ds-2cd2042 (R6 architecture) how to restore uBoot?

[Viktor_zhitomir]

Just bricked a camera trying commands through RS-232. Now camera nothing output to RS-232. Fully bricked. I think, I formatted NAND using command "nand test"
I can write NAND on programmer but what to write? Have anyone full image for R6 camera? Or maybe some ambarella tool to restore uBoot?

 

[alastairstevenson]

I think, I formatted NAND using command "nand test"

Oops!

I can write NAND on programmer but what to write? Have anyone full image for R6 camera?

Hello Viktor,
I don't have a NAND dump taken directly from the flash chip - but attached are copies of the individual flash partitions, and all the files concatenated into one, which should be the equivalent of the full flash dump.
This was taken from a DS-2CD2042WD-I running the 5.4.3 firmware that I bought on eBay, fixed up and re-sold.
If / when you succeed in re-writing the flash, you will need to reset to defaults (reset button on the back) to clear the password and existing settings.
You also should update the firmware as it's an old version vulnerable to the 'Hikvision backdoor'.

Your camera 'bootpara' info - MAC address, serial number etc should still be OK as it is not held in the flash memory.

Be aware that writing a full flash dump to a different camera does not allow for any bad blocks that the donor or the recipient camera may have, that does introduce another variable.

Here was the flash layout and status :

[    2.283628] ambarella-nand e0001000.nand: in ecc-[1]bit mode
[    2.289318] ambarella_nand: Use On Flash BBT
[    2.293640] NAND device: Manufacturer ID: 0x98, Chip ID: 0xf1 (Toshiba NAND 128MiB 3,3V 8-bit), 128MiB, page size: 2048, OOB size: 64
[    2.305880] Bad block table found at page 65472, version 0x01
[    2.311807] Bad block table found at page 65408, version 0x01
[    2.317740] nand_read_bbt: bad block at 0x000006000000
[    2.322948] 16 ofpart partitions found on MTD device amba_nand
[    2.328781] Creating 16 MTD partitions on "amba_nand":
[    2.333909] 0x000000000000-0x000000020000 : "bst"
[    2.339405] 0x000000020000-0x000000120000 : "bld"
[    2.344745] 0x000000120000-0x000000200000 : "ptb"
[    2.350108] 0x000000200000-0x000000280000 : "env"
[    2.355429] 0x000000280000-0x000000380000 : "sysflg"
[    2.361110] 0x000000380000-0x000000400000 : "param"
[    2.366642] 0x000000400000-0x000000500000 : "dpt"
[    2.372057] 0x000000500000-0x000000f00000 : "rcvy"
[    2.377568] 0x000000f00000-0x000001700000 : "krn_pri"
[    2.383277] 0x000001700000-0x000001f00000 : "krn_sec"
[    2.389062] 0x000001f00000-0x000004100000 : "app_pri"
[    2.394820] 0x000004100000-0x000006300000 : "app_sec"
[    2.400615] 0x000006300000-0x000006900000 : "cfg_pri"
[    2.406292] 0x000006900000-0x000006f00000 : "cfg_sec"
[    2.412029] 0x000006f00000-0x000007700000 : "dbg"
[    2.417430] 0x000007700000-0x000007f00000 : "syslog"

 

[Viktor_zhitomir]

Thanks a lot! I'll try to build an image and flash it by programmer (I will assemble simple NANDLite).
But maybe Ambarella can accept data through RS232 if uBoot lost? For example Apple phones and pads accept boot code through USB even if NAND is removed.

 

[alastairstevenson]

Thanks a lot! I'll try to build an image and flash it by programmer (I will assemble simple NANDLite).

You could try just the first 4 partitions to begin with.

But maybe Ambarella can accept data through RS232 if uBoot lost?

Very likely - but the enabling of that feature would have to be present on the Hikvision board.
I've no idea if they have done that or not - I'd guess probably not.

 

[Viktor_zhitomir]

hmmmm... In mtd_all there are 1Mb of image lost. It is exactly 127MB ))

 

[Viktor_zhitomir]

maybe it is at end of a file? Or somewhere a hole in partitions?

 

[alastairstevenson]

hmmmm... In mtd_all there are 1Mb of image lost. It is exactly 127MB ))

Sorry - I'm not sure what you mean.
It looks OK to me :

alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ ll mtd*
-rw-r--r-- 1 alastair alastair    131072 Sep  8  2017 mtd0ro
-rw-r--r-- 1 alastair alastair  35651584 Sep  8  2017 mtd10ro
-rw-r--r-- 1 alastair alastair  35651584 Sep  8  2017 mtd11ro
-rw-r--r-- 1 alastair alastair   6291456 Sep  8  2017 mtd12ro
-rw-r--r-- 1 alastair alastair   6291456 Sep  8  2017 mtd13ro
-rw-r--r-- 1 alastair alastair   8388608 Sep  8  2017 mtd14ro
-rw-r--r-- 1 alastair alastair   8388608 Sep  8  2017 mtd15ro
-rw-r--r-- 1 alastair alastair   1048576 Sep  8  2017 mtd1ro
-rw-r--r-- 1 alastair alastair    917504 Sep  8  2017 mtd2ro
-rw-r--r-- 1 alastair alastair    524288 Sep  8  2017 mtd3ro
-rw-r--r-- 1 alastair alastair   1048576 Sep  8  2017 mtd4ro
-rw-r--r-- 1 alastair alastair    524288 Sep  8  2017 mtd5ro
-rw-r--r-- 1 alastair alastair   1048576 Sep  8  2017 mtd6ro
-rw-r--r-- 1 alastair alastair  10485760 Sep  8  2017 mtd7ro
-rw-r--r-- 1 alastair alastair   8388608 Sep  8  2017 mtd8ro
-rw-r--r-- 1 alastair alastair   8388608 Sep  8  2017 mtd9ro
-rw-r--r-- 1 alastair alastair 133169152 Sep  2 13:55 mtd_all
-rw-r--r-- 1 alastair alastair       550 Sep  8  2017 mtd.txt
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x20000))
131072
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x100000))
1048576
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0xe0000))
917504
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x80000))
524288
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x100000))
1048576
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x80000))
524288
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x100000))
1048576
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0xa00000))
10485760
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x800000))
8388608
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x2200000))
35651584
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x2200000))
35651584
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x600000))
6291456
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x600000))
6291456
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x800000))
8388608
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x800000))
8388608
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $ echo $((0x7f00000))
133169152
alastair@PC-I5 ~/cctv/DS-2CD2042WD-I/contents_543 $

