Hacking the Foscam – Part IV

As a result of bricking and subsequently recovering my Foscam, I found a few interesting things out tonight.

If you enter the ‘debug’ mode on the camera, and issue the “boot” command, you can retain access to the console once the camera has booted (this may be possible directly, but it wasn’t apparent).  From here you can access the camera as a linux machine, with standard shell commands, browse directories, etc.

The WebUI firmware is mounted on /home, and it is stored in a separate volume in flash memory.  Despite my bricked camera, and erasing and reloading volumes 6 and 7 with romfs.img and linux.zip images, my hacked WebUI was still present, as was all of my camera settings.  This is particularly interesting since, while the romfs.img may appear to be limited to a physical size of 2MB, it should be possible to load larger binaries onto the camera (like sshd) from the WebUI firmware, and still have the /etc/init (in romfs) run them from /home/sshd, and possibly also specify a local /home/sshd.conf file.  I am also curious if its possible to symlink /home/root to /, thereby allowing access to the entire memory from the WebUI.

What’s more interesting (though lower-level) about all of this WebUI stuff, is that there are other aspects of the flash memory that are utilized, and can possibly be reallocated for different needs.  Ie, now there is a 2MB ROMFS, and a who-know-how-big WebUI, but in theory, from what I was seeing, you could potentially combine these volumes into a single volume that could more easily accommodate larger images.

The Sparkfun USB-Serial UART interface I bought was actually small enough that I was able to push it inside the camera, still wired onto the board, and reassemble the camera.  My son is insisting that I “put it in there all the time”, and make small cutout for the Mini-B USB port, so that I can connect the camera via USB at any time, without having to disassemble the camera.  A very tempting thought.

I noticed after booting the camera, and looking around in the /dev folder, there are 2 video devices.  I need to find a way to dump the data from these devices, selectively across the network, or console.  I find the prospect of two devices interesting.  My gut suspicion is that they are for different image resolutions (since the camera supports 2 modes, 320×240 and 640×480).  One of my long-term hacking goals is to write code that will allow the camera to track motion.  This would be a great start along those lines.

At this point, the ideal next step would be finding source for the ‘camera’ application, but I’d be happy with some decompiled sources.  I guess its about time I start installing the ARM/ucLinux build tools.

Advertisements

~ by kylemallory on May 10, 2010.

108 Responses to “Hacking the Foscam – Part IV”

  1. hi there i have managed to dump the index html by using this comand hexdump index.htm

    Thanks dave

  2. There a simple way to cut off the WebUI, modify it, and repack finally?
    Im a bit interested on modify some html.

    • Yes, check out my SourceForge project, foscam-util . It has a utility to unpack the foscam WebUI file into its file/folder structure, and also allows you to repackage it back together. Feel free to post about your changes and even share your new WebUI with us.

      • Thank you Kyle, foscam for WebUI works fine. I can modify all the object.
        It fails when i try to unpack the whole firmware from a .bin file.
        Exactly I tested it on lr_cmos_11_14_1_46.bin (usage says lc_cmos_11_14_1_46.bin). There are some differences?

        Thank you again.

  3. i have a clone (pearl px-3309, germany) of the foscom running. After a bricking and recovering action i’ve lost the whole webUI. The Cam is running fine (whole CGI-stuff is working). If i try to flash a webUI file, the camera process core dumps…

    how can i mount/flash manually this section of the flash?

    • I believe the webui is actually one of the subsequent images that can be flashed through the JTAG interface, but I don’t know specifics. I know Lawrence has done a lot of discovery in this regard, you might want to check his page out.

  4. Another issue.
    I have difficulties compiling the driver of the IP Cam.
    I have to compile a driver for Z-Star Vimicro (Vendor 0x0ac8 / Product / 0x303b).
    Kernel’s Cam is 2.4.20-uc0.

  5. I have the complete CGI API and there is a Comm_write.cgi command that work good and I can pass serial data to the jtag port.
    What I really need is a way to read serial data from the jtag and showing it on the HTML pages somewhere. This function don’t exist and reading this site and Lawrence Sheed site I starting to believe it is possible.can it? did any one successes to recompile the bin file?

    • We’ve had success building a new firmware, with *additional* bin files, such as FTP or Telnet. But, without the source code for the camera bin file, we don’t have anything to recompile, that would give you that specific functionality.

      • Actually I have 😉

        Video driver is in the kernel, so unless we need to recompile it (which we don’t imho) we’re cool.
        Uses video4linux V2, so any of the standard tools to grab will work. My last comment in ipcam post6 talks a little on that (in my blog)

        WordPress is visible again in China, so I can see where you’re at again too 🙂

        NB, this post is slightly misleading. Essentially from my notes factory just flash the webui as a mountable partition at the end of the existing ones. The filesystem they use allows that.

        There are different sized flash depending on factory order also. So some only have 2m, some have 4m etc.
        If we want to get factory to supply our own spec units, I can do so (although need min qty’s for that)

        My current status last time I had time was:
        Working video capture

        I need to wrap up my work notes and make another post, probably do that this week.

        One issue I have now is the movement.
        I theorized that it would be i2c driven, but its not, uses IO ports directly.

        I need to go find a datasheet for the motors, and possibly a scope to watch how long to pull i/o pins high/low etc.
        I don’t have a scope though 😦
        Scopes are about 1500rmb though, so if push comes to shove, I could buy a new toy.
        Worst case I can bother Maverick with minor q&a (the guy who wrote the current firmware), but I need to do that work myself, as although he has been helpful, he’s not too interested in helping random stranger on internet, and the factory isn’t 100% interested in open sourcing stuff (although long term helps sell more). I’m getting there though!

    • I was just thinking about this some more… unfortunately, there are no easy ways to modify file contents via the JTAG directly (very limited shell, which doesn’t even support redirection, that I could see), but an alternate shell, or additional binary that took input and wrote an updated .js file in the /home directory could then be loaded on the page and rendered via javascript in whatever way you wanted should be easily possible with the existing tools.

  6. Really enjoyed this fascinating series of posts. As you are, I’m very impressed with the Foscam cameras.

    Do you have any thoughts on how to get the audio from the camera to stream in a Unix or Mac environment? Surprised that, with all this openness, they’re using ASF. Sure, VLC can play it, but I’d rather use something more open so I can stream the audio to my phone.

  7. Hi there. I have about 12 Foscam Clones (Heden VisionCam) – they are great and the distributor recently put up a new firewall which adds PTZ speed control via the interface etc.
    I own a QNAP VioStor unit that is able to handle 16 channels, however it is a shame that I can’t use the PTZ functions of these cams with it. Since QNAP will not do anything to support them, I was thinking of taking the WebUI and modifying it so that it behaves like another generic IPcam (say, a Cisco WVC200 or something) – Qnap would recognize it as so and the PTZ URLs would be remapped.

    Fostar.c cannot unpack the WebUI file that I have. The filename is aw_fr_0_4_3_1.bin (yes it is in French) and it can be downloaded at http://www.heden.fr/media/manuele-soft/Firmware_aug10.rar – it is contained in the Version2 archive.

    I don’t have access to the previous firmware to see if that one can be unpacked by fostar.c

    What do you think about this idea? I know that the video will be limited to mjpeg but at least PTZ would work and I could even implement PTZ patrols and profiles and whatnot.

    Has anyone looked into whether the cam has enough processing power to provide a mpeg4 stream instead of a mjpeg stream?

    Pascal

  8. Really interesting, I hope you will be able to “break in” so others can help out 🙂

    What I’m looking at is to hack the WiFi so that it either act as a hotspot or can connect to a Ad-Hoc network, thus allowing an iPhone/XPeria to connect directly without any AP around. This would enable the camera to be used “in the field”, i.e. a backup camera or nanny-cam in the RV.
    Would it be possible to release a firmware with telnet so others can hack around?

  9. So what you saying is that there is a new firmware .
    What I really need is a way to read serial data from the jtag and showing it on the HTML pages somewhere. This function don’t exist
    Can we add this functionality?

  10. I might be doing some work with a Foscam (FI8909W) but I noticed the motion-detection only sends an FTP or email alert.. is there a way to make the live stream kick in instead? It seems the regular streaming is only possible when you directly ask for it.

    I was thinking about making the FTP event simply set a flag on a remote server which will in turn tell the camera to start streaming but I’m worried about the delay that could cause. It would probably be much quicker if the camera did so itself from the start without having to be prompted.

    Hope that makes sense, I haven’t actually gotten my hands on one yet so I may be a bit confused about some things.

  11. Hey kylemallory Any news on this project??

    • No, it kind of stalled when I bricked my camera… I was able to recover it, but it kind of put the kibosh on any more development until I could get another one… I’ve had other expenses keeping from buying another. :-/

      • Oh ! Well.. 😉
        Isnt someone told you that he have discount if you want?
        But I know what you mean, talking about useless expense 🙂

      • Yeah, they did, but when I inquired, I never got a response. :-/ Turns out the kids going to bed has taken a turn for the better over the last two weeks. Might find that the camera isn’t the necessity that its been in the last few months… we’ll see.

  12. Kyle, I got a full dozen of yet _another_ Foscam clone off ebay. They work fine for what I want them for, but I just hadda play, and of course, bricked one.

    So… have you seen any of the clones that have the 0.0.2.4 Web UI? It’s a clone with only one audio jack on the back, and no fancy packaging. It comes from Shenzhen Municipality Science & Technology, LTD.

    I’m ordering a Sparkfun board so I can play, and maybe I can suck out the web UI from a good camera. But it would be nice if someone had all the recovery files already.

    LS

    • Lloyd, I haven’t. My own personal experience is solely with my honest-to-god Foscam. Perhaps someone else might, though. Best of luck on you’re recovery. It sucks when they brick!

  13. Hi! Many thanks for your posts!
    Is there any way to add support of secured smtp to this camera? So I will be able to use my gmail account to send messages.
    Thanks.

  14. Kyle, I had an idea. (duck!) A LONG time ago, I used to be an AIX “power user”, but that was more than 20 years ago, and I don’t presently have the skills to do this. But I still have the ideas for other folks to “do” .

    Anyway: Remember I said I had a dozen of the YAFCC (yet another Foscam Clone)? I finally got an RS232 (3.3v) interface and hooked it up to my bad cam. I got a good bootloader, was able to explore some, then hooked it up to a GOOD camera.

    Well… the images the bad one needs are in the good one’s flash memory. So…

    What about a (pre-compiled) utility that will Xmodem the images drectly from flash back to my PC, so those could be used to fix bricked ones? This could work? Yes, no?

    I think I could muster up the skills to do this — in about two years . (but it does sound like a worthy project for someone who could do it faster. Anyone with access to a good copy of a bricked XYZ IPcam could fix theirs.

    Thanks,
    LLoyd

    • PS on this last one. If anyone is game, I’ll do the testing on this particular camera, do all the documentation, pictures, etc. so others can identify it if they get one, etc.

      LLoyd

  15. Hi I’ve used the fostar.c and was able extract the web interface used in controlling a clone of foscam. The majority of the files extracted were .htm files and I can see the source code in them. May I ask if fostar.c is really intended to extract the source code of the camera’s web interface only or can it extract some other files found in the “root” of the camera itself?

    Also, is it possible to control the camera by editing the .htm files of its web interface? And if I want to change the pan/tilt functions of the camera, how do I know which .htm files to edit/change? Thanks

    • The fostar.c on sourceforge can extract and reassemble both firmware files.. Ie, both the WebUI and the Core/System (the “root” of the camera itself). The core/system firmware is a bit more complicated, because you have to have a linux system to mount and modify the ramfs image, in order to change its contents. The webui can’t change a lot of camera behavior because most of that functionality is controlled by the ‘camera’ binary that is part of the ramfs image. However, you change change how the camera interfaces with the user, and also with the core camera by changing those HTML files, incorporating javascript, etc, and moving the functionality onto the client-side. You can also use the webui package to put other binary files onto the camera, though by default, they will be places under the /home directory.

      • Kyle,

        How can I put any files through WebUI to /home directory.

      • Igor,
        You’ll have to extract the standard WebUI contents, and then repackage it with your new files, and then upload the new file as part of the firmware. Unfortunately, I don’t think my tools work with the latest WebUI files, because Foscam has changed the format slightly, and I have been too busy lately to fix it. 😦

  16. Kyle, I think I understand the purposes of fostar.c, but I don’t understand how it would help in the specific task I asked about.

    What I would like to be able to do is Xmodem the flash images of the core and the UI from a good camera out to the “world” so those images could be used to resurrect a bricked camera.

    Do I misunderstand fostar.c? Can it do that?

    Thanks,
    LLoyd

    • Lloyd,

      Nope. I suspect there might be a way, depending on the bootloader for your camera, to download the images from a camera, but fostar.c definitely will not do this. Fostar is akin to a “zip” utility (Fostar = Foscam Tar, from the Unix ‘tar’ command), that combines/extracts multiple files into/from a single file.

      For example, the webui firmware, despite being a single “bin” file, actually contains a few dozen (dare I say, a hundred?) html files that are served by the camera’s web interface.

      Fostar.c allows you to extract those files, make changes to them, and repackage them into a new bin file that can be uploaded to your camera (so, you could change the graphics in the webpages for example).

  17. The boot loader on my clones is pretty light. It will accept one-way Xmodem transfers, only.

    I guess I’ll have to create a utility to do it, no?

    LLoyd

    • Yes. Assuming the camera has a means to allow reading the flash memory and dumping its values across an interface accessible to the PC. Hardware isn’t my strong-suit, so I can’t offer much help there. It is definitely possible to do, but I don’t know if it is something that can be done via purely software…

  18. Hardware is (well, was) my strong point. But in this case, I don’t believe you need to know much about it. The existing Linux init reads the images from flash, and unzips Image 7, so I don’t see it as an “If”, but a “How”. It might take picking apart some code to see how it’s done… but that’s what this group is all about, no? 😉

    LLoyd

  19. I was just able to see the contents of the ‘.img file’ (by mounting it) and the ‘linux’ folder which were both located in the ‘system’ folder. The problem now is that most of the files are .bin files and I can’t open them even if I have linux as my OS. So how could I see the contents of these .bin files?

