I managed to open my camera without breaking any clips. I used one of those iPod opening tools with a simple wedge along the end. Placing the tool flat against the grey rim caused it to slip and scratch the front a bit. But, placing the tool at an angle with the cut surface of the wedge parallel to the rim allowed me to disengage the clips. I was pushing at approximately the midpoint of one side. The grey rim stays with the back and the front separates from the grey rim.
Then I hooked up a serial connection. I could boot various sysupgrade.bin files, but they failed to find root, giving a lot of JFFS errors like jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x000e0024: 0xc1a8 instead. Flashing them didn't help either. i could not boot factoryupgrade.bin files directly from TFTP, because the bootloader said "Verifying Checksum ... Bad Data CRC".
Then I finally tried to flash openwrt-ramips-rt305x-dcs-930-squashfs-factory.bin and I bricked the device. They factory.bin files ar exactly 4 megabytes, the same size as the flash, but they're "u-boot legacy uImage" files. They start with a header, which starts with a magic number. However, the original firmware DCS-930L_REVA_FIRMWARE_1.16.04.BIN, which is the same size, starts with MIPS code, with a branch instruction going to what definitely seems like startup code. The original firmware also contains bootloader strings.
So, I overwrote the bootloader with garbage, and bricked the device such that only JTAG or maybe the apparently undocumented iNIC boot using internal ROM could recover it. I'm left wondering what's the point of the factory.bin files. How could they work with this device? Why is OpenWrt releasing them?
(Last edited by dreamlayers on 1 Jan 2018, 04:32)