Firmware update on IPC-Color4K-T180 / IPC-PDW5849-A180-E2-ASTE bricked it

mephisto_uk

Firmware update of my IPC-Color4K-T180 from empiretech went terribly wrong. Not sure if this is a buggy firmware update; the firmware was downloaded from empiretech's website (V3.140.0000000.32.R.250115), the update was done as usual, and the camera never came back working. When booting up, it picks up the IP 192.168.1.251, which I think is some sort of obscure recovery method for TFTP, then later it goes to 192.168.1.108. Dahua config tool cannot initialise it, and the web interface does not respond. I got a serial cable, used the firmware empiretech sent me on the SD card and ran sdupgrade to flash all files that were supplied. The camera came back alive. I was then recommended to flash the firmware from empiretech website once again, and then it got bricked again.

I tried to flash it back using the same procedure as before. No luck.

It seems the camera gets stuck right here when booting:


Code:
CPU: 1 PID: 526 Comm: upTool Tainted: G           O      4.19.132 #1
Hardware name: CHIPUP MDK-XS7320
[<c0211ef0>] (unwind_backtrace) from [<c020e330>] (show_stack+0x10/0x14)
[<c020e330>] (show_stack) from [<c076e608>] (dump_stack+0x94/0xa8)
[<c076e608>] (dump_stack) from [<c023be80>] (kernel_restart+0xc/0x58)
[<c023be80>] (kernel_restart) from [<c023be28>] (sys_reboot+0x1e0/0x1e8)
[<c023be28>] (sys_reboot) from [<c0201000>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc64e5fa8 to 0xc64e5ff0)
5fa0:                   0001c678 00000000 fee1dead 28121969 01234567 00000000
5fc0: 0001c678 00000000 00012400 00000058 00000000 00000000 b6ff4000 bef5c514
5fe0: b6f0c4c0 bef5c50c 0001c66c b6f0c4e0
reboot: Restarting system
$Tch SpiNand
Load 0x00000080 to 0x00100000,size=30332
Key hash pass!
Imgsign pass
Jmp 0x00100000

Info: write leveling start
Info: write leveling done

Info: dqs gating start
Info: dqs gating done

Info: read train start
Info: bypass read train done

Info: write train start
ddr init done

simple ddr test
swap
ddr_clk: 599500
cpu_clk: 1000000
enc_clk: 400000

DDR32bit done!

B: Dec 25 2024 00:27:50
chip id is 0x0x7FB3804C
mac io keep 3.3v
PreImgHeaderBase = 0x0010FE78
SpiNand : Scan Uimg @0x00100000
use 2 plane to read
Load 0x00100040 to 0x12000000,size=227704
rdbuf 131072 131072
SMC_loadPartition ReadPage ret 0
SMC_init crc done, start_addr 0x00200000 size 0x00001688 crc 0x224AA6B1
SmcReadNandID id = 0x7F7F01C8
SMC_nandInit set ESMT F50L1G1LB, id 0x000000C8 0x00000001
SMC_init done
Jmp 0x12000000


DH-Boot ver001.001.001-svn16508 (Dec 25 2024 - 00:27:18 +0800)

SMC_init nand ESMT F50L1G1LB, id 0xc8 0x1
SMC_init done
NAND Flash Init.
SMC_getNandInfo nand ESMT F50L1G1LB
id=0xc8 1
id_cnt=2
spare_size=64
page_size=2048
page_cnt=64
blk_cnt=1024
plane_cnt=1
bits_per_cell=1
luns_per_target=1
ntargets=1
ecc_bitlen=1
ecc_perlen=512
ecc_addr=0xc0
ecc_bitmask=0x30
ecc_errmask=0x20
rx_width=4
tx_width=1
 
Here is the list of files that I have from Empiretech:

[Attached image: 1748025667202.png]

There is a file called updatefilelist.txt with the following contents:

dhboot-min.bin.img
dhboot.bin.img
kernel.img
romfs-x.squashfs.img
web-x.squashfs.img
pd-x.squashfs.img
dhdtb.bin.img
firmware-x.squashfs.img
CmdScript.img

I copied those to a SD card and flashed them, which appear to flash just fine:


Code:
upTool#sdupgrade
[SD]:find 1 sd card!
[SD]:mount /dev/mmc1p1 success!
[SD]:start handle file /mnt/sd/dhboot-min.bin.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb657e008 ...
   Legacy image found
   Image Name:   boot
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    292604 Bytes = 285.75 kB = 0.28 MB
   Load Address: 00000000
   Entry Point:  00100000
   Verifying Checksum ... OK
crc from program is :0xe49add79
flwrite ok!
[SD]:start handle file /mnt/sd/CmdScript.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xd74df8 ...
   Legacy image found
   Image Name:   CmdScript
   Image Type:   ARM Linux Standalone Program (uncompressed)
   Data Size:    550 Bytes = 0.54 kB = 0.00 MB
   Load Address: 00000000
   Entry Point:  00000c00
   Verifying Checksum ... OK
crc from program is :0x1bb9e95d
flwrite ok!
[SD]:start handle file /mnt/sd/dhboot.bin.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xd74df8 ...
   Legacy image found
   Image Name:   boot
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    226992 Bytes = 221.67 kB = 0.22 MB
   Load Address: 00100000
   Entry Point:  001c0000
   Verifying Checksum ... OK
crc from program is :0xe80cd202
flwrite ok!
[SD]:start handle file /mnt/sd/kernel.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb6185008 ...
   Legacy image found
   Image Name:   kernel
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    4454400 Bytes = 4350.00 kB = 4.25 MB
   Load Address: 06600000
   Entry Point:  06d00000
   Verifying Checksum ... OK
crc from program is :0x2ae5b0b9
flwrite ok!
[SD]:start handle file /mnt/sd/romfs-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb48ae008 ...
   Legacy image found
   Image Name:   romfs
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    30502912 Bytes = 29788.00 kB = 29.09 MB
   Load Address: 04800000
   Entry Point:  06600000
   Verifying Checksum ... OK
crc from program is :0x4fc25aca
flwrite ok!
[SD]:start handle file /mnt/sd/web-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb57b7008 ...
   Legacy image found
   Image Name:   web
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    14737408 Bytes = 14392.00 kB = 14.05 MB
   Load Address: 06d00000
   Entry Point:  07d00000
   Verifying Checksum ... OK
crc from program is :0xa23e550f
flwrite ok!
[SD]:start handle file /mnt/sd/pd-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb640a008 ...
   Legacy image found
   Image Name:   pd
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    1814528 Bytes = 1772.00 kB = 1.73 MB
   Load Address: 07d00000
   Entry Point:  08000000
   Verifying Checksum ... OK
crc from program is :0x2325fe14
flwrite ok!
[SD]:start handle file /mnt/sd/dhdtb.bin.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xd74df8 ...
   Legacy image found
   Image Name:   dtb
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    279832 Bytes = 273.27 kB = 0.27 MB
   Load Address: 00500000
   Entry Point:  00600000
   Verifying Checksum ... OK
crc from program is :0x67e1d252
flwrite ok!
[SD]:start handle file /mnt/sd/firmware-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb3af8008 ...
   Legacy image found
   Image Name:   firmware
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    44879872 Bytes = 43828.00 kB = 42.80 MB
   Load Address: 01a00000
   Entry Point:  04800000
   Verifying Checksum ... OK
crc from program is :0x3ace2849
flwrite ok!
[SD]:/dev/mmc1p1 : upgrade 9 file success
upTool#

I do a reset, and I'm back to square 1:


Code:
upTool#upTool#reset
CPU: 0 PID: 526 Comm: upTool Tainted: G           O      4.19.132 #1
Hardware name: CHIPUP MDK-XS7320
[<c0211ef0>] (unwind_backtrace) from [<c020e330>] (show_stack+0x10/0x14)
[<c020e330>] (show_stack) from [<c076e608>] (dump_stack+0x94/0xa8)
[<c076e608>] (dump_stack) from [<c023be80>] (kernel_restart+0xc/0x58)
[<c023be80>] (kernel_restart) from [<c023be28>] (sys_reboot+0x1e0/0x1e8)
[<c023be28>] (sys_reboot) from [<c0201000>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc6459fa8 to 0xc6459ff0)
9fa0:                   0001c678 00000000 fee1dead 28121969 01234567 00000000
9fc0: 0001c678 00000000 00012400 00000058 00000000 00000000 b6f9a000 be978514
9fe0: b6eb24c0 be97850c 0001c66c b6eb24e0
reboot: Restarting system
$Tch SpiNand
Image flag error! read=0x63730923
Tch SpiNor
Mmc:Init failed!
DScan SpiNand
scan blk : 64
Load 0x00020080 to 0x00100000,size=30332
Key hash pass!
Imgsign pass
Jmp 0x00100000

Info: write leveling start
Info: write leveling done

Info: dqs gating start
Info: dqs gating done

Info: read train start
Info: bypass read train done

Info: write train start
ddr init done

simple ddr test
swap
ddr_clk: 599500
cpu_clk: 1000000
enc_clk: 400000

DDR32bit done!

B: Dec 25 2024 00:27:50
chip id is 0x0x7FB3804C
mac io keep 3.3v
PreImgHeaderBase = 0x0010FE78
FlagCrc fail, read=0x1C26B238, calc=0xA9A7F4ED
Tch SpiNand
Image flag error! read=0x63730923
Tch SpiNor
DScan SpiNand
scan blk : 64
SpiNand : Scan Uimg @0x00100000
use 2 plane to read
Load 0x00100040 to 0x12000000,size=227704
rdbuf 131072 131072
SMC_loadPartition ReadPage ret 0
SMC_init crc done, start_addr 0x00200000 size 0x00001688 crc 0x224AA6B1
SmcReadNandID id = 0x7F7F01C8
SMC_nandInit set ESMT F50L1G1LB, id 0x000000C8 0x00000001
SMC_init done
Jmp 0x12000000


DH-Boot ver001.001.001-svn16508 (Dec 25 2024 - 00:27:18 +0800)

SMC_init nand ESMT F50L1G1LB, id 0xc8 0x1
SMC_init done
NAND Flash Init.
SMC_getNandInfo nand ESMT F50L1G1LB
id=0xc8 1
id_cnt=2
spare_size=64
page_size=2048
page_cnt=64
blk_cnt=1024
plane_cnt=1
bits_per_cell=1
luns_per_target=1
ntargets=1
ecc_bitlen=1
ecc_perlen=512
ecc_addr=0xc0
ecc_bitmask=0x30
ecc_errmask=0x20
rx_width=4
tx_width=1
 
I've managed to get the firmware DH_IPC-HX5(4)XXX-Taurus_MultiLang_PN_Stream3_V3.120.0000000.39.R.230918 from Dahua, then copied the following to an sdcard:

firmware-x.squashfs.img
kernel.img
pd-x.squashfs.img
romfs-x.squashfs.img
web-x.squashfs.img

Booted the camera with serial cable, pressed shift+8 during boot to send * to the camera, then ran the command sdupgrade:

Code:
sdupgrade
[SD]:find 1 sd card!
FAT-fs (mmc1p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[SD]:mount /dev/mmc1p1 success!
[SD]:start handle file /mnt/sd/firmware-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb40f0008 ...
   Legacy image found
   Image Name:   firmware
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    38318080 Bytes = 37420.00 kB = 36.54 MB
   Load Address: 01a00000
   Entry Point:  04800000
   Verifying Checksum ... OK
crc from program is :0xfdd06d4b
flwrite ok!
[SD]:start handle file /mnt/sd/kernel.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb613c008 ...
   Legacy image found
   Image Name:   kernel
   Image Type:   ARM Linux Firmware (uncompressed)
   Data Size:    4451328 Bytes = 4347.00 kB = 4.25 MB
   Load Address: 06600000
   Entry Point:  06d00000
   Verifying Checksum ... OK
crc from program is :0xcf87005e
flwrite ok!
[SD]:start handle file /mnt/sd/pd-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb641e008 ...
   Legacy image found
   Image Name:   pd
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    1429504 Bytes = 1396.00 kB = 1.36 MB
   Load Address: 07d00000
   Entry Point:  08000000
   Verifying Checksum ... OK
crc from program is :0x65acbbb0
flwrite ok!
[SD]:start handle file /mnt/sd/romfs-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb4a05008 ...
   Legacy image found
   Image Name:   romfs
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    28794880 Bytes = 28120.00 kB = 27.46 MB
   Load Address: 04800000
   Entry Point:  06600000
   Verifying Checksum ... OK
crc from program is :0x6b7b3d0b
flwrite ok!
[SD]:start handle file /mnt/sd/web-x.squashfs.img
Otp version is 0x00000000, Flash version is 0x00000000
upTool_commonSwRsaVerify run successfully!

## Checking Image at 0xb574b008 ...
   Legacy image found
   Image Name:   web
   Image Type:   ARM Linux Standalone Program (gzip compressed)
   Data Size:    14876672 Bytes = 14528.00 kB = 14.19 MB
   Load Address: 06d00000
   Entry Point:  07d00000
   Verifying Checksum ... OK
crc from program is :0x9ca9fb8
flwrite ok!
[SD]:/dev/mmc1p1 : upgrade 5 file success
upTool#reset

A restart after that, and the camera is back working, but with old firmware, and the "AI" license is not valid. I'm sending the devinfo.dat to empiretech to get an updated license. It seems to have a conflict when switching from empiretech's firmware to Dahua directly, but I could not find

I'll try slightly older versions before the V3.140.0000000.32.R.250115 to see if I can get any other stable release. So far, V3.140.0000000.32.R.250115 has been a disaster for me.
 
On another note, if I manually update the 5 firmware files from Dahua V3.140.0000000.32.R.250115, the camera works on the first boot; if I power cycle the camera, it no longer works.
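
Added example (not part of the original post, and not Dahua or EmpireTech code): a small Python parser for the sdupgrade serial output shown above. It records each image's size, CRC and write status, then compares two flashing runs to list which images only the first run wrote and which ones changed. The function names are hypothetical, and the sample text is excerpted and shortened from the two transcripts in the post.

```python
import re

# Line shapes as they appear in the upTool sdupgrade transcripts quoted above.
FILE = re.compile(r"\[SD\]:start handle file \S*/(\S+)")
SIZE = re.compile(r"Data Size:\s+(\d+) Bytes")
CRC = re.compile(r"crc from program is :0x([0-9a-fA-F]+)")

def parse_sdupgrade(text):
    """Map each image file to the size, CRC and write status the tool printed."""
    images, cur = {}, None
    for line in text.splitlines():
        if m := FILE.search(line):
            cur = images[m.group(1)] = {"size": None, "crc": None, "written": False}
        elif cur is None:
            continue  # output before the first file is not per-image data
        elif m := SIZE.search(line):
            cur["size"] = int(m.group(1))
        elif m := CRC.search(line):
            cur["crc"] = int(m.group(1), 16)
        elif "flwrite ok!" in line:
            cur["written"] = True
    return images

def compare_runs(first, second):
    """Return (images only the first run wrote, images whose size or CRC differ)."""
    key = lambda rec: (rec["size"], rec["crc"])
    only_first = sorted(set(first) - set(second))
    changed = sorted(n for n in set(first) & set(second)
                     if key(first[n]) != key(second[n]))
    return only_first, changed

# Excerpts of the two transcripts in the post, shortened to two files and one.
RUN_9_FILES = """\
[SD]:start handle file /mnt/sd/dhboot.bin.img
   Data Size:    226992 Bytes = 221.67 kB = 0.22 MB
crc from program is :0xe80cd202
flwrite ok!
[SD]:start handle file /mnt/sd/kernel.img
   Data Size:    4454400 Bytes = 4350.00 kB = 4.25 MB
crc from program is :0x2ae5b0b9
flwrite ok!
"""
RUN_5_FILES = """\
[SD]:start handle file /mnt/sd/kernel.img
   Data Size:    4451328 Bytes = 4347.00 kB = 4.25 MB
crc from program is :0xcf87005e
flwrite ok!
"""
if __name__ == "__main__":
    print(compare_runs(parse_sdupgrade(RUN_9_FILES), parse_sdupgrade(RUN_5_FILES)))
```

Run on the full serial captures, the first list names the images that a later, smaller flash left in place from the earlier package.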