Lorex LNB8005B-C and Dahua firmware (Solved with instructions)

[Corellon]

I'm not familiar with Serial as I'm waiting on a adapter to use, from the log it looks like it's already entered the boot loaded which is why you don't get the stop autoboot prompt (Means tftp over ethernet should still work) but a few things in the console do stand out:

Downloading: *
Retry count exceeded; starting again
Try again use backup_serverip
*** ERROR: `serverip' not set
You might need to set the serverip for the TFTP using serial? Do you have the TFTP running at 192.168.254.254 and the router at 192.168.1.1? Can you ping the camera from the TFTP server?

kload 0x2000000 succeed!
Wrong Image Format for bootm command
This does point that the memory address should be 0x2000000, but also that the tftp is fetching the wrong/incorrect file. I never tried direct to 2.800 I did do the initial flash at 2.622 not sure if there is an issue direct to 2.800.

Do you see the camera fetching the file from the TFTP server? Should at least see it getting the info file.

 

[hope__silent]

I have loaded two cameras with 2.800, both with TFTP. One from 2.622, one from Lorex firmware. I have not been able to load 2.800 from 2.622 with the GUI or config tool. They both appear to be fully functional. However, I intend to try and load another camera with 2.622 eventually (once I finish my extended work week) and get an upgrade to 2.800 working via the GUI so I know future firmware updates should be supported and I'm not missing any images I should otherwise have. More to come...

 

[pozzello]

yes, cam gets images via tftpd over ethernet at boot, so i know that's working when i set up the PC at the right IP, etc...

i'm serving 2.622 from the tftp server, but perhaps some of my earler attempts messed up something important...

via serial, i don't get any response to my keystrokes. may not have the connections right, but figured the Rx was right next to the Tx, and i'm clearly receiving.

I suppose I could take down the working un-molested LNB8005-C to compare via serial for any clues, but that means getting out a ladder.
If nothing else, I may be able to extract working FW from it to install on this tester...

Then again, I may just have another donation for Alastair's "fix me!" collection.

 

[pozzello]

@hope_silent are your cams the Flir/Lorex LNB8005-C's like mine or the (apparently not the same) LNB8005B-C like the OP's?... thanx.

 

[hope__silent]

@hope_silent are your cams the Flir/Lorex LNB8005-C's like mine or the (apparently not the same) LNB8005B-C like the OP's?... thanx.

I believe all of mine are LNB8005-C's.

 

[pozzello]

I believe all of mine are LNB8005-C's.

hm. perhaps you can share the 'commands' text file that worked for you? thanx.

edit: nm, i see you did that previously. thanx.

 

[Corellon]

I'm on my mobile so sorry if the text or spelling is bad. You may be better off not being able to upgrade over the web interface as turns out that updates the bootloader to need signed images.

I'm having an issue where the image quality at night is not as good with the dahau firmware in color mode as it is with the lorex firmware (too much green, but the b/w image quality is better then the lorex image quality) would like to try different versions to see where the change started and what changed but cant go back on that camera.

I dont think there is a difference between the lnb8005b-c and lnb8005-c as they have the same dahau model number, I'm waiting on my usb to uart so I can get a image from the stock lorex firmware as a backup and also see if I can reverse the bootloader.

@pozzello you seem to have experience with the serial connection, any idea of the commands needed to download a copy of the original firmware and to flash a unsigned bootloader?

Not sure what is going on with your ftp, can you copy the full ncat log and tftp log?

 

[pozzello]

Here's where I'm at now. I have a serial/uart adapter hooked to the cam and can read the output as it tries to boot up. It seems the cam never gets to any point where it's looking for keystrokes to stop booting and drop into into a 'shell', tho. So I can't type stuff at it directly, but I can have it run commands from the commands.txt file via tftp upon startup.

so with this command file,

Spoiler: commands

printenv
help
echo "fatls"
fatls
echo "partition"
partition
echo "bdinfo"
bdinfo
echo "fsinfo"
fsinfo
echo "cfgRestore"
cfgRestore
echo "sleep 20"
sleep 20

I get the output below...

Spoiler: output

U-Boot 2010.06-svn3845 (Dec 18 2016 - 09:32:48)
I2C: ready
DRAM: 118 MiB
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
TEXT_BASE:01000000
Net: Detected MACID:00:40:7f:8e:d2:8e
PHY:0x001cc816,addr:0x00
s3l phy RTL8201 init

MMC: sdmmc init
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Download Filename 'upgrade_info_7db780a713a4.txt'.
Download to address: 0x5000000
Downloading: #################################################
done
Bytes transferred = 223 (df hex)
string value is 0
The end of file
bootdelay=3
baudrate=115200
ipaddr=192.168.1.108
autoload=yes
gatewayip=192.168.1.1
netmask=255.255.255.0
dh_keyboard=1
sysbackup=1
logserver=127.0.0.1
loglevel=4
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
pd=tftp 0x02000000 pd-x.squashfs.img; flwrite
ethact=ambarella mac
BSN=3B04645PAA00640
serverip=192.168.1.1
da=tftp 0x2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;flwrite
dr=tftp 0x2000000 romfs-x.squashfs.img; flwrite
dk=tftp 0x2000000 kernel.img; flwrite
du=tftp 0x2000000 user-x.squashfs.img; flwrite
dw=tftp 0x2000000 web-x.squashfs.img; flwrite
dc=tftp 0x2000000 custom-x.squashfs.img; flwrite
dt=tftp 0x2000000 data-x.squashfs.img; flwrite
dp=tftp 0x02000000 partition-x.cramfs.img;flwrite
up=tftp 0x2000000 update.img; flwrite
tk=tftp 0x200100 hawthorn.dts.dtb;tftp 0x2000000 uImage;bootm 0x2000000
bootcmd=sf read 0x200100 0x8000 0x8000;sf read 0x2000000 0xf0000 0x180000;bootm 0x2000000
bootargs=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
HWID=IPC-HFW4830EP-S:01:02:03:50:21:00:01:00:00:00:04:2D0:00:00:00:00:00:01:00:00:200
hwidEx=00:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00
devalias=IPC-HFW4830E-S
ID=ND011705005350
ethaddr=00:40:7F:8E2:8E
appauto=1
stdin=serial
stdout=serial
stderr=serial
filesize=DF
fileaddr=5000000

Environment size: 1340/131068 bytes
? - alias for 'help'
backup - backup - manual backup program.

base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootf - boot from flash
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase config and backup partition.

cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
erasepart- erasepart

exit - exit script
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flwrite - flwrite - write data into FLASH memory

fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
gpio - gpio test
help - print command description/usage
hwid - hwid - set hardware id and save to flash

i2c - I2C sub-system
icache - enable or disable instruction cache
iminfo - print header information for application image
itest - return true/false on integer compare
kload - kload - load uImage file from parttion

lip - lip - set local ip address but not save to flash

loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
logsend - get log buf
loop - infinite loop on address range
ls - list files in a directory (default /)
mac - mac - set mac address and save to flash

md - memory display
memsize - memsize - set mem size

mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - mmcinfo <dev num>-- display MMC info
mtest - simple RAM read/write test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
partition- print partition information
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault -recover default env

reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
showvar - print local hushshell variables
sip - sip - set server ip address but not save to flash

sleep - delay execution for some time
source - run script from memory
sync_uboot- sync_uboot - sync uboot to uboot-bak

test - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true - do nothing, successfully
usleep - delay execution for some time
version - print monitor version
"fatls"
usage: fatls <interface> <dev[art]> [directory]
"partition"
name cs offset size flag fs_flags fs_type
MinBoot 0 0x0000000000000000 0x0000000000040000 0x00000000 0x00000000 0x00000000
U-Boot 0 0x0000000000080000 0x0000000000040000 0x00000000 0x00000000 0x00000000
hwid 0 0x00000000000c0000 0x0000000000020000 0x00000000 0x00000000 0x00000000
partition 0 0x00000000000e0000 0x0000000000010000 0x00000000 0x00000001 0x00000001
Kernel 0 0x00000000000f0000 0x0000000000180000 0x00000000 0x00000000 0x00000000
romfs 0 0x0000000000270000 0x0000000000150000 0x00000000 0x00000001 0x00000002
web 0 0x00000000003c0000 0x0000000000680000 0x00000000 0x00000001 0x00000002
user 0 0x0000000000a40000 0x0000000001030000 0x00000000 0x00000001 0x00000002
updateflag 0 0x0000000001a70000 0x0000000000030000 0x00000000 0x00000000 0x00000000
config 0 0x0000000001aa0000 0x0000000000070000 0x00000000 0x00000003 0x00000004
product 0 0x0000000001b10000 0x0000000000010000 0x00000000 0x00000001 0x00000002
custom 0 0x0000000001b20000 0x0000000000020000 0x00000000 0x00000001 0x00000002
backupker 0 0x0000000001b40000 0x00000000000e0000 0x00000000 0x00000001 0x00000002
backupfs 0 0x0000000001c20000 0x0000000000050000 0x00000000 0x00000001 0x00000002
data 0 0x0000000001c70000 0x0000000000100000 0x00000000 0x00000003 0x00000004
user1 0 0x0000000001d70000 0x0000000000290000 0x00000000 0x00000001 0x00000002
MinBoot mountcmd:
U-Boot mountcmd:
hwid mountcmd:
partition mountcmd:
Kernel mountcmd:
romfs mountcmd:
web mountcmd:mount /dev/mtdblock6 /mnt/web/
user mountcmd:mount /dev/mtdblock7 /usr/
updateflag mountcmd:
config mountcmd:mnt_jffs2 /dev/mtdblock9 /mnt/mtd jffs2
product mountcmd:mount /dev/mtdblock10 /mnt/pd/
custom mountcmd:mount /dev/mtdblock11 /mnt/custom/
backupker mountcmd:
backupfs mountcmd:
data mountcmd:mnt_jffs2 /dev/mtdblock14 /mnt/data jffs2
user1 mountcmd:mount /dev/mtdblock15 /mnt/user/
"bdinfo"
arch_number = 0x23283041
env_t = 0x00000000
boot_params = 0x00200000
DRAM bank = 0x00000000
-> start = 0x00200000
-> size = 0x07600000
ethaddr = 00:40:7F:8E2:8E
ip_addr = 192.168.1.108
baudrate = 115200 bps
"fsinfo"
SPI probe: 32768 KiB W25Q256FV at 0:0 is now current device
### filesystem type is JFFS2
Scanning JFFS2 FS: done.
Compression: NONE
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: ZERO
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: RTIME
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: RUBINMIPS
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: COPY
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: DYNRUBIN
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: ZLIB
frag count: 0
compressed sum: 0
uncompressed sum: 0
"cfgRestore"
config erased.
"sleep 20"
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
cmdLine console=ttyS0,115200 mem=130M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1
Download Filename 'success.txt'.
Download to address: 0x2000000
Downloading: *
TFTP error: (0)Erasing SPI flash...
Writing to SPI flash...
done
state:ff,err_count:05
Wrong Image Format for bootm command
ERROR: can't get kernel image!
try:kload 0x2000000 succeed!
## Booting kernel from Legacy Image at 02000000 ...
Image Name: Linux-3.10.73
Created: 2017-11-09 22:03:10 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1569588 Bytes = 1.5 MiB
Load Address: 00208000
Entry Point: 00208000
Verifying Checksum ... OK
Loading Kernel Image ...OK
OK
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
get bootargs info failed
crashflasg:1, logmagic:54410011.

Starting kernel ...

Not sure where to go from here. Looking for a command or maneuver that would drop me into a shell to poke around a bit more easily from the serial console.

Any ideas how to copy the firmware image off my other working/unmolested LNB800-C so I could at least get this back to operationall? So many pages of info here its hard to tell if that's been done already...

Thanx, Paul.

edit:

- Do i dare try the 'da' command to update the boot loader?
da=tftp 0x2000000 dhboot.bin.img; flwrite; tftp dhboot-min.bin.img;flwrite
- I've seen the "fail to load bootargsParameters.txt" error reported in cases where people flash Chinese-only cams with US or Internationsl versions, so perhaps that's a clue ?...

 

[Corellon]

I've heard people say that you need to spam * like crazy while the camera is booting to force it into the shell, not sure if also using another terminal type in putty would work. I should be getting my serial device today so I will be able to experiment more myself (including how to retrieve an image from another device (I've asked a few people but no response yet either))

I would avoid updating the boot device as I don't think that would make a difference and could make things worse, one thing i did notice is that your new command file doesn't have any run commands to flash an image but your still getting:
Wrong Image Format for bootm command
ERROR: can't get kernel image!
try:kload 0x2000000 succeed!

which implies to me that the kernel is corrupt, it is getting the TFTP and it is running the command file, try running just the below in a command file:
run dr
run dk
tftp 0x2000000 .FLASHING_DONE_STOP_TFTP_NOW
sleep 5

see if that succeeds, if it does remove those lines and try one or two more run's and see if it works, maybe an incremental flash would work better then all at once (which would not commit the changes if any of the run's fail) at least maybe you can verify which image is giving problems.

Edit: Just got my usb to serial device, started taking the camera apart, kinda at a loss of where the pads for the serial connection is, it's not just one PCB but 3 stacked together do I have to take the Lens off as well?

 

[pozzello]

I do seem to have the right connection for Tx, as hitting Ctrl-C during the sleep time causes the cam to exit the script and try loading the kernel.
As mentioned previously, I never see the "Hit any key to stop autoboot:" prompt.


I was able to set up the networking on my PC so I can capture the console output as I power-cycle my working Lorex cam (and it TFTP's and runs my command file) without physically un-installing it.

It looks identical to what i see on the non-booting cam, including

• the "fail to load bootargsParameters.txt" message, so I'm going to ignore that, assuming it's a red herring...
• still no "Hit any key to stop autoboot:" prompt. ( I can't find the 'any' key on my keyboard either... )

Notice my cams' bootloader is "U-Boot 2010.06-svn3845 (Dec 18 2016 - 09:32:48)"
Is this the same your successfully Dahua'd Lorex units show?
perhaps yours have a different bootloader and/or you updated yours with 'run da'?...

Thanx, Paul.

 

[Corellon]

I didn't update with run da but it appears to have updated the boot loader when I used the web interface to go from 2.620 to 2.800 something I'm trying to reverse right now, this is the result of the same commands that you used on yours (Different camera but same model/batch as the one I upgraded)

Spoiler: Output

Ncat: Version 7.40 ( Ncat - Netcat for the 21st Century )
Ncat: Listening on 192.168.254.254:5002
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
TEXT_BASE:01000000
Net: Detected MACID:00:40:7f:96:7b:e5
PHY:0x001cc816,addr:0x00
s3l phy RTL8201 init
MMC: sdmmc init
Using ambarella mac device
TFTP from server 192.168.254.254; our IP address is 192.168.1.108; sending through gateway 192.168.1.1Download Filename 'upgrade_info_7db780a713a4.txt'.Download to address: 0x5000000
Downloading: *
done
Bytes transferred = 229 (e5 hex)
string value is 0
The end of file
bootargs=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc
bootcmd=sf read 0x2000000 0xf0000 0x180000;
bootm x2000000
bootdelay=3
baudrate=115200
ipaddr=192.168.1.108
serverip=192.168.1.1
autoload=yes
gatewayip=192.168.1.1
netmask=255.255.255.0
da=tftp 0x02000000 dhboot.bin.img; flwrite;tftp dhboot-min.bin.img;flwrite
dr=tftp 0x02000000 romfs-x.squashfs.img; flwrite
dk=tftp 0x02000000 kernel.img; flwrite
du=tftp 0x02000000 user-x.squashfs.img; flwrite
dw=tftp 0x02000000 web-x.squashfs.img; flwrite
dp=tftp 0x02000000 partition-x.cramfs.img;flwrite
dc=tftp 0x02000000 custom-x.squashfs.img; flwrite
up=tftp 0x02000000 update.img; flwrite
tk=tftp 0x02000000 uImage; bootm
dh_keyboard=1
sysbackup=1
logserver=127.0.0.1
loglevel=4
autosip=192.168.254.254
autolip=192.168.1.108
autogw=192.168.1.1
autonm=255.255.255.0
pd=tftp 0x02000000 pd-x.squashfs.img; flwrite
ethact=ambarella macBSN=3D05507PAA07673HWID=IPC-HFW4830EP-S:01:02:03:50:21:00:01:00:00:00:04:2D0:00:00:00:00:00:01:00:00:200hwidEx=00:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00
devalias=IPC-HFW4830E-S
ID=ND011708007127
ethaddr=00:40:7F:96:7B:E5
appauto=1
stdin=serial
stdout=serial
stderr=serial
filesize=E5
fileaddr=5000000
Environment size: 1229/131068 bytes
? - alias for 'help'
backup - backup - manual backup program.

base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootf - boot from flash
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cfgRestore- erase config and backup partition.

cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
erasepart- erasepart

exit - exit script
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flwrite - flwrite - write data into FLASH memory

fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
gpio - gpio test
help - print command description/usage
hwid - hwid - set hardware id and save to flash

i2c - I2C sub-system
icache - enable or disable instruction cache
iminfo - print header information for application image
itest - return true/false on integer compare
kload - kload - load uImage file from parttion

lip - lip - set local ip address but not save to flash

loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
logsend - get log buf
loop - infinite loop on address range
ls - list files in a directory (default /)
mac - mac - set mac address and save to flash

md - memory display
memsize - memsize - set mem size

mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - mmcinfo <dev num>-- display MMC info
mtest - simple RAM read/write test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
partition- print partition information
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
rdefault- rdefault -recover default env

reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
showvar - print local hushshell variables
sip - sip - set server ip address but not save to flash

sleep - delay execution for some time
source - run script from memory
sync_uboot- sync_uboot - sync uboot to uboot-bak

test - minimal test like /bin/sh
tftpboot- tftpboot- boot image via network using TFTP protocol
true - do nothing, successfully
upmh - mcu heat upgraded
usleep - delay execution for some time
version - print monitor version
usage: fatls <interface> <dev[art]> [directory]
name cs offset size flag fs_flags fs_type
MinBoot 0 0x0000000000000000 0x0000000000040000 0x00000000 0x00000000 0x00000000
U-Boot 0 0x0000000000080000 0x0000000000040000 0x00000000 0x00000000 0x00000000
hwid 0 0x00000000000c0000 0x0000000000020000 0x00000000 0x00000000 0x00000000
partition 0 0x00000000000e0000 0x0000000000010000 0x00000000 0x00000001 0x00000001
Kernel 0 0x00000000000f0000 0x0000000000180000 0x00000000 0x00000000 0x00000000
romfs 0 0x0000000000270000 0x0000000000150000 0x00000000 0x00000001 0x00000002
web 0 0x00000000003c0000 0x0000000000680000 0x00000000 0x00000001 0x00000002
user 0 0x0000000000a40000 0x0000000001030000 0x00000000 0x00000001 0x00000002
updateflag 0 0x0000000001a70000 0x0000000000030000 0x00000000 0x00000000 0x00000000
config 0 0x0000000001aa0000 0x0000000000070000 0x00000000 0x00000003 0x00000004
product 0 0x0000000001b10000 0x0000000000010000 0x00000000 0x00000001 0x00000002
custom 0 0x0000000001b20000 0x0000000000020000 0x00000000 0x00000001 0x00000002
backupker 0 0x0000000001b40000 0x00000000000e0000 0x00000000 0x00000001 0x00000002
backupfs 0 0x0000000001c20000 0x0000000000050000 0x00000000 0x00000001 0x00000002
data 0 0x0000000001c70000 0x0000000000100000 0x00000000 0x00000003 0x00000004
user1 0 0x0000000001d70000 0x0000000000290000 0x00000000 0x00000001 0x00000002
MinBoot mountcmd:
U-Boot mountcmd:
hwid mountcmd:
partition mountcmd:
Kernel mountcmd:
romfs mountcmd:
web mountcmd:mount /dev/mtdblock6 /mnt/web/
user mountcmd:mount /dev/mtdblock7 /usr/
updateflag mountcmd:
config mountcmd:mnt_jffs2 /dev/mtdblock9 /mnt/mtd jffs2
product mountcmd:mount /dev/mtdblock10 /mnt/pd/
custom mountcmd:mount /dev/mtdblock11 /mnt/custom/
backupker mountcmd:
backupfs mountcmd:
data mountcmd:mnt_jffs2 /dev/mtdblock14 /mnt/data jffs2
user1 mountcmd:mount /dev/mtdblock15 /mnt/user/
arch_number = 0x23283041
env_t = 0x00000000
boot_params = 0x00200000
DRAM bank = 0x00000000
-> start = 0x00200000
-> size = 0x07600000
ethaddr = 00:40:7F:96:7B:E5
ip_addr = 192.168.1.108
baudrate = 115200 bps
SPI probe: 32768 KiB W25Q256FV at 0:0 is now current device
### filesystem type is JFFS2
Scanning JFFS2 FS: done.
Compression: NONE
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: ZERO
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: RTIME
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: RUBINMIPS
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: COPY
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: DYNRUBIN
frag count: 0
compressed sum: 0
uncompressed sum: 0
Compression: ZLIB
frag count: 0
compressed sum: 0
uncompressed sum: 0
config erased.
partition file version 2
rootfstype squashfs root /dev/mtdblock5
fail to load bootargsParameters.txt
fail to load bootargsParameters.txt file
cmdLine console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc

This is from the serial of the flashed camera (With updated bootloader)
U-Boot 2010.06-svo6390 (Nov 27 2019 - 18:32:23)

 

[pozzello]

thanx for that. so yours does have a new(er) boot loader. but it first 'worked' on 2.622 without updating that?
and the bootloader got updated by a subsequent upgrade from the the UI. hm. why would one want or need to go back?

I have since tried re-flashing several times with various firmware versions, careful to un-zip each correctly into my 'root' folder.

Same results with every version tried. seems to TFTP download all the files, tries to start the kernel and then nothing, then about a minute later, reboots again (must be the watchdog kicking in when the kernel fails to run...) It never appears in the Dahau Config Tool for this cam. Even tried Nmap against it while doing a longer sleep via the command file, finding no telnet or other open ports...

I'm a bit baffled, but not too bummed. this was an extra cam I wasn't using anyways, which is why i figured i could take the chance...
Gonna see if i can get the still-working Lorex to spit out it's files somehow to re-create the original FW.

"I am the Lorex -- I speak for the cams"...

 

[Corellon]

well I'm not sure if I've done something wrong, I used to get serial output and now I just get garbage....

I want to go back on the boot loader as the new ones have a signed firmware which means you can't go down a version if you want too (such as I would like to try 2.622 again as 2.800 has Image Quality issues at night in color mode), I can say for sure that 2.622 worked for me right from the TFTP, I would still suggest seeing if you can flash dk and pd only and see if it succeeds, from what I've noticed is if you flash all the files but one fails it will not commit the changes and reverts everything.

I'm still trying to figure the serial out, hope I didn't bork something while trying to figure out the pins, seems i get gibberish if I don't have tx and rx connected, only rx which is odd. I don't get the press any key to stop autoboot either, but when I try to type into the console I get gibberish echoed back so thinking something is not quiet right still

Edit number... lost count..... : I got shell now, you really do have to spam * from the moment you plug the camera in, as in you have 0 seconds.... you know you've succeeded when you see > returned

 

[pozzello]

* (as in shift-8) ?

 

[Corellon]

Yes, Or I use putty and just the 8 on the number pad... literally have to hold it down as I plug in the POE. Trying to find away to get an image off of the camera onto the TFTP, or to flash from the tftp without the signature check

 

[pozzello]

yes! holding down shift-8 (*) while turning the cam on gets a shell prompt.
(I am using Putty. had previously tried holding down space/other/any key, but not shift-8)
progress of sorts...

 

[Corellon]

Ok found this on another forum for uboot, seems to work :

sf probe 0:0 (set the target for the operations)
sf read 0x02000000 0x0 40000 (Read the bootloader to 0x02000000
tftp 0x02000000 boot.bin 40000 (upload the image to the tftp (make sure you enable PUT (Write=Y overwrite=Y)

File doesn't exactly match the Bin files from the firmware but I might be looking at the wrong ones, I will look at other ways but it's promising as way to backup the firmware

 

[Corellon]

I hooked up my stock camera to serial, this is the uboot information:

U-Boot 2010.06-svn4707 (Jun 30 2017 - 16:13:32)
I2C: ready
DRAM: 118 MiB
gBootLogPtr:00b80008.
spinor flash ID is 0x1940ef
partition file version 2
rootfstype squashfs root /dev/mtdblock5
gParameter[0]:node=bootargs, parameter=console=ttyS0,115200 mem=118M root=/dev/mtdblock5 rootfstype=squashfs init=/linuxrc.
TEXT_BASE:01000000
Net: Detected MACID:00:40:7f:96:7b:e5
PHY:0x001cc816,addr:0x00
s3l phy RTL8201 init

Spoiler

partition
name cs offset size flag fs_flags fs_type
MinBoot 0 0x0000000000000000 0x0000000000040000 0x00000000 0x00000000 0x00000000
U-Boot 0 0x0000000000080000 0x0000000000040000 0x00000000 0x00000000 0x00000000
hwid 0 0x00000000000c0000 0x0000000000020000 0x00000000 0x00000000 0x00000000
partition 0 0x00000000000e0000 0x0000000000010000 0x00000000 0x00000001 0x00000001
Kernel 0 0x00000000000f0000 0x0000000000180000 0x00000000 0x00000000 0x00000000
romfs 0 0x0000000000270000 0x0000000000150000 0x00000000 0x00000001 0x00000002
web 0 0x00000000003c0000 0x0000000000680000 0x00000000 0x00000001 0x00000002
user 0 0x0000000000a40000 0x0000000001030000 0x00000000 0x00000001 0x00000002
updateflag 0 0x0000000001a70000 0x0000000000030000 0x00000000 0x00000000 0x00000000
config 0 0x0000000001aa0000 0x0000000000070000 0x00000000 0x00000003 0x00000004
product 0 0x0000000001b10000 0x0000000000010000 0x00000000 0x00000001 0x00000002
custom 0 0x0000000001b20000 0x0000000000020000 0x00000000 0x00000001 0x00000002
backupker 0 0x0000000001b40000 0x00000000000e0000 0x00000000 0x00000001 0x00000002
backupfs 0 0x0000000001c20000 0x0000000000050000 0x00000000 0x00000001 0x00000002
data 0 0x0000000001c70000 0x0000000000100000 0x00000000 0x00000003 0x00000004
user1 0 0x0000000001d70000 0x0000000000290000 0x00000000 0x00000001 0x00000002
MinBoot mountcmd:
U-Boot mountcmd:
hwid mountcmd:
partition mountcmd:
Kernel mountcmd:
romfs mountcmd:
web mountcmd:mount /dev/mtdblock6 /mnt/web/
user mountcmd:mount /dev/mtdblock7 /usr/
updateflag mountcmd:
config mountcmd:mnt_jffs2 /dev/mtdblock9 /mnt/mtd jffs2
product mountcmd:mount /dev/mtdblock10 /mnt/pd/
custom mountcmd:mount /dev/mtdblock11 /mnt/custom/
backupker mountcmd:
backupfs mountcmd:
data mountcmd:mnt_jffs2 /dev/mtdblock14 /mnt/data jffs2
user1 mountcmd:mount /dev/mtdblock15 /mnt/user/

I seem to not be able to tftp upload in my stock firmware, have to investigate this further, unsure how else I can then upload an image of the memory dumps

 

[Corellon]

I wrote this script to dump the memory contents from my 2.80 firmware device, just put in your commands.txt file

Spoiler: Dump

sip 192.168.254.254
sf read 0x02000000 0x0000000000000000 40000
tftp 0x02000000 280MinBoot.bin 40000
sf read 0x02000000 0x0000000000080000 40000
tftp 0x02000000 280U-Boot.bin 40000
sf read 0x02000000 0x00000000000c0000 20000
tftp 0x02000000 280hwid.bin 20000
sf read 0x02000000 0x00000000000e0000 10000
tftp 0x02000000 280partition.bin 10000
sf read 0x02000000 0x00000000000f0000 180000
tftp 0x02000000 280Kernel.bin 180000
sf read 0x02000000 0x0000000000270000 150000
tftp 0x02000000 280romfs.bin 150000
sf read 0x02000000 0x00000000003c0000 680000
tftp 0x02000000 280web.bin 680000
sf read 0x02000000 0x0000000000a40000 1030000
tftp 0x02000000 280user.bin 1030000
sf read 0x02000000 0x0000000001a70000 30000
tftp 0x02000000 280updateflag.bin 30000
sf read 0x02000000 0x0000000001aa0000 70000
tftp 0x02000000 280config.bin 70000
sf read 0x02000000 0x0000000001b10000 10000
tftp 0x02000000 280product.bin 10000
sf read 0x02000000 0x0000000001b20000 20000
tftp 0x02000000 280custom.bin 20000
sf read 0x02000000 0x0000000001b40000 e0000
tftp 0x02000000 280backupker.bin e0000
sf read 0x02000000 0x0000000001c20000 50000
tftp 0x02000000 280backupfs.bin 50000
sf read 0x02000000 0x0000000001c70000 100000
tftp 0x02000000 280data.bin 100000
sf read 0x02000000 0x0000000001d70000 290000
tftp 0x02000000 280user1.bin 290000

Now I will see if there is a way I can daisy chain the boot loader, boot unsecured from flash, load the updated bootloader into memory from tftp (without flashing) and then boot into the bootloader from there

 

[pozzello]

appreciate the efort, but ya lost me at "make sure you enable PUT (Write=Y overwrite=Y) "
where/how do I do that?...