News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: GET and POST  (Read 18824 times)

  • *****
July 19, 2011, 08:08:11 pm
I have been experimenting with how to upload the settings data. This is the data starting at 0x7f1f0000. There is a CGI to read it "backup_params.cgi" Inputting on the browser address line "http://url/backup_params.cgi" will prompt to download a file to your local PC. The file is a binary dump of 0x7f1f0000 to 0x7f1f126f. Great - a CGI way to grab the settings!

Uploading the settings back into a camera is a bigger problem, or at least it is for me with my limited understanding of html GET/POST.

There is a CGI for loading the settings into a camera - "restore_params.cgi". It is not implemented in any html files. Hmmm, how to get it to work? I thought about putting the necessary POST html script onto another device, but I realized that the POST script needed to be on the camera - at least I think that it does.

Meanwhile, I took the camera's existing upgrade.html script and modified it to add a third section to select a file and "restore_params.cgi" POST using the exact same code as was used for "upgrade_htmls.cgi" (different cgi, of course). I repacked the webui, uploaded it into the camera and attempted the "restore_params.cgi" POST script. No joy - NOTHING HAPPENED!

Would one of you HTML gurus look at the code below and see what is wrong?

Code: [Select]
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <link rel="stylesheet" href="style.css" type="text/css">
    <title></title>
  </head>
  <body class="bkpadcol2">
    <table class="bkpadcol3" height="100%" width="100%">
      <tbody>
        <tr>
          <td class="v1">
            <table class="v2 f14" width="100%">
              <tbody>
                <tr>
                  <td colspan="2" class="bkpadcol2" height="10"><br>
                  </td>
                </tr>
                <tr>
                  <td colspan="2" height="3" bgcolor="#999999"><br>
                  </td>
                </tr>
                <tr height="25">
                  <td colspan="2" class="h2 bkpadcol2"><strong>
                      <script>document.write(top.str_upgrade_firmware);</script></strong>
                    <br>
                  </td>
                </tr>
                <tr>
                  <td colspan="2" class="bkpadcol2" height="5"> <br>
                  </td>
                </tr>
                <tr>
                  <td colspan="2" height="100%" width="100%">
                    <table class="v2 f14" height="100%" cellspacing="5"
                      width="100%">
                      <tbody>
                        <tr height="25">
                          <td class="mid18" width="40%">&nbsp;&nbsp;
                            <script>document.write(top.str_upgrade_swware);</script></td>
                          <form action="upgrade_firmware.cgi?next_url=reboot.htm"
                            method="post" enctype="multipart/form-data"></form>
                          <td class="mid18"><input name="file" size="20"
                              type="file">&nbsp;&nbsp;<button onclick="top.reboot_seconds=60;form.submit();">
                              <script>document.write(top.str_set);</script></button></td>
                        </tr>
                        <tr height="25">
                          <td class="mid18" width="40%">&nbsp;&nbsp;
                            <script>document.write(top.str_upgrade_awware);</script></td>
                          <form action="upgrade_htmls.cgi?next_url=reboot.htm"
                            method="post" enctype="multipart/form-data"></form>
                          <td class="mid18"><input name="file" size="20"
                              type="file">&nbsp;&nbsp;<button onclick="top.reboot_seconds=60;form.submit();">
                              <script>document.write(top.str_set);</script></button></td>
                        </tr>
                        <tr height="25">
                          <td class="mid18" width="40%">&nbsp;&nbsp;
                            <script>document.write("Upload params");</script></td>
                          <form action="restore_params.cgi?next_url=reboot.htm"
                            method="post" enctype="multipart/form-data"></form>
                          <td class="mid18"><input name="file" size="20"
                              type="file">&nbsp;&nbsp;<button onclick="top.reboot_seconds=60;form.submit();">
                              <script>document.write(top.str_set);</script></button></td>
                        </tr>
                      </tbody>
                    </table>
                  </td>
                </tr>
              </tbody>
            </table>
          </td>
        </tr>
      </tbody>
    </table>
  </body>
</html>

A basic html to do this should be:
Code: [Select]
Content-type:text/html
<html>
<head>
<title>upload params</title>
</head>
<body>
<form action="restore_params.cgi?next_url=index.htm" method="POST" enctype="multipart/form-data">
      <input type="file" name="file" size="20"> </input><br />
      <br />
      <p><input type="submit" name="Submit" value="Submit" /></p>
</body>
</html>

I don't see how I can upload the params without having an html script on the camera that is equipped with "restore_params.cgi". Is there any way to submit a POST from a HTML script that is hosted externally of the camera -or- via the address field - cloaked in some magic?

  • No avatar
  • *****
July 20, 2011, 06:40:31 am
Hi,
maybe two example backup.html from cams webui can be of help?
« Last Edit: July 20, 2011, 06:49:28 am by schufti »

  • *****
July 20, 2011, 08:43:11 am
schufti,

Interesting. After reading your post I examined my foscam folder and see that it contains the backup.htm file within the webui. My problem seems to be that the WansView NC-541W appears to support the restore_params.cgi yet does not have a backup.htm file within its webui.

  • *****
July 20, 2011, 10:06:26 am
I loaded both of the backup.htm into my webui and reloaded it. The text wouldn't display so I edited the strings.js to include the strings and it still wouldn't display the strings. Then I added "<script src="public.js"></script>" just below </head>, just like in "index.htm", yet the text still would not display. I gave up on the text and just tried the functions. They work. I downloaded a params.bin and the uploaded it back into the camera. Ok, so that works - BUT - I have no way to do this on a NC-541W with an original webui that lacks the internal backup.htm.

Is there no way to utilize a cgi that requires POST via external manipulation? Some sort of magic url syntax?

You can see that I am no html coder.

  • *****
July 20, 2011, 10:36:54 am
Also, when I set parameters via set_smarteye.cgi:
Code: [Select]
http://192.168.1.114/set_smarteye.cgi?mid=smarteye&pid=BSeries&se_ddns_svr=www.nwsvr.com&se_ddns_port=80&se_ddns_interval=18000&se_ddns_name=002bxaf.nwsvr.com&se_ddns_user=002bxaf&se_ddns_pwd=82616413&alarm_enabled=0&alarm_port=0&se_ddns_status=1

it replies ok, indicating that the command was accepted, yet when I issue a get_smarteye.cgi to examine the result, there is no change:
Code: [Select]
var mid='';
var pid='';
var se_ddns_svr='';
var se_ddns_port=0;
var se_ddns_interval=0;
var se_ddns_name='';
var se_ddns_user='';
var se_ddns_pwd='';
var alarm_enabled=0;
var alarm_svr='';
var alarm_port=0;
var alarm_user='';
var alarm_pwd='';
var se_ddns_status=2;

So, backup.htm is not implemented in a factory fresh, unmodified camera and the set_smarteye.cgi doesn't seem to work properly.

  • No avatar
  • *****
July 20, 2011, 03:45:47 pm
Hi,
so best thing would be modifying your webui to include a backup.html

depending on the level of perfection you want to achieve you may try to even get it in the settings page or just as "hidden" page.

  • *****
July 20, 2011, 04:04:51 pm
Not the best thing, but apparently the only thing. The best thing would be to be able to load params.bin without modifying the webui.

  • No avatar
  • *****
July 21, 2011, 04:40:46 am
I doubt smarteye.cgi supporting set_ddns. If you look at the ddns.htm you'll see that they are using set_ddns.cgi for setting ddns parameters ...

If you are brave, you may try my modified webui for your cam.
I additionaly enabled some "disabled" admin functions (alias, setother, decoder, user), too.
Don't know if they are needed or superfluous.

upload of settings might work like this ...
Code: [Select]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>upload params</title>
<base target="_top" href="http://192.168.1.114/">
</head>
<body>
<form action="restore_params.cgi?next_url=index.htm?user=root?pwd=secret" method="post" enctype="multipart/form-data">
<input type="file" name="file" size="20">&nbsp;<input type="submit" value="upload">
</form>
</body>
</html>

(replace root/secret by your admin/password combination)
« Last Edit: July 21, 2011, 05:49:46 am by schufti »

  • *****
August 02, 2011, 03:36:39 pm
schufti,

I loaded your webui.bin and had the same results as with what I created, namely it fails to do what I want. I did a backup of the current camera. Then, with a hex editor, I added in the factory ddns info (www.nwsvr.com, etc.). Nothing else was changed. The filesize remained the same. Restoring the modified file is rejected. Reloading the saved file is accepted. Any ideas?

Look at the attachment to this post.

celem

  • No avatar
  • *****
August 02, 2011, 05:14:28 pm
Hi,

did call the backup/restore page directly via url or navigate to it via the menu structure of the webui?
are the mentioned new menupoints visible? do they show correct strings?

maybe they do some sort of CRC check on the settings file.
To verify this assumption you should make a backup, change just one detail in the settings (e.g. ntpserver) via the webui, make a new backup and see if more than the ntpserver name changed.

  • *****
August 02, 2011, 05:19:42 pm
Ok, I didn't notice that you had added links in the "Maintain" page. When I access that way the strings populate correctly. I also see the other settings that you added - nice!

  • *****
August 02, 2011, 05:29:30 pm
I downloaded a params.bin file and then I changed only one byte (the last character of the alias), then downloaded another params.bin file. Next i did a hex dump of each and compared them. More than one byte changed! You may be on to something!

-----
ecomer@pennyroyal:~/Downloads$ hd params.bin >1
ecomer@pennyroyal:~/Downloads$ hd params2.bin >2
ecomer@pennyroyal:~/Downloads$ diff 1 2
1c1
< 00000000  bd 9a 0c 44 04 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
---
> 00000000  bd 9a 0c 44 00 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
3c3
< 00000020  12 30 30 32 62 78 61 66  00 00 00 00 00 00 00 00  |.002bxaf........|
---
> 00000020  12 30 30 32 62 78 61 61  00 00 00 00 00 00 00 00  |.002bxaa........|
ecomer@pennyroyal:~/Downloads$ hd -n 256 params.bin
00000000  bd 9a 0c 44 04 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
00000010  30 30 30 30 36 38 44 32  00 15 16 02 24 00 00 04  |000068D2....$...|
00000020  12 30 30 32 62 78 61 66  00 00 00 00 00 00 00 00  |.002bxaf........|
...

ecomer@pennyroyal:~/Downloads$ hd -n 256 params2.bin
00000000  bd 9a 0c 44 00 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
00000010  30 30 30 30 36 38 44 32  00 15 16 02 24 00 00 04  |000068D2....$...|
00000020  12 30 30 32 62 78 61 61  00 00 00 00 00 00 00 00  |.002bxaa........|
---

Plus, looking at Lawrence's dissassembly of 'camera' and see:


005da4:  e59f0d88   ldr   r0, [pc, #3464] ; [006b34]   "factory params zone checksum uncorrect!"


« Last Edit: August 02, 2011, 06:27:14 pm by celem »

  • *****
August 02, 2011, 06:36:00 pm
BINGO! - Yes a checksum. I used the foscam checksum tool, figuring that the same logic would be used, and I have a match!

the original params.bin:
00000000  bd 9a 0c 44 04 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
00000010  30 30 30 30 36 38 44 32  00 15 16 02 24 00 00 04  |000068D2....$...|

checksum output:
ecomer@pennyroyal:~/Downloads$ ./checksum params.bin
firmware:    params.bin
header:    0x440c9abd
size:       0x000014e8
version:    0x38423030
old checksum:    0x00003c04
new checksum:    0x00003c05

the modified params.bin:
00000000  bd 9a 0c 44 00 3c 00 00  e8 14 00 00 30 30 42 38  |...D.<......00B8|
00000010  30 30 30 30 36 38 44 32  00 15 16 02 24 00 00 04  |000068D2....$...|

checksum output:
ecomer@pennyroyal:~/Downloads$ ./checksum params2.bin
firmware:    params2.bin
header:    0x440c9abd
size:       0x000014e8
version:    0x38423030
old checksum:    0x00003c00
new checksum:    0x00003c00



  • No avatar
  • *****
August 04, 2011, 12:47:50 pm
Hi,
I hacked a new "checksum" function in the w_fostarn.exe.
It calculates the new checksum and writes it to the file.

it's use: "w_fostarn.exe -s parameters.bin"
« Last Edit: August 04, 2011, 01:43:01 pm by schufti »

  • *****
August 04, 2011, 01:10:37 pm
I don't use Windows - will you share the source?