Dahua IPC EASY unbricking / recovery over TFTP

[gpilot]

I have a successful connection via UART and TFTP, but each "run" commands ends up with an error message: "[ERR0002:]The img header be changed!"

Have compared the BL, and have seen that the old version was:
"U-Boot 2010.06-svn5354 (Jan 31 2018 - 21:02:02)"
now the new has:
U-Boot 2010.06-svn6470 (Dec 11 2018 - 16:27:39)

While I can't help (yet) what you are dealing with is that newer firmwares past 2019, maybe 2020, are signed. I am told by a reliable source that the partition structure may be changed.

I am in the same position as you. Downgrade attempts (I used serial and tftp to flash each file in the extracted firmware.bin) result in the error you received.

I did not attempt to flash the bootloader, however I now believe this to be necessary. When you flash firmware with the new bootloader I believe it is verifying the signature of some or part of the partition header. So its doubtful to me whether you can downgrade without getting access to the flash chip directly. I don't know (yet) how to disable those checks or if there is some way access to the flash rom from the PCb(s). and not flashing through the existing bootloader. Hopefully I am wrong.

If you succeed please tell!! If I find a way I'll post here.

Good luck

 

[kuzco]

Does anybody know which IPC is running a processor=HI3516CV300 and mem=128M ?
Thanks.

Update: I know that I have the wrong uBoot, so that I do get this error message:
mboot type error, quit upgrade! ImageName=hisi3516cv300-nand, imageName=ssc325-spinand, svn_version=0x2fdb
So again, does anybody know which IPC is running a processor=HI3516CV300 and mem=128M ?

 

[Gerbenst]

Recovered my IPC-HDBW5231E-ZE!
Saved my day and camera! Trickie thing I needed to pay attention to is to unpack by 7zip the .bin firmware and paste it into /root.
Wireshark is also a very handy tip, off course with an external switch in between and no direct connection.

 

[RaZoRa]

Hi guy's i'm looking for firmware for IPC-HFW2120RP-Z , thanks alot.

 

[AlwaysSomething]

I just bought a T5442T-ZE from Andy to match another camera I bought last year. It came with an older firmware and needed to upgrade it to match my other camera. Before Wittaj says another OCD case, I don't upgrade unless there is a reason and the reason was the SmartIR and a few other things (which is why I bought the same camera). My other camera is also on the same firmware I wanted to upgrade to.

Camera was defaulted and firmware applied using the web GUI. The webpage eventually timed out and never came back. I went to check the camera and now its on 192.168.1.251 and not accessible. Tried resetting using the button all ways to Sunday (power on, power off, 10 seconds, 30 seconds, 1 minutes, 2 minutes, etc) nothing worked.

Found this thread and I'm getting the following error:

root\failed.txt, File not found or No Access

Even though I'm connecting successfully I tried both direct connect and using a dummy switch no other devices (camera and PC only).

If my understanding is correct, the command.txt file should contain the files listed and in the order of the "Install" file found in the firmware.

Here is the contents of install file from the firmware I got from Andy's site just yesterday (EmpireTech IPC-HX5XXX-Volt_MultiLang_NP_Stream3_V2.840.15OG00D.0.R.220818.bin):

Spoiler

{
"Commands" : [
"burn dhboot.bin.img bootloader",
"burn kernel_min.img kernel_min",
"burn romfs_min-x.squashfs.img romfs_min",
"burn kernel.img kernel",
"burn partition-x.cramfs.img partition",
"burn romfs-x.squashfs.img rootfs",
"burn custom-x.squashfs.img custom",
"burn firmware-x.squashfs.img firmware"
],
"Devices" : [
[ "IPC-HX3XXX", "1.00" ]
],
"Vendor" : "General"
}
/IPC_RestoreDefault

Now there was no custom-x.squashfs.img in the bin file which was strange, I found the thread where Looney posted the same version firmware and compared and it also did not have the custom-x.squashfs.img file. I tried with my commands with both the custom-x.squashfs.img file in there (even though I thought it would fail) and without. It didn't matter.

Since the file didn't exist I did not add it to my latest commands.txt file.

