Reverse engineering a Linux based USB camera


I bought an IP camera on which proprietary software is installed (no HTTP server). This prevents me from integrating it into my home network.

I want to replace the software (a closed-source ELF) with the motion package I already use and add some features.

I have no particular systems expertise, and I have been searching the net for over a week to learn, but I cannot get anywhere. I have access to the U-Boot console (USB-TTL adapter) and telnet (root). The webcam has an SD card reader that I could use if I need space. I started by making a backup of the three partitions (with dd).

I extracted the file mtdblock2 (binwalk -e), which produces a classic Linux tree with links to BusyBox, some system binaries and the proprietary software.

I tried to extract mtdblock1, which produces zImage. Extracting zImage produces two directories and one file (console). Yet I need the kernel modules that are in it. What should I do? I also want to get the kernel compilation settings; is this possible?

I unpacked the firmware available on the manufacturer's website. It contains only an update of the ELF, one .so file and some Bash scripts.

At first I thought the three partitions could be migrated directly to QEMU. But if I understand correctly, this is not possible because the memory addresses are hard-coded into the kernel. Do I understand correctly?

So I think I have one solution: build a new kernel and rebuild a rootfs from scratch. Is this the only solution?

I started playing with Buildroot, but I cannot find a configuration file for a board based on the Hisilicon Hi3518. Did I look in the wrong place, or is it not needed? For my first test I used board/qemu/arm-versatile. Is this the right choice? Will this not prevent me from migrating to the physical machine?

For testing, if I manage to rebuild a kernel and rootfs, I would install these partitions on the SD card so as not to break anything. For this, it is "sufficient" to modify the kernel parameters (in the bootargs variable), is that right? So I don't need to rebuild a U-Boot partition for my device?

In short, as you have guessed, I am asking myself a lot of questions (there are others, but "one" thing at a time). I need advice on whether I am on the right road. Please feel free to correct me if I am talking nonsense. If you have ideas or points to think about, I'm interested.


# cat /proc/cpuinfo 
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 218.72
Features        : swp half thumb fastmult edsp java 
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00010000 "boot"
mtd1: 00300000 00010000 "kernel"
mtd2: 00c00000 00010000 "rootfs"

# binwalk mtdblock0 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
122044        0x1DCBC         CRC32 polynomial table, little endian

# binwalk mtdblock1
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x853F419E, created: 2014-07-22 02:45:04, image size: 2890840 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xB24E77CA, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.8"
22608         0x5850          gzip compressed data, maximum compression, from Unix, NULL date:
# binwalk zImage
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
113732        0x1BC44         ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
113848        0x1BCB8         ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
113972        0x1BD34         ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
114088        0x1BDA8         ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
1903753       0x1D0C89        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
4188800       0x3FEA80        Linux kernel version "3.0.8 (cwen@ubuntu) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #1 Tue Jul 22 10:45:00 H"
4403540       0x433154        CRC32 polynomial table, little endian
5053435       0x4D1BFB        Unix path: /mtd/devices/hisfc350/hisfc350_spi_gd25qxxx.c
5054731       0x4D210B        Unix path: /mtd/devices/hisfc350/hisfc350.c
5058939       0x4D317B        Unix path: /net/wireless/rt2x00/rt2x00dev.c
5059323       0x4D32FB        Unix path: /net/wireless/rt2x00/rt2x00config.c
5060683       0x4D384B        Unix path: /net/wireless/rt2x00/rt2x00usb.c
5060851       0x4D38F3        Unix path: /net/wireless/rt2x00/rt2x00.h
5061171       0x4D3A33        Unix path: /net/wireless/rt2x00/rt73usb.c
5081107       0x4D8813        Unix path: /S70/S75/505V/F505/F707/F717/P8
5102399       0x4DDB3F        Unix path: /mmc/host/himciv100/himci.c
5141264       0x4E7310        Neighborly text, "NeighborSolicits/ipv6/inet6_hashtables.c"
5141284       0x4E7324        Neighborly text, "NeighborAdvertisementses.c"

# binwalk mtdblock2
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JFFS2 filesystem, little endian
722980        0xB0824         JFFS2 filesystem, little endian
732282        0xB2C7A         Zlib compressed data, compressed
737031        0xB3F07         Zlib compressed data, compressed
738287        0xB43EF         Zlib compressed data, compressed
.... most of the other lines are of the same kind

IP Camera QQZM N5063 http://www.zmvideo.com/product/detail.php?id=60
Firmware http://bbs.zmmcu.com/forum.php?mod=attachment&aid=MzU2fDBiY2M4NDdjfDE0MTkxMTEzODl8MzQ4fDIwMzc%3D

arm
reverse-engineering
embedded-linux
u-boot
buildroot
asked on Stack Overflow Jan 8, 2015 by Mauricio • edited Jan 8, 2015 by artless noise
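The uImage header binwalk found at offset 0 of mtdblock1 (its Data Address and Entry Point of 0x80008000 are part of why the kernel is tied to the board's memory map) can be read and CRC-checked before anything is re-flashed or booted from SD. This is an added example, not code from the question or the answer; the sample image it builds is a constructed stand-in for the real dump, which would be passed as a file argument instead.

```python
import struct, zlib

IH_MAGIC = 0x27051956            # legacy U-Boot image magic
HEADER_FMT = ">IIIIIIIBBBB32s"   # big-endian: magic hcrc time size load ep dcrc os arch type comp name
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64, as binwalk reported
OS_NAMES, ARCH_NAMES = {5: "Linux"}, {2: "ARM"}
TYPE_NAMES, COMP_NAMES = {2: "OS Kernel Image"}, {0: "none", 1: "gzip"}

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def parse_uimage(blob):
    """Return the header fields of a legacy uImage after checking both CRCs."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a uImage header")
    fields = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    magic, hcrc, _time, size, load, ep, dcrc, os_, arch, typ, comp, name = fields
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    # the header CRC is taken over the header with its own hcrc field zeroed
    if crc32(blob[:4] + b"\0\0\0\0" + blob[8:HEADER_LEN]) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[HEADER_LEN:HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("image truncated: header announces %d bytes" % size)
    if crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    return {"name": name.rstrip(b"\0").decode(), "size": size, "load": load,
            "entry": ep, "os": OS_NAMES.get(os_, os_), "arch": ARCH_NAMES.get(arch, arch),
            "type": TYPE_NAMES.get(typ, typ), "comp": COMP_NAMES.get(comp, comp)}

def build_uimage(payload, name, load=0x80008000, entry=0x80008000):
    """Wrap payload in a legacy uImage header (only used to construct sample data)."""
    hdr = struct.pack(HEADER_FMT, IH_MAGIC, 0, 0, len(payload), load, entry,
                      crc32(payload), 5, 2, 2, 0, name.encode())
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + payload

# Constructed stand-in for mtdblock1: same load/entry address and name as the
# real dump, but a 35-byte dummy payload instead of the 2890840-byte kernel.
SAMPLE = build_uimage(b"\0" * 16 + b"constructed kernel!", "Linux-3.0.8")

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, val in parse_uimage(blob).items():
        print("%-6s %s" % (key, "0x%08X" % val if key in ("load", "entry") else val))
```

Run it as `python3 uimage.py mtdblock1` to check the real dump; a data CRC mismatch on a fresh dd copy means the read itself is suspect, not the flash.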

1 Answer


First of all, you do not want to replace U-Boot as this may render your device unbootable. On the U-Boot console, check if you can boot from the SD card (mmc rescan 0; fatload mmc 0 ${loadaddr} uImage) or from the network (dhcp ${loadaddr} ${serverip}:uImage). You'll need to look for documentation for these commands to get more help.

But perhaps you don't even need to replace the kernel. You already know it's a 3.0.8 kernel, so you can build a userspace for this kernel version. And any proprietary modules that are used by it can be lifted from the jffs2 filesystem. On your telnet session, do lsmod to find out which modules are loaded. You can mount an SD card and copy them to it. The modules are located in /lib/modules/3.0.8.

So you probably don't even need to build a kernel in buildroot, only the rootfs. First, check in the telnet session which filesystems are supported: cat /proc/filesystems. Then choose the appropriate filesystem in the buildroot configuration. For the target architecture, choose arm926t. And select the 3.0 kernel headers in the toolchain configuration, or choose the Arago ARMv5 2011.09 external toolchain (it has old kernel headers).

As remarked by artless noise, you don't need to test it in qemu, since the SD card is safe.

answered on Stack Overflow Jan 9, 2015 by Arnout
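Lifting the loaded modules as described in the answer can be scripted on the host against the tree that binwalk -e produced from mtdblock2, fed with the lsmod output copied from the telnet session; checking each .ko's vermagic catches a module left on the flash that was built for a different kernel. This is an added example, not Arnout's code; the rootfs tree and lsmod text it uses are constructed stand-ins.

```python
import os, re, shutil, tempfile
KERNEL_RELEASE = "3.0.8"  # release string binwalk found in the zImage

def loaded_module_names(lsmod_text):  # first column of each row, minus the header
    rows = [line.split() for line in lsmod_text.splitlines()]
    return [r[0] for r in rows if r and r[0] != "Module"]

def module_vermagic(path):  # kernel the .ko was built for, from its .modinfo section
    with open(path, "rb") as f:
        m = re.search(rb"vermagic=([^\x00]+)\x00", f.read())
    return m.group(1).decode() if m else None

def harvest_modules(rootfs, lsmod_text, dest):
    """Copy each loaded module from rootfs/lib/modules/<release> into dest."""
    moddir = os.path.join(rootfs, "lib", "modules", KERNEL_RELEASE)
    by_name = {}  # lsmod prints '-' in module file names as '_'
    for root, _, files in os.walk(moddir):
        for fn in files:
            if fn.endswith(".ko"):
                by_name[fn[:-3].replace("-", "_")] = os.path.join(root, fn)
    os.makedirs(dest, exist_ok=True)
    copied, problems = [], {}  # a missing or foreign-kernel module is reported, not copied
    for name in loaded_module_names(lsmod_text):
        path = by_name.get(name)
        magic = module_vermagic(path) if path else None
        if path is None:
            problems[name] = "no .ko under " + moddir
        elif not magic or magic.split()[0] != KERNEL_RELEASE:
            problems[name] = "vermagic %r is not for %s" % (magic, KERNEL_RELEASE)
        else:
            shutil.copy2(path, dest)
            copied.append(name)
    return copied, problems

def make_sample(base):  # constructed stand-in for the extracted JFFS2 tree and lsmod output
    moddir = os.path.join(base, "rootfs", "lib", "modules", KERNEL_RELEASE, "extra")
    os.makedirs(moddir)
    fake = {"sample_isp": "3.0.8 mod_unload ARMv5 ", "sample-wifi": "2.6.32 mod_unload ARMv5 "}
    for name, magic in fake.items():  # minimal files carrying only a vermagic string
        with open(os.path.join(moddir, name + ".ko"), "wb") as f:
            f.write(b"\x7fELF" + b"\0" * 12 + b"vermagic=" + magic.encode() + b"\0")
    lsmod = "Module  Size  Used by\nsample_isp  40960  0\nsample_wifi  20480  0\nsample_gone  1024  0\n"
    return os.path.join(base, "rootfs"), lsmod

def run_sample():  # build the constructed tree in a temp dir and harvest from it
    with tempfile.TemporaryDirectory() as tmp:
        return harvest_modules(*make_sample(tmp), os.path.join(tmp, "sd", "modules"))

if __name__ == "__main__":
    print(run_sample())
```

On the real tree, also copy modules.dep (or regenerate it with depmod on the new rootfs) so modprobe can resolve dependencies.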

User contributions licensed under CC BY-SA 3.0