{"id":455,"date":"2010-04-21T00:23:20","date_gmt":"2010-04-20T16:23:20","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=455"},"modified":"2011-10-31T03:40:45","modified_gmt":"2011-10-30T19:40:45","slug":"ipcam-hacking-part-2","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2010\/04\/ipcam-hacking-part-2\/","title":{"rendered":"IPCam Hacking – pt#2"},"content":{"rendered":"

Finally got a chance to play around with the second ipcam I bought.<\/p>\n

This one is a little bit smarter than the previous one – its running off an ARM5<\/del>ARM7 CPU (Nuvoton NUC745ADN), so has a bit more oomph. 16M ram is a whole lot more to play with for a start! The last device only had 16KB, so this puppy can be taught to do some tricks!<\/p>\n

Serial was a little bit trickier to solder on this time – my initial connectors were too small, so had to resolder with larger ones, and I managed to mess up a tad. Never said my soldering was any good \ud83d\ude09
\nGetting it to talk to the computer was a bit painful too – eventually I settled on 115,200 8,n,1, xon\/xoff which should have worked the first time around, but I was getting garbage.<\/p>\n

Probably flow control (xon\/xoff), as fiddling with the connections got it going eventually.<\/p>\n

First output from the board is below – this is from a clean boot (with no ethernet or wifi).<\/p>\n


\nW90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
\nMemory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
\nBoard designed by Winbond
\nHardware support provided at Winbond
\nCopyright (c) Winbond Limited 2001 - 2006. All rights reserved.
\nBoot Loader Configuration:<\/p>\n

MAC Address : 0E:F2:B3:DC:08:05
\n IP Address : 0.0.0.0
\n DHCP Client : Enabled
\n CACHE : Enabled
\n BL buffer base : 0x00300000
\n BL buffer size : 0x00100000
\n Baud Rate : -1
\n USB Interface : Disabled
\n Serial Number : 0xFFFFFFFF<\/p>\n

For help on the available commands type 'h'<\/p>\n

Press ESC to enter debug mode ......
\nCache enabled!
\nProcessing image 1 ...
\nProcessing image 2 ...
\nProcessing image 3 ...
\nProcessing image 4 ...
\nProcessing image 5 ...
\nProcessing image 6 ...
\nProcessing image 7 ...
\nUnzip image 7 ...
\nExecuting image 7 ...
\nLinux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1013 \u00c8\u00fd 12\u00d4\u00c2 2 13:17:32 CST 2009
\nProcessor: Winbond W90N745 revision 1
\nArchitecture: W90N745
\nOn node 0 totalpages: 4096
\nzone(0): 0 pages.
\nzone(1): 4096 pages.
\nzone(2): 0 pages.
\nKernel command line: root=\/dev\/rom0 rw
\nCalibrating delay loop... 39.83 BogoMIPS
\nMemory: 16MB = 16MB total
\nMemory: 14376KB available (1435K code, 288K data, 40K init)
\nDentry cache hash table entries: 2048 (order: 2, 16384 bytes)
\nInode cache hash table entries: 1024 (order: 1, 8192 bytes)
\nMount-cache hash table entries: 512 (order: 0, 4096 bytes)
\nBuffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
\nPage-cache hash table entries: 4096 (order: 2, 16384 bytes)
\nPOSIX conformance testing by UNIFIX
\nLinux NET4.0 for Linux 2.4
\nBased upon Swansea University Computer Society NET3.039
\nInitializing RT netlink socket
\nStarting kswapd
\nWinbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
\nttyS00 at 0xfff80000 (irq = 9) is a W90N745
\nWinbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
\nttyS00 at 0xfff80100 (irq = 10) is a W90N7451
\nI2C Bus Driver has been installed successfully.
\nBlkmem copyright 1998,1999 D. Jeff Dionne
\nBlkmem copyright 1998 Kenneth Albanowski
\nBlkmem 1 disk images:
\n0: 7F0E0000-7F16D3FF [VIRTUAL 7F0E0000-7F16D3FF] (RO)
\nAM29LV160DB Flash Detected
\n01 eth0 initial ok!
\nwhich:0
\nPPP generic driver version 2.4.2
\nLinux video capture interface: v1.00
\nWinbond Audio Driver v1.0 Initialization successfully.
\nusb.c: registered new driver hub
\nadd a static ohci host controller device
\n: USB OHCI at membase 0xfff05000, IRQ 15
\nhc_alloc_ohci
\nusb-ohci.c: AMD756 erratum 4 workaround
\nhc_reset
\nusb.c: new USB bus registered, assigned bus number 1
\nhub.c: USB hub found
\nhub.c: 2 ports detected
\nusb.c: registered new driver audio
\naudio.c: v1.0.0:USB Audio Class driver
\nusb.c: registered new driver serial
\nusbserial.c: USB Serial Driver core v1.4<\/p>\n

_____ ____ _ ____
\n|__ \/ _| _ \\ \/ \\ \/ ___|
\n \/ \/ | | | | | |\/ _ \\ \\___ \\
\n \/ \/| |_| | |_| \/ ___ \\ ___) |
\n\/____\\__, |____\/_\/ \\_\\____\/
\n |___\/
\nZD1211B - version 2.24.0.0
\nusb.c: registered new driver zd1211b
\nmain_usb.c: VIA Networking Wireless LAN USB Driver 1.13
\nusb.c: registered new driver vntwusb
\nusb.c: registered new driver rt73
\ndvm usb cam driver 0.0.0.0 by Maverick Gao in 2006-8-12
\nusb.c: registered new driver dvm
\ndvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
\nusb.c: registered new driver dvm usb cam driver for sonix288
\nNET4: Linux TCP\/IP 1.0 for NET4.0
\nIP Protocols: ICMP, UDP, TCP
\nIP: routing cache hash table of 512 buckets, 4Kbytes
\nTCP: Hash tables configured (established 1024 bind 2048)
\nVFS: Mounted root (romfs filesystem) readonly.
\nFreeing init memory: 40K
\nBINFMT_FLAT: bad magic\/rev (0x74202d74, need 0x4)
\nBINFMT_FLAT: bad magic\/rev (0x74202d74, need 0x4)
\nShell invoked to run file: \/bin\/init
\nCommand: mount -t proc none \/proc
\nCommand: mount -t ramfs none \/usr
\nCommand: mount -t ramfs none \/swap
\nCommand: mount -t ramfs none \/var\/run
\nCommand: mount -t ramfs none \/etc
\nCommand: mount -t ramfs none \/flash
\nCommand: mount -t ramfs none \/home
\nCommand: camera&
\n[8]
\nCommand: sh
\nno support<\/p>\n

Sash command shell (version 1.1.1)
\n\/> hub.c: connect-debounce failed, port 1 disabled
\nnew USB device :80fd7e04-fed640
\nhub.c: new USB device 1, assigned address 2
\ndvm cmos successfully initialized
\ndvm camera registered as video0
\nnew USB device :80fb0204-fed640
\nhub.c: new USB device 2, assigned address 3
\nidVendor = 0x148f, idProduct = 0x2573<\/p>\n

Wait for auto-negotiation complete...ResetPhyChip Failed
\nvideo0 opened
\n1
\n1
\n1
\n1
\n1
\n1
\nset resolution 5
\nset brightness 144
\nset contrast 3
\nset sharpness 3
\nset mode 2
\n__pthread_initial_thread_bos:34c000
\nmanage pid:16
\naudio_dev.state not AU_STATE_RECORDING
\nwb_audio_start_record
\n=> usb_rtusb_open
\nretide_ddns.c: can not get server dns.camcctv.com ip
\nntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
\nget oray info
\nupnp get ip error
\ninet_sr.c INET_rinput 321
\naction===1
\noptions==33
\ninet_sr.c INET_setroute 75
\n*args===255.255.255.255
\n*args===netmask
\n*args===eth1
\ninet_sr.c INET_rinput 321
\naction===1
\noptions==33
\ninet_sr.c INET_setroute 75
\n*args===default
\n*args===gw
\n*args===eth1
\nMlmeAssocReqAction(): WPA2\/WPA2PSK fill the ReqVarIEs with CipherTmp!
\n3
\n3
\n3
\n3
\n3
\n3
\n<\/code><\/p>\n

Initially I had the board setup on its own without the camera attached, but the boot scripts require it connected, otherwise they reboot..
\nOstensibly, this is the same hardware as the fi8908w (who are just reselling the OEM version with marginally different firmware as far as I can tell).<\/p>\n

Next step is to setup a cross compiler for uclinux so I can make some binaries, and test.
\nLuckily all the available tools are open source \/ free. Yay!<\/p>\n

I’m in contact with the factory, and they’ll be sending an SDK over at some point soonish, although its only in Chinese.
\nLuckily for me, that shouldn’t be a problem, as i’m reasonably capable at groking both code, and simplified chinese \ud83d\ude42<\/p>\n

ucLinux should be easy enough to build a rom image for though – tons of examples, and I already have a few firmware files to compare. <\/p>\n

It shouldn’t be too hard for me to roll another firmware with ssh installed, so that we can get in without serial, that would be more useful for others too.<\/p>\n

I’ve had a quick look inside the folders in the device from the device itself – fairly minimal, pretty much the only binaries are the necessary ones.
\nMy initial aim is to redo the UI to a nicer one, and fix some of the more glaring bugs. The factory people are at a trade show in Taiwan this week, so hopefully next week I’ll get some dev tools (otherwise its reverse engineering, bleh…). <\/p>\n

\"\"<\/a><\/p>\n

Some more people are playing with these as well (links below):<\/p>\n

http:\/\/irishjesus.wordpress.com\/2010\/03\/30\/hacking-the-foscam-fi8908w\/<\/a><\/p>\n


\nhttp:\/\/www.gadgetvictims.com\/2009\/12\/bring-your-fi8908w-paperweight-back-to.html<\/a><\/p>\n

Unfortuanately for me, both are variably accessible. WordPress is available this week woohoo, but its an on \/ off dealio with the GFW…, so I might have to stop commenting there once the government decides if WordPress is “teh evil” again.<\/p>\n

The irishjesus blog guy has done some of the harder bits like file extraction already (although not strictly necessary, as there are existing tools for that kind of thing).<\/p>\n

—<\/p>\n

Updates<\/strong><\/p>\n

Have some docs from the factory now, see attached file for the CGI spec.<\/p>\n

IP Camera CGI \u5e94\u7528\u6307\u5357-1.11<\/a><\/p>\n

I have others, but not so relevant especially for those than don’t read Chinese!<\/p>\n

Data sheet for the Chip and build instructions here –<\/p>\n

http:\/\/www.nuvoton.com\/hq\/enu\/ProductAndSales\/ProductLines\/ConsumerElectronicsIC\/ARMMicrocontroller\/ARMMicrocontroller\/NUC745A.htm<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Finally got a chance to play around with the second ipcam I bought. This one is a little bit smarter than the previous one – its running off an ARM5ARM7 CPU (Nuvoton NUC745ADN), so has a bit more oomph. 16M ram is a whole lot more to play with for a start! The last device […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[252,25],"tags":[246,248,244,245,241,240,247],"class_list":["post-455","post","type-post","status-publish","format-standard","hentry","category-ip-cam","category-technical-mumbo-jumbo","tag-arm5","tag-arm7","tag-f8908w","tag-foscam","tag-hacking","tag-ipcam","tag-uclinux"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=455"}],"version-history":[{"count":7,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/455\/revisions"}],"predecessor-version":[{"id":760,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/455\/revisions\/760"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}