
Author Topic: Firmware Recovery - method #2  (Read 203347 times)

August 08, 2011, 03:36:25 pm
Still smells like a bad ground connection to me.

November 15, 2011, 08:35:07 am
I'm getting the "CAPTURE: ERROR - FAILURE TO SEE THE BOOTLOADER PROMPT" error too - have I missed something when setting kermit95 up?

As it turns out, I needed to type this into kermit first:
set modem type direct
set port com1
set speed 115200
set carrier-watch off
set flow none
set parity none
« Last Edit: November 15, 2011, 08:49:10 am by steaky1212 »

December 13, 2011, 02:20:59 pm
I got this at the beginning, on the first line I have captured. Do I have to remove this line up to the beginning of the hex, or do I have to leave this line here?

Displaying memory at 0x400

When I have run the script in jEdit, at the end of the file I have one blank line and a few lines with ff ff ff ff ff etc. Do I also have to remove the lines with the ff in them?


December 13, 2011, 03:32:29 pm

Displaying memory at 0x400

should not be in the dumped files. This looks like some leftovers because the kermit script doesn't issue a "d" command without parameters. 0x400 is not in flash, so not interesting for dumping. Lines that are of interest look like
d -b 0x7F000000
Displaying memory at 0x7F000000
[7F000000] B4 01 9F E5 B4 11 9F E5 - 00 10 80 E5 00 00 0F E1  ................
[7F000010] C0 00 80 E3 00 F0 21 E1 - 00 00 A0 E3 A0 11 9F E5  ......!.........

or like
d -b 0x7F000000 Displaying memory at 0x7F000000 [7F000000] B4 01 9F E5 B4 11 9F E5 - 00 10 80 E5 00 00 0F E1  ................
[7F000010] C0 00 80 E3 00 F0 21 E1 - 00 00 A0 E3 A0 11 9F E5  ......!.........

depending on the editor you use

A blank line or lines with FF at the end can be omitted in most cases, but to be safe, look at the full dump and leave the FF up to the end of a 256-byte block.

December 14, 2011, 03:33:05 pm
Thanks for the help.
I have tried all the options to edit the captured files, but when I upload the file to my Foscam I get a different size for the linux and the romfs I uploaded to the cam.
The original size is different from the captured files; how is this possible?
Because I have done the count and divided by 256.
Can you help me please?

my linux.bin Base 0x7f020000 size 0x000bf7b0
my romfs.bin Base 0x7f0e0000 size 0x000b0800
I have 4 MB of memory on my cam.


December 14, 2011, 04:06:42 pm
The kermit script always does one block more than requested.

usually for the kernel and the webui you can see where the original ended.
the kernel is zipped and the end is 18 bytes after "50 4b 05 06" usually 00 00
the webui ends directly after a closing html tag "3C 2F 68 74 6D 6C 3E  </html>"
You should cut your files there.

For the romfs you can look for border between the 00 00 to FF FF filled area at the end and cut there.
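
The dump conversion and cut rules from the two replies above, as an added Python example (not code from the thread or from its CAPCAM kermit script). The function names and the sample dump are constructed for illustration, and the webui rule assumes the last `</html>` in the dump marks the end.

```python
import re

# One dump line: "[7F000000] B4 01 .. - 00 10 ..  ascii" (address + 16 hex bytes).
# Scanning the whole text handles both layouts quoted above: one dump line per
# text line, or the "d -b" echo joined onto the first dump line.
DUMP = re.compile(r"\[([0-9A-Fa-f]{8})\]((?:\s+-?\s*[0-9A-Fa-f]{2}\b){1,16})")

def dump_to_bytes(text, base):
    """Rebuild the binary from captured 'd -b' output that starts at base."""
    out = bytearray()
    for m in DUMP.finditer(text):
        addr = int(m.group(1), 16)
        if addr < base:                  # leftovers, e.g. a stray dump at 0x400
            continue
        if addr != base + len(out):      # dropped or repeated capture line
            raise ValueError(f"expected {base + len(out):#010x}, got {addr:#010x}")
        out += bytes.fromhex(m.group(2).replace("-", " "))
    return bytes(out)

def trim_kernel(data):
    """Zipped kernel: ends 18 bytes after the last 50 4B 05 06 signature."""
    i = data.rfind(b"PK\x05\x06")
    if i < 0 or i + 22 > len(data):
        raise ValueError("no complete ZIP end record in the dump")
    return data[:i + 4 + 18]

def trim_webui(data):
    """Webui: ends directly after </html> (assumed here: the last one)."""
    i = data.rfind(b"</html>")
    if i < 0:
        raise ValueError("no </html> in the dump")
    return data[:i + len(b"</html>")]

def trim_romfs(data):
    """Romfs: cut where the 00-filled tail meets the FF-filled area."""
    return data.rstrip(b"\xff")

# Constructed sample, not from a real camera: a leftover line, then two dump
# lines holding 4 filler bytes, a ZIP end record, and FF padding.
SAMPLE = """Displaying memory at 0x400
d -b 0x7F020000 Displaying memory at 0x7F020000 [7F020000] DE AD BE EF 50 4B 05 06 - 00 00 00 00 01 00 01 00  ....PK..........
[7F020010] 2E 00 00 00 40 00 00 00 - 00 00 FF FF FF FF FF FF  ....@...........
"""

if __name__ == "__main__":
    kernel = trim_kernel(dump_to_bytes(SAMPLE, 0x7F020000))
    print(len(kernel), kernel[-2:].hex())
```

The address check in `dump_to_bytes` stops on a dropped or duplicated line in the serial capture, which would otherwise shift every following byte in the rebuilt image.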

December 14, 2011, 04:19:37 pm
OK, thanks, but I have one other question.
My count, when I divide the size by 256, = 30636875; what do I have to do now?
Do I use size 3063, or do I use 3064, rounded up?


December 15, 2011, 02:09:59 am
It would be much easier if you paste holistic info (output of ls),
or just dump the full flash starting from 0x7f000000 with either 16383 blocks for 4MB or 8191 blocks for 2MB and I will dissect it for you.

December 16, 2011, 03:52:59 pm
Thanks, but I don't want you to do it for me because I want to learn it myself.
That's why I ask how to do it right, because of my uneven integer.

thank you again.

December 16, 2011, 07:51:05 pm
OK, but the number you gave can't be the remainder of a /256 division from one of the images.

30636875*256= approx 7GB

That is why I asked for the output of ls.

You take the size of an image, divide it by 256 and take the integer part of the result.
The romfs should always give an integer by itself (the size should be 0xYYYY00).
« Last Edit: December 17, 2011, 03:31:53 am by schufti »

December 17, 2011, 06:02:14 pm
My linux bin is base = 0x7f020000 size = 0x000bf7b0; bf7b0 divided by 256 = 30636875
My romfs bin is base = 0x7f0e0000 size = 0x000b0800; b0800 divided by 256 = 2824

That's my count on this.
But the 30636875 is not a rounded-up integer,
so I don't know if this is OK,

and whether I have to use 3063 or 3064 as the size to capture the firmware.


December 17, 2011, 06:32:52 pm
0xBF7B0 == 784304  divided by 256 = 3063.6875  so you would start the kermit script as
CAPCAM 0x7f020000 3063 kernel.txt

CAPCAM 0x7f0e0000 2824 romfs.txt

Don't forget to dump your webui, the bootinfo and the settings area.

I think the problem was that you didn't paste the decimal point, so I misinterpreted your numbers.

December 24, 2011, 04:39:39 pm
Hello! Thank you for your help!

I used these instructions and all the comments in this thread and made a successful recovery.

I have cameras with a Ralink Wi-Fi module. The other hardware is the same as the Foscam 9808W.

4 megs memory and 16 RAM.
Device Firmware Version
Device Embeded Web UI Version

I tried to find the original firmware, but the manufacturer ( does not share it on the internet.
I sent many mails but there is still no reply.
The seller tells me that the manufacturer does not give out their firmware because it is corporative secret files.

And now ... Anyone can fix our cameras with this firmware files. =)
But you must know ... it is our "corporative secret". =)

Sorry for my English.

W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on May 11 2010
Memory Size is 0x1000000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

        MAC Address         : 00:60:6E:ХХ:ХХ:ХХ
        IP Address          :
        DHCP Client         : Enabled
        CACHE               : Enabled
        BL buffer base      : 0x00300000
        BL buffer size      : 0x00100000
        Baud Rate           : -1
        USB Interface       : Disabled
        Serial Number       : 0xFFFFFFFF

For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1482 EA 6OA 16
 01:00:08 CST 2011
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14616KB available (1278K code, 206K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options en
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options e
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0D0000-7F1DBFFF [VIRTUAL 7F0D0000-7F1DBFFF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
usb-ohci.c: AMD756 erratum 4 workaround
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
rtusb init --->
usb.c: registered new driver rt2870
dvm usb cam driver by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
Command: sh
no support

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :80fb4004-fed740
hub.c: new USB device 1, assigned address 2
probing sonix288 usb camera ...
dvm camera registered as video0
p1[7]:1,j 3,config->bNumInterfaces:4
usbaudio: device 2 audiocontrol interface 2 has 1 input and 0 output AudioStream
ing interfaces
usbaudio: valid input sample rate 16000
usbaudio: device 2 interface 3 altsetting 1: format 0x00000010 sratelo 16000 sra
tehi 16000 attributes 0x01
usbaudio: valid input sample rate 48000
usbaudio: device 2 interface 3 altsetting 2: format 0x00000010 sratelo 48000 sra
tehi 48000 attributes 0x01
usbaudio: registered dsp 14,35
usbaudio: warning: found 1 of 0 logical channels.
usbaudio: assuming the channel found is the master channel (got a Philips camera
?). Should be fine.
usbaudio: registered mixer 14,32
usb_audio_parsecontrol: usb_audio_state at 00ff3b00
new USB device :80fb4404-fed740
hub.c: new USB device 2, assigned address 3
params length is 5428
sw version is
aw version is

Wait for auto-negotiation complete...OK
100MB - FULL
video0 opened
unknown command
do_zoom_stop: write error 5
manage pid:14
audio_dev.state not AU_STATE_RECORDING
inet_sr.c INET_rinput 321
inet_sr.c INET_setroute 75
ntpc adjust ok
Dec 24 19:40:48 2011 bonjour: mDNSPlatformRawTime went backwards by 659899678 ti
cks; setting correction factor to 294323915
bonjour callback: service registered
up wireless
0x1300 = 00064300
« Last Edit: December 26, 2011, 09:12:39 am by Zel »

December 25, 2011, 05:28:43 am
would be nice if you could dump the webui too, and make some pictures from the pcb. It may help identify the OEM.

December 25, 2011, 08:42:09 am
would be nice if you could dump the webui too, and make some pictures from the pcb. It may help identify the OEM.

Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000AE21C exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0D0000 size:0x0010C000 exec:0x7F0D0000 -a

I am not sure, but maybe the webui can work...
I can't extract it (IDK how). If someone can extract it, we will know whether the file is corrupt or not.
« Last Edit: December 25, 2011, 09:58:41 am by Zel »