News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Recent Posts

Pages: [1] 2 3 ... 10
1
Hacking & Modding / Re: Foscam FI9828W U-Boot password
« Last post by Tk128 on August 19, 2017, 01:45:05 pm »
Today I had same problem. I tried with recovery binaries, however it didn't work. Tried serial, but it's protected by password...where can I find it? Thanks
2
Firmware / FI8909W Recovery data
« Last post by rxWsp on August 17, 2017, 11:26:37 am »
Hello guys,

I've bricked my Foscam FI8909W and so I need the 2 files (linux.zip and romfs.img) to be flashed. I didn't find them.
Someone has them?

Thank you in advance!
3
Firmware / Recovering Siepem S6211-WR - Ingenic T10 based
« Last post by Chachi on August 16, 2017, 02:22:38 am »
Been lurking for a while but now I need a little guidance as I actually make the vital keystrokes that will hopefully restore this camera.

It's nothing special but I picked it up cheap and ran it for a few days until I noticed heavy traffic when I knew no one was watching a stream. I decided to unplug it and do some securing of the network at a later date. When I went to finally turn it on, it did not move and the LAN lights would come on for a few seconds, and then appear to reset.

I'm to U-Boot and if anyone needs TX/RX pics, let me know but, I'm not sure how to get anything useful onto the camera. Here is the output with one boot cycle and then me halting it:

Code: [Select]
U-Boot SPL 2013.07 (Feb 27 2016 - 10:34:09)
pll_init:347
l2cache_clk = 450000000
pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 3
nf=38 nr = 1 od0 = 1 od1 = 1
cppcr is 02604900
CPM_CPAPCR 04b0890d
nf=50 nr = 1 od0 = 1 od1 = 1
cppcr is 03204900
CPM_CPMPCR 0320490d
cppcr 0x9a7b5510
apll_freq 909312000
mpll_freq 1200000000
ddr sel mpll, cpu sel apll
ddrfreq 400000000
cclk  909312000
l2clk 303104000
h0clk 300000000
h2clk 300000000
pclk  150000000
CPM_DDRCDR(0000002c) = a0000002


U-Boot 2013.07 (Feb 27 2016 - 10:34:09)

Board: ISVP (Ingenic XBurst T10 SoC)
DRAM:  64 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 402k for U-Boot at: 83f98000
Reserving 32784k for malloc() at: 81f94000
Reserving 32 Bytes for Board Info at: 81f93fe0
Reserving 124 Bytes for Global Data at: 81f93f64
Reserving 128k for boot params() at: 81f73f64
Stack Pointer at: 81f73f48
Now running in RAM - U-Boot at: 83f98000
MMC:
the manufacturer c2
SF: Detected MX25L64**E

In:    serial
Out:   serial
Err:   serial
Net:   CPM_MACCDR(54) = a0000017
Jz4775-9161
Hit any key to stop autoboot:  0
the manufacturer c2
SF: Detected MX25L64**E

SF: 2883584 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80600000 ...
   Image Name:   Linux-3.10.14
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    2344413 Bytes = 2.2 MiB
   Load Address: 80010000
   Entry Point:  80404510
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.14 (root@aplink-desktop) (gcc version 4.7.2 (Ingenic 2015.02) ) #12 PREEMPT Sat Feb 27 10:32:49 CST 2016
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 RESET ERROR PC:B5C818FF
[    0.000000] CPU0 revision is: 00d00100 (Ingenic Xburst)
[    0.000000] FPU revision is: 00b70000
[    0.000000] CCLK:909MHz L2CLK:454Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 004c8000 @ 00010000 (usable)
[    0.000000]  memory: 00038000 @ 004d8000 (usable after init)
[    0.926159] drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
[    0.936018] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)
[    0.944632] Rebooting in 3 seconds..Restarting after 4 ms

U-Boot SPL 2013.07 (Feb 27 2016 - 10:34:09)
pll_init:347
l2cache_clk = 450000000
pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 3
nf=38 nr = 1 od0 = 1 od1 = 1
cppcr is 02604900
CPM_CPAPCR 04b0890d
nf=50 nr = 1 od0 = 1 od1 = 1
cppcr is 03204900
CPM_CPMPCR 0320490d
cppcr 0x9a7b5510
apll_freq 909312000
mpll_freq 1200000000
ddr sel mpll, cpu sel apll
ddrfreq 400000000
cclk  909312000
l2clk 303104000
h0clk 300000000
h2clk 300000000
pclk  150000000
CPM_DDRCDR(0000002c) = a0000002


U-Boot 2013.07 (Feb 27 2016 - 10:34:09)

Board: ISVP (Ingenic XBurst T10 SoC)
DRAM:  64 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 402k for U-Boot at: 83f98000
Reserving 32784k for malloc() at: 81f94000
Reserving 32 Bytes for Board Info at: 81f93fe0
Reserving 124 Bytes for Global Data at: 81f93f64
Reserving 128k for boot params() at: 81f73f64
Stack Pointer at: 81f73f48
Now running in RAM - U-Boot at: 83f98000
MMC:
the manufacturer c2
SF: Detected MX25L64**E

In:    serial
Out:   serial
Err:   serial
Net:   CPM_MACCDR(54) = a0000017
Jz4775-9161
Hit any key to stop autoboot:  0
isvp#

I found several Russian sites with directions for restoring cameras based on the Ingenic T10 but the one in particular that seemed most promising had broken links for the useful files. https://4pda.ru/forum/index.php?showtopic=807259
Google Translated: https://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=http://4pda.ru/forum/index.php%3Fshowtopic%3D807259&usg=ALkJrhijolnhxY_Mh_50EBQh78Ced5YPtQ

My hopeful find was that Siepem has a Github where they apparently just dumped a bunch of files so, I'm hoping someone can point me to what is useful and how I should go about pushing something useful to the camera. https://github.com/siepem/cdonline
4
Firmware / Instar 3010 from 2011
« Last post by cbkdi on August 14, 2017, 03:20:39 pm »
hello everybody,
lets have some time travel back to 2011, i have such an old cam i wanna debrick after the Instar Website gave me a faulty firmware and brick it.

I am connected to my cam via serial and i lurked a long time on this board and tried a lot of suggestions for similar problems here.

But my cam always reboot.

Thats what the Bootloader told me:

Quote
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 00:0D:C5:D2:C5:A5
        IP Address          : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : 115200
        USB Interface       : Enabled
        Serial Number       : 0x00BC614E


For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1925 Áù 11ÔÂ 3 04:41:51 CST 2012
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14316KB available (1493K code, 292K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F16BFFF [VIRTUAL 7F0E0000-7F16BFFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
i2s audio probe 1
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4

 _____     ____    _    ____
|__  /   _|  _ \  / \  / ___|
  / / | | | | | |/ _ \ \___ \
 / /| |_| | |_| / ___ \ ___) |
/____\__, |____/_/   \_\____/
     |___/
ZD1211B - version 2.24.0.0
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.20.04
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: camera&
[8]
Command: sh

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :80fd5e04-fed740
hub.c: new USB device 1, assigned address 2
detect_sensor: mi360
dvm cmos successfully initialized
dvm camera registered as video0
aw version is 0.25.2.6
aw version is 3.16.2.51

Wait for auto-negotiation complete...OK
100MB - FULL
video0 opened
1
1
1
1
1
1
set resolution 4
set brightness 100
set contrast 4
set sharpness 3
set mode 0
__pthread_initial_thread_bos:35c000
manage pid:14
2
2
2
2
2
2
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth0
[25]
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
myreboot

i tried an endless number different zips, bins and img´s but it will always come to:
[25]
10 time i2c write error
myreboot.

i get mad about this.

Could anyone explain me what does the [25] means?
I see some peolpes struggling with similar problems sometimes the number is [28] or whatever.

please explain, im sad.
5
Hacking & Modding / Running D-LINK Firmware on a FOSCAM device
« Last post by chrisw8189 on August 07, 2017, 01:18:23 pm »
What are the possibilities to run D-Link firmware on FOSCAM cameras? I like D-Link App, and the way you can interact with other devices but I like FOSCAM cameras. When it comes to these IP Cameras do they tend to all have the same board which would allow one to change the firmware? Is there more to it? I kind of figured a lot of the major cameras brand the same cameras, is this correct?
6
Hacking & Modding / Re: Hacking the IPRobot3
« Last post by Robo on August 04, 2017, 09:21:15 pm »
Unbricking a bricked IProbot3 ver1. 2013 with firmware 1.1.6  :)

This is a bit old news since the version of the camera has changed, but after a few years and many months of trial and error, I finally found a combination of steps that let me unbrick my old Tenvis IPRobot3 camera.  It looks that some people were able to use Telnet for this, I used the USB method.  I am ending my work on these cameras and will not be able to support those of you that try this nor will not be able to give out the firmware.  You might be able to find old  firmware on the web and the tools to extract the pk2 files.   Also, this procedure might only work on older discontinued versions of cameras and on a limited number of instances when the camera had a bad firmware update and it became unresponsive.  Specifically in my case, it failed during a firmware update when the Ethernet cable got unplugged and wifi was used for the update by accident. If this has happened to you too, then there is a good chance the steps below could help you.   

In order to complete the procedure, you will need to remove the camera bottom cover and connect a 3.3v USB converter to J9 by soldering wires to the camera's pcb, then use a terminal program to interact with the boot-loader. You will also need a fat32 formatted TIFF SD memory card and a copy of the firmware that has been uncompressed and renamed from “mtdblock0.new” to “linux”.  I also copied all the other files in the uncompressed gm8126-tenvis-1-1-6-2-2012-11-08.pk2 to the SD card then renamed them removing “.new” from each, but it seemed unnecessary.  If your camera is newer, use a version of firmware that is intended for that model of camera and J9 maybe different as well.

The steps are to copy Linux to the TIFF SD card and then put the SD into the camera. Then connect an Ethernet cable and the U9/USB port to a computer.  Now power up the camera and launch your Hyper Terminal program at 38400 baud N81 with the correct com port setting. Next power off and on the camera and press “.” in the terminal program during the first two seconds of the camera's startup. Then from the bootloader menu, do option 78 to boot from SD. The camera should load Linux from the sd.  Next find the IP address of the camera. The IP address of the camera is listed in hex format at the end of the linux boot log seen on the terminal screen.  To resolve the IP address of the camera, convert the hex numbers to decimal. Lastly, log into the camera with a web browser and do a normal firmware update. 

Notes: There are post regarding what wires to connect to J9 already and you will have to search for them. You will have to manually set your computer's IP address in the same subnet of your camera, but as a different IP address in that subnet.  I also found that Hyper Terminal would not recognize the USB com port unless I connect the USB converter to the computer and camera first, then power on the camera before I launched Hyper Terminal.  I suggest getting comfortable with the boot-loader via Hyper Terminal after connecting to J9 and insuring you have working USB drivers for the USB converter first. 

Good Luck!


7
Firmware / Help me with no name ip camera
« Last post by redstrat984 on August 02, 2017, 05:09:55 am »
Hi
i'm new user of this forum, i'm from italy, i need help with my ip camera,
this camera is a no name camera, buyed from ebay, some time ago. have a great video, it's 720p resolution with nwsvr1.com cloud service,
the problem is onvif....it's signed like onvif but have only main stream and limitated firmware....
it's possibile to swap firmware with other version??

current version sign:
firmware 00.20.02.0043P1
webui 0.0.5.19
firmware time 2016-10-07 18.43
if can help, this is the site of the productor... http://cd.ipcamdata.com/en/xseries.html i've got a x seris.

if you need photo of the camera or motherborad of the camera ask me :)

thanks to all for the help.
8
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by admin on July 28, 2017, 01:42:11 pm »
Suggest read the uBoot docs for what is (possibly) available.

http://www.denx.de/wiki/view/DULG/UBootCmdGroupInfo

a uboot is a preboot that loads the OS
You will need to see if you have an OS on your board to boot into.

I'd try some common commands like
help
ls
flinfo

and try see what partitions you have etc
9
Firmware / Re: U-boot corrupted. Looking for recovery procedure
« Last post by admin on July 28, 2017, 01:36:53 pm »
Whats the SoC?

Some of the more modern SoC's can do recovery via USB boot.
If not, you'll need an SPI flasher or similar to rewrite the uboot directly onto the flash, eg with a BusPirate or dedicated device.
10
Firmware / Re: VACRON firmware format
« Last post by admin on July 28, 2017, 01:30:05 pm »
I wish I could afford IDA, that was actually moderately useful.

You can't assume/guarantee that the update /upgrade mechanism will be the same for each camera though.

Looks like it loads the file via web interface into ram, writes to /tmp then does some compares to see if valid.
I'd check the .bin file you first gave to see if it passes their compare process.


Pages: [1] 2 3 ... 10