{"id":509,"date":"2010-05-06T00:07:41","date_gmt":"2010-05-05T16:07:41","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=509"},"modified":"2013-01-04T22:50:08","modified_gmt":"2013-01-04T14:50:08","slug":"ip-cam-hacking-%e2%80%93-pt6","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2010\/05\/ip-cam-hacking-%e2%80%93-pt6\/","title":{"rendered":"IP Cam Hacking \u2013 pt#6"},"content":{"rendered":"<p>I&#8217;ve uploaded a zip of my built test image here. I&#8217;ve only included telnetd and ftpd, as the sshd binary is very large and won&#8217;t fit into our rom image space!<\/p>\n<p>If someone is willing to test, feel free.<\/p>\n<p><a href='http:\/\/www.computersolutions.cn\/blog\/wp-content\/uploads\/2010\/04\/testrom.zip'>Test Rom with FTPD and TELNETD binaries added<\/a><\/p>\n<p>This rom is roughly 700kb vs the normal 550kb, so it may or may not overwrite the web UI.<\/p>\n<p>As China&#8217;s firewall is being particularly obnoxious this week as to what I can view on the web, I can&#8217;t actually get to the info I need to see where they typically write the UI to in rom.<\/p>\n<p>In theory, we should be able to write to the same base address via the boot loader.<\/p>\n<p>The original rom is written here &#8211;<\/p>\n<p>Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a<\/p>\n<p>And I&#8217;m pretty sure that the UI gets written somewhere after this, and not as a separate image.
I&#8217;d have to run Windows and a sniffer to test this though (using their firmware update software).<\/p>\n<p>Our boot logs show that the Linux blkmem driver is set to view the whole area from 0x7F0E0000 through to 0x7F16D3FF, so we should easily have 200kb to waste^Hplay with.<\/p>\n<p>From my boot logs:<\/p>\n<p>Blkmem 1 disk images:<br \/>\n0: 7F0E0000-7F16D3FF [VIRTUAL 7F0E0000-7F16D3FF] (RO)<\/p>\n<p>Ostensibly, this should be a matter of going to the bootloader over serial, then uploading our .img file.<br \/>\nI suggest renaming testrom.img to romfs.img to be consistent.<\/p>\n<p>It should be something like this:<\/p>\n<p>bootloader> del 6<br \/>\n(delete the current romfs.img)<\/p>\n<p>bootloader> fx 6 romfs.img 0x7f0e0000 0x7f0e0000 -a<br \/>\nWaiting for download<br \/>\nPress Ctrl-x to cancel &#8230; (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my rom image)<br \/>\nCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<br \/>\nFlash programming &#8230;<\/p>\n<p>bootloader> boot<\/p>\n<p>Then see what happens in the logs.<\/p>\n<p>It should boot, then attempt to run telnetd and ftpd.<br \/>\nThat probably WON&#8217;T work just yet, as they&#8217;ll complain about missing \/etc\/ config files.<\/p>\n<p>You might also be missing the UI (as I think this gets written somewhere after our romfs.img in flash).<\/p>\n<p>Send me the serial logs in the comments, and I can fix that up and repackage.<\/p>\n<p>I also know why the alleged clones (NB they&#8217;re not f..king clones sigh, they&#8217;re all made by 1 manufacturer here for different people, including FOSCAM) don&#8217;t work.
The linux.bin for older firmware is set to boot from 0x7f0D0000 as opposed to 0x7f0e0000, so images 6 and 7 both need to be reflashed.<\/p>\n<p>Also of note: the newer units have gone cheaper and use 2M flash; previous units had 4M.<br \/>\nuCLinux reports 8M, but it&#8217;s not talking about flash, just RAM.<\/p>\n<p>Be prepared to brick (not completely, as we have a bootloader and can reflash the original firmware) if it doesn&#8217;t work.<\/p>\n<p>If my rom above doesn&#8217;t work initially for you, try flashing this <a href='http:\/\/www.computersolutions.cn\/blog\/wp-content\/uploads\/2010\/05\/linux.zip'>linux.zip<\/a> before reverting, and see if that helps it boot.<\/p>\n<p>e.g.<\/p>\n<p><code>bootloader> del 7<br \/>\n<br \/>\nbootloader> fx 7 linux.zip 0x7f020000 0x8000 -acxz<br \/>\nWaiting for download<br \/>\nPress Ctrl-x to cancel ... (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my linux.zip)<br \/>\nCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<br \/>\nFlash programming ...<br \/>\n<br \/>\nbootloader> fx 6 romfs.img 0x7f0e0000 0x7f0e0000 -a<br \/>\nWaiting for download<br \/>\nPress Ctrl-x to cancel ... (while it waits, you have to select Transfer > Send File in the Hyperterminal menu, choose the Xmodem protocol and select my rom image)<br \/>\nCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<br \/>\nFlash programming ...<\/code><\/p>\n<p>Why aren&#8217;t I doing this?<\/p>\n<p>Mostly as I don&#8217;t currently have a good serial connection; I&#8217;m waiting on headers. Currently I have to hold the serial ports onto the board with my fingers, and that&#8217;s less than reliable!<\/p>\n<p>I should get around to fixing that soonish though, as I&#8217;m interested in testing this myself&#8230;<\/p>\n<blockquote><p>I&#8217;d also appreciate the French contingent adding some info.
I&#8217;m particularly interested in paillassou&#8217;s board photos, and any other firmware people have found for these so I can compare.<\/p><\/blockquote>\n<p>I can&#8217;t get to Picasa, GadgetVictims, IrishJesus now in China. Grrr.<\/p>\n<p>Yes, I know, use a VPN or proxy&#8230; Unfortunately what we do precludes doing so, as I&#8217;d probably get told off by our beloved government here, and that&#8217;s not worth the risk&#8230;<\/p>\n<p>Comments please.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve uploaded a zip of my built test image here. I&#8217;ve only included telnetd, and ftpd, as the sshd binary is very large, and won&#8217;t fit into our rom image space! If someone is willing to test, feel free. Test Rom with FTPD and TELNETD binaries added This rom is 700k+- vs the normal 550kb. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[252],"tags":[248,258,245,118,240,250,249,247],"class_list":["post-509","post","type-post","status-publish","format-standard","hentry","category-ip-cam","tag-arm7","tag-debian","tag-foscam","tag-howto","tag-ipcam","tag-nc745","tag-nuvoton","tag-uclinux"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=509"}],"version-history":[{"count":7,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/509\/revisions"}],"predecessor-version":[{"id":917
,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/509\/revisions\/917"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}