Bricked Foscam C2 brought back to life after 2 years...

2 year ago my Foscam C2 got bricked and would not boot up anymore since than it was in my box of last remains of electronic gadgets...

But last week I stumbled upon a post which had the missing password I was looking to unlock the loader and address the error on the nand memory.

As in my previous post  the way to access the device is connecting to the serial port on the device.
You use a program like terraterm / putty or similar at 115200 bautrate and 8N1 setting

To enter into the boot / debug console keep the enter key pressed while booting.
So the magic Amerella amboot password to use and proceed to the commandline is "ipc.fos~"

This will bring you into the amboot screen.

To fix my problem I needed to repair the broken filesystem. To do this, the original files need to be flashed to the device.... the big problem.. as the device is not starting this was not possible.

Foscam support was sending some files that allows recovery from sd card, but this was not working as that requires the boot process to work (somewhat)

The way to proceed is by loading the firmware from the network
You can do so by defining the network parameters manually (fixed ip, own defined mac)
Depending on the amboot version you need to define eth0 or eth1... but it doesnt hurt if you define both.

you do that like this:

amboot> setenv eth 1 ip 192.168.6.230
amboot> setenv eth 1 mac 00:62:1A:1A:1A:1A
amboot> setenv eth 1 mask 255.255.255.0
amboot> setenv eth 1 gw 192.168.6.1

amboot> setenv eth 0 ip 192.168.6.230 
amboot> setenv eth 0 mac 00:62:1A:1A:1A:1B
amboot> setenv eth 0 mask 255.255.255.0
amboot> setenv eth 0 gw 192.168.6.1


Once that is done, the next step is to somehow get the right firmware files. Foscam support was not helpful in getting these... had to scout the internet's few references to find the file for my device. The file to look for was "Serial port updating for C2.zip" 
Note that same logic can be used for quite a few foscam camera's (C2 / R2 / FI9900P / FI9900EP / R4 / FI9961EP / R2E / P4 / Z2 / FI9928P / FI9926P / FI9936P)

With the network settings defined as above, and with the recovery file, you need to fire up a tftp serverand serve the recovery bin file.

then issue the command  to start the update process
tftp program flash_C2_1.11.1.8_2.72.1.26.bin



amboot> 

             ___  ___  _________                _   
            / _ \ |  \/  || ___ \              | |  
           / /_\ \| .  . || |_/ /  ___    ___  | |_ 
           |  _  || |\/| || ___ \ / _ \  / _ \ | __|
           | | | || |  | || |_/ /| (_) || (_) || |_ 
           \_| |_/\_|  |_/\____/  \___/  \___/  \__|
----------------------------------------------------------
Amboot(R) Ambarella(R) Foscam(R) Copyright (C) 2004-2014 2015-05-23
Foscam(R) Copyright (C) 2015-05-23
will reset phy by g95.
reset phy completed, gpios2 data: 0xF8001E00.
             ___  ___  _________                _   
            / _ \ |  \/  || ___ \              | |  
           / /_\ \| .  . || |_/ /  ___    ___  | |_ 
           |  _  || |\/| || ___ \ / _ \  / _ \ | __|
           | | | || |  | || |_/ /| (_) || (_) || |_ 
           \_| |_/\_|  |_/\____/  \___/  \___/  \__|
----------------------------------------------------------
Amboot(R) Ambarella(R) Copyright (C) 2004-2014
Boot From: NAND 2048 RC 
SYS_CONFIG: 0x3006005B POC: 101
Cortex freq: 600000000
iDSP freq: 144000000
Dram freq: 528000000
Core freq: 144000000
AHB freq: 72000000
APB freq: 36000000
UART freq: 24000000
SD freq: 48000000
SDIO freq: 48000000
SDXC freq: 48000000
1st input Passwd:
2st input Passwd:
2st input Passwd:
3st input Passwd:
3st input Passwd:
amboot> setenv eth 1 ip 192.168.6.230
amboot> setenv eth 1 mac 00:62:1A:1A:1A:1A
amboot> setenv eth 1 mask 255.255.255.0
amboot> setenv eth 1 gw 192.168.6.1
amboot> ping 192.168.6.1
link down ...
amboot> setenv eth 0 ip 192.168.6.230 
amboot> setenv eth 0 mac 00:62:1A:1A:1A:1B
amboot> setenv eth 0 mask 255.255.255.0
amboot> setenv eth 0 gw 192.168.6.1
amboot> ping 192.168.6.1
link down ...
amboot> ping 192.168.6.230
link down ...
amboot> tftp program flash_C2_1.11.1.6_2.72.1.18.bin
downloading [flash_C2_1.11.1.6_2.72.1.18.bin]:
................................................................
................................................................
................................................................
................................. got 59093948 bytes
Jumping to 0x00100000

