logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Shenzhen Pinmei / Linklemo A9 Mini Camera with Beken BK7252NQN481 – Photos, Boot Log, Flash Backup

divadiow 
Black security camera on a stand, angled slightly to the side.

The ubiquitous A9 Mini Wi-Fi Camera, in its seemingly many forms, is a compact, budget-friendly smart surveillance device, often seen for as low as $1USD as a Welcome Deal on sites like Ali Express. Positioned as a security camera, baby monitor, spycam, camcorder, it is often advertised by sellers as being 4K, having night-vision/infra-red, AI, motion detection. It can usually be said that one or more of these claims is false or at best, exaggerated. The device that is the subject of this post is listed with these "sellpoints" on Ali:

-Xiaomi Mini Camera4k Wireless Wifi Remote Camera4K Ultra Clear Image Quality:Capture every detail with 4K resolution, ensuring clear and vivid footage even in low light.
-WiFi/IP/AP Flexible Connection:Seamless connectivity with multiple modes: WiFi, IP, or AP, for uninterrupted monitoring.
-Intelligent Mobile Detection:High-precision motion sensors trigger alerts, reducing false alarms and enhancing security.
-Portable Design with Magnetic Base:Easily place the camera in any corner with its magnetic base, saving space and ensuring flexibility.
-Long Term Battery Life:Reliable performance with a large capacity battery, ensuring worry-free operation.

I am immediately sceptical about it being 4K and having anything to do with Xiaomi!

My device was sourced from Ali here https://www.aliexpress.com/item/1005008584918966.html

Xiaomi 4K WiFi mini camera with microSD card, displayed on the AliExpress store product page.

I'll now start by documenting the packaging and device before diving into the internals. Subsequent posts will detail the pairing/app user experience, as well as providing real images and videos created by the device.



The box for this came marked with reference to "Shenzhen Pinmei Technology Co., Ltd".

Blue box with a white label showing a barcode and description of a Xiaomi 4K Mini Camera. Box of a battery-powered HD IP camera labeled Smart Camera. A smart camera product box with an instruction manual placed on a carpet. IP camera set: camera, USB cable, mount, manual, and box on carpet. The interior of a small electronic device with a visible lithium-polymer battery and circuit board. A small, black, square portable speaker is lying on a light carpet. Micro USB port on a black plastic electronic device. A small, black, square speaker or electronic device with vent holes and a slot, placed on a beige carpet. A black, square-shaped webcam with a central lens and attached USB cable, lying on a carpet. Small black electronic speaker with two buttons, lying on a beige carpet. Disassembled plastic case and USB cable on a carpet. Wi-Fi device setup instructions from a mobile app shown on a paper lying on a carpet. Smart camera instruction manual with QR code, app icon, and screenshot of mobile app interface.

Inside we see a 2mb BK7252NQN481 - datasheet: https://www.elektroda.com/rtvforum/topic4118348.html#21526095

Printed circuit board with microSD slot, micro USB port, integrated circuit, and buttons. Printed circuit board with a connected battery and micro USB socket. Printed circuit board with electronic components, a micro USB port, and a camera lens on a blue surface. A circuit board with a mounted camera lens and a lithium-polymer battery on the left. Electronic module with camera lens and flat cable connector on a blue background. A printed circuit board with electronic components, including a microphone, connectors, and ICs. A circuit board with a mounted camera lens and a connected lithium-polymer battery. A printed circuit board with electronic components and a microSD card slot. Printed circuit board with electronic components, a micro USB port, memory card slot, and power wires.

from TX1 @115200 baud

Code: Text
Log in, to see the code


On one side are pads labelled TDI and TDO (accessible with camera ribbon removed). TMS and TCK are not so obvious.

PCB of the Wi-Fi A9 camera module seen from above, placed on a blue service mat.

TCK and TMS are these two:

A circuit board with a camera lens, battery, and labeled technical pins on a blue background.

I will later attempt SPI dump using these 4 pads as well as UART backup.

Close-up of BEKEN BK7252NQN48 chip on PCB with marked JTAG pins and a partial pinout diagram.

PCB text: INO-IPC-A9-V2.4 - I have not found FCC submissions for this device or company

From RX1/TX1 Easy Flasher reads in BK7252 mode but this skips bootloader. It also reads in N mode which covers the whole 2MB. Maybe BK7252N is more like BK7231N, it also seems to have a romcode like N. Maybe EF needs to have separate BK7252U and BK7252N modes. Maybe EF could have chip detect and it select the right mode if known? BK7252N CHIP_ID = 0x7252a

BKFIL is also happy with BK7252N where it wasn't interested in the older BK7252U.

Code: Text
Log in, to see the code


Screenshot of BK7231 Easy UART Flasher software with Reading success! message and memory read details.

Flash ID is familiar EB6015 and coeff in efuse is 00e46d00 00e46d00 00e46d00 00e46d00

Code: Text
Log in, to see the code


I propose a split of BK7252U and N folders in FlashDumps https://github.com/openshwprojects/FlashDumps/pull/28

If accepted my backups will land in https://github.com/openshwprojects/FlashDumps/tree/main/IoT/BK7252N

that's it for tonight with this cam
About Author
divadiow
divadiow wrote 2731 posts with rating 469 , helped 245 times. Live in city Bristol. Been with us since 2023 year.

Comments

Add a comment
p.kaczmarek2 22 Apr 2025 10:07

Are you sure that this device is encrypted? This encryption keys looks like the NiceMCU keys, which are invalid because readout is disabled. @insmod ? Is your device working with this exploit (get... [Read more]

divadiow 22 Apr 2025 10:17

not yet analysed dump to see if encryption is used. that's just what was read from efuse. if readout is disallowed isn't the read 00000s rather than an actual key? not yet attempted [Read more]

p.kaczmarek2 22 Apr 2025 10:37

There are string references, so I guess not encrypted. https://obrazki.elektroda.pl/4216102700_1745310632_thumb.jpg https://obrazki.elektroda.pl/5699160000_1745310638_thumb.jpg I think we... [Read more]

divadiow 22 Apr 2025 10:59

I assumed/hoped so. I'll get working SPI method then confirm by killing 0x0-> Added after 5 [minutes]: I've not looked inside it, but the rom dump was also successful. In flashdumps. [Read more]

insmod 22 Apr 2025 11:20

Rom mentions BK7238 at 0x18B8, so i guess you would have to try to boot 7238 binaries, and not N. And keys readout is not disabled, since we can get at least something out of them, but addresses were... [Read more]

divadiow 22 Apr 2025 11:26

cool cool. ah yes. did notice this in main flash dump actually https://obrazki.elektroda.pl/9584955000_1745313993_thumb.jpg [Read more]

insmod 22 Apr 2025 12:38

Maybe you should also try to take a 4M backup? FAL prints that flash length is 4M, even if partitions are configured to 2M [D/FAL] (fal_flash_init:63) Flash device | ... [Read more]

divadiow 22 Apr 2025 12:49

interesting. 0x0-0x400000 result from BKFIL attached. shows repeat at 2mb though https://obrazki.elektroda.pl/6538363600_1745318908_bigthumb.jpg [Read more]

p.kaczmarek2 22 Apr 2025 15:20

It's the address wrap around I've mentioned recently. This is the way we can read bootloader on BK7231T. BK7231T has read offset 0x0 to 0x11000 protected, but if we add 2MB, then we can both read.... and... [Read more]

divadiow 22 Apr 2025 21:42

xref: accidental post about this cam in other thread re SPI https://www.elektroda.com/rtvforum/viewtopic.php?p=21527527#21527527 [Read more]

austin007 23 Apr 2025 09:07

Thank you for sharing your work. Is it the same hardware as in the round A9 camera from the thread discussed earlier*? I looked at a picture of one customer on Aliexpress and it looks better than the... [Read more]

error105 23 Apr 2025 11:36

And I'm interested in whether it outputs any stream? For 9£ a nice option to read my analogue water meter, I have an ESP32CAM there but this one so much more convenient because it has a case etc :) [Read more]

p.kaczmarek2 23 Apr 2025 11:50

@austin007 we've already seen about four variants of these A9s and their batches are not interchangeable with each other (there is either BK7525, or BK7525N, or XF16, or some other chip). On the other... [Read more]

divadiow 23 Apr 2025 21:44

that sample pic looks too good to be an A9 cam though doesn't it? The aspect ratio and wide angle lens isn't something I've seen I don't think for a camera at this level, not my A9s anyway. on the subject... [Read more]

p.kaczmarek2 23 Apr 2025 22:44

salve_id is in BK code: https://obrazki.elektroda.pl/4020509400_1745441017_thumb.jpg Btw maybe we should add a "camera" tag for Devices List? https://openbekeniot.github.io/webapp/devicesList... [Read more]

divadiow 23 Apr 2025 22:50

sure. there are other platforms missing too though. [Read more]

p.kaczmarek2 24 Apr 2025 09:05

This also needs to be fixed - there is just one result for "camera" on our site: https://obrazki.elektroda.pl/4604837300_1745478292_thumb.jpg [Read more]

divadiow 24 Apr 2025 20:45

On the subject of the Pinmei A9 BK7252 cam: in pairing mode it broadcasts an AP - the SSID and key for which can be seen in the boot log ssid:LLM_H0A9_06615F key:12345678 https://obrazki.elektroda.pl/9768568200_1745516984_thumb.jpg... [Read more]

p.kaczmarek2 24 Apr 2025 23:04

Are you able to pair with this app without pairing with cloud? Via access point? Can you provide here the APK file of this app? Maybe we could analyze it. [Read more]