Dahua IPC EASY unbricking / recovery over TFTP

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
ok i'm struggling to get this working!!

I have a ipc-HDW5231r-ze that had a failled firmware update. It boots, come up in configtool (as 192.168.1.108) but then looses connection and goes into a boot loop)

I've tried a factory reset in config tool, hard reset directly on camera. I basically get a few seconds window to use the config tool after its booted to set it up but not enough time to flash any firmware before it reboots.

I have been trying this unbrick method for a few days but again not working. Firstly - will this method work or am i barking up the wrong tree?

secondly i tried the router method but i get

192.168254.254 Port 69 bind failed
No Static Interface read, waiting

repeating and nothing else.

I tried the direct connection method as described above, and it just sits on

Listening On: 192.168.254.254:69

i did a wireshark and found the following:

1641033019598.png

The camera comes up in config tool as 192.168.1.108 - not sure why in wireshark its showing 192.168.1.251 and also not sure why nothing is coming up.

So questions...
  • HELP... will this work or is this not suitable for my situation?
  • Should i factory reset my camera and try it when its uninitialized ? (it is very difficult to initialize it again as you have to catch it at just the right time in the boot loop cycle)

1641033221813.png

1641033243528.png

1641033268154.png

1641033288224.png

the camera does come up in wireshark too:

1641033448300.png

so not sure what 192.168.1.251 is and why the camera (@192.168.1.108 is not going to 192.168.254.254....)

help...
 

High-Tower

n3wb
Joined
Jan 16, 2019
Messages
5
Reaction score
0
Location
germany
@Jagradang

I have a HDW5231R ("old" one) and have install via Browser the new Image from Andy.
After that via Browser, i have the same effect, that you have (every ~40Seconds restart).
No Hard Reset with Button intern, has working.

I have buy last year an USB to TTL Converter (for my Dahua House Ring system, i have needed).
With that TTL Converter and the other manual i have fixed the problem with the restarts and install the Firmware from Andy (woks perfect).

The other Cams, i have updated with the Dahua ToolBox (that have working perfectly).

I don´t think, this method is working with the "restart" problem..
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
persistence pays off.. tried exactly what i did above and for some reason today it just worked!! straight in, reinstalled firmware and camera came up. Tried updating again in the config tool but that failed, but then went to the web browser and all updated succesfully. Re-configured and were back in business!
 
Joined
Dec 11, 2021
Messages
8
Reaction score
0
Location
Chitown
I have a couple SD52C225U-HNI"s that have been working great for the past 5 years or so. Like a fool, I upgraded the firmware after seeing Andy's post here, as it would be nice to get video without a plugin. Big mistake. One camera is stuck in a boot loop. The other one is so slow (auto tracking, zoom, focus), that it's unusable. I need to get these back to old firmware. I downloaded the firmware that was previously on both cams. Working with the bricked cam first, I followed the instructions from the OP the best I could. No success. Cam has been reset with button. The camera reboots every 50 seconds or so. During every reboot, I can ping it's address (192.168.1.108) ad see video for 10 seconds or so. Then it disconnects. Here's where I'm at:
Cam is connected directly to laptop with cat6 cable.
Cam is powered from 24vac power supply.
Laptop IPv4 is manually set to 192.168.254.254 and 255.255.0.0 subnet. No default gateway entered.
Laptop firewall is completely disabled.
Firmware was extracted to the root folder.
Commands.bat was run and successfully created a new upgrade_info_7db780a713a4.txt file in root folder.
TFTP server successfully mapped and listening on 192.168.254.254:69
Console.bat runs and monitors 192.168.254.254:5002
When the camera is powered up, nothing happens in either of the cmd windows, even though wireshark shows the camera making many requests.

This is where I'm stuck. Don't know what to do next. I've tried everything I can think of. The only thing that sticks in my mind is that I cannot enter any commands in either of the cmd windows. All I see is the flashing cursor. Can't type in anything or paste anything.

