Getting access to serial of VStarcam H6837WI

The VStarcam H6837WI came with a serial connector (labelled SERIA1) soldered on the board. It is funny!

I found a connector cable in an old laptop and connected it, and then I got access to the U-Boot bootloader used on it:


U-Boot 1.1.6 (May 19 2011 - 16:36:28)

Flash: 8 MB
*** Warning - bad CRC, using default environment

In: serial
Out: serial
Err: serial

Let's see the default environment variables:

object$ pri

Environment size: 148/32764 bytes

I noticed they are not using a valid MAC address: the MAC address they are using (00-02-04) is registered by Bodmann Industries, a German company, as you can see here:

Next step, let's see the commands available in this U-Boot compilation:

object$ help
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
echo - echo args to console
eeprom - EEPROM sub-system
erase - erase FLASH memory
exit - exit script
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
icrc32 - checksum calculation
iloop - infinite loop on address range
imd - i2c memory display
iminfo - print header information for application image
imm - i2c memory modify (auto-incrementing)
imw - memory write (fill)
inm - memory modify (constant address)
iprobe - probe to discover valid I2C chip addresses
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version

Wow, we have serial binary transfer support (ymodem and kermit), so if I flash a wrong Linux kernel it is possible to reinstall it using the serial cable.

Let me see the flash information:

object$ flinfo

Bank # 1: data:
d003d003e3e0e3e0 3c 3ce59fe59f12011201e3a0e3a02b022b02e3a0e3a0
AMD: S29GL064TFI04 (64Mbit)
Size: 8 MB in 135 Sectors
Sector Start Addresses:
10000000 (RO) 10002000 (RO) 10004000 (RO) 10006000 (RO) 10008000 (RO)
1000A000 (RO) 1000C000 (RO) 1000E000 (RO) 10010000 (RO) 10020000 (RO)
10030000 10040000 10050000 10060000 10070000
10080000 10090000 100A0000 100B0000 100C0000
100D0000 100E0000 100F0000 10100000 10110000
10120000 10130000 10140000 10150000 10160000
10170000 10180000 10190000 101A0000 101B0000
101C0000 101D0000 101E0000 101F0000 10200000
10210000 10220000 10230000 10240000 10250000
10260000 10270000 10280000 10290000 102A0000
102B0000 102C0000 102D0000 102E0000 102F0000
10300000 10310000 10320000 10330000 10340000
10350000 10360000 10370000 10380000 10390000
103A0000 103B0000 103C0000 103D0000 103E0000
103F0000 10400000 10410000 10420000 10430000
10440000 10450000 10460000 10470000 10480000
10490000 104A0000 104B0000 104C0000 104D0000
104E0000 104F0000 10500000 10510000 10520000
10530000 10540000 10550000 10560000 10570000
10580000 10590000 105A0000 105B0000 105C0000
105D0000 105E0000 105F0000 10600000 10610000
10620000 10630000 10640000 10650000 10660000
10670000 10680000 10690000 106A0000 106B0000
106C0000 106D0000 106E0000 106F0000 10700000
10710000 10720000 10730000 10740000 10750000
10760000 10770000 10780000 10790000 107A0000
107B0000 107C0000 107D0000 107E0000 107F0000 (RO)

The first 10 sectors are used by U-Boot (up to 128KB) and the last one (0x107F0000) is used to store environment variables.
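To audit which flash regions the bootloader reports as write-protected, the flinfo output can be parsed into a sector map. This is an added example, not code from the original post; the function names are made up for illustration and the sample is a constructed, shortened dump in the same format (the function also accepts a full dump like the one above).

```python
import re

# Constructed, shortened sample in the same format as the flinfo dump above
# (a 1 MB part instead of the camera's 8 MB, so it fits here).
SAMPLE = """\
Size: 1 MB in 23 Sectors
Sector Start Addresses:
10000000 (RO) 10002000 (RO) 10004000 (RO) 10006000 (RO) 10008000 (RO)
1000A000 (RO) 1000C000 (RO) 1000E000 (RO) 10010000 (RO) 10020000 (RO)
10030000 10040000 10050000 10060000 10070000
10080000 10090000 100A0000 100B0000 100C0000
100D0000 100E0000 100F0000 (RO)
"""

def parse_flinfo(text):
    """Return a list of (start, size, read_only) tuples, one per sector."""
    m = re.search(r"Size:\s*(\d+)\s*MB in (\d+) Sectors", text)
    if not m:
        raise ValueError("no 'Size: N MB in M Sectors' line found")
    total, count = int(m.group(1)) << 20, int(m.group(2))
    body = text.split("Sector Start Addresses:", 1)[1]
    entries = re.findall(r"\b([0-9A-Fa-f]{8})\b(\s+\(RO\))?", body)
    starts = [int(a, 16) for a, _ in entries]
    if len(starts) != count or starts != sorted(set(starts)):
        raise ValueError("sector list is truncated, duplicated or out of order")
    end = starts[0] + total          # the last sector runs to the end of the bank
    bounds = starts[1:] + [end]
    return [(s, e - s, bool(ro)) for s, e, (_, ro) in zip(starts, bounds, entries)]

def protected_ranges(sectors):
    """Merge adjacent read-only sectors into (start, end_exclusive) ranges."""
    ranges = []
    for start, size, ro in sectors:
        if not ro:
            continue
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], start + size)
        else:
            ranges.append((start, start + size))
    return ranges

if __name__ == "__main__":
    for lo, hi in protected_ranges(parse_flinfo(SAMPLE)):
        print(f"RO 0x{lo:08X}-0x{hi - 1:08X} ({(hi - lo) // 1024} KiB)")
```

Sector sizes are derived from the gaps between consecutive start addresses, so a dump that lost lines on a noisy serial link is rejected instead of producing a wrong map.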

More info to come, stay tuned!

2 thoughts on “Getting access to serial of VStarcam H6837WI”

  1. Hello Alan,
    very good blog here 🙂 good work!
    I also want to hack my IPCAM, but I’m not sure how to get access to the serial interface. I took my scope and measured the ‘SERIA1’ pin, but I can’t see a signal on this line. Can you give me a little hint please. Apart from that, I assume that the line next to SERIA1 is RXD.
    I looked in my /etc/inittab and saw that there is a line like ‘T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100’ but it is commented out 😦 and there is no write access.

    best regards
