TFTP Rescue with signed firmware
- Thread starter alekslyse
- Start date
riogrande75
Pulling my weight
If you flash ALL images (sign.img as well) it should work.
If not, just flash an old non-signed image (if available) and then upgrade the official way.
If not, just flash an old non-signed image (if available) and then upgrade the official way.
- Dec 15, 2017
- 135
- 45
Im a bit confused how to setup the configuration file. Do you have an example on how the file actually should look for that camera?
riogrande75
Pulling my weight
riogrande75
Pulling my weight
Well, this is in fact the most relevant file.
Exchange the first 2 bytes in the header of the image from DH to PK - save it - then you should be able to extract "Install".
Then you have a clue, what images the upgrade process would install. Here a example of a VTO2000A:
Exchange the first 2 bytes in the header of the image from DH to PK - save it - then you should be able to extract "Install".
Then you have a clue, what images the upgrade process would install. Here a example of a VTO2000A:
Code:
{
"Commands" : [
"burn dm365_ubl_boot_16M.bin.img bootloader",
"burn custom-x.cramfs.img custom",
"burn pd-x.cramfs.img pd",
"burn kernel-x.cramfs.img kernel",
"burn romfs-x.cramfs.img rootfs",
"burn user-x.cramfs.img user",
"burn web-x.cramfs.img web",
"burn data-x.cramfs.img data",
"burn gui-x.cramfs.img gui",
"burn pcm-x.cramfs.img pcm"
],
"Devices" : [
[ "VTO2000A", "1.00" ],
[ "VTO2000A-2", "1.00" ]
],
"Vendor" : "General"
}riogrande75
Pulling my weight
Simply open .bin file with a editor (e.g. notepad++), replace DH at the beginning with PK and save it. Rename it as .zip and extract Install from it.
Better to use a dedicated hex editor, like Frhed or others.
It won't strip out or filter characters when saving the edited file.
It won't strip out or filter characters when saving the edited file.
- Dec 15, 2017
- 135
- 45
Ok I managed to extract the install file. How do I use this?
{
"Commands" : [
"burn dhboot-min.bin.img bootloader",
"burn dhboot.bin.img bootloader",
"burn kernel.img kernel",
"burn partition-x.cramfs.img partition",
"burn romfs-x.squashfs.img rootfs",
"burn pd-x.squashfs.img pd",
"burn user-x.squashfs.img user",
"burn custom-x.squashfs.img custom",
"burn web-x.squashfs.img web",
"burn user1-x.squashfs.img user1",
"burn blob.img blob",
"burn dhboot-min-halfstart.bin.img bootloader",
"burn mcu.bin.img mcu"
],
"Devices" : [
[ "SD6XXX", "1.00" ],
[ "IPC-HX3XXX", "1.00" ],
[ "IPC-HX4XXX", "1.00" ],
[ "IPC-HX5XXX", "1.00" ],
[ "IPC-HX8XXX", "1.00" ]
],
"Vendor" : "General"
}
//IPC_RestoreDefault
{
"Commands" : [
"burn dhboot-min.bin.img bootloader",
"burn dhboot.bin.img bootloader",
"burn kernel.img kernel",
"burn partition-x.cramfs.img partition",
"burn romfs-x.squashfs.img rootfs",
"burn pd-x.squashfs.img pd",
"burn user-x.squashfs.img user",
"burn custom-x.squashfs.img custom",
"burn web-x.squashfs.img web",
"burn user1-x.squashfs.img user1",
"burn blob.img blob",
"burn dhboot-min-halfstart.bin.img bootloader",
"burn mcu.bin.img mcu"
],
"Devices" : [
[ "SD6XXX", "1.00" ],
[ "IPC-HX3XXX", "1.00" ],
[ "IPC-HX4XXX", "1.00" ],
[ "IPC-HX5XXX", "1.00" ],
[ "IPC-HX8XXX", "1.00" ]
],
"Vendor" : "General"
}
//IPC_RestoreDefault
riogrande75
Pulling my weight
riogrande75
Pulling my weight
mtcl1
n3wb
- Aug 8, 2017
- 2
- 0
Hi,
May I know how you manage to do it? I was trying many times without success. May you share your ''Commands.txt'' file?
Regards
- Dec 15, 2017
- 135
- 45
Here is the config - add the latest firmware to the root folder (the one published on this forum).
After running the commands.bat to create the new, start the tftp server and if you see the camera pull the first file, just let it run, on next boot it will do the next one
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 sign.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
After running the commands.bat to create the new, start the tftp server and if you see the camera pull the first file, just let it run, on next boot it will do the next one
run dr
run dk
run du
run dw
run dp
run dc
tftp 0x82000000 sign.img; flwrite
tftp 0x82000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5
Hello,
I have the problem with a VTO2000-2 that it is in an infinite boot loop. With logging enabled (dh_keyboard 0) it seems to have a problem with the signature. Thanks to @riogrande75 for the hint
Booting:
<ESC>[0;32;31m[libdvr] ERROR (../src/net/net.c|SetGateWay|906): SIOCADDRT
SIOCADDRT: Network is unreachable
<ESC>[m<ESC>[0;32;31m[libdvr] ERROR (../src/net/net.c|SetEthAttr|123netinit uses obsolete (PF_INET,SOCK_PACKET)
2): SetGateWay error
IP: <192.168.178.11> netmask: <255.255.255.0>
Gateway: <192.168.178.1>
<ESC>[m[libdvr] set success
<ESC>[0;32;32m[libdvr]
libdvr.so Build time: Jun 13 2018 at 00:24:14.
<ESC>[m<ESC>[0;32;32m[libdvr] SVN NUM: 7773.
<ESC>[mIPV6: only init eth0
"netinit6 help" for help
eth0:
MAC: <38:af:29:ba:e3:45>
IPV6: <2008::6> preFixLen: <112>
<ESC>[1;33m[libdvr] WARN (../src/net/network6.c|NetWorkDelIP|981): del ip failed:No such device or address
<ESC>[mIPV6 Gateway: <2008::1>
/usr/etc/imod: line 271: /var/usr/VideoDaemon: not found
... crypto start ....
DH:: [reliableenvvalidate:951] crypto dir=/usr/SigFileList,buf pos=4
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<ESC>[0;32;32m[libdvr]
libdvr.so Build time: Jun 13 2018 at 00:24:14.
<ESC>[m<ESC>[0;32;32m[libdvr] SVN NUM: 7773.
<ESC>[monly init eth2"netinit help" for help
/proc/sys/vm/drop_caches
imod end...
falied---filename:[/usr/SigFileList] signfile [/usr/Data_Signature]
Restarting system.
Following commands were executed with the software V3.120:
run dr
run dk
run du
run dw
run dd
tftp 0x82000000 pd-x.cramfs.img; flwrite
run da
tftp 0x82000000 sign.img; flwrite
While last command I received the following error:
tftp 0x82000000 sign.img; flwrite
TFTP from server 192.168.178.96; our IP address is 192.168.178.150
Filename 'sign.img'.
Load address: 0x82000000
Loading: #
done
Bytes transferred = 128 (80 hex)
DestAddr=0x523e0823 invalid!
DestAddr: 0x2000000~0x4200000
DHBOOT#
The destination address is defined in the sign.img file itself. So the question is, where are the valid ranges (0x2000000~0x4200000) defined? Is there a partition for definition of the addresses which could be corrupted?
I would be grateful for any hints on how to fix this, thank you in advance.
Environment
printenv
bootcmd=fsload
bootdelay=3
baudrate=115200
eth1addr=00:01:5b:00:55:66
eth2addr=00:01:5b:00:77:88
netmask=255.255.255.0
bootfile="uImage"
single=0
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
ID=4H008F1PAZ97C61
ethaddr=38:AF:29:BA:E3:45
HWID=VTO2000A:0:4:1:3:5:0:1:9:3:3:0:1B0:0:0:0:0:0:0:0
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=90M newmem=90M video=davincifb:vid0=OFF:vid1=OFF
sd0=OFFsd1=OFF
dh_keyboard=0
serverip=192.168.178.96
ipaddr=192.168.178.150
filesize=B040
fileaddr=81A00000
appauto=0
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Jul 24 2017 - 11:11:23)
I have the problem with a VTO2000-2 that it is in an infinite boot loop. With logging enabled (dh_keyboard 0) it seems to have a problem with the signature. Thanks to @riogrande75 for the hint
Booting:
<ESC>[0;32;31m[libdvr] ERROR (../src/net/net.c|SetGateWay|906): SIOCADDRT
SIOCADDRT: Network is unreachable
<ESC>[m<ESC>[0;32;31m[libdvr] ERROR (../src/net/net.c|SetEthAttr|123netinit uses obsolete (PF_INET,SOCK_PACKET)
2): SetGateWay error
IP: <192.168.178.11> netmask: <255.255.255.0>
Gateway: <192.168.178.1>
<ESC>[m[libdvr] set success
<ESC>[0;32;32m[libdvr]
libdvr.so Build time: Jun 13 2018 at 00:24:14.
<ESC>[m<ESC>[0;32;32m[libdvr] SVN NUM: 7773.
<ESC>[mIPV6: only init eth0
"netinit6 help" for help
eth0:
MAC: <38:af:29:ba:e3:45>
IPV6: <2008::6> preFixLen: <112>
<ESC>[1;33m[libdvr] WARN (../src/net/network6.c|NetWorkDelIP|981): del ip failed:No such device or address
<ESC>[mIPV6 Gateway: <2008::1>
/usr/etc/imod: line 271: /var/usr/VideoDaemon: not found
... crypto start ....
DH:: [reliableenvvalidate:951] crypto dir=/usr/SigFileList,buf pos=4
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<ESC>[0;32;32m[libdvr]
libdvr.so Build time: Jun 13 2018 at 00:24:14.
<ESC>[m<ESC>[0;32;32m[libdvr] SVN NUM: 7773.
<ESC>[monly init eth2"netinit help" for help
/proc/sys/vm/drop_caches
imod end...
falied---filename:[/usr/SigFileList] signfile [/usr/Data_Signature]
Restarting system.
Following commands were executed with the software V3.120:
run dr
run dk
run du
run dw
run dd
tftp 0x82000000 pd-x.cramfs.img; flwrite
run da
tftp 0x82000000 sign.img; flwrite
While last command I received the following error:
tftp 0x82000000 sign.img; flwrite
TFTP from server 192.168.178.96; our IP address is 192.168.178.150
Filename 'sign.img'.
Load address: 0x82000000
Loading: #
done
Bytes transferred = 128 (80 hex)
DestAddr=0x523e0823 invalid!
DestAddr: 0x2000000~0x4200000
DHBOOT#
The destination address is defined in the sign.img file itself. So the question is, where are the valid ranges (0x2000000~0x4200000) defined? Is there a partition for definition of the addresses which could be corrupted?
I would be grateful for any hints on how to fix this, thank you in advance.
Environment
printenv
bootcmd=fsload
bootdelay=3
baudrate=115200
eth1addr=00:01:5b:00:55:66
eth2addr=00:01:5b:00:77:88
netmask=255.255.255.0
bootfile="uImage"
single=0
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
ID=4H008F1PAZ97C61
ethaddr=38:AF:29:BA:E3:45
HWID=VTO2000A:0:4:1:3:5:0:1:9:3:3:0:1B0:0:0:0:0:0:0:0
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=90M newmem=90M video=davincifb:vid0=OFF:vid1=OFF
sd0=OFFsd1=OFFdh_keyboard=0
serverip=192.168.178.96
ipaddr=192.168.178.150
filesize=B040
fileaddr=81A00000
appauto=0
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Jul 24 2017 - 11:11:23)
Attachments
riogrande75
Pulling my weight
I'd use FW 4.3 since 3.120 was not even signed. All parts need to fit together - very important is off course the bootloader.
sorry for my english!
updating my vto2000a it seems that it has died... it gives light but it doesn't do anything else...
everything came out updating to this firmware:
General_VTOXXX-data_EngTurSlkPldHgrFinCzeBul_P_16M_SIP_PART_V4.300.0000003.0.R.20190612
but from configtool it gave no problems, the update was ok
Do you have any manual to try to rescue?
thank you