A successor of Dahua IPC unbricking / recovery over serial UART and TFTP
I recommend you to read through the above thread first.
If your camera still has a working bootloader (assume it does) then you can flash it easily, because:
The camera tries to download a file called "upgrade_info_7db780a713a4.txt" from a TFTP server running on 192.168.254.254 and executes the commands in said file in the bootloader (U-Boot) shell.
For more in-depth information, read this post: Dahua Firmware Mod Kit + Modded Dahua Firmware
Step 1, Configuring the network correctly.
The cameras IP is 192.168.1.108, the subnet mask is 255.255.255.0.
The camera uses 192.168.1.1 as gateway to connect to 192.168.254.254.
(It sends packets addressed to 192.168.254.254 to 192.168.1.1 because it's outside of the subnet)
There are two options to make the camera be able to reach your computer.
Option 1)
If you have a router on 192.168.1.1, add a static route to it which redirects all packets which are meant for 192.168.254.254 to your computer (mine is 192.168.1.4):
If your router doesn't have this function then it fucking sucks and doesn't deserve to be called a router.
Option 2)
Plug the camera straight into your computers ethernet jack OR plug it into an ethernet switch where ONLY your computer and the camera are on (that's EXACTLY TWO devices).
Now you need to add the IP 192.168.254.254 with a subnet mask of 255.255.0.0 to your NIC.
If you opted for Option 1 you must not do steps 5, 6 and 7. (Or at least don't use the same IP as your router ^^)
If you opted for Option 2 you need to do all steps.
(Please remember to undo the changes after you're done)
It certainly would be nice to know if your network setup even works now, wouldn't it?
You could try to capture all the traffic on your ethernet card with wireshark and see if you are receiving anything from the camera (192.168.1.108) when you power it up.
You can skip this ^ and come back to it if the stuff below isn't working.
Step 2, download this archive which has all the necessary tools (TFTP server, upgrade_info tool, netcat for console log):
There are three scripts in the archive:
To make things simpler I have prepared and tested a package for Eos cameras using my latest modded firmware:
Compatible cameras according to Dahua:
commands.txt from above link:
Step 3, flash it!
If you modified commands.txt, run Commands.bat.
Run TFTPServer.bat and Console.bat.
Power up your camera, it should start downloading from the TFTP server.
Close the TFTP server once you see "FLASHING_DONE_STOP_TFTP_NOW".
Done?
Thanks to @resegun for figuring out the magic behind upgrade_info_7db780a713a4.txt.
(If this helped you and you have some spare for a student: paypal.me/BotoX)
I recommend you to read through the above thread first.
If your camera still has a working bootloader (assume it does) then you can flash it easily, because:
The camera tries to download a file called "upgrade_info_7db780a713a4.txt" from a TFTP server running on 192.168.254.254 and executes the commands in said file in the bootloader (U-Boot) shell.
For more in-depth information, read this post: Dahua Firmware Mod Kit + Modded Dahua Firmware
Step 1, Configuring the network correctly.
The cameras IP is 192.168.1.108, the subnet mask is 255.255.255.0.
The camera uses 192.168.1.1 as gateway to connect to 192.168.254.254.
(It sends packets addressed to 192.168.254.254 to 192.168.1.1 because it's outside of the subnet)
There are two options to make the camera be able to reach your computer.
Option 1)
If you have a router on 192.168.1.1, add a static route to it which redirects all packets which are meant for 192.168.254.254 to your computer (mine is 192.168.1.4):
If your router doesn't have this function then it fucking sucks and doesn't deserve to be called a router.
Option 2)
Plug the camera straight into your computers ethernet jack OR plug it into an ethernet switch where ONLY your computer and the camera are on (that's EXACTLY TWO devices).
Now you need to add the IP 192.168.254.254 with a subnet mask of 255.255.0.0 to your NIC.
If you opted for Option 1 you must not do steps 5, 6 and 7. (Or at least don't use the same IP as your router ^^)
If you opted for Option 2 you need to do all steps.
(Please remember to undo the changes after you're done)
It certainly would be nice to know if your network setup even works now, wouldn't it?
You could try to capture all the traffic on your ethernet card with wireshark and see if you are receiving anything from the camera (192.168.1.108) when you power it up.
You can skip this ^ and come back to it if the stuff below isn't working.
Step 2, download this archive which has all the necessary tools (TFTP server, upgrade_info tool, netcat for console log):
There are three scripts in the archive:
- Commands.bat
- Reads commands.txt and generates upgrade_info_7db780a713a4.txt in root directory.
- TFTPServer.bat
- Starts TFTP server which serves the root directory on 192.168.254.254 (port 69 UDP)
- Console.bat
- Listens on 192.168.254.254 port 5002 UDP to receive the log from the camera after successfully downloading and running the given commands.
- Could help you if you want to run a command and check the output.
- For Example:
- printenv and look for the HWID=IPC-HDW4431C:BLA:BLA
- All firmware images have a check.img or hwid file with compatible HWIDs
- You should not flash incompatible firmware
- Find working firmware for your camera.
- Extract firmware using 7zip/WinRAR.
- Confirm it is actually compatible using the HWID.
- Place the extracted .img files into the root directory.
- Write appropriate commands.txt to flash the img files onto the camera
- Your camera should have some predefined ones in printenv, like:
- dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite
- In this case you can run above by putting run dr into the commands.txt
- Check the thread linked at the start for a description of all commands.
- cfgRestore might be useful if you want to reset your camera.
To make things simpler I have prepared and tested a package for Eos cameras using my latest modded firmware:
Compatible cameras according to Dahua:
DH-IPC-HDBW4231R,DH-IPC-HDBW4236R
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2
DH-IPC-HDBW4431R,DH-IPC-HDBW4436R
DH-IPC-HDW4231C-A,DH-IPC-HDW4236C-A
DH-IPC-HDW4233C-A,DH-IPC-HDW4238C-A
DH-IPC-HDW4431C-A,DH-IPC-HDW4436C-A
DH-IPC-HDBW4431R-S,DH-IPC-HDBW4436R-S
DH-IPC-HDBW4233R-AS,DH-IPC-HDBW4238R-S
DH-IPC-HDBW4231R-AS,DH-IPC-HDBW4236R-AS
DH-IPC-HDBW4431R-AS,DH-IPC-HDBW4436R-AS
DH-IPC-HDBW4231R-VF,DH-IPC-HDBW4431R-VF
DH-IPC-HFW4231F,DH-IPC-HFW4236F,DH-IPC-HFW4431F,DH-IPC-HFW4436F
DH-IPC-HFW4231B,DH-IPC-HFW4236B,DH-IPC-HFW4431B,DH-IPC-HFW4436B
DH-IPC-HFW4231D,DH-IPC-HFW4236D,DH-IPC-HFW4431D,DH-IPC-HFW4436D
DH-IPC-HFW4231R-Z,DH-IPC-HFW4431R-Z,DH-IPC-HFW4231R-VF,DH-IPC-HFW4431R-VF
DH-IPC-HFW4231F-AS,DH-IPC-HFW4236F-AS,DH-IPC-HFW4431F-AS,DH-IPC-HFW4436F-AS
DH-IPC-HFW4231B-AS,DH-IPC-HFW4236B-AS,DH-IPC-HFW4431B-AS,DH-IPC-HFW4436B-AS
DH-IPC-HFW4231D-AS,DH-IPC-HFW4236D-AS,DH-IPC-HFW4431D-AS,DH-IPC-HFW4436D-AS
DH-IPC-HFW4231K-I4,DH-IPC-HFW4236K-I4,DH-IPC-HFW4431K-I4,DH-IPC-HFW4436K-I4
DH-IPC-HFW4231K-I6,DH-IPC-HFW4236K-I6,DH-IPC-HFW4431K-I6,DH-IPC-HFW4436K-I6
DH-IPC-HFW4233K-I4,DH-IPC-HFW4238K-I4,DH-IPC-HFW4233K-I6,DH-IPC-HFW4238K-I6
DH-IPC-HFW4231M-I1,DH-IPC-HFW4236M-I1,DH-IPC-HFW4431M-I1,DH-IPC-HFW4436M-I1
DH-IPC-HFW4231M-I2,DH-IPC-HFW4236M-I2,DH-IPC-HFW4431M-I2,DH-IPC-HFW4436M-I2
DH-IPC-HFW4233M-I1,DH-IPC-HFW4238M-I1,DH-IPC-HFW4233M-I2,DH-IPC-HFW4238M-I2
DH-IPC-HFW4233K-AS-I4,DH-IPC-HFW4238K-AS-I4,DH-IPC-HFW4233K-AS-I6,DH-IPC-HFW4238K-AS-I6
DH-IPC-HFW4431K-AS-I4,DH-IPC-HFW4436K-AS-I4,DH-IPC-HFW4431K-AS-I6,DH-IPC-HFW4436K-AS-I6
DH-IPC-HFW4233M-AS-I1,DH-IPC-HFW4238M-AS-I1,DH-IPC-HFW4233M-AS-I2,DH-IPC-HFW4238M-AS-I2
DH-IPC-HFW4431M-AS-I1,DH-IPC-HFW4436M-AS-I1,DH-IPC-HFW4431M-AS-I2,DH-IPC-HFW4436M-AS-I2
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 pd-x.squashfs.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
Step 3, flash it!
If you modified commands.txt, run Commands.bat.
Run TFTPServer.bat and Console.bat.
Power up your camera, it should start downloading from the TFTP server.
Close the TFTP server once you see "FLASHING_DONE_STOP_TFTP_NOW".
Done?
Thanks to @resegun for figuring out the magic behind upgrade_info_7db780a713a4.txt.
(If this helped you and you have some spare for a student: paypal.me/BotoX)