I would appreciate any advice on what to try next. Thank you

Command windows:
CMD's.jpg

Laptop setup:
Setup.jpg

Root Folder:
Root Folder.jpg

Wireshark log:
 

Attachments

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
I have a couple SD52C225U-HNI"s that have been working great for the past 5 years or so. Like a fool, I upgraded the firmware after seeing Andy's post here, as it would be nice to get video without a plugin. Big mistake. One camera is stuck in a boot loop. The other one is so slow (auto tracking, zoom, focus), that it's unusable. I need to get these back to old firmware. I downloaded the firmware that was previously on both cams. Working with the bricked cam first, I followed the instructions from the OP the best I could. No success. Cam has been reset with button. The camera reboots every 50 seconds or so. During every reboot, I can ping it's address (192.168.1.108) ad see video for 10 seconds or so. Then it disconnects. Here's where I'm at:
Cam is connected directly to laptop with cat6 cable.
Cam is powered from 24vac power supply.
Laptop IPv4 is manually set to 192.168.254.254 and 255.255.0.0 subnet. No default gateway entered.
Laptop firewall is completely disabled.
Firmware was extracted to the root folder.
Commands.bat was run and successfully created a new upgrade_info_7db780a713a4.txt file in root folder.
TFTP server successfully mapped and listening on 192.168.254.254:69
Console.bat runs and monitors 192.168.254.254:5002
When the camera is powered up, nothing happens in either of the cmd windows, even though wireshark shows the camera making many requests.

This is where I'm stuck. Don't know what to do next. I've tried everything I can think of. The only thing that sticks in my mind is that I cannot enter any commands in either of the cmd windows. All I see is the flashing cursor. Can't type in anything or paste anything.

I would appreciate any advice on what to try next. Thank you

Command windows:
View attachment 114527

Laptop setup:
View attachment 114528

Root Folder:
View attachment 114529

Wireshark log:
Your ip is wrong...

Set the laptop to
192.168.1.1
255.255.255.0

in the advanced section add an additional IP -
192.168.254.254
255.255.0.0

give that a try
 
Joined
Dec 11, 2021
Messages
8
Reaction score
0
Location
Chitown
Your ip is wrong...

Set the laptop to
192.168.1.1
255.255.255.0

in the advanced section add an additional IP -
192.168.254.254
255.255.0.0

give that a try
Thanks for the help! Unfortunately, the behavior is the same with those setting. Both cmd windows just sit there waiting.
 

Attachments

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
Thanks for the help! Unfortunately, the behavior is the same with those setting. Both cmd windows just sit there waiting.
i found mine kept failling with a direct connection so i tried it with a basic dumb switch and it worked.. might be worth a shot?
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
OK, got it to connect and flash, but still stuck in boot loop.
That looks like it didn't complete. There should be another line with success.txt to show it completed.

Check your commands.txt file.

I used this

run dr
run dk
run du
run dw
run dp
run dc
tftp 0x02000000 romfs-x.squashfs.img; flwrite
tftp 0x02000000 kernel.img; flwrite
tftp 0x02000000 user-x.squashfs.img; flwrite
tftp 0x02000000 web-x.squashfs.img; flwrite
tftp 0x02000000 partition-x.cramfs.img;flwrite
tftp 0x02000000 custom-x.squashfs.img; flwrite
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
 
Joined
Dec 11, 2021
Messages
8
Reaction score
0
Location
Chitown
That looks like it didn't complete. There should be another line with success.txt to show it completed.

Check your commands.txt file.

I used this

run dr
run dk
run du
run dw
run dp
run dc
tftp 0x02000000 romfs-x.squashfs.img; flwrite
tftp 0x02000000 kernel.img; flwrite
tftp 0x02000000 user-x.squashfs.img; flwrite
tftp 0x02000000 web-x.squashfs.img; flwrite
tftp 0x02000000 partition-x.cramfs.img;flwrite
tftp 0x02000000 custom-x.squashfs.img; flwrite
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
I was using the default file that comes with the download:
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

I tried your text and the results were the same, except it wrote every file twice. It seems like the camera is rebooting before it can finish. I have never got a success in the TFTP Server window and the results in the NCAT window are always cut short in the middle of doing something. After that, there is no response from any command.
 