------------------------------------------------------
In-memory Firmware Flash Programming Utility (by C.C.)
Ambarella(R) Copyright (C) 2004-2008
------------------------------------------------------
Boot From: NAND 2048 RC 
SYS_CONFIG: 0x3006005B POC: 101
Cortex freq: 600000000
iDSP freq: 144000000
Dram freq: 528000000
Core freq: 144000000
AHB freq: 72000000
APB freq: 36000000
UART freq: 24000000
SD freq: 48000000
SDIO freq: 48000000
SDXC freq: 48000000
hook_pre_memfwprog
bst code found in firmware!
crc32: 0xAEA0712B
ver_num: 1.3
ver_date: 2015/12/15
img_len: 2048
mem_addr: 0x00000000
flag: 0x00000001
magic: 0xA324EB90
verifying image crc ... done
program bst into NAND
progress: 100%
program ok
bld code found in firmware!
crc32: 0xCFF3A746
ver_num: 1.3
ver_date: 2015/12/15
img_len: 169220
mem_addr: 0x00000000
flag: 0x00000000
magic: 0xA324EB90
verifying image crc ... done
program bld into NAND
progress: 77%progress: 100%
program ok
pba code found in firmware!
crc32: 0xB1A95A68
ver_num: 0.1
ver_date: 2015/12/15
img_len: 15210320
mem_addr: 0x00208000
flag: 0x00000002
magic: 0xA324EB90
verifying image crc ... done
program pba into NAND
program ok
pri code found in firmware!
crc32: 0x596AE333
ver_num: 0.1
ver_date: 2015/12/15
img_len: 5183312
mem_addr: 0x00208000
flag: 0x00000000
magic: 0xA324EB90
verifying image crc ... done
program pri into NAND
program ok
lnx code found in firmware!
crc32: 0xA4703DF8
ver_num: 0.1
ver_date: 2015/12/15
img_len: 36438016
mem_addr: 0x00000000
flag: 0x00000001
magic: 0xA324EB90
verifying image crc ... done
program lnx into NAND
program ok
add code found in firmware!
crc32: 0xA63719C9
ver_num: 0.1
ver_date: 2015/12/15
img_len: 1966080
mem_addr: 0x00000000
flag: 0x00000001
magic: 0xA324EB90
verifying image crc ... done
program add into NAND
program ok
DTB found in firmware!
program ok
------ Report ------
bst: success
bld: success
pba: success
pri: success
lnx: success
add: success
hook_post_memfwprog

While things looked very well until this point... I rebooted the device but no joy... it still did not work


 

             ___  ___  _________                _   
            / _ \ |  \/  || ___ \              | |  
           / /_\ \| .  . || |_/ /  ___    ___  | |_ 
           |  _  || |\/| || ___ \ / _ \  / _ \ | __|
           | | | || |  | || |_/ /| (_) || (_) || |_ 
           \_| |_/\_|  |_/\____/  \___/  \___/  \__|
----------------------------------------------------------
Amboot(R) Ambarella(R) Foscam(R) Copyright (C) 2004-2014 2015-05-23
Foscam(R) Copyright (C) 2015-05-23
will reset phy by g95.
reset phy completed, gpios2 data: 0xF8001E00.
             ___  ___  _________                _   
            / _ \ |  \/  || ___ \              | |  
           / /_\ \| .  . || |_/ /  ___    ___  | |_ 
           |  _  || |\/| || ___ \ / _ \  / _ \ | __|
           | | | || |  | || |_/ /| (_) || (_) || |_ 
           \_| |_/\_|  |_/\____/  \___/  \___/  \__|
----------------------------------------------------------
Amboot(R) Ambarella(R) Copyright (C) 2004-2014
Boot From: NAND 2048 RC 
SYS_CONFIG: 0x3006005B POC: 101
Cortex freq: 600000000
iDSP freq: 144000000
Dram freq: 528000000
Core freq: 144000000
AHB freq: 72000000
APB freq: 36000000
UART freq: 24000000
SD freq: 48000000
SDIO freq: 48000000
SDXC freq: 48000000
1st input Passwd:
amboot> ls
'ls' is not a recognized command! Type 'help' for help...
amboot> boot
pri image absent... skipping
sec image absent... skipping
amboot> boot 
pri image absent... skipping
sec image absent... skipping

 

The error in the screen was that the pri and sec image was  absent... not good...
But searching some more (and not in the in the pdf included in the zip file from foscam)
it became clear that the partition needed to be ereased


pri image absent... skipping
sec image absent... skipping
amboot> e erase
partition needs to be specified!
Help for 'erase':
erase [bst|ptb|bld|spl|pba|pri|sec|bak|rmd|rom|dsp|lnx|raw|all|os]
Where [os] means pba,pri,sec,bak,rmd,rom,dsp,lnx,swp,add,adc
      [all] means full chip.
Erase a parition as specified
amboot> erase os
erase pba ... 
done
erase pri ... 
done
erase sec ... 
done
erase bak ... 
done
erase rmd ... 
done
erase rom ... 
done
erase dsp ... 
done
erase lnx ... 
done
erase swp ... 
done
erase add ... 
done
erase adc ... 
done

After that don't reboot..but repeat the steps for downloading the recovery firmware... but this time joy... yeahh it is working again...

