So far I've managed to extract a romfs image of a uClinux installation from the binary file inside of the "System firmware" directory. I've then been able to extract the files from the compiled romfs file onto my computer.
Everything looks pretty simple so far. "/bin/init" is a shell script that mounts some ram devices or something and then runs "/bin/camera" in the background and then starts up an instance of "/bin/sh". What I'm wanting to do is compile and insert a telnet server into the romfs image, recompile that into the Foscam firmware archive and then upload it onto my camera so that I can fuck around with it. The only thing I know about the hardware the camera is running is that its processor is some ARMv7 variant. I don't know how much RAM it has, and I don't know how to go about actually compiling code for it. Any insight or pointers are welcome.
Alright, I poked around with the "/bin/camera" program and figured out that it is in a bFLT binary format, and all of contents of the program are gzip compressed (except for the bFLT header, of course) and I'm currently looking at the assembly and strings inside of the raw binary.
If it tells you that it can't figure out where the entry point is, just hit "Yes" and it'll assume it's at the beginning of the file.
Caleb Parker
What is this, a good thread on Sup Forums? Get the fuck outta here with this actual content.
Henry Stewart
where did you start on reverse engineering, would be cool if you were able to inject a ssh/telnet backdoor on these cameras.
Nathan Taylor
>where did you start on reverse engineering In general or on this particular project?
Nathan Nguyen
I've got nothing that I can contribute to your project OP, I just wanted to say that it's very interesting. Please keep us updated, and good luck!
Logan Lee
That's pretty rad.
Justin Cruz
In general, please. I'm tired of working on pointless shit.
Zachary Hill
>would be cool if you were able to inject a ssh/telnet backdoor on these cameras. Assuming I can get over the compilation hurdle, this should be pretty trivial. There's a page on the camera's built-in webserver that allows you to upload firmware binaries directly from your computer. Not sure if the binaries are supposed to be signed or not, but assuming how shitty and monolithic the /bin/camera strings/code is, I doubt that Foscam gives enough of a shit to verify that.
Ryder Long
It would probably be easier to exploit some vulnerability you might find when reversing some of the binaries on that camera. Creating your own firmware update can be easy if there's only stuff like simple checksumming involved, however you are probably most likely going to break it by doing it that way. If you mess something up while rebuilding the filesystem and the camera is actually going to update with your file, you'd be screwed.
Anthony Ramirez
Not sure how I can get around that desu. I can't find any docs online describing the hardware in detail so it's not like I can run a VM simulating the camera. If there's going to be any exploitable code, it's most likely going to be in /bin/camera or /bin/wetctl since those seem to be unique to the hardware. If only I wasn't shit at finding exploits though...
Wyatt Adams
I don't have anything to contribute but this is a great thread, thanks OP
Justin Roberts
i have these cameras pls delet this thread
Easton Howard
A statically compiled version of qemu is always helpful to debug. Most embedded devices have shit security so you should be able to find something. The firmware update function for example. Take a look at where this is being handled and what it does. It might invoke system() with some user controllable parameter.
Carter Foster
Honestly it's just a matter of finding a device or piece of software that you REALLY wanna break/crack/figure out how it works and just researching all of the methods to do so. I started out around 8 years ago with "hacking" GBA ROMs. My best piece of advice though, is if you want to know how to crack into some hardware or software, you'll learn more by trying to replicate its behavior than you will by beating your head against it over and over trying to brute-force your way in. That's just my 2 cents though, ymmv.
Michael Jackson
There's a shitton of semi-prepared shell command strings inside of /bin/camera, some of them which might also format with user input, so I think that's where I'll start. Thx friendo
That's actually the blog where I found out to trim the first 20 bytes off the firmware binary to get a slightly malformed but usable zip file. I only read his initial blog post though, I didn't realize that he posted more. Thanks
John Nguyen
In case anyone is still following along, I found another blog post that explains in detail how to run individual ARM binaries from this particular camera's firmware in qemu and also how to calculate the checksum for custom firmware.
