ICP Permit
Webmail
Newsletters
Support30
IP Cam Hacking – pt#4
Spent a while checking out the different binaries available for the different OEM versions.
Some interesting things I’ve found.
If I take a look at a sample kernel – eg
lr_cmos_11_14_1_46.bin
ls -al lr_cmos_11_14_1_46.bin
-rw-r--r-- 1 lawrence staff 1350539 Mar 15 13:47 lr_cmos_11_14_1_46.bin
Our file size for the file i have is 1350539 bytes.
A hexdump of the header shows:
00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|
00000020 87 3b 3b e7 b8 16 03 cb 0b 00 bc d9 18 00 09 00 |.;;………….|
PK is the standard file header for Zip compression (as Zip was invented by Phil Katz)
Zip fingerprint in hex is – 0x04034b50, which matches nicely in our second line – 50 4b 03 04
On the offchance it contained a zip file, I tried unzipping from the start of the PK.
We can totally misuse dd to write from an offset of 20 bytes to a test.zip file as follows:
lawrence$ dd if=lr_cmos_11_14_1_46.bin of=test.zip skip=0x14 bs=1
(check I actually did that right)
lawrence$ hexdump -C test.zip |more
00000000 50 4b 03 04 14 00 00 00 08 00 3a 2e 87 3b 3b e7 |PK........:..;;.|
00000010 b8 16 03 cb 0b 00 bc d9 18 00 09 00 00 00 6c 69 |..............li|
Unfortunately this didn’t unzip.
However…
zipinfo test.zip
Archive: test.zip 1350519 bytes 1 file
-rw------- 2.0 fat 1628604 b- defN 7-Dec-09 05:49 linux.bin
1 file, 1628604 bytes uncompressed, 772867 bytes compressed: 52.5%
Says there is a valid zip file there, so we’re getting somewhere. It should be something like 772867 bytes + whatever Zip header / footer file bits in size.
If we take a look at the Zip file format, it says that the end of directory (aka end of zip file) marker is 0x06054b50
ZIP end of central directory record
Offset Bytes Description[4]
0 4 End of central directory signature = 0x06054b50
4 2 Number of this disk
6 2 Disk where central directory starts
8 2 Number of central directory records on this disk
10 2 Total number of central directory records
12 4 Size of central directory (bytes)
16 4 Offset of start of central directory, relative to start of archive
20 2 ZIP file comment length (n)
22 n ZIP file comment
If we search the file for that, we get:
000bcb70 78 2e 62 69 6e 50 4b 05 06 00 00 00 00 01 00 01 |x.binPK………|
So, from our Start PK 03 04 through to PK 05 06 we’re at position 0×14 through 0x0bcb79
If we write that out now –
dd if=lr_cmos_11_14_1_46.bin of=test.zip skip=0×14 bs=1 count=0x0bcb79
Then try unzip test.zip – we have a winner!
lawrence$ unzip test.zip
Archive: test.zip
inflating: linux.bin
lawrence$ ls -al test.zip
-rw-r--r-- 1 lawrence staff 772985 Apr 30 03:28 test.zip
lawrence$ ls -al linux.bin
-rw-------@ 1 lawrence staff 1628604 Dec 7 05:49 linux.bin
So, we know that the file has a header, then a zip file (which uncompresses to linux.bin, and has our linux binary), then more data.
