3

I want to modify the mentioned camera firmware (SJ1000). The binary (.bin) firmware file can be downloaded from archive.org. I used binwalk to scan the binary, but I'm stuck. The binwalk signature scan detects 3 signatures in the binary:

  1. 88K BCS EXECUTABLE
  2. LZMA-compressed data
  3. LZMA-compressed data

The two LZMA compression signatures seem to be false positives, because they have a negative size. I copied the LZMA-compressed data with dd, but I can't unpack it. The LZMA unpacker returns an error message: the file is not valid LZMA compressed data.

As for the 88K BCS EXECUTABLE signature: I don't know what this is. I can copy it with dd, but I can't do anything with this.

What can I do? Is it possible to decompose this file into its constituent parts, or is this impossible?

2
  • possible duplicate of Unpack Billion 5102 firmware Commented Feb 7, 2014 at 1:36
  • do you know anything about the hardware? Commented May 8, 2017 at 8:14

2 Answers

2

Googling for some strings (Novatek, NT96650 etc.) produces some interesting results:

Datasheet claims it's a MIPS32 CPU and indeed it seems there is some little-endian MIPS code inside:

    ROM:0000070C F8 FF BD 27    addiu   $sp, -8
    ROM:00000710 3B 80 02 3C    lui     $v0, 0x803B
    ROM:00000714 04 00 BE AF    sw      $fp, 4($sp)
    ROM:00000718 21 F0 A0 03    move    $fp, $sp
    ROM:0000071C 21 E8 C0 03    move    $sp, $fp
    ROM:00000720 68 4B 42 8C    lw      $v0, 0x803B4B68
    ROM:00000724 04 00 BE 8F    lw      $fp, 4($sp)
    ROM:00000728 08 00 E0 03    jr      $ra
    ROM:0000072C 08 00 BD 27    addiu   $sp, 8

According to the presentation, it's running an uITRON-based RTOS so apparently there's no real filesystem or modules but everything is linked into one big blob of code.

P.S. loading the firmware at 0x80000000 seems to line up the strings nicely:

    ROM:8005696C sub_8005696C:                # CODE XREF: sub_8000040C:loc_800006B4↑p
    ROM:8005696C
    ROM:8005696C var_20 = -0x20
    ROM:8005696C var_18 = -0x18
    ROM:8005696C var_14 = -0x14
    ROM:8005696C var_10 = -0x10
    ROM:8005696C var_C = -0xC
    ROM:8005696C var_8 = -8
    ROM:8005696C var_4 = -4
    ROM:8005696C
    ROM:8005696C    addiu   $sp, -0x30
    ROM:80056970    sw      $fp, 0x30+var_8($sp)
    ROM:80056974    move    $fp, $sp
    ROM:80056978    sw      $ra, 0x30+var_4($sp)
    ROM:8005697C    sw      $s3, 0x30+var_C($sp)
    ROM:80056980    sw      $s2, 0x30+var_10($sp)
    ROM:80056984    sw      $s1, 0x30+var_14($sp)
    ROM:80056988    lui     $s2, 0x8005
    ROM:8005698C    lui     $s1, 0x8002
    ROM:80056990    sw      $s0, 0x30+var_18($sp)
    ROM:80056994    jal     sub_8005C6CC
    ROM:80056998    lui     $s0, 0x8002
    ROM:8005699C    lui     $a1, 0x8002
    ROM:800569A0    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:800569A4    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:800569A8    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:800569AC    li      $v0, 0x36  # '6'
    ROM:800569B0    la      $a1, aSSDN_mainBegin  # "%s::%s():%d: ^N(_main begin)\r\n"
    ROM:800569B4    jal     sub_800C3AD4
    ROM:800569B8    sw      $v0, 0x30+var_20($sp)
    ROM:800569BC    lui     $a1, 0x8002
    ROM:800569C0    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:800569C4    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:800569C8    li      $v0, 0x38  # '8'
    ROM:800569CC    la      $a1, aSSDRegExpHandl  # "%s::%s():%d: (reg exp handler)\r\n"
    ROM:800569D0    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:800569D4    jal     sub_800C3AD4
    ROM:800569D8    sw      $v0, 0x30+var_20($sp)
    ROM:800569DC    lui     $a0, 0x8005
    ROM:800569E0    jal     sub_8005C670
    ROM:800569E4    la      $a0, unk_80056BA8
    ROM:800569E8    lui     $a1, 0x8002
    ROM:800569EC    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:800569F0    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:800569F4    li      $v0, 0x3C  # '<'
    ROM:800569F8    la      $a1, aSSDKernelInit  # "%s::%s():%d: (kernel init)\r\n"
    ROM:800569FC    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056A00    jal     sub_800C3AD4
    ROM:80056A04    sw      $v0, 0x30+var_20($sp)
    ROM:80056A08    jal     sub_8005C5F8
    ROM:80056A0C    lui     $a0, 0x800
    ROM:80056A10    lui     $a0, 0x8000
    ROM:80056A14    jal     sub_8005C03C
    ROM:80056A18    lui     $a1, 0x800
    ROM:80056A1C    jal     sub_8005BDB4
    ROM:80056A20    lui     $s3, 0x8000
    ROM:80056A24    lui     $a1, 0x8002
    ROM:80056A28    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:80056A2C    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:80056A30    la      $a1, aSSDInstallCode  # "%s::%s():%d: (Install code section)\r\n"
    ROM:80056A34    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056A38    li      $v0, 0x44  # 'D'
    ROM:80056A3C    jal     sub_800C3AD4
    ROM:80056A40    sw      $v0, 0x30+var_20($sp)
    ROM:80056A44    jal     sub_8005C264
    ROM:80056A48    ori     $a0, $s3, 0x308
    ROM:80056A4C    lui     $a1, 0x8002
    ROM:80056A50    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:80056A54    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:80056A58    la      $a1, aSSDInstallCo_0  # "%s::%s():%d: (Install code zi)\r\n"
    ROM:80056A5C    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056A60    li      $v0, 0x47  # 'G'
    ROM:80056A64    jal     sub_800C3AD4
    ROM:80056A68    sw      $v0, 0x30+var_20($sp)
    ROM:80056A6C    jal     sub_8005C31C
    ROM:80056A70    ori     $a0, $s3, 0x300
    ROM:80056A74    jal     sub_8005C1DC
    ROM:80056A78    nop
    ROM:80056A7C    jal     sub_8005BE28
    ROM:80056A80    nop
    ROM:80056A84    lui     $a1, 0x8002
    ROM:80056A88    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056A8C    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:80056A90    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:80056A94    li      $v0, 0x50  # 'P'
    ROM:80056A98    la      $a1, aSSDInstallDrvI  # "%s::%s():%d: (Install Drv ID)\r\n"
    ROM:80056A9C    jal     sub_800C3AD4
    ROM:80056AA0    sw      $v0, 0x30+var_20($sp)
    ROM:80056AA4    jal     sub_8005FCBC
    ROM:80056AA8    nop
    ROM:80056AAC    lui     $a1, 0x8002
    ROM:80056AB0    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056AB4    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:80056AB8    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:80056ABC    la      $a1, aSSDInstallUser  # "%s::%s():%d: (Install User ID)\r\n"
    ROM:80056AC0    li      $v0, 0x54  # 'T'
    ROM:80056AC4    jal     sub_800C3AD4
    ROM:80056AC8    sw      $v0, 0x30+var_20($sp)
    ROM:80056ACC    jal     sub_80056D60
    ROM:80056AD0    nop
    ROM:80056AD4    jal     sub_8005BE90
    ROM:80056AD8    nop
    ROM:80056ADC    jal     sub_8005BEE4
    ROM:80056AE0    nop
    ROM:80056AE4    lui     $a1, 0x8002
    ROM:80056AE8    addiu   $a0, $s0, (asc_8001ED34 - 0x80020000)  # "*"
    ROM:80056AEC    addiu   $a2, $s1, (a_main - 0x80020000)  # "_main"
    ROM:80056AF0    addiu   $a3, $s2, (a_main_0 - 0x80050000)  # "_main"
    ROM:80056AF4    la      $a1, aSSDInstallUs_0  # "%s::%s():%d: (Install User ID for mempo"...
    ROM:80056AF8    li      $v0, 0x5C  # '\'
    ROM:80056AFC    jal     sub_800C3AD4
    ROM:80056B00    sw      $v0, 0x30+var_20($sp)
    ROM:80056B04    jal     sub_80056BEC
    ROM:80056B08    nop
    ROM:80056B0C    jal     sub_8005BF54
    ROM:80056B10    nop
    ROM:80056B14    jal     sub_80056634
    ROM:80056B18    nop
    ROM:80056B1C    jal     sub_80056910
    ROM:80056B20    nop
    ROM:80056B24    jal     sub_8005B52C
    ROM:80056B28    nop
    ROM:80056B2C    jal     sub_8005A714
    ROM:80056B30    nop
    ROM:80056B34    lui     $a1, 0x8002
    ROM:80056B38    addiu   $a0, $s0, -0x12CC
    ROM:80056B3C    addiu   $a2, $s1, -0x12A8
    ROM:80056B40    addiu   $a3, $s2, 0x6BE4
    ROM:80056B44    la      $a1, aSSDKernelStart  # "%s::%s():%d: (kernel startup)\r\n"
    ROM:80056B48    li      $v0, 0x68  # 'h'
    ROM:80056B4C    jal     sub_800C3AD4
    ROM:80056B50    sw      $v0, 0x30+var_20($sp)
    ROM:80056B54    jal     sub_8005BF74
    ROM:80056B58    nop
    ROM:80056B5C    lui     $a1, 0x8002
    ROM:80056B60    addiu   $a0, $s0, -0x12CC
    ROM:80056B64    addiu   $a2, $s1, -0x12A8
    ROM:80056B68    addiu   $a3, $s2, 0x6BE4
    ROM:80056B6C    li      $v0, 0x6C  # 'l'
    ROM:80056B70    la      $a1, aSSD_mainEnd  # "%s::%s():%d: (_main end)\r\n"
    ROM:80056B74    jal     sub_800C3AD4
    ROM:80056B78    sw      $v0, 0x30+var_20($sp)
    ROM:80056B7C    jal     sub_800D2E64
    ROM:80056B80    nop
    ROM:80056B84    move    $sp, $fp
    ROM:80056B88    lw      $ra, 0x30+var_4($sp)
    ROM:80056B8C    lw      $fp, 0x30+var_8($sp)
    ROM:80056B90    lw      $s3, 0x30+var_C($sp)
    ROM:80056B94    lw      $s2, 0x30+var_10($sp)
    ROM:80056B98    lw      $s1, 0x30+var_14($sp)
    ROM:80056B9C    lw      $s0, 0x30+var_18($sp)
    ROM:80056BA0    jr      $ra
    ROM:80056BA4    addiu   $sp, 0x30
    ROM:80056BA4  # End of function sub_8005696C

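
One way to test a load-address guess like the 0x80000000 in the answer above, as an added example that is not part of the original answer: it collects the addresses built by little-endian MIPS `lui`/`addiu` pairs and counts, for each candidate base, how many of them land on the start of a NUL-terminated string. The candidate list, the 8-instruction window and the constructed demo image are assumptions of this sketch.

```python
import re
import struct

def lui_addiu_targets(image, window=8):
    """Addresses built by `lui rX, hi` followed within `window` instructions
    by `addiu rY, rX, lo` (little-endian MIPS32; lo is sign-extended)."""
    words = struct.unpack_from("<%dI" % (len(image) // 4), image)
    targets = []
    for i, w in enumerate(words):
        if w >> 26 != 0x0F or (w >> 21) & 0x1F:      # lui has opcode 0x0F, rs = 0
            continue
        reg, hi = (w >> 16) & 0x1F, w & 0xFFFF
        for nxt in words[i + 1:i + 1 + window]:
            if nxt >> 26 == 0x09 and (nxt >> 21) & 0x1F == reg:   # addiu ?, reg, lo
                lo = nxt & 0xFFFF
                lo -= 0x10000 if lo & 0x8000 else 0
                targets.append(((hi << 16) + lo) & 0xFFFFFFFF)
                break
    return targets

def string_starts(image, min_len=4):
    """File offsets where a NUL-terminated printable run of >= min_len bytes begins."""
    pattern = rb"[\x20-\x7e\t\r\n]{%d,}\x00" % min_len
    return {m.start() for m in re.finditer(pattern, image)}

def score_bases(image, candidates=(0x00000000, 0x80000000, 0xA0000000)):
    """Map each candidate load address to the number of pointers that hit a string start."""
    targets, starts = lui_addiu_targets(image), string_starts(image)
    return {base: sum((t - base) in starts for t in targets) for base in candidates}

def demo_image(base=0x80000000):
    """Constructed sample: 0x100 bytes of code, then three strings it points at."""
    strings = [b"_main\x00", b"%s::%s():%d: (kernel init)\r\n\x00", b"Novatek\x00"]
    code, blob = b"", b""
    for s in strings:
        addr = base + 0x100 + len(blob)
        hi, lo = ((addr + 0x8000) >> 16) & 0xFFFF, addr & 0xFFFF
        code += struct.pack("<II", 0x3C000000 | 4 << 16 | hi,          # lui   $a0, hi
                            0x24000000 | 4 << 21 | 5 << 16 | lo)       # addiu $a1, $a0, lo
        blob += s
    return code.ljust(0x100, b"\x00") + blob

if __name__ == "__main__":
    for base, hits in score_bases(demo_image()).items():
        print("base 0x%08X: %d string hits" % (base, hits))
```

On a real image, pass the firmware bytes to `score_bases` with whatever candidate bases the datasheet or memory map suggests; the base with the most hits is the one where string references resolve.
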
1

Always verify the results of a signature scan before attempting extraction.

There are no LZMA-compressed regions in this binary. Here is the output of a signature scan using binwalk v2.1.1:

    $ binwalk FW96650A.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    167266        0x28D62         Unix path: /15/20/24/25/30/60/120/240fps can be served..
    279206        0x442A6         Copyright string: "Copyright (c) 2012 Novatek Microelectronic Corp."
    2158492       0x20EF9C        JPEG image data, JFIF standard 1.02
    2195060       0x217E74        MySQL ISAM compressed data file Version 6

Here are the results of the entropy analysis:

Entropy scan

    $ binwalk -E FW96650A.bin

    DECIMAL       HEXADECIMAL     ENTROPY
    --------------------------------------------------------------------------------
    0             0x0             Falling entropy edge (0.574748)
    2158592       0x20F000        Rising entropy edge (0.963265)  <-- JPEG image
    2170880       0x212000        Rising entropy edge (0.981137)
    2179072       0x214000        Falling entropy edge (0.708192)
    2363392       0x241000        Falling entropy edge (0.846409)
    2426880       0x250800        Falling entropy edge (0.848443)
    2496512       0x261800        Rising entropy edge (0.974327)
    2510848       0x265000        Rising entropy edge (0.968564)
    2525184       0x268800        Falling entropy edge (0.764579)
    2529280       0x269800        Rising entropy edge (0.953455)
    2533376       0x26A800        Falling entropy edge (0.717140)
    2537472       0x26B800        Rising entropy edge (0.966682)
    2543616       0x26D000        Rising entropy edge (0.953760)
    2545664       0x26D800        Falling entropy edge (0.763122)
    2588672       0x278000        Rising entropy edge (0.960725)
    2592768       0x279000        Rising entropy edge (0.967902)
    2603008       0x27B800        Rising entropy edge (0.966048)
    2609152       0x27D000        Rising entropy edge (0.973450)
    2617344       0x27F000        Falling entropy edge (0.749652)

There are some regions of high entropy, but nothing indicating LZMA compression.
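
One way to carry out the "verify before extracting" step for an LZMA hit, as an added example that is not part of the original answer: it sanity-checks the 13-byte LZMA "alone" header at the reported offset and then attempts a bounded trial decode. The function name, the size cap, the memory limit and the constructed sample image are assumptions of this sketch.

```python
import lzma
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF   # header value meaning "size not stored" (-1 if printed signed)

def check_lzma_candidate(image, offset, max_out=1 << 20, size_cap=1 << 32):
    """Return (ok, reason) for a suspected LZMA 'alone' stream at `offset`.
    Header: 1 byte properties, 4 bytes dictionary size, 8 bytes uncompressed size (LE)."""
    header = image[offset:offset + 13]
    if len(header) < 13:
        return False, "truncated header"
    props, dict_size, size = struct.unpack("<BIQ", header)
    if props >= 9 * 5 * 5:                      # props = (pb * 5 + lp) * 9 + lc
        return False, "invalid properties byte"
    # Heuristic (assumption): a firmware blob does not unpack to 4 GiB or more.
    # Any other value with the top bit set shows up as a negative size when printed signed.
    if size != UNKNOWN_SIZE and size >= size_cap:
        return False, "implausible uncompressed size"
    # Bound memory and output so a bogus header cannot exhaust the analysis host.
    decoder = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=1 << 28)
    try:
        out = decoder.decompress(image[offset:], max_length=max_out)
    except lzma.LZMAError as exc:
        return False, "decoder rejected stream: %s" % exc
    if not decoder.eof and len(out) < max_out:
        return False, "input ended before the stream did"
    return True, "decoded %d bytes" % len(out)

def demo_image():
    """Constructed sample: one real LZMA stream and one header-shaped false positive."""
    good = lzma.compress(b"Novatek NT96650 " * 64, format=lzma.FORMAT_ALONE)
    bogus = struct.pack("<BIQ", 0x5D, 0x800000, 0x8000000000001234) + b"\xAA" * 64
    image = b"\xFF" * 64 + good + b"\x00" * 32 + bogus
    return image, 64, 64 + len(good) + 32

if __name__ == "__main__":
    image, good_off, bogus_off = demo_image()
    for off in (good_off, bogus_off):
        print("0x%X -> %s: %s" % ((off,) + check_lzma_candidate(image, off)))
```
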
