Hacking the Foscam FI8908W

I recently bought a Wireless Pan/Tilt IP Camera in an effort to eventually replace all of the old 2.4GHz wireless cameras around the house, which have ruthlessly stressing my Wireless B/G (also 2.4GHz) Internet.  I found these cameras, and lots of reviews and articles about how good they are, despite their rather small price-tag.  In the world of P/T Cameras, let alone IP Cameras, you’d typically be looking at 2-3x the price for the next best thing.  They aren’t perfect, but updated to the more recent versions of their firmware, they are great cameras that almost equally well in Windows, OS X, or Linux.  Top that with a company that is reportedly very responsive to customer needs, open documentation for protocols and APIs to manipulate the camera, and you’ve got the makings of a great product.  You can read up on any number of reviews via Google, but I’ll link one in particular here.

Based on the title of this post, I suspect you’re not interested in which camera to buy… rather, you’ve already bought one and you’re wondering what else it can do.  I did too.  After a little searching around, I decided to download the latest firmware files and take a look at them under the proverbial microscope of the Hex Editor.

Foscam has two separate firmware files.  One is a ‘core’ firmware, and the other is the ‘WebUI’.  Immediately, it was clear that the ‘core’ firmware was a much more complicated beast; my current, best assumption is that the file is a bonefied, honest-to-God self-extracting binary.  I haven’t taken my camera apart yet to figure out which processor its running, but I suspect I’ll find an ARM processor inside.  What I can tell from scanning the core firmware file is that the underlying OS which the firmware provides is, you guessed it, Linux.  I like these Foscam guys more and more.  I digress.  About this point, I decided to go check out the other file.

The second file, the WebUI firmware, was much easier to tame.  A few simple guesses about what the header information in the file meant, and a couple hours of validating my theories produced the following truth table.

Offset:     Data Type/Size:    Description/Value/Etc:
0x0000      INT32_LE           Size of file
0x0004      Byte[4]            Version Number, each byte a min/minor  value (2.4.8.12)
0x0008      Char[21]           File Description

{ ## Repeats until End-Of-File

+0x000      INT32_LE           Length of File Name
+0x004      Char[...]          File Name
+(Filelen)  Byte               File Type (0 = directory, 1 = file)

{ If 'File Type' == 1 then
+0x001      INT32_LE           Length of File Data
+0x004      Char[...]          File Data
}

}

Based on this data, I was able to whip out the utterly mind-numbing C code below:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  FILE *f = NULL;
  int len = 0, type = 0;
  char src_file[512], dst_file[512], *data = NULL;
  int max_data = 0;

  if ( (f = fopen(argv[1], "rb")) == NULL)
    exit(-1);

  fseek(f, 0, SEEK_END);
  int file_len = ftell(f);
  fseek(f, 0, SEEK_SET);

  fread(&len, 1, 4, f);
  if (len != file_len) {
    fprintf(stderr, "File size doesn't match that reported in the header: %d/%d\n", len, file_len);
    exit(-1);
  }

  fseek(f, 29, SEEK_SET); // seek to first file

  while(!feof(f)) {
    memset(src_file, 0, sizeof(src_file));
    memset(dst_file, 0, sizeof(dst_file));

    fread(&len, 1, 4, f); // read filename length
    fread(src_file,1,len,f); // read filename
    sprintf(dst_file, "%s%s", argv[2], src_file);

    type = 0;
    fread(&type, 1, 1, f); // read entry type
    if (type == 0) {
      if (mkdir(dst_file, 0770) != 0) {
        fprintf(stderr, "Unable to write file: %s", dst_file);
        exit(-1);
      }
    } else if (type == 1) {
      FILE *f2 = fopen(dst_file, "wb");
      if (f2 == NULL) {
        fprintf(stderr, "Unable to write file: %s", dst_file);
        exit(-1);
      }

      fread(&len, 1, 4, f); // read data length
      if (len > max_data) {
        data = realloc(data, len);
        max_data = len;
        if (data == NULL) {
          fprintf(stderr, "Unable to allocate  data necessary to extract file.  Requested: %d bytes.\n", len);
          exit(-1);
        }
      }
      fread(data,1,len,f);

      fprintf(stdout, "Extracting %s (%d bytes)...\n", src_file, len);
      fwrite(data, 1, len, f2);
      fclose(f2);
    }
  }

  fclose(f);
  free(data);
  return 0;
}

You should be able to copy/paste this into and empty .c file (for example, “extract.c”) and run the following command:

gcc extract.c -o extract

Change “extract.c” and “extract” to whatever you want to call it.  Running that command will create an executable file named “extract” (or whatever you changed it to).  This is the executable file that will extract the contents of the firmware file.

When you have that file, you should be able to run the following command:

./extract <path_to_firmwarefile> <path_to_destination>

This should extract all the files in the firmware file into the path specified.  I would encourage you to first create a directory for the extracted firmware files.  If you want to extract to the current directory, you must still enter this parameter as “./”  (but without the quotes) Ie:

./extract ../FI8908W-fw11.14.1.46bis/2.4.8.12.bin ./

Have fun, and happy hacking…  Hopefully soon, I’ll post the code for a second utility to repackage a firmware file.  If someone beats me to it, please feel free to post, or ask any questions about the format of the file.  At the least, being able to see how the web/javascript interact with the underlying OS should provide options for making a back door.

About these ads

~ by kylemallory on March 30, 2010.

142 Responses to “Hacking the Foscam FI8908W”

  1. Hey there,

    Thats quite brilliant. I am amazed at how people are taking to these products. It really brings me joy to see you successful with this great new Foscam wireless IP Camera. I am one of the original authorized USA distributors of Foscam IP Cameras and I am listed as an official distributor on their website.

    I appreciate your enthusiasm and anytime you want a discount, please let me know and I will gladly provide it for you.

    Keep the code comming.

    Best,

    • Thanks. A generous offer! Hopefully sometime this next week, I’ll post some code for re-assembling the WebUI firmware file, which will let us (me, you, anyone) provide access to some of the missing functions in the Firefox/Push interface, and even accessing some undocumented features, like setting the pan speed, etc. I’ve been spending the last few days trying to reverse engineer the base IP protocol, bypassing the web interface entirely (and allowing bi-directional audio, for example). If there is anything you could do to help me in these efforts, such as aquiring protocol specifications, etc. that would be completely awesome. My immediate goal is to provide a full-featured controller application for Linux. I’m still a ways from there though!

  2. hi there this is great news i have got one of these cameras from ebay and it turned out to be a clone it came in a green box and on the circuit board it say ipcam hw V1 but i did not known this at the time so i flashed my camera with the original software but i bricked it but i got it back to life with the recovery files but i had lost my web ui do you think i could get the web ui back on the camera ????? thank’s David

    • David,
      My guess is, if you recovered using the Foscam firmware, you should be able to use the Foscam Web firmware as well. Of course, I make no guarantee to this claim, but it’s probably a fairly safe assumption.

    • David, I bricked my phone too. Did you figure out how to recover from this? I even got the IP Cam guys to send me firmware files but upgrading the firmware tries but doesn’t take. It just makes a chirping sound now and from the IP camera finder, I can see the camera tries to load up and gets an IP but doesn’t boot up all the way. It resets within 6-8 seconds.

  3. I purchased one of the fake foscam’s online and can’t get it to access remotely from outside of my network. Can anyone help with this??

  4. Hey Raymond, I did the same on mine. The foscam actually sends it’s native control protocol over HTTP, it just doesn’t use HTTP commands, so if you run Wireshark and capture just the port 80 traffic, you should capture everything relevant for the camera (unfortunately with all the actual HTTP noise as well). In the Foscam, all data packets start with ‘MO_O’ for the ‘operation protocol’ used to configure the camera, and MO_V for video/audio packets. If you want to, make a small capture file while logging into the camera and email it to me. I’d be curious to see if there are differences.

    • Hey Raymond, I did the same on mine. The foscam actually sends it native control protocol of HTTP, it just doesn’t use HTTP commands, so if you run Wireshark and capture just the port 80 traffic, you should capture everything relevant for the camera. In the Foscam, all data packets start with ‘MO_O’ for the ‘operation protocol’ used to configure the camera, and MO_V for video/audio packets. If you want to, make a small capture file while logging into the camera and email it to me. I’d be curious to see if there are differences.

      • Hello kyle,
        My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that Sunshine iPhone app and a couple others are successfully extracting the audio, however we cannot duplicate it. We believe its in the Mo_V http header packet and that its using G.726. Can anybody help us here. We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.

  5. FYI: I poked around the “strings”, it seems they are using
    Winbond uClinux.

  6. hi thanks for the quick reply i have tryedbut it lock the camera up i have look at the cgi list and this is part of it var id=’003010C1D039′;
    var sys_ver=’11.14.1.46′;
    var app_ver=’0.0.0.0′;
    var alias=”;
    var now=1270315495;
    var tz=0;
    var ntp_enable=1;

    as you can see in the var app there is nothing there, i will keep trying thanks David

  7. Hi,

    Excellent !! Any success in getting the core firmware unlocked ?

    Good Luck with your great job

  8. Hi,

    The firmware is a uclinux from winbond (http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html) the recovery file have the W90N745 uClinux BSP User’s Manual – will that help you in any way to unlock the core firmware file?

    I’m trying to build an hardware interface for the camera – to control other devices as well via the interface – ex. the springler to water my garden.

    Regards
    Thushar

    • Thanks, ucLinux is helpful. Lots of documentation, etc. Raymond pointed this out earlier as well. At least with that I know its an ELF binary, which should get me a ways. The next step will probably require taking apart a camera and trying to determine the architecture. Unfortunately, I’m not prepared to do that to mine, just yet.

      If it really is a binary (which I’m guessing at this point), and knowing the architecture, it should be possible to disassemble and ultimately cross-compile a new firmware file. I’m not putting much effort into this approach directly though, as I think we may find better solutions by using the UI firmware to install a telnet or SSH server instead.

      • Since you guys got me thinking about it, here is some interesting stuff I ran across while searching ucLinux:

        http://www.uclinux.org/bFLT/

        http://www.beyondlogic.org/uClinux/bflt.htm

        After poking around in the core firmware, i was able to determine that there are about a dozen bFLT files in the firmware, and from those, I was able to determine that they are using the Rev 4 of bFLT, which is for the m68k architecture. Still haven’t been able to figure out the actual format of the firmware file, but progress is being made. The most confusing part is that it seems the firmware itself is little-endian, while the files it contains are big-endian. That will no doubt confuse me a lot along the way.

  9. Here is a trace talking to the camera at 192.168.1.70 to 73

    http://docs.google.com/Doc?docid=0ATqv7EjKjtaCZGRzN241c2JfOGRmNzNqZmRu&hl=en

    I don’t understand or see MO_V files; but I am not too familiar with these protocols. OTOH I did see
    Server: Netwave IP Camera
    in the status response

    http://docs.google.com/Doc?docid=0ATqv7EjKjtaCZGRzN241c2JfOGRmNzNqZmRu&hl=en

    the actual status is at the end; with decorations elsewhere.
    Looking up Netwave leads to:

    http://www.gadgetvictims.com/2008/08/foscam-fi8908w-firmware-history-page.html

    With this section
    Documentation:

    IPCAM user guide 4.1.2 – mirror
    IPCAM CGI SDK V1.7 – mirror
    IPCAM CGI Application Instruction v109 – mirror
    IPCAM Protocol – mirror
    Where the sdk gives http://url/commands.cgi/
    that can be sent over to the web interface. These seem similar to my camera commands. In addition when VLC sends the videostream.cgi command it knows how to recognize the returned video stream. Thus this part is adhering to some standard.
    It seems to me that there might be two or three approaches to this hacking.
    1) Make up a javascript (or some such) console that can be configured to send all of the cgi commands.
    2) Like your doing figure out the loading structure and rewrite the web interface.
    3) Just to be contrary, dump a virus (or maybe a ftp/ssl enable (ssl is unlikely)) on top the memory that enables a backdoor.

    I sort of like the javascript idea. If the command data base is structured as a spreadsheet then it could be maintained and reused. Say like so.
    Name desc cgi_command_to_send expected_response action

    I dearly love simple things; I’ve tried it the other way:)

    • I’m not seeing the messages that I’d expect. You’re running a different core firmware than I am. Maybe that has something to do with it. When I get home, I’ll try and take a screenshot of my WireShark, showing the data that I’m seeing.

      I think the CGI interface is provided by the core firmware (I haven’t confirmed this yet, but). and so I’m not sure that you would get any benefit out of a javascript approach, any more than you would just calling the CGI directly (which is actually what the UI does). They took an interesting approach where the CGI (status.cgi, for example) returns, as javascript, a series of variables. The web interface queries the CGI via a “, and then uses more javascript to print those values into the actual webpage. The protocol ‘MO_O’ stuff I’ve been messing with is the lower-level protocol used to query/set all of the same values done through the CGI. In essence, the Firefox/’Push’ interface uses the CGI stuff, while the IE/ActiveX solution does the low-level protocol, which is where the two-way audio is supported, etc, and why Firefox doesn’t support those features.

      The memory-tromping/backdoor approach is interesting. I think my approach for actually getting the camera to do something that it wasn’t designed to do (for example, finding a way to read the IO on the back as a temp sensor) would require some way of actually installing new executable code, and then calling that code. If you could get a new CGI program on the camera, and execute it via a HTTP request, that would be a relatively simple means. Question is whether HTTPd is sandboxed or not.

      Core firmware is proving to be a mind-fuck. I’m actually starting to think that its not so much an archive file, like a tar file, but a file that describes actually were and how to write the flash memory: ie, “at address 00772D00 write the following data”. I suspect that data is everything from inode structures for the filesystem to the actual file data.

  10. I used curl against the CGI SDK 2.1 and got the expected responses from most commands.
    If you have (can get) curl I can send a script in some form.
    Ray

  11. You were right about the “MO_O” reference.

    • I didn’t get your message until after I made these… so I figure I’ll post them anyway for anyone else who wants to see. Note that I have my camera running on port 9120, rather than the default (port 80).
      Foscam Request
      Foscam Response

  12. Is lr_cmos_11_14_1_46.bin an archive file with another archive or executable inside ? When i tried to rename lr_cmos_11_14_1_46.bin to lr_cmos_11_14_1_46.zip and just try to open it using winrar, i saw the linux.bin file inside tho winrar throws an error. This could not happen if firmware is an executable .. right.

    Also, the recovery file (from http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html) seems to consist of romfs_cmos_11_14_1_37.img and linux.zip( which has linux.bin inside). Could an expert view on the romfs_cmos_11_14_1_37.img help us to find more about the core firmware file ?

    Regards
    Thushar

    • Based on my latest investigations, I think the .bin file is an archive that contains linux.bin, and a couple of FLAT (bFLT) executable binaries. I just haven’t been able to figure out the relationships to be able to write a tool to extract the files. My guess now is that the file/block headers inside the firmware .bin file are variable length, depending on the file and its type, which is making things a lot more difficult than necessary.

      OS X sees the lr_cmos_11_14_1_46.bin also as an archive, and identifies it as a “MacBinary Archive”. If I run the OS X Archive Utility on the .bin file, it won’t do anything but recompress it.

      I’ll check out the recovery image and see if I can make anything from it. I’d really like to find some information on the ‘BNEG’ file magic that is the first 4 bytes of the .bin image, but I can’t find anything via Google.

  13. Small progress:

    http://tools.rebel-it.com.au/ipc-1002/README.TXT

    batch example
    ———–
    mkdir firmware
    dd if=lr_cmos_11_14_1_46.bin bs=1 count=32 of=firmware/header.img
    od -x header.img
    dd if=lr_cmos_11_14_1_46.bin bs=1 skip=32 count=0403 of=firmware/kernel.img
    and so forth. I’ve spent to many hours on this today:)
    ———————-
    Daydreaming: find the ftp code and open it up to connect.
    More realistically drop tftp or a console into the server javascript area, or alternately a custom function. I will double check if dd works on the interface .bin file later.
    This may be obvious to others but I think the javascript/user interface is server-side javascript with little tiny pieces/slaves downloaded as needed. I haven’t verified this yet, but it fits what I have seen.

  14. Or not; I just looked at dd. It actually doesn’t verfiy anything but maybe the core parameters are in the uclinux documents.

    • Raymond, Good find! They are using ‘dd’ to brute-force extract parts of the firmware file. Not bullet-proof, but helpful nonetheless. Some of the other bits about mounting the filesystem are really interesting. Definitely something to play with. The problem is, extracting the files only gets us so far. Unless we can build hacked firmware to load on the camera, we’ll only be able to do so much.

      The server-side javascript is interesting. From the WireShark results, its clearly making a “/status.cgi” GET request, which you can make yourself to get the info. What’s happening within that cgi is the real question, but I am hopeful that there is some internal voodoo going on that may prove to be fun to play with.

  15. I guess I will break down and physically disassemble my camera.
    There is probably a tftp interface on port 65550 but you have to get into the bootloader to switch from serial to network; catch-22 unless we can find the bit and plunk it through javascript.
    Just for information a boot loader manual that I think is similar.
    ftp://220.232.158.86/Winbond/W90N745/Documentation/
    Actually the site has a bunch of stuff for uclinux systems. Unfortunately I can not vouch for it not being a trojan site.
    I should find a better site.
    As for the javascript client/server: I think that the client command/request is intercepted by some other program who decides what to do, if to do it, and then the annoying next-url. Then the results “rain down” onto the server code which xmitts a new page to the client. In that case we have to find the interpreter intercepting the command on the server and try to find holes. But if the loader is the bootloader code being reused we could drop javascript compliant code onto the server javascript with a rewrite of the ui; so that the attempt to set wireless would execute it; or something else not needed. Let’s see what’s wrong with that? Well it wouldn’t go to a particular place because the source is ASCII, but that is okay as long as the updater doesn’t require ASCII it should just dump the incoming into a buffer. Then the buffer gets read out and interpreted.
    Sorry to go on so long (:

    Ray

  16. Webcontrols Parameters :

    “snapshot.cgi
    description To obtain the snapshot
    Permission visitor
    Syntax /snapshot.cgi[?user=&pwd=&next_url=]
    Parameters user:username
    pwdassword
    next_url:the name of snapshot
    Note 1 If not use the parameter “next_url”, the snapshot name is:device
    id(Alias)_ Current time.jpg

    [EDIT] More goodness here…

    Hope this help us in some way

    • Thanks for the info, Thushar! I actually ran across this document, courtesy of gadgetvictims.com, that describes the entire CGI SDK. Unfortunately, it doesn’t allow two-way audio. This, with the tools to hack the UI Firmware should keep some web-do-gooder busy for a while! In an effort to keep the reply chain shorter, I’ve edited your post to reflect the same link…

  17. I took the picture from my cam inside:

    There is the links to ICs datasheets

    http://file.qip.ru/file/126440710/aa28569e/APP2000004USBD.html

    http://file.qip.ru/file/126440714/ad459287/HY57V641620F_L_S_TP_series_Rev.html

    http://file.qip.ru/file/126440713/33210724/NUC745ADN.html

    http://file.qip.ru/file/126440711/dd2f6608/W19B320BB.html

    The documentation from ftp://220.232.158.86/Winbond/W90N745/Documentation/ is right.
    Some additional information you can find on http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm
    Nuvoton and Winbond is the same compony. By this link you’ll find uClinux for NUC745A and compiler for it.

    And also I have the description of audio and video stream:

    http://file.qip.ru/file/126440715/da42a211/IP_Camera_Prototcol.htm

    • Archon, thanks for the links and images. Great stuff. Sorry it took a little while for your comment to post. WP filed it as spam (probably too many link from .ru), and I just noticed it tonight.

  18. Serial is pretty easy on them – I’m already doing what you’re doing!
    Want to collaborate?

    I’m in touch with the factory that makes them already, and they’ll be sending an SDK over.

    Its quite a bare system though – basically everything sits in /home, and the rest of the system is *extremely* minimal.

    I have some more on my blog at http://www.computersolutions.cn/blog

    Cheers,

    Lawrence.

    • Lawrence, cool to see your progress. Would definitely welcome some more collaboration! The more the merrier, right? I think I’m about to order another camera or two, and will probably be willing to pull one of them apart, too.

  19. PS, mine doesn’t have a winbond, its actually a Nuvoton N745 (which is a clone of the Winbond ARM chip I think)

    • Yeap, the two pinouts look identical. In fact the data sheets look identical; based on sample size that is small.

  20. hi guys my camera is in bits if you want some details and picture there is no problemi will uploaded them and i have been logging it as well with the serial still connected if you want them as well thanks dave

  21. My “unknown” camera:\
    Board: ES_IP607_ARM_2
    SDRAM: W9812G6IH
    ARM processor: W90N745CDG
    Latch for I/O: 74hc259d.
    Unstuffed comm connector goes to:TX0D,RX0D processor pins 10,11 I think
    Ethernet: DM9161AEP
    Motor driver?: ULN2803L Octal driver
    DVM008: Clock chip/RTC
    SY-5W-k: relay (probably for outgoing alarm contacts) rated for 1-2A signal but only .5A contact rating. I presume that contact rating is allowed (non-degrading) current during relay transition; and signal is with the contacts firmly closed. I can’t find the voltage rating but I presume it would be 117VAC.
    Audio: ALC203 Realtek. This seems like overkill; but…
    Motor driver? : 2822M STM micro
    Bunch of other stuff around the I/O pins probably an switching regulator for the relay or some such
    NVRAM: S29AL016J spansion
    16 Megabit (2 M x 8-Bit/1 M x 16-Bit) CMOS 3.0 Volt-only Boot Sector Flash Memory

    Perhaps I will take hires pictures of the boards. I did save copies of most of the data sheets.

    “That’s all folks”

    • Hi Raymond, I got the same cam as you: Board: ES_IP607_ARM_2 I managed to brick it. I still have a good one, can you tell me how to transfer the good firmware to the bricked one? or do you have good recovery files for this cam?

      Thanks!

  22. Misc from web trolling:

    BNEG: Amusing– NBGE You or somebody else has endian problem.
    It appears to be a common phrase (although probably 2 or 4 mb size or starting point). Compare the header.img in hex to:


    the start of the 9100a romfs file loaded from this post looks like this

    [7F0A0000] 47454E42 00000001 – 00000000 00000000 BNEG…………
    [7F0A0010] 00139400 6D6F722D – 2D736631 00921300 ….-rom1fs-…

    From: http://support.yoics.com/viewtopic.php?p=610&sid=145b4ec6d4be054c6ed9b9344af48b9d

    Haven’t found Winbond (or arm7) schematics yet but the Winbond uclinux user manual has:
    W99683 samera usb support : Video for linux on page 15.
    Which means downloading the code and examing that kernel (io ?) section should be relevant.

    Ray

    • Interesting. I had questioned whether it was endiann-ness, but always assumed it was a 4-byte sequence (which shouldn’t suffer from endian-ness), not a long (which would). Reading that thread:

      “however the ‘-romfs-‘ tag is offset by 0x14

      so I used the line

      fx 6 romfs.img 0x7f0a0000 0x7f0a0014 -a

      the system then rebooted correctly…”

      So, it looks like they were able to get the file to load after they offset/stripped the 14 bytes prior to the -romfs- tag, including the ‘BNEG’. Which falls in line with my thinking that that is all part of a header, and is not meant to be loaded into memory (or at least as part of the image itself). Problem is, the header length varies, and its not immediately clear what the length of the header should be.

      In the lr_cmos_11_14_1_46.bin the first 64 bytes are:


      0000 - 42 4E 45 47 01 00 00 00 - BNEG....
      0008 - 01 00 00 00 32 B3 0B 00 - ....2...
      0010 - D0 08 00 50 4B 03 04 - .-..PK..
      0018 - 14 00 00 00 08 00 63 2B - ......c+
      0020 - 10 3B 72 88 39 83 BE B2 - .;r.9...
      0028 - 0B 00 10 99 18 00 09 00 - ........
      0030 - 00 00 6C 69 6E 75 78 2E - ..linux.
      0038 - 62 69 6E EC FD 0B 78 5C - bin.".x\

      In this case, upto the ‘linux.bin’ tag, there are 50 bytes, rather than the 14. I need to double-check my notes at home, but I think the long 0x26 is the length of linux.bin in LE. And the subsequent long at 0x2E is the length of the tag ‘linux.bin’ (9, in LE). The S32_LE at 0x26, is 766654 (decimal). Add 59 (the length of the header, including the ‘linux.bin’ tag), and you end up right near the ballpark of the -rom1fs- tag. There is a similar length field, at 0x0C (S32_LE), that also puts us in the same area of the file. Maybe coincidence?

  23. I guess I will load up Windbond’s uclinux tomorrow. At some point I have to stop obsessing. About to make a politically incorrect joke about obsessive/compulsive, and hacking. “What’s the difference…”; let me know if you can think of a good punch line.
    PCB pictures

    http://docs.google.com/leaf?id=0Bzqv7EjKjtaCOTQ3MGQ5MzktMzc3Mi00YmRkLThkNDYtMzMxMzIxNmMzMzhm&hl=en

    http://docs.google.com/leaf?id=0Bzqv7EjKjtaCYmM2MWExMmQtOGUyMC00MmVkLThkNzUtZjk0ZWQ0ODk2YzJm&hl=en

    BTW: I am having a problem fitting endian problems with the fact that some words come through correctly; linux.bin

  24. Raymond, we have the same camera hardware.

    I’ve spoken to the factory, Foscam is one of their clients they OEM for. So the clones are not clones, but the real thing, just unbadged.

    I’ve also been in contact with Maverick Gao (thanks to the wonders of Google), and can probably ask him a few tech questions if anyone has. He didn’t really want to talk much though, and passed me off to someone else, so I suggest we do our dev work ourselves unless we get really stuck. Factory guys are pretty helpful, as long as can sell more product, they’re happy.

    I should be receiving an SDK sometime soon, and I can answer some of the questions you might have.

    If you look at the data sheets for the chips used (ARM5..), you’ll see why the rom formats are in that size too.

    http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm

    ROM build info here – http://www.nuvoton.com/NR/rdonlyres/6D3B8939-4393-42C9-A602-BD40775E0CC9/0/APP2000007MKROM.pdf

    We’re on kernel 2.4.

    First steps would be to compile an ARM7 binary, and add to the userland firmware, then test. I’ll play around with that tonight, as I only get time for these things after work.

    I have the CGI interface stuff if people want too. Will update my own blog with the files.

  25. [...] http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/ [...]

  26. For anyone building test binaries – ucLinux needs a flat binary.
    Hence the bflt headers.

    Even the current firmware linux rom build gets that wrong for some bits according to the kernel boot logs

    BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
    BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)

    Build tips here –

    http://www.ucdot.org/article.pl?sid=02/09/17/0044221

    We don’t really need to change the kernel stuff (yet), so making userland stuff should be fairly straightforward.
    I guess first step is a hello world, or add ssh access.

    I’m probably going to delete the OCX file for space – takes up 156kb (although less, as it should be a JFFS partition so compressed.)

    I’ll take a look at the existing files later.

    Kyle, do you want to contact me via email?

  27. Lawrence, Could you say who is the orginal OEM manufacturer for foscom cameras please ? Also, Could you please ask you contact in the factory if it is possible to add more IO ports to the hardware .. say 4 or so external trigger ports ? A schematics would be handy as well .

    Regards
    Thushar

  28. Thushar: Gardening and such.
    I’ve been thinking about your idea of using this as a general purpose controller.
    J6 on the PCB is apparently a USB port.
    Inserting a connector and bringing a cable out could provide the interface for an external storage device for images (i.e. standalone surveillance), or could work into
    EZ430-F2013

    http://focus.ti.com/docs/toolsw/folders/print/ez430-f2013.html

    which is $20, has plenty of I/O. You would still have to provide the interface conditioning; relays, ssr’s, and such.
    I can help with the MSP430 gizmo. I wrote a commercial design using it and I have one of the gizmos (I think). Unfortunately the product didn’t go anywhere commercially (:
    So the point is: compile in the USB support and install the connector.
    Unfortunately there are conflicting indications. The Winbond OS indicates that it expects the camera to be USB. If it is then the secondary USB needs a transceiver to be real USB. Working around this is not a problem for the EZ430; but setting up for USB storage would probably require the transceiver. This primary/secondary consideration is why I wanted the model number and manufacturer of the camera.
    And so on..
    Unfortunately I am not a liberty to do program experimentation on the camera I have. It’s dedicated for our “frac” security. I would have to buy another camera for experiments. Being in Mexico that is harder than you might think.

    Ray

  29. Ray, USB idea sounds great – But still we need to get hold of the firmware source and tool chain to build the USB support into the kernel.Hope we will get there soon

    Thushar

  30. Woops: I made a mistake with the USB ports (I was looking at the 173 pin 740 data sheet); the 745 has two independent USB ports that should work straight out; and I think the connector-less J6 is port 2.
    Ray

  31. I just looked at the EX430; it has 8 outputs capable of driving the triac.

    http://search.digikey.com/scripts/DkSearc/dksus.dll?Detail&name=MOC3023MFS-ND

    If you were to use these then make sure you put some protection diodes around the outputs to guard against power line spikes coupling back into the MSP430; they are real.

    Here are a couple of link with more elaborate interfaces:

    Except the 1:1 and Vreg indicate a special triac or high Vreg

    Anyhow..: The process would seem to be.
    Energize USB-2
    Add a cgi that takes an arbitrary string from the client and dumps it out to the USB; and vice versa. This would provide a means to program the MSP430 from the client (i.e. real computer).
    Add a handle into the calender scheduling to prompt the MSP430 to do something.
    Perhaps the ability to program and read the MSP430 through the camera is overkill; but it might be convenient to be able to update the MSP430 via the Ethernet port in a in-place installation. Or in my case via 802.11 .
    Kind of neat having a free USB port in/out of the camera. You could daisy chain cameras ethernet-usb-ethernet-usb …. (with some connector flimflam) . Furthermore there are relatively inexpensive usb modules to take measurements, produce analog out, and do digital I/O.
    You could have the fanciest garden system on the block. Schedule watering times based upon humidity and temperature and wind speed. Schedule your Christmas tree strings arbitrarily, turn lights and alarm systems on and off; and do it all from your iphone/ipad across the world:):)
    etc…. All through one camera!

  32. Oh yes; the EX430 ports support 10 bit A/D conversion.

  33. hi guy i have do some photo’s and some data sheet for this who can i email it to oh the circuit board as a model number on it IPCAM HW-YT02_V1 Thanks Dave

    • You could post them on google docs; but here is my email address
      rrogers@@plaidheron..com
      with the obvious correction.
      Above the EX430 entries should have been EZ430 from TI (sigh).
      Sorry about the u-tube clip; I don’t know how it got put in. In fact that arrangement works but the triac I listed from digikey has optical isolation built it; but also has the backcoupling possibility.

  34. Anyone with any updates on the firmware decoding ?

  35. @thushar, do a little footwork on your own.
    Most of what you asked is readily available.

    USB is enabled in the shipped linux firmware.
    The audio/wifi/camera all use USB for I/O

    A check of the data sheet for the CPU will show you what ports are available. Hint, most are in use.

    http://www.nuvoton.com/NR/rdonlyres/4894DE14-6EDF-40E3-8BF3-F208AF5A1BB9/0/NUC745ADN.pdf

    Check page 7.
    Some can be re-purposed though, eg GPIO5,6 (pin 10,11) are in use for serial out (for debugging purposes), but in theory could be set as additional IO pins, assuming you have some other way of talking to the embedded cpu (eg telnet or similar).

    We do have working i2c, serial, and other i/o ports anyway..

    Data sheet info and rom build info is on the Nuvoton website, which is also linked on my blog post on my site.

    I need to wait for a second unit before I make any changes to mine, so it will be a few days before I get to do anything other than in a dev environment.

    Suggest you setup a Debian box, and install the relevant UC Linux cross compiler tools.

    The hardware manufacturer for these is Shenzhen based, url is http://www.sznv.net/

    @Roger – not sure we have the same chipset, mine is the 128pin Arm7 745ADN from Nuvoton. Its the same as a Winbond W90N745 (hence the firmware identifying as that in the boot room).

    As I’ve said before, no current need to change the Linux partition – it works ok. Only real need right now is some extra binaries in the home rom.

    Linux firmware (uclinux) is pretty much in the same place as the default –

    (Image 7)
    base address is 0x7f020000
    load address is 0x8000

    Again, I don’t think we really need to mess with it.

    Its a pretty standard build, we don’t have JFFS2 support built in (although we can if we roll our own)

    Strongly suggest for dev work, either get a ARM7 board to play with, or hook up the serial debug port on the camera, and DON’T MESS WITH THE BOOTLOADER!
    The more adventurous can hook up JTAG – that seems to be readily available on my board at least, as is serial, which is nice.

    Bootloader gives us a way to recover if we make a bad image…

    Our basic specs:

    W90N745 application Core Module:
    MCU: Winbond/Nuvoton clone ARM7TDMI based W90N745 operating up to 80MHz Freq.
    USB: One USB1.1 Host + one Slave
    UART: A TX/RX signal only UART port (UART0) for debug console. Another UART port
    supported with Male type connectors by W90N745’s UART interface.
    Network: A 10/100Mbps Ethernet port supported with DM9161E (PHY) by W90N745’s
    RMII interface.
    JTAG: 14-pin JTAG debug interface.

    Anyone have a copy of the W90N745.tar.gz BSP dev files?

    Most of the sites that have it aren’t accessible easily from China which is annoying.

  36. Sorry guys, haven’t had much time to play with the camera the last few days. Been a crazy-ass week. Lawrence, does your camera have WiFi? I hope our second USB isn’t being used by the WiFi… I’m going to order my additional cameras today. I don’t know how much additional time I’ll have to play over the next week.

  37. “The audio/wifi/camera all use USB for I/O”
    I don’t know but my look-see says the audio uses the I2C port: pins
    44-48.
    Perhaps we aren’t talking about the same thing. When I say “USB” I mean Pins 1-8.
    Haven’t tracked down wifi/camera yet. Or whether J6/USB2 is shared.

  38. @Raymond Quite possible, I didn’t look at the chip pin outs, was looking at the boot log off dmesg

    Winbond Audio Driver v1.0 Initialization successfully.
    usb.c: registered new driver hub
    add a static ohci host controller device
    : USB OHCI at membase 0xfff05000, IRQ 15
    hc_alloc_ohci
    usb-ohci.c: AMD756 erratum 4 workaround
    hc_reset
    usb.c: new USB bus registered, assigned bus number 1
    hub.c: USB hub found
    hub.c: 2 ports detected
    usb.c: registered new driver audio
    audio.c: v1.0.0:USB Audio Class driver
    usb.c: registered new driver serial
    usbserial.c: USB Serial Driver core v1.4

    _____ ____ _ ____
    |__ / _| _ \ / \ / ___|
    / / | | | | | |/ _ \ \___ \
    / /| |_| | |_| / ___ \ ___) |
    /____\__, |____/_/ \_\____/
    |___/
    ZD1211B – version 2.24.0.0
    usb.c: registered new driver zd1211b
    main_usb.c: VIA Networking Wireless LAN USB Driver 1.13
    usb.c: registered new driver vntwusb
    usb.c: registered new driver rt73
    dvm usb cam driver 0.0.0.0 by Maverick Gao in 2006-8-12
    usb.c: registered new driver dvm
    dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
    usb.c: registered new driver dvm usb cam driver for sonix288

  39. Thank you Lawrence

    These manufactures are supposed to provide the source code of the firmware to honur the GPL license terms of Linux – Then why they are not ?

    Any one with any progress on the core firmware hacking ?

  40. hi guy i have found out that i have a 2 mb samsung sdram chip on my canera i think i’am going to desolider the chip and putting a 8 mb chip on the board i have lokked at the pins and they are the same do you guys think this will work, the reason for this is when i try to upload the web ui it crashes half way throw the install like it has not got enought memory, thanks dave

  41. The chip on mine is a Winbond W9812G61H-6

    According to the data sheet, that 2M X 4 BANKS X 16 BITS SDRAM @ 3.3V
    166MHz/CL3

    Data sheet is here – http://jp.ic-on-line.cn/IOL/datasheet/w9812g6ih_4223255.pdf

    If you have serial, can you check your bootloader setup to see what rom size you have.

    Over serial – power up the device, wait for the uBoot prompt, press ESC to get in, then type “ls” and press ENTER

    eg

    bootloader > ls Image: 0 name:BOOT INFO base:0x7F010000 size:0x0000FFCC exec:0x7F010000 -f Image: 1 name:romfs base:0x7F020000 size:0x0009D400 exec:0x00700000 -ac Image: 2 name:linux base:0x7F0C0000 size:0x000E8250 exec:0x00008000 –acx

    I need a paste of yours (Note: thats a sample ls above, not from our device)

    I’d also like someone working on a “Foscam” to do the same if possible – eg Kyle?

    I’ll have more info on my own blog later, including some hi-res shots of the board.

