cctv_007

Dahua - Newer Eng firmware will not run but new Chinese ok


I have an IPC-HFW4300S-V2 purchased from AliExpress that won't natively take the newer English firmware files. I received the camera with an older 2.210 firmware and bricked it with the first upgrade attempt to the new firmware. I managed to recover quite easily, but the newer firmware files still won't run without some crazy modifications at this point. I'm still trying to get to the root cause of the issue. I don't want to modify every new firmware that comes out before I can load it to my camera.

 

It will however take the same new version of the Chinese firmware files without modifications.

 

I've been comparing results with v2.420.0003.0 firmware (since I have both the Eng and Chinese versions)

 

I've run a number of traces on /usr/bin/sonia and discovered a number of differences that jump out. I have been partially successful doing a serial-based reload with newer files, but the latest (v2.420.0005.0) still won't work. The sonia process launches but does not open all the service ports, and there seem to be issues with authentication for the services.

 

Anyone have any thoughts to share?


I'm still looking into this issue, but I was away last week on business. These tests are performed on an IPC-HFW4300S-V2. It will load older ENG firmware files and new Chinese firmware files, but not new ENG firmware files without some heavy mods.

 

I have discovered a few interesting things..... the issue with the new firmware is that the process "sonia", which runs all the services including HTTP on port 80, fails to start properly on the V2 cameras.

 

This is the interesting part of the output of a trace on the sonia process with a new Chinese firmware...

 

13:28:20|[Manager] info CMagicBox::startDstTune readCMOS DstTune flag is 0.
13:28:20|[libInfra] debug ThreadBody Enter name = WatchDog, id = 1269, prior = N1, stack = 0x42424dcc
13:28:20|[Manager] info CMagicBox::m_systemInfo.noPtz == [1]
13:28:20|[Manager] info CMagicBox::m_systemInfo.noSdCard == [1]
13:28:20|[Manager] info CMagicBox::m_systemInfo.bandWidth == [48]
13:28:20|[Manager] debug setProductTransform: DeviceTypeTransform = {
  "CEList" : {
    "CE-C200" : "DH005",
    "CE-C20S" : "DH005"
  },
  "General" : {
    "Default" : "IP Camera"
  }
}
13:28:20|trace Create Alarm Module>>>>>>>>>>>>>>>>
13:28:20|[libInfra] debug ThreadBody Enter name = [ConfigSaveTimer], id = 1270, prior = N64, stack = 0x42624dcc
Fail to get env peripheral!
13:28:20|trace alarmInputs=[0], alarmpir=[0], Flashlight=[0]
13:28:20|[Manager] warn CCommonConfigManager::getConfig Alarm is Json::nullValue!
13:28:20|warn Src/Comm/Alarm.cpp:706 not support pir alarm.
13:28:20|[Manager] warn CCommonConfigManager::getConfig AlarmOut is Json::nullValue!
13:28:20|[Manager] trace CConsole::registerCmd had been register!!
13:28:20|[Manager] trace CConsole::registerCmd had been register!!
13:28:20|[Manager] info CLdapUserManager::initialize() tye login times is 3
13:28:20|[Manager] trace CConsole::registerCmd had been register!!
13:28:20|[Manager] trace CLog::attachFilter
13:28:20|[Manager] info SetLanguage(SimpChinese) load file:/mnt/custom/SimpChinese.txt
13:28:20|[libInfra] debug ThreadBody Enter name = Console, id = 1271, prior = N1, stack = 0x42824dcc

 

Here is the same version of the English firmware....

 

12:16:29|[libDatabase] info CLogSqliteOperate::isSynced insertRet : 1, removeRet : 1, updateRet : 1, line : 1256
12:16:29|[libDatabase] info CLogSqliteOperate::SqliteBackup vacuum use 50ms, iRet : 0, line : 1129
12:16:29|[libDatabase] trace backup_database(): start >>>
12:16:29|[libDatabase] trace match: log.db.%x
12:16:29|[libDatabase] trace log.db.1
12:16:29|[libDatabase] trace remove_database(): min(1), max(1)
12:16:29|[libDatabase] trace remove file: /mnt/mtd/Log/log.db.1
12:16:29|[libDatabase] trace backup_database(): finished successfully! elapsed(10)
12:16:29|[libDatabase] info CLogSqliteOperate::isSynced SqliteBackup use 60, line : 1264
12:16:29|[Manager] warn CMagicBox::setSubModuleInfo fail!
12:16:29|[Manager] info CMagicBox::onConfigAutoMaintain day = [2], hour = [2], min = [0], enable = [true]
12:16:29|[Manager] info CMagicBox::startDstTune readCMOS DstTune flag is 0.
12:16:29|[libInfra] debug ThreadBody Enter name = WatchDog, id = 1040, prior = N1, stack = 0x4269fdcc
12:16:29|[Manager] info CMagicBox::m_systemInfo.noPtz == [1]
12:16:29|[Manager] info CMagicBox::m_systemInfo.noSdCard == [1]
12:16:29|[Manager] info CMagicBox::m_systemInfo.bandWidth == [0]
12:16:29|[Manager] debug setProductTransform: DeviceTypeTransform = {
  "CEList" : {
    "CE-C200" : "DH005",
    "CE-C20S" : "DH005"
  },
  "General" : {
    "Default" : "IP Camera"
  }
}
12:16:29|trace Create Alarm Module>>>>>>>>>>>>>>>>
Fail to get env peripheral!
12:16:29|trace alarmInputs=[0], alarmpir=[0], Flashlight=[0]
12:16:29|[Manager] warn CCommonConfigManager::getConfig Alarm is Json::nullValue!
12:16:29|warn Src/Comm/Alarm.cpp:706 not support pir alarm.
12:16:29|[Manager] warn CCommonConfigManager::getConfig AlarmOut is Json::nullValue!
12:16:29|[Manager] trace CConsole::registerCmd had been register!!
12:16:29|[Manager] trace CConsole::registerCmd had been register!!
12:16:29|[Manager] info CLdapUserManager::initialize() tye login times is 3
12:16:29|[Manager] trace CConsole::registerCmd had been register!!
12:16:29|[Manager] trace CLog::attachFilter
12:16:29|[Manager] fatal Src/Locales.cpp:630 Language Not Compare!!Going to exit!
12:16:29|[libInfra] debug ThreadBody Enter name = Console, id = 1041, prior = N1, stack = 0x4289fdcc
user name:password:
12:16:29|[Manager] info CLocalClient::CLocalClient(0x0x1c755c0)>>>>>>
Time : Thu Feb 26 12:16:29 2015

=========================== TRACE START ===================================
Tid:1041, Exception type : SIGSEGV
PC:[0x00701574] (0x007014f8--0x0070158f) Unknown
PC:[0x4037ee70] (0x4037ee68--0x4037ee7f) __default_rt_sa_restorer_v2 + [0x0]
PC:[0x401653a0] (0x4016539c--0x401656b0) pthread_mutex_lock + [0x4]
PC:[0x005fcdb0] (0x005fcda4--0x005fcdbb) Unknown
PC:[0x0002dbcc] (0x0002db90--0x0002dbeb) Unknown
PC:[0x004ef278] (0x004ef218--0x004ef357) Unknown
PC:[0x0050e080] (0x0050dcdc--0x0050e5c7) Unknown
PC:[0x0050e88c] (0x0050e5c8--0x0050e973) Unknown
PC:[0x0050eb98] (0x0050e974--0x0050ecef) Unknown
PC:[0x0050ed40] (0x0050ecfc--0x0050ed6b) Unknown
PC:[0x004d8294] (0x004d8164--0x004d839f) Unknown
PC:[0x004d8458] (0x004d83a8--0x004d8487) Unknown
PC:[0x00600708] (0x00600624--0x0060077f) Unknown
PC:[0x40163038] (0x40162f44--0x40163474) start_thread + [0xf4]
PC:[0x404297a8] (0x4042976c--0x404297ac) clone + [0x88]
PC:[0x00000000](Failed to locate address)
=========================== TRACE END ===================================

 

The app fails and exits when checking the Locales, which don't match. There appears to be some issue only when loading sonia from the English version of the firmware files. I've checked this with 5 different 2.42 English firmware files and all exhibit the same error.

 

Usually the language can be set in /usr/custom/i18n, and another instance exists in /usr/data/Strings/i18n (seen below):

 

{
  "AllLanguages" : [
    "English", "SimpChinese", "TradChinese", "Italian", "Spanish", "Japanese",
    "Russian", "French", "German", "Portugal", "Turkey", "Poland", "Romanian",
    "Hungarian", "Finnish", "Estonian", "Korean", "Farsi", "Dansk", "Czechish",
    "Bulgaria", "Slovakian", "Slovenia", "Croatian", "Dutch", "Greek", "Ukrainian",
    "Swedish", "Serbian", "Vietnamese", "Lithuanian", "Filipino", "Arabic",
    "Catalan", "Latvian"
  ],
  "DefaultLanguage" : "SimpChinese",
  "DefaultVideoStandard" : "PAL",
  "DevStringFiles" : [ "StringsCn.txt" ],
  "HTMLStringFiles" : [ "webCN.json" ],
  "Languages" : [ "SimpChinese" ],
  "VideoStandards" : [ "PAL" ],
  "WebStringFiles" : [ "webCN.lang" ]
}

 

You can get the new English firmware to load with some heavy changes to a number of files, but I still can't understand the root cause of why these Eng files won't run on the V2 cameras.

 

What's weird is that all the partitions are written with the English firmware files, so I'm not sure at the moment where it's still getting the Chinese locale with the English firmware...

 

 

More to come.


How did you start the trace?

Did you rewrite uboot partition?

And what about the config partition and the backup partition, the Config1 file, etc.?

And what are the differences between the check.img file in the Eng and CH FW...

12:16:29|[Manager] fatal Src/Locales.cpp:630 Language Not Compare!!Going to exit!

If you do not modify the i18n file, just replace the contents of /mnt/custom/SimpChinese.txt with the contents of English.txt,

sonia will start without errors, so somewhere there is a parameter that says this camera is region/China.

Look at your camera config from ONVIF manager; you'll find regional/China. In English FW it's only regional/

...

I think the config partition and uboot are the most interesting parts.

What do you think about this:

dd if=/dev/mtd/1 bs=4096 count=1 2>&1 | grep -m 1 ^HWID=

 

Maybe there is localization info in this mtd device?


Maybe somebody can paste the output of (dd if=/dev/mtd/1 bs=4096 count=1 2>&1), the native= parameter, from English firmware.


I think the config partition and uboot are the most interesting parts.

What do you think about this:

dd if=/dev/mtd/1 bs=4096 count=1 2>&1 | grep -m 1 ^HWID=

Maybe there is localization info in this mtd device?

You're wrong!


I managed to flash the Eng firmware, but I need to rename the file English.txt to SimpChinese.txt in custom-x.ubifs.img. Any help? After that there will be full flashable firmware from the web or upgrade tool.

I managed to flash the Eng firmware, but I need to rename the file English.txt to SimpChinese.txt in custom-x.ubifs.img. Any help? After that there will be full flashable firmware from the web or upgrade tool.

 

 

Yes, this was the only way I could get it to work too, but I can't find the reason why this is happening. Somewhere there is a dependency on the Chinese language and I'm still trying to get to the source of the issue.


I think the config partition and uboot are the most interesting parts.

What do you think about this:

dd if=/dev/mtd/1 bs=4096 count=1 2>&1 | grep -m 1 ^HWID=

Maybe there is localization info in this mtd device?

You're wrong!

 

Why is it that the V1 cameras will take this firmware and not the V2 cameras? This is what I am trying to uncover. The Chinese language file is necessary for loading on V2 cameras, but it is not an issue for V1 cameras. The custom UBI image is part of the firmware updates, so every time we flash a new firmware we will need to fix the custom UBI partition?

UPGRADED_MSG: native 1

UPGRADED_MSG: verify_native failed

 

 

dd if=/dev/mtd/1 bs=4096 count=1 2>&1

displays native=1 in the China FW. So it has to be changed to 0, I think.

 

 

I think the config partition and uboot are the most interesting parts.

What do you think about this:

dd if=/dev/mtd/1 bs=4096 count=1 2>&1 | grep -m 1 ^HWID=

Maybe there is localization info in this mtd device?

You're wrong!


Yes... or we need to make the firmware native=1 true by adding the Chinese language files to the firmware.

I can repack the img file, but the size somehow is a little bit larger. I think it's because of different LZO libraries.

I just remembered something interesting about the HWID... I'm looking at my old notes. I was playing around with changing the HWID the other day in uboot, but I forgot to update mtd1 with the changes. I'll try that now.

UPGRADED_MSG: native 1

UPGRADED_MSG: verify_native failed

 

 

dd if=/dev/mtd/1 bs=4096 count=1 2>&1

displays native=1 in the China FW. So it has to be changed to 0, I think.

 

 

I think the config partition and uboot are the most interesting parts.

What do you think about this:

dd if=/dev/mtd/1 bs=4096 count=1 2>&1 | grep -m 1 ^HWID=

Maybe there is localization info in this mtd device?

 

 

Can you print the output of dd if=/dev/mtd/1 bs=4096 count=1 2>&1?

 

I was chasing a lead in this area early this week, and I just had another thought. I'd like to close the loop on this one.

UPGRADED_MSG: native 1

UPGRADED_MSG: verify_native failed

 

 

dd if=/dev/mtd/1 bs=4096 count=1 2>&1

displays native=1 in the China FW. So it has to be changed to 0, I think.

 

Can you print the output of dd if=/dev/mtd/1 bs=4096 count=1 2>&1?

 

I was chasing a lead in this area early this week, and I just had another thought. I'd like to close the loop on this one.

 

Somehow I can't; it was working earlier, now I get this:

~ # dd if=/dev/mtd/1 bs=4096 count=1 2>&1

ýÛæbootdelay=3~ #

 

Made it:

bootdelay=3
baudrate=115200
ipaddr=192.168.1.108
serverip=192.168.1.1
autoload=yes
gatewayip=192.168.1.1
netmask=255.255.255.0
wifiaddr=00:12:34:56:78:91
dh_keyboard=1
sysbackup=1
logserver=127.0.0.1
loglevel=4
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
ethact=ambarella mac
stdin=serial
stdout=serial
stderr=serial
HWID=IPC-HDW4100C:01:02:05:19:0A:00:01:06:01:00:00:210:00:00:02:00:00:00:00:00:100
devalias=IPC-HDW4300C
da=tftp 0xc2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;nand protect off;flwrite;nand protect on
dr=tftp 0xc2000000 romfs-x.ubifs.img; flwrite
dk=tftp 0xc2000000 kernel.img; flwrite
du=tftp 0xc2000000 user-x.ubifs.img; flwrite
dw=tftp 0xc2000000 web-x.ubifs.img; flwrite
ds=tftp 0xc2000000 dsp-x.ubifs.img; flwrite
dc=tftp 0xc2000000 custom-x.ubifs.img; flwrite
dt=tftp 0xc2000000 data-x.ubifs.img; flwrite
df=tftp 0xc2000000 fpga.img; flwrite
up=tftp 0xc2000000 update.img; flwrite
tk=tftp 0xc2000000 uImage; bootm
bootcmd=nand read 0xc2000000 0x00c80000 0x00580000;bootm 0xc2000000
bootargs=console=ttyS0 mem=138M ubi.mtd=romfs root=ubi0:romfs ro rootfstype=ubifs init=/linuxrc video=amb0fb:720x480,720x480,1,0 lpj=2392064
ID=1A01870PAA00120
native=1
filesize=200
fileaddr=C7000000
ethaddr=4C:11:BF:9C:EF:30
appauto=0

 

My camera is 4300c
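A small parser for the U-Boot environment block that dd returns from /dev/mtd/1, added here as an example and not code from the thread: it checks the 4-byte CRC32 header (the unprintable bytes printed ahead of bootdelay=3 in the dump above are that header) before trusting the HWID, devalias and native values, so a corrupt or mis-copied block is not mistaken for a locale flag. It assumes the standard non-redundant U-Boot env layout and a 4096-byte env (matching bs=4096 count=1); the sample variables are constructed from the posted dump with most entries left out.

```python
"""Parse a raw U-Boot environment block, e.g. a dump of /dev/mtd/1 from the camera.

Added example, not code from the thread. Relies on the standard U-Boot env layout:
a 4-byte little-endian CRC32 over the data area, then NUL-separated KEY=VALUE
strings terminated by a double NUL. ENV_SIZE and SAMPLE_VARS are assumptions
modelled on the dump posted above.
"""
import struct
import sys
import zlib

ENV_SIZE = 4096  # matches `dd bs=4096 count=1` in the thread (assumed non-redundant env)

# Constructed sample, modelled on the posted dump; most variables are omitted.
SAMPLE_VARS = {
    "bootdelay": "3",
    "baudrate": "115200",
    "HWID": "IPC-HDW4100C:01:02:05:19:0A:00:01:06:01:00:00:210:00:00:02:00:00:00:00:00:100",
    "devalias": "IPC-HDW4300C",
    "ID": "1A01870PAA00120",
    "native": "1",
    "appauto": "0",
}


def build_env(variables, size=ENV_SIZE):
    """Serialise variables into a U-Boot env image (used here only to build sample input)."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    if len(body) > size - 4:
        raise ValueError("variables do not fit in the env area")
    body = body.ljust(size - 4, b"\0")          # U-Boot pads the data area with NULs
    return struct.pack("<I", zlib.crc32(body)) + body


def parse_env(raw):
    """Verify the CRC, then split the data area into a dict; raise on a corrupt block."""
    if len(raw) < 8:
        raise ValueError("env block too short")
    stored_crc, = struct.unpack("<I", raw[:4])
    data = raw[4:]
    if zlib.crc32(data) != stored_crc:
        raise ValueError("U-Boot env CRC mismatch: block is corrupt or not an env")
    env = {}
    for entry in data.split(b"\0"):
        if not entry:
            break                                # double NUL terminates the environment
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def locale_flags(env):
    """Pull out the entries the thread was chasing (HWID, devalias, native); None if absent."""
    return {k: env.get(k) for k in ("HWID", "devalias", "native")}


if __name__ == "__main__":
    # Usage: python uboot_env.py mtd1.bin
    # where mtd1.bin was saved on the camera with `dd if=/dev/mtd/1 of=mtd1.bin bs=4096 count=1`
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_env(SAMPLE_VARS)
    for key, value in locale_flags(parse_env(raw)).items():
        print(f"{key}={value}")
```

Saving the block to a file with `of=` and parsing it offline avoids the garbled terminal output shown above, and the CRC check tells you whether the dump is intact before you read anything into native=1.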


This is driving me nuts!!!!! So I can get the newest firmware to run V2.420.0005.0.R.20141205 by changing 2 files in 2 locations.

 

mv English.txt to SimpChinese.txt in /usr/data/Strings & /mnt/custom

modify i18n & change language to SimpChinese in /usr/data/Strings & /mnt/custom

 

These changes will allow all the new firmware to work, but I still can't find the root cause. Somewhere outside the partitions that get flashed by the firmware, there is a flag that makes the camera "require" Chinese firmware....

 

If you load any 2.42 version of English firmware, you will need to fake it by renaming the key files to Chinese.

 

I want to find what the Chinese flag is on the camera so I can change it and then load English firmware without modifications.

 

Arghhhhh!


Here's what I believe to be true at this point.

 

1. There doesn't appear to be any env variables set in uboot that affect language.

2. The following img files are part of the firmware bin file:

 

check.img <----- this is possibly related but I have not fully investigated

custom-x.ubifs.img

dhboot.bin.img

kernel.img

partition-x.cramfs.img

pd-x.ubifs.img

romfs-x.ubifs.img

user-x.ubifs.img

web-x.ubifs.img

 

3. The mtd partitions are:

mtd0: 00100000 00020000 "U-Boot" <---- Uboot

mtd1: 00100000 00020000 "hwid" <----- loaded with env variables from uboot

mtd2: 00100000 00020000 "updateflag" <---- ??? Is this the key to solving this issue? contains binary data. Will review

mtd3: 00100000 00020000 "partition" <---- loaded from img in firmware update

mtd4: 00340000 00020000 "custom" <---- loaded from img in firmware update

mtd5: 00340000 00020000 "product" <---- loaded from img in firmware update

mtd6: 00580000 00020000 "Kernel" <---- loaded from img in firmware update

mtd7: 00800000 00020000 "romfs" <---- loaded from img in firmware update

mtd8: 00800000 00020000 "web" <---- loaded from img in firmware update

mtd9: 01980000 00020000 "user" <---- loaded from img in firmware update

mtd10: 00400000 00020000 "syslog"

mtd11: 00400000 00020000 "config" <----- connected to HWID (see /usr/etc/checkHWID.sh) May be indirectly related

mtd12: 00400000 00020000 "backup"

 

 

Somewhere outside the data that is flashed by the firmware, exists a language/China flag that is used and compared to when running the newer firmware....

 

The hunt continues....


So I managed to edit the custom img file from the firmware, repack it, sign the CRC and...

I have flashable firmware from the web interface in English.

So I managed to edit the custom img file from the firmware, repack it, sign the CRC and...

I have flashable firmware from the web interface in English.

So I managed to edit the custom img file from the firmware, repack it, sign the CRC and...

I have flashable firmware from the web interface in English.

 

 

Very nice vcka!

 

What I'm after is trying to get to the root cause of what is blocking the General release ENG Firmware files from loading on the camera without modification. The camera seems to have something that blocks English firmware from running. It will load just fine, but the sonia process fails on a language check.

 

This behavior would indicate that there is a setting outside the firmware partitions that is checked for what language is allowed to run on the camera. Many of the cameras off AliExpress seem to be locked to Chinese on the newer firmware. I posted a simple workaround, but it would be nice to understand what is blocking it from running, then to correct it and be able to load regular firmware without modification.

Hi.

 

I think these firmware posts are going too far.

 

Once it's been stated it's to help Chinese copies of real software, then it becomes software theft.

 

Everyone in the security industry installs to protect customers' homes or businesses from theft or to protect against it.

 

Both Hikvision and Dahua work hard to try and stop their software getting back into China copies.

 

Asking people to send firmware from real cameras to open it up for others to use is a big copyright problem and is also theft.

 

 

This forum has become in the last few weeks a portal to help Ali, Newegg and eBay sellers to continue selling copy cameras.

 

Copyright theft is not a good way to go for the forum ... And not good for Hikvision or Dahua distributors or OEM companies.

Chinese copies are taking their business away ..... And also making the names of Dahua or Hikvision not a reliable security system to use in high-end installs .... With all the back door openings to their software being posted to everyone.


You're right tomcctv!

But maybe these manufacturers should think about it more.

After all, nothing has changed. That's their problem in the first place. They lose money!!!

In any case, an open solution will earn only for the Chinese, from all the others. All the others only lose!
Hi.

 

I think these firmware posts are going too far.

 

Once it's been stated it's to help Chinese copies of real software, then it becomes software theft.

 

Everyone in the security industry installs to protect customers' homes or businesses from theft or to protect against it.

 

Both Hikvision and Dahua work hard to try and stop their software getting back into China copies.

 

Asking people to send firmware from real cameras to open it up for others to use is a big copyright problem and is also theft.

 

 

This forum has become in the last few weeks a portal to help Ali, Newegg and eBay sellers to continue selling copy cameras.

 

Copyright theft is not a good way to go for the forum ... And not good for Hikvision or Dahua distributors or OEM companies.

Chinese copies are taking their business away ..... And also making the names of Dahua or Hikvision not a reliable security system to use in high-end installs .... With all the back door openings to their software being posted to everyone.

 

 

I'm not sure what you are referring to, but I don't recall anyone asking for firmware from real cameras to open it up for others. Nor do I think anyone has stated that they are trying to help Chinese copy real software.

 

The binaries that provide the functionality for the camera have not been decompiled or reverse engineered. We have just been exploring the structure and operation of the cameras. It's no different than logging into your print server, digital billboards, Apple TV, or any other Linux-based device to see how it's put together.

 

I bought a few cameras and I believe them to be the real deal, but the fact remains that support sucks big time! Just because I bought them from Chinese resellers does not make them fake. These products are in high demand and many people don't want to pay 3 times the price giving a cut to distribution, resellers and integrators. Sure you get support from these channels, but most support is mediocre at best and many people are capable of supporting themselves if the information is made available.

 

As a person who likes to take things apart and see how they work, I have spent some time looking into the inner workings of these little computers. I bricked one of my cameras on my first attempt to update it and took it upon myself to figure out how it all works.

 

I've since realized that my cameras are locked to Chinese firmware and, due to my inquisitive nature, will figure out how it's done. There are tons of posts and threads on other manufacturers' cameras and how to unlock Chinese firmware. It's no different than people unlocking their cell phones, tablets etc. The point is that sharing information that we learn from our own efforts is a good thing. These cameras have many issues that the manufacturer should and could address if they cared about the quality of their products.

 

A company who does not share firmware updates publicly is only encouraging people to dig deeper. Had I had access to firmware when I bricked my camera, I would have reloaded it and been done with it. But because it wasn't, I was left to fend for myself and get things resolved.

 

There is nothing "special" about these cameras that has been disclosed in these forums beyond what can reasonably be discovered with an ounce of common sense, a little time and the desire to do so. I'm not an expert in any of this stuff and I was able to figure all this out with minimal effort. As far as the statement "With all back door openings to their software being posted to everyone"... There are no backdoor openings being posted to everyone, and if there were it would be in the interest of the company to know about them and fix them. They ARE a security company by the way!
