I’ve opened up my Foscam-clone IP Camera, located the onboard serial port and captured the output from the bootloader and the firmware booting. This post is for anyone interested.
Edit: Based on the evidence below, it appears to be a Winbond W90N745 bootloader. Googling for “W90N745″ threw up a number of online sites about this camera (here, here, here and particularly here) that pre-date my own investigations by a long shot — oh well! Mine is here for posterity too 
I’ve subsequently also stumbled across http://www.openipcam.com/ – seems like a useful site for general hacking ideas regarding this and similar IP Cameras. So now you know!
Serial port
With respect to the photo, the serial port is a set of 4 pins from the “J2″ mark on the PCB.
The pins are (from closest to furthest from the “J2″ mark):
VCC GND TX (output from camera) RX (input to camera)
The serial port uses TTL signal levels, so I used this USB-serial adapter to connect the IP camera to my FreeBSD desktop. The IP Camera’s boot loader configures the serial line for 115200 baud, so the following FreeBSD command provided me with serial access from my desktop:
cu -l /dev/cuaU0 -s 115200
The boot loader
Powered the device on and entered “escape” in time to interrupt the regular boot process. Tried a couple of commands once at the bootloader prompt.
[gja@gjadesktop] /root# cu -l /dev/cuaU0 -s 115200
Connected
[...powered on the IP camera....]
W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:0D:C5:D0:47:F1
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF
For help on the available commands type 'h'
Press ESC to enter debug mode .
bootloader >
bootloader > h
W90P710 Command Shell v1.0 Rebuilt on Jul 04 2006 at 16:20:08
H Display the available commands
B Set Baud Rate
D Display memory. D -? for help
E Edit memory. E -? for help
G Goto address
I information
MX Xmodem download
MT TFTP/USB download
FT Program the flash by TFTP/USB. FT -? for help
FX Program the flash by Xmodem. FX -? for help
CP Memory copy
LS List the images in the flash
SET Setting boot loader configuration. SET -? for help
CHK Check the flash
RUN Execute image
DEL DEL the image or flash block
MSET Fill memory
TERM Change the terminal output port
BOOT Reboot the system
CACHE Cache setting
USB USB interface setting
UNZIP Unzip image
ATTRIB Change the image attribution
bootloader > i
W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:0D:C5:D0:47:F1
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF
For help on the available commands type 'h'
Supports flash types:
W19L320SB AM29LV320DB AM29LV320DT AM29LV800BB
AM29LV800BT AM29LV160DB AM29LV160DT EN29LV160AB
EN29LV160AT SST39VF160 HY29LV160 MX28F160C3T
MX28F160C3B MX29LV160BT MBM29LV160BE MBM29LV160TE
W19B322MB M29WL320DT W19L320ST W19B320ABT
W28J800TT W28J800BT W28J160TT W28J160BT
W28J320TT W28J320BT INTEL E28F320 INTEL E28F640
SST39VF6401 INTEL E28F128 28F800C3-T 28F800C3-B
28F160C3-T 28F160C3-B 28F320C3-T 28F320C3-B
W39L010 W29EE011
bootloader >
bootloader > usb
This bootloader doesn't support USB, please use TCP/IP instead
bootloader > ls
Image: 0 name:BOOT INFO base:0x7F010000 size:0x00000038 exec:0x7F010000 -af
Image: 7 name:linux.bin base:0x7F020000 size:0x000BF7B0 exec:0x00008000 -acxz
Image: 6 name:romfs.img base:0x7F0E0000 size:0x000B0800 exec:0x7F0E0000 -a
bootloader > set
Boot Loader Configuration:
MAC Address : 00:0D:C5:D0:47:F1
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : 115200
USB Interface : Disabled
Serial Number : 0xFFFFFFFF
bootloader >
bootloader > set -?
Usage: SET -[mac [addr],ip [addr],dhcp [0,1],cache [on, off],buffer [base] [size],baudrate [baud rate setting],sn [serial number]]
-mac [addr] Set MAC Address
-ip [ip addr] IP Address
-dhcp [1,0] Enable/Disable Dhcp client
-cache [on,off] Enable/Disable cache when processing images
-buffer [base] [size] Set the buffer used by UNZIP and TFTP server
-baudrate [baud rate setting] Set the default baud rate
-sn [serial number] Set the serial number
bootloader >
Firmware (ucLinux?) booting
If I don’t interrupt the bootloader after power-on, here’s the full output from the embedded Linux-based firmware. I haven’t tinkered any further than this.
[gja@gjadesktop] /root# cu -l /dev/cuaU0 -s 115200
Connected
[...powered on the IP camera....]
