Author Topic: Yoics / Aversys 9100A IP Cam Sharing Device  (Read 8070 times)

February 17, 2011, 07:55:04 am
Whilst googling for some information, I noticed that there is another device which is exceedingly like ours.

It serves a marginally different purpose, but the hardware is pretty much the same.
It's so similar, in fact, that it looks like the same code is used in both.

The IPCam code is a little more monolithic, but it's obviously the same code base.
I'd guess that their code is older than ours, but it's pretty similar.  I'll be doing a disassembly of some of their binaries later.  I'm interested to see what camera.flat, mctest do with regards to any gpio access.

Let's take a look at the 9100A boot logs

Code: [Select]
W90N740 Boot Loader [ Version 1.1 $Revision: 6 $ ] Rebuilt on Sep 26 2003
Running on a W90N740 Evaluation Board
Board Revision 1.0, W90N740 MCU
Memory Size is 0x800000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2003. All rights reserved.
Boot Loader Configuration:

        TFTP server port    : MAC 1
        Network phy chip    : DAVICOM DM9161E
        MAC 0 Address       : 00:69:70:63:6D:21
        IP 0 Address        : 0.0.0.0
        MAC 1 Address       : 00:91:00:00:63:0E
        IP 1 Address        : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Default baud rate   : -1


For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (clyu2@localhost.localdomain) (gcc version 3.0) #955 Fri Oct 17 16:15:14 CST 2003
Processor: Winbond W90N740 revision 1
Architecture: W90N740
On node 0 totalpages: 2048
zone(0): 0 pages.
zone(1): 2048 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0
Calibrating delay loop... 39.83 BogoMIPS
Memory: 7MB = 7MB total
Memory: 5880KB available (920K code, 192K data, 40K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Winbond W90N740 Serial driver version 0.9 (2001-12-27) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 6) is a W90N740
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0A0000-7F1D9BFF [VIRTUAL 7F0A0000-7F1D9BFF] (RO)
RAMDISK driver initialized: 16 RAM disks of 1024K size 1024 blocksize
loop: loaded (max 8 devices)
The flash size:0x00200000
Boot Loader Configuration:

        TFTP server port    : MAC 1
        Network phy chip    : PHY
        MAC 0 Address       : 00:69:70:63:6d:21
        IP 0 Address        : 0.0.0.0
        MAC 1 Address       : 00:91:00:00:63:0e
        IP 1 Address        : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
01 eth0 initial ok!
which:0
01 eth1 initial ok!
which:1
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
Linux video capture interface: v1.00
Welcome wireless network! :)
GPIO: 50d0
wireless driver reset failed, dfbe
prism: error -5 registering device "wlan0"
AM29LV160DB Flash Detected
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 9
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver W99683
W99683.c: v1.00 for Linux 2.4 : W99683 USB Camera Driver
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
Shell invoked to run file: -t
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc/Html/Reboot
Command: cp /etc/Html/Simple/Reboot.htm /etc/Html/Reboot/Reboot.htm
Command: cp /etc/yoics_img.jpg /usr/yoics0.jpg
Command: cp /etc/yoics_img.jpg /usr/yoics1.jpg
Command: cp /etc/yoics_img.jpg /usr/yoics2.jpg
Command: cp /etc/yoics_img.jpg /usr/yoics3.jpg
Command: ifconfig lo 127.0.0.1
Command: #ifconfig eth1 hw ether 00:1c:2a:42:46:11
Command: ifconfig eth1 up
MiiStationWrite 1
MiiStationWrite 1

Wait for auto-negotiation complete...OK
100MB - Full Duplex
Command: camera.flat&
new USB device :801c7804-15d6c0
hub.c: new USB device 1, assigned address 2
[15]
Command: mctest&
[16]
Command: inetd&
[17]
Command: splitter&
2003/2/1 0:0:0
probing for device..., 0
probe: vendorID: 416, ProductID: 6830
Find W99683 USB Camera
video name: W99683usb
W99683.c: Device registered on minor 0
Total size 5836
Web Camera Version: Nov  5 2004 16:30:04
.
pcConfigParam->CheckSum:81273150
p1[7]:1,j 2,config->bNumInterfaces:3
usbaudio: device 2 audiocontrol interface 1 has 1 input and 0 output AudioStreaming interfaces
usbaudio: valid input sample rate 8000
usbaudio: device 2 interface 2 altsetting 1: format 0x00000010 sratelo 8000 sratehi 8000 attributes 0x00
usbaudio: registered dsp 14,3
usbaudio: no mixer controls found for Terminal 2
usb_audio_parsecontrol: usb_audio_state at 0014e7c0
MCTEST:SendRequest:NetConnect error
MCTEST:SendRequest:NetConnect error
MCTEST:mc_tx_socket:sendto failed -1,errno:19
MCTEST:SendRequest:NetConnect error
MCTEST:SendRequest:NetConnect error
MCTEST:mc_tx_socket:sendto failed -1,errno:19
Initializing eth1...
[18]
Command: yoicsd -f /bin/yoics.txt &
Before execv /bin/dhcpc.
[20]
Command: sh

Sash command shell (version 1.1.1)
/> 9100a Video Server Stream Splitter Startup V0.3 Alpha
--(c)2006 Yoics Inc. All Rights Reserved.
Reboot !!!
Yoics bcaster built Jun  2 2008 at 18:37:24 Now Starting Up
   Beta Version 2.3 - (c)2008 Yoics Inc. All Rights Reserved
   Winbond uClinux ARM Version -port 0 - 0
read conf ar=/bin/yoics.txt
config file /bin/yoics.txt
alloc pool
Computer MAC for eth1 = 00:00:00:91:00:00:63:0e
  Using server  on port 5959
  Using device uid = 00:00:00:91:00:00:63:0e
Port[0]:80
Port[1]:0
Port[2]:0
Start http server at: [/etc/Html]
__pthread_initial_thread_bos:5f0000
manage pid:22
ipsrver to do
open dev/video0 success!
New NtpSetTime, NTP Server: 91.121.121.160
NTPC_Init
Open dev/dsp success!
Prepare Audio Buffer
0x7e 256 16 16 256 129 ( 128 128 128 128 0 ) ver: 507
0 6
Error:  Camera/CameraCtl.c, 178.
Error:  Camera/CameraCtl.c, 178.
pCameraParam->ulImgChannel:103
The camera is W99683usb
Driver.c: mode 1
channel:259,:259
ret:0
Starting up...
-connecting to target..
***..connected socket 3
GetMacAddr.cgi MacAddress = 00:91:00:00:63:0E

-connecting to target..
***..connected socket 3
dumppics
receive read 281 bytes
index is 281
line-16=HTTP/1.0 200 OK
OK
line-36=Date: Sat, 01 Feb 2003 00:00:08 GMT
line-16=Server: WYM/1.0
line-18=Connection: close
line-64=Content-Type: multipart/x-mixed-replace;boundary=WINBONDBOUDARY
boundry found = WINBONDBOUDARY
line-45=Last-Modified: Sat, 01 Feb 2003 00:00:08 GMT
line-17=Pragma: no-cache
line-24=Cache-Control: no-cache
line-34=Expires: 01 Jan 1970 00:00:00 GMT
read 4096
Running at 0FPS
attaching to dest server port 80
config data = |A|F7F48C484524455CC4EF9AE4AD0333E6491D4F14|
Running at 6FPS
Command Processor now active.
server ip a = 64.150.180.158
restart bind our port = 3072, our IP = 192.168.0.101, our socket = 3
server ip a = 64.150.180.157
goto nat check
natcheck rx state = 0 cound 0 size= 6 to 8
redirect
Running at 8FPS

I'll be pulling down a few firmware files from the yoics site and taking a look at them more closely.
From a cursory look, they use the same busybox version as in the BSP.

From the first one I downloaded -
Their rom file doesn't contain binaries though - only the webui.
Contents of that is below:

Code: [Select]
ls -al /mnt/cam -lR
/mnt/cam:
total 4
drwxr-xr-x 1 root root   32 Jan  1  1970 .
drwxr-xr-x 7 root root 4096 Feb 10 23:53 ..
drwxr-xr-x 1 root root   32 Jan  1  1970 etc

/mnt/cam/etc:
total 0
drwxr-xr-x 1 root root   32 Jan  1  1970 .
drwxr-xr-x 1 root root   32 Jan  1  1970 ..
drwxr-xr-x 1 root root   32 Jan  1  1970 Html
-rw-r--r-- 1 root root 1463 Jan  1  1970 WCConfig.ini

/mnt/cam/etc/Html:
total 0
drwxr-xr-x 1 root root     32 Jan  1  1970 .
drwxr-xr-x 1 root root     32 Jan  1  1970 ..
-rw-r--r-- 1 root root   1308 Jan  1  1970 42.gif
-rw-r--r-- 1 root root   1293 Jan  1  1970 43.gif
-rw-r--r-- 1 root root   1787 Jan  1  1970 Add.htm
-rw-r--r-- 1 root root   4370 Jan  1  1970 Audio.htm
-rw-r--r-- 1 root root   2201 Jan  1  1970 channel.htm
-rw-r--r-- 1 root root   4732 Jan  1  1970 CheckUpdate.htm
-rw-r--r-- 1 root root   1634 Jan  1  1970 Config.htm
-rw-r--r-- 1 root root  23321 Jan  1  1970 Control.htm
drwxr-xr-x 1 root root     32 Jan  1  1970 Ctl
-rw-r--r-- 1 root root   2936 Jan  1  1970 DDns.htm
-rw-r--r-- 1 root root   1078 Jan  1  1970 favicon.ico
-rw-r--r-- 1 root root   3936 Jan  1  1970 f.txt
-rw-r--r-- 1 root root   2283 Jan  1  1970 I-cam-9000.jpg
-rw-r--r-- 1 root root   1832 Jan  1  1970 index.htm
-rw-r--r-- 1 root root   3436 Jan  1  1970 Log.htm
-rw-r--r-- 1 root root  10825 Jan  1  1970 Main.htm
-rw-r--r-- 1 root root   7000 Jan  1  1970 Motion.htm
-rw-r--r-- 1 root root  12881 Jan  1  1970 Network.htm
drwxr-xr-x 1 root root     32 Jan  1  1970 Reboot
-rw-r--r-- 1 root root   5397 Jan  1  1970 Reboot.htm
drw-r--r-- 1 root root     32 Jan  1  1970 Simple
-rw-r--r-- 1 root root  13135 Jan  1  1970 System.htm
-rw-r--r-- 1 root root   5120 Jan  1  1970 Thumbs.db
-rw-r--r-- 1 root root   1428 Jan  1  1970 Update.htm
-rw-r--r-- 1 root root   3655 Jan  1  1970 User.htm
-rw-r--r-- 1 root root 166199 Jan  1  1970 WinWebPush.cab
-rw-r--r-- 1 root root   5233 Jan  1  1970 Wireless.htm

/mnt/cam/etc/Html/Ctl:
total 0
drwxr-xr-x 1 root root   32 Jan  1  1970 .
drwxr-xr-x 1 root root   32 Jan  1  1970 ..
-rw-r--r-- 1 root root 5397 Jan  1  1970 Reboot.htm

/mnt/cam/etc/Html/Reboot:
total 0
drwxr-xr-x 1 root root 32 Jan  1  1970 .
drwxr-xr-x 1 root root 32 Jan  1  1970 ..

/mnt/cam/etc/Html/Simple:
total 0
drw-r--r-- 1 root root    32 Jan  1  1970 .
drwxr-xr-x 1 root root    32 Jan  1  1970 ..
-rw-r--r-- 1 root root 39520 Jan  1  1970 core.jar
-rw-r--r-- 1 root root   552 Jan  1  1970 index.htm
-rw-r--r-- 1 root root  1514 Jan  1  1970 top.htm

Their misleadingly named linux.bin file is actually the romfs, although packed with a header.

Code: [Select]
hex linux.bin | more
0x00000000: 42 4e 45 47 01 00 00 00 - 00 00 00 00 00 00 00 00 BNEG............
0x00000010: 00 94 13 00 2d 72 6f 6d - 31 66 73 2d 00 13 92 00 ....-rom1fs-....
0x00000020: 49 90 d5 42 72 6f 6d 20 - 34 36 34 38 62 34 37 61 I..Brom 4648b47a

Has lots of elf binaries in there.

Code: [Select]
hex linux.bin | grep bFLT
0x000000f0: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00009310: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x0000ecb0: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00016e60: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x0001c2f0: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00032250: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00038950: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00042a40: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x000684c0: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 50 ....bFLT.......P
0x00071330: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 50 ....bFLT.......P
0x00077550: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x0007b510: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 40 ....bFLT.......@
0x00102770: 00 00 00 00 62 46 4c 54 - 00 00 00 04 00 00 00 50 ....bFLT.......P

I guess I'll just have to rip off the header 0x0 - 0x14 and write that out to a new file and try to mount it as romfs.

Code: [Select]
dd if=linux.bin of=9100romfs.img bs=1 skip=20

mkdir /mnt/9100
mount -t romfs -o loop 9100romfs.img /mnt/9100

cd /mnt/9100

# ls
bin  dev  etc  proc  swap  usr  var


Not too hard ;)

Let's see what we have in there, shall we?

Code: [Select]
# tree
.
├── bin
│   ├── camera.flat
│   ├── dhcpc
│   ├── dmesg -> ../etc/busybox
│   ├── ifconfig
│   ├── inetd
│   ├── inittab
│   ├── mctest
│   ├── more -> ../etc/busybox
│   ├── mount
│   ├── nc -> ../etc/busybox
│   ├── ping -> ../etc/busybox
│   ├── pppd
│   ├── route
│   ├── sh
│   ├── splitter
│   ├── telnet -> ../etc/busybox
│   ├── telnetd
│   ├── wget -> ../etc/busybox
│   ├── yoicsd
│   └── yoics.txt
├── dev
│   ├── console
│   ├── dsp
│   ├── mtd1
│   ├── mtdblock1
│   ├── ppp
│   ├── ppp1
│   ├── ptyp0
│   ├── ptyp1
│   ├── ptyp2
│   ├── rom1
│   ├── sda
│   ├── sda1
│   ├── ttyp0
│   ├── ttyp1
│   ├── ttyp2
│   ├── ttyS0
│   ├── ttyS1
│   ├── video0
│   └── video1
├── etc
│   ├── busybox
│   ├── Html
│   │   ├── 42.gif
│   │   ├── 43.gif
│   │   ├── about.htm
│   │   ├── Add.htm
│   │   ├── Audio.htm
│   │   ├── channel.htm
│   │   ├── CheckUpdate.htm
│   │   ├── Config.htm
│   │   ├── Control.htm
│   │   ├── Ctl
│   │   │   └── Reboot.htm
│   │   ├── DDns.htm
│   │   ├── favicon.ico
│   │   ├── I-cam-9000.jpg
│   │   ├── images
│   │   │   ├── 1.main-page_02.jpg
│   │   │   ├── 1.main-page_10.jpg
│   │   │   ├── 1.main-page_11.jpg
│   │   │   ├── 1.main-page_13.jpg
│   │   │   ├── 1.main-page_15.jpg
│   │   │   ├── 1.main-page_20.jpg
│   │   │   ├── 1x4_504_06.jpg
│   │   │   ├── 1xright_01.jpg
│   │   │   ├── 1xright_02.jpg
│   │   │   ├── 1xright_04.jpg
│   │   │   ├── 1xright_06.jpg
│   │   │   ├── bg_left.gif
│   │   │   ├── column_left_504_01.jpg
│   │   │   ├── column_left_504_02.jpg
│   │   │   ├── corner1_t_l.jpg
│   │   │   ├── corner1_t_r.jpg
│   │   │   ├── corner_bg_b.gif
│   │   │   ├── corner_bg_l2.gif
│   │   │   ├── corner_bg_r1.gif
│   │   │   ├── corner_b_l.jpg
│   │   │   ├── corner_b_r.jpg
│   │   │   ├── logo_9100.gif
│   │   │   ├── m_0.gif
│   │   │   ├── m_0_HL.gif
│   │   │   ├── m_2.gif
│   │   │   ├── m_2.gif.1
│   │   │   ├── m_2_HL.gif
│   │   │   ├── m_3.gif
│   │   │   ├── m_3_HL.gif
│   │   │   ├── m_4.gif
│   │   │   ├── m_4_HL.gif
│   │   │   ├── mainpage_top_13_b.jpg
│   │   │   ├── m_separ.gif
│   │   │   ├── right.jpg
│   │   │   ├── sm_1.gif
│   │   │   ├── sm_1_HL.gif
│   │   │   ├── sm_3.gif
│   │   │   ├── sm_3_HL.gif
│   │   │   ├── spacer.gif
│   │   │   └── title_bg_1_1.jpg
│   │   ├── index.htm
│   │   ├── index.html
│   │   ├── Log.htm
│   │   ├── Main.htm
│   │   ├── Motion.htm
│   │   ├── Network.htm
│   │   ├── Reboot
│   │   ├── Reboot.htm
│   │   ├── Simple
│   │   │   ├── camera.htm
│   │   │   ├── CheckUpdate.htm
│   │   │   ├── clearyoics.htm
│   │   │   ├── core.jar
│   │   │   ├── DDns.htm
│   │   │   ├── factorydefault.htm
│   │   │   ├── favicon.ico
│   │   │   ├── GPIO.htm
│   │   │   ├── home.htm
│   │   │   ├── home.htm.bak
│   │   │   ├── index.htm
│   │   │   ├── motion.htm
│   │   │   ├── network.htm
│   │   │   ├── Reboot.htm
│   │   │   ├── time.htm
│   │   │   ├── top4Cus.htm
│   │   │   ├── top.htm
│   │   │   ├── Update.htm
│   │   │   ├── users.htm
│   │   │   └── wireless.htm
│   │   ├── System.htm
│   │   ├── test.css
│   │   ├── Update.htm
│   │   ├── User.htm
│   │   ├── usr -> ../../usr
│   │   ├── webcam_default.gif
│   │   ├── webcam.html
│   │   ├── webcam.js
│   │   └── WinWebPush.cab
│   ├── index.htm
│   ├── inetd.conf
│   ├── passwd
│   ├── ppp
│   │   └── pppoe-options
│   ├── services
│   ├── WCConfig.ini
│   └── yoics_img.jpg
├── proc
├── swap
├── usr
└── var
    └── run

#cd bin

#file *

camera.flat: BFLT executable - version 4 ram gzip
dhcpc:       BFLT executable - version 4 ram gzip
dmesg:       symbolic link to `../etc/busybox'
ifconfig:    BFLT executable - version 4 ram gzip
inetd:       BFLT executable - version 4 ram
inittab:     ASCII text, with CRLF line terminators
mctest:      BFLT executable - version 4 ram gzip
more:        symbolic link to `../etc/busybox'
mount:       BFLT executable - version 4 ram gzip
nc:          symbolic link to `../etc/busybox'
ping:        symbolic link to `../etc/busybox'
pppd:        BFLT executable - version 4 ram gzip
route:       BFLT executable - version 4 ram gzip
sh:          BFLT executable - version 4 ram gzip
splitter:    BFLT executable - version 4 ram gzip
telnet:      symbolic link to `../etc/busybox'
telnetd:     BFLT executable - version 4 ram
wget:        symbolic link to `../etc/busybox'
yoicsd:      BFLT executable - version 4 ram gzip
yoics.txt:   ASCII text, with CRLF line terminators


I'm willing to bet that I can get their yoics stuff running without too much hassle on the ipcamera.
I've already sent them an email enquiring about integration, will see what comes of that.

Yoicsd looks like it sets up a tunnel to the yoics server(s) - it tries server1. server2. server3. server4. in series, and then sets up a session after some negotiation.
It then can stream data through to the yoics servers post authentication.

Haven't sniffed the traffic yet though.

Guess I'll take a look at the other binaries first..

Lawrence.
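
The header-stripping step in the post above, as an added example that is not part of the original post or of any Yoics tooling: rather than hard-coding `skip=20`, it searches for the `-rom1fs-` magic, checks the romfs size field and superblock checksum before carving, and lists bFLT version 4 headers the way the `grep bFLT` did. All function names are hypothetical and the sample image is constructed.

```python
import re
import struct

ROMFS_MAGIC = b"-rom1fs-"
BFLT_V4 = b"bFLT\x00\x00\x00\x04"   # magic + big-endian version, as in the hex dump

def romfs_checksum_ok(blob: bytes) -> bool:
    """romfs rule: big-endian 32-bit words of the first 512 bytes sum to 0."""
    n = min(len(blob), 512) & ~3
    return sum(struct.unpack(f">{n // 4}I", blob[:n])) & 0xFFFFFFFF == 0

def carve_romfs(image: bytes):
    """Return (offset, romfs_bytes) for the first superblock that validates."""
    pos = image.find(ROMFS_MAGIC)
    while pos != -1:
        if pos + 32 <= len(image):
            # Superblock: 8-byte magic, 4-byte size, 4-byte checksum, volume name.
            (size,) = struct.unpack_from(">I", image, pos + 8)
            fs = image[pos:pos + size]
            if size >= 32 and len(fs) == size and romfs_checksum_ok(fs):
                # Pad to a 1024-byte multiple (romfs block size) for loop mounting.
                return pos, fs + bytes(-size % 1024)
        pos = image.find(ROMFS_MAGIC, pos + 1)   # stray magic string: keep looking
    raise ValueError("no valid romfs superblock found")

def bflt_offsets(fs: bytes):
    """Offsets of bFLT version 4 headers inside the carved filesystem."""
    return [m.start() for m in re.finditer(re.escape(BFLT_V4), fs)]

def build_sample() -> bytes:
    """Constructed image: 20-byte 'BNEG'-style wrapper + 64-byte romfs stub."""
    body = bytearray(ROMFS_MAGIC + struct.pack(">II", 64, 0)
                     + b"rom sample".ljust(16, b"\0")
                     + BFLT_V4 + bytes(24))
    # Fill in the checksum so the 16 words sum to zero modulo 2**32.
    struct.pack_into(">I", body, 12, -sum(struct.unpack(">16I", body)) & 0xFFFFFFFF)
    return b"BNEG" + bytes(16) + bytes(body)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    off, fs = carve_romfs(data)
    print(f"romfs at 0x{off:x}, {len(fs)} bytes,",
          "bFLT at", [hex(o) for o in bflt_offsets(fs)])
```

Run with a firmware file as the first argument and write `fs` to disk to get the equivalent of `9100romfs.img`; with no argument it runs on the constructed sample.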