I recently found myself requiring to downgrade the firmware on the lab's in-house IP camera.
Attempts at trying to do so using the 'Upgrade Device Firmware' utility from the UI (pictured below) failed.
(Might sound counterintuitive, but it was also the obvious thing to try).
Some Internet searches later, it appeared that a downgrade might be possible using a serial connection. It was time to get se-real.
In this post I detail how I went about doing this.
In order to set up the serial connection, the camera's PCB needed to be taken out of it's housing.
(If you're trying this out yourself, note that as soon as you touch solder to the PCB, the camera's warranty is rendered null and void.)
On the model I was working on, the serial connection pins were labelled J2 and located next to the WiFi module, as seen marked in the image below.
The individual pins are identified in the figure below :
Once the serial connection pins are identified, a simple 3-wire serial connector cable needs to be soldered onto them. Only the Rx, Tx and Ground pins need to be connected.
For the soldering job, I had to seek the help of a more skilled person than myself. This is what an expert's work looked like.
The image shows the back side of the PCB that we soldered onto for convenience - explaining the reversed PIN order from the previous image.
(My attempts at soldering have been withheld from publication as they were deemed unfit for public viewing by the soldering censor board)
The other end of the connector cable was connected to a module with a MAX3232 IC that converts a serial RS-232 signal to TTL digital logic at 3.3V.
(I assumed that the use of a similar module that gives an output at 5V would fry the camera, and didn't have the resources to put that to test. [Insert IP camera equivalent of Raspberry Fry joke here])
I used PuTTY to listen in on the serial port but any other program like minicom or TeraTerm for Windows would work just as well, with the following settings.
Baud Rate : 115200
Data bits : 8
Stop bits : 1
Parity : None
Flow Control : None
Once the setup was done, the camera was rebooted and I was able to see the bootloader. Pressing Esc allows a user to enter debug mode.
Old firmware versions are not the easiest to find, but it's still possible. The System firmware file I downloaded was a single file with extension .bin
In order to 'unpack' it for uploading to the camera, a handy publicly-available tool called fostarn can be used.
This generated two files that are loaded onto the camera as explained in the next step.
Once in debug mode, an ls allows you to see memory images on the camera.
The command fx allows transferring the unpacked files onto the camera using Xmodem
Finally, it turned out that beyond one of the intermediate firmware versions (between the current and desired older version), a rollback wasn't possible.
I guess one could take their word when the README for an intermediate firmware states :
"Note: After upgrading to this version, it cannot downgrade to previous versions."
Did someone say RTFM?
However, I now have access to the filesystem on the device that runs a shell called Sash
Check back for the next post detailing more findings from FS exploration.
Special thanks to Cyrille Carrasco for his help with the soldering