Dahua IPC EASY unbricking / recovery over TFTP

Well, many thanks to @riogrande75 and @TheDude for their persistance in helping me out here!!

Actually, the last post from @riogrande75 did it. I fetched his suggested 501655_General_Overseas_VTOXXX_Eng_P_16M_SIP_V1.000.00.0.R.20170425.zip file, and modified my comments.txt file like this:

run dc
run dk
run dr
run du
run dw
run dd
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

As @riogrande75 mentioned, I omitted pd-x.cramfs.img to be in my root folder as well as in my commands.txt, as he told me it was not working for him neither to get this one flashed.

So this gave me back my old environment, which I was able to access via 192.168.1.110 (so yes, the manual is correct, this is the default IP the device gets).

Once I got my old environment back, I used the new VDCConfig tool to search for the device. It was found instantly, hence I tried to flash it immediately with the newest firmware version: General_VTOXXX_Eng_P_16M_SIP_V4.000.0000000.5.R.20181030

And, well, also this worked well, and showed in turn the newest Webservice 2.0 interface.
This is great news, and good also to see I was able to revive my device.



Wife will be happy. ;-))
LOL.

Again, many thanks for your persistence in helping me out here.
Many kudos to all, and especially @riogrande75 and @TheDude who kept me going.

Have all a nice weekend folks.
Greetings.

Duvel
 
Next challenge, upgrading my VTH1550CH, as also that one now seems to be dead.
Guess I'll have to give that one the latest firmware as well.

Not sure how I'll be able to do that, as I don't get any ping or IP whatsover.
But that's for another thread.
 
Excellent and glad to hear you got it working. When the update.img (run up) method does not work then yes, you must then use the individual files. I think maybe update.img method might only work if a device has more functionality still working. I just extracted update.img for another device and that is a full update but not in the same format. The update.img type is the full Linux filesystem which would mean that for it to work an existing Linux environment must be present and functional after the boot loader tries to start the main operating software. So when using the update.img the bootloader downloads that to temporary flash storage, then tries to start the main operating software which would then see the update and load that but if the main operating software is corrupt or will not start than the update would fail. So essentially if the only thing working is the bootloader then the individual files method must be used.
 
Next challenge, upgrading my VTH1550CH, as also that one now seems to be dead.
Guess I'll have to give that one the latest firmware as well.

Not sure how I'll be able to do that, as I don't get any ping or IP whatsover.
But that's for another thread.

I had a troublesome VTH too, but I was able to flash it through VDPConfig with General_VTH151X_Eng_P_V4.000.0000.0.R.20180622, so I was able to add additional IPC from my NVR on screen, which did not work with "elder" firmwares.
 
Hey guys,

I have Dahua VTO2111D-WP from China (I think) and today morning I upgraded it with English FW and Dahua is brick. I have a very similar behavior like Duvel (Dahua is switching between IP 192.168.1.108 and 110) and I am trying to recover Dahua via TFTP and it says "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, 1 blocks served". File failed.txt and success.txt I created manualy (desperate tries). Before I created these files, it says: "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, file not exist or no access".

Please, look at my printscreen, if you see any mistake in my settings. I mean, I am doing something wrong from a very begining.

Thank you!
 

Attachments

  • settings.jpg
    settings.jpg
    309.6 KB · Views: 114
Hey guys,

I have Dahua VTO2111D-WP from China (I think) and today morning I upgraded it with English FW and Dahua is brick. I have a very similar behavior like Duvel (Dahua is switching between IP 192.168.1.108 and 110) and I am trying to recover Dahua via TFTP and it says "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, 1 blocks served". File failed.txt and success.txt I created manualy (desperate tries). Before I created these files, it says: "client 192.168.1.8:xxxx C:\Dahua_TFTPBackup\root\failed.txt, file not exist or no access".

Please, look at my printscreen, if you see any mistake in my settings. I mean, I am doing something wrong from a very begining.

Thank you!

Hi,

What worked for me is what I learned from @riogrande75 , who said that you don't need the pd-x.cramfs.img. So remove this one from you stack of .img files before you flash it, and of course also remove run dp from your commands.txt file (and then run commands.bat again of course). Basically, in the root folder, only keep the files you really need. So I always also removed the dm365.xxxboot.img file as well, and also remove the failed.txt and success.txt files (which I guess you added manually, but that's not needed), as you don't need those to flash with success.

For me this worked to successfully flash both my VTO and my VTH and to unbrick them.

Hope this helps for you as well.

