Dahua IPC unbricking / recovery over serial UART and TFTP

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
208
Easy recovery without serial: Dahua IPC EASY unbricking / recovery over TFTP

Hello,

I broke my camera by accident while messing with the firmware and had to recover it.
Since I am not the only one that this has happened to and will probably not stay the last one: Here is a simple tutorial on how to unbrick your Dahua IP camera.

Warning: The cameras serial port is 3.3 Volts, do not try to use RS232 which is 12 Volts!!

For this you need:
  • A broken camera with the bootloader still working - assume it is working if you don't know.
    • If you know it is not working, look *here* and don't be afraid to ask
  • A serial UART device, such as:
    • Raspberry Pi or any other microcontroller/devboard with UART
    • USB to serial converter: These can be bought for *very* cheap from china:
    • Connection Settings:
      • Baud Rate: 115200
      • Parity: None
      • Bits: 8
      • Stopbits: 1
      • Flow control: None
      • (CR/LF Auto)
  • Working firmware.bin for your device, use the chinese one if you aren't sure!
  • A TFTP server
    • You should be able to figure this out by using Google.
First of all you have to locate the RX (receive) and TX (transmit) pins on your camera:
On my IPC-HFW4431M camera (and probably all other generation 3/Eos cameras) they can be found very easily:
For other cameras this page on the Dahua wiki should prove useful: ResetIPCamera - Dahua Wiki
On most devices the serial port consists of 4 pins/pinheads which are made up of VCC,GND,RX,TX.
You can connect the GND (Ground, -) of your dongle to the metal casing of your camera.
VCC (+) should not be connected.

You can identify the TX (transmit) pin of your camera by connecting it (press wire against pin) with the RX pin of your serial device.
Though be aware that some dongles swap the labels like so:
Dongle says RX, but it is actually TX of the dongle and wants to be connected with RX of the other device.
If you power up your camera and see text scrolling down your terminal you have found the right pin, keep trying if you don't ^^

Now put a brick on your * key with your terminal window in focus.
Try to find the RX (receive) pin of the camera and connect it with the TX pin of your dongle.
Power up the camera, wait a second, if you see the following message you have succeeded:
Code:
U-Boot 2010.06-svn3089 (Jul 22 2016 - 19:15:59)
DRAM:  1 GiB
gBootLogPtr:80b80008.
Check spi flash controller v350... Found
Spi(cs1) ID: 0xC8 0x40 0x18 0xC8 0x40 0x18
Spi(cs1): Block:64KB Chip:16MB Name:"GD25Q128"
partition file version 2
rootfstype squashfs root /dev/mtdblock7
In:    serial
Out:   serial
Err:   serial
TEXT_BASE:81000000
Net:   PHY found at 3

Hit any key to stop autoboot:  0
> **********************

Type help to see all available commands:
Code:
> help
?       - alias for 'help'
base    - print or set address offset
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootf   - boot from flash
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase  config and backup partition.

cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
crypt   - crypt
erasepart- erasepart

exit    - exit script
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flwrite - flwrite - write data into FLASH memory

fsinfo  - print information about filesystems
fsload  - load binary file from a filesystem image
go      - start application at address 'addr'
help    - print command description/usage
hwid    - hwid      - set hardware id and save to flash

kload   - kload  - load uImage file from parttion

lip     - lip      - set local ip address but not save to flash

loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
logsend - get log buf
loop    - infinite loop on address range
ls      - list files in a directory (default /)
mac     - mac      - set mac address and save to flash

md      - memory display
memsize - memsize        - set mem size

mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
partition- print partition information
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault    -recover default env

reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
sip     - sip      - set server ip address but not save to flash

sleep   - delay execution for some time
smi     - MII utility commands
sync_uboot- sync_uboot - sync uboot to uboot-bak

test    - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true    - do nothing, successfully
uartUp  - uartUp- update image via uart using uart4

usleep  - delay execution for some time
version - print monitor version
>

The guys from Dahua have done something right for once and added some helpful commands for us, type printenv to print the U-Boot Environment, you should be able to find these lines among other stuff:
Code:
ipaddr=192.168.1.108
gatewayip=192.168.1.1
netmask=255.255.255.0
serverip=192.168.1.4

da=tftp 0x82000000 dhboot.bin.img;flwrite;tftp 0x82000000 dhboot-min.bin.img;flwrite;
dr=tftp 0x82000000 romfs-x.squashfs.img; flwrite;
dk=tftp 0x82000000 kernel.img;flwrite;
du=tftp 0x82000000 user-x.squashfs.img; flwrite
dw=tftp 0x82000000 web-x.squashfs.img; flwrite
dp=tftp 0x82000000 partition-x.cramfs.img;flwrite;
dc=tftp 0x82000000 custom-x.squashfs.img; flwrite
up=tftp 0x82000000 update.img;flwrite;
tk=tftp 0x82000000 uImage;bootm;

