Unbricking bootloader

riogrande75

Pulling my weight
Oct 19, 2017
413
142
AUSTRIA
Playing with new firmware versions on my dahua VTH5241DW-S1, I flashed once again the wrong image => device bricked.
Off course I'm aware of UART / TFTP methods for unbricking. This time I made the mistake, flashing a obviously too old bootloader which does not support the flash from this board.
I ended up in uboot with
Code:
Environment SPI flash not initialized
Initializing the flash with sf probe command in uboot gives following message:
Code:
SF: Unsupported Winbond ID 4019

Even If I would download all images into ram (ethernet is working fine) and boot it up, I'm afraid the uboot commands for accessing nand in linux will not work anyway.
Any ideas on how I could unbrick my device?

Here a complete bootlog with tftp trying to flash latest bootloader:
Code:
Checking DDR......OK

UBL Version: 1.46t(DM365)09:30:17 Sep  2 2014
 Oscillator: 24MHZ
 ARM Rate: 432 MHZ
 DDR Rate: 340 MHZ
 BootMode: SPI
Starting SPI Memory Copy...
DONE


U-Boot 1.3.6 (jerry) (Mar 28 2017 - 19:34:15)

DRAM:  128 MB
SF: Got idcode ef 40 19 00 00
SF: Unsupported Winbond ID 4019
*** Warning - probe error, using default environment

*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Ethernet PHY: GENERIC @ 0x01,id:1cc816
total gio 2
gio[22]=1
gio[25]=1
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'upgrade_info_7db780a713a4.txt'.
Load address: 0x80100000
Loading: #
done
Bytes transferred = 180 (b4 hex)
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'dm365_ubl_boot_16M.bin.img'.
Load address: 0x82000000
Loading: ##################
done
Bytes transferred = 260240 (3f890 hex)

## Checking Image at 0x82000000 ...
   Header CRC Checking ... OK
   Image Name:   uboot
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    260176 Bytes = 254.1 kB
   Load Address: 02000000
   Entry Point:  02040000
   Data CRC Checking ... OK
Programing start at: 0x00000000
Environment SPI flash not initialized
Environment SPI flash not initialized
Environment SPI flash not initialized
write : 0%Environment SPI flash not initialized
Environment SPI flash not initialized
Environment SPI flash not initialized
write : 25%Environment SPI flash not initialized
Environment SPI flash not initialized
Environment SPI flash not initialized
write : 50%Environment SPI flash not initialized
Environment SPI flash not initialized
write : 100%
done
Failed to Handle a line
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'failed.txt'.
Load address: 0x80200000
Loading: *
TFTP error: 'File not found or No Access' (1)
Not retrying...
==>use default images
Environment SPI flash not initialized
Error when Got kernel from SPI flash!
Environment SPI flash not initialized
Error when Got kernel from SPI flash!
DHBOOT# setenv HWID VTH5241D:0:4:2:1D:5:4:1:9:3:3:1:1B0:0:2:0:6:0:0:1
DHBOOT# saveenv
Saving Environment to SPI Flash...
Environment SPI flash not initialized
DHBOOT# sf probe 0:0
SF: Got idcode ef 40 19 00 00
SF: Unsupported Winbond ID 4019
Failed to initialize SPI flash at 0:0
DHBOOT#
 
If there is no hack to replace the uboot from uboot itself, I guess I need to flash the spi chip with a external tool.
Think I could solder some wires temporarily on the chip itself and flash it.
 
Soldering wires to the chip and doing it via 3rd party method has been done by people investigating security in the past.
Or JTAG but good luck asking Dahua for that tool.


From bad memory and mostly forgetting 15yrs+ ago, this page may help:

I remember doing sf commands for another vendor back way when, and remember incompatible SPi chips but it was too long ago to remember without having a go at it.
What I'm not sure of is if we setup the flash size with sf before or after writing the bootloader.
The other thing is if teh dahua bootloader supports loading from mmc aka sd card.

I know the bootloader on dahua can be done via the bootloader but the TFTP command people on here often report is broken, so perhaps best to do it all via serial manually loading the files.
If you try to run the application via a network load it then it should at least drop into the shell because it wont run "sonia" since there are no env entries to instruct it to.

I maybe be talking nonsense since it was a long time ago last I did this. But hope it works out for you.
Cant fathom the chicken and egg situation where if the bootloader cannot recognise the flash chip how on earth it got loaded in the first place ?
 
