Firmware Recovery - method #2

hi guys
Help me please!
I bought my camera here http://www.ebay.co.uk/itm/140995053856?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1439.l2649
I mistakenly flashed the firmware from another camera http://www.wansview.com/index.php/h-264-ip-camera/708-ncz-625w
The camera works, but the web interface does not work, asks for a password and username at the entrance, but then everything in 404 pages.
I want to restore the firmware via tftp.
Please help me find rs-232 connector on the PCB.
Foto PCB http://fotkidepo.ru/?id=album:51275

hey, is there any way to change the MAC adress of a EasyN FS-613B-M1661 camera? Mine is working fine after recovery, but i have 2 cameras with the same MAC adresses and its creating issues.

Hello,
I'm having problem finding the files. Bin (visiondigi_product_update.bin and u-boot.bin.img)
be you could help me, following the end of the reading error,
My email: roberto@omosquito.com.br
thank you
Roberto

Reading: ...

u-boot 2008.10 dirty-svn1130 -  2 2 2012  - 12:02:43
lau engine V.5.0.2
busybox v1.1.2 - 2011.05.11
vr98xx 2.14.2012
------------------
product_update.bin
file: visiondigi_ product_update.bin
mac ce:af:40:61:07:04
----------------------------
UPDATE Fhash
UHisilicon ETH net controler
MAC:   CE-AF-40-61-07-04
-------------------------
update visiondigi=============
Hisilicon ETH net controler
miiphy_register: non unique device name '0:02'
miiphy_register: non unique device name '0:03'
MAC:   CE-AF-40-61-07-04
Up/Down PHY not link.
--------------------------------------------------------------------------
ERROS: Usb auto update detecting ......
ERR: file <product_update.bin> not found
ERR: file <visiondigi_product_update.bin> not found
ERR: update image/config not found, slip update
----------------------------------------------------------------------------
====================================================================================================
Informe:
LIBDVR : **********************************************************************
LIBDVR : |                      SYSTEM INFO

LIBDVR : |     VR98XX PRODUCTID:        0x80000054 - Complie time Feb 14 2012 14
:02:08
SystemGetVGAPixel VGA <3> 0:1080p, 1:1280*1024, 2:1280*720, 3:1024*768,  4:800*6
00
LIBDVR : |     VR98XX PRODUCT_TYPE:<84>. VGA <3>
LIBDVR : |    svn:.
LIBDVR : |    FrontBoard type 0xff
LIBDVR : **********************************************************************
SystemGetVGAPixel VGA <3> 0:1080p, 1:1280*1024, 2:1280*720, 3:1024*768,  4:800*6
00
LIBDVR : Chip_Init------LocalChipID:0, 0#######
LIBDVR : ########total  chip is : 1########
LIBDVR : ##############chipMode:0##############
LIBDVR : This Device ChipNum is 1, product type is 84.videoStd is 1
LIBDVR : total_chn:8
LIBDVR : #####DCM_Init########
rm: cannot remove `/var/usr/Sofia': No such file or directory
rm Sofia from RAM

I have the same proble as rusty, but didnt see the solution. Does anyone know what is this about?

CAPTURE: ERROR - FAILURE TO SEE BOOTLOADER PROMPT "bootloader > "

Hello,

i was trying to update my Tenvis 3815W/TR3818 (i think its a Foscam US8908w clone) but it just did brick my cam.
The only hope i have right now, is to fix the cam with a firmware recovery but i cant find the right pins for the serial connection.

Here is a picture of the PCB, i hope someone could help me to find the right pins.

Here is a picture of the PCB, i hope someone could help me to find the right pins.

I've put red rectangle around serial connector on your board:


Baud rate: 57600
Data: 8
Stop: 1
Parity: None
Flow: None

To enter uboot you need to press 4 when asked.

Hi, i have bricked my Tenvis 3815W on a bad update, i have the same PCB of TomThedragon (thx to yuri for details about jtag) but now im not sure at 100% about what file i need to upload to my cam for bring back it to life and not to make more troubles... someone could help me? thx in advence! and sorry for my poor english

Big thx to Yuri for the help with the pins and sorry for my late answer, i was quite busy..

