Misery^W Fun with webcams [part 1]

So I find myself needing some more el-cheapo pan-and-tilt webcams. The last time I did this, I bought the cheapest thing I could from eBay and was pleasantly surprised to find that pretty much all the devices ran a small embedded linux, had a perfectly usable web interface and had a connector on the rear that could be used to trigger the sending of a email with captured pictures. Buoyed by past experience I ordered some more: in this case the cheapest on ebay which had the connector on the rear: the KK Moon Model  801 TP-C516.

KKMoon TP-C516
KKMoon TP-C516

They duly arrived and I connected one to a test network. It dhcp’d an address, and began trying to talk to a server in LA. There was no web interface, and the only interesting thing nmap(1) could find was telnet. After some fettling I managed to log in with the username and password of root and anni2013.  A quick look around confirmed it was running Linux. I spent an hour or so trying to find more conventional firmware without success, so I then had a look at the CPU. The camera is built around a Ralink RT5350  wifi SoC. I’ve previously ported gcc and openwrt to a similar ralink CPU, and it was a Sunday morning so I thought I might have a shot.

The camera has 32M of SDRAM and 8Mb of SPI flash in an mx25l6406e (or rather a clone). So I took the chip off and read it. The bootloader was, predictably at the beginning of the rom, and appeared to have a serial output, so the next step was to find where that came out on the hardware. A little bit of judicious hunting found two test-points next to the SPI rom.


Connecting those up and knowing from the dump of the rom that it was expecting 57600 baud gave the following:

U-Boot 1.1.3 (Oct 31 2012 - 23:46:19)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fb4000
spi_wait_nsec: 42
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
Ralink UBoot Version:
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
Flash component: SPI Flash
Date:Oct 31 2012 Time:23:46:19
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384
 ##### The CPU freq = 360 MHZ ####
 estimate memory size =32 Mbytes
Please choose the operation:
 1: Load system code to SDRAM via TFTP.
 2: Load system code then write to Flash via TFTP.
 3: Boot system code via Flash (default).
 4: Entr boot command line interface.
 7: Load Boot Loader code then write to Flash via Serial.
 9: Load Boot Loader code then write to Flash via TFTP.
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
. Image Name: Linux Kernel Image
 Created: 2014-10-30 1:46:36 UTC
 Image Type: MIPS Linux Kernel Image (lzma compressed)
 Data Size: 3044465 Bytes = 2.9 MB
 Load Address: 80000000
 Entry Point: 8041b000
raspi_read: from:50040 len:2e7471
............................................... Verifying Checksum ... OK
 Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8041b000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
LINUX started...
Linux version 2.6.21 (root@sky) (gcc version 3.4.2) #1071 Thu Oct 30 09:46:24 CST 2014
Initrd not found or empty - disabling initrd
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0

So I next had a look at the openwrt side. Pleasantly openwrt trunk already had support for a non-PTZ camera based on the RT5350 (The WansView NCS601W).

Building that and feeding it to the bootloader’s option 2 via TFTP got me up and running almost immediately. Building mjpg-streamer (after fixing a bug which caused gcc’s stack canary to trip) gave me an, albeit upside-down, streamed image. Success, and all before breakfast! The next task was figuring out how to move the turret.

One thought on “Misery^W Fun with webcams [part 1]”

Leave a Reply

Your email address will not be published. Required fields are marked *