Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Recent Posts

Pages: 1 2 [3] 4 5 ... 10
Firmware / Instar 3010 from 2011
« Last post by cbkdi on August 14, 2017, 03:20:39 pm »
hello everybody,
lets have some time travel back to 2011, i have such an old cam i wanna debrick after the Instar Website gave me a faulty firmware and brick it.

I am connected to my cam via serial and i lurked a long time on this board and tried a lot of suggestions for similar problems here.

But my cam always reboot.

Thats what the Bootloader told me:

W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 00:0D:C5:D2:C5:A5
        IP Address          :
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : 115200
        USB Interface       : Enabled
        Serial Number       : 0x00BC614E

For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1925 Áù 11ÔÂ 3 04:41:51 CST 2012
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14316KB available (1493K code, 292K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F16BFFF [VIRTUAL 7F0E0000-7F16BFFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
i2s audio probe 1
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
usb-ohci.c: AMD756 erratum 4 workaround
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4

 _____     ____    _    ____
|__  /   _|  _ \  / \  / ___|
  / / | | | | | |/ _ \ \___ \
 / /| |_| | |_| / ___ \ ___) |
/____\__, |____/_/   \_\____/
ZD1211B - version
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.20.04
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: camera&
Command: sh

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :80fd5e04-fed740
hub.c: new USB device 1, assigned address 2
detect_sensor: mi360
dvm cmos successfully initialized
dvm camera registered as video0
aw version is
aw version is

Wait for auto-negotiation complete...OK
100MB - FULL
video0 opened
set resolution 4
set brightness 100
set contrast 4
set sharpness 3
set mode 0
manage pid:14
inet_sr.c INET_rinput 321
inet_sr.c INET_setroute 75
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error
write i2c error

i tried an endless number different zips, bins and img´s but it will always come to:
10 time i2c write error

i get mad about this.

Could anyone explain me what does the [25] means?
I see some peolpes struggling with similar problems sometimes the number is [28] or whatever.

please explain, im sad.
Hacking & Modding / Running D-LINK Firmware on a FOSCAM device
« Last post by chrisw8189 on August 07, 2017, 01:18:23 pm »
What are the possibilities to run D-Link firmware on FOSCAM cameras? I like D-Link App, and the way you can interact with other devices but I like FOSCAM cameras. When it comes to these IP Cameras do they tend to all have the same board which would allow one to change the firmware? Is there more to it? I kind of figured a lot of the major cameras brand the same cameras, is this correct?
Hacking & Modding / Re: Hacking the IPRobot3
« Last post by Robo on August 04, 2017, 09:21:15 pm »
Unbricking a bricked IProbot3 ver1. 2013 with firmware 1.1.6  :)

This is a bit old news since the version of the camera has changed, but after a few years and many months of trial and error, I finally found a combination of steps that let me unbrick my old Tenvis IPRobot3 camera.  It looks that some people were able to use Telnet for this, I used the USB method.  I am ending my work on these cameras and will not be able to support those of you that try this nor will not be able to give out the firmware.  You might be able to find old  firmware on the web and the tools to extract the pk2 files.   Also, this procedure might only work on older discontinued versions of cameras and on a limited number of instances when the camera had a bad firmware update and it became unresponsive.  Specifically in my case, it failed during a firmware update when the Ethernet cable got unplugged and wifi was used for the update by accident. If this has happened to you too, then there is a good chance the steps below could help you.   

In order to complete the procedure, you will need to remove the camera bottom cover and connect a 3.3v USB converter to J9 by soldering wires to the camera's pcb, then use a terminal program to interact with the boot-loader. You will also need a fat32 formatted TIFF SD memory card and a copy of the firmware that has been uncompressed and renamed from “” to “linux”.  I also copied all the other files in the uncompressed gm8126-tenvis-1-1-6-2-2012-11-08.pk2 to the SD card then renamed them removing “.new” from each, but it seemed unnecessary.  If your camera is newer, use a version of firmware that is intended for that model of camera and J9 maybe different as well.

The steps are to copy Linux to the TIFF SD card and then put the SD into the camera. Then connect an Ethernet cable and the U9/USB port to a computer.  Now power up the camera and launch your Hyper Terminal program at 38400 baud N81 with the correct com port setting. Next power off and on the camera and press “.” in the terminal program during the first two seconds of the camera's startup. Then from the bootloader menu, do option 78 to boot from SD. The camera should load Linux from the sd.  Next find the IP address of the camera. The IP address of the camera is listed in hex format at the end of the linux boot log seen on the terminal screen.  To resolve the IP address of the camera, convert the hex numbers to decimal. Lastly, log into the camera with a web browser and do a normal firmware update. 

Notes: There are post regarding what wires to connect to J9 already and you will have to search for them. You will have to manually set your computer's IP address in the same subnet of your camera, but as a different IP address in that subnet.  I also found that Hyper Terminal would not recognize the USB com port unless I connect the USB converter to the computer and camera first, then power on the camera before I launched Hyper Terminal.  I suggest getting comfortable with the boot-loader via Hyper Terminal after connecting to J9 and insuring you have working USB drivers for the USB converter first. 

Good Luck!

Firmware / Help me with no name ip camera
« Last post by redstrat984 on August 02, 2017, 05:09:55 am »
i'm new user of this forum, i'm from italy, i need help with my ip camera,
this camera is a no name camera, buyed from ebay, some time ago. have a great video, it's 720p resolution with cloud service,
the problem is's signed like onvif but have only main stream and limitated firmware....
it's possibile to swap firmware with other version??

current version sign:
firmware time 2016-10-07 18.43
if can help, this is the site of the productor... i've got a x seris.

if you need photo of the camera or motherborad of the camera ask me :)

thanks to all for the help.
Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« Last post by admin on July 28, 2017, 01:42:11 pm »
Suggest read the uBoot docs for what is (possibly) available.

a uboot is a preboot that loads the OS
You will need to see if you have an OS on your board to boot into.

I'd try some common commands like

and try see what partitions you have etc
Firmware / Re: U-boot corrupted. Looking for recovery procedure
« Last post by admin on July 28, 2017, 01:36:53 pm »
Whats the SoC?

Some of the more modern SoC's can do recovery via USB boot.
If not, you'll need an SPI flasher or similar to rewrite the uboot directly onto the flash, eg with a BusPirate or dedicated device.
Firmware / Re: VACRON firmware format
« Last post by admin on July 28, 2017, 01:30:05 pm »
I wish I could afford IDA, that was actually moderately useful.

You can't assume/guarantee that the update /upgrade mechanism will be the same for each camera though.

Looks like it loads the file via web interface into ram, writes to /tmp then does some compares to see if valid.
I'd check the .bin file you first gave to see if it passes their compare process.

Firmware / Re: VACRON firmware format
« Last post by temp0727 on July 28, 2017, 07:36:03 am »
I grabbed some other files they provide for other cams. One of those files was JFFS, from which I got "update.cgi", but couldn't understand the algoright for it. Anyway, they seem to pack kernel and fs into that binary file. Attached some flowcharts from IDA and original update.cgi
Firmware / Re: Wanscam HW0021 firmware
« Last post by sirbossa on July 28, 2017, 04:26:36 am »
Does someone have the FW of the HW0021? I have seemed to install a wrong FW, and now my cam is all black and white, with very poor resolution. Want to get back to the original FW, but can't find it..:-S.
Firmware / Re: VACRON firmware format
« Last post by admin on July 28, 2017, 01:16:26 am »
I downloaded the rar file, unpacked and took a cursory look at the bin file.

Looks like its possibly encrypted or compressed post header, as I don't see many FF's or 00 strings in the file after the initial header.
strings also doesn't show any readable text, which ties in with it being compressed or encrypted.

A scan with binwalk ( ) to see if it finds any recognizable FS or compression in there shows nothing.

I'm guessing its probably encrypted with some custom method.

You'd need more firmware files to look at in order to proceed.
Pages: 1 2 [3] 4 5 ... 10