
Author Topic: AC13 Brookstone Rover  (Read 73777 times)

February 14, 2012, 02:09:47 pm
Hi all.

I have been a proud owner of the off-brand Loftek CXS 2200 and have been happily using it for the past year. I've even written a Chrome extension to act as a monitor to remotely view and control the camera when I am at work with much success- so needless to say I am rather familiar with at least the API for the camera.

Fast forward to last week and I came in possession of a Brookstone Rover and, unable to resist, quickly voided the warranty by unscrewing all fasteners and popped the top off. Imagine my surprise to discover that the innards looked almost exactly like that of my Loftek camera! It makes sense though when you consider that the camera platform contains:

  • WiFi Connectivity
  • A Camera
  • A Microphone
  • Toggle-able Infrared Control
  • Two Motors

So essentially it looks like they are using the camera platform as-is but utilizing the pan/tilt motors to drive the rover using left/right tank-tread style control. Brookstone lists the device as being "Designed and Manufactured by Brookstone and goes by the model number AC13". Upon connecting to the ad-hoc wifi that the rover creates I confirmed this by accessing the app-specified IP address (http://192.168.1.100) and logging in with user/pass: AC13/AC13. Poking around it is easy to see that the in-built web server responds to the expected decoder_control.cgi, get_camera_params.cgi, camera_control.cgi, etc. and even has the expected misspelling of "Device Embeded(sic) Web UI Version" in the Web UI. However, it does not appear to support the videostream.asf or videostream.cgi URLs.

Obviously no one has the firmware for this device yet, and I have thus far hit a brick wall trying to get any usable information from the Brookstone customer/technical service. However, I would like to be able to start hacking away at this device as soon as possible to accomplish three main goals:

  • Replace the alkaline batteries with a rechargeable Li-Poly battery. (Really? Less than 2.5 hours of usage requiring 6 AAs?!)
  • Connect the rover directly to my router rather than requiring a direct connection from the controlling device.
  • Create an app/extension that I can use to control the device.
  • Possibly utilize the IR to do some crazy stuff like control the television.

The first should be easy enough once I get my hands on the right battery and charging circuit. However, I will need firmware access to accomplish the others. There is a mysterious 3-pin port on the bottom of the device that Brookstone refuses to acknowledge, but I am thus far unable to determine if it is a serial/JTAG/proprietary port. I have a Bus Pirate on the way from China right now so I should be able to get info on that shortly.

So I guess the long and short of it is this: Does anyone else have any experience with this device? If so any info would be appreciated. The only other place that I can find that has relevant information was in this Android development thread that documents the binary protocol used. However, as I learn more information I will be sure to document it here and any other appropriate location.

February 14, 2012, 04:12:05 pm
how about publishing some pictures from the pcb?
if it's a US based company they should comply with the GPL

February 14, 2012, 04:16:59 pm
I will try to get some pictures up tomorrow night. Good call on the GPL compliance, however if they're only leveraging uCLinux and not necessarily modifying any portion of it they shouldn't be required to release any of their custom firmware right? If they're only using tools to host a web interface and proxying communication to a custom handler that should be well within the scope of the GPL.

February 15, 2012, 12:03:24 pm
In general, they are only allowed to keep code secret that was entirely written by them or only uses parts that don't require publishing of source (eg BSD et al).

But it is an old fight, if you have to open your source if it uses a gpl'd library, or is a kernel driver not running in userspace, etc

But it doesn't excuse them if they buy the camera as "black box" their product is based - although only in part - on a part that relies on gpl source .... but I'm only layman


February 18, 2012, 02:34:59 pm
Sorry for the delay, but here are the pictures and what little information can be gleaned at this time. The entire album of pictures can be viewed at the following location: Brookstone AC13 Rover

Pictures were taken with an iPhone 3S, so quality is not phenomenal. Click on the pictures for a full-sized image.

The virginal unmolested Rover:


The internal components after facing the wrath of the screwdriver and wire cutters:


A closer image of the main board:


Notes:
  • All of the connectors are secured in the sockets with a bit of malleable yet secure glue. Be careful when removing the connectors so that you do not break any wires. I used a pair of pliers with a healthy dose of patience and finesse.
  • The power leads are connected directly from the battery compartment (6AA -> ~9.0V) and soldered onto the main board instead of using a plug or connector. >:( Also, I didn't look too closely but I did not notice any power regulation circuitry, so be careful what you feed this device.
  • There is a decent amount of space in the shell behind the battery compartment. Probably enough to hold a properly sized Li-Po battery cell and charging circuitry.

A view of the flash chip underneath the wireless module:


A closer view of the top set of interface pads:


A closer view of the middle and bottom set of interface pads:


Notes:
  • The flash chip is labeled S29GL032N90TF1040 and is the expected 32Mbit (4MB) Spansion flash chip. (Datasheet)
  • The top set of interface pads are labelled:
    • GPIO17 (unconnected)
    • F_RST
    • GND
    • TXD0
    • RXD0
  • The connected pins of the top set are broken out into a reset button and a conveniently located three-pin interface port on the bottom of the rover. I should be able to use this port to access the serial console on the device, but since my TTL capable hardware is on the way I will have to wait until its arrival to confirm.
  • The middle set of interface pads are labelled:
    • IR+
    • IR-
    • +5V
    • DN0
    • DP0
    • GND
    These pads interface directly to the camera module and the IR module.
  • The bottom set of interface pads are labelled:
    • GPIO9
    • GPIO10
    • GND
    • +3.3V
    These pads are completely unconnected and are begging to be utilized for other purposes.

A view of the wireless interface module:


Notes:
  • The wireless module is listed as BL-RT3070-U2 and is the expected Ralink family of RT3070 single-chip USB wireless solutions found on most other IP cameras.

So this is all the information I have thus far. What do you think? Want any more information that I have access to at this time?

I will be sure to post any more information I can discover as it becomes available.

February 18, 2012, 04:10:56 pm
thanks, nice to see such simple design.

The next step would be dumping the fw and webui to look for modifications ...

February 22, 2012, 03:40:08 pm
Yeah. Will do so as soon as my hardware gets here from China. Delivery looks sometime between March 5 and 13  :o Since it looks like the system utilizes the 4MB flash chip that will hopefully give us some much appreciated room to modify and add additional components.

While I wait for that to get here I've been busying myself by working on some utilities to manage WebUI files based on some information found here on the site. Hopefully this will help make things go quickly once I can get a proper firmware dump from the device.

March 01, 2012, 02:12:22 pm
Well, I got my stuff and was able to connect to the device. Here is the boot log. Note that after the boot process finishes there is a pause and then it reboots. I think it'll do this until a device connects to its WIFI AP.

Code:
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

MAC Address         : 00:00:00:00:00:01
IP Address          : 0.0.0.0
DHCP Client         : Enabled
CACHE               : Enabled
BL buffer base      : 0x00300000
BL buffer size      : 0x00100000
Baud Rate           : 115200
USB Interface       : Enabled
Serial Number       : 0x00BC614E


For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1481 ?? 6?? 15 11:04:25 CST 2011
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14616KB available (1278K code, 206K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F172BFF [VIRTUAL 7F0E0000-7F172BFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
rtusb init --->
usb.c: registered new driver rt2870
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
[8]
Command: sh

Sash command shell (version 1.1.1)
/> new USB device :80fb4004-fed6c0
hub.c: new USB device 2, assigned address 2
new USB device :80fb4604-fed6c0
hub.c: new USB device 1, assigned address 3
probing sonix288 usb camera ...
dvm camera registered as video0
p1[7]:1,j 3,config->bNumInterfaces:4
usbaudio: device 3 audiocontrol interface 2 has 1 input and 0 output AudioStreaming interfaces
usbaudio: valid input sample rate 16000
usbaudio: device 3 interface 3 altsetting 1: format 0x00000010 sratelo 16000 sratehi 16000 attributes 0x01
usbaudio: valid input sample rate 48000
usbaudio: device 3 interface 3 altsetting 2: format 0x00000010 sratelo 48000 sratehi 48000 attributes 0x01
usbaudio: registered dsp 14,35
usbaudio: warning: found 1 of 0 logical channels.
usbaudio: assuming the channel found is the master channel (got a Philips camera?). Should be fine.
usbaudio: registered mixer 14,32
usb_audio_parsecontrol: usb_audio_state at 00ff3b20
params length is 3572
sw version is 1.5.0.0
aw version is 1.1.0.0
video0 opened
5 0
wifi car mode is 1
SIOCSIFFLAGS: Unknown error 1
0x1300 = 00073200
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth1
[29]
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===default
*args===gw
*args===eth1
__pthread_initial_thread_bos:294000
manage pid:32
Prepare Audio Buffer
usb.c: USB disconnect on device 2 address 2
RtmpOSNetDevDetach(): RtmpOSNetDeviceDetach(), dev->name=eth1!

Now, as far as dumping the firmware- I have tried many different software packages (screen, kermit, ZTerm, etc...) and many different keys, but when the message "Press ESC to enter debug mode" is displayed nothing I can do seems to force the bootloader into debug mode.

I know that my device is transmitting characters (verified in loopback mode) so I'm not positive what the problem is. Has anyone encountered this before?

March 01, 2012, 02:42:39 pm
Never mind regarding my problem regarding transmitting characters. Turns out I was using the wrong transmit pin on my device...  :-[ *derp*

March 01, 2012, 04:20:46 pm
Code:
Press ESC to enter debug mode .

bootloader > ls -al
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -af
Image: 7 name:linux base:0x7F020000 size:0x000AE264 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x00092C00 exec:0x7F0E0000 -a

So:

Image      Base        Size (Hex)  Pages
BOOT INFO  0x7F010000  0x00000048  1
linux      0x7F020000  0x000AE264  2786
romfs      0x7F0E0000  0x00092C00  2348
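
An added example, not code from the original thread: it parses the bootloader listing above, cross-checks the romfs entry against the Blkmem line in the boot log, and lists the flash ranges that no image covers, which a dump of the listed images alone would miss. The flash base address 0x7F000000 and all function names are assumptions made for this example.

```python
import re

# Copied from the bootloader "ls -al" output in the post above.
BOOTLOADER_LS = """\
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -af
Image: 7 name:linux base:0x7F020000 size:0x000AE264 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x00092C00 exec:0x7F0E0000 -a
"""

FLASH_SIZE = 0x400000    # "Flash Size is 0x400000 Bytes" in the boot log
FLASH_BASE = 0x7F000000  # ASSUMPTION: flash is mapped starting at this address
# Copied from the kernel boot log earlier in the thread.
BLKMEM_LINE = "0: 7F0E0000-7F172BFF [VIRTUAL 7F0E0000-7F172BFF] (RO)"

IMAGE_RE = re.compile(
    r"Image:\s*(?P<num>\d+)\s+name:(?P<name>.+?)\s+base:(?P<base>0x[0-9A-Fa-f]+)"
    r"\s+size:(?P<size>0x[0-9A-Fa-f]+)\s+exec:(?P<exec>0x[0-9A-Fa-f]+)\s+-(?P<flags>\w+)"
)


def parse_images(text):
    """Parse bootloader listing lines into dicts sorted by base address."""
    images = []
    for line in text.splitlines():
        m = IMAGE_RE.search(line)
        if not m:
            continue  # ignore prompts and blank lines
        base, size = int(m["base"], 16), int(m["size"], 16)
        images.append({"num": int(m["num"]), "name": m["name"], "base": base,
                       "size": size, "end": base + size,  # end is exclusive
                       "exec": int(m["exec"], 16), "flags": m["flags"]})
    return sorted(images, key=lambda i: i["base"])


def check_layout(images, flash_base, flash_size):
    """Return (problems, unlisted): layout errors and half-open address
    ranges of the flash that no listed image accounts for."""
    problems, unlisted = [], []
    cursor, flash_end = flash_base, flash_base + flash_size
    for img in images:
        if img["base"] < flash_base or img["end"] > flash_end:
            problems.append(f"{img['name']}: lies outside the flash window")
        if img["base"] < cursor:
            problems.append(f"{img['name']}: overlaps the previous image")
        elif img["base"] > cursor:
            unlisted.append((cursor, img["base"]))
        cursor = max(cursor, img["end"])
    if cursor < flash_end:
        unlisted.append((cursor, flash_end))
    return problems, unlisted


def blkmem_range(line):
    """Parse a kernel 'Blkmem' line into a half-open (start, end) range."""
    m = re.match(r"\d+:\s*([0-9A-Fa-f]+)-([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("not a Blkmem range line")
    return int(m.group(1), 16), int(m.group(2), 16) + 1


if __name__ == "__main__":
    imgs = parse_images(BOOTLOADER_LS)
    problems, unlisted = check_layout(imgs, FLASH_BASE, FLASH_SIZE)
    romfs = next(i for i in imgs if i["name"] == "romfs")
    agrees = blkmem_range(BLKMEM_LINE) == (romfs["base"], romfs["end"])
    print("romfs matches kernel Blkmem range:", agrees)
    for p in problems:
        print("PROBLEM:", p)
    for start, end in unlisted:
        print(f"unlisted 0x{start:08X}-0x{end - 1:08X} ({end - start} bytes)")
```
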

March 01, 2012, 10:05:37 pm
Okay, I was able to get the firmware files from the partitions and have attached them to this post.

Also I went ahead and wrote a conversion utility to convert the dump information to the binary format.

Now to figure out what goodies are contained within...

March 02, 2012, 02:27:55 pm
Back again with another installment. This time with both the raw dump from the WebUI memory layout (0x7F200000 - 0x7F2AFFFF) as well as the extracted contents. Enjoy!

Code:
[13:31:52] asuka:webui$ ls -go *
-rw-r--r--  1    1625 Mar  2 13:14 Factory_light.htm
-rw-r--r--  1    3471 Mar  2 13:14 Factory_mic.htm
-rw-r--r--  1    3066 Mar  2 13:14 Factory_motor.htm
-rw-r--r--  1    3356 Mar  2 13:14 Factory_video.htm
-rw-r--r--  1     797 Mar  2 13:14 acctronfactorytestforac13.htm
-rw-r--r--  1    1256 Mar  2 13:14 admin.htm
-rw-r--r--  1    1048 Mar  2 13:14 admin_content.htm
-rw-r--r--  1    1254 Mar  2 13:14 alias.htm
-rw-r--r--  1    1190 Mar  2 13:14 backup.htm
-rw-r--r--  1     994 Mar  2 13:14 factory.htm
-rw-r--r--  1     372 Mar  2 13:14 index.htm
-rw-r--r--  1     799 Mar  2 13:14 index1.htm
-rw-r--r--  1    1778 Mar  2 13:14 public.js
-rw-r--r--  1     933 Mar  2 13:14 reboot.htm
-rw-r--r--  1     928 Mar  2 13:14 reboots.htm
-rw-r--r--  1    1383 Mar  2 13:14 status.htm
-rw-r--r--  1    3622 Mar  2 13:14 style.css
-rw-r--r--  1    2018 Mar  2 13:14 upgrade.htm
-rw-r--r--  1    1635 Mar  2 13:14 user.htm
-rw-r--r--  1   11009 Mar  2 13:14 wireless.htm

codebase:
total 304
-rw-r--r--  1   155648 Mar  2 13:14 DVM_IPCam2.ocx

english:
total 40
-rw-r--r--  1   20179 Mar  2 13:14 string.js

images:
total 168
-rw-r--r--  1    3516 Mar  2 13:14 alarm.wav
-rw-r--r--  1   11886 Mar  2 13:14 down.bmp
-rw-r--r--  1   11758 Mar  2 13:14 left.bmp
-rw-r--r--  1    5288 Mar  2 13:14 light_down.gif
-rw-r--r--  1    5708 Mar  2 13:14 light_up.gif
-rw-r--r--  1    4193 Mar  2 13:14 mic_down.GIF
-rw-r--r--  1    4634 Mar  2 13:14 mic_up.gif
-rw-r--r--  1   11758 Mar  2 13:14 right.bmp
-rw-r--r--  1   11886 Mar  2 13:14 up.bmp

simple_chinese:
total 40
-rw-r--r--  1   20102 Mar  2 13:14 string.js

Note that I still have not seen hide nor hair of the internally referenced CGI scripts (which is really what I was after). Does anyone know where I can find these files on the file system?

Also, here is the info contained within romfs as well for completeness' sake with the extracted files attached. Not much but this is all of it:

Code:
[13:29:57] asuka:romfs_data$ ls -go *
bin:
total 1016
-rwxr-x---  1   76877 Mar  2 12:26 camera
-rwxr-x---  1   40713 Mar  2 12:26 dhcpc
-rwxr-x---  1   44766 Mar  2 12:26 dhcpcd
-rwxr-x---  1   24590 Mar  2 12:26 dhcpd
-rwxr-x---  1     929 Mar  2 12:26 fcc_ce.wlan
-rwxr-x---  1   21610 Mar  2 12:26 ifconfig
-rwxr-x---  1     234 Mar  2 12:26 init
-rwxr-x---  1   38300 Mar  2 12:26 iwconfig
-rwxr-x---  1   33630 Mar  2 12:26 iwpriv
drwxr-x---  6     204 Mar  2 12:26 mypppd
-rwxr-x---  1   28824 Mar  2 12:26 route
-rwxr-x---  1    2048 Mar  2 12:26 rt73.bin
-rwxr-x---  1   31043 Mar  2 12:26 sh
-rwxr-x---  1   48520 Mar  2 12:26 wetctl
-rwxr-x---  1   96327 Mar  2 12:26 wpa_supplicant

dev:
total 0
drwxr-x---  2    68 Mar  2 12:26 pts
drwxr-x---  3   102 Mar  2 12:26 usb

etc:

flash:

home:

proc:

swap:

tmp:

usr:

var:
total 0
drwxr-x---  2   68 Mar  2 12:26 run
« Last Edit: March 02, 2012, 02:39:15 pm by ArminTamzarian »

March 02, 2012, 03:58:07 pm
it's the "camera" binary that does all the magic. It is init, webserver, cgi, you name it.

Most likely it is a quick 'n' dirty copy & paste job of mostly open source code parts and should therefore be published but sue the Chinese ...

March 02, 2012, 04:45:45 pm
Good call. I double checked and after unpacking the executables I was able to extract the following strings:

Code:
bFLT
VUUU
I,X!
BNEG
.\gfff
gfff
@ #!
@ #!
@ c!
@ c!
video stop
audio stop
host stop
av stop
switch wifi car toy mode
malloc memory error size:%d times:%d !
ifconfig eth1 up
eth1
ifconfig eth1 down
192.168.1.100
255.255.255.0
192.168.1.1
/etc/rt73sta.dat
open /etc/rt73sta.dat error
/etc/RT2870STA.dat
open /etc/RT2870STA.dat error
Adhoc
Infra
[Default]
SSID=%s
NetworkType=%s
Channel=%d
AuthMode=OPEN
EncrypType=NONE
AuthMode=WEPAUTO
EncrypType=WEP
DefaultKeyID=%d
Key1Type=%d
Key2Type=%d
Key3Type=%d
Key4Type=%d
Key1Str=%s
Key2Str=%s
Key3Str=%s
Key4Str=%s
AuthMode=WPAPSK
EncrypType=TKIP
WPAPSK=%s
AuthMode=WPANONE
EncrypType=AES
WPAPSK=%s
AuthMode=WPAPSK
EncrypType=AES
WPAPSK=%s
AuthMode=WPA2PSK
EncrypType=AES
WPAPSK=%s
AuthMode=WPANONE
EncrypType=TKIP
WPAPSK=%s
AuthMode=WPA2PSK
EncrypType=TKIP
WPAPSK=%s
ifconfig eth1
 netmask
route add -net 255.255.255.255 netmask 255.255.255.255 eth1
/etc/dhcpd.conf
subnet %s
/etc/dhcpd.iplist
dhcpd eth1 &
route add default gw
 eth1
/etc/host.conf
open host.conf error
order bind
/etc/resolv.conf
open resolv.conf error
nameserver 202.96.128.166
nameserver 202.96.134.133
nameserver %s
up wireless
[Default]
CountryRegion=5
Channel=0
%s: open /etc/RT2870STA.dat error
do_wifi_scan
%s: ioctl SIOCSIWSCAN failed
%s: ioctl SIOCGIWSCAN failed %d
get_wifi_scan_result
params length is %d
read factory params error !
factory params zone not inited !
factory params zone checksum uncorrect!
can not allocte enough memory for reinit factory zone !
AC13
reinit factory zone error !
read camera params error !
camera params zone not inited !
camera params zone checksum uncorrect!
reinit camera params zone error !
sw version is %s
/proc/flash_4m
aw checksum not correct !
aw not exist !
can not allocte enough memory for read aw!
read aw error !
aw has error format: file is too long
/home
read aw error: can not create file !
aw has error format: filename is too long
aw has error format: size not match %d %d
aw size exceed %d!
aw version is %s
ifconfig lo 127.0.0.1
/dev/video0
open video device error
%d %d
/proc/net/vt6656
/proc/net/zd1211b
/proc/net/rt2571wf
/proc/net/rt3070
can not find wifi network device !
/proc/wau8812
/proc/ac97
/proc/p1_p1
wifi car mode is %d
AC13_%s
restore factory params
write camera params error !
write factory params error !
aw upgrade file has error format !
%s: malloc memory failed
WriteAW
aw upgrade file has error checksum !
encode error
/dev/i2c0
can not open i2c device
write i2c error
read i2c error
get image err
try to reopen video
MO_O
MO_V
GET
POST
?456789:;<=
 !"#$%&'()*+,-./0123
/dev/dsp
open audio device error
/dev/mixer
/dev/dsp0
/dev/mixer0
open mixer device error
/dev/dsp2
/dev/mixer2
create audio msg queue error!
create audio thread error!
audio = 1
audio = 0
speak = 1
speak = 0
audio timeout
create video msg queue error!
create video thread error!
send video msg error!
create av msg queue error!
create host thread error!
create av thread error!
recv a opr video end from client %d
MO_O
MO_I
create socket error !
bind error !
create listen socket error !
listen error !
/home
accept socket error !
255.255.255.255
192.168.1.100
255.255.255.0
192.168.1.1
send av msg error!
send av keep alive
av wait connect timeout %d
av connection %d is disconnected
MO_V
av stop video %d
send audio msg error
av client logon in %d
audio lost 128
av client %d send error %d
%02x
set_param: can not malloc memory
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
</BODY></HTML>
HTTP/1.1 401 Unauthorized
Server: Netwave IP Camera
Date: %s
WWW-Authenticate: Basic realm="AC13_%s"
Content-Type: text/html
Content-Length: %d
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/plain
Content-Length: %d
Cache-Control: no-cache
Connection: close
<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>%d %s</H4>
</BODY></HTML>
HTTP/1.1 %d %s
Server: Netwave IP Camera
Date: %s
Content-Type: text/html
Content-Length: %d
Connection: close
%a, %d %b %Y %H:%M:%S GMT
process_HTTP_REQ: can not find the first line
Authorization:
Basic
process_HTTP_REQ: Authorization must be Basic
get_auth_info: auth word is too long
Content-Length:
Content-Type:
boundary=
process_HTTP_REQ: can not find the end of http head
post
process_HTTP_REQ: not support this method %s
Not Implemented
Method is not implemented.
process_HTTP_REQ: only support absolute path
Bad Request
Bad filename.
index.htm
.cgi
process_HTTP_REQ: http frame size exceed 8192
process_HTTP_REQ: can not recv total http head
process_HTTP_REQ: head is over 768 bytes. It's Hack attack !!!
Can't parse request.
.ocx
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/octet-stream
Content-Length: %d
Connection: close
.exe
.cab
.rar
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/rar
Content-Length: %d
Connection: close
.zip
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/zip
Content-Length: %d
Connection: close
.css
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/css
Content-Length: %d
Cache-Control: private
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/javascript
Content-Length: %d
Cache-Control: private
Connection: close
.jpg
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: image/jpeg
Content-Length: %d
Cache-Control: private
Connection: close
.gif
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: image/gif
Content-Length: %d
Cache-Control: private
Connection: close
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: text/html
Content-Length: %d
Cache-Control: private
Connection: close
do_file: can not find file %s
Not Found
File not found.
decoder_control.cgi
decoder control.cgi
wifi_car_control.cgi
camera_control.cgi
get_wifi_link.cgi
restore_factory.cgi
upgrade_firmware.cgi
upgrade_htmls.cgi
get_params.cgi
set_params.cgi
wifi_scan.cgi
get_wifi_scan_result.cgi
check_user.cgi
backup_params.cgi
restore_params.cgi
do_cgi: unknown cgi
user
/proc/net/wireless
eth1
var link_quality=%d;
var signal_level=%d;
var noise_level=%d;
command
next_url
error: illegal params.
param
value
var %s='
sys_ver
app_ver
alias
adhoc_ssid
username
userpwd
var resolution=%d;
mask
gateway
var port=%d;
wifi_ssid
var wifi_encrypt=%d;
var wifi_defkey=%d;
wifi_key1
wifi_key2
wifi_key3
wifi_key4
var wifi_authtype=%d;
var wifi_keyformat=%d;
var wifi_key1_bits=%d;
var wifi_key2_bits=%d;
var wifi_key3_bits=%d;
var wifi_key4_bits=%d;
wifi_wpa_psk
port
resolution
wifi_encrypt
wifi_defkey
wifi_authtype
wifi_keyformat
wifi_key1_bits
wifi_key2_bits
wifi_key3_bits
wifi_key4_bits
reboot
error: this cgi only support post method.
error: illegal file.
/swap/firmware.bin
error: busy, try later.
error: system error, try later.
error: illegal http frame.
error: network error.
var ap_bssid=new Array();
var ap_ssid=new Array();
var ap_mode=new Array();
var ap_security=new Array();
ap_bssid[%d]='%02x%02x%02x%02x%02x%02x';
%s[%d]='
ap_ssid
ap_mode[%d]=%d;
ap_security[%d]=%d;
var ap_number=%d;
HTTP/1.1 200 OK
Server: Netwave IP Camera
Date: %s
Content-Type: application/octet-stream
Content-Length: %d
Content-disposition: filename="params.bin"
Connection: close
/dev/ptz0
can not open ptz device !!!
/dev/i2c0
%s: can not open i2c device
_i2c_read
%s: read i2c error
_i2c_write
%s: write i2c error
Not enough memory in %s %d.
Msg.c
Init mutex for msg mutex failed!
Init semphore for msg consumer failed!
Init semphore for msg producer failed!
Not enough memory in %s %d.
Help/C_List.c
***********testsigpipe*************
manage pid:%d
__pthread_initial_thread_bos:%x
********************************
cntpair is %d
*******************l is %x
,`Can not open File :%s
Read Header Failed
Magic %x,Versoin %d
Invalid Magic
Please use 'genbin' to create image file
linux.bin
romfs.img
Malloc %d memory failed
%x :blockSize <=0
Buffer length is less than image_footer->length when read_func==NULL
Block Not Alignment
Write Firmwate Corrupt
image_footer->image_checksum:%x,sum:%x
image_footer->checksum:%x,sum:%x
Buffer length(%d) is less than image_footer->length(%d) when write_func==NULL
Can not find image %d
????
%m/%d/%y
%Y-%m-%d
%H:%M
%H:%M:%S
()*+
,M4.1.0,M10.5.0
/etc/TZ
$VVZ
 $(,048<CJR\eluy}
6<BFKPWair{~
ASCII
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
June
July
August
September
October
November
December
%a %b %e %H:%M:%S %Y
%m/%d/%y
%H:%M:%S
%I:%M:%S %p
^[yY]
^[nN]
(nil)
(null)
hlLq
%n[csoupxXid
/bin/sh
""##$$$%%&&
 +0-#'I
npxXoudifFeEgGaACScs
hlLjztqZ
Unknown error
Success
Operation not permitted
No such file or directory
No such process
Interrupted system call
Input/output error
No such device or address
Argument list too long
Exec format error
Bad file descriptor
No child processes
Resource temporarily unavailable
Cannot allocate memory
Permission denied
Bad address
Block device required
Device or resource busy
File exists
Invalid cross-device link
No such device
Not a directory
Is a directory
Invalid argument
Too many open files in system
Too many open files
Inappropriate ioctl for device
Text file busy
File too large
No space left on device
Illegal seek
Read-only file system
Too many links
Broken pipe
Numerical argument out of domain
Numerical result out of range
Resource deadlock avoided
File name too long
No locks available
Function not implemented
Directory not empty
Too many levels of symbolic links
No message of desired type
Identifier removed
Channel number out of range
Level 2 not synchronized
Level 3 halted
Level 3 reset
Link number out of range
Protocol driver not attached
No CSI structure available
Level 2 halted
Invalid exchange
Invalid request descriptor
Exchange full
No anode
Invalid request code
Invalid slot
Bad font file format
Device not a stream
No data available
Timer expired
Out of streams resources
Machine is not on the network
Package not installed
Object is remote
Link has been severed
Advertise error
Srmount error
Communication error on send
Protocol error
Multihop attempted
RFS specific error
Bad message
Value too large for defined data type
Name not unique on network
File descriptor in bad state
Remote address changed
Can not access a needed shared library
Accessing a corrupted shared library
.lib section in a.out corrupted
Attempting to link in too many shared libraries
Cannot exec a shared library directly
Invalid or incomplete multibyte or wide character
Interrupted system call should be restarted
Streams pipe error
Too many users
Socket operation on non-socket
Destination address required
Message too long
Protocol wrong type for socket
Protocol not available
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported by protocol
Address already in use
Cannot assign requested address
Network is down
Network is unreachable
Network dropped connection on reset
Software caused connection abort
Connection reset by peer
No buffer space available
Transport endpoint is already connected
Transport endpoint is not connected
Cannot send after transport endpoint shutdown
Too many references: cannot splice
Connection timed out
Connection refused
Host is down
No route to host
Operation already in progress
Operation now in progress
Stale NFS file handle
Structure needs cleaning
Not a XENIX named type file
No XENIX semaphores available
Is a named type file
Remote I/O error
Disk quota exceeded
No medium found
Wrong medium type
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

Unpacked camera executable included for those interested. Also, I found what I was looking for. Specifically a cgi to control the rover itself in Factory_motor.htm and verified to be in the camera executable: wifi_car_control.cgi
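
An added example, not code from the original thread: a small triage pass over `strings` output that sorts lines like the ones above into review categories (CGI endpoints, hard-coded addresses, weak wireless modes, HTTP auth scheme) for a firmware security review. The category names, the prefix list for state-changing endpoints, and the review notes are assumptions of this example; the sample is an excerpt copied from the listing above.

```python
import ipaddress
import re

# Excerpt copied from the strings listing in the post above (not the full dump).
SAMPLE_STRINGS = """\
192.168.1.100
255.255.255.0
192.168.1.1
AuthMode=OPEN
EncrypType=NONE
AuthMode=WEPAUTO
EncrypType=WEP
AuthMode=WPA2PSK
EncrypType=AES
nameserver 202.96.128.166
nameserver 202.96.134.133
Server: Netwave IP Camera
WWW-Authenticate: Basic realm="AC13_%s"
decoder_control.cgi
wifi_car_control.cgi
upgrade_firmware.cgi
upgrade_htmls.cgi
set_params.cgi
restore_factory.cgi
/swap/firmware.bin
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CGI_RE = re.compile(r"^[A-Za-z_][\w ]*\.cgi$")
WEAK_WIFI = {"AuthMode=OPEN", "EncrypType=NONE", "AuthMode=WEPAUTO",
             "EncrypType=WEP", "EncrypType=TKIP"}
STATE_CHANGING = ("upgrade_", "restore_", "set_")  # assumed naming heuristic


def is_netmask(addr):
    """True when the address bits are contiguous ones followed by zeros."""
    inverted = int(addr) ^ 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def triage(text):
    """Sort strings-output lines into review categories (sorted, de-duplicated)."""
    found = {k: set() for k in ("cgi", "state_changing_cgi", "local_ip",
                                "external_ip", "weak_wifi", "http_auth",
                                "server_banner")}
    for raw in text.splitlines():
        line = raw.strip()
        if CGI_RE.match(line):
            found["cgi"].add(line)
            if line.startswith(STATE_CHANGING):
                found["state_changing_cgi"].add(line)
        if line in WEAK_WIFI:
            found["weak_wifi"].add(line)
        if line.lower().startswith("www-authenticate:"):
            found["http_auth"].add(line.split(":", 1)[1].split()[0])
        if line.lower().startswith("server:"):
            found["server_banner"].add(line.split(":", 1)[1].strip())
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(token)
            except ipaddress.AddressValueError:
                continue  # dotted number that is not a valid address
            if is_netmask(addr):
                continue
            key = "local_ip" if any(addr in n for n in RFC1918) else "external_ip"
            found[key].add(token)
    return {k: sorted(v) for k, v in found.items()}


def review_notes(found):
    """Turn triage results into items for a reviewer to verify on the device."""
    notes = []
    if "Basic" in found["http_auth"]:
        notes.append("HTTP Basic auth: credentials are only base64-encoded; "
                     "check whether the transport is encrypted.")
    if found["weak_wifi"]:
        notes.append("Firmware can write open/WEP/TKIP wireless profiles: "
                     + ", ".join(found["weak_wifi"]))
    if found["external_ip"]:
        notes.append("Hard-coded external addresses: "
                     + ", ".join(found["external_ip"]))
    if found["state_changing_cgi"]:
        notes.append("Confirm authentication is enforced on: "
                     + ", ".join(found["state_changing_cgi"]))
    return notes


if __name__ == "__main__":
    for note in review_notes(triage(SAMPLE_STRINGS)):
        print("-", note)
```
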

March 04, 2012, 08:38:48 am
Looks exactly the same as the usual firmware too.