[Original]+[Translation] Another Foscam FI8908W Clone Firmware Exploration
Posted: 2017-9-27 10:29 4994
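I came across a post on a smart-camera research forum that mainly covers firmware modification.
What follows is my understanding of its content.
The attached tools and flashing package mentioned in the post are all at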
http://www.saveontelephonebills.com/camera/908clonerecovery.zip
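Unfortunately, I cannot open it.
Target device: FI8908W
Test environment: Win7 64-bit
Preparation before testing: back up all configuration files and similar content
Obtaining the configuration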
xxx.xxx.xxx.xxx = Local IP Address or ISP IP Address or DDNS of IP Camera
#### = Port for IP Camera
Username = Admin Level User Name of IP Camera
Password = Password for the above User Name of IP Camera
Try to obtain it through the HTTP CGI interface (this method only works for cameras that support CGI network access)
http://xxx.xxx.xxx.xxx:####/get_params.cgi?user=Username&pwd=Password
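After getting the result, save it.
Small screwdriver
Soldering iron and solder
Dupont wires (for connecting the serial port)
Serial interface that supports 3.3 VDC
USB-to-UART TTL cable
Files obtained from the IP Cam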
1. linux.zip
2. romfs.img
3. 0.2.9.12.bin ("WebUI")
4. lr_cmos_0_37_2_47.bin ("Is the normal system firmware for the camera, having 1. and 2. here merged")
5. IPCamera.exe ("IP Camera Finder Tool")
6. ActiveX_IP.exe ("ActiveX Installer")
7. Instructions ("Windows Shortcut to this Forum post here")
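Obtain the Boot Loader Users Manual
The PCB of this model is clearly printed with serial port markings: 4 empty pin holes, labelled 3.3V, Rx, GND, etc.
There are pin holes carrying 3.5V DC elsewhere on the board; do not connect to them.
Use HyperTerminal or ClearTerminal to communicate over the COM port.
Commands can be typed and files can be sent through ClearTerminal.
Use serial commands to perform the recovery operation on the camera.
Over the serial port you can see the complete boot messages. The available commands can be found in the BootLoader User Manual.
During startup, when prompted, press "ESC" to enter the boot debug mode, where the BootLoader commands can be used.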
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000ADFD8 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0D0000 size:0x000FC800 exec:0x7F0D0000 -a
bootloader >i
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:6E:06:05:8A:12
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
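The bootloader only allows 256 bytes of memory to be displayed at a time.
Dump the binary files according to their memory addresses.
For example, WebUI.bin is located at 0x7F200000 - 0x7F33727F
With the command
d 0x7f200000
the memory can be dumped: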
d 0x7f200000
Displaying memory at 0x7F200000
[7F200000] 440C9ABD 04D81A69 - 000E124B 0C090200 ...Di...K.......
[7F200010] 0000000F 7463412F - 58657669 2E50495F ..../ActiveX_IP.
[7F200020] 01657865 00016E92 - 00905A4D 00000003 exe..n..MZ......
[7F200030] 00000004 0000FFFF - 000000B8 00000000 ................
[7F200040] 00000040 00000000 - 00000000 00000000 @...............
[7F200050] 00000000 00000000 - 00000000 00000000 ................
[7F200060] 00000000 000000D0 - 0EBA1F0E CD09B400 ................
[7F200070] 4C01B821 685421CD - 70207369 72676F72 !..L.!This.progr
[7F200080] 63206D61 6F6E6E61 - 65622074 6E757220 am.cannot.be.run
[7F200090] 206E6920 20534F44 - 65646F6D 0A0D0D2E .in.DOS.mode....
[7F2000A0] 00000024 00000000 - A84A75E5 FB2414A1 $........uJ...$.
[7F2000B0] FB2414A1 FB2414A1 - FB7B1C2F FB2414A3 ..$...$./.{...$.
[7F2000C0] FB2514A1 FB24143A - FB791C22 FB2414B0 ..%.:.$.".y...$.
[7F2000D0] FB1437F5 FB2414A8 - FB221266 FB2414A0 .7....$.f."...$.
[7F2000E0] 68636952 FB2414A1 - 00000000 00000000 Rich..$.........
[7F2000F0] 00000000 00000000 - 00004550 0005014C ........PE..L...
bootloader >
The configuration file "params.bin" is at 0x7F1F0000 - 0x7F1F1533
d 0x7f1f0000
Displaying memory at 0x7F1F0000
[7F1F0000] 440C9ABD 000058F6 - 00001534 45363030 ...D.X..4...006E
[7F1F0010] 35303630 32314138 - 02250000 0902002F 06058A12..%./...
[7F1F0020] 6D65440C 6143206F - 6172656D 00003220 .Demo.Camera.2..
[7F1F0030] 00000000 64610000 - 006E696D 00000000 ......admin.....
[7F1F0040] 70000000 77737361 - 0064726F 00006461 ...password.ad..
[7F1F0050] 00000002 00000000 - 00000000 00000000 ................
[7F1F0060] 00000000 00000000 - 00000000 00000000 ................
[7F1F0070] 00000000 00000000 - 00000000 00000000 ................
[7F1F0080] 00000000 00000000 - 00000000 00000000 ................
[7F1F0090] 00000000 00000000 - 00000000 00000000 ................
[7F1F00A0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00B0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00C0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00D0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00E0] 00000000 00000000 - 00000000 00000000 ................
[7F1F00F0] 00000000 00000000 - 00000000 00000000 ................
bootloader >
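The 256-byte pages printed by `d` can be stitched back into a binary image offline. The following is an added example, not part of the original post or its tools: it parses captured `d` output, restores the byte order of the little-endian 32-bit words, checks row addresses and the ASCII column against the hex, and lists the readable strings, which shows that the strings in the configuration image are stored unencrypted. The function names and the ASCII rendering rule are assumptions inferred from the dumps on this page.

```python
import re
import struct

# Rows copied from the params.bin dump on this page (first 0x50 bytes).
SAMPLE = """\
Displaying memory at 0x7F1F0000
[7F1F0000] 440C9ABD 000058F6 - 00001534 45363030 ...D.X..4...006E
[7F1F0010] 35303630 32314138 - 02250000 0902002F 06058A12..%./...
[7F1F0020] 6D65440C 6143206F - 6172656D 00003220 .Demo.Camera.2..
[7F1F0030] 00000000 64610000 - 006E696D 00000000 ......admin.....
[7F1F0040] 70000000 77737361 - 0064726F 00006461 ...password.ad..
bootloader >
"""
H = r"([0-9A-Fa-f]{8})"
ROW = re.compile(rf"^\[{H}\]\s+{H}\s+{H}\s+-\s+{H}\s+{H}\s+(\S{{16}})\s*$")

def parse_dump(text):
    """Rebuild (base_address, bytes) from captured 'd' output, 16 bytes per row."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # echoed commands, prompts, "Displaying memory at ..."
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        if addr != base + len(data):
            raise ValueError(f"gap or repeated row at 0x{addr:08X}")
        # Each column is a 32-bit word; in memory its bytes are little-endian.
        row = b"".join(struct.pack("<I", int(w, 16)) for w in m.group(2, 3, 4, 5))
        # Cross-check with the ASCII column (0x21-0x7E shown, all else '.';
        # rule inferred from the dumps on this page) to catch serial glitches.
        shown = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in row)
        if shown != m.group(6):
            raise ValueError(f"hex/ASCII mismatch at 0x{addr:08X}")
        data += row
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(data)

def ascii_fields(base, data, min_len=4):
    """List (address, text) for printable ASCII runs of at least min_len bytes."""
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    base, blob = parse_dump(SAMPLE)
    for addr, text in ascii_fields(base, blob):
        print(f"0x{addr:08X}  {text}")
```

On the sample rows, the first string found, 006E06058A12, matches the MAC address the bootloader prints, and the word at offset 8 (0x1534) equals the length implied by the params.bin address range.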
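This camera version ships with "Sash command shell (version 1.1.1)".
General Sash command reference: http://www.linuxcommand.org/man_pages/sash8.html
To switch from the bootloader to the built-in command shell, just place the cursor in the ClearTerminal main window and press the <Enter> key. The shell supports the following commands: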
/> help
cd [dirname]
sleep seconds
chgrp gid filename ...
chmod mode filename ...
chown uid filename ...