Mar 5: Edimax IC3010 dmesg

Extracting a meaningful dmesg from the IC3010 isn't an easy case of just typing dmesg. One of the drivers generates a lot of spam and by the time you can telnet in, the interesting information has gone.

So, after a firmware rebuild the following info was obtained:
  1. Linux version 2.4.19-pl1029 (root@neo) (gcc version 3.3.4) #680 §@ 2§Î 23 16:53:35 CST 2009
  2. CPU: Faraday FA526id(wb) revision 1
  3. ICache:16KB enabled, DCache:16KB enabled, BTB support, IDLE support
  4. Machine: Prolific ARM9v4 - PL1029
  5. Prolific arm arch version 1.0.12
  6. On node 0 totalpages: 8192
  7. zone(0): 8192 pages.
  8. zone(1): 0 pages.
  9. zone(2): 0 pages.
  10. Kernel command line: root=/dev/norblock/disc0/disc rootfstype=cramfs  nor=b:0x320000@0xe0000,c:8192@0x4000,c:40960@0x6000 prolific.keypad=GPIO_IN(11);GPIO_OE(4,5,6);
  11. Relocating machine vectors to 0xffff0000
  12. plser console driver v2.0.0
  13. Calibrating delay loop... 147.56 BogoMIPS
  14. Memory: 32MB = 32MB total
  15. Memory: 30700KB available (1249K code, 361K data, 64K init)
  16. Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
  17. Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
  18. Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
  19. Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
  20. Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
  21. POSIX conformance testing by UNIFIX
  22. PCI: Probing PCI hardware on host bus 0.
  23. Linux NET4.0 for Linux 2.4  
  24. Based upon Swansea University Computer Society NET3.039
  25. Initializing RT netlink socket
  26. tts/%d0 at MEM 0x1b000400 (irq = 2) is a PLSER
  27. Prolific addr driver v0.0.4
  28. Starting kswapd            
  29. devfs: v1.12a (20020514) Richard Gooch (rgooch@atnf.csiro.au)
  30. devfs: boot_options: 0x1    
  31. i2c-core.o: i2c core module version 2.8.1 (20031005)
  32. i2c-dev.o: i2c /dev entries driver module version 2.8.1 (20031005)
  33. Prolific i2c algorithm module v1.2
  34. Initialize Prolific I2C adapter module v1.2.1
  35. i2c-dev.o: Registered 'prolific-i2c-adapter' as minor 0
  36.  found i2c adapter at 0xd9440000 irq 17. Data tranfer clock is 100000Hz
  37. i2c-proc.o version 2.8.1 (20031005)
  38. pty: 256 Unix98 ptys configured
  39. PL-1029 NOR flash driver, version 0.8.4
  40. NOR flash type: ppi-amd 8x8 64x63
  41. NOR flash id = 0xa8        
  42. nor interrupt 30 registered
  43. Partition check:            
  44.  norblocka: unknown partition table
  45. RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
  46. PPP generic driver version 2.4.2
  47. PPP Deflate Compression module registered
  48. PPP BSD Compression module registered
  49. Prolific Audio AC97 driver version 2.2.2 for 63 and 29 Audio Module 2006/03/21
  50. ac97_codec: AC97 Audio codec, id: 0x414c:0x4740 (Realtek ALC202/202A)
  51. Prolific Real-Time Clock Driver version 1.0.0 (2003-04-02)
  52. Prolific keypad driver v1.0.8
  53. PL UART driver version 1.1.0-1 (2007-02-15)
  54. MT9M112.o version 1.0.0.2 (20080205)
  55. i2c-proc.o: found normal i2c entry for adapter 0, addr 48<7>i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
  56. i2c_doAddress: died at address code.
  57. i2c-proc.o: found normal i2c entry for adapter 0, addr 5d<7>i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
  58. i2c-core.o: master_xfer: prolific-i2c-adapter with 1 msgs.
  59. i2c-core.o: master_xfer: prolific-i2c-adapter with 2 msgs.
  60. CMOS sensor MT9M112 is avaliable now
  61. Initializing Cryptographic API
  62. NET4: Linux TCP/IP 1.0 for NET4.0
  63. IP Protocols: ICMP, UDP, TCP, IGMP
  64. IP: routing cache hash table of 512 buckets, 4Kbytes
  65. TCP: Hash tables configured (established 2048 bind 4096)
  66. NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
  67. NET4: Ethernet Bridge 008 for NET4.0
  68. Fast Floating Point Emulator V0.9 (c) Peter Teichmann.
  69. VFS: Mounted root (cramfs filesystem) readonly.
  70. Mounted devfs on /dev      
  71. Freeing init memory: 64K    
  72. pl serial only support even parity
  73. plmedia version 1.2.9      
  74. Hello Grabber!              
  75. Hello Encoder!              
  76. Hello PLMD!                
  77. aes interrupt 12 registered
  78. ic3010_ctrl_init...        
  79. 8139too Fast Ethernet driver 0.9.25
  80. eth0: RealTek RTL8139 Fast Ethernet at 0xc2824000, 00:50:fc:90:17:10, IRQ 5
  81. eth0:  Identified 8139 chip type 'RTL-8139C'


