Subscriber Discussion

I Bricked My P3367 While Hacking It Hard, Any Suggestions?

U
Undisclosed #1
Aug 18, 2016
IPVMU Certified

Can only Axis fix it or does anyone know how to get a TTL console right off the chip?

2 years old.

How much do they charge do you think?

(2)
UM
Undisclosed Manufacturer #2
Aug 19, 2016

Call Axis and tell them you need warranty repair, and that you think someone hacked it.

They should want to take it seriously, and I believe they upgraded to a 3 year warranty.

JH
John Honovich
Aug 19, 2016
IPVM

P series has always, to my knowledge, had 3 year warranty.

M series only recently was increased from 1 to 3 years.

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

Yes, I will try this as a last resort.

The reason I'm slightly concerned about doing this is because of the exact state of the camera when they get it.

I've removed the SD card, but should it have retained any video from when it was last operational, depending on the length, it could certainly reveal me as the hacker. It could be embarrassing.

You know the kind of things that you say when you are alone with a camera that refuses to bend to your will. The begging, the ridicule; at some point I may have even threatened it with a soldering iron (cold).

So there's that.

(3)
UE
Undisclosed End User #3
Aug 19, 2016

if you didn't fool around with any trivial parts, it should be able to reset to factory default... may I (we;) ask what you did when it bricked?

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

I remounted the /usr filesystem as read-write, then I changed the symbolic link of /usr/sbin/hardfactorydefault.cgi to point to factorydefault.cgi.

To soften up the reset a bit. I forgot to remount the filesystem as read-only.

(1)
(2)
UE
Undisclosed End User #3
Aug 19, 2016

Nice one..

Do you have any access to the cam? Ping,web... Etc?

Upgraded FW?

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

No Access.

The interface light blinks a few times on boot and then alternates red green forever.

It was quite a bonehead move looking back. I had already thwarted the hard reset thru the web interface by moving around some shtml files, but wanted to beat the button as well.

When I held the button down I figured it would either work or not, I didn't really consider what would happen if it

  1. Didn't do a hard reset
  2. Didn't do a soft reset
  3. Was left in an unbootable state

Though, in my defense I will say that ANY time you hack the hard reset you can never be totally sure that you won't need it.

Other SOC's I've played with have had a UART console that you can pin-up to, I was think maybe this one did....

(1)
UE
Undisclosed End User #3
Aug 19, 2016

I don't think that the symlink itself screwed up your cam actually, it's something else.

difference between hard and software rester is:

hardfactorydefault.cgi: echo JFFSID=\"HARD_RESET\" > /etc/release

factorydefault.cgi: echo JFFSID=\"SOFT_RESET\" > /etc/release

Try do a hardreset (will be soft since you change symlink), you have nothing to loose :)

Axis has UART too, I'm sure of that. Don't know if its TTL or RS232 levels, but for sure its there.

(1)
U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

"I don't think that the symlink itself screwed up your cam actually, it's something else."

Yes, I agree. Though I think it is the symlink that is preventing it from hard resetting. Maybe permissions or ownership I screwed up on it.

Having the root fs r/w, I may have messed something else up, I can't remember exactly, it was hard hacking like I was saying.

"Try to do a hard reset, (will be soft since you change the symlink), you have nothing to lose :)"

Except the sensation in my thumb, after initially attempting a number of resets without the use of a tool (not recommended).

UE
Undisclosed End User #3
Aug 19, 2016

Don't brick the fingers too dude :)

If you don't to bring that in to Axis, and willing to violate the warranty, open and try to find unusual "pins" (usually three - 1x TxD, 1x RxD, 1x GND) or more, put a oscilloscope (or voltmeter) on one of the pins while it's boot to see if there is some activity, should be RxD in that case.

try to listen with different speed (9600,19200,38400..etc) and no HW Flow (use XON/XOFF or None) on this pin

Maybe that will get you forward a bit, and also gain some knowledge for future hacking.

U
Undisclosed #1
Aug 19, 2016
IPVMU Certified

Here's the board, in a unusual boomerang shape:

Not seeing any header pins. I do see 6 full-hole vias, maybe serial or JTAG?

I'm looking for my uart ttl usb thing. Any other places to probe?

(1)
UE
Undisclosed End User #3
Aug 20, 2016

could be what you looking for, take a voltmeter to check levels TTL (0/5v) or RS232 (-12/+12), and probe each of them while booting, if it's activity while booting that could be RxD.

look for GND and RxD first (square could indicate pin No1 and even maybe it's ground)

I cant say how you need to do now, you are on your own.. you can find what you looking for - or something may burn ;)

(1)
U
Undisclosed #1
Aug 20, 2016
IPVMU Certified

I cant say how you need to do now, you are on your own..

Thanks, I understand.

There are a couple of things in a man's life, that are best done alone; specifically rowing in a circle and ice-skating in April. Even though this is not one of those things, you have done enough, and I will see you on the other side, sir.

til then, Skål!

(1)
U
Undisclosed #1
Aug 21, 2016
IPVMU Certified

Happy ending.

A little trial and a lot of error later I'm Enjoying the Shell

Couple things, when it came up the only ip address was ipv6 link local one. Almost everything from Axis was gone. It was running lighttpad webserver with one html page to Upgrade firmware.

Did it, done...

Thanks EU 3

(2)
UE
Undisclosed End User #3
Aug 22, 2016

Super, well done, happy that it worked out for you :)

Please, give us some more details, what pin is RxD, TxD, GND, speed, TTL/RS232 levels.. etc :)

U
Undisclosed #1
Aug 22, 2016
IPVMU Certified

Baud Rate 115,200 8,N,1

TX and RX are from camera perspective.

Levels are ~3.3v

(3)
UE
Undisclosed End User #3
Aug 22, 2016

Thanks :)

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions