News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: Capture romfs image via serial port?  (Read 4430 times)

  • *****
April 23, 2011, 05:31:02 pm
Tell me if I'm all wet here, but -

While looking at the bootloader dialog on my Wansview NV541/W:
Code: [Select]
bootloader > h

W90P745 Command Shell v1.0 Rebuilt on May 06 2010 at 13:00:07

H        Display the available commands
B        Set Baud Rate
D        Display memory. D -? for help
E        Edit memory. E -? for help
G        Goto address
I        information
MX       Xmodem download
MT       TFTP/USB download
FT       Program the flash by TFTP/USB. FT -? for help
FX       Program the flash by Xmodem. FX -? for help
CP       Memory copy
LS       List the images in the flash
SET      Setting boot loader configuration. SET -? for help
CHK      Check the flash
RUN      Execute image
DEL      DEL the image or flash block
MSET     Fill memory
TERM     Change the terminal output port
BOOT     Reboot the system
CACHE    Cache setting
USB      USB interface setting
UNZIP    Unzip image
ATTRIB   Change the image attribution
INTF     Print bootloader supported interface, ether USB or MAC
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BFE5C exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0010C400 exec:0x7F0E0000 -a

bootloader > d 0x7f020000
Displaying memory at 0x7F020000
[7F020000] 04034B50 00020014 - 43E50008 983B3D86  PK.........C.=;.
[7F020010] FDE8192B 8D30000B - 00090019 696C0000  +.....0.......li
[7F020020] 2E78756E EC6E6962 - 547C7DFD 8E07BD47  nux.bin..}|TG...
[7F020030] 6487D9CF 79385B09 - 72A436EC 34A6B480  ...d.[8y.6.r...4
[7F020040] B6900F6D 14B2D314 - 2ED0515A B1516D0F  m.......ZQ...mQ.
[7F020050] A8AD2DA6 1515A6D4 - 24DDB4BD A062909B  .-.........$..b.
[7F020060] 6943C201 7A2DACDA - 54578BD1 DE8AC5EA  ..Ci..-z..WT....
[7F020070] 4AC5502D DED45A2D - 6EECF55A 5459098E  -P.J-Z..Z..n..YT
[7F020080] 6D62F454 7BF7DFBB - 49BB3666 DEF70FA9  T.bm...{f6.I....
[7F020090] C7F7F7EF 6618BCCF - F3399CCF D3CF99F8  .......f..9.....
[7F0200A0] 2233E67C 693E4F11 - 882FD3C6 9A9C5A78  |.3".O>i../.xZ..
[7F0200B0] 3C8BAC94 B29A6A94 - E3845075 31B880E9  ...<.j..uP.....1
[7F0200C0] 37B70BE9 CECD9ABC - 5CFAB5AA 4FB87561  ...7.......\au.O
[7F0200D0] 3D67C85A F1BD8AE8 - 1886F5F4 2D539F0A  Z.g=..........S-
[7F0200E0] 8B56958E 88D5DFE6 - 344588A3 E6E98C24  ..V.......E4$...
[7F0200F0] C8850BF4 DD2B3108 - 49DEE22C 2E5C9442  .....1+.,..IB.\.

bootloader >

This got me wondering - would it be possible, using the built-in commands, to load an ARM compiled version of xxd into RAM and execute it in ram to do a hex dump to stdout for capture and subsequent conversion back to binary.

  • No avatar
  • *****
April 24, 2011, 02:36:55 am
Why couldn't you just use XXD to dump the current firmware on your computer?
Easier than compiling a kernel, a romfs with xxd, and running it.


Its essentially what others have done to dump their current firmware without resorting to dumping the flash via other methods like jtag or tsop resoldering etc.

  • *****
April 24, 2011, 08:42:05 am
I do not have a copy of the firmware within the camera. Wansview's tech support did email me an updated WebUI upon my request. I subsequently requested a full firmware file but have not received a response.

Wansview, http://www.wansview.com/, does not post their firmware on their web site.

What I was alluding to was not "Easier than compiling a kernel, a romfs with xxd, and running it", but rather if it would be possible to compile xxd and load it into the camera's RAM via its "MX" command and execute it in RAM via the "G" command, or some variation thereof. Like I said before, maybe I am all wet, but it seemed like a remote possibility.

P.S.: The new WebUI version did dramatically improve non-Microsoft browser usability.

April 25, 2011, 06:52:48 am
Or... you can use the "d" display memory command, a few scripts, and a bit of parsing code to dump out the firmware. Which is what I did.

  • *****
April 25, 2011, 01:56:13 pm
Regrettably, in my various gyrations I deleted block 6 and installed a romfs from another camera, which gives a reboot loop. Thus, my real romfs is lost.
------UPDATE-------
I just ordered another wansview NC541/W for $65.25, including shipping. When it arrives I will extract all images using the display memory from bootloader technique and then attempt to rebuild my currently butchered wansview. With the updated webui that wansview emailed to me, its support of Firefox and Chrome is excellent. The build quality is also good.
« Last Edit: April 25, 2011, 02:25:47 pm by celem »