  • Like
Reactions: riogrande75
It seems, I have the same issue with my VTH5241 like riogrande75. After flashing a new firmware my VTH is bricked. Have tried to re-image, but the VTH is still silent.
"Environment SPI flash not initialized ". I can "setenv dh_keyvoard 0", but I am not able to saveenv.
Any hint is welcome:
Code:
Checking DDR......OK

UBL Version: 1.46t(DM365)09:30:17 Sep  2 2014
Oscillator: 24MHZ
ARM Rate: 432 MHZ
DDR Rate: 340 MHZ
BootMode: SPI
Starting SPI Memory Copy...
DONE


U-Boot 1.3.6 (jerry) (Mar 28 2017 - 19:34:15)

DRAM:  128 MB
SF: Got idcode ef 40 19 00 00
SF: Unsupported Winbond ID 4019
*** Warning - probe error, using default environment

*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Ethernet PHY: GENERIC @ 0x01,id:1cc816
total gio 2
gio[22]=1
gio[25]=1
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'upgrade_info_7db780a713a4.txt'.
Load address: 0x80100000
Loading:
TFTP error: 'File not found' (1)
Not retrying...
Fail to get info file!
Init error!
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Filename 'failed.txt'.
Load address: 0x80200000
Loading:
TFTP error: 'File not found' (1)
Not retrying...
==>use default images
Environment SPI flash not initialized
Error when Got kernel from SPI flash!
Environment SPI flash not initialized
Error when Got kernel from SPI flash!
DHBOOT# setenv dh_keyboard 0
DHBOOT# setenv appauto 0
DHBOOT# protect off all
DHBOOT# printenv
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs ,nolock mem=70M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF
bootcmd=fsload
bootdelay=3
baudrate=115200
ethaddr=00:01:5b:00:33:44
eth1addr=00:01:5b:00:55:66
eth2addr=00:01:5b:00:77:88
ipaddr=192.168.1.108
serverip=192.168.1.1
netmask=255.255.255.0
bootfile="uImage"
single=0
ID=000000000000000000
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Mar 28 2017 - 19:34:15)
dh_keyboard=0
appauto=0

Environment size: 1064/16380 bytes
DHBOOT# saveenv
Saving Environment to SPI Flash...
Environment SPI flash not initialized

--------------------------

Have also set ID and HWID, but saveenv does not work.

After setting HWID (without saveenv) and some othe parameters, I have uploaded all image with "tftp 0x81a0000 ..." nad have started "bootm".

Code:
## Booting kernel from Legacy Image at 81a00000 ...
   Image Name:   data
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    331776 Bytes = 324 kB
   Load Address: 033e0000
   Entry Point:  035e0000
   Verifying Checksum ... OK
   Uncompressing---Kernel Image ... Error: Bad gzipped data
GUNZIP: uncompress or overwrite error - must RESET board to recover
 
Last edited:
Can you pls. post the commands you used (set hwid,...)?
If we get the device booted up with this method, at least until it is visible in ConfigTool, we could try to flash it with a known good firmware.
Hopefully the config tool uses another method than the "tftp... ;flwrite" to write the bootloader in the background. If not, I guess there is no way arround to play with JTAG/serial programmer like a arduino.
 
Let me summarize the things.
Before the VTH was broken, the env. has the following settings (check with the Dahua-Script)

Code:
[Console]# uboot printenv
{
  "id": 31,
  "params": {
    "table": {
      "appauto": "1",
      "autogw": "192.168.1.1",
      "autolip": "192.168.1.108",
      "autonm": "255.255.255.0",
      "autosip": "192.168.254.254",
      "baudrate": "115200",
      "bootargs": "console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=190M newmem=190M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF",
      "bootcmd": "fsload",
      "bootdelay": "3",
      "bootfile": "\"uImage\"",
      "da": "protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite",
      "dc": "tftp 81a00000 custom-x.cramfs.img; flwrite",
      "dh_keyboard": "1",
      "dk": "tftp 81a00000 kernel-x.cramfs.img; flwrite",
      "dr": "tftp 81a00000 romfs-x.cramfs.img; flwrite",
      "du": "tftp 81a00000 user-x.cramfs.img; flwrite",
      "dw": "tftp 81a00000 web-x.cramfs.img; flwrite",
      "eth1addr": "00:01:5b:00:55:66",
      "ethaddr": "9C:14:63:5C:4A:CA",
      "fileaddr": "81A00000",
      "filesize": "D25C00",
      "HWID": "VTH5241D:0:4:2:1D:5:4:1:11:3:3:1:1B0:0:2:0:6:0:0:1",
      "ID": "4M00C84PAZ51005",
      "ipaddr": "192.168.1.108",
      "netmask": "255.255.255.0",
      "serverip": "192.168.1.1",
      "stderr": "serial",
      "stdin": "serial",
      "stdout": "serial",
      "tk": "tftp 80800000 uImage; bootm 80800000",
      "up": "tftp 81a00000 update.img; flwrite",
      "ver": "U-Boot 1.3.6 (jerry) (May  8 2018 - 17:18:39)",
      "wifiaddr": "9C:14:63:5C:4A:DE"
    }
  },
  "result": true,
  "session": 2147483641
}


After I have flashed the VTH5222 FW, I see the following environment (checked with "printenv" in NCOM):
Code:
bootargs=console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=70M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF
bootcmd=fsload
bootdelay=3
baudrate=115200
ethaddr=00:01:5b:00:33:44
eth1addr=00:01:5b:00:55:66
eth2addr=00:01:5b:00:77:88
ipaddr=192.168.1.108
serverip=192.168.1.1
netmask=255.255.255.0
bootfile="uImage"
single=0
ID=000000000000000000
da=protect off all;tftp 81a00000 dm365_ubl_boot_16M.bin.img;flwrite
dc=tftp 81a00000 custom-x.cramfs.img; flwrite
dr=tftp 81a00000 romfs-x.cramfs.img; flwrite
du=tftp 81a00000 user-x.cramfs.img; flwrite
dd=tftp 81a00000 data-x.cramfs.img; flwrite
dw=tftp 81a00000 web-x.cramfs.img; flwrite
dg=tftp 81a00000 gui-x.cramfs.img; flwrite
dk=tftp 81a00000 kernel-x.cramfs.img; flwrite
up=tftp 81a00000 update.img; flwrite
tk=tftp 80800000 uImage; bootm 80800000
gionum=22.25
gioval=1.1
dh_com=0
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot 1.3.6 (jerry) (Mar 28 2017 - 19:34:15)
dh_keyboard=1
appauto=1

Due to that, I have set the following environment:
Code:
set ID 4M00C84PAZ51005
set HWID VTH5241D:0:4:2:1D:5:4:1:11:3:3:1:1B0:0:2:0:6:0:0:1
set bootargs console=ttyS0,115200n8 root=/dev/mtdblock4 rootfstype=cramfs,nolock mem=190M newmem=190M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF
set dh_keyboard 0
set appauto 0
set fileaddr 81A00000
Have NOT set filesize. I think this a value of the broken FW.

After that I have "uploaded" the images (from the FW 1.0 Incl. loader) or working FW 4.3 (incl. loader and sign) and started "boot":
Code:
tftp 0x81a00000 *.img
.....

Hope this helps.

A "bootm" ends up in:
Code:
Wrong Image Format for bootm command
ERROR: can't get kernel image!

Code:
DHBOOT# bootm 81a00000
## Booting kernel from Legacy Image at 81a00000 ...
   Image Name:   uboot
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    260236 Bytes = 254.1 kB
   Load Address: 02000000
   Entry Point:  02040000
   Verifying Checksum ... OK
Wrong Image Type for bootm command
ERROR: can't get kernel image!
 
Last edited:
Looking at your post it seems that you tried to boot uboot out of uboot - this does not work (wrong image type...).
Try to load kernel and boot it. As rootfs I suggest to use a prepared sdcard (root=/dev/mmcblk0) - maybe this works.
 
Last edited:
Just for my understanding:
  • do the setenv things I have done before, but
    Code:
    set bootargs console=ttyS0,115200n8 root=/dev/mmcblk0 rootfstype=cramfs,nolock mem=190M newmem=190M video=davincifb:vid0=OFF:vid1=OFF:osd0=OFF:osd1=OFF
    (have to check the device name) and store all *.img to mmcblk0
  • "tftp 0x81a00000 kernel-x.cramfs.img"
  • "bootm"
 
First we have to find the devicename for the sdcard slot in uboot. Usually it's /dev/mmcblk0, but I'm not sure. Could be sdmmc as well. Maybe you are lucky with "mmc" or "mmcinfo" command.
Then you have to prepare the sdcard, donno if this can be done in uboot at all. You might have to do it on a linux machine.
 
I am still struggling to reactivate my VTH.

Have uploaded kernel-x.cramfs.img and tried to boot. The systems starts to decompress, but I do get an error.

DHBOOT# tftp 0x82000000 kernel-x.cramfs.img
TFTP from server 192.168.1.1; our IP address is 192.168.1.108
Filename 'kernel-x.cramfs.img'.
Load address: 0x82000000
################################################################
#################################################################
#################################
done
Bytes transferred = 1828012 (1be4ac hex)
DHBOOT# bootm

## Booting kernel from Legacy Image at 82000000 ...
Image Name: linux
Image Type: ARM Linux Kernel Image (gzip compressed)
Data Size: 1827948 Bytes = 1.7 MB
Load Address: 02080000
Entry Point: 02280000
Verifying Checksum ... OK
Uncompressing---Kernel Image ... Error: Bad gzipped data
GUNZIP: uncompress or overwrite error - must RESET board to recover
Checking DDR......OK

Have searched a lot and some comments are that the decompression is using the same memory I have used to upload the kernel-x.
For upload I have used 0x82000000, but the ouput is telling me that the decompression is uisng 0x02080000 !?
 
Last edited: