Hardware
--------

Samsung S3C44B0X Development Board (ARMv3)

1Gb flash:
* 960k allocated to kernel
* 2.6Mb allocated to root filesystem
* 61Mb allocated to config (user) filesystem

16Mb RAM

Firmware Format
---------------

Header is as follows:

offset  length  contents
0x00    4       signature 11221978
0x04    4       firmware revision, eg 01010012 is v1.1.0.18
0x08    4       kernel size
0x0c    4       kernel checksum
0x10    4       root fs size
0x14    4       root fs checksum

After the header is the kernel image (length at header offset 0x08).
After the kernel is the root jffs2 filesystem.

Checksum
--------

A new firmware that is uploaded using the web GUI is verified prior to copying to flash. The kernel and the root filesystem images are each checksummed, and must match the checksums in the firmware header.

The checksum is probably a polynomial-based CRC, because swapping two adjacent bytes or dwords yields a different checksum (a plain sum would not notice).

Regardless, the upfirmware command displays the required checksum and we can use it to tweak the header. It's an ARM7 binary in bFLT format statically linked against uClinux libraries, so we use qemu-arm to run it. Alas, it expects the argument to be in the wrong place in its environment, and one needs to make a file called 'TERM=asdf' in the current directory as the firmware file, or a symlink to it.

Firmware Hacking
----------------

To hack the firmware, simply (!) extract the 3 different parts, mount the root filesystem on your non-embedded Linux system, adjust the files you need, and put it all back together. You need to adjust the "root fs checksum" in the header to match the newly created filesystem.

It's actually been a while since I've done this, but from memory these commands might do what's needed.
* extract the header

  dd if=firmware.bin bs=1 count=32 of=header.img

* look at the contents of the header

  od -x header.img

* get the kernel size (the 4 bytes at offset 0x08) and turn it into decimal

* get the kernel

  dd if=firmware.bin bs=1 skip=32 count=<kernel size in decimal> of=kernel.img

* calculate the offset of the start of the root filesystem by adding the kernel size to 32, then extract it

  dd if=firmware.bin bs=1 skip=<32 + kernel size> of=rootfs.img

The tricky part is to mount the jffs2 filesystem. You can't always just use the mount command like you would with any other filesystem image. Some Linux kernels need special kernel modules to be loaded manually before it works properly. The key thing to learn about is "MTD", which stands for "Memory Technology Device" (ie flash). This web page has some useful info on how to do the equivalent mounting for another firmware: http://wiki.maemo.org/Modifying_the_root_image

OS
--

Linux kernel 2.6.1.8 with uClinux and various patches, Boa for the webserver, and busybox for the usual stuff.

Accounts
--------

The 'roger' user is probably named after Roger Jay, whose name and email address appear in the dmesg output associated with the driver for the VC0568 camera chip.

OS
* uses shadow passwords
* root account has no password
* nobody account is locked
* 'roger' account has password 'roger'

Web
* accounts stored in /etc/ipcam.cfg
* use MD5 hashes
* admin account has password 123456
* roger account has password roger
* other accounts are 'user' and 'guest'

Binaries
--------

Special purpose binaries are:

/bin/camctrl - turns on and off the camera, lists camera parameters, disables 'privacy' (?)
/bin/crypt - encrypts or decrypts a file using a given key
/bin/erase
/bin/eraseall
/bin/ez-ipupdate
/bin/ipcam
/bin/ipcamd
/bin/ipcamsearch
/bin/lcdshow - shows the IP settings displayed on the front panel
/bin/led - turns on, off or flashes the LED on the front panel
/bin/snap - takes a snapshot and puts it into /tmp/s/snapshot.jpg
/usr/sbin/adsl-connect - script
/usr/sbin/adsl-start - script
/usr/sbin/adsl-status - script
/usr/sbin/adsl-stop - script
/usr/sbin/factory_reset - script to unmount /mnt/cfg, copy /cfg.img over /tmp/mtdblock2 and reboot
/usr/sbin/g - tftp get script (using busybox tftp)
/usr/sbin/init_ipaddr
/usr/sbin/kill4update - script to turn off the camera and kill timer, ez-ipupdate, sf.cgi, ipcamd and ipcam, then shut down adsl (inc pppd and pppoe) activity
/usr/sbin/ll - script to alias "ls -l"
/usr/sbin/p - tftp put script (using busybox tftp)
/usr/sbin/pppd
/usr/sbin/pppoe
/usr/sbin/rr - script to call "ps -x", "free" and "date" in a loop
/usr/sbin/unlockfs - script to remount / as read-write
/usr/sbin/updatefs - script to fetch a new root filesystem jffs2.img with tftp from the server IP configured in /mnt/cfg/host.cfg (192.168.1.42) and install it by copying to /tmp/mtdblock1, running sync and rebooting
/usr/sbin/updatekernel - as per updatefs but installs a kernel zImage into /tmp/mtdblock0
/home/www/guest/ieng - shell CGI script to handle guest access
/home/www/cgi-bin/action - handles most tasks initiated from the web GUI
/home/www/cgi-bin/cgi_demo - script to print some standard web variables
/home/www/cgi-bin/hwtest - performs hardware tests
/home/www/cgi-bin/nph-backupcfg - backs up the config and gives it to the user
/home/www/cgi-bin/sf.cgi - feeds the camera video in MJPEG-over-HTTP format
/home/www/cgi-bin/testcgi - gets and sets "IIC" register values, see below

IIC register
------------

Browse to http://ip.address/cgi-bin/testcgi to get access to a program that lets you read and write to some kind of registers.
The interface is in Chinese, but by experimentation it can be shown that some of the values relate to the LCD on the front panel (changing them also changes what's displayed there) and others relate to the camera's motion. Translations (shown in quotes) by Google.

Reg    Function
-----  --------
00     "Rotational direction of Haeundae register (write only)" - move camera (1=down, 2=right, 3=up, 4=down)
01     "Step angle Yuntai register (write only)" - set/get size of move
02     "Yuntai detection correction register (write only)" - 1 or more triggers calibration
03     "Yuntai middle register (write only)" - 1 or more triggers home
04     "Yuntai automatic inspection register (write only)" - pan/tilt auto (1=pan, 2=tilt, 3=both, 0=stop)
05     "Yuntai speed automatic inspection register (write only)" - ? (default=255)
06     "Yuntai Status Register (read only)" - ? (default=0)
07     "Yuntai run status register (read only)" - ? (default=0)
08 0F  "Privacy protection" - blue light on front panel (1=on, 0=off)
10     "IP address of the highest" (1st quad)
11     "IP address at a high" (2nd quad)
12     "IP address of time low" (3rd quad)
13     "IP address of the lowest" (4th quad)
14     "IP address of the highest-bit mask"
15     "IP address mask time high"
16     "IP address mask time low"
17     "IP address of the lowest mask"
18     "the highest level gateway address"
19     "gateway address at a high"
1A     "gateway address at low"
1B     "the lowest gateway address"
1C     "icon display control register"
1D     "interconnection mode display control register"
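The header layout from the Firmware Format section and the extract/rebuild steps from Firmware Hacking, as an added Python example that is not part of the original notes. The byte order of the header fields is not stated above, so the parser tries both and keeps the one in which the signature field reads 0x11221978 (an assumption); the 8 header bytes after the six documented fields are carried over unchanged, and the root fs checksum written on rebuild is still the value reported by upfirmware, since the algorithm is not known.

```python
import struct

HEADER_LEN = 32                 # the dd steps above take 32 bytes of header
SIGNATURE = 0x11221978          # signature field at offset 0x00
FIELDS = ("signature", "revision", "kernel_size", "kernel_cksum",
          "rootfs_size", "rootfs_cksum")

def parse_header(blob):
    """Decode the six documented dwords. Byte order is not stated on the page
    (assumption): try both and keep the one whose signature matches."""
    if len(blob) < HEADER_LEN:
        raise ValueError("image shorter than the 32-byte header")
    for order in ("<", ">"):
        vals = struct.unpack(order + "6I", blob[:24])
        if vals[0] == SIGNATURE:
            hdr = dict(zip(FIELDS, vals))
            hdr["order"] = order
            hdr["tail"] = blob[24:HEADER_LEN]  # bytes 0x18-0x1f, undocumented
            return hdr
    raise ValueError("signature mismatch: not a firmware image in this format")

def revision_string(rev):
    """0x01010012 -> '1.1.0.18': one version component per byte."""
    return ".".join(str((rev >> s) & 0xFF) for s in (24, 16, 8, 0))

def split_image(blob):
    """Return (header, kernel, rootfs): the equivalent of the three dd steps."""
    hdr = parse_header(blob)
    k_end = HEADER_LEN + hdr["kernel_size"]
    r_end = k_end + hdr["rootfs_size"]
    if r_end > len(blob):
        raise ValueError("sizes in the header run past the end of the image")
    return hdr, blob[HEADER_LEN:k_end], blob[k_end:r_end]

def rebuild_image(hdr, kernel, rootfs, rootfs_cksum):
    """Reassemble with a modified root fs: size is recomputed, the checksum
    is the value upfirmware reports for the new root fs (algorithm unknown)."""
    header = struct.pack(hdr["order"] + "6I", SIGNATURE, hdr["revision"],
                         len(kernel), hdr["kernel_cksum"], len(rootfs),
                         rootfs_cksum) + hdr["tail"]
    return header + kernel + rootfs

def make_sample_image(order="<"):
    """Constructed test image (not a real firmware dump): 100-byte kernel,
    300-byte root fs, placeholder checksum values."""
    kernel, rootfs = b"K" * 100, b"R" * 300
    header = struct.pack(order + "6I", SIGNATURE, 0x01010012, len(kernel),
                         0xAAAA, len(rootfs), 0xBBBB) + b"\0" * 8
    return header + kernel + rootfs
```

Run split_image on a real dump to get the three parts the dd commands produce, and rebuild_image after editing the mounted root fs to put them back together with the updated size and checksum fields.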