sofent / firmware-mod-kit

Automatically exported from code.google.com/p/firmware-mod-kit
0 stars 0 forks source link

Additional Device Support Request: D-Link DCS-930 #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I recently bought an inexpensive network camera. By pure chance it turned out 
to be Linux driven! By default you can telnet into it and it provides you with 
a root shell; there are, however, fairly few executables on the device, and I 
have yet to find and install a proper toolchain to cross-compile some useful 
things.

The SoC seems to be used by a fair few 802.11n-routers as well, so it seems to 
be powerful enough for that. It also seems to have USB host functionality, 
which could provide for some cool mods in the future (I'm thinking 3G modem, to 
be able to truly place it anywhere). I have yet to open it up, however, as 
there seems to be no easy way of doing just that.

$ telnet 192.168.0.20
Trying 192.168.0.20...
Connected to 192.168.0.20.
Escape character is '^]'.

(none) login: admin
Password: 

BusyBox v1.12.1 (2010-08-02 15:08:25 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/cpuinfo 
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 212.99
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

# cat /proc/meminfo
MemTotal:        27532 kB
MemFree:         10676 kB
Buffers:             0 kB
Cached:           8460 kB
SwapCached:          0 kB
Active:           3648 kB
Inactive:         6292 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        1520 kB
Mapped:           1480 kB
Slab:             4556 kB
SReclaimable:     1664 kB
SUnreclaim:       2892 kB
PageTables:        272 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     13764 kB
Committed_AS:     3716 kB
VmallocTotal:  1048404 kB
VmallocUsed:      1848 kB
VmallocChunk:  1046556 kB
#

Firmware attached.

Original issue reported on code.google.com by benja...@mysteriousquilt.se on 3 Oct 2011 at 3:37

Attachments:

GoogleCodeExporter commented 9 years ago
Indeed, many embedded devices have developed derivatives of Linux. The #1 
reason is that is is free, with #2 being that it works, and has wide 
application support.

Did you try running the FW through the extract-ng.sh script? Or is that implied 
(or stated somewhere I missed).

Original comment by jeremy.collake@gmail.com on 3 Oct 2011 at 9:44

GoogleCodeExporter commented 9 years ago
Outout of extract-ng.sh 

[root@dans34 trunk]# ./extract-ng.sh DCS-930_A1_FW_v100_build_9.bin  firmware24 
Firmware Mod Kit (build-ng) 0.71 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL         HEX             DESCRIPTION
--------------------------------------------------------------------------------
-----------------------
18509776        0x6567616D      uImage header, header size: 64 bytes, header 
CRC: 0x7A0B5F72, created: Mon Aug  2 08:12:49 2010, image size: 3419904 bytes, 
Data Address: 0x80000000, Entry Point: 0x803B6000, data CRC: 0x52EEAAC, OS: 
Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image 
name: Linux Kernel Image

Extracting 0 bytes of  header image at offset 0
ERROR: No supported file system found! Aborting...

Original comment by danarn...@gmail.com on 4 Oct 2011 at 11:44

GoogleCodeExporter commented 9 years ago
Output of extract_firmware.sh

[root@dans34 trunk]# ./extract_firmware.sh DCS-930_A1_FW_v100_build_9.bin  
firmware24

 Firmware Mod Kit (extract) v0.71 beta, (c)2010-2011 Jeremy Collake, - Newer NG edition by Craig Heffner
 Checking for updates ...
  You have the latest version of this kit.
 LINUX system detected. Compatibility ok.
 Testing file system of firmware24 ...
 Building tools ...
 Build seems successful.
 Preparing working directory ...
 Removing any previous files ...
 Creating directories ...
 Extracting firmware
! untrx failed, trying splitter3
 Not recognized by splitter3
 Attempting raw linux style firmware package (i.e. TEW-632BRP) ...
 Extracting DCS-930_A1_FW_v100_build_9.bin to firmware24 ...
 Error: filesystem not extracted properly.
  firmware image format not compatible?

Original comment by danarn...@gmail.com on 4 Oct 2011 at 11:46

GoogleCodeExporter commented 9 years ago
Although there are several string references to CramFS, there is no CramFS 
signature in the firmware.  Although gunzip is also referenced in the firmware, 
I don't see any valid looking gzip headers either.

Since you have a telnet shell on the device, can you cat out /proc/mtd? This 
should list which mtd block holds the file system. You should be able to 
extract the file system from the device (most embedded systems have a tftp 
client/server, or you could post the file to a web page using wget/curl, it 
just depends on what executables you have available on the device).

For example, if the root file system is located on mtdblock3, you could do:

# cat /dev/mtdblock3 > /tmp/filesystem
# tftp -p <ip address of your pc running a tftp server> -l /tmp/filesystem -r 
filesystem

Note that the tftp syntax above is the usual syntax for the busybox tftp 
client; they may be using something different, so syntax may vary.

If we can get a copy of the file system as it is stored in flash, it will help 
narrow down what we should be looking for in the firmware image.

Other useful output would be:

# cat /etc/fstab
# mount

Thanks!

Original comment by heffne...@gmail.com on 4 Oct 2011 at 1:37

GoogleCodeExporter commented 9 years ago
As for building a toolchain, I would just build a generic MIPS-I cross compiler 
using buildroot (http://buildroot.uclibc.org/). These usually work fine, 
especially if you statically link your binaries. 

If you can get a toolchain from the vendor this may (or may not...) work 
better, but I find going the buildroot route is usually easier.

Original comment by heffne...@gmail.com on 4 Oct 2011 at 1:40

GoogleCodeExporter commented 9 years ago
Thy will be done! :)

# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00030000 00010000 "Bootloader"
mtd1: 00010000 00010000 "Config"
mtd2: 00010000 00010000 "Factory"
mtd3: 003b0000 00010000 "Kernel"
# mount
rootfs on / type rootfs (rw)
proc on /proc type proc (rw)
none on /var type ramfs (rw)
none on /etc type ramfs (rw)
none on /tmp type ramfs (rw)
none on /media type ramfs (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)
none on /proc/bus/usb type usbfs (rw)
mdev on /dev type ramfs (rw)
devpts on /dev/pts type devpts (rw)

As for /etc/fstab, it does not exist.

Problem is, there is no tftp client. There is a binary named tftpupload, and 
I'll try doing something with it. Meanwhile, these are the binaries available 
to me:

[                    config-udhcpd.sh     goahead              killall          
    mount                pppoecd              switch               vconfig
[[                   config-vlan.sh       gpio                 klogd            
    mount.ntfs-3g        printf               syslogd              vi
ash                  config.sh            grep                 lan.sh           
    msmtp                ps                   tc                   video.sh
ated                 cp                   halt                 lanconfig        
    mtd_write            pwd                  telnetd              
vpn-passthru.sh
audiopush            date                 hostname             lld2d            
    nat.sh               qos_run              test                 wan.sh
automount.sh         ddns.sh              ifconfig             logger           
    ntfs-3g              ralink_init          tftpupload           wc
basename             dhcp.sh              imagetp              login            
    ntp.sh               reboot               touch                web.sh
bpacket              echo                 inadyn               logread          
    ntpclient            reg                  ucp                  
wifi_unload.sh
brctl                ethtool              inetd                ls               
    nvram_daemon         rm                   udev                 wlan.sh
busybox              expr                 init                 lsmod            
    nvram_get            rmmod                udhcpc               wscd
cat                  fdisk                insmod               mail             
    nvram_set            route                udhcpc.sh
chmod                firewall.sh          internet.sh          mdev             
    pcmcmd               schedule             udhcpd
chpasswd             free                 ipush                mii_mgr          
    ping                 sed                  umount
chpasswd.sh          ftpd                 iwconfig             mkdir            
    ping6                sh                   upgradefw
config-dns.sh        ftpputimage          iwpriv               mkdosfs          
    poweroff             sleep                uptime
config-igmpproxy.sh  global.sh            kill                 mknod            
    pppoe.sh             storage.sh           uvc_stream

Original comment by benja...@mysteriousquilt.se on 4 Oct 2011 at 7:17

GoogleCodeExporter commented 9 years ago
Hm. I'm trying to make builroot, but the menuconfig won't let me change target 
architecture. Grr.

Original comment by benja...@mysteriousquilt.se on 4 Oct 2011 at 7:32

GoogleCodeExporter commented 9 years ago
It looks like there is ftpd though, see if you can fire that up and transfer 
files.

Odd about buildroot; I have no problems with it. The target architecture should 
be the first option in menuconfig.

Original comment by heffne...@gmail.com on 6 Oct 2011 at 1:10

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Marking this as accepted and leaving open until we can get some more 
information on the device.

Original comment by heffne...@gmail.com on 9 Oct 2011 at 2:54

GoogleCodeExporter commented 9 years ago
I have the DCS-930 and I want to control a two electrical motors through the 
camera (ser2net). 
For do it I must compile Linux image. I was download source code 
(http://tsd.dlink.com.tw/downloads2008.asp). But I can`t find and configure Web 
User Interface. I am just get only Linux image without WebUI. Help me please!!!

Original comment by rx9...@gmail.com on 22 Nov 2011 at 3:49

GoogleCodeExporter commented 9 years ago
rx9abc:

We can't support vendors GPL code (or lack thereof, as the case may be). 
However, I'm downloading the GPL code now myself; if the right squashfs code is 
there, I will be able to update the FMK to support extracting and re-building 
the DCS-930 firmware.

Original comment by heffne...@gmail.com on 23 Nov 2011 at 12:17

GoogleCodeExporter commented 9 years ago
Thank you. I will be wait positive or negative result.

Original comment by rx9...@gmail.com on 24 Nov 2011 at 11:35

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I know it's been a while, but I was looking at the DCS-930 firmware again 
recently. It appears that the file system is located inside the compressed LZMA 
kernel image (located immediately after the uImage header). 

You can dd the LZMA compressed kernel out of the image, then run p7zip to 
decompress it. One of the last results binwalk reports is an LZMA compressed 
section with the properties 0x5D. If you dd that out of the uncompressed kernel 
image, you can decompress it (again using p7zip), and the file utility reports 
that it is a CPIO archive. Extract that using the cpio utility and you've got 
your file system.

This is different enough that I don't see FMK supporting it in the near future. 
But you should be able to manually re-construct the image with a modified file 
system, and build-ng/crcalc will re-calculate the uImage CRC for you.

Original comment by heffne...@gmail.com on 18 Jun 2012 at 12:15

GoogleCodeExporter commented 9 years ago

Original comment by heffne...@gmail.com on 9 Jul 2012 at 3:37