Hacking the Foscam FI8908W
I recently bought a Wireless Pan/Tilt IP Camera in an effort to eventually replace all of the old 2.4GHz wireless cameras around the house, which have been ruthlessly stressing my Wireless B/G (also 2.4GHz) Internet. I found these cameras, and lots of reviews and articles about how good they are, despite their rather small price tag. In the world of P/T cameras, let alone IP cameras, you’d typically be looking at 2-3x the price for the next best thing. They aren’t perfect, but updated to the more recent versions of their firmware, they are great cameras that work almost equally well in Windows, OS X, or Linux. Top that with a company that is reportedly very responsive to customer needs, open documentation for protocols and APIs to manipulate the camera, and you’ve got the makings of a great product. You can read up on any number of reviews via Google, but I’ll link one in particular here.
Based on the title of this post, I suspect you’re not interested in which camera to buy… rather, you’ve already bought one and you’re wondering what else it can do. I did too. After a little searching around, I decided to download the latest firmware files and take a look at them under the proverbial microscope of the Hex Editor.
Foscam has two separate firmware files. One is a ‘core’ firmware, and the other is the ‘WebUI’. Immediately, it was clear that the ‘core’ firmware was a much more complicated beast; my current best assumption is that the file is a bona fide, honest-to-God self-extracting binary. I haven’t taken my camera apart yet to figure out which processor it’s running, but I suspect I’ll find an ARM processor inside. What I can tell from scanning the core firmware file is that the underlying OS which the firmware provides is, you guessed it, Linux. I like these Foscam guys more and more. I digress. About this point, I decided to go check out the other file.
The second file, the WebUI firmware, was much easier to tame. A few simple guesses about what the header information in the file meant, and a couple hours of validating my theories produced the following truth table.
Offset:      Data Type/Size:   Description/Value/Etc:
0x0000       INT32_LE          Size of file
0x0004       Byte[4]           Version Number, each byte a min/minor value (2.4.8.12)
0x0008       Char[21]          File Description
{   ## Repeats until End-Of-File
    +0x000       INT32_LE      Length of File Name
    +0x004       Char[...]     File Name
    +(Filelen)   Byte          File Type (0 = directory, 1 = file)
    {   If 'File Type' == 1 then
        +0x001   INT32_LE      Length of File Data
        +0x004   Char[...]     File Data
    }
}
Based on this data, I was able to whip out the utterly mind-numbing C code below:
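#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
    FILE *f = NULL;
    int len = 0;
    unsigned char type = 0;
    char src_file[512], dst_file[1024], *data = NULL;
    int max_data = 0;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s <path_to_firmwarefile> <path_to_destination>\n", argv[0]);
        exit(-1);
    }
    if ( (f = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "Unable to open file: %s\n", argv[1]);
        exit(-1);
    }

    fseek(f, 0, SEEK_END);
    long file_len = ftell(f);
    fseek(f, 0, SEEK_SET);

    // header fields are little-endian; reading them straight into an int assumes a little-endian host
    if (fread(&len, 1, 4, f) != 4 || len != file_len) {
        fprintf(stderr, "File size doesn't match that reported in the header: %d/%ld\n", len, file_len);
        exit(-1);
    }

    fseek(f, 29, SEEK_SET); // seek to first file (4 + 4 + 21 header bytes)

    while (fread(&len, 1, 4, f) == 4) { // read filename length; the loop ends at end of file
        if (len <= 0 || len >= (int)sizeof(src_file)) { // the name must fit in src_file
            fprintf(stderr, "Invalid file name length: %d\n", len);
            exit(-1);
        }
        memset(src_file, 0, sizeof(src_file));
        if (fread(src_file, 1, len, f) != (size_t)len   // read filename
            || fread(&type, 1, 1, f) != 1) {            // read entry type
            fprintf(stderr, "Unexpected end of file\n");
            exit(-1);
        }
        // names come from the firmware file, so refuse any that would escape the destination
        if (strstr(src_file, "..") != NULL
            || snprintf(dst_file, sizeof(dst_file), "%s%s", argv[2], src_file) >= (int)sizeof(dst_file)) {
            fprintf(stderr, "Refusing file name: %s\n", src_file);
            exit(-1);
        }

        if (type == 0) {
            if (mkdir(dst_file, 0770) != 0) {
                fprintf(stderr, "Unable to create directory: %s\n", dst_file);
                exit(-1);
            }
        } else if (type == 1) {
            if (fread(&len, 1, 4, f) != 4 || len < 0 || len > file_len) { // read data length
                fprintf(stderr, "Invalid data length for %s\n", src_file);
                exit(-1);
            }
            if (len > max_data) {
                data = realloc(data, len);
                max_data = len;
                if (data == NULL) {
                    fprintf(stderr, "Unable to allocate data necessary to extract file. Requested: %d bytes.\n", len);
                    exit(-1);
                }
            }
            if (len > 0 && fread(data, 1, len, f) != (size_t)len) { // read file data
                fprintf(stderr, "Unexpected end of file in %s\n", src_file);
                exit(-1);
            }
            FILE *f2 = fopen(dst_file, "wb");
            if (f2 == NULL) {
                fprintf(stderr, "Unable to write file: %s\n", dst_file);
                exit(-1);
            }
            fprintf(stdout, "Extracting %s (%d bytes)...\n", src_file, len);
            if (len > 0)
                fwrite(data, 1, len, f2);
            fclose(f2);
        }
    }
    fclose(f);
    free(data);
    return 0;
}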
You should be able to copy/paste this into an empty .c file (for example, “extract.c”) and run the following command:
gcc extract.c -o extract
Change “extract.c” and “extract” to whatever you want to call it. Running that command will create an executable file named “extract” (or whatever you changed it to). This is the executable file that will extract the contents of the firmware file.
When you have that file, you should be able to run the following command:
./extract <path_to_firmwarefile> <path_to_destination>
This should extract all the files in the firmware file into the path specified. I would encourage you to first create a directory for the extracted firmware files. If you want to extract to the current directory, you must still enter this parameter as “./” (but without the quotes), i.e.:
./extract ../FI8908W-fw11.14.1.46bis/2.4.8.12.bin ./
Have fun, and happy hacking… Hopefully soon, I’ll post the code for a second utility to repackage a firmware file. If someone beats me to it, please feel free to post, or ask any questions about the format of the file. At the least, being able to see how the web/javascript interact with the underlying OS should provide options for making a back door.
Hey there,
That’s quite brilliant. I am amazed at how people are taking to these products. It really brings me joy to see you successful with this great new Foscam wireless IP Camera. I am one of the original authorized USA distributors of Foscam IP Cameras and I am listed as an official distributor on their website.
I appreciate your enthusiasm and anytime you want a discount, please let me know and I will gladly provide it for you.
Keep the code coming.
Best,
RavatTrading Foscam-US said this on April 5, 2010 at 9:24 pm |
Thanks. A generous offer! Hopefully sometime this next week, I’ll post some code for re-assembling the WebUI firmware file, which will let us (me, you, anyone) provide access to some of the missing functions in the Firefox/Push interface, and even accessing some undocumented features, like setting the pan speed, etc. I’ve been spending the last few days trying to reverse engineer the base IP protocol, bypassing the web interface entirely (and allowing bi-directional audio, for example). If there is anything you could do to help me in these efforts, such as acquiring protocol specifications, etc., that would be completely awesome. My immediate goal is to provide a full-featured controller application for Linux. I’m still a ways from there though!
kylemallory said this on April 5, 2010 at 9:57 pm |
Hi there, this is great news. I have got one of these cameras from eBay and it turned out to be a clone; it came in a green box, and on the circuit board it says ipcam hw V1. I did not know this at the time, so I flashed my camera with the original software and I bricked it. I got it back to life with the recovery files, but I had lost my web UI. Do you think I could get the web UI back on the camera? Thanks, David
David M said this on April 10, 2010 at 4:12 am |
David,
My guess is, if you recovered using the Foscam firmware, you should be able to use the Foscam Web firmware as well. Of course, I make no guarantee to this claim, but it’s probably a fairly safe assumption.
kylemallory said this on April 10, 2010 at 10:21 am |
David, I bricked my phone too. Did you figure out how to recover from this? I even got the IP Cam guys to send me firmware files but upgrading the firmware tries but doesn’t take. It just makes a chirping sound now and from the IP camera finder, I can see the camera tries to load up and gets an IP but doesn’t boot up all the way. It resets within 6-8 seconds.
joe said this on April 22, 2010 at 9:54 pm |
Hey Joe, could I have a copy of the files they sent you? My email is billyboydtr@hotmail.co.uk. Thanks, Dave
david m said this on April 28, 2010 at 2:34 pm
I purchased one of the fake foscam’s online and can’t get it to access remotely from outside of my network. Can anyone help with this??
burt said this on April 13, 2010 at 2:39 pm |
Hey Raymond, I did the same on mine. The foscam actually sends its native control protocol over HTTP, it just doesn’t use HTTP commands, so if you run Wireshark and capture just the port 80 traffic, you should capture everything relevant for the camera (unfortunately with all the actual HTTP noise as well). In the Foscam, all data packets start with ‘MO_O’ for the ‘operation protocol’ used to configure the camera, and MO_V for video/audio packets. If you want to, make a small capture file while logging into the camera and email it to me. I’d be curious to see if there are differences.
Raymond Rogers said this on April 14, 2010 at 6:54 pm |
Hey Raymond, I did the same on mine. The foscam actually sends its native control protocol over HTTP, it just doesn’t use HTTP commands, so if you run Wireshark and capture just the port 80 traffic, you should capture everything relevant for the camera. In the Foscam, all data packets start with ‘MO_O’ for the ‘operation protocol’ used to configure the camera, and MO_V for video/audio packets. If you want to, make a small capture file while logging into the camera and email it to me. I’d be curious to see if there are differences.
kylemallory said this on April 15, 2010 at 8:40 pm |
Hello kyle,
My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that Sunshine iPhone app and a couple others are successfully extracting the audio, however we cannot duplicate it. We believe it’s in the Mo_V http header packet and that it’s using G.726. Can anybody help us here? We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.
marko popovich said this on March 21, 2012 at 8:37 pm
FYI: I poked around the “strings”, it seems they are using
Winbond uClinux.
Raymond Rogers said this on April 14, 2010 at 7:03 pm |
Hi, thanks for the quick reply. I have tried, but it locks the camera up. I have looked at the CGI list and this is part of it:
var id='003010C1D039';
var sys_ver='11.14.1.46';
var app_ver='0.0.0.0';
var alias='';
var now=1270315495;
var tz=0;
var ntp_enable=1;
As you can see, in the var app there is nothing there. I will keep trying. Thanks, David
David M said this on April 15, 2010 at 1:58 pm |
Hi,
Excellent !! Any success in getting the core firmware unlocked ?
Good Luck with your great job
Thushar said this on April 16, 2010 at 9:01 am |
Hi,
The firmware is a uClinux from Winbond (http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html). The recovery file has the W90N745 uClinux BSP User’s Manual. Will that help you in any way to unlock the core firmware file?
I’m trying to build a hardware interface for the camera, to control other devices as well via the interface, e.g. the sprinkler to water my garden.
Regards
Thushar
Thushar said this on April 16, 2010 at 9:59 am |
Thanks, ucLinux is helpful. Lots of documentation, etc. Raymond pointed this out earlier as well. At least with that I know it’s an ELF binary, which should get me a ways. The next step will probably require taking apart a camera and trying to determine the architecture. Unfortunately, I’m not prepared to do that to mine, just yet.
If it really is a binary (which I’m guessing at this point), and knowing the architecture, it should be possible to disassemble and ultimately cross-compile a new firmware file. I’m not putting much effort into this approach directly though, as I think we may find better solutions by using the UI firmware to install a telnet or SSH server instead.
kylemallory said this on April 16, 2010 at 11:41 am |
Since you guys got me thinking about it, here is some interesting stuff I ran across while searching ucLinux:
http://www.uclinux.org/bFLT/
http://www.beyondlogic.org/uClinux/bflt.htm
After poking around in the core firmware, I was able to determine that there are about a dozen bFLT files in the firmware, and from those, I was able to determine that they are using the Rev 4 of bFLT, which is for the m68k architecture. Still haven’t been able to figure out the actual format of the firmware file, but progress is being made. The most confusing part is that it seems the firmware itself is little-endian, while the files it contains are big-endian. That will no doubt confuse me a lot along the way.
kylemallory said this on April 16, 2010 at 12:26 pm
Here is a trace talking to the camera at 192.168.1.70 to 73
http://docs.google.com/Doc?docid=0ATqv7EjKjtaCZGRzN241c2JfOGRmNzNqZmRu&hl=en
I don’t understand or see MO_V files; but I am not too familiar with these protocols. OTOH I did see
Server: Netwave IP Camera
in the status response
http://docs.google.com/Doc?docid=0ATqv7EjKjtaCZGRzN241c2JfOGRmNzNqZmRu&hl=en
the actual status is at the end; with decorations elsewhere.
Looking up Netwave leads to:
http://www.gadgetvictims.com/2008/08/foscam-fi8908w-firmware-history-page.html
With this section
Documentation:
IPCAM user guide 4.1.2 – mirror
IPCAM CGI SDK V1.7 – mirror
IPCAM CGI Application Instruction v109 – mirror
IPCAM Protocol – mirror
Where the sdk gives http://url/commands.cgi/
that can be sent over to the web interface. These seem similar to my camera commands. In addition when VLC sends the videostream.cgi command it knows how to recognize the returned video stream. Thus this part is adhering to some standard.
It seems to me that there might be two or three approaches to this hacking.
1) Make up a javascript (or some such) console that can be configured to send all of the cgi commands.
2) Like you’re doing, figure out the loading structure and rewrite the web interface.
3) Just to be contrary, dump a virus (or maybe a ftp/ssl enable (ssl is unlikely)) on top the memory that enables a backdoor.
I sort of like the javascript idea. If the command data base is structured as a spreadsheet then it could be maintained and reused. Say like so.
Name desc cgi_command_to_send expected_response action
I dearly love simple things; I’ve tried it the other way:)
Raymond Rogers said this on April 16, 2010 at 1:52 pm |
I’m not seeing the messages that I’d expect. You’re running a different core firmware than I am. Maybe that has something to do with it. When I get home, I’ll try and take a screenshot of my WireShark, showing the data that I’m seeing.
I think the CGI interface is provided by the core firmware (I haven’t confirmed this yet), and so I’m not sure that you would get any benefit out of a javascript approach, any more than you would just calling the CGI directly (which is actually what the UI does). They took an interesting approach where the CGI (status.cgi, for example) returns, as javascript, a series of variables. The web interface queries the CGI via a “, and then uses more javascript to print those values into the actual webpage. The protocol ‘MO_O’ stuff I’ve been messing with is the lower-level protocol used to query/set all of the same values done through the CGI. In essence, the Firefox/’Push’ interface uses the CGI stuff, while the IE/ActiveX solution does the low-level protocol, which is where the two-way audio is supported, etc, and why Firefox doesn’t support those features.
The memory-tromping/backdoor approach is interesting. I think my approach for actually getting the camera to do something that it wasn’t designed to do (for example, finding a way to read the IO on the back as a temp sensor) would require some way of actually installing new executable code, and then calling that code. If you could get a new CGI program on the camera, and execute it via a HTTP request, that would be a relatively simple means. Question is whether HTTPd is sandboxed or not.
Core firmware is proving to be a mind-fuck. I’m actually starting to think that it’s not so much an archive file, like a tar file, but a file that describes actually where and how to write the flash memory: ie, “at address 00772D00 write the following data”. I suspect that data is everything from inode structures for the filesystem to the actual file data.
kylemallory said this on April 16, 2010 at 2:25 pm |
I used curl against the CGI SDK 2.1 and got the expected responses from most commands.
If you have (can get) curl I can send a script in some form.
Ray
Raymond Rogers said this on April 16, 2010 at 8:03 pm |
You were right about the “MO_O” reference.
Raymond Rogers said this on April 16, 2010 at 8:16 pm |
I didn’t get your message until after I made these… so I figure I’ll post them anyway for anyone else who wants to see. Note that I have my camera running on port 9120, rather than the default (port 80).
kylemallory said this on April 17, 2010 at 8:04 am |
Is lr_cmos_11_14_1_46.bin an archive file with another archive or executable inside ? When i tried to rename lr_cmos_11_14_1_46.bin to lr_cmos_11_14_1_46.zip and just try to open it using winrar, i saw the linux.bin file inside tho winrar throws an error. This could not happen if firmware is an executable .. right.
Also, the recovery file (from http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html) seems to consist of romfs_cmos_11_14_1_37.img and linux.zip( which has linux.bin inside). Could an expert view on the romfs_cmos_11_14_1_37.img help us to find more about the core firmware file ?
Regards
Thushar
Thushar said this on April 19, 2010 at 4:31 am |
Based on my latest investigations, I think the .bin file is an archive that contains linux.bin, and a couple of FLAT (bFLT) executable binaries. I just haven’t been able to figure out the relationships to be able to write a tool to extract the files. My guess now is that the file/block headers inside the firmware .bin file are variable length, depending on the file and its type, which is making things a lot more difficult than necessary.
OS X sees the lr_cmos_11_14_1_46.bin also as an archive, and identifies it as a “MacBinary Archive”. If I run the OS X Archive Utility on the .bin file, it won’t do anything but recompress it.
I’ll check out the recovery image and see if I can make anything from it. I’d really like to find some information on the ‘BNEG’ file magic that is the first 4 bytes of the .bin image, but I can’t find anything via Google.
kylemallory said this on April 19, 2010 at 9:59 am |
Small progress:
http://tools.rebel-it.com.au/ipc-1002/README.TXT
batch example
———–
mkdir firmware
dd if=lr_cmos_11_14_1_46.bin bs=1 count=32 of=firmware/header.img
od -x firmware/header.img
dd if=lr_cmos_11_14_1_46.bin bs=1 skip=32 count=0403 of=firmware/kernel.img
and so forth. I’ve spent too many hours on this today:)
———————-
Daydreaming: find the ftp code and open it up to connect.
More realistically drop tftp or a console into the server javascript area, or alternately a custom function. I will double check if dd works on the interface .bin file later.
This may be obvious to others but I think the javascript/user interface is server-side javascript with little tiny pieces/slaves downloaded as needed. I haven’t verified this yet, but it fits what I have seen.
Raymond Rogers said this on April 19, 2010 at 12:37 pm |
Or not; I just looked at dd. It actually doesn’t verify anything but maybe the core parameters are in the uclinux documents.
Raymond Rogers said this on April 19, 2010 at 12:49 pm |
Raymond, Good find! They are using ‘dd’ to brute-force extract parts of the firmware file. Not bullet-proof, but helpful nonetheless. Some of the other bits about mounting the filesystem are really interesting. Definitely something to play with. The problem is, extracting the files only gets us so far. Unless we can build hacked firmware to load on the camera, we’ll only be able to do so much.
The server-side javascript is interesting. From the WireShark results, it’s clearly making a “/status.cgi” GET request, which you can make yourself to get the info. What’s happening within that cgi is the real question, but I am hopeful that there is some internal voodoo going on that may prove to be fun to play with.
kylemallory said this on April 19, 2010 at 2:54 pm |
I guess I will break down and physically disassemble my camera.
There is probably a tftp interface on port 65550 but you have to get into the bootloader to switch from serial to network; catch-22 unless we can find the bit and plunk it through javascript.
Just for information a boot loader manual that I think is similar.
ftp://220.232.158.86/Winbond/W90N745/Documentation/
Actually the site has a bunch of stuff for uclinux systems. Unfortunately I can not vouch for it not being a trojan site.
I should find a better site.
As for the javascript client/server: I think that the client command/request is intercepted by some other program who decides what to do, if to do it, and then the annoying next-url. Then the results “rain down” onto the server code which xmitts a new page to the client. In that case we have to find the interpreter intercepting the command on the server and try to find holes. But if the loader is the bootloader code being reused we could drop javascript compliant code onto the server javascript with a rewrite of the ui; so that the attempt to set wireless would execute it; or something else not needed. Let’s see what’s wrong with that? Well it wouldn’t go to a particular place because the source is ASCII, but that is okay as long as the updater doesn’t require ASCII it should just dump the incoming into a buffer. Then the buffer gets read out and interpreted.
Sorry to go on so long (:
Ray
Raymond Rogers said this on April 19, 2010 at 5:45 pm |
Webcontrols Parameters :
“snapshot.cgi
description To obtain the snapshot
Permission visitor
Syntax /snapshot.cgi[?user=&pwd=&next_url=]
Parameters user:username
pwd:password
next_url:the name of snapshot
Note 1 If not use the parameter “next_url”, the snapshot name is:device
id(Alias)_ Current time.jpg
[EDIT] More goodness here…
Hope this help us in some way
Thushar said this on April 20, 2010 at 4:16 am |
Thanks for the info, Thushar! I actually ran across this document, courtesy of gadgetvictims.com, that describes the entire CGI SDK. Unfortunately, it doesn’t allow two-way audio. This, with the tools to hack the UI Firmware should keep some web-do-gooder busy for a while! In an effort to keep the reply chain shorter, I’ve edited your post to reflect the same link…
kylemallory said this on April 20, 2010 at 10:20 am |
I took the picture from my cam inside:
Here are the links to the IC datasheets:
http://file.qip.ru/file/126440710/aa28569e/APP2000004USBD.html
http://file.qip.ru/file/126440714/ad459287/HY57V641620F_L_S_TP_series_Rev.html
http://file.qip.ru/file/126440713/33210724/NUC745ADN.html
http://file.qip.ru/file/126440711/dd2f6608/W19B320BB.html
The documentation from ftp://220.232.158.86/Winbond/W90N745/Documentation/ is right.
Some additional information you can find on http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm
Nuvoton and Winbond are the same company. By this link you’ll find uClinux for NUC745A and compiler for it.
And also I have the description of audio and video stream:
http://file.qip.ru/file/126440715/da42a211/IP_Camera_Prototcol.htm
Archonmaster said this on April 20, 2010 at 7:36 am |
Archon, thanks for the links and images. Great stuff. Sorry it took a little while for your comment to post. WP filed it as spam (probably too many link from .ru), and I just noticed it tonight.
kylemallory said this on April 22, 2010 at 11:18 pm |
Serial is pretty easy on them – I’m already doing what you’re doing!
Want to collaborate?
I’m in touch with the factory that makes them already, and they’ll be sending an SDK over.
Its quite a bare system though – basically everything sits in /home, and the rest of the system is *extremely* minimal.
I have some more on my blog at http://www.computersolutions.cn/blog
Cheers,
Lawrence.
Lawrence Sheed said this on April 20, 2010 at 9:16 am |
Lawrence, cool to see your progress. Would definitely welcome some more collaboration! The more the merrier, right? I think I’m about to order another camera or two, and will probably be willing to pull one of them apart, too.
kylemallory said this on April 20, 2010 at 10:16 am |
PS, mine doesn’t have a winbond, its actually a Nuvoton N745 (which is a clone of the Winbond ARM chip I think)
Lawrence Sheed said this on April 20, 2010 at 9:32 am |
Yeap, the two pinouts look identical. In fact the data sheets look identical; based on sample size that is small.
Raymond Rogers said this on April 20, 2010 at 1:13 pm |
Hi guys, my camera is in bits. If you want some details and pictures, there is no problem, I will upload them. I have been logging it as well with the serial still connected, if you want them as well. Thanks, Dave
David M said this on April 20, 2010 at 10:59 am |
What’s the board ID; the white stenciling on the green?
Raymond Rogers said this on April 20, 2010 at 1:22 pm |
Post a link to your pictures. I like pictures. If you don’t have a place to host them, email them to me and I’ll put them on the blog.
kylemallory said this on April 20, 2010 at 1:46 pm |
Do you have the camera model?
Raymond Rogers said this on April 20, 2010 at 7:12 pm |
My “unknown” camera:
Board: ES_IP607_ARM_2
SDRAM: W9812G6IH
ARM processor: W90N745CDG
Latch for I/O: 74hc259d.
Unstuffed comm connector goes to:TX0D,RX0D processor pins 10,11 I think
Ethernet: DM9161AEP
Motor driver?: ULN2803L Octal driver
DVM008: Clock chip/RTC
SY-5W-k: relay (probably for outgoing alarm contacts) rated for 1-2A signal but only .5A contact rating. I presume that contact rating is allowed (non-degrading) current during relay transition; and signal is with the contacts firmly closed. I can’t find the voltage rating but I presume it would be 117VAC.
Audio: ALC203 Realtek. This seems like overkill; but…
Motor driver? : 2822M STM micro
Bunch of other stuff around the I/O pins, probably a switching regulator for the relay or some such
NVRAM: S29AL016J spansion
16 Megabit (2 M x 8-Bit/1 M x 16-Bit) CMOS 3.0 Volt-only Boot Sector Flash Memory
Perhaps I will take hires pictures of the boards. I did save copies of most of the data sheets.
“That’s all folks”
Raymond Rogers said this on April 20, 2010 at 11:39 am |
Hi Raymond, I got the same cam as you: Board: ES_IP607_ARM_2 I managed to brick it. I still have a good one, can you tell me how to transfer the good firmware to the bricked one? or do you have good recovery files for this cam?
Thanks!
Ramon said this on August 14, 2010 at 2:11 am |
Misc from web trolling:
BNEG: Amusing– NBGE You or somebody else has endian problem.
It appears to be a common phrase (although probably 2 or 4 mb size or starting point). Compare the header.img in hex to:
”
the start of the 9100a romfs file loaded from this post looks like this
[7F0A0000] 47454E42 00000001 – 00000000 00000000 BNEG…………
[7F0A0010] 00139400 6D6F722D – 2D736631 00921300 ….-rom1fs-…
”
From: http://support.yoics.com/viewtopic.php?p=610&sid=145b4ec6d4be054c6ed9b9344af48b9d
Haven’t found Winbond (or arm7) schematics yet but the Winbond uclinux user manual has:
W99683 camera usb support : Video for linux on page 15.
Which means downloading the code and examining that kernel (io ?) section should be relevant.
Ray
Raymond Rogers said this on April 20, 2010 at 12:28 pm |
Interesting. I had questioned whether it was endianness, but always assumed it was a 4-byte sequence (which shouldn’t suffer from endianness), not a long (which would). Reading that thread:
“however the ‘-romfs-‘ tag is offset by 0x14
so I used the line
fx 6 romfs.img 0x7f0a0000 0x7f0a0014 -a
the system then rebooted correctly…”
So, it looks like they were able to get the file to load after they offset/stripped the 14 bytes prior to the -romfs- tag, including the ‘BNEG’. Which falls in line with my thinking that that is all part of a header, and is not meant to be loaded into memory (or at least as part of the image itself). Problem is, the header length varies, and it’s not immediately clear what the length of the header should be.
In the lr_cmos_11_14_1_46.bin the first 64 bytes are:
0000 - 42 4E 45 47 01 00 00 00 - BNEG....
0008 - 01 00 00 00 32 B3 0B 00 - ....2...
0010 - D0 08 00 50 4B 03 04 - .-..PK..
0018 - 14 00 00 00 08 00 63 2B - ......c+
0020 - 10 3B 72 88 39 83 BE B2 - .;r.9...
0028 - 0B 00 10 99 18 00 09 00 - ........
0030 - 00 00 6C 69 6E 75 78 2E - ..linux.
0038 - 62 69 6E EC FD 0B 78 5C - bin.".x\
In this case, up to the ‘linux.bin’ tag, there are 50 bytes, rather than the 14. I need to double-check my notes at home, but I think the long 0x26 is the length of linux.bin in LE. And the subsequent long at 0x2E is the length of the tag ‘linux.bin’ (9, in LE). The S32_LE at 0x26, is 766654 (decimal). Add 59 (the length of the header, including the ‘linux.bin’ tag), and you end up right near the ballpark of the -rom1fs- tag. There is a similar length field, at 0x0C (S32_LE), that also puts us in the same area of the file. Maybe coincidence?
kylemallory said this on April 20, 2010 at 1:44 pm |
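The bytes `50 4B 03 04` in that dump are the signature of a ZIP local file header, and the values read at 0x26 and 0x2E are that header's compressed-size and name-length fields. The following added example (not code from the original post or its comments) scans past the `BNEG` header for the signature instead of assuming a fixed header length, then decodes the entry; the sample is the dump above with one labelled placeholder byte, and all function and struct names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers that work byte by byte, so host endianness does not matter. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct zip_local {
    size_t   offset;       /* file offset of the PK\x03\x04 signature */
    uint16_t method;       /* compression method, 8 = deflate */
    uint32_t comp_size;    /* compressed size of the member */
    uint32_t uncomp_size;  /* size after decompression */
    uint64_t data_end;     /* offset of the first byte after the compressed data */
    char     name[64];     /* member name, NUL-terminated */
};

/* Returns 0 on success, -1 if the BNEG magic is missing, -2 if no ZIP local
 * header follows it, -3 if the header found is truncated or its name is too long. */
int find_zip_after_bneg(const uint8_t *buf, size_t n, struct zip_local *out) {
    static const uint8_t sig[4] = { 'P', 'K', 0x03, 0x04 };

    if (n < 4 || memcmp(buf, "BNEG", 4) != 0)
        return -1;
    /* The fixed part of a ZIP local file header is 30 bytes long. */
    for (size_t off = 4; off + 30 <= n; off++) {
        const uint8_t *h = buf + off;
        if (memcmp(h, sig, 4) != 0)
            continue;
        uint16_t name_len  = le16(h + 26);
        uint16_t extra_len = le16(h + 28);
        if (name_len >= sizeof(out->name) || off + 30 + name_len > n)
            return -3;
        out->offset      = off;
        out->method      = le16(h + 8);
        out->comp_size   = le32(h + 18);
        out->uncomp_size = le32(h + 22);
        memcpy(out->name, h + 30, name_len);
        out->name[name_len] = '\0';
        out->data_end = (uint64_t)off + 30 + name_len + extra_len + out->comp_size;
        return 0;
    }
    return -2;
}

/* First 64 bytes of lr_cmos_11_14_1_46.bin as dumped in the comment above. The dump
 * shows only seven bytes on row 0x0010; the 0x00 marked below is a placeholder for
 * the missing one, placed so that the offsets quoted in the comment (0x26, 0x2E)
 * line up. The BNEG field containing it is not interpreted here. */
const uint8_t sample_head[64] = {
    0x42, 0x4E, 0x45, 0x47, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x32, 0xB3, 0x0B, 0x00,
    0xD0, 0x08, 0x00, 0x00 /* placeholder */, 0x50, 0x4B, 0x03, 0x04,
    0x14, 0x00, 0x00, 0x00, 0x08, 0x00, 0x63, 0x2B,
    0x10, 0x3B, 0x72, 0x88, 0x39, 0x83, 0xBE, 0xB2,
    0x0B, 0x00, 0x10, 0x99, 0x18, 0x00, 0x09, 0x00,
    0x00, 0x00, 0x6C, 0x69, 0x6E, 0x75, 0x78, 0x2E,
    0x62, 0x69, 0x6E, 0xEC, 0xFD, 0x0B, 0x78, 0x5C,
};

int main(void) {
    struct zip_local z;
    int rc = find_zip_after_bneg(sample_head, sizeof(sample_head), &z);
    if (rc != 0) {
        fprintf(stderr, "no ZIP member found (code %d)\n", rc);
        return 1;
    }
    printf("ZIP local header at 0x%zx: %s, method %u, %u -> %u bytes, data ends at %llu\n",
           z.offset, z.name, (unsigned)z.method, (unsigned)z.comp_size,
           (unsigned)z.uncomp_size, (unsigned long long)z.data_end);
    return 0;
}
```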
I guess I will load up Winbond’s uclinux tomorrow. At some point I have to stop obsessing. About to make a politically incorrect joke about obsessive/compulsive, and hacking. “What’s the difference…”; let me know if you can think of a good punch line.
PCB pictures
http://docs.google.com/leaf?id=0Bzqv7EjKjtaCOTQ3MGQ5MzktMzc3Mi00YmRkLThkNDYtMzMxMzIxNmMzMzhm&hl=en
http://docs.google.com/leaf?id=0Bzqv7EjKjtaCYmM2MWExMmQtOGUyMC00MmVkLThkNzUtZjk0ZWQ0ODk2YzJm&hl=en
BTW: I am having a problem fitting endian problems with the fact that some words come through correctly; linux.bin
Raymond Rogers said this on April 20, 2010 at 7:11 pm |
Raymond, we have the same camera hardware.
I’ve spoken to the factory, Foscam is one of their clients they OEM for. So the clones are not clones, but the real thing, just unbadged.
I’ve also been in contact with Maverick Gao (thanks to the wonders of Google), and can probably ask him a few tech questions if anyone has. He didn’t really want to talk much though, and passed me off to someone else, so I suggest we do our dev work ourselves unless we get really stuck. Factory guys are pretty helpful, as long as can sell more product, they’re happy.
I should be receiving an SDK sometime soon, and I can answer some of the questions you might have.
If you look at the data sheets for the chips used (ARM5..), you’ll see why the rom formats are in that size too.
http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm
ROM build info here – http://www.nuvoton.com/NR/rdonlyres/6D3B8939-4393-42C9-A602-BD40775E0CC9/0/APP2000007MKROM.pdf
We’re on kernel 2.4.
First steps would be to compile an ARM7 binary, and add to the userland firmware, then test. I’ll play around with that tonight, as I only get time for these things after work.
I have the CGI interface stuff if people want too. Will update my own blog with the files.
Lawrence said this on April 20, 2010 at 7:56 pm |
For anyone building test binaries – ucLinux needs a flat binary.
Hence the bflt headers.
Even the current firmware linux rom build gets that wrong for some bits according to the kernel boot logs
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Build tips here –
http://www.ucdot.org/article.pl?sid=02/09/17/0044221
We don’t really need to change the kernel stuff (yet), so making userland stuff should be fairly straightforward.
I guess first step is a hello world, or add ssh access.
I’m probably going to delete the OCX file for space – takes up 156kb (although less, as it should be a JFFS partition so compressed.)
I’ll take a look at the existing files later.
Kyle, do you want to contact me via email?
Lawrence Sheed said this on April 20, 2010 at 9:54 pm |
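Added example (not from the thread or from any poster): a header check for the flat-binary (bFLT) format mentioned in the comment above, applying the same magic/rev test that the kernel message reports. The 64-byte version 4 header layout is the uClinux flat format; both sample inputs are constructed, and the text sample shows that 0x74202d74 is the ASCII bytes "t -t" read as the rev field, as happens when the loader is handed text instead of a flat binary.

```python
import struct

BFLT_MAGIC = b"bFLT"
FLAT_VERSION = 4      # the "need 0x4" in the kernel message
HEADER_LEN = 64       # magic, ten big-endian u32 fields, five reserved u32
FIELDS = ("rev", "entry", "data_start", "data_end", "bss_end",
          "stack_size", "reloc_start", "reloc_count", "flags", "build_date")


def inspect_flat(blob):
    """Return (ok, info) for the first bytes of a candidate uClinux binary."""
    info = {}
    if len(blob) < 8:
        info["error"] = "too short to hold magic and rev"
        return False, info
    info["magic"] = blob[:4]
    (info["rev"],) = struct.unpack(">I", blob[4:8])
    if info["magic"] != BFLT_MAGIC or info["rev"] != FLAT_VERSION:
        # Same condition, and same wording, as the BINFMT_FLAT log line.
        info["error"] = "bad magic/rev (0x%x, need 0x%x)" % (info["rev"], FLAT_VERSION)
        # Eight printable bytes at offset 0 suggest a text file, e.g. a script.
        if all(32 <= b < 127 for b in blob[:8]):
            info["text_head"] = blob[:8].decode("ascii")
        return False, info
    if len(blob) < HEADER_LEN:
        info["error"] = "truncated header"
        return False, info
    info.update(zip(FIELDS, struct.unpack(">10I", blob[4:44])))
    # Text starts at or after the header, then data, then bss.
    ordered = (HEADER_LEN <= info["entry"] <= info["data_start"]
               <= info["data_end"] <= info["bss_end"])
    if not ordered:
        info["error"] = "section offsets out of order"
        return False, info
    return True, info


# Constructed inputs: one line of text, and a minimal well-formed header.
TEXT_SAMPLE = b"mount -t proc none /proc\n"
FLAT_SAMPLE = (BFLT_MAGIC
               + struct.pack(">10I", 4, 0x40, 0x100, 0x140, 0x180,
                             0x1000, 0x140, 0, 0, 0)
               + bytes(20) + bytes(0x100))

if __name__ == "__main__":
    for label, data in (("text", TEXT_SAMPLE), ("flat", FLAT_SAMPLE)):
        print(label, inspect_flat(data))
```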
Lawrence, could you say who is the original OEM manufacturer for Foscam cameras please? Also, could you please ask your contact in the factory if it is possible to add more IO ports to the hardware .. say 4 or so external trigger ports? A schematic would be handy as well.
Regards
Thushar
Thushar said this on April 21, 2010 at 1:35 am |
Thushar: Gardening and such.
I’ve been thinking about your idea of using this as a general purpose controller.
J6 on the PCB is apparently a USB port.
Inserting a connector and bringing a cable out could provide the interface for an external storage device for images (i.e. standalone surveillance), or could work into
EZ430-F2013
http://focus.ti.com/docs/toolsw/folders/print/ez430-f2013.html
which is $20, has plenty of I/O. You would still have to provide the interface conditioning; relays, ssr’s, and such.
I can help with the MSP430 gizmo. I wrote a commercial design using it and I have one of the gizmos (I think). Unfortunately the product didn’t go anywhere commercially (:
So the point is: compile in the USB support and install the connector.
Unfortunately there are conflicting indications. The Winbond OS indicates that it expects the camera to be USB. If it is then the secondary USB needs a transceiver to be real USB. Working around this is not a problem for the EZ430; but setting up for USB storage would probably require the transceiver. This primary/secondary consideration is why I wanted the model number and manufacturer of the camera.
And so on..
Unfortunately I am not at liberty to do program experimentation on the camera I have. It’s dedicated for our “frac” security. I would have to buy another camera for experiments. Being in Mexico that is harder than you might think.
Ray
Raymond Rogers said this on April 21, 2010 at 9:07 am |
Ray, USB idea sounds great – but still we need to get hold of the firmware source and tool chain to build the USB support into the kernel. Hope we will get there soon.
Thushar
Thushar said this on April 21, 2010 at 9:37 am |
Woops: I made a mistake with the USB ports (I was looking at the 173 pin 740 data sheet); the 745 has two independent USB ports that should work straight out; and I think the connector-less J6 is port 2.
Ray
Raymond Rogers said this on April 21, 2010 at 9:39 am |
I just looked at the EX430; it has 8 outputs capable of driving the triac.
http://search.digikey.com/scripts/DkSearc/dksus.dll?Detail&name=MOC3023MFS-ND
If you were to use these then make sure you put some protection diodes around the outputs to guard against power line spikes coupling back into the MSP430; they are real.
Here are a couple of link with more elaborate interfaces:
Except the 1:1 and Vreg indicate a special triac or high Vreg
Anyhow..: The process would seem to be.
Energize USB-2
Add a cgi that takes an arbitrary string from the client and dumps it out to the USB; and vice versa. This would provide a means to program the MSP430 from the client (i.e. real computer).
Add a handle into the calendar scheduling to prompt the MSP430 to do something.
Perhaps the ability to program and read the MSP430 through the camera is overkill; but it might be convenient to be able to update the MSP430 via the Ethernet port in an in-place installation. Or in my case via 802.11.
Kind of neat having a free USB port in/out of the camera. You could daisy chain cameras ethernet-usb-ethernet-usb …. (with some connector flimflam) . Furthermore there are relatively inexpensive usb modules to take measurements, produce analog out, and do digital I/O.
You could have the fanciest garden system on the block. Schedule watering times based upon humidity and temperature and wind speed. Schedule your Christmas tree strings arbitrarily, turn lights and alarm systems on and off; and do it all from your iphone/ipad across the world:):)
etc…. All through one camera!
Raymond Rogers said this on April 21, 2010 at 10:58 am |
Oh yes; the EX430 ports support 10 bit A/D conversion.
Raymond Rogers said this on April 21, 2010 at 11:06 am |
Hi guys, I have done some photos and some data sheets for this. Who can I email them to? Oh, the circuit board has a model number on it: IPCAM HW-YT02_V1. Thanks, Dave
David M said this on April 21, 2010 at 12:15 pm |
You could post them on google docs; but here is my email address
rrogers@@plaidheron..com
with the obvious correction.
Above the EX430 entries should have been EZ430 from TI (sigh).
Sorry about the u-tube clip; I don’t know how it got put in. In fact that arrangement works but the triac I listed from digikey has optical isolation built in; but also has the backcoupling possibility.
Raymond Rogers said this on April 21, 2010 at 12:23 pm |
Anyone with any updates on the firmware decoding ?
Thushar said this on April 22, 2010 at 4:28 am |
@thushar, do a little footwork on your own.
Most of what you asked is readily available.
USB is enabled in the shipped linux firmware.
The audio/wifi/camera all use USB for I/O
A check of the data sheet for the CPU will show you what ports are available. Hint, most are in use.
Click to access NUC745ADN.pdf
Check page 7.
Some can be re-purposed though, eg GPIO5,6 (pin 10,11) are in use for serial out (for debugging purposes), but in theory could be set as additional IO pins, assuming you have some other way of talking to the embedded cpu (eg telnet or similar).
We do have working i2c, serial, and other i/o ports anyway..
Data sheet info and rom build info is on the Nuvoton website, which is also linked on my blog post on my site.
I need to wait for a second unit before I make any changes to mine, so it will be a few days before I get to do anything other than in a dev environment.
Suggest you setup a Debian box, and install the relevant UC Linux cross compiler tools.
The hardware manufacturer for these is Shenzhen based, url is http://www.sznv.net/
@Roger – not sure we have the same chipset, mine is the 128pin Arm7 745ADN from Nuvoton. It’s the same as a Winbond W90N745 (hence the firmware identifying as that in the boot ROM).
As I’ve said before, no current need to change the Linux partition – it works ok. Only real need right now is some extra binaries in the home rom.
Linux firmware (uclinux) is pretty much in the same place as the default –
(Image 7)
base address is 0x7f020000
load address is 0x8000
Again, I don’t think we really need to mess with it.
It’s a pretty standard build, we don’t have JFFS2 support built in (although we can if we roll our own).
Strongly suggest for dev work, either get an ARM7 board to play with, or hook up the serial debug port on the camera, and DON’T MESS WITH THE BOOTLOADER!
The more adventurous can hook up JTAG – that seems to be readily available on my board at least, as is serial, which is nice.
Bootloader gives us a way to recover if we make a bad image…
Our basic specs:
W90N745 application Core Module:
MCU: Winbond/Nuvoton clone ARM7TDMI based W90N745 operating up to 80MHz Freq.
USB: One USB1.1 Host + one Slave
UART: A TX/RX signal only UART port (UART0) for debug console. Another UART port
supported with Male type connectors by W90N745’s UART interface.
Network: A 10/100Mbps Ethernet port supported with DM9161E (PHY) by W90N745’s
RMII interface.
JTAG: 14-pin JTAG debug interface.
Anyone have a copy of the W90N745.tar.gz BSP dev files?
Most of the sites that have it aren’t accessible easily from China which is annoying.
Lawrence Sheed said this on April 22, 2010 at 6:26 am |
Sorry guys, haven’t had much time to play with the camera the last few days. Been a crazy-ass week. Lawrence, does your camera have WiFi? I hope our second USB isn’t being used by the WiFi… I’m going to order my additional cameras today. I don’t know how much additional time I’ll have to play over the next week.
kylemallory said this on April 22, 2010 at 8:39 am |
“The audio/wifi/camera all use USB for I/O”
I don’t know but my look-see says the audio uses the I2C port: pins
44-48.
Perhaps we aren’t talking about the same thing. When I say “USB” I mean Pins 1-8.
Haven’t tracked down wifi/camera yet. Or whether J6/USB2 is shared.
Raymond Rogers said this on April 22, 2010 at 11:57 am |
@Raymond Quite possible, I didn’t look at the chip pin outs, was looking at the boot log off dmesg
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
_____ ____ _ ____
|__ / _| _ \ / \ / ___|
/ / | | | | | |/ _ \ \___ \
/ /| | / ___ \ ___) |
/____\__, |____/_/ \_\____/
|___/
ZD1211B – version 2.24.0.0
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.13
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver 0.0.0.0 by Maverick Gao in 2006-8-12
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
Lawrence Sheed said this on April 22, 2010 at 9:50 pm |
Thank you Lawrence
These manufacturers are supposed to provide the source code of the firmware to honour the GPL license terms of Linux. Then why are they not?
Any one with any progress on the core firmware hacking ?
thushar said this on April 24, 2010 at 12:07 am |
Hi guys, I have found out that I have a 2 mb Samsung SDRAM chip on my camera. I think I’m going to desolder the chip and put an 8 mb chip on the board. I have looked at the pins and they are the same. Do you guys think this will work? The reason for this is that when I try to upload the web UI it crashes halfway through the install, like it has not got enough memory. Thanks, Dave
david m said this on April 26, 2010 at 11:48 pm |
The chip on mine is a Winbond W9812G61H-6
According to the data sheet, that 2M X 4 BANKS X 16 BITS SDRAM @ 3.3V
166MHz/CL3
Data sheet is here – http://jp.ic-on-line.cn/IOL/datasheet/w9812g6ih_4223255.pdf
If you have serial, can you check your bootloader setup to see what rom size you have.
Over serial – power up the device, wait for the uBoot prompt, press ESC to get in, then type “ls” and press ENTER
eg
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x0000FFCC exec:0x7F010000 -f
Image: 1 name:romfs base:0x7F020000 size:0x0009D400 exec:0x00700000 -ac
Image: 2 name:linux base:0x7F0C0000 size:0x000E8250 exec:0x00008000 -acx
I need a paste of yours (Note: thats a sample ls above, not from our device)
I’d also like someone working on a “Foscam” to do the same if possible – eg Kyle?
I’ll have more info on my own blog later, including some hi-res shots of the board.
Lawrence Sheed said this on April 27, 2010 at 12:21 am |
Hi there Lawrence, is this what you are after?
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Aug 19 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 – 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:30:10:C1:D0:39
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF
For help on the available commands type ‘h’
Press ESC to enter debug mode …
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a
david m said this on April 27, 2010 at 1:53 pm |
Cache enabled!
Processing image 1 …
Processing image 2 …
Processing image 3 …
Processing image 4 …
Processing image 5 …
Processing image 6 …
Processing image 7 …
Unzip image 7 …
Executing i
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #953 ÈÕ 8ÔÂ 16
05:23:09 CST 2009
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 2048
zone(0): 0 pages.
zone(1): 2048 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop… 39.83 BogoMIPS
Memory: 8MB = 8MB total
Memory: 6292KB available (1429K code, 286K data, 40K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 b
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options en
abled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0
nabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F16CFFF [VIRTUAL 7F0E0000-7F16CFFF] (RO)
AM29LV160DB Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 1590P745 Boot Loader [ Version 1.1 $Revisi
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround 19 2009
Pro
hc_resetinbond W
usb.c: new USB bus registered, assigned bus number 1
Initializing RT netlink
hub.c: USB hub foundrchitecture: W90N745
hub.c: 2 ports detected
usb.c: registered new driver audioes: 2048N745 Serial driver version
audio.c: v1.0.0:USB Audio Class driver
zone(0): 0 pages.oard de
usb.c: registered new driver serial
zone(1): 2048 pages.c: USB d
usbserial.c: USB Serial Driver core v1.4re
zone(2): 0 pages.at Winbond=-
_____ ____ _ ____
Kernel command lin
|__ / _| _ \ / \ / ___|nd Limited 2001 – 2006. All
/ / | | | | | |/ _ \ \___ \
/ /| | / ___ \ ___) |y loop… 39.83 BogoMIPS Drive
/____\__, |____/_/ \_\____/
|___/
Fo
Blkmem copyright
IP Add
usb.c: registered new driver vntwusbtable entries: 1024 (order: 1, 8192
usb.c: registered new driver rt73Enabled0D0000-7F159FFF [VIRTUAL
dvm usb cam driver 0.0.0.0 by Maverick Gao in 2006-8-12
usb.c: registered new driver dvmries: 512 (order: 0, 4096 b
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
Architec
Blkmem copyright 1998 Kenneth Albanowskie
usb.c: registered new driver dvm usb cam driver for sonix288
Mount-c
Blkmem 1 disk
NET4: Linux TCP/IP 1.0 for NET4.0
USB Mass Stora
z
IP Protocols: ICMP, UDP, TCPAL 7F0E0000-7F16CFFF] (RO)es
IP: routing cache hash table of 512 buckets, 4Kby
[8]
Command: sherial.c: US
Sash command shell (version 1.1.1)d8A000 exec:0x7F
/> no support
new USB device :807dce04-7e864090N
_____ ___
hub.c: new USB device 2, assigned address 2
idVendor = 0x148f, idProduct = 0x2573|: mount -t proc none /procing
Wait for auto-negotiation complete…ResetPhyChip Failed| | | | | |/ _ \ \___ \
david m said this on April 27, 2010 at 1:57 pm |
David,
I appreciate the enthusiasm and effort, but I’m not sure what the purpose of your post is. Based on your earlier posts, it looks like you’ve got 8MB of memory now? Sorry, but without any context of what’s significant about your post, it’s essentially noise.
[Edit] –Nevermind, my bad. I see that Lawrence had asked for that, for comparisons. Sorry, guys; been crazy lately, and no chance yet to recover.
kylemallory said this on April 27, 2010 at 2:04 pm |
This is good info.
I’ll hopefully be able to do a comparison of your size firmware with mine. Also note that we can rip the current firmware off the device to a file – We know where it starts and ends.
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
[Image 0 is 38 bytes (small!).
Boot info is not the bootloader – 38bytes is way too small for that.
It actually stores our bootloader config settings.
eg ip address, cache setting, boot loader buffer address etc
-af indicates Active (a) , and is a Filesystem image (f)]
Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0x00008000 -acxz
[Image 7 is our OS – Linux 2.4.20 ucLinux. Not sure why Maverick didn’t build on 2.6, there is more hardware support. Probably time dependent – 2.6 may not have been available, plus the Nuvoton sample code is also 2.4 based…
-axcz says active (a) executable (x) copied to ram (c) compressed (z) ]
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a
[Our rom image – aka userland stuff. This is where we’ll be putting our own code. Looks like it’s stuck quite high up in the flash, although it doesn’t need to be given the size of the Linux rom. We have plenty of room available.
We’ll need to make appropriate changes to Image 6 size on flashing
-a says active partition.]
Lawrence said this on April 28, 2010 at 4:59 pm |
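Added example (not part of any comment): a parser for the boot loader's ls listing that decodes the flag letters as described in the comment above and maps the images onto the 0x200000-byte flash reported in the boot banner. The flash base of 0x7F000000 and the function names are assumptions; the listing is the one posted earlier in the thread.

```python
import re

# Flag letters as explained in the comment above.
FLAG_NAMES = {"a": "active", "f": "filesystem image", "x": "executable",
              "c": "copied to RAM", "z": "compressed"}

FLASH_BASE = 0x7F000000   # assumption: flash is mapped from this address
FLASH_SIZE = 0x200000     # "Flash Size is 0x200000 Bytes" in the boot banner

LINE_RE = re.compile(
    r"Image:\s*(\d+)\s+name:(.+?)\s+base:0x([0-9A-Fa-f]+)\s+"
    r"size:0x([0-9A-Fa-f]+)\s+exec:0x([0-9A-Fa-f]+)\s+-(\w+)")

# Listing copied from the serial capture posted in the thread.
SAMPLE_LS = """\
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BB334 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x0008D000 exec:0x7F0E0000 -a
"""


def parse_ls(text):
    """Parse 'ls' output into image records sorted by flash address."""
    images = []
    for m in LINE_RE.finditer(text):
        num, name, base, size, exe, flags = m.groups()
        images.append({
            "num": int(num), "name": name,
            "base": int(base, 16), "size": int(size, 16), "exec": int(exe, 16),
            "flags": [FLAG_NAMES.get(f, "unknown:" + f) for f in flags],
        })
    return sorted(images, key=lambda img: img["base"])


def layout(images, flash_base=FLASH_BASE, flash_size=FLASH_SIZE):
    """Return (unlisted, problems): address ranges no image claims, and errors.

    Unlisted ranges are not necessarily free: the boot loader itself does
    not appear in the listing.
    """
    flash_end = flash_base + flash_size
    unlisted, problems, cursor = [], [], flash_base
    for img in images:
        end = img["base"] + img["size"]
        if img["base"] < cursor:
            problems.append("%s overlaps the previous image" % img["name"])
        elif img["base"] > cursor:
            unlisted.append((cursor, img["base"] - cursor))
        if end > flash_end:
            problems.append("%s runs past the end of flash" % img["name"])
        cursor = max(cursor, end)
    if cursor < flash_end:
        unlisted.append((cursor, flash_end - cursor))
    return unlisted, problems


def room_for(images, name, flash_base=FLASH_BASE, flash_size=FLASH_SIZE):
    """Largest size the named image can have without moving anything else."""
    for idx, img in enumerate(images):
        if img["name"] == name:
            nxt = images[idx + 1]["base"] if idx + 1 < len(images) \
                else flash_base + flash_size
            return nxt - img["base"]
    raise KeyError(name)


if __name__ == "__main__":
    imgs = parse_ls(SAMPLE_LS)
    for img in imgs:
        print("%-10s 0x%08X +0x%06X %s" % (img["name"], img["base"],
                                           img["size"], ", ".join(img["flags"])))
    gaps, errs = layout(imgs)
    for start, length in gaps:
        print("unlisted   0x%08X +0x%06X" % (start, length))
    print("problems:", errs or "none")
    print("romfs.img may grow to 0x%X bytes" % room_for(imgs, "romfs.img"))
```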
Kyle – you almost worked it out when you checked out the rom in comment midway.
I’ve managed to work out how the main firmware file is packed.
Seems like we have a 20 byte header, then a Zip file.
Post zip file we have the rom (as you noted). This is probably a linux filesystem I guess, so we could try mounting it maybe?
I’ll play around with that tomorrow, as its late here (4am+-).
Current progress on my blog – should make interesting reading for you all…
Lawrence said this on April 29, 2010 at 1:10 pm |
Very Cool! I kept seeing that ‘PK’ in there, I just couldn’t make the connection to PKZip. Nice Work! Hopefully I’ll get a chance to play around in the next few days and expand on ‘fostar’.
kylemallory said this on April 29, 2010 at 1:24 pm |
Decided to keep going.
The -romfs- bit is the start header for the filesystem as I suspected.
Its in… romfs format.
I couldn’t get it mounted yet, as my mac doesn’t support romfs, but I think I’m there.
Kyle – you want to take a look at what I’ve updated on the current post, and see if you can mount that?
I can email you the file if needed.
Lawrence said this on April 29, 2010 at 2:12 pm |
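Added example (not the fostar code and not taken from Lawrence's blog): splitting a firmware file laid out as the comments above describe, a 20-byte header, then a ZIP, then a romfs image. Because the header fields are not described here, it carves by signature, using the ZIP records and the standard Linux romfs magic `-rom1fs-` with its superblock checksum; the sample file and all function names are constructed for the example.

```python
import io
import struct
import zipfile

HEADER_LEN = 20               # per the thread: 20-byte header, then a ZIP
ZIP_LOCAL = b"PK\x03\x04"     # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"      # ZIP end-of-central-directory signature
ROMFS_MAGIC = b"-rom1fs-"     # standard Linux romfs superblock magic
DECOY = b"kernel bytes -rom1fs- decoy, not a filesystem"  # constructed


def romfs_superblock(blob, off):
    """Parse and verify a romfs superblock at off; return a dict or None."""
    if blob[off:off + 8] != ROMFS_MAGIC or off + 16 > len(blob):
        return None
    size, _checksum = struct.unpack(">II", blob[off + 8:off + 16])
    if size < 32 or off + size > len(blob):
        return None
    # Big-endian 32-bit words of the first min(size, 512) bytes must sum to 0.
    span = min(size, 512) & ~3
    words = struct.unpack(">%dI" % (span // 4), blob[off:off + span])
    if sum(words) & 0xFFFFFFFF:
        return None
    end = blob.find(b"\0", off + 16, off + size)
    if end < 0:
        return None
    volume = blob[off + 16:end].decode("ascii", "replace")
    return {"offset": off, "size": size, "volume": volume}


def split_firmware(blob):
    """Locate the header, ZIP and romfs parts; raise ValueError if malformed."""
    if blob[HEADER_LEN:HEADER_LEN + 4] != ZIP_LOCAL:
        raise ValueError("no ZIP signature after the 20-byte header")
    # Try every magic candidate: stored or compressed data can contain
    # look-alikes, so only a superblock with a valid checksum is accepted.
    pos, sb = HEADER_LEN, None
    while sb is None:
        pos = blob.find(ROMFS_MAGIC, pos + 1)
        if pos < 0:
            raise ValueError("no valid romfs superblock found")
        sb = romfs_superblock(blob, pos)
    # The ZIP ends at its end-of-central-directory record plus comment.
    eocd = blob.rfind(ZIP_EOCD, HEADER_LEN, sb["offset"])
    if eocd < 0 or eocd + 22 > sb["offset"]:
        raise ValueError("ZIP end-of-central-directory record missing")
    (comment_len,) = struct.unpack("<H", blob[eocd + 20:eocd + 22])
    zip_end = eocd + 22 + comment_len
    if zip_end > sb["offset"]:
        raise ValueError("ZIP runs into the romfs image")
    with zipfile.ZipFile(io.BytesIO(blob[HEADER_LEN:zip_end])) as zf:
        bad = zf.testzip()    # CRC-check every member
        members = {i.filename: i.file_size for i in zf.infolist()}
    if bad is not None:
        raise ValueError("corrupt ZIP member: %s" % bad)
    return {"header": blob[:HEADER_LEN], "zip": (HEADER_LEN, zip_end),
            "zip_members": members, "romfs": sb}


def make_romfs_stub(volume=b"rom"):
    """Constructed test data: a romfs superblock and volume name only."""
    name = volume + b"\0" * (16 - len(volume) % 16)
    body = ROMFS_MAGIC + struct.pack(">II", 16 + len(name), 0) + name
    words = struct.unpack(">%dI" % (len(body) // 4), body)
    checksum = (-sum(words)) & 0xFFFFFFFF
    return body[:12] + struct.pack(">I", checksum) + body[16:]


def make_sample():
    """Constructed firmware: opaque header + ZIP (with a decoy) + romfs stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("linux.bin", DECOY)
    return bytes(range(HEADER_LEN)) + buf.getvalue() + make_romfs_stub()


if __name__ == "__main__":
    print(split_firmware(make_sample()))
```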
I think I can manage the file extraction from the notes on your blog.
Unfortunately, my linux machines are all at home, so I won’t be able to play around for a few more hours, at least.
kylemallory said this on April 29, 2010 at 2:24 pm |
Got it mounted!
Forgot I had a Debian VM I installed the other day.
Matches perfectly with what we have in the actual filesystem on the device, so I think we’re totally ready to go.
So, we know how the main linux image is built +-, and we can regenerate the romfs using genromfs, so it’s going to be easy work to add in an ssh or other binary so normal people can play (i.e. by not having to solder stuff onto the board).
Lawrence said this on April 29, 2010 at 2:27 pm |
You are THE MAN! Brilliant fucking work!!
kylemallory said this on April 29, 2010 at 2:28 pm |
Working on getting some user binaries now.
Notes on setting up the dev environment on my blog now.
Quite pleased with my progress, although I won’t be building any images until next week or so, as the physical hardware is at the office.
Hopefully someone else will follow what I’ve done, and try out creating some ARM7 bFLT user binaries, add to the extracted ROMFS, then regenerate it with genromfs, and try flashing that using the boot loader.
Hinty hint hint.
Lawrence said this on April 30, 2010 at 1:17 am |
Well, what a step forward. I’m installing VMware right now, can not wait to get stuck in now. Thanks guys. If anybody does an image I will be the first to test it. Thanks, Dave
david m said this on April 30, 2010 at 11:16 am |
Have made a test image. You’ll need to know what you’re doing to test though, so only really valuable if you’ll give feedback to me.
http://www.computersolutions.cn/blog/2010/05/ip-cam-hacking-%E2%80%93-pt6/
I’m having issues getting to most foreign sites that I would use for reference (including this one). GFW blows…
Lawrence said this on May 5, 2010 at 9:16 am |
Lawrence, I brought my linux laptop to the office today. Last day before my project deadline, so things are slowing down. Hoping to get a chance to play around with some code today. I’ll look over your image and let you know what happens.
kylemallory said this on May 5, 2010 at 9:22 am |
Hey all, I uploaded new code onto the foscam-util sourceforge.net page, that allows packing/unpacking of the system firmware file. I’ll post a new entry soon enough that goes into the details. But between this new code, and the amazing work that Lawrence has done figuring out how to access and rebuild the romfs image and recompile the linux.bin, you should have everything you need.
http://sourceforge.net/projects/foscam-util/
I’d suggest you just do this (complete with makefile):
svn co https://foscam-util.svn.sourceforge.net/svnroot/foscam-util/trunk foscam-util
Kyle Mallory said this on May 6, 2010 at 4:21 pm |
I’m trying to get this cam to work with the software, SecuritySpy. SecuritySpy said to “try contacting Foscam and asking for the HTTP request required by the camera, which can then be entered into SecuritySpy manually.”
Can anyone help me with this?
Thanks
Wozzy said this on May 8, 2010 at 9:06 pm |
Wozzy
Try http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CBIQFjAA&url=http%3A%2F%2Fwww.drivehq.com%2Ffile%2Fdf.aspx%2Fpublish%2Fbubbah%2FPublicFolder%2FIPCAMCGISDKV1.7.pdf&ei=1-TmS7bDNJewMpG8-IQI&usg=AFQjCNEKsAey6N_qqPw9CPd-Na5EGD1xOQ&sig2=Yzqw0I-rc2sHXZhkpTuLfw
Or more succinctly google : IPCAMCGISDKV1.7.pdf
Raymond Rogers said this on May 9, 2010 at 9:44 am |
Perfect. Exactly what I needed. Thanks so much!
Wozzy said this on May 10, 2010 at 7:27 pm |
Hi guys!
I have a Foscam FI8908W and I love it. I think it has some great features. Of course I would love it if the firmware could record in XviD or H264 and then delete files over a designated time frame like a week or so, so as not to bog down my 1 Terabyte network drive. The other issue is the Web UI must be open to keep recording, another problem I encountered.
To explain what I’m trying to do so this comment makes sense: I have a La Fonera 2.0N router that has a USB port of which I’m using to record to a Terabyte hard drive, it works just like any old network drive, of course at great cost savings over a decent d-link network drive setup, besides I can attach a USB hub to it and do other things as well. My whole point of doing so is to save the energy of not having to run a PC 24/7 to surveil my home. I contacted Foscam and they were very quick to respond and tried to be very helpful. Unfortunately Foscam doesn’t have a firmware that can compress video, and furthermore the firmware can’t delete data that is over a specified age. They didn’t seem to comment on another way that the Foscam can record “stand alone” as well. They DID say that they are working on those very things and hopefully in the near future we all can benefit from the new features.
So, I have two questions for this thread.
1) has anyone had any luck with any of these issues I’m encountering. Or, can someone refer me to a forum that might address such a thing.
2) This may be far out, but I came across a program called “Active Webcam” that has some wonderful features, unfortunately I can’t get my FI8908W to setup. Has anyone been able to get theirs to work?
Thx for listening guys, I’m not a programmer so I try my best to follow exactly what you guys are doing here. I have great respect for all the efforts you putting into this project. And furthermore thanks for being patient.
If anyone has any answers for me, can you go to my website http://www.BuonAppetitoProvidence.com and email me from my contact page?
Thx
-Pete
Pete said this on May 21, 2010 at 1:13 pm |
Hi. foscam.c doesn’t work with foscam ebay clone firmware. This is the clone firmware if you want to test:
http://liken.otsoa.net/pub/ipcamfirmware.rar
I would like to have a firmware with telnet or ssh.
Liken said this on May 22, 2010 at 9:32 am |
Does anybody have experience with or suppliers of alternate lens for this type of camera? I need to zoom in a little. Apparently I need something described by 35mm; but I know nothing about whether this description means anything.
Raymond Rogers said this on May 30, 2010 at 9:19 am |
Raymond, most of these cameras have a standard M12x0.5 thread mount. I haven’t checked mine to know for sure, but I’ve seen other posts and comments around the web that suggest this is true. You can buy lenses from a variety of sources, including (of course) Ebay. Here is just one link from a Google for ‘M12 Lenses’: http://peauproductions.com/store/index.php?main_page=index&cPath=4 (I don’t know anything about this company or if these prices are reasonable, etc. so do your homework!)
Kyle Mallory said this on May 30, 2010 at 11:50 am |
I bought the kit
http://peauproductions.com/store/index.php?main_page=product_info&products_id=2&zenid=b93d47ff174f4651974f40d701687452
2.8mm-16mm Lenses (6 in total)
to be able to try out various zoom settings for license plates. I will post the usage results when I receive and try them.
Due to various things I actually bought them from BuyNow.
Dealextreme had the best price though.
Raymond Rogers said this on June 1, 2010 at 7:57 am |
In case anybody wants a simple control template for zoneminder, here is a thread
http://www.zoneminder.com/forums/viewtopic.php?p=57137
I am thinking about translating it, and other things, into javascript; and making a control panel; after I get my new camera.
Ray
Raymond Rogers said this on June 1, 2010 at 12:14 pm |
I have been a bit quiet on the update front, but i have gotten somewhere.
I can *almost* toss out / replace the camera monolithic executable now, and use a proper http process plus some small executables to capture images using the standard /dev/video0 interface.
I need to work out how to talk to the stepper motor stuff still (I’m guessing over i2c bus), but most of the groundwork is ready.
Nothing releasable yet, as its not quite past barely working. I can capture a jpg off the cam via my own binaries now, so its alpha proof of concept.
Probably by next week will have something with a web ui, assuming i get time.
Lawrence said this on June 1, 2010 at 5:51 pm |
What are your opinions about generating a wiki type of technical document for this project (or whatever it is). There is a lot of information scattered around but it is a little disorganized.
Something like:
Extended hardware descriptions, including the paging scheme used by FOSCAM, arm and the boot. I have forgotten these things.
Howto access the camera at the command line level; and hopefully open a terminal/console over ethernet.
Software descriptions, compiling, options, source and binary.
I was thinking of Google projects, or perhaps sourceforge has facilities so one person doesn’t have to do it all; but the result is organized.
Thoughts?
Ray
Raymond Rogers said this on June 9, 2010 at 12:52 pm |
I think it’s a great idea. We could use the sourceforge project for my utilities. I’m on set for the rest of the week. Remind me in next week, and I can add you to the project.
kylemallory said this on June 9, 2010 at 1:51 pm |
Hi all,
I am new in the cam-world. I write here to know where I can find the API for the Foscam?
Thanks for the information!
JoseMou said this on June 30, 2010 at 2:48 pm |
I have 2 clone Foscam FI8908W Wireless IP Cameras and the problem is that they have the same MAC address, so on my LAN I can not see both of them.
Is there any solution for that problem ?
Thanks
Manos said this on July 12, 2010 at 3:45 pm |
you could fix the ip addresses on the cameras (so they are different). not ideal but might work, although your router may get a bit confused from time to time. you might have to change the port settings on the cameras so that they are different and then put port forwards on your router, that might help.
kev said this on December 10, 2011 at 4:11 am |
hmmm…I smell open source firmware brewing here and that makes me feel goood…
I think the hardware is pretty capable in these little cammies. The software side of things…well, that needs work…
I wish I could help out but unfortunately my coding skills are practically non-resistant 😦
I’m a pretty good user tho…
Cheers.
CamFos said this on July 28, 2010 at 5:07 am |
I meant non-existent…stupid auto spell correction :lol
CamFos said this on July 28, 2010 at 5:09 am |
Thanks CamFos
Well is it so difficult to change the mac address ?
Manos said this on July 31, 2010 at 5:55 pm |
HI
the latest WebUI “firmware” has extra 8 bytes in header (the first 8 bytes). Couldn’t figure out what they’re about. Any thoughts?
rcruz said this on August 4, 2010 at 1:17 am |
Great work guys. I’d love to get involved with this.
I’ve got a clone camera (FS-618A-M136).
I’m a bit confused at the moment though. I’ve heard various conflicting reports about these clones. Some people say they’re identical to the Foscam, even to the point of being firmware compatible. Yet other people are warning that flashing clone firmware onto a non-clone or vice-versa will brick the device. Which is correct?
Will fostar.c from the sourceforge page work with my camera or am I going to have to figure out modifications?
Thanks.
Simon
systemparadox said this on August 25, 2010 at 10:52 am |
I don’t know the answer to your question, since I don’t have any experience with your camera. Chances are, if you can unpack the firmware files with fostar, you should also be able to reassemble them. So, it should be an easy test to run the program on your firmware files, and see what happens.
In my experience so far, it seems that most clone cameras are very similar, though not identical. Some may work, some may not. Some differences are as simple as the size of the NVRAM on the main board. Other differences are as significant as different IO ports to communicate with the camera, meaning that a binary that works on one camera may load on another, but not perform as expected. Others could load via the firmware, but crash as soon as the software is actually loaded. Unfortunately, without some first hand experience with specific cameras, taking them apart, seeing what electronics are inside, and testing the software/firmware, we won’t ever know.
Of course, the best way to get involved would be to start by trying the tools on your camera, and see what you can figure out. If it works, document it… if it doesn’t, document that as well, and then we can work to figure out what is different and how to fix it.
kylemallory said this on August 25, 2010 at 12:28 pm |
I just got my 8908w clone from dx yesterday, I attempted to flash to the latest foscam firmware and ended up bricking it.
I hooked up the jtag. It looks like I have the one with the smaller flash/ram.
W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Aug 19 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
I started following the directions to recover it (11.14.1.37). I was able to flash the main and linux.zip no problem. rebooted fine. Then I tried loading the webui through the ipcam tool. It loaded, but the ipcam tool never saw it again. I rebooted the camera and it pops back up in the ipcamtool, but still says no webui detected. I tried updating it again, and watched the terminal this time. Right after flashing, some stuff pops up in the terminal then this code pops up and locks up the camera.
“Code: 4282c004 4a00001b (e4913004) e4a03004 e1a0ca00 ”
I tried web versions from 2.4.8.8 – 2.4.8.14
I tried for hours last night trying various firmwares and addresses. Has anyone successfully flashed a 8908 with the smaller memory/flash?
If so, what address and firmware did you use?
JoaoPaulo said this on February 1, 2011 at 6:28 pm |
I’m back in a country where I can read this blog again 😉
I’ve spent the last week working on notes and documentation on the camera stuff on a new url here – http://www.openipcam.com
Feel free to add comments and follow my work on there.
Currently I’m rebuilding the compiler toolchain for a newer GCC, and making my own kernel.
I should have a generic firmware for the units in a while, I’m almost done doing the boring prep setup work 😉
Lawrence Sheed said this on February 4, 2011 at 9:25 am |
Welcome back, Lawrence. Nice to see some progress still being made, and with a dedicated home!
kylemallory said this on February 7, 2011 at 9:39 am |
Hi,
I have a big problem with a clone Foscam camera. I tried a few firmwares and get either an I/O error or an I2C error. At this link are some photos of the boards and boxes. If any of you have something similar or know a solution, please help. http://img16.imageshack.us/g/20110207014.jpg/
everst said this on February 7, 2011 at 1:16 am |
I’m pretty much done now with all the pieces.
Have my own kernel, network, various wifi drivers etc going, all the tools that are needed are ready, just need to compile up the cam driver, and I’m good.
Looking at setting up opkg to make it a bit modular so I can do something like OpenWrt and have a webserver install things like additional wifi drivers on the fly as needed, but basically all the pieces are done now, just need to put it all together.
It even fits nicely in the 2M flash, which is a surprise.
Took me 2 1/2 weeks to get it done though!
I’ll even have a surprise new feature for the camera 🙂
More info at the http://openipcam.com site
I still need to work on the PTZ functionality, but that's the last on my list of things I want to get done.
Quite happy with my progress to date though.
Lawrence.
Lawrence Sheed said this on February 17, 2011 at 5:46 pm |
hey Lawrence,
Would you be interested in some consulting work on these Foscam cams' firmware? Please contact me at: max.bridgewater@gmail.com
Max said this on October 29, 2011 at 5:30 pm |
You can also have a look at: http://fwhacking.blogspot.com/search/label/fi8908w
fwhacking said this on March 2, 2011 at 8:58 am |
Hi. Thanks for the great job!!!
So. How can I get all CGI-files?
Van-Der-Van said this on March 13, 2011 at 8:19 am |
I have the same problem. everst
everst said:
I have a big problem with a clone Foscam camera. I tried a few firmwares and get either an I/O error or an I2C error. At this link are some photos of the boards and boxes. If any of you have something similar or know a solution, please help. http://img16.imageshack.us/g/20110207014.jpg/
Tom Grow said this on April 17, 2011 at 10:27 am |
I have a clone camera, and was wondering if anyone had looked into:
1) limiting patrol angle; i.e., HL30 to limit left horizontal patrol to 30deg instead of the full 135deg, so that the camera is not scanning a wall, obstruction, etc. Ideally, you could set independent patrol limits for all 4 axes…
2) motion tracking – once motion is detected, use PT functions to track the motion.
slash_buzz said this on April 18, 2011 at 12:28 pm |
Has anyone been able to figure out the format of the MO_V data? We're trying to make a viewer for the video stream.
Sean Siegel said this on May 4, 2011 at 2:03 pm |
did you ever get anywhere on this?
My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that the Sunshine iPhone app and a couple of others are successfully extracting the audio; however, we cannot duplicate it. We believe it's in the Mo_V http header packet and that it's using G.726. Can anybody help us here? We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.
marko popovich said this on March 21, 2012 at 8:37 pm |
use http://…./videostream.asf
you can get audio data from there.
Anthony Ho said this on March 30, 2012 at 1:52 pm
Kyle, I hope you are still monitoring this thread. Could you please contact me? I would like to speak with you about some consulting work for these foscams. It is a very time sensitive project.
JJ Morris said this on July 5, 2011 at 9:32 am |
[…] what is also interesting about this camera is that it runs on Linux. There are already enthusiasts on the Internet who have started hacking the firmware. So at this moment or in the near […]
mijn eerste IP Camera: Foscam FI8908W. Aanrader! | dannyvanmaanen.nl said this on August 5, 2011 at 8:10 am |
Have you guys tried putting any cameras on Sensr.net? It’s a free service for monitoring, saving, and sharing IP cameras. The site is built around always-on network cameras, and it store all the motion events from your cameras so you can share them with friends and family easily.
It works great with Foscam models, and their network camera blog has guides on how to set up the Foscam FI8905W and how to configure the Foscam FI8918W if you get stuck.
http://blog.sensr.net/2011/02/08/configure-your-foscam-fi8918w-for-ftp/
Bob said this on October 4, 2011 at 4:17 pm |
Hi, is there a possibility to stream video from a Foscam through a RED5 server? Has anyone done that?
Patryk said this on October 12, 2011 at 3:19 pm |
Did anyone have any joy with a zoom lens? I love this camera but it needs to be able to zoom a bit as I can't mount it close enough. I'd love a remote controllable zoom but I guess that's close to impossible; a manual zoom would be fine. Please let me know!
i have the FI8918W
kev said this on December 10, 2011 at 4:14 am |
Is there any way to secure the remote access better than running basic HTTP username/password authentication in the open (via DDNS domain name) to the camera, via Transport Layer Security / HTTPS?
Can the camera's built-in web server be somehow restricted to only accept request traffic from certain source IP addresses / MAC addresses?
Theo19 said this on December 18, 2011 at 10:07 am |
I have a remote VPN that goes to an external server, this server then has Apache2 running which proxies traffic to the camera through the VPN. So TLS to the Apache2 instance on my server, then securely encrypted to my home network and the camera.
Tom said this on February 6, 2012 at 9:04 am |
Hi! Any idea to change the CSS WebUI? Thx!
AD
Arthur said this on January 25, 2012 at 8:19 am |
Just for your information, the MO_V packets for images are actually .DIC files (http://filext.com/file-extension/DIC). You can identify its header by looking for the string “.DIC” at the start of the packet (offset 0x61).
I’m creating myself a dictionary for the FOSCAM IP Cams native protocol. As soon as I get enough information to play around with it I’ll post the link here.
Vinicius said this on February 28, 2012 at 5:19 pm |
Vinicius, I see you are delving into the MO_V code. I was wondering if you can tell me where the audio portion is so I can extract it.
marko popovich said this on March 21, 2012 at 10:18 pm |
Ok, some enlightenment already: In the MO_V packet, look for the JPEG header FF:D8, at offset 36 (0x24). From this header on, this is a plain JPEG file.
viniciusvbf said this on February 28, 2012 at 6:06 pm |
Hello, I see that you guys are trying to get into the Foscam camera. My colleague and I have tried everything we can think of to try to extract the audio from the camera onto our iPhones or Androids. We know it's in the MO_V, it's G.726, but we cannot seem to extract the data. We wiresharked it and are still having a tough time pulling the audio out. Please HELP!
marko popovich said this on March 21, 2012 at 2:55 pm |
Hi there! The audio is probably in RAW format. You can reproduce it in .NET using some audio library like the NAudio library. The settings would be:
Format: PCM
Sample Rate: 16khz
Channels: 1
Avg Bytes per Second = 32kbps
Block Align: 2
Bits per Sample: 16
The code in .NET would be something like this:
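========================================
// Requires the NAudio package: using NAudio.Wave;
// _wavePlayer (WaveOut) and _bufferedWaveProvider (BufferedWaveProvider) are fields of the enclosing class.
_wavePlayer = new WaveOut(WaveCallbackInfo.FunctionCallback());
// 16-bit mono PCM at 16 kHz: 32000 bytes per second, block align 2.
_bufferedWaveProvider = new BufferedWaveProvider(
    WaveFormat.CreateCustomFormat(WaveFormatEncoding.Pcm, 16000, 1, 16000 * 2, 2, 16)
);
_bufferedWaveProvider.BufferLength = 12000;
// Drop incoming samples instead of throwing when the buffer is full.
_bufferedWaveProvider.DiscardOnBufferOverflow = true;
_wavePlayer.Init(_bufferedWaveProvider);
=========================================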
Regards,
Vinicius
viniciusvbf said this on May 4, 2012 at 6:10 pm |
Thank you for taking the time to respond. your comment was very helpful!
marko popovich said this on May 5, 2012 at 7:11 pm
Ok, this is a draft of what I got so far by sniffing the network packets. I actually have a PowerShell script which discovers the camera and gets some jpegs from it. These data were taken from my test environment.
Sorry for the poor format. As I said before, this is just a draft.
Hope it helps other devs.
===============================================
Header Length = always 23 bytes
Header Offset 4 = Command ID
Header Offset 15 = (word) Data length
Data Offset always start at offset 23.
Send (Hello)
4D 4F 5F 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MO_O……………….
Receive (Kind of “Hello Back” + Camera MAC)
4D 4F 5F 4F 01 00 00 00 00 00 00 00 00 00 00 1B 00 00 00 1B 00 00 00 00 00 30 30 30 44 43 35 44 30 34 37 46 31 00 00 00 00 01 00 00 00 00 0B 0E 02 1C
MO_O…………………000DC5D047F1………….
Send (Authenticate)
4D 4F 5F 4F 02 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 1A 00 00 00 61 64 6D 69 6E 00 00 00 00 00 00 00 00 63 32 48 37 69 66 33 36 00 00 00 00 00
MO_O……………….admin……..c2h7if36…..
Data Offset 0 = username (13 bytes)
Data Offset 13 = password (13 bytes)
Receive (Kind of Authentication OK)
4D 4F 5F 4F 03 00 00 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 00 00 00 02
MO_O………………….
Send (Get Configured Cameras?)
4D 4F 5F 4F 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MO_O……………….
Receive (Configured Cameras missing the first character for everything.)
Send (Get video token or something like that)
4D 4F 5F 4F 04 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 02
MO_O………………..
Receive (Command 0x11?)
4D 4F 5F 4F 11 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 00 00 00 20 60 04 02 02 03 00 00
MO_O………………. `……
Receive (Generated Video Token)
4D 4F 5F 4F 05 00 00 00 00 00 00 00 00 00 00 06 00 00 00 06 00 00 00 00 00 19 E8 FC 6A
MO_O………………….èüj
Data Offset 2 = Video Token
Send (Start sending video)
4D 4F 5F 56 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 19 E8 FC 6A
MO_V………………..èüj
Data Offset 0 = Video Token
Send (Command 0x07?)
4D 4F 5F 4F 07 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 00 00 00 00
MO_O…………………..
Receive (Sequence of jpegs or jpeg chunks. Not fully tested)
Data Offset 0 = Image offset start (byte)
viniciusvbf said this on May 4, 2012 at 6:00 pm |
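The framing described in the draft above, as an added example that is not part of the original comment: a Python dissector that length-checks every frame before slicing it and reports the login packet's cleartext credentials as an audit finding without echoing the password. Reading the length as 32-bit little-endian, the 1 MiB cap, the camera ID at data offset 2 and all function names are assumptions; the packets are the sample bytes posted above.

```python
import struct

HEADER_LEN = 23      # page: "Header Length = always 23 bytes"
CMD_OFFSET = 4       # page: "Header Offset 4 = Command ID"
LEN_OFFSET = 15      # page: data length; read as 32-bit little-endian (assumption)
FIELD_LEN = 13       # page: username and password fields are 13 bytes each
MAX_DATA = 1 << 20   # assumption: sanity cap on the declared data length


class FrameError(ValueError):
    """The buffer does not hold a well-formed frame."""


def parse_frame(buf):
    """Parse one frame at the start of buf; return (frame, bytes_consumed)."""
    if len(buf) < HEADER_LEN:
        raise FrameError("short header")
    magic = bytes(buf[:4])
    if magic not in (b"MO_O", b"MO_V"):
        raise FrameError("bad magic")
    (length,) = struct.unpack_from("<I", buf, LEN_OFFSET)
    if length > MAX_DATA:
        raise FrameError("declared length exceeds cap")
    end = HEADER_LEN + length
    if len(buf) < end:
        raise FrameError("declared length runs past the buffer")
    frame = {"magic": magic.decode("ascii"), "command": buf[CMD_OFFSET],
             "data": bytes(buf[HEADER_LEN:end])}
    return frame, end


def parse_stream(buf):
    """Split a reassembled TCP payload into consecutive frames."""
    frames, pos = [], 0
    while pos < len(buf):
        frame, used = parse_frame(buf[pos:])
        frames.append(frame)
        pos += used
    return frames


def _cstr(field):
    """Decode a NUL-padded fixed-width text field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def describe(frame):
    """Turn a frame into an audit finding; the password is never returned."""
    magic, cmd, data = frame["magic"], frame["command"], frame["data"]
    if magic == "MO_O" and cmd == 1 and len(data) >= 2 + FIELD_LEN:
        # Assumption read off the sample: the camera ID starts at data offset 2.
        return {"kind": "camera_id", "id": _cstr(data[2:2 + FIELD_LEN])}
    if magic == "MO_O" and cmd == 2 and len(data) == 2 * FIELD_LEN:
        return {"kind": "cleartext_login", "username": _cstr(data[:FIELD_LEN]),
                "password_len": len(_cstr(data[FIELD_LEN:]))}
    if magic == "MO_O" and cmd == 5 and len(data) >= 6:
        return {"kind": "video_token_issued", "token": data[2:6].hex()}
    if magic == "MO_V" and cmd == 0 and len(data) >= 4:
        return {"kind": "video_start", "token": data[:4].hex()}
    return {"kind": "other", "command": cmd, "data_len": len(data)}


# Sample packets copied from the comment above (the commenter's test capture).
SAMPLES = [bytes.fromhex(h) for h in (
    "4D 4F 5F 4F 01 00 00 00 00 00 00 00 00 00 00 1B 00 00 00 1B 00 00 00"
    " 00 00 30 30 30 44 43 35 44 30 34 37 46 31 00 00 00 00 01 00 00 00 00 0B 0E 02 1C",
    "4D 4F 5F 4F 02 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 1A 00 00 00"
    " 61 64 6D 69 6E 00 00 00 00 00 00 00 00 63 32 48 37 69 66 33 36 00 00 00 00 00",
    "4D 4F 5F 4F 05 00 00 00 00 00 00 00 00 00 00 06 00 00 00 06 00 00 00"
    " 00 00 19 E8 FC 6A",
    "4D 4F 5F 56 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00"
    " 19 E8 FC 6A",
)]


def audit(packets):
    """Run the dissector over each captured payload and collect findings."""
    return [describe(f) for p in packets for f in parse_stream(p)]


if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

The `cleartext_login` finding is the reason the VPN and TLS reverse-proxy setups discussed earlier in the thread matter: anyone on the path can read these fields.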
Did you ever work out how to decode the final stream into images or video? I’m stumped :S
Phil said this on August 28, 2012 at 6:27 pm |
Hey,
This has been a great read as well as a tremendous help, so thank you to everyone for your input… you're awesome! OK, now for the question I have: has anyone ever had a problem with their camera not being able to find any wireless networks when using the “Original WebUI”? For some reason, after having the camera hooked up and working perfectly for 3 months, then being stored for another 5 months, I hooked it up and now it will not find my Wi-Fi connection or any other wireless network. I've tried using everything from “no security” to “wpa2 tkip-aes”, even tried my old router, and it is all the same! So I opened my camera from the bottom and checked that the antenna was connected, no change; switched it to the “aux” and same as before… nothing! So now it's back to the “main” placement like it was and I'm stuck, wondering if anyone has any suggestions for me. Any help would be appreciated greatly.
Thanks,
Spencer
Spencer William Leuschen said this on June 16, 2012 at 3:19 am |
[…] Googling for “W90N745″ threw up a number of online sites about this camera (here, here and here) that pre-date my own investigations by a long shot — oh well! Mine is here for […]
Serial interface for my clone Foscam FI8908W camera « Thinking too much said this on July 5, 2012 at 2:38 pm |
Hi, just wanted to say, I enjoyed this post. It was funny. Keep on posting!
Aruba said this on July 24, 2012 at 9:12 am |
Here are two generic browser interface examples, both with live demos. Both are free. For MJPEG IP Cameras: Click Here for MJPEG IP Cameras For H.264 Cameras: Click Here for H.264 IP Cameras
Don Kennedy said this on August 9, 2012 at 7:20 am |
First of all I want to say great blog! I had a quick question that I’d like to ask if you do not mind. I was interested to know how you center yourself and clear your thoughts prior to writing. I have had trouble clearing my thoughts in getting my ideas out there. I do take pleasure in writing however it just seems like the first 10 to 15 minutes tend to be lost simply just trying to figure out how to begin. Any recommendations or hints? Cheers!
Winrar Free said this on September 24, 2012 at 11:40 pm |
Thanks. Short answer: just write. Start with “so today I was thinking…” And let your brain dump. The beauty of the digital age is you can edit and edit to your hearts content, until you are satisfied. Of course, you shouldn’t otherwise you’ll never post, but… Let your brain dump, then go back and figure out “how to begin” after you’ve finished.
kylemallory said this on September 25, 2012 at 7:25 am |
Go you geeks!!! The world would stop without you guys! While you are at it, put the brightness issue on the list of to do… thank you.
Maduro said this on October 19, 2012 at 10:16 am |
The following will let you extract and mount the OS:
7z e lr_cmos_11_37_2_46.bin
mount -o loop linux.bin mount -t binfmt_misc
Jon Snell said this on March 22, 2013 at 6:18 pm |
The above wasn’t quite right, but *this* works:
export BINLEN=`od -A n -l -j 12 -N 4 lr_cmos_11_37_2_46.bin | awk '{ print $1; }'`
dd if=lr_cmos_11_37_2_46.bin bs=1 count=$BINLEN skip=20 of=linux.bin.gz
gzip -d linux.bin.gz
dd if=lr_cmos_11_37_2_46.bin bs=1 skip=$(($BINLEN + 20)) of=fs.bin
mkdir mount
sudo mount -o loop fs.bin mount -t romfs
you can then cd into mount/ to examine the files.
Jon Snell said this on March 22, 2013 at 7:02 pm |
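A checked version of the split described above, as an added example that is not Jon Snell's code: it validates the length field and the gzip and romfs magic bytes before anything is written out or loop-mounted as root. Little-endian byte order, the function names and the constructed sample image are assumptions.

```python
import gzip
import struct

LEN_OFFSET = 12             # page: od reads 4 bytes at offset 12
KERNEL_OFFSET = 20          # page: dd skip=20
GZIP_MAGIC = b"\x1f\x8b"    # standard gzip signature
ROMFS_MAGIC = b"-rom1fs-"   # standard romfs signature
SAMPLE_KERNEL = b"constructed stand-in for the kernel image"


class FirmwareError(ValueError):
    """The image does not match the layout the commands above rely on."""


def split_firmware(blob):
    """Return (kernel_gz, romfs_image) from a core firmware image."""
    if len(blob) < KERNEL_OFFSET:
        raise FirmwareError("file shorter than the 20-byte header")
    # Assumption: little-endian, which is what od prints on an x86 host.
    (kernel_len,) = struct.unpack_from("<I", blob, LEN_OFFSET)
    fs_start = KERNEL_OFFSET + kernel_len
    if kernel_len == 0 or fs_start > len(blob):
        raise FirmwareError("kernel length field points outside the file")
    kernel_gz, romfs = blob[KERNEL_OFFSET:fs_start], blob[fs_start:]
    if not kernel_gz.startswith(GZIP_MAGIC):
        raise FirmwareError("kernel part is not gzip data")
    if not romfs.startswith(ROMFS_MAGIC):
        raise FirmwareError("trailing part is not a romfs image")
    return kernel_gz, romfs


def unpack_kernel(blob):
    """Decompress the kernel part (the gzip -d step)."""
    kernel_gz, _ = split_firmware(blob)
    return gzip.decompress(kernel_gz)


def build_sample():
    """Constructed image in the same layout; the romfs part is a stub, not mountable."""
    kernel = gzip.compress(SAMPLE_KERNEL)
    header = bytes(12) + struct.pack("<I", len(kernel)) + bytes(4)
    return header + kernel + ROMFS_MAGIC + bytes(24)


if __name__ == "__main__":
    kernel_gz, romfs = split_firmware(build_sample())
    print(len(kernel_gz), "bytes of gzip data,", len(romfs), "bytes of romfs")
```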
Hello all,
I seem to have bricked my Tenvis IPRobot 3 after loading their firmware 1.1.6.2 that is linked on the Tenvis forums. They post that it voids the warranty if you try to use their forum firmware. Contacting their support was disappointing in all they would say was the camera was now broken. After a few emails and pointing out the bootloader was still intact, they offered a discount for a new camera or to send the camera to china if I pay the shipping round trip. They would not help when I pointed out I could get into the boot loader myself. I found that J9 on the main board is the serial console and with a USB to 3.3v TTL, it works great. The baud rate is 38400 and the pin order is 3.3v, gnd, rx, tx on the pcb. They are using U-Boot as the bootloader. What I need help with is decoding their firmware file. It looks to have multiple parts that I can see with a hex editor. The file has a .pk2 extension which is just their own extension. I have more data I have collected and would be happy to share it. Does anyone have any experience with the IPRobot3 or know of any websites that do? What I need are the bin files and the memory locations so I can load them via the bootloader.
Thanks
Robo
Robo said this on April 5, 2013 at 11:38 pm |
Please remove “Contacting their support was disappointing in all they would say was the camera was now broken. After a few emails and pointing out the bootloader was still intact, they offered a discount for a new camera or to send the camera to china if I pay the shipping round trip. They would not help when I pointed out I could get into the boot loader myself” from my last post.
Robo said this on April 15, 2013 at 11:23 pm |
[…] I found a few very interesting sites: http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html http://www.computersolutions.cn/blog/2010/05/ip-cam-hacking-%E2%80%93-pt6/ https://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/ […]
Foscam Clone Recovery Tool | Morrison Tech .Net said this on July 1, 2013 at 12:20 am |
[…] https://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/ […]
foscam Ip-cam hack firmware – links collections | rodezio said this on August 22, 2013 at 5:16 am |
Hello everyone!
I am trying to play an audio file in the camera through native protocol..
I have almost got it, but the audio quality is not good enough..
I send an audio file: ADPCM 8khz, 32kbs, mono.. in the TALK_DATA packets..
I would appreciate any clue!!
Thanks!
Mai
Maite said this on September 10, 2013 at 3:20 am |