
Topic: Firmware Recovery uvision

June 16, 2011, 04:57:51 am
Okay. I'm in with the UM232.

The output of bootloader
Quote
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 00:B8:00:01:3B:29
        IP Address          : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : -1
        USB Interface       : Disabled
        Serial Number       : 0xFFFFFFFF


For help on the available commands type 'h'

Press ESC to enter debug mode ....

bootloader > h

bootloader > ls -al
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux base:0x7F020000 size:0x000ADD50 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x0010BC00 exec:0x7F0E0000 -a

It seems there is no Webui Partition. Is the Webui then contained in romfs??

I just want to dump, translate the webui, put it back.


Okay, I computed the values:

Linux Dec size: 712016 /256 = 2781.3125

Will I have to use 2782 or 2781? Sorry, I have an English problem here: it says roundup in the tutorial but the next integer would be 2781.

Romfs Dec size: 1096704 /256= 4284

EDIT:

I managed to build a bin file for my romfs partition and mounted the partition; however, I don't find the files from the web interface. It seems to mount them on boot because they are in /home. But where are they in the romfs.bin? It won't display any webui address on the bootloader.
« Last Edit: June 16, 2011, 09:43:13 am by Borsti92 »

June 16, 2011, 09:58:37 am
The webui is in image 8. Image 8 was loaded with the -nofooter argument which makes it invisible to the ls command. If you were to reload your webui, you have two choices of how to load it:

fx 8 webui.bin 0x7f200000 0x7f200000 -a
 -or-
fx 8 webui.bin 0x7f200000 0x7f200000 -nofooter (if you want webui to be invisible to ls command)

June 16, 2011, 10:32:20 am
Hi,

no, the webui is in a hidden partition. Usually on 4MB devices it starts at 0x7F200000 with unknown size. If you use a size of 0xFFFFF for a start you should be ok. You can skip/cut the empty part in a next step.

If possible please post a full bootlog and dump of the linux, romfs and webui partition for future reference...

If you are using the Kermit/Jedit method you can safely just truncate the blockcount, as the script always dumps one block too many.... You can verify this by looking at the end of the file (will be all FF).
« Last Edit: June 16, 2011, 10:33:55 am by schufti »

June 16, 2011, 01:51:07 pm
@celem I'm actually dumping a working camera, so I do not have a webui.bin at the very beginning. I need to get the German language working in the webui or flash a new webui, because when I set my camera to German it says undefined on every text. However, there is a translation file in the home/german folder.

When I mount the romfs.bin I get a file structure, so this dump seems fine. The home folder is empty.

For the Linux kernel dump, I hope I did this correctly; I dumped with 2782, not 2781.

I will try to dump starting at 0x7F200000 tomorrow; the UM232 is at the office. I'm not sure if it is a 4MB or 2MB model. Will the position be different?

For cutting, you mean I can erase all FF lines at the end of the hex file, or do I need to stay in the 256-byte window to reflash later?


Will post all dumps and bootlog tomorrow from office.
« Last Edit: June 16, 2011, 01:55:39 pm by Borsti92 »

June 16, 2011, 02:24:57 pm
You DO have a webui. It is hidden in image 8, as I posted before

June 16, 2011, 06:42:13 pm
You can see that you have a 4MB device yourself looking at the bootlog:
Quote
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
You can cut any line with FF from the end to the first line with different content.
The fostar tool will take care of the different size ...

I think that just the German files are missing ....
Look in the home directory; there should be a subdirectory for each supported language with only a "string.js" in it. In the fw of my cam it is named "Deutsch"; maybe they didn't clone correctly and named it "german" ...
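
Added example, not part of any post in this thread: a Python sketch of the two calculations discussed above, the size/256 block count (rounded up) and cutting the 0xFF padding off a raw dump. The function names are hypothetical; the image table is the `ls -al` output quoted in the thread, and the dump bytes in the demo are constructed.

```python
import re

BLOCK = 256  # divisor used in the thread's size/256 calculation

# Image table copied from the bootloader "ls -al" output quoted in this thread.
LS_OUTPUT = """\
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux base:0x7F020000 size:0x000ADD50 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x0010BC00 exec:0x7F0E0000 -a
"""

IMAGE_RE = re.compile(
    r"Image:\s*(\d+)\s+name:(.+?)\s+base:(0x[0-9A-Fa-f]+)\s+"
    r"size:(0x[0-9A-Fa-f]+)\s+exec:(0x[0-9A-Fa-f]+)\s+(-\w+)"
)


def parse_images(text):
    """Return one dict per 'Image:' line of the bootloader listing."""
    images = []
    for m in IMAGE_RE.finditer(text):
        num, name, base, size, entry, flags = m.groups()
        images.append({"num": int(num), "name": name, "base": int(base, 16),
                       "size": int(size, 16), "exec": int(entry, 16),
                       "flags": flags})
    return images


def blocks_needed(size, block=BLOCK):
    """Whole blocks needed to cover `size` bytes (ceiling division)."""
    return -(-size // block)


def trim_dump(data, size=None):
    """Reduce a raw dump to the image bytes.

    Known size (image listed by ls): truncate to it, but refuse if the
    discarded tail holds anything other than 0xFF, since erased flash reads
    as 0xFF and real data there means the base or size is wrong.
    Unknown size (hidden image): strip the trailing 0xFF run. An image that
    genuinely ends in 0xFF bytes loses them, so keep the untrimmed dump too.
    """
    if size is None:
        return data.rstrip(b"\xff")
    if len(data) < size:
        raise ValueError("dump is shorter than the listed image size")
    if data[size:].strip(b"\xff"):
        raise ValueError("non-0xFF data past the image end")
    return data[:size]


if __name__ == "__main__":
    for img in parse_images(LS_OUTPUT):
        print(f"{img['num']} {img['name']:<10} base=0x{img['base']:08X} "
              f"size={img['size']:>8} blocks={blocks_needed(img['size'])}")
    # Constructed dump: 80 data bytes followed by erased-flash padding.
    raw = bytes(range(80)) + b"\xff" * (BLOCK - 80)
    print(len(trim_dump(raw)), len(trim_dump(raw, size=80)))
```
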

June 16, 2011, 07:00:32 pm
enter:
bootloader > d 0x7F200000 and see if you see HTML code there - you should!

Also, in my wansview NC541/W camera's webui, there is a deutsch folder.

June 17, 2011, 01:40:04 am
OK celem, I got it  :)

They actually have the string.js in the german, french, spanish folders. Renaming the folder to "Deutsch" gives an error in the console: do_file: can not find file german/string.js, so the folder name is correct.

When I copy the german/string.js to the english folder it also shows undefined on English, so there may be a bug in string.js for German, French,... probably the encoding is wrong.
« Last Edit: June 17, 2011, 03:10:26 am by Borsti92 »

June 17, 2011, 03:15:30 am
Bootlog:

Quote

W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 00:B8:00:01:3B:29
        IP Address          : 0.0.0.0
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : -1
        USB Interface       : Disabled
        Serial Number       : 0xFFFFFFFF


For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1452 R; 12TB 6
 08:08:33 CST 2010
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14616KB available (1274K code, 210K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options en
abled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options e
nabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F1EBBFF [VIRTUAL 7F0E0000-7F1EBBFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
rtusb init --->
usb.c: registered new driver rt2870
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
[8]
Command: sh

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :80fb4004-fed6c0
hub.c: new USB device 1, assigned address 2
probing sonix288 usb camera ...
dvm camera registered as video0
p1[7]:1,j 3,config->bNumInterfaces:4
usbaudio: device 2 audiocontrol interface 2 has 1 input and 0 output AudioStream
ing interfaces
usbaudio: valid input sample rate 16000
usbaudio: device 2 interface 3 altsetting 1: format 0x00000010 sratelo 16000 sra
tehi 16000 attributes 0x01
usbaudio: valid input sample rate 48000
usbaudio: device 2 interface 3 altsetting 2: format 0x00000010 sratelo 48000 sra
tehi 48000 attributes 0x01
usbaudio: registered dsp 14,35
usbaudio: warning: found 1 of 0 logical channels.
usbaudio: assuming the channel found is the master channel (got a Philips camera
?). Should be fine.
usbaudio: registered mixer 14,32
usb_audio_parsecontrol: usb_audio_state at 00ff3d80
new USB device :80fb4404-fed6c0
hub.c: new USB device 2, assigned address 3
sw version is 21.35.2.36
aw version is 0.9.3.4

Wait for auto-negotiation complete...OK
100MB - FULL
video0 opened
1
1
1
1
1
1
unknown command
__pthread_initial_thread_bos:3f8000
manage pid:14
2
2
2
2
2
2
Prepare Audio Buffer
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth0
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===default
*args===gw
*args===eth0
av client logon in 1642816681
bonjour callback: service registered
update_smarteye_ddns: update ddns ok
ntpc adjust ok
Jun 17 08:04:17 2011 bonjour: mDNSPlatformRawTime went backwards by 336497201 ti
cks; setting correction factor to 714342350

'Complete Firmware Dump'
http://www.insite-design.eu/camera/Uvision_Foscam_Clone_Boxcamera_with_Nightvision_Complete_fwdump.zip

Can someone check if I did the TXT > HEX > BIN conversion correctly and upload to the FILES section?
« Last Edit: June 17, 2011, 03:52:42 am by Borsti92 »

June 17, 2011, 04:52:52 am
Yes, the files look good.

And yes, the string.js in the german subdir is broken (look at the Chinese characters and English text at the end) ...

You could either try the one attached (extracted from the Apexis webui) or use the whole Apexis webui. It seems to be quite the same ...
« Last Edit: June 17, 2011, 05:38:52 am by schufti »

June 18, 2011, 08:07:42 am
Thank you very much, that did the trick.

I will try to make my own webui, because some of the functions are not logical. Also the window is really small. I will try to make it zoomable.

Assembling and disassembling works very well with the Fostar Tool. So I will keep you updated. Once ready, I will make a new thread and provide firmware improvements.

June 18, 2011, 08:20:18 am
You also should list /proc

and /dev

Useful stuff in there also (for noting what dev nodes things use, and drivers used etc).

I've uploaded this to the files section as the bin files, also listed the version on the webui.

Please provide the file locations and executable point so I can add to the folder.

(paste what comes back from an ls -al from the bootloader prompt).

Should be this:

Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af

Image: 7 name:linux base:0x7F020000 size:0x000ADD50 exec:0x00008000 -acxz
Image: 6 name:romfs base:0x7F0E0000 size:0x0010BC00 exec:0x7F0E0000 -a
Image: 8 name:webui base:0x7f200000 size:0x00xE5B90 exec:0x7f200000 -a


Added..





« Last Edit: June 18, 2011, 09:18:09 am by admin »

July 01, 2011, 12:16:35 pm
Locations are fine.


Here comes the list of /dev

Quote
drwxr-xr-x  1 0        0              32  Jan 01 1970  .
drwxr-xr-x  1 0        0              32  Jan 01 1970  ..
crw-------  1 0        0          5,   1  Jul 01 16:01 console
crw-------  1 0        0        196,   1  Jan 01 1970  display
lrwxrwxrwx  1 0        0               4  Jan 01 1970  dsp -> dsp1
crw-------  1 0        0         14,   3  Jan 01 1970  dsp0
crw-------  1 0        0         14,  19  Jan 01 1970  dsp1
crw-------  1 0        0         14,  35  Jan 01 1970  dsp2
crw-------  1 0        0         29,   0  Jan 01 1970  fb0
brw-------  1 0        0          3,   0  Jan 01 1970  hda
brw-------  1 0        0          3,   1  Jan 01 1970  hda1
brw-------  1 0        0          3,   2  Jan 01 1970  hda2
brw-------  1 0        0          3,  64  Jan 01 1970  hdb
crw-------  1 0        0         89,   0  Jan 01 1970  i2c0
crw-------  1 0        0         89,   1  Jan 01 1970  i2c1
crw-------  1 0        0        191,   1  Jan 01 1970  key
crw-------  1 0        0        192,   0  Jan 01 1970  keypad
crw-------  1 0        0          6,   0  Jan 01 1970  lp0
lrwxrwxrwx  1 0        0               6  Jan 01 1970  mixer -> mixer1
crw-------  1 0        0         14,   0  Jan 01 1970  mixer0
crw-------  1 0        0         14,  16  Jan 01 1970  mixer1
crw-------  1 0        0         14,  32  Jan 01 1970  mixer2
crw-------  1 0        0         10,   1  Jan 01 1970  mouse
crw-------  1 0        0         90,   0  Jan 01 1970  mtd0
crw-------  1 0        0         90,   2  Jan 01 1970  mtd1
brw-------  1 0        0         30,   0  Jan 01 1970  mtdblock0
brw-------  1 0        0         30,   1  Jan 01 1970  mtdblock1
brw-------  1 0        0         93,   1  Jan 01 1970  nftlA1
brw-------  1 0        0         93,   0  Jan 01 1970  nftla
crw-------  1 0        0          1,   3  Jan 01 1970  null
crw-------  1 0        0        108,   0  Jan 01 1970  ppp
crw-------  1 0        0        108,   1  Jan 01 1970  ppp1
crw-------  1 0        0          5,   2  Jan 01 1970  ptmx
drwxr-xr-x  1 0        0              32  Jan 01 1970  pts
crw-------  1 0        0          2,   0  Jan 01 1970  ptyp0
crw-------  1 0        0          2,   1  Jan 01 1970  ptyp1
crw-------  1 0        0          2,   2  Jan 01 1970  ptyp2
crw-------  1 0        0          2,   3  Jan 01 1970  ptyp3
crw-------  1 0        0          2,   4  Jan 01 1970  ptyp4
crw-------  1 0        0          2,   5  Jan 01 1970  ptyp5
crw-------  1 0        0          2,   6  Jan 01 1970  ptyp6
crw-------  1 0        0          2,   7  Jan 01 1970  ptyp7
crw-------  1 0        0          2,   8  Jan 01 1970  ptyp8
crw-------  1 0        0          2,   9  Jan 01 1970  ptyp9
crw-------  1 0        0        200,   0  Jan 01 1970  ptz0
brw-------  1 0        0         31,   0  Jan 01 1970  rom0
brw-------  1 0        0         31,   1  Jan 01 1970  rom1
brw-------  1 0        0         31,   2  Jan 01 1970  rom2
brw-------  1 0        0          8,   0  Jan 01 1970  sda
brw-------  1 0        0          8,   1  Jan 01 1970  sda1
brw-------  1 0        0          8,   2  Jan 01 1970  sda2
brw-------  1 0        0          8,  16  Jan 01 1970  sdb
brw-------  1 0        0          8,  17  Jan 01 1970  sdb1
brw-------  1 0        0          8,  18  Jan 01 1970  sdb2
crw-------  1 0        0        124,   0  Jan 01 1970  smartcard0
crw-------  1 0        0        124,   1  Jan 01 1970  smartcard1
crw-------  1 0        0          5,   0  Jan 01 1970  tty
crw-------  1 0        0          4,   1  Jan 01 1970  tty1
crw-------  1 0        0          4,  64  Jan 01 1970  ttyS0
crw-------  1 0        0          4,  65  Jan 01 1970  ttyS1
crw-------  1 0        0          4,  66  Jan 01 1970  ttyS2
crw-------  1 0        0          4,  67  Jan 01 1970  ttyS3
crw-------  1 0        0          3,   0  Jan 01 1970  ttyp0
crw-------  1 0        0          3,   1  Jan 01 1970  ttyp1
crw-------  1 0        0          3,   2  Jan 01 1970  ttyp2
crw-------  1 0        0          3,   3  Jan 01 1970  ttyp3
crw-------  1 0        0          3,   4  Jan 01 1970  ttyp4
crw-------  1 0        0          3,   5  Jan 01 1970  ttyp5
crw-------  1 0        0          3,   6  Jan 01 1970  ttyp6
crw-------  1 0        0          3,   7  Jan 01 1970  ttyp7
crw-------  1 0        0          3,   8  Jan 01 1970  ttyp8
crw-------  1 0        0          3,   9  Jan 01 1970  ttyp9
crw-------  1 0        0          1,   9  Jan 01 1970  urandom
drwxr-xr-x  1 0        0              32  Jan 01 1970  usb
crw-------  1 0        0        231,   0  Jan 01 1970  usi
crw-------  1 0        0         81,   0  Jan 01 1970  video0
crw-------  1 0        0         81,   1  Jan 01 1970  video1

and /proc

Quote
/proc> ls -al
dr-xr-xr-x 26 0        0               0  Jan 01 1970  .
drwxr-xr-x  1 0        0              32  Jan 01 1970  ..
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 1
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 14
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 15
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 17
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 18
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 2
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 20
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 21
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 22
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 26
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 28
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 3
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 30
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 4
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 5
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 6
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 7
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 8
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 9
dr-xr-xr-x  2 0        0               0  Jul 01 16:04 bus
-r--r--r--  1 0        0               0  Jul 01 16:04 cmdline
-r--r--r--  1 0        0               0  Jul 01 16:04 cpuinfo
-r--r--r--  1 0        0               0  Jul 01 16:04 devices
-r--r--r--  1 0        0               0  Jul 01 16:04 dma
dr-xr-xr-x  2 0        0               0  Jul 01 16:04 driver
-r--r--r--  1 0        0               0  Jul 01 16:04 execdomains
-r--r--r--  1 0        0               0  Jul 01 16:04 filesystems
-------r--  1 0        0               0  Jul 01 16:04 flash_4m
dr-xr-xr-x  2 0        0               0  Jul 01 16:04 fs
-r--r--r--  1 0        0               0  Jul 01 16:04 interrupts
-r--r--r--  1 0        0               0  Jul 01 16:04 iomem
-r--r--r--  1 0        0               0  Jul 01 16:04 ioports
-r--------  1 0        0        16781312  Jul 01 16:04 kcore
-r--------  1 0        0               0  Jul 01 16:04 kmsg
-r--r--r--  1 0        0               0  Jul 01 16:04 loadavg
-r--r--r--  1 0        0               0  Jul 01 16:04 locks
-r--r--r--  1 0        0               0  Jul 01 16:04 meminfo
-r--r--r--  1 0        0               0  Jul 01 16:04 misc
lrwxrwxrwx  1 0        0              11  Jul 01 16:04 mounts -> self/mounts
dr-xr-xr-x  3 0        0               0  Jul 01 16:04 net
-------r--  1 0        0               0  Jul 01 16:04 p1_p1
-r--r--r--  1 0        0               0  Jul 01 16:04 partitions
lrwxrwxrwx  1 0        0              64  Jul 01 16:04 self -> 9
-rw-r--r--  1 0        0               0  Jul 01 16:04 slabinfo
-r--r--r--  1 0        0               0  Jul 01 16:04 stat
-r--r--r--  1 0        0               0  Jul 01 16:04 swaps
dr-xr-xr-x  4 0        0               0  Jul 01 16:04 tty
-r--r--r--  1 0        0               0  Jul 01 16:04 uptime
-r--r--r--  1 0        0               0  Jul 01 16:04 version