Dahua IPC EASY unbricking / recovery over TFTP

Discussion in 'Dahua' started by cor35vet, Feb 22, 2017.

Share This Page

  1. Duvel

    Duvel n3wb

    Joined:
    Dec 11, 2018
    Messages:
    20
    Likes Received:
    6
    Location:
    USA
    Well, many thanks to @riogrande75 and @TheDude for their persistance in helping me out here!!

    Actually, the last post from @riogrande75 did it. I fetched his suggested 501655_General_Overseas_VTOXXX_Eng_P_16M_SIP_V1.000.00.0.R.20170425.zip file, and modified my comments.txt file like this:

    run dc
    run dk
    run dr
    run du
    run dw
    run dd
    tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
    sleep 5

    As @riogrande75 mentioned, I omitted pd-x.cramfs.img to be in my root folder as well as in my commands.txt, as he told me it was not working for him neither to get this one flashed.

    So this gave me back my old environment, which I was able to access via 192.168.1.110 (so yes, the manual is correct, this is the default IP the device gets).

    Once I got my old environment back, I used the new VDCConfig tool to search for the device. It was found instantly, hence I tried to flash it immediately with the newest firmware version: General_VTOXXX_Eng_P_16M_SIP_V4.000.0000000.5.R.20181030

    And, well, also this worked well, and showed in turn the newest Webservice 2.0 interface.
    This is great news, and good also to see I was able to revive my device.



    Wife will be happy. ;-))
    LOL.

    Again, many thanks for your persistence in helping me out here.
    Many kudos to all, and especially @riogrande75 and @TheDude who kept me going.

    Have all a nice weekend folks.
    Greetings.

    Duvel
     
    TheDude and alastairstevenson like this.
  2. Duvel

    Duvel n3wb

    Joined:
    Dec 11, 2018
    Messages:
    20
    Likes Received:
    6
    Location:
    USA
    Next challenge, upgrading my VTH1550CH, as also that one now seems to be dead.
    Guess I'll have to give that one the latest firmware as well.

    Not sure how I'll be able to do that, as I don't get any ping or IP whatsover.
    But that's for another thread.
     
  3. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    30
    Location:
    USA
    Excellent and glad to hear you got it working. When the update.img (run up) method does not work then yes, you must then use the individual files. I think maybe update.img method might only work if a device has more functionality still working. I just extracted update.img for another device and that is a full update but not in the same format. The update.img type is the full Linux filesystem which would mean that for it to work an existing Linux environment must be present and functional after the boot loader tries to start the main operating software. So when using the update.img the bootloader downloads that to temporary flash storage, then tries to start the main operating software which would then see the update and load that but if the main operating software is corrupt or will not start than the update would fail. So essentially if the only thing working is the bootloader then the individual files method must be used.
     
  4. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    759
    Likes Received:
    446
    I had a troublesome VTH too, but I was able to flash it through VDPConfig with General_VTH151X_Eng_P_V4.000.0000.0.R.20180622, so I was able to add additional IPC from my NVR on screen, which did not work with "elder" firmwares.
     
  5. veterinator

    veterinator n3wb

    Joined:
    Sep 12, 2017
    Messages:
    3
    Likes Received:
    0
  6. Sepulnation

    Sepulnation n3wb

    Joined:
    Dec 25, 2018
    Messages:
    1
    Likes Received:
    0
    Location:
    Prague
    Hey guys,

    I have Dahua VTO2111D-WP from China (I think) and today morning I upgraded it with English FW and Dahua is brick. I have a very similar behavior like Duvel (Dahua is switching between IP 192.168.1.108 and 110) and I am trying to recover Dahua via TFTP and it says "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, 1 blocks served". File failed.txt and success.txt I created manualy (desperate tries). Before I created these files, it says: "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, file not exist or no access".

    Please, look at my printscreen, if you see any mistake in my settings. I mean, I am doing something wrong from a very begining.

    Thank you!
     

    Attached Files:

  7. Duvel

    Duvel n3wb

    Joined:
    Dec 11, 2018
    Messages:
    20
    Likes Received:
    6
    Location:
    USA
    Hi,

    What worked for me is what I learned from @riogrande75 , who said that you don't need the pd-x.cramfs.img. So remove this one from you stack of .img files before you flash it, and of course also remove run dp from your commands.txt file (and then run commands.bat again of course). Basically, in the root folder, only keep the files you really need. So I always also removed the dm365.xxxboot.img file as well, and also remove the failed.txt and success.txt files (which I guess you added manually, but that's not needed), as you don't need those to flash with success.

    For me this worked to successfully flash both my VTO and my VTH and to unbrick them.

    Hope this helps for you as well.

    Duvel
     
    Last edited: Dec 27, 2018
  8. Markc_UK

    Markc_UK n3wb

    Joined:
    Nov 27, 2018
    Messages:
    4
    Likes Received:
    0
    Location:
    UK
    @riogrande75 @TheDude Sorry to trouble you guys, but I wonder if you could offer any advice the following issue. I see you helped @Duvel with a persistent problem he had when trying to unbrick a device.

    In my case, I (in complete ignorance of the whole AliExpress 'hacked' software scene) upgraded a china cam (HDBW4631R) which was supplied with English firmware. I used this fw https://www.dahuasecurity.com/support/downloadCenter/download-search?keyword=4631

    On attempting the update, it bricked. I did manage to recover (via TFTP) but it only seemed to work using the official Chinese firmware. As this is signed, it cannot be changed in anyway.

    The original (hacked?) firmware reported as 2.460.0000000.16.R 2017-09-04

    I did try a variety of firmware and command.txt combinations, but all (apart from the china fw) resulted in the same boot loop @Duvel described for his device. That said, this was a whole new learning process using trial and error, so maybe I made a few wrong moves.

    In your experience, do you believe it's possible to rollback to an earlier unsigned english version of a suitable firmware, or am I stuck?

    Appreciate any thoughts or guidance.
     
  9. jesd03

    jesd03 Getting the hang of it

    Joined:
    Apr 14, 2015
    Messages:
    148
    Likes Received:
    19
    hello can i recover VTH1550CH with this? i seem to have bricked whilst trying to flash firmware, it seems to ping for some time then drops and cycle continues.

    its pings on the IP i had assigned before.
     
  10. jesd03

    jesd03 Getting the hang of it

    Joined:
    Apr 14, 2015
    Messages:
    148
    Likes Received:
    19
    hi guys again

    i am not sure what could be wrong i flashing all the .img files but still got issues not, what is the run command for sign.img?
     
  11. jesd03

    jesd03 Getting the hang of it

    Joined:
    Apr 14, 2015
    Messages:
    148
    Likes Received:
    19
    issue fixed had to use sip version as that is what i had before.
     
  12. fred0503

    fred0503 n3wb

    Joined:
    Jan 10, 2019
    Messages:
    10
    Likes Received:
    0
    Location:
    Wales
    Hi,
    Can anyone help and tell me what i am going wrong? I have followed the instructions from the first post of this thread, but as you can see from the attached picture the firmware upgrade is failing on the last step.
    on the last line pd-x squashfs.img Timeout. When this happens it turns of my IP camera.
    The camera i am trying to fix is a dahua SD22204T-GN-W PTZ. The firmware i am using is from the Dahua website and is the latest version. This could be the problem as i cannot seem to find earlier versions of this software.
    Before i tried this firmware upgrade there was no ports open, but now port 22 is. Not sure if this could help me to fix it.

    Any help will be appreciated. TFTP Test.jpg
     
  13. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    30
    Location:
    USA
    Check the commands.txt file you edit for the individual lines. Edit that with something besides notepad. I use TextPad myself. With notepad it is probably adding extra spaces at the end or something. That messed me up once. Might not be the issue but it might be... then re-run the commands.bat and then try.
     
  14. authenticjt

    authenticjt n3wb

    Joined:
    Apr 20, 2018
    Messages:
    7
    Likes Received:
    1
    Try replacing tftp 0x82000000 pd-x.squashfs.img; flwrite with run pd in the commands.txt file.
     
  15. fred0503

    fred0503 n3wb

    Joined:
    Jan 10, 2019
    Messages:
    10
    Likes Received:
    0
    Location:
    Wales
    Thanks for the replies, but tried both suggestions and still have the same problem.
     
  16. TheDude

    TheDude Getting the hang of it

    Joined:
    Sep 4, 2018
    Messages:
    72
    Likes Received:
    30
    Location:
    USA
  17. fred0503

    fred0503 n3wb

    Joined:
    Jan 10, 2019
    Messages:
    10
    Likes Received:
    0
    Location:
    Wales
    Thanks TheDude for the download link. I am using the same firmware date you posted but your zip had a lot more files. I have run the test again using TheDude zip file and taken out tftp 0x82000000 pd-x.squashfs.img; flwrite from the commands.txt, camera still won't boot but does not turn off.
    I now have 2 ports open port 22 ssh and port 23 telnet.
    I have attached a copy of what was shown on Nmap but i cannot see/tell where it is failing.
     
  18. fred0503

    fred0503 n3wb

    Joined:
    Jan 10, 2019
    Messages:
    10
    Likes Received:
    0
    Location:
    Wales
    Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
    Ncat: Listening on 192.168.254.254:5002
    .2 MiB
    Load Address: 01e00000
    Entry Point: 03a80000
    Verifying Checksum ... OK
    Programing start at: 0x01e00000
    write : 100%
    done

    ## Checking Image at 0309e0c0 ...
    Legacy image found
    Image Name: web
    Created: 2018-01-15 21:24:37 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 7766016 Bytes = 7.4 MiB
    Load Address: 01600000
    Entry Point: 01e00000
    Verifying Checksum ... OK
    Programing start at: 0x01600000
    write : 100%
    done

    ## Checking Image at 03806100 ...
    Legacy image found
    Image Name: pd
    Created: 2018-01-15 21:25:05 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 57344 Bytes = 56 KiB
    Load Address: 00940000
    Entry Point: 00c80000
    Verifying Checksum ... OK
    Programing start at: 0x00940000
    write : 100%
    done

    ## Checking Image at 03814140 ...
    Legacy image found
    Image Name: custom
    Created: 2018-01-15 21:25:08 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 135168 Bytes = 132 KiB
    Load Address: 00600000
    Entry Point: 00940000
    Verifying Checksum ... OK
    Programing start at: 0x00600000
    write : 100%
    done

    ## Checking Image at 03835180 ...
    Legacy image found
    Image Name: partition
    Created: 2018-01-15 21:24:33 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 4096 Bytes = 4 KiB
    Load Address: 00500000
    Entry Point: 00600000
    Verifying Checksum ... OK
    Programing start at: 0x00500000
    write : 100%
    done

    ## Checking Image at 038361c0 ...
    Legacy image found
    Image Name: kernel
    Created: 2018-01-15 21:24:33 UTC
    Image Type: ARM Linux Firmware (uncompressed)
    Data Size: 1728760 Bytes = 1.6 MiB
    Load Address: 00c80000
    Entry Point: 01200000
    Verifying Checksum ... OK
    Programing start at: 0x00c80000
    write : 100%
    done

    ## Checking Image at 039dc2f8 ...
    Legacy image found
    Image Name: CmdScript
    Created: 2018-01-15 21:25:08 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 1011 Bytes = 1011 Bytes
    Load Address: c0000000
    Entry Point: c0001400
    Verifying Checksum ... OK
    exce update config script start!
    set da ' tftp 0x2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;
    nand protect off;flwrite;nand protect on'
    set dr 'tftp 0x2000000 romfs-x.squashfs.img; flwrite'
    set dk 'tftp 0x2000000 kernel.img; flwrite'
    set du 'tftp 0x2000000 user-x.squashfs.img; flwrite'
    set dw 'tftp 0x2000000 web-x.squashfs.img; flwrite'
    set ds 'tftp 0x2000000 dsp-x.squashfs.img; flwrite'
    set dc 'tftp 0x2000000 custom-x.squashfs.img; flwrite'
    set dt 'tftp 0x2000000 data-x.squashfs.img; flwrite'
    set df 'tftp 0x2000000 fpga.img; flwrite'
    set up 'tftp 0x2000000 update.img; flwrite'
    set tk 'tftp 0x200100 hawthorn.dts.dtb;tftp 0x2000000 uImage;fdt addr 20
    0100;fdt set serial1 status ok;bootm 0x2000000'
    set bootcmd 'nand read 0x200100 0x60000 0x10000;kload 0x2000000; fdt ad
    dr 200100;fdt set serial1 status ok;bootm 0x2000000'
    setenv bootargs "console=ttyS0,115200 mem=110M root=/dev/mtdblock8 rootf
    stype=squashfs init=/linuxrc"
    set dm 'tftp 0x2000000 mcu-x.bin.img;flwrite'
    save
    Saving Environment to NAND...
    Erasing Nand...
    Erasing at 0x360000 -- 100% complete.
    Writing to Nand... done
    exce update config script complete!
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    fail to load bootargsParametersV22.txt
    fail to load bootargsParametersV21.txt
    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
    gh gateway 192.168.1.1Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Download
    to address: 0x82000000
    Downloading: #
    done
    write : 100%%
    done
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    fail to load bootargsParametersV22.txt
    fail to load bootargsParametersV21.txt
    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
    gh gateway 192.168.1.1Download Filename 'web-x.squashfs.img'.Download to address
    : 0x2000000
    Downloading: *
    done
    Bytes transferred = 7766080 (768040 hex)
    do not find BOOT_IMG_NAME!
    Erasing update flag partition.
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8

    ## Checking Image at 02000000 ...
    Legacy image found
    Image Name: web
    Created: 2018-01-15 21:24:37 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 7766016 Bytes = 7.4 MiB
    Load Address: 01600000
    Entry Point: 01e00000
    Verifying Checksum ... OK
    Programing start at: 0x01600000
    write : 100%
    done
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    fail to load bootargsParametersV22.txt
    fail to load bootargsParametersV21.txt
    Using ambarella mac device
    TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
    gh gateway 192.168.1.1Download Filename 'update.img'.Download to address: 0x2000
    000
    Downloading: T T
    done
    Bytes transferred = 27117355 (19dc72b hex)
    Erasing update flag partition.
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8

    ## Checking Image at 02000040 ...
    Legacy image found
    Image Name: romfs
    Created: 2018-01-15 21:24:35 UTC
    Image Type: ARM Linux Kernel Image (uncompressed)
    Data Size: 1466368 Bytes = 1.4 MiB
    Load Address: 01200000
    Entry Point: 01600000
    Verifying Checksum ... OK
    Programing start at: 0x01200000
    write : 100%
    done

    ## Checking Image at 02166080 ...
    Legacy image found
    Image Name: user
    Created: 2018-01-15 21:24:54 UTC
    Image Type: ARM Linux Standalone Program (uncompressed)
    Data Size: 15958016 Bytes = 15
     
    Last edited: Jan 22, 2019
  19. fred0503

    fred0503 n3wb

    Joined:
    Jan 10, 2019
    Messages:
    10
    Likes Received:
    0
    Location:
    Wales
    Hi, from the information in my pervious post can anyone tell me why my camera is stuck rebooting? There is an error i can see in partitions, which says;
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    partition file version 2
    rootfstype squashfs root /dev/mtdblock8
    fail to load bootargsParametersV22.txt
    fail to load bootargsParametersV21.txt
    Can anyone tell me if this is why and is there anyway to fix this?
    If someone can help it will be much appreciated. Thanks
     
  20. intelcom

    intelcom n3wb

    Joined:
    Oct 12, 2016
    Messages:
    5
    Likes Received:
    0
    Hi,

    Can someone help me to fix the Commands.bat for my VTO?

    I have serial access and the printenv command give that:

    DHBOOT# printenv
    bootcmd=fsload;bootm 80800000
    bootdelay=3
    baudrate=115200
    bootfile="uImage"
    single=0
    da=protect off all; tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
    dc=tftp 81a00000 custom-x.cramfs.img; flwrite
    dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
    du=tftp 81a00000 user-x.cramfs.img; flwrite
    dd=tftp 81a00000 data-x.cramfs.img; flwrite
    dw=tftp 81a00000 web-x.cramfs.img; flwrite
    dg=tftp 81a00000 gui-x.cramfs.img; flwrite
    dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
    up=tftp 81a00000 update.img; flwrite
    tk=tftp 80800000 uImage; bootm 80800000
    gionum=22.25
    gioval=1.1
    dh_com=0
    compile_time=Nov 27 2012 19:04:05
    ID=000000000000000000
    ethaddr=90:02:a9:9c:43:34
    netmask=255.255.255.0
    serverip=192.168.1.1
    ipaddr=192.168.1.109
    armbenv=-s HWID VTO6210B:0:4:1:3:5:0:1:2:3:3:0:1B0:6:0:0:4:0:0:0
    dh_keyboard=1
    HWID=VTO6110B:0:4:1:3:5:0:1:2:3:3:0:1B0:6:0:0:4:0:0:0
    appauto=1
    bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs ,nolock mem=90M newmem=96M video=davincifb:vid0=OFF:vid1=OFF:eek:sd0=OFF:eek:sd1=OFF
    stdin=serial
    stdout=serial
    stderr=serial
    ver=U-Boot 1.3.6 (jerry) (Oct 30 2018 - 10:30:03)

    Environment size: 1103/16380 bytes
    DHBOOT#
    DHBOOT#

    Thanks.