If we take a look at what follows – ie the rest of the data in the original file after the end of the zip, it doesn’t look compressed
000bcb79 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |……..7…*…|
000bcb89 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-……|
000bcb99 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|
000bcba9 00 00 00 00 00 49 00 00 00 20 00 00 00 00 d1 ff |…..I… ……|
000bcbb9 ff 97 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbc9 00 00 00 00 00 60 00 00 00 20 00 00 00 00 d1 d1 |…..`… ……|
000bcbd9 ff 80 2e 2e 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbe9 00 00 00 00 00 c9 00 00 00 80 00 00 00 00 8c 88 |…………….|
000bcbf9 9d 47 73 77 61 70 00 00 00 00 00 00 00 00 00 00 |.Gswap……….|
…
000bd969 50 7d 64 68 63 70 63 00 00 00 00 00 00 00 00 00 |P}dhcpc………|
000bd979 00 00 62 46 4c 54 00 00 00 04 00 00 00 40 00 01 |..bFLT…….@..|
000bd989 11 70 00 01 37 60 00 01 50 e8 00 00 28 00 00 01 |.p..7`..P…(…|
000bd999 37 60 00 00 02 b5 00 00 00 05 00 00 00 00 00 00 |7`…………..|
000bd9a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bd9b9 00 00 1f 8b 08 00 f4 6b 45 3f 02 03 dc 5b 0f 70 |…….kE?…[.p|
000bd9c9 14 d7 79 7f bb 77 a7 bf 07 9c fe f0 c7 48 a0 95 |..y..w.......H..|
000bd9d9 50 88 5c 23 b3 02 19 64 23 e0 84 30 76 72 b8 9c |P.\#...d#..0vr..|
000bd9e9 31 50 6c 2b 58 06 d7 25 84 d6 ea 80 6d 02 8c 7d |1Pl+X..%....m..}|
000bd9f9 48 02 64 17 b0 00 91 12 17 fb b6 29 ed 60 86 c6 |H.d........).`..|
000bda09 4c aa 74 34 0e 71 0e 90 03 d3 d2 54 fc 51 87 30 |L.t4.q.....T.Q.0|
In fact it looks like more files...
bFLT is our flat ELF header..., and the other bits in-between look suspiciously like more files, and folders.
So, we probably have a filesystem in there.
Its late, and thats all for today, but it looks like we might even get to play around with both the linux image and the web UI image.
Just had another thought though - if you recall, our romfs size was 0x0008D000
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a
What do we see here - in our header? 00000010 00 d0 08 00
00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|
Seem to have a match, no? 0x 08 d0 00
I'm going to bet that our 0x 00 0b cb 77 also has some meaning too in our header 20 bytes, especially as the linux.bin zip file size is close to that at 0x00 0b cb 79.
Its highly probable I've miscounted something with the offset, and thats going to turn out to be the zip file size.
Now I've gotten this far, I'm too excited to go to sleep (its 4am here now!)
Lets try the filesystem from where we left off (aka from 0x0bcb79)
dd if=lr_cmos_11_14_1_46.bin of=unsure_what_filesystem.img skip=0x0bcb79 bs=1
mount -r unsure_what_filesystem.img
mount: unsure_what_filesystem.img: unknown special file or file system.
Nope.
Kyle's blog comment has this gem in
however the ‘-romfs-’ tag is offset by 0×14
so I used the line
fx 6 romfs.img 0x7f0a0000 0x7f0a0014 -a
the system then rebooted correctly…”
Lets use that as the start.
hexdump -C unsure_what_filesystem.img |more
00000000 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |........7...*...|
00000010 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-......|
00000020 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|
-rom1fs- starts at position 0x12 [which is another indicator that I'm off by 2 bytes somewhere - as they mention 0x14 bytes, and the 12bytes prefix I have prior to the -rom1fs- are going to be from our second file header, I'll bet...
0x0bcb79 - 2 = 0x0bcb77, which is what the previous header said, so that really makes me think thats the filesize now!
Our ROMFS works out to be 577 536 bytes, which is 0x8D000, which is also what the boot loader said, so getting a lot of good confirmation on these figures!]
Write that out to another file:
dd if=unsure_what_filesystem.img of=still_unsure.img skip=0×12 bs=1
Still doesn’t mount on my Mac, however, some more googling for rom1fs uclinux got me here
http://romfs.sourceforge.net/
Which specifically mentions –
Embedded projects using romfs
uClinux, the microcontroller Linux, is a port of the kernel, and selected user-space programs to capable, embedded processors, like some “smaller” Motorola m68k, and ARM systems.
ROMFS looks like:
offset content
+—+—+—+—+
0 | – | r | o | m | \
+—+—+—+—+ The ASCII representation of those bytes
4 | 1 | f | s | – | / (i.e. “-rom1fs-”)
+—+—+—+—+
8 | full size | The number of accessible bytes in this fs.
+—+—+—+—+
12 | checksum | The checksum of the FIRST 512 BYTES.
+—+—+—+—+
16 | volume name | The zero terminated name of the volume,
: : padded to 16 byte boundary.
+—+—+—+—+
xx | file |
: headers :
struct romfs_super_block
{
__u32 word0;
__u32 word1;
__u32 size;
__u32 checksum;
char name[0]; /* volume name */
};
Which looks to be a *very* good match for what that header has!
So, its in ROMFS format from the -rom1fs- start header.
(Mostly from here – http://zhwen.org/?p=articles/romfs)
Unfortunately my OSX box appears to be missing romfs support, so I can’t check it without going back to the office.
mount -o loop -t romfs still_unsure.img /mnt
mount: exec /System/Library/Filesystems/romfs.fs/Contents/Resources/mount_romfs for /mnt: No such file or directory
Booted up my Debian VM, and tried again.
debian:/mnt/hgfs/FI8908,FI8908W# mount -o loop -t romfs still_unsure.img /mnt/test -r
debian:/mnt/hgfs/FI8908,FI8908W# cd /mnt/test/
debian:/mnt/test# ls -al
total 4
drwxr-xr-x 1 root root 32 1969-12-31 18:00 .
drwxr-xr-x 4 root root 4096 2010-04-29 16:19 ..
drwxr-xr-x 1 root root 32 1969-12-31 18:00 bin
drwxr-xr-x 1 root root 32 1969-12-31 18:00 dev
drwxr-xr-x 1 root root 32 1969-12-31 18:00 etc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 flash
drwxr-xr-x 1 root root 32 1969-12-31 18:00 home
drwxr-xr-x 1 root root 32 1969-12-31 18:00 proc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 swap
drwxr-xr-x 1 root root 32 1969-12-31 18:00 usr
We have a winner!
Full file listing below:
.
|-- bin
| |-- camera
| |-- dhcpc
| |-- ifconfig
| |-- init
| |-- iwconfig
| |-- iwpriv
| |-- mypppd
| | |-- chap-secrets
| | |-- options
| | |-- pap-secrets
| | `-- pppd
| |-- route
| |-- rt73.bin
| |-- sh
| |-- wetctl
| `-- wpa_supplicant
|-- dev
| |-- console
| |-- display
| |-- dsp -> dsp1
| |-- dsp0
| |-- dsp1
| |-- fb0
| |-- hda
| |-- hda1
| |-- hda2
| |-- hdb
| |-- i2c0
| |-- i2c1
| |-- key
| |-- keypad
| |-- lp0
| |-- mixer -> mixer1
| |-- mixer0
| |-- mixer1
| |-- mouse
| |-- mtd0
| |-- mtd1
| |-- mtdblock0
| |-- mtdblock1
| |-- nftlA1
| |-- nftla
| |-- null
| |-- ppp
| |-- ppp1
| |-- ptmx
| |-- pts
| |-- ptyp0
| |-- ptyp1
| |-- ptyp2
| |-- ptyp3
| |-- ptyp4
| |-- ptyp5
| |-- ptyp6
| |-- ptyp7
| |-- ptyp8
| |-- ptyp9
| |-- ptz0
| |-- rom0
| |-- rom1
| |-- rom2
| |-- sda
| |-- sda1
| |-- sda2
| |-- sdb
| |-- sdb1
| |-- sdb2
| |-- smartcard0
| |-- smartcard1
| |-- tty
| |-- tty1
| |-- ttyS0
| |-- ttyS1
| |-- ttyS2
| |-- ttyS3
| |-- ttyp0
| |-- ttyp1
| |-- ttyp2
| |-- ttyp3
| |-- ttyp4
| |-- ttyp5
| |-- ttyp6
| |-- ttyp7
| |-- ttyp8
| |-- ttyp9
| |-- urandom
| |-- usb
| | |-- lp.sh
| | |-- lp0
| | |-- lp1
| | |-- lp2
| | |-- lp3
| | |-- lp4
| | |-- lp5
| | |-- lp6
| | |-- lp7
| | |-- lp8
| | `-- lp9
| |-- usi
| |-- video0
| `-- video1
|-- etc
|-- flash
|-- home
|-- proc
|-- swap
|-- usr
`-- var
`-- run
13 directories, 97 files
While I obviously can’t run any binaries locally, I can look at the text files to confirm that the ROMFS hasn’t just gotten the filesystem correct.
debian:/mnt/test/bin# cat init
mount -t proc none /proc
mount -t ramfs none /usr
mount -t ramfs none /swap
mount -t ramfs none /var/run
mount -t ramfs none /etc
mount -t ramfs none /flash
mount -t ramfs none /home
camera&
sh
debian:/mnt/test/bin# file camera
camera: BFLT executable - version 4 ram gzip
Looking *very* good.
Thats all for tonight, but it looks like we can easily add bits to the firmware using genromfs, dd, and a hex editor, or just genromfs, and someone willing to test a rebuilt user rom with an extra binary. Probably going to be telnetd as ssh requires a kernel recompile 
Next step, actually doing that, and testing.
I’m definitely going to bed now – its 5:30am.
Tomorrow is a holiday though (in China), so happy May holidays!
Do you like this article? Share It!
12 Comments to “IP Cam Hacking – pt#4”
Post comment
Archives
- May 2012
- April 2012
- March 2012
- December 2011
- November 2011
- October 2011
- September 2011
- July 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
Categories
- Apple
- Arcade Machines
- Badges
- BMW
- China Related
- Cool Hunting
- Exploits
- Firmware
- Food
- General Talk
- government
- IP Cam
- iPhone
- Lasers
- legislation
- MODx
- MySQL
- requirements
- Reviews
- Service Issues
- Tao Bao
- Technical Mumbo Jumbo
- Things that will get me censored
- Travel
- Uncategorized
- Useful Info
Most Popular Posts
- Samsung N310 (Samsung Go) Hackintosh Installation on Snow Leopard (11712)
- IPCam Hacking - pt#2 (9303)
- eFrontWPI - Wordpress integration Plugin for eFront (7577)
- BMW Keys and Transponders E36 E38 E46 etc (EWS2) (7131)
- IP Cam Hacking – pt#5 (6178)
Tags
Recent Comments
-
HenryX: If you have any problems about motocycle , I can answer you. I am a local Shanghaier with a 5 years’...
-
Johnny E: Hi Lawrence.. i have a 1999 Bmw E46 320i, i had to change the engine because it was broken, and now i...
-
Lawrence Sheed: Zoneminder is a video monitoring capture system. I have an IP Camera pointed at the entrance, and...
-
Shaun Wallace: That is pretty cool, and cheap too! I may order one thanks to your recommendation. What is zone...
-
Hector: My country doesn’t require a license for MOPEDS & no highway sticker. Liability and the cost of...
Recent Trackbacks
- eFront Blog: 5 things you (perhaps) don’t know about eFront
- SISTEMAS O.R.P: Recuperar una cámara Zaapa CIP-RW después de un fallo de actualización
- Blog - DO Bots: Brookstone Rover AC13
- How can I stop Pop3 Brute Force attacks: need to create a regex, and add it to fail2ban Here is a guide....
- shanghailoz is our latest member! -:
PHOTOSTREAM
Following the hacking of the Foscam with interest
keep up the good work
Very interesting research… I’m working with the same IpCam model from an HK supplier.
Wondering if you could change/add another DDNS providers to the list.
One question… where are the cgi’s files located?
Take care with your cam, another guy get a bricked one when he put an altered firmware.
Its one monolithic binary, so the http and cgi and video stuff is all run from a runtime called camera.
I’m not worried about bricking at all. I have jtag access, and the bootloader is fairly userfriendly.
I guess I really need to dive into this again, I did get quite far last time.
For others that have read what I have done so far – the xyz axis motors are controlled by i/o pins directly, and not i2c.
hi lawrance ,did you get anywhere with the web interface on the clone foscam ???
thanks Dave
You don’t even need to look at the file with a hex editor. You can analyze most firmware images with a forensic/data recovery tool (i recommend foremost).
Running foremost over the image returns a .zip file and a file audit.txt that lists the file offset and size…
Anyway, thank you very much for this description! I’m currently doing a little reverse engineering of my own and this has helped me to extract the romfs (foremost didn’t reveal that one)
I disagree. I think you most definitely do need to look over files in a hex editor if you don’t know whats going on.
Check the work I did on the keychain firmware – http://www.computersolutions.cn/blog/2010/08/firmware-hackery-on-keychain-spycams-ak36xx-based/
I’m pretty sure foremost wouldn’t give me that level of detail. Tools are good, but you need to learn when and how to use them.
I’m by no means good at this, I just dabble, but its not that hard to do, and its fun to work out how things are made.
I just got my 8908w clone from dx yesterday, I attempted to flash to the latest foscam firmware and ended up bricking it.
I hooked up the jtag. It looks like I have the one with the smaller flash/ram.
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Aug 19 2009
Memory Size is 0×1000000 Bytes, Flash Size is 0×200000 Bytes
I started following the directions to recover it (11.14.1.37). I was able to flash the main and linux.zip no problem. rebooted fine. Then I tried loading the webui through the ipcam tool. It loaded, but the ipcam tool never saw it again. I rebooted the camera and it pops back up in the ipcamtool, but still says no webui detected. I tried updating it again, and watched the terminal this time. Right after flashing, some stuff pops up in the terminal then this code pops up and locks up the camera.
“Code: 4282c004 4a00001b (e4913004) e4a03004 e1a0ca00 ”
I tried web versions from 2.4.8.8 – 2.4.8.14
I tried for hours last night trying various firmwares and addresses. Has anyone successfully flashed a 8908 with the smaller memory/flash?
If so, what address and firmware did you use?
Trying to reproduce your results on a different bin (foscam FI8918W lr_cmos_11_22_2_30.bin) I noticed a few errors/difference. For one, my ubuntu 10.10 ubuntu doesn’t like hexadecimal input. What does work however, in bash anyhow, is using skip=$((0×14)) to get to byte 20.
Also, you mention the ZIP end of central directory record and your count being off somewhere? (Or atleast you mentioned it in some of your great posts).
The problem lies with the end of central directory record. At first, you just use the PK 05 06 marker and cut the zip file there. My unzip also doesn’t work on that. Creating a test zip file, I notice after the PK 05 06 marker all the other fields, about 18 bytes worth e.g. a full header without the comment bits. My offset is off by 2 bytes however. They reserve 4 bytes, but only 2 are used (mostly due to it being 0 maybe?) dd-ing the firmware and including the entire end of record yields us with a properly ending zipfile that zip will eat. Starting from exactly that byte, is also the exact start of the romfs marker (-romfs-).
Just an FYI I’d thought I mention
In case i read over it, I’m confirming what you saw 
@oliver.
Don’t forget, when I wrote this, it was in the early am, so you may get some weird math errors, it was late, and I really should have been sleeping when i wrote it up.
On another note, I’ve setup a website at http://www.openipcam.com which I’m busy adding updates to. Suggest register, and start adding info there.
Lawrence.
Your article help me on getting into the firmware for my linux embedded surveillance DVR, Avermedia eb1304. Avermedia will not give me the source code. It is a very good product and I have installed tons of them in businesses.Thanks! Hey need an installer\tech in China?