Easy recovery without serial: Dahua IPC EASY unbricking / recovery over TFTP
Hello,
I broke my camera by accident while messing with the firmware and had to recover it.
Since I am not the only one this has happened to, and probably won't be the last, here is a simple tutorial on how to unbrick your Dahua IP camera.
Warning: The camera's serial port is 3.3 Volts, do not try to use RS232 which is 12 Volts!!
For this you need:
- A broken camera with the bootloader still working - assume it is working if you don't know.
  - If you know it is not working, look *here* and don't be afraid to ask
- A serial UART device, such as:
  - Raspberry Pi or any other microcontroller/devboard with UART
  - USB to serial converter: These can be bought for *very* cheap from China:
    - For example the CP2102 USB to UART bridge worked very well for me
    - Replace FT232 6Pin USB 2.0 to TTL UART Module Serial Converter CP2102 STC | eBay
- A serial terminal application such as: PuTTY, GtkTerm, tons of others??
  - Connection Settings:
    - Baud Rate: 115200
    - Parity: None
    - Bits: 8
    - Stopbits: 1
    - Flow control: None
    - (CR/LF Auto)
- Working firmware.bin for your device, use the Chinese one if you aren't sure!
- A TFTP server
  - You should be able to figure this out by using Google.
On my IPC-HFW4431M camera (and probably all other generation 3/Eos cameras) they can be found very easily:
For other cameras this page on the Dahua wiki should prove useful: ResetIPCamera - Dahua Wiki
On most devices the serial port consists of 4 pins/pinheads which are made up of VCC, GND, RX, TX.
You can connect the GND (Ground, -) of your dongle to the metal casing of your camera.
VCC (+) should not be connected.
You can identify the TX (transmit) pin of your camera by connecting it (press wire against pin) with the RX pin of your serial device.
Though be aware that some dongles swap the labels like so:
Dongle says RX, but it is actually TX of the dongle and wants to be connected with RX of the other device.
If you power up your camera and see text scrolling down your terminal you have found the right pin, keep trying if you don't ^^
Now put a brick on your * key with your terminal window in focus.
Try to find the RX (receive) pin of the camera and connect it with the TX pin of your dongle.
Power up the camera, wait a second, if you see the following message you have succeeded:
Code:
```
U-Boot 2010.06-svn3089 (Jul 22 2016 - 19:15:59)
DRAM: 1 GiB
gBootLogPtr:80b80008.
Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x18 0xC8 0x40 0x18
Spi(cs1): Block:64KB Chip:16MB Name:"GD25Q128"
partition file version 2
rootfstype squashfs root /dev/mtdblock7
In: serial
Out: serial
Err: serial
TEXT_BASE:81000000
Net: PHY found at 3
Hit any key to stop autoboot: 0
> **********************
```
Type help to see all available commands:
Code:
```
> help
? - alias for 'help'
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootf - boot from flash
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase config and backup partition.
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
crypt - crypt
erasepart- erasepart
exit - exit script
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flwrite - flwrite - write data into FLASH memory
fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
hwid - hwid - set hardware id and save to flash
kload - kload - load uImage file from parttion
lip - lip - set local ip address but not save to flash
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
logsend - get log buf
loop - infinite loop on address range
ls - list files in a directory (default /)
mac - mac - set mac address and save to flash
md - memory display
memsize - memsize - set mem size
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
partition- print partition information
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault -recover default env
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
showvar - print local hushshell variables
sip - sip - set server ip address but not save to flash
sleep - delay execution for some time
smi - MII utility commands
sync_uboot- sync_uboot - sync uboot to uboot-bak
test - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true - do nothing, successfully
uartUp - uartUp- update image via uart using uart4
usleep - delay execution for some time
version - print monitor version
>
```
The guys from Dahua have done something right for once and added some helpful commands for us, type printenv to print the U-Boot Environment, you should be able to find these lines among other stuff:
Code:
```
ipaddr=192.168.1.108
gatewayip=192.168.1.1
netmask=255.255.255.0
serverip=192.168.1.4
da=tftp 0x82000000 dhboot.bin.img;flwrite;tftp 0x82000000 dhboot-min.bin.img;flwrite;
dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite;
dk=tftp 0x82000000 kernel.img;flwrite;
du=tftp 0x82000000 user-x.squashfs.img; flwrite
dw=tftp 0x82000000 web-x.squashfs.img; flwrite
dp=tftp 0x82000000 partition-x.cramfs.img;flwrite;
dc=tftp 0x82000000 custom-x.squashfs.img; flwrite
up=tftp 0x82000000 update.img;flwrite;
tk=tftp 0x82000000 uImage;bootm;
dh_keyboard=1
appauto=1
```
Use setenv to adjust the network settings:
- ipaddr -> The IP address of the camera
  - setenv ipaddr 192.168.1.108
- gatewayip -> The IP address of your network's gateway (router)
  - setenv gatewayip 192.168.1.1
- netmask -> The netmask/subnet of your network
  - setenv netmask 255.255.255.0
- serverip -> The IP address of your computer (that runs the TFTP server)
  - setenv serverip 192.168.1.4
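Code:
```
> ping $serverip
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 00-12-34-56-78-91
Using gmac device
host 192.168.1.4 is alive
```
(Okay actually I don't even know if Windows will reply to pings by default - so I guess you can ignore this for now)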
Extract the firmware image for your camera somewhere, use some ZIP program like 7-Zip. It might complain about an invalid ZIP file (since Dahua changes the ZIP header from PK to DH); you can either fix the ZIP with a hex editor or use another program to unzip it.
Start the TFTP server and point it to the files you have extracted from the firmware image.
And now for the final part: Flashing the firmware!
I'll flash the following partitions in order:
- romfs (root Linux filesystem with busybox)
- kernel (The holy Linux Kernel)
- user (Dahua's programs and kernel modules)
- web (Web interface)
- partition ("Partition table" - text files which describe the layout on the flash chip)
- custom (Language files)
Run the following commands one after another:
Code:
```
run dr
run dk
run du
run dw
run dp
run dc
```
Example output:
Code:
```
> run dr
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC: 3C-EF-8C-FA-E7-88
Using gmac device
TFTP from server 192.168.1.4; our IP address is 192.168.1.108
Download Filename 'romfs-x.squashfs.img'.
Download to address: 0x82000000
Downloading: #################################################
done
Bytes transferred = 909376 (de040 hex)
## Checking Image at 82000000 ...
Legacy image found
Image Name: romfs
Image Type: ARM Linux Standalone Program (gzip compressed)
Data Size: 909312 Bytes = 888 KiB
Load Address: 002f0000
Entry Point: 003d0000
Verifying Checksum ... OK
Programing start at: 0x002f0000
SPI probe: 16384 KiB hi_sfc at 0:0 is now current device
write : 0%
write : 0%
write : 7%
write : 14%
write : 21%
write : 28%
write : 35%
write : 42%
write : 50%
write : 57%
write : 64%
write : 71%
write : 78%
write : 85%
write : 92%
write : 100%
done
```
You can run save if you want to save the environment variables you have set (ipaddr, serverip, ..).
Run boot to boot the camera.
Congratulations!
(If you just read this for fun and do not have a bricked camera I still suggest you buy a serial UART dongle, they're cheaper than most snacks and you can save lots of devices with it!)
(If this helped you and you have some spare for a student: paypal.me/BotoX)
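An added example, not part of the original post: a Python pre-flight check to run on the firmware file before starting the TFTP server. It restores the `PK` signature in memory and verifies the legacy U-Boot header and both CRC32 values of each image that `run dr` through `run dc` will fetch, which is the check behind `Verifying Checksum ... OK` (the 64-byte header is the difference between the 909376 bytes transferred and the 909312-byte Data Size in the example output). Assumptions: only the first two bytes of the archive were changed to `DH`, every listed file is a standard legacy uImage like the romfs image shown above, and the function names are illustrative.

```python
import io
import struct
import zipfile
import zlib

HDR = struct.Struct(">7I4B32s")   # 64-byte big-endian legacy uImage header
UIMAGE_MAGIC = 0x27051956
# File names taken from the dr/dk/du/dw/dp/dc variables in the post's printenv.
WANTED = ["romfs-x.squashfs.img", "kernel.img", "user-x.squashfs.img",
          "web-x.squashfs.img", "partition-x.cramfs.img", "custom-x.squashfs.img"]

def open_dahua_zip(blob):
    """Assumption: only the leading 'PK' signature was replaced by 'DH'."""
    if blob[:2] == b"DH":
        blob = b"PK" + blob[2:]
    return zipfile.ZipFile(io.BytesIO(blob))

def check_uimage(data):
    """Parse the header and verify both CRC32 fields before flashing."""
    if len(data) < HDR.size:
        raise ValueError("shorter than the 64-byte header")
    magic, hcrc, _t, size, load, entry, dcrc, *_ids, name = HDR.unpack_from(data)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy U-Boot image")
    # The header CRC is computed with its own field (bytes 4..7) zeroed.
    if zlib.crc32(data[:4] + bytes(4) + data[8:HDR.size]) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = data[HDR.size:HDR.size + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch or truncated payload")
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry}

def preflight(firmware, wanted=WANTED):
    """Return {file name: parsed header dict, or an error string}."""
    report = {}
    with open_dahua_zip(firmware) as zf:
        present = set(zf.namelist())
        for fn in wanted:
            if fn not in present:
                report[fn] = "missing from archive"
                continue
            try:
                report[fn] = check_uimage(zf.read(fn))
            except ValueError as exc:
                report[fn] = f"bad image: {exc}"
    return report
```

Call `preflight(open("firmware.bin", "rb").read())` and sort out any entry that is an error string instead of a header dict before typing `run dr`.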