
Topic: Cotier TV-631W/IP 1.3MP

March 25, 2016, 01:45:05 pm

I bought a Cotier TV-631W/IP 1.3MP from dealextreme (SKU: 315912). I would not recommend this camera to anyone, but if you want to play with it, here are some things I've learned.
It has telnet enabled and the usual stuff.
However, the root password isn't "xc3511" or "xmhdipc". Bummer.

I managed to dump the firmware using a serial cable attached to the RTG pins on the board. R=Rx, T=Tx and G=ground. By the way, this camera was manufactured 01/2016 according to the label inside it.
It has U-Boot, so you can interrupt boot by pressing any key when prompted.

Code:
PI NOR ID code:0xc2 0x20 0x17
SPI jump setting is 3 bytes mode
Boot image offset: 0x10000. size: 0x50000. Booting Image .....

U-Boot 2013.01 (Jan 04 2016 - 15:55:21)

DRAM:  64 MiB
ROM CODE has enable I cache
SPI mode
SF: Got idcodes
00000000: c2 20 17 c2    . ..
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
flash is 3byte mode
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial

ID: 8136140
AC: 200  HC: 200  P1: 712  P2: 600  P3: 540
C6: 712  DR: 950
J: 237   H1: 237
Net:   GMAC set RMII mode
reset PHY
Warning: eth0 MAC addresses don't match:
Address in SROM is         4b:28:6e:73:62:6f
Address in environment is  00:42:70:00:30:22

mul pin set 0x40000000
gpio clk 0xffedf3fe
gpio dir 0x3040000
gpio out 0x40000
Hit any key to stop autoboot:  0
GM # printenv
bootargs=mem=64M gmmem=23M console=ttyS0,115200 user_debug=31 init=/init mtdparts=nor-flash:64K(nsboot),256K(uboot),2880K(kernel),4224K(app),384K(config),384K(log),-(else) reset=0
bootcmd=sf probe 0:0;run lm;bootm 0x2000000
lm=sf read 0x02000000 z

Environment size: 490/65532 bytes
GM #

Code:
Hit any key to stop autoboot:  0
SF: Got idcodes
00000000: c2 20 17 c2    . ..
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
flash is 3byte mode
## Booting kernel from Legacy Image at 02000000 ...
   Image Name:   gm8136
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2764352 Bytes = 2.6 MiB
   Load Address: 02000000
   Entry Point:  02000040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
: mem=64M gmmem=23M console=ttyS0,115200 user_debug=31 init=/init mtdparts=nor-flash:64K(nsboot),256K(uboot),2880K(kernel),4224K(app),384K(config),384K(log),-(else) reset=0

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0
Linux version 3.3.0 (menghuanhuan@coder-System-Product-Name) (gcc version 4.4.0 20100318 (experimental) (Buildroot 2012.02) ) #553 PREEMPT Tue Sep 29 09:18:49 CST 2015
CPU: FA6 [66056263] revision 3 (ARMv5TE), cr=0000397f
CPU VIPT aliasing data cache, unknown instruction cache
Machine: Grain-Media GM8136 series
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: mem=64M gmmem=23M console=ttyS0,115200 user_debug=31 init=/init mtdparts=nor-flash:64K(nsboot),256K(uboot),2880K(kernel),4224K(app),384K(config),384K(log),-(else) reset=0
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 64MB = 64MB total
Memory: 55928k/55928k available, 9608k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0x84800000 - 0xff000000   (1960 MB)
    lowmem  : 0x80000000 - 0x84000000   (  64 MB)
    modules : 0x7f000000 - 0x80000000   (  16 MB)
      .text : 0x80008000 - 0x80275a70   (2487 kB)
      .init : 0x80276000 - 0x808ac000   (6360 kB)
      .data : 0x808ac000 - 0x808bd920   (  71 kB)
       .bss : 0x808bd944 - 0x808c95b0   (  48 kB)
gm_jiffies_init, system HZ: 100, pClk: 100000000
console [ttyS0] enabled
Calibrating delay loop... 709.42 BogoMIPS (lpj=3547136)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x1daf08 - 0x1daf50
devtmpfs: initialized
FMEM: 5888 pages(0x1700000 bytes) from bank0 are reserved for Frammap.
FMEM: Logical memory ends up at 0x84000000, init_mm:0x80004000(0x4000), PAGE_OFFSET:0x80000000(0x0),
FMEM: FA726 Test and Debug Register: 0x0
NET: Registered protocol family 16
PMU: Mapped at 0xfe000000
IC: GM8135, version: 0x1
iotable: VA: 0xfe000000, PA: 0x90c00000, Length: 4096
iotable: VA: 0xfe001000, PA: 0x90700000, Length: 4096
iotable: VA: 0xfe002000, PA: 0x90800000, Length: 4096
iotable: VA: 0xfe003000, PA: 0x90900000, Length: 4096
iotable: VA: 0xfe004000, PA: 0x90d00000, Length: 4096
iotable: VA: 0xfe005000, PA: 0x96000000, Length: 4096
bio: create slab <bio-0> at 0
Switching to clocksource fttmr010:1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
Video Timer(timer3) Max 42000ms in 0xfa56ea00 HZ.
ftdmac020 ftdmac020.0: DMA engine driver: irq 1, mapped at 0x84804000
GM CPU frequency driver
CPUFREQ support for gm initialized
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 109
io scheduler noop registered
io scheduler deadline registered (default)
gpiochip_add: registered GPIOs 0 to 31 on device: ftgpio010.0
probe ftgpio010.0 OK, at 0x84856000
gpiochip_add: registered GPIOs 32 to 63 on device: ftgpio010.1
probe ftgpio010.1 OK, at 0x84858000
kernel compliation time Sep 29 2015 09:17:19
config gpio i2c encry single
encryption ok
Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xfe001000 (irq = 21) is a 16550A
serial8250: ttyS1 at I/O 0xfe002000 (irq = 22) is a 16550A
serial8250: ttyS2 at I/O 0xfe003000 (irq = 25) is a 16550A
brd: module loaded
loop: module loaded
SPI020 init
SPI020 uses AHB DMA mode
FTSPI020 enable DMA handshake 0x3
SPI020 gets DMA channel 0
ftspi020 ftspi020.0: Faraday FTSPI020 Controller at 0x92300000(0x8485c000) irq 54.
spi spi0.0: setup: bpw 8 mode 0
CLK div field set 1, clock = 30000000Hz
SPI_FLASH spi0.0: MX25L64 (8192 Kbytes)
Warning ============> partition 0 overlap with 1
7 cmdlinepart partitions found on MTD device nor-flash
Creating 7 MTD partitions on "nor-flash":
0x000000000000-0x000000010000 : "nsboot"
0x000000010000-0x000000050000 : "uboot"
0x000000050000-0x000000320000 : "kernel"
0x000000320000-0x000000740000 : "app"
0x000000740000-0x0000007a0000 : "config"
0x0000007a0000-0x000000800000 : "log"
0x000000800000-0x000000800000 : "else"
mtd: partition "else" is out of reach -- disabled
Probe FTSPI020 SPI Controller at 0x92300000 (irq 54)
ftgmac: Loading version 2.0 ...
ftgmac: Tx queue number = 128, Rx queue number = 128
ftgmac100-0-mdio: probed
ftgmac100-0 ftgmac100-0.0: eth0: 1 tx queue used (max: 2)
ftgmac100-0 ftgmac100-0.0: eth0: 1 rx queue used (max: 1)
ftgmac100-0 ftgmac100-0.0: eth0: irq 3, mapped at 8485e000
ftgmac100-0 ftgmac100-0.0: eth0: generated random MAC address 42:ef:98:44:ce:1f
i2c /dev entries driver
ftiic010 ftiic010.0: irq 18, mapped at 84860000
I2C hangs detection thread started!
TCP cubic registered
NET: Registered protocol family 17
Freeing init memory: 6360K
Mounting root fs rw ...
Mounting other filesystems ...
Setting hostname ...
[RCS]: /etc/init.d/S80network

ANTS login: [nsboot]partsize=65536
find partition app index=3 addr=3276800 size=4325376
mount: mounting /dev/mtdblock3 on /update failed: No such device
ifconfig eth0 netmask
HW reset
hwclock: can't open '/dev/misc/rtc': No such file or directory
Starting up asdpd...
asdpd : type=IPC rPort=10000 sPort=10000 services=[I8S;ONVIF;]
start appinstall ..........Thu Jan 1 00:00:03 UTC 1970
start appinstall ..........Thu Jan 1 00:00:03 UTC 1970
find partition config index=4 addr=7602176 size=393216
phy speed is 10, half duplex
HW reset
find partition log index=5 addr=7995392 size=393216
phy speed is 100, full duplex
HW reset
patching started.
rm: can't remove '/root/patch': Read-only file system
patching finished.
before insert modules..........Thu Jan 1 00:00:05 UTC 1970
set mul pin
sensor reg adjust
detect sensor 0x707 0x707
before insmode drv
gmlib cfg ok!
gmlib 720p ok!
./appinstall: line 348: resolution: not found
isp328 day cfg ok!
isp328 night cfg ok!
chipboard id file ok!
enc param ok!
             total         used         free       shared      buffers
Mem:         62288        39292        22996            0          100
-/+ buffers:              39192        23096
Swap:            0            0            0
driver ftgpio compliation time Sep 28 2015 15:21:39
Frammap: DDR0: memory base=0x2000000, memory size=0x1700000, align_size = 4K.
Frammap: version 1.1.2, and the system has 1 DDR.
Frammap: fail to open /mnt/mtd/config_8136, /tmp/template_8136 is created.

and so on

First I tried to change bootargs so that init=/bin/sh, but because of busybox it didn't work (I think).
Since there is no tftp command available, I had to find another way to dump the firmware. As dmesg shows, the partitions span 0x0 to 0x800000.

The way I got it wasn't that elegant, but it did the trick. In U-Boot you can read from flash into memory, and then you can print the memory to the console. I configured the serial session to log printable output.

Code:
sf probe 0:0
sf read 0x0 0x0 0x800000
md.b 0x0 0x800000

Now the log contains the dumped firmware. I removed the unneeded stuff from the start (U-Boot output and commands), leaving only lines like
Code:
00000000: 27 05 19 56 d1 11 37 6d 56 09 e7 02 00 2a 2e 40    '..V..7mV....*.@

This one removes the addresses and the ASCII output:
Code:
cut -d: -f2 serial.log | cut -c 1-49 > parsed.log   # field 2 is the hex bytes; the first 49 chars stop before the ASCII column
And this one converts it to binary form:
Code:
xxd -r -p parsed.log firmware.bin

And here we have firmware.bin (and the partition addresses from dmesg)! As I said, it wasn't a very fancy way, but it did the trick.

I did not manage to open the kernel image yet. I think its initramfs contains /etc and so on. I was interested in /etc/passwd and /etc/shadow.

I extracted the squashfs file system (0x000000320000-0x000000740000). You need to have squashfs-tools compiled with XZ_SUPPORT = 1.
There are scripts like that which run on boot. With commands like cat /etc/passwd and cat /etc/shadow* I was able to find out the hash of the root password.
mksquashfs with the option -comp xz does the trick when packing it again.

Place your modified filesystem in the tftp root, and with U-Boot you download it to the camera's memory

Code:
sf probe 0:0
sf erase 0x320000 0x420000               # erase the whole "app" partition (0x320000-0x740000)
setenv serverip                          # <tftp server address> goes here
tftpboot 0x2000000 modified_squash.bin   # load to 0x2000000, the address bootcmd/lm use on this board
sf write 0x2000000 0x320000 ${filesize}  # ${filesize} is set by tftpboot; the original used the fixed size 0x296000

So here's the /etc/passwd
Code:

And /etc/shadow
Code:

Does anybody know:
What's the password behind that hash?
Is there some other/better firmware available for this device?

How do I unpack the initramfs from the U-Boot image?
Binwalk says:
Code:
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xD111376D, created: 2015-09-29 01:18:58, image size: 2764352 bytes, Data Address: 0x2000000, Entry Point: 0x2000040, data CRC: 0xF1647B7F, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "gm8136"
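The md.b dump-and-convert procedure from the post, done as a script instead of cut/xxd, as an added example that is not part of the original post. Beyond what the cut/xxd pipeline does, it reports address gaps (a dropped or repeated line somewhere in a half-million-line serial capture silently corrupts the image, and xxd -r -p will not notice), expands the mtdparts= string from the printenv output into the same offsets dmesg printed, and parses the uImage header at the start of the kernel partition, checking its header and data CRC32 the way U-Boot's "Verifying Checksum" does. The bootargs and the md.b lines below are constructed from values shown in the post (the header fields are the ones binwalk reported); build_uimage is this example's own mkimage-style helper, not a tool from the page.

```python
#!/usr/bin/env python3
"""Added example, not the poster's script: rebuild a flash image from a
U-Boot `md.b` serial capture, flag dropped or repeated lines, expand the
mtdparts= string from bootargs into offsets, and check a uImage header.
Sample inputs are constructed below."""
import re
import struct
import zlib
from datetime import datetime, timezone

# One md.b line: 8 hex digits, colon, up to 16 hex bytes, then the ASCII column.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{2}){1,16})(?=\s|$)")


def parse_md_log(text, base=0):
    """Return (image, gaps) from a serial log of `md.b <base> <len>`.
    gaps holds (expected, seen) address pairs where a line was dropped or
    repeated; serial captures do that, and such a range must be re-dumped.
    Dropped ranges are filled with 0xff (erased NOR) so offsets stay right."""
    image, gaps, expect = bytearray(), [], base
    for line in text.splitlines():
        m = MD_LINE.match(line.strip())
        if not m:                      # prompt, echoed command, banner
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if addr != expect:
            gaps.append((expect, addr))
            if addr > expect:
                image += b"\xff" * (addr - expect)
            else:                      # repeated line: rewind and overwrite
                del image[addr - base:]
        image += chunk
        expect = addr + len(chunk)
    return bytes(image), gaps


def parse_mtdparts(cmdline, flash_size):
    """Expand mtdparts=<dev>:<size>(<name>),... into [(name, offset, size)].
    Only the size(name) form this camera uses; @offset and ro are ignored."""
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in command line")
    units = {"k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
    parts, offset = [], 0
    for size_s, name in re.findall(r"(\d+[kKmMgG]?|-)\((\w+)\)", m.group(2)):
        if size_s == "-":              # "-" means whatever is left
            size = max(flash_size - offset, 0)
        else:
            size = int(size_s.rstrip("kKmMgG")) * units.get(size_s[-1].lower(), 1)
        parts.append((name, offset, size))
        offset += size
    return parts


IH_MAGIC = 0x27051956   # U-Boot legacy image header magic


def parse_uimage(blob):
    """Parse the 64-byte legacy uImage header and verify header and data CRC32."""
    if len(blob) < 64 or struct.unpack(">I", blob[:4])[0] != IH_MAGIC:
        raise ValueError("not a uImage")
    hcrc, ts, size, load, ep, dcrc, os_, arch, itype, comp = \
        struct.unpack(">IIIIIIBBBB", blob[4:32])
    name = blob[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
    hcrc_ok = zlib.crc32(blob[:4] + b"\0" * 4 + blob[8:64]) == hcrc  # hcrc zeroed
    dcrc_ok = len(blob) >= 64 + size and zlib.crc32(blob[64:64 + size]) == dcrc
    return {"name": name, "size": size, "load": load, "entry": ep,
            "created": datetime.fromtimestamp(ts, timezone.utc),
            "os": os_, "arch": arch, "type": itype, "comp": comp,
            "hcrc_ok": hcrc_ok, "dcrc_ok": dcrc_ok}


def build_uimage(payload, name, load=0x2000000, entry=0x2000040, ts=0):
    """mkimage-style header: OS Linux (5), arch ARM (2), kernel (2), no compression (0)."""
    hdr = struct.pack(">IIIIIIIBBBB32s", IH_MAGIC, 0, ts, len(payload), load,
                      entry, zlib.crc32(payload), 5, 2, 2, 0, name.encode())
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload


# Constructed sample: the camera's bootargs as printed by printenv, and a short
# md.b capture whose first 64 bytes are the kernel uImage header (field values
# as binwalk reported them) with the line at 0x40 deliberately dropped.
BOOTARGS = ("mem=64M gmmem=23M console=ttyS0,115200 user_debug=31 init=/init "
            "mtdparts=nor-flash:64K(nsboot),256K(uboot),2880K(kernel),"
            "4224K(app),384K(config),384K(log),-(else) reset=0")
SAMPLE_MD = """\
GM # md.b 0x0 0x60
00000000: 27 05 19 56 d1 11 37 6d 56 09 e7 02 00 2a 2e 40    '..V..7mV....*.@
00000010: 02 00 00 00 02 00 00 40 f1 64 7b 7f 05 02 02 00    .......@.d{.....
00000020: 67 6d 38 31 33 36 00 00 00 00 00 00 00 00 00 00    gm8136..........
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
GM #
"""

if __name__ == "__main__":
    image, gaps = parse_md_log(SAMPLE_MD)
    print("captured 0x%x bytes, gaps at: %s" % (len(image), [hex(a) for a, _ in gaps]))
    for name, off, size in parse_mtdparts(BOOTARGS, 8 << 20):
        print("%-7s 0x%06x-0x%06x" % (name, off, off + size))
    hdr = parse_uimage(image)
    print(hdr["name"], hdr["size"], hdr["created"], "hcrc_ok=%s" % hdr["hcrc_ok"])
```

On a real capture, run parse_md_log over the whole serial log, re-dump any range it lists under gaps before trusting the image, then slice the image with the offsets from parse_mtdparts (the kernel partition is image[0x50000:0x320000] here) and check the uImage at its start: a False hcrc_ok or dcrc_ok points at a corrupted capture rather than at the flash contents.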

March 28, 2016, 11:13:48 am
root password is 'antslq'.

The U-Boot image is giving me a headache.

Code:
# file kernel.bin
kernel.bin: Linux kernel ARM boot executable zImage (little-endian)
# hexdump kernel.bin |head
0000000 0000 e1a0 0000 e1a0 0000 e1a0 0000 e1a0
0000020 0002 ea00 2818 016f 0000 0000 2e40 002a
0000030 7001 e1a0 8002 e1a0 2000 e10f 0003 e312
0000040 0001 1a00 0017 e3a0 3456 ef12 2000 e10f
0000050 20c0 e382 f002 e121 7004 e51f 02f6 0000
0000060 47c4 e59f 0055 eb00 0f4a e28f 1c4e e890
0000070 d01c e590 0001 e040 6000 e086 a000 e08a
0000080 9000 e5da e001 e5da 940e e189 e002 e5da
0000090 a003 e5da 980e e189 9c0a e189 d000 e08d

That's as far as I can get with the kernel image. What am I missing?
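On getting at the initramfs, as an added example that is not part of either post. The uImage header says compression type "none" and `file` calls the payload a zImage, and the boot log's "Uncompressing Linux... done" is that zImage inflating itself: an ARM zImage is a small decompressor stub followed by a gzip, xz or lzma stream holding vmlinux, and the initramfs is a newc cpio archive (magic "070701") inside that vmlinux. That is why binwalk's top-level listing stops at the uImage header. The script below finds the compressed stream by its magic, accepts a hit only if the decompressor reaches end-of-stream (so stray magic bytes in the stub are rejected), then locates and unpacks the cpio archive; it also copes with the case where the cpio is itself compressed inside vmlinux (CONFIG_INITRAMFS_COMPRESSION) and skips the "070701" literal that the kernel's own initramfs parser carries in .rodata ahead of the real archive. It assumes gzip/xz/lzma and a newc archive, which is what a stock kernel build uses; LZ4/LZO are not handled. The zImage and file contents are constructed in the block, and the shadow line is a placeholder, not the camera's hash.

```python
#!/usr/bin/env python3
"""Added example, not the poster's code: find the compressed vmlinux inside an
ARM zImage, inflate it and unpack the built-in initramfs (newc cpio archive).
The sample zImage is constructed below, not taken from the camera."""
import gzip
import lzma
import struct
import zlib

ZIMAGE_MAGIC = 0x016F2818   # little-endian at offset 0x24 of every ARM zImage
# Stream magics of the kernel's piggy.* payloads (LZ4/LZO are not covered).
STREAMS = [
    (b"\x1f\x8b\x08", lambda: zlib.decompressobj(16 + zlib.MAX_WBITS)),
    (b"\xfd7zXZ\x00", lambda: lzma.LZMADecompressor(lzma.FORMAT_XZ)),
    (b"\x5d\x00\x00", lambda: lzma.LZMADecompressor(lzma.FORMAT_ALONE)),
]


def decompress_embedded(blob):
    """Inflate the largest *complete* stream found at any magic in blob.
    Requiring end-of-stream weeds out false magics in the decompressor stub;
    trailing bytes are ignored, so the zImage need not be trimmed first."""
    best = b""
    for magic, make in STREAMS:
        pos = blob.find(magic)
        while pos >= 0:
            d = make()
            try:
                out = d.decompress(blob[pos:])
                if d.eof and len(out) > len(best):
                    best = out
            except (zlib.error, lzma.LZMAError):
                pass
            pos = blob.find(magic, pos + 1)
    return best


def newc_fields(buf, pos):
    """The 13 hex fields of a newc header at pos (ValueError if not a header)."""
    return [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]


def find_cpio(buf):
    """First "070701" that parses as a header: the kernel's own initramfs
    parser keeps that literal in .rodata, so the first hit is usually not it."""
    pos = buf.find(b"070701")
    while pos >= 0:
        try:
            newc_fields(buf, pos)
            return pos
        except ValueError:
            pos = buf.find(b"070701", pos + 1)
    return -1


def cpio_newc_entries(buf, arc):
    """Yield (name, mode, data) from the newc archive starting at buf[arc:].
    Name and data are each padded to 4 bytes, measured from the archive start."""
    pos = arc
    while buf[pos:pos + 6] == b"070701":
        f = newc_fields(buf, pos)
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        data = arc + ((pos - arc + 110 + namesize + 3) & ~3)
        pos = arc + ((data - arc + size + 3) & ~3)
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[data:data + size]


def extract_initramfs(zimage):
    """zImage -> vmlinux -> {path: bytes} of the embedded initramfs."""
    vmlinux = decompress_embedded(zimage)
    start = find_cpio(vmlinux)
    if start < 0:   # CONFIG_INITRAMFS_COMPRESSION: the cpio is itself compressed
        vmlinux = decompress_embedded(vmlinux)
        start = find_cpio(vmlinux)
    if start < 0:
        raise ValueError("no gzip/xz/lzma stream with a newc cpio inside")
    return {n: d for n, _, d in cpio_newc_entries(vmlinux, start)}


def build_cpio(files):
    """newc archive from [(path, mode, data)]; the layout `cpio -H newc` writes."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(files + [("TRAILER!!!", 0, b"")], 1):
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
        out += b"070701" + "".join("%08x" % v for v in fields).encode() + name.encode() + b"\0"
        out += b"\0" * (-len(out) % 4) + data
        out += b"\0" * (-len(out) % 4)
    return bytes(out)


def build_sample_zimage(vmlinux):
    """Constructed zImage: 8 NOPs, branch, magic, start/end, fake stub, gzip'd vmlinux."""
    body = b"STUB" * 16 + gzip.compress(vmlinux) + b"\0" * 4
    head = b"\x00\x00\xa0\xe1" * 8 + b"\x02\x00\x00\xea"
    return head + struct.pack("<III", ZIMAGE_MAGIC, 0, 0x30 + len(body)) + body


# Constructed sample: the two files the first post was after, behind a decoy
# "070701" literal. The shadow line is a placeholder, not a real hash.
SAMPLE_FILES = [
    ("etc/passwd", 0o100644, b"root:x:0:0:root:/root:/bin/sh\n"),
    ("etc/shadow", 0o100600, b"root:$1$placeholder$notarealhash:0:0:99999:7:::\n"),
]
SAMPLE_VMLINUX = b"\0" * 64 + b"070701" + b"\0" * 10 + build_cpio(SAMPLE_FILES)

if __name__ == "__main__":
    for path, data in extract_initramfs(build_sample_zimage(SAMPLE_VMLINUX)).items():
        print(path, data.decode().rstrip())
```

On the real dump, pass the kernel partition (with or without its 64-byte uImage header, since the stream is found by magic) to extract_initramfs and look for etc/passwd and etc/shadow in the result. The lzma magic is only three bytes, so on a multi-megabyte image it produces many false hits that each cost a failed decode; if that is slow, pass only the bytes after the stub, or drop that entry from STREAMS when the boot log already tells you the kernel is gzip'd. The kernel also accepts several concatenated archives with NUL padding between them; this parser stops at the first TRAILER!!!, so call it again from the next "070701" if a file is missing.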