Dahua IPC EASY unbricking / recovery over TFTP

Discussion in 'Dahua' started by cor35vet, Feb 22, 2017.

Share This Page

  1. fa355115

    fa355115 Getting the hang of it

    Joined:
    Oct 7, 2016
    Messages:
    186
    Likes Received:
    15
    Just another question I have and I see during my preparation work ... the process asks to copy the img file under the root directory ...
    I do not have an img file, but depending on where I get the firmware from, I get different files :

    Dahua france sent me a unique bin file
    Dahua NL sent me a zip file containing not only the zip file but also other files :

    [​IMG]

    Should I consider putting the complete package or only the bin file ? Asking because I am not sure what all those other files are, and using the VDPConfig or old Config tool, it only ask for the bin file !
     
  2. riogrande75

    riogrande75 Getting the hang of it

    Joined:
    Oct 19, 2017
    Messages:
    138
    Likes Received:
    32
    Just carry on, you should have all .img files already on your server (kernel-x.cramfs.img,...).
    Unless you are not flashing the bootloader (dm365_ubl...), you can flash whatever you want and will always have the chance to flash again with this setup.
     
  3. fa355115

    fa355115 Getting the hang of it

    Joined:
    Oct 7, 2016
    Messages:
    186
    Likes Received:
    15
    so you mean better copy all files and not only the .bin one ?
    Because some Dahua support countries only provide the .bin file and nothing else ... would that also work in that case ?
     
  4. riogrande75

    riogrande75 Getting the hang of it

    Joined:
    Oct 19, 2017
    Messages:
    138
    Likes Received:
    32
    A (dahua).bin file is just a archive conaining all neccessary files. The VTO will take the right files by it's own. Just give it a try.
     
  5. Go88cE

    Go88cE n3wb

    Joined:
    Nov 16, 2018
    Messages:
    9
    Likes Received:
    0
    Location:
    Australia
    Hi, newbie here.
    I have been trying to upgrade the firmware on my VTO2111D following the instructions at the beginning of this thread with zero success.

    I simply cannot get any connection to the tftp server.
    I connected the VTO directly to my laptop using ethernet cable. IP addresses where correct but nothing happens. I thought the reason may be because I'm using Mac and the Windows is running in VM, so I tried tftp sever on the Mac which was configured to have both 192.168.254.254 and 192.168.1.1 IP addresses and still nothing.
    Are there instructions on how to do this via Mac or a least Linux?

    My biggest question is how does the VTO know to which IP address to connect to look for firmware upgrade? Do I need to restart it in special mode? if so, how?

    BTW, I tried SSHing into the VTO and is rejecting the admin's account password. Is this normal?

    VTO is running v2.2 and trying to get it up to either 3.12 or 3.3 with SIP.

    Thanks in advance!
     
  6. riogrande75

    riogrande75 Getting the hang of it

    Joined:
    Oct 19, 2017
    Messages:
    138
    Likes Received:
    32
    Why not tryin to do it the easy (official) way? VDPconfig can do this 4 you even when running in a VM - just did that y'day.

    To your problem: I suggest to use a switch rather then connect the network cable directly. PC ethernet takes too long to get up (>1sec.), so VTO thinks there is no server and continue booting. Connected to a network switch keeps the PC port up even VTO is not powered on. Don't use a hub - I was never successful with that.
    If you are not sure if your server setup works, take any other machine in your network (RPi,..) and try to download something from TFTP server 192.168.254.254.

    Actually TFTP server is not bound to any OS, if you are experienced enough, you get it to work even on a mac. Also I highly recommend a network sniffer (e.g.wireshark) on the server to see, what's going on.

    Forget SSH access. What do you want it for? Dahua blocks almost everything, it's useless.
     
