Finally got a chance to play around with the second ipcam I bought.

This one is a little bit smarter than the previous one – its running off an ARM5ARM7 CPU (Nuvoton NUC745ADN), so has a bit more oomph. 16M ram is a whole lot more to play with for a start! The last device only had 16KB, so this puppy can be taught to do some tricks!

Serial was a little bit trickier to solder on this time – my initial connectors were too small, so had to resolder with larger ones, and I managed to mess up a tad. Never said my soldering was any good 😉
Getting it to talk to the computer was a bit painful too – eventually I settled on 115,200 8,n,1, xon/xoff which should have worked the first time around, but I was getting garbage.

Probably flow control (xon/xoff), as fiddling with the connections got it going eventually.

First output from the board is below – this is from a clean boot (with no ethernet or wifi).


W90P745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Dec 10 2009
Memory Size is 0x1000000 Bytes, Flash Size is 0x200000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:

Wait for auto-negotiation complete...ResetPhyChip Failed
video0 opened
1
1
1
1
1
1
set resolution 5
set brightness 144
set contrast 3
set sharpness 3
set mode 2
__pthread_initial_thread_bos:34c000
manage pid:16
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record
=> usb_rtusb_open
retide_ddns.c: can not get server dns.camcctv.com ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
get oray info
upnp get ip error
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===255.255.255.255
*args===netmask
*args===eth1
inet_sr.c INET_rinput 321
action===1
options==33
inet_sr.c INET_setroute 75
*args===default
*args===gw
*args===eth1
MlmeAssocReqAction(): WPA2/WPA2PSK fill the ReqVarIEs with CipherTmp!
3
3
3
3
3
3


Initially I had the board setup on its own without the camera attached, but the boot scripts require it connected, otherwise they reboot..
Ostensibly, this is the same hardware as the fi8908w (who are just reselling the OEM version with marginally different firmware as far as I can tell).

Next step is to setup a cross compiler for uclinux so I can make some binaries, and test.
Luckily all the available tools are open source / free. Yay!

I’m in contact with the factory, and they’ll be sending an SDK over at some point soonish, although its only in Chinese.
Luckily for me, that shouldn’t be a problem, as i’m reasonably capable at groking both code, and simplified chinese 🙂

ucLinux should be easy enough to build a rom image for though – tons of examples, and I already have a few firmware files to compare.

It shouldn’t be too hard for me to roll another firmware with ssh installed, so that we can get in without serial, that would be more useful for others too.

I’ve had a quick look inside the folders in the device from the device itself – fairly minimal, pretty much the only binaries are the necessary ones.
My initial aim is to redo the UI to a nicer one, and fix some of the more glaring bugs. The factory people are at a trade show in Taiwan this week, so hopefully next week I’ll get some dev tools (otherwise its reverse engineering, bleh…).

Some more people are playing with these as well (links below):

http://irishjesus.wordpress.com/2010/03/30/hacking-the-foscam-fi8908w/

http://www.gadgetvictims.com/2009/12/bring-your-fi8908w-paperweight-back-to.html

Unfortuanately for me, both are variably accessible. WordPress is available this week woohoo, but its an on / off dealio with the GFW…, so I might have to stop commenting there once the government decides if WordPress is “teh evil” again.

The irishjesus blog guy has done some of the harder bits like file extraction already (although not strictly necessary, as there are existing tools for that kind of thing).

—

Updates

Have some docs from the factory now, see attached file for the CGI spec.

IP Camera CGI 应用指南-1.11

I have others, but not so relevant especially for those than don’t read Chinese!

Data sheet for the Chip and build instructions here –

http://www.nuvoton.com/hq/enu/ProductAndSales/ProductLines/ConsumerElectronicsIC/ARMMicrocontroller/ARMMicrocontroller/NUC745A.htm

When I was younger, I used to like taking things apart.  I still do that, but they tend to work better these days, hehe

This last few weeks I’ve been playing with IP Camera’s for a pet project that started off as a request over Skype for info about surveillance.
As the ever useful Taobao is full of vendors selling the same 4 or 5 camera’s for reasonable prices I ordered a couple to take a peek at.

I’ve only taken one apart so far – the really really cheap one that I installed in the office so I can get a look at who comes up the stairs without having to move my fat ass out of the chair.  A quick shortcut in FF, and it works quite nicely as a separate browser window in the corner of the desktop.

