Registered a URL and set up a forum, as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at

Author Topic: Firmware Recovery - method #2  (Read 206630 times)

February 17, 2011, 10:49:07 am
Step #1

For most firmware recovery, we'll need to solder in a serial connection.

This isn't too hard, it's only 4 connectors.

Locate J2 on the underside of the camera motherboard, and solder in 4 connectors.
Flip the board over again and plug in 4 cables to those 4 connectors.
You'll see that pin 4 says 3.3v next to it, and pin 1 says RX next to it so you can easily work out which pins are which.

Plug in your rs232-> ttl adaptor as follows.

Board #  -> rs232/ttl adaptor.
1   -> RX
2   -> TX 
3   -> GND
4   -> VCC

Once you have that, we can open up a terminal application (PuTTY is good, and is available on most operating systems).
Open up Putty, and set it to look for the serial port you are using.

Power up the camera, and you should see some text whiz by.  If so, all good, proceed to step 2.

Step #2


Download Kermit or CKermit as applicable for your OS -
Download the Kermit capture script attached to this post in the larger of the 2 zip files (capcam.kds)

Download Jedit
Download the Jedit script attached to this post in the larger of the 2 zip files (editcapture.bsh)

Then follow the instructions below:

Restoring a 541CPU.pcb Foscam clone camera.
Lloyd E. Sponenburgh 11/19/2010

Use the Serial port at 115200,8,N,1 and Xmodem CRC protocol.

We'll need a good camera to work from, so dig out the spare camera you have.  You do have one right?

Stop the camera at the bootloader, and list the rom files.

Code:

W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 0E:F2:B3:DC:0C:EF
        IP Address          :
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : 115200
        USB Interface       : Enabled
        Serial Number       : 0xFFFFFFFF

For help on the available commands type 'h'

Press ESC to enter debug mode

bootloader > ls -al
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000048 exec:0x7F010000 -f
Image: 7 name:linux base:0x7F020000 size:0x000BF700 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008FF80 exec:0x7F0E0000 -a
Image: 8 name:webui base:0x7F180000 size:0x0006F700 exec:0x7F180000 -a

You should see something similar to the above.

We're going to save the linux kernel, the romfs, and optionally the webui if you have one.  Don't worry if you don't have one, it's not essential.

Write down the image sizes for each image (except image 0, as that's the bootloader configuration), convert to decimal, and divide by 256.  You can do this easily in most calculator apps.

Let's try this with our linux kernel image.

The listing says the size is 0x000BF700

BF700 in decimal is 784,128.
784,128 / 256 = 3063

We need this for dumping the files from the ROM.  Why 256?  Because the bootloader lets us dump the ROM in 256-byte groups.
If the division results in a fraction, round up to the next whole integer.
E.g. if you get 254.5, round up to 255.

Repeat this for all the files you want to save.
You should now have 2 or 3 sets of figures.

Press Enter a few times to make sure that the bootloader has nothing in it, close PuTTY, and open up Kermit.

Press Alt-X in Kermit to take you to the Kermit command window.  Do a “take capcam.kds” to load the capture script.

We're now going to start capturing.
You should have the list of files handy, and your filesizes/256 handy.

Our linux file above looks like this
linux base:0x7F020000 size:0x000BF700  / filesize 3063

We're going to call the capcam script as follows.


For our linux file, this will look something like this:
“capcam 0x7f020000 3063 kernel.txt”

You'll see Kermit ask for 3063 pages of ROM dump, and then stop.
It might take a while!

Repeat the process for any other images you want.

romfs base 0x7f0e0000 size: 0x8FF80 / filesize 2304 (rounded up, as it's not an even number)
"capcam 0x7F0E0000  2304 romfs.txt"

Once you've saved your images, close Kermit, and open Jedit.

Open up one of the saved ROM files, and take a quick page through it in Jedit.
You should see pages and pages of something similar to the following:

Code:
Displaying memory at 0x400
[00000400] A5810004 B3E00000 - A3A00000 E49DF004  ................
[00000410] E52DE004 EBFFFFD3 - E3500000 A59F156C  ..-.......P.l...
[00000420] A3A00980 A5810004 - B3E00000 A3A00000  ................
[00000430] E49DF004 E52DE004 - EBFFFFCA E3500000  ......-.......P.
[00000440] A59F1548 A3A00840 - A5810004 B3E00000  H...@...........
[00000450] A3A00000 E49DF004 - E2800481 E3C00480  ................
[00000460] E35009FC 33A00B40 - 31A0F00E E59F151C  ..P.@..3...1....
[00000470] E5911004 E1500001 - 23A00000 33A00D80  ......P....#...3
[00000480] E1A0F00E E2800481 - E3C00480 E3500B40  ............@.P.
[00000490] 33A00D80 31A0F00E - E59F14F0 E5911004  ...3...1........
[000004A0] E1500001 23A00000 - 33A00B40 E1A0F00E  ..P....#@..3....
[000004B0] E2800481 E3C00480 - E3500B40 33A00D80  ........@.P....3
[000004C0] 31A0F00E E59F14C4 - E5911004 E1500001  ...1..........P.
[000004D0] 23A00000 33A00B40 - E1A0F00E E2800481  ...#@..3........
[000004E0] E3C00480 E350097C - 33A00B40 31A0F00E  ....|.P.@..3...1
[000004F0] E3500980 23A00000 - 33A00D80 E1A0F00E  ..P....#...3....

If so, all good, and we're ready to start.
Make sure that the first line of text in the file starts with the lines of hex.
If there is a blank line or two, remove it and make sure that it starts from the hex dump text.
Also make sure that the cursor is placed on the first character in the file before continuing.

Open up the Macro menu, and run the editcapture.bsh macro (downloaded from the link above)

It should go through the file, and parse it out to a list of hex, 16 bytes per line.
Page through the file again, and make sure it looks ok.

There should be nothing in the file except line after line of 16 hex values space separated similar to the below

Code:
E3 50 09 80 23 A0 00 00 33 A0 0D 80 E1 A0 F0 0E

Make sure any blank lines are removed from the top or bottom of the file (if there are any).

Save this new file as [some filename].hex

eg linux.hex or romfs.hex as appropriate.

Don't give up, we're almost done!

Our last step is to convert the hexdump back into a binary file.

We can use a Hex -> Binary converter from here for that (I've also attached it to this post).

Run the hexbin program with each file, and generate your binary image.

Repeat for each file you need converted.


Good, now you can upload the files to the board so we can share with others :)

I've attached Lloyd's writeup and binaries from his camera to this post also (misleadingly called 541cpu foscam clone recovery - Foscam doesn't make cameras, so it's hard to have any clones...).

Thanks to Lloyd for allowing us to redistribute this.
« Last Edit: June 04, 2011, 04:39:23 pm by admin »
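An added worked example (not from this post, and not the attached capcam/editcapture/hexbin scripts): a Python script that does the pages = size / 256 arithmetic above, turns a captured dump in the layout shown into raw bytes in one pass, and uses the bootloader's own ASCII column to check the byte order. It assumes the dump layout shown in the listing above; the two sample lines are copied from that listing, and the printable characters in the ASCII column show where each byte really sits in memory, which is what lets the script decide whether a printed 32-bit word has to be reversed before it is written out.

```python
import re
from math import ceil

# Constructed sample in the layout the W90P745 bootloader prints: a header line the
# parser must skip, then two dump lines copied from the capture shown in this post.
SAMPLE_DUMP = """Displaying memory at 0x400
[000004E0] E3C00480 E350097C - 33A00B40 31A0F00E  ....|.P.@..3...1
[000004F0] E3500980 23A00000 - 33A00D80 E1A0F00E  ..P....#...3....
"""

# [address] word word - word word  <16-char ASCII column>
LINE_RE = re.compile(
    r"^\[[0-9A-F]{8}\]\s+([0-9A-F]{8}) ([0-9A-F]{8}) - ([0-9A-F]{8}) ([0-9A-F]{8})  (.{0,16})",
    re.IGNORECASE)

def pages_for_image(size_hex: str, page_bytes: int = 256) -> int:
    """Pages to ask the bootloader for: image size / 256, rounded up (0x8FF80 -> 2304)."""
    return ceil(int(size_hex, 16) / page_bytes)

def _parse_line(line: str):
    """(four hex words, ASCII column) for a dump line; None for headers, prompts, blanks."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return (m.group(1, 2, 3, 4), m.group(5)) if m else None

def _word_bytes(word: str, little_endian: bool) -> bytes:
    # The bootloader prints 32-bit words; the ARM core stores them low byte first.
    b = bytes.fromhex(word)
    return b[::-1] if little_endian else b

def parse_dump(text: str, little_endian: bool = True) -> bytes:
    """Raw bytes from a captured dump; little_endian=False keeps each word in print order."""
    out = bytearray()
    for line in text.splitlines():
        parsed = _parse_line(line)
        if parsed:
            for w in parsed[0]:
                out += _word_bytes(w, little_endian)
    return bytes(out)

def ascii_column_agrees(text: str, little_endian: bool = True) -> bool:
    """True if every printable byte lands where the bootloader's ASCII column shows it."""
    for line in text.splitlines():
        parsed = _parse_line(line)
        if not parsed:
            continue
        data = b"".join(_word_bytes(w, little_endian) for w in parsed[0])
        for i, b in enumerate(data):
            if 0x20 < b < 0x7F and (i >= len(parsed[1]) or parsed[1][i] != chr(b)):
                return False
    return True
```

Run the ASCII check on a real capture before trusting the binary it produces; since pages are rounded up, also trim the output to the image's declared size.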

April 12, 2011, 03:25:08 pm
My script for SecureCRT:
Code:
#$language = "VBScript"
#$interface = "1.0"

' Dump the flash through the bootloader's "d -b" command, one 256-byte block per
' command, waiting for the prompt to come back before sending the next block.
Sub main
    Dim St
    Dim En
    Dim Addr

    crt.Screen.Synchronous = True

    ' Prompt returns a string, so convert to a number before doing arithmetic on it.
    St = CLng(crt.Dialog.Prompt("Please enter your start address: (Dec)", "Enter address", "2130771968", False))
    En = CLng(crt.Dialog.Prompt("Please enter your end address: (Dec)", "Enter address", "2132803583", False))

    For Addr = St To En - 255 Step 256
        crt.Screen.Send "d -b 0x" & Hex(Addr) & VbCr
        crt.Screen.WaitForString "bootloader >"
    Next

    crt.Screen.Synchronous = False
End Sub
Now the script for record is necessary. ;)

May 03, 2011, 12:07:39 pm
I found the recommended HexBin software unusable. I modified, and simplified, HexBin.c to only do hex to binary conversion, outputting to stdout, which I simply redirect to whatever filename I desire (source attached below). This method worked perfectly the first time, while Ramon van Bruggen's firmware download tool failed for me, producing a bad copy. Plus, method #2 has the benefit of being an all-Linux solution.
« Last Edit: May 03, 2011, 03:17:24 pm by celem »

May 12, 2011, 05:47:12 pm
Hello admin,

I tried to capture the files from my working cam. When I start Kermit with "capcam 0x7f020000 3064 file.txt" I receive an error message:


The cam is in the bootloader mode... so what's the reason for this message?


June 08, 2011, 10:27:57 am
This is the mainboard from a Uvision cam, which is similar to one of the Foscam models.

Can someone help identify the correct pins?

The +d -d pins you see are connected to WLAN.
The J2 is connected to the CCD sensor by cable.
« Last Edit: June 08, 2011, 11:13:43 am by Borsti92 »

June 08, 2011, 11:32:55 am
Pins 10 & 11 of the CPU (Nuvoton chip) are TXD0 and RXD0. It looks like they are not specifically routed to a connector on your board; their 2nd function is GPIO, but that doesn't seem to be used on your board either, although foreseen (tracks between U5 & U6 to R40, U6/p4).
« Last Edit: June 08, 2011, 11:35:13 am by schufti »

June 09, 2011, 10:48:10 am
You are right.

Pin 10 is on R40 and 11 on the missing U6.

Can I directly solder a TTL RS232 adapter to those pins? Do I need to remove R40 (the other side goes to U8)?

Where do I get the 3.3V? Can I take it from the J4 block on the board?
« Last Edit: June 09, 2011, 10:52:32 am by Borsti92 »

June 09, 2011, 11:31:31 am
You don't need the 3.3V for most interfaces, just TX, RX and ground/common. I use an FTDI converter similar to the UM232R ( Some folks modify the Nokia cable sold by DealExtreme (

June 09, 2011, 01:51:06 pm
Okay. I ordered the UM232R.

Thank you

June 09, 2011, 02:02:37 pm
No, R40 may be a pullup/pulldown that can stay. Try first with it in place; if it doesn't work, remove it.

There are a lot of shops that have a sale on those old serial cables since nobody is going to buy them any longer. Ever tried to download pictures from / upload mp3s to your mobile via serial connection?

And if your PC still has RS232, it is even cheaper....

June 09, 2011, 02:55:14 pm
...I ordered the UM232R...

I said "similar to the UM232R". I looked up my actual product - it is a "Kmtronic SS_FTDI" (

You can use the UM232R but the hookup will be MUCH more complex. If you can still cancel the UM232R order, I would do so.

Also, while I have not personally tried it, look at the attached photo that refers to the Nokia CA-42 cable, such as this clone

« Last Edit: June 09, 2011, 03:12:25 pm by celem »

June 10, 2011, 07:51:18 pm
For dumping, you want serial: my experience with USB-based adaptors is that they don't do flow control very well, so you get bad dumps.

On a different note, I've attached a Windows hex2bin binary of the C code posted in the first post in this thread.

May be useful to those on windows.

June 16, 2011, 01:56:51 am
I received the UM232R already. Now I see it has many more pins than the adaptor you use; I cannot find RX/TX on this one.

I have a PC with an RS232 interface card. Can I then solder the cables directly to RS232 to do the dump, and not need the FTDI and the 3.3V power?   What would the TTL adaptor be for? Is it only necessary when using USB?

Will I need to cross the cables (RX to TX on an RS232 plug)?
« Last Edit: June 16, 2011, 02:18:39 am by Borsti92 »

June 16, 2011, 04:45:03 am

No, it is dangerous to connect your PC RS232 (+12V/-12V) directly to the serial (0V/3.3V) on the camera.

From the module you only need RxD (5), TxD (1) and ground (7).   J2 should be set, J1 1&2 should be set.

Rx on board goes to Tx on cam, Tx on board goes to Rx on cam, gnd to gnd

Maybe you can find somebody more into hardware to assist with your project?
« Last Edit: June 16, 2011, 04:46:51 am by schufti »

July 22, 2011, 05:30:32 pm
I measured on my Foscam 8918 that between the third and first as well as the third and second points the voltage is 3.3V:

About the DealExtreme Nokia cable, which I received today: between white and green the voltage is 3.3V and between white and blue the voltage is 0.9V:

Which one is TX and which one is RX in the DX cable? Green or blue?