  7. Go88cE

    Go88cE n3wb

    Joined:
    Nov 16, 2018
    Messages:
    9
    Likes Received:
    0
    Location:
    Australia
    I already tried using the Config Tool (I'm guessing VDPconfig is same as Config Tool?) and it fails every time.
    I managed to upgrade the VTH but VTO would not accept. I did try few firmwares and no luck at all.
    Interesting thing with the VTH is that it upgraded to 3.<not sure>, but now when I try to upgrade it to v4.0 it fails with "login failed" error message. I have not change any passwords at all. Even trying to log into it via Config Tool, gives me invalid username or password and after few trie locks the account.

    I'm thinking I should have purchased something double the price and not go trough this..
     
  8. riogrande75

    riogrande75 Getting the hang of it

    Joined:
    Oct 19, 2017
    Messages:
    138
    Likes Received:
    32
    No, ConfitTool is different. Open dahuatoolbox, scroll down and there you should get VDPconfig. With this, it should work using the correct port (3800 or 37777).
    Dahua devices are cool - but software lacks of a straight line. Read the forum an learn from other experienced users, then you will love 'em.
     
    Go88cE likes this.
  9. margan

    margan Young grasshopper

    Joined:
    Oct 27, 2018
    Messages:
    36
    Likes Received:
    1
    Location:
    Italy
    Hi,
    do the tools /skills described here useful to attempt to unbrick a vto3221 doorbell ? After an attempt to change port from 37777 to 3800 only, it seems blocked in a bootloop. Now the vto cant' be seen on the lan. With a port scanner the only ports opened are 21 and 22. But with putty there aren't commands useful to do anything in my hands.Moreover the access with SSH it seems intermittent. On the board I see similar holes for serial connection described here. Is it the only way now ? Thanks in advance for help !
     
  10. margan

    margan Young grasshopper

    Joined:
    Oct 27, 2018
    Messages:
    36
    Likes Received:
    1
    Location:
    Italy
    ....this is what I can see when ssh works:

    Code:
    login as: admin
    admin@192.168.1.110's password:
    Enter 'help' for a list of commands (dsh)
    
    #help
    
    Support Commands:
    
    shell                         help                          getDateInfo
    diagnose                      gethwid
    
    Please set UTF-8 character encoding format in terminal for displaying Qrcode
    #shell
    
    Domain Accounts:
    
     
  11. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,074
    Likes Received:
    3,502
    Location:
    Scotland
    What is the result from using the shell command?
     
  12. margan

    margan Young grasshopper

    Joined:
    Oct 27, 2018
    Messages:
    36
    Likes Received:
    1
    Location:
    Italy
    You can see it on the code posted, it asks for "Domain Account:"
    But I don't know the answer ! What "domain account" means ?
     
  13. Go88cE

    Go88cE n3wb

    Joined:
    Nov 16, 2018
    Messages:
    9
    Likes Received:
    0
    Location:
    Australia
    Thanks @riogrande75 hips, VDPconfig did the job.:goodpost:
     
  14. Nike

    Nike n3wb

    Joined:
    Nov 21, 2018
    Messages:
    19
    Likes Received:
    5
    Location:
    Canada
    This no longer works with new firmware that has sign.img.
    I don't see this stated in the first post. OP should be aware to modify 1st post.

    The idea here is to find a firmware for your camera that is around 2017 that doesn't have sign.img when you unpack it.
    Then,run Commands.bat, run TFTPServer.bat, run Console.bat.
    Power up your camera, and wait until its done.
    When its done, use VDPconfig to get your 2018 firmware (that has sign.img) the regular way.

    Now that your new firmware has sign.img in one of the partitions, I don't think you can ever go back to an older firmware.

    For example, in the future 2019 firmware, you would be able to go back to the 2018 firmware if you wanted to (because they are both signed), but not all the way back to 2017 firmware.

    Is this correct?
     
  15. riogrande75

    riogrande75 Getting the hang of it

    Joined:
    Oct 19, 2017
    Messages:
    138
    Likes Received:
    32
    No, with the TFTP trick you can go back and forward to any firmware you want. I did it many times.
    It's just important that you flash ALL partitions of the corrsponding image.
     
