Dahua IPC EASY unbricking / recovery over TFTP

Can someone clearly confirm to me which pins are used on the VTO2000A for the serial connection?

If you look at the device, and have the power connector at the bottom left, then am I correct that this is the order of the pins at the connector at the bottom right?

RX TX GND VCC?

I can see my device is booting up and is replying to my pings on 192.168.1.108, however I don't seem to be able to get a serial connection setup through Putty with my UART connected to the device.
Settings in Putty are the ones mentioned in the post of serial connection with UART.

What am I overlooking? How can I know if I am still able to connect over serial?

Thank for your help.
 
Check post #61. If you have a USB-UART interface just connect TX and GND from the VTO to RX and GND of your UART device, open putty 115200,8,n,1 and then you should see the boot messages.
 
Duvel you do not want to do the procedure at the same time as I do using the VTO and computer connected to a switch ?
I will do it in a couple of days when My 2 questions above are answered.
Then we are 2 following the same procedure and will be easier to support each other ?

P.C. I will not use the USB-UART connection ... I think the connection through a switch as explained is better ...
 
@fa355115: I guess you do not really understand the TFTP upgrade process.
You NEED lan connection to do the TFTP upgrade in any case. Even there might be a way to do the flashing via UART, it's not that what is duscussed here.
UART is good to follow the process of the TFTP upgrade but is not really neccessary.
 
  • Like
Reactions: dvbit
ok, I though those were 2 different processes .. one like I will follow which is to connect both VTO and computer on the same switch, isolated from internet, then launch the "package"
The other one is connecting the VTO on the computer using USB and some connection device, no ?

Can you by chance answer my 2 questions related to how to launch the commands (command line window ?) and related to the commands.txt file ?

Many Thanks !!
 
I also posted this similarly in the other thread....

You are getting two very different methods confused here.
1 - there is the method of using a TTL serial cable and connecting to a device. This is where you manually type in commands at the devices boot prompt in a console window. That method is in the other thread here Dahua IPC unbricking / recovery over serial UART and TFTP
2 - there is the other method which is where you do NOT need a serial cable and are replying on the commands.txt file. The "easy" method. That method relies on the fact that almost all Dahua devices at boot will for a moment initialize a network connections and looks for a file named upgrade_info_7db780a713a4.txt on a TFTP server. That is the method used in THIS thread.

These are TWO DIFFERENT methods and used in totally different ways. The method in this thread does NOT need a serial cable connection.

For the purpose of clarity. The commands used in that file from the other thread are indeed some of the very same commands used at a console prompt in this thread.
There are also some commands that while valid for one device are not valid on another. Different devices have different file structures and a few devices have some files that others do not.
In either method a "run" command has a specific purpose and is ONLY for a very specific file.

These are ones that I know of, and again, not EVERY device has every one of these. NOTE - these are the "run" commands I figured out from my A46 and some from my DVR and others reading on these forums. Not likely that any device will have all of these but I thought it could be useful to know about as many as possible.
da=dhboot.bin.img (can also optionally load dhboot-min.bin.img or u-boot.bin.img depending on device)
dr=romfs-x.squashfs.img
dk=kernel.img
du=user-x.squashfs.img
dw=web-x.squashfs.img
dc=custom-x.squashfs.img
dt=data-x.squashfs.img
dp=partition-x.cramfs.img
dl=logo-x.squashfs.img
ds=tftp slave-x.squashfs.img
dx=u-boot_slave.bin.img
pd=pd-x.squashfs.img
pm=575s_PMX.bin.img (this is on my DVR but I do not have that file)
tk=uImage (my A46 showed this is hawthorn.dts.dtb. I have no idea what this one is, my firmware does not have that file but the printenv on my serial console did show it as a valid "run" type command)
up=update.img (if the firmware you want to flash has an update.img, use this one ONLY and skip all the others)
NOTE: each of these "run" commands can ONLY be used with the exact file name shown.

There are a few different ways that Dahua provides firmware and each is in a different format for loading in a different manner. There are two that are an "all in one" type of firmware which contain all of the different files. One will be named update.img which is the only "all in one" type that can be used with either this serial console method or the "easy" method in the other thread. The other "all in one" type is what you have which will be a firmware named "General_Multi3_VTO2000A_EngItlFreGetDutSpaPor_P_16M_V3.200.0000.0.R.20170912.bin" or something like that. That type of a firmware file is intended for updating firmware within the devices interface or one of the software tools and is not directly usable in this method or the "easy" method in the other thread. As it is that firmware file CANNOT be used with ANY of the "run" commands. Simply renaming that type of a firmware file will also NOT work. The third type of firmware that Dahua provides is broken into multiple individual parts and can ONLY be used via this serial console method or with the "easy" method in the other thread. Neither method is particularly "easy" for the average computer user though.

If the only type of firmware you can find for your device is the type intended for using in the devices web interface like "General_Multi3_VTO2000A_EngItlFreGetDutSpaPor_P_16M_V3.200.0000.0.R.20170912.bin" or something like that you can extract that to a folder. You would need 7zip or some other compressed file extractor. Extraction will also likely give you an error but still should extract the majority of the firmware files fine. Once extracted you should then have the individual .img files related to the commands listed above. Once you have those you can than put the relevant .img files in the root folder for your TFTP server and use them with the individual "run" commands from a console prompt.

I also do not know where that "tftp 0x82000000 pd-x.cramfs.img; flwrite" command came from. It is not on anything I have so I cannot tell you anything about it.
 
  • Like
Reactions: alastairstevenson
ok, fine, this is the one I want to use, as the TTL serial cable is definitely not an option for me, I will try this method without the serial cable and if not working, buy a new VTO.
so first important information I did'nt know, I have used 7zip to uncompress my original "General_Multi3_VTO2000A_EngItlFreGetDutSpaPor_P_16M_V3.200.0000.0.R.20170912.bin" file, and here is what I get :

Capture.JPG


I therefore better understand now the use of the dx commands in the commands.txt file, as I now see the content of the bin file !!
The commands.txt which was posted by another user in the other post who unbricked his VTO was the following :

run dc
run dr
run du
run dd
run dw
run dk
run up
tftp 0x82000000 pd-x.cramfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

... which more or less corresponds to 1 command per file (custom-x.cramfs, romfs-x.cramfs, user-x.cramfs, ...)
Now I am not sure about the order to be used, has it an importance ?
And the dm365_UBL_boot_16M.bin doesn't seem to have a correspondance ...
"dk" is also not the same as your "kernel.img" as I have "kernel-x.cramfs"
...

Not sure f someone can support me in giving the correct commands.txt file based on the content of my firmware file posted in the screenshot ?

Many thanks anyway, it progresses !
 
Leave the bootloader (dm365_UBL_boot_16M) as it is, you do not need to touch it.
If something fails with that one, you need JTAG ($$$) to recover the VTO again. Then it is "really" bricked.
 
Run up would be used only if you have an update.img file. If you do have that then you do not need to use any of the others as update.img internally contains all of the other files.

There will also be some files when a firmware is extracted that are not needed or used in this method like the dm365 and install files.

I'm not sure that the order they are loaded would matter.

I would also set Windows to show file extensions. Those files should all end with .img and it is best to be sure. I've also mentioned that some of the commands I listed before may be different depending on the device. I do not have a VTO so some of the commands might reference a different file name such as the kernel one you mentioned.
 
I confirm these are all img files :

Capture.JPG


I would like to know what commands.txt you would use please ...

run dc (for custom-x.squashfs.img)
run dr (for romfs-x.squashfs.img)
run dt (for data-x.squashfs.img), SHOULD I ADD THIS as it is not in the original commands.txt file ?
run dd CAN BE REMOVED ??
run dw (for web-x.squashfs.img)
run dk (for kernel-x.cramfs.img) ?
run du (for user-x.squashfs.img), SHOULD I ADD THIS as it is not in the original commands.txt file ?
run up (CAN BE REMOVED)
tftp 0x82000000 pd-x.cramfs.img; flwrite SHOULD I KEEP this as I have a "pd-x.cramfs.img" file ?
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5


Should I add a da for the dm365_ubl_boot_16M.bin.img ?
What is dd ?
Nothing is handling my "" file ... ??

Does it look good ?
 
I would try it this way myself. I'm not familiar with the tftp the pd-x file as no device I have uses a command like that and I do not have a VTO camera. I do not know that the run dd command is or does. I'd remove it.

run dc
run dr
run du
run dw
run dk
run dt
run pd
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

A compiled and ready to use upgrade_info file based on the commands I just listed is attached if you want to give it a try. This as well as the other files all need to be in the root folder. I would not mess with the dm365 file and yes if editing the commands.txt file you must remove command lines for any file you do not have or it will error out.
 

Attachments

sorry what is this file you provide and how should I use it ?
Should I not edit and copy a commands.txt file and put it in the package structure together with the console.bat and TfTPServer.bat ?

Also how do I run those files ? Should I open under windows a cmd window, go to the package directory and run the commands typing them from the black window ?
 
I'm unable to help further. I have to get to work. I'd strongly suggest re-reading this thread starting back from page 1.
 
No issue Dude ... take your time, I am gathering all necessary info before implementing the procedure ...
Just come back to me if ok for you when you have time.

much appreciated.
 
Check post #61. If you have a USB-UART interface just connect TX and GND from the VTO to RX and GND of your UART device, open putty 115200,8,n,1 and then you should see the boot messages.

Thanks, will try this.

Can you confirm that the order of where I think the pins are is actually correct?

If you look at the device, and have the power connector at the bottom left, then am I correct that this is the order of the pins at the connector at the bottom right?

RX TX GND VCC?
 
@rio, the TftpServer.bat and console etc ... you double click on them and let them work, or you launch them via a "cmd" black window ?
I think if I click on them to execute a window appears then disappears directly ... how do yo do it ?

Thanks !!
 
U gotta use a external power supply (12-24V) and connect it to your VTO. Then you can hook it up a "normal" ethernet switch.
Of course you can use a USB-TTL converter an connect it to the VTO's UART port to see whats going on - but you do not need it necessarily.

Weird, when I look at my VTO, I don't seem to find the pins you marked in purple in the pic in your previous post... Is yours also a VTO2000A or is it an other model?

Hence I was connecting it as per my other pic, however this is not the correct connector apparently....(below right)? Please confirm.

VTO2000A - 1.jpeg VTO2000A.jpg
 
I have no idea of a VTO has an actual connector..... every other Dahua camera I have looked at does not. They all have the row of 4 holes on the board that you see beside the led toward the upper edge of the board. That is the serial connection. You have to either get a set of leads with little pins that will fit in those holes pretty snugly, solder wires to them, or solder an actual connector to the board there.

Like I said though, I do not have one of those so maybe the VTO is unlike any other Dahua camera I've seen or looked at pictures of, which is a LOT of them and the VTO has an actual connector. Regardless this is the EASY UNBRICKING thread which has NO NEED OR USE for a serial connection. The serial connection is relevant to another thread. I pointed this out yesterday several posts up. Posting questions about the serial connection method in this thread just makes things more confusing for everyone and posting about the easy method in the other thread is just as confusing. If you go look in that thread you will find pictures of where others have connected to the holes in the circuit boards on Dahua cameras to access the serial interface.

Here is the other thread about the serial connection method. Dahua IPC unbricking / recovery over serial UART and TFTP

Sorry all - I'm pretty new here and not a mod but wow this gets confusing.
 
@Duvel: Off course, it's a VTO2000A. Can you take a closeup so that I can verify the differences?
Maybe we have a different HW-Version, that would explain it.
The connector you are connected to with ur PL2303 is the RS485 port, you will not get anything useful out of it with this usb-serial converter.
Anyhow the RS485 has nothing to do with unbricking.

TheDude is right, lets follow this in the unbricking thread.
 
I have no idea of a VTO has an actual connector..... every other Dahua camera I have looked at does not. They all have the row of 4 holes on the board that you see beside the led toward the upper edge of the board. That is the serial connection. You have to either get a set of leads with little pins that will fit in those holes pretty snugly, solder wires to them, or solder an actual connector to the board there.

Like I said though, I do not have one of those so maybe the VTO is unlike any other Dahua camera I've seen or looked at pictures of, which is a LOT of them and the VTO has an actual connector. Regardless this is the EASY UNBRICKING thread which has NO NEED OR USE for a serial connection. The serial connection is relevant to another thread. I pointed this out yesterday several posts up. Posting questions about the serial connection method in this thread just makes things more confusing for everyone and posting about the easy method in the other thread is just as confusing. If you go look in that thread you will find pictures of where others have connected to the holes in the circuit boards on Dahua cameras to access the serial interface.

Here is the other thread about the serial connection method. Dahua IPC unbricking / recovery over serial UART and TFTP

Sorry all - I'm pretty new here and not a mod but wow this gets confusing.

Hi there!

Hope you are doing well.
So, i moved back to ... square one. EASY method to start with before eventually turning to the SERIAL method.

(1) I made a DC12 connection to the device, which successfully powers up. I see a red light and a green light tuned on constantly. No blinking whatsoever (whereas if connected to the PoE switch, the red light stays on, the green one flashes constantly). Not sure though if that is a good or a bad sight.

(2) I then connected the device to a dedicated switch, to which I also connected my laptop. So far so good.

(3) Corrected my commands.txt file looking like this:

run up
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

(4) Did a run of the commands.bat file, and ended up with the upgrade_info_7db780a713a4.txt file looking like this:

CRC:1192382814
MagicString:c016dcd6-cdeb-45df-9fd0-e821bf0e1e62
run up
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

(5) Ensured that these three files and only these three files are in the root folder:

.FLASHING_DONE_STOP_TFTP_NOW
upgrade_info_7db780a713a4.txt
image.img

(6) Launched Console.bat (netcat) as well as the TFTPServer.bat files

(7) Launched another DOS box to ping on 192.168.1.108 activity

And here it all stalls, as there is no .108 address which replies. Hence, all the rest is idle too.

Does this mean I can forget the EASY method now, or am I overlooking again something?

Your advice appreciated, as always.

Duvel
 
Last edited: