • Listens on 192.168.254.254 port 5002 UDP to receive the log from the camera after successfully downloading and running the given commands.
    • Could help you if you want to run a command and check the output.
      • For Example:
      • printenv and look for the HWID=IPC-HDW4431C:BLA:BLA
      • All firmware images have a check.img or hwid file with compatible HWIDs
      • You should not flash incompatible firmware
If you looked at the thread I linked at the start of this post you should know what to do now:
  • Find working firmware for your camera.
  • Extract firmware using 7zip/WinRAR.
  • Confirm it is actually compatible using the HWID.
  • Place the extracted .img files into the root directory.
  • Write appropriate commands.txt to flash the img files onto the camera
    • Your camera should have some predefined ones in printenv, like:
    • dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite
    • In this case you can run above by putting run dr into the commands.txt
    • Check the thread linked at the start for a description of all commands.
    • cfgRestore might be useful if you want to reset your camera.
HOWEVER: NEVER FLASH THE BOOTLOADER, THERE IS NEVER A REASON TO!!! (unless it's gone, but then this tutorial won't help you ^^)

To make things simpler I have prepared and tested a package for Eos cameras using my latest modded firmware:
https://i.botox.bz/DH_IPC-HX4XXX-Eos_EngFraSpaRus_PN_Stream3_V2.420.0000.22.R.20161209.zip
Compatible cameras according to Dahua:
DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2
commands.txt from above link:
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Step 3, flash it!
If you modified commands.txt, run Commands.bat.
Run TFTPServer.bat and Console.bat.
Power up your camera, it should start downloading from the TFTP server.
Close the TFTP server once you see "FLASHING_DONE_STOP_TFTP_NOW".
Done?

Thanks to @resegun for figuring out the magic behind upgrade_info_7db780a713a4.txt.
(If this helped you and you have some spare for a student: paypal.me/BotoX)
 

mcx

Pulling my weight
Thanks @cor35vet !

It took few minutes to get my HDW5231R-Z live again. I deleted 3 last lines from commands.txt then few clicks and wait for a while.:)

The camera came with fw dated 2016 07 05 and has time sync failure. So I decided to upgrade but because I'm half blind idiot I chose wrong fw...result - boot loop.o_O

I made a lil donation trough Paypal.
 

iTuneDVR

Getting the hang of it
Cor35vet!
Very good research!!
But, one thing:
This instruction in the hands of people with bad intentions will turn into a weapon that can be easily deduced Dahua equipment failure.
Good people, be very careful and attentive in your network!!!
 

nayr

IPCT Contributor
if it requires manual routes on your router, or a direct connection to the device.. using this for an attack vector would be highly unlikely unless your specifically targeted.
 

iTuneDVR

Getting the hang of it
It needs only a chance for the realization of such a scenario, but a lot of options to find the weak link, and .....
Huge colossi fall, but here ..;)
 
Watching the output in a terminal, I see it gets this far:

Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Download Filename 'pd-x.squashfs.img'.
Download to address: 0x82000000
Downloading: *
Everything else appears to transfer in fine. I tried to transfer everything except that image by running the run commands in the order specified in the first thread, but after booting it now says

>boot
Wrong Image Format for bootm command
ERROR: can't get kernel image!
try:kload 0x2000000 succeed!
## Booting kernel from Legacy Image at 02000000 ...
Image Name: Linux-3.10.50
Created: 2016-07-29 20:12:42 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1514824 Bytes = 1.4 MiB
Load Address: 00208000
Entry Point: 00208000
Verifying Checksum ... OK
Loading Kernel Image ...OK
OK
partition file version 2
rootfstype squashfs root /dev/mtdblock5

Starting kernel ...
crashflasg:1, logmagic:54410011.
unknown core,use back
And doesn't dump me to a prompt. This is the full output when I start the camera:

load uboot


U-Boot 2010.06-svn2603 (May 15 2015 - 04:17:02)
I2C: ready
DRAM: 110 MiB
gBootLogPtr:00b80008.
spinor flash ID is 0xc81840c8partition file version 2
rootfstype squashfs root /dev/mtdblock5
TEXT_BASE:01000000
Net: Detected MACID:00:12:34:56:78:9a
PHY:0x001cc816,addr:0x00
phy RTL8201 init

state:ff,err_count:04
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192. 168.1.1
Download Filename 'upgrade_info_7db780a713a4.txt'.
Download to address: 0x5000000
Downloading: *
Retry count exceeded; starting again
Try again use backup_serverip
*** ERROR: `serverip' not set
Failed to get info.txt
Fail to get info file!
Init error!
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192. 168.1.1
Download Filename 'failed.txt'.
Download to address: 0x2000000
Downloading: *
Retry count exceeded; starting again
SPI probe: 16384 KiB W25Q128FV at 0:0 is now current device
Wrong Image Format for bootm command
ERROR: can't get kernel image!
try:kload 0x2000000 succeed!
## Booting kernel from Legacy Image at 02000000 ...
Image Name: Linux-3.10.50
Created: 2016-07-29 20:12:42 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1514824 Bytes = 1.4 MiB
Load Address: 00208000
Entry Point: 00208000
Verifying Checksum ... OK
Loading Kernel Image ...OK
OK
partition file version 2
rootfstype squashfs root /dev/mtdblock5

Starting kernel ...
crashflasg:1, logmagic:54410011.
unknown core,use back​

Any thoughts?
 

cor35vet

IPCT Contributor
Looks like you flashed the wrong firmware? Which camera is that and which firmware did you use.
Also printenv and paste the HWID
 

Allodo

n3wb
I've an bricked VTO2000A and try to unbrick it.
Therefore I connected it over an Switch an changed the IP of my PC. So far so good.

I run Wireshark, an when I connect the VTO I get following Info from Wireshark: Source 192.168.1.108 Destination 192.168.254.254 Protocol TFTP:
Read Request, File: upgrade_info_7db780A713a4.txt, Transfer type: octet, timeout=1, blksize=1468

I think this sounds good so far, because Wireshark recognises an answer of my VTO.

Then I open an Powershell (Win10) an change into the Dahua_TFTP-Folder to execute Console.bat. But the only thing I see on command-line is:
NCat: Listening on 192.168.254.254:5002
and nothing more will happen :(

So I've tried the same with my second VTO which is always working fine, but there is the same behaviour with NCat.
The only info I try to get is for the Command.txt so I can Flash the Firmware.

Does anyone have the info for command.txt or tell me, why NCat is doing nothing?

Thx Forward :)
 

cor35vet

IPCT Contributor
I've an bricked VTO2000A and try to unbrick it.
Therefore I connected it over an Switch an changed the IP of my PC. So far so good.

I run Wireshark, an when I connect the VTO I get following Info from Wireshark: Source 192.168.1.108 Destination 192.168.254.254 Protocol TFTP:
Read Request, File: upgrade_info_7db780A713a4.txt, Transfer type: octet, timeout=1, blksize=1468

I think this sounds good so far, because Wireshark recognises an answer of my VTO.

Then I open an Powershell (Win10) an change into the Dahua_TFTP-Folder to execute Console.bat. But the only thing I see on command-line is:
NCat: Listening on 192.168.254.254:5002
and nothing more will happen :(

So I've tried the same with my second VTO which is always working fine, but there is the same behaviour with NCat.
The only info I try to get is for the Command.txt so I can Flash the Firmware.

Does anyone have the info for command.txt or tell me, why NCat is doing nothing?

Thx Forward :)
On older bootloaders it won't send the console output over the network so you either have to work blind or get a serial interface.
 

iTuneDVR

Getting the hang of it
Find TTL at your device and recover all as usual.

Or you need start TFTPServer.bat (start bin\opentftpserverMT -v)
Read topic post more carefully, so that everything becomes clear to you ;)
 

Allodo

n3wb
I've tried it and TFTP seems to upgrade Firmware so far, but then I get an error with an failed.txt.

This was shown while updating-Process:
Listeninig On: 192.168.254.254:69
Client 192.168.1.108:1920 root\upgade_info_7db780a713a4.txt 1 Blocks Served
Client 192.168.1.108:1920 root\romfs-x.cramfs.img, 2113 Blocks Served
Client 192.168.1.108:1920 root\kernel-x.cramfs.img, 1207 Blocks Served
Client 192.168.1.108:1920 root\user-x.cramfs.img, 4239 Blocks Served
Client 192.168.1.108:1920 root\web-x.cramfs.img, 960 Blocks Served
Client 192.168.1.108:1920 root\failed.txt File not found or No Access
 

iTuneDVR

Getting the hang of it
but then I get an error with an failed.txt.
.....
Client 192.168.1.108:1920 root\failed.txt File not found or No Access
In mean at your root\ no file failed.txt

Of couse when al is all right bootloader ask success.txt

Need more details if recover realy failed.
 

Allodo

n3wb
Yeah Succeded :)

I only made an File called failed.txt in root-Folder and then, after flashing everything nothing more happens.
Then I made an ping on 192.168.1.110 and get an answer. I now flashed Firmware normally with Config-Tool and everything works fine now :)

Thx a lot for help :)
 

jefk

n3wb
I've tried it and TFTP seems to upgrade Firmware so far, but then I get an error with an failed.txt.

This was shown while updating-Process:
Listeninig On: 192.168.254.254:69
Client 192.168.1.108:1920 root\upgade_info_7db780a713a4.txt 1 Blocks Served
Client 192.168.1.108:1920 root\romfs-x.cramfs.img, 2113 Blocks Served
Client 192.168.1.108:1920 root\kernel-x.cramfs.img, 1207 Blocks Served
Client 192.168.1.108:1920 root\user-x.cramfs.img, 4239 Blocks Served
Client 192.168.1.108:1920 root\web-x.cramfs.img, 960 Blocks Served
Client 192.168.1.108:1920 root\failed.txt File not found or No Access
Hello

Can anybody please post the commands.txt file for the VTO (I have vto2111d-wp) ? When I power on the vto all i get is:

Listening On: 192.168.254.254:69
Client 192.168.1.108:2601 root\failed.txt, 1 Blocks Served.

I assume, that my commands are not ok. On the board one red light is on and one yellow is blinking all the time.

Thanks
 
Last edited:
I've also a bricked my VTO211D-WP and get the same "Client 192.168.1.108:3123 root\failed.txt, 1 Blocks Served" result.

Anyone know the right commands?

Thanks
 

jefk

n3wb
Commands are fine. If this is all you get, you will have to use serial connection to unbrick your device.
 

badruby

n3wb
i cant get this to work. followed the guide. However i cant even se the calls being made in wireshark.

Model IPC-HDBW4431R-ZS

 
Top