{"id":489,"date":"2010-04-30T16:04:11","date_gmt":"2010-04-30T08:04:11","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=489"},"modified":"2013-01-04T22:50:18","modified_gmt":"2013-01-04T14:50:18","slug":"ip-cam-hacking-pt5","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2010\/04\/ip-cam-hacking-pt5\/","title":{"rendered":"IP Cam Hacking \u2013 pt#5"},"content":{"rendered":"

So far in this series, we’ve learnt a few things.
\nFirst, is that this hardware is quite nice for hacking purposes, as they’ve left the uBoot in a nice state, and have easily accessible debug ports.
\nSecond is that doing this kind of thing isn’t really that complicated, and can be quite fun.<\/p>\n

We’re pretty much ready to start doing our own coding, as we know how the images are packed, and we can use the uBoot to either flash onl the romfs on or own, or alternately roll a complete linux + romfs binary image.<\/p>\n

For that, we’ll need to be ready to roll up our sleeves, and actually do some development (finally!).<\/p>\n

Getting a development environment setup is our next step, as we’re ready to test out adding binaries.<\/p>\n

I’m using Debian, but most Linux environments should be similar. OSX is BSD based, and more of a pain due to Apple not putting everything needed in the normal places, so I’m doing this in a VM on my Macbook under Debian.<\/p>\n

Go grab a copy of “NUC700 Series MCU uCLinux BSP.zip” from here http:\/\/www.metavert.com\/public\/NO-SUPPORT\/<\/a><\/p>\n

Setup a VM for Debian (not going to cover that) or install Debian or similar.<\/p>\n

Copy the zip file to \/home in the OS you use.<\/p>\n

cd \/home
\nmkdir N745
\ncd N745
\nunzip ..\/NUC700\\ Series\\ MCU\\ uCLinux\\ BSP.zip<\/code><\/p>\n

You should now see something like this:<\/p>\n

:\/home\/N745\/NUC700 Series MCU uCLinux BSP# ls -al
\ntotal 68
\ndrwxr-xr-x 6 root root 4096 2009-05-15 20:02 .
\ndrwxr-xr-x 3 root root 4096 2010-04-30 02:23 ..
\ndrwxr-xr-x 3 root root 4096 2009-05-15 20:06 bootloader
\ndrwxr-xr-x 2 root root 4096 2009-05-15 20:03 bsp
\ndrwxr-xr-x 2 root root 4096 2009-05-15 20:02 doc
\ndrwxr-xr-x 4 root root 4096 2009-05-15 20:02 mkrom
\n-r--r--r-- 1 root root 44632 2009-03-27 11:49 NUC700 uClinux BSP Release Note.pdf
\ndebian:\/home\/N745\/NUC700 Series MCU uCLinux BSP# <\/code><\/p>\n

Unfortunately the build *really* doesn’t like long filenames, so lets move all this to the N745 folder, and get rid of the annoyingly named folder.<\/p>\n


\n\/home\/N745\/NUC700 Series MCU uCLinux BSP# mv * ..
\n\/home\/N745\/# cd ..
\n\/home\/N745\/# rm -r NUC700\\ Series\\ MCU\\ uCLinux\\ BSP\/
\n<\/code><\/p>\n

We still need to unzip the BSP, as its compressed, so go into bsp<\/p>\n


\n\/home\/N745\/# cd bsp
\n\/home\/N745\/bsp# tar -xzvf NUC700BSP.tar.gz
\nNUC700BSP\/
\nNUC700BSP\/arm_tools.tar.gz
\nNUC700BSP\/install.sh
\nNUC700BSP\/arm_tools_3.3.tar.gz
\nNUC700BSP\/build.tar.gz
\nNUC700BSP\/applications.tar.gz
\nNUC700BSP\/uClinux-dist.tar.gz
\n<\/code><\/p>\n

Yay, yet another bloody subdirectory. Sigh.<\/p>\n


\n\/home\/N745\/bsp# cd NUC700BSP
\ndebian:\/home\/N745\/bsp\/NUC700BSP# ls -al
\ntotal 183300
\ndrwxr-xr-x 2 shanghaiguide shanghaiguide 4096 2009-03-26 22:38 .
\ndrwxr-xr-x 3 root root 4096 2010-04-30 02:29 ..
\n-rw-r--r-- 1 shanghaiguide shanghaiguide 29521418 2009-03-26 21:55 applications.tar.gz
\n-rw-r--r-- 1 shanghaiguide shanghaiguide 43742203 2009-03-26 21:22 arm_tools_3.3.tar.gz
\n-rw-r--r-- 1 shanghaiguide shanghaiguide 36108739 2009-03-26 21:11 arm_tools.tar.gz
\n-rw-r--r-- 1 shanghaiguide shanghaiguide 5643452 2009-03-26 21:24 build.tar.gz
\n-rwxr--r-- 1 shanghaiguide shanghaiguide 4370 2009-03-26 22:31 install.sh
\n-rw-r--r-- 1 shanghaiguide shanghaiguide 72439431 2009-03-26 20:53 uClinux-dist.tar.gz
\ndebian:\/home\/N745\/bsp\/NUC700BSP#
\n<\/code><\/p>\n

Run the install – I’ve decided to install the whole shebang to \/home\/N745<\/p>\n

Note – The observant amongst you will notice I’m running this as root.
\nThis is NOT<\/strong> recommended. I’m running under a VM solely created to play with this, so I don’t really care if I break it (as I can roll back to the initial install image fairly easy in vmware). Don’t do this yourselves (unless you want to break things). <\/p><\/blockquote>\n


\ndebian:\/home\/N745\/bsp\/NUC700BSP# .\/install.sh
\nfirstly install arm_tools.tar.gz -->\/usr\/local\/
\nwait for a while
\nsuccessfully finished installing arm_tools.tar.gz
\nnow begin to install build.tar.gz,applications.tar.gz and uClinux-dist.tar.gz
\nPlease enter your absolute path for installing build.tar.gz, applications.tar.gz and uClinux-dist.tar.gz:
\n\/home\/N745
\n\/home\/N745 has existed
\nplease wait for a while, it will take some time
\nwhole installation finished successfully!
\ndebian:\/home\/N745\/bsp\/NUC700BSP#
\n<\/code><\/p>\n

We finally have our build environment unzipped, and its sitting in nuc700-uClinux.<\/p>\n

debian:\/home\/N745# cd nuc700-uClinux\/
\ndebian:\/home\/N745\/nuc700-uClinux# ls -al
\ntotal 24
\ndrwxr-xr-x 6 root root 4096 2010-04-30 02:31 .
\ndrwxr-xr-x 7 root root 4096 2010-04-30 02:31 ..
\ndrwxr-xr-x 7 root root 4096 2009-03-25 00:44 applications
\ndrwxr-xr-x 2 root root 4096 2009-03-26 21:23 image
\ndrwxr-xr-x 12 root root 4096 2009-03-26 04:54 romdisk
\ndrwxr-xr-x 10 root root 4096 2009-03-26 06:50 uClinux-dist
\ndebian:\/home\/N745\/nuc700-uClinux# <\/code><\/p>\n

uClinux-dist has the default binaries we want, plus we need to configure the kernel, so lets visit there first (the more adventurous can look at the other folders)<\/p>\n


\ndebian:\/home\/N745\/nuc700-uClinux# cd uClinux-dist\/
\ndebian:\/home\/N745\/nuc700-uClinux\/uClinux-dist# ls -al
\ntotal 84
\ndrwxr-xr-x 10 root root 4096 2009-03-26 06:50 .
\ndrwxr-xr-x 6 root root 4096 2010-04-30 02:31 ..
\ndrwxr-xr-x 2 root root 4096 2009-01-22 23:27 bin
\ndrwxr-xr-x 3 root root 4096 2009-03-26 06:50 config
\n-rw-r--r-- 1 root root 18007 2009-01-22 23:29 COPYING
\ndrwxr-xr-x 3 root root 4096 2009-01-22 23:27 Documentation
\ndrwxr-xr-x 11 root root 4096 2009-01-22 23:29 freeswan
\ndrwxr-xr-x 5 root root 4096 2009-01-22 23:29 lib
\ndrwxr-xr-x 15 root root 4096 2009-03-26 06:50 linux-2.4.x
\n-rw-r--r-- 1 root root 3228 2009-01-22 23:28 MAINTAINERS
\n-rw-r--r-- 1 root root 7977 2009-01-22 23:27 Makefile
\n-rw-r--r-- 1 root root 4935 2009-01-22 23:29 README
\n-rw-r--r-- 1 root root 1654 2009-01-22 23:29 SOURCE
\ndrwxr-xr-x 158 root root 4096 2009-01-22 23:28 user
\ndrwxr-xr-x 4 root root 4096 2009-03-12 03:54 vendors
\ndebian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#
\n<\/code><\/p>\n

Looks like it should be fairly easy, right?
\nWrong.<\/p>\n

The default build doesn’t work. Why would it be that easy.<\/p>\n

You’ll end up with issues like:<\/p>\n

entry-armv.S:782: Error: Internal_relocation (type 210) not fixed up
\n(OFFSET_IMM)
\nentry-armv.S:784: Error: Internal_relocation (type 208) not fixed up
\n(IMMEDIATE)\n<\/p><\/blockquote>\n

So, we need to make sure we start off fresh.
\nAlso, note that we’re building for an N745 cpu, so we’ll need to configure that at the make config stage.
\nLastly, and EXTREMELY<\/strong> important, is that we’ll need to put our required tools in the path.<\/p>\n

DO NOT FORGET TO DO THIS<\/strong>
\nsample PATH below:<\/p>\n

PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/local\/arm_tools\/bin<\/p>\n


\ndebian:\/home\/N745\/nuc700-uClinux\/uClinux-dist# PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/local\/arm_tools\/bin<\/p>\n

debian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#make clean<\/p>\n

Now we have a choice - Recommend use make xconfig if possible.
\nYou need to have a GUI, and have tk installed. (apt-get install tk)
\nOtherwise run make config, and run through the tediously large amount of questions<\/p><\/blockquote>\n

OPTION#preferred<\/strong><\/p>\n

debian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#make xconfig <\/p>\n

OPTION#not recommended<\/strong><\/p>\n

debian:\/home\/N745\/nuc700-uClinux\/uClinux-dist# make config
\nconfig\/mkconfig > config.in
\n#
\n# No defaults found
\n#
\n*
\n* Target Platform Selection
\n*
\n*
\n* Choose a Vendor\/Product combination.
\n*
\nVendor\/Product (nuvoton\/nuc710, nuvoton\/nuc740, nuvoton\/nuc745) [nuvoton\/nuc710] (NEW) nuvoton\/nuc745<\/p>\n

[For the rest, I used the defaults (except for the Network Tools questions, which I said Y to all)]<\/p>\n

Continue here from whatever menu (x)config you used.<\/p><\/blockquote>\n

debian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#make oldconfig<\/p>\n

[Needed, or compile doesn't work]<\/p>\n

debian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#make dep<\/p>\n

[A gazillion pages of info later, we have a build environment!]
\n<\/code><\/p>\n

We’re finally ready to use our weapon of mass destruction.<\/p>\n


\ndebian:\/home\/N745\/nuc700-uClinux\/uClinux-dist#make
\n...<\/p>\n

<\/code><\/p>\n

It should compile without issue. <\/p>\n

Next step is to mount our created rom image, and copy the binaries off, or just go to the compiled folders, and get the binaries.<\/p>\n

I’ve done this step already, and have a zip file of a few useful files ready.<\/p>\n

-rwxr-xr-x 1 root root 110888 2010-04-30 03:50 ftpd
\n-rwxr-xr-x 1 root root 55164 2010-04-30 03:52 ping
\n-rwxr-xr-x 1 root root 1201904 2010-04-30 03:51 ssh
\n-rwxr-xr-x 1 root root 1219864 2010-04-30 03:51 sshd
\n-rwxr-xr-x 1 root root 118004 2010-04-30 03:45 telnet
\n-rwxr-xr-x 1 root root 45460 2010-04-30 03:45 telnetd<\/p>\n

file *
\nftpd: BFLT executable – version 4 ram
\nping: BFLT executable – version 4 ram
\nssh: BFLT executable – version 4 ram
\nsshd: BFLT executable – version 4 ram
\ntelnet: BFLT executable – version 4 ram
\ntelnetd: BFLT executable – version 4 ram<\/p>\n

Download that here – arm7-nettools<\/a><\/p>\n

All we need to do now is mount our romfs image, unzip the arm7-nettools.zip, copy the arm7 bFLT binaries over to bin, add telnetd, sshd, and ftpd to our \/bin\/init, and rebuild by running genromfs on our filesystem.<\/p>\n

We can then finally flash our new romfs, and test it out.<\/p>\n

\nDon’t forget that romfs is a read only file system, so we can’t modify it by mounting it. We need to mount, copying everything to elsewhere, do our required bits and pieces, then rebuild.<\/p>\n

eg<\/p>\n

mount -o loop -t romfs still_unsure.img \/mnt\/test -r<\/p>\n

mkdir \/mnt\/new
\ncd \/mnt
\nrsync -arv \/mnt\/test\/ new
\ncd new\/bin
\nwget http:\/\/www.computersolutions.cn\/blog\/wp-content\/uploads\/2010\/04\/arm7-nettools.zip
\nunzip arm7-nettools.zip
\nrm arm7-nettools.zip<\/p>\n

[We need to also edit init]
\npico init<\/p>\n

Add <\/p>\n

sshd&
\ntelnetd&
\nftpd&<\/p>\n

eg –
\ncat init
\nmount -t proc none \/proc
\nmount -t ramfs none \/usr
\nmount -t ramfs none \/swap
\nmount -t ramfs none \/var\/run
\nmount -t ramfs none \/etc
\nmount -t ramfs none \/flash
\nmount -t ramfs none \/home
\ncamera&
\nsshd&
\ntelnetd&
\nftpd&
\nsh<\/p>\n

Change to the next directory up, and lets run genromfs<\/p>\n

genromfs -d new -f testrom.img
\ndebian:\/mnt# ls testrom.img
\ntestrom.img
\ndebian:\/mnt# ls -al testrom.img
\n-rw-r–r– 1 root root 3329024 2010-04-30 04:18 testrom.img<\/p>\n

In theory, this should be usable (famous last words!).\n<\/p><\/blockquote>\n

Unfortunately, I can’t try testing on that at home, as all the equipment is at the office, but that should be fairly easy.<\/p>\n

Probably also some small config issues to sort out, as ftpd, telnetd and sshd will probably choke without their related \/etc\/whatever config files needed, but we can sort that out via serial on the debug ports.<\/p>\n","protected":false},"excerpt":{"rendered":"

So far in this series, we’ve learnt a few things. First, is that this hardware is quite nice for hacking purposes, as they’ve left the uBoot in a nice state, and have easily accessible debug ports. Second is that doing this kind of thing isn’t really that complicated, and can be quite fun. We’re pretty […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[252,1],"tags":[248,258,245,118,240,250,249,247],"class_list":["post-489","post","type-post","status-publish","format-standard","hentry","category-ip-cam","category-uncategorized","tag-arm7","tag-debian","tag-foscam","tag-howto","tag-ipcam","tag-nc745","tag-nuvoton","tag-uclinux"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=489"}],"version-history":[{"count":13,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/489\/revisions"}],"predecessor-version":[{"id":918,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/489\/revisions\/918"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}