Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Author Topic: lr_cmos_11_37_2_51.bin firmware extra data at end  (Read 6724 times)

  • No avatar
  • *
August 18, 2013, 11:49:38 pm
There appears to be an extra chunk of data at the end of the lr_cmos_11_37_2_51.bin firmware file for foscam 8910 camera.

I'm using foscam_pkmgr bash script ( to unpack and pack the firmware. I am simply unpacking and repacking the firmware and they do not match.

I can see the file sizes do not match:

ls -l lr_cmos_11_37_2_51.bin*
-rw-rw-r-- 1 root root 1818812 Aug 18 19:04 lr_cmos_11_37_2_51.bin
-rw-rw-r-- 1 root root 1818804 Aug 18 20:46 lr_cmos_11_37_2_51.bin_custom

If I convert both to hex and compare, the original has some extra data at the very end of the file:
01bc0b0: 0000 0000 9fc0 1b0b 60aa ba34            ........`..4

Anyone have any idea what this could be? Any help would be appreciated.

  • No avatar
  • *
August 19, 2013, 01:33:13 am
This looks like an md5sum appended to the end of the file. Still trying to figure out what it is an md5sum of? Any ideas?

# MD5 sum at end of lr_cmos_11_37_2_51.bin
echo -n 9fc01b0b60aaba34 | xxd -p

# Append this to unpacked/repacked firmware that I made
echo -n 9fc01b0b60aaba34 | xxd -r -p >> custom_lr_cmos_11_37_2_51.bin

# Now custom and original match
md5sum lr_cmos_11_37_2_51.bin firm5.bin
242e2788aa32aefb3b68b9988cc97159  lr_cmos_11_37_2_51.bin
242e2788aa32aefb3b68b9988cc97159  custom_lr_cmos_11_37_2_51.bin

August 23, 2013, 01:24:27 am
An md5 checksum is 16 bytes and there are only 8 bytes at the end of the file.  I was thinking perhaps it was the CRC64 checksum of the file, or the concatenated CRC32 checksums of the 2 contained files (linux.bin and rootfs.img), but it doesn't seem to be either of those.

September 27, 2013, 06:06:07 pm
I was finally able to flash a custom firmware, although it required physical access to the camera.  I wrote up the details here:  I am currently working on a way to do this without having physical access.

October 05, 2013, 07:14:35 pm
Here is another post I wrote on my blog with details on how to generate the correct checksum without requiring physical access:  Enjoy!

  • No avatar
  • *
October 26, 2013, 05:46:46 pm
Nice work Corey! Thanks for writing up the details.