
Topic: Foscam 9820 CLONE firmware. Help me ID .pk2 file?

August 29, 2012, 11:24:44 am
Hi,
 I'm hoping to extract (and change) the web UI on this Foscam FI9820W clone I got; however, unlike the standard Foscam firmware, the firmware for this thing is a .pk2 file. It looks like it might be some sort of file system or compressed (zip) file, but I have been unsuccessful in mounting or opening it. The only info I can find online points to a Chinese MMO from several years ago, which I don't think is related.

Anyone have any ideas? The file is too large for attachment, so I've put it up at this link (zipped):
http://23.21.200.172/gm8126_k120403.zip

Thanks!

November 10, 2012, 09:26:56 pm

I just bought a Tenvis IPRobot3, which is also based on the GM8126 (you can find this information in the Setup > System > System Status page, where it says Hardware Ver. GM8126) for which you can find extensive doc and SDK here:
http://www.openipcam.com/files/ARM9/GM8126/

The first thing to try was to read the docs and see how the firmware is packaged with the SDK... and no luck there, it doesn't look like the IPCam makers followed the SDK way of building/packaging the firmware (nsboot, burnin, u-boot, linux in binary format).

So what do we have here...
# ./extract-ng.sh gm8126-tenvis-1.1.6.2.2012-11-08.pk2
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
...
Scanning firmware...
...
*ERROR: No supported file system found! Aborting...*

This is not going to be straightforward...

# hexdump -C gm8126-tenvis-1.1.6.2.2012-11-08.pk2
00000000  50 4b 32 00 be 1f 00 00  2d 3e 9b 50 00 00 00 00  |PK2.....->.P....|
00000010  00 00 00 00 00 00 00 00  06 00 00 00 46 49 4c 45  |............FILE|
00000020  50 c4 cb d6 09 d0 04 a1  1c cc 46 c5 20 ee e0 69  |P.........F. ..i|
00000030  d9 1a 00 00 17 00 00 00  2f 6d 6e 74 2f 6d 74 64  |......../mnt/mtd|
00000040  2f 67 6d 64 76 72 5f 6d  65 6d 2e 63 66 67 00 ba  |/gmdvr_mem.cfg..|
00000050  1a 00 00 fa e7 52 0a ec  25 2a 25 d1 de 04 58 93  |.....R..%*%...X.|

Let's see if "FILE" is a keyword or a delimiter we can find elsewhere in the file...
# xxd -c 256 gm8126-tenvis-1.1.6.2.2012-11-08.pk2 | grep -A1 FILE
...FILEP.........F. ..i......../mnt/mtd/gmdvr_mem.cfg...
.\..FILE.&._....S.R............./mnt/mtd/boot.sh....
....rFILE..z....'..`Z...v.m....../mnt/mtd/isp_ov9710.cfg...
...AFILE..6;C..9.~io..]...d...../dev/mtdblock0...
....$xFILE.v.....,.l%'a.*.0......./mnt/mtd/html.tgz...

Bingo...

So now we know the CMOS is an OV9710:
http://www.ovt.com/products/sensor.php?id=42

Let's try to split the files...
00000040  2f 67 6d 64 76 72 5f 6d  65 6d 2e 63 66 67 00 ba  |/gmdvr_mem.cfg..|
00000050  1a 00 00 fa e7 52 0a ec  25 2a 25 d1 de 04 58 93  |.....R..%*%...X.|
So after the cfg "63 66 67", we have a null byte "00", then 2 bytes and then again two null bytes.

Do we have this pattern later?
00001b20  ee b5 08 00 00 11 00 00  00 2f 6d 6e 74 2f 6d 74  |........./mnt/mt|
00001b30  64 2f 62 6f 6f 74 2e 73  68 00 9c 08 00 00 8e f0  |d/boot.sh.......|
Yes... but after the "00 00", there is no common header... so this is where it is going to start to be tricky.

Let's try to split the file:
# dd bs=1 skip=83 count=6842 if=gm8126-tenvis-1.1.6.2.2012-11-08.pk2 of=test.end && hexdump -C test.end
00000000  fa e7 52 0a ec 25 2a 25  d1 de 04 58 93 61 63 76  |..R..%*%...X.acv|
00000010  81 a3 04 58 93 61 63 76  81 a3 04 58 93 61 49 3a  |...X.acv...X.aI:|
00000020  c2 e7 7b 0b da 3b 26 76  81 a3 04 58 93 61 63 76  |..{..;&v...X.acv|
00000030  81 a3 04 45 93 77 72 62  95 b3 14 72 df 22 27 09  |...E.wrb...r."'.|
...

test.end should now contain the content of gmdvr_mem.cfg

We have some kind of alignment there which sounds good...

# xxd -c8 test.end | awk '{ print $6 }' | sort | uniq -c | sort -rn | head -20
     47 ...X.acv
     17 ...[.b`u
     13 ..A...,#
     12 ..J...6"
      9 ...X.|cf
      9 ..Q....7
      9 ..@..acv
      7 ...X.a~v
      7 ..{..;&v
      7 ..{..5r.
      6 ...X.asv
      6 ...X.ack
      6 ...X.ac\
      6 ...H.acv
...

This must be some kind of compression, because of the dictionary...

The content of a sample gmdvr_mem.cfg file is available in the SDK:
http://www.openipcam.com/files/ARM9/GM8126/GM8126%20v1.1/Embedded_Linux/source/arm-linux-2.6.28.tgz
(in arm-linux-2.6.28/module/dvr/gmdvr_mem.cfg)

# cat /usr/local/src/GM8126/GM8126_SDK-V1.1/Embedded_Linux/source/arm-linux-2.6.28/target/rootfs-cpio/product/IPC-720P/memory/gmdvr_mem.cfg | sed 's/_/\n/g' | sort | uniq -c | sort -rn | head -20
    105 enc
     54 max
     33 out3
     33 out2
     33 out1
     33 out0
     27
     20 sub2
     20 sub1
     20 scl2
     20 scl1
     20 scl0
     18 out
...

That's it for now... more to come later.


November 10, 2012, 09:32:39 pm

Btw, the Tenvis firmware I used is this one:
http://apps.tenvis.com/Download/iprobot3/1.1.6.2_1108.zip

It's been officially published by Tenvis on this page:
http://forum.tenvis.com/forum-viewthread-tid-485-highlight-firmware.html


April 15, 2013, 12:30:44 am
Has anyone been able to split the files in the 1.1.6.2 firmware? If someone could help, that would be great.

I found that J9 on the main board is the serial console and with a USB to 3.3v TTL converter, it works great. The baud rate is 38400 n81 no handshaking and the pin order is 3.3v, gnd, rx, tx on the pcb (do not connect 3.3v and swap TX/RX from the converter). They are using U-Boot as the bootloader. With HyperTerminal you can watch the Linux boot log of the camera as it loads or hit ESC in the first 2 seconds to get into U-Boot. U-Boot has a lot of commands. Currently I am getting an error when I try to access the flash with "sf probe 0.0".

July 15, 2013, 11:51:40 pm
This pk2 file is a set of files. I've written a simple unpacker, but it currently gets stuck on one file where it finds a CMD instead of the FILE signature. Still looking at it. Given the repetitive nature of the scrambled data, I thought it might be an XOR based encryption; I used a tool here: https://github.com/hellman/xortool.git to guess the 8 byte encryption key. The tools I'm working with are here: https://github.com/karcaw/ipr3tools.git if you want to take a look, or help out. Each file seems to need a different encryption key, and I have not found all of the keys yet.

July 25, 2013, 03:10:33 am
Similar matter has already been discussed at yahoo answers. I can post the link if needed

July 25, 2013, 05:57:01 pm
Please post the link

October 02, 2013, 07:20:49 pm
Here is how to fully decrypt the firmware 8):

1 - Get pk2unpack from here https://github.com/karcaw/ipr3tools
    and launch: pk2unpack my_firmware.pk2
    This will create a set of files that are encrypted.

2 - Launch the following PHP script against your encrypted files (it's indeed an 8-byte XOR, but the key is the same for all files and probably all firmware versions). The Python XOR script didn't work out for me, since I'm still using Python 2.4 which doesn't have bytearray.
    This will decrypt the files unpacked earlier.

# php unxor-pk2.php gmdvr_mem.cfg
... and there you go.
with xor_conv (from ipr3tools), that would probably be something like:
# python xor_conv gmdvr_mem.cfg A1832478B3414356

<?php
// unxor-pk2.php: decrypt one file produced by pk2unpack.
// Every file is XORed with the repeating 8-byte key A1 83 24 78 B3 41 43 56.
$key = pack("H*", "A1832478B3414356");

$fp = fopen($_SERVER["argv"][1], "rb");
if ($fp === false) {
    fwrite(STDERR, "cannot open " . $_SERVER["argv"][1] . "\n");
    exit(1);
}

// Compare against false/"" explicitly: a final chunk consisting of the
// single byte "0" is falsy in PHP and would otherwise end the loop early.
while (($b = fread($fp, 8)) !== false && $b !== "") {
    // XOR each byte of the chunk with the key byte at the same position;
    // the last chunk may be shorter than 8 bytes, so iterate over strlen.
    $n = strlen($b);
    for ($i = 0; $i < $n; $i++) {
        echo $b[$i] ^ $key[$i];
    }
}

fclose($fp);
?>
« Last Edit: November 04, 2013, 08:36:21 pm by RIP »
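The same two steps (split the FILE records out of the .pk2 container, then undo the 8-byte XOR) as one stand-alone Python script, added here as an illustration; it is not part of ipr3tools or any poster's code. The record layout is inferred from the hexdumps earlier in the thread (FILE tag, 16 unknown bytes, little-endian record length, name length, NUL-terminated path, data length, data) and is an assumption; the sample image it parses is constructed inline.

```python
import struct

# Repeating 8-byte XOR key reported in the thread: A1 83 24 78 B3 41 43 56
XOR_KEY = bytes.fromhex("A1832478B3414356")

def unxor(data: bytes) -> bytes:
    """XOR every byte with the key byte at (offset mod 8); encrypts and decrypts alike."""
    return bytes(b ^ XOR_KEY[i % 8] for i, b in enumerate(data))

def parse_pk2(blob: bytes) -> list:
    """Walk the FILE records of a .pk2 image and return (path, decrypted data) pairs.

    Layout assumed from the hexdumps in the thread:
      b"FILE" | 16 bytes (digest?) | u32 LE record length | u32 LE name length
      | NUL-terminated path | u32 LE data length | XOR-encrypted data
    The record length covers both length fields, the name and the data
    (in the dump: 0x1ad9 = 6873 = 8 + 23 + 6842). Records with another
    tag (e.g. CMD) are skipped by searching for the next FILE tag.
    """
    entries = []
    pos = blob.find(b"FILE")
    while pos != -1:
        hdr = pos + 4 + 16
        rec_len, name_len = struct.unpack_from("<II", blob, hdr)
        name = blob[hdr + 8 : hdr + 8 + name_len].rstrip(b"\0").decode()
        data_off = hdr + 8 + name_len
        (data_len,) = struct.unpack_from("<I", blob, data_off)
        if rec_len != 8 + name_len + data_len:
            raise ValueError(f"inconsistent lengths in record for {name}")
        data = blob[data_off + 4 : data_off + 4 + data_len]
        entries.append((name, unxor(data)))
        pos = blob.find(b"FILE", data_off + 4 + data_len)
    return entries

def build_record(path: str, plain: bytes) -> bytes:
    """Build one FILE record for the constructed sample (digest left as zeros)."""
    name = path.encode() + b"\0"
    body = (struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(plain)) + unxor(plain))
    return b"FILE" + bytes(16) + struct.pack("<I", len(body)) + body

# Constructed sample image: 28-byte header, two FILE records, one unknown record.
SAMPLE_PK2 = (b"PK2\0" + bytes(24)
              + build_record("/mnt/mtd/gmdvr_mem.cfg", b"enc_max=3\nout0_max=1\n")
              + b"CMD\0" + bytes(12)
              + build_record("/mnt/mtd/boot.sh", b"#!/bin/sh\necho boot\n"))

if __name__ == "__main__":
    for path, content in parse_pk2(SAMPLE_PK2):
        print(path, len(content), content[:20])
```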

October 29, 2013, 12:49:26 am
Great work RIP and karcaw! Is there any way someone could extract the files in any of the iprobot3 firmwares and send them to me?
Thanks,
Robo

November 04, 2013, 08:39:14 pm

I just edited my post a bit so that you can understand that you can do it all by yourself :)

Even on Windows with Cygwin, or even with the native Windows versions of Python and PHP.


January 02, 2014, 05:41:19 pm
Hi,

I wrote a firmware un- and repacker for the PK2 files.
It also shows you the commands and lets you add your own.
Usage and compilation is documented in the header.
http://dose.0wnz.at/ipcams/tenvis_pack.c
I haven't tested repacked images yet. If you have questions, just ask.

Regards,
leecher

January 06, 2014, 04:18:08 am
Hi,

I wrote a firmware un- and repacker for the PK2 files.

Regards,
leecher

Thanks leecher, this might do the trick to bring my Iprobot3 back to life. Just waiting for the converter to turn up.