Onto the discovery phase 🙂

I had a quick spin with NMAP, but other than discovering that they rather naughtily misuse a Mac Address assigned to the evil Cisco, not much help.
Also nothing appeared to be running on any other ports than the web port 🙁
nmap -A 192.168.0.88

\r\n\r\n</BODY>\r
SF:\n</HTML>\r\n");
MAC Address: 00:0A:42:33:66:54 (Cisco Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop


Next up is the usual dissection. I had done some minor googling on the device I bought, which is basically this below:

As its an OEM product, this is available under a whole bunch of different names – mostly with IP-510 or similar in the title, eg LTI-510 etc.

For a cheap OEM product, it actually seems to be reasonably well made though – the Case is an nice and solid aluminium sheath that looks like its been repurposed from something else, and the board itself is suprisingly well diagrammed. Its almost made for hacking!

Chips onboard are as follows:

25.0618mhz crystal from TXC – bonus points for why its 25mhz. Reply in the comments 🙂
Davicom DM9008AEP, TRC9016NLE (both for Ethernet. imho Davicom is a second-rate Realtek)
ViMicro VC0528BRVC (Camera processor / CCD Controller)
And last, but not least, our CPU, which is an 8051, although not from ATMEL.
Part number on that is C8051F340. My first guess is that it incorporates some integrated flash on there for firmware. Unfortunately its likely to be all C and Assembler, and the last time I did embedded 8051 stuff was in the early 90’s.

Google confirms it – basically its an all in one controller with 32 or 64KB onboard, and roughly 4k ram. Woohoo!

Datasheet here – http://www.alldatasheet.com/datasheet-pdf/pdf/182721/SILABS/C8051F340.html

Good news is that the board has serial out clearly labeled on the top left side. Better news is that the chip has an onboard debug mode, so I don’t even need any ICE (In Circuit Emulation) tools should I want to take a look. Bad news is that I’m probably going to be too lazy to do it, as its more work and less fun than the second one I bought, which has Linux running on it.

That said, this one is cheap. Real cheap. Cheap enough that its probably worth knocking out a decent firmware, and reselling it with a better UI, and more features.
Might be possible, although anything more than whats there is probably stretching it given the ram / storage constraints. Looks like its all offboard processing/streaming for this model!

There are also some unpopulated spots on the board, which I strongly suspect would be for audio, given the board has a MIC input and no Mic, and the main controller is a ViMicro, which supports MP3 output also…

I’ll see if I can find a firmware file, and do a disassembly, or more probably see what I get out of the serial port connection in the near future.

Photos below. [Excuse the pasty white hands, its still winter for some reason in Shanghai, despite being April… Oh global warming. Where art thou, when I needest thee!]:

Some further files for the curious here –

http://kuklin.ru/ip400cam

I’ve been seeing a bunch of failed Apple Time Capsules recently.
The issue is that the PSU’s are dying, as opposed to the HDD’s.

I took one apart to take a look, and the issue is the oh too familiar someone bought cheap capacitors that use the wrong formula. Tsk tsk Apple!

Here are some photos of a faulty power supply from a Time Capsule I’ve taken apart to demonstrate –

Read more »

Background:
Vietnam airlines had a special for 1400RMB return including tax to Hanoi.
As I’ve never been to Vietnam, I thought I’d take it.

Photo’s to follow once I’m back in Shanghai, as no card reader!

First impressions I receive of Hanoi – rats and Mopeds.
Not sure which there are more of, both are visible in the corner of your eye at all times. The mopeds are more vociferous though, and a walk through the streets is a cacophony of hooting, and avoidance.
At least, much as in China, sensible manners get you across the roads. Just walk, and they’ll drive around. Hesitate, and you are doomed. Vespa (Piaggio) owns the market, with Honda coming in a close 1st. Sure, there are more Honda’s than Vespa’s numberwise, but *everyone* drives a vespa. Its a city of cool from that respect.

Hanoi is a shithole. Nothing to really recommend it. Its the same generic Southeast Asia template, albeit on a marginally more industrialized level. Its a dirty city, and the remaining architecture is neither interesting, nor beautiful. The delapidated is being torn down, and replaced by the generic concrete in much the same shape and form. House fronts still narrow as driven by taxes on shopfront sizes from regimes long gone.

Car hooters are a pseudo interesting thing. Echo… co… co… co… co… style fade outs that make the noise less of an annoyance. Admittedly it is a rather cool effect. Hooters here are used as indicators and lights might be in the West. Hooting is a way of saying here i am, rather than get out of the way. Echo-location bat style in metal form.

Guidebooks are not necessarily a great help. I picked up a Lonely Planet; deriguer tourist accessory that it is, and had a quick scan through the Hanoi section. “Every stranger on the street wants to help you”. What a crock of horseshit. They neglected the the last part of that sentence – “…away from your money”.

Trust no-one.

Everyone is after something. From moped drivers lazing on their bikes every two metres, to hotel staff trying to sell tickets to Halong Bay, to street peddlars hastling and hustling, the annoyances are endless.

For every act of kindness, the balance is broken fourfold by someone doing something equally retarded and obvious scamwise. Seek and ye shall find. Maybe I just don’t want to be found.

Sit at a bar called half man, half noodle. Sign says drink here, or we shoot the puppy. Why is it my thoughts tend to shoot the damn puppy.

Vietnam is supposed to be cheap. For european tourists, maybe. Coming from China, seems expensive. Not overly so, but seen through my experienced “I know what things cost” eyes, they aren’t as cheap as they should be.

Walk around the semi endless streets around the lake, many shops doing color copies of older Propaganda posters. Not originals, but badly offset color printing on semi decent rice paper.
Ask pricing at one – small $5, large $15.
That’s about 100RMB for a large one, which is about right if you counter in staff, rentals etc, so a fair price.
Roll it up, seal, suddenly price is $50.
So, small copies $5, now $15 -> $50? Walk out, as price starts coming down again. Not interested anymore. Shitty ass city, can’t wait to be back in Shanghai.

Its the little things here that pile up. Maybe its just I’m being a miserable git, which undoubtedly I am, but still, the vibe here is wrong.

Book a trip out of the city for a change of air. Reasonable for a day trip – $22, although on the way I spot another agency for $12. Thats my fault for not checking a couple of places first, and doing something spur of the moment in the hotel. Not really concerned about that, its still a fair price, and although I feel vaguely ripped off, i’m not worried about it.
An hour into our journey we stop off “for a rest”. That pissed me off. The oh so blatant detour 30 minutes drive in the opposite direction away from our destination to a handicraft / coffee shop where they get paid by head. At least in China they knowingly sell you those trips, and prices are discounted accordingly.
Outside poorer people touting fruit and whatnot, like flies around shit. We tourists, are the shit.
Quite apt considering how tourism generally denigrates and fucks up a place.

Not as bad as Tang Hui near Huang Shan (which I still think should be nuked from orbit), but on its slow inexorable decline into dependance on the teat of handouts and third world poverty that can only be made possible by our own consumer driven culture.
Ponder the thought of cult in culture.
Flash back to Iain Banks – “The Culture“.
We export our beliefs, borg like, to be absorbed.

Always Coca-Cola.

Is that the anthem for the 21st Century?

Anthem or anathema, who knows. Maybe we do deserve to be quarantined from the rest of the galaxy, lest we infect it.

What is tourism anyway?
Voyeurism made global.
“Look how much better we have it.”, back on the bus, as we can always leave.

Wake up late the next day to banging on my door. Cleaning staff obnoxiously do not take no for an answer, and come back three separate times until I launch into a tirade that gets rid of them. That I’m rather hung over, and stink of stale alcohol isn’t helping my demeanor either.
Once again, HBO is showing something watchable and I pass in and out of consciousness till about 3pm.
Shower, and am feeling much better with the world, and myself.

Funky Buddha is pretty much the only decent late nightlife in Hanoi. Few obnoxiously loud drunk Ozzies, and more of a local scene. Still shuts early though. 2am more or less the cut off point for the town.

I’ll be glad to leave this place.

Good to get out of China, and see a different place, but Vietnam isn’t for me. Death of a thousand cuts would be apt. Lot of little niggling issues, rather than large ones, but the blatant amount of petty bullshit ripoff’s makes Vietnam somewhere to be missed.

I’ve done lots of Asia, and Vietnam is a third world version pastiche of other places that just do it better.
My summation in two words – don’t come.

Things to buy:
Nu Rou Gan. Some great dried beef available in some of the streets around the market area north of the Hoan Kiem lake.

Lacquerware.
Available pretty much everywhere, pricing is reasonable – $5-10 for reasonable sized copies of Tintin covers.

Books (on scooters). Beware, pricing is silly at first. While I don’t mind gouging per se, I often refuse to do business with someone because they start with an initially silly price. There is ballpark, and there is out of the ballpark figure, most here start with the ball so far out of the ballpark, that you cannot even see the stadium. Example pricing – random copied Lonely planet guides – they’ll start at around 500,000, you can get for 50,000. 1000% markup anyone?

Hip and Trendy:
Not that much here, only 2 semi cool shops next to each other on Ta Hien.
Bo Sua on 24d Ta Hien is worth a browse if you’re in the vicinity, but don’t make a trip otherwise.
Design idea’s are good, but need nurturing.

Clubbing:
Funky Buddha 2 Ta Hien

Not much else decent, unless you like shitty Babyface clones in smaller sizes, or backpacker packed foreigner bars.

Food:
Street food probably the best bet. Vietnamese food probably better experienced outside of Vietnam.
Avoid the foreign looking restaurants, pricing is sky high, and quality rock bottom.

Do try coffee though, the coffee bars have good coffee (strong, and sweet), and most of the cooler local looking places are plastered with paintings, and make for a good 10-15 minute stop over to rest weary feet.

When DNS goes bad

This year someone in China misconfigured something which effectively exported China’s main method of implementing blocks (man in the middle DNS spoofing) semi globally over the Global Crossing backbone for the last few weeks.

Effectively, China’s blocking, went global (for certain providers).

Read more »

Obviously I’ve had waaaaaaaaaay too much fun with my newly purchased coffee machine today.
Photo’s (and story) below.

Its a match of the titans.

Frog design vs A+P Cahen.

No rolls barred, its Cube vs Cube.

In the left corner, we have the old, the venerable…

G4 Cube

Part frakkin Toaster, part computer, (ex) fishtank, part space heater.

VS

The newcomer with an attitude, he’s shiny, and he isn’t afraid to show it off.

Le Cube

Read more »

I was reading a post up at Carsonified (http://carsonified.com/blog/dev/bulletproof-backups-for-mysql/), which talked about MySQL backups.

While he slightly re-invents the wheel, its fairly similar to what we do over at Computer Solutions as a solution for Backup.

How do we do it?

Read more »

As its been a while since I did any hardware stuff (other than some dabbling in Arduino), I decided I would try and resuscitate a bricked 941n router. I had given it to the staff to fiddle with, but they needed a push in the right direction for where to start.

First I needed tools.
Luckily China is pretty awesome when it comes to getting electronic bits and pieces so most of what I needed was a mere Taobao away.

As the crap soldering irons in the office weren’t going to hack it, my first purchase was a decent soldering iron.
I took a look at the Wellers (which I used in a previous lifetime), and decided that the pricing was a little too steep for my liking!
Taobao had plenty of cough, cough ‘clone’ Hako 936’s though, so I bought one of those, 10 tips and some solder for a little less than 200RMB delivered to the office.

I could have gone to buy it over in the electronics mall over in Beijing lu, but seriously, Taobao is easier.

While I was at it, I also orderd a Rek DC power supply, and some JTAG cables.
The PSU isn’t totally useful for router hacking, but we do have a lot of people that forget to bring laptop chargers with them, so it will come in handy for that. Looks pretty nifty too.

Hako 936 and Rek DC PSU

Next up was a serial to ttl adaptor, as the TP-Link uses TTL voltage apparently, and I needed to convert into standard pc serial.
I bought 2 adaptors, one USB one, with rather crappily made headers, and a rather nicer serial one with pin’s.

As I’m rather crap at soldering, I totally expected things to bork something up, but amazingly I got the headers installed relatively easily, and even managed to bridge pad (R356) to enable serial first go (as per the wiki).

I plugged in my serial adaptor to the computer, and powered up the router.
Suprisingly everything worked first time around, and I got some serial output in HyperTerminal.

A few nanoseconds later I got to experience again how much I hated HyperTerminal.
Grumble cpu usage grumble frozen input grumble mutter,… and installed PuttyTel instead.

Putty also seems to autodetect the kernel speed nicely (as boot changes from 9600 to 115,200baud), which is a bonus.

I still need to time it right so I can catch the u-boot in time to stop it, and, I also still need to reflash it, but the hard part is done!

Total cost – roughly 250RMB for parts (soldering iron, tips, serial ttl adaptor, pin headers, jtag stuff etc), plus about an hour of time, most of which emcompassed clearing my desk enough so I could solder 🙂

I’m all setup for more journeys into equipment though, and I can now completely recover borked equipment handily.

Useful pages:
http://wiki.openwrt.org/inbox/tp-link.tl-wr941nd (Pinouts)
https://forum.openwrt.org/viewtopic.php?id=18354&p=1 (Thread on TL-WR941 hacking)

Firmware files:
http://downloads.openwrt.org/snapshots/trunk/ar71xx/

Taobao shopping:
http://item.taobao.com/auction/item_detail-db1-3fbe7be878a7aa35dd4ec1e4260113e8.jhtml (RS232 TTL)
http://item.taobao.com/auction/item_detail-db2-3c9886e66da40119a6c72fe03c4b8d38.jhtml (Hakko 936 + tips)
http://item.taobao.com/auction/item_detail-0db1-4fbc4e80f96ae37dbd34b9cb466aa642.jhtml?cm_cat=0 (Wiggler JTAG)

Currently I have an iPhone (ancient 2G), and have just bought a Dell Mini3i (600RMB with an 18month contract @ China Telecom), as I donated my 3G iPhone to one of the extended family back home.

The Mini3i runs an Android variant called OPhone.

The 3i is a little underwhelming software wise.

Its quite crap at the moment as its sitting on Android 1.0 (OPhone 1.0), but for all intents and purposes Android = Ophone its pretty much the same underneath.

There are a bunch of similar phones to this – the Lenovo O1, LG GW880, Motorola something or other (can’t be hassled to go look) etc.

While I haven’t rooted mine just yet, I have been playing around, and reading the Chinese forums.

Boot loader appears to be similar on all the devices – its made by BORQ’s in Beijing, and appears to be quite basic.

Motorola and O1 seem to have the best support for now, the main problem in the Chinese forums is people bitching about being stuck on older versions.

Some are running 1.6, most on 1.5, and the unlucky few 1.0 “Ophone”
2.0 and 2.1 has yet to hit the mainstream here.

There are people with N1/G5’s (Nexus 1 / HTC G5) on 2.1 though (yes, thats you in Beijing Tom!), pretty much any phone is available, although anything with wifi is essentially grey import from overseas (HK mostly)

Back to the phone –

Thankfully you can install any apps as apk’s, no need to hack for that – so its fairly easy to get info on the innards.

RootExplorer is your friend 🙂

RootExplorer also allows you to remount partitions r/w, so root access is fairly easy too. There are precompiled su binaries for 1.5 out there, although I’ve yet to do my phone.

The Dell mini3 is running on a Marvell Tabor. Fast chip, nice touchscreen, decent resolution, just crap on 1.0.

Firmware files for most of the “ophones” (except motorola) are mff files.

The mff files appear to just be compressed images with instructions for how to write the various partitions out.

eg the Lenovo O1 mff has this in the “mff” zip

2010/02/25 10:53 147,111,936 factory_CHERRY.fbf
2010/02/25 10:53 249 factory_CHERRY.mff.mlt
2010/02/25 10:53 364 JADE_EVB_RawNANDx16.ini
2010/02/25 10:53 327 magic_fbf.ini
2010/02/25 10:53 2,692 magic_fbf_inner.ini
2010/02/25 10:53 10,236,719 mfw.pac
2010/02/25 10:53 54,180 MHLV_NTDKB_h.bin
2010/02/25 10:53 176 MHLV_NTDKB_TIM.bin
2010/02/25 10:53 858 NTIM_td.ini

magic_fbf_inner.ini has the layout

[INTEL_FLASH_DEVICE_INPUT_FILE]
Number_of_Images=24

[IMAGE_HEADER_0]
Start_Address=0x240000
Image_Length=0x40000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

[IMAGE_HEADER_1]
Start_Address=0x6900000
Image_Length=0xf00000
EraseBlocks=1
WriteImage=0
VerifyWrite=0

(etc)

Different phones have different firmware writing software, the Motorola’s are using RSDLite, LG – SML_OMS, CTHall, others something homegrown called Firebolt, which is written by BORQS. I have all the firmware tools already, despite the Ophone8 forums lack of courtesy in sharing, grrr.

Most firmware tools appear similar though functionality wise.
Haven’t played around inside the phone yet to see if its easy to get jtag access, although that was mostly because i couldn’t work out how to remove the top part without breaking it.

If anyone wants more info, or a firmware dump let me know.

Hopefully there is some interest out there in the English speaking world for these!

Occasionally even in a well maintained system, qmail has issues.

One semi-common issue I get to see, is when a server we send mail to doesn’t timeout. This ties up an outgoing mail slot. Over a period of time, this can lead to issues where the whole outgoing or incoming queue is sitting doing nothing, as every connection is tied up by ‘tarpitted’ connections.

Ideally Qmail should be able to cope with these.  There are settings in qmail to control how long a connection takes, and how long it should wait for.  These settings are covered in the following files (usually set in /var/qmail/control)

Read more »