Wednesday 23 April 2014

Hacking a ScoutGuard camera - part 3

In the previous posts [1] [2] I mentioned that the ultimate goal was to load modified firmware on to the device and one possible route would be via JTAG. It was hoped that the test points in the bottom left corner would provide JTAG access:



A quick check with the oscilloscope though and a bit of digging around showed that the signals were analogue and related to the camera - possibly used for setting the focus.


J22 & J15
J19 & J18




J16 & J20
J21 & J17
From analysing the dumped out firmware, it was apparent that my particular camera did not come with an update mechanism. Or more correctly, the library code for doing most of the heavy lifting was present but the vendor code to call it was missing. In the downloaded HCO firmware, the routine for checking for the image on the SD card then verifying the USB DFU checksum was very prominent. This is very different from the firmware on my device.

Just in case the update functionality had inadvertently been left out of the dump (there were parts where I know the dump failed, but it was only a few hundred bytes) I spliced the controller wiring and a standard USB cable into a single 10 pin USB mini connector in the hope that this would simulate the devices that have separate controller and USB ports. The instructions for updating the HCO devices are simply to copy the firmware (called image.bin) on to the SD card, turn the camera on and follow the on screen instructions. Other instructions though said that the device must be plugged in via USB and the firmware copied to the SD card using that connection. It was that situation I was trying to check.


Unsurprisingly, it didn't work. A message on the controller saying that functionality was disabled while in USB mode was displayed and this is what was expected based on the disassembly.

So still no success updating the firmware. There is still another possible route, but that will be left for a later post.

No comments:

Post a Comment