Duvel
 
Last edited:
@riogrande75 @TheDude Sorry to trouble you guys, but I wonder if you could offer any advice the following issue. I see you helped @Duvel with a persistent problem he had when trying to unbrick a device.

In my case, I (in complete ignorance of the whole AliExpress 'hacked' software scene) upgraded a china cam (HDBW4631R) which was supplied with English firmware. I used this fw https://www.dahuasecurity.com/support/downloadCenter/download-search?keyword=4631

On attempting the update, it bricked. I did manage to recover (via TFTP) but it only seemed to work using the official Chinese firmware. As this is signed, it cannot be changed in anyway.

The original (hacked?) firmware reported as 2.460.0000000.16.R 2017-09-04

I did try a variety of firmware and command.txt combinations, but all (apart from the china fw) resulted in the same boot loop @Duvel described for his device. That said, this was a whole new learning process using trial and error, so maybe I made a few wrong moves.

In your experience, do you believe it's possible to rollback to an earlier unsigned english version of a suitable firmware, or am I stuck?

Appreciate any thoughts or guidance.
 
hello can i recover VTH1550CH with this? i seem to have bricked whilst trying to flash firmware, it seems to ping for some time then drops and cycle continues.

its pings on the IP i had assigned before.
 
hi guys again

i am not sure what could be wrong i flashing all the .img files but still got issues not, what is the run command for sign.img?
 
Hi,
Can anyone help and tell me what i am going wrong? I have followed the instructions from the first post of this thread, but as you can see from the attached picture the firmware upgrade is failing on the last step.
on the last line pd-x squashfs.img Timeout. When this happens it turns of my IP camera.
The camera i am trying to fix is a dahua SD22204T-GN-W PTZ. The firmware i am using is from the Dahua website and is the latest version. This could be the problem as i cannot seem to find earlier versions of this software.
Before i tried this firmware upgrade there was no ports open, but now port 22 is. Not sure if this could help me to fix it.

Any help will be appreciated.TFTP Test.jpg
 
Check the commands.txt file you edit for the individual lines. Edit that with something besides notepad. I use TextPad myself. With notepad it is probably adding extra spaces at the end or something. That messed me up once. Might not be the issue but it might be... then re-run the commands.bat and then try.
 
Thanks TheDude for the download link. I am using the same firmware date you posted but your zip had a lot more files. I have run the test again using TheDude zip file and taken out tftp 0x82000000 pd-x.squashfs.img; flwrite from the commands.txt, camera still won't boot but does not turn off.
I now have 2 ports open port 22 ssh and port 23 telnet.
I have attached a copy of what was shown on Nmap but i cannot see/tell where it is failing.
 
Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
.2 MiB
Load Address: 01e00000
Entry Point: 03a80000
Verifying Checksum ... OK
Programing start at: 0x01e00000
write : 100%
done

## Checking Image at 0309e0c0 ...
Legacy image found
Image Name: web
Created: 2018-01-15 21:24:37 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 7766016 Bytes = 7.4 MiB
Load Address: 01600000
Entry Point: 01e00000
Verifying Checksum ... OK
Programing start at: 0x01600000
write : 100%
done

## Checking Image at 03806100 ...
Legacy image found
Image Name: pd
Created: 2018-01-15 21:25:05 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 57344 Bytes = 56 KiB
Load Address: 00940000
Entry Point: 00c80000
Verifying Checksum ... OK
Programing start at: 0x00940000
write : 100%
done

## Checking Image at 03814140 ...
Legacy image found
Image Name: custom
Created: 2018-01-15 21:25:08 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 135168 Bytes = 132 KiB
Load Address: 00600000
Entry Point: 00940000
Verifying Checksum ... OK
Programing start at: 0x00600000
write : 100%
done

## Checking Image at 03835180 ...
Legacy image found
Image Name: partition
Created: 2018-01-15 21:24:33 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 4096 Bytes = 4 KiB
Load Address: 00500000
Entry Point: 00600000
Verifying Checksum ... OK
Programing start at: 0x00500000
write : 100%
done

## Checking Image at 038361c0 ...
Legacy image found
Image Name: kernel
Created: 2018-01-15 21:24:33 UTC
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1728760 Bytes = 1.6 MiB
Load Address: 00c80000
Entry Point: 01200000
Verifying Checksum ... OK
Programing start at: 0x00c80000
write : 100%
done