For good measure, here's the pci information:

  1. PCI devices found:
  2.   Bus  0, device   0, function  0:
  3.     Class 0600: PCI device 180d:1a00 (rev 1).
  4.   Bus  0, device   2, function  0:
  5.     Class 0200: PCI device 10ec:8139 (rev 16).
  6.       IRQ 5.
  7.       Master Capable.  No bursts.  Min Gnt=32.Max Lat=64.
  8.       I/O at 0xdb800000 [0xdb8000ff].
  9.       Non-prefetchable 32 bit memory at 0x1a000000 [0x1a0000ff].


I had a poke around in the internals as well (sorry, no pics), the board is obviously shared with the 3010wg, but the mini pci slot is not present unfortunately.
Posted by dom in tech Comments: (5) Trackbacks: (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 - Alexis Maldonado said:
2010-04-03 14:31 - (Reply)

Great work! It is encouraging that you managed to alter and access the firmware. That makes this inexpensive cameras much more interesting.

Owners of older models (IC-1510) have complained that the video streaming stops working after some time. Using a serial console they found out that a particular process dies. This would be easy to detect and fix (or at least restart the process) with a small modification to the firmware. I love having a device where I'm allowed to repair the innards.

For this reason I ordered four 3010wg for a new home surveillance system using Zoneminder. I will report back when I have the cameras.

#1.1 - dom 2010-04-03 15:22 - (Reply)

I've not looked at the 1510 firmware but I suspect it's built in similar way, the only problem being that there's only 2M of flash which might make adding features a bit tight, my modified firmware (without wireless) is 2.5M.

I decided against wireless and just used a passive power over ethernet connector (eg http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270538652312) so I could just run the one cable.

Good luck with setting up your system.

#2 - Graham Jones said:
2010-12-30 15:30 - (Reply)

Hi,
Well done for getting telnet access working - I had a look at this camera during 2009, but struggled to decode the firmware binary image to modify it.
I put a little site together with the information I collected (http://ic-3010wg.webhop.net/).
Would you mind if I added your information to it?
Also if you could provide clues about how you decoded the firmware, it would be really useful for the next device I try to hack!

Thanks

Graham.

#2.1 - dom 2010-12-31 13:48 - (Reply)

Sure, feel free to add the information.

As for decoding it, hexdump and searching for various endian combinations of sqsh is my usual way in.

Taking it apart is usually easy, stitching it back together is the tricky thing - not everyone provides a nicely named script.

One of the main issues you have is that there's many versions of the sqsh filesystem all of which are incompatible!

The following project:
http://code.google.com/p/firmware-mod-kit/ contains a few of the squashfs versions which will be invaluable.

#2.1.1 - Graham Jones said:
2010-12-31 17:12 - (Reply)

Thanks Dom
I have added it (and your instructions on getting telnet working) to the site.
I still have to compare it to what I did to correct any mistakes in my original work - I'll do that over the next few days.

Graham.


Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

BBCode format allowed