Serial interface for my clone Foscam FI8908W camera

I’ve opened up my Foscam-clone IP Camera, located the onboard serial port and captured the output from the bootloader and the firmware booting. This post is for anyone interested.

Edit: Based on the evidence below, it appears to be a Winbond W90N745 bootloader. Googling for “W90N745” threw up a number of online sites about this camera (here, here, here and particularly here) that pre-date my own investigations by a long shot — oh well! Mine is here for posterity too 🙂  I’ve subsequently also stumbled across  http://www.openipcam.com/ — seems like a useful site for general hacking ideas regarding this and similar IP Cameras. So now you know!

Serial port

With respect to the photo, the serial port is a set of 4 pins from the “J2” mark on the PCB.

The pins are (from closest to furthest from the “J2” mark):

        VCC
	GND
	TX (output from camera)
	RX (input to camera)

The serial port uses TTL signal levels, so I used this USB-serial adapter to connect the IP camera to my FreeBSD desktop. The IP Camera’s boot loader configures the serial line for 115200 baud, so the following FreeBSD command provided me with serial access from my desktop:

 cu -l /dev/cuaU0 -s 115200

The  boot loader

Powered the device on and entered “escape” in time to interrupt the regular boot process. Tried a couple of commands once at the bootloader prompt.

    [gja@gjadesktop] /root# cu -l /dev/cuaU0 -s 115200
    Connected
         [...powered on the IP camera....]

    W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
    Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
    Board designed by Winbond
    Hardware support provided at Winbond
    Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
    Boot Loader Configuration:

	    MAC Address         : 00:0D:C5:D0:47:F1
	    IP Address          : 0.0.0.0
	    DHCP Client         : Enabled
	    CACHE               : Enabled
	    BL buffer base      : 0x00300000
	    BL buffer size      : 0x00100000
	    Baud Rate           : -1
	    USB Interface       : Disabled
	    Serial Number       : 0xFFFFFFFF

    For help on the available commands type 'h'

    Press ESC to enter debug mode .

    bootloader >
    bootloader > h

    W90P710 Command Shell v1.0 Rebuilt on Jul 04 2006 at 16:20:08

    H        Display the available commands
    B        Set Baud Rate
    D        Display memory. D -? for help
    E        Edit memory. E -? for help
    G        Goto address
    I        information
    MX       Xmodem download
    MT       TFTP/USB download
    FT       Program the flash by TFTP/USB. FT -? for help
    FX       Program the flash by Xmodem. FX -? for help
    CP       Memory copy
    LS       List the images in the flash
    SET      Setting boot loader configuration. SET -? for help
    CHK      Check the flash
    RUN      Execute image
    DEL      DEL the image or flash block
    MSET     Fill memory
    TERM     Change the terminal output port
    BOOT     Reboot the system
    CACHE    Cache setting
    USB      USB interface setting
    UNZIP    Unzip image
    ATTRIB   Change the image attribution

    bootloader > i

    W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
    Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
    Board designed by Winbond
    Hardware support provided at Winbond
    Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
    Boot Loader Configuration:

	    MAC Address         : 00:0D:C5:D0:47:F1
	    IP Address          : 0.0.0.0
	    DHCP Client         : Enabled
	    CACHE               : Enabled
	    BL buffer base      : 0x00300000
	    BL buffer size      : 0x00100000
	    Baud Rate           : -1
	    USB Interface       : Disabled
	    Serial Number       : 0xFFFFFFFF

    For help on the available commands type 'h'

    Supports flash types:
    W19L320SB        AM29LV320DB      AM29LV320DT      AM29LV800BB
    AM29LV800BT      AM29LV160DB      AM29LV160DT      EN29LV160AB
    EN29LV160AT      SST39VF160       HY29LV160        MX28F160C3T
    MX28F160C3B      MX29LV160BT      MBM29LV160BE     MBM29LV160TE
    W19B322MB        M29WL320DT       W19L320ST        W19B320ABT
    W28J800TT        W28J800BT        W28J160TT        W28J160BT
    W28J320TT        W28J320BT        INTEL E28F320    INTEL E28F640
    SST39VF6401      INTEL E28F128    28F800C3-T       28F800C3-B
    28F160C3-T       28F160C3-B       28F320C3-T       28F320C3-B
    W39L010          W29EE011
    bootloader >
    bootloader > usb
    This bootloader doesn't support USB, please use TCP/IP instead

    bootloader > ls
    Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
    Image: 7 name:linux.bin base:0x7F020000 size:0x000BF7B0 exec:0x00008000 -acxz
    Image: 6 name:romfs.img base:0x7F0E0000 size:0x000B0800 exec:0x7F0E0000 -a

    bootloader > set
    Boot Loader Configuration:

	    MAC Address         : 00:0D:C5:D0:47:F1
	    IP Address          : 0.0.0.0
	    DHCP Client         : Enabled
	    CACHE               : Enabled
	    BL buffer base      : 0x00300000
	    BL buffer size      : 0x00100000
	    Baud Rate           : 115200
	    USB Interface       : Disabled
	    Serial Number       : 0xFFFFFFFF

    bootloader >
    bootloader > set -?
    Usage: SET      -[mac [addr],ip [addr],dhcp [0,1],cache [on, off],buffer [base] [size],baudrate [baud rate setting],sn [serial number]]
    -mac           [addr]          Set MAC  Address
    -ip            [ip addr]       IP Address
    -dhcp          [1,0]           Enable/Disable Dhcp client
    -cache [on,off]        Enable/Disable cache when processing images
    -buffer        [base] [size] Set the buffer used by UNZIP and TFTP server
    -baudrate      [baud rate setting] Set the default baud rate
    -sn            [serial number] Set the serial number

    bootloader >

Firmware (ucLinux?) booting

If I don’t interrupt the bootloader after power-on, here’s the full output from the embedded Linux-based firmware. I haven’t tinkered any further than this.

[gja@gjadesktop] /root# cu -l /dev/cuaU0 -s 115200
Connected
 [...powered on the IP camera....]

W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

 MAC Address : 00:0D:C5:D0:47:F1
 IP Address : 0.0.0.0
 DHCP Client : Enabled
 CACHE : Enabled
 BL buffer base : 0x00300000
 BL buffer size : 0x00100000
 Baud Rate : -1
 USB Interface : Disabled
 Serial Number : 0xFFFFFFFF

For help on the available commands type 'h'

Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1334 �� 3�� 24 05:56:23 CST 2010
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 2048
zone(0): 0 pages.
zone(1): 2048 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 8MB = 8MB total
Memory: 6236KB available (1479K code, 289K data, 40K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F1907FF [VIRTUAL 7F0E0000-7F1907FF] (RO)
W19B320ABT Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4

 _____     ____    _    ____
|__  /   _|  _ \  / \  / ___|
  / / | | | | | |/ _ \ \___ \
 / /| |_| | |_| / ___ \ ___) |
/____\__, |____/_/   \_\____/
     |___/
ZD1211B - version 2.24.0.0
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.20.04
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
[8]
Command: sh
no support

Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :807b5004-7e8740
hub.c: new USB device 1, assigned address 2
detect_sensor: mi360
dvm cmos successfully initialized
dvm camera registered as video0
new USB device :807b5404-7e8740
hub.c: new USB device 2, assigned address 3
VIA Networking Wireless LAN USB Driver Ver. 1.20.04
Copyright (c) 2004 VIA Networking Technologies, Inc.
vntwusb_init--->eth1 initial ok!
insmod VNTWUSB SUCESSFUL...
aw version is 11.14.2.28
aw version is 2.4.8.15

Wait for auto-negotiation complete...ResetPhyChip Failed
video0 opened
1
1
1
1
1
1
set resolution 4
set brightness 82
set contrast 4
set sharpness 3
set mode 0
unknown command
_i2c_write: write i2c error
_i2c_write: write i2c error
__pthread_initial_thread_bos:39c000
manage pid:14
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record
Config_FileOperation file Not exist
Zone=[2][E][U]!!
Antenna AUX&MAIN all available!
[26]
[28]
_i2c_write: write i2c error
_i2c_write: write i2c error
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
AP deauthed me, reason=13.
WLAN_ASSOCIATE_WAIT:Association Fail???
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
WLAN_ASSOCIATE_WAIT:wait 1 times!!
WLAN_ASSOCIATE_WAIT:wait 2 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
wpa_driver_viawget_set_countermeasures - not yet implemented
WLAN_ASSOCIATE_WAIT:wait 3 times!!
wpa_set_scan-->desired [ssid=,ssid_len=0]
WLAN_ASSOCIATE_WAIT:wait 4 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
WLAN_ASSOCIATE_WAIT:wait 5 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
Trying to associate with 00:11:50:8e:9e:02 (SSID='gjahome' freq=2442 MHz)
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
Association Successful, AID=1.
Link with AP(SSID): gjahome
3
3
3
3
3
3
Associated with 00:11:50:8e:9e:02
SET_KEY_BEFORE_SEND_4_OF_4 == 0
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
SET_KEY_AFTER_SEND_2_OF_2 == 0
WPA: Key negotiation completed with 00:11:50:8e:9e:02 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:11:50:8e:9e:02 completed (auth)
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: