
I bought an IP camera on which proprietary software is installed (no HTTP server). This prevents me from integrating it into my home network.

I want to replace the software (a closed-source ELF) with the motion package I already use and add some features.

I have no particular system competence, and I've been travelling the net for over a week to learn, but I can't get anywhere. I have access to the U-Boot console (USB-TTL adapter) and telnet (root). The webcam has an SD card reader that I could use if I need space. I started by making a backup of the three partitions (with dd).

I unpacked the file mtdblock2 (binwalk -e), which generates a classic Linux tree with links to Busybox, some system binaries and the proprietary software.

I tried to unpack mtdblock1, which generates zImage. Decompressing zImage generates two directories and one file (console). Yet I need the kernel modules that are in it. What should I do? I also want to get the kernel compilation settings; is this possible?

I unpacked the firmware available on the manufacturer's website. It contains only an update of the ELF, one .so file and some Bash scripts.

At first I thought the three partitions could be migrated directly to Qemu. But if I understand correctly, this is not possible because the memory addresses are hard-coded into the kernel. Do I understand correctly?

So I think I have one solution: build a new kernel and rebuild a rootfs from scratch. Is this the only solution?

I started playing with Buildroot, but I can't find the configuration file for a board based on the Hisilicon Hi3518. Did I look in the wrong place, or is it useless? For my first test I used board/qemu/arm-versatile. Is this the right choice? Will this not prevent me from migrating to the physical machine?

For testing, if I manage to rebuild a kernel and rootfs, I would install these partitions on the SD card so as not to break anything. For this, is it "sufficient" to modify the kernel parameters (in the bootargs variable)? So I don't need to rebuild a U-Boot partition for my device?

In short, as you have guessed, I'm asking myself a lot of questions (there are others, but "one" thing at a time). I need advice about whether I'm on the right road. Please, if I'm talking nonsense, feel free to correct me. If you have ideas or subjects for reflection, I'm interested.


# cat /proc/cpuinfo 
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java 
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00010000 "boot"
mtd1: 00300000 00010000 "kernel"
mtd2: 00c00000 00010000 "rootfs"

# binwalk mtdblock0 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
122044        0x1DCBC         CRC32 polynomial table, little endian

# binwalk mtdblock1
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x853F419E, created: 2014-07-22 02:45:04, image size: 2890840 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xB24E77CA, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.8"
22608         0x5850          gzip compressed data, maximum compression, from Unix, NULL date:

# binwalk zImage
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
113732        0x1BC44         ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
113848        0x1BCB8         ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
113972        0x1BD34         ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
114088        0x1BDA8         ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
1903753       0x1D0C89        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
4188800       0x3FEA80        Linux kernel version "3.0.8 (cwen@ubuntu) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #1 Tue Jul 22 10:45:00 H"
4403540       0x433154        CRC32 polynomial table, little endian
5053435       0x4D1BFB        Unix path: /mtd/devices/hisfc350/hisfc350_spi_gd25qxxx.c
5054731       0x4D210B        Unix path: /mtd/devices/hisfc350/hisfc350.c
5058939       0x4D317B        Unix path: /net/wireless/rt2x00/rt2x00dev.c
5059323       0x4D32FB        Unix path: /net/wireless/rt2x00/rt2x00config.c
5060683       0x4D384B        Unix path: /net/wireless/rt2x00/rt2x00usb.c
5060851       0x4D38F3        Unix path: /net/wireless/rt2x00/rt2x00.h
5061171       0x4D3A33        Unix path: /net/wireless/rt2x00/rt73usb.c
5081107       0x4D8813        Unix path: /S70/S75/505V/F505/F707/F717/P8
5102399       0x4DDB3F        Unix path: /mmc/host/himciv100/himci.c
5141264       0x4E7310        Neighborly text, "NeighborSolicits/ipv6/inet6_hashtables.c"
5141284       0x4E7324        Neighborly text, "NeighborAdvertisementses.c"

# binwalk mtdblock2
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JFFS2 filesystem, little endian
722980        0xB0824         JFFS2 filesystem, little endian
732282        0xB2C7A         Zlib compressed data, compressed
737031        0xB3F07         Zlib compressed data, compressed
738287        0xB43EF         Zlib compressed data, compressed
... most other lines are of the same kind

IP Camera QQZM N5063 http://www.zmvideo.com/product/detail.php?id=60
Firmware http://bbs.zmmcu.com/forum.php?mod=attachment&aid=MzU2fDBiY2M4NDdjfDE0MTkxMTEzODl8MzQ4fDIwMzc%3D
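A host-side sanity check for the partition dumps and the kernel image, as an added example (not code from the post, from U-Boot or from binwalk): it parses the `/proc/mtd` listing above, compares each `dd` image against the partition geometry it reports, and parses the 64-byte legacy uImage header that binwalk found at offset 0 of mtdblock1, verifying the header and data CRC32s. The `/proc/mtd` text is copied from this page; the dump files, the `mtdN.bin` file names and the stand-in kernel payload are constructed here. The load/entry address and image name are the ones binwalk reported; everything else about the sample image is made up.

```python
"""Sanity-check MTD dumps before flashing anything back. Added example: it is
not code from the post, from U-Boot or from binwalk. The /proc/mtd text is
copied from the page; the dump files and kernel payload are constructed."""
import os
import re
import struct
import tempfile
import zlib

PROC_MTD = """dev:    size   erasesize  name
mtd0: 00100000 00010000 "boot"
mtd1: 00300000 00010000 "kernel"
mtd2: 00c00000 00010000 "rootfs"
"""


def parse_proc_mtd(text):
    """Return {dev: (size, erasesize, name)}; /proc/mtd sizes are hex bytes."""
    parts = {}
    for line in text.splitlines():
        m = re.match(r'(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"', line)
        if m:
            parts[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16), m.group(4))
    return parts


def check_dumps(parts, dump_dir):
    """Return a list of problems; empty means every dump matches its partition.
    Dump file names mtdN.bin are an assumption of this example."""
    problems = []
    for dev, (size, erase, name) in parts.items():
        path = os.path.join(dump_dir, dev + ".bin")
        if size % erase:
            problems.append("%s: size 0x%x not a multiple of erasesize 0x%x" % (dev, size, erase))
        if not os.path.exists(path):
            problems.append("%s (%s): no dump at %s" % (dev, name, path))
            continue
        got = os.path.getsize(path)
        if got != size:
            problems.append("%s (%s): dump is %d bytes, partition is %d" % (dev, name, got, size))
    return problems


# Legacy U-Boot uImage header: 64 bytes, all fields big-endian.
IH_MAGIC = 0x27051956
HDR = ">7I4B32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name


def crc32(b):
    return zlib.crc32(b) & 0xFFFFFFFF


def build_uimage(payload, load=0x80008000, entry=0x80008000, name="Linux-3.0.8"):
    """os=5 Linux, arch=2 ARM, type=2 kernel, comp=0 none. The header CRC is
    computed over the header with the hcrc field set to zero."""
    h = struct.pack(HDR, IH_MAGIC, 0, 0, len(payload), load, entry,
                    crc32(payload), 5, 2, 2, 0, name.encode().ljust(32, b"\0"))
    return h[:4] + struct.pack(">I", crc32(h)) + h[8:] + payload


def parse_uimage(blob):
    """Decode the header and verify both CRCs against the bytes that follow."""
    if len(blob) < 64:
        raise ValueError("too short for a uImage header")
    magic, hcrc, ts, size, load, ep, dcrc, os_, arch, typ, comp, name = struct.unpack(HDR, blob[:64])
    if magic != IH_MAGIC:
        raise ValueError("not a uImage (magic 0x%08x)" % magic)
    data = blob[64:64 + size]
    return {"name": name.rstrip(b"\0").decode(errors="replace"), "size": size,
            "load": load, "entry": ep, "os": os_, "arch": arch, "type": typ, "comp": comp,
            "header_ok": crc32(blob[:4] + b"\0" * 4 + blob[8:64]) == hcrc,
            "data_ok": len(data) == size and crc32(data) == dcrc}


def demo():
    """Constructed dumps: sparse files of the right size, a valid uImage at the
    start of mtd1.bin, then a deliberately truncated mtd2.bin (a short read)."""
    parts = parse_proc_mtd(PROC_MTD)
    d = tempfile.mkdtemp()
    for dev, (size, _, _) in parts.items():
        with open(os.path.join(d, dev + ".bin"), "wb") as f:
            f.truncate(size)
    kernel = build_uimage(b"\xff" * 4096)   # stand-in for the real 2890840-byte kernel
    with open(os.path.join(d, "mtd1.bin"), "r+b") as f:
        f.write(kernel)                      # rest of the partition stays padding
    ok = check_dumps(parts, d)
    with open(os.path.join(d, "mtd2.bin"), "r+b") as f:
        f.truncate(parts["mtd2"][0] - 1)     # simulate a dd that stopped one byte short
    short = check_dumps(parts, d)
    with open(os.path.join(d, "mtd1.bin"), "rb") as f:
        info = parse_uimage(f.read())
    return ok, short, info


if __name__ == "__main__":
    ok, short, info = demo()
    print("all dumps match:", ok == [])
    print("short dump flagged:", short)
    print("kernel header:", info)
```

`check_dumps()` returns an empty list only when every dump is exactly the size `/proc/mtd` reports, so a read that stopped short is caught before anything is written back to flash. `parse_uimage()` performs the same two checks U-Boot's `iminfo` does: a header CRC mismatch means the header bytes were altered or mis-read, a data CRC mismatch means the kernel bytes after it were.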

  • I think *mtd0* is u-boot. *mtd1* is a linux image with an 'initrd' which is a cpio archive. The *mtd2* is probably a JFFS2 partition which you have access to. If you have `nandread /dev/mtd0`, this is better as you may have bad blocks and `dd` will not be useable. Your best bet is to get the u-boot console and see if you can network load your own kernel; serial/usb, etc. There maybe a */proc/config.gz* or possibly something in */boot/config*. Make sure you can read and restore the *mtd* properly before you burn anything. – artless noise Jan 08 '15 at 22:51
  • 1
    I also don't understand why you want to run this on *qemu*. You have shell access. You just need an ARM compiler and you can place an HTTP server on the device. It may already be there. See if you have any network interfaces, like whatever you telnet in on? – artless noise Jan 08 '15 at 22:59
  • The /proc/config does not exist. If I understand correctly, the kernel was compiled with a special option not to generate it. Yesterday I broke my webcam while trying to restore the partitions. Now it loops on kernel loading :( I followed this tutorial and explained my problem: http://felipe.astroza.cl/hacking-hi3518-based-ip-camera/ – Mauricio Jan 10 '15 at 16:39
  • You're right, I did not need to use Qemu. Thank you – Mauricio Jan 10 '15 at 16:59

1 Answer


First of all, you do not want to replace U-Boot as this may render your device unbootable. On the U-Boot console, check if you can boot from the SD card (`mmc rescan 0; fatload mmc 0 ${loadaddr} uImage`) or from the network (`dhcp ${loadaddr} ${serverip}:uImage`). You'll need to look for documentation for these commands to get more help.

But perhaps you don't even need to replace the kernel. You already know it's a 3.0.8 kernel, so you can build a userspace for this kernel version. And any proprietary modules that are used by it can be lifted from the jffs2 filesystem. On your telnet session, do `lsmod` to find out which modules are loaded. You can mount an SD card and copy them to it. The modules are located in `/lib/modules/3.0.8`.

So you probably don't even need to build a kernel in buildroot, only the rootfs. First, check in the telnet session which filesystems are supported: `cat /proc/filesystems`. Then choose the appropriate filesystem in the buildroot configuration. For the target architecture, choose arm926t. And select the 3.0 kernel headers in the toolchain configuration, or choose the Arago ARMv5 2011.09 external toolchain (it has old kernel headers).

As remarked by artless noise, you don't need to test it in qemu, since the SD card is safe.

Arnout
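One way to do the module step on the host rather than over telnet, as an added example that is not code from the answer or from Buildroot: take the `lsmod` output captured over telnet, map each loaded module to its `.ko` under `/lib/modules/3.0.8` in the tree extracted from mtdblock2, pull in the dependencies that `modules.dep` lists, and copy the set into the new rootfs. The `lsmod` text, the `modules.dep` contents, the `.ko` stub files and the `vendor_osal`/`vendor_isp` names are constructed for the example (the rt2x00 names come from the kernel strings binwalk listed above); a real extracted tree replaces the temporary one.

```python
"""Collect the loaded kernel modules and their dependencies from the extracted
rootfs so they can be copied into a new rootfs built for the same 3.0.8 kernel.
Added example, not from the answer or Buildroot; lsmod text, modules.dep and
the .ko stubs are constructed in-line."""
import os
import shutil
import tempfile

# Constructed: what `lsmod` over telnet might show. The rt2x00 names appear in
# the kernel strings on this page; vendor_osal / vendor_isp are made-up stand-ins.
LSMOD_SAMPLE = """Module                  Size  Used by
rt73usb                12345  0
rt2x00usb               9876  1 rt73usb
rt2x00lib              23456  2 rt73usb,rt2x00usb
vendor_osal             4321  3
vendor_isp             65432  1
"""

# Constructed: a modules.dep as depmod writes it (paths relative to /lib/modules/3.0.8).
# vendor_isp is deliberately absent: it was loaded from outside /lib/modules.
MODULES_DEP_SAMPLE = """kernel/drivers/net/wireless/rt2x00/rt73usb.ko: kernel/drivers/net/wireless/rt2x00/rt2x00usb.ko kernel/drivers/net/wireless/rt2x00/rt2x00lib.ko
kernel/drivers/net/wireless/rt2x00/rt2x00usb.ko: kernel/drivers/net/wireless/rt2x00/rt2x00lib.ko
kernel/drivers/net/wireless/rt2x00/rt2x00lib.ko:
extra/vendor_osal.ko:
"""


def parse_lsmod(text):
    """First column of every non-empty line after the header."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def parse_modules_dep(text):
    """'<path>.ko: <dep>.ko <dep>.ko ...' -> {path: [dep paths]}."""
    deps = {}
    for line in text.splitlines():
        if ":" in line:
            mod, _, rest = line.partition(":")
            deps[mod.strip()] = rest.split()
    return deps


def modname(path):
    # lsmod prints '_' where a file name may use '-', so compare normalized names.
    return os.path.basename(path)[:-3].replace("-", "_")


def resolve(loaded, deps):
    """Return (needed .ko paths, loaded names not found in modules.dep).
    needed is the dependency closure of the loaded set."""
    by_name = {modname(p): p for p in deps}
    needed, missing, todo = [], [], [n.replace("-", "_") for n in loaded]
    while todo:
        name = todo.pop()
        path = by_name.get(name)
        if path is None:
            missing.append(name)
        elif path not in needed:
            needed.append(path)
            todo.extend(modname(d) for d in deps[path])
    return needed, missing


def copy_modules(src_root, dst_root, needed):
    """Copy each .ko keeping its relative layout; returns the destination paths."""
    out = []
    for rel in needed:
        dst = os.path.join(dst_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(src_root, rel), dst)
        out.append(dst)
    return out


def demo():
    """Build a constructed extracted tree in a temp dir and run the steps."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "extracted", "lib", "modules", "3.0.8")
    dst = os.path.join(tmp, "new_rootfs", "lib", "modules", "3.0.8")
    deps = parse_modules_dep(MODULES_DEP_SAMPLE)
    for rel in deps:                                   # stub .ko files, not real modules
        os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
        with open(os.path.join(src, rel), "wb") as f:
            f.write(b"constructed stub, not a real module\n")
    needed, missing = resolve(parse_lsmod(LSMOD_SAMPLE), deps)
    copied = copy_modules(src, dst, needed)
    return {"needed": sorted(os.path.basename(p) for p in needed),
            "missing": missing,
            "copied_ok": len(copied) == len(needed) and all(os.path.isfile(p) for p in copied)}


if __name__ == "__main__":
    print(demo())
```

A module that `lsmod` lists but `modules.dep` does not know (here `vendor_isp`) was loaded from somewhere else, typically by the proprietary application with `insmod` from its own directory, so the `missing` list is what to search the extracted tree for. Copy `modules.dep` as well (or run `depmod` for 3.0.8 inside the new rootfs) so that `modprobe` can load the set in the right order.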
  • I have no choice now, I have to find a way to boot from the SD card, or at worst from the network. You are both right, in fact I did not need to use Qemu. Thank you for your answers. – Mauricio Jan 10 '15 at 16:46
  • If I had known before that we could create a rootfs without redoing the core, I would not have touched the boot partition. You're right, the best solution is to rebuild the rootfs without touching the core, and boot from SD or network. I will work in this direction. Thank you very much. – Mauricio Jan 10 '15 at 16:54