Category: IPCAM

Modifying the original NOR flash layout of an IP camera to support a large uncompressed kernel

The original VStarCAM H6837WI NOR flash layout reserves only 1.5 MiB for the kernel, 4 MiB for the main rootfs and about 2.3 MiB for IPCamFS.

I decided to grow the Kernel partition to 3456 KiB (0x360000 bytes, about 3.4 MiB), taking the space from RootFS and IpcamFS, so my layout becomes:

[ 0.870000] 0x000000000000-0x000000030000 : "ARMboot"
[ 0.880000] 0x000000030000-0x000000390000 : "Kernel"
[ 0.890000] 0x000000390000-0x000000770000 : "RootFS"
[ 0.900000] 0x000000770000-0x0000007f0000 : "IpcamFS"
[ 0.910000] 0x0000007f0000-0x000000800000 : "param"

These are the resulting MTD partition sizes (from /proc/mtd):

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "ARMboot"
mtd1: 00360000 00010000 "Kernel"
mtd2: 003e0000 00010000 "RootFS"
mtd3: 00080000 00010000 "IpcamFS"
mtd4: 00010000 00010000 "param"

This is the command I used to create the uncompressed kernel uImage (-C none, wrapping arch/arm/boot/Image instead of the self-decompressing zImage):

$ mkimage -A arm -O linux -T kernel -C none -a 0x50C08000 -e 0x50C08000 -n '2.6.24ssl' -d arch/arm/boot/Image uImage
Image Name:   2.6.24ssl
Created:      Tue Jun  2 17:21:23 2015
Image Type:   ARM Linux Kernel Image (uncompressed)
Data Size:    2737056 Bytes = 2672.91 kB = 2.61 MB
Load Address: 0x50C08000
Entry Point:  0x50C08000

These are the bootargs (in the U-Boot environment) that describe the new layout to the kernel. The mtdparts= sizes (192k + 3456k + 3968k + 512k, with the remaining 64k for param = 8 MiB) must agree exactly with the erase and cp.b ranges used below, otherwise the kernel will look for the root filesystem somewhere other than where the bootloader wrote it:

bootargs=mtdparts=physmap-flash.0:192k(ARMboot)ro,3456k(Kernel),3968k(RootFS),512k(IpcamFS),-(param) mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock2

Each image is sent over YMODEM with loady, which leaves it at 0x50C07FC0 (the source address of the cp.b lines), then the target range is erased and the image is copied into flash. Note that 0x50C07FC0 plus the 64-byte uImage header is 0x50C08000, the load address given to mkimage, so U-Boot can also boot the uncompressed image straight from RAM without relocating it. The RootFS image is sent in two pieces (0x200000 and 0x1E0000 bytes) and written at consecutive offsets.

Flashing Kernel:

object$ loady
object$ erase 0x10030000 0x1038FFFF
object$ cp.b 0x50C07FC0 0x10030000 0x360000

Flashing RootFS:

object$ erase 0x10390000 0x1076FFFF
object$ loady
object$ cp.b 0x50C07FC0 0x10390000 0x200000
object$ loady
object$ cp.b 0x50C07FC0 0x10590000 0x1E0000

Flashing IpcamFS:

object$ loady
object$ erase 0x10770000 0x107EFFFF
object$ cp.b 0x50C07FC0 0x10770000 0x80000

Flashing param:

object$ loady
object$ protect off 1:134 
object$ erase 0x107F0000 0x107FFFFF
object$ cp.b 0x50C07FC0 0x107F0000 0x10000
object$ protect on 1:134 

Now the kernel boots and mounts the cramfs root, but two things go wrong. Several of the vendor's user-space programs (sdupdate, daemon, encoder) fail to start because libgpioctrl.so is not present on the root filesystem I flashed. Worse, loading the vendor's out-of-tree “device” module (the Micrel KSZ8851 Ethernet driver) oopses in dev_probe: the faulting instruction is a halfword store (strh r2, [r3, #4] with r3 = 0xfc000000), the page-table dump shows nothing mapped at that address (*pgd=00000000), and insmod is killed, which is the “Segmentation fault” below. The module prints “io fc000000 fc000000”, so it most likely expects that virtual address to be a fixed I/O mapping already established by the kernel, which my kernel does not set up:

U-Boot 1.1.6 (May 19 2011 - 16:36:28)

DRAM:  64 MB
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
 0 

 Starting kernel ...

[    0.000000] Linux version 2.6.24ssl (alan@devmac) (gcc version 3.4.6) #3 PREEMPT Thu Jun 4 18:16:01 EDT 2015
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[    0.000000] Machine: object h264 ipcam
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] CPU0: D VIVT write-back cache
[    0.000000] CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[    0.000000] CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[    0.000000] Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 5080
[    0.000000] Kernel command line: mtdparts=physmap-flash.0:192k(ARMboot)ro,3456k(Kernel),3968k(RootFS),512k(IpcamFS),-(pa2
[    0.000000] intc: init info - ver=1,0
[    0.000000] gpio: init info - ver=1,0 
[    0.000000] clock: init info - ver=1,0 
[    0.000000] MAGUS Clocks : ARM-240.000 MHz, HCLK-120.000 MHz, PCLK-60.000 MHz, PERCLK1-60.000 MHz, PERCLK2-24.000 MHz
[    0.000000] PID hash table entries: 128 (order: 7, 512 bytes)
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttyS0] enabled
[    0.010000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.020000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.030000] Memory: 20MB = 20MB total
[    0.030000] Memory: 17180KB available (2768K code, 221K data, 76K init)
[    0.270000] Mount-cache hash table entries: 512
[    0.270000] CPU: Testing write buffer coherency: ok
[    0.290000] net_namespace: 64 bytes
[    0.300000] NET: Registered protocol family 16
[    0.330000] dma: init info - ver 1.0 fifosize=128, 8 channels
[    0.330000] MAGUS cpu freq change driver v1.0
[    0.340000] 
[    0.340000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[    0.350000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[    0.380000] SCSI subsystem initialized
[    0.390000] usbcore: registered new interface driver usbfs
[    0.400000] usbcore: registered new interface driver hub
[    0.410000] usbcore: registered new device driver usb
[    0.470000] NET: Registered protocol family 2
[    0.570000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.580000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    0.590000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.600000] TCP reno registered
[    0.630000] Power Management for MAGUS. V0.1.1
[    0.630000] NetWinder Floating Point Emulator V0.97 (extended precision)
[    0.650000] JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.660000] io scheduler noop registered
[    0.660000] io scheduler deadline registered (default)
[    0.690000] Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
[    0.700000] ttyS0: autoconf (0x0000, 0xf000300c): uart: id=7000041
[    0.700000] type=16550A
[    0.710000] serial8250: ttyS0 at MMIO 0x0 (irq = 16) is a 16550A
[    0.710000] ttyS1: autoconf (0x0000, 0xf000400c): uart: id=7000041
[    0.720000] type=16550A
[    0.720000] serial8250: ttyS1 at MMIO 0x0 (irq = 17) is a 16550A
[    0.730000] dm9000a Ethernet Driver
[    0.740000] Driver 'sd' needs updating - please use bus_type methods
[    0.740000] Driver 'sr' needs updating - please use bus_type methods
[    0.760000] physmap platform flash device: 00800000 at 10000000
[    0.760000] physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
[    0.770000]  Amd/Fujitsu Extended Query Table at 0x0040
[    0.780000] number of CFI chips: 1
[    0.780000] cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[    0.790000] 5 cmdlinepart partitions found on MTD device physmap-flash.0
[    0.790000] Creating 5 MTD partitions on "physmap-flash.0":
[    0.800000] 0x00000000-0x00030000 : "ARMboot"
[    0.810000] 0x00030000-0x00390000 : "Kernel"
[    0.820000] 0x00390000-0x00770000 : "RootFS"
[    0.820000] 0x00770000-0x007f0000 : "IpcamFS"
[    0.830000] 0x007f0000-0x00800000 : "param"
[    0.840000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[    0.850000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[    0.860000] Initializing USB Mass Storage driver...
[    0.870000] usbcore: registered new interface driver usb-storage
[    0.870000] USB Mass Storage support registered.
[    0.880000] usbcore: registered new interface driver libusual
[    0.880000] i2c /dev entries driver
[    0.900000] i2c: init info - ver=1,0
[    0.900000] 
[    0.900000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[    0.910000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[    0.920000] Advanced Linux Sound Architecture Driver Version 1.0.15 (Tue Nov 20 19:16:42 2007 UTC).
[    0.930000] ASoC version 0.13.1
[    0.940000] ALSA device list:
[    0.940000]   No soundcards found.
[    0.940000] TCP cubic registered
[    0.950000] NET: Registered protocol family 1
[    0.950000] NET: Registered protocol family 17
[    0.960000] VFS: Can't find an ext2 filesystem on dev mtdblock2.
[    0.980000] VFS: Mounted root (cramfs filesystem) readonly.
[    0.990000] Freeing init memory: 76K
/usr/bin/sdupdate: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or diy
[    3.600000] Micrel KSZ8851 driver with MLL interface
[    3.600000] io fc000000 fc000000
[    3.600000] Micrel KSZ8851 1.0.4 (Apr 23, 2009)
[    3.610000] zqh base:fc000000
[    3.610000] read ID by zqh
[    3.620000] Unable to handle kernel paging request at virtual address fc000004
[    3.620000] pgd = c0c04000
[    3.640000] [fc000004] *pgd=00000000
[    3.640000] Internal error: Oops: 805 [#1] PREEMPT
[    3.640000] Modules linked in: device
[    3.640000] CPU: 0    Not tainted  (2.6.24ssl #3)
[    3.640000] PC is at dev_probe+0x90/0x444 [device]
[    3.640000] LR is at vprintk+0x354/0x3b0
[    3.640000] pc : []    lr : []    psr: 40000013
[    3.640000] sp : c1357238  ip : c13571ac  fp : c1357e2c
[    3.640000] r10: fc000000  r9 : c0c30000  r8 : 00000ba4
[    3.640000] r7 : c1357254  r6 : c0305a3c  r5 : c0c30000  r4 : c0c30000
[    3.640000] r3 : fc000000  r2 : 000030c0  r1 : 00000001  r0 : 00000021
[    3.640000] Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[    3.640000] Control: 0005317f  Table: 51804000  DAC: 00000015
[    3.640000] Process insmod (pid: 183, stack limit = 0xc1356258)
[    3.640000] Stack: (0xc1357238 to 0xc1358000)
[    3.640000] 7220:                                                       00000000 00000000 
[    3.640000] 7240: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7260: ffffffff 00000020 00000000 fc000000 fc000000 00000000 00000000 bede3f85 
[    3.640000] 7280: 00000011 40014602 00000002 400145d4 00000024 40014606 00000002 4001dd7f 
[    3.640000] 72a0: 0000000e 400145fc 00000002 4001dd60 0000001e 400145fc 00000002 40014c38 
[    3.640000] 72c0: 00000019 40014612 00000001 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 72e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7300: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7320: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7340: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7360: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7380: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 73a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 73c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 73e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7400: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7420: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7440: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7460: 00000000 00000000 4001d000 fffffffe 40006110 00000000 00000000 00000000 
[    3.640000] 7480: 00000000 00000000 4001dd7f 4001dd60 00000002 4001d000 bede3988 bede34a8 
[    3.640000] 74a0: 4000c838 4000c3dc 4000b8cc 40014600 bede3f85 4001d000 4001dd7f 400145fc 
[    3.640000] 74c0: 4001dd60 400145fc 40014c38 7273752f 62696c2f 62696c00 6f697067 6c727463 
[    3.640000] 74e0: 006f732e 6f732e6c 732e6c00 2e6c006f 2e006f73 00006f73 00050718 4001ce14 
[    3.640000] 7500: bede34d5 00000018 00000001 00000000 4001cf3c 00000000 0000000f 00008445 
[    3.640000] 7520: 00001f02 00000000 00000000 00001864 000041ff 00000001 00000000 00000000 
[    3.640000] 7540: 00000000 00000000 00000000 00000168 00000000 00001000 00000001 00000000 
[    3.640000] 7560: 00000000 00000000 00000000 00000000 00000000 00000000 00001864 00000000 
[    3.640000] 7580: 4001d700 00008445 4001d700 4001d700 00008445 4001d700 00000000 ffffffff 
[    3.640000] 75a0: 00000000 4001d000 40006e80 bede35d4 bede35d8 00000000 00000000 00000000 
[    3.640000] 75c0: 00000000 00000000 0000000f 00000001 00000000 00000000 00000000 00000000 
[    3.640000] 75e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7600: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7620: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7640: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7660: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7680: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 76a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 76c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 76e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7700: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7720: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7740: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7760: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7780: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 77a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 77c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 bede3940 
[    3.640000] 77e0: 00008445 00000000 00008445 bede38ec 4001d700 4001d000 bede3988 4000a524 
[    3.640000] 7800: 00000000 00000000 00000000 00000000 4000ba3c 4001d640 bede3940 4000a4e0 
[    3.640000] 7820: bede3938 bede393c 4001dd7f 4001dd60 00011474 00008445 00000000 00008445 
[    3.640000] 7840: bede38ec 4001d700 4001d000 bede3988 bede3814 4000ba1c 00000000 00000000 
[    3.640000] 7860: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7880: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 78a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 78c0: 00000000 00000000 00000000 00011474 00008445 00000000 00008445 00000001 
[    3.640000] 78e0: 4001d700 4001d000 4000b3d0 00000001 4001d700 00000000 4001ce62 00000004 
[    3.640000] 7900: 4001ce80 f43e1a80 0098963a cda2d282 c1357960 c1357920 c00338a8 c0112eb0 
[    3.640000] 7920: c02ef090 00989680 00000000 f4d6b100 0098963a c02ef098 c02eecc8 c02eecc8 
[    3.640000] 7940: c0379340 c02f317c c1357a88 00000000 00000000 c02eecf8 00000400 c02eec3c 
[    3.640000] 7960: c02eecf8 00000000 c13579a0 c1357978 c0033ec4 c0033a80 c02eec3c c02eecf8 
[    3.640000] 7980: 00000400 c02eecc8 c02ef0bc c1356000 00000000 c13579b8 c13579a4 c103fcb4 
[    3.640000] 79a0: 00000003 00000001 00000000 60000013 00770028 00000000 c13579ec c13579c8 
[    3.640000] 79c0: c0036ed0 c0035068 00000000 00770028 c103fc60 c1020ca4 c1020ca4 c103fc98 
[    3.640000] 79e0: c1357a14 c13579f0 c015b46c c0036e88 c103fc60 00770028 c103fc60 c02de5e0 
[    3.640000] 7a00: 00000000 00000000 c02de5bc c02de5bc c1357a48 c1357a20 c03213c0 c1038ad0 
[    3.640000] 7a20: 00000001 00000001 00000001 00000001 00000001 c03a8460 00000000 c1039830 
[    3.640000] 7a40: 00000008 c1356000 00000008 00000000 c1357b28 c1357a60 c0101004 c0100d90 
[    3.640000] 7a60: c1357a8c c1357a70 c0082f1c c0112eb0 c1038ad0 c1038ad0 00000000 c03816a0 
[    3.640000] 7a80: c1357a9c c1357a90 c0066658 c0082f08 c1357ad4 c03a8460 c03a8460 c006664c 
[    3.640000] 7aa0: c02eecf8 0000046e c02eec3c c02eecf8 00000000 00000000 c1038ad0 00000000 
[    3.640000] 7ac0: 00000000 c1020ce0 c1020ce0 00000008 c1357af4 c1357ae0 c00fedd0 c010e290 
[    3.640000] 7ae0: c1020ce0 c1039830 c1357b10 c1357af8 c0107298 c00fed6c 00010404 c1020ce0 
[    3.640000] 7b00: c1039830 00000000 feced300 ffffffff c0387658 c1357b4c c1357b24 c0033c9c 
[    3.640000] 7b20: c010e290 00000001 c02eec80 c039e690 00000000 c0062668 c1042000 c02de5e0 
[    3.640000] 7b40: 00000000 00000000 c02de5bc c02de5bc c1357b88 c1357b60 c0067ee4 c0067254 
[    3.640000] 7b60: c02de5e0 00000000 00000001 00000000 c02de5bc 001200d2 00000000 c1357bb0 
[    3.640000] 7b80: c1357b8c c0068134 c0035068 c02de5bc c02de5d4 60000013 c02de5bc c13f2aac 
[    3.640000] 7ba0: 00000000 c1357bf4 c1357bb4 c00683b8 c0035068 00000000 00000000 00000000 
[    3.640000] 7bc0: 00000000 c02dedd4 00000044 c02dedd4 001200d2 c02dedd0 fd2eec00 0098963a 
[    3.640000] 7be0: d693a402 c1357c34 c1357bf4 c00338a8 c0112eb0 c02ef090 00989680 00000000 
[    3.640000] 7c00: fdc78280 0098963a c02ef098 c02eecc8 c02eecc8 c0379340 c02f317c c1357d5c 
[    3.640000] 7c20: 00000000 00000000 c02eecf8 0000086e c02eec3c c02eecf8 00000000 c1357c74 
[    3.640000] 7c40: c1357c4c c0033ec4 c0033a80 c02eec3c c02eecf8 0000086e c02eecc8 c02ef0bc 
[    3.640000] 7c60: c1356000 00000036 c1357c8c c1357c78 c0034510 c0033e70 fdc78280 0098963a 
[    3.640000] 7c80: d72c3a82 c1357cd4 c1357c94 c00338a8 c0112eb0 c02ef090 00000000 00000000 
[    3.640000] 7ca0: fdc78280 0098963a c02ef098 c02eecc8 c02eecc8 c02efc89 c02d658c 00000001 
[    3.640000] 7cc0: 60000013 00000024 c1357ce8 c1357cd8 c1357cfc c1357ce0 c01351f4 c01333d0 
[    3.640000] 7ce0: c02efcaa 00000021 c0135148 c03040ec c1357d20 c1357d00 c013290c c0135158 
[    3.640000] 7d00: c03040ec 00000021 c02efc89 00000093 00000001 c1357d48 c1357d24 c0135374 
[    3.640000] 7d20: c0035068 c02e50bc 000022a9 000022ca c02d658c fffff000 00000024 c1357d64 
[    3.640000] 7d40: c1357d4c c003b41c c0135214 000022ca c02d655c 60000093 c1357d7c c1357d68 
[    3.640000] 7d60: c003b4bc c003b3ac 000022ca 000022ca c1357da0 c1357d80 c003ba78 c003b830 
[    3.640000] 7d80: c1356000 00000000 c02d6568 c02ef948 00000034 c1357e0c c1357da4 c003be38 
[    3.640000] 7da0: c0035068 00094ed0 5b3e343c 20202020 31362e33 30303030 c100205d c0068e1c 
[    3.640000] 7dc0: c0035068 00000000 00000000 c1357e83 0000000a c1357e54 ffffffff 00000002 
[    3.640000] 7de0: c1357e80 c0c30000 00000000 c0305a3c c0c30000 c1868594 000030c0 c1862000 
[    3.640000] 7e00: c1357e1c c0c30000 c0c30000 c0305a3c c0c30000 c1868594 00000000 c1862000 
[    3.640000] 7e20: c1357e88 c1357e30 bf009044 bf004bec c01bea78 c010f260 c0305a3c c0c32000 
[    3.640000] 7e40: c0c30000 00000004 c1357e80 c0c30000 c1868594 c0c30000 00000004 c010effc 
[    3.640000] 7e60: c0c30000 c0c30000 c0305a3c 00000016 c1868594 00000000 c1862000 c1357ea8 
[    3.640000] 7e80: c1357e8c c01c298c bf009010 c1357ea8 c0c30000 00000000 bf007800 c1357ec0 
[    3.640000] 7ea0: c1357eac c01c2c60 c01c293c c0c30000 00000000 c1357ed8 c1357ec4 bf0096f8 
[    3.640000] 7ec0: c01c2c2c bf007800 00000000 c1357fa4 c1357edc c005d470 bf009684 00000000 
[    3.640000] 7ee0: 00000348 c0216310 c0216310 000001ec 00000034 00000016 c01b90e8 bf0067f4 
[    3.640000] 7f00: 00000000 0000012f 0000012f 00000054 00000050 0000003c c1356000 00000000 
[    3.640000] 7f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
[    3.640000] 7f40: 00000008 00000000 0000000f 00000000 00000000 00000009 00000015 00000014 
[    3.640000] 7f60: c1869bf4 c102d420 c18684e4 be9f3f58 be9f3e94 00000000 00000000 0000a038 
[    3.640000] 7f80: be9f3f51 be9f3e94 00000080 c001c024 c1356000 0006c784 00000000 c1357fa8 
[    3.640000] 7fa0: c001be80 c005bf68 be9f3f51 be9f3e94 00900080 00088060 0000a038 00088050 
[    3.640000] 7fc0: 0000a038 be9f3f51 be9f3e94 00000000 be9f3f58 be9f3e94 0006c784 00085324 
[    3.640000] 7fe0: be9f3c9c be9f3c90 00012bc4 401b8570 60000010 00900080 00657461 00000000 
[    3.640000] Backtrace: 
[    3.640000] [] (dev_probe+0x0/0x444 [device]) from [] (ks8851_netdev_init+0x44/0x674 [device])
[    3.640000] [] (ks8851_netdev_init+0x0/0x674 [device]) from [] (register_netdevice+0x60/0x2f0)
[    3.640000] [] (register_netdevice+0x0/0x2f0) from [] (register_netdev+0x44/0x54)
[    3.640000]  r6:bf007800 r5:00000000 r4:c0c30000
[    3.640000] [] (register_netdev+0x0/0x54) from [] (init_module+0x84/0xd4 [device])
[    3.640000]  r5:00000000 r4:c0c30000
[    3.640000] [] (init_module+0x0/0xd4 [device]) from [] (sys_init_module+0x1518/0x1594)
[    3.640000]  r5:00000000 r4:bf007800
[    3.640000] [] (sys_init_module+0x0/0x1594) from [] (ret_fast_syscall+0x0/0x2c)
[    3.640000] Code: eb40dc8c e5973018 e3a02dc3 e18720b8 (e1c320b4) 
[    3.650000] ---[ end trace fad711ab882f40be ]---
Segmentation fault
[    3.730000] piu reg start addr 0xc1862000, phy addr 0xd0132000
[    3.740000] PIU driver loaded - mem @ 0x503FFF00
[    3.960000] vpp in maj=252
[    4.160000] VIP: Module has been loaded into the kernel 
[    4.360000] DV Module loaded into the kernel 
[    4.940000] enter magus_init func
[    4.950000] PM: Adding info for platform:soc-audio
[    4.970000] wm8731: WM8731 Audio Codec 0.13
[    4.980000] exit magus_init func OK, device added
[    5.790000] PM: Adding info for No Bus:gadget
[    5.890000] sslotg: Set Magus as Host.
[    5.890000] otg: init info - ver=0041
[    5.890000] PM: Adding info for platform:ehci
[    5.910000] ehci ehci: ssl ehci
[    5.940000] drivers/usb/core/inode.c: creating file 'devices'
[    5.940000] drivers/usb/core/inode.c: creating file '001'
[    5.970000] ehci ehci: new USB bus registered, assigned bus number 1
[    5.970000] ehci ehci: park 0
[    5.990000] ehci ehci: irq 14, io mem 0x08403000
[    6.000000] ehci ehci: reset command 080b02 park=3 ithresh=8 period=1024 Reset HALT
[    6.010000] ehci ehci: init command 010009 (park)=0 ithresh=1 period=256 RUN
[    6.030000] ehci ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
[    6.030000] usb usb1: default language 0x0409
[    6.040000] PM: Adding info for usb:usb1
[    6.040000] usb usb1: uevent
[    6.080000] usb usb1: usb_probe_device
[    6.090000] PM: Adding info for No Bus:usbdev1.1_ep00
[    6.100000] usb usb1: configuration #1 chosen from 1 choice
[    6.100000] usb usb1: adding 1-0:1.0 (config #1, interface 0)
[    6.120000] PM: Adding info for usb:1-0:1.0
[    6.120000] usb 1-0:1.0: uevent
[    6.160000] hub 1-0:1.0: usb_probe_interface
[    6.160000] hub 1-0:1.0: usb_probe_interface - got id
[    6.170000] hub 1-0:1.0: USB hub found
[    6.170000] hub 1-0:1.0: 1 port detected
[    6.200000] hub 1-0:1.0: standalone hub
[    6.200000] hub 1-0:1.0: individual port power switching
[    6.200000] hub 1-0:1.0: individual port over-current protection
[    6.250000] hub 1-0:1.0: Single TT
[    6.250000] hub 1-0:1.0: TT requires at most 8 FS bit times (666 ns)
[    6.270000] hub 1-0:1.0: power on to power good time: 20ms
[    6.270000] hub 1-0:1.0: local power source is good
[    6.280000] hub 1-0:1.0: enabling power on all ports
[    6.390000] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0000
[    6.390000] PM: Adding info for No Bus:usbdev1.1_ep81
[    6.430000] PM: Adding info for No Bus:usbdev1.1
[    6.440000] drivers/usb/core/inode.c: creating file '001'
[    6.440000] ehci ehci: GetStatus port 1 status 10001803 POWER sig=j CSC CONNECT
[    6.450000] hub 1-0:1.0: port 1, status 0101, change 0001, 12 Mb/s
[    6.460000] usb usb1: new device strings: Mfr=3, Product=2, SerialNumber=1
[    6.460000] usb usb1: Product: ssl ehci
[    6.480000] usb usb1: Manufacturer: Linux 2.6.24ssl ssl ehci
[    6.480000] usb usb1: SerialNumber: ssl_ehci
[    6.620000] hub 1-0:1.0: debounce: port 1: total 100ms stable 100ms status 0x101
[    6.680000] hub 1-0:1.0: port 1 not reset yet, waiting 50ms
[    6.740000] CI reset done
[    6.740000] ehci ehci: GetStatus port 1 status 11001805 POWER sig=j PE CONNECT
[    6.810000] usb 1-1: new full speed USB device using ehci and address 2
[    6.880000] CI reset done
[    6.880000] ehci ehci: GetStatus port 1 status 11001805 POWER sig=j PE CONNECT
daemon: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or directory
[    6.980000] usb 1-b
[    7.000000] usb 1-1: default language 0x0409
[    7.020000] PM: Adding info for usb:1-1
[    7.020000] usb 1-1: uevent
[    7.060000] usb 1-1: usb_probe_device
[    7.060000] PM: Adding info for No Bus:usbdev1.2_ep00
[    7.090000] usb 1-1: configuration #1 chosen from 1 choice
[    7.090000] usb 1-1: adding 1-1:1.0 (config #1, interface 0)
[    7.100000] PM: Adding info for usb:1-1:1.0
[    7.110000] usb 1-1:1.0: uevent
[    7.130000] PM: Adding info for No Bus:usbdev1.2_ep81
[    7.170000] PM: Adding info for No Bus:usbdev1.2_ep01
[    7.190000] PM: Adding info for No Bus:usbdev1.2_ep02
[    7.220000] PM: Adding info for No Bus:usbdev1.2_ep03
[    7.260000] PM: Adding info for No Bus:usbdev1.2_ep04
[    7.280000] PM: Adding info for No Bus:usbdev1.2_ep05
[    7.360000] PM: Adding info for No Bus:usbdev1.2_ep06
[    7.380000] PM: Adding info for No Bus:usbdev1.2
[    7.400000] drivers/usb/core/inode.c: creating file '002'
[    7.400000] usb 1-1: new device strings: Mfr=1, Product=2, SerialNumber=3
[    7.410000] usb 1-1: Product: 802.11 n WLAN
[    7.410000] usb 1-1: Manufacturer: Ralink
[    7.420000] usb 1-1: SerialNumber: 1.0
encoder: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or directory

Using strings to recreate a Linux kernel config

Using the uncompressed Linux kernel payload (the “piggy”, i.e. the Image that the zImage wrapper decompresses) that I recovered from the camera, I started rebuilding the original kernel configuration of the VStarCAM H6837WI.

All we need to do is:

$ strings piggy > strings_kernel_orig.txt
$ strings Image > strings_kernel_new.txt

The “piggy” file comes from the camera; Image is the Linux kernel I compiled myself.

Then compare strings_kernel_orig.txt and strings_kernel_new.txt with a diff tool such as meld.

When you find readable text in piggy that does not exist in our Image, search for that string in the Linux kernel source tree (from the top of the tree; -F treats the string literally, since printk strings often contain characters such as “.” or “[” that grep would otherwise read as a pattern):

$ grep -rnF 'somestring' .

That points you to a C file. Open the Makefile in that file's directory and find the rule that compiles it, e.g. obj-$(CONFIG_SOMETHING) += somefile.o; CONFIG_SOMETHING is the symbol that pulls the feature in.

Now open the kernel configuration menu (“make menuconfig”), search for that CONFIG_ symbol (press “/”), enable it and rebuild the kernel.

Repeat from the strings_kernel_new.txt step until both kernels contain the same strings. In the end you will have a kernel very close to the original firmware's.

Note: odd-looking strings such as “nYgq,” are worth searching for too.
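As an added example (not from the original post), the following script automates the loop above: it diffs the two strings outputs, greps a kernel tree for each string the vendor image has and ours lacks, and reads the directory Makefile of every hit for the obj-$(CONFIG_...) rule that compiles that file. Two details matter in practice: 2.6-era printk(KERN_INFO ...) bakes the loglevel into the string, so strings shows “<6>dm9000a Ethernet Driver” while the source only has “dm9000a Ethernet Driver”, and the script strips that prefix before grepping; and the strings default minimum of 4 bytes produces many false hits from code bytes, so anything shorter than min_len is ignored (lower it if you want to chase the “nYgq,”-style ones as well). The demo_tree() function builds a tiny constructed stand-in for a kernel tree so the script runs offline; its Makefile lines and file names are made up for the demo and are not the real kernel's.

```python
# Added example, not code from the original post. The kernel tree built by
# demo_tree() is a constructed stand-in, not real kernel source.
import os
import re
import tempfile

# obj-$(CONFIG_FOO) += a.o b.o   (also lib-$(...) and the ":=" form)
_OBJ_RULE = re.compile(r"^(?:obj|lib)-\$\((CONFIG_[A-Z0-9_]+)\)\s*[+:]?=\s*(.*)$")
_LOGLEVEL = re.compile(r"^<[0-7]>")   # printk(KERN_INFO "...") stores "<6>..." in 2.6 kernels


def missing_strings(orig_strings, new_strings, min_len=6):
    """Strings in the vendor kernel that our build lacks, loglevel prefix stripped;
    short ones are dropped because 3-5 byte 'strings' hits are mostly code bytes."""
    ours = {_LOGLEVEL.sub("", s) for s in new_strings}
    theirs = {_LOGLEVEL.sub("", s) for s in orig_strings}
    return sorted(s for s in theirs - ours if len(s) >= min_len)


def find_sources(tree, needle):
    """Relative paths of .c/.h/.S files under tree containing needle (grep -rF equivalent)."""
    hits, needle_b = [], needle.encode()
    for root, _dirs, files in os.walk(tree):
        for fname in files:
            if fname.endswith((".c", ".h", ".S")):
                path = os.path.join(root, fname)
                with open(path, "rb") as fh:
                    if needle_b in fh.read():
                        hits.append(os.path.relpath(path, tree))
    return sorted(hits)


def config_symbols_for(tree, src_rel):
    """CONFIG_ symbols whose obj-$(...) rule in the file's own Makefile lists its .o."""
    directory, base = os.path.split(src_rel)
    obj = os.path.splitext(base)[0] + ".o"
    makefile = os.path.join(tree, directory, "Makefile")
    if not os.path.exists(makefile):
        return []
    with open(makefile) as fh:
        text = fh.read().replace("\\\n", " ")          # join backslash-continued lines
    rules = (_OBJ_RULE.match(line.strip()) for line in text.splitlines())
    return sorted({m.group(1) for m in rules if m and obj in m.group(2).split()})


def suggest_configs(tree, orig_strings, new_strings):
    """Map each missing string to the CONFIG_ symbols that would compile its source in."""
    result = {}
    for s in missing_strings(orig_strings, new_strings):
        syms = set()
        for src in find_sources(tree, s):
            syms.update(config_symbols_for(tree, src))
        result[s] = sorted(syms)
    return result


def demo_tree():
    """Constructed two-driver stand-in for a kernel tree (not real kernel source)."""
    tree = tempfile.mkdtemp(prefix="ktree_")
    net = os.path.join(tree, "drivers", "net")
    os.makedirs(net)
    with open(os.path.join(net, "Makefile"), "w") as fh:
        fh.write("obj-$(CONFIG_DM9000) += dm9000.o\n"
                 "obj-$(CONFIG_KS8851_MLL) += ks8851_mll.o \\\n\tks8851_common.o\n")
    with open(os.path.join(net, "dm9000.c"), "w") as fh:
        fh.write('printk(KERN_INFO "dm9000a Ethernet Driver\\n");\n')
    with open(os.path.join(net, "ks8851_mll.c"), "w") as fh:
        fh.write('printk(KERN_INFO "Micrel KSZ8851 driver with MLL interface\\n");\n')
    return tree


if __name__ == "__main__":
    # Feed real data with: orig = open("strings_kernel_orig.txt").read().splitlines(), etc.
    tree = demo_tree()
    orig = ["<6>dm9000a Ethernet Driver", "<6>Micrel KSZ8851 driver with MLL interface", "nYgq,"]
    new = ["<6>dm9000a Ethernet Driver"]
    for s, syms in suggest_configs(tree, orig, new).items():
        print("%-50s -> %s" % (s, ", ".join(syms) or "no obj-$(CONFIG_...) rule found"))
```

A string that maps to no symbol usually lives in a file that is always built, in an out-of-tree module, or in a file compiled through a multi-object rule (foo-objs += ...), which this script does not follow; those are the ones to inspect by hand.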

How to do backup of MTD partitions of your IPCamera

This is how I backed up the IP camera's partitions:

On this camera mtd0 is the whole flash (8 MiB):

/ # dd if=/dev/mtd0 of=/tmp/mtd0_fullflash.img bs=1k                                                         
8192+0 records in
8192+0 records out 

Send it to your FTP server:

/ # ftpput -v -u yourusername -p yourpassword 192.168.1.10 mtd0_fullflash.img /tmp/mtd0_fullflash.img

Replace 192.168.1.10 with your FTP server's address, and likewise yourusername and yourpassword.

Repeat the same steps for every other /dev/mtdN partition (they are listed in /proc/mtd).

P.S.: Instead of uploading with ftpput you can also copy the files into the camera's web root (/mnt/www/) and download them from the camera's HTTP server.
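As an added example (not from the original post), here is a host-side consistency check to run on the dumps before trusting them as a recovery image: parse /proc/mtd, derive each partition's offset, verify that every per-partition dump has exactly the partition's size and is byte-identical to the corresponding slice of the whole-chip mtd0 dump, and record a sha256 per file. /proc/mtd does not list offsets, so the script assumes the partitions other than the whole-chip entry are contiguous and in address order (true for a mtdparts= layout); the PROC_MTD_SAMPLE text and the random chip contents in demo_dumps() are constructed for the demo, not read from a camera.

```python
# Added example, not code from the original post. PROC_MTD_SAMPLE and the data
# made by demo_dumps() are constructed; point the functions at real files instead.
import hashlib
import os
import re

_PROC_MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')

# Constructed /proc/mtd in the shape the post describes: mtd0 spans the whole chip
# and the remaining entries are the partitions inside it.
PROC_MTD_SAMPLE = """\
dev:    size   erasesize  name
mtd0: 00800000 00010000 "whole-flash"
mtd1: 00030000 00010000 "ARMboot"
mtd2: 00360000 00010000 "Kernel"
mtd3: 003e0000 00010000 "RootFS"
mtd4: 00080000 00010000 "IpcamFS"
mtd5: 00010000 00010000 "param"
"""


def parse_proc_mtd(text):
    """Return [(index, size, erasesize, name)] from the text of /proc/mtd."""
    out = []
    for line in text.splitlines():
        m = _PROC_MTD_LINE.match(line.strip())
        if m:
            idx, size, esz, name = m.groups()
            out.append((int(idx), int(size, 16), int(esz, 16), name))
    return out


def layout_from_proc_mtd(entries, whole_index=0):
    """Map name -> (offset, size). /proc/mtd carries no offsets, so the partitions
    other than the whole-chip entry are assumed contiguous and in address order
    (as mtdparts= defines them); the whole-chip size is checked against their sum."""
    layout, off, whole = {}, 0, None
    for idx, size, _esz, name in entries:
        if idx == whole_index:
            whole = (name, size)
            layout[name] = (0, size)
        else:
            layout[name] = (off, size)
            off += size
    if whole and whole[1] != off:
        raise ValueError("partitions sum to 0x%x but %s is 0x%x" % (off, whole[0], whole[1]))
    return layout


def verify_dumps(full_image, dumps, layout):
    """Compare each partition dump with the matching slice of the whole-chip dump.
    Returns a list of problems; an empty list means the dumps agree with each other."""
    problems = []
    for name, blob in dumps.items():
        off, size = layout[name]
        if len(blob) != size:
            problems.append("%s: dump is %d bytes, partition is %d" % (name, len(blob), size))
        elif full_image[off:off + size] != blob:
            problems.append("%s: differs from the whole-chip image at offset 0x%x" % (name, off))
    return problems


def sha256_manifest(dumps):
    """sha256 per dump, to keep next to the backups and re-check before ever flashing them."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in sorted(dumps.items())}


def demo_dumps(layout, whole="whole-flash"):
    """Constructed stand-ins for the dd output: random chip contents and matching slices."""
    full = os.urandom(layout[whole][1])
    dumps = {n: full[o:o + s] for n, (o, s) in layout.items() if n != whole}
    return full, dumps


if __name__ == "__main__":
    # With real dumps: full = open("mtd0_fullflash.img", "rb").read(), dumps = {name: open(...).read()}
    layout = layout_from_proc_mtd(parse_proc_mtd(PROC_MTD_SAMPLE))
    full, dumps = demo_dumps(layout)
    print("problems:", verify_dumps(full, dumps, layout) or "none")
    for name, digest in sha256_manifest(dumps).items():
        print(digest, name)
```

A dump that is shorter than its partition almost always means dd hit an error part-way (look for a "+1" in the records count or an I/O error); a dump that differs from the whole-chip slice means either the offsets assumption is wrong for this board or the flash changed between the two reads (for example the param partition being rewritten).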

Do you think IP cameras are unsafe? Welcome Baby!

I bought an IP Camera (to use inside a product we are developing) similar to this one:
http://www.alibaba.com/product-detail/H-264-960H-the-smallest-38x38mm_1389016530.html

Unfortunately it arrived with no documentation; I even had to find its IP address myself. That was not a big problem, since these cameras normally come with an address in the 192.168.1.x range.

Pinging through that range quickly showed it at 192.168.1.168.

Now let's see which ports are open:

$ sudo nmap -sS -P0 192.168.1.168

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-08 20:47 EST
Nmap scan report for 192.168.1.168
Host is up (0.099s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
3001/tcp open  nessus
8080/tcp open  http-proxy
MAC Address: 00:A7:21:63:A7:7F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds

Wow, the telnet port is open. (Without -sV the SERVICE column is only Nmap's port-number lookup, so “nessus” on 3001 says nothing about what really listens there.) Let's try it:

$ telnet 192.168.1.168
Trying 192.168.1.168...
Connected to 192.168.1.168.
Escape character is '^]'.

A320D login: root
Welcome!Baby!
[~]#

CRAZY!!! It let me log in as root with no password at all and greeted me with a cheerful “Welcome!Baby!” message!

It is funny to me, but for anyone who exposes one of these cameras to the Internet to protect their property it is very dangerous: whoever can reach port 23 gets a root shell on the device, no exploit required.
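As an added example (not from the original post), here is a read-only check for exactly this misconfiguration, useful for sweeping every camera you are responsible for: it connects to the telnet port, strips the option negotiation a real telnetd sends before the prompt (this code does not answer it, which BusyBox's telnetd generally tolerates), answers the login prompt with root and reports whether a shell prompt came back without a password prompt in between. It never sends a command after the login name. The start_fake_telnetd() function is a constructed stand-in for the camera, using the “A320D login:” and “Welcome!Baby!” strings from the session above, so the check can be exercised against 127.0.0.1 without a device; run it only against hosts you are authorized to test.

```python
# Added example, not code from the original post. start_fake_telnetd() is a
# constructed stand-in for the camera so the check can run offline.
import socket
import threading

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_iac(data):
    """Drop telnet option negotiation (IAC sequences) so prompts can be matched as text."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < n and data[i + 1] == IAC:          # IAC IAC is an escaped 0xff byte
            out.append(IAC)
            i += 2
        elif i + 1 < n and data[i + 1] == SB:           # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif i + 1 < n and data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                                      # IAC <cmd> <option>
        else:
            i += 2                                      # two-byte command
    return bytes(out)


def _read_until(sock, markers, limit=4096):
    """Read until a marker shows up in the IAC-stripped stream, or EOF/timeout/limit."""
    raw = b""
    while len(raw) < limit:
        try:
            chunk = sock.recv(512)
        except socket.timeout:
            break
        if not chunk:
            break
        raw += chunk
        if any(m in strip_iac(raw) for m in markers):
            break
    return strip_iac(raw)


def looks_like_shell(text):
    """A '#' or '$' prompt at the end of the reply, e.g. the camera's '[~]#'."""
    return text.rstrip().endswith((b"#", b"$"))


def passwordless_root_telnet(host, port=23, user=b"root", timeout=3.0):
    """Answer the login prompt with `user` and return (vulnerable, transcript):
    True only if a shell prompt appears with no password prompt in between.
    Read-only: nothing is typed after the login name."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_until(s, (b"login:",))
        if b"login:" not in banner:
            return False, banner
        s.sendall(user + b"\r\n")
        reply = _read_until(s, (b"assword:", b"# ", b"$ "))
    transcript = banner + reply
    if b"assword:" in reply:
        return False, transcript
    return looks_like_shell(reply), transcript


def start_fake_telnetd(ask_password):
    """Constructed stand-in for the camera's telnetd on 127.0.0.1; returns the port.
    It negotiates options like a real daemon, prompts 'A320D login:', then either
    asks for a password or, like the camera above, drops straight to a root prompt."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(bytes([IAC, WILL, 1, IAC, DO, 3]) + b"\r\nA320D login: ")
            _read_until(conn, (b"\n",))
            conn.sendall(b"Password: " if ask_password else b"Welcome!Baby!\r\n[~]# ")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against a real device: passwordless_root_telnet("192.168.1.168")
    vulnerable, transcript = passwordless_root_telnet("127.0.0.1", start_fake_telnetd(False))
    print("root shell without a password:", vulnerable)
    print(transcript.decode(errors="replace"))
```

The check deliberately stops at the prompt: confirming the hole does not require running anything as root, and a sweep that only ever sends a login name is easy to justify to whoever owns the devices.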

UPDATE: More info about the camera's hardware/processor:

[~]# cat /proc/cpuinfo
Processor       : FA626TE rev 1 (v5l)
BogoMIPS        : 532.48
Features        : swp half thumb 
CPU implementer : 0x66
CPU architecture: 5TE
CPU variant     : 0x0
CPU part        : 0x626
CPU revision    : 1

Hardware        : Faraday GM8126
Revision        : 0000
Serial          : 0000000000000000

UPDATE 2: I did not find a serial header on the board, so I looked in the datasheet and found that UART1 RX is pin 87 and TX is pin 88. I ran thin wires from my USB/serial adapter to pins 87 and 88 and, after trying many serial settings, found that they use the unusual rate of 38400 8N1 (the kernel command line below confirms the 38400). Then I finally got the boot log:

MP SPI-NOR Bootstrap v0.2
Boot image offset: 0x10000. Booting Image .....
0567Will set the following freq...
PLL1: 800 MHz, PLL2: 540 MHz, CPU freq: 540 MHz, AHB freq: 270 MHz, DDR freq: 8z
go...

*********************************************
Please input Space to run Linux
Please input ESC to run UBOOT
Please input . to run burn-in
Otherwise, system will run Linux after 5 sec
*********************************************
Load image from SPI-NOR offset 0x80000 to sdram 0x4000000
Jump 0x4000000
Uncompressing Linux.............................................................
Linux version 2.6.28 (root@localhost.localdomain) (gcc version 4.4.0 (Faraday C3
CPU: FA626TE [66056261] revision 1 (ARMv5TE), cr=0000797f
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Machine: Faraday GM8126
Warning: bad configuration page, trying to continue
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: mem=128M console=uart,shift,2,io,0xF9830000,38400
Early serial console at I/O port 0xf9830000 (options '38400', shift 2)          
console [uart0] enabled                                                         
PID hash table entries: 512 (order: 9, 2048 bytes)                              
IC: GM8128 MP                                                                   
GM Clock: CPU = 540 MHz, AHBCLK = 270 MHz, PLL1CLK = 800 MHz, PLL2CLK = 540 MHz 
console handover: boot [uart0] -> real [ttyS0]                                  
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)                  
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)                    
Memory: 128MB = 128MB total                                                     
Memory: 118528KB available (3697K code, 187K data, 7316K init)                  
Calibrating delay loop... 532.48 BogoMIPS (lpj=266240)                          
Mount-cache hash table entries: 512                                             
CPU: Testing write buffer coherency: ok                                         
net_namespace: 424 bytes                                                        
Fmem: node 0 is online, alloc pages = 20480(active pages = 32768)               
high_memory:0xc8000000, VM Start:0xc8800000, End:0xe0000000                     
NET: Registered protocol family 16                                              
PMU: Mapped at 0xf9900000                                                       
pmu_get_cpu_clk:221                            
Attach GM AHB-DMA Driver                                                        
SCSI subsystem initialized                                                      
usbcore: registered new interface driver usbfs                                  
usbcore: registered new interface driver hub                                    
usbcore: registered new device driver usb                                       
Switched to NOHz mode on CPU #0                                                 
NET: Registered protocol family 2                                               
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)                  
TCP established hash table entries: 4096 (order: 3, 32768 bytes)                
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)                       
TCP: Hash tables configured (established 4096 bind 4096)                        
TCP reno registered                                                             
NET: Registered protocol family 1                                               
Video Timer(timer3) Max 31000ms in 0xf9720840 HZ.                               
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 231                                                      
io scheduler noop registered                                                    
io scheduler anticipatory registered (default)                                  
io scheduler deadline registered                                                
io scheduler cfq registered                                                     
probe ftgpio010.0 OK!!, at c8858000                                             
probe ftgpio010.1 OK!!, at c885c000                                             
probe ftgpio010.2 OK!!, at c8860000                                             
Serial: 8250/16550 driver 4 ports, IRQ sharing disabled                         
serial8250: ttyS0 at I/O 0xf9830000 (irq = 9) is a 16550A                       
serial8250: ttyS1 at I/O 0xf9840000 (irq = 10) is a 16550A                      
serial8250: ttyS2 at I/O 0xf9850000 (irq = 20) is a 16550A                      
serial8250: ttyS3 at I/O 0xf9880000 (irq = 21) is a 16550A                      
brd: module loaded                                                              
loop: module loaded                                                             
PPP generic driver version 2.4.2                                                
NET: Registered protocol family 24                                              
rtl8150: v0.6.2 (2004/08/27):rtl8150 based usb-ethernet driver                  
usbcore: registered new interface driver rtl8150                                
usbcore: registered new interface driver asix                                   
usbcore: registered new interface driver cdc_ether                              
usbcore: registered new interface driver net1080                                
usbcore: registered new interface driver cdc_subset                             
usbcore: registered new interface driver zaurus                                 
Linux video capture interface: v2.00                                            
Driver 'sd' needs updating - please use bus_type methods                        
Driver 'sr' needs updating - please use bus_type methods                        
Creating 6 MTD partitions on "wb_spi_flash":                                    
0x00080000-0x00eff000 : "Linux Section"                                         
0x00f00000-0x01000000 : "User Section"                                          
0x00001000-0x00010000 : "Loader Section"                                        
0x00010000-0x00060000 : "BurnIn Section"                                        
0x00060000-0x0007e000 : "UBoot Section"                                         
0x0007e000-0x00080000 : "CFG Section"                                           
Probe FTSSP010 SPI Controller at 0x98200000 (irq 6)                             
usbmon: debugfs is not available                                                
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver                      
AMBA bus_register ok                                                            
Enter Device A                                                                  
temp = 340                                                                      
Drive Vbus because of ID pin shows Device A                                     
otg2xx device_register ok                                                       
AMBA_bus_match(...) Found Driver FOTG2XX_DRV                                    
AMBA_bus_match(...) Found Driver FOTG2XX_DRV                                    
FOTG2XX_DRV fotg2xx_dev: GM  USB2.0 Host Controller                             
FOTG2XX_DRV fotg2xx_dev: new USB bus registered, assigned bus number 1          
FOTG2XX_DRV fotg2xx_dev: irq 4, io mem 0xf9220000                               
FOTG2XX_DRV fotg2xx_dev: USB 2.0 started, EHCI 1.00                             
usb usb1: configuration #1 chosen from 1 choice                                 
hub 1-0:1.0: USB hub found                                                      
hub 1-0:1.0: 1 port detected                                                    
FOTG200 Controller Initialization                                               
fotg200 int enable = 1f30                                                       
Initializing USB Mass Storage driver...                                         
usbcore: registered new interface driver usb-storage                            
USB Mass Storage support registered.                                            
mice: PS/2 mouse device common for all mice                                     
i2c /dev entries driver                                                         
ftiic010 ftiic010.0: irq 18, mapped at c886c000                                 
usbcore: registered new interface driver usbhid                                 
usbhid: v2.6:USB HID core driver                                                
Advanced Linux Sound Architecture Driver Version 1.0.18rc3.                     
ALSA device list:                                                               
  No soundcards found.                                                          
TCP cubic registered                                                            
NET: Registered protocol family 17                                              
RPC: Registered udp transport module.                                           
RPC: Registered tcp transport module.                                           
Freeing init memory: 7316K                                                      
***************************************                                         
Busybox starts to run                                                           
***************************************                                         
Mounting root fs rw ...                                                         
Mounting other filesystems ...                                                  
Setting hostname ...                                                            
Mounting user's MTD partion                                                     
FTMAC with FARADAY Internal PHY support                                         
Has JFFS2 on mtdblock1FTMAC110 Driver (Linux 2.6) 01/10/11 - (C) 2011 GM Corp.  
                                                                                
reset Faraday Internal PHY.                                                     
mmc0: SDHCI controller on  [ftsdc010] using DMA                           
ftrtc011 ftrtc011: rtc core: registered ftrtc011 as rtc0                        
                                                                                
Frammap: 1536 pages in DDR0 are freed.                                          
Frammap: DDR0: memory base=0x1800000, memory size=0x4a00000, alignment=256K     
Frammap: version 0.28.3, 1 DDR is managed.                                      
                                                                                
VideoGraph v0.44 You may use                                                    
   #echo 11 > /proc/videograph/dbg                                              
to enable debug mode (0xbf05050c)                                               
Debug message at 0xc88fc000 start pointer 0xbf0705f0 size 0x124f80              
Insert dvr_common driver done.                                                  
Platform GM812600                                                               
    enc_in0=(buf: 4177920,6,0)                                                  
    enc_in0_d=(buf: 4177920,6,1)                                                
    enc_out0=(res: 1920,1088)                                                   
    enc_out0=(buf: 1775616,4,0)                                                 
    ssenc_out0=(buf: 1775616,1,0)                                               
    sub1_enc_out0=(res: 1920,1088)                                              
    sub1_enc_out0=(buf: 1775616,3,0)                                            
    sub2_enc_out0=(res: 1920,1088)                                              
    sub2_enc_out0=(buf: 1775616,3,0)                                            
    enc_in1=(buf: 614400,4,0)                                                   
    enc_in1_d=(buf: 614400,4,1)                                                 
    enc_out1=(res: 640,480)                                                     
    enc_out1=(buf: 261120,4,0)                                                  
    scl0_out1=(res: 320,240)                                                    
    scl0_out1=(buf: 153600,2,0)                                                 
    scl1_out1=(res: 160,112)                                                    
    scl1_out1=(buf: 35840,2,0)                                                  
    ssenc_out1=(buf: 261120,1,0)                                                
    sub1_enc_out1=(res: 640,480)                                                
    sub1_enc_out1=(buf: 261120,3,0)                                             
    sub2_enc_out1=(res: 640,480)                                                
    sub2_enc_out1=(buf: 261120,3,0)                                             
    enc_in2=(buf: 153600,4,0)                                                   
    enc_in2_d=(buf: 153600,4,1)                                                 
    enc_out2=(res: 320,240)                                                     
    enc_out2=(buf: 65280,4,0)                                                   
    ssenc_out2=(buf: 65280,1,0)                                                 
    sub1_enc_out2=(res: 320,240)                                                
    sub1_enc_out2=(buf: 65280,3,0)                                              
    sub2_enc_out2=(res: 320,240)                                                
    sub2_enc_out2=(buf: 65280,3,0)                                              
    enc_in3=(buf: 35840,4,0)                                                    
    enc_in3_d=(buf: 35840,4,1)                                                  
    enc_out3=(res: 160,112)                                                     
    enc_out3=(buf: 15232,4,0)                                                   
    ssenc_out3=(buf: 15232,1,0)                                                 
    sub1_enc_out3=(res: 160,112)                                                
    sub1_enc_out3=(buf: 15232,3,0)                                              
    sub2_enc_out3=(res: 160,112)                                                
    sub2_enc_out3=(buf: 15232,3,0)                                              
ISP v3.06, built @ Mar  8 2013 16:32:20                                         
set cmos clk out 27000000 Hz                                                    
sen_ar0331(init): sensor v:8192                                                 
                                                                                
pclk(74250000) XCLK(27000000)                                                   
t_row=2963 pclk=74250000                                                        
fcap: V0.3.13                                                                   
vcap_dev: [0]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0                              
                LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1        
                                                                                
fcap: [0]: Link List mode!                                                      
fcap: fosd00: minor=56                                                          
fcap: fosd02: minor=55                                                          
fcap: fosd01: minor=54                                                          
fcap: fosd03: minor=53                                                          
vcap_dev: [1]:bAlbum_bug=0, bCrop_bug=1, bCU_bug=0                              
                LL_BusDeadlock_bug=0, bSupportSplitOSDDispRamWritePort=1        
                                                                                
fcap: [1]: Link List mode!                                                      
fcap: fosd10: minor=52                                                          
fcap: fosd12: minor=51                                                          
fcap: fosd11: minor=50                                                          
fcap: fosd13: minor=49                                                          
load CFG: /mnt/mtd/isp_ar0331.cfg                                               
glare_enable(0), entry_S1base_ev(1723), glare_th(150)                           
pclk(74250000) XCLK(27000000)                                                   
t_row=2963 pclk=74250000                                                        
SCL: Version, v1.17                                                             
SCL: div:4                                                                      
FAVC Encoder IRQ mode(29)v4.2.1                                                 
FAVC codec Max Resolution is 1920x1072, built @ Apr 24 2013 15:37:02            
                                                                                
FTDI210 registers 32 entities to video graph!                                   
FTDI210 Driver v1.4 (1 engine(s))                                               
ft-32ssp: common[ver:0.3.4] INIT OK!                                            
card->cardno = 2                                                                
card->pbase = 98a00000                                                          
card->vbase = c8bfe000                                                          
card->irq = 11                                                                  
my_card->capture.dma_ch = 4                                                     
my_card->playback.dma_ch = 5                                                    
ft-32ssp: SoundCard(2) attached OK (c65561d0)                                   
I2S probe ok in Slave mode.                                                     
Init SAR ADC done.                                                              
register sar adc device (0) OK!!                                                
Please: mknod /dev/th_gpio c 222 0                                              
crwth_gpio init() ok!                                                           
-rw----    1 root     root     254,   0 Jan  1 00:00 /dev/rtc0                  
***************************************                                         
  Please: mknod /dev/th_key c 223 0                                             
  th_key init() ok!                                                             
  IP camera starts to run                                                       
***************************************                                         
mount: mounting /dev/mmcblk0p1 on /sd/ failed: No such file or directory        
                                                                                
                                                                                
                                                                                
                                                                                
            ****************************************************
                            NVS & DVS & IPCAM                    

                    SoftVersion : V24.13292.01.71
  
                    FileVersion : 2013.10.28
  
            ****************************************************

1970-01-01 00:00:04
SDTimeJudError1 = 1
killall: rtsp: no process killed
sh: /app/rtsp: not found
connect_to_server fd:0 
Y--ExistWiFi 0 
NotExistAudio 0 
NotExistIO    0 
NotExistRS485 0 
fcap: [0]:OSD P0 default fonts num=42

ispfcap: [0]:OSD P1 default fonts num=42

_set_init() OK!
Init                                                                            
H264 rate control version: fix 0.95                                             
SigPlatform 8126 version 81262210                                               
nafcap: [0]:IN=ISP                                                              
l RecvEvent! SenseSignalID:64                                                   
TApp::TApp()                                                                    
Init TDiskMgr                                                                   
Init (UDP) Talk in IP:239.255.255.250 Port:3001                                 
Init CtrlPTZ                                                                    
 BPS 2400 DataBit 8 ParityCheck 0 StopBit 0                                     
InitPTZ() OK!                                                                   
(dataout_0) Timeout to wait AP buffer get, skip! (0x952d,0x973f flow 528)       
                                                                                
##### Transfer Group 0 Done,746ms!                                              
fcap_lli(dev_handle_irq): [0]:P1 miss frame done!(frame_cnt=0x00000018,mach_sta)
                                                                                
Init (TCP) CmdSvr in LocalPort:3001                                             
Init (UDP) uPnP in IP:239.255.255.250 Port:1900                                 
1970-01-01 00:00:05                                                             
open /dev/fosd00                                                                
open device:/dev/fosd00 successfully!                                           
open /dev/fosd01                                                                
open device:/dev/fosd01 successfully!                                           
input_mode = 1                                                                  
fcap_lli(do_Reset_workqueue): [0]:Do reset after 1964 ms.(2000 ms)              
                                                                                
killall: onvif_gm: no process killed                                            
arg is error                                                                    
                                                                                
##### Transfer Group 1 Done,4136ms!                                             
/bin/sh: can't access tty; job control turned off                               
/ # Connect 19 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60720               
main  gCNetName:eth0!!!!                                                        
Connect 20 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60721                   
Connect 21 LocalPort 3001 RemoteIP 127.0.0.1 RemotePort 60722                   
ForceKeyFrame[0] == true                                                        
ForceKeyFrame_sub[0] == true

I got new Hi3518 IP Camera modules

I got two new IP Camera modules and found their serial pins:

IP Camera Hi3518

U-Boot 2010.06 (Aug 06 2013 - 11:53:06)                                      
                                                                             
DRAM:  256 MiB                                                               
NAND:  Special Nand id table Version 1.35                   
Nand ID: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00            
No NAND device found!!!                                     
0 MiB                                                       
Check spi flash controller v350... Found                    
Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00                  
Spi(cs1): Block:64KB Chip:16MB Name:"W25Q128B"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0 
16384 KiB hi_sfc at 0:0 is now current device

## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   Linux-3.0.8
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2724796 Bytes = 2.6 MiB
   Load Address: 80008000
   Entry Point:  80008000
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 3.0.8 (root@johhnny-desktop) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+ea3
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518
Memory policy: ECC disabled, Data cache writeback
AXI bus clock 200000000.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 18796
Kernel command line: mem=74M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=cramfs mtdparts=hi_sfc:1)
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 74MB = 74MB total
Memory: 69892k/69892k available, 5884k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc5000000 - 0xfe000000   ( 912 MB)
    lowmem  : 0xc0000000 - 0xc4a00000   (  74 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc0028000   ( 128 kB)
      .text : 0xc0028000 - 0xc04c9000   (4740 kB)
      .data : 0xc04ca000 - 0xc04e97c0   ( 126 kB)
       .bss : 0xc04e97e4 - 0xc0504e80   ( 110 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:32 nr_irqs:32 32
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
Console: colour dummy device 80x30
Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
bio: create slab  at 0
SCSI subsystem initialized
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
NetWinder Floating Point Emulator V0.97 (double precision)
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 136
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
TS82 driver for HI3518C
Pass authentication ... ... 
brd: module loaded
loop: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00
SPI FLASH start_up_mode is 3 Bytes
Spi(cs1): 
Block:64KB 
Chip:16MB 
Name:"W25Q128B"
spi size: 0x16777216
chip num: 1
4 cmdlinepart partitions found on MTD device hi_sfc
Creating 4 MTD partitions on "hi_sfc":
0x000000000000-0x000000100000 : "boot"
0x000000100000-0x000000400000 : "kernel"
0x000000400000-0x000000480000 : "dataBlock"
0x000000480000-0x000001000000 : "rootfs"
Fixed MDIO Bus: probed
himii: probed
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
mousedev: PS/2 mouse device common for all mice
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
Registering the dns_resolver key type
registered taskstats version 1
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
VFS: Mounted root (cramfs filesystem) readonly on device 31:3.
Freeing init memory: 128K

            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
udevd (463): /proc/463/oom_adj is deprecated, please use /proc/463/oom_score_adj instead.
CMEMK module: built on Mar  6 2013 at 16:34:50
  Reference Linux version 3.0.8
  File /AppData/his/sdk/Hi3518_SDK_V1.0.3.0/drv_test/cmem/src/module/cmemk.c
allocated heap buffer 0xc6000000 of size 0xe00000
cmemk initialized
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0008: 0x00000000 --> 0x00000001 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0018: 0x00000000 --> 0x00000001 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f001c: 0x00000000 --> 0x00000001 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0124: 0x00000000 --> 0x00000000 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140400: 0x00000038 --> 0x00000002 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x201403fc: 0x00000034 --> 0x00000002 
[END]
ADC_CH0 driver ADC detect
Set IR-CUT default
1111, set ircut to night mod
2222, set ircut to day mod
3333, ircut init
Init IRCUT ADC
Current ADC. Vol. 92
Hisilicon Watchdog Timer: 0.01 initialized. default_margin=30 sec (nowayout= 0, nodeamon= 1)
hi_i2c init is ok!
(none) login: *** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20030030: 0x00000000 --> 0x00000001 
[END]
reset sensor ov9712 finish ...
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20030030: 0x00000001 --> 0x00000005 
[END]
reset sensor ar0130 finish ...
hi3518_detect_sensor_type():  hi3518c_detect_sensor_type(): get ar0130 sensor, GPIO0_7=0
detected sensor type is 3
Hisilicon Media Memory Zone Manager
hi3518_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Hisilicon UMAP device driver interface: v3.00
pa:84a00000, va:c5200000
load sys.ko for Hi3518...OK!
load viu.ko for Hi3518...OK!
ISP Mod init!
load vpss.ko ....OK!
load vou.ko ....OK!
load venc.ko for Hi3518...OK!
load group.ko for Hi3518...OK!
load chnl.ko for Hi3518...OK!
load h264e.ko for Hi3518...OK!
load jpege.ko for Hi3518...OK!
load rc.ko for Hi3518...OK!
load region.ko ....OK!
load vda.ko ....OK!
hi_i2c init is ok!
Kernel: ssp initial ok!
acodec inited!
insert audio
==== Your input Sensor type is ar0130 ====
sys_montor enter main loop...
tcp_mon start main loop...
encode_mon enter main loop...
sys_daemon mount /dev/mtdblock2 success
sys_daemon disable console
ADDRCONF(NETDEV_UP): eth0: link is not ready
Set IR-CUT default
SET IRCUT PASSIVE MODE
get cmd to enable adc printk
i=1, curVol=0x1e, tmpVOL=0x153, ircutMode=1, ircutStatus=0
PHY: himii:01 - Link is Up - 100/Full
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

Login timed out after 60 seconds
IPNC login: 
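
Both Hi3518 logs on this page print the MTD table the kernel derived from its mtdparts= argument, but the command line in the log above is cut off by the capture, and before reflashing a camera the only way to know what a new layout will look like is to work the offsets out by hand. As an added example that is not part of the original post, the Python below parses an mtdparts= string using the kernel cmdlinepart rules (partitions placed back to back, an optional @offset, a size of "-" meaning the rest of the chip, a trailing ro flag), renders the result in the same form as the kernel's "Creating N MTD partitions" lines, and checks for overlapping partitions, erase-block misalignment and partitions running past the end of the 16 MB W25Q128B. The command line it parses is the full one from the Alibaba camera's log further down the page; the four-partition string is constructed here to reproduce the table in the log above, whose own command line is truncated.

```python
import re
from dataclasses import dataclass

# Full kernel command line from the second Hi3518 boot log on this page
# (the first Hi3518 log has its mtdparts= argument cut off by the capture).
CMDLINE = ("mem=80M console=ttyAMA0,115200 root=0100 init=/linuxrc "
           "mtdparts=hi_sfc:256K(uboot),128K(env),128K(user),256K(config),"
           "3328K(kernel),12M(rootfs) ramdisk_size=0XC00000")

CHIP_SIZE = 16 * 1024 * 1024   # "Chip:16MB" as U-Boot reports for the W25Q128B
ERASE_SIZE = 64 * 1024         # "Block:64KB" from the same line

_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>][(<name>)][ro][lk]  -- decimal sizes with k/m/g suffix, as in the logs
_PART_RE = re.compile(r"^(?P<size>-|\d+[kKmMgG]?)(?:@(?P<off>\d+[kKmMgG]?))?"
                      r"(?:\((?P<name>[^)]*)\))?(?P<flags>(?:ro|lk)*)$")


@dataclass
class Partition:
    name: str
    offset: int
    size: int
    readonly: bool


def _parse_size(text):
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad size {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]


def mtdparts_from_cmdline(cmdline):
    """Pull the mtdparts= value out of a kernel command line."""
    for tok in cmdline.split():
        if tok.startswith("mtdparts="):
            return tok[len("mtdparts="):]
    raise ValueError("no mtdparts= on command line")


def parse_mtdparts(mtdparts, chip_size):
    """Expand one <mtd-id>:<partdef>,... definition into absolute partitions.
    Partitions follow each other unless an explicit @offset is given; '-' takes
    whatever is left of the chip; unnamed entries get the kernel's Partition_NNN."""
    mtd_id, _, partdefs = mtdparts.partition(":")
    if not partdefs:
        raise ValueError("no partition list")
    parts, cursor = [], 0
    for i, pdef in enumerate(partdefs.split(",")):
        m = _PART_RE.match(pdef)
        if not m:
            raise ValueError(f"bad partdef {pdef!r}")
        offset = _parse_size(m["off"]) if m["off"] else cursor
        size = chip_size - offset if m["size"] == "-" else _parse_size(m["size"])
        name = m["name"] if m["name"] is not None else f"Partition_{i:03d}"
        parts.append(Partition(name, offset, size, "ro" in m["flags"]))
        cursor = offset + size
    return mtd_id, parts


def format_kernel_style(parts):
    """Render the table the way the kernel logs it under 'Creating N MTD partitions'."""
    return [f'0x{p.offset:012x}-0x{p.offset + p.size:012x} : "{p.name}"' for p in parts]


def check_layout(parts, chip_size, erase_size):
    """Sanity checks before flashing: no overlaps, every boundary on an erase
    block, nothing past the end of the chip. Returns a list of problem strings."""
    problems = []
    ordered = sorted(parts, key=lambda p: p.offset)
    for a, b in zip(ordered, ordered[1:]):
        if a.offset + a.size > b.offset:
            problems.append(f"{a.name} overlaps {b.name}")
    for p in parts:
        if p.offset % erase_size or p.size % erase_size:
            problems.append(f"{p.name} not aligned to {erase_size:#x}")
        if p.offset + p.size > chip_size:
            problems.append(f"{p.name} runs past end of chip")
    return problems


if __name__ == "__main__":
    mtd_id, parts = parse_mtdparts(mtdparts_from_cmdline(CMDLINE), CHIP_SIZE)
    print(f'Creating {len(parts)} MTD partitions on "{mtd_id}":')
    print("\n".join(format_kernel_style(parts)))
    print("problems:", check_layout(parts, CHIP_SIZE, ERASE_SIZE) or "none")
    # Constructed string reproducing the 4-partition table from the truncated log.
    _, p4 = parse_mtdparts("hi_sfc:1M(boot),3M(kernel),512K(dataBlock),-(rootfs)", CHIP_SIZE)
    print("\n".join(format_kernel_style(p4)))
```

The output for the six-partition command line matches the kernel's table line for line (uboot at 0x0, kernel at 0xc0000-0x400000, rootfs ending exactly at 0x1000000), which is the check worth running on any edited bootargs before erasing flash: an mtdparts string whose sizes do not add up simply produces a kernel that boots from, or writes to, the wrong region.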

Linux boot log from a cheap Hi3518 chinese IP Camera

We bought this IP Camera from Alibaba:

http://www.alibaba.com/product-detail/Low-Lux-1-3-Megapixel-HD_1498636656.html

Although the camera module they sent me is not exactly the same as the one in this link's picture, it appears to be a new version. Doing some debugging, I discovered that the serial TX/RX pins are connected to pins 15 and 16 respectively of a 20-pin flexible cable connector:


Connecting these pins to a USB/serial adapter and configuring a serial console terminal to 115200 8n1, I got this bootloader/kernel log:

U-Boot 2010.06 (Feb 26 2013 - 17:14:54)

DRAM:  128 MiB
Check spi flash controller v350... Found
Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00
Spi(cs1): Block:64KB Chip:16MB Name:"W25Q128B"
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0 
16384 KiB hi_sfc at 0:0 is now current device


## Booting kernel from Legacy Image at 82000000 ...
   Image Name:   Linux-3.0.8
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1795784 Bytes = 1.7 MiB
   Load Address: 80008000
   Entry Point:  80008000
## Loading init Ramdisk from Legacy Image at 83000000 ...
   Image Name:   JUAN filesystem
   Image Type:   ARM Linux RAMDisk Image (gzip compressed)
   Data Size:    6557696 Bytes = 6.3 MiB
   Load Address: 83000000
   Entry Point:  83000000
   Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 3.0.8 (root@ubuntu) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #2 Fri Jan 4 15:10:00 HKT 2013
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: hi3518
Memory policy: ECC disabled, Data cache writeback
AXI bus clock 200000000.
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 20320
Kernel command line: mem=80M console=ttyAMA0,115200 root=0100 init=/linuxrc mtdparts=hi_sfc:256K(uboot),128K(env),128K(user),256K(config),3328K(kernel),12M(rootfs) ramdisk_size=0XC00000
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 80MB = 80MB total
Memory: 69828k/69828k available, 12092k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc5800000 - 0xfe000000   ( 904 MB)
    lowmem  : 0xc0000000 - 0xc5000000   (  80 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc0028000   ( 128 kB)
      .text : 0xc0028000 - 0xc0486000   (4472 kB)
      .data : 0xc0486000 - 0xc04ad9e0   ( 159 kB)
       .bss : 0xc04ada04 - 0xc04ca620   ( 116 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:32 nr_irqs:32 32
sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
Console: colour dummy device 80x30
Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Serial: AMBA PL011 UART driver
uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
console [ttyAMA0] enabled
uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2
bio: create slab  at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (junk in compressed archive); looks like an initrd
Freeing initrd memory: 6404K
NetWinder Floating Point Emulator V0.97 (double precision)
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.16)
msgmni has been set to 148
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
brd: module loaded
loop: module loaded
Spi id table Version 1.22
Spi(cs1) ID: 0xEF 0x40 0x18 0x00 0x00 0x00
SPI FLASH start_up_mode is 3 Bytes
Spi(cs1): 
Block:64KB 
Chip:16MB 
Name:"W25Q128B"
spi size: 0x16777216
chip num: 1
6 cmdlinepart partitions found on MTD device hi_sfc
Creating 6 MTD partitions on "hi_sfc":
0x000000000000-0x000000040000 : "uboot"
0x000000040000-0x000000060000 : "env"
0x000000060000-0x000000080000 : "user"
0x000000080000-0x0000000c0000 : "config"
0x0000000c0000-0x000000400000 : "kernel"
0x000000400000-0x000001000000 : "rootfs"
Special nand id table Version 1.35
Hisilicon Nand Flash Controller V301 Device Driver, Version 1.10
Nand ID: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
No NAND device found.
Fixed MDIO Bus: probed
himii: probed
usbcore: registered new interface driver rt2500usb
usbcore: registered new interface driver rt73usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
hiusb-ehci hiusb-ehci.0: HIUSB EHCI
hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1
hiusb-ehci hiusb-ehci.0: irq 15, io mem 0x100b0000
hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
hiusb-ohci hiusb-ohci.0: HIUSB OHCI
hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2
hiusb-ohci hiusb-ohci.0: irq 16, io mem 0x100a0000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
usbcore: registered new interface driver cdc_acm
cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
usbcore: registered new interface driver cdc_wdm
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver ums-alauda
usbcore: registered new interface driver ums-datafab
usbcore: registered new interface driver ums-freecom
usbcore: registered new interface driver ums-isd200
usbcore: registered new interface driver ums-jumpshot
usbcore: registered new interface driver ums-sddr09
usbcore: registered new interface driver ums-sddr55
usbcore: registered new interface driver mdc800
mdc800: v0.7.5 (30/10/2000):USB Driver for Mustek MDC800 Digital Camera
mousedev: PS/2 mouse device common for all mice
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
Registering the dns_resolver key type
registered taskstats version 1
drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
RAMDISK: squashfs filesystem found at block 0
RAMDISK: Loading 6403KiB [1 disk] into ram disk... done.
VFS: Mounted root (squashfs filesystem) readonly on device 1:0.
Freeing init memory: 128K

            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
udevd (509): /proc/509/oom_adj is deprecated, please use /proc/509/oom_score_adj instead.
[RCS]: /etc/init.d/S10mpp
ADDRCONF(NETDEV_UP): eth0: link is not ready
[RCS]: /etc/init.d/S80network
Hisilicon Media Memory Zone Manager
hi3518_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Hisilicon UMAP device driver interface: v3.00
pa:85000000, va:c5a00000
load sys.ko for Hi3518...OK!
load viu.ko for Hi3518...OK!
load vpss.ko ....OK!
load vou.ko ....OK!
load venc.ko for Hi3518...OK!
load group.ko for Hi3518...OK!
load chnl.ko for Hi3518...OK!
load h264e.ko for Hi3518...OK!
load jpege.ko for Hi3518...OK!
load rc.ko for Hi3518...OK!
load region.ko ....OK!
load vda.ko ....OK!
hi_i2c init is ok!
I2C->[i2cm_init]:588 I2C master for HI3518a @ 14:11:12 Jan  9 2013

WATCHDOG->[watchdog_init]:244 Watchdog register succeed!
Kernel: ssp initial ok!
ISP Mod init!
acodec inited!
insert audio
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x200f0124: 0x00000000 --> 0x00000000 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140400: 0x00000020 --> 0x00000022 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140008: 0x00000000 --> 0x00000002 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140008: 0x00000002 --> 0x00000000 
[END]
*** Board tools : ver0.0.1_20120501  *** 
[debug]: {source/utils/cmdshell.c:166}cmdstr:himm
0x20140008: 0x00000000 --> 0x00000002 
[END]
do you want to run app.out(y or n)?
Application Trigger!
hwclock: can't open '/dev/misc/rtc': No such file or directory
enter main application
[   sysconf.c: 385] SOC = HI3518C model = hi3518c-inception
[   sysconf.c: 270] Load sysconf success! verion: 1.1.3.1569B10, build:2013-10-25 11:11:2
device sn:C23C0234902512
[   sysconf.c: 338] Build CRC32 72b74581
Device Name: ip-camera
Device Model: IPC
Device ID: C23C0234902512
Device Software Version: 1.1.3 1569B10

Camera: 1
Audio: 0
Sensor: 1
Alarm: 0
Hard Disk Driver: 0
Series Code: C2


[      usrm.c: 210] MD5 "3b1a09a78a862d5c731ed6b5604ded0a"
WATCHDOG->[WATCHDOG_init]:297 get watchdog timeout:10 

hi3518c-inception
0x3000 0xffff
0xa 0x97
0xb 0x11
OV9712 sensor 720P30fps init success!
daylight mode!
saturation:128
[ media_buf.c:  42] media buf init success
[media_pool.c: 222] create media buf ch0_0.264
!!!!fps:25
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 0 interval 1

id:660
APP_OVERLAY_id_display :ID:234902512

0 684  --IPCAM
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:120 remove a task @ 0
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 0 interval 1

0 342  --IPCAM
[media_pool.c: 222] create media buf ch0_1.264
!!!!fps:25
0_0/1_2 title
overlay:0x6e6d78

0_0/1_2 id
overlay:0x6e6d40

0_0/1_2 clock
overlay:0x6e6d08

TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:120 remove a task @ 0
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 0 interval 1

id:660
APP_OVERLAY_id_display :ID:234902512
isp_ircut_control_daylight

0 684  --IPCAM
0_1/1_2 title
overlay:0x6e6f00

0_1/1_2 clock
overlay:0x6e6ec8

TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:120 remove a task @ 0
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 0 interval 1

0 342  --IPCAM
CH: 0
MODE: bitmap
THRESHOLD: 0.500
SIZE: 20x15
MASK:
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
####################
saturation set:50
contrast set:50
hue set:50
brightness set:50
SDK_ISP_set_scene_mode:0
pstAntiflicker.bEnable = 0
SDK_ISP_sensor_flicker---0:255   mode:1
SDK_ISP_set_WB_mode:0
SDK_ISP_set_ircut_control_mode:0
SDK_ISP_set_ircut_mode:0
SDK_ISP_set_WDR_enable:1
SDK_ISP_set_exposure_mode:0
SDK_ISP_set_denoise_enable:1
SDK_ISP_set_advance_anti_fog_enable:0
[   sysconf.c: 338] Build CRC32 72b74581
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 1 interval 5
TIMERTASK->[/root/nfs/git_ipc_1.1.x/path_trunk/ipcam/ipc_v1.1.x.1569/app_rebulid_release/src/timertask/timertask.c]:104 add a task @ 2 interval 5
cmd:ifconfig eth0:1 192.168.3.33 netmask 255.255.255.0
cmd:ifconfig eth0:2 192.168.168.168 netmask 255.255.255.0
IPCAM_network_init:GMT-8
[     httpd.c:  43] Add a new cgi "/livestream/11"
[     httpd.c:  43] Add a new cgi "/livestream/12"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/getidentify.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/param.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/getvdisplayattr.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/getvencattr.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzctrl.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/preset.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzup.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzdown.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzleft.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzright.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzzoomin.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/hi3510/ptzzoomout.cgi"
[     httpd.c:  43] Add a new cgi "/user/user_list.xml"
[     httpd.c:  43] Add a new cgi "/user/add_user.xml"
[     httpd.c:  43] Add a new cgi "/user/del_user.xml"
[     httpd.c:  43] Add a new cgi "/user/edit_user.xml"
[     httpd.c:  43] Add a new cgi "/user/set_pass.xml"
[     httpd.c:  43] Add a new cgi "/cgi-bin/gw2.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/upload.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/upgrade_rate.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/view.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin//view.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/flv.cgi"
[     httpd.c:  43] Add a new cgi "/cgi-bin/today.jpg"
[     httpd.c:  43] Add a new cgi "/moo"
[     httpd.c:  43] Add a new cgi "/whoami"
[     httpd.c:  43] Add a new cgi "/shell"
[     httpd.c:  43] Add a new cgi "/snapshot"
[     httpd.c:  43] Add a new cgi "/mjpeg"
[     httpd.c:  43] Add a new cgi "/mjpeg.html"
[     httpd.c:  43] Add a new cgi "/email"
[     httpd.c:  43] Add a new cgi "/hls.html"
[     httpd.c:  43] Add a new cgi "/m3u8"
[     httpd.c:  43] Add a new cgi "/hls/live.ts"
[     httpd.c:  43] Add a new cgi "/reg"
[     httpd.c:  43] Add a new cgi "/bubble/live"
reflesh arp:ping 192.168.1.1 -c 2
[     spook.c: 217] pid=766 tid=425aa4c0 begin
[     spook.c: 322] "minirtsp" got a spook vocation @ 0!
[     spook.c: 322] "owsp" got a spook vocation @ 1!
[     spook.c: 322] "bubble" got a spook vocation @ 2!
[     spook.c: 322] "onvif" got a spook vocation @ 3!
[     spook.c: 322] "httpd" got a spook vocation @ 4!
[     spook.c: 322] "rtmp" got a spook vocation @ 5!
[     spook.c: 322] "regRW" got a spook vocation @ 6!
PING 192.168.1.1 (192.168.1.1): 56 data bytes
device_id:IP_cameradf9690a02d179a6buozxfFc
generate device id: IP_cameradf9690a02d179a6buozxfFc
gw 192.168.1.1
me 192.168.1.168
[RUDPA |rudpa.c:473:RUDPA_init ]Rudpa start
ESEE DEVICE ID:JAC23C0234902512
send buf=12000000
[  ants_lib.c:2652] [IPC][ants_lib.c:00002652:ANTSLIB_init] Initialize Begin
get para type:ANTS_MID_GET_DEVICECFG -513
[  ants_lib.c:2654] [IPC][ants_lib.c:00002654:ANTSLIB_init] Initialize
[  ants_lib.c:2655] [IPC][ants_lib.c:00002655:ANTSLIB_init] Initialize End
[media_pool.c: 117] Media Pool(ch0_0.264) user changed(1/5)
[media_pool.c: 117] Media Pool(ch0_1.264) user changed(1/8)

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[RUDPA |esee.c:413:GetEseePlatInfo ]

Cant Get the EseePlatInfo

A step-by-step tutorial explaining how to reverse engineer the VStarCam H6837WI firmware

In this tutorial I will explain how to debug the encoder application to discover how it controls the camera motor.

Inside camera (serial terminal) execute:

# ./gdbserver 192.168.1.1:3333 /mnt/system/bin/encoder                   
Process /mnt/system/bin/encoder created; pid = 326                              
Listening on port 3333

On your workstation:

$ arm-linux-gdb encoder
(gdb) target remote 192.168.1.126:3333

Listing all defined functions:

(gdb) info fun
Non-debugging symbols:
0x0000a930  _init
0x0000a958  fileno
0x0000a964  getpagesize
0x0000a970  fputs
0x0000a97c  abort
0x0000a988  __errno_location
0x0000a994  sigemptyset
0x0000a9a0  sprintf
0x0000a9ac  popen
0x0000a9b8  open
0x0000a9c4  connect
0x0000a9d0  mmap
0x0000a9dc  snd_pcm_hw_params_any
0x0000a9e8  statfs64
0x0000a9f4  getpid
0x0000aa00  snd_output_close
0x0000aa0c  strerror
0x0000aa18  snd_pcm_close
0x0000aa24  getsockname
0x0000aa30  memcmp
0x0000aa3c  inet_ntoa
0x0000aa48  shutdown
0x0000aa54  snd_pcm_status_get_state
0x0000aa60  msgget
0x0000aa6c  signal
0x0000aa84  realloc
0x0000aa90  snd_pcm_hw_params_set_period_time_near
0x0000aa9c  snd_pcm_sw_params_get_xfer_align
0x0000aaa8  __xstat64
0x0000aab4  localtime
0x0000aac0  snd_pcm_prepare
0x0000aacc  snd_pcm_sw_params_sizeof
0x0000aad8  getgrnam
0x0000aae4  strchr
0x0000aaf0  vsnprintf
0x0000aafc  recv
0x0000ab08  getenv
0x0000ab14  sem_wait
0x0000ab20  inet_addr
0x0000ab2c  system
0x0000ab38  strncpy
0x0000ab44  putchar
0x0000ab50  write
0x0000ab5c  sendto
0x0000ab68  listen
0x0000ab74  lseek64
0x0000ab80  fgets
0x0000ab8c  memset
0x0000ab98  setitimer
0x0000aba4  fopen64
0x0000abb0  snd_pcm_status_get_trigger_tstamp
0x0000abbc  __strtol_internal
0x0000abc8  snd_pcm_hw_params_get_period_size
0x0000abd4  __libc_start_main
0x0000abe0  execl
0x0000abec  _IO_getc
0x0000abf8  _exit
0x0000ac04  snd_pcm_hw_params
0x0000ac10  snd_pcm_sw_params_set_avail_min
0x0000ac1c  strrchr
0x0000ac28  tcgetattr
0x0000ac34  snd_pcm_hw_params_sizeof
0x0000ac40  set_gpio_input
0x0000ac4c  piulib_init
0x0000ac58  read
0x0000ac64  msgsnd
0x0000ac70  perror
0x0000ac7c  usleep
0x0000ac88  snd_pcm_open
0x0000ac94  gettimeofday
0x0000aca0  fdopen
0x0000acac  __ctype_toupper_loc
0x0000acb8  free
0x0000acc4  siglongjmp
0x0000acd0  __lxstat64
0x0000acdc  snd_pcm_sw_params_set_xfer_align
0x0000ace8  snd_pcm_sw_params_set_sleep_min
0x0000acf4  access
0x0000ad00  sigaction
0x0000ad0c  fflush
0x0000ad18  snd_pcm_sw_params
0x0000ad24  piulib_exit
0x0000ad30  opendir
0x0000ad3c  accept
0x0000ad48  tcflush
0x0000ad54  ioctl
0x0000ad60  socket
0x0000ad6c  dup2
0x0000ad78  __ctype_b_loc
0x0000ad84  fseek
0x0000ad90  inet_aton
0x0000ad9c  pthread_mutex_unlock
0x0000ada8  snd_pcm_status_sizeof
0x0000adb4  isatty
0x0000adc0  umask
0x0000adcc  fclose
0x0000add8  setuid
0x0000ade4  snd_pcm_writei
0x0000adf0  mktime
0x0000adfc  readdir64
0x0000ae08  memcpy
0x0000ae14  cfsetospeed
0x0000ae20  strlen
0x0000ae2c  snd_pcm_wait
0x0000ae38  fopen
0x0000ae44  snd_pcm_readi
0x0000ae50  snd_pcm_resume
0x0000ae5c  snd_strerror
0x0000ae68  unlink
0x0000ae74  snd_pcm_sw_params_set_stop_threshold
0x0000ae80  getpwuid
0x0000ae8c  getppid
0x0000ae98  waitpid
0x0000aea4  feof
0x0000aeb0  strcpy
0x0000aebc  longjmp
0x0000aec8  printf
0x0000aed4  ftok
0x0000aee0  chdir
0x0000aeec  ctime
0x0000aef8  bind
0x0000af04  getuid
0x0000af10  snd_config_update_free_global
0x0000af1c  atoi
0x0000af28  mkstemp64
0x0000af34  select
0x0000af40  closedir
0x0000af4c  close
0x0000af58  fwrite
0x0000af64  snd_pcm_format_physical_width
0x0000af70  snd_pcm_hw_params_get_buffer_time_max
0x0000af7c  fprintf
0x0000af88  strstr
0x0000af94  time
0x0000afa0  setvbuf
0x0000afac  execve
0x0000afb8  malloc
0x0000afc4  snd_pcm_state_name
0x0000afd0  snd_pcm_hw_params_get_buffer_size
0x0000afdc  pthread_mutex_lock
0x0000afe8  sigprocmask
0x0000aff4  snd_pcm_info_sizeof
0x0000b000  gethostname
0x0000b00c  snd_pcm_hw_params_set_rate_near
0x0000b018  pthread_create
0x0000b024  snd_pcm_hw_params_set_access
0x0000b030  sleep
0x0000b03c  sigaddset
0x0000b048  msgrcv
0x0000b054  strncasecmp
0x0000b060  memmove
0x0000b06c  strcat
0x0000b078  send
0x0000b084  snd_pcm_hw_params_set_channels
0x0000b090  getcwd
0x0000b09c  sem_post
0x0000b0a8  snd_pcm_format_set_silence
0x0000b0b4  settimeofday
0x0000b0c0  puts
0x0000b0cc  fork
0x0000b0d8  __fxstat64
0x0000b0e4  setsockopt
0x0000b0f0  tcsetattr
0x0000b0fc  fcntl
0x0000b108  snd_pcm_hw_params_set_buffer_time_near
0x0000b114  sscanf
0x0000b120  gmtime
0x0000b12c  memchr
0x0000b138  strncmp
0x0000b144  open64
0x0000b150  snd_pcm_info
0x0000b15c  munmap
0x0000b168  pipe
0x0000b174  fread
0x0000b180  getsockopt
0x0000b18c  setgid
0x0000b198  snprintf
0x0000b1a4  mmap64
0x0000b1b0  init_gpio_lib
0x0000b1bc  snd_output_stdio_attach
0x0000b1c8  gethostbyname
0x0000b1d4  recvfrom
0x0000b1e0  ferror
0x0000b1ec  getpwnam
0x0000b1f8  strcmp
0x0000b204  __sigsetjmp
0x0000b210  herror
0x0000b21c  piu_register
0x0000b228  __strdup
0x0000b234  exit
0x0000b240  cfsetispeed
0x0000b24c  pclose
0x0000b258  sem_init
0x0000b264  set_gpio_output
0x0000b270  snd_pcm_hw_params_set_format
0x0000b27c  getgid
0x0000b288  snd_pcm_sw_params_current
0x0000b294  get_gpio_value
0x0000b2a0  snd_pcm_status
0x0000b2ac  piu_tx
0x0000b2b8  snd_pcm_sw_params_set_start_threshold
0x0000b2c4  geteuid
0x00049070  _fini
0x40008b20  _dl_rtld_di_serinfo
0x4000f660  _dl_debug_state
0x40010f60  _dl_mcount
0x40011320  __tls_get_addr
0x40011670  _dl_tls_setup
0x40011740  _dl_get_tls_static_info
0x40011850  _dl_allocate_tls_init
0x40011a90  _dl_allocate_tls
0x40011ac0  _dl_deallocate_tls
0x40011e60  ___tls_get_addr
0x400122a0  _dl_make_stack_executable
0x400157b0  __libc_memalign
0x400158c0  malloc
0x400158f0  calloc
0x40015950  free
0x40015a30  realloc
(gdb)

We are interested in knowing which files are opened and what is written to them.

So we will put breakpoints at open, open64, fopen and write:

(gdb) b open
Breakpoint 1 at 0xa9b8
(gdb) b fopen
Breakpoint 2 at 0xae38
(gdb) b write
Breakpoint 3 at 0xab50
(gdb) b open64
Breakpoint 6 at 0xb144
(gdb) b popen
Breakpoint 7 at 0xa9ac
(gdb) c
Continuing.

Now let us discover what is happening.

(gdb) target remote run
A program is being debugged already. Kill it? (y or n) n
Program not killed.
(gdb) c
Continuing.

Breakpoint 3, 0x0000ab50 in write ()
(gdb)

Let’s find out which file descriptor and what is written on it:

(gdb) p /x $r0
$1 = 0x4

Hmm, file descriptor 4; let us find out what it is…

$ telnet 192.168.1.126
Trying 192.168.1.126...
Connected to 192.168.1.126.
Escape character is '^]'.

(none) login: root
warning: cannot change to home directory
/ # ps ax
  ...
  323 root       1728 S   ./gdbserver 192.168.1.126:3333 /mnt/system/bin/encode
  326 root       3868 T   /mnt/system/bin/encoder 
  327 root       2840 S   -sh 
  351 root       2840 R   ps ax 
/ #

OK, the process ID of encoder is 326, so let's see which files are open for this process:

/ # ls -l /proc/326/fd/
lrwx------    1 root     root           64 Jan  1 01:13 0 -> /dev/ttyS0
lrwx------    1 root     root           64 Jan  1 01:13 1 -> /dev/ttyS0
lrwx------    1 root     root           64 Jan  1 01:13 2 -> /dev/ttyS0
lrwx------    1 root     root           64 Jan  1 01:13 3 -> socket:[148]
lrwx------    1 root     root           64 Jan  1 01:13 4 -> /dev/i2c-0

Wow, it is /dev/i2c-0

Now let us return to the gdb interface to see what will be written to it:

Breakpoint 3, 0x0000ab50 in write ()
(gdb) p /x $r0
$1 = 0x4
(gdb) x /1x $r1
0xbed7d9d7:	0x0000000a
(gdb) p /x $r2
$2 = 0x1

Hmm, it will write only 1 byte (r2 = 1), and this byte is 0x0A (r1 points to it).

Ok, move on…

Another write operation:

Breakpoint 3, 0x0000ab50 in write ()
(gdb) p /x $r0
$3 = 0x4
(gdb) x /1x $r1
0xbed7d9d7:	0x0000000b
(gdb) p /x $r2
$4 = 0x1

Hey, it should be reading something from i2c as well; let us put a breakpoint at the read function:

(gdb) b read
Breakpoint 4 at 0xac58
(gdb) c
Continuing.

Breakpoint 4, 0x0000ac58 in read ()

Let's gather more information:

(gdb) info frame
Stack level 0, frame at 0xbed7d9d4:
 pc = 0xac58 in read; saved pc 0x28d5c
 called by frame at 0xbed7d9d4
 Arglist at 0xbed7d9d4, args: 
 Locals at 0xbed7d9d4, Previous frame's sp is 0xbed7d9d4

This function was called from 0x28d5c (saved pc).

We could obtain this information from the link register (lr) as well; lr is an alias for r14:

(gdb) p /x $r14
$5 = 0x28d5c

Good, let's put a breakpoint at 0x28d5c:

(gdb) b *0x28d5c
Breakpoint 5 at 0x28d5c

Now, let the read function run and wait for it to return to 0x28d5c:

Breakpoint 5, 0x00028d5c in ?? ()
(gdb) p /x $r0
$6 = 0x1
(gdb) x /1x $r1
0xbed7d9d6:	0x21

Ok, it read 1 byte as expected and this byte is 0x21.

Keep going:

(gdb) c
Continuing.

Breakpoint 3, 0x0000ab50 in write ()

A new write:

(gdb) p /x $r0
$7 = 0x4
(gdb) x /1x $r1
0xbed7d9e0:	0x12
(gdb) p /x $r2
$8 = 0x2

It is writing to the same file descriptor (4 = i2c-0), but now it writes 2 bytes; the first one is 0x12, but let us see both:

(gdb) x /1x 0xbed7d9e0
0xbed7d9e0:	0x12
(gdb) x /1x 0xbed7d9e1
0xbed7d9e1:	0x80

OK, let's continue:

(gdb) c
Continuing.

Breakpoint 3, 0x0000ab50 in write ()
(gdb) p /x $r0
$9 = 0x4
(gdb) x /1x $r1
0xbed7d9e0:	0x12
(gdb) p /x $r2
$10 = 0x2
(gdb) x /1x 0xbed7d9e1
0xbed7d9e1:	0x00

And another write, but now the second value is 0x00 instead of 0x80.

In the meantime I noticed this text printed on minicom (where gdbserver is running):

ov7725 id1 id2:77-21                                                            
this is ov7725                                                                  
reglen 97

So, this writing/reading is to initialize the ov7725 camera sensor; nice to know, but I'm not interested in the camera sensor, not yet.

So let's remove the breakpoints at write and read, and keep only open and fopen:

Delete write breakpoint:
(gdb) delete 3
Delete read breakpoint:
(gdb) delete 4
Delete breakpoint of read function return:
(gdb) delete 5

Program received signal SIG32, Real-time event 32.
0x4002712c in ?? ()
(gdb) c

Then it will open, in this sequence:
/dev/piu
/dev/mem
/dev/vip-note
/dev/dv
/dev/vip
avc_enc.dlm

And now here is a very suspicious file:

Breakpoint 6, 0x0000b144 in open64 ()
(gdb) x /1s $r0
0x4ad40:	"/dev/ttyS1"

Let us put a breakpoint at the return of this function; then we will know the file descriptor number of this file:

(gdb) p /x $r14
$12 = 0x12ac4
(gdb) b *0x12ac4
Breakpoint 9 at 0x12ac4
(gdb) c
Continuing.

You will see many of these signal events before the open64 function returns:

Program received signal SIG32, Real-time event 32.
[Switching to Thread 369]
0x4002712c in ?? ()
(gdb) c
Continuing.
[Switching to Thread 326]

If you get bored, you can remove the breakpoint at open64; it will speed up this process:

Breakpoint 6, 0x0000b144 in open64 ()
(gdb) delete 6
(gdb) c
Continuing.

And finally:

Breakpoint 9, 0x00012ac4 in ?? ()
(gdb)

Now we can see the file descriptor number:

(gdb) p /x $r0
$13 = 0xc

In fact I can see it in proc:

/ # ls -l /proc/326/fd/
...
lrwx------    1 root     root           64 Jan  1 01:47 12 -> /dev/ttyS1

This is file descriptor 12 (0xC).

Please continue debugging until the point where the camera starts its self-calibration.

Now we can put the breakpoint back on the write function:

(gdb) b write
Breakpoint 10 at 0xab50
(gdb) c

Now switch to the telnet terminal and execute the CGI script to move the camera up:

/tmp # export QUERY_STRING=command=1\&user=admin\&pwd=
/tmp # ./decoder_control.cgi 
Content-Type:text/plain
Cache-Control:no-cache

/tmp #

Switch back to gdb terminal and continue with execution:

(gdb) c
Continuing.
[New Thread 355]
[Switching to Thread 355]

Breakpoint 10, 0x0000ab50 in write ()

The encoder is now trying to write something to the camera:

(gdb) p /x $r0
$16 = 0xc
(gdb) x /1s $r1
0xbe5fe044:	"\34201\n\377"
(gdb) p /x $r2
$17 = 0x8

It is expecting to write 8 bytes; let's see what these bytes are:

(gdb) x /1x 0xbe5fe044
0xbe5fe044:	0xe2
(gdb) x /1x 0xbe5fe045
0xbe5fe045:	0x01
(gdb) x /1x 0xbe5fe046
0xbe5fe046:	0x0a
(gdb) x /1x 0xbe5fe047
0xbe5fe047:	0xff
(gdb) x /1x 0xbe5fe048
0xbe5fe048:	0x00
(gdb) x /1x 0xbe5fe049
0xbe5fe049:	0x00
(gdb) x /1x 0xbe5fe04a
0xbe5fe04a:	0x00
(gdb) x /1x 0xbe5fe04b
0xbe5fe04b:	0x23
(gdb)

Great, we could try to send this sequence directly from the telnet terminal:

/tmp # printf "\xE2\x01\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

It worked fine!!! These are the other commands:

Move Up:
# printf "\xE2\x01\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Down:
# printf "\xE2\x02\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Right:
# printf "\xE2\x03\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Left:
# printf "\xE2\x06\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Right-Up:
# printf "\xE2\x04\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Left-Down:
# printf "\xE2\x08\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Right-Down:
# printf "\xE2\x05\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Move Left-Up:
# printf "\xE2\x07\x0A\xFF\x00\x00\x00\x23" > /dev/ttyS1

Other commands, such as horizontal/vertical patrol, are also supported.
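Added example (not code from the original post): a decoder for the 8-byte frames the encoder writes to /dev/ttyS1, as captured at the write breakpoint above, using the eight command bytes listed. The field names other than the command byte are my guesses from the constant values shown, and the sample capture is constructed.

```python
"""Decode captured PTZ frames from the H6837WI motor serial line (/dev/ttyS1).

Added example, not part of the original post.  Frame layout as observed above:
  E2 <cmd> 0A FF 00 00 00 23   (8 bytes, header E2, fixed trailer 23 = '#')
"""

FRAME_LEN = 8
HEADER = 0xE2
TRAILER = 0x23  # identical in every frame on the page; not a checksum

# Command byte -> direction, exactly the eight values observed on the page.
COMMANDS = {
    0x01: "up", 0x02: "down", 0x03: "right", 0x04: "right-up",
    0x05: "right-down", 0x06: "left", 0x07: "left-up", 0x08: "left-down",
}


def parse_frame(frame):
    """Validate one 8-byte frame and return a dict describing it.

    Raises ValueError on a malformed frame so a logger watching the serial
    line can flag unexpected traffic instead of silently misreading it.
    """
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(frame)}")
    if frame[0] != HEADER or frame[-1] != TRAILER:
        raise ValueError(f"bad framing: {frame.hex()}")
    cmd = frame[1]
    return {
        "command": cmd,
        "direction": COMMANDS.get(cmd, "unknown"),
        # bytes 2..6 were 0A FF 00 00 00 in every observed frame; their
        # meaning is not established on the page, so they are kept raw
        "params": frame[2:7].hex(),
    }


def decode_stream(data):
    """Split a raw capture into frames, resynchronising on the header byte.

    Returns (frames, leftover): the decoded frames in order, plus any trailing
    bytes that do not form a complete frame.  A byte that does not start a
    well-framed 8-byte record is skipped, one at a time.
    """
    frames, i = [], 0
    while i + FRAME_LEN <= len(data):
        chunk = data[i:i + FRAME_LEN]
        if chunk[0] == HEADER and chunk[-1] == TRAILER:
            frames.append(parse_frame(chunk))
            i += FRAME_LEN
        else:
            i += 1
    return frames, data[i:]


# Constructed capture: the "Move Up" frame from the page, one stray byte,
# the "Move Left" frame, then a "Move Down" frame cut off after five bytes.
SAMPLE_CAPTURE = (
    bytes.fromhex("E2010AFF00000023")
    + b"\x00"
    + bytes.fromhex("E2060AFF00000023")
    + bytes.fromhex("E2020AFF00")
)

if __name__ == "__main__":
    decoded, rest = decode_stream(SAMPLE_CAPTURE)
    for f in decoded:
        print(f"cmd 0x{f['command']:02X} -> {f['direction']} params {f['params']}")
    print("leftover (incomplete frame):", rest.hex())
```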

Update: Another interesting starting point to learn more about GDB:
http://brundlelab.wordpress.com/2010/06/21/playing-with-gdb-reverse-engineer-your-way/

Reflashing VStarcam H6837WI partitions with backup of original MTD partitions

This is how the camera partitions are defined:

[ 0.870000] Creating 5 MTD partitions on "NOR flash on ipcam":
[ 0.870000] 0x000000000000-0x000000030000 : "ARMboot"
[ 0.880000] 0x000000030000-0x0000001a0000 : "Kernel"
[ 0.890000] 0x0000001a0000-0x0000005a0000 : "RootFS"
[ 0.900000] 0x0000005a0000-0x0000007f0000 : "IpcamFS"
[ 0.910000] 0x0000007f0000-0x000000800000 : "param"

Flashing Kernel:

object$ loady
object$ erase 0x10030000 0x1019FFFF
object$ cp.b 0x50C07FC0 0x10030000 0x170000

Flashing RootFS:

object$ erase 0x101A0000 0x1059FFFF
object$ loady
object$ cp.b 0x50C07FC0 0x101A0000 0x200000
object$ loady
object$ cp.b 0x50C07FC0 0x103A0000 0x200000

Flashing IpcamFS:

object$ loady
object$ erase 0x105A0000 0x107EFFFF
object$ cp.b 0x50C07FC0 0x105A0000 0x250000

Flashing param:

object$ loady
object$ protect off 1:134 
object$ erase 0x107F0000 0x107FFFFF
object$ cp.b 0x50C07FC0 0x107F0000 0x10000
object$ protect on 1:134 

Update: NickE suggested that I change the loady offset to transfer big files (RootFS): “if you change the loady offset to 0x5100000 rather than the default, it will transfer larger files. The largest I have done is just slightly less than 4mb (mtdblock3).”

$ loady 0x5100000
$ cp.b 0x05100000 0x101A0000 0x00400000

U-Boot of VStarCAM H6837WI fails to transfer file bigger than 3MB

If you try to transfer files bigger than 3MB using the ymodem protocol on the H6837WI, it will fail.

So we should divide our big file (4MB) into 2 chunks of 2MB each:

$ dd if=mtd3_RootFS_noreboot.img of=mtd3_RootFS_noreboot_part1.img bs=1k count=2048
2048+0 registros de entrada
2048+0 registros de saída
2097152 bytes (2,1 MB) copiados, 0,0111315 s, 188 MB/s

$ dd if=mtd3_RootFS_noreboot.img of=mtd3_RootFS_noreboot_part2.img bs=1k skip=2048
2000+0 registros de entrada
2000+0 registros de saída
2048000 bytes (2,0 MB) copiados, 0,0146331 s, 140 MB/s

$ cat mtd3_RootFS_noreboot_part1.img mtd3_RootFS_noreboot_part2.img > mtd3_RootFS_noreboot_rebuild.img

$ cmp mtd3_RootFS_noreboot.img mtd3_RootFS_noreboot_rebuild.img 

If the cmp command returns nothing, then the original and reconstructed files are equal (good)!
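Added example (not code from the original post) covering both the chunked loady/cp.b sequence for RootFS above and this dd/cat/cmp split: it plans the chunks for a given image size, renders the erase/loady/cp.b commands for the original RootFS layout, writes the chunk files and verifies the rebuild. The addresses are the ones the post uses; the 2 MiB chunk size and the 0x5100000 alternative load address are taken from the post as well.

```python
"""Plan, split and verify a chunked RootFS upload for the H6837WI U-Boot,
whose ymodem receive fails above ~3 MB.  Added example, not from the post."""
import os

LOAD_ADDR = 0x50C07FC0        # default 'loady' landing address on this board
ROOTFS_BASE = 0x101A0000      # RootFS partition start (original flash layout)
ROOTFS_SIZE = 0x400000        # 4 MiB RootFS partition (0x1a0000-0x5a0000)
CHUNK_SIZE = 2 * 1024 * 1024  # 2 MiB per chunk, safely under the ymodem limit


def erase_command(flash_base=ROOTFS_BASE, part_size=ROOTFS_SIZE):
    """U-Boot 'erase' for the whole partition; the end address is inclusive."""
    return f"erase 0x{flash_base:08X} 0x{flash_base + part_size - 1:08X}"


def plan_chunks(image_size, flash_base=ROOTFS_BASE, chunk_size=CHUNK_SIZE,
                part_size=ROOTFS_SIZE):
    """Split an image of image_size bytes into (offset, length, flash_addr).

    The last chunk is exactly as long as the remaining bytes, so the cp.b
    count never copies stale RAM past the end of the received file.  Refuses
    an image that would spill past the partition into IpcamFS.
    """
    if image_size > part_size:
        raise ValueError(f"image ({image_size} B) exceeds partition ({part_size} B)")
    plan, offset = [], 0
    while offset < image_size:
        length = min(chunk_size, image_size - offset)
        plan.append((offset, length, flash_base + offset))
        offset += length
    return plan


def uboot_commands(plan, load_addr=LOAD_ADDR):
    """Render one 'loady' + 'cp.b' pair per chunk, in upload order."""
    lines = []
    for _offset, length, flash_addr in plan:
        lines.append("loady")
        lines.append(f"cp.b 0x{load_addr:08X} 0x{flash_addr:08X} 0x{length:X}")
    return lines


def split_image(image_path, out_dir, chunk_size=CHUNK_SIZE):
    """Write the chunk files (what the two dd invocations do); return their paths."""
    size = os.path.getsize(image_path)
    paths = []
    with open(image_path, "rb") as src:
        for n, (offset, length, _addr) in enumerate(
                plan_chunks(size, chunk_size=chunk_size), 1):
            src.seek(offset)
            part = os.path.join(out_dir, f"part{n}.img")
            with open(part, "wb") as dst:
                dst.write(src.read(length))
            paths.append(part)
    return paths


def rebuild_matches(image_path, chunk_paths):
    """Concatenate the chunks in order and compare with the original (cat + cmp)."""
    with open(image_path, "rb") as f:
        original = f.read()
    rebuilt = b""
    for p in chunk_paths:
        with open(p, "rb") as f:
            rebuilt += f.read()
    return rebuilt == original


if __name__ == "__main__":
    # 4145152 bytes is the size implied by the two dd outputs above
    # (2097152 + 2048000 bytes).
    plan = plan_chunks(4145152)
    print(erase_command())
    print("\n".join(uboot_commands(plan)))
```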