News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: lr_cmos_11_37_2_51.bin firmware extra data at end  (Read 6724 times)

  • No avatar
  • *
August 18, 2013, 11:49:38 pm
There appears to be an extra chunk of data at the end of the lr_cmos_11_37_2_51.bin firmware file for foscam 8910 camera.

I'm using foscam_pkmgr bash script (https://github.com/moldov/webui/blob/master/foscam_pkmgr) to unpack and pack the firmware. I am simply unpacking and repacking the firmware and they do not match.

I can see the file sizes do not match:

ls -l lr_cmos_11_37_2_51.bin*
-rw-rw-r-- 1 root root 1818812 Aug 18 19:04 lr_cmos_11_37_2_51.bin
-rw-rw-r-- 1 root root 1818804 Aug 18 20:46 lr_cmos_11_37_2_51.bin_custom


If I convert both to hex and compare, the original has some extra data at the very end of the file:
01bc0b0: 0000 0000 9fc0 1b0b 60aa ba34            ........`..4

Anyone have any idea what this could be? Any help would be appreciated.

  • No avatar
  • *
August 19, 2013, 01:33:13 am
This looks like an md5sum appended to the end of the file. Still trying to figure out what it is an md5sum of? Any ideas?

# MD5 sum at end of lr_cmos_11_37_2_51.bin
echo -n 9fc01b0b60aaba34 | xxd -p
39666330316230623630616162613334

# Append this to unpacked/repacked firmware that I made
echo -n 9fc01b0b60aaba34 | xxd -r -p >> custom_lr_cmos_11_37_2_51.bin

# Now custom and original match
md5sum lr_cmos_11_37_2_51.bin firm5.bin
242e2788aa32aefb3b68b9988cc97159  lr_cmos_11_37_2_51.bin
242e2788aa32aefb3b68b9988cc97159  custom_lr_cmos_11_37_2_51.bin

August 23, 2013, 01:24:27 am
An md5 checksum is 16 bytes and there are only 8 bytes at the end of the file.  I was thinking perhaps it was the CRC64 checksum of the file, or the concatenated CRC32 checksums of the 2 contained files (linux.bin and rootfs.img), but it doesn't seem to be either of those.

September 27, 2013, 06:06:07 pm
I was finally able to flash a custom firmware, although it required physical access to the camera.  I wrote up the details here: http://justreadthecode.wordpress.com/2013/09/26/ipcamera-fun/.  I am currently working on a way to do this without having physical access.

October 05, 2013, 07:14:35 pm
Here is another post I wrote on my blog with details on how to generate the correct checksum without requiring physical access: http://justreadthecode.wordpress.com/2013/10/04/ipcamera-fun-part-2/.  Enjoy!

  • No avatar
  • *
October 26, 2013, 05:46:46 pm
Nice work Corey! Thanks for writing up the details.