Hacking Linksys IP Cameras (pt 5)

Fri, 05 Jun 2009 08:04:55 GMT

This article is a continuation of the following GNUCITIZEN articles: pt 1, pt 2, pt 3, pt 4.

Mounting the filesystem on your workstation

There are many ways to mount the camera's filesystem using the firmware binary. In this post, we'll explain one way to mount firmware version v1.00R24 which is the latest available for the WVC54GCA model.

If you were to only use the firmware binary, things could be a bit difficult, as you don't know the format of the binary at all. However, having the GPL firmware helps a lot as we'll see next. I emailed Linksys back on Apr 23, 2009 informing them that although the GPL firmware was available on their site for other Linksys products, they hadn't uploaded the one for the WVC54GCA camera. A few days later, on Apr 27, 2009, Linksys kindly made it available and has been available ever since (the file to download is wvc54gca_v1.00R24.tgz).

Thanks to Lex Landa's tips I was able to figure out the parameters required to mount the firmware binary, by analysing the data contained in the ./scripts/wvc54gc_usa_english/combine.cfg file which is included with the GPL firmware:

size = 00400000
file = WVC54GCA.bin
f1_name = loader
f1_start = 00000000
f2_name=loader.ver
f2_start=00007FFE
f3_name=**kernel**
f3_start=**00020000**
f4_name=**filesystem**
f4_start=**000E0000**
f5_name=PID
f5_start=003FFFB2

I simply focused on the kernel and filesystem parameters. The previous settings show that then kernel starts at 0x20000 (131072 bytes / 128 KB), and the filesystem starts at 0xE0000 (917504 bytes / 896 KB). In order to start dd) reading at 0xE0000, we need to keep 7 chunks of 131072 bytes. i.e.:7*131072=917504 bytes=0xE0000 (the position we want)

$ dd if=DYFF08-402-1024.bin bs=**131072** of=fs.img skip=**7**
25+0 records in
25+0 records out
3276800 bytes (3.3 MB) copied, 0.019424 s, 169 MB/s

We then verify that our image file is a valid squashfs filesystem:

$ file fs.img 
fs.img: Squashfs filesystem, little endian, version 3.0, 2216311 bytes, 475 inodes, blocksize: 65536 bytes, created: Fri Nov  9 03:58:52 2007

A finally mount it on our hardrive:

$ sudo mkdir /mnt/test
$ sudo mount -t squashfs fs.img /mnt/test -o ro,loop
$ ls /mnt/test/
bin  dev  etc  lib  mnt  proc  root  sbin  tmp  usr  var
joshjosh
Here are some pictures of the insides of the Linksys WVC54GCA Webcam along with liks to the data sheets for some of the chips... http://www.flickr.com/photos/bigjosh/3750837001/in/photostream/ ...just to save oneone the time of taking thiers appart. -josh
pagvacpagvac
sweet, thanks for that josh!
paulpaul
So one you have mounted the bin, cant you edit that to setup some back door to let you in, or better yet to enable telnet???
RicardoRicardo
I have a question. The camera has a surveilance mode that lets you record event-driven video of up to 5 (yes, five) seconds before/after the event itself. Is there any way to have the camera record something like, maybe 10 minutes worth of video instead of 5 seconds?
nicknick
Ricardo, Unlikely. The device only has 32MB of onboard RAM and a not very powerful processor. To be able to "record" 10 minutes worth of video at any useable resolution and then send that by ftp (forget email due to the size of the video file) would require processing power and RAM that the device just does not have. Best scenario is to use the video stream produced by the device and feed that into a PC running security software that would detect motion and record the event. Such software is available.
BrunoBruno
You can disassemble the firmware binary and mount the filesystem. Q: can you assemble it back to a valid firmware binary?
diggerdigger
Sorry to bother you, but on my side of the planet ftp.linksys.com seems to be broken so I can't find any download source for R22 and R24 releases (both firmware and gpl code). If either of you have them backed up please give me a link, torrent, rapidshare, megaupload ... whatever. Thanks in advance.
valexvalex
The ftp site is down, anyone with a stashed copy of the R24 firmware + code ?
LukeLuke
Very nice stuff you folks did but little beyond me. So could you help a mere mortal with what I think is a simple question. Would there be a command that would do a warm reboot of the camera (cf the reset to factory defaults). All the pieces seem to be there but I don't know how to do that.
PaulPaul
The source code wvc54gca_v1.00R24.tgz is there... http://downloads.linksysbycisco.com/downloads/wvc54gca_v1.00R24.tgz
NickNick
Bruno, I had a go at doing this since I wanted hack the root password. However, the problem I had was that I could not generate a squashfs image that was the same size as the same size as the original. I gave up when the new firmware was made available, since seemed to solve the main issue I had with the previous f/w (motion detect ridiculously sensitive). Only problem I have with the camera at the moment is that it won't stay on the wireless network for any length of time. Just drops off and has to be hard reset. Digger/Valex. Linksys site appears okay at present. Current f/w is Ver.1.1.00 build 02. Luke. I don't know of a hack to reset the camera. When logged in with admin privs I thought that there was an option to reset it, but unfortunately, my camera is not online at the moment and I cannot get it to come up on the wi-fi network so I cannot check that - sorry.
LukeLuke
In case anybody else needs it the command to software reset the camera: http://ip_address:port/adm/reboot.cgi The reboot command will respond with a simple OK. Sometimes the camera blacks-out (there is no image) but you still can access the the built-in webserver. If you are in luck the reboot will restore the image. However if the camera really locks-up (the webserver doesn't respond) you need to unplug the camera.
Return PrivacyReturn Privacy
Hi all, I need firmware v1.1.00 build 02 for wvc54gca. Linksys tech support had me update to v1.1.01 build 01 and it totally broke the motion detection recording function. I need the v1.1.00 build 02, that worked fine. I found the problem was a router, I should have never called them. The v1.1.00 build 02 worked great. I did find a copy of v1.00R24 on another site, but that won't work with wpa2, and some other things don't work right. If you have v1.1.00 build 02, please share it with me so I can get this camera working again. Thank you.
Return PrivacyReturn Privacy
I found the firmware v1.1.00 build 02 and it fixed all the problems with this camera. Do NOT use the newer v1.1.01 build 01, it breaks the motion detection recording completely! If anyone else wants the download link, it is a german drivers site, here it is: http://translate.google.com/translate?hl=en&sl=de&u=http://www.treiberupdate.de/treiber-download/download-182342-treiber-LinkSys-WVC54GCAWireless-G.html&ei=LVZxTJHJL4P_8AbF_-T9DA&sa=X&oi=translate&ct=result&resnum=2&ved=0CB0Q7gEwATiWAQ&prev=/search%3Fq%3Dfirmware%2Bwvc54gca%26start%3D150%26hl%3Den%26client%3Dsafari%26sa%3DN%26rls%3Den
ryanryan
hello , I am trying to mount this firmware so I can explore the other cgi options available within. Why? I have a Sercomm wireless IP camera and the commands I HAVE unconvered are very similar to those in this article. Except, my firmware was already updated to prevent the exploits. Therefore, if I can mount it and explore the filesystem, I may have luck decoding more cgi commands for my camera ... If anyone astill has access to or a copy of the firmware source code, I would love to host it publicly for all. All links provided in this comment thread no longer work as of the date of this post. Google turns up nothing. I see the BIN posted, but I need the source code! Thanks for any help!