Dahua Firmware Mod Kit + Modded Dahua Firmware

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Once the camera powered up, I browsed through the setup options, including STORAGE, but found nothing new. In other words, the camera is not seeing or recognizing the SD card.
If you have telnet access to the camera, check the kernel log after power on to see if there are any references to finding and initiallising an SD interface, for example:
cat /proc/kmsg
or
dmesg
or checking for an SD/MMC device
ls -al /dev/mm*
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
If you have telnet access to the camera, check the kernel log after power on to see if there are any references to finding and initiallising an SD interface, for example:
cat /proc/kmsg
or
dmesg
or checking for an SD/MMC device
ls -al /dev/mm*
Do what he said first to check if the kernel even detected the SDCard.

The camera determines SDCard support through the HWID:
From user-x.squashfs.img: /etc/IPCimod
Code:
SDCAP=$(gethwid 11)temp=${SDCAP##*hwidValue == }
cap_sd=${temp%% *}
echo cap_sd $cap_sd
and later in the script it does this:
Code:
	if [ $cap_sd -eq 0 ];then
		sed 's/\"FTP\" \: false/\"FTP\" \: true/' /var/tmp/pd/CustomConfig | \
		sed 's/\"Local\" \: true/\"Local\" \: false/' | \
		sed 's/\"Remote\" \: false/\"Remote\" \: true/' | \
		sed 's/\"Local\" \: false, \"FTP\" \: true/\"FTP\" \: true, \"Local\" \: false/'  > /var/tmp/pd/CustomConfig~
		mv -f /var/tmp/pd/CustomConfig~ /var/tmp/pd/CustomConfig
	fi
So I guess you could put that last part in a .sh script in /tmp and run it with telnet after the cam has booted?
You could also modify the HWID in the U-Boot env, that could however have other effects. Can always revert it though.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
Interesting. I have a few Themis cams ... but not a lot of reason to tinker with their firmware as they are working fine.

It would be cool though to make the camera load jpeg video in browsers that don't have the plugin installed. I can't begin to imagine why they don't do this by default.

Also, would it be possible to take a PAL camera and convert it to NTSC via firmware, so as to unlock 30/60 FPS instead of the 25/50 FPS of PAL? Or is there a hardware difference?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I could try, same file I modified to change my 4216-4k back to english had options for ntsc/pal but I did not mess w/em.. probably.

all the source for the webui is hackable, but its all been minified so making sweeping changes could prove painful.

would be nice to have a html5 video page we could slap in there and have work w/out plugins hehe
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
I could try, same file I modified to change my 4216-4k back to english had options for ntsc/pal but I did not mess w/em.. probably.

all the source for the webui is hackable, but its all been minified so making sweeping changes could prove painful.

would be nice to have a html5 video page we could slap in there and have work w/out plugins hehe
Yup. It would be nice if it could play h264 video, but it is hard to get h264 streaming live (with < 1 second delay) to a browser without plugins, and practically impossible without server-side code to tunnel something through a web socket. Refreshing a jpeg frame, on the other hand, is trivial and would be more than sufficient for testing configuration changes (exposure, WDR, sharpness, etc).
 

sumguy

Getting the hang of it
Joined
Jan 23, 2016
Messages
106
Reaction score
21
So, to summarize: I have two HDW4431C-A cameras:

This one has a socket soldered to it and quipped with a 32GB SD card
Device Type IPC-HDW4431C-A
Software Version 2.420.0000.17.R, build : 2016-03-13
WEB Version 3.2.1.331232
ONVIF Version 2.4.2

-- and --

This one is stock.
Device Type IPC-HDW4431C-A
Software Version 2.420.0000.21.R, Build Date: 2016-07-24
WEB Version 3.2.1.364036
ONVIF Version 2.42

I have telnet access to both cameras.
I've checked kmsg looking for any mount command of the SD card, to no avail.
I also executed ls -al /dev/mm* and ls -al /dev/sd* to no avail.

Incidently, both camera behave (similar output) when listing various directories.
It seems like the kernel does not detect the SD card. I will try accessing the
card in a Windows PC tomorrow to rule out a defective card.

