Reverse engineering the MISIRUN Instant Print Kids Camera

My tubs of hardware to hack continue to grow with the rediscovery of Woot! (miss the OG Woot!).

Although it’s in the future, I decided to pick up a few of these cameras as they were on a steep sale.

I figured that they weren’t going to be groundbreaking but fun to hack, especially as they have no password or wireless capability and have a USB port (maybe I could whip out the Cynthion!). But alas, the USB-C port doesn’t carry data.

It does have a microSD but nothing special (like hidden partitions or whatever).

So time to open ‘er up.

So it has 2 holes, one labeled TX and one labeled GND.

Likely, read only UART.

No matter what button combo, etc., I tried, I couldn’t get more than a few characters to print out before it likely stopped UART output.

Whelp, time to check out the SPI chip.

Flash Chip Details:

Capacity: 32Mbit = 4MB

Manufacturer: Zetta

Model: 25VQ32DTIG

And uses a standard pinout:

CS -|1 8|- VCC (3.3V)
DO -|2 7|- HOLD
WP -|3 6|- CLK
GND-|4 5|- DI

Trying to use a SOIC8 clip (I am starting to hate these clips more and more) didn’t work. Even the uber expensive one.

So I used the semi-knock off of the bed of nails.

It worked in the sense that the chip turned on, but it seemed b/c of the way the PCB is set up, ISP is too noisy to work.

So it was time to desolder. Letting me test out my new hot air station.

Success!

Plugged in my Xgecu into one of my lab boxes, and confirmed it was seen in device manager.

If y’all are interested or regardless really, I’ll try to get a post on here on how to properly install and set up the XGecu devices, as it wasn’t super hard but an interesting experience lol.

Anyway, it worked!

So obviously the common next step was to hit it with binwalk v3 and strings.

Binwalk resulted in a bunch of image and audio files being extracted. Interesting…

And strings didn’t end up finding too much, but it did show:

┌──(gainsec㉿LinuxLab1)-[~/Baby-Camera/extractions]
└─$ strings SPINORChip-Dump.bin | grep -iE 'bin'
exmend.bin
DestBin.bin
@SELFTEST.bin

Interesting…

After some research and other analysis, I came to the conclusion that @SELFTEST.bin was for some debug checks, but didn’t actually output anything new to UART unfortunately.

The LLM said exmend.bin is for overwriting specific files and since binwalk found just media files I decided that the goal was to add a custom boot image at this point, as I didn’t see any other functionality the firmware or hardware supported that’d interest me.

Original Boot Image:

So I checked the file size and type of the boot image, and reduced the size of the image I want to change it to.

2166673        0x210F91        JPEG image data

Original Boot Image EXIF DATA:

Factory Boot Image:
ExifTool Version Number         : 12.40
File Name                       : image.jpg
Directory                       : .
File Size                       : 21 KiB
File Modification Date/Time     : 2025:03:26 02:42:37-04:00
File Access Date/Time           : 2025:03:28 00:40:31-04:00
File Inode Change Date/Time     : 2025:03:26 02:57:47-04:00
File Permissions                : -rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Image Width                     : 320
Image Height                    : 240
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 320x240
Megapixels                      : 0.077

convert custom.jpg -resize 320x240! -sampling-factor 2x2 -interlace none -quality 90 -strip prepped.jpg

Then I made sure it was the right size as I was going to overwrite into the ‘exmend.bin’ file.

truncate -s 21990 prepped.jpg && echo -ne '\xFF\xD9' >> prepped.jpg

So I used ‘dd’ to generate the properly sized empty .bin

dd if=/dev/zero bs=1 count=4194304 | tr '\000' '\377' > exmend.bin

Now add the custom image to the right spot in the bin:

dd if=custombootimage1.jpg of=exmend.bin bs=1 seek=2166673 conv=notrunc

Then I put the bin on the camera’s microSD, plugged it in, booted it up and…nothing.

At this point I’d spent two nights on this, and honestly, wasn’t trying to spend much more time on it.

So in my exhaustion, and frustration, I renamed the exmend.bin to DestBin.bin

Put the microSD card in and booted the camera up and BAM, I see an ‘Upgrading Firmware’ message.

When it finishes it goes black, and won’t turn back on. Then I realized… I just had it flash an almost completely empty bin except the boot image…

So then it became time to fix the soft brick but I still haven’t found a way to open the plastic shell up in a way where they can be put back together…

However, the probes were able to flash the original firmware and I knew that b/c I heard the jingle when it was given power via the probes after the flash finished.

So turns out likely the SOIC8 clip does work, just too much noise as I mentioned.

B/c after that, I could no longer interact with the flash chip.

OK.

So now I was pretty confident that if I put the custom boot image in the right spot in a modified version of the original firmware, I’d be g2g.

So, I checked the EXIF of the original boot image and the custom one

(CUSTOM)

Custom Image:
ExifTool Version Number         : 12.40
File Name                       : custombootimage1.jpg
Directory                       : .
File Size                       : 21 KiB
File Modification Date/Time     : 2025:03:26 23:19:20-04:00
File Access Date/Time           : 2025:03:27 17:01:38-04:00
File Inode Change Date/Time     : 2025:03:26 23:19:20-04:00
File Permissions                : -rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Image Width                     : 320
Image Height                    : 240
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 320x240
Megapixels                      : 0.077

The original EXIF is a little bit up in this post.

I said sweet, made a copy of the original firmware:

cp camerafirmware.bin ModifiedFirmware.bin

Added the custom image to the right spot in it:

dd if=prepped.jpg of=ModifiedFirmware.bin bs=1 seek=2166673 conv=notrunc

Called my wife and kid over. And had a ‘StuffMadeHere’ moment. Watched the ‘Firmware Upgrade’ message appear.

Rebooted it after, and BLANK BLACK boot image and then the menu showed up…

Now did you catch what I did wrong when I did it?

Well there’s a few fields that you can see in the original that you don’t see in mine.

Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)

So instead of adding them manually, I said screw it and just exported the EXIF from the original and added it to my image.

exiftool -exif -b image.jpg > factory.exif

Then add it:

exiftool -overwrite_original "-exif<=factory.exif" prepped.jpg

Then truncate it to the proper size

truncate -s 21990 prepped.jpg && echo -ne '\xFF\xD9' >> prepped.jpg

Add it to a new copy of the original firmware.

dd if=prepped.jpg of=ModifiedFirmware.bin bs=1 seek=2166673 conv=notrunc

Insert MicroSD, boot it up, let the ‘firmware upgrade’ finish, and bam! It worked!
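
An added example, not the author's code: a Python pre-flight check that compares a replacement JPEG with the one already at the binwalk offset on the fields where the two ExifTool dumps above differ (encoding process, subsampling, Exif block), plus dimensions and length, and only then patches a full-size copy of the dump. The function names are hypothetical and the demo input is a constructed stand-in, not the camera's firmware.

```python
import struct

BOOT_OFFSET = 0x210F91   # binwalk offset of the boot JPEG, taken from the post

def jpeg_profile(data):
    """Walk JPEG marker segments up to the first scan and return header facts."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no JPEG SOI marker at this offset")
    prof, pos = {"exif": False}, 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, (seglen,) = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            prof["exif"] = True                      # APP1/Exif block present
        elif marker in (0xC0, 0xC2):                 # SOF0 baseline, SOF2 progressive
            _, height, width, _ = struct.unpack(">BHHB", body[:6])
            prof.update(process="baseline" if marker == 0xC0 else "progressive",
                        size=(width, height), luma=(body[7] >> 4, body[7] & 15))
        elif marker == 0xDA:                         # SOS: image ends at the next EOI
            prof["length"] = data.index(b"\xff\xd9", pos) + 2
            return prof
        pos += 2 + seglen
    raise ValueError("no scan data found")

def patch_boot_image(firmware, offset, new_jpeg):
    """Return a full-size copy of firmware with new_jpeg written over the boot image."""
    old, new = jpeg_profile(firmware[offset:]), jpeg_profile(new_jpeg)
    diffs = [f"{k}: factory={old.get(k)} new={new.get(k)}"
             for k in ("process", "size", "luma", "exif") if old.get(k) != new.get(k)]
    if len(new_jpeg) > old["length"]:
        diffs.append(f"length: slot={old['length']} new={len(new_jpeg)}")
    if diffs:
        raise ValueError("; ".join(diffs))
    out = bytearray(firmware)                        # whole dump, never a blank file
    out[offset:offset + len(new_jpeg)] = new_jpeg    # same effect as dd conv=notrunc
    return bytes(out)

def fake_jpeg(sof, samp, exif=True, scan=b"\x00" * 32):
    """Constructed marker skeleton for the demo (not a decodable picture)."""
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"Exif\x00\x00" if exif else b""
    frame = struct.pack(">BHHB", 8, 240, 320, 3) + bytes([1, samp, 0, 2, 0x11, 1, 3, 0x11, 1])
    return (b"\xff\xd8" + app1 + bytes([0xFF, sof]) + struct.pack(">H", 2 + len(frame))
            + frame + b"\xff\xda\x00\x02" + scan + b"\xff\xd9")

def demo_firmware():
    """Constructed 4 MiB stand-in for the dump: 0xFF fill plus a factory-style image."""
    fw, factory = bytearray(b"\xff" * 4194304), fake_jpeg(0xC0, 0x22, scan=b"\x00" * 64)
    fw[BOOT_OFFSET:BOOT_OFFSET + len(factory)] = factory
    return bytes(fw)
```

With a real dump, pass the file contents as bytes and write the result to a new file, keeping the original dump for recovery.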

END TRANSMISSION
