Browsing all articles from April, 2010

Flattr this!

So far in this series, we’ve learnt a few things.
First, is that this hardware is quite nice for hacking purposes, as they’ve left the uBoot in a nice state, and have easily accessible debug ports.
Second is that doing this kind of thing isn’t really that complicated, and can be quite fun.

We’re pretty much ready to start doing our own coding, as we know how the images are packed, and we can use the uBoot to either flash onl the romfs on or own, or alternately roll a complete linux + romfs binary image.

For that, we’ll need to be ready to roll up our sleeves, and actually do some development (finally!).

Getting a development environment setup is our next step, as we’re ready to test out adding binaries.

I’m using Debian, but most Linux environments should be similar. OSX is BSD based, and more of a pain due to Apple not putting everything needed in the normal places, so I’m doing this in a VM on my Macbook under Debian.

Go grab a copy of “NUC700 Series MCU uCLinux” from here

Setup a VM for Debian (not going to cover that) or install Debian or similar.

Copy the zip file to /home in the OS you use.

cd /home
mkdir N745
cd N745
unzip ../NUC700\ Series\ MCU\ uCLinux\

You should now see something like this:

:/home/N745/NUC700 Series MCU uCLinux BSP# ls -al
total 68
drwxr-xr-x 6 root root 4096 2009-05-15 20:02 .
drwxr-xr-x 3 root root 4096 2010-04-30 02:23 ..
drwxr-xr-x 3 root root 4096 2009-05-15 20:06 bootloader
drwxr-xr-x 2 root root 4096 2009-05-15 20:03 bsp
drwxr-xr-x 2 root root 4096 2009-05-15 20:02 doc
drwxr-xr-x 4 root root 4096 2009-05-15 20:02 mkrom
-r--r--r-- 1 root root 44632 2009-03-27 11:49 NUC700 uClinux BSP Release Note.pdf
debian:/home/N745/NUC700 Series MCU uCLinux BSP#

Unfortunately the build *really* doesn’t like long filenames, so lets move all this to the N745 folder, and get rid of the annoyingly named folder.

/home/N745/NUC700 Series MCU uCLinux BSP# mv * ..
/home/N745/# cd ..
/home/N745/# rm -r NUC700\ Series\ MCU\ uCLinux\ BSP/

We still need to unzip the BSP, as its compressed, so go into bsp

/home/N745/# cd bsp
/home/N745/bsp# tar -xzvf NUC700BSP.tar.gz

Yay, yet another bloody subdirectory. Sigh.

/home/N745/bsp# cd NUC700BSP
debian:/home/N745/bsp/NUC700BSP# ls -al
total 183300
drwxr-xr-x 2 shanghaiguide shanghaiguide 4096 2009-03-26 22:38 .
drwxr-xr-x 3 root root 4096 2010-04-30 02:29 ..
-rw-r--r-- 1 shanghaiguide shanghaiguide 29521418 2009-03-26 21:55 applications.tar.gz
-rw-r--r-- 1 shanghaiguide shanghaiguide 43742203 2009-03-26 21:22 arm_tools_3.3.tar.gz
-rw-r--r-- 1 shanghaiguide shanghaiguide 36108739 2009-03-26 21:11 arm_tools.tar.gz
-rw-r--r-- 1 shanghaiguide shanghaiguide 5643452 2009-03-26 21:24 build.tar.gz
-rwxr--r-- 1 shanghaiguide shanghaiguide 4370 2009-03-26 22:31
-rw-r--r-- 1 shanghaiguide shanghaiguide 72439431 2009-03-26 20:53 uClinux-dist.tar.gz

Run the install – I’ve decided to install the whole shebang to /home/N745

Note – The observant amongst you will notice I’m running this as root.
This is NOT recommended. I’m running under a VM solely created to play with this, so I don’t really care if I break it (as I can roll back to the initial install image fairly easy in vmware). Don’t do this yourselves (unless you want to break things).

debian:/home/N745/bsp/NUC700BSP# ./
firstly install arm_tools.tar.gz -->/usr/local/
wait for a while
successfully finished installing arm_tools.tar.gz
now begin to install build.tar.gz,applications.tar.gz and uClinux-dist.tar.gz
Please enter your absolute path for installing build.tar.gz, applications.tar.gz and uClinux-dist.tar.gz:
/home/N745 has existed
please wait for a while, it will take some time
whole installation finished successfully!

We finally have our build environment unzipped, and its sitting in nuc700-uClinux.

debian:/home/N745# cd nuc700-uClinux/
debian:/home/N745/nuc700-uClinux# ls -al
total 24
drwxr-xr-x 6 root root 4096 2010-04-30 02:31 .
drwxr-xr-x 7 root root 4096 2010-04-30 02:31 ..
drwxr-xr-x 7 root root 4096 2009-03-25 00:44 applications
drwxr-xr-x 2 root root 4096 2009-03-26 21:23 image
drwxr-xr-x 12 root root 4096 2009-03-26 04:54 romdisk
drwxr-xr-x 10 root root 4096 2009-03-26 06:50 uClinux-dist

uClinux-dist has the default binaries we want, plus we need to configure the kernel, so lets visit there first (the more adventurous can look at the other folders)

debian:/home/N745/nuc700-uClinux# cd uClinux-dist/
debian:/home/N745/nuc700-uClinux/uClinux-dist# ls -al
total 84
drwxr-xr-x 10 root root 4096 2009-03-26 06:50 .
drwxr-xr-x 6 root root 4096 2010-04-30 02:31 ..
drwxr-xr-x 2 root root 4096 2009-01-22 23:27 bin
drwxr-xr-x 3 root root 4096 2009-03-26 06:50 config
-rw-r--r-- 1 root root 18007 2009-01-22 23:29 COPYING
drwxr-xr-x 3 root root 4096 2009-01-22 23:27 Documentation
drwxr-xr-x 11 root root 4096 2009-01-22 23:29 freeswan
drwxr-xr-x 5 root root 4096 2009-01-22 23:29 lib
drwxr-xr-x 15 root root 4096 2009-03-26 06:50 linux-2.4.x
-rw-r--r-- 1 root root 3228 2009-01-22 23:28 MAINTAINERS
-rw-r--r-- 1 root root 7977 2009-01-22 23:27 Makefile
-rw-r--r-- 1 root root 4935 2009-01-22 23:29 README
-rw-r--r-- 1 root root 1654 2009-01-22 23:29 SOURCE
drwxr-xr-x 158 root root 4096 2009-01-22 23:28 user
drwxr-xr-x 4 root root 4096 2009-03-12 03:54 vendors

Looks like it should be fairly easy, right?

The default build doesn’t work. Why would it be that easy.

You’ll end up with issues like:

entry-armv.S:782: Error: Internal_relocation (type 210) not fixed up
entry-armv.S:784: Error: Internal_relocation (type 208) not fixed up

So, we need to make sure we start off fresh.
Also, note that we’re building for an N745 cpu, so we’ll need to configure that at the make config stage.
Lastly, and EXTREMELY important, is that we’ll need to put our required tools in the path.

sample PATH below:


debian:/home/N745/nuc700-uClinux/uClinux-dist# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/arm_tools/bin

debian:/home/N745/nuc700-uClinux/uClinux-dist#make clean

Now we have a choice - Recommend use make xconfig if possible.
You need to have a GUI, and have tk installed. (apt-get install tk)
Otherwise run make config, and run through the tediously large amount of questions


debian:/home/N745/nuc700-uClinux/uClinux-dist#make xconfig

OPTION#not recommended

debian:/home/N745/nuc700-uClinux/uClinux-dist# make config
config/mkconfig >
# No defaults found
* Target Platform Selection
* Choose a Vendor/Product combination.
Vendor/Product (nuvoton/nuc710, nuvoton/nuc740, nuvoton/nuc745) [nuvoton/nuc710] (NEW) nuvoton/nuc745

[For the rest, I used the defaults (except for the Network Tools questions, which I said Y to all)]

Continue here from whatever menu (x)config you used.

debian:/home/N745/nuc700-uClinux/uClinux-dist#make oldconfig

[Needed, or compile doesn't work]

debian:/home/N745/nuc700-uClinux/uClinux-dist#make dep

[A gazillion pages of info later, we have a build environment!]

We’re finally ready to use our weapon of mass destruction.


It should compile without issue.

Next step is to mount our created rom image, and copy the binaries off, or just go to the compiled folders, and get the binaries.

I’ve done this step already, and have a zip file of a few useful files ready.

-rwxr-xr-x 1 root root 110888 2010-04-30 03:50 ftpd
-rwxr-xr-x 1 root root 55164 2010-04-30 03:52 ping
-rwxr-xr-x 1 root root 1201904 2010-04-30 03:51 ssh
-rwxr-xr-x 1 root root 1219864 2010-04-30 03:51 sshd
-rwxr-xr-x 1 root root 118004 2010-04-30 03:45 telnet
-rwxr-xr-x 1 root root 45460 2010-04-30 03:45 telnetd

file *
ftpd: BFLT executable – version 4 ram
ping: BFLT executable – version 4 ram
ssh: BFLT executable – version 4 ram
sshd: BFLT executable – version 4 ram
telnet: BFLT executable – version 4 ram
telnetd: BFLT executable – version 4 ram

Download that here – arm7-nettools

All we need to do now is mount our romfs image, unzip the, copy the arm7 bFLT binaries over to bin, add telnetd, sshd, and ftpd to our /bin/init, and rebuild by running genromfs on our filesystem.

We can then finally flash our new romfs, and test it out.

Don’t forget that romfs is a read only file system, so we can’t modify it by mounting it. We need to mount, copying everything to elsewhere, do our required bits and pieces, then rebuild.


mount -o loop -t romfs still_unsure.img /mnt/test -r

mkdir /mnt/new
cd /mnt
rsync -arv /mnt/test/ new
cd new/bin

[We need to also edit init]
pico init



eg –
cat init
mount -t proc none /proc
mount -t ramfs none /usr
mount -t ramfs none /swap
mount -t ramfs none /var/run
mount -t ramfs none /etc
mount -t ramfs none /flash
mount -t ramfs none /home

Change to the next directory up, and lets run genromfs

genromfs -d new -f testrom.img
debian:/mnt# ls testrom.img
debian:/mnt# ls -al testrom.img
-rw-r–r– 1 root root 3329024 2010-04-30 04:18 testrom.img

In theory, this should be usable (famous last words!).

Unfortunately, I can’t try testing on that at home, as all the equipment is at the office, but that should be fairly easy.

Probably also some small config issues to sort out, as ftpd, telnetd and sshd will probably choke without their related /etc/whatever config files needed, but we can sort that out via serial on the debug ports.

Flattr this!

Spent a while checking out the different binaries available for the different OEM versions.
Some interesting things I’ve found.

If I take a look at a sample kernel – eg

ls -al lr_cmos_11_14_1_46.bin
-rw-r--r-- 1 lawrence staff 1350539 Mar 15 13:47 lr_cmos_11_14_1_46.bin

Our file size for the file i have is 1350539 bytes.