    By the way, my main problem is how to control the pan and tilt functions of my camera. I can make it pan or tilt by just typing something like /decoder_control.cgi?command=0 where 0 commands the camera to tilt up. But if I type this command in my browser, the camera tilts all the way up. The same thing happens when I try to make it tilt down (it tilts all the way down). My goal is to just make it pan/tilt in smaller amounts (like it will tilt up for some angle but not all the way up). Could I change the .htm files only to do this? I can see the source code of some .htm files that have the functions for pan and tilt. Thanks

    • the command I’m typing in my browser to make the camera tilt up is something like IP_address_of_camera/decoder_control.cgi?command=0

  20. Not for nothing, but the existing WebUI has all the controls for P&T operations. The WebUI works reliably, so I’d say it’s a good place to look for advice on how to do it.

    LLoyd

  21. Also, if I edit the .htm files how do I upload the new files to the camera? Do I have to repack the whole extracted folder and do socket programming of some sort? Thanks again.

  22. As far as I can see, the present scheme requires that you do re-pack an entire WebUI image file.

    But I’m beginning to think that a general-purpose Xmodem utility that would allow uploads or downloads directly from/to the camera’s directories would be a “good thing”.

    What you want to do just _shouldn’t_ require rebuilding and re-packing the entire WebUI (except, if you wanted it to “stick” past the next re-boot). It should be easier to test minor changes.

    LLoyd

    • That would be ideal… Even more ideal would be access to the filesystem via SSH/SCP or FTP, so you don’t even have to connect via a terminal… this was the point of our work: to allow adding additional binaries to the camera’s OS, and thus allowing more direct access and manipulation of the camera itself.

      Lawrence had made some progress on getting FTP and Telnet on the camera, but SSHd proved too large to fit in the 2M firmware limit.

      But, specifically, the point of repacking the WebUI bin, was to allow planting new or modified files on the camera without having to use the bootloader/JTAG interface… and it’s something that can be done without any modification to the camera’s existing firmware. Ie, you can edit and repack the WebUI firmware, and then you can upload it to the camera via the web interface (hence, no xmodem, no JTAG, no serial, etc).

  23. I’m a little confused as to why Lawrence felt the need to add FTP to the kernel, when the cams are already FTP-equipped. One of the options in the UI is to have frames FTP’d to a host during motion detection.

    If it can go one way, it would seem we only need to find the hooks to make it go the other. Telnet would be nice, but for FTP, I don’t think the kernel needs to be rebuilt. Could be wrong, though — it’s been a long time since I built a new kernel for any platform; decades, even.

    LLoyd

  24. Well… I have a new motivation to become adept at ucLinux.

    A good friend wants to do some visual pattern-recognition work in a self-contained uC environment for a robotics project. I couldn’t find a faster, more capable microcontroller for his work than what’s already in a Foscam for any reasonable price. So, of course, I told him to buy one, and we’d “figure it out”.
    (foot in mouth disease ;))

    LLoyd

  25. I think I almost have a solution to the “bricked XYZ camera” problem.

    This evening, I uploaded a known-not-working linux.zip to my bricked camera. With some tools I wrote last night, I re-extracted it from the camera.

    Almost there… the two files diff by 15 bytes (*not at the end, sorry*). I’ve mangled some data somehow, but I will find it in the next day or so.

    Then, I think we have a recovery system for the “541_CPU.PCB” cameras from goodstore.2010.

    LLoyd

  26. Oh my god Guys I LOVE reading you
    Hope something gonna get out of this 😉

  27. OK… progress is good, but slow. I got the linux.zip correctly re-built, and my bricked camera now boots successfully. I have not figured out yet how to get the romfs image to be accepted. It downloads, shows the same execution address and size, but /home ends up empty after “processing image 6″, yet I appear to have a faithful image of what’s in the good camera.

    FWIW… the linux bootup declares the correct amount of memory now, and all the networking stuff works. There just aren’t any .cgi files in /home to get my user interface working. The camera talks, though… just doesn’t send vids yet.

    LLoyd

    • Lloyd,

      the /home directory is populated with the WebUI bin file, and not the romfs.img. The romfs is actually the main linux file system, including /usr, /dev, /etc, etcetera. linux.zip is the boot image/kernel.

      I was upgrading my camera just last week, and nuked the webui as well. In order to load the /home (webui) folder, without a pre-existing webui, I had to extract the .htm files from the webui .bin, find the .htm file that uploads the firmware and modify the post address in the html forms to submit to the ip address of the camera. Then, I could load that modified file from my local hard drive in Firefox, specify the proper firmware, and submit.

      …unless you know a better way to POST a file to a webserver. Let me know if you have questions. It was a pain, but its doable. I can walk you through it, if you need.

    • FYI, if you’re interested, and willing to share your code, I’d love to include it as part of the foscam-utils. Let me know.

  28. Kyle, thanks! That means both of my images are working!

    I _will_ share the files and the tools as soon as I get this completely working.