Okay i could get a connection over the native COM port of my computer with help of an serial2ttl adapter but i got stuck shortly after that, because my cam seems to use a different software :/

Here is a log of the console if i let the cam boot:

Code: [Select]

U-Boot 1.1.3 (Dec 18 2013 - 22:50:18)

Board: Ralink APSoC DRAM:  16 MB
relocate_code Pointer at: 80fb4000
spi_wait_nsec: 42
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000
.*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 3.6.0.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 128 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 16 MBytes
Flash component: 8 MBytes NOR Flash
Date:Dec 18 2013  Time:22:50:18
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 360 MHZ ####
 estimate memory size =16 Mbytes
raspi_read: from:80028 len:6
.
start time:31591247l
File: cmd_net.c, Func: do_my_tftpb, Line: 69

 netboot_common, argc= 3

 NetTxPacket = 0x80FE6E80

 KSEG1ADDR(NetTxPacket) = 0xA0FE6E80

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 Header Payload scatter function is Disable !!

 ETH_STATE_ACTIVE!!
Using Eth0 (10/100-M) device
TFTP from server 172.119.238.119; our IP address is 192.168.2.66
Filename 'xx.img'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: ====================broadcast get file
T ====================broadcast get file

 could not get file, cancel update
ret = 1

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.                                                                                                                                                    0

3: System Boot system code via Flash.
## Booting image at bc0e0000 ...
raspi_read: from:e0000 len:40
.Magic Number,27051956
   Image Name:   Linux Kernel Image
   Created:      2014-07-03  11:38:25 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    973759 Bytes = 950.9 kB
   Load Address: 80000000
   Entry Point:  80303000
raspi_read: from:e0040 len:edbbf
...............   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
[mips_linux.c==86]:     theKernel:0x0,0x60,0x8,0x40,0x0,0x10,0x1,0x3c
No initrd
## Transferring control to Linux (at address 80303000) ...
## Giving linux memsize in MB, 16

Starting kernel ...

[mips_linux.c==241]:    linux_argc:5
[mips_linux.c==243]:    linux_argv[0]:<NULL>
[mips_linux.c==243]:    linux_argv[1]:console=ttyS1,57600n8
[mips_linux.c==243]:    linux_argv[2]:root=/dev/mtdblock6
[mips_linux.c==243]:    linux_argv[3]:rootfstype=jffs2
[mips_linux.c==243]:    linux_argv[4]:rw
[mips_linux.c==246]:    linux_env:memsize=16
[mips_linux.c==246]:    linux_env:initrd_start=0x00000000
[mips_linux.c==246]:    linux_env:initrd_size=0x0
[mips_linux.c==246]:    linux_env:flash_start=0x00000000
[mips_linux.c==246]:    linux_env:flash_size=0x800000

LINUX started...

 THIS IS ASIC
Linux version 2.6.21 (liwei@liwei-desktop) (gcc version 3.4.2) #941 Thu Jul 3 01:49:23 WARST 2014

 The CPU frequency set to 360 MHz
CPU revision is: 0001964c
enter es8388_close
enter es8388_close
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 4064
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock6 rootfstype=jffs2 rw
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 60808044, status = 11000000
PID hash table entries: 64 (order: 6, 256 bytes)
calculating r4koff... 0015f900(1440000)
CPU frequency 360.00 MHz
Using 180.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
max_low_pfn:4096
Memory: 12976k/16384k available (2728k kernel code, 3408k reserved, 351k data, 100k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
deice id : c2 20 17 c2 20 (2017c220)
MX25L6405D(c2 2017c220) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x00000000-0x00800000 : "ALL"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "rf_param"
0x00040000-0x00090000 : "cfg0"
0x00090000-0x000e0000 : "cfg1"
0x000e0000-0x00260000 : "kernel"
0x00260000-0x00880000 : "RootFS"
mtd: partition "RootFS" extends beyond the end of device "raspi" -- size truncated to 0x5a0000
Load Ralink DFS Timer Module
RT3xxx EHCI/OHCI init.
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
Ralink gpio driver initialized===============
=====================0x0040009c
=====================0x0040409c
Enable Ralink GDMA Controller Module
GDMA IP Version=2
i2cdrv_major = 218
enter es8388_init==================
Serial: 8250/16550 driver $Revision: 1.8 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
new motor: install module ......
==================A:0, B:0
enter dm2016_init==================
Ralink APSoC Ethernet Driver Initilization. v2.1  256 rx/tx descriptors allocated, mtu = 1500!
xx===============i:-1 mac addr:0:c:43:28:ffffff80:4a

MAC_ADRH -- : 0x0000000c
MAC_ADRL -- : 0x4328804a
PROC INIT OK!


=== pAd = c004f000, size = 522368 ===

<-- RTMPAllocAdapterBlock, Status=0
Linux video capture interface: v2.00
usbcore: registered new interface driver uvcvideo
USB Video Class driver (SVN r209)
=================register mtd device
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: Product: Ralink EHCI Host Controller
usb usb1: Manufacturer: Linux 2.6.21 ehci_hcd
usb usb1: SerialNumber: rt3xxx
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
usb usb2: Product: RT3xxx OHCI Controller
usb usb2: Manufacturer: Linux 2.6.21 ohci_hcd
usb usb2: SerialNumber: rt3xxx-ohci
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
i2c /dev entries driver
[drivers/i2c/i2c-core.c==i2c_register_driver==365]
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
VFS: Mounted root (jffs2 filesystem).
Freeing unused kernel memory: 100k freed
Warning: unable to open an initial console.


Here are the two firmware files from the Tenvis website: small.update (seems to be the kernel) big.update (maybe the rest of the filesystem?)

Hi, and thx for the awesome information...

I have a question regarding to my Foscam China clone. I accidentally updated a wrong webui file and now the hexcode in memory is wrong, so my webgui doesnt work anymore. The bootloader and romfs works as normal, but crashes because of the damaged webui file.

This is the wrong hexcode:

bootloader > d 0x7F1FFFFF

Displaying memory at 0x7F1FFFFF

[7F1FFFFC]          440C9ABD - 04F0A6D8 000CF370     ....D....p...

[7F20000C] 020A0402 0000000F - 63617069 6E692F6B  ........ipack/in

[7F20001C] 2E786564 016D7468 - 0000021E 3CBFBBEF  dex.htm........<

--> as you can see ipack/ -> is wrong ... I tried to override the memory with MX command and original webui firmware, but it didnt work.

Any ideas how to solve this?

Thx and regards!

you should try to flash the correct webui via the camera finder tool that should have come with your cam. It usually locates your cam in your network and with a rightclick it offers to flash new firmware

second method: try to erase the webui partition and flash it with fx command

hi,
camera.sh crashes while loading, so I have no connection to the cam via network.
BUT finally I got it working with fx command, also tried memset and e, but they didnt change the memory?!?
In my case I have no additional partition for webgui, so I dont know how to erase it? But I have overridden the memory via fx and it worked like a charm.
The start address of webgui is 0x7F200000 and I just uploaded the new webgui.bin file via:

fx 5 webgui.bin 0x7F200000 0x7F200000 -a -nofooter

so thx for the hint schufti

can anyone help me to find rs232 pinout?it is an eyesight ipcamera ip911iw

Hi everybody,

this is my first post in OpenIPCam forum!

I'm trying to make a backup of my camera's firmware before starting to play with other firmware, but I'm stuck in the Kermit phase and maybe someone can help me.

I'm able to see the bootloader prompt on the terminal. Then I close the terminal and open the same connection in Kermit (Kermit 95 in Windows 7). I make the connection, but can't send commands, like for example 'ls -la' to test.
I think this may be the reason why when I run the script it gives me that it can't find the bootloader prompt.

It seems the Kermit when in terminal mode don't sends commands, but if I reboot the camera I get all the startup information so the Kermit config connection is OK, but somehow the "keyboard" is not working.
Can someone give me some tips on what it might be the issue.

Thanks,
Paulo

as far as I remember there were some statements that the free Windows version doesn't work, but the trialversion of the commercial kermit will. YMMV

Thanks for the quick reply, I have the version which has 21 days free trial, but I'll check more in detail if there can be some problem with it.

Thanks,
Paulo