A hexdump of the header shows:

00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|
00000020 87 3b 3b e7 b8 16 03 cb 0b 00 bc d9 18 00 09 00 |.;;………….|

PK is the standard file header for Zip compression (as Zip was invented by Phil Katz)
Zip fingerprint in hex is – 0x04034b50, which matches nicely in our second line – 50 4b 03 04

On the offchance it contained a zip file, I tried unzipping from the start of the PK.

We can totally misuse dd to write from an offset of 20 bytes to a file as follows:

lawrence$ dd if=lr_cmos_11_14_1_46.bin skip=0x14 bs=1

(check I actually did that right)
lawrence$ hexdump -C |more
00000000 50 4b 03 04 14 00 00 00 08 00 3a 2e 87 3b 3b e7 |PK........:..;;.|
00000010 b8 16 03 cb 0b 00 bc d9 18 00 09 00 00 00 6c 69 ||

Unfortunately this didn’t unzip.


Archive: 1350519 bytes 1 file
-rw------- 2.0 fat 1628604 b- defN 7-Dec-09 05:49 linux.bin
1 file, 1628604 bytes uncompressed, 772867 bytes compressed: 52.5%

Says there is a valid zip file there, so we’re getting somewhere. It should be something like 772867 bytes + whatever Zip header / footer file bits in size.

If we take a look at the Zip file format, it says that the end of directory (aka end of zip file) marker is 0x06054b50

ZIP end of central directory record

Offset Bytes Description[4]
 0 4 End of central directory signature = 0x06054b50
 4 2 Number of this disk
 6 2 Disk where central directory starts
 8 2 Number of central directory records on this disk
10 2 Total number of central directory records
12 4 Size of central directory (bytes)
16 4 Offset of start of central directory, relative to start of archive
20 2 ZIP file comment length (n)
22 n ZIP file comment

If we search the file for that, we get:
000bcb70 78 2e 62 69 6e 50 4b 05 06 00 00 00 00 01 00 01 |x.binPK………|

So, from our Start PK 03 04 through to PK 05 06 we’re at position 0x14 through 0x0bcb79

If we write that out now –
dd if=lr_cmos_11_14_1_46.bin skip=0x14 bs=1 count=0x0bcb79

Then try unzip – we have a winner!

lawrence$ unzip
inflating: linux.bin
lawrence$ ls -al
-rw-r--r-- 1 lawrence staff 772985 Apr 30 03:28
lawrence$ ls -al linux.bin
-rw-------@ 1 lawrence staff 1628604 Dec 7 05:49 linux.bin

So, we know that the file has a header, then a zip file (which uncompresses to linux.bin, and has our linux binary), then more data.

If we take a look at what follows – ie the rest of the data in the original file after the end of the zip, it doesn’t look compressed

000bcb79 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |……..7…*…|
000bcb89 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-……|
000bcb99 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|
000bcba9 00 00 00 00 00 49 00 00 00 20 00 00 00 00 d1 ff |…..I… ……|
000bcbb9 ff 97 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbc9 00 00 00 00 00 60 00 00 00 20 00 00 00 00 d1 d1 |…..`… ……|
000bcbd9 ff 80 2e 2e 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bcbe9 00 00 00 00 00 c9 00 00 00 80 00 00 00 00 8c 88 |…………….|
000bcbf9 9d 47 73 77 61 70 00 00 00 00 00 00 00 00 00 00 |.Gswap……….|

000bd969 50 7d 64 68 63 70 63 00 00 00 00 00 00 00 00 00 |P}dhcpc………|
000bd979 00 00 62 46 4c 54 00 00 00 04 00 00 00 40 00 01 |..bFLT…….@..|
000bd989 11 70 00 01 37 60 00 01 50 e8 00 00 28 00 00 01 |.p..7`..P…(…|
000bd999 37 60 00 00 02 b5 00 00 00 05 00 00 00 00 00 00 |7`…………..|
000bd9a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
000bd9b9 00 00 1f 8b 08 00 f4 6b 45 3f 02 03 dc 5b 0f 70 |…….kE?…[.p|
000bd9c9 14 d7 79 7f bb 77 a7 bf 07 9c fe f0 c7 48 a0 95 |..y..w…….H..|
000bd9d9 50 88 5c 23 b3 02 19 64 23 e0 84 30 76 72 b8 9c |P.\#…d#..0vr..|
000bd9e9 31 50 6c 2b 58 06 d7 25 84 d6 ea 80 6d 02 8c 7d |1Pl+X..%….m..}|
000bd9f9 48 02 64 17 b0 00 91 12 17 fb b6 29 ed 60 86 c6 |H.d……..).`..|
000bda09 4c aa 74 34 0e 71 0e 90 03 d3 d2 54 fc 51 87 30 |L.t4.q…..T.Q.0|

In fact it looks like more files…

bFLT is our flat ELF header…, and the other bits in-between look suspiciously like more files, and folders.
So, we probably have a filesystem in there.

Its late, and thats all for today, but it looks like we might even get to play around with both the linux image and the web UI image.

Just had another thought though – if you recall, our romfs size was 0x0008D000

Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

What do we see here – in our header? 00000010 00 d0 08 00

00000000 42 4e 45 47 01 00 00 00 01 00 00 00 77 cb 0b 00 |BNEG……..w…|
00000010 00 d0 08 00 50 4b 03 04 14 00 00 00 08 00 3a 2e |….PK……..:.|

Seem to have a match, no? 0x 08 d0 00
I’m going to bet that our 0x 00 0b cb 77 also has some meaning too in our header 20 bytes, especially as the linux.bin zip file size is close to that at 0x00 0b cb 79.

