Dahua IPC unbricking / recovery over serial UART and TFTP

Discussion in 'Dahua' started by cor35vet, Jan 24, 2017.


  1. cor35vet

    cor35vet Pulling my weight

    Joined:
    Jun 23, 2016
    Messages:
    337
    Likes Received:
    204
    Easy recovery without serial: Dahua IPC EASY unbricking / recovery over TFTP

    Hello,

    I broke my camera by accident while messing with the firmware and had to recover it.
    Since I am not the only one this has happened to, and will probably not be the last, here is a simple tutorial on how to unbrick your Dahua IP camera.

    Warning: The camera's serial port is 3.3 Volts, do not try to use RS232, which is 12 Volts!!

    For this you need:
    • A broken camera with the bootloader still working - assume it is working if you don't know.
      • If you know it is not working, look *here* and don't be afraid to ask
    • A serial UART device, such as:
      • Raspberry Pi or any other microcontroller/devboard with UART
      • USB to serial converter: These can be bought for *very* cheap from China:
      • Connection Settings:
        • Baud Rate: 115200
        • Parity: None
        • Bits: 8
        • Stopbits: 1
        • Flow control: None
        • (CR/LF Auto)
    • Working firmware.bin for your device, use the Chinese one if you aren't sure!
    • A TFTP server
      • You should be able to figure this out by using Google.
    First of all you have to locate the RX (receive) and TX (transmit) pins on your camera:
    On my IPC-HFW4431M camera (and probably all other generation 3/Eos cameras) they can be found very easily:
    [image: RX/TX pin location on the IPC-HFW4431M board]
    For other cameras this page on the Dahua wiki should prove useful: ResetIPCamera - Dahua Wiki
    On most devices the serial port consists of 4 pins/pin headers, which are made up of VCC, GND, RX, TX.
    You can connect the GND (Ground, -) of your dongle to the metal casing of your camera.
    VCC (+) should not be connected.

    You can identify the TX (transmit) pin of your camera by connecting it (press wire against pin) with the RX pin of your serial device.
    Though be aware that some dongles swap the labels like so:
    Dongle says RX, but it is actually TX of the dongle and wants to be connected with RX of the other device.
    If you power up your camera and see text scrolling down your terminal you have found the right pin, keep trying if you don't ^^

    Now put a brick on your * key with your terminal window in focus.
    Try to find the RX (receive) pin of the camera and connect it with the TX pin of your dongle.
    Power up the camera, wait a second, if you see the following message you have succeeded:
    Code:
    U-Boot 2010.06-svn3089 (Jul 22 2016 - 19:15:59)
    DRAM:  1 GiB
    gBootLogPtr:80b80008.
    Check spi flash controller v350... Found
    Spi(cs1) ID: 0xC8 0x40 0x18 0xC8 0x40 0x18
    Spi(cs1): Block:64KB Chip:16MB Name:"GD25Q128"
    partition file version 2
    rootfstype squashfs root /dev/mtdblock7
    In:    serial
    Out:   serial
    Err:   serial
    TEXT_BASE:81000000
    Net:   PHY found at 3
    
    Hit any key to stop autoboot:  0
    > **********************
    

    Type help to see all available commands:
    Code:
    > help
    ?       - alias for 'help'
    base    - print or set address offset
    boot    - boot default, i.e., run 'bootcmd'
    bootd   - boot default, i.e., run 'bootcmd'
    bootf   - boot from flash
    bootm   - boot application image from memory
    bootp   - boot image via network using BOOTP/TFTP protocol
    cfgRestore- erase  config and backup partition.
    
    cmp     - memory compare
    cp      - memory copy
    crc32   - checksum calculation
    crypt   - crypt
    erasepart- erasepart
    
    exit    - exit script
    false   - do nothing, unsuccessfully
    fatinfo - print information about filesystem
    fatload - load binary file from a dos filesystem
    fatls   - list files in a directory (default /)
    flwrite - flwrite - write data into FLASH memory
    
    fsinfo  - print information about filesystems
    fsload  - load binary file from a filesystem image
    go      - start application at address 'addr'
    help    - print command description/usage
    hwid    - hwid      - set hardware id and save to flash
    
    kload   - kload  - load uImage file from parttion
    
    lip     - lip      - set local ip address but not save to flash
    
    loadb   - load binary file over serial line (kermit mode)
    loady   - load binary file over serial line (ymodem mode)
    logsend - get log buf
    loop    - infinite loop on address range
    ls      - list files in a directory (default /)
    mac     - mac      - set mac address and save to flash
    
    md      - memory display
    memsize - memsize        - set mem size
    
    mii     - MII utility commands
    mm      - memory modify (auto-incrementing address)
    mtest   - simple RAM read/write test
    mw      - memory write (fill)
    nm      - memory modify (constant address)
    partition- print partition information
    ping    - send ICMP ECHO_REQUEST to network host
    printenv- print environment variables
    rarpboot- boot image via network using RARP/TFTP protocol
    rdefault- rdefault    -recover default env
    
    reset   - Perform RESET of the CPU
    run     - run commands in an environment variable
    saveenv - save environment variables to persistent storage
    setenv  - set environment variables
    sf      - SPI flash sub-system
    showvar - print local hushshell variables
    sip     - sip      - set server ip address but not save to flash
    
    sleep   - delay execution for some time
    smi     - MII utility commands
    sync_uboot- sync_uboot - sync uboot to uboot-bak
    
    test    - minimal test like /bin/sh
    tftpboot- tftpboot- boot image via network using TFTP protocol
    true    - do nothing, successfully
    uartUp  - uartUp- update image via uart using uart4
    
    usleep  - delay execution for some time
    version - print monitor version
    >
    

    The guys from Dahua have done something right for once and added some helpful commands for us. Type printenv to print the U-Boot environment; you should be able to find these lines among other stuff:
    Code:
    ipaddr=192.168.1.108
    gatewayip=192.168.1.1
    netmask=255.255.255.0
    serverip=192.168.1.4
    
    da=tftp 0x82000000 dhboot.bin.img;flwrite;tftp 0x82000000 dhboot-min.bin.img;flwrite;
    dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite;
    dk=tftp 0x82000000 kernel.img;flwrite;
    du=tftp 0x82000000 user-x.squashfs.img; flwrite
    dw=tftp 0x82000000 web-x.squashfs.img; flwrite
    dp=tftp 0x82000000 partition-x.cramfs.img;flwrite;
    dc=tftp 0x82000000 custom-x.squashfs.img; flwrite
    up=tftp 0x82000000 update.img;flwrite;
    tk=tftp 0x82000000 uImage;bootm;
    
    dh_keyboard=1
    appauto=1
    

    Use setenv to adjust the network settings:
    • ipaddr -> The IP address of the camera
      • setenv ipaddr 192.168.1.108
    • gatewayip -> The IP address of your network's gateway (router)
      • setenv gatewayip 192.168.1.1
    • netmask -> The netmask/subnet of your network
      • setenv netmask 255.255.255.0
    • serverip -> The IP address of your computer (that runs the TFTP server)
      • setenv serverip 192.168.1.4
    You can test the connection to your PC by running ping $serverip
    Code:
    > ping $serverip
    ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
    MAC:   00-12-34-56-78-91
    Using gmac device
    host 192.168.1.4 is alive
    
    (Okay actually I don't even know if Windows will reply to pings by default - so I guess you can ignore this for now)

    Extract the firmware image for your camera somewhere, using a ZIP program like 7zip. It might complain about an invalid ZIP file (since Dahua changes the ZIP header from PK to DH); you can either fix the ZIP with a hex editor or use another program to unzip it.

    Start the TFTP server and point it to the files you have extracted from the firmware image.

    And now for the final part: Flashing the firmware!
    I'll flash the following partitions in order:
    • romfs (root linux filesystem with busybox)
    • kernel (The holy Linux Kernel)
    • user (Dahua's programs and kernel modules)
    • web (Web interface)
    • partition ("Partition table" - text files which describe the layout on the flash chip)
    • custom (Language files)
    Do not flash the bootloader! There is no need to and when you fuck that up recovering is a lot harder.

    Run the following commands one after each other:
    Code:
    run dr
    run dk
    run du
    run dw
    run dp
    run dc
    

    Example output:
    Code:
    > run dr
    ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
    MAC:   3C-EF-8C-FA-E7-88
    Using gmac device
    TFTP from server 192.168.1.4; our IP address is 192.168.1.108
    Download Filename 'romfs-x.squashfs.img'.
    Download to address: 0x82000000
    Downloading: #################################################
    done
    Bytes transferred = 909376 (de040 hex)
    
    ## Checking Image at 82000000 ...
       Legacy image found
       Image Name:   romfs
       Image Type:   ARM Linux Standalone Program (gzip compressed)
       Data Size:    909312 Bytes = 888 KiB
       Load Address: 002f0000
       Entry Point:  003d0000
       Verifying Checksum ... OK
    Programing start at: 0x002f0000
    SPI probe: 16384 KiB hi_sfc at 0:0 is now current device
    
    write : 0%
    write : 0%
    write : 7%
    write : 14%
    write : 21%
    write : 28%
    write : 35%
    write : 42%
    write : 50%
    write : 57%
    write : 64%
    write : 71%
    write : 78%
    write : 85%
    write : 92%
    write : 100%
    done
    

    You can run save if you want to save the environment variables you have set (ipaddr, serverip, ..).

    Run boot to boot the camera :)
    Congratulations!
    (If you just read this for fun and do not have a bricked camera, I still suggest you buy a serial UART dongle; they're cheaper than most snacks and you can save lots of devices with it!)
    (If this helped you and you have some spare for a student: paypal.me/BotoX)
     
    Last edited: Feb 22, 2017
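The "PK" to "DH" header change mentioned in the post, handled in code. This is an added example, not a tool from the post or from Dahua: it restores the standard ZIP signatures in an in-memory copy of a firmware .bin and then lets Python's zipfile module verify the archive (including every member's CRC) before anything is extracted. It assumes that the same two-byte substitution is applied to every ZIP record signature rather than only the first two bytes of the file; the sample archive is constructed here, with member names borrowed from the post's printenv output.

```python
"""Restore the standard ZIP signatures in a Dahua firmware image.

Added example (not part of the forum post). Dahua firmware .bin files are
ZIP archives whose "PK" signature bytes have been replaced with "DH", so
stock unzip tools reject them. This script rewrites the signatures back to
"PK" in a copy of the data and validates the result with zipfile before
any member is extracted. Scanning for all three record signatures (local
file header, central directory entry, end of central directory) is an
assumption that generalises the post's "PK to DH" description.
"""
import io
import zipfile

# ZIP record signatures with "PK" swapped for "DH" (assumption: the same
# substitution is applied wherever a record signature occurs).
DH_SIGNATURES = (b"DH\x03\x04", b"DH\x01\x02", b"DH\x05\x06")


def looks_like_dahua_zip(data: bytes) -> bool:
    """True if the file starts with the mangled local-file-header signature."""
    return data[:2] == b"DH"


def restore_zip_signatures(data: bytes) -> bytes:
    """Return a copy of *data* with every DH-prefixed ZIP signature set back to PK.

    A four-byte signature could in theory also occur inside a member's payload;
    flipping it would corrupt that member, which the CRC check below catches.
    """
    fixed = data
    for sig in DH_SIGNATURES:
        fixed = fixed.replace(sig, b"PK" + sig[2:])
    return fixed


def list_firmware_members(data: bytes) -> list:
    """Repair the signatures and return the member names after a full CRC check.

    Raises zipfile.BadZipFile if the repaired image is still not a valid
    archive or if any member fails its CRC.
    """
    fixed = restore_zip_signatures(data)
    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
        bad = zf.testzip()  # returns the first member whose CRC is wrong, else None
        if bad is not None:
            raise zipfile.BadZipFile(f"member {bad!r} failed its CRC check")
        return zf.namelist()


def build_sample_firmware() -> bytes:
    """Constructed sample: a tiny stored archive whose member names match the
    post's U-Boot 'd*' variables, then mangled the way the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("romfs-x.squashfs.img", b"fake romfs " * 64)
        zf.writestr("kernel.img", b"fake kernel " * 64)
        zf.writestr("user-x.squashfs.img", b"fake user " * 64)
    data = buf.getvalue()
    for sig in DH_SIGNATURES:
        data = data.replace(b"PK" + sig[2:], sig)
    return data


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_firmware()
    print("mangled header:", looks_like_dahua_zip(raw))
    for name in list_firmware_members(raw):
        print(name)
    if len(sys.argv) > 2:  # optional: write the repaired copy for 7zip/unzip
        open(sys.argv[2], "wb").write(restore_zip_signatures(raw))
```

Run it as `python3 dhzip.py firmware.bin firmware-fixed.zip` to get a repaired copy that any ZIP tool will open; the member list is printed only after every CRC has been checked, so a download that was corrupted in transit is rejected before it reaches the TFTP directory.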
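For the "A TFTP server" prerequisite, a minimal read-only TFTP server, added here as an example; it is not from the post, from Dahua or from U-Boot. U-Boot's tftp command sends an RFC 1350 read request (RRQ) for one filename; this server answers RRQs only, in octet mode, for regular files inside the directory it was started with, and refuses any name that resolves outside that directory, so nothing else on the PC can be fetched by mistake. The 512-byte block size is RFC 1350's; the retry count and timeout are my own choices.

```python
"""Minimal read-only TFTP server for serving extracted firmware parts to U-Boot.

Added example, not part of the forum post. Handles RFC 1350 read requests
only (octet mode, 512-byte blocks), confined to one directory. Retry count
and timeout are arbitrary choices.
"""
import os
import socket
import struct
import sys

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def parse_rrq(packet: bytes):
    """Return (filename, mode) for an RRQ packet, or None for anything else."""
    if len(packet) < 4 or struct.unpack(">H", packet[:2])[0] != OP_RRQ:
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, then the empty tail after the last NUL
        return None
    return (fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())


def is_within_root(root: str, filename: str) -> bool:
    """True only if *filename* resolves to a path strictly inside *root*."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, filename))  # absolute names replace root
    return target != root and os.path.commonpath([root, target]) == root


def data_packet(block: int, chunk: bytes) -> bytes:
    return struct.pack(">HH", OP_DATA, block & 0xFFFF) + chunk


def error_packet(code: int, message: str) -> bytes:
    return struct.pack(">HH", OP_ERROR, code) + message.encode() + b"\x00"


def split_blocks(data: bytes):
    """Yield (block_number, chunk); the final chunk is shorter than 512 bytes
    (possibly empty) so the client knows the transfer is complete."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    for n, chunk in enumerate(blocks, start=1):
        yield n, chunk


def send_file(root, client, filename, retries=5, timeout=2.0) -> bool:
    """Serve one RRQ from a fresh socket (a new transfer ID, as RFC 1350 requires)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if not is_within_root(root, filename):
            sock.sendto(error_packet(2, "Access violation"), client)
            return False
        try:
            with open(os.path.join(root, filename), "rb") as f:
                data = f.read()
        except OSError:
            sock.sendto(error_packet(1, "File not found"), client)
            return False
        for block, chunk in split_blocks(data):
            for _ in range(retries):
                sock.sendto(data_packet(block, chunk), client)
                try:
                    ack, peer = sock.recvfrom(4)
                except socket.timeout:
                    continue  # resend the same block
                if peer == client and ack == struct.pack(">HH", OP_ACK, block & 0xFFFF):
                    break
            else:
                return False  # client stopped acknowledging
        return True
    finally:
        sock.close()


def serve(root, bind=("0.0.0.0", 69)):
    """Listen for RRQs; transfers are handled one at a time for simplicity."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            packet, client = s.recvfrom(1024)
            req = parse_rrq(packet)
            if req is None or req[1] != "octet":
                s.sendto(error_packet(4, "Only octet-mode RRQ is supported"), client)
                continue
            print(f"{client[0]} requested {req[0]}", file=sys.stderr)
            send_file(root, client, req[0])


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Start it from the directory holding the extracted images (`sudo python3 tftp_ro.py .`; port 69 needs root or the bind capability), set serverip on the camera to the PC's address, and each `run d*` command will request exactly one file by name. Requests for anything outside that directory get a TFTP "Access violation" error instead of data.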
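What U-Boot is doing in the "Checking Image at 82000000" lines of the run dr output is parsing the 64-byte legacy uImage header that prefixes each partition image and verifying its two CRC32 values. The following script, an added example that is not from the post or from U-Boot, reproduces that check in Python so an image can be verified on the PC before it is served over TFTP. The header layout and the OS/arch/type/compression codes are the ones U-Boot defines in image.h; the sample "romfs" image is constructed to match the sizes and addresses in the post's output and is not a real firmware file.

```python
"""Parse and verify a legacy U-Boot image (uImage) header before flashing.

Added example, not part of the forum post. Reproduces the magic, header-CRC
and data-CRC checks U-Boot performs before 'flwrite'. Field layout and code
tables follow U-Boot's image.h; the sample image is constructed.
"""
import struct
import zlib

IH_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"  # big-endian: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 64 bytes

IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {1: "Standalone Program", 2: "Kernel Image", 3: "RAMDisk Image"}
IH_COMP = {0: "uncompressed", 1: "gzip compressed", 2: "bzip2 compressed"}


def build_uimage(name, data, load, entry, os_code=5, arch=2, itype=1, comp=1, time=0):
    """Assemble a legacy uImage: 64-byte header with both CRCs filled in, then payload."""
    dcrc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack(HEADER_FMT, IH_MAGIC, 0, time, len(data), load, entry,
                         dcrc, os_code, arch, itype, comp,
                         name.encode().ljust(32, b"\x00"))
    hcrc = zlib.crc32(header) & 0xFFFFFFFF  # header CRC is computed with ih_hcrc zeroed
    return header[:4] + struct.pack(">I", hcrc) + header[8:] + data


def parse_uimage(blob):
    """Validate magic, header CRC and data CRC; return the header fields.

    Raises ValueError on any mismatch, mirroring U-Boot's refusal to flash.
    """
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short to hold a uImage header")
    fields = struct.unpack(HEADER_FMT, blob[:HEADER_SIZE])
    magic, hcrc, _time, size, load, entry, dcrc, os_code, arch, itype, comp, name = fields
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    zeroed = blob[:4] + b"\x00\x00\x00\x00" + blob[8:HEADER_SIZE]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header checksum mismatch")
    payload = blob[HEADER_SIZE:HEADER_SIZE + size]
    if len(payload) != size:
        raise ValueError(f"image truncated: header says {size} bytes, have {len(payload)}")
    if zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("data checksum mismatch")
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "description": "{} {} {} ({})".format(
            IH_ARCH.get(arch, f"arch {arch}"), IH_OS.get(os_code, f"os {os_code}"),
            IH_TYPE.get(itype, f"type {itype}"), IH_COMP.get(comp, f"comp {comp}")),
    }


def check_image(blob) -> bool:
    """True if the image passes every check, False otherwise."""
    try:
        parse_uimage(blob)
    except ValueError:
        return False
    return True


def build_sample_romfs():
    """Constructed sample matching the size and addresses in the post's 'run dr' output."""
    payload = bytes(range(256)) * (909312 // 256)  # 909312 bytes = 888 KiB
    return build_uimage("romfs", payload, load=0x002F0000, entry=0x003D0000)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_romfs()
    info = parse_uimage(blob)  # raises on any mismatch
    print(f"Image Name:   {info['name']}")
    print(f"Image Type:   {info['description']}")
    print(f"Data Size:    {info['size']} Bytes = {info['size'] // 1024} KiB")
    print(f"Load Address: {info['load']:08x}")
    print(f"Entry Point:  {info['entry']:08x}")
    print("Verifying Checksum ... OK")
```

Running it against an extracted `romfs-x.squashfs.img` prints the same fields U-Boot shows after the download; a single flipped byte in the payload turns into a "data checksum mismatch" error, which is the same condition that makes U-Boot stop before writing to flash.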
  2. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,455
    Likes Received:
    3,197
    Location:
    Scotland
    That's a great post, well done and thanks for sharing!
    If / when I get a Dahua camera (not convinced I'll get good functionality with Hikvision NVRs) I suspect it will come in very useful.
    Dahua have included / retained a lot of useful functionality in their U-boot, unlike Hikvision who strip it to an almost useless state in pursuit of their 'let's make using our products difficult for our knowledgeable customers' stupid strategy.
     
  3. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    Hi cor35vet, I finally got a chance to get a USB-to-RS232 adapter and make the connection. However, with the camera powered on, I can never get any response from the PuTTY terminal screen. Here is my connection setup. Please advise. Thanks a lot. DH4431CA.jpg
     
  4. nayr

    nayr IPCT Contributor

    Joined:
    Jul 16, 2014
    Messages:
    9,350
    Likes Received:
    5,228
    Location:
    Denver, CO
    It's TTL level signals, not RS232.
     
  5. Dodutils

    Dodutils Pulling my weight

    Joined:
    Dec 10, 2016
    Messages:
    434
    Likes Received:
    150
    Questions for you:

    - are you sure you located the right RX/TX pins on the PCB?
    - are you sure you inverted RX/TX on the RS232 so RX->TX and TX->RX?
    - what is the TTL voltage of the camera? RS232 is 12V and I don't think the TTL of the camera works so high, I guess it's 5V or 3.3V, and @cor35vet did not say to use a "classical" USB-to-RS232 but an FTDI. I hope you did not kill your camera.
     
  6. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    10,455
    Likes Received:
    3,197
    Location:
    Scotland
    @Dodutils Good question. I think you have hit the nail etc.
    That looks more like a classic RS-232 level interface, with no GND (i.e. ±3V to 15V bipolar signal levels), as opposed to a TTL level (0 to +3V unipolar signal levels) interface.
    Another good option that @cor35vet has used is a 25 series SPI NOR programmer.
    If you have an SPI NOR chip, the USB CH341a works pretty well, even in situ.
     
  7. cor35vet

    cor35vet Pulling my weight

    Joined:
    Jun 23, 2016
    Messages:
    337
    Likes Received:
    204
    Put a warning in the OP about the voltage level and not to use RS232.
    Anyway, since the current is next to none in those serial interfaces, I think your cam should be fine; get a proper converter and try again.

    (I used a raspi for flashing the SPI flash on the camera as well if all else fails [eg bootloader], see: Dahua Firmware Mod Kit + Modded Dahua Firmware)
     
    ezpycoder, tangent and nayr like this.
  8. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    Thanks very much everyone for your advice. I guess I need to wait for the proper adapter ordered from eBay. Hopefully, will get it by the end of the month.
     
  9. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    I finally got a chance to get a USB-TTL dongle. I could make the connection successfully and get the terminal screen. However, I couldn't get to the command shell by holding *. I even started holding the * key before powering up the camera. I am using PuTTY as the serial terminal client. Can you please advise? Do I need specific settings in the serial terminal client? Thanks a lot. DH terminal.jpg
     
  10. cor35vet

    cor35vet Pulling my weight

    Joined:
    Jun 23, 2016
    Messages:
    337
    Likes Received:
    204
    Are you even seeing any input? Most likely your cable is not connected correctly (contact issues or wrong pin). Try playing around.
     
  11. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    Yes, on the attached screenshot, there are some blocky characters. Every time I hit *, I get one more blocky character. I even tried using other serial terminal programs like Termite. Same result. I don't know if special settings are needed to send an input to the camera? What terminal program did you use? I only have a Windows PC. Please advise. Thanks a lot.
     
  12. cor35vet

    cor35vet Pulling my weight

    Joined:
    Jun 23, 2016
    Messages:
    337
    Likes Received:
    204
    The big fat blocks are supposed to be your * ?
    Well that doesn't seem right... They should be *
    Something is wrong, I can only say it worked flawlessly for me on linux with gtkterm
     
  13. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,832
    Likes Received:
    2,479
    Open the connection, hold down the * key, power on the camera. Other keys may work too, depending on the boot loader.
    If it fails and you get garbled chars on screen, try again and then try lowering the baud rate some, but don't go too slow.

    On windows I recommend using RealTerm: Serial/TCP Terminal
     
  14. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    I got it working finally, by connecting the ground pin of the USB dongle to the camera's ground pinhole. Then, the camera took my keyboard inputs. I could then successfully restore my bricked camera. Thank you so much for your help.

    By the way, I noticed that the new firmware dated 2016-12-09 no longer has the IVS options. I used to get "Tripwire", "Intrusion", "Loitering", etc. Now, I only get one tab.

    DH-IVS.jpg

    I already tried to clear the browser cache. Also, I reset camera settings to default. Do I need special ways to enable IVS in the new firmware? Thanks a lot for your advice.
     
    cor35vet and alastairstevenson like this.
  15. nayr

    nayr IPCT Contributor

    Joined:
    Jul 16, 2014
    Messages:
    9,350
    Likes Received:
    5,228
    Location:
    Denver, CO
    You can run all the IVS at the same time now; it's been condensed to a single window:
    [image: IVS settings window]
     
    dahuaximon, ezpycoder and keithshlo like this.
  16. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    Thanks very much for the info. I can access the IVS features now.
     
  17. KCulver

    KCulver Getting the hang of it

    Joined:
    Jan 12, 2017
    Messages:
    114
    Likes Received:
    16
    I'm still struggling with this and trying to restore the camera using the serial interface method. I have some time to try before I am out of time to return the camera. As to the 4-pin UART connector, there is no indication on the board what the pinout is. I've tried each one and I do get a blue LED on the cp2101, but only gibberish on the screen. I am using PuTTY. Is there any way I can identify which pins are TX/RX?
     
  18. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,832
    Likes Received:
    2,479
    expand spoilers in first post
     
  19. keithshlo

    keithshlo n3wb

    Joined:
    Sep 11, 2016
    Messages:
    21
    Likes Received:
    3
    If you have the camera 4431CA like mine, please refer to the post

    Dahua Firmware Mod Kit + Modded Dahua Firmware

    cor35vet told me the pinholes from left to right are
    RX, TX, GND, VCC

    If you get gibberish on the screen, please make sure to configure the serial connection speed as indicated in the first post by cor35vet.

    Hope it works out for you.
     
  20. KCulver

    KCulver Getting the hang of it

    Joined:
    Jan 12, 2017
    Messages:
    114
    Likes Received:
    16
    20170218_094411.jpg 20170218_100300.jpg 20170218_100859.jpg 20170218_100910.jpg

    I'm still unsuccessful. I've tried (looking left to right) RX TX GND VCC as well as (looking right to left) VCC GND TX RX. I was able to get a continuous scrolling of gibberish but nothing in English. This continues as long as there is power. I've tried making a GND connection from the dongle to a UART pin as well as from the dongle to a ground connection on the camera. My camera has a 4-pin micro Molex. I wish there was some way to identify the pins so I would at least know that I am toying with the correct pins.