Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Author Topic: Broken Hootoo WLAN IP Webcam  (Read 24413 times)

April 23, 2013, 03:35:14 am
Hello !
I have a broken HooToo Pan&Tilt WLAN Webcam.
Flashed a wrong Firmware.
I dont know if it is an original.
I have managed to access the Bootloader via Serial Console and tried a lot of different Firmwares (HooToo, WansView, etc...)
But i always get the write i2c error.
Maybe someone has an Idea.
see Attatchments !
« Last Edit: April 23, 2013, 03:39:23 am by hollari »

  • No avatar
  • *****
April 23, 2013, 05:40:09 am
HooToo isn't a manufacturer, they are most probably made by apexis.
For the problems, they are approximately the same as I experienced with my Hootoo cam.
At the end it wasn't woring any longer with "compatible" firmware. It worked somehow with a full rom-dump from the original, but only barely - rebooting several times a day ... so luckily for me it was only two month after purchase and I returned it for full refund...

I can send you a full rom dump if you are brave enough to try - you should at least remove the bootloader

April 23, 2013, 02:44:28 pm
I dont have that luck; i bought it over 1 year ago and wanted it to use now.

Anyway if you can provide me a full flash dump, that would be very fine.
(The Camera is useless now anyway)

I have now managed to access the camera via RS232 (MAX232 circuit that i use for many other Units too).
But i have no idea how to access it via JTAG.

In my Oppinion the Bootloader is full intakt, so if you provide me the full Flash Dump, i will try to split it into the required images and flash them via RS232 in the first step.
If this fails, maybe there is some other (inexpensive) way to flash the whole image.
(I know the JTAG Pins, they connected with some SMD resistors, but no idea if i can gain JTAG Access via som Parallel Port of a computer or simmilar)

Br, Sigi
« Last Edit: April 23, 2013, 03:07:43 pm by hollari »

  • No avatar
  • *****
April 27, 2013, 01:00:05 pm
yes you bl looks ok. It would CRC on you otherwise.
The first 0x10000h bytes are the bl, so cut them. (maybe you could cut from 0x2B0000h to save time)
then flash the remaining part as image 0 (fx 0 rom.bin 0x7f010000 0x7f010000 -nofooter) option. after the flash there should again exist all "partitions" although you flashed "none"...
« Last Edit: April 30, 2013, 08:37:32 am by schufti »

April 29, 2013, 04:37:51 am
Hi !
I have now flashed the full-dump into the Camera.
(cut 0x10000 bytes from the beginning; it looks like the bootloader cannot overwrite itself)
But i have the same problem :
 I2C Error
and so on...

Should i really try to overwrite the bootloader via JTAG ?
Can this have anything todo with the I2C bus ?
Or does the camera have a physical defect ?

April 29, 2013, 11:08:05 am
If everything else fails :
Does somebody have a self compiled uCLinux for this Processor, that does not automatically reboot when some hardware cannot be accesses ?
Maybe my camera doesnt have an I2C bus ?!?
Maybe with Telnet and Busybox included ?
Propably even with a writeable Filesystem (jffs) like OpenWRT ?

  • **
April 29, 2013, 04:31:24 pm
I'm working on this at the moment - I am hoping to add support for many of these cameras to OpenWRT so you can just install it on your camera like you can on so many routers.

You don't say which messages you are seeing, so if you are able to boot the Linux kernel then reflashing a new bootloader won't help.  Reflashing the bootloader is generally a very bad idea because it is tied so closely to your specific board.  A different bootloader may not have drivers for your flash chip or other devices and may therefore not boot at all.

Most of the cameras seem to reboot if the webcam isn't working as a reliability measure.  Have you made sure all the connections inside the camera are secure?  No loose plugs etc?

April 30, 2013, 02:35:05 am
I am getting this I2C wirte errors again. (Like i wrote in my first post on this thread)

Attatched to this post you can find another logfile that was created now with another (wholeflash-except-bootloader) firmware I have found on the internet.

I guess you are right, the bootloader should not be changed.
You said, you are working on OpenWRT for such cameras ?
Do you have a (beta-) Version that i could test ?
I would be lucky to have a working device that can do more than load the bootloader. :-)
« Last Edit: April 30, 2013, 02:37:36 am by hollari »

  • **
April 30, 2013, 03:42:24 am
Interesting.  It looks like one of my test cameras has a much newer firmware:

Code: [Select]
params length is 5428
sw version is
aw version is

But I haven't yet figured out how to dump the firmware so I can't give you a copy unfortunately.  I'm guessing the I2C errors are because the firmware is looking for a chip that is not present in your camera - possibly the PHY chip for Ethernet since "ResetPhyChip Failed".  Perhaps if you open your device and look at the PHY IC it might shed some light on the matching firmware you need.  For the record, both my NUC745 cameras have ICPlus IC101A PHY chips.

I am working on OpenWRT for this camera and others, but unfortunately I am only at the stage where I have ported Linux kernel 3.9 to the NUC745 CPU.  I can boot the kernel on the camera, but I can't yet get a command line as the binaries don't run and I'm not sure why.  Hopefully once I figure this out I can then add board support to OpenWRT, then it will be a fairly easy matter of just compiling OpenWRT for this platform.

I will certainly post back to the forum when I have something that can be tested so it would be good if you were willing to test when the time comes!  As long as you don't reflash your bootloader there should be no danger of bricking your device, since you have serial console access.

April 30, 2013, 02:29:08 pm
I guess you are right; my camera searches for a Chip that isnt there or that is broken.
I am sure, it is NOT from the Ethernet Chip, because i can ping the Camera for a few seconds.
(And : the Ethernet is for 99% sure NEVER connected via I2C)
(the "ResetPhyChip Failed" is only there because no Ethernet Cable was connected at this time)
I think, the I2C bus is used for the motion control of the camera.
So if I would be able to change the firmware in a way that it does not access this chip, maybe it would be working. (Without Pan and Tilt for sure...)

About reading the Firmware :
If you have serial access to the working camera, you should be able to open a serial shell when its booted.
(I have this on my camera too, when i enter "kill 8" shortly before it reboots again)
I am not sure, but maybe you can make a symbolic link from the home-directory to the flash device and read the firmware via browser to a file.

  • **
May 01, 2013, 05:07:43 am
The Ethernet is definitely not connected via I2C, but the PHY chip could be configured via I2C - I haven't checked the datasheets to see how the PHY chips are set up.  I'm not sure how the PTZ controls work but I doubt they are I2C, I think they have GPIO lines connected to the motors via level shifters/driver arrays.

Can you connect the Ethernet cable and ping the camera's IP address?  That would tell you for sure whether the PHY chip is to blame or not.

You don't appear to be able to create symlinks in the /home (web) directory as the /proc files you might want to link to are on a different filesystem.  You can copy them, but there doesn't seem to be any way to access the flash memory in /proc anyway.  Normally there are /proc/mtdblockX devices but there aren't here.  It's not too important though, as once I can boot my own kernel all the way to userspace I can run my own tools to dump the firmware.

May 01, 2013, 03:28:38 pm
A Soft Link ca FOR SURE be made between differen Partitions (ln -s xx yy). A Hard Link is only in the same Partition !!
But Maybe the /home (=Web Interface) is write protected.
In this case it may be helpful to erase the partition (needs to be flashed visible before).
Then it should be mounted to the / (ramdisk) and then it IS writeable.

  • **
May 02, 2013, 04:14:34 am
Oh of course a soft link would work, silly me.  I tried this, but the web server doesn't seem to follow symlinks.  I don't get an error, just a blank page when I try to open a file symlinked from /proc.  Strange.

I don't want to change my flash at all until I have successfully dumped it.  I have no idea why my own kernel doesn't want to run any ARM binaries, because that's the only thing stopping me...

May 05, 2013, 02:39:39 pm
Maybe it is possible to un-mount the /home partition and create a new one in the ram-disk ?
Then it should be possible to copy the whole-flash device to a file in the ramdisk and download it.

I am really wondering why there is no working linux for such cameras. Are they so seldom ?

  • **
May 05, 2013, 04:20:36 pm
The problem is how do you "copy the whole-flash device"?  There is no source file to copy, and you can't (easily) upload your own binary to dump the firmware either.

I think Linux is so rare because the CPU used by these devices - a Nuvoton NUC745 - has no supporting code in the Linux kernel so you must use Nuvoton's difficult BSP in order to compile anything.  I guess most people have found it more trouble than it is worth.  Hopefully now I have ported the NUC745 support code to the git version of Linux I can submit it to be included in the mainline distribution which will help there.

The other problem is the NUC745 uses an ARM7TDMI core, which has no MMU.  I am currently having a lot of problems getting a no-MMU toolchain to build using buildroot, as this is not a widely tested configuration.  For instance I figured out the reason why my new kernel won't run my binaries is because the kernel does not support ELF format executables (this is not possible in a no-MMU environment), but when switching to the alternative FLAT binaries, various components in the toolchain won't compile.  There is a lot more debugging to do to fix these problems!