Howto reset OEM Dahua nvr

Ghostface

n3wb
Joined
Jan 11, 2022
Messages
6
Reaction score
4
Location
Belgium
Hi,

Just replaced an old oem (sefica) dahua nvr with a milestonesys server based solution.
Customer told me i could have the old dvr.
I dont know the password. I do not see a reset button inside.
Anyone who knows how i can reset this thing to factory default state ?

I Already tried removing the cmos battery.

Label says "DVR16IP4K-16P-S2" Not a dahua parts number.

Pictures here:
IMG20230324164831.jpgIMG20230324165431.jpgIMG20230324170438.jpg

Thanks in advance
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
If you feel like spending a bit of time on the topic, you could use or get an RS232 interface (not TTL serial) with a null modem cable to hook up to the serial console via the DB9 connector on the back panel.
There would probably be lots of interesting and maybe useful commands available through it.
 

Ghostface

n3wb
Joined
Jan 11, 2022
Messages
6
Reaction score
4
Location
Belgium
Hi, this board on top is only the 16p poe switch I think. Was not really looking at this pcb. I can take a picture when i m back at the office. But i was looking more at the mainboard on top of the picture for a reset button/ headers.

If you feel like spending a bit of time on the topic, you could use or get an RS232 interface (not TTL serial) with a null modem cable to hook up to the serial console via the DB9 connector on the back panel.
There would probably be lots of interesting and maybe useful commands available through it.
I can try that next week, i have a cable. I was thinking i would get stuck on a password prompt also ?
 

JeffCharger

Getting the hang of it
Joined
Jul 9, 2015
Messages
80
Reaction score
46
I don’t know whether this will help or not.

I do know that Lorex provides a service at their tech support line where, if you forget, or purchase a used DVR, they will reset a default psw on the unit if you give them a serial #. I’m not sure if Dahua does this or not.
 

Ghostface

n3wb
Joined
Jan 11, 2022
Messages
6
Reaction score
4
Location
Belgium
I get nothing out of the RS232 port.
Tried 115200 and 9600
Or my serial cable is not the correct one

I think the nvr will end up in the recycling bin.
 

Ghostface

n3wb
Joined
Jan 11, 2022
Messages
6
Reaction score
4
Location
Belgium
Found a different cable.

Normal boot output:

Code:
Special NAND id table Version 1.36
Nand ID: 0xEF 0xF1 0x80 0x95 0x00 0x00 0x00 0x00
stmmac_init,550,0x70431,3
PHY not link!

get_update_state,266,55,ff
get_update_state,266,aa,ff
get_update_state,266,5a,ff
*** INFO *** dul-backup state: NORMAL BOOT fail=0.


U-Boot 2010.06-svn2362 (Jul 21 2016 - 16:46:32)

CS:1 Block:64KB Chip:512KB Name:"w25x40"
Special NAND id table Version 1.36
Nand ID: 0xEF 0xF1 0x80 0x95 0x00 0x00 0x00 0x00
Block:128KB Page:2KB Chip:128MB*1 OOB:64B ECC:none Nand total size: 128MB
In:    serial
Out:   serial
Err:   serial
SCU:   load slave image ...OK
Read backup misc byte ... ok!
PRODUCT:>1U
can't find corresponding entry
[openbmp 251]### CRAMFS LOAD ERROR<0> for /bmp_logo.bmp!
load log failed
stmmac_init,550,0x70431,3
PHY not link!
Hit any key to stop autoboot:  0
stmmac_init,550,0x70431,3
PHY not link!
the network not link!
stmmac_init,550,0x70431,3
PHY not link!
.## Booting kernel from Legacy Image at 42000000 ...
   Image Name:   Linux-3.10.0_hi3536
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    3762472 Bytes = 3.6 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Loading Kernel Image ... OK
OK

Starting kernel ...
bootargs = console=ttyAMA0,115200 mem=928M root=/dev/mtdblock4 rootfstype=squashfs init=/linuxrc dh_keyboard=1 load_modules=1 toe=0 need_reset=0

Uncompressing Linux... done, booting the kernel.
I tried to hit any key multiple times to stop the boot process but that seems not to work.
Also after Uncompressing Linux... done, booting the kernel. nothing happens anymore.
I can type in the terminal but nothing happens.
No login screen.
Nothing.
 

Perimeter

Getting comfortable
Joined
Feb 18, 2023
Messages
557
Reaction score
581
Location
Europe
Just wondering: Did you ever try to take out the battery for an or more hour and put it back in? On PCs, this may clear the CMOS. I have no idea what it does on NCRs.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I tried to hit any key multiple times to stop the boot process but that seems not to work.
Suggestion :
Keep Shift-8 (*) pressed so it auto-repeats then power up the DVR, see if that interrupts u-boot.
If so, the commands
printenv
and
help
may provide useful info.

I can type in the terminal but nothing happens.
Which suggests the RS-232 TX is connected and working OK.
 

Ghostface

n3wb
Joined
Jan 11, 2022
Messages
6
Reaction score
4
Location
Belgium
Just wondering: Did you ever try to take out the battery for an or more hour and put it back in? On PCs, this may clear the CMOS. I have no idea what it does on NCRs.
Tried that. No Luck

Suggestion :
Keep Shift-8 (*) pressed so it auto-repeats then power up the DVR, see if that interrupts u-boot.
If so, the commands
printenv
and
help
may provide useful info.


Which suggests the RS-232 TX is connected and working OK.
Thanks @alastairstevenson !
I was able to stop the boot process.

printenv output:
Code:
hisilicon # printenv
bootargs=console=ttyAMA0,115200 mem=928M root=/dev/mtdblock4 rootfstype=squashfs                                                                                                                                                              init=/linuxrc
slave_autostart=1
slave_bootargs=mem=64M console=ttyAMA2,115200
bootcmd=autoup; nand read 0x42000000 0x300000 0x400000; bootm
slave_bootcmd=nand read 0x81000000 0x2100000 0x100000;nand read 0x82000000 0x220                                                                                                                                                             0000 0x300000;nand read 0x83000000 0x2500000 0xe00000;bootm 0x81000000 0x8200000                                                                                                                                                             0 0x83000000
bootdelay=3
Verif_Code=00000000000000000000000000000000
baudrate=115200
netup_timeout=1000
bootnandflash=1
loadaddr=0x42000000
key=000000000000
deviceid=0000000000000000
eth1addr=00:00:23:34:45:77
serverip=255.255.255.255
ipaddr=255.255.255.255
gatewayip=255.255.255.255
netmask=255.255.0.0
ver=U-Boot 2010.06-svn2362 (Jul 21 2016 - 16:46:32)
appauto=1
dh_keyboard=1
load_modules=1
sysbackup=0
da=tftp u-boot.bin.img; flwrite
dr=tftp romfs-x.squashfs.img; flwrite
du=tftp user-x.squashfs.img; flwrite
dw=tftp web-x.squashfs.img; flwrite
dl=tftp logo-x.squashfs.img; flwrite
ds=tftp slave-x.squashfs.img; flwrite
dc=tftp custom-x.squashfs.img; flwrite
up=tftp update.img; flwrite
tk=tftp uImage; bootm
pm=tftp 575s_PMX.bin.img; flwrite
dx=tftp u-boot_slave.bin.img; flwrite
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
netretry=no
updatetimeout=1000
tftptimeout=1000
restore=0
autonm=255.255.255.0
selfchecked=1
ethaddr=3c:ef:8c:12:6a:7a
DEVID=DVR16IP4K-16P-S2
ID=2L03436PAMY5SA6
stdin=serial
stdout=serial
stderr=serial
verify=n

Environment size: 1443/131068 bytes
I noticed there were also other commands possible.
After typing eracgf ? to found out more about the command, the recorder was already reset :cool:

Code:
hisilicon # help
?       - alias for 'help'
autoup  - load update file from server
base    - print or set address offset
boot    - boot kernel from uboot
bootd   - boot kernel from uboot
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
ddr     - ddr training function
decjpg  - jpgd   - decode jpeg picture.

devid   - devid      - set hardware id and save to flash

eracfg  - eracfg - erase config sectors

eralogo - eralogo - erase logo sectors

fb_set  - fb_set     - get shift key

fb_test - fb_test      - frontboard read/write test

flwrite - flwrite - write img data into FLASH from memory

get_key - get_key     - get shift key

getinfo - print hardware information
go      - start application at address 'addr'
help    - print command description/usage
hwid    - hwid      - set hardware id and save to flash

lip     - lip      - set local ip address but not save to flash

loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
mac     - mac      - set mac address and save to flash

mac1    - mac1      - set mac1 address and save to flash

md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nandops - flwrite - write img data into FLASH from memory

nboot   - boot from NAND device
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showlogo- showlogo   - show the logo picture on screen.

sip     - sip      - set server ip address but not save to flash

startgx - startgx   - open graphics layer.
        - startgx [layer addr stride x y w h]

startvl - startvl   - open video layer.
        - startvl [layer addr stride x y w h]

startvo - startvo   - open interface of vo device.
        - startvo [dev type sync]
stopgx  - stopgx   - close graphics layer.
        - stopgx [layer]
stopvl  - stopvl   - close video layer.
        - stopvl [layer]
stopvo  - stopvo   - close interface of vo device.
        - stopvo [dev]
tftp    - tftp  - download or upload image via network using TFTP protocol
version - print monitor version
vobgset - setvobg   - set vo backgroud color.
        - setvobg [dev color]
hisilicon # eracfg ?
boottype=1:
boottype=1:
erase config sectors
done
hisilicon #
Thanks for the help !
 
Last edited:

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,445
Reaction score
38,162
Location
Alabama
Just wondering: Did you ever try to take out the battery for an or more hour and put it back in? On PCs, this may clear the CMOS. I have no idea what it does on NCRs.
FWIW, the lithium coin cell just maintains the RTC's (Real Time Clock) day/date/hour/min when the NVR is switched off and unplugged from power; same with PC's.
 
Top