Unbricking Dahua VTO2000A

Kurz nachdem ich meine Dahua VTO2000A in Betrieb genommen hatte, habe ich diese natürlich gleich mal einer modifizierten Firmware 3.1 gebricked – es gab keine Reaktion über einen der üblichen Ports mehr und das Licht leuchtete daherhaft. Uncool. Ich folgte also diesem Thread und mit leichter Abwandlung kam ich via Telnet zum Ziel.

Werbung


Mittels Putty habe ich mich via Telnet auf der IP (Standard ist 192.168.1.110) mit dem Port 23 angemeldet. Nutzername ist in Firmware 3.1 „admin“ und das Passwort ist 7ujMko0 + WebUI Passwort. Also in der Standardauslieferung 7ujmko0admin.

# ps
  PID  Uid        VSZ Stat Command
    1 root       2820 S   init
    2 root            SW  [posix_cpu_timer]
    3 root            SW  [softirq-high/0]
    4 root            SW  [softirq-timer/0]
    5 root            SW  [softirq-net-tx/]
    6 root            SW  [softirq-net-rx/]
    7 root            SW  [softirq-block/0]
    8 root            SW  [softirq-tasklet]
    9 root            SW  [softirq-hrtimer]
   10 root            SW  [softirq-rcu/0]
   11 root            SW< [desched/0]
   12 root            SW< [events/0]
   13 root            SW< [khelper]
   14 root            SW< [kthread]
   28 root            SW< [kblockd/0]
   29 root            SW< [cqueue/0]
   30 root            SW< [kseriod]
   37 root            SW< [khubd]
   83 root            SW  [pdflush]
   84 root            SW  [pdflush]
   85 root            SW< [kswapd0]
   86 root            SW< [aio/0]
   87 root            SW< [cifsoplockd]
   88 root            SW< [cifsdnotifyd]
  134 root            SW  [mtdblockd]
  138 root            SW< [dm_spi.0]
  174 root            SW< [dm_spi.1]
  207 root            SWN [jffs2_gcd_mtd6]
  211 root            SWN [jffs2_gcd_mtd7]
  242 root      10372 S   /utils/syshelper 25
  349 root            SW< [dsp_timer/0]
  358 root            SW< [spi_mcu_irq/0]
  379 root       2424 S   /utils/upgraded
  380 root     120004 S   VideoDaemon
  382 root       2824 S   /utils/telnetd
  384 root       2824 S   /bin/sh /etc/init.d/appd
  390 root       2132 S   feedwdt
  391 root       2824 S   /bin/sh --
  403 root       2824 S   -sh
  405 root       2824 R   ps

Nun muss man den Upgrade-Prozess „/utils/upgraded“ einmal killen.

# kill -9 379

Nun wird das Upgrade-Tool manuell nochmal gestartet, also einfach „/utils/upgraded“ in die Kommandozeile. Sobald „UPGRADED_MSG: start download file“ erscheint, dann ConfigTool nutzen um via Port 3800 die neue Firmware hochzuladen:

# /utils/upgraded
[libdvr]
libdvr.so Build time: Jun 16 2016 at 17:09:56.
[libdvr] SVN NUM: 7402.
UPGRADED_MSG: Do memlock
UPGRADED_MSG: lock failure: addrStart=4002b000, addrEnd=40032000
UPGRADED_MSG: lock failure: addrStart=4006f000, addrEnd=40076000
UPGRADED_MSG: lock failure: addrStart=400b3000, addrEnd=400bb000
UPGRADED_MSG: lock failure: addrStart=400bf000, addrEnd=400c6000
UPGRADED_MSG: lock failure: addrStart=401df000, addrEnd=401e7000
UPGRADED_MSG: lock failure: addrStart=401f8000, addrEnd=401ff000
Name: upgraded, bulid date: Dec 19 2014 17:18:02, svn: 448
UPGRADED_MSG: start download file!
[libdvr] At the start of getSystemInfo
[libdvr] @@@@ buf = 3L03365PAZ0CFA0
UPGRADED_MSG: Second login mode!
[libdvr] At the start of getSystemInfo
[libdvr] @@@@ buf = 3L03365PAZ0CFA0
[libdvr] At the start of getSystemInfo
[libdvr] @@@@ buf = 3L03365PAZ0CFA0
UPGRADED_MSG: Can't Open /mnt/mtd/Config/passwd
UPGRADED_MSG: Login success!
UPGRADED_MSG: Can't find pid app.sh
UPGRADED_MSG: Can't find pid sonia
UPGRADED_MSG: Kill 380 successful
UPGRADED_MSG: Kill VideoDaemon success!
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A4(alarm)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A1(alive package)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A4(alarm)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A4(alarm)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_ERR: LINE: 897: Unkonw Command
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A4(alarm)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Receive A1(alive package)
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: reset_watchdog
UPGRADED_MSG: Received : 13644118, FileSize : 13644118
UPGRADED_MSG: Download Complete
UPGRADED_MSG: Do DownLoad success!
[libdvr] ####CFG_FLASH_SEC_SIZE=0x10000
[libdvr] NUM_MTDS=11
[libdvr] ####MTD_START[0]=0x2000000
[libdvr] ####MTD_START[1]=0x2040000
[libdvr] ####MTD_START[2]=0x2060000
[libdvr] ####MTD_START[3]=0x2080000
[libdvr] ####MTD_START[4]=0x2280000
[libdvr] ####MTD_START[5]=0x2580000
[libdvr] ####MTD_START[6]=0x2780000
[libdvr] ####MTD_START[7]=0x2820000
[libdvr] ####MTD_START[8]=0x28c0000
[libdvr] ####MTD_START[9]=0x28e0000
[libdvr] ####MTD_START[10]=0x2ee0000
[libdvr] ####MTD_START[11]=0x3000000
UPGRADED_MSG: Flash init success
UPGRADED_ERR: LINE: 1074: invalid file: check.img
UPGRADED_ERR: LINE: 1074: invalid file: Install.lua
UPGRADED_MSG: zip file total size: 13870296
[libdvr] At the start of getSystemInfo
[libdvr] @@@@ buf = 3L03365PAZ0CFA0
UPGRADED_MSG: packet.name: VTO2000A, board.name: VTO2000A
UPGRADED_MSG: packet.hardver: , board.hardver:
UPGRADED_MSG: Verify version success
 
Header CRC Checking ... OK
Image Name:   custom-x.cramfs.img
Image Type:   custom-x.cramfs.img (gzip compressed)
Data Size:    90176 B, Bytes =  0.09 MB
Load Address: 0X2060000
Data CRC Checking ... OK
Programing start at: 0X2060000
 
umount: No such file or directory
Upgrade : Complete Total 0%...  [libdvr] flash erase: addr=0x2070000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 0%...
Header CRC Checking ... OK
Image Name:   pd-x.cramfs.img
Image Type:   pd-x.cramfs.img (gzip compressed)
Data Size:    45120 B, Bytes =  0.04 MB
Load Address: 0X28C0000
Data CRC Checking ... OK
Programing start at: 0X28C0000
 
[libdvr] flash erase: addr=0x28c0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 0%...
Header CRC Checking ... OK
Image Name:   kernel-x.cramfs.img
Image Type:   kernel-x.cramfs.img (gzip compressed)
Data Size:    1682736 B, Bytes =  1.60 MB
Load Address: 0X2080000
Data CRC Checking ... OK
Programing start at: 0X2080000
 
Upgrade : Complete Total 12%... [libdvr] flash erase: addr=0x2210000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 13%...
Header CRC Checking ... OK
Image Name:   romfs-x.cramfs.img
Image Type:   romfs-x.cramfs.img (gzip compressed)
Data Size:    3117120 B, Bytes =  2.97 MB
Load Address: 0X2280000
Data CRC Checking ... OK
Programing start at: 0X2280000
 
Upgrade : Complete Total 35%... [libdvr] flash erase: addr=0x2570000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 35%...
Header CRC Checking ... OK
Image Name:   user-x.cramfs.img
Image Type:   user-x.cramfs.img (gzip compressed)
Data Size:    6221888 B, Bytes =  5.93 MB
Load Address: 0X28E0000
Data CRC Checking ... OK
Programing start at: 0X28E0000
 
Upgrade : Complete Total 71%... [libdvr] flash erase: addr=0x2da0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 71%... [libdvr] flash erase: addr=0x2db0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 72%... [libdvr] flash erase: addr=0x2dc0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 72%... [libdvr] flash erase: addr=0x2dd0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 73%... [libdvr] flash erase: addr=0x2de0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 73%... [libdvr] flash erase: addr=0x2df0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 74%... [libdvr] flash erase: addr=0x2e00000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 74%... [libdvr] flash erase: addr=0x2e10000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 79%... [libdvr] flash erase: addr=0x2ec0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 80%...
Header CRC Checking ... OK
Image Name:   web-x.cramfs.img
Image Type:   web-x.cramfs.img (gzip compressed)
Data Size:    1384512 B, Bytes =  1.32 MB
Load Address: 0X2580000
Data CRC Checking ... OK
Programing start at: 0X2580000
 
Upgrade : Complete Total 90%... [libdvr] flash erase: addr=0x26d0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 90%...
Header CRC Checking ... OK
Image Name:   data-x.cramfs.img
Image Type:   data-x.cramfs.img (gzip compressed)
Data Size:    1073216 B, Bytes =  1.02 MB
Load Address: 0X2EE0000
Data CRC Checking ... OK
Programing start at: 0X2EE0000
 
Upgrade : Complete Total 97%... [libdvr] flash erase: addr=0x2fe0000,block_nums=1, block_size=0x10000
Upgrade : Complete Total 98%... [libdvr] idestatus =0
Upgrade : Complete Total 100%...        UPGRADED_MSG: will reboot system
[libdvr] sync....

Done 😉

Veröffentlicht von

Uli

IT-Nerd und Admin

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.