Hacking the Foscam – Part IV
As a result of bricking and subsequently recovering my Foscam, I found a few interesting things out tonight.
If you enter the ‘debug’ mode on the camera, and issue the “boot” command, you can retain access to the console once the camera has booted (this may be possible directly, but it wasn’t apparent). From here you can access the camera as a Linux machine, with standard shell commands, browse directories, etc.
The WebUI firmware is mounted on /home, and it is stored in a separate volume in flash memory. Despite my bricked camera, and erasing and reloading volumes 6 and 7 with romfs.img and linux.zip images, my hacked WebUI was still present, as were all of my camera settings. This is particularly interesting since, while the romfs.img may appear to be limited to a physical size of 2MB, it should be possible to load larger binaries onto the camera (like sshd) from the WebUI firmware, and still have the /etc/init (in romfs) run them from /home/sshd, and possibly also specify a local /home/sshd.conf file. I am also curious if it’s possible to symlink /home/root to /, thereby allowing access to the entire memory from the WebUI.
What’s more interesting (though lower-level) about all of this WebUI stuff is that there are other aspects of the flash memory that are utilized, and can possibly be reallocated for different needs. I.e., now there is a 2MB ROMFS, and a who-knows-how-big WebUI, but in theory, from what I was seeing, you could potentially combine these volumes into a single volume that could more easily accommodate larger images.
The SparkFun USB-Serial UART interface I bought was actually small enough that I was able to push it inside the camera, still wired onto the board, and reassemble the camera. My son is insisting that I “put it in there all the time”, and make a small cutout for the Mini-B USB port, so that I can connect the camera via USB at any time, without having to disassemble the camera. A very tempting thought.
I noticed after booting the camera, and looking around in the /dev folder, there are 2 video devices. I need to find a way to dump the data from these devices, selectively across the network, or console. I find the prospect of two devices interesting. My gut suspicion is that they are for different image resolutions (since the camera supports 2 modes, 320×240 and 640×480). One of my long-term hacking goals is to write code that will allow the camera to track motion. This would be a great start along those lines.
At this point, the ideal next step would be finding source for the ‘camera’ application, but I’d be happy with some decompiled sources. I guess it’s about time I start installing the ARM/ucLinux build tools.