Its highly probable I’ve miscounted something with the offset, and thats going to turn out to be the zip file size.

Now I’ve gotten this far, I’m too excited to go to sleep (its 4am here now!)

Lets try the filesystem from where we left off (aka from 0x0bcb79)
dd if=lr_cmos_11_14_1_46.bin of=unsure_what_filesystem.img skip=0x0bcb79 bs=1

mount -r unsure_what_filesystem.img
mount: unsure_what_filesystem.img: unknown special file or file system.


Kyle’s blog comment has this gem in

however the ‘-romfs-’ tag is offset by 0×14

so I used the line

fx 6 romfs.img 0x7f0a0000 0x7f0a0014 -a

the system then rebooted correctly…”

Lets use that as the start.

hexdump -C unsure_what_filesystem.img |more
00000000 00 00 00 00 01 00 01 00 37 00 00 00 2a cb 0b 00 |……..7…*…|
00000010 00 00 2d 72 6f 6d 31 66 73 2d 00 08 cf a0 98 16 |..-rom1fs-……|
00000020 76 dd 72 6f 6d 20 34 62 31 63 62 36 38 66 00 00 |v.rom 4b1cb68f..|

-rom1fs- starts at position 0x12 [which is another indicator that I’m off by 2 bytes somewhere – as they mention 0x14 bytes, and the 12bytes prefix I have prior to the -rom1fs- are going to be from our second file header, I’ll bet…
0x0bcb79 – 2 = 0x0bcb77, which is what the previous header said, so that really makes me think thats the filesize now!

Our ROMFS works out to be 577 536 bytes, which is 0x8D000, which is also what the boot loader said, so getting a lot of good confirmation on these figures!]

Write that out to another file:
dd if=unsure_what_filesystem.img of=still_unsure.img skip=0x12 bs=1

Still doesn’t mount on my Mac, however, some more googling for rom1fs uclinux got me here

Which specifically mentions –

Embedded projects using romfs

uClinux, the microcontroller Linux, is a port of the kernel, and selected user-space programs to capable, embedded processors, like some “smaller” Motorola m68k, and ARM systems.

ROMFS looks like:

offset content
0 | – | r | o | m | \
+—+—+—+—+ The ASCII representation of those bytes
4 | 1 | f | s | – | / (i.e. “-rom1fs-“)
8 | full size | The number of accessible bytes in this fs.
12 | checksum | The checksum of the FIRST 512 BYTES.
16 | volume name | The zero terminated name of the volume,
: : padded to 16 byte boundary.
xx | file |
: headers :

struct romfs_super_block

__u32 word0;

__u32 word1;

__u32 size;

__u32 checksum;

char name[0]; /* volume name */


Which looks to be a *very* good match for what that header has!
So, its in ROMFS format from the -rom1fs- start header.

(Mostly from here –

Unfortunately my OSX box appears to be missing romfs support, so I can’t check it without going back to the office.

mount -o loop -t romfs still_unsure.img /mnt
mount: exec /System/Library/Filesystems/romfs.fs/Contents/Resources/mount_romfs for /mnt: No such file or directory

Booted up my Debian VM, and tried again.

debian:/mnt/hgfs/FI8908,FI8908W# mount -o loop -t romfs still_unsure.img /mnt/test -r
debian:/mnt/hgfs/FI8908,FI8908W# cd /mnt/test/
debian:/mnt/test# ls -al
total 4
drwxr-xr-x 1 root root 32 1969-12-31 18:00 .
drwxr-xr-x 4 root root 4096 2010-04-29 16:19 ..
drwxr-xr-x 1 root root 32 1969-12-31 18:00 bin
drwxr-xr-x 1 root root 32 1969-12-31 18:00 dev
drwxr-xr-x 1 root root 32 1969-12-31 18:00 etc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 flash
drwxr-xr-x 1 root root 32 1969-12-31 18:00 home
drwxr-xr-x 1 root root 32 1969-12-31 18:00 proc
drwxr-xr-x 1 root root 32 1969-12-31 18:00 swap
drwxr-xr-x 1 root root 32 1969-12-31 18:00 usr

We have a winner!

Full file listing below:

|-- bin
| |-- camera
| |-- dhcpc
| |-- ifconfig
| |-- init
| |-- iwconfig
| |-- iwpriv
| |-- mypppd
| | |-- chap-secrets
| | |-- options
| | |-- pap-secrets
| | `-- pppd
| |-- route
| |-- rt73.bin
| |-- sh
| |-- wetctl
| `-- wpa_supplicant
|-- dev
| |-- console
| |-- display
| |-- dsp -> dsp1
| |-- dsp0
| |-- dsp1
| |-- fb0
| |-- hda
| |-- hda1
| |-- hda2
| |-- hdb
| |-- i2c0
| |-- i2c1
| |-- key
| |-- keypad
| |-- lp0
| |-- mixer -> mixer1
| |-- mixer0
| |-- mixer1
| |-- mouse
| |-- mtd0
| |-- mtd1
| |-- mtdblock0
| |-- mtdblock1
| |-- nftlA1
| |-- nftla
| |-- null
| |-- ppp
| |-- ppp1
| |-- ptmx
| |-- pts
| |-- ptyp0
| |-- ptyp1
| |-- ptyp2
| |-- ptyp3
| |-- ptyp4
| |-- ptyp5
| |-- ptyp6
| |-- ptyp7
| |-- ptyp8
| |-- ptyp9
| |-- ptz0
| |-- rom0
| |-- rom1
| |-- rom2
| |-- sda
| |-- sda1
| |-- sda2
| |-- sdb
| |-- sdb1
| |-- sdb2
| |-- smartcard0
| |-- smartcard1
| |-- tty
| |-- tty1
| |-- ttyS0
| |-- ttyS1
| |-- ttyS2
| |-- ttyS3
| |-- ttyp0
| |-- ttyp1
| |-- ttyp2
| |-- ttyp3
| |-- ttyp4
| |-- ttyp5
| |-- ttyp6
| |-- ttyp7
| |-- ttyp8
| |-- ttyp9
| |-- urandom
| |-- usb
| | |--
| | |-- lp0
| | |-- lp1
| | |-- lp2
| | |-- lp3
| | |-- lp4
| | |-- lp5
| | |-- lp6
| | |-- lp7
| | |-- lp8
| | `-- lp9
| |-- usi
| |-- video0
| `-- video1
|-- etc
|-- flash
|-- home
|-- proc
|-- swap
|-- usr
`-- var
`-- run

13 directories, 97 files

While I obviously can’t run any binaries locally, I can look at the text files to confirm that the ROMFS hasn’t just gotten the filesystem correct.

debian:/mnt/test/bin# cat init
mount -t proc none /proc
mount -t ramfs none /usr
mount -t ramfs none /swap
mount -t ramfs none /var/run
mount -t ramfs none /etc
mount -t ramfs none /flash
mount -t ramfs none /home

debian:/mnt/test/bin# file camera
camera: BFLT executable - version 4 ram gzip

Looking *very* good.

Thats all for tonight, but it looks like we can easily add bits to the firmware using genromfs, dd, and a hex editor, or just genromfs, and someone willing to test a rebuilt user rom with an extra binary. Probably going to be telnetd as ssh requires a kernel recompile 🙁

Next step, actually doing that, and testing.

I’m definitely going to bed now – its 5:30am.

Tomorrow is a holiday though (in China), so happy May holidays!

Flattr this!

I’ve finally received my 2nd camera, so I can now start working properly on it (assuming I get some free time too!)

High resolution photos of the board are below:

Main parts used are:

RAM – Winbond W9812G61H-6 (2M)
According to the data sheet, that 2M X 4 BANKS X 16 BITS SDRAM @ 3.3V / 166MHz/CL3
Data sheet is here –

Flash – Spansion S29AL016D (2M)
Other boards are populated with different providers – some people have Samsung flash…
Mine has the Spansion onboard both units. Its programmable onboard (via the uBoot)
Data sheet here –

Sound Card – ALC203
This is obviously used as the BSP for the Novotel provides sample code for that card, making their life easier…
Data sheet here –

Wired Ethernet – Davicom DM9161AEP (10/100 Ethernet)
Data sheet here –

8 Port Relay Driver (for the motors etc) – ULN2803
Data sheet here –
More info / explanation here –

Wifi – RALINK 2571 (on daughterboard). Wireless G
This is a USB based chipset, so we’re using 4 usb connector pins for this one.
No datasheet, as Ralink are dicks.

CPU – ARM7 N745CDG (Arm 7 by Nuvoton)
Lot of info for chip available at Nuvoton.

W90N745 makes use of the ARM7TDMI microprocessor core of ARMR and 0.18um production to achieve standard operation at 80MHz. 128-Pin LQPF packing is also used to save electricity and lower costs. The built-in 4KBytes I-Cache and 4KBytes D-Cache of W90N745 can also be set as On-Chip RAM according to the needs of product developers. With regards to system integration, W90N745 is suitable for network-related applications such as management switch, IP cameras, VoIP and printer servers.
* One Ethernet MAC
* One USB 2.0 full speed Host controller
* One USB 2.0 full speed Host/Device controller
* AC97/I2S
* 4 UARTs
* I²C Master
* 31 GPIOs
* Power Management

Data sheets –
The uclinux sample distribution and files can be downloaded here –

I’m just waiting on a JLINK USB adaptor, then I’m ready to roll.


David M from comments at provided his rom sizing from his device, I’ve got some notes on that here.

MAC Address : 00:30:10:C1:D0:39
IP Address :
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0×00300000
BL buffer size : 0×00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF

For help on the available commands type ‘h’

Press ESC to enter debug mode …

bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0×00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0×00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

My notes:

Image: 0 name:BOOT INFO base:0x7F010000 size:0×00000038 exec:0x7F010000 -af

[Image 0 is 38 bytes (small!).
Boot info is not the bootloader – 38bytes is way too small for that.
It actually stores our bootloader config settings.
eg ip address, cache setting, boot loader buffer address etc.
Our initial settings are below:

MAC Address : 00:30:10:C1:D0:39 (should be changed, this Mac range belongs to Cisco!)
IP Address : (unset)
DHCP Client : Enabled (pulls ip from dhcp..)
CACHE : Enabled (onboard chip cache)
BL buffer base : 0×00300000
BL buffer size : 0×00100000
Baud Rate : -1 (unset / so defaults to 115,200,8,n,1)
USB Interface : Disabled (NC745 has no USB for bootloader)
Serial Number : 0xFFFFFFFF (unset)

-af indicates Active (a) , and is a Filesystem image (f)]

Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0×00008000 -acxz
[Image 7 is our OS – Linux 2.4.20 ucLinux Not sure why Maverick didn’t build on 2.6, there is more hardware support. Probably time dependant – 2.6 may not have been available, plus the Nuvoton sample code is also 2.4 based…

-axcz says active (a) executable (x) copied to ram (c) compressed (z) ]

Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

[Our rom image – aka userland stuff. This is where we’ll be putting our own code. Looks like its stuck quite high up in the flash, although doesn’t need to be given size of the Linux rom. We have plenty of room available.

