Thursday 2 May 2013

Hacking the Xenta IP-11IR-H264-PT IP camera from Ebuyer part two - getting root access over serial

OK so this next post was supposed to be about my external web interface to view the camera from Linux.  

I've decided to skip that as my new soldering iron arrived so I have now successfully got serial access to the camera and modified part of the web interface directly on the camera itself.

Like many embedded devices these days, this camera is of course based on Linux.  More often than not there is a UART/serial port hidden on the PCB somewhere which usually consists of a 4 pin connector or 4 pads on the board.

On opening up the Xenta/Foscam casing, I located what appears to be a JTAG header but also 4 through-hole pads at the front of the board that looked like a hopeful candidate for a UART.  Firstly, I soldered 4 wires to these headers:


Next, to figure out what the pins are.  A 4 pin UART/serial will consist of a +'ve connection, -'ve connection, TX and RX.  Powering up the camera and using a multimeter in volts mode allows the + and - to be identified.  In this case, two pins had a solid 3.3v across them.  So the other two are clearly RX and TX.

Now to get it hooked up to a PC.  I have a nice little serial-to-USB adaptor (based on the common FTDI chipset) which is switchable between 3.3v and 5v and very handy for things like this. I bought it off eBay a year or so ago.


I used the breadboard in-between so I could easily swap the wires around to figure out what was what.  
The serial pins on the Xenta/Foscam turned out to be as follows. The order from left to right is as you look at the PCB from the front with the camera the correct way up, as you see it in the pictures:

+3.3v - GND - TX - RX

Make sure you use a serial adaptor that is 3.3v not the more common 5v!

Then it's just a case of firing up your friendly serial communication program.  I use minicom.  Connect using these settings:

  • baud rate: 115200
  • data bits: 8
  • parity: N
  • stop bits: 1
  • hardware & software flow control: off

Then power up the camera and you'll see the console messages fly past:
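To keep a copy of those console messages for later review, the same settings can be applied without minicom. The following is an added example, not part of the original post: it maps each setting in the list above to its termios flag and appends whatever the camera prints to a file. The device path `/dev/ttyUSB0`, the file name `boot.log` and the function names are assumptions.

```python
import os
import termios

PORT = "/dev/ttyUSB0"  # assumption: typical Linux name for an FTDI adaptor

def raw_8n1(attrs, baud=termios.B115200):
    """Return a copy of termios attrs set to 8N1, no flow control, raw mode."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = attrs
    # Software flow control off; no CR/NL rewriting or 8th-bit stripping.
    iflag &= ~(termios.IXON | termios.IXOFF | termios.IXANY | termios.ICRNL
               | termios.INLCR | termios.IGNCR | termios.INPCK | termios.ISTRIP)
    oflag &= ~termios.OPOST  # send bytes unmodified
    # 8 data bits, no parity, 1 stop bit, hardware (RTS/CTS) flow control off.
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB | termios.CRTSCTS)
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    # Raw mode: no echo, no line buffering, no local signal characters.
    lflag &= ~(termios.ICANON | termios.ECHO | termios.ISIG | termios.IEXTEN)
    cc = list(cc)
    cc[termios.VMIN], cc[termios.VTIME] = 1, 0  # block until at least 1 byte
    return [iflag, oflag, cflag, lflag, baud, baud, cc]

def describe(attrs):
    """Report each setting from the list above as True/False."""
    iflag, _, cflag, _, ispeed, ospeed, _ = attrs
    return {
        "baud_115200": ispeed == ospeed == termios.B115200,
        "data_bits_8": cflag & termios.CSIZE == termios.CS8,
        "parity_none": not cflag & termios.PARENB,
        "stop_bits_1": not cflag & termios.CSTOPB,
        "hw_flow_off": not cflag & termios.CRTSCTS,
        "sw_flow_off": not iflag & (termios.IXON | termios.IXOFF),
    }

def log_console(port=PORT, out_path="boot.log"):
    """Append everything the device prints on its UART to out_path."""
    fd = os.open(port, os.O_RDWR | os.O_NOCTTY)
    try:
        termios.tcsetattr(fd, termios.TCSANOW, raw_8n1(termios.tcgetattr(fd)))
        with open(out_path, "ab") as log:
            while chunk := os.read(fd, 4096):
                log.write(chunk)
                log.flush()
    finally:
        os.close(fd)

if __name__ == "__main__":
    log_console()
```

Calling `describe(termios.tcgetattr(fd))` on an already-open port is a quick way to confirm that a garbled console is not simply a wrong baud rate or a flow-control setting left on.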


Right near the start of the boot process you can halt the boot by pressing a key when prompted and go into the bootloader menu.  This uses the common U-Boot software.  There's not really much you can do here other than reloading firmware etc.  This shows the list of bootloader commands available:


Of much more interest is getting to the Linux command prompt with the filesystem mounted.  If you let the camera finish booting normally then you are locked out of the command line.  You can press ctrl+c or ctrl+z here to stop the running process but after a couple of seconds the camera will reboot itself (I guess this is some protection against people doing this kind of thing built into the software).  
To get to a stable Linux prompt without the device rebooting itself, during the boot process (but after the "press any key" prompt for the bootloader), keep hitting ctrl+z and it will eventually halt the boot process and drop you back to the command prompt with no rebooting:




The camera is using an operating system called HiLinux which seems to be Chinese made.  As is often the case with embedded systems, it's using Busybox which gives most of the common Linux commands you'd expect.  The text editor 'vi' is present too.

I discovered most of the web interface files in the folder /bin/vs (which seems an odd place for them!).  To get going, I modified the "mobile.html" file which provides the next-to-useless web interface page for viewing on phones.  I replaced any reference to the file "auto.jpg" with "snap.jpg" in that file using vi and then saved it.  "auto.jpg" gives you a very small, low resolution image whereas "snap.jpg" gives a full size, full resolution image.

Now you have a usable web interface page for Linux (and anything else with a JavaScript-enabled web browser capable of displaying a JPEG image!):




That's all for now. Next I intend to install an ssh server so I can copy files to/from the device easily.  I noticed that telnetd is running so I might just be able to configure that to allow network access.
I would also like to figure out how it decodes its firmware so I can de-construct that myself and create my own firmware with the new web interface I plan on building.




