For most firmware recovery, we'll need to solder in a serial connection.
This isn't too hard, its only 4 connectors.
Locate J2 on the underside of the camera motherboard, and solder in 4 connectors.
Flip the board over again and plug in 4 cables to those 4 connectors.
You'll see that pin 4 says 3.3v next to it, and pin 1 says RX next to it so you can easily work out which pins are which.
Plug in your rs232-> ttl adaptor as follows.
Board # -> rs232/ttl adaptor.
1 -> RX
2 -> TX
3 -> GND
4 -> VCC
One you have that, we can open up a terminal application (Putty is good, and is available on most operating systems).
Open up Putty, and set it to look for the serial port you are using.
Power up the camera, and you should see some text whiz by. If so, all good, proceed to step 2.Step #2
Download Kermit or CKermit as applicable for your OS - http://www.columbia.edu/kermit/k95.html
Download the kermit capture script attached to this post in the larger of the 2 zip files(capcam.kds)
Download Jedit http://www.jedit.org/
Download the Jedit script attached to this post in the larger of the 2 zip files (editcapture.bsh)
Then follow the instructions below:
Restoring a 541CPU.pcb Foscam clone camera.
Lloyd E. Sponenburgh 11/19/2010
Use the Serial port at 115200,8,N,1 and Xmodem CRC protocol.
We'll need a good camera to work from, so dig out the spare camera you have. You do have one right?
Stop the camera at the bootloader, and list the rom files.
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 0E:F2:B3:DC:0C:EF
IP Address : 192.168.0.99
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : 115200
USB Interface : Enabled
Serial Number : 0xFFFFFFFF
For help on the available commands type 'h'
Press ESC to enter debug mode
bootloader > ls -al
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -f
Image: 7 name:linux base:0x7F020000 size:0x000BF700 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008FF80 exec:0x7F0E0000 -a
Image: 8 name:webui base:0x7F180000 size:0x0006F700 exec:0x7F180000 -a
You should see something similar to the above.
We're going to save the linux kernel, the romfs, and optionally the webui if you have one. Don't worry if you don't have one, its not essential.
Write down the image sizes for each image (except image 0, as thats for the bootloader configuration), convert to decimal, and divide by 256. You can do this easily in most calculator apps.
Lets try this with our linux kernel image.
Says the size is 0x00BF700
BF700 in decimal is 784,128.
784,128 / 256 = 3063
We need this for dumping the files from the rom. Why 256? As the bootloader allows us to dump the rom in 256 byte groups.
If the division results in a fraction, round up to the next whole integer.
Eg if you get 254.5, round up to 255
Repeat this for all the files you want to save.
You should now have 2 or 3 sets of figures.
Press enter a few times to make sure that the bootloader has nothing in it, close Putty, and open up Kermit
Press Alt-X in Kermit to take you to the Kermit command window. Do a “take capcam.kds” to load the capture script.
We're now going to start capturing.
You should have the list of files handy, and your filesizes/256 handy.
Our linux file above looks like this
linux base:0x7F020000 size:0x000BF700 / filesize 3063
We're going to call the capcam script as follows.
capcam BASE SIZE IN PAGES OUTPUTFILE
For our linux file, this will look something like this:
“capcam 0x7f020000 3063 kernel.txt”
You'll see kermit ask for 3063 pages of rom dump, and then stop.
It might take a while!
Repeat the process for any other images you want.
romfs base 0x7f0e0000 size: 0x8FF80 / filesize 2304 (rounded up as its not an even number)
"capcam 0x7F0E0000 2304 romfs.txt"
Once you've saved your images, close Kermit, and open Jedit.
Open up on of the saved rom files, and take a quick page through in Jedit.
You should see pages and pages of something similar to the following:
Displaying memory at 0x400
 A5810004 B3E00000 - A3A00000 E49DF004 ................
 E52DE004 EBFFFFD3 - E3500000 A59F156C ..-.......P.l...
 A3A00980 A5810004 - B3E00000 A3A00000 ................
 E49DF004 E52DE004 - EBFFFFCA E3500000 ......-.......P.
 A59F1548 A3A00840 - A5810004 B3E00000 H...@...........
 A3A00000 E49DF004 - E2800481 E3C00480 ................
 E35009FC 33A00B40 - 31A0F00E E59F151C ..P.@..3...1....
 E5911004 E1500001 - 23A00000 33A00D80 ......P....#...3
 E1A0F00E E2800481 - E3C00480 E3500B40 ............@.P.
 33A00D80 31A0F00E - E59F14F0 E5911004 ...3...1........
[000004A0] E1500001 23A00000 - 33A00B40 E1A0F00E ..P....#@..3....
[000004B0] E2800481 E3C00480 - E3500B40 33A00D80 ........@.P....3
[000004C0] 31A0F00E E59F14C4 - E5911004 E1500001 ...1..........P.
[000004D0] 23A00000 33A00B40 - E1A0F00E E2800481 ...#@..3........
[000004E0] E3C00480 E350097C - 33A00B40 31A0F00E ....|.P.@..3...1
[000004F0] E3500980 23A00000 - 33A00D80 E1A0F00E ..P....#...3....
If so, all good, and we're ready to start.
Make sure that the first line of text in the file starts with the lines of hex.
If there is a blank line or two, remove it and make sure that it starts from the hex dump text.
Also make sure that the cursor is placed on the first character in the file before continuing.
Open up the Macro menu, and run the editcapture.bsh macro (downloaded from the link above)
It should go through the file, and parse it out to a list of hex, 16 bytes per line.
Page through the file again, and make sure it looks ok.
There should be nothing in the file except line after line of 16 hex values space separated similar to the below
E3 50 09 80 23 A0 00 00 33 A0 0D 80 E1 A0 F0 0E
Make sure any blank lines are removed from the top or bottom of the file (if there are any).
Save this new file as [some filename].hex
eg linux.hex or romfs.hex as appropriate.
Don't give up, we're almost done!
Our last step is to convert the hexdump back into a binary file.
We can use a Hex -> Binary converter from here for that http://sites.google.com/site/bindeshkumarsingh/apps/win/Hex-Bin_interconverter.zip
(I've also attached it to this post).
Run the hexbin program with each file, and generate your binary image.
Repeat for each file you need converted.
Good, now you can upload the files to the board so we can share with others
I've attached Lloyd's writeup and binaries from his camera to this post also (misleadingly called 541cpu foscam clone recovery - foscam doesn't make cameras, so its hard to have any clones...).
Thanks to Lloyd for allowing us to redistribute this.