    I’ll warn you right away that I’m an “out of the box” thinker, and the tools are weird (but now I’ve determined that they WORK!).

    I suspect they will work with any brand camera.

    LLoyd

  29. I should have said, “Any ARM-7 FosCam clone…” 😉
    LLoyd

  30. If I can locate the /home directory in flash, I think I can extract it, and copy it to the bad camera.

    Anybody know its origin?

    Also… it MUST occupy an image in flash, but only 0, 6, and 7 show up in a bootloader ls. Kyle, do you happen to know what the WebUI image number is? Technically, I need the image number, the origin, and the length. I can probably figure out the length if I have the other two pieces of information.

    Would that be in the html POST commands?

    LLoyd

  31. DONE!

    I’m at work until 5pm tomorrow, then I’ll start getting my notes together.

    I have successfully un-bricked my 541_cpu.pcb cam from goodstore.2010.

    There are some “tricks” involved.

    It works! (dang!)

    LLoyd

  32. Kyle,
    I have a writeup and several files to submit.
    I don’t have a personal site on which to offer these,
    so if you’ll contact me by email about where I can send a zip of them, I’ll let you go over them before we post the whole diatribe.

    LLoyd

  33. You should have them now, Kyle.

    I forgot to send a boot sequence dump, which I will gather and transmit.

    LLoyd

  34. I was very lucky today.
    Lloyd was kind enough to send me the firmware files (and the instructions) for my bricked Foscam clone, and i was able to bring it back to life. I’ve tried all the other firmwares i could find on the net, but none of them was able to bring my camera back to life. Only Lloyd’s files were correct for my model.

    My FOSCAM Clone has the following info:
    ————————————————————
    W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
    Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
    Board designed by Winbond
    ————————————————————-

    The PCB is 541_CPU.PCB

    Well done Lloyd.
    Thank you once more.

    • To Vagelis or Lloyd

      Hi I have an identical camrea to the one you speak about would it be possible for one of you guys to email me the recovery files (my email is rick_rock@hotmail.co.uk). 🙂
      It would make me a very happy man. after christmas hopefully you can see the cam working at http://www.tanziemo.com/puppycam.html

      W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
      Memory Size is 0×1000000 Bytes, Flash Size is 0×200000 Bytes
      Board designed by Winbond

      thanks very much

      rick

  35. A follow-up. My “stone axe” method of extracting files has a hidden advantage. (actually, a couple) 1) it can be duplicated in almost any programming environment, even though I was knapping flint with Kermit 95 scripts. 2) After talking with Kyle, I realized that one need not know exactly how long the WebUI image is if you want to store it as an invisible (-nofooter) image on your camera. You can just download everything from flash from the beginning of the image to the end of flash, and subsequently upload that same image. If it’s a -nofooter image, it doesn’t really _have_ a recorded length.

    LLoyd

  36. Another concept Kyle and I talked about was to go ahead and take the time to extract the _entire_ contents of flash — for analysis in a friendlier environment, like in your Linux or PC system.

    When I get geared up to understand the Foscam software, that’s sure the way I will go. It’ll be a lot easier than exploring the stuff with the bootloader, or trying out one variant after another of new kernels that don’t work.

    LLoyd

  37. A friend of mine bought a newer 8918W to use as a development platform for a new video image recognition project. I’ve asked him to extract the recovery files before he starts. It’ll be nice to compare the extracted files with the published update files.

    LLoyd

  38. hi,
    if someone wants to play with the foscam without flashing it, here (http://www.megaupload.com/?d=RSWWCTGB) you can download a homebrew kernel (build from scratch this summer) that loads entirely and only in the ram of the foscam! (using ttl and load into ram from the bootloader)
    It has dhcp for ethernet and ftp/telnet enabled. So you can upload almost everything you want into your webcam to try it with no risk.
    With this homebrew kernel and a binary program (not done = todo) we could dump/extract the flash before trying to flash another…

    • Yop,

      I tried this homebrew firmware, it works really nice, but is it possible to put this instead of keeping the original ?

      Thx,

      • This homebrew kernel is specially designed to be in ram : during the config to compile the kernel the ram has been declared to 7mo vs 8mo, and the adress of the romfs has been set also to point to ram…
        But that’s all (so it would be easy to remake the same kernel to flash).
        It lacks wifi driver & video driver (module spca5xx loads ok, but nothing more. Video for linux doesn’t seem to work well).
        I think this kernel could be a good start to make a tool to dump the flash rom of some foscam clones before trying to flash another firmware for example.
        Some binaries and config files can be picked from the homebrew romfs and maybe added in a “modified official firmware”, but there’s a little things to do with this because in the “official firmware” everything is encapsulated in a binary named “camera” ( web server, cgi …), and drivers are not as external modules but in the kernel (maybe not sure) and … it’s closed source.
        A open source firmware for this little gem (the foscam) would have been a killer gadget !

    • Hi,

      Given that Megaupload is now banned/bricked, does anyone have a valid/working link to the homebrew kernel?

      Regards,
      Carlos

  39. Hello,

    I have an error while the extracting of the webui (20_8_2_15) : “Disassembling firmware file ‘decompressed/webui/WEB UI_20_8_2_15.bin’ to ‘webui_extracted/20_8_2_15/’
    File size doesn’t match that reported in the header: 1141676733/626289”

    I think the problem is the .bin file, what can to do to fix it ?

    Thanks,

  40. Whoot! Great work, thank you very much!

    To the “Dumping data over the network”: It could be done with netcat (which I suppose is not included in the default fw) – or probably even simpler: Link /dev/videoX to the root of the webserver (/home ?) and access it with wget or mplayer from your machine. (i.e. ln -s /dev/video0 /home/video0)

    Try mplayer -cache 2000 http://webcam_uri/video0 – the cache option is needed in some cases. If the video is laggy or the stream drops after a few seconds, increase the cache size.

    If mplayer won’t play it, you might want to try wget’ing the file and then playing it…

    Do you happen to know where the .cgi scripts are in the firmware image? I have extracted all available files from the firmware images I could find, but none included a binary that looks as if it would handle the cgi stuff (did only test with “strings” though).

    What I’m looking for is a not-so-invasive way to start telnetd (is there one in the default fw image?) or run commands by exploting the cgi scripts/handler – but without the source, it’s kinda hard 😉

  41. I am trying to compile fostar.c but got an error. I wonder if anybody has pre-compiled fostar.c in windows that I can use. I want to make some change in WebUI. thanks.

    • Kevin,

      The code should be pretty straight forward. What errors are you getting, and maybe I can help you through them. Unfortunately, I don’t use Windows, so I can’t provide a binary.

      • Kyle
        Thanks for replying so quick.
        These are the errors I am getting.
        fostar.c(288) error C2143: syntax error: missing ‘;’ before ‘type’
        fostar.c(292) error C2065: ‘file_len’ : undeclared identifier
        fostar.c(293) error C2065: ‘file_len’ : undeclared identifier

      • Ahh… My bad. Okay, a few lines above line 288, it says:

        int max_data = 0;

        Change that to read:

        int max_data = 0, file_len = 0;

        Then, on line 288, where it says:

        int file_len = ftell(f);

        Delete the ‘int’ from the start of the line, so it looks like this:

        file_len = ftell(f);

        Then save, and recompile. Apparently, your compiler doesn’t like inline declarations. Something I should have avoided, but the ease of which usually gets the better of me. It looks like I avoided to that elsewhere, with one exception further on down, with the “FILE *f2 = fopen(…)”, here:

        } else if (type == 1) {
        FILE *f2 = fopen(dst_file, "wb");
        if (f2 == NULL) {
        fprintf(stderr, "Unable to write file: %s", dst_file);
        exit(-1);
        }

        Hope that helps. If you have problems with the FILE one, let me know. I should probably just update the code on SF.net.

  42. Kyle,
    Now I am getting fostar.obj errors.
    fostar.obj: error LNK2019: unresolved exteral symbol _optind referenced in function _main
    fostar.obj: error LNK2019: unresolved exteral symbol _optarg referenced in function _main
    fostar.obj: error LNK2019: unresolved exteral symbol _getopt_long referenced in function _main

    Is there something I am not doing correctly? I am using VS2010.

    • Hey Kevin,
      You might be on your own at this point. The problem is the use of the GNU command-line processing code, “getopt” (getopt.h). You can try downloading the following 3 source code files, including them in your project, and hoping for the best. There are WIN32 directives in the code, and the function declarations appear to be the same, but I make no promises to how smooth your sailing will be.

      https://gforge.inria.fr/scm/viewvc.php/trunk/itkAddOn/getoptcompat/?root=vtkinria3d

      • Thanks for your help. I had the wrong getopt file. But I still can’t compile it. I have very limited program skill so I going to give up. but thanks for your help.

      • there is now a windows version on the openipcam website

  43. Hello ,
    I have compiled the util and it is working perfectly, but
    for the webUI firmware 2.4.8.15 it is generating this error
    while extracting its contents “File size doesn’t match that
    reported in the header: 1141676733/795384”

    I do not know exactly how the fread() is getting an
    incorrect file size according to the webUI header.

    Can you please advise ? …
    Btw I have alrady loaded this 2.4.8.15 in the camera and is
    working fine =/ so no more downgrading…
    Or can I downgrade ? to 2.4.8.12 / 14 ?

    • Hello!
      Too interested in this question. A new version WEBU gives this error. tell me how to edit a file fostar.k, what would it work?

      • I made a patch a few days ago for this that should be working (at least partially)… though, I may not have committed it yet. I’ll double-check, though lately I’ve been easily distracted by shinny and/or curvy things of late, so… FYI, Foscam changed the header of the WebUI firmware, and add/moved/removed some fields around. At first glance, it looks like they added some kind of a checksum to the file, which I have been slowly working on.

  44. After bricking my foscam clone camera I have brought it back with usb uart cable method. But unfortunately, web ui is still at 0.0.0.0
    I tried to update it with the latest version of IP cam tools but it didnt work. Update starts but cam stops at some points and needs a restart.
    I have tried curl method as well but the result is same.
    Is there any other way to update web ui?

  45. Hello, friends!

    I have one 541_CPU.PCB camera (Fake Foscam), but it have bricked because of updating by Foscam’s firmware. So, I’m looking for un-bricking firmware files.

    Please tell me how can I get them.

  46. Hello, friends!

    I have one 541_CPU.PCB camera (Fake Foscam), but it has bricked because of updating by Foscam’s firmware. So, I’m looking for un-bricking firmware files.

    Anyone, please tell me how I can get them.

  47. Need email. Will send you full version with docs.

    (I’m still looking for someone who’d like to host this file)

    LLoyd

  48. Hi, LLoyd.

    I applied your firmware files to my cam.

    System firmware works well, but WEBUI does not work.

    Some CGI commands (snapshot, videostream, get_status, get_params, get_camera_params, get_misc, reboot etc.) successfully respond.

    Setting-up network is performed by Foscams IPCam Tools.

    Differnce of boot log is below(pickuped, not all).
    It seems WEBUI is not loaded.
    I tried to update WEBUI to 541WebUI.bin by Foscams IPCam Tools, but cam says “Error file of WebUI!”.
    EasyNP’s WEBUI file “aw_4_3_3_39.bin” is succeeded By Foscam Tool, but cam log says “files error”. So cam responds “version error” on WEB.

    —————————————–
    aw version is 21.23.2.15
    aw not exist !
    aw version is 0.0.0.0

    Wait for auto-negotiation complete…OK
    100MB – FULL
    video0 opened
    1
    1
    1
    1
    1
    1
    unknown command
    __pthread_initial_thread_bos:360000
    manage pid:16
    audio_dev.state not AU_STATE_RECORDING
    wb_audio_start_record
    inet_sr.c INET_rinput 321
    action===1
    options==33
    inet_sr.c INET_setroute 75
    *args===255.255.255.255
    *args===netmask
    *args===eth0
    2
    2
    2
    2
    2
    2
    [28]
    update_smarteye_ddns: can not get server ip
    ntpc adjust ok
    —————————————–

    Yuhsai

    • Hello Yuhsai,
      My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that Sunshine iPhone app and a couple others are successfully extracting the audio, however we cannot duplicate it. We believe its in the Mo_V http header packet and that its using G.726. Can anybody help us here. We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.

  49. It’s not entirely clear that you actually sent the webui file to the camera.

    My instructions omit telling you to initiate an Xmodem send of 541WebUI… which you must do. (I guess I though it was so obvious I just skipped over it, but specificity is everything).

    Merely entering the “FX 8 webui 0x7f180000 0x7f180000 -a -nofooter” without then SENDing the file 541WebUI via xmodem will cause the webui to be missing.

    You can do this alone, without repeating the image 6 and 7 steps.

    (Kyle, I’m updating my instructions, because I’ll bet this is the problem.)

    LLoyd

    • Hi LLoyd.
      Sorry, I mistook reading instructions.
      After flash image 8 by “541WebUI.bin” file, all got excellent!
      Thanks lots.

      Yuhsai

  50. Great! I’ll update to fix my omission.

    LLoyd

  51. This is all very exciting to read, I am thinking of getting one of these camera’s aswell in the near/far future, but wonder if there has been done something similar for other camera’s aswell?

    In any case, assuming the whole linux part can be built from scratch and leave us with a completly working system, the thing that would be missing is the ‘camera’ application?

    In regard to the webserver being built into the camera binary, wouldn’t it be possible they are using the webserver that can be build into the kernel?

  52. 2 ways around this.

    Option 1: (easier)
    Use existing kernel + modules (drivers), replace the romfs with our own.

    Option 2: (harder)
    Recompile kernel with relevant modules (drivers), replace romfs with our own.

    I’m currently working on both #1 and #2 over at http://www.openipcam.com

    Webserver – probably going to use mathopd – its small, and compiles without issue.

    Capture – videodog or similar (I have lots of v4l capture code also)

    Basically its a matter of compiling that up and putting it all together. As I’m a masochist, I’m currently going with option 1 (as a few people are interested in the end result)

    Lawrence.

  53. Hi, can anyone let me know if a compiled fostar.c exists for Windows?
    I have no idea how to make this… 😉
    It would be awesome if you guys could help me. I have Visual Studio 2010 but not so much knowledge in how to make it work.

    Thanks a lot. Email is AaronRiber@gmail.com

  54. q@ubuntu:~$ ./fostar -u 2.4.18.15.004.bin lpoo
    *** REMEMBER! ALWAYS KEEP A BACKUP OF YOUR ORIGINAL FIRMWARE ***
    *** I AM NOT RESPONSIBLE FOR YOU TURNING YOUR CAMERA INTO A PAPERWEIGHT ***
    *** USE OF THIS SOFTWARE IS AT YOUR OWN RISK ***
    *** ***
    *** If you don’t agree to this, press ‘Ctrl+C’ now. ***

    File size (567184) doesn’t match the reported header sizes (2140509334). File may be corrupt.
    ??????????? HELP ME!!

  55. I have two files (lr_cmos_11_15_1_42.bin and 2.4.18.15.004.bin) lr_cmos_11_15_1_42.bin unpacked and 2.4.18.15.004.bin not give an error (File size (567,184) doesn’t match the reported header sizes (2140509334) . File may be corrupt.
    what to do please help

    • Sergot,

      Foscam updated the header structure in the newer firmware files. Your file is probably not corrupt, but Fostar won’t be able to extract its contents either… I’ve looked into this, enough to know what the problem is, but not enough to actually fix it. I’ve been swamped with real-life lately, and unfortunately, this is a low-priority for me at the moment. If someone wanted to pick up where I left off, I’d be happy to share what I’ve found. –Kyle

  56. Just to let you know :
    http://www.openipcam.com/
    but you probably already know this link 😉
    nice development here

  57. Hi, thanks a lot for this. I think your posts are very insightful and definitely useful. It’s like I am reading a professional magazine. I would recommend adding more recent articles and keeping up to date. Two thumbs up mate! Keep up the good work!

  58. Hi, I have to agree on you on most points. It seems you really know your stuff. May I ask what is your profession?

    • Laker,
      Very gracious words of yours. Thanks. I am a software engineer with 20 years experience, by trade. I started coding when I was 8, and I started writing code for my Dad’s business at the age of 12 (that his own staff couldn’t figure out). As a hobbyist, I am a technologist, artist, independent filmmaker, entrepreneur, and philosopher. I have spent my entire either making stuff (electrical, mechanical, visual, etc), or taking things apart to figure out how they work.

  59. Hi, I am not familiar with your expert topic but it looks like you may have a solution I am starving to find : I would like to use a Foscam IP cam to Wake up PCs on the same LAN (WoL) since the IP Cam is always on and low energy consumption. I don’t have a router that allows port forwarding so I cant do Wake on Wan from internet (which is what I want to be able to do). So I need to make it from a powered-on device. (= Foscam IP cam)… I would imagine transferring a small WOL program onto the IP CAm and have access to it when I want to wake up any PC on the LAN . I am not a Linux Geek but reading through this blog, it looks like you may have a clue on how to do this 🙂 Thank you for your hints !

  60. Hi

    Great site, just wondered if anyone had managed to hook a foscam upto a gsm modem for sending images on motion detection?

  61. Hello All,

    My colleague and I are building an iPhone and Android app around a Foscam and/or Y-cam MJPEG camera. The challenge that we are facing is extracting the audio from the camera into our mobile app (or any app for that matter). I found that Sunshine iPhone app and a couple others are successfully extracting the audio, however we cannot duplicate it. We believe its in the Mo_V http header packet and that its using G.726. Can anybody help us here. We have been trying for such a long time to get this going but we keep running into a dead end on this front. Thank you in advance, Marko.

  62. Hi at all,
    i just got here cause i found the fostar util.
    with this i unpacked the 2.4.18.17.bin web-ui added some files and repacked it.
    if i try to update the web-ui it uploads the file through my browser, than it says “rebooting”.
    but nothing happend, the newly added files aren’t.
    did i do something wrong? or is it the mentioned checksum in newer firmware versions?

    hopefully there is a solution.
    i’m trying to build full working web-ui for mac-os (10.7) cause there is no more support for vlc-plugin. i rewrote the stream-player using jw-player.

    thanks for your help and work.

  63. Hi:
    Is it possible to disable rotation and relay test on camera reboot?
    I`m controlling a garage door and it`s a problem that each time camera reboots, garage door opens.
    Thanks you in advance.

  64. All I really want to do is add a banner and remove the control panel in the left column of the interface for visitors. I know HTML, JavaScript, CSS and some server side web languages, but I don’t know jack squat about C or C++. Does anyone know of a basic step-by-step guide to accomplishing this?

  65. Hello, Lloyd Sponenburgh and friends!
    I have one FI8910W camera (Fake Foscam i guess?), but it has bricked because of updating by Foscam’s firmware. So, I’m looking for un-bricking firmware files.
    my email is afnabua24@yahoo.com

    thanks a lot!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: