Mar 5: Edimax IC3010 dmesg
So, after a firmware rebuild the following info was obtained:
- Linux version 2.4.19-pl1029 (root@neo) (gcc version 3.3.4) #680 §@ 2§Î 23 16:53:35 CST 2009
- CPU: Faraday FA526id(wb) revision 1
- ICache:16KB enabled, DCache:16KB enabled, BTB support, IDLE support
- Machine: Prolific ARM9v4 - PL1029
- Prolific arm arch version 1.0.12
- On node 0 totalpages: 8192
- zone(0): 8192 pages.
- zone(1): 0 pages.
- zone(2): 0 pages.
- Kernel command line: root=/dev/norblock/disc0/disc rootfstype=cramfs nor=b:0x320000@0xe0000,c:8192@0x4000,c:40960@0x6000 prolific.keypad=GPIO_IN(11);GPIO_OE(4,5,6);
- Relocating machine vectors to 0xffff0000
- plser console driver v2.0.0
- Calibrating delay loop... 147.56 BogoMIPS
- Memory: 32MB = 32MB total
- Memory: 30700KB available (1249K code, 361K data, 64K init)
- Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
- Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
- Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
- Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
- Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
- POSIX conformance testing by UNIFIX
- PCI: Probing PCI hardware on host bus 0.
- Linux NET4.0 for Linux 2.4
- Based upon Swansea University Computer Society NET3.039
- Initializing RT netlink socket
- tts/%d0 at MEM 0x1b000400 (irq = 2) is a PLSER
- Prolific addr driver v0.0.4
- Starting kswapd
- devfs: v1.12a (20020514) Richard Gooch (email@example.com)
- devfs: boot_options: 0x1
- i2c-core.o: i2c core module version 2.8.1 (20031005)
- i2c-dev.o: i2c /dev entries driver module version 2.8.1 (20031005)
- Prolific i2c algorithm module v1.2
- Initialize Prolific I2C adapter module v1.2.1
- i2c-dev.o: Registered 'prolific-i2c-adapter' as minor 0
- found i2c adapter at 0xd9440000 irq 17. Data tranfer clock is 100000Hz
- i2c-proc.o version 2.8.1 (20031005)
- pty: 256 Unix98 ptys configured
- PL-1029 NOR flash driver, version 0.8.4
- NOR flash type: ppi-amd 8x8 64x63
- NOR flash id = 0xa8
- nor interrupt 30 registered
- Partition check:
- norblocka: unknown partition table
- RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
- PPP generic driver version 2.4.2
- PPP Deflate Compression module registered
- PPP BSD Compression module registered
- Prolific Audio AC97 driver version 2.2.2 for 63 and 29 Audio Module 2006/03/21
- ac97_codec: AC97 Audio codec, id: 0x414c:0x4740 (Realtek ALC202/202A)
- Prolific Real-Time Clock Driver version 1.0.0 (2003-04-02)
- Prolific keypad driver v1.0.8
- PL UART driver version 1.1.0-1 (2007-02-15)
- MT9M112.o version 22.214.171.124 (20080205)
- i2c-proc.o: found normal i2c entry for adapter 0, addr 48<7>i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
- i2c_doAddress: died at address code.
- i2c-proc.o: found normal i2c entry for adapter 0, addr 5d<7>i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
- i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
- i2c-core.o: master_xfer: prolific-i2c-adapter with 2 msgs.
- CMOS sensor MT9M112 is avaliable now
- Initializing Cryptographic API
- NET4: Linux TCP/IP 1.0 for NET4.0
- IP Protocols: ICMP, UDP, TCP, IGMP
- IP: routing cache hash table of 512 buckets, 4Kbytes
- TCP: Hash tables configured (established 2048 bind 4096)
- NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
- NET4: Ethernet Bridge 008 for NET4.0
- Fast Floating Point Emulator V0.9 (c) Peter Teichmann.
- VFS: Mounted root (cramfs filesystem) readonly.
- Mounted devfs on /dev
- Freeing init memory: 64K
- pl serial only support even parity
- plmedia version 1.2.9
- Hello Grabber!
- Hello Encoder!
- Hello PLMD!
- aes interrupt 12 registered
- 8139too Fast Ethernet driver 0.9.25
- eth0: RealTek RTL8139 Fast Ethernet at 0xc2824000, 00:50:fc:90:17:10, IRQ 5
- eth0: Identified 8139 chip type 'RTL-8139C'
For good measure, here's the pci information:
- PCI devices found:
- Bus 0, device 0, function 0:
- Class 0600: PCI device 180d:1a00 (rev 1).
- Bus 0, device 2, function 0:
- Class 0200: PCI device 10ec:8139 (rev 16).
- IRQ 5.
- Master Capable. No bursts. Min Gnt=32.Max Lat=64.
- I/O at 0xdb800000 [0xdb8000ff].
- Non-prefetchable 32 bit memory at 0x1a000000 [0x1a0000ff].
I had a poke around in the internals as well (sorry, no pics), the board is obviously shared with the 3010wg, but the mini pci slot is not present unfortunately.
Great work! It is encouraging that you managed to alter and access the firmware. That makes this inexpensive cameras much more interesting.
Owners of older models (IC-1510) have complained that the video streaming stops working after some time. Using a serial console they found out that a particular process dies. This would be easy to detect and fix (or at least restart the process) with a small modification to the firmware. I love having a device where I'm allowed to repair the innards.
For this reason I ordered four 3010wg for a new home surveillance system using Zoneminder. I will report back when I have the cameras.
I've not looked at the 1510 firmware but I suspect it's built in similar way, the only problem being that there's only 2M of flash which might make adding features a bit tight, my modified firmware (without wireless) is 2.5M.
I decided against wireless and just used a passive power over ethernet connector (eg http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270538652312) so I could just run the one cable.
Good luck with setting up your system.
Well done for getting telnet access working - I had a look at this camera during 2009, but struggled to decode the firmware binary image to modify it.
I put a little site together with the information I collected (http://ic-3010wg.webhop.net/).
Would you mind if I added your information to it?
Also if you could provide clues about how you decoded the firmware, it would be really useful for the next device I try to hack!
Sure, feel free to add the information.
As for decoding it, hexdump and searching for various endian combinations of sqsh is my usual way in.
Taking it apart is usually easy, stitching it back together is the tricky thing - not everyone provides a nicely named script.
One of the main issues you have is that there's many versions of the sqsh filesystem all of which are incompatible!
The following project:
http://code.google.com/p/firmware-mod-kit/ contains a few of the squashfs versions which will be invaluable.
I have added it (and your instructions on getting telnet working) to the site.
I still have to compare it to what I did to correct any mistakes in my original work - I'll do that over the next few days.