Non-physical Dahua IPC reset?

rasmusaj

n3wb
Joined
Mar 22, 2021
Messages
3
Reaction score
0
Location
Australia
Hi,

Apologies if this has been covered elsewhere. I recently moved house and inherited a security system: x1 Hikvision NVR + x4 Dahua IPCs (HDW4433C-A). Long story short, I performed a factory reset on the NVR (stupidly, without writing anything down), then tried reconfiguring things. I was able to find the IP addresses of the four cameras on the network, but it looks like the previous owners / installers changed all the admin passwords; I had tried the usual suspects: "admin", "888888" etc., but didn't have any luck. Dahua's ConfigTool app gives me the option to perform a factory reset, but that function needs the original password, which is useless.

Anyway, I know there's an option to physically reset these cameras with a button, but my problem is they're mounted quite high up and are very challenging to access. Before I call in a professional, I was just wondering if anyone knows of a software tool that will help me perform a factory reset on the four cameras. I had read about Dahua's ConfigCleaner tool, but it doesn't seem to be available from any obvious source.

Unfortunately, the installer doesn't recall the camera passwords, and I don't have the contact details of the previous owner.

Cheers,

Anthony
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,966
Reaction score
6,795
Location
Scotland
> I was just wondering if anyone knows of a software tool that will help me perform a factory reset on the four cameras.

Just a stray idea to try if you feel up to it, that I don't recall any posts about:
This method has been extensively used to apply firmware to Dahua cameras:

But it should be possible to use it to execute any available bootloader command.
Dahua cameras usually have the 'cfgRestore' bootloader command, which I have used directly in the serial console (requires physical access).
This resets the camera to the default configuration.
Maybe the tftp recovery method could be adapted to do the reset.
 

rasmusaj

> Just a stray idea to try if you feel up to it, that I don't recall any posts about:
> This method has been extensively used to apply firmware to Dahua cameras:
>
> But it should be possible to use it to execute any available bootloader command.
> Dahua cameras usually have the 'cfgRestore' bootloader command, which I have used directly in the serial console (requires physical access).
> This resets the camera to the default configuration.
> Maybe the tftp recovery method could be adapted to do the reset.

Thanks for these tips. I'll see what I can achieve. Forgot to mention I'm using macOS...
 

alastairstevenson

> Forgot to mention I'm using macOS...

Well, that will be a bit of an obstacle.
If you can beg, borrow or steal a Windows laptop, out of curiosity I tried this reset possibility.
I used a Lorex E891ab (Dahua OEM model) that the generous and knowledgeable @pozzello donated to me to experiment with.
And it worked!

Referring to this 'how-to' thread:

The commands.txt file held this set of commands. Only the cfgRestore is relevant, the others were for interest:
Code:
printenv
help
cfgRestore
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
And this is the transcript of the console window:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>dir
Volume in drive C is Windows
Volume Serial Number is C2CA-4DC5

Directory of C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup

22/03/2021  11:35    <DIR>          .
22/03/2021  11:35    <DIR>          ..
22/03/2021  11:35    <DIR>          bin
22/02/2017  22:21               147 commands - Copy.txt
22/02/2017  21:23               110 Commands.bat
22/03/2021  11:36                83 commands.txt
22/02/2017  21:46                43 Console.bat
22/03/2021  11:35    <DIR>          root
22/02/2017  21:23                24 TFTPServer.bat
               5 File(s)            407 bytes
               4 Dir(s)  27,038,494,720 bytes free

C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>console
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:805ffe08.
NAND:  spi nand id=0x7f7f21c8
Special Nand id table Version 1.35
Nand ID: 0xC8 0x21 0x00 0x00 0x00 0x00 0x00 0x00
128 MiB
partition file version 2
rootfstype squashfs root /dev/mtdblock7
gParameter[0]:node=bootargs, parameter=mem=502M console=ttyS0,115200 root=/dev/m
tdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_sl
v=80M rootflags=sync.
In:    serial
Out:   serial
Err:   serial
Net:   ethaddr:00:1f:54:35:a0:cb:
gmac RTL8201 phy base = 0 ,phyid = 0x1cc816
find 1 gmac phy
SynopGMAC: The data read from b2000020 is 00001037
PhyAddr[0x1cc816] : Autonegotiation Complete data = 7869
Link UP, loop_count = 131070
Phy Status = 0x786d
Link is up in FULL DUPLEX
Link is with 100M Speed
partition file version 2
rootfstype squashfs root /dev/mtdblock7
Using SynopGMAC-0 device
Download Filename 'upgrade_info_7db780a713a4.txt'.Downloading: ##       times: 0
s,      speed: 6.8 KiB/s
done
Bytes transferred = 143 (8f hex)
disable wdt
string value is 0
The end of file
cmd:(printenv) is not support!
cmd:(help) is not support!
config erased.
backup erased.
Using SynopGMAC-0 device
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.Downloading: ##        times: 0
s,      speed: 0 Bytes/s
done
cmd:(sleep 5) is not support!
partition file version 2
rootfstype squashfs root /dev/mtdblock7
cmdLine mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock
14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync
Erasing Nand...
Erasing at 0x300000 -- 100% complete.
Writing to Nand... done
Erasing Nand...
Erasing at 0x300000 -- 100% complete.
Writing to Nand... done

And the tftp server console window:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>dir
Volume in drive C is Windows
Volume Serial Number is C2CA-4DC5

Directory of C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup

22/03/2021  11:35    <DIR>          .
22/03/2021  11:35    <DIR>          ..
22/03/2021  11:35    <DIR>          bin
22/02/2017  22:21               147 commands - Copy.txt
22/02/2017  21:23               110 Commands.bat
22/03/2021  11:36                83 commands.txt
22/02/2017  21:46                43 Console.bat
22/03/2021  11:35    <DIR>          root
22/02/2017  21:23                24 TFTPServer.bat
               5 File(s)            407 bytes
               4 Dir(s)  26,848,362,496 bytes free

C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>commands
C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>
C:\Users\admin\Desktop\Dahua\Dahua_TFTPBackup>tftpserver
Open TFTP Server MultiThreaded Version 1.64 Windows Built 2001


accepting requests..
starting TFTP...
alias / is mapped to root\
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 60
file read allowed: Yes
file create allowed: No
file overwrite allowed: No
thread pool size: 1
Listening On: 192.168.254.254:69
Client 192.168.1.251:4065 root\upgrade_info_7db780a713a4.txt, 1 Blocks Served
Client 192.168.1.251:1212 root\.FLASHING_DONE_STOP_TFTP_NOW, 1 Blocks Served
Client 192.168.1.251:1561 root\success.txt, File not found or No Access
And I listened in on the actual serial console:
Code:
hello world
DDR_SIZE:512M
LOAD DDR512M32bit_CFG...
DDR training start...
DDR training done.
Found a Narmal img
Load @ 0x00040000 to 0xC0800000, size = 56704
Done!
Jump to 0xC0800000

hello world
spi nand id=0x7f7f21c8
Special Nand id table Version
Nand ID: 0xC8 0x21 0x00 0x00 0x00 0x00 0x00 0x00
boot from spi_nand
uboot start address:200000.
find uboot


U-Boot 2010.06-svn7376 (Oct 10 2019 - 18:50:05)
DRAM:  24 MiB
gBootLogPtr:805ffe08.
NAND:  spi nand id=0x7f7f21c8
Special Nand id table Version 1.35
Nand ID: 0xC8 0x21 0x00 0x00 0x00 0x00 0x00 0x00
128 MiB
partition file version 2
rootfstype squashfs root /dev/mtdblock7
gParameter[0]:node=bootargs, parameter=mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync.
In:    serial
Out:   serial
Err:   serial
Net:   ethaddr:00:1f:54:35:a0:cb:
gmac RTL8201 phy base = 0 ,phyid = 0x1cc816
find 1 gmac phy
SynopGMAC: The data read from b2000020 is 00001037
PhyAddr[0x1cc816] : Autonegotiation Complete data = 7869
Link UP, loop_count = 131070
Phy Status = 0x786d
Link is up in FULL DUPLEX
Link is with 100M Speed

partition file version 2
rootfstype squashfs root /dev/mtdblock7
Using SynopGMAC-0 device
Download Filename 'upgrade_info_7db780a713a4.txt'.
Downloading: ## times: 0s,      speed: 6.8 KiB/s
done
Bytes transferred = 143 (8f hex)
disable wdt
string value is 0
The end of file
cmd:(printenv) is not support!
cmd:(help) is not support!
config erased.
backup erased.
Using SynopGMAC-0 device
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.
Downloading: ## times: 0s,      speed: 0 Bytes/s
done
cmd:(sleep 5) is not support!
partition file version 2
rootfstype squashfs root /dev/mtdblock7
cmdLine mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync
Erasing Nand...
Erasing at 0x300000 -- 100% complete.
Writing to Nand... done
Erasing Nand...
Erasing at 0x300000 -- 100% complete.
Writing to Nand... done
Using SynopGMAC-0 device
Download Filename 'success.txt'.
Downloading: *
TFTP error: (1)'File not found'
Not retrying...
Erasing Nand...
Erasing at 0x300000 -- 100% complete.
Writing to Nand... done
Support backupVer:2
state:ff,err_count:00
cmdLine mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync
hmagic=0xffffffff
dh7200 start wdt ,period=120s
partition file version 2
rootfstype squashfs root /dev/mtdblock7
load slave-kernel from spi nand [0x2100000] to [0x81ffffc0] len = 0x1558e4
curVer:V1.4 <= newVer:V2.0,verCompare success!
UBOOT_commonSwRsaVerify run successfully!
partition file version 2
rootfstype squashfs root /dev/mtdblock7
cmdLine mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync
mem_addr = 82000000
Done.
warn: kernel crc check don't open
partition file version 2
rootfstype squashfs root /dev/mtdblock7
curVer:V1.4 <= newVer:V2.0,verCompare success!
UBOOT_commonSwRsaVerify run successfully!
   Loading Kernel Image ...OK
OK
partition file version 2
rootfstype squashfs root /dev/mtdblock7
cmdLine mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mŠmz=256m@0xc4000000 mem_slv=80M rootflags=sync
crashflasg:1, logmagic:54410011.

Uncompressing Linux... done, booting the kernel.
ŠLinux version 3.0.8+ (jenkins@7c39265179a6) (gcc version 6.3.0 (C-SKY Tools V3.2.6 uClibc-0.9.33.2 Linux-3.0.8 abiv2 B20171209) ) #504 PREEMPT Tue Dec 10 03:12:27 CST 2019
Linux C-SKY port done by C-SKY Microsystems co.,ltd.  www.c-sky.com
appauto=1
dh_keyboard=0
ethaddr0=0:1f:54:35:a0:cb
ethaddr1=0:0:0:0:0:0
wifiAddr=0:12:34:56:78:91
lip0=-64.-88.1.108
lip1=0.0.0.0
id=ND011903099188
parse_tag_fs_mountcmd
gLogRamRes: start=0xdf57e000;size=0x80000
Dahua DH7200 inside
CPU revision is: 0x04840683 (CK810MF)
FPU revision is: VFP(V2)
Determined physical RAM map:
memory: 80000000 @ 01800000 type 99
gMemRelimitAddr:0xdf5fe000,gMemRelimitSize:0x2000
mmz : start = 0xc4000000, size = 256M
mem_slv : size = 80M
User-defined physical RAM map:
memory: 1f600000 @ c0000000 (usable)
Reserve realmem size 336M: region[ 0xc2000000 - 0xd7000000]
Zone PFN ranges:
  Normal   0x000c0000 -> 0x000df600
  HighMem  empty
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x000c0000 -> 0x000df600
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 127508
Kernel command line: mem=502M console=ttyS0,115200 root=/dev/mtdblock7 root_slv=/dev/mtdblock14 rootfstype=squashfs mmz=256m@0xc4000000 mem_slv=80M rootflags=sync
dh_keyboard:0
This was the hoped-for action - which was successful:
Code:
Download Filename 'upgrade_info_7db780a713a4.txt'.
Downloading: ## times: 0s,      speed: 6.8 KiB/s
done
Bytes transferred = 143 (8f hex)
disable wdt
string value is 0
The end of file
cmd:(printenv) is not support!
cmd:(help) is not support!
config erased.
backup erased.
Using SynopGMAC-0 device
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.
Downloading: ## times: 0s,      speed: 0 Bytes/s
done
cmd:(sleep 5) is not support!
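
A way to check a captured console log for the outcome described above, as an added example that is not part of the original post: it reports which files the bootloader fetched, which script lines it rejected, and whether both erase messages appeared. The function names are hypothetical and the sample is excerpted from the serial console log posted above.

```python
import re

# Sample input: lines excerpted from the serial console log in the post above.
SAMPLE = """\
Download Filename 'upgrade_info_7db780a713a4.txt'.
cmd:(printenv) is not support!
cmd:(help) is not support!
config erased.
backup erased.
Download Filename '.FLASHING_DONE_STOP_TFTP_NOW'.
cmd:(sleep 5) is not support!
Download Filename 'success.txt'.
TFTP error: (1)'File not found'
"""

DOWNLOAD = re.compile(r"^Download Filename '([^']+)'\.")
REJECTED = re.compile(r"^cmd:\((.+?)\) is not support!")
TFTP_ERROR = re.compile(r"^TFTP error: \((\d+)\)'([^']*)'")


def summarize_console(text):
    """Summarise one bootloader TFTP session from captured console text."""
    out = {"fetched": [], "failed": {}, "rejected": [],
           "config_erased": False, "backup_erased": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DOWNLOAD.match(line):
            out["fetched"].append(m.group(1))
        elif m := TFTP_ERROR.match(line):
            # The error belongs to the most recent download attempt.
            if out["fetched"]:
                out["failed"][out["fetched"].pop()] = m.group(2)
        elif m := REJECTED.match(line):
            out["rejected"].append(m.group(1))
        elif line == "config erased.":
            out["config_erased"] = True
        elif line == "backup erased.":
            out["backup_erased"] = True
    return out


def reset_confirmed(summary):
    """True only if the command file was fetched and both erases were logged."""
    got_script = any(f.startswith("upgrade_info_") for f in summary["fetched"])
    return got_script and summary["config_erased"] and summary["backup_erased"]


if __name__ == "__main__":
    print(reset_confirmed(summarize_console(SAMPLE)))
```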
 

rasmusaj

In theory, I should be able to do this with macOS, but I think I have a few obstacles. Firstly, the camera is configured to an odd IP address: 192.168.10.120 (I don't know how problematic that is, but I can't change it). Secondly, Wireshark is seeing nothing when I filter for tftp. The only thing I see from Wireshark that vaguely relates to the camera is an innocuous ARP request:

No. Time Source Destination Protocol Length Info
101589 3491.033361 Zhejiang_db:35:04 Broadcast ARP 60 Gratuitous ARP for 192.168.10.120 (Reply)
 

alastairstevenson

> Firstly, the camera is configured to an odd IP address: 192.168.10.120 (I don't know how problematic that is, but I can't change it)

That's not a problem - the IP address used when fully booted is not what is used when the bootloader is probing for the tftp server, they are separately configured.

> Secondly, Wireshark is seeing nothing when I filter for tftp. The only thing I see from Wireshark that vaguely relates to the camera is an innocuous ARP request

Unless you have on the macOS device the tftp server set up and listening on 192.168.254.254 and a gateway on 192.168.1.1 that provides a route to that address - Wireshark will not see that traffic.
Even with Wireshark in promiscuous mode, the macOS device will only capture broadcasts and packets that are specifically associated with its own network address, unless you are using a switch with a snooping facility such as port replication.

> 101589 3491.033361 Zhejiang_db:35:04 Broadcast ARP 60 Gratuitous ARP for 192.168.10.120 (Reply)
That's a normal broadcast that occurs when a device is preparing to activate an interface on a specific IP address.
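
For the situation in this reply, a small listener that logs TFTP read requests without serving any file shows whether the bootloader's probes reach the host at all; this is an added example, not part of the thread or the Dahua tooling. The bind address and file names come from the transcripts earlier in the thread, `parse_rrq`, `is_bootloader_request` and `listen` are hypothetical names, and the host is assumed to already hold 192.168.254.254 on its interface.

```python
import fnmatch
import socket

# File names the bootloader requested in the TFTP server log earlier in the thread.
BOOTLOADER_FILES = ("upgrade_info_*.txt", ".FLASHING_DONE_STOP_TFTP_NOW", "success.txt")


def parse_rrq(datagram):
    """Decode a TFTP read request (RFC 1350, options per RFC 2347) or return None."""
    if len(datagram) < 4 or datagram[:2] != b"\x00\x01" or datagram[-1:] != b"\x00":
        return None
    # After the opcode: filename NUL mode NUL, then optional name/value pairs.
    fields = datagram[2:-1].split(b"\x00")
    if len(fields) < 2 or len(fields) % 2 or not fields[0]:
        return None
    try:
        text = [f.decode("ascii") for f in fields]
    except UnicodeDecodeError:
        return None
    options = dict(zip((k.lower() for k in text[2::2]), text[3::2]))
    return text[0], text[1].lower(), options


def is_bootloader_request(filename):
    """True if the name matches one the bootloader asked for in the thread's logs."""
    return any(fnmatch.fnmatchcase(filename, p) for p in BOOTLOADER_FILES)


def listen(bind_ip="192.168.254.254", port=69):
    """Log incoming RRQs and never reply (binding to port 69 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, sport) = sock.recvfrom(2048)
            req = parse_rrq(data)
            if req:
                tag = "bootloader" if is_bootloader_request(req[0]) else "other"
                print(f"{src}:{sport} RRQ {req[0]!r} mode={req[1]} [{tag}]")


if __name__ == "__main__":
    listen()
```

If nothing is logged while the camera powers up, the requests are not reaching the host, which points at addressing or routing rather than at the TFTP server software.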
 