Here is my commands.txt file:

Spoiler

tftp dhboot.bin.img; flwrite
tftp kernel_min.img; flwrite
tftp romfs_min-x.squashfs.img; flwrite
tftp kernel.img; flwrite
tftp partition-x.cramfs.img; flwrite
tftp romfs-x.squashfs.img; flwrite
tftp firmware-x.squashfs.img; flwrite
tftp .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Here is my upgrade_info_7db780a713a4.txt file generated from the commands.bat file:

Spoiler

CRC:610819149
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
tftp dhboot.bin.img; flwrite
tftp kernel_min.img; flwrite
tftp romfs_min-x.squashfs.img; flwrite
tftp kernel.img; flwrite
tftp partition-x.cramfs.img; flwrite
tftp romfs-x.squashfs.img; flwrite
tftp firmware-x.squashfs.img; flwrite
tftp .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
1v

Here is the output from my TFTPServer.bat command:

Spoiler

accepting requests..
Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.251:2168 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:2657 root\dhboot.bin.img, 210 Blocks Served
Client 192.168.1.251:3378 root\kernel_min.img, 1042 Blocks Served
Client 192.168.1.251:1653 root\romfs_min-x.squashfs.img, 2563 Blocks Served
Client 192.168.1.251:1089 root\kernel.img, 1773 Blocks Served
Client 192.168.1.251:2994 root\partition-x.cramfs.img, 13 Blocks Served
Client 192.168.1.251:3569 root\romfs-x.squashfs.img, Timeout
Client 192.168.1.251:1821 root\failed.txt, File not found or No Access

I did increase the timeout in the ini file from 60 to 500 but when I ran it again it said timeout was 255 (I guess that is the max). Rerunning again didn't change the result so didn't include that capture (this post will be long enough as is.

Here is the Console.bat output which nothing appeared in until the TFTPServer.bat finished running:

Spoiler

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
T T T T T T T T T T
Retry count exceeded; starting again
cmd Failed tftp romfs-x.squashfs.img; flwrite!
partition file version 2
rootfstype squashfs root /dev/mtdblock12
cmdLine mem=400M root=/dev/mtdblock12 rootfstype=squashfs
Erasing NAND...
Erasing at 0x460000 -- 100% complete.
Writing to NAND... OK
←[0;31menv save ok. please check if it is necessary!
←[0mAUF_sendLog size = 16384
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
1 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
gSwitchBootPart = 0
cmdLine mem=400M root=/dev/mtdblock12 rootfstype=squashfs
DGS info:start addr=0x98f7c000
dgsBufStart:0x98f7c000
partition file version 2
rootfstype squashfs root /dev/mtdblock12
dgs offset:0x1700000 size:0x100000
[DGS]gs_BootCreate
[DGS]:readPtrC:0 writePtr:16 covered:0
[DGS]gs_BootCreate end
Get ddr freq:1800
can not found ddr cfg magic, so exit!!!
SDUPDATE_init
SD_parseBootargs
SD_update: ETH net controler
phy_addr=0, phy_id=1cc820
phy RTL8201G init
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'upgrade_info_7db780a713a4.txt'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: file size: 339 Bytes time: 0.002s speed: 165 KiB/s
done
Bytes transferred = 339 (153 hex)
string value is 0
The end of file
cmdListNode->cmd = tftp dhboot.bin.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'dhboot.bin.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 300.4 KiB time: 0.062s speed: 4.7 MiB/s
done
Bytes transferred = 307632 (4b1b0 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mpBootImg addr=0x82000040
Erasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: boot
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 305336 Bytes = 298.2 KiB
Load Address: 00200000
Entry Point: 00300000
Verifying Checksum ... OK
Programing start at: 0x00200000 for boot
write : 100%
done
crc from program is :e5c244a9, crc from flash is :e5c244a9
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel_min.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel_min.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 1.5 MiB time: 0.306s speed: 4.8 MiB/s
done
Bytes transferred = 1528920 (175458 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel_min
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1526624 Bytes = 1.5 MiB
Load Address: 01800000
Entry Point: 01a00000
Verifying Checksum ... OK
Programing start at: 0x01800000 for kernel_min
write : 100%
done
crc from program is :a760e87a, crc from flash is :a760e87a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp romfs_min-x.squashfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'romfs_min-x.squashfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 3.6 MiB time: 0.744s speed: 4.8 MiB/s
done
Bytes transferred = 3762424 (3968f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: romfs_min
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 3760128 Bytes = 3.6 MiB
Load Address: 01a00000
Entry Point: 01e80000
Verifying Checksum ... OK
Programing start at: 0x01a00000 for romfs_min
write : 100%
done
crc from program is :d69d0d7e, crc from flash is :d69d0d7e
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 2.5 MiB time: 0.517s speed: 4.8 MiB/s
done
Bytes transferred = 2602744 (27b6f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 2600448 Bytes = 2.5 MiB
Load Address: 02500000
Entry Point: 02900000
Verifying Checksum ... OK
Programing start at: 0x02500000 for kernel
write : 100%
done
crc from program is :c8a54dd0, crc from flash is :c8a54dd0
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp partition-x.cramfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'partition-x.cramfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 18.2 KiB time: 0.005s speed: 3.6 MiB/s
done
Bytes transferred = 18680 (48f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: partition
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 16384 Bytes = 16 KiB
Load Address: 01680000
Entry Point: 01700000
Verifying Checksum ... OK
Programing start at: 0x01680000 for partition
write : 100%
done
crc from program is :f601c91a, crc from flash is :f601c91a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp romfs-x.squashfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'romfs-x.squashfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading:

I did have a wireshark running but forgot to save it for the last run. Of course I just realized that as I'm trying to attach it. I did capture the first run when I had custom-x.squashfs.img file in the commands. It is attached if that helps. I can run this again and capture it if it will help. I'd do it now but I've spent countless hours trying to fix this and need to get out office before I go insane.

Since my eyes are exhausted looking at this, can anyone see something I am doing wrong or missed? It's still communicating (although on 192.168.1.251 and not 192.168.1.108) so it's not completely dead.

Thanks in advance.

 

[AlwaysSomething]

I forgot, here is a list of the files in the bin:

 

[AlwaysSomething]

Status update.

After reading the messages again I ended up adding a blank files to root called "failed.txt" and "success.txt" and got further along. I never get the "FLASHING_DONE_STOP_TFTP_NOW" message and it seems to start the process over again. From the console output I see that:

cmdsleep 5) is not support!

so I guess it is not waiting the 5 seconds and going right back into the loop.

I also read all the threads again and changed the order of the img files in the command file and removed the dhboot.bin.img from the list.

Here were the last to command files I tried:

Commands attempt 14:

Spoiler

tftp romfs_min-x.squashfs.img; flwrite
tftp romfs-x.squashfs.img; flwrite
tftp kernel_min.img; flwrite
tftp kernel.img; flwrite
tftp partition-x.cramfs.img; flwrite
tftp sign.img; flwrite
tftp check.img; flwrite
tftp .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Commands attempt 14 console output:
There was an error on the sign.img so removed it for the next attempt (15)

Spoiler

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
100% file size: 1.5 MiB time: 0.304s speed: 4.8 MiB/s
done
Bytes transferred = 1528920 (175458 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel_min
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1526624 Bytes = 1.5 MiB
Load Address: 01800000
Entry Point: 01a00000
Verifying Checksum ... OK
Programing start at: 0x01800000 for kernel_min
write : 100%
done
crc from program is :a760e87a, crc from flash is :a760e87a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 2.5 MiB time: 0.515s speed: 4.8 MiB/s
done
Bytes transferred = 2602744 (27b6f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 2600448 Bytes = 2.5 MiB
Load Address: 02500000
Entry Point: 02900000
Verifying Checksum ... OK
Programing start at: 0x02500000 for kernel
write : 100%
done
crc from program is :c8a54dd0, crc from flash is :c8a54dd0
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp partition-x.cramfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'partition-x.cramfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 18.2 KiB time: 0.006s speed: 3 MiB/s
done
Bytes transferred = 18680 (48f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: partition
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 16384 Bytes = 16 KiB
Load Address: 01680000
Entry Point: 01700000
Verifying Checksum ... OK
Programing start at: 0x01680000 for partition
write : 100%
done
crc from program is :f601c91a, crc from flash is :f601c91a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp sign.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'sign.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: file size: 128 Bytes time: 0.001s speed: 125 KiB/s
done
Bytes transferred = 128 (80 hex)
[ERR0002:]over read addr!
flwrite - flwrite - write data into FLASH memory


Usage:
flwrite DestAddr
- write data into DestAddr(0xA0000000~0xA4000000)
cmd Failed tftp sign.img; flwrite!
partition file version 2
rootfstype squashfs root /dev/mtdblock12
cmdLine mem=400M root=/dev/mtdblock12 rootfstype=squashfs
Erasing NAND...
Erasing at 0x460000 -- 100% complete.
Writing to NAND... OK
←[0;31menv save ok. please check if it is necessary!
←[0mAUF_sendLog size = 16384
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
write : 100%
done
crc from program is :e6da794d, crc from flash is :e6da794d
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel_min.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel_min.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 1.5 MiB time: 0.304s speed: 4.8 MiB/s
done
Bytes transferred = 1528920 (175458 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel_min
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1526624 Bytes = 1.5 MiB
Load Address: 01800000
Entry Point: 01a00000
Verifying Checksum ... OK
Programing start at: 0x01800000 for kernel_min
write : 100%
done
crc from program is :a760e87a, crc from flash is :a760e87a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 2.5 MiB time: 0.513s speed: 4.8 MiB/s
done
Bytes transferred = 2602744 (27b6f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 2600448 Bytes = 2.5 MiB
Load Address: 02500000
Entry Point: 02900000
Verifying Checksum ... OK
Programing start at: 0x02500000 for kernel
write : 100%
done
crc from program is :c8a54dd0, crc from flash is :c8a54dd0
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp partition-x.cramfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'partition-x.cramfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 18.2 KiB time: 0.005s speed: 3.6 MiB/s
done
Bytes transferred = 18680 (48f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: partition
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 16384 Bytes = 16 KiB
Load Address: 01680000
Entry Point: 01700000
Verifying Checksum ... OK
Programing start at: 0x01680000 for partition
write : 100%
done
crc from program is :f601c91a, crc from flash is :f601c91a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp sign.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'sign.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: file size: 128 Bytes time: 0.001s speed: 125 KiB/s
done
Bytes transferred = 128 (80 hex)
[ERR0002:]over read addr!
flwrite - flwrite - write data into FLASH memory


Usage:
flwrite DestAddr
- write data into DestAddr(0xA0000000~0xA4000000)
cmd Failed tftp sign.img; flwrite!
partition file version 2
rootfstype squashfs root /dev/mtdblock12
cmdLine mem=400M root=/dev/mtdblock12 rootfstype=squashfs
Erasing NAND...
Erasing at 0x460000 -- 100% complete.
Writing to NAND... OK
←[0;31menv save ok. please check if it is necessary!
←[0mAUF_sendLog size = 16384
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
write : 100%
done
crc from program is :e6da794d, crc from flash is :e6da794d
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel_min.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel_min.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 19 %

Commands attempt 14 upgrade_info_7db780a713a4 output (you can see it went into a loop so I stopped it):

Spoiler

accepting requests..
Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 255
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.251:2220 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:2708 root\romfs_min-x.squashfs.img, 2563 Blocks Served
Client 192.168.1.251:2144 root\romfs-x.squashfs.img, 27245 Blocks Served
Client 192.168.1.251:1948 root\kernel_min.img, 1042 Blocks Served
Client 192.168.1.251:3293 root\kernel.img, 1773 Blocks Served
Client 192.168.1.251:2125 root\partition-x.cramfs.img, 13 Blocks Served
Client 192.168.1.251:2700 root\sign.img, 1 Blocks Served
Client 192.168.1.251:3869 root\failed.txt, 1 Blocks Served
Client 192.168.1.251:2346 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:2835 root\romfs_min-x.squashfs.img, 2563 Blocks Served
Client 192.168.1.251:2267 root\romfs-x.squashfs.img, 27245 Blocks Served
Client 192.168.1.251:2081 root\kernel_min.img, 1042 Blocks Served
Client 192.168.1.251:3426 root\kernel.img, 1773 Blocks Served
Client 192.168.1.251:2256 root\partition-x.cramfs.img, 13 Blocks Served
Client 192.168.1.251:2831 root\sign.img, 1 Blocks Served
Client 192.168.1.251:4000 root\failed.txt, 1 Blocks Served

Commands attempt 15:

Spoiler

printenv
tftp romfs_min-x.squashfs.img; flwrite
tftp romfs-x.squashfs.img; flwrite
tftp kernel_min.img; flwrite
tftp kernel.img; flwrite
tftp partition-x.cramfs.img; flwrite
tftp .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Commands attempt 15 console output:

Spoiler

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
100% file size: 1.5 MiB time: 0.308s speed: 4.7 MiB/s
done
Bytes transferred = 1528920 (175458 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel_min
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1526624 Bytes = 1.5 MiB
Load Address: 01800000
Entry Point: 01a00000
Verifying Checksum ... OK
Programing start at: 0x01800000 for kernel_min
write : 100%
done
crc from program is :a760e87a, crc from flash is :a760e87a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 2.5 MiB time: 0.516s speed: 4.8 MiB/s
done
Bytes transferred = 2602744 (27b6f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: kernel
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 2600448 Bytes = 2.5 MiB
Load Address: 02500000
Entry Point: 02900000
Verifying Checksum ... OK
Programing start at: 0x02500000 for kernel
write : 100%
done
crc from program is :c8a54dd0, crc from flash is :c8a54dd0
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp partition-x.cramfs.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'partition-x.cramfs.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: 100% file size: 18.2 KiB time: 0.006s speed: 3 MiB/s
done
Bytes transferred = 18680 (48f8 hex)
Otp version is 0x00000000, Flash version is 0x00000000
←[0;32mUBOOT_commonSwRsaVerify run successfully!
←[0mErasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12

## Checking Image at 82000000 ...
Legacy image found
Image Name: partition
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 16384 Bytes = 16 KiB
Load Address: 01680000
Entry Point: 01700000
Verifying Checksum ... OK
Programing start at: 0x01680000 for partition
write : 100%
done
crc from program is :f601c91a, crc from flash is :f601c91a
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp .FLASHING_DONE_STOP_TFTP_NOW
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading: file size: 0 Bytes
done
cmdListNode->cmd = sleep 5
cmdsleep 5) is not support!
partition file version 2
rootfstype squashfs root /dev/mtdblock12
cmdLine mem=400M root=/dev/mtdblock12 rootfstype=squashfs
Erasing NAND...
Erasing at 0x460000 -- 100% complete.
Writing to NAND... OK
←[0;31menv save ok. please check if it is necessary!
←[0mAUF_sendLog size = 16384
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
write : 100%
done
crc from program is :e6da794d, crc from flash is :e6da794d
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
partition file version 2
rootfstype squashfs root /dev/mtdblock12
gParameter[0]:node=bootargs, parameter=mem=400M console=ttyS0,115200 root=/dev/mtdblock11 rootfstype=squashfs.
gParameter[1]:node=hi3516ddrFreq, parameter=hi3516ddrFreq=1800.
cmdListNode->cmd = tftp kernel_min.img; flwrite
ETH net controler
phy_addr=0, phy_id=1cc820
ip175g no found! phy_id1 = 0xffff, phy_id2 = 0xffff
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1Filename 'kernel_min.img'.Default Load Address: 0x82000000,Download to address: 0x82000000
Loading:

I didn't save the upgrade since it's basically the same as attempt 14 (goes into a loop)

Unfortunately I still don't have a working camera but I think I am getting closer. Hopefully someone has an idea.

 

[Peebuste]

Hi!

Camera SD6AL245U-HNI-IR PTZ got suddenly into a boot loop.

Whilt TFTP'ing I got in the log:

[SKIP]
erase : 38%
erase : 39%
erase : 39%Skip bad block 0x02bc0000
erase : 40%
erase : 41%
[SKIP]
write : 40%
write : 41%
write : 42%Skip bad block 0x02bc0000
write : 42%
write : 43%
[SKIP]

Does this mean, that camera's storage is dead?

Camera is still in the boot loop.

 

[medyou]

hy everyones,
i can ping my camera in 192.168.1.108 but when i start flashing i get this message
starting TFTP
alias /is mapped to root\
permitted clients: all
server port rang: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: yes
file created allowed: no
file overwrite allowed: no
thread pool size: 1
listening on: 192.168.254.254:96
client 192.168.1.251:2882 root\failed.txt 1 blocks Served
client 192.168.1.251:2882 root\failed.txt 1 blocks Served
client 192.168.1.251:2882 root\failed.txt 1 blocks Served
client 192.168.1.251:3283 root\failed.txt 1 blocks Served
client 192.168.1.251:2882 root\failed.txt 1 blocks Served
client 192.168.1.251:2882 root\failed.txt 1 blocks Served
client 192.168.1.251:2882 root\failed.txt 1 blocks Served

and this continue, i don't know why i'm getting this adresse
anyone can help !!?

 

[Focster]

Hey, everybody.
I got a DH-IPC-HFW4433F-ZSA camera.



Received it in a state of not booting.
I managed to download the firmware DH_IPC-HX4XXX-Eos_Chn_PN_Stream3_V2.680.0000000.46.R.231027.bin via tftp.

The camera started up, I can access its web interface (only in Chinese) or configure it via SmartPSS.

I can add the camera to the Dahua recorder (Europe) on the old firmware of the recorder.
I can NOT add a camera to Dahua (Europe) on the new firmware of the recorder 4+....

Is there any broken firmware for this camera, so that it works with Dahua recorders (not Chinese) with firmware version 4+...??

 

[DeadTinker]

Hey gang!

I have an Amcrest IP8M-T2499EW that seemed to have kicked the bucket after a few months of operating, and I stumbled across this thread hoping to try and salvage it. I was able to get serial comms working and confirmed that the U-boot was working properly, but I am unable to get any ethernet communication to/from the camera. The Amcrest IP scanner (or IP Config) tool didn't work, and no real communications were ever picked up by Wireshark. However, every time the unit powered up, there would be a flurry of Wireshark activity which makes me think it is sending something, but I was never able to ping the unit, nor was I able to ping my computer from the serial console of the camera. To be clear, I had the unit powered on my bench using a lab supply, and then connected directly to the laptop's USB->Ethernet adapter.

As a hail mary, set up the TFTP server as documented in this post, but the camera only ever said something to the effect of "too many attempts" when trying to connect, and the TFTP script/server never indicated it "heard" anything from the camera. I also connected an ethernet tester (one of the Amazon style cheapies) and it seemed to indicate the cabling was OK. Rudimentary multimeter checks (just ohming) didn't indicate any opens or high-resistance on the ethernet isolation transformer's windings.

Any of you folks experienced something similar? Or have any ideas where to go from here?

 

[austwhite]

Sorry if I missed something, but is there a new link to the tools needed to perform this? The link in the OP seems to be dead now

 

[sorg]

@austwhite : See page 22 of this thread. Someone reposted the tools on mediafire.

On my side, i am trying to unbrick my VTH2621.

Looks like the dr, dk, etc... are not set on this device...
See the logs:

Tftp print, localip:'192.168.1.108', serverip:'192.168.254.254', netmask:'255.255.255.0', ethaddr:'c0:39:5a:76:d4:14'.
Download Filename : 'upgrade_info_7db780a713a4.txt'.
Downloading: 100%
## fileSize:202 Bytes, blksize:16268, blockNr:2, times:0s speed:202 Bytes/s.
done
linestring:CRC:4050037456.
linestring:MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62.
linestring:run dr.
linestring:run dk.
linestring:run du.
linestring:run dw.
linestring:run dp.
linestring:run dc.
linestring:tftp 0x82000000 pd-x.squashfs.img; flwrite.
linestring:tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW.
linestring:sleep 5.
cmd:(run dr) is not support!
cmd:(run dk) is not support!
cmd:(run du) is not support!
cmd:(run dw) is not support!
cmd:(run dp) is not support!
cmd:(run dc) is not support!
eth0 link is up...

Tftp print, localip:'192.168.1.108', serverip:'192.168.254.254', netmask:'255.255.255.0', ethaddr:'c0:39:5a:76:d4:14'.
Download Filename : 'pd-x.squashfs.img'.
Downloading: 0%
Downloading: 45%
Downloading: 90%
Downloading: 100%
## fileSize:70.2 KiB, blksize:16268, blockNr:6, times:0s speed:70.2 KiB/s.
done
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0x19c1b60 ...
Legacy image found
Image Name: pd
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 69632 Bytes = 68.00 kB = 0.07 MB
Load Address: 02280000
Entry Point: 02480000
Verifying Checksum ... OK
crc from program is :0xb75037b5
flwrite ok!
eth0 link is up...

Tftp print, localip:'192.168.1.108', serverip:'192.168.254.254', netmask:'255.255.255.0', ethaddr:'c0:39:5a:76:d4:14'.
Download Filename : '.FLASHING_DONE_STOP_TFTP_NOW'.
Downloading: 100%
## fileSize:0 Bytes, blksize:16268, blockNr:2, times:1s speed:0 Bytes/s.
done
auf run upgrade, run command failed
auf: failed to run upgrade cmd, ret is -1
eth0 link is up...

So, i tried to create a crude command.txt with only the printenv command, and here is the desapointing result:


Tftp print, localip:'192.168.1.108', serverip:'192.168.254.254', netmask:'255.255.255.0', ethaddr:'c0:39:5a:76:d4:14'.
Download Filename : 'upgrade_info_7db780a713a4.txt'.
Downloading: 100%
## fileSize:73 Bytes, blksize:16268, blockNr:2, times:0s speed:73 Bytes/s.
done
linestring:CRC:3544530790.
linestring:MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62.
linestring:printenv.
cmd:(printenv) is not support!
eth0 link is up...

Tftp print, localip:'192.168.1.108', serverip:'192.168.254.254', netmask:'255.255.255.0', ethaddr:'c0:39:5a:76:d4:14'.
Download Filename : 'success.txt'.
Downloading:
TFTP error: 'File not found' (1)
TFTP Do Download failed
tftp Download file success.txt failed


Any ideas ?

 

[anthony1337]

Hi, i'm trying to unbrick my VTH5221D intercom internal unit - i've taken all those steps from the first post and nothing moves after i click on TFTPSever.bat (listening on: 192.168.254.254:69 is the last line).
I've plugged the unit directly into my laptop's ethernet and set the IP to:
General:
IP: 192.168.1.1.
Subnet: 255.255.255.0
Advanced:
added IP: 192.168.254.254 and subnet: 255.255.0.0.

Downloaded scripts and unpacked the firmware (image) General_VTH52X1D_Eng_P_SIP_V4.300.0000000.4.R.20190319 to root folder of the downloaded Dahua_TFTPBackup folder. (attached root pic)
Then i'm not sure if i have to change the original commands.txt file? I player around with it and changed it in notepad++ but to no different result. Can somebody let me know what commands exactly do i need to put in, based on my root folder images?

After i saved commands.txt file i ran commands.bat file, tftpserver.bat and consolde.bat. Then i plugged in power cable into the vth unit.

What step did i mess up? Perhaps just the commands.txt file isn't appropriate for my device?

Kindly help.

Thanks!

 

[taherpour77]

if it requires manual routes on your router, or a direct connection to the device.. using this for an attack vector would be highly unlikely unless your specifically targeted.

 

[DamnLag]

I am plugged in directly to my camera with my laptop IP set to 192.168.254.254, subnet 255.255.255.0 but when I run any of the bat files I never get anything it just says listening. Can anyone offer any advice? I assume its something stupid I'm missing