Dahua IPC EASY unbricking / recovery over TFTP

[iTuneDVR]

If you still don't want open your device & connect dirrectly to TTL

Try this

start bin\ncat.exe -v -u -l -o log.log 192.168.254.254 5002

or

start bin\ncat.exe -v -u -l  192.168.254.254 5002 1>log.txt

and put this file here after update

What is the base firmware at you device & what firmware you think brick you device?
Erased config?

 

[eagle_eye]

It had the (nearly) first one with signature from Duhau:

V3.120.102600.0.R.20180620​

It was working fine, but only in English language - not very helpfull in German country side. Hence I want to upgrade to the later multi lanuage version:

V3.120.0000.0.R.20190222​

During this upgrade, it bricked.

Is there something to do something specific, when a signed version was uploaded? If so, please advice. ("Erase config"? How to do this?)

I will try the different parameter for ncat tomorrow.

 

[eagle_eye]

Hi,
short status update:
I am using pc2pc LAN cable.
I update the commands.txt as follows:

run dr​

run dk​

run du​

run dw​

tftp 0x82000000 pd-x.cramfs.img; flwrite​

tftp 0x82000000 data-x.cramfs.img; flwrite​

run dc​

tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW​

The result was:

c:\tmp>TFTPServer.bat​

​

accepting requests..​

Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001​

​

starting TFTP...​

alias / is mapped to root\​

permitted clients: all​

server port range: all​

max blksize: 65464​

default blksize: 512​

default timeout: 60​

file read allowed: Yes​

file create allowed: No​

file overwrite allowed: No​

thread pool size: 1​

Listening On: 192.168.254.254:69​

Client 192.168.1.108:2270 root\failed.txt, File not found or No Access​

Client 192.168.1.108:2148 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served​

Client 192.168.1.108:2171 root\romfs-x.cramfs.img, 2118 Blocks Served​

Client 192.168.1.108:2079 root\kernel-x.cramfs.img, 1207 Blocks Served​

Client 192.168.1.108:3601 root\user-x.cramfs.img, 4239 Blocks Served​

Client 192.168.1.108:3059 root\web-x.cramfs.img, 960 Blocks Served​

Client 192.168.1.108:1188 root\pd-x.cramfs.img, 31 Blocks Served​

Client 192.168.1.108:1658 root\data-x.cramfs.img, 140 Blocks Served​

Client 192.168.1.108:3445 root\custom-x.cramfs.img, 9 Blocks Served​

Client 192.168.1.108:3504 root\.FLASHING_DONE_STOP_TFTP_NOW, 1 Blocks Served​

Client 192.168.1.108:3512 root\success.txt, File not found or No Access​

^CBatchvorgang abbrechen (J/N)? j​

Hence first cycle was done not correctly => failed.txt
BUT the script is doing it again and again. Hence I waited roughly 30 sec and then it was done again. Now successfully => success.txt.
BACK TO LIVE!
Now I'm struggling to put the new version

General_VTOXXX_Eng_P_16M_V3.120.0000.0.R.20190222.zip​

on it with GER lanuage package. I try to do this with VDPConfig.
When I am trying this, my VTO was bricked again

 

[riogrande75]

I did not find a western-europe language pack for this old fw so far - pls. ask dahua support for it or change to actual (SIP 2.0 V4.3) firmware.
For full functionality (an less bugs) pls. upgrade your VTH's to SIP2.0 firmware as well. I postet download link in VTO2000A firmware V4 thread.

 

[jonboy1081]

Hey All,

Newbie here and not 100% confident in what I'm doing, started step 2 and got the below response.

I have no idea how to do this step: Place the extracted .img files into the root directory

 

[iTuneDVR]

Image file real exist at the root dir & not blocked?
Show yor files (screenshot)
Try TFTPD32 instead of using soft.
Lot depends on the network settings of the equipment and the equipment itself.

 

[guho]

I know zape tried, but has anyone successfully used this TFTP method to flash Dahua fw onto Amcrest IP8M-T2499EW? I succeeded on Amcrest IP4M, but don't feel like brivking my new IP8Ms.

Sent from my SM-T827V using Tapatalk

 

[Comboy007]

I did not find a western-europe language pack for this old fw so far - pls. ask dahua support for it or change to actual (SIP 2.0 V4.3) firmware.
For full functionality (an less bugs) pls. upgrade your VTH's to SIP2.0 firmware as well. I postet download link in VTO2000A firmware V4 thread.