  42. hi there lawrence qis this what you are after

    W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Aug 19 2009
    Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
    Board designed by Winbond
    Hardware support provided at Winbond
    Copyright (c) Winbond Limited 2001 – 2006. All rights reserved.
    Boot Loader Configuration:

    MAC Address : 00:30:10:C1:D0:39
    IP Address : 0.0.0.0
    DHCP Client : Enabled
    CACHE : Enabled
    BL buffer base : 0x00300000
    BL buffer size : 0x00100000
    Baud Rate : -1
    USB Interface : Disabled
    Serial Number : 0xFFFFFFFF

    For help on the available commands type ‘h’

    Press ESC to enter debug mode …

    bootloader > ls
    Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
    Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0x00008000 -acxz
    Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

  43. Cache enabled!
    Processing image 1 …
    Processing image 2 …
    Processing image 3 …
    Processing image 4 …
    Processing image 5 …
    Processing image 6 …
    Processing image 7 …
    Unzip image 7 …
    Executing i
    Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #953 ÈÕ 8ÔÂ 16
    05:23:09 CST 2009
    Processor: Winbond W90N745 revision 1
    Architecture: W90N745
    On node 0 totalpages: 2048
    zone(0): 0 pages.
    zone(1): 2048 pages.
    zone(2): 0 pages.
    Kernel command line: root=/dev/rom0 rw
    Calibrating delay loop… 39.83 BogoMIPS
    Memory: 8MB = 8MB total
    Memory: 6292KB available (1429K code, 286K data, 40K init)
    Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
    Inode cache hash table entries: 512 (order: 0, 4096 b
    Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
    POSIX conformance testing by UNIFIX
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd
    Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options en
    abled
    ttyS00 at 0xfff80000 (irq = 9) is a W90N745
    Winbond W90N7451 Serial driver version 1.0
    nabled
    ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
    I2C Bus Driver has been installed successfully.
    Blkmem copyright 1998,1999 D. Jeff Dionne
    Blkmem copyright 1998 Kenneth Albanowski
    Blkmem 1 disk images:
    0: 7F0E0000-7F16CFFF [VIRTUAL 7F0E0000-7F16CFFF] (RO)
    AM29LV160DB Flash Detected
    01 eth0 initial ok!
    which:0
    PPP generic driver version 2.4.2
    Linux video capture interface: v1.00
    Winbond Audio Driver v1.0 Initialization successfully.
    usb.c: registered new driver hub
    add a static ohci host controller device
    : USB OHCI at membase 0xfff05000, IRQ 1590P745 Boot Loader [ Version 1.1 $Revisi
    hc_alloc_ohci
    usb-ohci.c: AMD756 erratum 4 workaround 19 2009
    Pro
    hc_resetinbond W
    usb.c: new USB bus registered, assigned bus number 1
    Initializing RT netlink
    hub.c: USB hub foundrchitecture: W90N745
    hub.c: 2 ports detected
    usb.c: registered new driver audioes: 2048N745 Serial driver version
    audio.c: v1.0.0:USB Audio Class driver
    zone(0): 0 pages.oard de
    usb.c: registered new driver serial
    zone(1): 2048 pages.c: USB d
    usbserial.c: USB Serial Driver core v1.4re
    zone(2): 0 pages.at Winbond=-

    _____ ____ _ ____
    Kernel command lin
    |__ / _| _ \ / \ / ___|nd Limited 2001 – 2006. All
    / / | | | | | |/ _ \ \___ \
    / /| |_| | |_| / ___ \ ___) |y loop… 39.83 BogoMIPS Drive
    /____\__, |____/_/ \_\____/
    |___/
    Fo
    Blkmem copyright
    IP Add
    usb.c: registered new driver vntwusbtable entries: 1024 (order: 1, 8192
    usb.c: registered new driver rt73Enabled0D0000-7F159FFF [VIRTUAL
    dvm usb cam driver 0.0.0.0 by Maverick Gao in 2006-8-12
    usb.c: registered new driver dvmries: 512 (order: 0, 4096 b
    dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20

    Architec
    Blkmem copyright 1998 Kenneth Albanowskie
    usb.c: registered new driver dvm usb cam driver for sonix288
    Mount-c
    Blkmem 1 disk
    NET4: Linux TCP/IP 1.0 for NET4.0
    USB Mass Stora
    z
    IP Protocols: ICMP, UDP, TCPAL 7F0E0000-7F16CFFF] (RO)es
    IP: routing cache hash table of 512 buckets, 4Kby

    [8]
    Command: sherial.c: US

    Sash command shell (version 1.1.1)d8A000 exec:0x7F
    /> no support
    new USB device :807dce04-7e864090N

    _____ ___
    hub.c: new USB device 2, assigned address 2
    idVendor = 0x148f, idProduct = 0x2573|: mount -t proc none /procing

    Wait for auto-negotiation complete…ResetPhyChip Failed| | | | | |/ _ \ \___ \

    • David,

      I appreciate the enthusiasm and effort, but I’m not sure what the purpose of your post is. Based on your earlier posts, it looks like you’ve got 8MB of memory now? Sorry, but without any context of what’s significant about your post, it’s essentially noise.

      [Edit] –Nevermind, my bad. I see that Lawrence had asked for that, for comparisons. Sorry, guys; been crazy lately, and no chance yet to recover.

  44. This is good info.

    I’ll hopefully be able to do a comparison of your size firmware with mine. Also note that we can rip the current firmware off the device to a file – We know where it starts and ends.

    Image: 0 name:BOOT INFO base:0x7F010000 size:0×00000038 exec:0x7F010000 -af

    [Image 0 is 38 bytes (small!).
    Boot info is not the bootloader - 38bytes is way too small for that.
    It actually stores our bootloader config settings.
    eg ip address, cache setting, boot loader buffer address etc
    -af indicates Active (a) , and is a Filesystem image (f)]

    Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0×00008000 -acxz
    [Image 7 is our OS - Linux 2.4.20 ucLinux Not sure why Maverick didn't build on 2.6, there is more hardware support. Probably time dependant - 2.6 may not have been available, plus the Nuvoton sample code is also 2.4 based...

    -axcz says active (a) executable (x) copied to ram (c) compressed (z) ]

    Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a

    [Our rom image - aka userland stuff. This is where we'll be putting our own code. Looks like its stuck quite high up in the flash, although doesn't need to be given size of the Linux rom. We have plenty of room available.

    We'll need to make appropriate changes to Image 6 size on flashing

    -a says active partition.]

  45. Kyle – you almost worked it out when you checked out the rom in comment midway.

    I’ve managed to work out how the main firmware file is packed.
    Seems like we have a 20 byte header, then a Zip file.

    Post zip file we have the rom (as you noted). This is probably a linux filesystem I guess, so we could try mounting it maybe?

    I’ll play around with that tomorrow, as its late here (4am+-).

    Current progress on my blog – should make interesting reading for you all…

    • Very Cool! I kept seeing that ‘PK’ in there, I just couldn’t make the connection to PKZip. Nice Work! Hopefully I’ll get a chance to play around in the next few days and expand on ‘fostar’.

  46. Decided to keep going.

    The -romfs- bit is the start header for the filesystem as I suspected.
    Its in… romfs format.

    I couldn’t get it mounted yet, as my mac doesn’t support romfs, but I think I’m there.

    Kyle – you want to take a look at what I’ve updated on the current post, and see if you can mount that?

    I can email you the file if needed.

    • I think I can manage the file extraction from the notes on your blog.

      Unfortunately, my linux machines are all at home, so I won’t be able to play around for a few more hours, at least.

  47. Got it mounted!

    Forgot I had a Debian VM I installed the other day.

    Matches perfectly with what we have in the actual filesystem on the device, so I think we’re totally ready to go.

    So, we know how the main linux image is built +-, and we can regenerate the romfs using genromfs, so its going to be easy work to add in a ssh or other binary so normal people can play (i.e. by not having to solder stuff onto the board).

  48. Working on getting some user binaries now.
    Notes on setting up the dev environment on my blog now.

    Quite pleased with my progress, although I won’t be building any images until next week or so, as the physical hardware is at the office.

    Hopefully someone else will follow what I’ve done, and try out creating some ARM7 bFLT user binaries, add to the extracted ROMFS, then regenerate it with genromfs, and try flashing that using the boot loader.

    Hinty hint hint.

  49. Well what a step forward, i,m installing vm ware right now can not wait to get stuck in now thanks guy anybody do a image i will be the first to test it thanks dave

  50. Have made a test image. You’ll need to know what you’re doing to test though, so only really valuable if you’ll give feedback to me.

    http://www.computersolutions.cn/blog/2010/05/ip-cam-hacking-%E2%80%93-pt6/

    I’m having issues getting to most foreign sites that I would use for reference (including this one). GFW blows…

    • Lawrence, I brought my linux laptop to the office today. Last day before my project deadline, so things are slowing down. Hoping to get a chance to play around with some code today. I’ll look over your image and let you know what happens.

  51. Hey all, I uploaded new code onto the foscam-util sourceforge.net page, that allows packing/unpacking of the system firmware file. I’ll post a new entry soon enough that goes into the details. But between this new code, and the amazing work that Lawrence has done figuring out how to access and rebuild the romfs image and recompile the linux.bin, you should have everything you need.

    http://sourceforge.net/projects/foscam-util/

    I’d suggest you just do this (complete with makefile):

    svn co https://foscam-util.svn.sourceforge.net/svnroot/foscam-util/trunk foscam-util

  52. I’m trying to get this cam to work with the software, SecuritySpy. Securityspy said to try contacting Foscam and asking for the HTTP request required by the camera, which can then be entered into SecuritySpy manually.”

    Can anyone help me with this?

    Thanks

  53. Wozzy
    Try http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CBIQFjAA&url=http%3A%2F%2Fwww.drivehq.com%2Ffile%2Fdf.aspx%2Fpublish%2Fbubbah%2FPublicFolder%2FIPCAMCGISDKV1.7.pdf&ei=1-TmS7bDNJewMpG8-IQI&usg=AFQjCNEKsAey6N_qqPw9CPd-Na5EGD1xOQ&sig2=Yzqw0I-rc2sHXZhkpTuLfw
    Or more succinctly google : IPCAMCGISDKV1.7.pdf

  54. Perfect. Exactly what I needed. Thanks so much!

  55. Hi guys!
    I have a Foscam FI8908W and I love it I think it has some great features. Of course I would love it if the firmware could record in XviD or H264 and then delete files over a designated time frame like a week or so as not to bogg down my 1 Terabyte network drive. The other issue is the Web UI must be open to keep recording, another problem I encountered
    To explain what I’m trying to do so this comment makes sense: I have a La Fonera 2.0N router that has a USB port of which I’m using to record to a Terabyte hard drive, it works just like any old network drive, of course at great cost savings over a decent d-link network drive setup, besides I can attach a USB hub to it and do other things as well. My whole point of doing so is to save the energy of not having to run a PC 24/7 to surveil my home. I contacted Foscam and they were very quick to respond and tried to be very helpful. Unfortunately Foscam doesn’t have a firmware that can compress video, and furthemore the firmware can’t delete data that is over a specified age. They didn’t seem to comment on another way that the Foscam can record “stand alon” as well. They DID say that they are working on those very things and hopefully in the near future we all can benifit from the new features.
    So, I have two questions for this thread.
    1) has anyone had any luck with any of these issues I’m encountering. Or, can someone refer me to a forum that might address such a thing.

    2) This may be far out, but I cam across a program called “Active Webcam” that has some wonderful features, unfortunately I can’t get my FI8908W to setup. Has anyone been able to get theirs to work?
    Thx for listening guys, I’m not a programmer so I try my best to follow exactly what you guys are doing here. I have great respect for all the efforts you putting into this project. And furthermore thanks for being patient.
    If anyone has any answers for me, can you go to my website http://www.BuonAppetitoProvidence.com and email me from my contact page?
    Thx

    -Pete

  56. Hi. foscam.c doesn’t work with foscam ebay clon firmware. This is the clon firmware if you want to test:

    http://liken.otsoa.net/pub/ipcamfirmware.rar

    I would like to have a firmware with telnet or ssh.

  57. Does anybody have experience with or suppliers of alternate lens for this type of camera? I need to zoom in a little. Apparently I need something described by 35mm; but I know nothing about whether this description means anything.

    • Raymond, most of these cameras have a standard M12x0.5 thread mount. I haven’t checked mine to know for sure, but I’ve seen other posts and comments around the web that suggest this is true. You can buy lenses from a variety of sources, include (of course) Ebay. Here is just one link from a Google for ‘M12 Lenses': http://peauproductions.com/store/index.php?main_page=index&cPath=4 (I don’t know anything about this company or if these prices are reasonable, etc. so do you’re homework!)

  58. I bought the kit

    http://peauproductions.com/store/index.php?main_page=product_info&products_id=2&zenid=b93d47ff174f4651974f40d701687452

    2.8mm-16mm Lenses (6 in total)
    to be able to try out various zoom settings for license plates. I will post the usage results when I receive and try them.
    Do too various things I actually bought them from BuyNow.
    Dealextreme had the best price though.

  59. In case anybody wants a simple control template for zoneminder, here is a thread

    http://www.zoneminder.com/forums/viewtopic.php?p=57137

    I am thinking about translating it, and other things, into javascripta; and making a control panel; after I get my new camera.
    Ray

  60. I have been a bit quiet on the update front, but i have gotten somewhere.

    I can *almost* toss out / replace the camera monolithic executable now, and use a proper http process plus some small executables to capture images using the standard /dev/video0 interface.

    I need to work out how to talk to the stepper motor stuff still (I’m guessing over i2c bus), but most of the groundwork is ready.

    Nothing releasable yet, as its not quite past barely working. I can capture a jpg off the cam via my own binaries now, so its alpha proof of concept.

    Probably by next week will have something with a web ui, assuming i get time.

  61. What are your opinions about generating a wiki type of technical document for this project (or whatever it is). There is a lot of information scattered around but it is a little disorganized.
    Something like:
    Extended hardware descriptions, including the paging scheme used by FOSCAM, arm and the boot. I have forgotten these things.

    Howto access the camera at the command line level; and hopefully open a terminal/console over ethernet.

    Software descriptions, compiling, options, source and binary.
    I was thinking of Google projects, or perhaps sourceforge has facilities so one person doesn’t have to do it all; but the result is organized.

    Thoughts?
    Ray

    • I think it’s a great idea. We could use the sourceforge project for my utilities. I’m on set for the rest of the week. Remind me in next week, and I can add you to the project.

  62. Hi all,
    I am new in the cam-world. I write hee to know where can I find the API for the Foscam?
    Thanks for the information!

  63. I have 2 clone foscam FI8908W Wireless IP Camera and the problem is that they have the same mac adress so on my Lan i can not see both of them.
    Is there any solution for that problem ?
    Thanks

    • you could fix the ip addresses on the cameras (so they are different). not ideal but might work, although your router may get a bit confused from time to time. you might have to change the port settings on the cameras so that they are different and then put port forwards on your router, that might help.

  64. hmmm…I smell open source firmware brewing here and that makes me feel goood…
    I think the hardware is pretty capable in these little cammies. The software side of things…well, that needs work…
    I wish I could help out but unfortunately my coding skills are practically non-resistant :(
    I’m a pretty good user tho…
    Cheers.

  65. I meant non-existent…stupid auto spell correction :lol

  66. Thanks ComFos
    Well is it so difficult to change the mac address ?

  67. HI
    the latest WebUI “firmware” has extra 8 bytes in header (the first 8 bytes). Couldn’t figure out what they’re about. Any thoughts?

  68. Great work guys. I’d love to get involved with this.
    I’ve got a clone camera (FS-618A-M136).

    I’m a bit confused at the moment though. I’ve heard various conflicting reports about these clones. Some people say they’re identical to the Foscam, even to the point of being firmware compatible. Yet other people are warning that flashing clone firmware onto a non-clone or vice-versa will brick the device. Which is correct?

    Will fostar.c from the sourceforge page work with my camera or am I going to have to figure out modifications?

    Thanks.
    Simon

    • I don’t know the answer to your question, since I don’t have any experience with your camera. Chances are, if you can unpack the firmware files with fostar, you should also be able to reassemble them. So, it should be an easy test to run the program on your firmware files, and see what happens.

      In my experience so far, it seems that most clone cameras are very similar, though not identical. Some may work, some may not. Some differences are as simple as the size of the NVRAM on the main board. Other differences are as significant as different IO ports to communicate with the camera, meaning that a binary that works on one camera may load on another, but not perform as expected. Others could load via the firmware, but crash as soon as the software is actually loaded. Unfortunately, without some first hand experience with specific cameras, taking them apart, seeing what electronics are inside, and testing the software/firmware, we won’t ever know.

      Of course, the best way to get involved would be to start by trying the tools on your camera, and see what you can figure out. If it works, document it… if it doesn’t, document that as well, and then we can work to figure out what is different and how to fix it.

  69. I just got my 8908w clone from dx yesterday, I attempted to flash to the latest foscam firmware and ended up bricking it.

    I hooked up the jtag. It looks like I have the one with the smaller flash/ram.

    W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Aug 19 2009
    Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes

    I started following the directions to recover it (11.14.1.37). I was able to flash the main and linux.zip no problem. rebooted fine. Then I tried loading the webui through the ipcam tool. It loaded, but the ipcam tool never saw it again. I rebooted the camera and it pops back up in the ipcamtool, but still says no webui detected. I tried updating it again, and watched the terminal this time. Right after flashing, some stuff pops up in the terminal then this code pops up and locks up the camera.

    “Code: 4282c004 4a00001b (e4913004) e4a03004 e1a0ca00 ”

    I tried web versions from 2.4.8.8 – 2.4.8.14

    I tried for hours last night trying various firmwares and addresses. Has anyone successfully flashed a 8908 with the smaller memory/flash?
    If so, what address and firmware did you use?

  70. I’m back in a country where I can read this blog again ;)

    I’ve spent the last week working on notes and documentation on the camera stuff on a new url here – http://www.openipcam.com

    Feel free to add comments and follow my work on there.

    Currently I’m rebuilding the compiler toolchain for a newer GCC, and making my own kernel.

    I should have a generic firmware for the units in a while, I’m almost done doing the boring prep setup work ;)

  71. Hi,
    has a big problem with clone fosca camera, I tried a few firmware or i / o error or i2c error. at this link some photos of the boards and boxes. If anyone of you have similar or knows a solution please help. http://img16.imageshack.us/g/20110207014.jpg/

  72. I’m pretty much done now with all the pieces.

    Have my own kernel, network, various wifi drivers etc going, all the tools that are needed are ready, just need to compile up the cam driver, and I’m good.

    Looking at setting up okpg to make it a bit modular so i can do something like openwrt and have a webserver install things like additional wifi drivers on the fly as needed, but basically all the pieces are done now, just need to put it all together.

    It even fits nicely in the 2M flash, which is a surprise.

    Took me 2 1/2 weeks to get it done though!

    I’ll even have a surprise new feature for the camera :)

    More info at the http://openipcam.com site

    I still need to work on the PTZ functionality, but thats the last on my list of things I want to get done.

    Quite happy with my progress to date though.

    Lawrence.

  73. You can also have a look at: http://fwhacking.blogspot.com/search/label/fi8908w

  74. Hi. Thanks for the great job!!!
    So. How can I get all CGI-files?

  75. I have the same problem. everst

    everst said:
    has a big problem with clone fosca camera, I tried a few firmware or i / o error or i2c error. at this link some photos of the boards and boxes. If anyone of you have similar or knows a solution please help. http://img16.imageshack.us/g/20110207014.jpg/

  76. I have a clone camera, and was wondering if anyone had looked into:
    1) limiting patrol angle; i.e., HL30 to limit left horizontal patrol to 30deg instead of the full 135deg, so that the camera is not scanning a wall, obstruction, etc. Ideally, you could set independent patrol limits for all 4 axes…
    2) motion tracking – once motion is detected, use PT functions to track the motion.

  77. Has anyone been able to figure out the format of the MO_V data? Were trying to make a viewer for the video stream?

    • did you ever get anywhere on this?

      My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that Sunshine iPhone app and a couple others are successfully extracting the audio, however we cannot duplicate it. We believe its in the Mo_V http header packet and that its using G.726. Can anybody help us here. We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.

  78. Kyle, I hope you are still monitoring this thread. Could you please contact me? I would like to speak with you about some consulting work for these foscams. It is a very time sensitive project.

  79. [...] ook interessant is aan deze camera, is dat het draait op Linux. Zo zijn op Internet al enthousiastelingen te vinden die gestart zijn met het hacken van de firmware. Dus op dit moment of in de nabije [...]

  80. Have you guys tried putting any cameras on Sensr.net? It’s a free service for monitoring, saving, and sharing IP cameras. The site is built around always-on network cameras, and it store all the motion events from your cameras so you can share them with friends and family easily.

    It works great with Foscam models, and their network camera blog has guides on how to set up the Foscam FI8905W and how to configure the Foscam FI8918W if you get stuck.

    http://blog.sensr.net/2011/02/08/configure-your-foscam-fi8918w-for-ftp/

  81. hi is there a possibility to stream video from foscam through RED5 server ? does any one did that?

  82. did anyone have any joy with a zoom lens? i love this camera but it needs to be able to zoom a bit as i cant mount it close enough. id love a remote controllable zoom but i guess thats close to impossible, a manual zoom would be fine. please let me know!

    i have the FI8918W

  83. Is there any way to secure the remote access better than running basic HTTP username/password authenticatioon in the Open (via DDNS domain name) to the camera via Transport Layer Security / HTTPS ?

    Can the cemera bulit in web server be somehow restricted to only accept request traffic from certain source IP adresses / MAC addresses?

    • I have a remote VPN that goes to an external server, this server then has Apache2 running which proxies traffic to the camera through the VPN. So TLS to the Apache2 instance on my server, then securely encrypted to my home network and the camera.

  84. Hi! Any idea to change the CSS WebUI? Thx!

    AD

  85. Just for your information, the MO_V packets for images are actually .DIC files (http://filext.com/file-extension/DIC). You can identify it’s header looking for the string “.DIC” at the start of the packet (offset 0x61).

    I’m creating myself a dictionary for the FOSCAM IP Cams native protocol. As soon as I get enough information to play around with it I’ll post the link here.

    • Vinicius, I see you are delving into the MO_V code. I was wondering if you can tell me where the audio portion is so I can extract it.

  86. Ok, some enlightment already: In the MO_V packet, look for the JPEG header FF:D8, at offset 36 (0x24). From this header on, this is a plain JPEG file.

  87. Hello, I see that you guys are trying to get into the Foscam camera. My colleague and I have tried everything we can think of to try to extract the audio from the camera onto our iphones or androids. We know its in the MO_V, its G.726 but we cannot seem to extract the data. We wiresharked it and still are having a tough time pulling the audio out. Please HELP!

    • Hi there! The audio is probably in RAW format. You can reproduce it in .NET using some audio library like the NAudio library. The settings would be:

      Format: PCM
      Sample Rate: 16khz
      Channels: 1
      Avg Bytes per Second = 32kbps
      Block Align: 2
      Bits per Sample: 16

      The code in .NET would be something like this:

      ========================================

      _wavePlayer = new WaveOut(WaveCallbackInfo.FunctionCallback());
      _bufferedWaveProvider = new BufferedWaveProvider(
      WaveFormat.CreateCustomFormat(WaveFormatEncoding.Pcm, 16000, 1, 16000 * 2, 2, 16)
      );
      _bufferedWaveProvider.BufferLength = 12000;
      _bufferedWaveProvider.DiscardOnBufferOverflow = true;
      _wavePlayer.Init(_bufferedWaveProvider);

      =========================================

      Regards,

      Vinicius

      • Thank you for taking the time to respond. your comment was very helpful!

  88. Ok, this is a draft of what I got so far by sniffing the network packets. I actually have a PowerShell script which discovers and get some jpegs from the camera. These data were taken from my test environment.

    Sorry for the poor format. As I said before, this is just a draft.

    Hope it helps other devs.

    ===============================================

    Header Length = always 23 bytes
    Header Offset 4 = Command ID
    Header Offset 15 = (word) Data length

    Data Offset always start at offset 23.

    Send (Hello)

    4D 4F 5F 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    MO_O……………….

    Receive (Kind of “Hello Back” + Camera MAC)

    4D 4F 5F 4F 01 00 00 00 00 00 00 00 00 00 00 1B 00 00 00 1B 00 00 00 00 00 30 30 30 44 43 35 44 30 34 37 46 31 00 00 00 00 01 00 00 00 00 0B 0E 02 1C
    MO_O…………………000DC5D047F1………….

    Send (Authenticate)

    4D 4F 5F 4F 02 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 1A 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 63 32 48 37 69 66 33 36 00 00 00 00 00
    MO_O……………….admin……..c2h7if36…..

    Data Offset 0 = username (13 bytes)
    Data Offset 13 = password (13 bytes)

    Receive (Kind of Authentication OK)

    4D 4F 5F 4F 03 00 00 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 00 00 00 02
    MO_O………………….

    Send (Get Configured Cameras?)

    4D 4F 5F 4F 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    MO_O……………….

    Receive (Configured Cameras missing the first charater for everything.)

    4D 4F 5F 4F 1C 00 00 00 00 00 00 00 00 00 00 80 04 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 6C 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 32 2E 31 36 38 2E 32 2E 31 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 6D 69 6E 00 00 00 00 00 00 00 00 00 32 48 37 69 66 33 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 65 70 6C 65 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 39 32 2E 31 36 38 2E 32 2E 31 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 6D 69 6E 00 00 00 00 00 00 00 00 00 32 48 37 69 66 33 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6E 6F 6E 79 6D 6F 75 73 00 00 00 00 00 00 00 00 00 00 00 00 00 39 32 2E 31 36 38 2E 32 2E 31 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 6D 69 6E 00 00 00 00 00 00 00 00 00 32 48 37 69 66 33 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    MO_O………..€…€……………………………………………………………………………………………………………………………….ale………………92.168.2.11………………………………………………..dmin………2h7if36………………..epler…………….92.168.2.13………………………………………………..dmin………2h7if36………………..nonymous………….92.168.2.14………………………………………………..dmin………2h7if36…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….

    Send (Get video token or something like that)

    4D 4F 5F 4F 04 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 02
    MO_O………………..

    Receive (Command 0x11?)

    4D 4F 5F 4F 11 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 00 00 00 20 60 04 02 02 03 00 00
    MO_O………………. `……

    Receive (Generated Video Token)

    4D 4F 5F 4F 05 00 00 00 00 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 19 E8 FC 6A
    MO_O………………….èüj

    Data Offset 2 = Video Token

    Send (Start sending video)

    4D 4F 5F 56 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 19 E8 FC 6A
    MO_V………………..èüj

    Data Offset 0 = Video Token

    Send (Command 0x07?)
    4D 4F 5F 4F 07 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 00 00 00 00
    MO_O…………………..

    Receive (Sequence of jpegs or jpeg chunks. Not fully tested)
    4D 4F 5F 56 01 00 00 00 00 00 00 00 00 00 00 4F 40 00 00 4F 40 00 00 24 CA 24 16 1A 4C A4 4F 00 42 40 00 00 FF D8 FF DB 00 84 00 0A 07 07 08 07 06 0A 08 08 08 0B 0A 0A 0B 0E 18 10 0E 0D 0D 0E 1D 15 16 11 18 23 1F 25 24 22 1F 22 21 26 2B 37 2F 26 29 34 29 21 22 30 41 31 34 39 3B 3E 3E 3E 25 2E 44 49 43 3C 48 37 3D 3E 3B 01 0A 0B 0B 0E 0D 0E 1C 10 10 1C 3B 28 22 28 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B 3B FF C4 01 A2 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0A 0B 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0A 0B 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1 15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09 23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF C0 00 11 08 01 E0 02 80 03 01 21 00 02 11 01 03 11 01 FF DA 00 0C 03 01 00 02 11 03 11 00 3F 00 E1 01 A0 9A D4 CC 39 A3 AD 20 F4 0E FE D4 B4 C0 3B D2 D0 16 03 DA 94 1A 37 10 B4 A3 A5 03 B0 BC 62 9C 3A 51 E8 01 4A 3D E8 1F 41 73 F9 53 E5 91 A5 60 CC 00 20 63 81 8A 2C AF 71 A9 B5 17 1E E3 78 E9 4A 29 91 60 A5 07 8A 10 C5 06 94 1E 31 40 0A 09 A5 0D 4C 5B 06 69 73 DA 96 C1 61 05 28 EB ED 4C 18 B9 E2 80 69 05 B4 0C F3 45 00 14 0A 00 3B D0 29 80 71 40 C5 20 02 29 A4 71 40 08 01 ED 41 A0 60 45 37 14 5C 00 F1 DA 93 3E B4 74 01 28 CF 3C 52 01 28 3D 38 A0 04 E6 90 9E 94 B4 01 29 3B 50 30 A2 80 18 7D A9 28 01 0D 25 02 1A 33 48 7A D0 31 0D 18 F6 A1 30 B8 9D BA 51 C6 69 00 52 52 18 51 4C 40 28 A0 02 8A 00 28 A4 02 52 D3 01 D9 A5 FA D5 74 00 ED 47 23 9A 40 83 34 1C 91 4C 03 AD 3B B5 00 02 94 52 B8 85 A7 0F 4A 3C 80 3A 11 4B DB AD 30 4C 70 E9 4B E9 48 60 38 A5 A2 E2 17 A7 D6 94 7A 53 01 71 48 3A D0 98 0B 4A 29 DC 05 14 A2 81 5D 0B DA 8A 13 05 B0 0E 94 A2 81 89 46 68 B8 AE 19 A3 9A 00 01 C5 1B 8D 00 19 34 02 7D 68 18 7E 34 99 A0 10 BB BD E9 32 68 0D 84 DD 8A 33 EF 45 C1 58 4C D1 45 C0 4A 09 A5 70 42 0A 53 C7 6A 57 0B 0D EE 29 68 01 A4 7B D2 1A 2E 31 28 A0 04 3D 29 31 40 09 8E 29 3B 50 C4 36 92 8B 80 84 52 77 A3 A0 C0 83 49 ED 4A FD 80 43 40 A5 76 1B 09 DE 8A 00 28 A0 04 E2 8A 2E 02 D1 40 08 3A 51 8A 3A 00 51 8A 00 7D 1D AA AE 80 06 71 48 29 80 A2 8F 40 28 15 80 00 3B D2 9A 57 05 D8 55 E9 4E A1 85 C5 14 A3 8A 04 28 A5 1C 53 1D 85 A5 A0 2C 28 A5 1D A9 6C 16 16 97 3E 94 EE 16 00 69 46 28 EB A0 00 E2 8A 62 16 97 BD 2D C7 60 E2 94 71 4C 05 CD 26 45 00 06 81 8A 05 D0 0F B5 03 1E 94 26 09 5C 4A 38 A0 10 B4 82 8D 02 C1 FC A9 28 B8 05 1D A8 D0 62 76 A5 A2 E2 13 8C D1 48 00 E3 14 83 8A 16 C3 0A 4E D4 80 43 45 00 21 34 94 0D 01 A4 A2 E2 B0 9D 45 14 AE 82 C1 4C 23 F2 A3 70 0A 4A 00 6E 29 08 A2 E3 42 1E D4 86 90 06 38 A4 A3 A8 82 8A 34 1D 84 EF 4B 40 09 45 00 1C 51 D2 80 0C D2 77 EB 42 18 B9 14 99 A0 56 1F 47 6A A0 0A 3F 95 1A 09 00 EB 45 08 6B B0 B4 53 01 C3 1C 53 85 16 13 01 4E FA 52 0B 80 C5 3B E9 4E C0 B7 14 F4 14 A2 81 85 38 52 01 78 18 A0 70 31 40 85 A3 8F 5A 6B 40 B0 A2 8A 10 83 D2 9D 8E 45 30 01 4A 28 18 52 62 98 AC 28 1C 51 C7 A5 21 D8 43 ED 47 6A 00 4F 6A 51 47 40 10 51 40 74 B0 0A 0D 2B 85 82 81 F4 A0 04 EF 47 4A 2F A8 58 3B F4 A0 D0 02 0A 29 00 52 71 40 06 68 CD 16 01 A6 8F A5 03 12 92 80 01 49 DE 86 16 10 D2 1E 94 6C 21 BE D4 52 01 0F B5 37 93 D6 8D 83 A0 98 A0 81 40 C6 D1 DA 90 05 14 00 52 0A 00 4F AD 03 02 81 86 7D A8 E3 BD 00 19 F4 A4 A0 00 50 68 0B 12 76 A4 A6 20 1E D4 B4 F4 00 1D 29 71 CD 17 B0 06 28 14 C0 70 1C 52 AF 4A 5D 00 5A 70 E9 42 10 0A 77 E3 40 5C 5F 41 4B
    MO_V………..O@..O@..$Ê$..L¤O.B@..ÿØÿÛ.„………………………#.%$”.”!&+7/&)4)!”0A149;>>>%.DIC;………..;(“(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ÿÄ.¢………………………………………………………………..}……..!1A..Qa.”q.2‘¡.#B±Á.RÑð$3br‚…….%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖ×ØÙÚáâãäåæçèéêñòóôõö÷øùú…………….w…….!1..AQ.aq.”2..B‘¡±Á.#3Rð.brÑ..$4á%ñ….&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz‚ƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖ×ØÙÚâãäåæçèéêòóôõö÷øùúÿÀ….à.€..!…….ÿÚ……….?.á. šÔÌ9£­ ô.þÔ´À;ÒÐ..ڔ.7.´£¥.°¼bœ:Qè.J=è.AsùS呥`Ì. cŠ,¯q©µ..ãxéJ)‘`¥.Š.Å.”.1@..¥.L[.isږÁa.(ëíL.¹â€i.´.óE....;Ð)€q@Å .)¤q@..íA `E7.\.ñړ>´t.(Ï<R.(=8 .搞”´.);P0¢€.}©(..%..3HzÐ1..ö¡0¸ºQÆi.RR.QL@( .Š.(¤.RÓ.Ù¥úÕt.íG#š@ƒ4.‘L.­;µ..”R¸…§.J”î..iF(ë .âŠb.—½-Ç`â”qL.Í&E..Š.Ð.µ..”&.\J8 .´‚.Áü©(¸..¨Ðbv¥¢â.ŒÑH.ã.ƒŠ.Ã.NԀCE.!4”..¤¢â°E.®‚ÁL#ò£p.J.n).¢ãB.Ԇ.8¤£¨‚Š4.„ïK@.E..QҀ.ÒwëB.¹.™ V.Gj .?•...ëE.k°´S.Ã.S…...NúR.€Å;éNÀ·.ô.¢…8R.x. p1@…£Zk@°¢Š.ƒÒŽE0.J(.Rb˜¬(.QÇ¥!ØCíGj.OjQG@.Q@t°..+…‚ô .ïGJ/¨X;ô Ð..).Rq@.hÍ..¦¥..’€.Iކ..Ò.”l!¾ÔR..µ7“֍ƒ ˜ @ÆÑڐ...R..O­..†}¨ã½..ô¤ .Ph..v¤¦ .Ô´ô..)qÍ.°.(.Àp.R¯J].ZpéB..wã@\_AK
    4

    Data Offset 0 = Image offset start (byte)

  89. Hey,
    This has been a great read as well as a tremendous help so thank you to everyone for your input….your awesome! ok now for the question i have, has anyone ever had a problem with their camera not able to find any wireless networks when using the “Original WebUI” because for some reason after having the camera hooked up working perfectly for 3 months, then being stored for another 5 months, i hooked it up and now it will not find my Wi-Fi connection or any other wireless network. I’ve tried using everything from “no security” to “wpa2 tkip-aes” even tried my old router and it is all the same! So i opened my camera from the bottom and checked that the antenna was connected, no change, switched it to the “aux” and same as before…. nothing! So no its back to the “main” placement like it was and I’m stuck, wondering if anyone has any suggestions for me. Any help would be appreciated greatly.
    Thanks,
    Spencer

  90. [...] Googling for “W90N745″ threw up a number of online sites about this camera (here, here and here) that pre-date my own investigations by a long shot — oh well! Mine is here for [...]

  91. Hi, just wanted to say, I enjoyed this post. It was funny. Keep on posting!

  92. Here are two generic browser interface examples, both with live demos. Both are free. For MJPEG IP Cameras: Click Here for MJPEG IP Cameras For H.264 Cameras: Click Here for H.264 IP Cameras

  93. First of all I want to say great blog! I had a quick question that I’d like to ask if you do not mind. I was interested to know how you center yourself and clear your thoughts prior to writing. I have had trouble clearing my thoughts in getting my ideas out there. I do take pleasure in writing however it just seems like the first 10 to 15 minutes tend to be lost simply just trying to figure out how to begin. Any recommendations or hints? Cheers!

    • Thanks. Short answer: just write. Start with “so today I was thinking…” And let your brain dump. The beauty of the digital age is you can edit and edit to your hearts content, until you are satisfied. Of course, you shouldn’t otherwise you’ll never post, but… Let your brain dump, then go back and figure out “how to begin” after you’ve finished.

  94. Go you geeks!!! The world would stop without you guys! While you are at it, put the brightness issue on the list of to do… thank you.

  95. The following will let you extract and mount the OS:

    7z e lr_cmos_11_37_2_46.bin
    mount -o loop linux.bin mount -t binfmt_misc

    • The above wasn’t quite right, but *this* works:
      export BINLEN=`od -A n -l -j 12 -N 4 ../lr_cmos_11_37_2_46.bin | awk ‘{ print $1; }’`
      dd if=lr_cmos_11_37_2_46.bin bs=1 count=$BINLEN skip=20 of=linux.bin.gz
      gzip -d linux.bin.gz
      dd if=lr_cmos_11_37_2_46.bin bs=1 skip=$(($BINLEN + 20)) of=fs.bin
      mkdir mount
      sudo mount -o loop fs.bin mount -t romfs
      you can then cd into mount/ to examine the files.

  96. Hello all,
    I seem to have brick my Tenvis IPRobot 3 after loading their frimware 1.1.6.2 that is linked on the tervis forums. They post it voids the warranty if you try the use their forum firmware. Contacting their support was disappointing in all they would say was the camera was now broken. After a few emails and pointing out the bootloader was still intact, they offered a discount for a new camera or to send the camara to china if I pay the shipping round trip. They would not help when I pointed out I could get into the boot loader myself. I found that J9 on the main board is the serial console and with a USB to 3.3v TTL, it works great. The baud rate is 38400 and the pin order is 3.3v, gnd, rx, tx on the pcb. They are using U-Boot as the bootloader. What I need help is is decoding their firmware file. It looks to have multi parts that I can see with a hex editor. The file has a .pk2 extension which is just their own extension. I have more data I have collected and would be happy to share it. Does anyone have any experience with the IPRobot3 or know of any websites that do? What I need are the bin files and the memory locations so I can load them via the bootloader.
    Thanks
    Robo

  97. Please remove “Contacting their support was disappointing in all they would say was the camera was now broken. After a few emails and pointing out the bootloader was still intact, they offered a discount for a new camera or to send the camara to china if I pay the shipping round trip. They would not help when I pointed out I could get into the boot loader myself” from my last post.

  98. […] I found a few very interesting sites: http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html http://www.computersolutions.cn/blog/2010/05/ip-cam-hacking-%E2%80%93-pt6/ http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/ […]

  99. […] http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/ […]

  100. Hello everyone!

    I am trying to play an audio file in the camera through native protocol..

    I have almost got it, but the audio quaility is not good enough..

    I send an audio file: ADPCM 8khz, 32kbs, mono.. in the TALK_DATA packets..

    I would appreciate any clue!!

    Thanks!

    Mai

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 26 other followers

%d bloggers like this: