New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
demo.bin sigh verify fail #1603
Comments
"sigh" apparently means "signature" and indeed they verify a EdDSA (ed25519) signature which should be located at the end of the demo.bin image (last 0x40 bytes) using the public key:
-> without their private key, this can't be used to deploy firmware modifications... However there is a second way looking a lot more feasible: u-boot checks for an u-boot image file (no cryptographic, only the usual header and crc32 payload checks) on the SD card called
-> one could try to for example chainboot a patched u-boot image (disguised as a Linux kernel image) where the user can interrupt autoboot and/or where a patched firmware image is flashed without any user interaction. If we had the T31 Linux kernel source one could even more easily just boot an appropriately prepared image (with initrd). |
interesting, here are sources for u-boot and Linux kernel that include support for the more recent Ingenic SoCs: t21, t30, and t31: |
Thank you for taking your time and answering. Since you found a compatible linux kernel how would one proceed now? Im willing to learn. It would be nice if you could help me some more or drop some keywords/sources where i can get more information :) |
Depends on your goals :) For this Github project it would be nice to have an entry point for flashing a custom firmware without needing to open the cam and attach wires to the PCB.
I can already confirm that this works as an entry point - it does boot (you can even take the original kernel without any compiling, only make sure you don't have any extra data at the end of the image file). As for compiling the kernel sources: for some reason they miss all *.S files (assembly sources). Fortunately one can just add them, e.g., from the T20 kernel sources (https://github.com/Dafang-Hacks/kernel/tree/master) and a bootable kernel can be compiled with the Ingenic toolchain (https://github.com/Dafang-Hacks/Main):
However this is only a starting point; now one has to carefully check functionality and configuration of this compiled kernel (which is most likely for a devkit/prototype hardware with possibly different periphery/board cfg) against the kernel image found originally on the cam; at least with regard to SD card and/or wifi usage (to be able to load a custom firmware image) and flashing a modified rootfs itself. |
Very good! I would be really interested in seeing this develop further. |
Turned out that this has been a straight forward process; no surprises regarding getting SD card and wifi to work. https://github.com/ingenic-t30/kernel/releases/tag/0.0.1 Of course, more must be done to understand, whether this ip cam can be used with open source software. Still at least now everyone should have an even easier time to take a look at it: with the proper SD card and wifi setup no UART cables should be required anymore. Also writing to MTD partitions (on the internal flash) should work - but untested, because essentially unneeded. One more thing: For analysis purposes, the customized rootfs integrates parts of the original firmware. In particular the configs MTD partition (/dev/mtdblock6, jffs) is mounted readwrite to |
This works great, except for the RTSP Stream. Does it work for you @bfroemel ? I get this error: |
One major issue is that libraries (and maybe also driver interfaces) have changed on the T31 platform compared to T10/T20, e.g., libimp header files from v4l2rtspserver-master are not compatible with /system/lib/libimp.so provided with Azarton's firmware. One could reverse engineer how /system/bin/iCamera_app interacts with the kernel/drivers and libimp interfaces. Another way would be to ask and obtain a license from Azarton or Ingenic; just to get their updated header files and being able to use them in open source projects. I am currently attempting the second way and after some back and forth Ingenic kindly provided me (in the capacity of a professional/company) their comprehensive T31 SDK. I wasn't able to obtain a definitive statement regarding sharing any parts of the SDK openly/with others yet. I'll first verify that I can get v4l2rtspserver into a minimally working state, then try to get necessary permissions for sharing the required information from the SDK (at least some parts of the libimp headers). |
Lucky that you get the SDK from Ingenic. I did ask but they declined :-( |
Well, not sure what their policies regarding the SDK are exactly - quite possible that I really was only lucky (as a medium/larger chip-producing company I wouldn't have invested the effort to interact with an individual, embedded systems freelancer or not). There is a different version scheme, probably started at 1.0.0 for T31 and currently it's: 1.1.1 The folder structure is quite similar to 3.12. Kernel and u-boot parts in the opensource directory are mostly the same as here: |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi, I was trying to get the uimage provided by bfroemel to work on my Azarton C1 cam. However, I am always running into a kernel panic after the following error:
Any idea how to solve this? Seems like there is either a problem finding /linuxrc (its there) or there is a problem executing /bin/busybox? I've already tried everything that came to my mind, but I am out of ideas. Thanks in advance! |
Exact camera hardware: Azarton-c-t31 slightly different model using the T31 SoC
Same as #1589
Description
I tried to flash the original firmware back but got a
demo.bin verfiy fail
errorI extracted the firmware with dd to the SDCard, tried to re-package it with the packer.py, copied to SDCard, tried to boot
Evidence
modified following packer.py lines:
def cli(kernel, rootfs, app, outfile): dic = [ ("kernel", 0x1f0000, click.format_filename(kernel)), ("rootfs", 0x3d0000, click.format_filename(rootfs)), ("app", 0x3d0000, click.format_filename(app)),
Boot log
`U-Boot 2013.07 (Jun 02 2020 - 18:53:44)
Board: ISVP (Ingenic XBurst T31 SoC)
DRAM: 128 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 435k for U-Boot at: 83f90000
Reserving 32772k for malloc() at: 81f8f000
Reserving 32 Bytes for Board Info at: 81f8efe0
Reserving 124 Bytes for Global Data at: 81f8ef64
Reserving 128k for boot params() at: 81f6ef64
Stack Pointer at: 81f6ef48
Now running in RAM - U-Boot at: 83f90000
MMC: msc: 0
the manufacturer 1c
SF: Detected EN25QH128A
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
misc_init_r before change the wifi_enable_gpio
gpio_request lable = wifi_enable_gpio gpio = 57
misc_init_r after gpio_request the wifi_enable_gpio ret is 57
misc_init_r after change the wifi_enable_gpio ret is 0
misc_init_r before change the yellow_gpio
gpio_request lable = yellow_gpio gpio = 38
misc_init_r after gpio_request the yellow_gpio ret is 38
misc_init_r after change the yellow_gpio ret is 0
misc_init_r before change the blue_gpio
gpio_request lable = blue_gpio gpio = 39
misc_init_r after gpio_request the blue_gpio ret is 39
misc_init_r after change the blue_gpio ret is 1
gpio_request lable = night_gpio gpio = 49
misc_init_r after gpio_request the night_gpio ret is 49
misc_init_r after change the night_gpio ret is 0
gpio_request lable = USB_able_gpio gpio = 47
misc_init_r after gpio_request the USB_able_gpio ret is 47
misc_init_r after change the USB_able_gpio ret is 1
gpio_request lable = SPK_able_gpio gpio = 63
misc_init_r after gpio_request the SPK_able_gpio ret is 63
misc_init_r after change the SPK_able_gpio ret is 0
gpio_request lable = TF_en_gpio gpio = 50
misc_init_r after gpio_request the TF_en_gpio ret is 50
misc_init_r after change the TF_en_gpio ret is 0
gpio_request lable = TF_cd_gpio gpio = 59
misc_init_r after gpio_request the TF_cd_gpio ret is 59
misc_init_r after change the TF_cd_gpio ret is 0
gpio_request lable = SD_able_gpio gpio = 48
misc_init_r after gpio_request the SD_able_gpio ret is 48
misc_init_r after change the SD_able_gpio ret is 0
misc_init_r before change the wifi_enable_gpio
gpio_request lable = wifi_enable_gpio gpio = 57
misc_init_r after gpio_request the wifi_enable_gpio ret is 57
misc_init_r after change the wifi_enable_gpio ret is 1
Hit any key to stop autoboot: 0
Interface: MMC
Device 0: Vendor: Man 000003 Snr 96c04401 Rev: 0.10 Prod: SN64G�
Type: Removable Hard Disk
Capacity: 60906.0 MB = 59.4 GB (124735488 x 512)
Filesystem: FAT32 "USBDRIVE "
file_fat_detectfs OK
reading factory_t31_ZMC6tiIDQN
factory_t31_ZMC6tiIDQN not found
gpio_request lable = sdupgrade gpio = 51
the manufacturer 1c
SF: Detected EN25QH128A
Interface: MMC
Device 0: Vendor: Man 000003 Snr 96c04401 Rev: 0.10 Prod: SN64G�
Type: Removable Hard Disk
Capacity: 60906.0 MB = 59.4 GB (124735488 x 512)
Filesystem: FAT32 "USBDRIVE "
file_fat_detectfs OK
reading demo.bin
reading demo.bin
demo.bin sigh verify fail
the manufacturer 1c
SF: Detected EN25QH128A
--->probe spend 4 ms
SF: 2031616 bytes @ 0x40000 Read: OK
--->read spend 654 ms
Booting kernel from Legacy Image at 80600000 ...
Image Name: Linux-3.10.14__isvp_swan_1.0__
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1695824 Bytes = 1.6 MiB
Load Address: 80010000
Entry Point: 803ab950
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
`
The text was updated successfully, but these errors were encountered: