Apr
30

IP Cam Hacking – pt#5

Lawrence Sheed // 30 Apr 2010 // 14 Comments

So far in this series, we’ve learnt a few things.
First, is that this hardware is quite nice for hacking purposes, as they’ve left the uBoot in a nice state, and have easily accessible debug ports.
Second is that doing this kind of thing isn’t really that complicated, and can be quite fun.

We’re pretty much ready to start doing our own coding, as we know how the images are packed, and we can use the uBoot to either flash onl the romfs on or own, or alternately roll a complete linux + romfs binary image.

For that, we’ll need to be ready to roll up our sleeves, and actually do some development (finally!).

Getting a development environment setup is our next step, as we’re ready to test out adding binaries.

I’m using Debian, but most Linux environments should be similar. OSX is BSD based, and more of a pain due to Apple not putting everything needed in the normal places, so I’m doing this in a VM on my Macbook under Debian.

Go grab a copy of “NUC700 Series MCU uCLinux BSP.zip” from here http://www.metavert.com/public/NO-SUPPORT/

Setup a VM for Debian (not going to cover that) or install Debian or similar.

Copy the zip file to /home in the OS you use.

cd /home mkdir N745 cd N745 unzip ../NUC700\ Series\ MCU\ uCLinux\ BSP.zip

You should now see something like this:

:/home/N745/NUC700 Series MCU uCLinux BSP# ls -al total 68 drwxr-xr-x 6 root root 4096 2009-05-15 20:02 . drwxr-xr-x 3 root root 4096 2010-04-30 02:23 .. drwxr-xr-x 3 root root 4096 2009-05-15 20:06 bootloader drwxr-xr-x 2 root root 4096 2009-05-15 20:03 bsp drwxr-xr-x 2 root root 4096 2009-05-15 20:02 doc drwxr-xr-x 4 root root 4096 2009-05-15 20:02 mkrom -r--r--r-- 1 root root 44632 2009-03-27 11:49 NUC700 uClinux BSP Release Note.pdf debian:/home/N745/NUC700 Series MCU uCLinux BSP#

Unfortunately the build *really* doesn’t like long filenames, so lets move all this to the N745 folder, and get rid of the annoyingly named folder.

/home/N745/NUC700 Series MCU uCLinux BSP# mv * .. /home/N745/# cd .. /home/N745/# rm -r NUC700\ Series\ MCU\ uCLinux\ BSP/

We still need to unzip the BSP, as its compressed, so go into bsp

/home/N745/# cd bsp /home/N745/bsp# tar -xzvf NUC700BSP.tar.gz NUC700BSP/ NUC700BSP/arm_tools.tar.gz NUC700BSP/install.sh NUC700BSP/arm_tools_3.3.tar.gz NUC700BSP/build.tar.gz NUC700BSP/applications.tar.gz NUC700BSP/uClinux-dist.tar.gz

Yay, yet another bloody subdirectory. Sigh.

/home/N745/bsp# cd NUC700BSP debian:/home/N745/bsp/NUC700BSP# ls -al total 183300 drwxr-xr-x 2 shanghaiguide shanghaiguide 4096 2009-03-26 22:38 . drwxr-xr-x 3 root root 4096 2010-04-30 02:29 .. -rw-r--r-- 1 shanghaiguide shanghaiguide 29521418 2009-03-26 21:55 applications.tar.gz -rw-r--r-- 1 shanghaiguide shanghaiguide 43742203 2009-03-26 21:22 arm_tools_3.3.tar.gz -rw-r--r-- 1 shanghaiguide shanghaiguide 36108739 2009-03-26 21:11 arm_tools.tar.gz -rw-r--r-- 1 shanghaiguide shanghaiguide 5643452 2009-03-26 21:24 build.tar.gz -rwxr--r-- 1 shanghaiguide shanghaiguide 4370 2009-03-26 22:31 install.sh -rw-r--r-- 1 shanghaiguide shanghaiguide 72439431 2009-03-26 20:53 uClinux-dist.tar.gz debian:/home/N745/bsp/NUC700BSP#

Run the install – I’ve decided to install the whole shebang to /home/N745

Note – The observant amongst you will notice I’m running this as root.
This is NOT recommended. I’m running under a VM solely created to play with this, so I don’t really care if I break it (as I can roll back to the initial install image fairly easy in vmware). Don’t do this yourselves (unless you want to break things).

debian:/home/N745/bsp/NUC700BSP# ./install.sh firstly install arm_tools.tar.gz -->/usr/local/ wait for a while successfully finished installing arm_tools.tar.gz now begin to install build.tar.gz,applications.tar.gz and uClinux-dist.tar.gz Please enter your absolute path for installing build.tar.gz, applications.tar.gz and uClinux-dist.tar.gz: /home/N745 /home/N745 has existed please wait for a while, it will take some time whole installation finished successfully! debian:/home/N745/bsp/NUC700BSP#

We finally have our build environment unzipped, and its sitting in nuc700-uClinux.

debian:/home/N745# cd nuc700-uClinux/ debian:/home/N745/nuc700-uClinux# ls -al total 24 drwxr-xr-x 6 root root 4096 2010-04-30 02:31 . drwxr-xr-x 7 root root 4096 2010-04-30 02:31 .. drwxr-xr-x 7 root root 4096 2009-03-25 00:44 applications drwxr-xr-x 2 root root 4096 2009-03-26 21:23 image drwxr-xr-x 12 root root 4096 2009-03-26 04:54 romdisk drwxr-xr-x 10 root root 4096 2009-03-26 06:50 uClinux-dist debian:/home/N745/nuc700-uClinux#

uClinux-dist has the default binaries we want, plus we need to configure the kernel, so lets visit there first (the more adventurous can look at the other folders)

debian:/home/N745/nuc700-uClinux# cd uClinux-dist/ debian:/home/N745/nuc700-uClinux/uClinux-dist# ls -al total 84 drwxr-xr-x 10 root root 4096 2009-03-26 06:50 . drwxr-xr-x 6 root root 4096 2010-04-30 02:31 .. drwxr-xr-x 2 root root 4096 2009-01-22 23:27 bin drwxr-xr-x 3 root root 4096 2009-03-26 06:50 config -rw-r--r-- 1 root root 18007 2009-01-22 23:29 COPYING drwxr-xr-x 3 root root 4096 2009-01-22 23:27 Documentation drwxr-xr-x 11 root root 4096 2009-01-22 23:29 freeswan drwxr-xr-x 5 root root 4096 2009-01-22 23:29 lib drwxr-xr-x 15 root root 4096 2009-03-26 06:50 linux-2.4.x -rw-r--r-- 1 root root 3228 2009-01-22 23:28 MAINTAINERS -rw-r--r-- 1 root root 7977 2009-01-22 23:27 Makefile -rw-r--r-- 1 root root 4935 2009-01-22 23:29 README -rw-r--r-- 1 root root 1654 2009-01-22 23:29 SOURCE drwxr-xr-x 158 root root 4096 2009-01-22 23:28 user drwxr-xr-x 4 root root 4096 2009-03-12 03:54 vendors debian:/home/N745/nuc700-uClinux/uClinux-dist#

Looks like it should be fairly easy, right?
Wrong.

The default build doesn’t work. Why would it be that easy.

You’ll end up with issues like:

entry-armv.S:782: Error: Internal_relocation (type 210) not fixed up
(OFFSET_IMM)
entry-armv.S:784: Error: Internal_relocation (type 208) not fixed up
(IMMEDIATE)

So, we need to make sure we start off fresh.
Also, note that we’re building for an N745 cpu, so we’ll need to configure that at the make config stage.
Lastly, and EXTREMELY important, is that we’ll need to put our required tools in the path.

DO NOT FORGET TO DO THIS
sample PATH below:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/arm_tools/bin

debian:/home/N745/nuc700-uClinux/uClinux-dist# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/arm_tools/bin


debian:/home/N745/nuc700-uClinux/uClinux-dist#make clean
Now we have a choice - Recommend use make xconfig if possible.

You need to  have a GUI, and have tk installed.  (apt-get install tk)

Otherwise run make config, and run through the tediously large amount of questions
OPTION#preferred
debian:/home/N745/nuc700-uClinux/uClinux-dist#make xconfig     
OPTION#not recommended
debian:/home/N745/nuc700-uClinux/uClinux-dist# make config

config/mkconfig > config.in

#

# No defaults found

#

*

* Target Platform Selection

*

*

* Choose a Vendor/Product combination.

*

Vendor/Product (nuvoton/nuc710, nuvoton/nuc740, nuvoton/nuc745) [nuvoton/nuc710] (NEW) nuvoton/nuc745
[For the rest, I used the defaults (except for the Network Tools questions, which I said Y to all)]
Continue here from whatever menu (x)config you used.
debian:/home/N745/nuc700-uClinux/uClinux-dist#make oldconfig
[Needed, or compile doesn't work]
debian:/home/N745/nuc700-uClinux/uClinux-dist#make dep

[A gazillion pages of info later, we have a build environment!]

We’re finally ready to use our weapon of mass destruction.

debian:/home/N745/nuc700-uClinux/uClinux-dist#make ...

It should compile without issue.

Next step is to mount our created rom image, and copy the binaries off, or just go to the compiled folders, and get the binaries.

I’ve done this step already, and have a zip file of a few useful files ready.

-rwxr-xr-x 1 root root 110888 2010-04-30 03:50 ftpd
-rwxr-xr-x 1 root root 55164 2010-04-30 03:52 ping
-rwxr-xr-x 1 root root 1201904 2010-04-30 03:51 ssh
-rwxr-xr-x 1 root root 1219864 2010-04-30 03:51 sshd
-rwxr-xr-x 1 root root 118004 2010-04-30 03:45 telnet
-rwxr-xr-x 1 root root 45460 2010-04-30 03:45 telnetd

file *
ftpd: BFLT executable – version 4 ram
ping: BFLT executable – version 4 ram
ssh: BFLT executable – version 4 ram
sshd: BFLT executable – version 4 ram
telnet: BFLT executable – version 4 ram
telnetd: BFLT executable – version 4 ram

Download that here – arm7-nettools

All we need to do now is mount our romfs image, unzip the arm7-nettools.zip, copy the arm7 bFLT binaries over to bin, add telnetd, sshd, and ftpd to our /bin/init, and rebuild by running genromfs on our filesystem.

We can then finally flash our new romfs, and test it out.

Don’t forget that romfs is a read only file system, so we can’t modify it by mounting it. We need to mount, copying everything to elsewhere, do our required bits and pieces, then rebuild.

eg

mount -o loop -t romfs still_unsure.img /mnt/test -r

mkdir /mnt/new
cd /mnt
rsync -arv /mnt/test/ new
cd new/bin
wget http://www.computersolutions.cn/blog/wp-content/uploads/2010/04/arm7-nettools.zip
unzip arm7-nettools.zip
rm arm7-nettools.zip

[We need to also edit init]
pico init

Add

sshd&
telnetd&
ftpd&

eg –
cat init
mount -t proc none /proc
mount -t ramfs none /usr
mount -t ramfs none /swap
mount -t ramfs none /var/run
mount -t ramfs none /etc
mount -t ramfs none /flash
mount -t ramfs none /home
camera&
sshd&
telnetd&
ftpd&
sh

Change to the next directory up, and lets run genromfs

genromfs -d new -f testrom.img
debian:/mnt# ls testrom.img
testrom.img
debian:/mnt# ls -al testrom.img
-rw-r–r– 1 root root 3329024 2010-04-30 04:18 testrom.img

In theory, this should be usable (famous last words!).

Unfortunately, I can’t try testing on that at home, as all the equipment is at the office, but that should be fairly easy.

Probably also some small config issues to sort out, as ftpd, telnetd and sshd will probably choke without their related /etc/whatever config files needed, but we can sort that out via serial on the debug ports.

April 30, 2010 // IP Cam, Uncategorized // 14 Comments // Tags: arm7, debian, foscam, howto, nc745, nuvoton, uclinux

14 Comments to “IP Cam Hacking – pt#5”

user888 says:

May 3, 2010 at 12:08 am

Do you have a build with only an added ssh daemon in it? I’m a bit lazy but still want to explore the device

I have two Foscam FI8908w’s. One has a printed Foscam logo on it, seems to be newer. Wireless network also seems to be more stable and it detects wireless channel 13 (and 14 maybe also).

Reply
David M says:

May 4, 2010 at 1:55 pm

Well Guys what a result nice work to you all, i downloaded the new files from foscam for the ipcam and i tryed to flash my camera with them but it would not do it, it says wrong files or something like that , so it looks like it looks for the first 38 bytes in the camera the software is here do not flash this if you have a clone http://www.foscam.com/down/FI8908%20FI8908W/FI8908%20FI8908W%20sw%20upgrade%20package.rar

Thanks David

Reply
- Lawrence Sheed says:
  
  May 4, 2010 at 2:07 pm
  
  You would need to flash from the bootloader, not from the UI, so would need to open up your device, and add the serial headers, and use a MAX232 or similar to talk to it from a PC over serial.
  As far as I know the devices come from the same manufacturer. Foscam is one of their clients (according to the ODM – http://en.sznv.net/)
  
  I should have a flashable firmware testable in a day or two.
  
  Reply
  - David M says:
    
    May 4, 2010 at 4:43 pm
    
    that is great i can only flash the recovery file as the foscam firmware is to big i have got the rs232 serial soildered to the board thanks david m
    
    Reply
dominique says:

June 12, 2010 at 3:18 pm

Very impressed. Very great job.

I’m waiting for a max232 and a flashable firmware.
I have a dream : OpenWrt for the Foscam FI8908W…

Question :
How can i search in the linux.bin to find some function that are not documented in the cgi doc of foscam like the parameter &onestep=1, i ‘ve search in all .bin, the romfs and i did not encounter this string, i didn’t encounter the cgi binaries to.
Cheers
Dominique

Reply
- olivier says:
  
  October 1, 2010 at 10:38 pm
  
  I think that CGI are all include in the /bin/camera file
  this file can be accessible by mounting romfs.img
  I want also to add/modify some CGI
  
  Reply
  - Lawrence Sheed says:
    
    October 1, 2010 at 10:48 pm
    
    I guess you have no clue what this post is about…
    
    Reply
MethodicJon says:

August 18, 2010 at 11:51 pm

Can someone let me know where arm7-nettools.zip moved to?

Reply
- Gianxx says:
  
  September 25, 2010 at 2:54 pm
  
  bump!
  
  Reply
- Chakablinda says:
  
  December 16, 2010 at 6:15 pm
  
  Hi,
  
  Me too I’m searching arm7-nettools.zip.
  
  Question :
  After make xconfig, make dep and make, where is (his path, I follow the same actions and the same path) our romfs image created ?
  
  Thx, regards.
  
  Reply
  - Chakablinda says:
    
    December 16, 2010 at 7:00 pm
    
    Auto reply : I used this cmd : find / -name ‘*.img’ , my will is good.
    
    Reply
Warvector says:

December 15, 2010 at 1:07 am

Hello,

Nice topic, I have anything to say about the MakeFile (from nuc700-uclinux), when you use the make command if there is an error line 216, this is how to fix it : it’s linux linux_only instead of : linux linux%_only.

Regards,

Reply
leandro says:

March 24, 2011 at 8:34 am

Where can I find the files to donwload? (mainly arm7-nettools.zip)

Reply
- Lawrence Sheed says:
  
  March 26, 2011 at 2:37 pm
  
  See my http://www.openipcam.com site.
  
  Reply