## Checking Image at 039dc2f8 ...
Legacy image found
Image Name: CmdScript
Created: 2018-01-15 21:25:08 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 1011 Bytes = 1011 Bytes
Load Address: c0000000
Entry Point: c0001400
Verifying Checksum ... OK
exce update config script start!
set da 'tftp 0x2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;
nand protect off;flwrite;nand protect on'
set dr 'tftp 0x2000000 romfs-x.squashfs.img; flwrite'
set dk 'tftp 0x2000000 kernel.img; flwrite'
set du 'tftp 0x2000000 user-x.squashfs.img; flwrite'
set dw 'tftp 0x2000000 web-x.squashfs.img; flwrite'
set ds 'tftp 0x2000000 dsp-x.squashfs.img; flwrite'
set dc 'tftp 0x2000000 custom-x.squashfs.img; flwrite'
set dt 'tftp 0x2000000 data-x.squashfs.img; flwrite'
set df 'tftp 0x2000000 fpga.img; flwrite'
set up 'tftp 0x2000000 update.img; flwrite'
set tk 'tftp 0x200100 hawthorn.dts.dtb;tftp 0x2000000 uImage;fdt addr 20
0100;fdt set serial1 status ok;bootm 0x2000000'
set bootcmd 'nand read 0x200100 0x60000 0x10000;kload 0x2000000; fdt ad
dr 200100;fdt set serial1 status ok;bootm 0x2000000'
setenv bootargs "console=ttyS0,115200 mem=110M root=/dev/mtdblock8 rootf
stype=squashfs init=/linuxrc"
set dm 'tftp 0x2000000 mcu-x.bin.img;flwrite'
save
Saving Environment to NAND...
Erasing Nand...
Erasing at 0x360000 -- 100% complete.
Writing to Nand... done
exce update config script complete!
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
fail to load bootargsParametersV22.txt
fail to load bootargsParametersV21.txt
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
gh gateway 192.168.1.1Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Download
to address: 0x82000000
Downloading: #
done
write : 100%%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
fail to load bootargsParametersV22.txt
fail to load bootargsParametersV21.txt
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
gh gateway 192.168.1.1Download Filename 'web-x.squashfs.img'.Download to address
: 0x2000000
Downloading: *
done
Bytes transferred = 7766080 (768040 hex)
do not find BOOT_IMG_NAME!
Erasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8

## Checking Image at 02000000 ...
Legacy image found
Image Name: web
Created: 2018-01-15 21:24:37 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 7766016 Bytes = 7.4 MiB
Load Address: 01600000
Entry Point: 01e00000
Verifying Checksum ... OK
Programing start at: 0x01600000
write : 100%
done
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
fail to load bootargsParametersV22.txt
fail to load bootargsParametersV21.txt
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending throu
gh gateway 192.168.1.1Download Filename 'update.img'.Download to address: 0x2000
000
Downloading: T T
done
Bytes transferred = 27117355 (19dc72b hex)
Erasing update flag partition.
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8

## Checking Image at 02000040 ...
Legacy image found
Image Name: romfs
Created: 2018-01-15 21:24:35 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1466368 Bytes = 1.4 MiB
Load Address: 01200000
Entry Point: 01600000
Verifying Checksum ... OK
Programing start at: 0x01200000
write : 100%
done

## Checking Image at 02166080 ...
Legacy image found
Image Name: user
Created: 2018-01-15 21:24:54 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 15958016 Bytes = 15
 
Last edited:
Hi, from the information in my pervious post can anyone tell me why my camera is stuck rebooting? There is an error i can see in partitions, which says;
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
partition file version 2
rootfstype squashfs root /dev/mtdblock8
fail to load bootargsParametersV22.txt
fail to load bootargsParametersV21.txt
Can anyone tell me if this is why and is there anyway to fix this?
If someone can help it will be much appreciated. Thanks
 
Hi,

Can someone help me to fix the Commands.bat for my VTO?

I have serial access and the printenv command give that:

DHBOOT# printenv
bootcmd=fsload;bootm 80800000
bootdelay=3
baudrate=115200
bootfile="uImage"
single=0
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
compile_time=Nov 27 2012 19:04:05
ID=000000000000000000
ethaddr=90:02:a9:9c:43:34
netmask=255.255.255.0
serverip=192.168.1.1
ipaddr=192.168.1.109
armbenv=-s HWID VTO6210B:0:4:1:3:5:0:1:2:3:3:0:1B0:6:0:0:4:0:0:0
dh_keyboard=1
HWID=VTO6110B:0:4:1:3:5:0:1:2:3:3:0:1B0:6:0:0:4:0:0:0
appauto=1
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs ,nolock mem=90M newmem=96M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Oct 30 2018 - 10:30:03)

Environment size: 1103/16380 bytes
DHBOOT#
DHBOOT#

Thanks.