*SOLVED* Swann NVR softbricked after firmware update - Currently on uBoot console

Thank you very much for your quick response,

I haven't been able to get connected at all with UART when turning on the NVR once UART is connected to TTL device the the serial monitor I only get error device can not connected and drop the serial connection with the UART adapter

However when I turn the NVR on whilst connected to UART the pc plays the sound as if to say a device has been connected/disconnected then the error appears.

I wonder if the UART pins are incorrect ? Used a multimeter to check and according to the images and my testing I have the correct tx and Rx and gnd pins so I'm stumped

Any guidance on checking UART connection to the main board would be appreciated. Thank you

I'll also try and get some images tonight of my connections

Thank you again
 
alastairstevenson said:
The extracted file has big chunks that have not been written.
I wonder if that will also be the case in the other partitions.
It might be a misbehaving flash chip, in which case it would be messy to fix, would need a physical replacement.

If you are up for it - and in truth there isn't much to lose - you could try flashing the kernel that I extracted from the firmware file.
Rename the kernel file I'd attached above as kernel_from_fw in the tftp server folder.
The re-written file can be read out again to do a comparison.
It's easy enough to do, the commands should be as follows at the bootloader prompt, one line at a time :
Code: 
sf probe 0

tftp 0x82000000 kernel_from_fw

sf erase 0x80000 0x200000

sf write 0x82000000 0x80000 0x200000

sf read 0x82000000 0x80000 0x200000

tftp 0x82000000 kernel_reread 0x200000

reset

And just for interest, here is how I split the firmware :
Code: 
#!/bin/sh
# This is a simple 'split out some of the components' script based on a manual inspection
# of the original NVR8-7285_0113_3438_1103.pak firmware.
# It looks like the firmware is organised as a simple manifest front section, giving name,
# location and size for each component.
#
dd if=orig_fw.pak of=uboot1 bs=1 skip=$((0x04f8)) count=$((0x03770c))
dd if=orig_fw.pak of=bootargs bs=1 skip=$((0x037c04)) count=$((0x0200))
dd if=orig_fw.pak of=kernel bs=1 skip=$((0x057c04)) count=$((0x1f7008))
dd if=orig_fw.pak of=fs bs=1 skip=$((0x24ec0c)) count=$((0x2d4000))
# This is the fs SQUASHFS partition which we can directly unpack.
sudo unsquashfs -d fs_squashfs fs
dd if=orig_fw.pak of=app bs=1 skip=$((0x522c0c)) count=$((0x74e000))
# This is the app SQUASHFS partition which we can directly unpack.
sudo unsquashfs -d app_squashfs app
dd if=orig_fw.pak of=logo bs=1 skip=$((0xc70c0c)) count=$((0xf1fd))

# End

Good luck!
Click to expand...
Hi alastairstevenson,
I am having an issue that I might be able to solve using your methods. How did you do the manual inspection of the firmware to split out the component? Also how did you figure out where to write the components to the memory locations? I pulled the log from my unit that has the Reolink firmware and it shows a the partition tables being read into memory but they wont match my OEM firmware is there a way to read it from the pak file?

Here is what im talking about the partitions
Code: 
Found Nand Flash Controller V504.
Nand ID: 0x01 0xF1 0x80 0x1D 0x01 0xF1 0x80 0x1D
Nand: AMD NAND 128MiB 3,3V 8-bit 
Nand(Hardware): Block:128KB Page:2KB OOB:64B ECC:4bits/512Byte Chip:128MB*1
11 cmdlinepart partitions found on MTD device hinand
11 cmdlinepart partitions found on MTD device hinand
Creating 11 MTD partitions on "hinand":
0x000000000000-0x000000080000 : "uboot1"
0x000000080000-0x000000260000 : "uboot2"
0x000000260000-0x000000280000 : "bootargs"
0x000000280000-0x0000006c0000 : "kernel"
0x0000006c0000-0x0000012c0000 : "fs"
0x0000012c0000-0x0000032c0000 : "app"
0x0000032c0000-0x000003ac0000 : "para"
0x000003ac0000-0x000003cc0000 : "logo"
0x000003cc0000-0x0000047c0000 : "ipc_img"
0x000000000000-0x000008000000 : "wholeflash"
0x0000047c0000-0x0000048c0000 : "uid_img"

Sorry for hijacking this thread.

Thanks
-George

I made a post about my issue here
X

Thread 'Swann NVR8-7400 (kinda bricked) firmware downgrade help'

I have a NVR8-7400 and I needed to replace one camera and could not find a Swan camera but I did find the Reolink RLC-410 camera that kinda worked . I was able to use Reolink software to connect to my NVR and manage it so I figured they use the same hardware. Then I found out that RLN8-410 firmware will load on the NVR87400. And then the "find out moment" I was able to see the Reolink camera but not the other seven Swann cameras "crap". The Reolink NVR firmware would not connect to the Swann cameras password error and there is no where to change it :angry:. So I fixed one but broke 7. I...
 
Last edited:
Trying to answer your questions -
A manual inspection of the firmware with a hex editor can often reveal a header that indicates how the firmware is packed. And the positions within the file where they are located.
Then the tool binwalk can also be used to confirm the main components so that they can be split off using the dd tool.
Then a bootlog as you have shown above will show the partition layout in the flash memory such that extracted data can be written to the correct locations.
As you indicate - it could well be the case that the partition layout may be different between the 2 firmwares.
 
You must log in or register to reply here.
Top Bottom