  16. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    31
    Location:
    USA
    I used this yesterday to work on another model camera and learned a few things.

    The Commands.txt file for one. I was changing it with notepad and that kept putting a space or something at the very end. Whenever you change Commands.txt you then need to run Commands.bat. Commands.bat generates a new upgrade_info_7db780a713a4.txt file in the root folder that has the changes you made. I kept getting an error after TFTP that I would see in the console ncat window. I finally figured out that if I edit the Commands.txt file with Textpad and make sure to delete anything after "sleep 5" line that the error went away.

    I also figured out in firmware. Some firmware comes in different format. One is a all in one type of package which will be a file named "update.img". If the firmware you want to use has the update.img than ONLY use that and the "run up" command in your Commands.txt. It would then look like this

    "run up
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5"

    The update.img is a different version of the firmware that has a flat file system which contains all of the others within. When you use the update.img file you do NOT need any of the others. The others are just a way to flash individual parts of the overall firmware. I also discover earlier I had a command "run dt" but that was making it look for "data-x.squashfs.img" which I did not have on the A46 cam I was trying to flash.

    Finally with serial port I find the following commands and some others in looking around. This might help you determine what files are for each "run" command. So any of these in the Commands.txt would be run followed by the two letters. Then you must save the Commands.txt (there must NOT be any spaces or extra lines past "sleep 5") and run Commands.bat. Each file for any run command MUST be copied to the "root" folder.

    NOTE - these are ones I figured out from my A46 and some from my DVR and others reading on these forums. Not likely that any device will have all of these but I thought it could be useful to know about as many as possible.
    da=dhboot.bin.img (can also optionally load dhboot-min.bin.img or u-boot.bin.img depending on device)
    dr=romfs-x.squashfs.img
    dk=kernel.img
    du=user-x.squashfs.img
    dw=web-x.squashfs.img
    dc=custom-x.squashfs.img
    dt=data-x.squashfs.img
    dp=partition-x.cramfs.img
    dl=logo-x.squashfs.img
    ds=tftp slave-x.squashfs.img
    dx=u-boot_slave.bin.img
    pd=pd-x.squashfs.img
    pm=575s_PMX.bin.img (this is on my DVR but I do not have that file)
    tk=uImage (my A46 showed this is hawthorn.dts.dtb. I have no idea what this one is, my firmware does not have that file but the printenv on my serial console did show it as a valid "run" type command)
    up=update.img (if the firmware you want to flash has an update.img, use this one ONLY and skip all the others)

    I try to run the one to get web interface back on A46 from another thread. That does not work with the new A46 firmware. It brick my camera which is why I was trying to figure this out. I did and this helped me recover it. :)
     
    Nike and alastairstevenson like this.
  17. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    31
    Location:
    USA
    It looks like you only have 2 pins connected on the serial connection when you need 3. There should be a ground pin, a TX (transmit) pin, and a RX (receive) pin.

    If you have an update.img file for the device then use that. Your commands.txt file should be

    run up
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    There cannot be any spaces or blank lines after sleep 5. Notepad kept putting a space in there when I was editing the commands.txt file which can cause errors so I edited the file with textpad which took care of that. Just after sleep 5 have the cursor there and hit delete until you are sure there is nothing after. Then you run the commands.bat file which will generate a new upgrade_info_7db780a713a4.txt file in the root folder. Then in the root folder you should have just the update.img file, the upgrade_info_7db780a713a4.txt file, and the .FLASHING_DONE_STOP_TFTP_NOW file.
     
  18. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    31
    Location:
    USA
    Ah - actually I just realized this. The "commands" file update method is using a network connection. With a direct serial connection you need to use a terminal program like Putty and just type the commands directly into the console which is a totally different method of accessing and updating a Dahua device. You still need TFTP and a network connection though. Really - you should be able to get it going without the serial connection at all as long as the device does still connect to the network. You need to go back through the first post in this thread and make sure the networking stuff is all configured correctly.

