AragurDEV edited this page Aug 1, 2020 · 9 revisions

ATTENTION: This guide is currently under development and incomplete.

IMPORTANT: All information here without guarantee and at your own risk!

Step by Step guide to hack your CAM

What you need

  • 3 small wires,
  • a USB-to-UART adapter for 3.3V (e.g. from Amazon)
  • Soldering Iron
  • a Linux system (e.g. Ubuntu 20.04) or a VM with it (e.g. VirtualBox)
  • the HxD Hex-Editor
  • SD-Card fitting your CAM
  • Card-Reader fitting your SD-Card
  • a tool to copy a raw image from an SD-Card

The hardware stuff

  1. Open the bottom of your CAM.
  2. Identify the UART port:

  1. Locate the serial port (see picture). The exact location can vary, but the number and order of the pins usually match.
  2. Solder the wires to the PCB and connect them to the UART-USB adapter. Depending on the labeling of your adapter you may have to connect RX of the adapter to RX of the cam, or vice versa.
  3. Open a terminal app and set the serial parameters to 115200 bps, 8 data bits, 1 stop bit, no parity and no flow control (neither software nor hardware).

Connect to the device

For this step it might be helpful to have a second pair of hands. Depending on the U-Boot settings the boot timeout may be set to 0. I also observed that connecting the serial port before powering up can prevent the CAM from booting. In this case you need to do the following to get access:

  1. Unplug the UART wires from the adapter.
  2. One person powers the CAM,
  3. while the other immediately connects the UART wires AND
  4. presses Ctrl+C in the terminal app within one second (or even less).

A successful "break in" looks like this:

Download Firmware

  1. Insert the SD card into the CAM and give the device some time to settle.

  2. Read the complete 16 MByte flash into RAM at 0x02000000; this may take a few seconds: sf read 0x02000000 0 1000000

  3. Copy the data from RAM to the SD card: mmc write 0x02000000 0 0x8000

  4. You should get something like this: MMC write: dev # 0, block # 0, count 32768 ... 32768 blocks write: OK

  5. Eject the card from the CAM and insert it into your card reader.

  6. Take care: Windows may now complain about a non-formatted device – don't format it; cancel the dialog instead.

  7. Image the SD card with a suitable tool (e.g. HDD Raw Copy Tool (Windows), Roadkill Disk Imager (Windows), dd (Linux), ...). Once the tool has copied more than 16 MB you can abort the copy process.

Reading the partition table

There are two ways to gather the partition data:

  • via the boot dump/messages, or
  • by analyzing the image.

Via Boot dump:

  1. Connect the UART adapter to your CAM. If your CAM doesn't boot with the adapter connected, wait a little while after powering the CAM before connecting it, usually about 1 to 2 seconds.

  2. Let it boot. At a specific point you'll see something like this rushing by:

  1. The MTD partitions are what we are looking for. The end of the first partition, here called "UBOOT", is the start of the second partition, "LINUX".
  2. Be aware that the printed end addresses already belong to the subsequent partition. In our example the start of the second partition is at address 0x060000, so the last data address of the first partition is one address below 0x060000, i.e. 0x05FFFF.
  3. The size of a partition is the end address minus the start address plus one.

Analyzing the Image

  1. Open the SD card image file in HxD via menu "Extras" – "Open disk image…". The editor will suggest a sector size of 512, which is fine for us, so just confirm.
  2. Set "Bytes per line" in the toolbar to 20. That makes reading the partition table much easier.

For several steps it's important to know the exact partition sizes from the table, as we are going to replace the USER0 partition with our own data. The start address of the first partition is located at bytes 0x16 to 0x18 (highlighted range).

I'm not yet sure what the rest of the bytes do. It looks like the size of the partition is in bytes 0x20 and 0x21, but a trailing byte would be missing. Maybe something like endianness? Not sure yet.

So the first partition starts at address 0x010000. The start address of the second partition can be found below the first address, and so on. Finally, we get the following data:

  • Start address of the 2nd partition: 0x060000, called "LINUX"
  • Start address of the 3rd partition: 0x300000, called "FS"
  • Start address of the 4th partition: 0x900000, called "USER0"
  • Start address of the 5th partition: 0xFF0000, called "USER1"

If we assume the size is in bytes 0x20 and 0x21 and add a trailing byte, we get a size of 0x050000 for the first partition. The end address is calculated as follows: start address + size - 1 = end address. Doing this for all partitions we get the following table:

Whichever way you follow, for our example we get the following table:

Part Nr.  Start     Size      End
1         0x010000  0x050000  0x05FFFF
2         0x060000  0x2A0000  0x2FFFFF
3         0x300000  0x600000  0x8FFFFF
4         0x900000  0x6F0000  0xFEFFFF
5         0xFF0000  0x010000  0xFFFFFF

Check your results

You can test your results by continuing to investigate the image. If you jump to 0x010000 you should find the start of the data of the first partition. Usually the area before it is not used, so some empty space can be found there (shown as consecutive bytes filled with 0xFF). It should look something like this:
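The same check can be scripted instead of done by eye in HxD. The following Python is an added example written for this page (not code from the original wiki): it rebuilds the table above from the start/size pairs, refuses a table with gaps, overlaps or uncovered flash, counts the 0xFF padding in front of the first partition, and cuts one partition out of the image; the 16 MiB sample image is constructed and stands in for a real dump.

```python
# Added example, not from the wiki: verify the partition table derived above
# and the 0xFF padding in front of the first partition of a flash image.
FLASH_SIZE = 0x1000000  # 16 MiB SPI flash, as dumped with "sf read"

# (name, start, size) as in the table above; the end address is derived.
PARTITIONS = [
    ("UBOOT", 0x010000, 0x050000),
    ("LINUX", 0x060000, 0x2A0000),
    ("FS",    0x300000, 0x600000),
    ("USER0", 0x900000, 0x6F0000),
    ("USER1", 0xFF0000, 0x010000),
]

def build_table(parts, flash_size=FLASH_SIZE):
    """Rows (nr, name, start, size, end) with end = start + size - 1.
    Raises ValueError on a gap/overlap or if the flash is not covered,
    which is how a mis-read start or size byte shows up."""
    rows = []
    for nr, (name, start, size) in enumerate(parts, 1):
        end = start + size - 1
        if rows and start != rows[-1][4] + 1:
            raise ValueError(f"{name}: gap or overlap before {start:#08x}")
        rows.append((nr, name, start, size, end))
    if rows[-1][4] != flash_size - 1:
        raise ValueError(f"table ends at {rows[-1][4]:#08x}, not at flash end")
    return rows

def padding_before(image, start):
    """Consecutive 0xFF bytes directly in front of `start` (unused flash
    reads as 0xFF, so a long run marks the boundary described above)."""
    n = 0
    while n < start and image[start - n - 1] == 0xFF:
        n += 1
    return n

def extract(image, rows, name):
    """Cut one partition out of the image (the HxD "Select Block" step)."""
    start, end = next((r[2], r[4]) for r in rows if r[1] == name)
    return bytes(image[start:end + 1])

def make_sample_image(rows, flash_size=FLASH_SIZE):
    """Constructed test image: 0xFF everywhere, a fake 0x40-byte table at
    offset 0 and each partition's name written at its start address."""
    img = bytearray(b"\xff") * flash_size
    img[0:0x40] = bytes(range(0x40))
    for _, name, start, _, _ in rows:
        img[start:start + len(name)] = name.encode()
    return img
```

Run `build_table(PARTITIONS)` on your own start/size readings; if a byte was misread, the ValueError names the partition where the arithmetic stops adding up.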

Extract the USER0 Partition

Our target is the USER0 partition, in this example starting at 0x900000 and ending at 0xFEFFFF. We now need to copy the data to a single file. I did this using HxD.

  1. Open the image file, if not already done.
  2. Go to "Edit" and "Select Block…".
  3. Enter the start and end address of the USER0 partition (remember: the end address is the start address of the next partition minus one). In our example Start = 0x900000 and End = 0xFEFFFF.
  4. Press "OK" – now the related data is selected.
  5. Right-click on the selected block and choose "Copy".
  6. Press Ctrl+N to create a new file.
  7. Insert the content with Ctrl+V – you'll get a warning – confirm it by pressing "OK".
  8. Check that you copied the right data.
  9. Save the file.

Manipulating the USER0 image

For this step I highly recommend using Linux. You'll need the kernel modules mtdram and mtdblock available on it. I used Ubuntu 20.04 desktop.

Changing the data

  1. Copy the file to the Linux system.
  2. Open a terminal or console.
  3. Load the mtdram module with the following command: sudo modprobe mtdram total_size=xxx, where xxx must match your partition size (take the size, convert it to decimal and divide it by 1024). In our case the size is 16319, so: sudo modprobe mtdram total_size=16319
  4. Load the block driver by executing sudo modprobe mtdblock
  5. Copy the file into the newly created mtdblock device: sudo dd if=/path/to/user0.img of=/dev/mtdblock0
  6. Create a working directory: mkdir fs
  7. Mount the block device. The image is a JFFS2 file system: sudo mount -t jffs2 /dev/mtdblock0 ./fs
  8. Enter the directory: cd ./fs

Depending on your goal you can now do the following:

  • You can enable telnet by creating an empty file called "flag_debug_telnet": touch ./flag_debug_telnet. This will allow you to connect to your CAM via telnet on port 9527 (telnet ip-of-the-cam 9527).
  • You can enable the development mode by creating an empty file called "flag_debug_dev_start": touch ./flag_debug_dev_start. Be aware that this will prevent the CAM from fully starting up, but you'll be able to access the CAM via the UART adapter without a password; just enter root as the username at the login prompt.

NOTE: The CAM is configured to set the root password to a random string periodically. This prevents logging in via telnet or the console if the development mode is not activated. To work around this and get permanent root access without the development mode being activated, see the instructions under "Workaround to gain root access" below.

Save the image back to the device:

  1. Leave the working directory fs.
  2. Unmount the file system: sudo umount /dev/mtdblock0
  3. Copy the data back into an image file: sudo dd if=/dev/mtdblock0 of=/path/to/user0new.img
  4. Format your SD card with FAT32 and put the changed file back on it.
  5. Connect again to the CAM, following the steps under "Connect to the device".
  6. Insert the SD card into the device.
  7. Execute the command mmc rescan
  8. Load the file from the SD card into RAM: fatload mmc 0:1 2000000 user0new.img. If this command fails, try this one instead: fatload mmc 0:0 2000000 user0new.img
  9. Update the flash memory from RAM with the following command: sf update 2000000 xxx yyy, where xxx is the start address of the USER0 partition and yyy is the size of the USER0 partition. In our example it looks like this: sf update 2000000 900000 6F0000. You'll see output telling you how many bytes have been updated, how many (unchanged) bytes have been skipped, etc.
  10. Eject the SD card and reset the CAM by unplugging and re-plugging its power.

Workaround to gain root access

Once you have activated the development mode you can create a script which resets the root password periodically.

  1. Activate the development mode.
  2. Log in to the device and change to /dev_data by executing cd /dev_data
  3. Run the following commands (copy and paste them into the terminal, press Enter after the last line):
echo "#!/bin/sh" >>dev_pwd.sh
echo while true >>dev_pwd.sh
echo do >>dev_pwd.sh
echo   echo setting root pwd to root >>dev_pwd.sh
echo   "echo \"root:root\"|chpasswd" >>dev_pwd.sh
echo   sleep 10 >>dev_pwd.sh
echo done >>dev_pwd.sh
echo  >>dev_pwd.sh
echo "/mnt/mtd/dev_data/dev_pwd.sh &" >>dev_init.sh
echo >>dev_init.sh
  4. Execute chmod +x /mnt/mtd/dev_data/dev_pwd.sh to make it executable.
  5. Execute reboot, wait a few seconds and unplug the CAM.
  6. Power the CAM again.

Now you can log in via the UART adapter / terminal app or, if you created the file for telnet, via telnet ip-of-the-cam 9527. You may have to try several times: it's a race between the reset script above and the script randomly changing the password.
