Thursday 2 May 2013

Hacking the Xenta IP-11IR-H264-PT IP camera from Ebuyer part three - network access

Just a quick update.  I was going to try to get sshd working but decided to try to get telnetd working first as it is already on there (but disabled).

Firstly, to get to a command line through serial without having to use the ctrl+z method described previously: get to the command line once using that method, then use vi to edit the file /etc/boottab, which controls the programs that start on boot.

Find a line near the end:

/bin/vs/vs_auto.sh
and add an ampersand at the end like this:

/bin/vs/vs_auto.sh &
Then save the file.  This will background the vs_server program so you can get to the command line with it running.

The device has a watchdog running on it that looks for various events and makes sure various processes are running.  If they are not, the camera reboots.  It is this that reboots the device if you stop vs_server with ctrl+c or ctrl+z once it has finished booting, before you have edited the boottab file.

There's not much you can do with the watchdog as it is controlled by the program /bin/vs/vs_server which is a compiled ELF executable and not editable.

You can run telnetd now, but you will find that it attempts to start a second copy of vs_server, which then crashes and causes another reboot almost as soon as you telnet in!

To get telnet starting at boot, find a comment in the /etc/boottab file that reads:

#start Telnetd
and add the following on the next line:

/bin/telnetd &

Save and close the file.

Now your problem is stopping vs_server running a second time when you telnet in.  Edit the file /etc/profile (which is executed whenever a user logs in) and find the line:

/etc/boottab ipcamera
Remove this line and replace it with the following section of code:

if [ -z "$(pidof vs_server)" ]; then
  # only start the camera stack (vs_server and everything built into it) if it is not already running
  /etc/boottab ipcamera
fi
Save and close the file.  This means vs_server is only started if a vs_server process does not already exist.  So vs_server still starts when the camera boots (as well as the watchdog, it has the web server, RTSP server etc. built into it), but it won't attempt to run again when you telnet in, or log in by any other method for that matter.
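The three edits above as one idempotent script, added here as an example and not part of the original post: it works on copies of /etc/boottab and /etc/profile, keeps a .bak of each, and can be run twice without doubling the ampersand or the telnetd line.  It assumes the files contain exactly the lines quoted above ("/bin/vs/vs_auto.sh", "#start Telnetd", "/etc/boottab ipcamera"); the demo files are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the exact lines quoted in
# the post; file paths are parameters so it can be tried on copies first.

patch_boottab() {  # $1 = path to a copy of /etc/boottab
    f=$1
    [ -f "$f.bak" ] || cp "$f" "$f.bak"
    if grep -qx '/bin/telnetd &' "$f"; then add=0; else add=1; fi
    awk -v add="$add" '
        $0 == "/bin/vs/vs_auto.sh" { print $0 " &"; next }    # background vs_auto.sh
        { print }
        add && $0 == "#start Telnetd" { print "/bin/telnetd &" } # enable telnetd once
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

patch_profile() {  # $1 = path to a copy of /etc/profile
    f=$1
    [ -f "$f.bak" ] || cp "$f" "$f.bak"
    # only the bare, unindented line matches, so a second run changes nothing
    awk '
        $0 == "/etc/boottab ipcamera" {
            print "if [ -z \"$(pidof vs_server)\" ]; then"
            print "  /etc/boottab ipcamera"
            print "fi"
            next
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

verify() {  # $1 = boottab, $2 = profile; true only when each edit is present exactly once
    [ "$(grep -cx '/bin/vs/vs_auto.sh &' "$1")" -eq 1 ] &&
    [ "$(grep -cx '/bin/telnetd &' "$1")" -eq 1 ] &&
    [ "$(grep -c 'pidof vs_server' "$2")" -eq 1 ] &&
    ! grep -qx '/etc/boottab ipcamera' "$2"
}

demo() {
    d=$(mktemp -d)
    # constructed stand-ins for the camera's files; the real ones are longer
    printf '%s\n' '#!/bin/sh' '#start Telnetd' 'mount -a' '/bin/vs/vs_auto.sh' > "$d/boottab"
    printf '%s\n' 'export PATH=/bin:/sbin' '/etc/boottab ipcamera' > "$d/profile"
    patch_boottab "$d/boottab"; patch_profile "$d/profile"
    patch_boottab "$d/boottab"; patch_profile "$d/profile"   # second pass must be a no-op
    verify "$d/boottab" "$d/profile"
}

demo && echo "boottab/profile edits applied and idempotent"
```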

That's it.  Now you can put away your serial cable and telnet to your camera whenever you want!
 

Hacking the Xenta IP-11IR-H264-PT IP camera from Ebuyer part two - getting root access over serial

OK so this next post was supposed to be about my external web interface to view the camera from Linux.  

I've decided to skip that as my new soldering iron arrived so I have now successfully got serial access to the camera and modified part of the web interface directly on the camera itself.

Like many embedded devices these days, this camera is of course based on Linux.  More often than not there is a UART/serial port hidden on the PCB somewhere which usually consists of a 4 pin connector or 4 pads on the board.

On opening up the Xenta/Foscam casing, I located what appears to be a JTAG header but also 4 through-hole pads at the front of the board that looked like a hopeful candidate for a UART.  Firstly, I soldered 4 wires to these headers:


Next, to figure out which pin is which.  A 4 pin UART/serial header will consist of a positive (+ve) connection, a negative (-ve) connection, TX and RX.  Powering up the camera and using a multimeter in volts mode allows the + and - to be identified.  In this case, two pins had a solid 3.3V across them, so the other two are clearly RX and TX.

Now to get it hooked up to a PC.  I have a nice little serial-to-USB adaptor (based on the common FTDI chipset) which is switchable between 3.3V and 5V and very handy for things like this; I bought it off ebay a year or so ago.


I used the breadboard in between so I could easily swap the wires around to figure out what was what.

The serial pins on the Xenta/Foscam turned out to be as follows; the order from left to right is as you look at the PCB from the front with the camera the correct way up, as you see it in the pictures:

+3.3v - GND - TX - RX

Make sure you use a serial adaptor that is 3.3v not the more common 5v!

Then it's just a case of firing up your friendly serial communication program.  I use minicom.  Connect using these settings:

  • baud rate: 115200
  • data bits: 8
  • parity: N
  • stop bits: 1
  • hardware & software flow control: off
Then power up the camera and you'll see the console messages fly past:


Right near the start of the boot process you can halt the boot by pressing a key when prompted and go into the bootloader menu.  This uses the common U-Boot bootloader.  There's not really much you can do here other than reloading firmware etc.  This shows the list of bootloader commands available:


Of much more interest is getting to the Linux command prompt with the filesystem mounted.  If you let the camera finish booting normally then you are locked out of the command line.  You can press ctrl+c or ctrl+z here to stop the running process, but after a couple of seconds the camera will reboot itself (I guess this is some protection against people doing this kind of thing built into the software).

To get to a stable Linux prompt without the device rebooting itself, during the boot process (but after the "press any key" prompt for the bootloader), keep hitting ctrl+z and it will eventually halt the boot process and drop you to the command prompt with no rebooting:




The camera is using an operating system called HiLinux which seems to be Chinese made.  As is often the case with embedded systems, it's using BusyBox, which gives most of the common Linux commands you'd expect.  The text editor vi is present too.

I discovered most of the web interface files in the folder /bin/vs (which seems an odd place for them!).  To get going, I modified the "mobile.html" file, which provides the next to useless web interface page for viewing on phones.  I replaced every reference to the file "auto.jpg" with "snap.jpg" in that file using vi and then saved it.  "auto.jpg" gives you a very small, low resolution image, whereas "snap.jpg" gives a full size, full resolution image.

Now you have a usable web interface page for Linux (and anything else with a JavaScript-enabled web browser capable of displaying a JPEG image!):




That's all for now.  Next I intend to install an ssh server so I can copy files to/from the device easily.  I noticed that telnetd is present, so I might just configure that to allow network access.

I would also like to figure out how it decodes its firmware so I can deconstruct that myself and create my own firmware with the new web interface I plan on building.