xrg

Well, I've had a bricked camera, which could only give me access to the bootloader. Using that and an extracted "clean" version of the firmware, I managed to get into the camera's filesystem and reset the accounts. The problem was that I tried to set a password containing special chars, like '$' and brackets, which seemed to have somehow been expanded. Then, I was completely unable to access the usual services of the camera (modern firmwares have closed the telnet port). The camera is a mini-bullet, has no reset button. I've soldered the serial port, as seen in your photo (HFW.. model, same pinout). Then, after loading the kernel, camera would NOT send anything on the serial port, would not provide a shell. Bad. Then, by reading the "clean" firmware, I discovered two boot parameters, as provided by U-Boot to the Linux, which control the workflow of applications: dh_keyboard: 1=no console (default), 0=use serial console appauto: 1=launch video app (default), 0=no video app Setting dh_keyboard=0 immediately caused the serial console to display all stderr of the userspace. There was some sort of login prompt "behind" that, but logs would scroll too often to let me type it. I tried, it seemed to require the same web-credentials I'd been locked out of. Then, in despair, I pressed Ctrl+C . Voila! The video app stopped, and I had a busybox shell! Only problem, that also stopped the watchdog and camera rebooted in 2min. Setting "appauto=0" fixed that, now, Linux would boot, initialize and immediately provide a busybox shell, root access. With this, I could unbrick the camera. Summary: u-boot commands to achieve that: printenv setenv dh_keyboard 0 setenv appauto 0 boot