Saturday, 2 December 2017

OUVIS WifiCam Unbrick

Another day, another trouble. Today I show you how I managed to get a pair of wifi cameras back to life.
After trying to do several hard resets the camera didn't show any sign of activity, so I did what I like to do, TEARDOWN TIME :D
First thing I want is a UART port.

This was the log I got from the serial com:

 U-Boot 2013.07 (Feb 27 2016 - 10:34:09)  
 Board: ISVP (Ingenic XBurst T10 SoC)  
 DRAM: 64 MiB  
 Top of RAM usable for U-Boot at: 84000000  
 Reserving 402k for U-Boot at: 83f98000  
 Reserving 32784k for malloc() at: 81f94000  
 Reserving 32 Bytes for Board Info at: 81f93fe0  
 Reserving 124 Bytes for Global Data at: 81f93f64  
 Reserving 128k for boot params() at: 81f73f64  
 Stack Pointer at: 81f73f48  
 Now running in RAM - U-Boot at: 83f98000  
 the manufacturer c2  
 SF: Detected MX25L64**E  
 In:  serial  
 Out:  serial  
 Err:  serial  
 Net:  CPM_MACCDR(54) = a0000017  
 Hit any key to stop autoboot: 0  
 the manufacturer c2  
 SF: Detected MX25L64**E  
 SF: 2883584 bytes @ 0x40000 Read: OK  
 ## Booting kernel from Legacy Image at 80600000 ...  
   Image Name:  Linux-3.10.14  
   Image Type:  MIPS Linux Kernel Image (gzip compressed)  
   Data Size:  2344432 Bytes = 2.2 MiB  
   Load Address: 80010000  
   Entry Point: 80404510  
   Verifying Checksum ... OK  
   Uncompressing Kernel Image ... OK  
 Starting kernel ...  
 [  0.000000] Initializing cgroup subsys cpu  
 [  0.000000] Initializing cgroup subsys cpuacct  
 [  0.000000] Linux version 3.10.14 (root@aplink-desktop) (gcc version 4.7.2 (Ingenic 2015.02) ) #14 PREEMPT Wed Mar 2 09:57:59 CST 2016  
 [  0.000000] bootconsole [early0] enabled  
 [  0.000000] CPU0 RESET ERROR PC:801EB464  
 [  0.000000] [<801eb464>] 0x801eb464  
 [  0.000000] CPU0 revision is: 00d00100 (Ingenic Xburst)  
 [  0.000000] FPU revision is: 00b70000  
 [  0.000000] CCLK:909MHz L2CLK:454Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz  
 [  0.000000] Determined physical RAM map:  
 [  0.000000] memory: 004c8000 @ 00010000 (usable)  
 [  0.000000] memory: 00038000 @ 004d8000 (usable after init)  
 [  0.926373] drivers/rtc/hctosys.c: unable to open rtc device (rtc0)  
 [  0.936245] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,2)  
 [  0.944858] Rebooting in 3 seconds..Restarting after 4 ms  

After googling the kernel panic message and the CPU model for a while, I found a topic on 4pda.ru.

It was a bit hard to understand, even with Google Translate, since there was no direct answer for how to fix the filesystem, but I found someone saying how they fixed it.
Connect the camera using a UART adapter; using Tera Term, we are going to upload a new firmware.
This can go bad if you lose power or connection in the middle of the transfer, and it's going to take about 30 minutes to transfer everything.

After plugging in the UART adapter and turning on the camera, open Tera Term, choose the COM port, and set it to 115200 bps.
You should begin to see some text on the terminal. Wait for the line "Hit any key to stop autoboot:" to appear and press any key.
Now we type the following commands (WARNING: this will erase the internal memory of the camera, so it's better to read everything you need to do before attempting this procedure):
(this shows the commands and the outputs, the command is what's after  "isvp # ")

 isvp # sf probe  
 the manufacturer c2  
 SF: Detected MX25L64 ** E  
 isvp # sf erase 0x040000 0x7c0000  
 SF: 8126464 bytes @ 0x40000 Erased: OK

Now we begin the upload. Type "loadb" and, when it's "ready for binary", in Tera Term go to File -> Transfer -> Kermit -> Send... and choose the NOBOOT.bin file.

And now we wait around 45 mins for the upload to finish.
After it's done, type "sf write 0x82000000 0x040000 0x7c0000" to make the changes permanent:
 isvp # loadb  
 ## Ready for binary (kermit) download to 0x82000000 at 115200 bps ...  
 ## Total Size = 0x007c0000 = 8126464 Bytes  
 ## Start Addr = 0x82000000  
 isvp # sf write 0x82000000 0x040000 0x7c0000  
 SF: 8126464 bytes @ 0x40000 Written: OK   

We reset the environment and set the boot arguments for the new firmware:
 isvp # env default -f -a  
 ## Resetting to default environment  
 isvp # setenv bootargs console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 rmem=20M@0x2C00000 rootfstype=squashfs init=/linuxrc root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2176k(kernel),3584k(rootfs),2176k(system) quiet  
 isvp # saveenv  

Type "boot" and your camera should start spinning, so be careful!
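
As an added example (not part of the original post or the forum thread), this Python sketch parses the mtdparts string from the bootargs above and checks that the sf erase/write range covers kernel, rootfs and system while leaving the boot partition untouched. The 8 MiB flash size is an assumption taken from the MX25L64 part name, and the function names are illustrative.

```python
import re

# Values copied from the page's bootargs and sf commands.
MTDPARTS = "mtdparts=jz_sfc:256k(boot),2176k(kernel),3584k(rootfs),2176k(system)"
SF_OFFSET, SF_LENGTH = 0x040000, 0x7C0000
# Assumption: MX25L64 is a 64 Mbit part, i.e. 8 MiB of flash.
FLASH_SIZE = 8 * 1024 * 1024
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_mtdparts(arg):
    """Parse 'mtdparts=<dev>:<size>(<name>),...' into (dev, [(name, offset, size)])."""
    dev, _, spec = arg.split("=", 1)[1].partition(":")
    parts, offset = [], 0
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)([kKmM]?)\((\w+)\)", item.strip())
        if not m:
            raise ValueError(f"unsupported partition spec: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        parts.append((m.group(3), offset, size))
        offset += size  # partitions are laid out back to back from offset 0
    return dev, parts

def touched(parts, start, length):
    """Names of partitions overlapped by the byte range [start, start+length)."""
    end = start + length
    return [n for n, off, size in parts if start < off + size and off < end]

def check_sf_range(parts, flash_size, start, length, protected=("boot",)):
    """Return problems with an 'sf erase'/'sf write' range; empty list means OK."""
    problems = []
    if start + length > flash_size:
        problems.append("range runs past end of flash")
    hit = touched(parts, start, length)
    for name in protected:
        if name in hit:
            problems.append(f"range overlaps protected partition {name!r}")
    return problems

if __name__ == "__main__":
    dev, parts = parse_mtdparts(MTDPARTS)
    for i, (name, off, size) in enumerate(parts):
        print(f"mtdblock{i} {name:<7} 0x{off:06x}-0x{off + size:06x}")
    print("sf range touches:", touched(parts, SF_OFFSET, SF_LENGTH))
    print("problems:", check_sf_range(parts, FLASH_SIZE, SF_OFFSET, SF_LENGTH) or "none")
```

Index 2 in the parsed list is rootfs, which is the mtdblock2 named in root= and the device the original kernel panic reports as unknown-block(31,2).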

Now hold the reset button for +/- 10s until the camera fully resets. Plug an Ethernet cable into your router and access the camera through your browser to configure it.
Congrats, you just recovered a dead camera, but if this happened randomly it can happen again. I read something about the CPU possibly having a flaw that causes this.

You no longer have access to your camera using the netCam App or any other app that uses the camera ID to connect to it, because your cloud server code has been lost.
If you have your code, you can connect over telnet to the cam as "root" and "hslwificam" as the password and change some files. You can read more on the forum.

Source: https://4pda.ru/forum/index.php?showtopic=807259
NOBoot.bin: https://yadi.sk/d/97TnRZXN3Keani

Tuesday, 13 June 2017

Lenco WiFi Radio - DIR 100 : Telnet Access

Last week I got a new gadget, an Alarm Clock/WiFi Radio that can also play music from USB or UPnP or DLNA.
Pretty nice. But I want to know MORE.
Opened up Nmap and scanned the Radio for open ports:


 23/tcp   open  telnet  security DVR telnetd (many brands)
 80/tcp   open  http    AGK WiFi Internet radio http config
 |_http-server-header: magic iradio
 |_http-title: AirMusic
 8080/tcp open  http    BusyBox httpd 1.13
 MAC Address: XX:XX:XX:XX:XX:XX (Shenzhen Bilian Electronicltd)

Oh, hello there telnet, and it also has a webserver.
The webserver is probably incomplete:
Nothing is clickable, and the images aren't loading.

But the telnet, I searched the web for similar radios, and found a GitHub link: https://github.com/kayrus/iradio
login: root
password: password

There we go, we're in.
Inside the UIData folder there are some .bin files. I guess they are some kind of images. I opened a few in Notepad++ and:

Hmm you can't see it? Let me give you a hand:
Yes, that's a "text" ASCII-like battery icon. The file name is "bat_1_step.bin".

And that's all for now. Going to mess more with this after my finals.

Found more info: https://sites.google.com/site/tweakradje/devices/abeo-internet-radio

Also here are the images with a better look:

A "colorful" 7:

A Bw 7: