Registered a URL and set up a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Author Topic: How to start? (Read 6727 times)

July 07, 2015, 06:59:22 am
I have a couple of 3511 cameras. How do I start getting new firmware on these? Or getting a backup?
Assume I get/find the JTAG, what do I do from there? Any tutorial?
I am skilled in many computer things, but do not have much experience with these things. I can code, cross-compile a kernel, etc.

October 05, 2015, 09:18:51 pm
If you found out, could you tell me? I posted but have had no answer as of yet.

November 21, 2015, 04:46:31 pm
Hi there,

I have just started on this stuff myself, so I'd like to pass on what I have learned.
I had a few of these cameras, and have always been disappointed with the quality of software on them. I find that good hardware is often ruined by weak software - really unfortunate - but also a good opportunity I suppose.

Firstly, I would recommend getting serial access to the camera. This is going to be hurdle number one, and believe me, until you have this - anything else you try will likely be thwarted by the quality of firmware on the camera. Once you have access to a serial port, everything else falls into place.
Secondly, I would recommend selecting a camera that has an SDK available. For me, this was the Hi3516C - it's a great, and very capable chip - doesn't get as hot as a lot of the others, and it's in sooooo many cameras. Thankfully some of these 3rd party Chinese camera vendors have leaked the SDK, so it's easy to get hold of on the web, just good for them (I think there is one here on openipcam too).

Once you have your camera's serial port plugged into your computer (this will likely involve getting an RS232-serial converter cable, and soldering to the serial port pins on your camera), turning the camera on while running a terminal program on your computer will cause the boot-up sequence to be rendered to your computer. You've probably already seen plenty of these "bootup dumps" in forums. You can glean lots of useful information from this.

I won't go into details, because you can read articles like this one:

But the high level overview is this....
Note that all the following information is based on my Hi3516C camera....

There are 3 physical pieces on the camera involved in firmware hacking:
1. The microcontroller (CPU) - this is the HiSilicon chip
2. The RAM - it's probably the second largest chip on your board after the microcontroller
3. The flash memory

There are 2 kinds of flash memory (from a functional perspective - I think they're separate chips on my board) on the board - the flash which stores the actual firmware, and the flash which just stores a bunch of configuration known as environment variables. The former on my board is about 8MB, and the latter about 8KB.

The flash memory on the camera is divided up into blocks, and there are 3 key areas you are interested in, in this sequence (there may be more, that the vendor has set up for storing writable configuration etc).
1. uboot
2. kernel
3. root filesystem

The first piece is the uboot code. This is the first thing to boot. Have you ever pressed F8 when booting Windows on your computer? And you get a little text menu that asks if you want to boot into safe mode, diagnostic boot up etc etc? uboot is like that. Never overwrite the uboot - you should never need to. You can enhance the camera to your heart's desire without touching uboot (from what I understand).
When you boot the camera, there will be a moment a few seconds after boot where it says "press CTRL+C to stop boot" or something like that. If you do that, you will be given a command prompt where you can do things like back up your flash. Uboot has a few critical drivers built into it for utilising the hardware on the chip - so it can, for example, use the ethernet adapter before the operating system has even loaded.

The boot sequence looks a little like this...

1. uboot starts
2. uboot reads the kernel image from the flash memory, into RAM
3. uboot boots that RAM address
4. kernel takes over, and reads environment variables for where to get the root filesystem from (which will also be flash)
5. uboot initializes some stuff, and then mounts the root filesystem

When you are at the uboot menu, you have some commands available to you. One of them is TFTP, which is a kind of file transfer command.
This guy has written a tutorial on that - which is quite good:

So, to start hacking things, follow the tutorial above to back up both your kernel, and filesystem image.
Once you have done that, what I did was extract the filesystem image to somewhere on my network, and share it as an NFS share.
Then I modified my uboot environment variable to tell the kernel to load the root filesystem from the NFS share, instead of from the firmware in flash.
Then, once the camera had booted, all of the files it was using were actually on my networked hard drive, not the camera flash, and I could tweak them using my text editor, without worrying about breaking the camera - because I could at any point change the environment variables back to their original values, and the camera would boot off the internal flash memory again.

I hope that gives you a loose idea of how these cameras work, and how to tinker with them.
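Added example (not from the forum post above, and not a HiSilicon or U-Boot project file): once you have pulled the kernel image and the environment block off the camera over TFTP as the post describes, the first thing worth doing with the backups is checking that they are intact before you rely on them for a restore. The kernel that uboot reads from flash into RAM (step 2 of the boot sequence) is normally a legacy uImage: a 64-byte big-endian header carrying a magic value, a header CRC32, the payload size, the RAM load address, the entry point and a payload CRC32. The 8KB environment area is simpler: a 4-byte CRC32 in CPU byte order followed by NUL-separated KEY=VALUE strings, terminated by an empty string. The code below parses both and verifies the CRCs. The sample images are constructed inline with the builder functions, the load address 0x80008000, the image name and the NFS bootargs value are made-up illustrative values, the environment CRC is assumed little-endian (the Hi3516C is a little-endian ARM part) and the single-copy environment layout (no redundant-env flag byte) is assumed.

```python
"""Integrity checks for a U-Boot legacy uImage and a raw U-Boot environment block.
Added example; sample data is constructed inline, not captured from a real camera."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_HEADER_FMT = ">IIIIIIIBBBB32s"
UIMAGE_HEADER_LEN = struct.calcsize(UIMAGE_HEADER_FMT)  # 64 bytes


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob):
    """Return the header fields of a legacy uImage plus header/payload CRC results."""
    if len(blob) < UIMAGE_HEADER_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     _os, _arch, _typ, _comp, name) = struct.unpack(UIMAGE_HEADER_FMT, blob[:UIMAGE_HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # The header CRC is computed over the header with the hcrc field itself zeroed.
    header_zeroed = blob[:4] + b"\0\0\0\0" + blob[8:UIMAGE_HEADER_LEN]
    payload = blob[UIMAGE_HEADER_LEN:UIMAGE_HEADER_LEN + size]
    return {
        "size": size,
        "load_addr": load,
        "entry_point": ep,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "header_crc_ok": crc32(header_zeroed) == hcrc,
        # A truncated backup shows up here as a size mismatch, a corrupted one as a CRC mismatch.
        "data_crc_ok": len(payload) == size and crc32(payload) == dcrc,
    }


def build_uimage(payload, load, ep, name):
    """Construct a minimal legacy uImage (used here only to make test data).
    os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (uncompressed)."""
    hdr = struct.pack(UIMAGE_HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, ep,
                      crc32(payload), 5, 2, 2, 0, name.encode("ascii"))
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + payload


def parse_env(blob, byteorder="little"):
    """Parse a raw single-copy U-Boot environment block: CRC32 (CPU byte order,
    assumed little-endian here) over the data area, then KEY=VALUE\\0 ... \\0."""
    stored = int.from_bytes(blob[:4], byteorder)
    data = blob[4:]
    env = {}
    for entry in data.split(b"\0"):
        if not entry:          # an empty string (double NUL) ends the variable list
            break
        key, _, value = entry.partition(b"=")
        env[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return env, crc32(data) == stored


def build_env(entries, size=8192, byteorder="little"):
    """Construct an environment block of the given size (test data only).
    The CRC covers the whole padded data area, exactly as U-Boot computes it."""
    data = b"".join(k.encode() + b"=" + v.encode() + b"\0" for k, v in entries.items()) + b"\0"
    data = data.ljust(size - 4, b"\0")
    return crc32(data).to_bytes(4, byteorder) + data


if __name__ == "__main__":
    # Constructed sample kernel backup; addresses and name are illustrative only.
    kernel = build_uimage(bytes(range(256)) * 4, 0x80008000, 0x80008000, "hi3516c-example")
    print(parse_uimage(kernel))
    # Constructed sample environment pointing the kernel at an NFS root,
    # the kind of change the post describes (192.0.2.10 is a documentation address).
    env_blob = build_env({
        "bootargs": "root=/dev/nfs nfsroot=192.0.2.10:/srv/camroot,v3 ip=dhcp rw console=ttyAMA0,115200",
    })
    env, ok = parse_env(env_blob)
    print("env CRC ok:", ok, "bootargs:", env["bootargs"])
```

Run it against your own backups by reading the TFTP'd files with `open(path, "rb").read()` and passing the bytes to `parse_uimage` or `parse_env`; a header CRC that fails usually means the wrong flash offset or length was read, while a failing data CRC with a matching size points to corrupted or partial transfer. Keep a copy of the original environment block (CRC verified) before changing bootargs, since it is the thing you restore to get the camera booting from internal flash again.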