No thanks to Foscam... they did never provide the right files.. they did provide files for sdcard recovery but not the onces for serial recovery

Location: Nederland

Reacties

  1. olathehackl23 februari 2022 om 20:36

    Deze reactie is verwijderd door een blogbeheerder.

    BeantwoordenVerwijderen
  2. bastin2 januari 2023 om 18:32

    Hello,
    i don't finde "Serial port updating for C2.zip"  .

    Can you help me, please?

    BeantwoordenVerwijderen
    Reacties
    1. ALXS9 april 2023 om 20:40

      Hi, I have the same problem. Can You Send me "Serial port updating for C2.zip" file on iamalxs@gmail.com, please

      Verwijderen
  3. Marcel1 februari 2023 om 12:30

    I have send the file. Good luck

    BeantwoordenVerwijderen
    Reacties
    1. ALXS9 april 2023 om 20:38

      Hi, Can You Send me "Serial port updating for C2.zip" on iamalxs@gmail.com, please

      Verwijderen

Een reactie posten

Populaire posts van deze blog

Onkyo TX-NR656 hacking

Afbeelding
Onkyo TX-NR656 Recently bought a  Onkyo TX-NR656   and obviously interested how I can integrate it in my Home Automation. Searching the internet I found this interesting link   where it was clear the amplifier was running Linux and could be accessed with a serial connection. Well... how much easier it seems now with my TX-NR656 ssh to your amp with putty or any other ssh client logon with userid:  root     password:   morimori Some details: Onkyo TX-NR656 System Details Main Chipset TI AM335x ARM® Cortex®-A8-based core Wifi/BT chipset   RTL8821A   802.11ac, BT 4.0 Linux Version Linux am335x-opt 3.19.0 #1 Mon Sep 12 12:10:29 JST 2016 armv7l GNU/Linux Memory Total 249348 kB BusyBox details BusyBox v1.22.1 (2015-08-07 20:03:25 JST) [, [[, addgroup, adduser, ar, ash, awk, basename, bunzip2, bzcat, cat, chattr, chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod, df, diff, dirname, dmesg, dnsdom
Read more »

P1 port als energiemeter voor SolarEdge omvormer

Afbeelding
Zou jij ook graag beter inzicht in het Import, Export en energie verbruik willen hebben in de SolarEdge monitoring site, maar niet de €225 uitgeven voor een SE-MTR-3Y-400V-A solarEdge energie meter... (want je hebt toch gratis van je netbeheerder al een energie meter..) lees dan verder.  Met behulp van een eenvoudige computer zoals een Raspberry Pi's en voor enkele euro's aan hardware is dit mogelijk als je al een slimme meter hebt.  De SolarEdge app geeft dan productie, netto gebruik, in & export weer. Hardware Software Algemene werking Serial port on the Raspberry Pi (RPI) TTL naar RS485 /Modbus Adapter Module module SolarEdge Configuratie Hardware Raspberry Pi + USB voeding + SD kaart (andere hardware is goed mogelijk, bv oude laptop of iets dergelijks, zolang het een redelijk recente linux kan draaien zit het goed). In mijn geval heb ik een oude RPI2 gebruikt die al een tijdje stof aan het happen was P1 hardware (in mijn geval 1 transitor + weerstand kosten ca € 0,50
Read more »

Energie meter uitlezen via P1 poort

Afbeelding
Om beter bij te houden wat mijn energie verbruik & opbrengst is wil ik mijn meterkast elektronisch uitlezen. In mijn meterkast is sinds kort een z.g. slimme meter geplaatst en ook de gasmeter is vervangen. Het doel is om deze alle 2 uit te lezen en het verbruik inzichtelijk te maken. Natuurlijk kan je commerciële pakketten kopen zoals de pakketten van de energie leveranciers zoals de Toon of Nuons e-manager maar dan ben je geen baas over je eigen data.   Youless lijkt ook leuk, maar kan volgens mij niet meten wat ik terug lever met mijn zonnepanelen. en natuurlijk wil ik dit allemaal zo goedkoop mogelijk meten ;) Mijn meter is van het type kamstrup 382j, zover ik kan zien zijn er verschillende manieren om de meter uit te lezen. via de z.g. P1 poort Optisch vie de knipper let (S0). Deze led geeft met de knipper frequentie aan hoe veel het verbruik is. Optisch via 2 weg communicatie met infrarode oogje Mijn eerste poging is om uit te lezen via de P1 poort is vrij goe
Read more »