cctv_007

I am starting this thread to capture a bunch of information in one spot to assist those with "bricked" cameras due failed firmware upgrades. I bought my first Dahua IP camera just a couple weeks ago. I was impressed & pretty happy with it, but upon reading about new capabilities in newer firmware, I decided to upgrade it. Then like many others on here, I lost access to the Web GUI and the camera was no longer functioning. I spent the last two weeks getting to know everything about these cameras and this thread will capture all this information. It will take me several weeks to document all the information so please be patient. There are a variety of problems that I will try my best to explain and share the possible solutions. I have gotten pretty comfortable with these cameras and have purposely bricked them to various degrees of severity just to validate the recovery process. Most people "brick" their cameras trying to upgrade the firmware. This is not a serious issue and it can be corrected very easily. The camera runs an upgrade service on port 3800. The configTool always shows a default port of 37777 but this is not an issue as it can do the upgrade on port 3800 anyway. Change your port to 3800 and use a firmware file lsted below and you are back in business. I will keep updating this post as I get more time to write all the details around recovery. I will also post links to over 40+ firmware files that and which cameras they will work with. It will take me a bit of time to capture all this information, so please be patient. BRICKED CAMERA? How can you tell? There are several types of "BRICKED" camera conditions and they have varying levels of severity and also varying levels of complexity for recovery. Most are simple and caused by bad firmware uploads. The worst will require a full rebuild of the partitions which load the kernel, software and all other data. 1. The first step in identifying the severity of your issue is to determine what still working on your camera. In order to do that, lets remove as many variables as possible to the troubleshooting process. If possible, connect the camera ethernet and PC ethernet on it's own switch and make sure that no vlan tagging is enabled on the switch. Next, you need to figure out if the IP address is still reacheable. Ping the last known ip address. The default address for most cameras is 192.168.1.108. If you don't know it you can use the arp/ping method to configure which adds as startic arp entry to a new ip address. (This feature is enabled on the camera by default) 2. Once you have a pingable IP, you need to know what services are still active on the camera. This can be done with a simple port scanner. I have added a link to below in tools. 3. Run the port scanner and record which ports are still open. In many cases port 23 and port 3800 will still be open. If this is your situation, it is a very simple fix. If no ports are open, you will need to do a full image load which is more complex. The typical ports that you would see are: 23 - Telnet access 80 - Web User interface 443 - SSL 554 - Real time streaming port 3800 - Upgrade Deamon 5000 - UPnP 37777 - TCP Video streaming 37778 - UDP Video Streaming 42323 - Real time remote runner Plus a whole bunch more of UDP ports and more TCP ports REPAIR WITH PORT 3800 Download a step by step guide (DAHUA IP Camera Recovery v1.0.pdf) with screen prints @ http://tinyurl.com/lbl3up7 1A. If port 3800 is open you can connect with the Dahua Config tool (link below in tools). I tdefault to port 37777 but change it to 3800 as this port where the upgrade daemon is listening. Port 37777 is a redirect but it won't work if your firmware has failed. Launch the config tool and click on login button. Type the IP address , username and password then port 3800. Open a know working firmware file and upload to the camera. 1B. If port 3800 is not open, go to the next step to enable port 3800. 2. If you have telnet access, you can login with putty. Link to putty below in tools. The default Web UI password is admin / admin. In older firmware the telnet account is root / vizxv In newer firmware the telnet account is admin / 7ujMko0+"web UI password" ---> 7ujmko0admin Once connected you can execute a ps command to see running processes. /usr/sbin/upgraded process is what listens on port 3800 for the firmware binary file. There is also another copy in /var/tmp/ A useful tip for watching the upgrade process is to kill the "upgraded" process that is running and re-launch it in the foreground to watch the upgrade. ~#>ps 625 root 0:00 [mtdblock3] 630 root 0:00 [mtdblock4] 635 root 0:00 [mtdblock5] 772 root 0:00 [ubi_bgt7d] 776 root 0:00 [ubifs_bgt7_0] 790 root 0:00 /sbin/telnetd 798 root 0:00 [OSA_796_1] 860 root 0:00 syshelper elper 60 861 root 0:00 /usr/sbin/upgraded 869 root 0:00 [dsplogd] 870 root 0:00 [encode_guard] 889 root 0:00 [flush-ubifs_6_0] 923 root 3:29 ./VideoDaemon AEWB AF TVOUT ~#> kill -9 861 ~#> /usr/sbin/upgraded [OSA-APP] OSA Build on Apr 19 2014 at 09:55:50. [OSA-APP] SVN NUM: 1609. [libpdi] libpdi.so Build on Apr 19 2014 at 10:06:34. [libpdi] SVN NUM: 13790. [libpdi] Flashtype = 4,patSize = 100000,rwSize = 800,ersSize = 20000 22:52:46|[crypt] crypt_open ok! Name: upgraded, bulid date: Apr 19 2014 09:17:58, svn: 255 [libpdi] >-------getSystemInfo-------> Fail to get env authcode! [libpdi] Get authcode error @@@@ buf = PZC4MU056W00XXX 22:52:52|[pdc] WARN (MISC_ioctl|493): Get SdCard cfg failed ! [libpdi] deviceType: IPC-HFW4300S-V2 [libpdi] processor: A5S88 [libpdi] hardwareVersion: 1.00 [libpdi] appAutoStart: 1 [libpdi] serialNumber: PZC4MU056W00XXX [libpdi] processorCount: 1 [libpdi] deviceClass: IPC [libpdi] noPtz: 1 [libpdi] noSdCard: 1 [libpdi] bandWidth: 48 [libpdi] <-------getSystemInfo-------< UPGRADED_MSG: Can't Open /mnt/mtd/Config/passwd UPGRADED_MSG: Login success! UPGRADED_MSG: Kill 976 successful [libpdi] Read: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: ff [libpdi] Write: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: 0 UPGRADED_MSG: reset_watchdog UPGRADED_MSG: Receive A4(alarm) UPGRADED_MSG: reset_watchdog UPGRADED_MSG: Receive A1(alive package) UPGRADED_MSG: reset_watchdog UPGRADED_MSG: Received : 29868252, FileSize : 29868252 UPGRADED_MSG: Download Complete UPGRADED_MSG: DoDownLoad success! UPGRADED_MSG: Flash init success UPGRADED_MSG: hwid file success! Fail to get env native! UPGRADED_ERR: LINE: 1074: invalid file: Install.lua UPGRADED_MSG: zip file total size: 40900220 [libpdi] >-------getSystemInfo-------> Fail to get env authcode! [libpdi] Get authcode error @@@@ buf = PZC4MU056W00XXX 22:53:10|[pdc] WARN (MISC_ioctl|493): Get SdCard cfg failed ! [libpdi] deviceType: IPC-HFW4300S-V2 [libpdi] processor: A5S88 [libpdi] hardwareVersion: 1.00 [libpdi] appAutoStart: 1 [libpdi] serialNumber: PZC4MU056W00XXX [libpdi] processorCount: 1 [libpdi] deviceClass: IPC [libpdi] noPtz: 1 [libpdi] noSdCard: 1 [libpdi] bandWidth: 48 [libpdi] <-------getSystemInfo-------< UPGRADED_MSG: packet.name: SD6XXX, board.name: IPC-HFW4300S-V2 UPGRADED_MSG: packet.hardver: , board.hardver: UPGRADED_MSG: packet.name: IPC-HX3XXX, board.name: IPC-HFW4300S-V2 UPGRADED_MSG: packet.hardver: , board.hardver: UPGRADED_MSG: Verify version success Header CRC Checking ... OK Image Name: kernel.img Image Type: kernel.img (gzip compressed) Data Size: 2546876 B, Bytes = 2.43 MB Load Address: 0XC80000 Data CRC Checking ... OK Programing start at: 0XC80000 [libpdi] write update Flag [libpdi] Read: blkIndex: 0,pageIndex: 0,byteIndex: 0 ,fLag: ff [libpdi] Write: blkIndex: 0,pageIndex: 0,byteIndex: 0 ,fLag: 55 [libpdi] Flash_createPartionTab:6 [libpdi] Erase Partion: 6 [libpdi] FlashErase: addr= 0x0xc80000,blkNum:44, blkSize:0x20000,len:0x580000 <5>UBIFS: un-mount UBI device 2, volume 0 <5>UBIFS: un-mount UBI device 4, volume 0 Upgrade : Complete Total 6%... Header CRC Checking ... OK Image Name: partition-x.cramfs.img Image Type: partition-x.cramfs.img (gzip compressed) Data Size: 4160 B, Bytes = 0.00 MB Load Address: 0X500000 Data CRC Checking ... OK Programing start at: 0X500000 [libpdi] Flash_createPartionTab:3 [libpdi] Erase Partion: 3 [libpdi] FlashErase: addr= 0x0x500000,blkNum:8, blkSize:0x20000,len:0x100000 Upgrade : Complete Total 6%... Header CRC Checking ... OK Image Name: romfs-x.ubifs.img Image Type: romfs-x.ubifs.img (gzip compressed) Data Size: 7340096 B, Bytes = 7.00 MB Load Address: 0X1200000 Data CRC Checking ... OK Programing start at: 0X1200000 [libpdi] Flash_createPartionTab:7 [libpdi] Erase Partion: 7 [libpdi] FlashErase: addr= 0x0x1200000,blkNum:64, blkSize:0x20000,len:0x800000 Upgrade : Complete Total 24%... Header CRC Checking ... OK Image Name: pd-x.ubifs.img Image Type: pd-x.ubifs.img (gzip compressed) Data Size: 1966144 B, Bytes = 1.88 MB Load Address: 0X940000 Data CRC Checking ... OK Programing start at: 0X940000 [libpdi] Flash_createPartionTab:5 [libpdi] Erase Partion: 5 [libpdi] FlashErase: addr= 0x0x940000,blkNum:26, blkSize:0x20000,len:0x340000 Upgrade : Complete Total 28%... Header CRC Checking ... OK Image Name: user-x.ubifs.img Image Type: user-x.ubifs.img (gzip compressed) Data Size: 21233728 B, Bytes = 20.25 MB Load Address: 0X2200000 Data CRC Checking ... OK Programing start at: 0X2200000 [libpdi] Flash_createPartionTab:9 [libpdi] Erase Partion: 9 [libpdi] FlashErase: addr= 0x0x2200000,blkNum:204, blkSize:0x20000,len:0x1980000 Upgrade : Complete Total 80%... Header CRC Checking ... OK Image Name: custom-x.ubifs.img Image Type: custom-x.ubifs.img (gzip compressed) Data Size: 1966144 B, Bytes = 1.88 MB Load Address: 0X600000 Data CRC Checking ... OK Programing start at: 0X600000 [libpdi] Flash_createPartionTab:4 [libpdi] Erase Partion: 4 [libpdi] FlashErase: addr= 0x0x600000,blkNum:26, blkSize:0x20000,len:0x340000 Upgrade : Complete Total 85%... Header CRC Checking ... OK Image Name: web-x.ubifs.img Image Type: web-x.ubifs.img (gzip compressed) Data Size: 5505088 B, Bytes = 5.25 MB Load Address: 0X1A00000 Data CRC Checking ... OK Programing start at: 0X1A00000 [libpdi] Flash_createPartionTab:8 [libpdi] Erase Partion: 8 [libpdi] FlashErase: addr= 0x0x1a00000,blkNum:64, blkSize:0x20000,len:0x800000 Upgrade : Complete Total 99%... [libpdi] Read: blkIndex: 0,pageIndex: 1,byteIndex: 0 ,fLag: ff [libpdi] Write: blkIndex: 0,pageIndex: 1,byteIndex: 0 ,fLag: aa Upgrade : Complete Total 100%... UPGRADED_MSG: will reboot system [libpdi] rebootSystem: i will reboot [libpdi] Read: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: ff [libpdi] Write: blkIndex: 1,pageIndex: 0,byteIndex: 0 ,fLag: 0 [libpdi] pdi:system will reboot!! Here you can see each partition being loaded wit the individual img files. I will write a quick how to on loading each one individually at a later time. If you chose a valid firmware file, you will be back in working order. If you still have problems, repeat with another firmware file till you have a valid file. The IPC-HFW4300S-V2 is not natively compatible with all other 4300S firmware. I am in the process of writing a how to that explains how to over come this issue. UNBRICK WITH UBOOT via SERIAL NOTE: This section is coming soon... I'm gathering all the images I need for various camera types OTHER USEFUL INFORMATION (to be sorted later) The firmware consists of several images that are loaded into various partitions in flash in a UBI file system. You can load each partition separately if needed. More on this later.... (I'll put a guide together on flashing and recovering partitions) Once you telnet into the camera, there are number of useful binaries in the user shell that can help correct and diagnose some of the problems people are experiencing. One of the helpful steps is to kill the /var/tmp/upgraded process and run it in the foreground so you can see what is going on and easily capture error messaged. The /var/tmp/upgraded process is what opens the port 3800 and allows you to connect to the camera with the config tool if your web services have failed. There is also another copy in usr/sbin/. Also, in there is a command to reset all the parameters back to factory defaults (username, password, ip address back to 192.168.1.108 etc.) This can be accomplished with /sbin/clearparam. Another issue that people run into is the constant reboot issue. This can be caused by a failed process. The main application which provides all the camera capabilities (web interface, streaming, etc.) is /usr/bin/sonia. This process is what makes most firmware different from version to version (sort of). There are also changes to the web partition which contains the web server pages that /usr/bin sonia hosts on port 80. The sonia process is invoked by a shell script in init.d and if the process is killed, the camera reboots after a few minutes. This has cause many people issues when trying to "unbrick" the camera since you only have a few minutes between reboots. To stop the reboots you can update the flash. There is a parameter called appauto that tells the camera to auto start /us/bin/sonia. If you want the camera to start and not invoke the shell script that launches sonia, you need to set appauto to 0. This will stop the camera from rebooting when sonia is not running. This cam be accomplished by running '/sbin/appauto 0'. To turn it back on, just run /sbin/appauto 1. This writes the boot parameter in flash that the kernel reads before starting the process. You can check the current status of the appauto bootparameter with 'cat /proc/dahua/bootpara' It will only show what the parameter was when you booted up, so if you changes it you need to reboot to see the change in /proc/dahua/bootpara. Realtime streaming URL - rtsp://192.168.1.108/cam/realmonitor?channel=1&subtype=0&proto=Onvif You can change the subtype to 1 for the secondary stream also you can add user:password@ in front of the IP address if you have the permissions set requiring it. You can use the HTTP API to configure some parameters that are not yet in the web UI. For instance, another member discovered he could enable NFS through the web UI in addition to the local SD card. This config is not possible through the web interface as you need to pick one or the other. These documents details the API of Dahua video products (links provided to some of the versions below). Programmers or users can access and configure Dahua video products through the API. Every setting of the camera is available through the API whereas only a small number are available through the WEB interface. The document with version 1.10 is available with firmware version 2.0 and above. This document with version 1.20, 1.21, 1.22, 1.23,1.24,1,25,1,26,1,27,1,28 is available with firmware 2.210 and above.This document with version 1. 29 ,1.30, 1.31, 1.32, 1.33, 1.34, 1.35, 1.36 is available with firmware 2.210 and above.This document with version 1.37 is available with firmware 2.212, 2.4 and above. I have also done a bit of testing around the tftp process that is invoked in u-boot that looks for upgrade_info_7db780a713a4.txt and failed.txt. I think with a little more work, I'll figure out if there is a recovery method using tftp without serial access. This would be necessary if you lose telnet access and need to rebuild the kernel partition that hosts telnetd. Tools DAHUA IP Camera Recovery v1.0.pdf....................... http://tinyurl.com/lbl3up7 Port Scanner .................................................. http://tinyurl.com/q53pojg Putty .............................................................. http://tinyurl.com/lvbbmsq Tftp Server ..................................................... http://tinyurl.com/m46wnhe Dahua Docs & Tools DAHUA_HTTP_API 1.0 .pdf ................................................ http://tinyurl.com/lb43lga DAHUA_HTTP_API_1.23.pdf ................................................ http://tinyurl.com/lrwye3k DAHUA_HTTP_API_FOR_IPC 1.28.pdf ........................................ http://tinyurl.com/kskrcay DAHUA_HTTP_API_FOR_IPC&SD-V1.36.pdf .................................... http://tinyurl.com/mooccf9 DAHUA_HTTP_API_FOR_IPC&SD-V1.37.pdf .................................... http://tinyurl.com/kvyddfp DAHUA_HTTP_API_FOR_DVR_V1.29.pdf ....................................... http://tinyurl.com/klc72tr General_ConfigTool_Eng_V1.0.5.R.120428.zip ........................ http://tinyurl.com/mwlzbb3 General_ConfigTool_Eng_V1.06.1.T.120807.zip ........................ http://tinyurl.com/leudphu General_ConfigTool_Eng_V1.07.2.R.130304.zip ....................... http://tinyurl.com/obs5ud7 General_ConfigTool_Eng_V1.07.3.R.130701.zip ....................... http://tinyurl.com/o6p628f <---- Use this one General_ConfigTool_Eng_V2.00.0.R.140410.zip ........................ http://tinyurl.com/nbqtgev Firmware Files Firmware files are grouped by camera type and video signal (NTSC --> Eng_N / PAL --> Eng_P / or BOTH --> Eng_NP) Files are ordered by version number with the latest Firmware in blue. Files with DH_ prefix are DAHUA direct firmware files and those with General_ prefix are general release for OEM cameras but I've had good luck with both. DH_IPC-HX1100_Eng_NP_V2.210.0000.3.R.20140416.bin .................................................. http://tinyurl.com/m2jf3qv General_IPC-HX3(2)XXX_Eng_N_V2.210.0001.0.R.20130517.bin ............................................... http://tinyurl.com/q98zg9x General_IPC-HX3(2)XXX_Eng_P_V2.210.0001.0.R.20130517.bin ................................................ http://tinyurl.com/nekapn3 General_IPC-HX3(2)XXX_Eng_NP_V2.210.0001.0.R.20130517.bin ............................................. http://tinyurl.com/p59ym6z General_IPC-HX3(2)XXX_Eng_P_V2.211.0000.0.R.20130726.bin ................................................ http://tinyurl.com/my54r9z General_IPC-HX3(2)XXX_Eng_N_V2.212.0000.0.R.20131206.bin ............................................... http://tinyurl.com/lrvtm2z General_IPC-HX3(2)XXX_Eng_P_V2.212.0000.0.R.20131206.bin ................................................ http://tinyurl.com/n9rv23n General_IPC-HX3(2)XXX_Eng_N_V2.212.0001.0.R.20131224.bin ............................................... http://tinyurl.com/l5kg2d9 General_IPC-HX3(2)XXX_Eng_P_V2.212.0001.0.R.20131224.bin ................................................ http://tinyurl.com/q6c2gox DH_IPC-HX3(2)XXX_Eng_NP_8M_V2.212.0000.4.R.20140307.bin ............................................... http://tinyurl.com/mnzx33h DH_IPC-HX3(2)XXX_Eng_NP_8M_V2.212.0000.5.R.20140326.bin ............................................... http://tinyurl.com/ke285w5 DH_IPC-HX3(2)XXX_Eng_NP_8M_V2.212.0000.6.R.20140419.bin ............................................... http://tinyurl.com/mllzcox General_IPC-HX3(2)XXX_Eng_P_V2.420.0000.0.R.20140414.bin ................................................ http://tinyurl.com/nftaogy DH_IPC-HX3(2)XXX_Eng_N_V2.420.0000.0.R.20140414.bin .................................................... http://tinyurl.com/ma5q64d General_IPC-HX5(4)XXX_Eng_P_V2.210.0000.2.R.20130821.bin ................................................. http://tinyurl.com/pdcdmdk General_IPC-HX5(4)XXX_Eng_N_V2.210.0000.4.R.20130911.bin ........................................................ http://tinyurl.com/pdoxjzj General_IPC-HX5(4)XXX_Eng_P_V2.210.0000.9.R.20131217.bin ........................................................ http://tinyurl.com/p3g4t54 General_IPC-HX5(4)XXX_Eng_N_V2.210.0000.10.R.20140111.bin ...................................................... http://tinyurl.com/mnjpd79 General_IPC-HX5(4)XXX_Eng_P_V2.210.0000.12.R.20140225.bin ...................................................... http://tinyurl.com/nssnph6 DH_IPC-HX5(4)XXX_Eng_NP_V2.210.0000.12.R.20140225.bin ..................................................... http://tinyurl.com/lcjr8xv DH_IPC-HX5(4)XXX_Eng_NP_V2.210.0000.16.R.20140421.bin ..................................................... http://tinyurl.com/k67gu9u DH_IPC-HX5(4)XXX_Eng_NP_V2.210.0000.18.R.20140429.bin .................................................... http://tinyurl.com/n779scx General_IPC-HX5(4)XXX_Eng_N_V2.210.0000.21.R.20140613.bin ...................................................... http://tinyurl.com/qd2thhe General_IPC-HX5(4)XXX_Eng_P_V2.210.0000.21.R.20140613.bin ...................................................... http://tinyurl.com/p8q75b4 General_IPC-HX5(4)XXX_Eng_N_V2.400.0000.0.R.20131231.bin ........................................................ http://tinyurl.com/kmd7hu9 DH_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0000.0.R.20140419.bin .................................................. http://tinyurl.com/mb75g2n DH_IPC-HX5(4)XXX_Eng_P_Stream3_V2.420.0002.0.R.20140621.bin ............................................ http://tinyurl.com/laj29k5 General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0000.0.R.20140419.bin ......................................... http://tinyurl.com/mzw85fz General_IPC-HX5(4)XXX_Eng_P_Stream3_V2.420.0000.0.R.20140419.bin ......................................... http://tinyurl.com/ov6krph General_IPC-HX5(4)XXX_Eng_P_Stream3_P2P_V2.420.0000.0.R.20140419.bin ................................. http://tinyurl.com/oxgblkq General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0002.0.R.20140621.bin ......................................... http://tinyurl.com/kejg3fv General_IPC-HX5(4)XXX_Eng_P_Stream3_V2.420.0002.0.R.20140621.bin ......................................... http://tinyurl.com/pfmevdu General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0003.0.R.20140930.bin ............................................... http://tinyurl.com/kchslos General_IPC-HX5(4)XXX_Eng_N_V2.420.0003.0.R.20140930.bin ........................................................ http://tinyurl.com/ok4f8fx General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0005.0.R.20141205.bin .............................................. http://tinyurl.com/qbrfg3k General_IPC-HX5(4)XXX_Eng_P_Stream3_V2.420.0005.0.R.20141205.bin ......................................... http://tinyurl.com/ot99vgw DH_IPC-HX8XXX_Eng_NP_V2.400.0000.2.R.20140506.bin .......................................................... http://tinyurl.com/lbar98x I will also post the bare metal img files when I get some time which contain the firmware and all the img files including the update.img that can be used for serial recovery. I have just started the process of uploading firmware... There are much more to come as well as many more camera models. Also if you have any you want to share please PM me what you have and where I can link them to this thread. Thanks to Euly for sharing firmware files! ___________________________________ IMPORTANT NOTE FOR IPC-HFW4300S-V2 CAMERAS The new camera appears to have differences (a few that I already found) that makes some of the general firmware incompatible with them. I have found a workaround, but it is complex. I will try to summarize it in a separate thread in the following weeks. I will also repackage the newest firmware files in versions that will work for the V2 cameras. Stay tuned! In the meantime, you can use General_IPC-HX5(4)XXX_Eng_N_V2.210.0000.21.R.20140613.bin or the PAL equivalent to recover your camera. Well, that's all I have time to share for now, but I'll do my best to put together a comprehensive guide to the inner workings of these cameras and a guide to unbrick in any failed software situation. Thanks and take care. Rob

I have a IPC-HFW4300S-V2 purchased from Ali Express that won't natively take the newer English firmware files. I received the camera with an older 2.210 firmware and bricked it with the first upgrade attempt to the new firmware. I managed to recovery quite easily, but the newer firmware files still won't run without some crazy modifications at this point. I'm still trying to get the the root cause of the issue. I don't want to modify every new firmware that comes out before I can load it to my camera. It will however take the same new version of the Chinese firmware files without modifications. I've been comparing results with v2.420.0003.0 firmware (since I have both the Eng and Chinese versions) I've run a number of traces on the /usr/bin/sonia and discovered a number of differences that jump out. I have been partially successful doing a serial based reload with newer files, but the latest (v2.420.0005.0) still won't work. The sonia process launches but does not open all the service ports and there seems to be issues with authentication for the services. Anyone have any thoughts to share?

You can get a lot more information on this and other Dahua related details including links to firmware from my other thread @ viewtopic.php?f=19&t=44928 But for now here is the simplest way I know to-date to load the newest firmware on IPC-HFW4300S-V2 and other Chinese Dahua cameras ordered on AliExpress.... I'm still working on a permanent fix that will last after another firmware update, but I've had many emails about this so I thought I'd post a quick update. 1. Use the config tool or web UI to load the newest firmware (General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0005.0.R.20141205.bin) 2. Your camera will appear bricked (no web ui) but the only issue preventing it from working is the language settings (which prevents sonia from loading) 3. Login into the camera with Telnet (user: admin / password: 7ujMko0{web ui password} 4. You will need to perform a few edits, so you need to make mounts read/write \> mount -o remount rw /usr \> mount -o remount rw /mnt/custom 5. Rename files \> mv /usr/data/Strings/English.txt /usr/data/Strings/SimpChinese.txt \> mv /mnt/custom/English.txt /mnt/custom/SimpChinese.txt 6. Edit files with vi ---> /usr/data/Strings/i18n & /mnt/custom/i18n. Change the following: "DefaultLanguage" : "English", ------> SimpChinese "DefaultVideoStandard" : "NTSC", "DevStringFiles" : [ "StringsEn.txt" ], "HTMLStringFiles" : [ "webEN.json" ], "Languages" : [ "English" ], ------> SimpChinese "VideoStandards" : [ "NTSC" ], "WebStringFiles" : [ "webEN.lang" ] (Tips for using vi: press "i" for insert then ESC when done editing, then type :w to write then type :q! to exit) type reboot to restart the camera and you will have a working New English firmware. These changes will need to be repeated if you upgrade to another firmware since these partitions are erased an re-flashed during an upgrade. I'm really trying to get to the root cause of why the camera seems hard-coded to Chinese and I will update as I uncover more information. Thanks, Rob

I'm going to try General_IPC-HX5(4)XXX_Eng_N_Stream3_V2.420.0000.8.R.20150202.bin tomorrow. I'll let you know once I test it.

In theory, this could be done quite easily. All you need is a portable internet connection (cell with data), a network camera, and power. But as mentioned by boogieman, the practicality of it all is where the challenges come up. Power is the biggest issue. A cell with data turned on sending a continuous data stream will not last very long, the camera itself needs power (12v @ 2-3w) will require a big battery. Then there's the issue of concealment. All these batteries will be hard to hide "in plain sight". What you're looking for is something custom built for this type of application. It would likely be small, low power, have built-in SIM card slot and battery capacity for a "reasonable" viewing window. You're looking for a Super Secret Stealth Spycam with remote viewing ... LOL! Anything worthwhile in this category will be big $$$.

DH_HCVRxx04HG(P)-X_Eng_N_V3.200.0001.19.R.20140901.zip ....................... http://tinyurl.com/ovdux2z

You are correct... as the demands go up, so does the price from Chinese internet sources. It's basic economics. Pretty soon, the cost benefits of buying direct will be null and the cost will adjust accordingly.

I agree with vcka... I contacted Dahua for support with my camera when I bricked it. They offered basic support, but suggested I contact the reseller directly. It was purchased on Ali Express and in every sense appears to be a proper Dahua not a copy. It has all the proper packaging, stickers, model information etc. Only issue is that it was meant for distribution in China. Sites like Ali Express are selling these cameras outside the "intended" region. Internet access does that! The reality is that the Chinese market is opening up to the rest of the world and people are drawn to potentially save alot of money on products made and sold in China. Once products gets into distribution and are marked up by resellers for various markets the price doubles and triples what the retail price is in China. The reseller industry charges this much because they add value in support, warranty and services, but for many are only interested in the bottom dollar price for the product. In their case these Chinese retail avenues are great. Dahua sells more product and the only person likely to suffer from this is the customer when they are stuck and need support. For some it's a risk worth taking. Anyway, this thread is getting off-topic and maybe anew thread on the merits of Chinese direct Internet sales would be more apropos.

Cool! That's not exatcly the same experience I have been having, but it's very interesting. Thanks!

I'm not sure what you are referring to, but I don't recall anyone asking for firmware from real cameras to open it up for others. Nor do I think anyone has stated that they are trying to help Chinese copy real software. The binaries that provide the functionality for the camera have not been de-compilled or reverse engineered. We have just been exploring the structure and operation of the cameras. It's no different than logging into your print server, digital billboards, Apple TV, or any other Linux based device to see how it's put together. I bought a few cameras and I believe them to be the real deal but the fact remains that support sucks big time! Just because I bought them from from Chinese resellers does not make them fake. These products are in high demand and many people don't want to pay 3 times the price giving a cut to distribution, resellers and integrators. Sure you get support from these channels, but most support is mediocre at best and many people are capable of supporting themselves if the information is made available. As a person who like to take things apart and see how they work, I have spent some time looking into the inner workings of these little computers. I bricked one of my cameras on my first attempt to update it and took it upon myself to figure out how it all works. I've since realized that my cameras are locked to Chinese firmware and due to my inquisitive nature will figure out how it's done. There are tons of posts and threads on other manufacturers cameras and how to unlock Chinese firmware. It's no different than people unlocking their cell phones, tablets etc. The point is that sharing information that we learn from our own efforts is a good thing. These cameras have many issues that the manufacturer should and could address if they cared about the quality of their products. A company who does not share firmware updates publicly is only encouraging people to dig deeper. Had I had access to firmware when I bricked my camera, I would have reloaded it and been done with it. But because it wasn't, I was left to fend for myself and get things resolved. There is nothing "special" about these cameras that has been disclosed in these forums beyond what can reasonably be discovered with an ounce of common sense, a little time and the desire to do so. I'm not expert in any of this stuff and I was able to figure all this out with minimal effort. As far as the statement "With all back door openings to there software being posted to everyone"... There are no backdoor openings being posted to everyone and if there was it would be in the interest of the company to know about them and fix them. They ARE a security company by the way!

I think by process of elimination that I am getting close.

Very nice vcka! What I'm after is trying to get to the root cause of what is blocking the General release ENG Firmware files from loading on the camera without modification. The camera seems to have something that blocks English firmware from running. It will load just fine, but the sonia process fails on a language check. This behavior would indicate that there is a setting outside the firmware partitions that is checked for what language is allowed to run on the camera. Many of the cameras off AliExpress seem to be locked to Chinese on the newer firmware. I posted a simple work around, but it would be nice to understand what is blocking it from running, then to correct it and be able to load regular firmware without modification.

I have an IPC-HDW4300C so I'll test it out on there a little later tonight. The service that does the upgrade varies from firmware to firmware. Some version block firmware by language or compatibility, but ultimately it can all be corrected quite easily if you make a mistake. ConfigTool on port 3800 is the simplest way to load firmware and will work even if the web UI is down. I will be working on a list of firmware and a compatible camera list to facilitate the process.

Try by ConfigTool:3800 Yes... the config tool on port 3800 is the best method. Another workaround is to load an older firmware first. (Eg. General_IPC-HX5(4)XXX_Eng_N_V2.210.0000.21.R.20140613.bin) This one works well because it does not block any new firmware loads through port 37777 but I would still recommend you use the ConfigTool on port 3800.

Here's what I believe to be true at this point. 1. There doesn't appear to be any env variables set in uboot that affect language. 2. The following img are part of the firmware bin file check.img <----- this is possibly related but I have not fully investigated custom-x.ubifs.img dhboot.bin.img kernel.img partition-x.cramfs.img pd-x.ubifs.img romfs-x.ubifs.img user-x.ubifs.img web-x.ubifs.img 3. The mtd partitions are: mtd0: 00100000 00020000 "U-Boot" <---- Uboot mtd1: 00100000 00020000 "hwid" <----- loaded with env variables from uboot mtd2: 00100000 00020000 "updateflag" <---- ??? Is this the key to solving this issue? contains binary data. Will review mtd3: 00100000 00020000 "partition" <---- loaded from img in firmware update mtd4: 00340000 00020000 "custom" <---- loaded from img in firmware update mtd5: 00340000 00020000 "product" <---- loaded from img in firmware update mtd6: 00580000 00020000 "Kernel" <---- loaded from img in firmware update mtd7: 00800000 00020000 "romfs" <---- loaded from img in firmware update mtd8: 00800000 00020000 "web" <---- loaded from img in firmware update mtd9: 01980000 00020000 "user" <---- loaded from img in firmware update mtd10: 00400000 00020000 "syslog" mtd11: 00400000 00020000 "config" <----- connected to HWID (see /usr/etc/checkHWID.sh) May be indirectly related mtd12: 00400000 00020000 "backup" Somewhere outside the data that is flashed by the firmware, exists a language/China flag that is used and compared to when running the newer firmware.... The hunt continues....

This is driving me nuts!!!!! So I can get the newest firmware to run V2.420.0005.0.R.20141205 by changing 2 files in 2 locations. mv English.txt to SimpChinese.txt in /usr/data/Strings & /mnt/custom modify i18n & change language to SimpChinese in /usr/data/Strings & /mnt/custom These changes will allow all the new firmware to work, but I still can't find the root cause. Somewhere outside the partitions that get flashed by the firmware, there is a flag that makes the camera "require" chinese firmware.... If you load any 2.42 version of English firmware, you will need to fake it by renaming the key files to Chinese. I want to find what the Chinese flag is on the camera so I can change it and then load English firmware without modifications. Arghhhhh!

Can you print the output of dd if=/dev/mtd/1 bs=4096 count=1 2>&1 I was chasing a lead in this area early this week, and I just had another thought. I'd like to close the loop on this one.

I just remembered something interesting about the HWID... I'm looking at my old notes. I was playing around with changing the HWID the other day in uboot, but I forgot to update mtd1 with the changes. I'll try that now.

There is a location set to china in Onvif, but I tried removing this with no effect on firmware loads

Yes... or we need to make the the firmware native=1 true by adding in the Chinese language files to the firmware.

You're wrong! Why is it that the V1 cameras will take this firmware and not the V2 cameras? This is what I am trying to uncover. THe Chinese language file is necessary for loading on V2 cameras, but it is not an issue for V1 cameras. The custom UBI image is part of the firmware updates, so every time we flash a new firmware we will need to fix the custom UBI partition?

Yes, this was the only way I could get it to work too, but I can't find the reason why this is happening. Somewhere there is a dependency on the Chinese language and I'm still trying to get to the source of the issue.

I'm still looking into this issue, but I was away last week on business. These tests are performed on a IPC-HFW4300S-V2. It will load older ENG firmware files, new Chinese firmware files, but not new ENG firmware files without some heavy mods. I have discovered a few interesting things..... the issue with the new firmware is that the process "sonia" which runs all the services, including http on port 80 fails to start properly on the V2 cameras. This is the interesting part of the output of a trace on the sonia process with a new Chinese firmware... [0m[32;40m13:28:20|[Manager] info CMagicBox::startDstTune readCMOS DstTune flag is 0. [0m[36;40m13:28:20|[libInfra] debug ThreadBody Enter name = WatchDog, id = 1269, prior = N1, stack = 0x42424dcc [0m[32;40m13:28:20|[Manager] info CMagicBox::m_systemInfo.noPtz == [1] [0m[32;40m13:28:20|[Manager] info CMagicBox::m_systemInfo.noSdCard == [1] [0m[32;40m13:28:20|[Manager] info CMagicBox::m_systemInfo.bandWidth == [48] [0m[36;40m13:28:20|[Manager] debug setProductTransform: DeviceTypeTransform = { "CEList" : { "CE-C200" : "DH005", "CE-C20S" : "DH005" }, "General" : { "Default" : "IP Camera" } } [0m[37;40m13:28:20|trace Create Alarm Module>>>>>>>>>>>>>>>> [0m[36;40m13:28:20|[libInfra] debug ThreadBody Enter name = [ConfigSaveTimer], id = 1270, prior = N64, stack = 0x42624dcc [0mFail to get env peripheral! [37;40m13:28:20|trace alarmInputs=[0], alarmpir=[0], Flashlight=[0] [0m[33;40m13:28:20|[Manager] warn CCommonConfigManager::getConfig Alarm is Json::nullValue! [0m[33;40m13:28:20|warn Src/Comm/Alarm.cpp:706 not support pir alarm. [0m[33;40m13:28:20|[Manager] warn CCommonConfigManager::getConfig AlarmOut is Json::nullValue! [0m[37;40m13:28:20|[Manager] trace CConsole::registerCmd had been register!! [0m[37;40m13:28:20|[Manager] trace CConsole::registerCmd had been register!! [0m[32;40m13:28:20|[Manager] info CLdapUserManager::initialize() tye login times is 3 [0m[37;40m13:28:20|[Manager] trace CConsole::registerCmd had been register!! [0m[37;40m13:28:20|[Manager] trace CLog::attachFilter [0m[32;40m13:28:20|[Manager] info SetLanguage(SimpChinese) load file:/mnt/custom/SimpChinese.txt [0m[36;40m13:28:20|[libInfra] debug ThreadBody Enter name = Console, id = 1271, prior = N1, stack = 0x42824dcc Here is the same version of the English firmware.... [0m[32;40m12:16:29|[libDatabase] info CLogSqliteOperate::isSynced insertRet : 1, removeRet : 1, updateRet : 1, line : 1256 [0m[32;40m12:16:29|[libDatabase] info CLogSqliteOperate::SqliteBackup vacuum use 50ms, iRet : 0, line : 1129 [0m[37;40m12:16:29|[libDatabase] trace backup_database(): start >>> [0m[37;40m12:16:29|[libDatabase] trace match: log.db.%x [0m[37;40m12:16:29|[libDatabase] trace log.db.1 [0m[37;40m12:16:29|[libDatabase] trace remove_database(): min(1), max(1) [0m[37;40m12:16:29|[libDatabase] trace remove file: /mnt/mtd/Log/log.db.1 [0m[37;40m12:16:29|[libDatabase] trace backup_database(): finished successfully! elapsed(10) [0m[32;40m12:16:29|[libDatabase] info CLogSqliteOperate::isSynced SqliteBackup use 60, line : 1264 [0m[33;40m12:16:29|[Manager] warn CMagicBox::setSubModuleInfo fail! [0m[32;40m12:16:29|[Manager] info CMagicBox::onConfigAutoMaintain day = [2], hour = [2], min = [0], enable = [true] [0m[32;40m12:16:29|[Manager] info CMagicBox::startDstTune readCMOS DstTune flag is 0. [0m[36;40m12:16:29|[libInfra] debug ThreadBody Enter name = WatchDog, id = 1040, prior = N1, stack = 0x4269fdcc [0m[32;40m12:16:29|[Manager] info CMagicBox::m_systemInfo.noPtz == [1] [0m[32;40m12:16:29|[Manager] info CMagicBox::m_systemInfo.noSdCard == [1] [0m[32;40m12:16:29|[Manager] info CMagicBox::m_systemInfo.bandWidth == [0] [0m[36;40m12:16:29|[Manager] debug setProductTransform: DeviceTypeTransform = { "CEList" : { "CE-C200" : "DH005", "CE-C20S" : "DH005" }, "General" : { "Default" : "IP Camera" } } [0m[37;40m12:16:29|trace Create Alarm Module>>>>>>>>>>>>>>>> [0mFail to get env peripheral! [37;40m12:16:29|trace alarmInputs=[0], alarmpir=[0], Flashlight=[0] [0m[33;40m12:16:29|[Manager] warn CCommonConfigManager::getConfig Alarm is Json::nullValue! [0m[33;40m12:16:29|warn Src/Comm/Alarm.cpp:706 not support pir alarm. [0m[33;40m12:16:29|[Manager] warn CCommonConfigManager::getConfig AlarmOut is Json::nullValue! [0m[37;40m12:16:29|[Manager] trace CConsole::registerCmd had been register!! [0m[37;40m12:16:29|[Manager] trace CConsole::registerCmd had been register!! [0m[32;40m12:16:29|[Manager] info CLdapUserManager::initialize() tye login times is 3 [0m[37;40m12:16:29|[Manager] trace CConsole::registerCmd had been register!! [0m[37;40m12:16:29|[Manager] trace CLog::attachFilter [0m[35;40m12:16:29|[Manager] fatal Src/Locales.cpp:630 Language Not Compare!!Going to exit! [0m[36;40m12:16:29|[libInfra] debug ThreadBody Enter name = Console, id = 1041, prior = N1, stack = 0x4289fdcc [0muser name:password: [32;40m12:16:29|[Manager] info CLocalClient::CLocalClient(0x0x1c755c0)>>>>>> [0mTime : Thu Feb 26 12:16:29 2015 =========================== TRACE START =================================== Tid:1041, Exception type : SIGSEGV PC:[0x00701574] (0x007014f8--0x0070158f) Unknown PC:[0x4037ee70] (0x4037ee68--0x4037ee7f) __default_rt_sa_restorer_v2 + [0x0] PC:[0x401653a0] (0x4016539c--0x401656b0) pthread_mutex_lock + [0x4] PC:[0x005fcdb0] (0x005fcda4--0x005fcdbb) Unknown PC:[0x0002dbcc] (0x0002db90--0x0002dbeb) Unknown PC:[0x004ef278] (0x004ef218--0x004ef357) Unknown PC:[0x0050e080] (0x0050dcdc--0x0050e5c7) Unknown PC:[0x0050e88c] (0x0050e5c8--0x0050e973) Unknown PC:[0x0050eb98] (0x0050e974--0x0050ecef) Unknown PC:[0x0050ed40] (0x0050ecfc--0x0050ed6b) Unknown PC:[0x004d8294] (0x004d8164--0x004d839f) Unknown PC:[0x004d8458] (0x004d83a8--0x004d8487) Unknown PC:[0x00600708] (0x00600624--0x0060077f) Unknown PC:[0x40163038] (0x40162f44--0x40163474) start_thread + [0xf4] PC:[0x404297a8] (0x4042976c--0x404297ac) clone + [0x88] PC:[0x00000000](Failed to locate address)=========================== TRACE END =================================== The app fails and exits when checking the Locales which don't match. There appears to be some issue only when loading sonia from English version of the firmware files. I've checked this with 5 different 2.42 English firmware files and all exhibit the same error. ' Usually the Lang can be set in /usr/custom/i18n and another instance exists in /usr/data/Strings/i18n (seen below) { "AllLanguages" : [ "English", "SimpChinese", "TradChinese", "Italian", "Spanish", "Japanese", "Russian", "French", "German", "Portugal", "Turkey", "Poland", "Romanian", "Hungarian", "Finnish", "Estonian", "Korean", "Farsi", "Dansk", "Czechish", "Bulgaria", "Slovakian", "Slovenia", "Croatian", "Dutch", "Greek", "Ukrainian", "Swedish", "Serbian", "Vietnamese", "Lithuanian", "Filipino", "Arabic", "Catalan", "Latvian" ], "DefaultLanguage" : "SimpChinese", "DefaultVideoStandard" : "PAL", "DevStringFiles" : [ "StringsCn.txt" ], "HTMLStringFiles" : [ "webCN.json" ], "Languages" : [ "SimpChinese" ], "VideoStandards" : [ "PAL" ], "WebStringFiles" : [ "webCN.lang" ] } You can get the new English firmware to load with some heavy changes to a number of files, but I still can't understand the root/cause of why these Eng files won't run on the V2 cameras. What's weird is that all the partitions are written with the English firmware files, so I'm not sure at the moment where it's still getting the Chinese locale with the English firmware... More to come.

Can anyone with an IPC-HFW4300S, please do me a favor and telnet into the camera and share past the output of 'cat /proc/dahua/bootpara' for me? the HWID has the firmware version number in the string and I'm wondering what other people have for that environment variable. I'm doing some research on this since it appears to have some bearing on the camera not taking some of the newer firmware files. 1. Telnet into the camera username:admin password 7ujMko0{web UI password} 2. Run 'cat /proc/dahua/bootpara' 3. Copy the output in a post along with your current firmware version and date. Please share! Thanks, Rob

LOL! Don't expect immediate replies to your post. After a few days you might have 50+ view and 5-10 replies. (That's if it a hot topic) If I understand what you are saying, you upgraded your firmware to a version that has the iVideon client. You connect the camera to iVideon and embedded the video into your webpage which has a login prior to viewing the video. You are concerned because the web stream URL can be retrieved from the properties, then it can be used to view the video directly from iVideon? In this case you would have to mask the URL in your webpage. There are a number of masking techniques and any half decent web developer can help you with this.