Do you have a link for the firmware file I can use to unbrick my VTO2000A-C with the TFTP method, I found an old link but this is not working anymore?

 

[riogrande75]

As stated in the other thread, check this

 

[marianradu]

Hello

Can someone help me, i have probably a chineese IPC-HDBW4631R-ZS, i tried to update with this FW (DH_IPC-HX5X3X-Rhea_MultiLang_PN_Stream3_V2.800.0000012.0.R.190808.zip)
But it dont let me connect to the web.

Device-Type: IPC-HDBW4631R-ZS
Firmware: 2.460.0000000.16.R, Build Date: 2017-09-04
WEB-Version: 3.2.1.491565
ONVIF Version: 16.12(V2.4.0.485616)

Ping is possible, i also tried with TFTP but without success. here is the log:

*******************************************************

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
TEXT_BASE:01000000
Net: PHY:0x001cc816,addr:0x00
s3l phy RTL8201 init
partition file version 2
rootfstype squashfs root /dev/mtdblock5
MMC: sdmmc init
Using ambarella mac device
Download Filename 'upgrade_info_7db780a713a4.txt'.Downloading: 100%
## file size: 202 Bytes, times: 0s, speed: 24.4 KiB/s
done
Bytes transferred = 202 (ca hex)
Using ambarella mac device
Download Filename 'romfs-x.squashfs.img'.Downloading: 100% 100%
## file size: 2.8 MiB, times: 2s, speed: 1 MiB/s
done
Bytes transferred = 2902264 (2c48f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: romfs
Created: 2019-08-08 11:54:00 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2899968 Bytes = 2.8 MiB
Load Address: 01b80000
Entry Point: 01fd0000
Verifying Checksum ... OK
Programing start at: 0x01b80000 for romfs
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :f2749777, crc from flash is :f2749777
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'kernel.img'.Downloading: 100%
## file size: 1.5 MiB, times: 1s, speed: 1018.6 KiB/s
done
Bytes transferred = 1575384 (1809d8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: kernel
Created: 2019-08-08 11:52:32 UTC
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1573088 Bytes = 1.5 MiB
Load Address: 01040000
Entry Point: 01200000
Verifying Checksum ... OK
Programing start at: 0x01040000 for kernel
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :67fdba11, crc from flash is :67fdba11
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'user-x.squashfs.img'.Downloading: 100%
## file size: 14.8 MiB, times: 14s, speed: 1 MiB/s
done
Bytes transferred = 15554808 (ed58f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: user
Created: 2019-08-08 11:53:28 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 15552512 Bytes = 14.8 MiB
Load Address: 000f0000
Entry Point: 01000000
Verifying Checksum ... OK
Programing start at: 0x000f0000 for user
write : 100%
done
crc from program is :ed82b853, crc from flash is :ed82b853
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'web-x.squashfs.img'.Downloading: 100%
## file size: 4.8 MiB, times: 4s, speed: 1 MiB/s
done
Bytes transferred = 5064952 (4d48f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: web
Created: 2019-08-08 11:53:07 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 5062656 Bytes = 4.8 MiB
Load Address: 01200000
Entry Point: 01880000
Verifying Checksum ... OK
Programing start at: 0x01200000 for web
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :35944947, crc from flash is :35944947
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'partition-x.cramfs.img'.Downloading: 100%
## file size: 10.2 KiB, times: 0s, speed: 426.8 KiB/s
done
Bytes transferred = 10488 (28f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: partition
Created: 2019-08-08 11:52:32 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 8192 Bytes = 8 KiB
Load Address: 000e0000
Entry Point: 000f0000
Verifying Checksum ... OK
Programing start at: 0x000e0000 for partition
write : 100%
done
crc from program is :bfb829ac, crc from flash is :bfb829ac
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'custom-x.squashfs.img'.Downloading: 100%
## file size: 734.2 KiB, times: 0s, speed: 987.3 KiB/s
done
Bytes transferred = 751864 (b78f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: custom
Created: 2019-08-08 11:55:46 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 749568 Bytes = 732 KiB
Load Address: 018a0000
Entry Point: 01970000
Verifying Checksum ... OK
Programing start at: 0x018a0000 for custom
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :9276625c, crc from flash is :9276625c
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'pd-x.squashfs.img'.Downloading: 100%
## file size: 82.2 KiB, times: 0s, speed: 733.4 KiB/s
done
Bytes transferred = 84216 (148f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
[0;32mUBOOT_commonSwRsaVerify run successfully!
[0m
## Checking Image at 02000000 ...
Legacy image found
Image Name: pd
Created: 2019-08-08 11:55:43 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 81920 Bytes = 80 KiB
Load Address: 01880000
Entry Point: 018a0000
Verifying Checksum ... OK
Programing start at: 0x01880000 for pd
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :98e9a557, crc from flash is :98e9a557
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Downloading: ##
## file size: 0 Bytes, times: 0s, speed: 0 Bytes/s
done
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
cmdLine console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc

*******************************************************

Thanks for your help
ZHCIP

Hello. I have same type of camera. Mine it's bricked also. I'm doing some tests on it now. Can you, please write these commands in command.txt and paste the results of ncat log?

partition
help
printenv
ls
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Mine camera only responds to ping on 192.168.1.108. Nothing else. Only sshd but I don't know the password for admin and I don't know if I do too much with ssh. I got this camera for testing now so any suggestions are appreciated. Thanks.

 

[Mael]

So I managed to brick my SD49225T-HN during a firmware upgrade. The camera's IP address is 10.255.200.208. With the bad firmware the camera seems to be caught in some sort of reboot loop. A continuous ping to 10.255.200.208 responds for about 40 seconds, then times out for about 10 seconds then starts responding again. I've tried resetting the camera back to factory defaults using the hardware reset switch, but it doesn't appear to be working. The IP address is stuck at 10.255.200.208. Can I use the procedure outlined in the first post to recover my camera with it running on 10.255.200.208? If so what do I need to modify?

 

[kuzco]

Hello, does anybody know how to change the HWID.
Have seen that you have to run "armbenv -s HWID xyz" in a terminal. Have connected my VTO2000a with ssh, but the command "armbenv" is unknown.
Any hint is welcome.

 

[msokolovich]

Hi, I had a registrar XVR5x08 and it was successfully flashed.
Today I try to flash the NVR4104-4KS2 registrar and gives out just that.
Client 192.168.1.108:2440 root \ ID_4J006B8PAZA40E7.txt, 1 Blocks Served

I suspect that the matter is in the structure of the firmware, 5108 had * .cramfs.img files and 4104 * .squashfs.img. Can someone tell me how to be?

 

[msokolovich]

NVR4104-4KS2
NVR4XXX-4KS2
Hello everybody! It turned out there was an incorrect file ID_XXXXXXXXXXXXXXXX.txt
I removed the lines first

CRC: 4050037456
MagicString: c016dcd6-cdeb-45df-9fd0-e821bf0e1e62

Then removed the run commands

I examined the install.lua firmware file and found the following:

local flashPartions =
{
boot = {baseAddr = 0x00000000, endAddr = 0x00300000}, - / 3M boot
env = {baseAddr = 0x00300000, endAddr = 0x00500000}, - / 2M env
uImage = {baseAddr = 0x00500000, endAddr = 0x00f00000}, - / 10M kernel
rootfs = {baseAddr = 0x00f00000, endAddr = 0x04500000}, - / 54M rootfs
web = {baseAddr = 0x04500000, endAddr = 0x04f00000}, - / 10M web
custom = {baseAddr = 0x04f00000, endAddr = 0x05100000}, - / 2M custom
logo = {baseAddr = 0x05100000, endAddr = 0x05400000}, - / 3M logo
config = {baseAddr = 0x05400000, endAddr = 0x05a00000}, - / 6M logs
logs = {baseAddr = 0x05a00000, endAddr = 0x06400000}, - / 10M config
extend1 = {baseAddr = 0x06400000, endAddr = 0x06c00000}, - / 8M extend1
backup = {baseAddr = 0x06c00000, endAddr = 0x07800000}, - / 12M backup
extend2 = {baseAddr = 0x07800000, endAddr = 0x08000000}, - / 8M extend2
}

Based on this, I generated such lines in the ID file

tftp 0x00000000 u-boot.bin.img; flwrite
tftp 0x00500000 uImage.img; flwrite
tftp 0x00f00000 romfs-x.squashfs.img; flwrite
tftp 0x04500000 web-x.squashfs.img; flwrite
tftp 0x04f00000 custom-x.squashfs.img; flwrite
tftp 0x05100000 logo-x.squashfs.img; flwrite

The firmware was successful

 

[rgpdahua]

Hello, I have a camera DH-IPC-HFW81200EP-Z , the problem it has is that is always rebooting, and when its booting in wireshark i see that is looking for the file upgrade_info_7db780a713a4.txt and then reboot again. Sometimes the camera works well, so it doesnt keep into the while rebooting and works well. What should i do for solve this? Thanks in advance I attach an image with the firmware version. Thanks in advance

 

[onealpha]

Thank you. I did a firmware update on two of my IPC-HDW5231R-Z cameras I bought from Andy in 2018. The first one went perfectly. The second one left me with a camera that would reboot about every 1 minute. Reset did nothing and I was unable to do anything with this camera. This thread saved my camera, it took the updated firmware and is working normally now. Thanks

 

[XrayZ]

Is it possible to recover (unbrick) DVR through net RJ45 port ? I have NVR4104 and it hasn`t UART jack and i have a some difficulties to find connector and solder it now. I try to downgrade my NVR from last 4xx bugzy firmware back to working 3xx firmware through web interface, i left it in working process but dont hear beep at the end.
During boot i see Dahua logo, then usual Dahua 4squares 1-2sec for camera windows and then HDMI signal lost and monitor off. NVR answers on ping command.
Is it possible to recover it without UART ?

I start read FAQ at the start, but some strings and info are missed. Is this FAQ fully comliant also with NVR recovering ?

 

[mythosmc]

The serial interface is still OK.
I switched from PC to RPi. Now I don't see gibberish anymore. However when trying to send files over TFTP I'm getting the following message after sending completion: " ER0002:The IMG header be changed!"
View attachment 41859
Any ideas?
Thank you.

I have flashed DH_IPC-HX5X3X-Rhea_MultiLang_NP_Stream3_Market_V2.800.0000013.0.R.191202 to my IPC-HDBW4631R-ZS and it has bricked my camera! I attempted to use: DH_IPC-HX5X3X-Rhea_Eng_P_Stream3_V2.460.0000.14.R.20170720 provided here on the forums with no luck.. I ALSO run into the "HEADER be changed!" error

Using ambarella mac device
Download Filename 'romfs-x.squashfs.img'.Downloading: 100%
## file size: 1.3 MiB, times: 1s, speed: 1.2 MiB/s
done
Bytes transferred = 1314880 (141040 hex)
[ERR0002:]The img header be changed!
cmd Failed run dr!
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
cmdLine console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc


Is my camera now a paperweight because i decided to upgrade it!??!!?


Looks like ssh port 22 comes up on 192.168.1.108 for a short time.. does anyone know the password?

 

[katcha]

Is it possible to recover (unbrick) DVR through net RJ45 port ? I have NVR4104 and it hasn`t UART jack and i have a some difficulties to find connector and solder it now. I try to downgrade my NVR from last 4xx bugzy firmware back to working 3xx firmware through web interface, i left it in working process but dont hear beep at the end.
During boot i see Dahua logo, then usual Dahua 4squares 1-2sec for camera windows and then HDMI signal lost and monitor off. NVR answers on ping command.
Is it possible to recover it without UART ?

I start read FAQ at the start, but some strings and info are missed. Is this FAQ fully comliant also with NVR recovering ?

How stupid was I when deiced to give another try to update my NVR4104 to the newer version 4. I had issues every time with it, but was able to downgrade NVR back to v3.216. This time even after reading your post I did the same try and got the exact issue you have - it boots up with Dahua logo, then opens 4 squares for 2 seconds and then disconnects the monitor. Ping is OK. But the refuses to connect with Config Utility or any other standard means.
Dear forum gurus - is there any way to recover the NVR from this issue?

 

[happycat]

Looking at posts here seems to me that IPC-HDW5231R-something series are particularly prone to bricking. One of mine, never tried upgrades, not connected to internet, started bootlooping and I managed to restore it with the tftp recovery procedure. (thanks @cor35vet)
Now it works but some menus show the old firmware settings: day-night profile is missing, sub-stream1 and sub-stream2 resolution choices are different from the other cameras I have (same model+firmware). Yes I did a default after upgrading (more than twice) but of course I didn't default before. Maybe I should have restored and old firmware and then upgrade it, fact is I don't know what was there in the first place, this camera was from Andy in 2018.