    If you want to use the serial cable method of working with the device you need to read up in another thread to get familiar with the commands. This thread is instructions on using the serial console connection. Dahua IPC unbricking / recovery over serial UART and TFTP

    There are some overlapping concepts in use but the "easy" method in this thread using the "commands.txt" and other files in this thread are a totally different method than when using the serial console connection.
     
  19. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    31
    Location:
    USA
    Okay using the method you started with. After you update the commands.txt file you are then also running the commands.bat file too right? That is required to update the upgrade_info_7db780a713a4.txt file. It does look like in the short time that it is indeed finding the TFTP server (your computer) and it gets the upgrade_info_7db780a713a4.txt file but then gives a file not found error of some sort. I just looked at a upgrade_info file I've used and it looks like this

    -in notepad showing it on one line

    CRC:45627193MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62run uptftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOWsleep 5

    - in textpad it shows on multiple lines
    CRC:45627193
    MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
    run dw
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    The difference with what yours showed on one line above that you posted is spaces in certain places like between run up and tftp.
    Try it with this one - attached. Since the upgrade_info file is not really specific to a device it should work fine. The only thing that is really changed in it is when the commands are changed. Just save and copy this to your root folder and give it a try.

    I'm thinking it may be some sort of formatting issue in the commands.txt file you are editing that is getting goofy when the commands.bat is run to update it. I think the reason the net connection drops so fast is that after it errors the bootloader then moves on and starts trying to boot the device. It only makes that connection active for a bit during the part of the boot process where it looks for the upgrade_info file. If that is not found than the connection is dropped and the boot process continues.

    As far as using the serial console you should see output in the Putty console if the cable is connected right and the settings for the port, speed, etc are right as soon as you apply power to the device. You should then see text telling you that you can press a key to abort the boot process (press the * key) and be able to work at the console level. If you do not see anything in the Putty console window then something is not connected or configured right.
     

    Attached Files:

  20. fa355115

    fa355115 Getting the hang of it

    Joined:
    Oct 7, 2016
    Messages:
    186
    Likes Received:
    15
    Hello, I want to use the procedure to ubrick a VTO2000A

    If you looked at the thread I linked at the start of this post you should know what to do now:
    • Find working firmware for your camera.
    • Extract firmware using 7zip/WinRAR.
    • Confirm it is actually compatible using the HWID.
    • Place the extracted .img files into the root directory.
    • Write appropriate commands.txt to flash the img files onto the camera
      • Your camera should have some predefined ones in printenv, like:
      • dr= tftp 0x82000000 romfs-x.squashfs.img; flwrite
      • In this case you can run above by putting run dr into the commands.txt
      • Check the thread linked at the start for a description of all commands.
      • cfgRestore might be useful if you want to reset your camera.
    ... but I have 2 questions concerning the bold :

    1. The "firmware of My VTO2000 I got from Dahua is in fact 1 single bin file, this is sufficient I guess ?

    2. Does someone has the commands.txt to be used for a the Dahua VTO2000A ? The original commands.txt which is on the first thread of this post is :

    run dr
    run dk
    run du
    run dw
    run dp
    run dc
    tftp 0x82000000 pd-x.squashfs.img; flwrite
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    ... where the commands.txt I found from so who used it for a VTO2000 is :

    run dc
    run dr
    run du
    run dd
    run dw
    run dk
    run up
    tftp 0x82000000 pd-x.cramfs.img; flwrite
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    ... besides the differences between the dc / dk commands, I also see the name of the .img file is different. What is that file because the only one I have is a bin file which is the firmware, but this "pd-x.squashfs.img" or "pd-x.cramfs.img" is nowhere in the package ??

    Many thanks !!
     
    Last edited: Dec 10, 2018