
Getting Serial on an IP Camera

By Ruchna Nigam | November 19, 2014

I recently found myself needing to downgrade the firmware on the lab's in-house IP camera.

Attempts to do so using the 'Upgrade Device Firmware' utility from the UI (pictured below) failed.
(Might sound counterintuitive, but it was also the obvious thing to try).

Firmware Upgrade using the UI

Some Internet searches later, it appeared that a downgrade might be possible using a serial connection. It was time to get se-real.

In this post I detail how I went about doing this.

1. Solder connections to IP Camera Serial Pins

In order to set up the serial connection, the camera's PCB needed to be taken out of its housing.
(If you're trying this out yourself, note that as soon as you touch solder to the PCB, the camera's warranty is rendered null and void.)

On the model I was working on, the serial connection pins were labelled J2 and located next to the WiFi module, as seen marked in the image below.

The individual pins are identified in the figure below:

Individual pins in J2

Once the serial connection pins are identified, a simple 3-wire serial connector cable needs to be soldered onto them. Only the Rx, Tx and Ground pins need to be connected.

For the soldering job, I had to seek the help of a more skilled person than myself. This is what an expert's work looked like.

Soldered J2 pins

The image shows the back side of the PCB, which we soldered onto for convenience. This explains the reversed pin order from the previous image.
(My attempts at soldering have been withheld from publication as they were deemed unfit for public viewing by the soldering censor board)

2. Connect cable to Serial-TTL module

The other end of the connector cable was connected to a module with a MAX3232 IC that converts a serial RS-232 signal to TTL digital logic at 3.3V.

Serial-TTL converter module

(I assumed that the use of a similar module that gives an output at 5V would fry the camera, and didn't have the resources to put that to the test. [Insert IP camera equivalent of Raspberry Fry joke here])

3. Connect module to Serial Port on PC

4. Listen on Serial Port

I used PuTTY to listen in on the serial port, but any other program, such as minicom or TeraTerm for Windows, would work just as well with the following settings:

Baud Rate : 115200
Data bits : 8
Stop bits : 1
Parity : None
Flow Control : None

5. Bootloader!

Once the setup was done, the camera was rebooted and I was able to see the bootloader. Pressing Esc allows a user to enter debug mode.

Bootloader menu on Camera

6. Prepare Firmware version of interest

Old firmware versions are not the easiest to find, but it's still possible. The System firmware file I downloaded was a single file with the extension .bin.

Firmware File

In order to 'unpack' it for uploading to the camera, a handy publicly-available tool called fostarn can be used.

fostarn Output

This generated two files that are loaded onto the camera as explained in the next step.

7. Load Firmware

Once in debug mode, an ls allows you to see memory images on the camera.

The command fx allows transferring the unpacked files onto the camera using Xmodem.

Loading Firmware onto Camera
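
The fx transfer above uses Xmodem. As an added example (not code from this post or from the camera vendor), the Python below builds the frames of an XMODEM-CRC transfer and applies the receiver's per-block check. The post does not say whether this bootloader uses the CRC or the older checksum variant, so the CRC variant, the function names and the sample image are all assumptions.

```python
# Added illustration: XMODEM-CRC framing. Names and sample data are constructed.
SOH, ACK, NAK, SUB = 0x01, 0x06, 0x15, 0x1A   # protocol control bytes
BLOCK = 128                                    # payload bytes per frame

def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def build_frames(image):
    """Split an image into SOH | seq | ~seq | 128-byte payload | CRC16 frames."""
    frames = []
    for offset in range(0, len(image), BLOCK):
        # The last block is padded with SUB (0x1A), so the receiver may store
        # up to 127 trailing pad bytes after the real data.
        payload = image[offset:offset + BLOCK].ljust(BLOCK, bytes([SUB]))
        seq = (offset // BLOCK + 1) & 0xFF     # starts at 1, wraps 255 -> 0
        header = bytes([SOH, seq, 0xFF - seq])
        frames.append(header + payload + crc16_xmodem(payload).to_bytes(2, "big"))
    return frames

def receiver_reply(frame, expected_seq):
    """Return ACK or NAK for one frame, as the receiving side would."""
    if len(frame) != 3 + BLOCK + 2 or frame[0] != SOH:
        return NAK
    seq, inverse = frame[1], frame[2]
    if seq != expected_seq & 0xFF or seq + inverse != 0xFF:
        return NAK
    payload, sent_crc = frame[3:-2], int.from_bytes(frame[-2:], "big")
    return ACK if crc16_xmodem(payload) == sent_crc else NAK

# Constructed 260-byte stand-in for an unpacked firmware file (3 frames).
SAMPLE_IMAGE = bytes(range(256)) + b"tail"

if __name__ == "__main__":
    frames = build_frames(SAMPLE_IMAGE)
    for number, frame in enumerate(frames, start=1):
        print(number, len(frame), hex(receiver_reply(frame, number)))
    # One bit flipped on the wire: the receiver answers NAK and the sender
    # retransmits. The CRC catches line noise; it does not authenticate the image.
    noisy = bytearray(frames[0])
    noisy[10] ^= 0x01
    print("noisy frame ->", hex(receiver_reply(bytes(noisy), 1)))
```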


Finally, it turned out that beyond one of the intermediate firmware versions (between the current and desired older version), a rollback wasn't possible.

I guess one could take their word when the README for an intermediate firmware states :
"Note: After upgrading to this version, it cannot downgrade to previous versions."
Did someone say RTFM?

However, I now have access to the filesystem on the device, which runs a shell called Sash.

Sash shell

Check back for the next post detailing more findings from FS exploration.

Acknowledgements :
Special thanks to Cyrille Carrasco for his help with the soldering