 

[Viktor_zhitomir]

I mean full NAND size is 1Gbit (128MBytes). But total size of files is 127MBytes. Somewhere 1 MB is lost. Maybe big partition is smaller then can be to remap badblocks or something... First partition mtd0ro must be written at phisical addr 0x00000000 of NAND?

 

[alastairstevenson]

2.417430] 0x000007700000-0x000007f00000 : "syslog"

The bootlog shows that not all the flash is used, see above.

First partition mtd0ro must be written at phisical addr 0x00000000 of NAND?

That's the bootstrap code, as a minimum you'll also need the bld (bootloader) and the ptb.

 

[Viktor_zhitomir]

Thanks! Will make a programmer and try. After that post here

 

[Viktor_zhitomir]

Hi all! At last I digged up this camera and trying to flash it. There is a NAND chip TC58BVG0S3HTA00, and it is erased fully (only FF all 1Gb).
NAND have 1Gbit of data+32Mbits of ECC.
NAND is organized as 1024blocks*(64pages*(2048bytes+64 bytesECC)). Programmer reads this as chain of data/ECC 2048-64-2048-64-.... I'll try to write only data skipping ECC (will insert 00 to ECC, because don't know what ECC algorithm is used). Also it is a question how to write LSB/MSB in forward/reverse order and 8/16/32 bits in each word...
Also have bad block at B:768, all pages. As I see, need to build bad block table at pages 65472,65408 (at 127+Mbyte, not readed in your dump.
It is not simple:-((( Many questions

 

[watchful_ip]

good luck

 

[Viktor_zhitomir]

But how to write it to NAND? Ambarella does not respond to COM-port with clean NAND. And for write by programmer - need to know how to calculate ECC (2048+64 organization) and MSB or LSB first (32 bits in CortexA9 as I understand) ?

 

[Viktor_zhitomir]

Now I trying to write it LSB of 32 bits first skipping ECC... ECC will remain FF.
-No effect. No any activity on COM
Will try MSB first...
-Some progress - LSB first+skipping ECC bytes - see by the oscilloscope some short pulses on TX from Ambarella but cannot read anything by CH340 and Hyperterminal...
-it output to COM bytes 1B 5B 34 6C 0D 0D 0A at speed 115200 but these symbols have no sense:-( But 0D 0A... seems that speed is correct
Maybe I add NAND chip description to programmer base incorrectly.

 

[Viktor_zhitomir]

At last! uBoot started. But it cannot find BADBlock list. How can I create it if I know badblock adress?

check bad block failed >> read spare data error.
check bad block failed >> read spare data error.

U-Boot 3.1.6-125131 (Apr 27 2015-13:51:29)
boards:125163
Boot From: NAND 2048 RC
SYS_CONFIG: 0x30064059 POC: 100
Cortex freq: 600000000
iDSP freq: 216000000
Dram freq: 564000000
Core freq: 216000000
AHB freq: 108000000
APB freq: 54000000
UART freq: 24000000
SD freq: 48000000
SDIO freq: 48000000
SDXC freq: 48000000
please check flash
please check flash
please check flash
init_boot_param:nand_read_data failed
ue
*** Warning - bad CRC, using default environment
crc=0xE8203608,env.crc=0x53464C47
Hit Ctrl+u to stop autoboot: 1
HKVS #

 

[Viktor_zhitomir]

fixed nand BBT table! uBoot starts with no errors! But how to download another parts of FW? For now flashed only mtd0ro(128k), mtd1ro(1M)

 

[alastairstevenson]

fixed nand BBT table! uBoot starts with no errors!

It would be good to share how you did that - to help others.

But how to download another parts of FW?

Use the help command at the bootloader prompt to find out what flash commands there are.
If there is 'sf' and 'tftp' then you can load and read/erase/write the flash.

 

[watchful_ip]

And a thanks would be nice

 

[alastairstevenson]

Here's mtd0 and mtd1 from a R6 with OOB data included.

I'm curious how you extracted these to include the OOB data.
I'd guess with a flash programmer.

 

[Viktor_zhitomir]

Thanks for all who helped! Trying comands with BBT bricked camera again (when operating with bbt table, reclaim all bads, as I remember - it writes to all NAND) - will desolder NAND and flash again.
Cannot see in help commands to write data in BIN format. Many comands require files in format ".dav" or something...