dh_keyboard=1
appauto=1

Use setenv to adjust the network settings:
  • ipaddr -> The IP address of the camera
    • setenv ipaddr 192.168.1.108
  • gatewayip -> The IP address of your networks gateway (router)
    • setenv gatewayip 192.168.1.1
  • netmask -> The netmask/subnet of your network
    • setenv netmask 255.255.255.0
  • servip -> The IP address of your computer (that runs the TFTP server)
    • setenv serverip 192.168.1.4
You can test the connection to your PC by runing ping $serverip
Code:
> ping $serverip
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   00-12-34-56-78-91
Using gmac device
host 192.168.1.4 is alive
(Okay actually I don't even know if Windows will reply to pings by default - so I guess you can ignore this for now)

Extract the firmware image for your camera somewhere, use some ZIP program like 7zip. It might complain about invalid ZIP file (since Dahua changes the ZIP header from PK to DH) you can either fix the ZIP with a HEX editor or use another program to unzip it.

Start the TFTP server and point it to the files you have extracted from the firmware image.

And now for the final part: Flashing the firmware!
I'll flash following partitions in order:
  • romfs (root linux filesystem with busybox)
  • kernel (The holy Linux Kernel)
  • user (Dahuas programs and kernel modules)
  • web (Webinterface)
  • partition ("Partition table" - text files which describe the layout on the flash chip)
  • custom (Language files)
Do not flash the bootloader! There is no need to and when you fuck that up recovering is a lot harder.

Run following commands one after eachother:
Code:
run dr
run dk
run du
run dw
run dp
run dc

Example output:
Code:
> run dr
ETH0: PHY(phyaddr=-1, rmii) link UP: DUPLEX=FULL : SPEED=100M
MAC:   3C-EF-8C-FA-E7-88
Using gmac device
TFTP from server 192.168.1.4; our IP address is 192.168.1.108
Download Filename 'romfs-x.squashfs.img'.
Download to address: 0x82000000
Downloading: #################################################
done
Bytes transferred = 909376 (de040 hex)

## Checking Image at 82000000 ...
   Legacy image found
   Image Name:   romfs
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    909312 Bytes = 888 KiB
   Load Address: 002f0000
   Entry Point:  003d0000
   Verifying Checksum ... OK
Programing start at: 0x002f0000
SPI probe: 16384 KiB hi_sfc at 0:0 is now current device

write : 0%
write : 0%
write : 7%
write : 14%
write : 21%
write : 28%
write : 35%
write : 42%
write : 50%
write : 57%
write : 64%
write : 71%
write : 78%
write : 85%
write : 92%
write : 100%
done

You can run save if you want to save the environment variables you have set (ipaddr, servip, ..).

Run boot to boot the camera :)
Congratulations!
(If you just read this for fun and do not have a bricked camera I still suggest you to buy a serial UART dongle, they're cheaper than most snacks and you can save lots of devices with it!)
(If this helped you and you have some spare for a student: paypal.me/BotoX)
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,642
Reaction score
3,747
Location
Scotland
That's a great post, well done and thanks for sharing!
If / when I get a Dahua camera (not convinced I'll get good functionality with Hikvision NVRs) I suspect it will come in very useful.
Dahua have included / retained a lot of useful functionality in their U-boot, unlike Hikvision who strip it to an almost useless state in pursuit of their 'let's make using our products difficult for our knowledgeable customers' stupid strategy.
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
Hi cor35vet, I finally got a chance to get a USB-to-RS232 adapter and make the connection. However, with the camera powered on, I can never get any response from the Putty terminal screen. Here is my connection setup. Please advise. Thanks a lot.DH4431CA.jpg
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
441
Reaction score
150
Hi cor35vet, I finally got a chance to get a USB-to-RS232 adapter and make the connection. However, with the camera powered on, I can never get any response from the Putty terminal screen. Here is my connection setup. Please advise. Thanks a lot.View attachment 15071
Question for you :

- are you sure you located the right RX/TX pins on the PCB ?
- are you sure you inverted RX/TX on the RS232 so RX->TX and TX->RX
- what is the TTL voltage of the camera because RS232 is 12V and I don't think the TTL of the camera work so high, I guess it's 5V or 3.3V, and @cor35vet did not tell to use a "classcial" USB-to-RS232 but a FTDI, I hope you did not killed your camera.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
11,642
Reaction score
3,747
Location
Scotland
@Dodutils Good question. I think you have hit the nail etc.
That looks more like a classic RS-232 level interface, with no GND (ie +-3v - 15v bipolar signal levels) as opposed to a TTL level (0->+3v unipolar signal levels) interface.
Another good option that @cor35vet has used is a 25 series SPI NOR programmer.
If you have an SPI NOR chip, the USB CH341a works pretty well, even in situ.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
208
Put a warning in the OP about the voltage level and not to use RS232.
Anyways since the current is next to none in those serial interfaces I think your cam should be fine, get a proper converter and try again.