I also executed the sed commands (cor35vet's post: Thanks!), but no joy before
nor after a reboot.


I will post excerpts of the telnet session tomorrow (over 82KB).

Some tidbits:

Code:
~ # less /proc/filesystems
nodev    sysfs
nodev rootfs
nodev bdev
nodev proc
nodev cgroup
nodev tmpfs
nodev sockfs
nodev pipefs
nodev anon_inodefs
nodev rpc_pipefs
nodev devpts
      squashfs
nodev ramfs
      vfat
      msdos
nodev nfs
nodev nfs4
nodev jffs2
nodev mtd_inodefs
 
~ # mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock4 on /mnt/custom type squashfs (ro,relatime)
/dev/mtdblock5 on /mnt/pd type squashfs (ro,relatime)
/dev/mtdblock8 on /mnt/web type squashfs (ro,relatime)
/dev/mtdblock9 on /usr type squashfs (ro,relatime)
/dev/mtdblock10 on /mnt/syslog type jffs2 (rw,relatime)
/dev/mtdblock11 on /mnt/mtd type jffs2 (rw,relatime)
/dev/mtdblock12 on /mnt/backup type jffs2 (rw,relatime)
tmpfs on /usr/data/Strings/SimpChinese.txt type tmpfs (rw,relatime)
tmpfs on /usr/data/Strings/i18n type tmpfs (rw,relatime)
tmpfs on /mnt/custom/SimpChinese.txt type tmpfs (rw,relatime)
tmpfs on /mnt/custom/i18n type tmpfs (rw,relatime)
/dev/mtdblock8 on /mnt/web/help/SimpChinese type squashfs (ro,relatime)
 
