Notes
OK, root telnet access can be obtained using the modified upgrade file(s) here:
For those who want to get into more detail, read on.
See the images page for connection details.
Serial is 3.3 V at 115 kbaud.
U-Boot has a 3 second timer during which the boot can be stopped.
Native firmware has root user enabled, but password is randomly set every boot.
To dump the COMPLETE flash, abort the boot in U-Boot.
Insert an SD card which you don't mind reformatting.
Read the complete 16 MByte flash into RAM at 0x02000000 (if sf read reports no flash, run sf probe 0:0 first, as in the SD boot sequence further down); in U-Boot type:
sf read 0x02000000 0 1000000
Write the flash content to the SD card; in U-Boot type:
mmc write 0x02000000 0 0x8000
Move the SD card to Windows and ignore the format request.
Use Roadkil Disk Imager to image the physical disk to a file (press 'cancel' once the file exceeds 16 MB).
Use HxD to cut the image file to 16 MB.
Separate the partitions according to the table in the boot dump; I did this in HxD:
0x000000010000-0x000000060000 : "UBOOT"
0x000000060000-0x000000400000 : "LINUX"
0x000000400000-0x000000a00000 : "FS"
0x000000a00000-0x000000ff0000 : "USER0"
0x000000ff0000-0x000001000000 : "USER1"
Use 7zip to view/extract the squashfs FS partition.
To read the JFFS2 USER0 partition on Linux, use:
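As an added example (not part of the original notes), here is a small Python script that does the cut-to-16 MB and partition-split steps above in one go: it trims the disk-imager output to 16 MB, slices it by the partition table printed in the boot log, and checks that the FS and USER0 slices begin with the squashfs and JFFS2 magic bytes, so a wrong offset is caught before you try to mount anything. The input file name and output directory are assumptions.

```python
import re
import sys
from pathlib import Path

FLASH_SIZE = 0x1000000  # 16 MiB, what 'sf read 0x02000000 0 1000000' dumps

# Partition table exactly as the camera's boot log prints it (copied from above).
PARTITION_TABLE = """
0x000000010000-0x000000060000 : "UBOOT"
0x000000060000-0x000000400000 : "LINUX"
0x000000400000-0x000000a00000 : "FS"
0x000000a00000-0x000000ff0000 : "USER0"
0x000000ff0000-0x000001000000 : "USER1"
"""
# Sanity-check bytes: little-endian squashfs magic and the JFFS2 node marker.
EXPECTED_MAGIC = {"FS": b"hsqs", "USER0": b"\x85\x19"}
LINE_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')

def parse_table(text):
    """Parse 'start-end : "NAME"' lines into a list of (name, start, end)."""
    parts = []
    for start, end, name in LINE_RE.findall(text):
        start, end = int(start, 16), int(end, 16)
        if end <= start or end > FLASH_SIZE:
            raise ValueError(f"bad range for {name}: {start:#x}-{end:#x}")
        parts.append((name, start, end))
    return parts

def split_flash(image, parts):
    """Trim a raw disk image to 16 MiB and slice it per the table.
    Returns {name: (data, magic_ok)}; magic_ok is None where no check applies."""
    if len(image) < FLASH_SIZE:
        raise ValueError("dump is shorter than the 16 MiB flash")
    image = image[:FLASH_SIZE]  # drop whatever the disk imager read past 16 MiB
    result = {}
    for name, start, end in parts:
        data = image[start:end]
        magic = EXPECTED_MAGIC.get(name)
        result[name] = (data, None if magic is None else data.startswith(magic))
    return result

if __name__ == "__main__":  # usage: python split_flash.py flash_dump.img out_dir
    res = split_flash(Path(sys.argv[1]).read_bytes(), parse_table(PARTITION_TABLE))
    Path(sys.argv[2]).mkdir(parents=True, exist_ok=True)
    for name, (data, ok) in res.items():
        Path(sys.argv[2], f"{name.lower()}.bin").write_bytes(data)
        print(f"{name:6s} {len(data):#9x} bytes  magic_ok={ok}")
```

A magic_ok of False for FS or USER0 means the offsets do not match this dump (or the disk imager started at the wrong sector), which is worth knowing before running the mtdram/mount steps below.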
sudo modprobe mtdram total_size=6080
sudo dd if=user0.img of=/dev/mtdblock0
mkdir fs
sudo mount -t jffs2 /dev/mtdblock0 ./fs
Note: this does allow modification of the JFFS2 partition, BUT on my Linux system, after I added a larger file, the camera complained about not having compression type 7. So if you want to modify the JFFS2 heavily, you may need an older JFFS2 implementation to stay compatible with the camera.
To extract the modified JFFS2 on Linux, use:
sudo dd if=/dev/mtdblock0 of=user0updated.img
You can then copy this to a formatted SD card (FAT, since fatload is used) and overwrite the camera's JFFS2 partition from U-Boot:
mmc rescan
fatload mmc 0:1 2000000 user0new.img
sf update 2000000 a00000 5f0000
Mount the JFFS2 image in Linux and create a file called flag_debug_dev_start in its root. (I did this by copying flag_sensor_model to flag_debug_dev_start, which involved minimal JFFS2 changes.) This file is referenced in dev_data/dev_init.sh in the JFFS2 (it may only be present in updated firmware?).
Copy the new JFFS2 image back to the camera as described above.
When booted, the camera will abort starting and allow login as root with no password.
Once booted, I did a really crass mod to get telnetd and root access on every boot:
Boot to the root prompt. From the camera itself, the JFFS2 partition can be modified without compatibility concerns. If a file flag_debug_telnet exists, telnetd is run on port 9527, but in a normal boot the root password is still randomised. So I did two things:
Create a file /mnt/mtd/flag_debug_telnet. Then, in /mnt/mtd/dev_data, build dev_pwd.sh and hook it from dev_init.sh:
echo "#!/bin/sh" >>dev_pwd.sh
echo while true >>dev_pwd.sh
echo do >>dev_pwd.sh
echo echo setting root pwd to root >>dev_pwd.sh
echo "echo \"root:root\"|chpasswd" >>dev_pwd.sh
echo sleep 10 >>dev_pwd.sh
echo done >>dev_pwd.sh
echo >>dev_pwd.sh
echo "/mnt/mtd/dev_data/dev_pwd.sh &" >>dev_init.sh
echo >>dev_init.sh
If the FS partition is put on an SD card, the camera can be booted from it using:
sf probe 0:0
run lm
setenv bootargs mem=128M gmmem=90M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mmcblk0p1 rootfstype=squashfs rootwait panic=10
bootm 0x2000000
BUT a modified squashfs did not boot. Until further investigation, it could be that I'm using the wrong squashfs version (the one from the SDK?), or that the FS in this camera is checksummed/CRC'd or otherwise protected from modification.
One assumes that we could in fact put the SDK version of the kernel and a new squashfs on a card, and it should work.
Note that the original firmware seems to destroy an SD card which has two partitions on it (some form of SD card 'repair').
Enjoy :).