[原创]+[翻译]Another Foscam FI8908W Clone Firmware Exploration
从智能摄像头研究的论坛上看到一篇,主要讲的是固件的修改。
以下是意会过来的内容。
文中提到的附件工具和刷机包均在
http://www.saveontelephonebills.com/camera/908clonerecovery.zip
可惜我打不开。
目标设备:FI8908W
评测环境:Win7 64b
评测前准备:备份所有的配置文件等内容
获得配置
xxx.xxx.xxx.xxx = Local IP Address or ISP IP Address or DDNS of IP Camera
#### = Port for IP Camera
Username = Admin Level User Name of IP Camera
Password = Password for the above User Name of IP Camera
尝试通过http cgi端口获得(支持CGI网络访问的摄像头方可用此方法尝试)
http://xxx.xxx.xxx.xxx:####/get_params.cgi?user=Username&pwd=Password
或的结果后,保存下来
小螺丝刀
烙铁和焊锡
杜邦线(接串口)
支持3.3VDC的串口接口
USB转UART TTL线
从IP Cam中获取的文件
1. linux.zip
2. romfs.img
3. 0.2.9.12.bin ("WebUI")
4. lr_cmos_0_37_2_47.bin ("Is the normal system firmware for the camera, having 1. and 2. here merged")
5. IPCamera.exe ("IP Camera Finder Tool")
6. ActiveX_IP.exe ("ActiveX Installer")
7. Instructions ("Windows Shortcut to this Forum post here")
获取Boot Loader Users Manual
该款PCB上清楚的印有串口标记,4个空的Pin孔,标记有3.3V,Rx GND等
其他地方有3.5V DC的Pin孔,不要连接
使用HyperTerminal或ClearTerminal进行COMM口通信。
可以通过ClearTerminal输入命令或发送文件。
使用串口命令对摄像头进行Recovery操作。
使用串口能看到完整的Boot信息。根据BootLoader的User Manual能发现可用命令。
在启动过程中根据提示,按“ESC”进入Boot的 Debug模式,即可使用BootLoader的命令。
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000ADFD8 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0D0000 size:0x000FC800 exec:0x7F0D0000 -a
bootloader >i
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:6E:06:05:8A:12
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
Bootloader只允许一次显示256Bytes的内存地址
根据内存地址,对二进制文件进行dump。
如WebUI.bin位置在0x7F200000 - 0x7F33727F
通过命令
d 0x7f200000
可以dump内存
d 0x7f200000
Displaying memory at 0x7F200000
[7F200000] 440C9ABD 04D81A69 - 000E124B 0C090200 ...Di...K.......
[7F200010] 0000000F 7463412F - 58657669 2E50495F ..../ActiveX_IP.
[7F200020] 01657865 00016E92 - 00905A4D 00000003 exe..n..MZ......
[7F200030] 00000004 0000FFFF - 000000B8 00000000 ................
[7F200040] 00000040 00000000 - 00000000 00000000 @...............
[7F200050] 00000000 00000000 - 00000000 00000000 ................
[7F200060] 00000000 000000D0 - 0EBA1F0E CD09B400 ................
[7F200070] 4C01B821 685421CD - 70207369 72676F72 !..L.!This.progr
[7F200080] 63206D61 6F6E6E61 - 65622074 6E757220 am.cannot.be.run
[7F200090] 206E6920 20534F44 - 65646F6D 0A0D0D2E .in.DOS.mode....
[7F2000A0] 00000024 00000000 - A84A75E5 FB2414A1 $........uJ...$.
[7F2000B0] FB2414A1 FB2414A1 - FB7B1C2F FB2414A3 ..$...$./.{...$.
[7F2000C0] FB2514A1 FB24143A - FB791C22 FB2414B0 ..%.:.$.".y...$.
[7F2000D0] FB1437F5 FB2414A8 - FB221266 FB2414A0 .7....$.f."...$.
[7F2000E0] 68636952 FB2414A1 - 00000000 00000000 Rich..$.........
[7F2000F0] 00000000 00000000 - 00004550 0005014C ........PE..L...
bootloader >
配置文件“params.bin”在0x7F1F0000 - 0x7F1F1533
d 0x7f1f0000
Displaying memory at 0x7F1F0000
[7F1F0000] 440C9ABD 000058F6 - 00001534 45363030 ...D.X..4...006E
[7F1F0010] 35303630 32314138 - 02250000 0902002F 06058A12..%./...
[7F1F0020] 6D65440C 6143206F - 6172656D 00003220 .Demo.Camera.2..
[7F1F0030] 00000000 64610000 - 006E696D 00000000 ......admin.....
[7F1F0040] 70000000 77737361 - 0064726F 00006461 ...password.ad..
[7F1F0050] 00000002 00000000 - 00000000 00000000 ................
[7F1F0060] 00000000 00000000 - 00000000 00000000 ................
[7F1F0070] 00000000 00000000 - 00000000 00000000 ................
[7F1F0080] 00000000 00000000 - 00000000 00000000 ................
[7F1F0090] 00000000 00000000 - 00000000 00000000 ................
[7F1F00A0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00B0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00C0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00D0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00E0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00F0] 00000000 00000000 - 00000000 00000000 ................
bootloader >
该版本摄像头自带"Sash command shell (version 1.1.1)".
通用的Sash命令参考:http://www.linuxcommand.org/man_pages/sash8.html
从Bootloader切换到内置shell command只需要提示符切入ClearTerminal main window 然后使用<Enter>键即可,shell支持如下命令:
/> help
cd [dirname]
sleep seconds
chgrp gid filename ...
chmod mode filename ...
chown uid filename ...
cmp filename1 filename2
cp srcname ... destname
df [file-system]
echo [args] ...
exec filename [args]
exit
free
help
hexdump [-s] filename
hostname [hostname]
kill [-sig] pid ...
ln [-s] srcname ... destname
ls [-lidC] filename ...
mkdir dirname ...
mknod filename type major minor
more filename ...
mount [-t type] devname dirname
mv srcname ... destname
printenv [name]
pwd
pid
quit
rm filename ...
rmdir dirname ...
setenv name value
source filename
sync
touch filename ...
umask [mask]
umount filename
ps
cat filename ...
date date [MMDDhhmm[YYYY]]
/>
设备列表:
/proc> cat devices
Character devices:
1 mem
2 pty
3 ttyp
4 ttyS
5 cua
10 misc
14 sound
81 video_capture
89 i2c
108 ppp
162 raw
180 usb
188 ttyUSB
200 ptz
Block devices:
31 Blkmem
/proc>
不要随意使用“del 0”“del”命令
为了将linux.zip文件下载到摄像头
del 7
fx 7 linux.zip 0x7F020000 0x8000 -acxz
下载romfs.img到摄像头
del 6
fx 6 romfs.img 0x7F0D0000 0x7F0D0000 -a
然后通过ls查看
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.zip base:0x7F020000 size:0x000AE000 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0D0000 size:0x000FC800 exec:0x7F0D0000 -a
bootloader >
而后reboot即可完成刷机
最好使用IP Camera Finder Tool 安装WebUI,使用Bootloader刷机可能会有问题。
使用IPCamera.exe文件连接上IP和端口之后,点击选择“Upgrade Firmware”然后使用admin和password并选择升级WebUI
使用IP Camera Finder Tool工具,可以找到刷机重启后,联网的IP Camera的IP地址和端口。
刷入修改后的WebUI,可以改变很多安全属性,包括公网无login登录等。
还可以使用IP Camera作为一个小型的WebServer使用。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