~ # ls -al /dev
total 4
drwxrwxrwt    6 root     root          3720 Sep 24 01:06 .
drwxr-xr-x   17 root     root           214 Jan  1  1970 ..
drwxr-xr-x    4 root     root           100 Jan  1  1970 .udev
crw-------    1 root     root      218,  61 Jan  1  1970 acodec
crw-------    1 root     root      218,  14 Jan  1  1970 adec
crw-------    1 root     root      218,  13 Jan  1  1970 aenc
crw-------    1 root     root      218,   5 Jan  1  1970 ai
crw-------    1 root     root      218,   6 Jan  1  1970 ao
crw-------    1 root     root      250,   0 Jan  1  1970 binder
crw-------    1 root     root      251,   0 Jan  1  1970 binderNS
crw-------    1 root     root      252,   0 Jan  1  1970 binderSR
crw-------    1 root     root      218,  25 Jan  1  1970 chnl
crw-rw-rw-    1 root     root        5,   1 Sep 27 19:56 console
crw-rw-rw-    1 root     root       10,  62 Jan  1  1970 cpu_dma_latency
crw-------    1 root     root       29,   0 Jan  1  1970 fb0
lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
crw-rw-rw-    1 root     root        1,   7 Jan  1  1970 full
crw-rw-rw-    1 root     root       10,  63 Jan  1  1970 gmac
crw-------    1 root     root      218,  22 Jan  1  1970 h264e
crw-------    1 root     root      218,  23 Jan  1  1970 h265e
-rw-r--r--    1 root     root           100 Sep 24 01:06 h_Dahua_IPC_HX4XXX-Eos_2420000021R2016072_leslie
crw-------    1 root     root      218,  60 Jan  1  1970 hi_mipi
crw-------    1 root     root      218,  63 Jan  1  1970 hi_tde
crw-------    1 root     root      218,  62 Jan  1  1970 hifb
crw-------    1 root     root      218,  20 Jan  1  1970 isp_dev
crw-------    1 root     root      218,  17 Jan  1  1970 ive
crw-------    1 root     root       77,  12 Jan  1  1970 ivf
crw-------    1 root     root      218,  24 Jan  1  1970 jpege
crw-rw-rw-    1 root     root        1,  11 Jan  1  1970 kmsg
crw-------    1 root     root      253,   0 Jan  1  1970 logDev
crw-------    1 root     root      218,  12 Jan  1  1970 logmpp
crw-rw-rw-    1 root     root        1,   1 Jan  1  1970 mem
drw-rw-rw-    2 root     root            40 Jan  1  1970 misc
crw-------    1 root     root       10,  59 Jan  1  1970 mmz_userdev
drw-rw-rw-    2 root     root           380 Jan  1  1970 mtd
crw-rw-rw-    1 root     root       90,   0 Jan  1  1970 mtd0
crw-rw-rw-    1 root     root       90,   1 Jan  1  1970 mtd0ro
crw-rw-rw-    1 root     root       90,   2 Jan  1  1970 mtd1
crw-rw-rw-    1 root     root       90,  20 Jan  1  1970 mtd10
crw-rw-rw-    1 root     root       90,  21 Jan  1  1970 mtd10ro
crw-rw-rw-    1 root     root       90,  22 Jan  1  1970 mtd11
crw-rw-rw-    1 root     root       90,  23 Jan  1  1970 mtd11ro
crw-rw-rw-    1 root     root       90,  24 Jan  1  1970 mtd12
crw-rw-rw-    1 root     root       90,  25 Jan  1  1970 mtd12ro
crw-rw-rw-    1 root     root       90,   3 Jan  1  1970 mtd1ro
crw-rw-rw-    1 root     root       90,   4 Jan  1  1970 mtd2
crw-rw-rw-    1 root     root       90,   5 Jan  1  1970 mtd2ro
crw-rw-rw-    1 root     root       90,   6 Jan  1  1970 mtd3
crw-rw-rw-    1 root     root       90,   7 Jan  1  1970 mtd3ro
crw-rw-rw-    1 root     root       90,   8 Jan  1  1970 mtd4
crw-rw-rw-    1 root     root       90,   9 Jan  1  1970 mtd4ro
crw-rw-rw-    1 root     root       90,  10 Jan  1  1970 mtd5
crw-rw-rw-    1 root     root       90,  11 Jan  1  1970 mtd5ro
crw-rw-rw-    1 root     root       90,  12 Jan  1  1970 mtd6
crw-rw-rw-    1 root     root       90,  13 Jan  1  1970 mtd6ro
crw-rw-rw-    1 root     root       90,  14 Jan  1  1970 mtd7
crw-rw-rw-    1 root     root       90,  15 Jan  1  1970 mtd7ro
crw-rw-rw-    1 root     root       90,  16 Jan  1  1970 mtd8
crw-rw-rw-    1 root     root       90,  17 Jan  1  1970 mtd8ro
crw-rw-rw-    1 root     root       90,  18 Jan  1  1970 mtd9
crw-rw-rw-    1 root     root       90,  19 Jan  1  1970 mtd9ro
brw-rw-rw-    1 root     root       31,   0 Jan  1  1970 mtdblock0
brw-rw-rw-    1 root     root       31,   1 Jan  1  1970 mtdblock1
brw-rw-rw-    1 root     root       31,  10 Jan  1  1970 mtdblock10
brw-rw-rw-    1 root     root       31,  11 Jan  1  1970 mtdblock11
brw-rw-rw-    1 root     root       31,  12 Jan  1  1970 mtdblock12
brw-rw-rw-    1 root     root       31,   2 Jan  1  1970 mtdblock2
brw-rw-rw-    1 root     root       31,   3 Jan  1  1970 mtdblock3
brw-rw-rw-    1 root     root       31,   4 Jan  1  1970 mtdblock4
brw-rw-rw-    1 root     root       31,   5 Jan  1  1970 mtdblock5
brw-rw-rw-    1 root     root       31,   6 Jan  1  1970 mtdblock6
brw-rw-rw-    1 root     root       31,   7 Jan  1  1970 mtdblock7
brw-rw-rw-    1 root     root       31,   8 Jan  1  1970 mtdblock8
brw-rw-rw-    1 root     root       31,   9 Jan  1  1970 mtdblock9
lrwxrwxrwx    1 root     root             9 Jan  1  1970 mytty -> /dev/null
crw-rw-rw-    1 root     root       10,  61 Jan  1  1970 network_latency
crw-rw-rw-    1 root     root       10,  60 Jan  1  1970 network_throughput
crw-rw-rw-    1 root     root        1,   3 Jan  1  1970 null
crw-------    1 root     root      243,   0 Jan  1  1970 pdcAdc
crw-------    1 root     root      248,   0 Jan  1  1970 pdcHwid
crw-------    1 root     root      247,   0 Jan  1  1970 pdcIRCut
crw-------    1 root     root      239,   0 Jan  1  1970 pdcMem
crw-------    1 root     root      242,   0 Jan  1  1970 pdcMisc
crw-------    1 root     root      249,   0 Jan  1  1970 pdcPartion
crw-------    1 root     root      240,   0 Jan  1  1970 pdcRecord
crw-------    1 root     root      246,   0 Jan  1  1970 pdcRtc
crw-------    1 root     root      245,   0 Jan  1  1970 pdcSmartIR
crw-------    1 root     root      241,   0 Jan  1  1970 pdcSramFile
crw-------    1 root     root      244,   0 Jan  1  1970 pdcWdt
crw-rw-rw-    1 root     root      108,   0 Jan  1  1970 ppp
crw-rw-rw-    1 root     root        5,   2 Sep 27 20:00 ptmx
drw-rw-rw-    2 root     root             0 Jan  1  1970 pts
crw-rw-rw-    1 root     root        1,   8 Jan  1  1970 random
crw-------    1 root     root      218,  21 Jan  1  1970 rc
crw-------    1 root     root      218,  16 Jan  1  1970 rgn
lrwxrwxrwx    1 root     root             9 Jan  1  1970 root -> mtdblock7
crw-------    1 root     root      238,   0 Jan  1  1970 senDev
crw-rw-rw-    1 root     root       10, 231 Jan  1  1970 snapshot
lrwxrwxrwx    1 root     root            15 Jan  1  1970 stderr -> /proc/self/fd/2
lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdout -> /proc/self/fd/1
crw-------    1 root     root      218,   8 Jan  1  1970 sys
crw-rw-rw-    1 root     root        5,   0 Jan  1  1970 tty
crw-rw-rw-    1 root     root        4,   0 Jan  1  1970 tty0
crw-rw-rw-    1 root     root        4,   1 Jan  1  1970 tty1
crw-rw-rw-    1 root     root        4,  10 Jan  1  1970 tty10
crw-rw-rw-    1 root     root        4,  11 Jan  1  1970 tty11
crw-rw-rw-    1 root     root        4,  12 Jan  1  1970 tty12
crw-rw-rw-    1 root     root        4,  13 Jan  1  1970 tty13
crw-rw-rw-    1 root     root        4,  14 Jan  1  1970 tty14
crw-rw-rw-    1 root     root        4,  15 Jan  1  1970 tty15
crw-rw-rw-    1 root     root        4,  16 Jan  1  1970 tty16
crw-rw-rw-    1 root     root        4,  17 Jan  1  1970 tty17
crw-rw-rw-    1 root     root        4,  18 Jan  1  1970 tty18
crw-rw-rw-    1 root     root        4,  19 Jan  1  1970 tty19
crw-rw-rw-    1 root     root        4,   2 Jan  1  1970 tty2
crw-rw-rw-    1 root     root        4,  20 Jan  1  1970 tty20
crw-rw-rw-    1 root     root        4,  21 Jan  1  1970 tty21
crw-rw-rw-    1 root     root        4,  22 Jan  1  1970 tty22
crw-rw-rw-    1 root     root        4,  23 Jan  1  1970 tty23
crw-rw-rw-    1 root     root        4,  24 Jan  1  1970 tty24
crw-rw-rw-    1 root     root        4,  25 Jan  1  1970 tty25
crw-rw-rw-    1 root     root        4,  26 Jan  1  1970 tty26
crw-rw-rw-    1 root     root        4,  27 Jan  1  1970 tty27
crw-rw-rw-    1 root     root        4,  28 Jan  1  1970 tty28
crw-rw-rw-    1 root     root        4,  29 Jan  1  1970 tty29
crw-rw-rw-    1 root     root        4,   3 Jan  1  1970 tty3
crw-rw-rw-    1 root     root        4,  30 Jan  1  1970 tty30
crw-rw-rw-    1 root     root        4,  31 Jan  1  1970 tty31
crw-rw-rw-    1 root     root        4,  32 Jan  1  1970 tty32
crw-rw-rw-    1 root     root        4,  33 Jan  1  1970 tty33
crw-rw-rw-    1 root     root        4,  34 Jan  1  1970 tty34
crw-rw-rw-    1 root     root        4,  35 Jan  1  1970 tty35
crw-rw-rw-    1 root     root        4,  36 Jan  1  1970 tty36
crw-rw-rw-    1 root     root        4,  37 Jan  1  1970 tty37
crw-rw-rw-    1 root     root        4,  38 Jan  1  1970 tty38
crw-rw-rw-    1 root     root        4,  39 Jan  1  1970 tty39
crw-rw-rw-    1 root     root        4,   4 Jan  1  1970 tty4
crw-rw-rw-    1 root     root        4,  40 Jan  1  1970 tty40
crw-rw-rw-    1 root     root        4,  41 Jan  1  1970 tty41
crw-rw-rw-    1 root     root        4,  42 Jan  1  1970 tty42
crw-rw-rw-    1 root     root        4,  43 Jan  1  1970 tty43
crw-rw-rw-    1 root     root        4,  44 Jan  1  1970 tty44
crw-rw-rw-    1 root     root        4,  45 Jan  1  1970 tty45
crw-rw-rw-    1 root     root        4,  46 Jan  1  1970 tty46
crw-rw-rw-    1 root     root        4,  47 Jan  1  1970 tty47
crw-rw-rw-    1 root     root        4,  48 Jan  1  1970 tty48
crw-rw-rw-    1 root     root        4,  49 Jan  1  1970 tty49
crw-rw-rw-    1 root     root        4,   5 Jan  1  1970 tty5
crw-rw-rw-    1 root     root        4,  50 Jan  1  1970 tty50
crw-rw-rw-    1 root     root        4,  51 Jan  1  1970 tty51
crw-rw-rw-    1 root     root        4,  52 Jan  1  1970 tty52
crw-rw-rw-    1 root     root        4,  53 Jan  1  1970 tty53
crw-rw-rw-    1 root     root        4,  54 Jan  1  1970 tty54
crw-rw-rw-    1 root     root        4,  55 Jan  1  1970 tty55
crw-rw-rw-    1 root     root        4,  56 Jan  1  1970 tty56
crw-rw-rw-    1 root     root        4,  57 Jan  1  1970 tty57
crw-rw-rw-    1 root     root        4,  58 Jan  1  1970 tty58
crw-rw-rw-    1 root     root        4,  59 Jan  1  1970 tty59
crw-rw-rw-    1 root     root        4,   6 Jan  1  1970 tty6
crw-rw-rw-    1 root     root        4,  60 Jan  1  1970 tty60
crw-rw-rw-    1 root     root        4,  61 Jan  1  1970 tty61
crw-rw-rw-    1 root     root        4,  62 Jan  1  1970 tty62
crw-rw-rw-    1 root     root        4,  63 Jan  1  1970 tty63
crw-rw-rw-    1 root     root        4,   7 Jan  1  1970 tty7
crw-rw-rw-    1 root     root        4,   8 Jan  1  1970 tty8
crw-rw-rw-    1 root     root        4,   9 Jan  1  1970 tty9
crw-rw-rw-    1 root     root      204,  64 Jan  1  1970 ttyAMA0
crw-rw-rw-    1 root     root      204,  65 Jan  1  1970 ttyAMA1
crw-rw-rw-    1 root     root      204,  66 Jan  1  1970 ttyAMA2
crw-rw-rw-    1 root     root      204,  64 Jan  1  1970 ttyS0
crw-rw-rw-    1 root     root      204,  64 Jan  1  1970 ttyS000
crw-rw-rw-    1 root     root      204,  65 Jan  1  1970 ttyS1
crw-rw-rw-    1 root     root        1,   9 Jan  1  1970 urandom
crw-------    1 root     root      218,   9 Jan  1  1970 vb
crw-rw-rw-    1 root     root        7,   0 Jan  1  1970 vcs
crw-rw-rw-    1 root     root        7,   1 Jan  1  1970 vcs1
crw-rw-rw-    1 root     root        7, 128 Jan  1  1970 vcsa
crw-rw-rw-    1 root     root        7, 129 Jan  1  1970 vcsa1
crw-------    1 root     root      218,   4 Jan  1  1970 vda
crw-------    1 root     root      218,   2 Jan  1  1970 venc
crw-------    1 root     root      218,  19 Jan  1  1970 vgs
crw-------    1 root     root      218,   0 Jan  1  1970 vi
crw-------    1 root     root      218,   1 Jan  1  1970 vo
crw-------    1 root     root      218,  10 Jan  1  1970 vpss
crw-rw-rw-    1 root     root        1,   5 Jan  1  1970 zero
I also tried checking all the /dev/mtd* devices without any joy.

Thanks to all who contributed to the thread that got me started.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
If the kernel isn't seeing the SD card, then you are most likely missing some additional hardware on the PCB like a resistor or capacitor that is required for the SD card.
Or maybe sonia is doing some other weird stuff, try running that shell script then killall sonia and run sonia again after that (by just typing sonia).
Rebooting won't really do anything there because that's in tmpfs.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
I notice the modded Themis firmware bin file is about 1 MB larger than the official image from dahuatech.com. Is this just the additional languages adding to the size? About how much more space is available before the image is too big?
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
I notice the modded Themis firmware bin file is about 1 MB larger than the official image from dahuatech.com. Is this just the additional languages adding to the size? About how much more space is available before the image is too big?
Original: 13824405 bytes
Modified: 13914063 bytes
Difference: 89658 bytes = 87.55KiB

0/10 see you after class!

Oh you just reminded me that I also have to push the Themis config to the Dahua-Firmware-Mod-Kit Github, gonna do that soon™
You can check the partition sizes in there ^
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
Hahaha. You are absolutely right of course. Firefox is wrong. I bet the Chinese web server lied about the file size and FF used that, but downloaded the entire thing.

 
  • Like
Reactions: xzf

xzf

n3wb
Joined
Sep 19, 2016
Messages
1
Reaction score
0
I modded an Alps firmware,I want to change my Chinese firmware camera into English,I just replaced "SimpChinese.txt" content with English translate,but the camera briking.
I have no idea how to patch sonia
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
On the subject of using /cgi-bin/snapshot.cgi as a video source in browsers that don't support the streaming plugin ... I noticed that loading this snapshot image requires basic authentication even if you have already logged in to the camera via the normal method. I know of no way to automate a basic authentication login using JavaScript. So I think you'd have to make the user log in a second time. That is, unless there is another way to authenticate to the snapshot.cgi page. Perhaps via URL parameters. Oh well. I do not intend to pursue it any further.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
I modded an Alps firmware,I want to change my Chinese firmware camera into English,I just replaced "SimpChinese.txt" content with English translate,but the camera briking.
I have no idea how to patch sonia
Okay, first of all put your hacking gloves and dark sunglasses on.

When the camera starts it autostarts telnetd and sonia, telnetd is up right away and sonia takes a few seconds until it gets to the point where it loads the language files.
There are checks in place to verify the language files (which I have patched in my FW) and in case of a mismatch it'll just reboot right away.

So you have to telnet into the cam as fast as possible and run "killall sonia".
Now you triggered another bomb, the hardware watchdog will murder the camera in less than 60 seconds.
Next to disable the autostart of sonia you type "appauto 0" and wait until the cam reboots.

From there you can flash a working firmware via configtool, I suggest chinese unmodified one for now or just leave it like it is.
I wrote this to a guy asking me how to patch sonia in a PM:
You can see what files I have modified here for Eos: https://github.com/BotoX/DH_IPC-HX4X...commits/master
and for Themis: https://github.com/BotoX/DH_IPC-HX4X...commits/master

The hardest part is patching sonia with IDA Pro so it doesn't quit when you use another language.
For this you need to know about reverse engineering and ARM assembler to change instructions in the binary to skip certain code paths.

Maybe I could patch sonia for your camera, it should take me 15 minutes or so if they didn't change anything by now :D
Also Themis for example uses ARM THUMB assembler (16bit) instead of normal ARM 32bit assembler, which is a bit more complicated...


I'll look into making an FW for you camera tomorrow if you can give me the exact name of the FW/link to dahuas download page.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
108
Location
Germany
Thank you for your work. But i am wondering if the eos Verison is really compatible to this one:

Device Type IPC-HFW4431M-AS-I1
Software Version 2.460.0000.4.R, Build Date: 2016-06-21
WEB Version 3.2.1.354451
ONVIF Version 2.42
S/N 2F01101PAU00001
Copyright 2015,All Rights Reserved.
You can see its on 2.46 and not 2.42 ...

Whats now the right one? On the Chinese Download i also found Versions of later on. Did you try them?

Edit: sorry it was only newer for themis not eos ...
 
Last edited by a moderator:

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Thank you for your work. But i am wondering if the eos Verison is really compatible to this one:


You can see its on 2.46 and not 2.42 ...

Whats now the right one? On the Chinese Download i also found Versions of later on. Did you try them?
It's listed here: http://download.dahuatech.com/kit_det.php?cid=3876
Should be compatible, but the camera will (should?) reject wrong firmware.
I know that it works on IPC-HFW4431M-AS-I2 so very unlikely it won't work on yours.
 

TVT73

Pulling my weight
Joined
Aug 29, 2016
Messages
406
Reaction score
108
Location
Germany
Be really carefully with the newer generation. I had flashed with config tool v3.x a non working firmware from cz ftp in my hdw4431, unbricking is really difficult, because enabling telnet and logging in by hand is not possible any more ( you have around 3s left till reboot!), the old how to doesn't work any more.

I can only advice to try your firmwares under 2 circumstances :
You need to have a working firmware version as backup
Flash it only from telnet, you will see only there if the flash has been successfully and when not you can flash your known working version again.And test it with the working one, so that you learn how to do and how it looks.

I will give your version a try, because I know how to recover! All other should be really careful, otherwise they can brick the cam.
By time I will write down a recover way for telnet..., no time for it momentarily.
 

cor35vet

IPCT Contributor
Joined
Jun 23, 2016
Messages
337
Reaction score
246
Be really carefully with the newer generation. I had flashed with config tool v3.x a non working firmware from cz ftp in my hdw4431, unbricking is really difficult, because enabling telnet and logging in by hand is not possible any more ( you have around 3s left till reboot!), the old how to doesn't work any more.

I can only advice to try your firmwares under 2 circumstances :
You need to have a working firmware version as backup
Flash it only from telnet, you will see only there if the flash has been successfully and when not you can flash your known working version again.And test it with the working one, so that you learn how to do and how it looks.

I will give your version a try, because I know how to recover! All other should be really careful, otherwise they can brick the cam.
By time I will write down a recover way for telnet..., no time for it momentarily.
Your problem probably came from sonia quitting because of language or PAL/NTSC mismatch...
Which is patched in this firmware! :D
 

t0p0ne

n3wb
Joined
Oct 13, 2016
Messages
9
Reaction score
1
Guys, i need some help please..

I bought a couple of HDBW4431R-ZS that came in English firmware "originally" but right after i hard reset two of them, they've changed to Chinese language grrr..and needless to say it need them in English in order to work with. So i've been following this thread to upgrade the firmware DH_IPC-HX4XXX-Eos using IP ConfigTool port: 3800 but it doesn't appear to take it, because web UI is still in Chinese (FW 2.420.0.21).

I saw some of you guys saying connect the camera using either telnet, shh..But i can't quite get telnet to work, on all of my computers??!! Always run into this error" Could not open connection to the host, on port 23: Connect failed" each time despite telnet is enable and running, firewall is off.

What i'm trying to accomplish is rather simple - turn these damn cameras back to English, i don't necessarily need to flash upgrade the firmware.

So any suggestion is greatly appreciated as i'm kind of lost here.. :(
 
Top