I have had a Tenvis mini319W network camera for a while. This camera is the
usual consumer Chinese product: built on the cheap, badly packaged and
sold in low-end computer shops. Anyway, it was a cheap and dirty
solution for a project of mine, and despite everything it does the job OK.
The Tenvis mini319W is actually the same as the Foscam FI8918W, and when I
say the same I mean a different casing but the exact same
board. It's just a re-branding. For some reason there are a lot of
clones of this model. To stress even more the fact that they are
actually the same product, I even downloaded the firmware from Foscam
and flashed my Tenvis without problems. The correct firmware to use is
lr_cmos_11_37_2_46.bin, which is the zip file you can download from
the Foscam website. I assume that the Foscam firmware is more
up-to-date, and for the moment the firmware is working fine.
The two relevant links:
http://www.tenvis.com/web/firmwaredownload.html
http://www.foscam.com/down3.aspx
Here there is a long list of cameras that are compatible with the same
firmware. I spent all this time on this gadget just because the Tenvis
model is not included in this list …
After a fair amount of time learning how to unpack the firmware, I
found this blog, which has all the information and tools to turn this
camera into an open camera. There is also a project called
openipcam that focuses on this family of
products. You can find there all the information that I managed to
figure out in the meantime. I think this wiki is the main
source of information about Foscam hw/sw.
This is a walkthrough of all the things I've learned this morning
about this camera.
First steps to analyze a proprietary firmware
The easiest thing you can do when approaching a binary you don't know
is to look at it. After a few tries with hexdump I quickly realized
that the format wasn't anything I had seen before. Since I didn't have
enough info to search for, I ended up asking on IRC for help. Shortly
after, I stumbled on the excellent
binwalk, a nice tool to unpack
firmware images.
$binwalk lr_cmos_0_37_2_36.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
20 0x14 Zip archive data, at least v2.0 to extract
712036 0xADD64 romfs filesystem, version 1 size: 1094448 bytes, named rom 4cfcea76.
715668 0xAEB94 BFLT executable version 4, code offset: 0x00000040, data segment starts at: 0x00011170, bss segment starts at: 0x00013760, bss segment ends at: 0x000150E8, stack size: 10240 bytes, relocation records start at: 0x00013760, number of reolcation records: 693, ram gzip
[...]
This tool definitely got me started. Analyzing the output, it is easy
to guess that the first part is a zipped kernel and the second, more
interesting, part is the romfs image. I wanted to know if it is
possible to have a shell console on the device, so I focused
immediately on the fs image. To extract and mount the image, you just
need to carve it out of the binary blob with dd, using the romfs offset
reported by binwalk (712036), and then mount it:
dd if=lr_cmos_0_37_2_36.bin of=romfs.bin bs=1 skip=712036
mkdir test
mount -o loop romfs.bin test/
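As an added example (not code from this post, nor from binwalk or fostar), here is a small Python scanner for the layout binwalk reported above: it finds the ZIP, romfs and bFLT signatures, carves the romfs out by the size field in its own header instead of a hand-copied dd offset, and pulls the kernel version string out of the zipped kernel. The 20-byte leading header is treated as opaque (its real layout is not described anywhere here), and the sample blob is constructed, not the real firmware.

```python
import io
import struct
import zipfile

# Layout assumed from the binwalk listing: 20 opaque header bytes, a ZIP holding the kernel, then a romfs image. build_sample() is constructed.
ZIP_MAGIC = b"PK\x03\x04"    # ZIP local file header
ROMFS_MAGIC = b"-rom1fs-"    # romfs superblock magic; fields are big-endian
BFLT_MAGIC = b"bFLT"         # uClinux flat-binary header

def find_all(blob, magic):
    pos = blob.find(magic)
    while pos != -1:
        yield pos
        pos = blob.find(magic, pos + 1)

def romfs_header(blob, off):
    """romfs superblock: magic[8], size[4], checksum[4], NUL-terminated name."""
    size = struct.unpack_from(">I", blob, off + 8)[0]
    name = blob[off + 16:blob.index(b"\x00", off + 16)].decode("ascii")
    return {"size": size, "name": name}

def scan(blob):
    """Sorted (offset, description) hits, in the spirit of binwalk's listing."""
    hits = [(o, "Zip archive data") for o in find_all(blob, ZIP_MAGIC)]
    for o in find_all(blob, ROMFS_MAGIC):
        h = romfs_header(blob, o)
        hits.append((o, f"romfs filesystem, size: {h['size']} bytes, named {h['name']}"))
    for o in find_all(blob, BFLT_MAGIC):
        ver = struct.unpack_from(">I", blob, o + 4)[0]
        hits.append((o, f"BFLT executable version {ver}"))
    return sorted(hits)

def carve_romfs(blob):
    """Like 'dd ... bs=1 skip=<offset>', but bounded by the size in the header."""
    off = blob.index(ROMFS_MAGIC)                 # ValueError if there is no romfs
    return blob[off:off + romfs_header(blob, off)["size"]]

def kernel_version(zip_bytes):
    """'unzip linux.zip; strings linux.bin | grep "Linux version"', in Python."""
    data = zipfile.ZipFile(io.BytesIO(zip_bytes)).read("linux.bin")
    return next(l for l in data.split(b"\n") if b"Linux version" in l).decode()

def build_sample():
    """Constructed stand-in for lr_cmos_*.bin (real header layout unknown)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("linux.bin", b"Linux version 2.4.20-uc0 (constructed)\n" + b"\x00" * 64)
    body = BFLT_MAGIC + struct.pack(">I", 4) + b"\x00" * 56      # fake flat binary
    name = b"rom deadbeef".ljust(16, b"\x00")                    # name padded to 16
    romfs = ROMFS_MAGIC + struct.pack(">II", 32 + len(body), 0) + name + body
    return b"\x00" * 20 + zbuf.getvalue() + romfs
```

Running scan(build_sample()) reproduces the three kinds of hits binwalk printed (ZIP at offset 20, then the romfs, then a bFLT inside it); on a real image the romfs size from the header tells you how many bytes to keep, which dd alone cannot.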
So far, so good. This is what we get in the image:
test/bin$file *
camera: BFLT executable - version 4 ram gzip
dhcpc: BFLT executable - version 4 ram gzip
dhcpcd: BFLT executable - version 4 ram gzip
dhcpd: BFLT executable - version 4 ram gzip
fcc_ce.wlan: POSIX shell script, ASCII text executable
ifconfig: BFLT executable - version 4 ram gzip
init: ASCII text
iwconfig: BFLT executable - version 4 ram gzip
iwpriv: BFLT executable - version 4 ram gzip
mypppd: directory
route: BFLT executable - version 4 ram gzip
rt73.bin: data
sh: BFLT executable - version 4 ram gzip
wetctl: BFLT executable - version 4 ram
wpa_supplicant: BFLT executable - version 4 ram gzip
So there is definitely no way to get a remote shell on the camera…
However, at this point I started to suspect that there were a few too
many similarities with the Foscam firmware… and once you have the
right keyword, you can find almost everything on the internet.
Shortly after this revelation I ended up on this
post,
and a minute later on the source
code.
From here on it was easy: somebody else had already done all the hard
work. Unpacking the firmware with fostar is a breeze:
$fostar -u lr_cmos_0_37_2_36.bin
*** REMEMBER! ALWAYS KEEP A BACKUP OF YOUR ORIGINAL FIRMWARE ***
*** I AM NOT RESPONSIBLE FOR YOU TURNING YOUR CAMERA INTO A PAPERWEIGHT ***
*** USE OF THIS SOFTWARE IS AT YOUR OWN RISK ***
*** ***
*** If you don't agree to this, press 'Ctrl+C' now. ***
Extracting linux.zip (712016 bytes)...
Extracting romfs.img (1094656 bytes)...
$unzip linux.zip
Archive: linux.zip
inflating: linux.bin
$strings linux.bin | grep -E "Linux version"
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1452
Now I know the kernel and compiler versions, and in theory with this
info I could recreate the build environment to add more binaries to the
rom. The web interface is in a different binary blob. To extract it:
$./fostar -x /var/tmp/mini_1.2.2.18.bin /var/tmp/webUI
*** REMEMBER! ALWAYS KEEP A BACKUP OF YOUR ORIGINAL FIRMWARE ***
*** I AM NOT RESPONSIBLE FOR YOU TURNING YOUR CAMERA INTO A PAPERWEIGHT ***
*** USE OF THIS SOFTWARE IS AT YOUR OWN RISK ***
*** ***
*** If you don't agree to this, press 'Ctrl+C' now. ***
Disassembling firmware file '/var/tmp/mini_1.2.2.18.bin' to '/var/tmp/test2/'
Extracting /admin.htm (1153 bytes)...
Extracting /admin_content.htm (4519 bytes)...
[...]
fostar also has the built-in capability to repack the image,
giving the possibility to fix, hack and modify the interface (or the
rom image, if you want to go through the hassle of cross-compiling
your tools).
These cameras can also be connected to via a
jtag
(serial cable) interface. I have a small jtag to usb cable and I want to
try this next…
These are a few other interesting links related to firmware analysis in
different contexts that I found and read along the way.
- http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
- http://en.wikipedia.org/wiki/ZIP
- http://aluigi.altervista.org/mytoolz.htm
- http://0entropy.blogspot.fr/2011/08/firmware-reverse-engineering.html
- https://sites.google.com/site/shihsung/rc32xxx-soc/analyze-firmware
- http://code.google.com/p/firmware-mod-kit/source/checkout
- http://www.networkworld.com/community/node/41672