Here are the two links:
Ty
As an Amazon Associate IPCamTalk earns from qualifying purchases.
Here are the two links:
Ty
alastairstevenson
Staff member
Those look ok.
Looking at the detail in your USB convertor link - it looks like it's already wired for a null modem type of connection.
So - try connecting it directly into the NVR without using the null modem cable.
Looking at the detail in your USB convertor link - it looks like it's already wired for a null modem type of connection.
So - try connecting it directly into the NVR without using the null modem cable.
I have tried all the possible combinations with the different cables that I have, direct etc...getting the same result of a black screen in Putty.
alastairstevenson
Staff member
Try connecting pins 2 and 3 together and see if the characters that you type appear on the screen.
That will confirm that the convertor and PuTTY are working ok.
That will confirm that the convertor and PuTTY are working ok.
Hi, alastairstevenson
Ok, I did what you tell me (pins 2 and 3 together) using only this cable (photo) allows to type characters (Putty), that means this cable has Cord Cross TX RX line for data?
Supposedly I should only use this cable for this process?
Anyway, I had already tried and it didn't work, I keep trying...
Any other suggestions? or is this just passed away?
That red light on the motherboard is normal? (Photo)
Any other type of communication discarding ethernet And RS232 to make communication on this motherboard?
Thank you very much for your time and suggestions.
Attachments
alastairstevenson
Staff member
The idea of connecting 2 and 3 together and seeing if characters you type are repeated is to confirm that the PC and PuTTY is working ok.
It seems like it is, so the problem must be with the NVR.
It seems like it is, so the problem must be with the NVR.
Hey guys,
I have a similar situation to the others before me, I got a DVR with a password protection, and I'd like to reset it.
I've managed to connect to the TTL serial, so I can see the console and write to it, however, if I interrupt it at boot, it will just give me the basic commands like printenv and such, and the tftp transfer keeps timing out, so I'm not sure what else to do.
I have a similar situation to the others before me, I got a DVR with a password protection, and I'd like to reset it.
I've managed to connect to the TTL serial, so I can see the console and write to it, however, if I interrupt it at boot, it will just give me the basic commands like printenv and such, and the tftp transfer keeps timing out, so I'm not sure what else to do.
alastairstevenson
Staff member
That may be due to a network configuration.
At the bootloader :
Please show the result of using printenv, the IP address of the PC, and specify what tftp server you are using.
Also the result of using the help command.
To make it easy for us and you, use the 'code' tags in the menu bar in the post to paste in the text from the serial terminal (PuTTY?).
What firmware are you attempting to load?
Is it the same firmware as is already installed, confirmed by SADP?
Sorry for being rather short yesterday, I was a bit tired and stressed out at the end of the day about not being able to solve the issue at the proverbial "finish line".
My device is a TechSon TC-DVR SS3004AHD - this is a Hungarian brand that knocks off Chinese brands, so I'm not surprised that it has a Hikvision-like hardware inside.
A previous flat owner left it at a rented flat, so it doesn't really matter if I cannot get it to work (the 1TB WD Purple is ultimately still valuable), but you know, it would be nice if I could.
Being a 30-something programmer (previously back-end, now front-end developer) by trade who also dabbles with Arduino from time to time, this looked like a cool challenge.
The device boots up nicely, but it is password-protected and I've tried a couple of the common passwords (like 000000, 666666, 123456, "password" and such) to no avail.
I've attached pictures of the inside, so you can see the hardware as well as the writing at the back of the device, which I suppose means that it had version 3.4.4.U of the firmware initially, and then later it got upgraded to 3.4.5U.
After soldering some pins to the UART and a bit of playing around, I've successfully connected my FTDI232, so I can read and write to the console using PuTTY.