W90N745 Boot Loader [ Version 1.1 $Revision: 1 $ ] Rebuilt on Jun 19 2006
Memory Size is 0x800000 Bytes, Flash Size is 0x400000 Bytes
Board designed by Winbond
Hardware support provided at Winbond
Copyright (c) Winbond Limited 2001 - 2006. All rights reserved.
Boot Loader Configuration:
MAC Address : 00:0D:C5:D0:47:F1
IP Address : 0.0.0.0
DHCP Client : Enabled
CACHE : Enabled
BL buffer base : 0x00300000
BL buffer size : 0x00100000
Baud Rate : -1
USB Interface : Disabled
Serial Number : 0xFFFFFFFF
For help on the available commands type 'h'
Press ESC to enter debug mode ......
Cache enabled!
Processing image 1 ...
Processing image 2 ...
Processing image 3 ...
Processing image 4 ...
Processing image 5 ...
Processing image 6 ...
Processing image 7 ...
Unzip image 7 ...
Executing image 7 ...
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1334 �� 3�� 24 05:56:23 CST 2010
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 2048
zone(0): 0 pages.
zone(1): 2048 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 8MB = 8MB total
Memory: 6236KB available (1479K code, 289K data, 40K init)
Dentry cache hash table entries: 1024 (order: 1, 8192 bytes)
Inode cache hash table entries: 512 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F1907FF [VIRTUAL 7F0E0000-7F1907FF] (RO)
W19B320ABT Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
_____ ____ _ ____
|__ / _| _ \ / \ / ___|
/ / | | | | | |/ _ \ \___ \
/ /| |_| | |_| / ___ \ ___) |
/____\__, |____/_/ \_\____/
|___/
ZD1211B - version 2.24.0.0
usb.c: registered new driver zd1211b
main_usb.c: VIA Networking Wireless LAN USB Driver 1.20.04
usb.c: registered new driver vntwusb
usb.c: registered new driver rt73
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
Shell invoked to run file: /bin/init
Command: mount -t proc none /proc
Command: mount -t ramfs none /usr
Command: mount -t ramfs none /swap
Command: mount -t ramfs none /var/run
Command: mount -t ramfs none /etc
Command: mount -t ramfs none /flash
Command: mount -t ramfs none /home
Command: mount -t ramfs none /tmp
Command: mkdir /tmp/run
Command: camera&
[8]
Command: sh
no support
Sash command shell (version 1.1.1)
/> hub.c: connect-debounce failed, port 1 disabled
new USB device :807b5004-7e8740
hub.c: new USB device 1, assigned address 2
detect_sensor: mi360
dvm cmos successfully initialized
dvm camera registered as video0
new USB device :807b5404-7e8740
hub.c: new USB device 2, assigned address 3
VIA Networking Wireless LAN USB Driver Ver. 1.20.04
Copyright (c) 2004 VIA Networking Technologies, Inc.
vntwusb_init--->eth1 initial ok!
insmod VNTWUSB SUCESSFUL...
aw version is 11.14.2.28
aw version is 2.4.8.15
Wait for auto-negotiation complete...ResetPhyChip Failed
video0 opened
1
1
1
1
1
1
set resolution 4
set brightness 82
set contrast 4
set sharpness 3
set mode 0
unknown command
_i2c_write: write i2c error
_i2c_write: write i2c error
__pthread_initial_thread_bos:39c000
manage pid:14
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record
Config_FileOperation file Not exist
Zone=[2][E][U]!!
Antenna AUX&MAIN all available!
[26]
[28]
_i2c_write: write i2c error
_i2c_write: write i2c error
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
AP deauthed me, reason=13.
WLAN_ASSOCIATE_WAIT:Association Fail???
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
WLAN_ASSOCIATE_WAIT:wait 1 times!!
WLAN_ASSOCIATE_WAIT:wait 2 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
wpa_driver_viawget_set_countermeasures - not yet implemented
WLAN_ASSOCIATE_WAIT:wait 3 times!!
wpa_set_scan-->desired [ssid=,ssid_len=0]
WLAN_ASSOCIATE_WAIT:wait 4 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
WLAN_ASSOCIATE_WAIT:wait 5 times!!
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
Trying to associate with 00:11:50:8e:9e:02 (SSID='gjahome' freq=2442 MHz)
AP(BSS) finding:Found a AP(BSS)..
802.11 Authen (OPEN) Successful.
Association Successful, AID=1.
Link with AP(SSID): gjahome
3
3
3
3
3
3
Associated with 00:11:50:8e:9e:02
SET_KEY_BEFORE_SEND_4_OF_4 == 0
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
SET_KEY_AFTER_SEND_2_OF_2 == 0
WPA: Key negotiation completed with 00:11:50:8e:9e:02 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:11:50:8e:9e:02 completed (auth)
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
ntpc.c: can not resolve ntpserver(time.nist.gov)'s ip
