Topic: Help Request - Memory Dump

July 04, 2011, 11:23:02 am
I have two WansView NC-541/W cameras but I have replaced the firmware in both from firmware captured using "method 2" described elsewhere in this board. While the captured firmware yields working cameras, a factory enabled feature is now lost. Apparently data is being installed by the factory that is not in images 6, 7 & 8, and I have now lost that data. Wansview has a pre-installed DDNS service - www.nwsvr.com (58.61.38.177) that prepends a device id that is pre-installed into the camera - someplace. For example, if the device ID assigned to a camera is 002exaf, then the ddns address is 002exaf.nwsvr.com. Both the device ID and the associated DDNS are printed on a label on the camera's bottom. Each camera's device ID is unique.

I would appreciate it if I could examine the "BOOT INFO" and Settings sections of other cameras that retain their factory original firmware. Any brand interests me. Please submit the output from five commands:

ls
d -b 0x7f010000
d -b 0x7F1F0000
d -b 0x7F1F0100
d -b 0x7F1F0200

BE ADVISED: The camera's passwords are in one of these blocks, in clear text. So, if this is a problem you may want to obscure them, such as capture into a text editor and replace with XXXXXXXX.

As an example, here is mine:
Code:
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -f
Image: 7 name:linux.zip base:0x7F020000 size:0x000BFF00 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0010C400 exec:0x7F0E0000 -a

bootloader > d -b 0x7f010000
Displaying memory at 0x7F010000
[7F010000] 48 00 00 00 01 00 00 00 - 00 B8 00 00 68 D2 C0 A8  H...........h...
[7F010010] 00 B2 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010020] 01 00 00 00 01 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010030] 00 00 30 00 00 00 10 00 - 00 C2 01 00 FF FF FF FF  ..0.............
[7F010040] EF BE AD DE 01 00 00 00 - FF FF FF FF FF FF FF FF  ................
[7F010050] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F010060] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F010070] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F010080] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F010090] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100A0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100B0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100C0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100D0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100E0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................
[7F0100F0] FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF  ................

bootloader > d -b 0x7F1F0000
Displaying memory at 0x7F1F0000
[7F1F0000] BD 9A 0C 44 56 48 00 00 - E8 14 00 00 30 30 42 38  ...DVH......00B8
[7F1F0010] 30 30 30 30 36 38 44 32 - 00 15 16 02 24 00 00 04  000068D2....$...
[7F1F0020] 11 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0030] 00 00 00 00 00 00 61 64 - 6D 69 6E 00 00 00 00 00  ......admin.....
[7F1F0040] 00 00 00 31 32 33 34 35 - 36 00 00 00 00 00 00 00  ...123456.......
[7F1F0050] 02 67 63 6F 6D 65 72 00 - 00 00 00 00 00 00 58 61  .gcomer.......Xa
[7F1F0060] 6D 6A 6C 46 00 00 00 00 - 00 00 00 02 76 69 73 69  mjlF........visi
[7F1F0070] 74 6F 72 00 00 00 00 00 - 00 76 69 73 69 74 6F 72  tor......visitor
[7F1F0080] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0090] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00A0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00D0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00E0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F00F0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

bootloader > d -b 0x7F1F0100
Displaying memory at 0x7F1F0100
[7F1F0100] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 C0 A8  ................
[7F1F0110] 01 B2 FF FF FF 00 C0 A8 - 01 01 D0 68 02 55 00 00  ...........h.U..
[7F1F0120] 00 00 00 50 00 00 00 00 - 00 00 00 00 00 00 00 00  ...P............
[7F1F0130] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0140] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0150] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0160] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0170] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0180] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0190] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F01A0] 00 00 00 00 00 00 00 01 - 58 61 6D 6A 6C 46 00 00  ........XamjlF..
[7F1F01B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F01C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F01D0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F01E0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F01F0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

bootloader > d -b 0x7F1F0200
Displaying memory at 0x7F1F0200
[7F1F0200] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0210] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0220] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0230] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0240] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0250] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0260] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0270] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0280] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0290] 00 00 00 01 74 69 6D 65 - 2E 6E 69 73 74 2E 67 6F  ....time.nist.go
[7F1F02A0] 76 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  v...............
[7F1F02B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F02C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F02D0] 00 00 00 00 00 3C 00 58 - 4D 00 00 00 05 00 00 00  .....<.XM.......
[7F1F02E0] 00 00 00 00 64 00 64 00 - 00 00 00 00 00 01 00 00  ....d.d.........
[7F1F02F0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

bootloader >

« Last Edit: July 04, 2011, 11:38:47 am by celem »
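
An added example, not part of the original post: the advisory above suggests masking passwords in a text editor, but a password can straddle two dump rows (as "XamjlF" does at 0x7F1F005E) and also appears in the hex column, so a plain text search misses it. This sketch rebuilds the bytes from byte-wide `d -b` rows and masks known secrets in both columns; the function names and the sample dump are constructed for illustration.

```python
import re

# One "d -b" row: [ADDR] 8 bytes - 8 bytes  ASCII
ROW = re.compile(r"^\[([0-9A-Fa-f]{8})\]((?: [0-9A-Fa-f]{2}){8}) -((?: [0-9A-Fa-f]{2}){8})")

# Constructed sample (not from a real camera): the password "S3cr3t"
# starts on the last byte of one row and continues on the next.
SAMPLE = """\
bootloader > d -b 0x7F1F0030
[7F1F0030] 00 00 00 00 00 00 61 64 - 6D 69 6E 00 00 00 00 53  ......admin....S
[7F1F0040] 33 63 72 33 74 00 00 00 - 00 00 00 00 00 00 00 00  3cr3t...........
"""

def rows(text):
    """Yield (original_line, base_address, data); non-dump lines get base None."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield line, int(m.group(1), 16), bytes.fromhex(m.group(2) + m.group(3))
        else:
            yield line, None, b""

def secret_addresses(text, secrets):
    """Addresses of every byte that belongs to an occurrence of any secret."""
    mem = {base + i: b for _, base, data in rows(text) if base is not None
           for i, b in enumerate(data)}
    hits = set()
    for pat in (s.encode("ascii") for s in secrets):
        for addr in mem:
            if all(mem.get(addr + i) == c for i, c in enumerate(pat)):
                hits.update(range(addr, addr + len(pat)))
    return hits

def redact_dump(text, secrets):
    """Return the dump with secret bytes masked in both the hex and ASCII columns."""
    hits = secret_addresses(text, secrets)
    out = []
    for line, base, data in rows(text):
        if base is None:
            out.append(line)  # prompts, "Displaying memory at ..." etc. pass through
            continue
        hexes = ["XX" if base + i in hits else f"{b:02X}" for i, b in enumerate(data)]
        ascii_col = "".join("X" if base + i in hits else chr(b) if 32 <= b < 127 else "."
                            for i, b in enumerate(data))
        out.append(f"[{base:08X}] {' '.join(hexes[:8])} - {' '.join(hexes[8:])}  {ascii_col}")
    return "\n".join(out)

if __name__ == "__main__":
    print(redact_dump(SAMPLE, ["S3cr3t"]))
```

Word-wide dumps (the `[ADDR] 00000000 00000000 - ...` layout) do not match the row pattern and pass through unmasked, so capture with `d -b` before redacting.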

July 04, 2011, 03:49:51 pm
Hi,
In my Apexis OEM the URL and ID for the vendor DDNS are in the user settings block. So they vanish with a "del -all". If you have an old backup of user settings you might find the info ...

July 04, 2011, 04:55:49 pm
I think I've narrowed in on it. The ID used for the factory built-in ddns service is the DeviceID. The DeviceID is returned by the get_status.cgi call as variable 'alias'. If the returned value is empty, then the DeviceID is set to anonymous, see attached screenshot. If 'alias' contains data, then that is the DeviceID and is used by the built-in ddns and in other places. I don't think that I have a dump of the settings block before I wiped it clean. Thus, it would be useful if someone would do the dumps above and let me see the area where the DeviceID is stored. Obviously, for this to be of value, your camera has to have its DeviceID/alias set to some value.

July 04, 2011, 05:50:17 pm
OK, I solved the DeviceID issue, but I'd still love to see dumps of a virgin machine because I know of at least one other setting that is missing (the IP for the built-in DDNS service).

The DeviceID/alias is a NULL terminated string stored starting at location 0x7F1F0021. I don't know the maximum length but it may be the value stored at 0x7F1F0020, which is 12 (hex), in my case.

I successfully set my DeviceID/alias by entering the following string into a browser address field. The response was a web page containing only the word ok:

http://192.168.1.178/set_alias.cgi?alias=002exaf

Obviously, "192.168.1.178" would be whatever the correct IP for the camera is.

July 05, 2011, 02:16:44 am
hmmm...., the alias was something that I could set via the webui.
The alias initially was the device-id, but could be changed.
The alias name was used to identify the camera in the webui and the osd.
Setting the alias didn't change the url to the vendor ddns or the messages which device-id was updated at the vendor ddns.

The vendor DDNS isn't stored as an IP but as a URL, according to this log:
Code:
ntpc.c: can not resolve ntpserver(at.pool.ntp.org)'s ip
can not get dyndns server ip
check_ipid_shat_net: can not get ip of ipid.shat.net
will update 7988
update_7988: can not get server www.aipcam.com ip
ntpc.c: can not resolve ntpserver(at.pool.ntp.org)'s ip
ntpc.c: can not resolve ntpserver(at.pool.ntp.org)'s ip
ntpc adjust ok
will update 7988
update_7988: update ok

And, as I said, the alias and vendor DDNS are stored in the user settings block.

The alias is, as you stated correctly, at 0x7F1F0021,
and the URL and device-id [c1234] for the vendor DDNS are at around 0x7F1F0720.
Code:
Displaying memory at 0x7F1F0720 together with some info what page to call for ddns update

[7F1F0720] 00 00 00 0C 77 77 77 2E - 61 69 70 63 61 6D 2E 63  ....www.aipcam.c
[7F1F0730] 6F 6D 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  om..............
[7F1F0740] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0750] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0760] 00 00 00 00 00 50 00 63 - 31 32 33 34 00 00 00 00  .....P.c1234....
[7F1F0770] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0780] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0790] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07A0] 00 00 00 00 00 00 00 00 - 37 33 30 00 00 00 00 00  ........730.....
[7F1F07B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07D0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07E0] 00 00 00 00 00 00 00 00 - 00 2F 76 69 70 64 64 6E  ........./vipddn
[7F1F07F0] 73 2F 75 70 67 65 6E 67 - 78 69 6E 2E 61 73 70 00  s/upgengxin.asp.

The generic info can also be found at the (mirror) location for the factory defaults starting at 0x7F1F8000.

Boot info block:
Code:
Boot Loader Configuration:

        MAC Address         : 00:aa:bb:cc:dd:ee
        IP Address          : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : 115200
        USB Interface       : Enabled
        Serial Number       : 0x00112233

bootloader >d -b 0x7f010000
Displaying memory at 0x7F010000
[7F010000] 48 00 00 00 01 00 00 00 - 00 AA BB CC DD EE 00 00  H............6..
[7F010010] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010020] 01 00 00 00 01 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010030] 00 00 30 00 00 00 10 00 - 00 C2 01 00 00 00 00 00  ..0.............
[7F010040] 33 22 11 00 01 00 00 00 - FF FF FF FF FF FF FF FF  3...............
« Last Edit: July 05, 2011, 05:42:51 am by schufti »
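
An added example, not part of the original post: a decoder for a saved "BOOT INFO" (image 0) dump, useful for checking that a backup still carries the per-device fields before reflashing. The field offsets are inferred by lining up the printed Boot Loader Configuration with the dump bytes in this thread (MAC at 0x08, IP at 0x0E, buffer base/size and baud rate from 0x30, serial number at 0x40, all little-endian); they are an assumption, not a documented layout, and the sample values are constructed.

```python
import struct

# Constructed sample in the bootloader's "d -b" layout (placeholder MAC, IP and serial).
BOOT_SAMPLE = """\
[7F010000] 48 00 00 00 01 00 00 00 - 02 11 12 13 14 15 C0 A8  H...............
[7F010010] 00 0A 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010020] 01 00 00 00 01 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F010030] 00 00 30 00 00 00 10 00 - 00 C2 01 00 FF FF FF FF  ..0.............
[7F010040] 78 56 34 12 01 00 00 00 - FF FF FF FF FF FF FF FF  xV4.............
"""

def dump_bytes(text):
    """Concatenate the 16 data bytes of every '[ADDR] xx .. - xx ..' row."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # The 50 characters after ']' hold the hex column; drop the '-' separator.
            out += bytes.fromhex(line.split("]", 1)[1][:50].replace("-", " "))
    return bytes(out)

def parse_boot_info(text):
    """Decode the fields this thread identifies; offsets are inferred (see lead-in)."""
    raw = dump_bytes(text)
    if len(raw) < 0x44:
        raise ValueError("dump too short to contain the serial number field")
    (length,) = struct.unpack_from("<I", raw, 0x00)   # matches size:0x48 in 'ls'
    base, size, baud = struct.unpack_from("<III", raw, 0x30)
    (serial,) = struct.unpack_from("<I", raw, 0x40)
    return {
        "length": length,
        "mac": ":".join(f"{b:02x}" for b in raw[0x08:0x0E]),
        "ip": ".".join(str(b) for b in raw[0x0E:0x12]),
        "bl_buffer_base": base,
        "bl_buffer_size": size,
        "baud": baud,
        "serial": serial,
    }

if __name__ == "__main__":
    for key, value in parse_boot_info(BOOT_SAMPLE).items():
        print(f"{key:15} {value:#010x}" if isinstance(value, int) else f"{key:15} {value}")
```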

July 05, 2011, 09:37:21 am
Thanks. The alias cannot be set via the WansView NC-541/W webui. It is a read-only value that is displayed as DeviceID and is used to identify the device with the manufacturer's DDNS. It is interesting that when the factory loads the firmware via JTAG that they install a unique camera identifier as the DeviceID/alias.

I'll try loading what I think is needed at the addresses that you show. However, I suspect that the DDNS requires a password. This may be the DeviceID or a generic password, maybe 123456?

I think that when we advise that, prior to flashing new firmware, copies be made of the images, we should also advise copying image 0 and the settings block. You cannot recreate a like-new camera without them.

July 05, 2011, 12:11:00 pm
Bootloader, not important imho, but yeah, saving the 64kb data block would be useful.
Although this does get recreated on boot if it doesn't exist from what I see.

Datablock for that though is going to be camera specific to some degree.

July 05, 2011, 12:31:12 pm
I agree about the "BOOT INFO" block except that it can contain at least one field that may not be rebuilt, namely the serial number. In all cases where I have examined it, it was always set to all Fs, but that may not always be the case, and some firmware version might, in the future, use it.

The data block is vendor-specific, and even specific to a particular camera (DeviceID), and should be captured.

Lawrence, didn't I see a post where you purchased an NC-541/W? If so, and you haven't yet wiped the settings block, would you be willing to post a dump of the settings block?
Code:
d -b 0x7F1F0000
d -b 0x7F1F0100
d -b 0x7F1F0200

July 05, 2011, 01:22:24 pm
Schufti,

Interestingly, my 7F1F0720 block contains nothing. A similar looking block at 7F1F0820 contains a url that isn't remotely like the ddns listed on the bottom of the camera (nwsvr.com). The dns.camcctv.com shows up as a dead link in my browser.

Code:
bootloader > d -b 0x7F1F0720
Displaying memory at 0x7F1F0720
[7F1F0720] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0730] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0740] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0750] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0760] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0770] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0780] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0790] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07A0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07D0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07E0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F07F0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0800] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0810] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

Code:
Displaying memory at 0x7F1F0820
[7F1F0820] 00 00 00 00 00 00 00 00 - 00 00 64 6E 73 2E 63 61  ..........dns.ca
[7F1F0830] 6D 63 63 74 76 2E 63 6F - 6D 00 00 00 00 00 00 00  mcctv.com.......
[7F1F0840] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0850] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0860] 00 00 00 00 00 00 00 00 - 00 00 00 15 27 2C 01 00  ............',..
[7F1F0870] 00 01 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0880] 00 00 00 00 00 0C 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0890] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08A0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08B0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08C0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08D0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08E0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F08F0] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0900] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
[7F1F0910] 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................

« Last Edit: July 05, 2011, 01:24:55 pm by celem »

July 05, 2011, 01:34:03 pm
In my camera's 0x7F1F1020 memory block, there is a URL for http://www.cdlxkj.com/, which is the Chengdu Ideal Technology Development Co., Ltd. involved in research and development, manufacturing, sales and service network alarm operation of high-tech enterprise, involved in both product development and manufacturing, and operational services in the networking group of alarm companies.

I wonder if this is an artifact left over from some prior contract? It certainly seems unrelated to the WansView camera. Chengdu does show a camera among its products - http://en.cdlxkj.com/ProductShow.asp?ID=78, which, physically, is very different from the NC-541/W.

Code:
Displaying memory at 0x7F1F1020
[7F1F1020] 00000000 00000000 - 00000000 00000000  ................
[7F1F1030] 00000000 00000000 - 00000000 00000000  ................
[7F1F1040] 00000000 00000000 - 00000000 9ABD0000  ................
[7F1F1050] 0000440C 440C9ABD - 00000000 00000000  .D.....D........
[7F1F1060] 00000000 00000000 - 00000000 00000000  ................
[7F1F1070] 00000000 00000000 - 00000000 00000000  ................
[7F1F1080] 00000000 00000000 - 00000000 00000000  ................
[7F1F1090] 00000000 00000000 - 00000000 00000000  ................
[7F1F10A0] 00000000 00000000 - 00000000 00000000  ................
[7F1F10B0] 00000000 00000000 - 00000000 00000000  ................
[7F1F10C0] 00000000 00000000 - 00000000 00000000  ................
[7F1F10D0] 00000000 00000000 - 00000000 00000000  ................
[7F1F10E0] 00000000 00000000 - 00000000 00000000  ................
[7F1F10F0] 00000000 9ABD0000 - 7069440C 656D6163  .........Dipcame
[7F1F1100] 632E6172 6B786C64 - 6F632E6A 0000006D  ra.cdlxkj.com...
[7F1F1110] 00000000 00000000 - 00000000 00000000  ................

« Last Edit: July 05, 2011, 01:37:40 pm by celem »