If I don't interrupt the device, after booting up, it asks for a login user and password (also tried things, no luck)
If I interrupt the boot sequence, I have a "hisilicon" prompt with a set of u-boot commands:
Code:
U-Boot 2010.06 (Jun 19 2014 - 11:30:32)
DRAM: 256 MiB
Check spi flash controller v300. found
Spi(cs1) ID: 0x01 0x20 0x18 0x03 0x01 0x00
Spi(cs1): Block:64KB Chip:16MB Name:"S25FL128P-1"
In: serial
Out: serial
Err: serial
current hi352xx version 201406191112
current used param offset 11111111111111111
current do_check_flash_boot_param
current prod net 100m
init gpio led setting
dev 0 set background color!
dev 2 set background color!
dev 0 opened!
dev 2 opened!
jpeg decoding ...
<<addr=0x80080000, size=0xae14, vobuf=0x8fd00000>>
mmu_enable
<<imgwidth=480, imgheight=320, linebytes=960>>
decode success!!!!
dev 0 set background color!
dev 2 set background color!
dev 0 opened!
vo hd 0 end
dev 2 opened!
vo cvbs end
graphic layer 0 opened!
graphic layer 2 opened!
USB: scanning bus for devices... 2 USB Device(s) found
0 Storage Device(s) found
judge ddr init
user init finish.
Hit any key to stop autoboot: 0
hisilicon #
hisilicon # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
decjpg - jpgd - decode jpeg picture.
ext2load- load binary file from a Ext2 filesystem
ext2ls - list files in a directory (default /)
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
setvobg - setvobg - set vo backgroud color.
- setvobg [dev color]
sf - SPI flash sub-system
startgx - startgx - open graphics layer.
- startgx [layer addr stride x y w h]
startvo - startvo - open interface of vo device.
- startvo [dev type sync]
stopgx - stopgx - close graphics layer.
- stopgx [layer]
stopvo - stopvo - close interface of vo device.
- stopvo [dev]
tftp - tftp - download or upload image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version
hisilicon #Printenv displays the following:
Code:
hisilicon # printenv
baudrate=115200
ethaddr=00:00:23:34:45:66
bootfile="uImage"
bootcmd=sf probe 0;sf read 0x82000000 0x0C0000 0x240000;bootm 0x82000000
phyintfx=1
auversion=2
auversion0=53a259c3
auversion1=52143d1c
bootargs=mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs)
auversion2=55e66f47
bootdelay=3
ipaddr=192.168.2.123
serverip=192.168.2.2
netmask=255.255.254.0
stdin=serial
stdout=serial
stderr=serial
verify=n
jpeg_addr=0x80080000
jpeg_size=0xae14
vobuf=0x8fd00000
ver=U-Boot 2010.06 (Jun 19 2014 - 11:30:32)
Environment size: 619/131068 bytesI have tftpd64 running on a windows machine that I've set up as a tftp server on my local network (192.168.2.x), and I've already set my computer's IP address is for the serverip variable and a random IP for ipaddr.
If I have a uImage file, it starts downloading when I run tftp, but it times out about halfway. I've also added a screenshot of my tftp server settings to this post.
I've run SADP on my network but sadly, no luck there either, it doesn't show any devices, I'm not sure why, probably because it's not exactly a Hikvision hardware?
If you could help me identifying the correct firmware that I should use to reset this device, as well as find out why it times out, that would be great.
Let me know if you need any other info.
Regards,
Greg
Attachments
alastairstevenson
Staff member
I don't believe it's a Hikvision OEM device - especially when seeing the bootloader details.
That's a confirmation it's not Hikvision.
These are going to be machine-specific.
Where in memory did you load it to?
if so - the firmware may be a bit crude, giving the possibility that the admin password may even be in plaintext in a file in the system.
What's needed is the ability to look around the file system and see how it's organised.
This is just the sort of puzzle that I quite like tackling.
But given what must be a trail and error approach, could be a bit tortuous over this medium.
Is this on the serial console, or the web GUI, or both?
It would be interesting to see the full boot log, maybe zip it up and attach as a file as it's usually lengthy.
It would be useful to see the partition layout and the types of file systems in use.
Here are some initial top-level suggestions :
I'd approach gaining access in a couple of ways.
First of all, it's likely that the bootloader can be used to extract a full flash dump.
It does depend though on being able to easily extract it from the device.
Although a memory display (md) would work, it's lengthy and would take many hours.
Easiest would be if tftp can also transfer files out, and not just hardcoded for booting.
A little exploration of the syntax will confirm if it can send files.
For example
tftp 0x82000000 testfile 0x1000
It looks like serial flash commands are available.
If so, try
sf probe 0
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 allflash.bin 0x1000000
Another option is to make use of the fully booted environment by trying for a root shell.
A common method that may work is to replace the bootargs environment variable with
setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:768K(boot),2304K(dva110000),13M(rootfs) init=/bin/sh
saveenv
reset
And see if it boots to a shell.
If so - the bootup will need to be manually completed.
See if
/etc/init.d/rcS
still leaves a root shell.
If not,
cat /etc/init.d/rcS
to examine how rcS completes the initialisation and do the steps manually, avoiding the one that invokes the main app.
The passwords will be held in a configuration area.
The full serial log will likely provides good clues.
The partition names can also help.
For example,
cat /proc/mtd
and
mount
could point to locations.
Good luck!
Let me just tell you that you are amazing!
I've started to quote and reply to your answer line by line, and everything you've written down has worked!
First, the copy via tftp worked and I got the .bin file, although I didn't know what to do with it.
And then I've tried your bootargs change, and it gave me the full root access!
A Hungarian forum I've read previously has mentioned that a very similar product to mine, a TechSon SS3004+ (could be the exact same as my SS3004AHD, who knows) has the password in a config.dat file as plain text under /mnt/mtd/config - but his product didn't ask for a password so he could just look at it.
Based on that information coupled with the root access I had thanks to your bootargs change suggestion, I could successfully look at the config.dat file, where the password was (if you're curious, it was 010203 - duh!).
So I can now successfully log in and use the device, thanks to you!
alastairstevenson
Staff member
alastairstevenson
Staff member
It's a full image of the flash contents, it could be split down into the component partitions and the relevant contents unpacked, file systems extracted etc.
Useful for exploring when other access is blocked.
But your direct access to the running system was easier.
I got the TTL cable working with putty , and I'm able to type characters in the terminal and see them on screen (during most of the boot process)
But no matter what ctrl+u is not doing anything, I can't stop uboot. I tried to disconnect the ground and tx/Rx works.. I guess it's just there for safety or reliability?
Anyway any advice on how to get ctrl+u to work to stop uboot would be nice
But no matter what ctrl+u is not doing anything, I can't stop uboot. I tried to disconnect the ground and tx/Rx works.. I guess it's just there for safety or reliability?
Anyway any advice on how to get ctrl+u to work to stop uboot would be nice
alastairstevenson
Staff member
That's a good indication that your serial TTL connection is OK.
The character to interrupt varies with the model / brand of NVR.
What are you connecting to?
And often - you'd need to keep Control-U pressed long enough to auto-repeat before powering on the device.
Try also Control-C and *
Hi mates, I've a DS-H216Q that was running (if I don't remember wrong) an old 2017 version 3.1, I've updated it to the latest DS-H216Q_V4.21.100_200508 and now I can't login more, it doesn't give any result at the web logon page, even if I use wrong password. The Hikvision service for password recovery sent me the xml but didn't work. I believe there configuration of old FW corrupting the new FW, probably they never tested upgrading on version 4 from a too old FW.
SADP see it and shows the new FW, but also there it refuses password, I've tried also with HDMI, there also anything works.
I think the only chance I've is to use the serial port but instead of loading the FW I would try to clear only the configuration memory, any way to do it safely?
I can upload again the entire dav, I'm just guessing if really this process will erase the config file too.
I'll just type "update"? (first I'll be sure to have tftp ready with file and proper IP address). Thank you a lot
SADP see it and shows the new FW, but also there it refuses password, I've tried also with HDMI, there also anything works.
I think the only chance I've is to use the serial port but instead of loading the FW I would try to clear only the configuration memory, any way to do it safely?
I can upload again the entire dav, I'm just guessing if really this process will erase the config file too.
I'll just type "update"? (first I'll be sure to have tftp ready with file and proper IP address). Thank you a lot