
I have had a Tenvis mini319W network camera for a while. This camera is the usual consumer Chinese product: built on the cheap, badly packaged and sold in low-end computer shops. Anyway, it was a cheap and dirty solution for a project of mine and, despite everything, it does the job OK.

The Tenvis mini319W is actually the same as the Foscam FI8918W, and by "the same" I mean a different casing but the exact same board. It is just a re-branding. For some reason there are a lot of clones of this model. To stress even more that they are actually the same product: I downloaded the firmware from Foscam and flashed my Tenvis without problems. The correct firmware to use is lr_cmos_11_37_2_46.bin, which is the zip file you can download from the Foscam website. I assume that the Foscam firmware is more up-to-date, and for the moment it is working fine. The two relevant links: http://www.tenvis.com/web/firmwaredownload.html and http://www.foscam.com/down3.aspx

Here there is a long list of cameras that are compatible with the same firmware. I spent all this time on this gadget just because the Tenvis model is not included in this list…

After a fair amount of time learning how to unpack the firmware, I found this blog, which has all the information and tools to turn this camera into an open camera. There is also a project called openipcam that focuses on this family of products. You can find there all the information that I managed to figure out in the meantime. I think this wiki is the main source of information about Foscam hardware and software.

This is a walk-through of all the things I've learned this morning about this camera.

First steps to analyze a proprietary firmware

The easiest thing you can do when approaching a binary you don't know is to look at it. After a few tries with hexdump I quickly realized that the format wasn't anything I had seen before. Since I didn't have enough info to search for, I ended up asking on IRC for help. Shortly after, I stumbled on the excellent binwalk, a nice tool to unpack firmware images.

$binwalk lr_cmos_0_37_2_36.bin 

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
20          0x14        Zip archive data,  at least v2.0 to extract
712036      0xADD64     romfs filesystem, version 1 size: 1094448 bytes, named rom 4cfcea76.
715668      0xAEB94     BFLT executable  version 4,  code offset: 0x00000040,  data segment starts at: 0x00011170,  bss segment starts at: 0x00013760,  bss segment ends at: 0x000150E8,  stack size: 10240 bytes,  relocation records start at: 0x00013760,  number of reolcation records: 693,  ram gzip
[...]

This tool definitely got me started. From the output it is easy to guess that the first part is a zipped kernel and the second, more interesting, part is the romfs image. I wanted to know whether it is possible to get a shell on the device, so I focused immediately on the filesystem image. To extract and mount it, you just need to carve it out of the binary blob with dd, using the offset binwalk reported, and then mount it (mounting needs root):

dd if=lr_cmos_0_37_2_36.bin of=romfs.bin bs=1 skip=712036
mkdir test
mount -o loop romfs.bin test/
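As an added example (not from the post, binwalk or fostar), a small Python carver that does what binwalk and dd did above: it finds the three signatures binwalk reported (zip local-file header, romfs superblock, bFLT header), decodes their fields, and cuts the romfs out using the size in its own superblock, checking the romfs checksum before trusting it. The firmware bytes are a constructed sample whose offsets and bFLT fields mirror the binwalk output above; it is not the real image.

```python
import struct
# Magics behind binwalk's findings: zip local header, romfs superblock, bFLT (uClinux flat) executable.
ZIP_MAGIC, ROMFS_MAGIC, BFLT_MAGIC = b"PK\x03\x04", b"-rom1fs-", b"bFLT"
BFLT_FLAGS = {0x1: "ram", 0x2: "gotpic", 0x4: "gzip", 0x8: "gzdata", 0x10: "ktrace"}

def describe(blob, pos, magic):
    """Decode the header starting at pos, returning (kind, fields)."""
    if magic == ZIP_MAGIC:
        ver = struct.unpack_from("<H", blob, pos + 4)[0]          # "version needed", little-endian
        return "zip", {"min_version": "%d.%d" % divmod(ver, 10)}
    if magic == ROMFS_MAGIC:
        size = struct.unpack_from(">I", blob, pos + 8)[0]         # romfs fields are big-endian
        name = blob[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
        return "romfs", {"size": size, "name": name}
    f = struct.unpack_from(">9I", blob, pos + 4)                   # bFLT header is big-endian too
    info = dict(zip("rev entry data_start data_end bss_end stack reloc_start reloc_count flags".split(), f))
    info["flags"] = [n for bit, n in BFLT_FLAGS.items() if f[8] & bit]
    return "bflt", info

def scan_firmware(blob):
    """Return sorted (offset, kind, fields) for every signature found in blob."""
    found = []
    for magic in (ZIP_MAGIC, ROMFS_MAGIC, BFLT_MAGIC):
        pos = blob.find(magic)
        while pos != -1:
            found.append((pos,) + describe(blob, pos, magic))
            pos = blob.find(magic, pos + 1)
    return sorted(found)

def romfs_checksum_ok(img):
    """romfs rule: the first min(512, size) bytes, as BE 32-bit words, sum to 0 mod 2^32."""
    n = min(512, len(img)) // 4
    return sum(struct.unpack(">%dI" % n, img[:n * 4])) % 2**32 == 0

def carve_romfs(blob, offset):
    """The dd step, but bounded by the superblock's size field and verified."""
    size = struct.unpack_from(">I", blob, offset + 8)[0]
    img = blob[offset:offset + size]
    if len(img) != size or not romfs_checksum_ok(img):
        raise ValueError("truncated or corrupt romfs at 0x%x" % offset)
    return img

def build_sample():
    """Constructed stand-in for the firmware blob (not the vendor's bytes)."""
    bflt = BFLT_MAGIC + struct.pack(">9I", 4, 0x40, 0x11170, 0x13760, 0x150E8, 10240, 0x13760, 693, 5)
    body = bytearray(ROMFS_MAGIC + struct.pack(">II", 1024, 0) + b"rom 4cfcea76".ljust(16, b"\0")).ljust(1024, b"\0")
    body[256:256 + len(bflt)] = bflt
    s = sum(struct.unpack(">128I", bytes(body[:512])))
    struct.pack_into(">I", body, 12, (-s) % 2**32)               # fix the checksum so the words sum to zero
    return b"\xff" * 20 + ZIP_MAGIC + struct.pack("<H", 20) + b"\0" * 40 + bytes(body)
```

On a real image, pass the file contents to scan_firmware() and hand the romfs offset it reports to carve_romfs(); a checksum failure means the offset or the dump is wrong before you waste time mounting it.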

So far, so good. This is what we got in the image:

test/bin$file *
camera:         BFLT executable - version 4 ram gzip
dhcpc:          BFLT executable - version 4 ram gzip
dhcpcd:         BFLT executable - version 4 ram gzip
dhcpd:          BFLT executable - version 4 ram gzip
fcc_ce.wlan:    POSIX shell script, ASCII text executable
ifconfig:       BFLT executable - version 4 ram gzip
init:           ASCII text
iwconfig:       BFLT executable - version 4 ram gzip
iwpriv:         BFLT executable - version 4 ram gzip
mypppd:         directory
route:          BFLT executable - version 4 ram gzip
rt73.bin:       data
sh:             BFLT executable - version 4 ram gzip
wetctl:         BFLT executable - version 4 ram
wpa_supplicant: BFLT executable - version 4 ram gzip

So there is definitely no way to access the camera remotely: there is no telnetd or sshd among these binaries, only the camera process and its network helpers. However, at this point I started to suspect that there were a few too many similarities with the Foscam firmware… and once you have the right keyword, you can find almost everything on the internet.

Shortly after this revelation I ended up on this post, and a minute later on the source code.

From here on it was easy: somebody else had already done all the hard work. Unpacking the firmware with fostar is a breeze:

$fostar -u lr_cmos_0_37_2_36.bin 
***      REMEMBER! ALWAYS KEEP A BACKUP OF YOUR ORIGINAL FIRMWARE       ***
*** I AM NOT RESPONSIBLE FOR YOU TURNING YOUR CAMERA INTO A PAPERWEIGHT ***
***              USE OF THIS SOFTWARE IS AT YOUR OWN RISK               ***
***                                                                     ***
***           If you don't agree to this, press 'Ctrl+C' now.           ***

Extracting linux.zip (712016 bytes)...
Extracting romfs.img (1094656 bytes)...

$unzip linux.zip 
Archive:  linux.zip
  inflating: linux.bin               

$strings linux.bin | grep -E "Linux version"
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1452 

Now I know the kernel version and the architecture (the -uc0 suffix and the bFLT binaries point to uClinux), and in theory with this info I could recreate the build environment to add more binaries to the rom. The web interface lives in a separate binary blob. To extract it:

$./fostar -x /var/tmp/mini_1.2.2.18.bin /var/tmp/webUI
***      REMEMBER! ALWAYS KEEP A BACKUP OF YOUR ORIGINAL FIRMWARE       ***
*** I AM NOT RESPONSIBLE FOR YOU TURNING YOUR CAMERA INTO A PAPERWEIGHT ***
***              USE OF THIS SOFTWARE IS AT YOUR OWN RISK               ***
***                                                                     ***
***           If you don't agree to this, press 'Ctrl+C' now.           ***

Disassembling firmware file '/var/tmp/mini_1.2.2.18.bin' to '/var/tmp/test2/'
Extracting /admin.htm (1153 bytes)...
Extracting /admin_content.htm (4519 bytes)...
[...]

fostar also has the built-in capability to repack the image, which gives the possibility to fix, hack and modify the interface (or the rom image, if you want to go through the hassle of cross-compiling your tools).

These cameras can also be connected via a jtag (serial cable) interface. I have a small jtag-to-usb cable and I want to try this next…

Here are a few other interesting links related to firmware analysis in different contexts that I found and read along the way.

  • http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
  • http://en.wikipedia.org/wiki/ZIP
  • http://aluigi.altervista.org/mytoolz.htm
  • http://0entropy.blogspot.fr/2011/08/firmware-reverse-engineering.html
  • https://sites.google.com/site/shihsung/rc32xxx-soc/analyze-firmware
  • http://code.google.com/p/firmware-mod-kit/source/checkout
  • http://www.networkworld.com/community/node/41672