(I used a raspi for flashing the SPI flash on the camera as well if all else fails [eg bootloader], see: Dahua Firmware Mod Kit + Modded Dahua Firmware)
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
Thanks very much everyone for your advice. I guess I need to wait for the proper adapter ordered from eBay. Hopefully, will get it by the end of the month.
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
I finally got a chance to get a USB-TTL dongle. I could make the connection successfully and get the terminal screen. However, I couldn't get to the command shell by holding * I even started holding the * key before powering up the camera. I am using Putty as the serial terminal client. Can you please advise? Do I need specific settings in the serial terminal client? Thanks a lot.DH terminal.jpg
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
208
Are you even seeing any input? Most likely your cable is not corrected correctly (contact issues or wrong pin). Try playing around.
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
Yes, on the attached screen shot, there are some blocky characters. Everytime I hit * , I get one more blocky character. I even tried using other serial terminal programs like Termite. Same result. I don't know if special settings are needed to send an input to the camera? What terminal program did you use? I only have Windows PC. Please advise. Thanks a lot.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
208
The big fat blocks are supposed to be your * ?
Well that doesn't seem right... They should be *
Something is wrong, I can only say it worked flawlessly for me on linux with gtkterm
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,860
Reaction score
2,533
Yes, on the attached screen shot, there are some blocky characters. Everytime I hit * , I get one more blocky character. I even tried using other serial terminal programs like Termite. Same result. I don't know if special settings are needed to send an input to the camera? What terminal program did you use? I only have Windows PC. Please advise. Thanks a lot.
Open the connection, hold down the * key, power on camera. Other keys may work too depends on boot loader.
If it fails and you get garbled chars on screen try again and then try lowering the baud rate some, but don't go too slow.

On windows I recommend using RealTerm: Serial/TCP Terminal
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
I got it working finally, by connecting the ground pin of the USB dongle to the camera's ground pinhole. Then, the camera took my keyboard inputs. I could then successfully restore my bricked camera. Thank you so much for your help.

By the way, I noticed that the new firmware dated 2016-12-09 no longer has the IVS options. I used to get "Tripwire", "Intrusion", "Loitering", etc. Now, I only get one tab.

DH-IVS.jpg

I already tried to clear the browser cache. Also, I reset camera settings to default. Do I need special ways to enable IVS in the new firmware? Thanks a lot for your advice.
 

KCulver

Getting the hang of it
Joined
Jan 12, 2017
Messages
117
Reaction score
19
I'm still struggling with this and trying to restore the camera using the serial interface method. have some time to try before I am out of time to return the camera. As to the 4 pin UART connector, there is no indication on the board what the pin out is. I've tried each one and I do get a blue led on the cp2101 but only gibberish on the screen. I am using putty. Is there any way I can identify which pins are tx/rx?
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,860
Reaction score
2,533
I'm still struggling with this and trying to restore the camera using the serial interface method. have some time to try before I am out of time to return the camera. As to the 4 pin UART connector, there is no indication on the board what the pin out is. I've tried each one and I do get a blue led on the cp2101 but only gibberish on the screen. I am using putty. Is there any way I can identify which pins are tx/rx?
expand spoilers in first post
 

keithshlo

n3wb
Joined
Sep 11, 2016
Messages
21
Reaction score
3
If you have the camera 4431CA like mine, please refer to the post

Dahua Firmware Mod Kit + Modded Dahua Firmware

cor35vet told me the pinholes from left to right are
RX, TX, GND, VCC

If you get gibberish on the screen, please make sure to configure the serial connection speed as indicated in the first post by cor35vet.

Hope it works out for you.
 

KCulver

Getting the hang of it
Joined
Jan 12, 2017
Messages
117
Reaction score
19
20170218_094411.jpg 20170218_100300.jpg 20170218_100859.jpg 20170218_100910.jpg
I got it working finally, by connecting the ground pin of the USB dongle to the camera's ground pinhole. Then, the camera took my keyboard inputs. I could then successfully restore my bricked camera. Thank you so much for your help.

By the way, I noticed that the new firmware dated 2016-12-09 no longer has the IVS options. I used to get "Tripwire", "Intrusion", "Loitering", etc. Now, I only get one tab.

View attachment 15110

I already tried to clear the browser cache. Also, I reset camera settings to default. Do I need special ways to enable IVS in the new firmware? Thanks a lot for your advice.
expand spoilers in first post

I'm still unsuccessful. I've tried (looking left to right) RX TX GND VCC as well as (looking right to left) VCC GND TX RX. I was able to get a continuous scrolling of gibberish but nothing in english. This continues as long as there is power. I've tried making a GND connection from the Dongle to an UART pin as well as from the dongle to a ground connection on the camera. My camera has a 4 pin micro molex - I wish there was some way to identify the pins so I would at least know that I am toying with correct pins.
 
Top