IP Cam Hacking – pt#6
I’ve uploaded a zip of my built test image here. I’ve only included telnetd and ftpd, as the sshd binary is very large and won’t fit into our ROM image space!
If someone is willing to test, feel free.
Test Rom with FTPD and TELNETD binaries added
This ROM is roughly 700 KB vs the normal 550 KB, so it may or may not overwrite the web UI.
As China’s firewall is being particularly obnoxious this week about what I can view on the web, I can’t actually get to the info I need to see where they typically write the UI to in ROM.
In theory, we should be able to write to the same base address via the boot loader.
The original ROM is written here:
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a
And I’m pretty sure that the UI gets written somewhere after this, and not as a separate image. I’d have to run Windows and a sniffer to test this though (using their firmware update software).
Our boot logs show that the Linux blkmem driver is set to view the whole area from 0x7F0E0000 through to 0x7F16D3FF, so we should easily have 200 KB to waste^Hplay with.
From my boot logs:
Blkmem 1 disk images:
0: 7F0E0000-7F16D3FF [VIRTUAL 7F0E0000-7F16D3FF] (RO)
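Before sending a rebuilt image with fx 6, it is worth checking it against the window the boot log reports, since an image that overruns the window (or is flashed at the wrong base) is the usual way to end up with a camera that only reboots. The following is an added example, not code from the post: the two log lines are copied from the post, and the 700 KB figure is the post’s own estimate of the test image.

```python
"""Check a rebuilt romfs.img against the flash window the NUC745 boot log
reports, before flashing it with `fx 6 ...` over the serial bootloader.
Added example; the sample log lines are copied from the post."""
import re

# Bootloader image-table entry for the original romfs.img (from the post).
IMAGE_LINE = "Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a"
# uClinux Blkmem line from the boot log (from the post); the end address is inclusive.
BLKMEM_LINE = "0: 7F0E0000-7F16D3FF [VIRTUAL 7F0E0000-7F16D3FF] (RO)"

IMAGE_RE = re.compile(
    r"Image:\s*(\d+)\s+name:(\S+)\s+base:0x([0-9a-f]+)\s+size:0x([0-9a-f]+)\s+exec:0x([0-9a-f]+)",
    re.IGNORECASE)
BLKMEM_RE = re.compile(r"^\s*\d+:\s*([0-9a-f]+)-([0-9a-f]+)", re.IGNORECASE)


def parse_image(line):
    """Return (index, name, base, size, exec) from a bootloader image-table line."""
    m = IMAGE_RE.search(line.replace("\u00d7", "x"))  # tolerate '0×' from pasted logs
    if not m:
        raise ValueError("not an image table line: %r" % line)
    idx, name, base, size, entry = m.groups()
    return int(idx), name, int(base, 16), int(size, 16), int(entry, 16)


def parse_blkmem(line):
    """Return (start, length) of the Blkmem window; the log prints an inclusive end."""
    m = BLKMEM_RE.match(line)
    if not m:
        raise ValueError("not a Blkmem line: %r" % line)
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    return start, end - start + 1


def check_fit(image_len, image_base, window_start, window_len):
    """Return the bytes left in the window after the image; negative means it does not fit.

    Refuses an image whose base differs from where the kernel maps the romfs,
    because the kernel would then mount garbage and reboot in a loop.
    """
    if image_base != window_start:
        raise ValueError("base 0x%X != blkmem start 0x%X" % (image_base, window_start))
    return window_len - image_len


if __name__ == "__main__":
    _, name, base, size, _ = parse_image(IMAGE_LINE)
    start, length = parse_blkmem(BLKMEM_LINE)
    print("%s: window 0x%X bytes, original image 0x%X bytes, spare %d bytes"
          % (name, length, size, check_fit(size, base, start, length)))
    print("700 KB test image: spare %d bytes" % check_fit(700 * 1024, base, start, length))
```

Run it after substituting your own camera’s image-table and Blkmem lines; a negative result means the image should be trimmed before it goes anywhere near fx.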
Ostensibly, this should be a matter of going to the bootloader over serial, then uploading our img file.
I suggest renaming testrom.img to romfs.img to be consistent.
It should be something like this:
bootloader > del 6
(delete the current romfs.img)
bootloader > fx 6 romfs.img 0x7f0e0000 0x7f0e0000 -a
Waiting for download
Press Ctrl-x to cancel … (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my ROM image)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Flash programming …
bootloader> boot
Then see what happens in the logs.
It should boot, then attempt to run telnetd and ftpd.
That probably WON’T work just yet, as they’ll complain about missing /etc/ config files.
You might also be missing the UI (as I think this gets written somewhere after our romfs.img in flash).
Send me the serial logs in the comments, and I can fix that up, and repackage.
I also know why the alleged clones (NB they’re not f..king clones sigh, they’re all made by 1 manufacturer here for different people, including FOSCAM) don’t work. The linux.bin for older firmware is set to boot from 0x7f0D0000 as opposed to 0x7f0e0000, so image 6 and 7 both need to be reflashed.
Also of note is that the newer units have gone cheaper, and use 2M flash, previous units had 4M.
uClinux reports 8M, but it’s not talking about flash, just RAM.
Be prepared to brick (not completely, as we have a bootloader, and can reflash the original firmware) if it doesn’t work.
If my rom above doesn’t work initially for you, try flashing this linux.zip before reverting, and see if that helps it boot.
e.g.:
bootloader> del 7
bootloader> fx 7 linux.zip 0x7f020000 0x8000 -acxz
Waiting for download
Press Ctrl-x to cancel ... (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my linux.zip)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Flash programming ...
bootloader> fx 6 romfs.img 0x7f0e0000 0x7f0e0000 -a
Waiting for download
Press Ctrl-x to cancel ... (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my ROM image)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Flash programming ...
Why aren’t I doing this?
Mostly because I don’t currently have a good serial connection; I’m waiting on headers. Currently I have to hold the serial ports onto the board with my fingers, and that’s less than reliable!
I should get around to fixing that soonish though, I’m interested in testing this myself…
I’d also appreciate the French contingent adding some info. I’m particularly interested in paillassou’s board photos, and any other firmware people have found for these so I can compare.
I can’t get to Picasa, GadgetVictims, IrishJesus now in China. Grrr.
Yes, I know, use a VPN or proxy… Unfortunately what we do precludes doing so, as I’d probably get told off by our beloved government here, and that’s not worth the risk…
Comments please.
122 Comments to “IP Cam Hacking – pt#6”
Maybe I have found a solution!! I hope that my tool is going to work, will keep you posted:
http://blog.morrison.nl/2011/01/foscam-clone-recovery-tool/
Hi and happy new year !
here : http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/IndustrialIC/ARMMicrocontroller/ARMMicrocontroller/Pages/default.aspx
They write that there is 2 sdk for the nuc745 :
Normal release : uClinux 2.4.20
Conditional release : uClinux 2.6.9
I presume the first one is the one we use, but what about the second?
Do you know something about it Lawrence?
I’ve never found something useful concerning the 2.6 kernel for our NUC745 boards…
I have no idea what is happening!! I have completed a dump from a working camera; the linux.zip file seems to be OK because I can unzip it and I get a linux.bin file, but the romfs.img I can’t verify because I don’t have any reference. I have flashed the firmware from a working camera onto the bricked device… and STILL the device keeps rebooting!!! These are the last lines:
set brightness 100
set contrast 4
set sharpness 3
set mode 0
__pthread_initial_thread_bos:35c000
manage pid:16
2
2
2
2
2
2
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth0
[29]
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
myreboot
I have 2 bricked cameras, both with the same result, so it is not a hardware failure!
I really am out of options now
I have zipped my tool and posted it here:
http://blog.morrison.nl/2011/01/foscam-clone-recovery-part-2/
It doesn’t work for me, but maybe for others.
Hi Everybody !
Pls help me.
I’m still looking for a working dump for my camera ….
Text On my PCB: IPCAM_PT2_V3.3f_sc
http://rftech.hu/IPCAM/myPCB.jpg
http://rftech.hu/IPCAM/Log
Relay clicks ON, after OFF, and reboot
If sdy has the same (and it’s still working)
pls make a full dump with Ramon’s tool
maybe it can help me.
Thanks in advance!
Robert
Hope this can help someone :
I am a newbie and found this forum very interesting. I also have a bricked Foscam clone camera,
and tried to restore the romfs.img and linux.zip files taken from the archive called “IP607_Final” with the updated memory addresses. Everything has gone OK, but during the rebooting of the camera I get this error: ”ntpc.c can not resolve ip address time…ecc,ecc”. Of course IPCAMERA_tool does not find the camera via the ethernet port (or wireless). Also pressing the reset button does not fix it. So I ask: where is my error? I also tried re-flashing the 2 files. Thanks
hi
i have the same problem. i bought the exact same cam and restored the images from that cam to the broken one but still the same error. img 0 its size says 0x00000048 and on the correct one it’s 0x00000038; also the size of img7 is different: on the working cam it’s 0x000aaa18 and on the broken one it’s 0x000aaa00
is the flash broken or what is the problem??
thx
user error is the problem..
go to openipcam.com and ask me there for help, have moved discussions on this topic there.
Hello
please help me!!
I need linux.zip and romfs.img to restore my cam. I had tried the maygion file but it’s not working; can somebody help me??? I see on my cam IPCAM_PT2_v3.3F_sc. I made a mistake after upgrading the firmware.
i have tried romfs.img too and receive the i2c error
Try the latest Apexis J011 FW (sth like this 17.22.2.36)
It’s too big, so u won’t be able to upload any WebUI, but
the IP Cam Tool will see your camera.
Then u should use the tool and upload one of them
Apexis J011 FW 0.11.1.46 WebUI 18.6.3.12
or
Heden FW 0.23.2.18 WebUI 0.3.2.5