{"id":1557,"date":"2014-11-02T18:39:56","date_gmt":"2014-11-03T02:39:56","guid":{"rendered":"https:\/\/surfrock66.com\/?p=1557"},"modified":"2014-11-05T08:57:05","modified_gmt":"2014-11-05T16:57:05","slug":"improving-the-motorola-blink-baby-monitorcamera-part-4","status":"publish","type":"post","link":"https:\/\/surfrock66.com\/?p=1557","title":{"rendered":"Improving the Motorola Blink Baby Monitor\/Camera (Part 4)"},"content":{"rendered":"

\r\n

I screwed up.<\/p>\r\n

I finally did it, I figured out the commands to do a custom firmware, and I tried to flash it...now the camera is UNRESPONSIVE. It boots, but no network, the LED is on, can't talk to it, nada. I'm working on my backout plan now :) Hey, that's the price of hacking. Nevertheless, I've learned a TON which is worth sharing.<\/p>\r\n

Below is the set of commands I used to generate my custom firmware. The original firmware is a tar.gz, which contains conprog.bin and rootfs.bin.gz, then rootfs.bin.gz unpacks into rootfs.bin which can be mounted with:<\/p>
\nsudo mount -t romfs -o loop rootfs.bin \/mnt\/rootfs<\/code>
<\/p>\n

\r\n

I then copied all the contents of that to ~\/Projects\/Blink\/JoeFW.0.01\/rootfs where I made some modifications (I added <p>test<\/p> to blinkhome.html). I then ran the following commands to repack the firmware to be uploaded:<\/p>\r\n
\ngenromfs -d ~\/Projects\/Blink\/JoeFW.0.01\/rootfs\/ -f ~\/Projects\/Blink\/JoeFW.0.01\/rootfs.bin<\/p>\n

tar -C ~\/Projects\/Blink\/JoeFW.0.01\/ -zcp ~\/Projects\/Blink\/JoeFW.0.01\/rootfs.bin.gz ~\/Projects\/Blink\/JoeFW.0.01\/rootfs.bin<\/p>\n

chmod 665 rootfs.bin.gz<\/p>\n

tar -C ~\/Projects\/Blink\/JoeFW.0.01\/ -zcpf ~\/Projects\/Blink\/JoeFW.0.01\/bmfwromfs_08_052.tar.gz rootfs.bin.gz conprog.bin<\/code>
\n\r\n

So, I went to blinkhome.html, clicked firmware upgrade, then uploaded my new firmware...it uploaded successfully and said it flashed, but then it never came back on.<\/p>\r\n

Now, this is probably my fault...I actually screwed up my tar command in a rev 1.0 and added full path to my rootfs...so it was \/home\/surfrock66\/Projects\/Blink\/rootfs\/~ and I believe the flash just copied the whole thing as is, so I may have filled up the storage on there with a full 2nd copy of the firmware. FAIL.<\/p>\r\n

That being said, there's still more work to do. I began analyzing the rest of the firmware, and specifically the executables in there.<\/p>\r\n

I wanted to start analyzing the firmware update binaries. Assume the root of the rootfs, in \/mlsrb_src\/ there is fwupgrade and otatest. I wanted to see if I could figure out how the upgrade works to see if there's anything I missed, and see how the auto-online-upgrade works to see if I can't download the actual firmwares from motorola. I started with this command, which produced the following output:<\/p>\r\n
\nsurfrock66@sr66-darter:~\/Projects\/Blink\/JoeFW.0.1\/blinkromFW\/mlsrb_src$ file fwupgrade
\n
fwupgrade: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked (uses shared libs), stripped
\n
surfrock66@sr66-darter:~\/Projects\/Blink\/JoeFW.0.1\/blinkromFW\/mlsrb_src$ file otatest
\n
otatest: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked (uses shared libs), stripped
\n
surfrock66@sr66-darter:~\/Projects\/Blink\/JoeFW.0.1\/blinkromFW\/mlsrb_src$ file mlswwwn\/cgi-bin\/online_upgrade
\n
mlswwwn\/cgi-bin\/online_upgrade: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked (uses shared libs), stripped<\/code>
\n\r\n

I'm planning on installing the ELDK<\/a> to figure out some of the stuff in there, but before that, I started dumping strings from the binaries to see what I could find. I'm not outputting all of it here, but some of it will be curious to you:<\/p>\r\n
\nstrings fwupdate
\nstrings otatest
\nstrings mlswwwn\/cgi-bin\/online_upgrade<\/code>
\n\r\n

Some Interesting Snippets, first from fwupdate:<\/p>\r\n
\nmd5sum %s >\/tmp\/xyz.md5
\n
\/tmp\/xyz.md5
\n
MD5 of the file is '%s'
\n
MD5 Not Matched. ERROR ERROR ERROR
\n<\/code>
\n\r\n

HMM. An MD5 check? then my firmware shouldn't have flashed, right? So how did I break it?<\/p>\r\n

Now, onto otatest, which is FASCINATING:<\/p>\r\n
\n
\nCurrent Version (%02d-%03d)
\n
http:\/\/%s\/version_dev.txt
\n
ota.monitoreverywhere.com\/ota\/cam_patch
\n
http:\/\/%s\/version.txt
\n
Going to download this file '%s'
\n
msc2000:patch2012
\n
libcurl-agent\/1.0<\/p>\n

going to calculate Checksum
\n
md5sum %s.tar.gz > xyz.md5
\n
xyz.md5
\n
MD5 of the file is '%s'
\n
MD5 of the MD5 File is '%s'
\n
MD5 not matched
\n
WRITING TO FLASH.
\n
http:\/\/%s\/cameraservice?action=command&command=success_update&mac=%s&version=%02d%03d&random=%08X
\n
bms.monitoreverywhere.com\/BMS<\/p>\n

http:\/\/98.130.72.88\/ms85478\/2a4w00<\/p>\n

75.101.137.50\/ota\/cam_patch
\n<\/code>
\n\r\n

VERY interesting stuff. That ota.monitoreverywhere.com\/ota\/cam_patch site has a password wall...but look below, on a hunch I tried msc2000 as the username and patch2012 as the password, and it WORKED..but there's no files hosted. I assume you have to pass some sort of info over POST\/GET, I bet I'll find out more when I get to decompiling. bms.monitoreverywhere.com\/BMS goes to the client portal, with an outdated SSL cert I might add, which is a little bit of a cooler interface. I tried the other URL's in there, they go nowhere I can find, and I tried a few different ports.<\/p>\r\n

Lastly, I looked at online_upgrade...nothing particularly interesting there. I also did see a file in \/mlsrb_src called \"mjpg_streamer_iball\" (IT'S GPL MOTOROLA YOU HAVE TO RELEASE THE SOURCE >:[ ) and I string'd that, which turned up some new commands and confirmed some others:<\/p>\r\n