News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: Web Server recommendations for our Firmware  (Read 6892 times)

  • No avatar
  • *****
February 03, 2011, 09:53:18 am
Reading the overview here http://www.cnx-software.com/2010/12/22/http-server-for-uclinux/ for http://www.mathopd.org/, it looks like that Webserver would make a good solution to use in a rebuilt firmware.  Its small, and it does what is needed.  It also runs as a single process (good for small embedded systems like ours).
There are other choices - like litettpd, boa, but this is smaller, and compiles cleanly.


Looks fairly straightforward to implement too.

The cgi implementation part looks especially perfect -

http://www.mathopd.org/wiki?CGI/Example

Some patches here - http://opensource.stobor.net/mathopd/

..and lastly an example of how to use it in a shell script  (as a cgi)

http://linuxgazette.net/155/lg_tips.html


Call this something appropriate like

zipfolder.cgi

Code: [Select]
#!/bin/bash
echo Content-Type: application/zip
echo "Content-Disposition: attachment; filename=files.zip"
echo
zip -9r - *

You'll also need to ensure zip is compiled in, for that example, but it shows what can be done easily.


« Last Edit: February 03, 2011, 09:56:45 am by admin »

March 09, 2011, 09:01:28 am
Hi there,

First of all, what an amazing job! I've readed all the post from your blog about hacking Foscam IP Cam.

I have a question, what about the webserver included in default firmware? I'm interested in modify it (ie, the default port), but can't find anything in camera binary. Instead, there's a real webserver or just something doing echo HTTP responses?

Sorry for my bad english... :)

Regards from Spain


  • No avatar
  • *****
March 09, 2011, 10:29:23 am
The camera binary does a lot of things all as one application.

Thats why I really wanted to rewrite it all, as I prefer a more modular approach, as its more flexible.

Monolithic is ok, but you want to change functionality, you need to recompile again.

We don't have the source for the camera binary.

I could change the port in use fairly easily though - I already disassembled the binary - thats on my blog. You can go through the asm code and spot the startup for the web server part of the camera binary fairly easily, and then look for the variables area that it uses.

You'd be looking for something that loads a variable of value 0x50 (which is 80 in hex).
So, search for the webserver stuff, then look close by for a load of 0x50 from an address in the binary.

The post in question is this one that I wrote late one night - http://www.computersolutions.cn/blog/2011/01/ipcam-hacking-part-7/.  Of course subsequently I found out you can unpack binaries in a much easier method using flthdr -Z, but I didn't know at the time!

The disassembly of my camera executable is here, as I just uploaded it now - http://www.openipcam.com/files/Reverse%20Engineering/
Direct URL is:  http://www.openipcam.com/files/Reverse%20Engineering/camera_asm.html

Strongly note that you'd need to do the same to your camera executable, as its unlikely that mine and yours are the same.  You would need to redo your changes for every firmware update.
If thats acceptable, then do it.

I could roll out the changes for you if you can give me a copy of your current romfs.
Then I can mount it, copy your camera executable, disassemble, then find the offset for the hex value you'd need to change, plus repack your firmware back, so you can write it back on the camera.




Looking at mine briefly, I'd guess here -

Code: [Select]
00ae7c:  e1a0c00d mov ip, sp
00ae80:  e92dd8f0 stmdb sp!, {r4, r5, r6, r7, fp, ip, lr, pc}
00ae84:  e24cb004 sub fp, ip, #4 ; 0x4
00ae88:  e1a05000 mov r5, r0
00ae8c:  e1a06001 mov r6, r1
00ae90:  e3a07050 mov r7, #80 ; 0x50 'P'
00ae94:  e1a04005 mov r4, r5
00ae98:  e1d430d0 ldrsb r3, [r4, #0]
00ae9c:  e3530000 cmp r3, #0 ; 0x0
00aea0:  0a000006 beq 00aec0(6) ; jump

So, I'd change the values at 0x00ae90 in the executable from
e3 a0 70 50
to
e3 a0 70 [port number i wanted to use]

...and see if that worked.

Probably not though, that would be too easy ;)



« Last Edit: March 09, 2011, 11:21:30 am by admin »