Joined
Dec 11, 2021
Messages
8
Reaction score
0
Location
Chitown
Well, I have given up on trying to flash older firmware on this cam. I have about 6 hours invested in this and just can't see wasting any more. The camera is still stuck in a boot loop, but I can log into it for 10 seconds or so. Then it reboots and I have to wait for another 10 second window. I was able to log in quick and view the " version" page. The version page for the bricked cam is the same as the working cam except for the PTZ version. See pics below. The bricked cam has a newer PTZ version. Not sure how that happened, but I assume that is what is causing the boot loop. Is there any way to locate and install just the PTZ firmware? I'm willing to give that a shot. Thanks!

Bricked Cam:

Bricked Version.jpg

Working cam:

Working Version.jpg
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
167
Reaction score
34
There is also something that was mentioned about a failed.txt that shouod stop the boot loop and allow you to flash from the config tool but not sure. I think it was just add an empty failed.txt file in the root folder. Maybe research that and see
 
Joined
Dec 11, 2021
Messages
8
Reaction score
0
Location
Chitown
There is also something that was mentioned about a failed.txt that shouod stop the boot loop and allow you to flash from the config tool but not sure. I think it was just add an empty failed.txt file in the root folder. Maybe research that and see
I'll look into that. Thanks. Any way to flash just the PTZ firmware?
 

cybernetics1d

Young grasshopper
Joined
Nov 1, 2018
Messages
40
Reaction score
20
Location
North America
Quick questions to anyone who has successfully flashed Lorex camera using this method. Does the camera needs to be factory reset first? If that's not needed and you're currently using manual static ip with that particular camera, does that camera needs to be changed back to DHCP mode so it can try to connect to 192.168.1.1 to find 192.168.254.254?
 

jazzy1

Getting the hang of it
Joined
Mar 23, 2015
Messages
286
Reaction score
36
I'll look into that. Thanks. Any way to flash just the PTZ firmware?
Hey! I am trying to unbrick a 49225 PTZ Dahua cam....I'm having a heck of a time locating where to connect my TFTP cable to it so I can re-flash the firmware....did yours have a specific port? could you post a photo or send me one??
Or has anyone else here already gone through unbricking a 49225 PTZ?

Thanks!!!!
 

kompish

n3wb
Joined
Feb 18, 2022
Messages
1
Reaction score
0
Location
Serbia
Hello im new here, can i get new download link because old one is broken. thx
 

richtj99

Getting the hang of it
Joined
May 11, 2016
Messages
159
Reaction score
17
Hi - I read this entire thread. I have a Dahua SD50225U-HNI and it has been down for a while. I was about to give up but someone pointed me in this direction so...

I downloaded this firmware: DH_SD-Eos_EngSpnFrn_N_Stream3_V2.623.0000000.1.R.180627.bin

extracted it, I have the Dahua_TFTPbackup.zip - followed the instructions and I am still having an issue where the camera wont leave 192.168.1.108. I think I am missing something (might have messed something up over my 25 attempts).

This is my latest:

Code:
c:\Users\Rich\Documents\Dahua_TFTPBackup>TFTPServer.bat

accepting requests..
Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.108:3856 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.108:3936 root\kernel.img, 1800 Blocks Served
Client 192.168.1.108:1065 root\partition-x.cramfs.img, 3 Blocks Served
Client 192.168.1.108:1065 root\romfs-x.squashfs.img, 645 Blocks Served
Client 192.168.1.108:1065 root\pd-x.squashfs.img, 157 Blocks Served
Client 192.168.1.108:1065 root\user-x.squashfs.img, 12556 Blocks Served
Client 192.168.1.108:1065 root\custom-x.squashfs.img, 121 Blocks Served
Client 192.168.1.108:1065 root\web-x.squashfs.img, 5048 Blocks Served
Client 192.168.1.108:1066 root\.FLASHING_DONE_STOP_TFTP_NOW, 1 Blocks Served
Client 192.168.1.108:1065 root\success.txt, File not found or No Access
Client 192.168.1.108:1065 root\success.txt, File not found or No Access
^CTerminate batch job (Y/N)? y
I think this is OK?

The console results are:

Code:
c:\Users\Rich\Documents\Dahua_TFTPBackup>Console.bat
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:80b80008.
NAND:  Check nand flash controller v610. found
Special NAND id table Version 1.36
Nand ID: 0xC2 0xF1 0x80 0x95 0x02 0x00 0x00 0x00
NAND_ECC_NONE selected by board driver. This is not recommended !!
128 MiB
partition file version 2
rootfstype squashfs root /dev/mtdblock7
fail to load bootargsParametersV22.txt
fail to load bootargsParametersV21.txt
fail to init bootargsParametersV2
In:    serial
Out:   serial
Err:   serial
TEXT_BASE:81000000
Net:   PHY found at 1
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'upgrade_info_7db780a713a4.txt'.Download to address: 0x84000000
Downloading: *
Retry count exceeded; starting again
SD Product try auto upgrade times.
SD try times:1
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'upgrade_info_7db780a713a4.txt'.Download to address: 0x84000000
Downloading: *
Retry count exceeded; starting again
SD try times:2
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'upgrade_info_7db780a713a4.txt'.Download to address: 0x84000000
Downloading: *
done
Bytes transferred = 425 (1a9 hex)
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'kernel.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 2641160 (284d08 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   kernel
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    2641096 Bytes = 2.5 MiB
   Load Address: 00d00000
   Entry Point:  01200000
   Verifying Checksum ... OK
Programing start at: 0x00d00000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'partition-x.cramfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 4160 (1040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   partition
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    4096 Bytes = 4 KiB
   Load Address: 00500000
   Entry Point:  00600000
   Verifying Checksum ... OK
Programing start at: 0x00500000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'romfs-x.squashfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 946240 (e7040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   romfs
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    946176 Bytes = 924 KiB
   Load Address: 01200000
   Entry Point:  01a00000
   Verifying Checksum ... OK
Programing start at: 0x01200000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'pd-x.squashfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 229440 (38040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   pd
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    229376 Bytes = 224 KiB
   Load Address: 00980000
   Entry Point:  00d00000
   Verifying Checksum ... OK
Programing start at: 0x00980000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'user-x.squashfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 18432064 (1194040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   user
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    18432000 Bytes = 17.6 MiB
   Load Address: 02200000
   Entry Point:  03a80000
   Verifying Checksum ... OK
Programing start at: 0x02200000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'custom-x.squashfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 176192 (2b040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   custom
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    176128 Bytes = 172 KiB
   Load Address: 00600000
   Entry Point:  00980000
   Verifying Checksum ... OK
Programing start at: 0x00600000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'web-x.squashfs.img'.Download to address: 0x82000000
Downloading: *
done
Bytes transferred = 7409728 (711040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   web
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    7409664 Bytes = 7.1 MiB
   Load Address: 01a00000
   Entry Point:  02200000
   Verifying Checksum ... OK
Programing start at: 0x01a00000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Using gmac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Download to address: 0x82000000
Downloading: *
done
partition file version 2
rootfstype squashfs root /dev/mtdblock7
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
get bootargs info failed
cmdLine mem=256M console=ttyS0,115200 root=/dev/mtdblock7 rootfstype=squashfs
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   14-A7-8B-7D-7F-5D
Still not working though - it seems to be 'alive' sort of - at least to flash but not sure what to try next?

I would appreciate any help!

Thanks,
Rich
 
Top