Dahua IPC unbricking / recovery over serial UART and TFTP

Thanks. The serial prompt at boot is getting worse: it only provides a weird hash. It’s not even complaining about finding the uboot.

How can I reflash it?
 

Fumble

I'm trying to recover a DH-TPC-SD8620N-B50Z30. It's an expensive camera, so I've been going slow. I have a USB to TTL (CP2102 STC) adapter and I made a cable to connect GND, RX, and TX to what I believe to be the UART port. Now, I have 4 similar ports in the vicinity so I'm not sure if I'm hitting the right one. I can get 1-2 characters of garbage but not the boot verbosity as previously mentioned.

I probed the ports and found VCC and GND, and swapped TX/RD multiple times on the UART port. I don't think it's totally dead since it does a PTZ sweep when it boots and if I sniff the network interface it's on its default IP of 192.168.1.108. It responds to ping, telnet, and SSH. I do not have login credentials. Attached is a picture of the port. I added 12" pigtails (before I took this pic) so it can rotate without chewing or shorting my USB TTL converter.

What're all the ports for? Anything else I can be doing? Input appreciated!

Corellon

If it is responding to the network, I would suggest going the TFTP route. The ARP for 192.168.1.1 is indicative of it looking for the gateway to contact 192.168.254.254. You can run most of the serial commands through the TFTP load file and view the output in the console, and while it doesn't give a live command prompt, it would be a good indication of what is wrong. Even with a serial connection you will likely need a TFTP server up and running anyway to reflash.
 

Fumble

Yep, you're absolutely correct. I set up TFTP and I can see it requesting the upgrade_info file:

Code:
01:35:59.654381 IP 192.168.1.108.netopia-vo3 > 192.168.254.254.tftp:  69 RRQ "upgrade_info_7db780a713a4.txt" octet timeout 1 tsize 0 blksize 1468
I dug deeper and found upgrade_info.py, which will generate that file for me with the proper CRC and magic string. However, it seems I need the output of printenv via serial to get the addresses to build the TFTP command set. I created an inert upgrade_info_7db780a713a4.txt with just "printenv", hoping it would execute this via uboot and dump the contents somewhere on the network, but no joy. It fell back to failed.txt and I'm back at square one. I tried another one with "setenv logserver 192.168.254.254", hoping that I could get remote syslog logging, but got nothing.

Now I realize what you meant by it will show the output in the console. The problem is I appear to have a UART for "M" (motion?), a UART for "S" (system?), a debug header, and some other connector I don't know much about. I spent a bunch of time earlier trying to dump output from them but I got zero. Thinking my CP2102 was trash, I tried a Saleae logic analyzer, but either I couldn't get the trigger right or there was no output being displayed via serial. It's been years since I used it, so likely user error.
 

Fumble

I re-ran the UART serial exercise - I found ground and ran through every pin of every connector and still no output after printenv in my TFTP upgrade_info_7db780a713a4.txt. One thing I did notice is "S_CS" and "M_CS" may abbreviate system and motion serial console. This connector had two grounds - I tested this out too. The only thing I haven't checked yet is mixing pins from headers. But I don't see how that would be productive since I always test ground to an internal chassis screw. The lack of interface here is very puzzling.
 

Corellon

By console I mean the console (Ncat) that is included in the TFTP (Click the link or check page one of this thread) package on this site; it reads the output from the camera over the network during the TFTP and displays the results.

It also has the batch file needed to generate the proper upgrade_info file by running commands.bat
 

Fumble

I didn't find the batch file in the TFTP download, but I did try the one from Dahua IPC EASY unbricking / recovery over TFTP, which includes a Python version, which is what I'm using. Originally I was using Linux, but I switched to Windows 10 to use the Hikvision TFTP tool you linked me to. I played around and realized my error is CRLF in the upgrade_info text file; going back to Linux, I'm able to TFTP update dr, dk, du, dw, and dc. However, my original symptom remains: only port 22 is open.

Web is not running, I can't use ConfigTool, and no other software I've tried can communicate with the camera.
 

Corellon

Are you able to set up a scenario where you have a TFTP server running on a machine with 192.168.254.254 netmask /24 or 255.255.255.0 and a gateway at 192.168.1.1 netmask /24 or 255.255.255.0?

Preferably it's a Windows machine and you can just use the TFTP server and console.bat files from the zip file (my apologies, I had the threads confused and thought it was page one of this thread, not the other unbricking thread). On a Linux computer you should still have access to ncat; run it on port 5002 on IP 192.168.254.254, which the camera will attempt to connect to and stream the console to.

CRLF in the upgrade_info file might be if you're running the Python script directly. I've always used a Windows machine, editing the commands.txt file with my desired payload and then running commands.bat to generate the info file. Short of that, it might be a compatibility issue with the Python version you have installed on the machine? CRLF is highly suggestive of a Windows/Linux cross-platform issue.

When you run the update DR, DK, DU, DW, DC do you get any feedback on the NCAT port 5002? It should tell you which update is failing and likely why.
 

Xeontel

Hi

I came across this interesting thread, and was wondering if this method will work with this problem : DH-IPC-HDBW2300RP-Z issues

I have 6 of them showing the same symptoms. Is it worth trying to recover them?

Best Regards.
 

Corellon

Based on the other thread you should be able to do a TFTP recovery by installing the firmware again over TFTP, but you can also try using telnet since that seems to be open to you. With telnet you need to add "7ujMko0" (without the quotes) before the password you used. Example:
Web login:
Username: Admin
Password: Admin
Telnet login:
Username: Admin
Password: 7ujMko0Admin
 

radionerd

My IPC-HFW5231E-Z5E bricked while uploading firmware DH_IPC-HX5X3X-Rhea_MultiLang_PN_Stream3_V2.800.0000015.0.R.200430

In the past I have recovered other Dahua cams using Easy TFTP and Serial TFTP. I'm stumped on this one. Wondering if these newer firmwares lock it from flash.

Using easy method I tried several points 0x82000000 and 0x02000000 before hooking up serial and doing a printenv

Code:
>printenv
bootargs=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
bootcmd=sf read 0x2000000 0x1040000 0x1c0000;bootm 0x2000000
bootdelay=3
baudrate=115200
ethaddr=00:12:34:56:78:9A
ipaddr=192.168.1.108
serverip=192.168.1.1
autoload=yes
gatewayip=192.168.1.1
netmask=255.255.255.0
mp_autotest=0
ID=000000000000000000
da=tftp 0x02000000 dhboot.bin.img; flwrite;tftp dhboot-min.bin.img;flwrite
dr=tftp 0x02000000 romfs-x.squashfs.img; flwrite
dk=tftp 0x02000000 kernel.img; flwrite
du=tftp 0x02000000 user-x.squashfs.img; flwrite
dw=tftp 0x02000000 web-x.squashfs.img; flwrite
dp=tftp 0x02000000 partition-x.cramfs.img;flwrite
dc=tftp 0x02000000 custom-x.squashfs.img; flwrite
up=tftp 0x02000000 update.img; flwrite
tk=tftp 0x02000000 uImage; bootm
dh_keyboard=1
appauto=1
sysbackup=1
logserver=127.0.0.1
loglevel=4
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
pd=tftp 0x02000000 pd-x.squashfs.img; flwrite
stdin=serial
stdout=serial
stderr=serial
ethact=ambarella mac

Environment size: 1035/131068 bytes
>
after printenv set command.txt to:
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x02000000 pd-x.squashfs.img; flwrite
tftp 0x02000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

This was the 1st error.txt from when I sent default command.txt (0x82000000)
Code:
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
*** Warning - bad CRC, using default environment

sync..
buf no align with 8 bytes,len:0x800
Fail to write spi flash from :40000 in 0 chip.
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to parse HWID
fail to parse bootargsParametersV2.text info
fail to init bootargsParametersV2
TEXT_BASE:01000000
Net:   PHY:0x03625cc6,addr:0x01
s3l 55k+bcm54811 init
sd update init:HWID is missing!
partition file version 2
rootfstype squashfs root /dev/mtdblock5
Using ambarella mac device
Download Filename 'upgrade_info_7db780a713a4.txt'.Downloading: 100%
  ## file size: 202 Bytes,      times: 0s,      speed: 14.6 KiB/s
done
Bytes transferred = 202 (ca hex)
Using ambarella mac device
Download Filename 'romfs-x.squashfs.img'.Downloading: 100%
  ## file size: 3.2 MiB,        times: 6s,      speed: 474.6 KiB/s
done
Bytes transferred = 3303672 (3268f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!
## Checking Image at 02000000 ...
   Legacy image found
   Image Name:   romfs
   Created:      2020-04-30   7:22:56 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3301376 Bytes = 3.1 MiB
   Load Address: 01b80000
   Entry Point:  01fd0000
   Verifying Checksum ... OK
Programing start at: 0x01b80000 for romfs
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 96%__do_write_flashSpi: error!
flwrite error 1!
cmd Failed run dr!
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
get bootargs info failed
cmdLine console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
ERROR:
write : 96%__do_write_flashSpi: error!
flwrite error 1!
cmd Failed run dr!
 

radionerd

boot responds:
Code:
U-Boot 2010.06-svn6390 (Feb 19 2020 - 12:04:41)

>boot

SPI probe: 32768 KiB W25Q256FV at 0:0 is now current device

   Verifying Checksum ... Bad Data CRC

ERROR: can't get kernel image!

try:kload 0x2000000 fail to get partinfo

failed!
Partition:
Code:
>partition

fail to uncompress

fail to load partition.txt from e0000

fail to load partition file

partition isn't exist
bdinfo
Code:
>bdinfo

arch_number = 0x23283041

env_t       = 0x00000000

boot_params = 0x00200000

DRAM bank   = 0x00000000

-> start    = 0x00200000

-> size     = 0x07600000

ethaddr     = 00:12:34:56:78:9A

ip_addr     = 192.168.1.108

baudrate    = 115200 bps
 

mikelikes

If I had to try something that's where I would start (aside from programming the flash chip with an external tool)
Hi Corellon, is there a thread that talks about the tools required to flash a chip with an external tool? I have an issue with a camera a few pages back on this thread and I would like to try this as a last resort.
 

arni7

Hello. The HDWB5431EP-Z camera does not start after uploading the wrong software. PING 192.168.1.108 - 9934 ms, 192.168.1.108 -1 ms, 192.168.1.108 -1 ms, 192.168.1.108 -1 ms, time out, time out appears. I undressed, I want to save using TFTP, I don't know if it is possible? Maybe a TTL interface? I have two RS 232 sockets and 4 soldering holes where to connect TTL, which method to save?
 


Corellon

I recall there being a thread that talks about using an external programmer, but I don't have a link to it handy; it was something I came across while researching my own problem. It's not a very convenient process and requires getting the right programmer for the right type of chip on your camera. Some have alligator clamps so you don't have to pull or desolder the chip, but I can't speak much on the topic from my own experience other than that it is possible as a last resort, but not something I would like to attempt myself.
 

arni7

Anyone have an idea?


Using ambarella mac device
Download Filename 'romfs-x.squashfs.img'.
Downloading: 100%
## file size: 3.2 MiB, times: 3s, speed: 1000 KiB/s
done
Bytes transferred = 3303672 (3268f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: romfs
Created: 2019-12-02 7:54:56 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 3301376 Bytes = 3.1 MiB
Load Address: 01b80000
Entry Point: 01fd0000
Verifying Checksum ... OK
Programing start at: 0x01b80000 for romfs
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :67101962, crc from flash is :67101962
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'kernel.img'.
Downloading: 100%
## file size: 1.5 MiB, times: 1s, speed: 1.1 MiB/s
done
Bytes transferred = 1576064 (180c80 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: kernel
Created: 2019-12-02 7:45:28 UTC
Image Type: ARM Linux Firmware (uncompressed)
Data Size: 1573768 Bytes = 1.5 MiB
Load Address: 01040000
Entry Point: 01200000
Verifying Checksum ... OK
Programing start at: 0x01040000 for kernel
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :53e32f63, crc from flash is :53e32f63
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'user-x.squashfs.img'.
Downloading: 100%
## file size: 14.3 MiB, times: 12s, speed: 1.1 MiB/s
done
Bytes transferred = 14944504 (e408f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: user
Created: 2019-12-02 7:54:24 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 14942208 Bytes = 14.3 MiB
Load Address: 000f0000
Entry Point: 01000000
Verifying Checksum ... OK
Programing start at: 0x000f0000 for user
write : 100%
done
crc from program is :e2b5181, crc from flash is :e2b5181
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'web-x.squashfs.img'.
Downloading: 100%
## file size: 4.8 MiB, times: 4s, speed: 1.1 MiB/s
done
Bytes transferred = 5064952 (4d48f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: web
Created: 2019-12-02 7:53:47 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 5062656 Bytes = 4.8 MiB
Load Address: 01200000
Entry Point: 01880000
Verifying Checksum ... OK
Programing start at: 0x01200000 for web
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :ec5844d1, crc from flash is :ec5844d1
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'partition-x.cramfs.img'.
Downloading: 100%
## file size: 10.2 KiB, times: 0s, speed: 352.5 KiB/s
done
Bytes transferred = 10488 (28f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: partition
Created: 2019-12-02 7:45:28 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 8192 Bytes = 8 KiB
Load Address: 000e0000
Entry Point: 000f0000
Verifying Checksum ... OK
Programing start at: 0x000e0000 for partition
write : 100%
done
crc from program is :95b9011c, crc from flash is :95b9011c
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
Using ambarella mac device
Download Filename 'custom-x.squashfs.img'.
Downloading: 100%
## file size: 734.2 KiB, times: 0s, speed: 1 MiB/s
done
Bytes transferred = 751864 (b78f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: custom
Created: 2019-12-02 8:01:14 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 749568 Bytes = 732 KiB
Load Address: 018a0000
Entry Point: 01970000
Verifying Checksum ... OK
Programing start at: 0x018a0000 for custom
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :752edf27, crc from flash is :752edf27
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
tftp 0x2000000 pd-x.squashfs.img; flwrite
Using ambarella mac device
Download Filename 'pd-x.squashfs.img'.
Downloading: 100%
## file size: 82.2 KiB, times: 0s, speed: 883.8 KiB/s
done
Bytes transferred = 84216 (148f8 hex)
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!

## Checking Image at 02000000 ...
Legacy image found
Image Name: pd
Created: 2019-12-02 8:01:08 UTC
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 81920 Bytes = 80 KiB
Load Address: 01880000
Entry Point: 018a0000
Verifying Checksum ... OK
Programing start at: 0x01880000 for pd
SPI probe: 32768 KiB W25Q256FV at 0:1 is now current device
write : 100%
done
crc from program is :0, crc from flash is :0
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
tftp 0x2000000 .FLASHING_DONE_STOP_TFTP_NOW
Using ambarella mac device
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.
Downloading: ##
## file size: 0 Bytes, times: 0s, speed: 0 Bytes/s
done
sleep 5
boot
Wrong Image Format for bootm command
ERROR: can't get kernel image!
try:kload 0x2000000 succeed!
Verifying Checksum ... OK
partition file version 2
rootfstype squashfs root /dev/mtdblock5
curVer:V1.4 <= newVer:V1.4,verCompare success!
UBOOT_commonSwRsaVerify run successfully!
Loading Kernel Image ...OK
OK
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
Adjust Memory Allocation, dram_size=0x8200000, dsp_ram.start=0x8400000, dsp_ram.size=0x17c00000
Adjust Memory Allocation, dram_size=0x8200000, dsp_ram.start=0x8400000, dsp_ram.size=0x17c00000
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file

Starting kernel ...
partition file version 2
rootfstype squashfs root /dev/mtdblock5
half-boot found, check bst
▒UBL_loadImg bakVersion=20, bootVersion=20

U-Boot 2010.06-svn8102 (Jun 04 2020 - 20:44:05)

soft
 

Corellon

It's been encountered before that at some point Dahua ran out of space on some of the partitions and realigned the partition boundaries. During a web upgrade it upgrades and aligns properly, but during a TFTP flash it doesn't update the partition pointers, so it actually overwrites portions.

See if you can flash an older version of the firmware or locate the version just before the partition boundary changed.
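
Added example (not part of the thread and not written by any poster): a small Python checker for the Ncat console output posted above, which reports failed flwrite steps and images whose data would run past their flash window or into the next image. It assumes that in these image headers "Load Address" is the start of the flash window and "Entry Point" its end, an inference from the posted logs (the kernel window 0x1040000 to 0x1200000 matches the 0x1c0000 length in the posted bootcmd); the function names and the enlarged "web" entry in the sample are constructed.

```python
import re

# Constructed sample in the console format shown in the thread. romfs and kernel
# use the thread's values; "web" is enlarged so that it runs into "pd".
SAMPLE_LOG = """\
   Image Name:   romfs
   Data Size:    3301376 Bytes = 3.1 MiB
   Load Address: 01b80000
   Entry Point:  01fd0000
flwrite error 1!
   Image Name:   kernel
   Data Size:    1573768 Bytes = 1.5 MiB
   Load Address: 01040000
   Entry Point:  01200000
crc from program is :53e32f63, crc from flash is :53e32f63
   Image Name:   web
   Data Size:    7000000 Bytes = 6.7 MiB
   Load Address: 01200000
   Entry Point:  01880000
crc from program is :ec5844d1, crc from flash is :ec5844d1
   Image Name:   pd
   Data Size:    81920 Bytes = 80 KiB
   Load Address: 01880000
   Entry Point:  018a0000
crc from program is :0, crc from flash is :0
"""

NAME = re.compile(r"Image Name:\s*(\S+)")
CRC = re.compile(r"crc from program is :(\w+), crc from flash is :(\w+)")
# Assumption: Load Address / Entry Point are the flash window's start / end.
FIELDS = {
    "size": (re.compile(r"Data Size:\s*(\d+) Bytes"), 10),
    "start": (re.compile(r"Load Address:\s*([0-9a-fA-F]+)"), 16),
    "end": (re.compile(r"Entry Point:\s*([0-9a-fA-F]+)"), 16),
}

def parse_images(log):
    """Return one record per image header, with the outcome of its flwrite."""
    images, cur = [], {}
    for line in log.splitlines():
        if m := NAME.search(line):
            cur = {"name": m.group(1), "status": "unknown"}
            images.append(cur)
            continue
        for key, (rx, base) in FIELDS.items():
            if m := rx.search(line):
                cur[key] = int(m.group(1), base)
        if "flwrite error" in line:
            cur["status"] = "write-failed"
        elif m := CRC.search(line):
            cur["status"] = "ok" if m.group(1) == m.group(2) else "crc-mismatch"
    return [i for i in images if {"size", "start", "end"} <= i.keys()]

def find_problems(images):
    """List (image, issue) pairs: failed writes, oversize images, overlaps."""
    problems = []
    for img in images:
        if img["status"] != "ok":
            problems.append((img["name"], img["status"]))
        if img["size"] > img["end"] - img["start"]:
            problems.append((img["name"], "larger-than-window"))
    ordered = sorted(images, key=lambda i: i["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["size"] > b["start"]:
            problems.append((a["name"], "overwrites-" + b["name"]))
    return problems

if __name__ == "__main__":
    print(find_problems(parse_images(SAMPLE_LOG)))
```

Saving the Ncat output to a file and passing its contents to parse_images in place of SAMPLE_LOG runs the same checks on a real session.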
 