
Topic: How to unpack .pkg files for H.264 Foscam and Clone Cameras?

August 07, 2012, 12:13:45 PM
Anyone figured it out yet?

If so, how?

Don

August 10, 2012, 03:41:56 PM
If you send me one, I can take a look.

I'm good at that side of things.  See my blog for lots of examples of reverse engineering formats :)

http://www.computersolutions.cn/blog

August 10, 2012, 05:21:13 PM
If you send me one, I can take a look.

I'm good at that side of things.  See my blog for lots of examples of reverse engineering formats :)

http://www.computersolutions.cn/blog

Foscam H.264 FI9820W http://foscam.com/Private/ProductFiles/FI9820W-3.2.6.1.1-20120724.zip

August 11, 2012, 12:11:17 PM
JFFS2 filesystem with a header in front.  This was too easy.

Took a quick look at the file in a hex editor.
Looked extremely like a filesystem, with some header bytes in front.

See attached image for that.

JFFS2 uses
0xe0011985 Linux jffs2 filesystem data little endian (of which our CPU is... little endian byte ordered).

Hexdump of that in text shows :

000000c0  0c 00 00 00 b1 b0 1e e4  85 19 01 e0 2b 00 00 00  |............+...|
000000d0  e6 6e 26 7d 01 00 00 00  00 00 00 00 02 00 00 00  |.n&}............|
000000e0  33 06 12 50 03 04 00 00  14 af 7f 82 ff 83 66 55  |3..P..........fU|
000000f0  62 69 6e ff 85 19 02 e0  44 00 00 00 1d fb f7 98  |bin.....D.......|


So bingo.

0xC8 onwards is a JFFS2 Filesystem. (offset 200).
That's a nice even number too, so it's likely that our header crap is 200 bytes, and I have a winner.

Let's grab that, and try to mount it.

>  dd if=B12FC_V3.2.6.1.1_0724Hd9820P2.pkg bs=1 skip=200 of=jffs2.img

We'll have a jffs2.img file now which nominally should be mountable (may have post-FS crap on the end, but let's see).

Sure, I know the magic bytes are correct, but let's double check -

> file jffs2.img
jffs2.img: Linux jffs2 filesystem data little endian


I now need to skip over to a real OS, as OS X doesn't like too many Filesystems, so we now continue on my NAS.

JFFS2 is a bit of a pain in the ass to mount, as it's a memory block device FS aimed at Flash NAND memory, vs a traditional filesystem.

To mount it we need to blat it into a memory block.

So.. let's get ready.
# modprobe mtd
# modprobe jffs2
# modprobe mtdram total_size=1000000
# modprobe mtdblock
# modprobe mtdchar


Check we have our device now -

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 3d090000 00020000 "mtdram test device"

Let's copy it

# dd if=jffs2.img of=/dev/mtd0
18385+1 records in
18385+1 records out
9413348 bytes (9.4 MB) copied, 0.144445 s, 65.2 MB/s


And now mount it
# mount -t jffs2 /dev/mtdblock0 jffs2

cd jffs2
root@nasty:/nas/Downloads/foscam/jffs2# ls -al
total 41
drwxr-xr-x 23 root     root         0 Jan  1  1970 .
drwxrwxr-x  3 lawrence nasusers     4 Aug 11 17:32 ..
drwxrwxrwx  3 root     root         0 Jul  5 14:58 bin
drwxrwxrwx  8 root     root         0 Jul  5 14:58 boot
drwxrwxrwx  2 root     root         0 Jul  5 14:58 dev
drwxrwxrwx  5 root     root         0 Jul  5 14:58 etc
drwxrwxrwx  3 root     root         0 Jul  5 14:58 exclude.lst
drwxrwxrwx  2 root     root         0 Jul  5 14:58 font
drwxrwxrwx  2 root     root         0 Jul  5 14:58 home
drwxrwxrwx  8 root     root         0 Jul  5 14:58 ipcamera
drwxrwxrwx  7 root     root         0 Jul  5 14:58 komod
drwxrwxrwx  3 root     root         0 Jul  5 14:58 lib
drwxrwxrwx  2 root     root         0 Jul  5 14:58 linuxrc
drwxrwxrwx  3 root     root         0 Jul  5 14:58 mnt
drwxrwxrwx  2 root     root         0 Jul  5 14:58 opt
-rwxrwxrwx  2 root     root      6184 Jul  5 14:58 proc
drwxrwxrwx  2 root     root         0 Jul  5 14:58 root
drwxrwxrwx  2 root     root         0 Jul  5 14:58 sbin
drwxrwxrwx  2 root     root         0 Jul  5 14:58 share
-rwxrwxrwx  2 root     root      8194 Jul  5 14:58 sys
-rwxrwxrwx  2 root     root      9779 Jul  5 14:58 tmp
-rwxrwxrwx  2 root     root     13581 Jul  5 14:58 usr
drwxrwxrwx  3 root     root         0 Jul  5 14:58 var
drwxrwxrwx  2 root     root         0 Jul  5 14:58 wifi


Simple.

Just to check we don't have garbage -

cd bin
file wlanconfig
wlanconfig:   ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped


It's a HI3512 based unit, have the SDK in the file section.
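
An added example, not part of the original post: instead of reading the offset off a hexdump, scan for the JFFS2 magic and accept only a node header whose hdr_crc verifies, so stray 85 19 bytes inside a vendor header are not mistaken for the filesystem start. The node bytes are copied from the hexdump above; the 200-byte header in `sample_pkg` is constructed, and the function names are illustrative.

```python
import struct
import zlib

JFFS2_MAGIC = 0x1985          # on-disk bytes 85 19 when little endian
HDR = struct.Struct("<HHII")  # magic, nodetype, totlen, hdr_crc

def jffs2_crc(data: bytes) -> int:
    """Kernel-style crc32 (seed 0, no final inversion), as JFFS2 stores it."""
    # zlib inverts the CRC on entry and on exit, so undo both.
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def find_jffs2_start(blob: bytes):
    """Offset of the first node header whose hdr_crc checks out, else None."""
    needle = struct.pack("<H", JFFS2_MAGIC)
    pos = blob.find(needle)
    while pos != -1:
        if pos + HDR.size <= len(blob):
            _magic, _ntype, totlen, hdr_crc = HDR.unpack_from(blob, pos)
            # hdr_crc covers the first 8 bytes: magic, nodetype, totlen
            if totlen >= HDR.size and jffs2_crc(blob[pos:pos + 8]) == hdr_crc:
                return pos
        pos = blob.find(needle, pos + 1)
    return None

def carve(blob: bytes) -> bytes:
    """Return everything from the first valid node on (the dd skip= step)."""
    start = find_jffs2_start(blob)
    if start is None:
        raise ValueError("no CRC-valid little-endian JFFS2 node found")
    return blob[start:]

# First node from the hexdump in the post (file offset 0xC8, the "bin" dirent).
NODE_FROM_POST = bytes.fromhex(
    "851901e02b000000e66e267d" "0100000000000000" "02000000" "33061250"
    "03040000" "14af7f82" "ff836655" "62696e")

def sample_pkg() -> bytes:
    # Constructed stand-in for the vendor header: 200 bytes holding a decoy
    # 85 19 header with a zeroed CRC, followed by the node quoted in the post.
    decoy = bytes.fromhex("851901e02b000000") + b"\x00" * 4
    header = (b"\x00" * 16 + decoy).ljust(200, b"\x00")
    return header + NODE_FROM_POST

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pkg()
    print("JFFS2 starts at offset", find_jffs2_start(data))
```

Run with a .pkg path as the only argument to print the offset to pass to dd as skip=; with no argument it runs on the embedded sample.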

August 11, 2012, 12:16:52 PM
Oh, and in future, you may want to add some files to your toolchest.

Binwalk
https://code.google.com/p/binwalk/ is good occasionally, although I haven't used it in ages.

Hexdump - for hex dumps..
eg  hexdump -C  filename | more

strings - for looking for strings in files
eg strings filename


I usually then use a hex viewer, and search for the text strings to see what's around them.


Usually you'll find compressed stuff in firmware files, so looking for PK or the GZip Magic bytes is also useful, as you can often find what you're looking for that way.


Good luck!

August 14, 2012, 11:18:01 PM
Thank you so much!

It's been many years since I have done these things and I am using Windows at the moment. It should be noted that I do have Ubuntu, as dual-boot, but not really a Linux person. I also have access to Linux servers that run web sites, but never played with Linux at this level.

What tool/util/program are you using to do these commands and can the same things be done on Windows based systems?:

>  dd if=B12FC_V3.2.6.1.1_0724Hd9820P2.pkg bs=1 skip=200 of=jffs2.img
#mount -t jffs2  /dev/mtdblock0  jffs2

In other words, do I need to be using only a Linux based system to be able to do all these things and mount as well?

Thanks for all your time on this.

August 15, 2012, 07:50:13 AM
You'll definitely need a unix box of sorts, as not many OS's can mount JFFS2 other than *nix based.

The dd command is just to chop off the first 200 bytes.

dd - http://en.wikipedia.org/wiki/Dd_(Unix)

You can use anything that will do the same thing really.  dd is a bit hacky to be used for that, but it's on every unix box, so..


August 22, 2012, 05:23:51 AM
WONDERFUL !!!

February 01, 2013, 06:07:57 PM
We should skip 188 bytes from the PKG file.
In the 188-byte header, there are 2 jffs2 file systems.

February 01, 2013, 06:13:40 PM
00000000h: 7B 0F C7 3F 61 9F 00 00 00 00 00 00 00 00 00 00 ; {.Ç?aŸ..........

00000010h: 56 31 30 30 52 30 30 33 43 30 31 42 30 34 32 00 ; V100R003C01B042.
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

00000030h: 68 75 61 77 65 69 00 00 00 00 00 00 00 00 00 00 ; huawei..........
00000040h: 00 00 00 00 00 00 00 00 4C 69 6E 75 78 00 00 00 ; ........Linux...
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................

00000060h: 00 00 00 02 1F 1C 00 01 31 2E 33 2E 34 2E 33 00 ; ........1.3.4.3.
(the first 4 bytes, 00 00 00 02 //total jffs2)
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: B0 1A F7 09 FF FF FF FF 00 8E EC D0 00 00 00 04 ; °.÷.ÿÿÿÿ.ŽìÐ....

the first image is 0x8eecd0

00000090h: 96 17 00 02 31 2E 33 2E 34 2E 33 00 FF FF FF FF ; –...1.3.4.3.ÿÿÿÿ
000000a0h: 00 00 00 00 00 1D F7 09 FF FF FF FF 00 00 00 00 ; ......÷.ÿÿÿÿ....
000000b0h: 00 00 00 00 00 00 B6 20 00 00 00 04 85 19 03 20 ; ......¶ ....…..

the second file length is 0xb620 bytes

Then we can use dd to extract the jffs2 files and mount them on our system.

April 04, 2013, 04:52:02 AM
Hi,

I managed to mount the image using admin's tutorial. Thanks!

Hakense, could you please add the commandline commands you entered to split and load these 2 images? (just for the ease and future use)

Also I wonder a few things:
- I saw Telnet was disabled in a few configuration files. How to enable this? Would it work to uncomment the line and then unmount the image and do a file compare? And afterwards hexedit the original image file? Or should I follow another procedure for this?
- How to modify the image? like adding extra modules etc? is there some good information on the net on how to do this?

Thanks for sharing this interesting information!