News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: Web Interface Checksum  (Read 14161 times)

April 04, 2011, 08:16:46 am
Looks its simply all bytes from 0xC to size bytes (so size - 0xC bytes) added together.

Haven't tested it with a modified firmware yet, but the following is generating correct checksums for existing images.

Code: [Select]
#include <stdio.h>
int main(int argc, char **argv)
{
   FILE *file = fopen(argv[1], "rb");
   if (file) {
      int i;
      unsigned char data;
      int header;
      int checksum=0;
      int old_checksum;
      int size;
      int count=0;
      int version;

      fread(&header, 1, 4, file);
      fread(&old_checksum, 1, 4, file);
      fread(&size, 1, 4, file);
      fread(&version, 1, 4, file);

      fseek(file, 0xc, SEEK_SET);

      while (!feof(file)) {
         data=fgetc(file);
         count++;
         checksum += (int) data;
         if (count == (size - 0xc)) {
            break;
         }
      }
      printf("firmware: \t%s\n", argv[1]);
      printf("header: \t0x%08x\n", header);
      printf("size: \t\t0x%08x\n", size);
      printf("version: \t0x%08x\n", version);
      printf("old checksum: \t0x%08x\n", old_checksum);
      printf("new checksum: \t0x%08x\n", checksum);
   } else {
      perror(argv[1]);
   }
   return 0;
}
« Last Edit: April 04, 2011, 02:37:25 pm by Nocturnal »

  • No avatar
  • *****
April 04, 2011, 02:04:54 pm
Nice work :)

You want to make the packer now then, or should I?

I'm heading home in 10 days, so will have time then for coding.

April 04, 2011, 02:12:41 pm
I emailed Kyle to see if he wants to update fostar, otherwise I will probably write an update for it tomorrow.

April 04, 2011, 03:05:39 pm
I just knocked together this, which should repack a webui image generated by the latest fostar (from the svn repo).

Code: [Select]
#include <stdio.h>
int main(int argc, char **argv)
{
   FILE *file = fopen(argv[1], "rb");
   FILE *file2 = fopen(argv[2], "wb");
   if (file && file2) {
      int i;
      unsigned char data;
      int header = 0x440c9abd;
      int checksum=0;
      int size;
      int count=0x10;
      int version;

      fread(&size, 1, 4, file);
      fread(&version, 1, 4, file);
      fseek(file, 0x1d, SEEK_SET);

      for (i=0; i < 4; i++) {
         checksum += (version >> (i * 8)) & 0xFF;
      }

      fseek(file2, 0x10, SEEK_SET);
      while (!feof(file)) {
         data=fgetc(file);
         count++;
         checksum += (int) data;
         fputc((int) data, file2);
         if (count == (size - 0xd)) {
            break;
         }
      }
      fseek(file2, 0x0, SEEK_SET);
      fwrite(&header, 0x4, 1, file2);
      fwrite(&checksum, 0x4, 1, file2);
      fwrite(&count, 0x4, 1, file2);
      fwrite(&version, 0x4, 1, file2);
   } else {
      perror(argv[1]);
   }
   return 0;
}


Unfortunately, I can't test the resulting image, since my camera's power supply just died as I was getting ready to download the image :(
« Last Edit: April 05, 2011, 10:00:42 am by Nocturnal »

April 04, 2011, 09:59:58 pm
Nocturnal, you are a genius. It checks out with the UI file that I have too. Time to start packing and playing.

April 05, 2011, 10:30:29 am
I put together a temporary power supply, made a few changes to my repacking coded (edited above) since it wasn't properly striping the old header, and after failing to set my tftp client to binary mode several times, finally loaded a working modified web ui image onto my camera.

So it works.

April 05, 2011, 07:52:21 pm
Woo Hoo!

Nothing can stop us now!

  • No avatar
  • *****
April 06, 2011, 12:57:57 pm
Nice work Nocturnal

Saves me doing it, as I've been pestered a few times by people to make a packer  ;)

April 14, 2011, 03:15:11 am
Hi there, I made a packer/unpacker for both firmware and webui

It's bash script, could be ugly but no need to compile and feel free to custom.

Based on xxd,gawk it's quite easy to do. I'll make a post later on the futur wiki with the description of full files architecture (firmware and webui).

Code: [Select]
.:: Foscam Resource ToolKit ::.

$0 --webui|--firm file|folder

You can use this piece of script to :
- Pack and unpack webui resource
- Pack and unpack firmware resource

Usage :

Unpack webui : $0 --webui file.bin

Pack webui : $0 --webui webui_folder

Unpack firmware : $0 --firm file.bin

Pack firmware : $0 --firm firmware_folder

(note the firmware folder must contain rootfs.img and linux.bin files)


It has been tested with both firmware and webui by packing the unpacked one, checksum are the same (not md5sum for webui because the file are not in the same order).

April 21, 2011, 07:05:31 pm
Hi!
I have successfully unpacked and re-packed a new webUI with your Toolkit.
I would like to ask 2 questions before updating my cam:
1. What is the max filesize of the new .bin ?
2. Have you tested a "re-pack" on a FI8918W?
Thanks a lot.

  • No avatar
  • *****
April 24, 2011, 02:39:24 am
Max filesize is obviously whatever your flash size is!

Kernel is run compressed in ram, so that ones smaller - usually around 800kb.
Romfs is 700kb
Webui usually about 500kb

So a 2M flash is pretty tightly packed.  If you dump the OCX file, you should have plenty of space however.

4M is easier to mess around with.

  • *****
April 24, 2011, 02:10:44 pm
neXus - have you been successful in loading webui images, created with foscam_pkmgr, back into the camera? I extracted the webui of my wansview camera, changed the image in one GIF (keeping the image size and characteristics the same) and repacked it with foscam_pkmgr. However, the camera didn't take the load because upon reboot the old image was still there. I loaded a foscam webui into the camera without error and then reloaded the original wansview webui. I also tried an extract/repack and noticed some checksum differences:

Code: [Select]
firmware: wansview-0.0.4.17-orig.bin
header: 0x440c9abd
size: 0x000a55c0
version: 0x11040000
old checksum: 0x03afc0d0
new checksum: 0x03afc0d0

firmware: 0.0.4.17-repack.bin
header: 0x440c9abd
size: 0x000a55a9
version: 0x11040000
old checksum: 0x03b015f7
new checksum: 0x03b01267

The old checksum=0x03b015f7 is what foscam_pkmgr reported during its packaging. The checksum.c computes a different checksum. Any help appreciated.

  • *****
April 24, 2011, 03:26:01 pm
Well, I semi-bricked my wansview. I finally got a webui to load but now when I open the IP of the camera I get a 404 not found instead of my login page. In order to get a webui that would load I used fostar to pack it and then Nocturnal's code to repack it. The wansview NC541/W accepted that load - too bad it hosed the camera. :(

Here is a checksum of the repacked fostar pack:
$ ./checksum 0.0.4.18-rp.bin
firmware:    0.0.4.18-rp.bin
header:    0x440c9abd
size:       0x000a5b61
version:    0x12040000
old checksum:    0x03b095d6
new checksum:    0x03b095d6

----UPDATE----
I see the problem but don't know how to fix it given that I have no binaries for the wansview except for the webui. Using the serial port I see that the home folder is empty. Apparently my load deleted the home contents but didn't load the new webui.
----UPDATE----
Figuring that I had little to lose, I decided to try and load in the romfs.img from a foscam.

My romfs is in a slightly different place tha is the foscam:
Code: [Select]
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BFE5C exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0010C400 exec:0x7F0E0000 -a

Code: [Select]
bootloader > fx 6 romfs.img 0x7F0E0000 0x7F0E0000 -a                                                                           
Waiting for download
Press Ctrl-x to cancel ...                                                                                                     
bootloader > 

My xmodem send fails after two NAKs. Now I'm really in a jam.

----UPDATE----
I have been using minicom on my Mint-9 Linux system to talk to the wansview ipcamera. After some research, I discovered that Microsoft has modified the xmodem protocol used within its hyperterminal program. After trying every likely option with minicom as it relates to xmodem, I gave up and went to the basement and drag out an old Windows-XP box. Using Hyperterminal, xmodem loaded the foscam romfs.img without error. Unfortunately, It continually reboots with the write i2c errorthat others have written about. Sonce the ipcamera was designed to work with Hyperterminal's modified xmodem, I am stuck with using that for now. However, I would really like to know the options to Linux's sx that will work in the Hyperterminal way. Now, if I can just find a romfs,img that will work.
« Last Edit: April 24, 2011, 07:49:44 pm by celem »

April 25, 2011, 06:49:11 am
What is foscam_pkmgr?

The difference between 0.0.4.17-repack.bin and wansview-0.0.4.17-orig.bin is size. Different size, different checksum (unless the extra bytes are all 0x00), and a probably broken image.

An empty home directory is actually an indication that the webui has failed the boot up checks. That could be a bad checksum or possibly a bad webui with a good checksum. Your romfs was fine. Did you use the latest fostar from the svn repo as I instructed? If everything worked right 0.0.4.18-rp.bin (Assuming its a repack with no changes) should have had an identical size and checksum to the original.

I never got xmodem to work, I used tftp instead (just make sure binary mode is set).



 

  • *****
April 25, 2011, 09:43:14 am
Nocturnal - re "What is foscam_pkmgr?" look back in this thread to the attachment posted on April 14th by neXus.

If my romfs was ok, how do I then load a new webui if the old one is missing or corrupt? Accessing from the web yields 404 error and if accessing from the bootloader I see no block in which to load it. I read somewhere that there may be a hidden block 8 that holds the webui but I am pretty sure that, when all was well, that I looked into the home folder and saw the webui files, that are now missing. My flash looked like below, when all was well:

Code: [Select]
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BFE5C exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0010C400 exec:0x7F0E0000 -a