Topic: Unpacking Firmware

July 17, 2015, 08:39:34 pm
I just got a new Foscam. Everyone tells me that to modify the web UI I need to unpack the .bin firmware. So I built the Foscam tool here with GCC, as well as another one. I tried to extract a bunch of different firmware .bin files from Foscam (just to make sure it wasn't my model) and these tools look like they don't work anymore.

Command Example:
$ ./fosfirm 2.4.10.5.bin /files/


Error:
File size doesn't match that reported in the header: 1141676733/1132523

This happens with every .bin firmware I've tried, and on Linux and Mac. How are people extracting firmware these days? What tool can I use?

Thanks in advance!

July 18, 2015, 05:35:15 pm
So using binwalk I see that it says it's an encrypted image. I googled tons before this and never realized Foscam started AES-128 encrypting its bin. What are my options to change the web UI? I have access to serious computing power and was wondering what I need to tell John the Ripper exactly about the Foscam C1 firmware bin file to have it run passwords against it all day.

Is the other option opening up the device? I just want to change the web interface.

July 27, 2015, 03:00:25 pm
Use openssl with the passwords supplied in the firmware hacking forum to decrypt the original .BIN file, then use binwalk -e (extract) to break it into its parts.

http://www.openipcam.com/forum/index.php/topic,687.0.html
« Last Edit: July 27, 2015, 03:02:00 pm by VorlonFrog »
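
A pre-check for the openssl step in the reply above, as an added example that is not part of the original thread: it looks for the `Salted__` header that password-based `openssl enc` output starts with and measures byte entropy, so you can tell whether the openssl route applies before running binwalk -e. The sample blobs are constructed, and whether a given Foscam image uses this container is an assumption to check against your own file.

```python
import hashlib
import math
from collections import Counter

OPENSSL_MAGIC = b"Salted__"  # header of password-based `openssl enc` output


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage(blob: bytes, block: int = 16) -> dict:
    """Classify a firmware blob before choosing an unpacking tool."""
    # The magic is followed by an 8-byte salt; ciphertext starts at offset 16.
    salted = blob.startswith(OPENSSL_MAGIC) and len(blob) >= 16
    body = blob[16:] if salted else blob
    entropy = shannon_entropy(body)
    if salted:
        verdict = "openssl-enc container"
    elif entropy > 7.9:
        verdict = "high entropy, unknown wrapper (encrypted or compressed)"
    else:
        verdict = "plaintext or lightly packed"
    return {
        "salted": salted,
        "salt": blob[8:16].hex() if salted else None,
        "entropy": round(entropy, 2),
        # AES-CBC ciphertext is always a multiple of the 16-byte block size.
        "block_aligned": len(body) % block == 0,
        "verdict": verdict,
    }


# Constructed sample inputs (not real firmware): a hash stream stands in
# for ciphertext, and a repeated shell script for an unencrypted image.
_STREAM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SAMPLE_SALTED = OPENSSL_MAGIC + bytes(range(8)) + _STREAM
SAMPLE_OPAQUE = _STREAM
SAMPLE_PLAIN = b"#!/bin/sh\necho boot\n" * 200

if __name__ == "__main__":
    for name in ("SAMPLE_SALTED", "SAMPLE_OPAQUE", "SAMPLE_PLAIN"):
        print(name, triage(globals()[name]))
```

With the header present, a "bad decrypt" from openssl points at the wrong password, cipher or digest; with the header absent, the file is not plain salted `openssl enc` output and has to be identified before any password can apply.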

January 06, 2016, 02:40:46 pm
None of those are useful in decrypting the Foscam C1 Firmware. They all give bad decrypt. It's a different type of firmware. Has anyone made any progress? This camera has been out for about a year.

Here's the current firmware
Step1_FosIPC_E_app_ver2.x.2.16.bin

I need to get into that and rewrite the web interface. Thanks!


January 07, 2016, 05:23:22 am

Not sure WHY your focus is NOT on creating other methods to do the same, like below? Unless you are trying to make it appear that YOU are the manufacturer of these IP Cameras and not Foscam?

---------------------------------

This Interface, shown below, can be used with any IP Camera/NVR/DVR/VMS that supports pulling snapshots using HTTP and/or HTTPS, and is accessible from any Internet-browser-capable device, from computers to tablets and phones to TVs, using any operating system and browser, without downloading/installing any plug-ins or media players. IP Camera image refresh bandwidth can be controlled as well, which makes it great for web pages in websites as well as for personal use from any of your Internet-browser-capable devices.

Examples:



Added live Axis IP Camera demos. Here's one that even allows you to start a train with all IP Camera controls:

http://107.170.59.150/Axis/SecureImageDisplayControl.htm

Another without IP Camera controls but with digital zoom:

http://107.170.59.150/Axis/SecureImageDisplayZoom1.htm

Another without any IP Camera controls and with a thermal image from the IP Camera above:

http://107.170.59.150/Axis/SecureImageDisplay2.htm

The Interface supports both HTTP and HTTPS and optionally prompting for access, even if the IP Camera does not support HTTPS. A unique User Id and Password that have nothing to do with the IP Cameras can also be used. The example below is using a self-signed certificate so you will see a warning. User: admin Password: admin

https://107.170.59.150/Axis/SecureImageDisplayControlLogin.php

---------------------------------

The point being: you could and can create the Web Interface of your choice, doing anything the default interface can and does and even more, with or without full motion video and/or audio, without requiring you to modify firmware to do the same. That said, without your ("Custom firmware") being installed, your custom interface would INSTANTLY disappear, whereas with the approach shown above, it would not.

If you want to take on the chore of constantly creating custom firmware versions each and every time that official firmware versions are released by Foscam or by any other IP Camera manufacturer, then you WILL have a very daunting task that never ends.

If you assume that any current decryption methods of firmware will remain the same ("Forever") in order to create your custom firmware versions in the future, then you are sadly mistaken as well. What happens when any decryption methods that you found to work today fail in the future to work with newer firmware releases, using your approach?

What would you do when an emergency firmware release ("Which you suddenly can't decrypt") is made due to a security exploit of older firmware releases so that those IP Camera owners will now be protected from that exploit? Which generally happens more than you may be aware of, with all IP Camera brands and models from different IP Camera manufacturers.

Note: I have, in the past, modified IP Camera firmware to support a custom Web Interface. While it was fun to experiment and play with, it's nothing short of a complete nightmare to maintain as new firmware releases are released, even for personal use only.


From: http://www.openipcam.com/forum/index.php/topic,473.0.html

Last, but far from least: if you intend to distribute your ("Custom Firmware"), it best be 80+ percent different than the original firmware, because firmware is copyrighted and most likely the IP Camera manufacturers you infringe upon have much deeper pockets than you have to throw money at suing you because you created a "Derivative Work" violating their copyrights on the original firmware in question.

I won't even go into also using firmware version numbers for your custom firmware that are normally used by the IP Camera manufacturer in question, and/or what additional monies that manufacturer could be awarded based on how you marketed your custom firmware.

So why take on the support overhead and potential legal burdens of creating custom firmware when you can do the same things using methods like the above?

Even if these custom changes you wish to make are for personal use, using the methods shown above will generally survive and function as they did after a firmware upgrade/downgrade, allowing you and/or others to use the most current firmware for your IP Camera equipment or even to remain on older firmware releases if desired.

Don

« Last Edit: January 08, 2016, 01:58:13 am by TheUberOverLord »