Full firmware Backup/Dump for Dahua camera

gianni253

Hi,
I've just bought a couple of Dahua IPC-HDW4631C-A from the Chinese market with hacked English firmware (the ones you shouldn't upgrade, hard reset, etc.).
I wonder how to make a full firmware dump/backup to use just in case something should go wrong and a debrick/restore is needed to go back to original status.
I own a TTL2USB adapter (3.3 or 5V) and a CH341A programmer with EEPROM socket test clips.
Any help is much appreciated.
 

alastairstevenson

I wonder how to make a full firmware dump/backup to use just in case something should go wrong and a debrick/restore is needed to go back to original status.
Quite a while back I bought a 'spares and repairs' Dahua HDW4431C-A hacked Chinese camera, probably similar to yours.
It suffered from a bootloop.

The camera was very easily fixed up by using the cfgrestore 'reset to defaults' command in the bootloader.
Before re-selling the camera I extracted the flash partitions and also the running filesystem.
The method used was to set the bootloader environment variables to enable the system log and get to a root shell after a power cycle -

setenv dh_keyboard 0
setenv appauto 0
saveenv

Then it was a matter of listing the flash partitions with
cat /proc/mtd
then mounting a NAS NFS share so the partitions could be copied out.
It would be something along the lines of:

mkdir /tmp
mount -t nfs -o nolock 192.168.1.201:/cctv1 /tmp
cat /dev/mtd0ro > /tmp/mtd0ro
cat /dev/mtd1ro > /tmp/mtd1ro
...
and so on.

My notes show that the bootloader also had the 'sf' flash utility command.
I didn't use it, but if it exists in your camera that would be a simple way to extract the flash data.
 

gianni253

Hi alastairstevenson,
many thanks for your answer.
That's the same approach I followed to dump a Dahua NVR, with the only difference that the NVR has telnet access, so it was quite easy and fast with the help of tftp.
After starting a tftp server on my PC and listing the mtd partitions, it was something like this:
Code:
# cat /dev/mtd0 > mtd0_dump
# tftp -l ./mtd0_dump -r mtd0_dump -p ip_of_my_pc
# rm mtd0_dump
and so on with other partitions ...
Now my question is: do we have other options to dump firmware?
For example, what about dumping with an EEPROM programmer?
Pros and cons of the two ways? (with special regard to restore steps)
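
A host-side check for the partition copies made by either method above (the NFS copy or the tftp transfer), added here as an example and not part of any post in the thread: it compares each copied file with the size listed in a saved copy of /proc/mtd and prints SHA-256 hashes to keep with the backup. The function name, the saved listing file and the mtdN<suffix> file layout are assumptions; pass _dump as the third argument for files named like mtd0_dump.

```shell
#!/bin/sh
# Added example, not from the thread: check dumped partitions against a saved
# copy of the camera's /proc/mtd. Files are expected as <dir>/mtdN<suffix>.
verify_mtd_dumps() {
    listing=$1 dir=$2 suffix=${3-ro}
    bad=0 total=0
    # /proc/mtd lines look like: mtd0: 00040000 00010000 "name"
    while read -r dev size erase name || [ -n "$dev" ]; do
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac   # skip the header
        dev=${dev%:}
        want=$((0x$size))
        total=$((total + want))
        f=$dir/$dev$suffix
        if [ ! -f "$f" ]; then
            echo "MISSING $dev $name" >&2; bad=1; continue
        fi
        got=$(( $(wc -c < "$f") ))
        if [ "$got" -ne "$want" ]; then
            echo "SIZE    $dev $name: want $want bytes, got $got" >&2
            bad=1; continue
        fi
        # Erased flash reads as 0xFF; warn so an empty copy is not trusted blindly
        if [ "$(( $(tr -d '\377' < "$f" | wc -c) ))" -eq 0 ]; then
            echo "BLANK   $dev $name is all 0xFF" >&2
        fi
        sha256sum "$f"          # keep this output as the restore manifest
    done < "$listing"
    # Should equal the size of a whole-chip read if the partitions cover the chip
    echo "# total bytes in partitions: $total"
    return "$bad"
}

if [ "$#" -ge 2 ]; then
    verify_mtd_dumps "$@"
elif [ "$1" = demo ]; then   # constructed sample: two tiny fake partitions
    d=$(mktemp -d)
    printf 'dev:    size   erasesize  name\nmtd0: 00000010 00010000 "boot"\nmtd1: 00000020 00010000 "kernel"\n' > "$d/mtd.txt"
    head -c 16 /dev/zero > "$d/mtd0ro"; head -c 32 /dev/zero > "$d/mtd1ro"
    verify_mtd_dumps "$d/mtd.txt" "$d"; rm -rf "$d"
fi
```

A non-zero exit status means at least one partition file is missing or has the wrong length, so the set should be dumped again before it is relied on for a restore.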
 

alastairstevenson

Now my question is: do we have other options to dump firmware?
The sf (serial flash) command in the bootloader, in conjunction with tftp to transfer the file, usually works OK if the command is available.
And I've also successfully used a CH341A programmer to do an 'in-situ' read when the camera/NVR is unpowered.

Writing modded data back is more problematic, if the kernel has been built to prohibit it, or to react against the attempt in another way, as Hikvision have done.
 

gianni253

Yes, I understand that signed firmware does not allow any modding, so this technique should be used for restore/unbricking purposes only.
But what if the bootloader fails? I guess the only way to go would be in-situ (re)programming, provided we previously made a full dump with the CH341A ... correct?
 

alastairstevenson

I wasn't thinking of signed firmware.
When not using the firmware update programs this is being bypassed.
More the little traps that have been built in to the code to try to get in the way of things the modders would like to do and Hikvision would rather they didn't.
 