Recovering a Dericam/CyberNova HD IP Camera

Feb 25, 2013

This article applies to Dericam H502W, Cybernova WIP604MW and compatible models.
Although they're hard to brick, some operations may sometimes produce similar symptoms.
While your camera still works, do this...
A wise precaution to be ready in case of trouble is to perform the following backup of the camera:
- Save your settings
  In Control Panel > Device Settings, click the Download button in front of Backup
- Save your firmware via FTP
  With a FTP client like Filezilla, download the www and app folders from your camera.
That set of files will be your best recovery option if something ever goes wrong.
- Last but not least: make a backup of your board.dat (aka "license file") by using the url
http://<cameraIP>/board.dat 
Read this post to learn more about this important file.

Sometimes, the camera just looks bricked, check for port 81!
When a firmware upgrade is performed, it sometimes reset the camera to its default with may become inaccessible through its usual URL.
Remember that factory default for HTTP port on that device is not 80 but 81.
The "Master" IP Camera utility remains the easiest way to find the camera, but checking the router's table for recent additions or using a network scanner like Overlook's Fing are valid methods. Consider also that the camera may become invisible to you if its default subnet was different than yours.


The default password and url are printed on the sticker on the base of the camera. The admin password  is generally just "admin".





If the camera can't be reached from a browser...

If there's no HTTP service running, generally the FTP service is still up. Then a backup made previously or obtained from someone else (always prefer the first method!) can be uploaded to the camera.
The default FTP account can be MayGion with password maygion.com or admin/admin, depending the versions.

Once the www and app folders have been fully restored, unplug the power from the device and re-plug it.

Upon rebooting, the IP Camera Tool should see your camera. If it was restored from a personal backup,  your settings and your admin password should be back. If it came from another source, it may contain some customization (port, password, ...). You can restore the factory setting by keeping the Reset button pressed for more than 5 seconds. While there was a hole for a reset button at the bottom of my camera, it was in fact located at the back, below the SD card slot.

As a precaution, once you recovered a functional camera via FTP, it would be wise to apply an normal update (bin files) from the camera Control Panel > Update Software (app.bin) and Update WebPage (www.bin), and then reset the settings using the button in Device Settings to ensure a clean start.

Where to get the recovery files

As suggested earlier, a personal backup is your safest option. If there's none, someone can provide you with his files. That's what I do below (-:

I made a clean Recovery Pack (+ mirror) containing:






File to upload via FTP (all default settings)
Firmware files for normal update from the UI.
Instructions document (howTo.txt)
All based on the official update 05.20 published by CyberNova.

Note: Due to antivirus alerts (false positive) they cause, the following files have been separated from the main recovery pack:
ocx2.exe (normally located under the www folder) and IPCamTool.exe (IP Camera finder)
They can be downloaded separately (+ mirror)



What if nothing above worked ?
In the cases above, the  camera was never really bricked, and no matter how hard I tried, I could not yet make mine unrecoverable. If nothing above worked, you may then have a truly bricked device and should contact the manufacturer directly. Your luck is that both Cybernova and Dericam do reply to emails! Tried and tested both.

There's also now an updated version for Maygion repair tool on Dericam web site.


29 comments:

  1. Hi,
    Thanks for this great write-up: very useful.
    Tried to download firmware from my Dericam H502W (5.20 base) through FTP: actually FTP account is not the same as admin camera account!...
    Doing some more search & trial, it turns-out that user/pass is from maygion, namely:
    ftp user:MayGion
    ftp password:maygion.com

    Now this seems to imply the root firmware between those cams is a bit different, as per your article FTP user seems to be synced with camera admin account...

    Maybe it would be interesting to dig a bit further into this root firmware, as it might be a slightly different distribution version.
    On my Dericam, Telnet on the camera says:
    BusyBox v1.12.1 (2012-11-21 11:49:04 CST) built-in shell (ash)
    (BTW Telnet is NOT password protected!!! big issue here)

    Thanks for any info

    ReplyDelete
    Replies
    1. I read some other comments about that MayGion password, and I was expecting to see that too, but mine remained "admin" when reset to fact. default. Another interesting point, I do not have any FTP service running on mine. So far I though the only difference was due to my older hardware which does not support any kind of OSD (hardw/softw). I'm planning to buy a Dericam to compare them in detail...
      I'd be curious to upload a Dericam ftp backup to my device if you can share it somehow.

      Delete
    2. MayGion user is only on FTP side.
      On cam web interface, it's admin/admin
      How did you do your back-up if no FTP avail?
      Have you tried to telnet the cam? What do you get?

      Delete
    3. sorry, typo, I meant: no telnet service. The ftp always worked, and uses the same admin/admin as the web interface.

      Delete
  2. After a recent power outage my Dericam H502W stopped connecting to the wireless access point. It seemed OK if I plugged in Ethernet.

    I tried the reset procedure with the button on the back of the unit but now I'm stuck in repair mode. I can access the FTP via 192.168.1.111, but no matter which firmware I try to upload I cannot acess the web interface.

    It does not look good for my poor Dericam. =[

    ReplyDelete
    Replies
    1. Did you try accessing it via port 81 ?

      Delete
    2. Yes, always port 81.

      Somehow I have managed to resurrect it. I logged on via telnet using PuTTY and started poking around in the filesystem. I have very very little knowledge of linux systems, but enough to do some damage. I found a file: /etc_ro/rcS which appears to be a script of somesort, one thing I noticed was that it referenced /tmp/eye which is where the FTP defaults to when you manually upload firmware.

      I then looked at some of the other scripts in /sbin and accidently ran init. I couldn't break out of this and had to re-srart the telnet session. I then ran exec reboot and when it came back, 05.20 had loaded and my device managed to get a DHCP IP and showed up in IPCamTool. Everything seems to be working again. I'm not sure if any of what I did effected the change but I am not complaining.

      WARNING - I DO NOT RECOMMEND PLAYING AROUND VIA TELNET LIKE I DID, I TAKE NO RESPONSIBILTY IF SOMEONE BREAKS THEIR CAMERA.

      Would be great if someone with serious linux knowledge could play around in here and see what else this little camera has inside. I must look into this busybox thing further: http://en.wikipedia.org/wiki/BusyBox

      Here is the fule rcS file:
      #!/bin/sh
      mount -a
      mkdir -p /var/run
      mkdir /tmp/eye
      mount -t jffs2 /dev/mtdblock5 /tmp/eye
      cat /etc_ro/motd
      cd /sbin
      internet.sh
      sleep 1
      ifconfig eth2.1 192.168.1.111
      cd /bin
      #ftpd&
      fd&
      telnetd&
      wpp&
      apploader&
      #./cs&
      mii_mgr -s -p 0 -r 0 -v 0x3900
      mii_mgr -s -p 1 -r 0 -v 0x3900
      mii_mgr -s -p 2 -r 0 -v 0x3900
      mii_mgr -s -p 3 -r 0 -v 0x3900
      #for syslogd
      mkdir -p /var/log


      Delete
    3. Thanks for the update. The guys @ www.openipcam.com could help maybe?

      Delete
    4. I'll try the forum, cheers.

      Another update. Thought it was all working fine, managed to reboot it multiple times in the process of changing various settings. Rebooted it without the thernet plugged in and it connected to the wireless fine.

      Then I unplug it from the wall and move it into the baby's room and it won't connect. ARGH! Bring it back to the computer, its back to 192.168.1.111 recovery mode.

      I telnet in and do "exec reboot", it starts up properly and connects.

      Seems that something is screwed with the boot process, if I unplug power it won;t boot, but if I soft reboot (from telnet or from the web interface) it's fine.

      Really bloody annoying now. Considering buying a second Dericam from same seller and cloning all the firmware off it. I've obviously managed to mess something up in the multiples of times I have re-loaed it.

      Delete
  3. Hello,

    I have a problem with this camera, it starts only 192.168.1.111.

    Port 81 is never up.

    I can see the telnet and I see that the operating system files are missing.

    For example, the / etc directory is empty??

    is there a way to restore that part of the camera?

    thank you

    ReplyDelete
    Replies
    1. Hi Thomas,
      you should try accessing the camera FTP server as explained in this post. From there you just need to upload the recovery pack provided above, or just take the latest official update from Maygion and use mkbin utility to extract the filess and do the same FTP operation.

      Delete
    2. Hi
      thank you for your reply,
      your procedure is used to update / restore apps and www directories ?
      I've copied and www apps with originals available on your site but the problem persists.
      I think my problem is the OS side. In telnet I notice that the directories /etc /sbin are empty and therefore rc boot does not start.
      My system may be normal? and my problem elsewhere
      Thanks for your help.

      Delete
    3. Thomas, try this full ftp backup I made from my IPC. You should be able to restore etc, etc_ro and others. If it works I suggest that you re-apply a clean firmware update just after.

      Delete
    4. Bubbah,

      I restored all via FTP,
      copy of the directory /lib freeze probably cause the files are used.