We’ll need to make appropriate changes to Image 6 size on flashing

-a says active partition.]

Flattr this!

Finally got a chance to play around with the second ipcam I bought.

This one is a little bit smarter than the previous one – its running off an ARM5ARM7 CPU (Nuvoton NUC745ADN), so has a bit more oomph. 16M ram is a whole lot more to play with for a start! The last device only had 16KB, so this puppy can be taught to do some tricks!

Serial was a little bit trickier to solder on this time – my initial connectors were too small, so had to resolder with larger ones, and I managed to mess up a tad. Never said my soldering was any good 😉
Getting it to talk to the computer was a bit painful too – eventually I settled on 115,200 8,n,1, xon/xoff which should have worked the first time around, but I was getting garbage.

Probably flow control (xon/xoff), as fiddling with the connections got it going eventually.

First output from the board is below – this is from a clean boot (with no ethernet or wifi).

W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

MAC Address : 0E:F2:B3:DC:08:05
IP Address :
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF

For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1013 Èý 12ÔÂ 2 13:17:32 CST 2009
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14376KB available (1435K code, 288K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F16D3FF [VIRTUAL 7F0E0000-7F16D3FF] (RO)
AM29LV160DB Flash Detected
01 eth0 initial ok!
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
usb-ohci.c: AMD756 erratum 4 workaround
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4

_____ ____ _ ____
|__ / _| _ \ / \ / ___|
/ / | | | | | |/ _ \ \___ \
/ /| |_| | |_| / ___ \ ___) |
/____\__, |____/_/ \_\____/
ZD1211B - version
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.13
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver by Maverick Gao in 2006-8-12
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: camera&
Command: sh
no support

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :80fd7e04-fed640
hub.c: new USB device 1, assigned address 2
dvm cmos successfully initialized
dvm camera registered as video0
new USB device :80fb0204-fed640
hub.c: new USB device 2, assigned address 3
idVendor = 0x148f, idProduct = 0x2573

Wait for auto-negotiation complete...ResetPhyChip Failed
video0 opened
set resolution 5
set brightness 144
set contrast 3
set sharpness 3
set mode 2
manage pid:16
audio_dev.state not AU_STATE_RECORDING
=> usb_rtusb_open
retide_ddns.c: can not get server ip
ntpc.c: can not resolve ntpserver('s ip
get oray info
upnp get ip error
inet_sr.c INET_rinput 321
inet_sr.c INET_setroute 75
inet_sr.c INET_rinput 321
inet_sr.c INET_setroute 75
MlmeAssocReqAction(): WPA2/WPA2PSK fill the ReqVarIEs with CipherTmp!

Initially I had the board setup on its own without the camera attached, but the boot scripts require it connected, otherwise they reboot..
Ostensibly, this is the same hardware as the fi8908w (who are just reselling the OEM version with marginally different firmware as far as I can tell).

Next step is to setup a cross compiler for uclinux so I can make some binaries, and test.
Luckily all the available tools are open source / free. Yay!

I’m in contact with the factory, and they’ll be sending an SDK over at some point soonish, although its only in Chinese.
Luckily for me, that shouldn’t be a problem, as i’m reasonably capable at groking both code, and simplified chinese 🙂

ucLinux should be easy enough to build a rom image for though – tons of examples, and I already have a few firmware files to compare.

It shouldn’t be too hard for me to roll another firmware with ssh installed, so that we can get in without serial, that would be more useful for others too.

I’ve had a quick look inside the folders in the device from the device itself – fairly minimal, pretty much the only binaries are the necessary ones.
My initial aim is to redo the UI to a nicer one, and fix some of the more glaring bugs. The factory people are at a trade show in Taiwan this week, so hopefully next week I’ll get some dev tools (otherwise its reverse engineering, bleh…).

Some more people are playing with these as well (links below):

Unfortuanately for me, both are variably accessible. WordPress is available this week woohoo, but its an on / off dealio with the GFW…, so I might have to stop commenting there once the government decides if WordPress is “teh evil” again.

The irishjesus blog guy has done some of the harder bits like file extraction already (although not strictly necessary, as there are existing tools for that kind of thing).


Have some docs from the factory now, see attached file for the CGI spec.

IP Camera CGI 应用指南-1.11

I have others, but not so relevant especially for those than don’t read Chinese!

Data sheet for the Chip and build instructions here –

Flattr this!

When I was younger, I used to like taking things apart.  I still do that, but they tend to work better these days, hehe

This last few weeks I’ve been playing with IP Camera’s for a pet project that started off as a request over Skype for info about surveillance.
As the ever useful Taobao is full of vendors selling the same 4 or 5 camera’s for reasonable prices I ordered a couple to take a peek at.

I’ve only taken one apart so far – the really really cheap one that I installed in the office so I can get a look at who comes up the stairs without having to move my fat ass out of the chair.  A quick shortcut in FF, and it works quite nicely as a separate browser window in the corner of the desktop.

Onto the discovery phase 🙂

I had a quick spin with NMAP, but other than discovering that they rather naughtily misuse a Mac Address assigned to the evil Cisco, not much help.
Also nothing appeared to be running on any other ports than the web port 🙁
nmap -A

Starting Nmap 5.00 ( ) at 2010-04-13 19:27 CST
Interesting ports on
Not shown: 999 filtered ports
80/tcp open http?
|_ html-title: IPCamera
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
SF:\r\n\r\n\r\n\r\n\r\n\r\n\r\n<BODY\x20onLoad=\" SF:doPop\(\);\">\xb6\xd4\xb2\xbb\xc6\xf0\xa3\xac\xc4\xfa\xb5\xc4\xe4\xaf\x
SF:c0\xc0\xc6\xf7\xb2\xbb\xd6\xa7\xb3\xd6\xbf\xf2\xbc\xdc\xa3\xa1</BODY></ SF:NOFRAMES>\r\n</FRAMESET>\r\n\r\n</HTML>\r\n")%r(FourOhFourRequest,1DF,"
SF:cache\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE></TITLE>\r\n<meta\x20http-equiv SF:=\"Content-Type\"\x20content=\"text/html;\x20charset=gb2312\"></HEAD>\r
SF:\n<BODY\x20BGCOLOR=\"#C4CEEF\"\x20onLoad=\"window\.status='\xbb\xb6\xd3 SF:\xad\xca\xb9\xd3\xc3\xcd\xf8\xc2\xe7\xc9\xe3\xcf\xf1\xbb\xfa!';return\x SF:20true;\">\r\n\r\n
<TD\x20HEIGHT=80\x20ALIGN=center\x20BGCOLOR= SF:\"#C4CEEF\"><FONT\x20color=\"#FF6633\"\x20size=\"\+2\"\x20FACE=\"Arial\ SF:"><B>IP\x20Camera</B></FONT></TD>



MAC Address: 00:0A:42:33:66:54 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop

Next up is the usual dissection. I had done some minor googling on the device I bought, which is basically this below:

As its an OEM product, this is available under a whole bunch of different names – mostly with IP-510 or similar in the title, eg LTI-510 etc.

For a cheap OEM product, it actually seems to be reasonably well made though – the Case is an nice and solid aluminium sheath that looks like its been repurposed from something else, and the board itself is suprisingly well diagrammed. Its almost made for hacking!

Chips onboard are as follows:

25.0618mhz crystal from TXC – bonus points for why its 25mhz. Reply in the comments 🙂
Davicom DM9008AEP, TRC9016NLE (both for Ethernet. imho Davicom is a second-rate Realtek)
ViMicro VC0528BRVC (Camera processor / CCD Controller)
And last, but not least, our CPU, which is an 8051, although not from ATMEL.
Part number on that is C8051F340. My first guess is that it incorporates some integrated flash on there for firmware. Unfortunately its likely to be all C and Assembler, and the last time I did embedded 8051 stuff was in the early 90’s.

Google confirms it – basically its an all in one controller with 32 or 64KB onboard, and roughly 4k ram. Woohoo!

Datasheet here –

Good news is that the board has serial out clearly labeled on the top left side. Better news is that the chip has an onboard debug mode, so I don’t even need any ICE (In Circuit Emulation) tools should I want to take a look. Bad news is that I’m probably going to be too lazy to do it, as its more work and less fun than the second one I bought, which has Linux running on it.

That said, this one is cheap. Real cheap. Cheap enough that its probably worth knocking out a decent firmware, and reselling it with a better UI, and more features.
Might be possible, although anything more than whats there is probably stretching it given the ram / storage constraints. Looks like its all offboard processing/streaming for this model!

There are also some unpopulated spots on the board, which I strongly suspect would be for audio, given the board has a MIC input and no Mic, and the main controller is a ViMicro, which supports MP3 output also…

I’ll see if I can find a firmware file, and do a disassembly, or more probably see what I get out of the serial port connection in the near future.

Photos below. [Excuse the pasty white hands, its still winter for some reason in Shanghai, despite being April… Oh global warming. Where art thou, when I needest thee!]:

Some further files for the curious here –

Flattr this!

I’ve been seeing a bunch of failed Apple Time Capsules recently.
The issue is that the PSU’s are dying, as opposed to the HDD’s.

I took one apart to take a look, and the issue is the oh too familiar someone bought cheap capacitors that use the wrong formula. Tsk tsk Apple!

Here are some photos of a faulty power supply from a Time Capsule I’ve taken apart to demonstrate –

Read more »

Flattr this!

Vietnam airlines had a special for 1400RMB return including tax to Hanoi.
As I’ve never been to Vietnam, I thought I’d take it.

Photo’s to follow once I’m back in Shanghai, as no card reader!

First impressions I receive of Hanoi – rats and Mopeds.
Not sure which there are more of, both are visible in the corner of your eye at all times. The mopeds are more vociferous though, and a walk through the streets is a cacophony of hooting, and avoidance.
At least, much as in China, sensible manners get you across the roads. Just walk, and they’ll drive around. Hesitate, and you are doomed. Vespa (Piaggio) owns the market, with Honda coming in a close 1st. Sure, there are more Honda’s than Vespa’s numberwise, but *everyone* drives a vespa. Its a city of cool from that respect.

Hanoi is a shithole. Nothing to really recommend it. Its the same generic Southeast Asia template, albeit on a marginally more industrialized level. Its a dirty city, and the remaining architecture is neither interesting, nor beautiful. The delapidated is being torn down, and replaced by the generic concrete in much the same shape and form. House fronts still narrow as driven by taxes on shopfront sizes from regimes long gone.

Car hooters are a pseudo interesting thing. Echo… co… co… co… co… style fade outs that make the noise less of an annoyance. Admittedly it is a rather cool effect. Hooters here are used as indicators and lights might be in the West. Hooting is a way of saying here i am, rather than get out of the way. Echo-location bat style in metal form.

Guidebooks are not necessarily a great help. I picked up a Lonely Planet; deriguer tourist accessory that it is, and had a quick scan through the Hanoi section. “Every stranger on the street wants to help you”. What a crock of horseshit. They neglected the the last part of that sentence – “…away from your money”.

Trust no-one.

Everyone is after something. From moped drivers lazing on their bikes every two metres, to hotel staff trying to sell tickets to Halong Bay, to street peddlars hastling and hustling, the annoyances are endless.

For every act of kindness, the balance is broken fourfold by someone doing something equally retarded and obvious scamwise. Seek and ye shall find. Maybe I just don’t want to be found.

Sit at a bar called half man, half noodle. Sign says drink here, or we shoot the puppy. Why is it my thoughts tend to shoot the damn puppy.

Vietnam is supposed to be cheap. For european tourists, maybe. Coming from China, seems expensive. Not overly so, but seen through my experienced “I know what things cost” eyes, they aren’t as cheap as they should be.

Walk around the semi endless streets around the lake, many shops doing color copies of older Propaganda posters. Not originals, but badly offset color printing on semi decent rice paper.
Ask pricing at one – small $5, large $15.
That’s about 100RMB for a large one, which is about right if you counter in staff, rentals etc, so a fair price.
Roll it up, seal, suddenly price is $50.
So, small copies $5, now $15 -> $50? Walk out, as price starts coming down again. Not interested anymore. Shitty ass city, can’t wait to be back in Shanghai.

Its the little things here that pile up. Maybe its just I’m being a miserable git, which undoubtedly I am, but still, the vibe here is wrong.

Book a trip out of the city for a change of air. Reasonable for a day trip – $22, although on the way I spot another agency for $12. Thats my fault for not checking a couple of places first, and doing something spur of the moment in the hotel. Not really concerned about that, its still a fair price, and although I feel vaguely ripped off, i’m not worried about it.
An hour into our journey we stop off “for a rest”. That pissed me off. The oh so blatant detour 30 minutes drive in the opposite direction away from our destination to a handicraft / coffee shop where they get paid by head. At least in China they knowingly sell you those trips, and prices are discounted accordingly.
Outside poorer people touting fruit and whatnot, like flies around shit. We tourists, are the shit.
Quite apt considering how tourism generally denigrates and fucks up a place.

Not as bad as Tang Hui near Huang Shan (which I still think should be nuked from orbit), but on its slow inexorable decline into dependance on the teat of handouts and third world poverty that can only be made possible by our own consumer driven culture.
Ponder the thought of cult in culture.
Flash back to Iain Banks – “The Culture“.
We export our beliefs, borg like, to be absorbed.

Always Coca-Cola.

Is that the anthem for the 21st Century?

Anthem or anathema, who knows. Maybe we do deserve to be quarantined from the rest of the galaxy, lest we infect it.

What is tourism anyway?
Voyeurism made global.
“Look how much better we have it.”, back on the bus, as we can always leave.

Wake up late the next day to banging on my door. Cleaning staff obnoxiously do not take no for an answer, and come back three separate times until I launch into a tirade that gets rid of them. That I’m rather hung over, and stink of stale alcohol isn’t helping my demeanor either.
Once again, HBO is showing something watchable and I pass in and out of consciousness till about 3pm.
Shower, and am feeling much better with the world, and myself.

Funky Buddha is pretty much the only decent late nightlife in Hanoi. Few obnoxiously loud drunk Ozzies, and more of a local scene. Still shuts early though. 2am more or less the cut off point for the town.

I’ll be glad to leave this place.

Good to get out of China, and see a different place, but Vietnam isn’t for me. Death of a thousand cuts would be apt. Lot of little niggling issues, rather than large ones, but the blatant amount of petty bullshit ripoff’s makes Vietnam somewhere to be missed.

I’ve done lots of Asia, and Vietnam is a third world version pastiche of other places that just do it better.
My summation in two words – don’t come.

Things to buy:
Nu Rou Gan. Some great dried beef available in some of the streets around the market area north of the Hoan Kiem lake.

Available pretty much everywhere, pricing is reasonable – $5-10 for reasonable sized copies of Tintin covers.

Books (on scooters). Beware, pricing is silly at first. While I don’t mind gouging per se, I often refuse to do business with someone because they start with an initially silly price. There is ballpark, and there is out of the ballpark figure, most here start with the ball so far out of the ballpark, that you cannot even see the stadium. Example pricing – random copied Lonely planet guides – they’ll start at around 500,000, you can get for 50,000. 1000% markup anyone?

Hip and Trendy:
Not that much here, only 2 semi cool shops next to each other on Ta Hien.
Bo Sua on 24d Ta Hien is worth a browse if you’re in the vicinity, but don’t make a trip otherwise.
Design idea’s are good, but need nurturing.

Funky Buddha 2 Ta Hien

Not much else decent, unless you like shitty Babyface clones in smaller sizes, or backpacker packed foreigner bars.

Street food probably the best bet. Vietnamese food probably better experienced outside of Vietnam.
Avoid the foreign looking restaurants, pricing is sky high, and quality rock bottom.

Do try coffee though, the coffee bars have good coffee (strong, and sweet), and most of the cooler local looking places are plastered with paintings, and make for a good 10-15 minute stop over to rest weary feet.