Dahua IPC EASY unbricking / recovery over TFTP

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
List the .img files in the tftp server root directory.
It looks like this for example is missing
TFTP from server 192.168.254.254; our IP address is 192.168.1.251; sending through gateway 192.168.1.1
Download Filename 'romfs-x.squashfs.img'.
Download to address: 0x2000000
Downloading: T T T
TFTP error: (0)
 

rrands1

n3wb
Joined
Oct 16, 2020
Messages
19
Reaction score
8
Location
Mesa, az
That file is there, I think... Path to this dir: C:\dahua\Dahua_TFTPBackup\root
Note that my "install" file is 0 bytes, and that is what threw the error in 7-zip - I went to a different firmware file from Dahua, and that file there seemed to have the order of install - here is the contents from the different FW version (so assuming it won't work for me, but wanted to see what was in one anyway...)

{
"Commands" : [
"burn kernel.img kernel",
"burn partition-x.cramfs.img partition",
"burn romfs-x.squashfs.img rootfs",
"burn pd-x.squashfs.img pd",
"burn user-x.squashfs.img user",
"burn custom-x.squashfs.img custom",
"burn web-x.squashfs.img web"
],
"Devices" : [
[ "IPC-HX3XXX", "1.00" ]
],
"Vendor" : "General"
}
/IPC_RestoreDefault
 

alastairstevenson

That file is there, I think
It is indeed.
It's not clear (at least to me) why the romfs-x.squashfs.img is inaccessible to the tftp server, yet the upgrade_info ... file is OK.
Just guessing here :
Presumably the .img files are rw as opposed to ro ?
 

rrands1

It is indeed.
It's not clear (at least to me) why the romfs-x.squashfs.img is inaccessible to the tftp server, yet the upgrade_info ... file is OK.
Just guessing here :
Presumably the .img files are rw as opposed to ro ?
how do I check that? From a Windows FS perspective, they are RW to my account - is that different since the TFTP app is presenting Root up as some sort of share?
 

alastairstevenson

starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.251:3281 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:3445 root\romfs-x.squashfs.img, Timeout
Client 192.168.1.251:3464 root\failed.txt, 1 Blocks Served
Maybe configure what's not allowed to all 'Yes'.
 

rrands1

I changed the .ini file to allow write to everything, but same result.. :(

But - in looking at your link in your sig, I found someone who ran into issues in a multi-nic machine, and my laptop has a dock, so has 3 nics - 2 wired & 1 wireless. I disabled the 2nd wired & the wireless & tried again... 1 time I got through the first file... but then it timed out, and I never got it to go that far again... :(

So, I moved the apps (and re-pointed static route) to my NVR box, and tried again from scratch. Still timing out, same errors. I have tried older / different FW versions, but same result. Also, every .img file I have downloaded says it's corrupt, both in WinRar & 7Zip - is that normal?? (It's the "install" file in each of them) - are you able to replicate that by chance?

Please help - I feel like I am close, but not sure what might be wrong! (I disabled Windows Defender as well, just FYI, in case it was causing issues...)


Thank you!

-randy
 

Rens

n3wb
Joined
Jan 18, 2021
Messages
2
Reaction score
0
Location
Netherlands
It doesn’t work to reanimate the IPC-HDB4431C-SA camera. The camera accesses the TFTP server receives a couple of files, then an error and it all starts pony and so on all the time. What to do?
Hello foxden, Were you able to revive your IPC-HDB4431C-SA camera?
Could you find the firmware somewhere?

With kind regards,

Rens
 

alastairstevenson

Also, every .img file I have downloaded says it's corrupt, both in WinRar & 7Zip - is that normal?? (It's the "install" file in each of them) - are you able to replicate that by chance?
That's because the first header in the firmware files doesn't match the ZIP format.
The first 2 bytes are 'DH'.
If you change them to 'PK' with a hex editor then the file unzips normally.

I feel like I am close, but not sure what might be wrong!
It's not clear to me either, you've checked and changed the obvious things.
Maybe try another tftp server - such as the Jounin one here :
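
The header fix described in the post above, done in memory instead of with a hex editor (an added example, not code from the thread). The sample archive is constructed here and contains no real firmware; the `dhboot` prefix is taken from the bootloader image names mentioned later in the thread.

```python
import io
import zipfile

BOOT_PREFIX = "dhboot"  # bootloader image names reported in this thread

def build_sample_firmware() -> bytes:
    """Constructed stand-in for a vendor firmware file (not real firmware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Install", '{"Commands": ["burn kernel.img kernel"]}')
        zf.writestr("kernel.img", b"\x00" * 64)
        zf.writestr("romfs-x.squashfs.img", b"\x00" * 64)
        zf.writestr("dhboot.bin.img", b"\x00" * 32)
    raw = bytearray(buf.getvalue())
    raw[0:2] = b"DH"  # the header quirk described above
    return bytes(raw)

def first_damaged_member(raw: bytes):
    """Name of the first member a ZIP reader rejects, or None if all pass."""
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return zf.testzip()

def patch_header(raw: bytes) -> bytes:
    """Copy with a leading 'DH' replaced by 'PK'; real ZIPs pass through."""
    if raw[:2] == b"PK":
        return raw
    if raw[:2] != b"DH":
        raise ValueError(f"unexpected magic {raw[:2]!r}")
    return b"PK" + raw[2:]

def classify_members(raw: bytes) -> dict:
    """Patch in memory, verify every member, then sort the names by role."""
    fixed = patch_header(raw)
    bad = first_damaged_member(fixed)
    if bad is not None:
        raise ValueError(f"{bad!r} is damaged even after the header patch")
    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
        names = zf.namelist()
    imgs = [n for n in names if n.endswith(".img")]
    return {
        "flashable": [n for n in imgs if not n.startswith(BOOT_PREFIX)],
        "bootloader": [n for n in imgs if n.startswith(BOOT_PREFIX)],
        "other": [n for n in names if not n.endswith(".img")],
    }

if __name__ == "__main__":
    fw = build_sample_firmware()
    print("unpatched, first rejected member:", first_damaged_member(fw))
    print(classify_members(fw))
```

On the unpatched sample only the first member is rejected, because Python's `zipfile` finds the archive through the directory at the end of the file and only meets the `DH` bytes when it reads the first member's header.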
 

rrands1

That's because the first header in the firmware files doesn't match the ZIP format.
The first 2 bytes are 'DH'.
If you change them to 'PK' with a hex editor then the file unzips normally.


It's not clear to me either, you've checked and changed the obvious things.
Maybe try another tftp server - such as the Jounin one here :
Thank you, I will give that a try and I also plan on trying it direct to the computer instead of through a couple switches as it is set up right now… Do you know if that “install“ file is required or is that optional?
 

alastairstevenson

Do you know if that “install“ file is required or is that optional?
Code:
   "Commands" : [
      "burn kernel.img kernel",
      "burn partition-x.cramfs.img partition",
      "burn romfs-x.squashfs.img rootfs",
      "burn pd-x.squashfs.img pd",
      "burn user-x.squashfs.img user",
      "burn custom-x.squashfs.img custom",
      "burn web-x.squashfs.img web"
   ],
I believe the Install file is only used as instructions for the normal update program as opposed to the tftp update method, the contents of which are user-generated.
 

rrands1

@alastairstevenson - OK - we are making progress! Thank you for the help so far! I got some time so hooked the camera to a switch with nothing but the BlueIris PC on it, and configged as per the instructions at the start of this - first time through it hung on one of the IMG files, but then I changed the address in the commands.txt to point to 0200000, and it worked fine after that! I did a hard reset & things seem to be working as expected. Thank you so much for sticking with me!

-randy
 

tibimakai

Known around here
Joined
May 8, 2017
Messages
1,005
Reaction score
513
Location
Los Angeles
If I get only the first two lines of the U-boot, and the camera keeps restarting, what does that mean?

UBL_loadImg bakVersion=20, bootversion=20

U-boot 2010.6-svn8102 (Jun 4 2020 - 20:44:05)

Is there anything that can be done?
Should I use this method, or the other method?
 

tibimakai

I have tried this method, and it seems like it won't start Console.bat. It comes up with some errors. Windows 10 Defender won't let it run, that is what I think is happening here.
How to get around that? I have tried disabling Defender, but it is still a no go.
 

tibimakai

ncat.exe error: The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem.
I'm not good at this.
I have managed to set the camera up with a switch and pc. Changed the network settings.
The starts and it shows the update line and then the fail line.
Most likely I'm not doing something right, with the firmware. I don't understand what exactly I have to do.
I have extracted the firmware and pasted it into the root directory. That is where all the files/folders(bin, root, Commands, Console, TFTP server, etc.) are, right?
Most likely I have to edit the DH/RN as well.
I appreciate all your work that you have done here, but for some of us, this is very hard to understand, it is not easy at all.
I have never used tftp servers and such.
Thank you.
 

rrands1

You have to install a MS redistributable package - see below for help (note that I ran into this too, and had to install one of the packages this takes you to - the first one didn’t have what I needed, so I tried the others until it worked, (sorry - forget which one now...))

 

cawauk

n3wb
Joined
Feb 3, 2021
Messages
3
Reaction score
1
Location
UK
A successor of Dahua IPC unbricking / recovery over serial UART and TFTP
I recommend you to read through the above thread first.

If your camera still has a working bootloader (assume it does) then you can flash it easily, because:
The camera tries to download a file called "upgrade_info_7db780a713a4.txt" from a TFTP server running on 192.168.254.254 and executes the commands in said file in the bootloader (U-Boot) shell.
For more in-depth information, read this post: Dahua Firmware Mod Kit + Modded Dahua Firmware

Step 1, Configuring the network correctly.
The camera's IP is 192.168.1.108, the subnet mask is 255.255.255.0.
The camera uses 192.168.1.1 as gateway to connect to 192.168.254.254.
(It sends packets addressed to 192.168.254.254 to 192.168.1.1 because it's outside of the subnet)

There are two options to make the camera be able to reach your computer.
Option 1)
If you have a router on 192.168.1.1, add a static route to it which redirects all packets which are meant for 192.168.254.254 to your computer (mine is 192.168.1.4):

If your router doesn't have this function then it fucking sucks and doesn't deserve to be called a router.

Option 2)
Plug the camera straight into your computer's ethernet jack OR plug it into an ethernet switch where ONLY your computer and the camera are on (that's EXACTLY TWO devices).


Now you need to add the IP 192.168.254.254 with a subnet mask of 255.255.0.0 to your NIC.
If you opted for Option 1 you must not do steps 5, 6 and 7. (Or at least don't use the same IP as your router ^^)
If you opted for Option 2 you need to do all steps.


(Please remember to undo the changes after you're done)

It certainly would be nice to know if your network setup even works now, wouldn't it?
You could try to capture all the traffic on your ethernet card with wireshark and see if you are receiving anything from the camera (192.168.1.108) when you power it up.
You can skip this ^ and come back to it if the stuff below isn't working.

Step 2, download this archive which has all the necessary tools (TFTP server, upgrade_info tool, netcat for console log):

There are three scripts in the archive:
  • Commands.bat
    • Reads commands.txt and generates upgrade_info_7db780a713a4.txt in root directory.
  • TFTPServer.bat
    • Starts TFTP server which serves the root directory on 192.168.254.254 (port 69 UDP)
  • Console.bat
    • Listens on 192.168.254.254 port 5002 UDP to receive the log from the camera after successfully downloading and running the given commands.
    • Could help you if you want to run a command and check the output.
      • For Example:
      • printenv and look for the HWID=IPC-HDW4431C:BLA:BLA
      • All firmware images have a check.img or hwid file with compatible HWIDs
      • You should not flash incompatible firmware
If you looked at the thread I linked at the start of this post you should know what to do now:
  • Find working firmware for your camera.
  • Extract firmware using 7zip/WinRAR.
  • Confirm it is actually compatible using the HWID.
  • Place the extracted .img files into the root directory.
  • Write appropriate commands.txt to flash the img files onto the camera
    • Your camera should have some predefined ones in printenv, like:
    • dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite
    • In this case you can run above by putting run dr into the commands.txt
    • Check the thread linked at the start for a description of all commands.
    • cfgRestore might be useful if you want to reset your camera.
HOWEVER: NEVER FLASH THE BOOTLOADER, THERE IS NEVER A REASON TO!!! (unless it's gone, but then this tutorial won't help you ^^)

To make things simpler I have prepared and tested a package for Eos cameras using my latest modded firmware:
Compatible cameras according to Dahua:
DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2
commands.txt from above link:
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

Step 3, flash it!
If you modified commands.txt, run Commands.bat.
Run TFTPServer.bat and Console.bat.
Power up your camera, it should start downloading from the TFTP server.
Close the TFTP server once you see "FLASHING_DONE_STOP_TFTP_NOW".
Done?

Thanks to @resegun for figuring out the magic behind upgrade_info_7db780a713a4.txt.
(If this helped you and you have some spare for a student: paypal.me/BotoX)
Thank you, thank you, thank you!!!!

Without your post, I would never have revived my bricked AMCREST IP2M-841W.
So thank you again!
I followed your steps and had a few hesitations/hiccups along the way I thought I should share:

1. It wasn't clear to me that the firmware from amcrest, a .bin file, was in fact a package which could be opened with 7zip to extract the .img files. I eventually figured it out before flashing.
2. I didn't understand your statement of not flashing the boot files, but after downloading your custom eos rom file to compare to the amcrest files, I saw two additional files called dhboot.bin.img and dhboot-min.bin.img with the amcrest files, so I removed these from the folder.
3. All files were successfully transferred, except pd-x.squashfs.img which showed 'Timeout'. I have no idea why.
4. The tftpserver was running in a loop. I never got to the "FLASHING_DONE_STOP_TFTP_NOW" message. Maybe I did something wrong, but after the 5th loop flashing, I figured out roughly when to close the server whilst watching activity in Wireshark (as soon as "Read Request, File: upgrade_info_7db780a713a4.txt" appeared for the 6th time).

Immediately after, the PTZ began on boot (which it wasn't doing since bricking). You can't imagine how happy I was; Amcrest's IP Tool could now see the camera again!

At this point, I decided to flash the Amcrest BIN file again using the Amcrest IP Tool to make sure 'boot' files I hadn't included in the TFTP folder and the 'timeout' squashfs.img were correctly loaded.

The flash was successful and I have a fully working camera again.

So thank you thank you thank you!!!
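
A pre-flight check for the TFTP root, following the tutorial quoted above (an added example, not part of the thread or of the tool archive it links). It expands `run <macro>` lines against a saved `printenv` dump and reports images that are missing or 0 bytes, bootloader images, and macros the camera does not define. All function names and sample data are constructed here; only the `dr` macro is quoted from the thread, and skipping non-`.img` names such as the stop marker is an assumption.

```python
import re
import tempfile
from pathlib import Path

TFTP_RE = re.compile(r"\btftp\s+(?:0x)?[0-9a-fA-F]+\s+([^\s;]+)")

def parse_env(printenv_text):
    """Turn 'name=value' lines of a printenv dump into a dict."""
    pairs = (l.partition("=") for l in printenv_text.splitlines() if "=" in l)
    return {name.strip(): value.strip() for name, _, value in pairs}

def requested_images(commands_text, env):
    """Expand 'run <macro>' one level; return (.img names, unknown macros)."""
    images, unresolved = [], []
    for cmd in re.split(r"[;\n]", commands_text):
        m = re.fullmatch(r"run\s+(\S+)", cmd.strip())
        if m and m.group(1) not in env:
            unresolved.append(m.group(1))
            continue
        body = env[m.group(1)] if m else cmd
        images += [f for f in TFTP_RE.findall(body) if f.endswith(".img")]
    return images, unresolved

def preflight(commands_text, env, root):
    """Check every image the camera will request against the TFTP root."""
    images, unresolved = requested_images(commands_text, env)
    report = {"missing": [], "empty": [], "bootloader": [], "unresolved": unresolved}
    for name in images:
        path = Path(root) / name
        if name.startswith("dhboot"):  # never flash these, per the tutorial
            report["bootloader"].append(name)
        if not path.is_file():
            report["missing"].append(name)
        elif path.stat().st_size == 0:
            report["empty"].append(name)
    return report

# Constructed sample data; only the 'dr' macro is quoted from the thread.
SAMPLE_ENV = ("dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite\n"
              "dk=tftp 0x82000000 kernel.img; flwrite\n")
SAMPLE_COMMANDS = ("run dr\nrun dk\nrun dp\n"
                   "tftp 0x82000000 pd-x.squashfs.img; flwrite\n"
                   "tftp 0x82000000 dhboot.bin.img; flwrite\n"
                   "tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW\nsleep 5\n")

def demo():
    """Run the check against a temporary root holding constructed files."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in [("romfs-x.squashfs.img", 16), ("kernel.img", 0),
                           ("dhboot.bin.img", 16)]:
            (Path(root) / name).write_bytes(b"\x00" * size)
        return preflight(SAMPLE_COMMANDS, parse_env(SAMPLE_ENV), root)
```

An entry under `unresolved` means the `run` line relies on a macro that is not in the saved dump, so the file it would fetch cannot be checked from the PC side.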
 