      In /etc_ro/rc.S starts :
      #!/bin/sh
      mount -a
      mkdir -p /var/run
      mkdir /tmp/eye
      mount -t jffs2 /dev/mtdblock5 /tmp/eye
      cat /etc_ro/motd
      cd /sbin
      internet.sh
      sleep 1
      ifconfig eth2.1 192.168.1.111
      cd /bin
      #ftpd&
      fd&
      telnetd&
      wpp&
      apploader&
      #./cs&
      mii_mgr -s -p 0 -r 0 -v 0x3900
      mii_mgr -s -p 1 -r 0 -v 0x3900
      mii_mgr -s -p 2 -r 0 -v 0x3900
      mii_mgr -s -p 3 -r 0 -v 0x3900
      #for syslogd
      mkdir -p /var/log

      It marks me when apploader& lunch the following error:

      /tmp/eye/app/cs: can't load library 'ead_DetectNetworkReachable'

      Have you any idea?

      thank you

      Delete
    5. Maybe there are still files missing, I know the FTP transfer is very unstable in my case too, I use Filezilla and it reconnects several times before the transfer is complete, you may need to insist.

      Delete
  4. You are my saviour! Thanks, Bubbah! Very useful, I don't know, what I will do without your rescue package and this instruction.

    ReplyDelete
    Replies
    1. You're welcome Dmitry, I'm glad it helped you!

      Delete
  5. And Bubbah, I think you know, but… My camera's FTP didn't allow access before I enter my changed admins settings. I had different admin login (dmitry) and my custom password. So maybe it will be useful too.

    ReplyDelete
  6. I have tried the steps above a number of times and CuteFTP is giving me messages it is out of storage space. I even tried deleting some of the foreign language HTML files and OCX2.exe in hopes of creating space. Space was created, CuteFTP uploaded more, but in the end I cannot get a complete upload done. Any advice for someone getting messages like that? Thanks - Phil

    ReplyDelete
  7. This comment has been removed by the author.

    ReplyDelete
  8. Hi, Could you please upload the recovery files again? It says it contains a virus and may only be downloaded by the owner.

    I have a copy of this cam "sumvision" aka "wanscam", I know *right. It's been stripped of many features to force you using their viewing software. no mjpeg or web interface I'm 95% sure this is the same hardware

    ~ # cat /proc/cpuinfo
    system type : Ralink SoC (RT5350)
    processor : 0
    cpu model : MIPS 24K V4.12

    Or I'm going mad from 10 hours solid on this

    I'm deep into the hack and have already experimented with flashing openWRT with success (rofl it became an AP). I've merged the app.bin onto my kernel and flashed with tftp but it complains that the JFFS2 isn't compatible with my old kernel. I'd like to experiment if you have mtd4&5 (assuming that's what was in the recovery files).

    Willing to share my mtd blocks if interested

    Regards

    ReplyDelete
    Replies
    1. Hi, the link from FileFactory should work now. I have re-uploaded the files after scanning them with the latest Trend OfficeScan. I removed the link from Gdrive as it still reports the zip as infected. Likely a false positive caused by the ocx2.exe or IPCamTool.exe in the archive.
      Cheers

      Delete
    2. Thank you.

      I was hoping the zip contained raw copys

      dev: size erasesize name
      (offset 0x00500000)
      mtd4: 00400000 00010000 "Kernel"
      mtd5: 003b0000 00010000 "file system"

      I'd buy a beer for "cat /dev/mtd0 > /mnt/mmc/mtd0backup" but It's not essential now as I've put OpenWRT on mine with a mjpg-streamer to get the job done. Pan & Tilt was a little more fun toggling GPIOs to step motors.

      If anyone's interested in embedded linux these cameras are great to pull out the cpu board and use. It's cheaper than buying an olimex for example and you get a not shabby usb camera on a PT table.

      Happy hacking for your next victim

      Delete
    3. Hi Nicolas, can you explain us how to do this please ?

      thks ;)

      Delete
  9. Dear Bubbah,
    Can you please upload the Full FTP Backup as it says it contains a virus.

    ReplyDelete
    Replies
    1. I have already re-uploaded the files last month (see previous comment).
      The whole content was scanned with no thread detected by the latest Trend OfficeScan.
      It is very likely a false positive caused by the ocx2.exe or IPCamTool.exe contained in the archive.
      The backup was extracted from my own camera and was also scanned using Avast at that time, so it is clean.
      I may re-upload a version in the future with the .exe files removed.
      Cheers

      Delete
    2. Hi, the recovery pack is now available without the exe files. I've put these in a separate download link.
      Cheers

      Delete
  10. I'm unable to download the recovery pack because the file hoster is limited,can anyone help?

    ReplyDelete
    Replies
    1. I have updated the links and removed the .exe files from the recovery pack file.
      The ipcamtool.exe and ocx2.exe that are likely causing false positive from some antivirus are now available separately.

      Delete