Getting telnet access on an Edimax IC3010 webcam

Can of worms


Mar 5: Getting telnet access on an Edimax IC3010 webcam

The Edimax series of webcams are some of the cheapest IP webcams available, providing a variety of ways to get access to either a still picture or a video stream (either MJPEG or via RTSP).

The camera is a PL1029 system and runs embedded Linux (2.4.19). Since it's a Linux system I'd quite like to get into it and have a poke around. Edimax do supply the source and tools to build a new firmware image, from their product site. Unfortunately, the source posted doesn't correspond to the latest firmware, and some of the supplied tools come in binary-only format for x86_64 Linux. But let's not allow that to be a hindrance: we can extract what we want from a firmware upgrade file.


The firmware file is arranged in 4 sections: an 8-byte identifier, 768k of kernel space, 3200k of cramfs image and a single-byte checksum. Since everything is at a fixed location, we can easily extract the sections we need with dd.

dd if=upgrade_engEDIMAX_IC3010M_1.25.bin of=kernel bs=1 skip=8 count=786432
dd if=upgrade_engEDIMAX_IC3010M_1.25.bin of=cramfs bs=1 skip=786440 obs=1k count=20000000
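
The layout described above, as an added example that is not part of the original post: a shell function that splits an IC3010-style upgrade image into its four sections and checks that the filesystem section starts with the cramfs superblock magic (0x28cd3d45, assumed stored little-endian). The function names and the sample image are constructed for illustration; the trailing checksum byte is only separated, not verified, because the post does not give its algorithm.

```shell
#!/bin/sh
# Added example (not from the original post): split an IC3010-style upgrade
# image using the layout the post describes. Names here are hypothetical.
HDR_LEN=8                         # 8-byte identifier
KERNEL_LEN=786432                 # 768k kernel area
FS_OFF=$((HDR_LEN + KERNEL_LEN))  # 786440, the skip= value used in the post

# split_fw IMAGE OUTDIR -> writes header, kernel, cramfs, checksum to OUTDIR.
# Returns 1 if the image is too short, 2 if the cramfs magic is missing.
split_fw() {
    img=$1; out=$2
    total=$(wc -c < "$img") || return 1
    total=$((total + 0))                      # normalise wc padding
    [ "$total" -gt $((FS_OFF + 1)) ] || { echo "image too short" >&2; return 1; }
    fs_len=$((total - FS_OFF - 1))            # everything but the last byte
    mkdir -p "$out" || return 1
    head -c "$HDR_LEN" "$img" > "$out/header"
    tail -c +$((HDR_LEN + 1)) "$img" | head -c "$KERNEL_LEN" > "$out/kernel"
    tail -c +$((FS_OFF + 1)) "$img" | head -c "$fs_len" > "$out/cramfs"
    tail -c 1 "$img" > "$out/checksum"        # separated only, not verified
    # Assumption: little-endian cramfs, so magic 0x28cd3d45 is 45 3d cd 28.
    magic=$(head -c 4 "$out/cramfs" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "453dcd28" ] || { echo "no cramfs magic at $FS_OFF" >&2; return 2; }
    echo "header=$HDR_LEN kernel=$KERNEL_LEN cramfs=$fs_len checksum=1"
}

# make_sample_fw PATH -> constructed stand-in image (not real firmware).
make_sample_fw() {
    {
        printf 'CONSTRUC'                               # placeholder identifier
        dd if=/dev/zero bs=1024 count=768 2>/dev/null   # empty kernel area
        printf '\105\075\315\050'                       # cramfs magic bytes
        dd if=/dev/zero bs=1 count=1020 2>/dev/null     # stub filesystem body
        printf 'X'                                      # placeholder checksum
    } > "$1"
}

# Run as: sh split_fw.sh IMAGE OUTDIR
if [ "$#" -eq 2 ]; then
    split_fw "$1" "$2"
fi
```

Unlike the second dd command above, this keeps the final checksum byte out of the extracted cramfs file.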


You can then copy out the files from the cramfs partition and start to change things.

I chose to build a parallel version of busybox, adding in some applets that I thought would be useful (telnet, telnetd, tftp etc.), and installed them to a copy of the filesystem.

Once this is done it's time to rebuild the firmware image and reflash. I used a modified version of a script from the source tarball; my script looks like this:

dd if=header.txt of=IC3010.bin bs=1 count=8
dd if=kernel of=IC3010.bin ibs=768k obs=1k count=1 conv=sync,notrunc oflag=append
dd if=cram-image-ipcam of=IC3010.bin ibs=3200k obs=1k count=1 conv=notrunc oflag=append

cp IC3010.bin upgrade_engEDIMAX_IC3010M_1.25.1.bin

./AppendChecksum upgrade_engEDIMAX_IC3010M_1.25.1.bin


Upgrade the firmware and you can telnet in, poke around and see things like this:

BusyBox v1.01 (2007.05.04-10:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # cat /proc/cpuinfo
Processor       : Faraday FA526id(wb) rev 1 (v4l)
BogoMIPS        : 147.56
Features        : swp half

Hardware        : Prolific ARM9v4 - PL1029
Revision        : 0000
Serial          : 0000000000000000


Now I've just got to figure out what to do with it.
Posted by dom in tech


Comments

#1 - Someone 2010-04-18 01:01 - (Reply)

Can you maybe find out where the cramfs is in this firmware? http://www.edimax-de.eu/images/Image/products/IC-1510Wg/upgrade_engEDIMAX_WG_IC1500Wg_1.34.bin

#2 - dom 2010-04-18 01:50 - (Reply)

Looks like there's a (lzma) squashfs at 589832 bytes in.

Looking through the firmware source code the IC1510 uses a different architecture (MIPS) to the IC3010 (arm).

To figure out how it's built, the file IC1500_RTL865X/uClinux-dist-3/vendors/Realtek/Makefile in the firmware source code looks like it's useful - it's not as simple as the IC3010 though.

#3 - Someone 2010-04-18 20:12 - (Reply)

I got it to extract the squashfs and added my busybox with telnetd, used the squashfs-lzma (with -be) from source. Copied it back to the same location in the update... Now the cam says that the file is not a valid firmware file...

#4 - dom 2010-04-18 20:40 - (Reply)

Cool, now you've got to rebuild the file header - if you look at:

uClinux-dist-3/user/boa/src/rtl865x/rome_asp.c

there's a function called _checkImage() which validates the image using simple checksum (xor of all the bytes) and the length of the file.

It looks like packbin (/IC1500_RTL865X/uClinux-dist-3/tools/packbin.src) is responsible for doing this fixup. This runs on a gz compressed kernel and a run.bix file (which includes the filesystem)

It's probably worth working through the various steps that are needed to produce the upgrade firmware image so you can produce an image from the constituent parts (header, kernel, filesystem etc)

#5 - Someone 2010-04-27 23:05 - (Reply)

Yay. A friend got the source code to work. Got an update which the device accepted. Now it's bricked. Mistake in the squashfs-romfs...

Now we need to test the serial port ^^"

#6 - robert 2010-05-30 19:20 - (Reply)

Hi,
Could you give more detail on how to rebuild the firmware image, please? It's very helpful for those who are not techie like me.
I have added telnetd and ftp programs but don't know how to rebuild it.
Thanks
Robert

#7 - Paul 2010-06-14 09:55 - (Reply)

Any ideas of the structure of this firmware for the following device:

http://www.edimax.co.uk/en/produce_detail.php?pl1_id=2&pl2_id=14&pl3_id=120&pd_id=199

FW: http://www.edimax.co.uk/en/support_detail.php?pd_id=199&pl1_id=2

I'm looking at the possibility of extending its list of supported printers.

#8 - dom 2010-06-14 10:20 - (Reply)

I'll take a look at it tonight. Since this board is just a standard RDC chip have you considered a bifferboard? - http://bifferos.bizhat.com/

It has the same hardware, runs debian, slackware or OpenWRT and comes with a serial port should you end up bricking it!

#9 - dom 2010-06-14 12:01 - (Reply)

Sniffing around the place it seems fairly sane (well saner than the IC1510)!

The image consists of a bzImage kernel followed by a 8MB ext2 ramdisk that's been compressed.

Key scripts are:

AP/mkimg/mkps2207 - creates the filesystem
linux-2.4.25-rdc/DoLinux.sh - creates a final image. This uses the magic cvimg tool to nobble the files in a special way.

The cvimg source might be here: http://svn.evkanet.net/trac.cgi/browser/firmware/edimax/trunk/src/tools/cvimg.c?rev=15

It looks like there might be more info here: http://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg04024.html

Have fun.

#10 - Paul 2010-06-14 18:52 - (Reply)

Awesome, thanks for the helping hand there. I'll take a proper look at these when I get back from work.

Had a quick look though: from the source of cvimg there is a pheader (9 bytes) and a checksum (2 bytes) appended to the beginning of the file which describe the length of the bzImage.

I assume I should be able to read these values and then split the bin into its partitions, if I read the source correctly (this was a quick look of course)

#11 - net8048 2010-07-07 07:31 - (Reply)

Hello,
I know I am maybe asking too much, but for others like me who are not Linux geeks yet, it would be really helpful if you could provide your alternate firmware (incl. telnetd, ftpd or sshd) based on the latest version for the IC-3010Wg as a downloadable .bin file.

#12 - dom 2010-08-07 00:14 - (Reply)

I've only got an image for an IC3010 i.e. without the wireless. I've put it up here: http://www.suborbital.org.uk/edimax/upgrade_engEDIMAX_IC3010M_1.25.1.bin in case it's any help

#13 - Werner 2010-09-20 20:28 - (Reply)

Very cool, thank you very much!!!
Tried it with my IC-3010WG and it worked :-)
I uploaded the image I made here: http://sajuwe.de/werner/images/upgrade_engEDIMAX_WG_IC3010M_WG_1.38.telnet.bin

#14 - Werner 2010-09-23 18:52 - (Reply)

It would be pretty cool to have also inetd available. Do you still have everything to compile busybox2 on your system and could compile such a version?
Unfortunately I'm not so good at Linux cross compiling and can't do it by myself :-(

#15 - francesco 2010-10-01 19:28 - (Reply)

hello
is this firmware safely uploadable in a 3010wg? is this allowing telnet/ssh access?
it would be useful to restart daemons since httpd is crashing very often on my cam (any other way to fix this?)
regards
francesco

#16 - francesco 2010-10-01 20:51 - (Reply)

I couldn't wait and I flashed my 3010wg with your firmware. seems to be ok, I've telnet enabled (with no authentication... :-( )
I hope to be able to restart web interface when it fails (shall I restart enet or completely reboot the cam...? or something else??)
it would be great to have a modded firmware restarting web server every x minutes.
is this somehow possible to do?
thanks a lot
francesco

#17 - Zygmunt 2011-08-30 12:38 - (Reply)

Could you give more detail on how you've managed to mount the squashfs-lzma partition? I am trying to do it for an Edimax IC-3030 camera but I have an incompatible squashfs in my system.
regards
zygmunt

#18 - dom 2011-09-12 19:28 - (Reply)

I had to go back through quite a few revisions to find the right version - unfortunately the machine I used is out of action at the moment so I can't find which one actually works.

But http://code.google.com/p/firmware-mod-kit/ had quite a few to download so just experiment.

