
Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

eastarctica
TL;DR

  • Teardown of cheap Wi‑Fi earwax remover otoscopes that use the Taixen TXW816-810 and expose UART, pinout, and firmware details.
  • Inside, the board has a 21-pin camera/LED connector and exposed pads for 3.3V, 5V, CE, DP (UART TX), CLK, TMS, and PA8.
  • UART logs identify hgSDK-v2.5.0.7, BK7231U-XRH-FBPRO, a HI708 sensor at 480×480, and an AP named Soulear-ae45b with DHCP from 192.168.1.10.
  • An STM32 Blue Pill acting as CKLink dumped the 1 MB flash in chunks, and lowering the ICE clock from 12000KHz to 1200KHz made reads reliable.
  • The firmware still needs proper C-Sky V2 analysis support, and a licensing-related component remains unexplained.
Generated by the language model.
Recently there seem to be a lot of cheap earwax remover otoscope devices popping up on Amazon, AliExpress and TikTok Shop, similar to this one:


When powered on, the button starts flashing slowly and the camera light turns on. After a few seconds it starts its Wi-Fi network, usually with an SSID like "Soulear-ae45b"; the pattern seems to be a very generic "Company-uniq", as another device shows up as "Suear-4670". My device was broadcasting from the MAC 88:17:89:0d:0e:b0 and ran a DHCP server assigning IPs starting at 192.168.1.10, with itself at 192.168.1.1.

Once a phone is connected, the app (which varies depending on the device you pick up, though they are all essentially identical) lets you take video and pictures, switch between left and right ear, enable/disable the LED, switch between the wide and focused lenses, and switch between "horizontal" and "mirror(?)". Some apps also have a lock icon whose function I'm not sure of.




They're very difficult to get into, and from what I can tell can't be opened without breaking the plastic in some way. If you want to take one apart and keep it looking nice, I think the approach would be cutting along the seam, or perhaps using heat to soften the glue holding it together. Once inside, you're greeted by a 21(?)-pin connector for the LEDs + camera, a 2.7V 170mAh battery, and the main PCB. The PCB has a few pads exposed, of which I may have torn off CE and CLK 😬:
- 3.3V + GND (from mcu)
- 5V + GND (from usb, although GND is shared)
- CE (CHIP_EN)
- DP (PC6, This is UART TX, RX is not exposed)
- CLK (PA10, TCLK)
- TMS (PA9)
- PA8 (USB_DET?)

These (mine at least) seem to be using the Taixen TXW816-810, which has also been seen in the A9 minicams discussed here.

UART Logs
startup:
14:06:55.069 -> [0]40 00 97 00 a8 43 12 a0
14:06:55.069 -> [0]28 e0 00 00 00 00 00 00
14:06:55.070 -> [0]00 00 00 00 00 00 00 00
14:06:55.070 -> [0]88 17 89 0d 0e 2c 76 35
14:06:55.071 -> [0]86 65 89 67 9f 57 00 00
14:06:55.071 -> [0]80 00 bb 02 a0 f7 00 00
14:06:55.071 -> [0]00 15 00 00 08 14 00 00
14:06:55.072 -> [0]00 00 00 00 00 00 0c 00
14:06:55.072 -> [0]00 00 00 40 08 84 40 08
14:06:55.072 -> [0]8c c0 08 8c c0 08 94 00
14:06:55.073 -> [0]06 4b 3f fd 92 ff 04 4e
14:06:55.073 -> [0]f0 00 4f 00 de 01 02 02
14:06:55.073 -> [0]00 ff ff ff 0f b4 04 04
14:06:55.074 -> [0]02 04 04 06 06 1f 00 17
14:06:55.074 -> [0]00 02 3e 00 00 00 00 08
14:06:55.075 -> [0]00 00 00 00 00 30 12 00
14:06:55.075 -> [0]3c 3c 0f
14:06:55.075 -> [0]validity: 1579f00d

14:06:55.076 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
14:06:55.077 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
14:06:55.077 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
14:06:55.078 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
14:06:55.078 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
14:06:55.079 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
14:06:55.080 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
14:06:55.081 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
14:06:55.081 -> ------------------------------------------------------------------
14:06:55.082 -> [0] ------- system restart fault -----------
14:06:55.082 -> [0] ---------------------------------------
14:06:55.084 -> [1]freemem:160720
14:06:55.084 -> [1]custom_mem_init:2000c740
14:06:55.084 -> [1]custom mem sram:61440
14:06:55.085 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
14:06:55.086 -> [4]syscfg_read OK!
14:06:55.088 -> [4]old cfg_ver:259
14:06:55.192 -> ---xrh_io_init---

14:06:55.251 -> [154]------pwr_det_keep.........1
14:06:55.286 -> [204]------pwr_det_keep.........2
14:06:55.288 -> [205]lmac rx info size:36
14:06:55.288 -> [205]GAP0 : 20033b0c
14:06:55.288 -> [206]GAP1 : 20037f04
14:06:55.288 -> [206]lmac rx buff:20033b14, size:17392, hw rx buff size:11256, ampdu:7, max subfrm:3
14:06:55.290 -> [207]lmac priv: 2001bec4
14:06:55.290 -> [207]lmac tx  : 2001c278
14:06:55.290 -> [208]lmac rx  : 2001d444
14:06:55.290 -> [208]lmac ble rx: 00000000
14:06:55.291 -> [209]pack:8, bios_id:2
14:06:55.291 -> [209]use AMPM DPD!
14:06:55.291 -> [209]verf:0x5, ibpt:0x3, ibct:0x6, iref:0x6
14:06:55.292 -> [210]verfvco_trim:0x8, verfcp_trim:0x5, verfdiv_trim:0x5
14:06:55.292 -> [211]verfdsm_trim:0x4, verfvcc25_trim:0x1
14:06:55.293 -> [211]da cap:5, da gain:1
14:06:55.317 -> [214]txdcoc from:1, i:8, q:20
14:06:55.317 -> [214]tx imb from:1, pm:192, gm:0
14:06:55.318 -> [215]rx dcoc from:1
14:06:55.318 -> [216]g:0, ana:2112, i:11, q:3
14:06:55.318 -> [216]g:1, ana:2112, i:19, q:5
14:06:55.318 -> [216]g:2, ana:2112, i:18, q:4
14:06:55.318 -> [217]g:3, ana:2240, i:15, q:7
14:06:55.318 -> [217]g:4, ana:2240, i:14, q:7
14:06:55.318 -> [218]g:5, ana:2240, i:15, q:6
14:06:55.318 -> [218]g:6, ana:2240, i:15, q:7
14:06:55.318 -> [218]g:7, ana:2368, i:0, q:6
14:06:55.318 -> [219]rx imb from:1
14:06:55.318 -> [219]g:0, 8120, 4063
14:06:55.318 -> [220]g:1, 8120, 4064
14:06:55.318 -> [220]g:2, 8118, 4064
14:06:55.318 -> [220]g:3, 8120, 4062
14:06:55.318 -> [221]g:4, 8120, 4061
14:06:55.318 -> [221]g:5, 8122, 4061
14:06:55.318 -> [221]g:6, 8122, 4061
14:06:55.318 -> [221]g:7, 8116, 4062
14:06:55.318 -> [222]time offset:0, 23
14:06:55.318 -> [222]lmac test: 2001dbec
14:06:55.318 -> [223]lmac_bgn_lo_freq_set: 2432
14:06:55.318 -> [224]set rts_threshold =2304
14:06:55.318 -> [225]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:55.318 -> [225]*** open ADC success!

14:06:55.318 -> [226]*** add success: ADC channel cnt = 1, name:257

14:06:55.318 -> [227]*** add success: ADC channel cnt = 2, name:258

14:06:55.318 -> [227]*** add success: ADC channel cnt = 3, name:262

14:06:55.318 -> [228]*** delete success: ADC channel cnt = 2

14:06:55.318 -> [231]*** add success: ADC channel cnt = 3, name:1

14:06:55.366 -> [282]ad_pwr:2910 383
14:06:55.416 -> [332]ad_pwr:2853 376
14:06:55.465 -> [382]ad_pwr:2909 383
14:06:55.515 -> [432]ad_pwr:2991 394
14:06:55.564 -> [482]ad_pwr:2914 384
14:06:55.564 -> [482]poweron_ad_pwr:2915
14:06:55.615 -> [532]ad_pwr:2895 381
14:06:55.665 -> [582]ad_pwr:2906 383
14:06:55.716 -> [632]ad_pwr:2826 372
14:06:55.765 -> [682]ad_pwr:2939 387
14:06:55.814 -> [732]ad_pwr:2795 368
14:06:55.814 -> [732]poweron_ad_pwr:2872
14:06:55.865 -> [782]ad_pwr:2908 383
14:06:55.915 -> [832]ad_pwr:2930 386
14:06:55.966 -> [882]ad_pwr:2910 383
14:06:56.016 -> [932]ad_pwr:2859 376
14:06:56.066 -> [982]ad_pwr:2935 386
14:06:56.115 -> [1032]ad_pwr:2899 382
14:06:56.166 -> [1082]ad_pwr:2987 393
14:06:56.215 -> [1132]ad_pwr:2890 381
14:06:56.265 -> [1182]ad_pwr:3051 402
14:06:56.329 -> [1232]ad_pwr:2929 386
14:06:56.366 -> [1282]ad_pwr:2908 383
14:06:56.414 -> [1332]ad_pwr:2929 386
14:06:56.414 -> [1332]lmac_bgn_lo_freq_set: 2412
14:06:56.416 -> [1334]lmac_bgn_lo_freq_set: 2412
14:06:56.428 -> [1335]set rts_threshold =1600
14:06:56.428 -> [1336]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1337]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1337]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
14:06:56.428 -> [1338]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
14:06:56.428 -> [1339]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1339]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1340]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
14:06:56.428 -> [1341]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
14:06:56.428 -> [1342]lmac_bgn_lo_freq_set: 2432
14:06:56.428 -> [1343]inteface1: start scanning ...
14:06:56.428 -> [1344]vif1 state WPA_DISCONNECTED -> WPA_SCANNING
14:06:56.428 -> [1345]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.428 -> [1346]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.528 -> [1445]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.528 -> [1445]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.638 -> [1545]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.638 -> [1545]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.728 -> [1645]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.728 -> [1645]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.828 -> [1745]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.828 -> [1745]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.927 -> [1845]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.927 -> [1845]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.028 -> [1945]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.028 -> [1945]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.128 -> [2045]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.128 -> [2045]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.228 -> [2145]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.228 -> [2145]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.327 -> [2245]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.327 -> [2245]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.427 -> [2345]lmac_bgn_lo_freq_set: 2432
14:06:57.429 -> [2346]lmac_bgn_lo_freq_set: 2412
14:06:57.430 -> [2348]inteface1: scan done!
14:06:57.457 -> [2356][0]===>REDACTED (network name)
14:06:57.457 -> [2356][1]===>REDACTED (network name)
14:06:57.457 -> [2356][2]===>REDACTED (network name)
14:06:57.457 -> [2356][3]===>]......"'O.Y.v*6.x}].,h...6BOa...0..T8.......V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S..
.4.YK........`.....W:>..^..w....[.
14:06:57.457 -> [2359][4]===>.....V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..
E.>Rd.C-!...V..`k;g..f.~NS_i|...
14:06:57.457 -> [2362][5]===>LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D...
.^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2365][6]===>i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2367][7]===>.h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2369][8]===>.......`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2370][9]===>C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2371][10]===>...j
14:06:57.457 -> u!"...

14:06:57.457 -> [2371][11]===>..PktK.:....^0%;u....}...[G. ..{?.j.^..^......cn.p..=..j..f.y3`_.u.;
14:06:57.457 -> [2372][12]===>......cn.p..=..j..f.y3`_.u.;
14:06:57.457 -> [2373][13]===>(.......B5..0JAZq.-.f.'g..;.kl....a.j.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3

14:06:57.458 -> .jm.i.v."t~....Z
14:06:57.458 -> [2376][14]===>.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.460 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.461 -> [2379][15]===>DY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.463 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.463 -> [2381][16]===>......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.465 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.465 -> [2383][17]===>.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.466 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.467 -> [2384][18]===>.!..3
14:06:57.467 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.468 -> [2385][19]===>......._F.g|.Th
14:06:57.468 -> [2386][20]===>..$.g...L.....m6.x..f.Y{.".v.3.3....P....'eAJI.*.>...X..$.,....K.F7].u.z.
14:06:57.469 -> [2387][21]===>P....'eAJI.*.>...X..$.,....K.F7].u.z.
14:06:57.470 -> [2387][22]===>W..X|.....|a.~.:.1..0.t .:>[..)#N..U...?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.471 -> [2389][23]===>.?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.472 -> [2390][24]===>d?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.473 -> [2391][25]===>...+}.|..M.ec...W&.c.`......R[@.
14:06:57.473 -> 5b..Z...9+..."b..X.j..N,...K.<r.
14:06:57.474 -> [2392][26]===>...9+..."b..X.j..N,...K.<r.
14:06:57.474 -> [2393][27]===> ......yd.m$.....d.mY..G.
14:06:57.475 -> i.O..q.@...7.....x....G.7.e~......sJ".pT.v
14:06:57.475 -> [2394][28]===>.....x....G.7.e~......sJ".pT.v
14:06:57.476 -> [2394][29]===>.^,...%.}.o.....@!W0H7.........V....Q#.lkP......to..c>.....c>_#\Oo
14:06:57.478 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.478 -> [2396][30]===>Q#.lkP......to..c>.....c>_#\Oo
14:06:57.479 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.479 -> [2397][31]===>.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.480 -> [2397]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:57.480 -> acs...
14:06:57.480 -> freq   bgrssi   ap    rx_sync   rx_err   txcnt     txtime   =>  noise factor
14:06:57.636 -> 2412    -93     0     0         10       39        152588       3912        
14:06:57.790 -> 2417    -93     0     0         4        36        149884       4163        
14:06:57.943 -> 2422    -92     4     5         4        35        150675       4305        
14:06:58.098 -> 2427    -94     3     3         3        36        151989       4221        
14:06:58.253 -> 2432    -92     2     2         5        35        152793       4365        
14:06:58.407 -> 2437    -92     4     4         6        36        150138       4170        
14:06:58.560 -> 2442    -92     3     7         9        34        150918       4438        
14:06:58.727 -> 2447    -93     5     9         15       36        163305       4536        
14:06:58.881 -> 2452    -92     2     3         8        36        151823       4217        
14:06:59.035 -> 2457    -93     0     0         14       37        150555       4069        
14:06:59.055 -> acs result: freq=2412, nf=3912
14:06:59.055 -> acs done
14:06:59.055 -> [3954]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:59.055 -> [3955]lmac_bgn_lo_freq_set: 2412
14:06:59.055 -> [40;31m[3957]ieee80211_ap_ioctl:164::set channel 1
14:06:59.055 -> [0m[3957]set ac= 0 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3958]set ac= 1 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3959]set ac= 2 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3959]set ac= 3 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3961]vif2 state WPA_DISCONNECTED -> WPA_COMPLETED
14:06:59.055 -> [3962]add w0 interface!
14:06:59.055 -> JPG start
14:06:59.055 -> [3963]csi_test start,iic init
14:06:59.055 -> [3964]iic init finish,sensor reset & set sensor clk into 6M
14:06:59.055 -> hgdvp_set_baudrate:clock:480000000
14:06:59.055 -> [3968]set sensor finish ,Auto Check sensor id
14:06:59.055 -> [3968]devSensorInitTable = 1804d148 1804d8a8
14:06:59.055 -> [3969]HI708 page0
14:06:59.055 -> [3970]SID: ff, 96, 60, 61,4
14:06:59.055 -> [3970]devSensorInitTable = 1804d348 1804d8a8
14:06:59.055 -> [3971]SID: ff, 63, 86, 87,1
14:06:59.055 -> [3972]devSensorInitTable = 1804d528 1804d8a8
14:06:59.055 -> [3973]SID: ff, de, 66, 67,1
14:06:59.056 -> [3973]devSensorInitTable = 1804b1e8 1804d8a8
14:06:59.056 -> [3974]SID: ff, 9b, 42, 43,0
14:06:59.057 -> [3974]devSensorInitTable = 1804b448 1804d8a8
14:06:59.057 -> [3975]SID: ff, a0, 42, 43,0
14:06:59.058 -> [3976]devSensorInitTable = 1804c088 1804d8a8
14:06:59.059 -> [3977]SID: ff, bb, 66, 67,f0
14:06:59.059 -> [3977]devSensorInitTable = 1804c608 1804d8a8
14:06:59.060 -> [3978]SID: ff, 10, 42, 43,f1
14:06:59.060 -> [3978]devSensorInitTable = 1804b7c8 1804d8a8
14:06:59.062 -> [3979]SID: ff, 9d, 42, 43,f0
14:06:59.062 -> [3980]devSensorInitTable = 1804c308 1804d8a8
14:06:59.063 -> result = 0
14:06:59.063 -> [3981]preset table num:2
14:06:59.064 -> [3981]SID: ff, c0, 62, 63,0
14:06:59.064 -> [3982]devSensorInitTable = 1804af28 1804d8a8
14:06:59.065 -> [3983]SID: 20, 3a, dc, dd,fc
14:06:59.066 -> [3983]devSensorInitTable = 1804ad68 1804d8a8
14:06:59.067 -> [3984]SID: a6, 3, dc, dd,fd
14:06:59.067 -> [3984]devSensorInitTable = 1804cfa8 1804d8a8
14:06:59.068 -> [3985]SID: a6, a6, dc, dd,fd
14:06:59.068 -> [3986]id =a6 num:11 sensor_id = 20a6
14:06:59.069 -> [3986]Auto Check sensor id finish
14:06:59.069 -> [3987]mclk:24000000MHz
14:06:59.069 -> hgdvp_set_baudrate:clock:480000000
14:06:59.070 -> [3987]init:1804cda0 u8Addrbytnum:1,u8Databytnum:1
14:06:59.072 -> [3988]SENSER....init
14:06:59.123 -> [4040]init table num:396
14:06:59.123 -> [4040]SENSR ident ok:480*480
14:06:59.123 -> [4040]csi init start  --
14:06:59.123 -> [4041]csi set size ====>480*480
14:06:59.124 -> [4041]csi dvp_size_set
14:06:59.124 -> [4042]csi IRQ init
14:06:59.124 -> [4042]dvpirq_register:1 180177b0  180177b0
14:06:59.125 -> [4042]dvpirq_register:0 1801779c  1801779c
14:06:59.125 -> [4043]vppirq_register:0 18017504  18017504
14:06:59.126 -> [4043]vppirq_register:1 18017948  18017948
14:06:59.126 -> [4044]vppirq_register:2 18017500  18017500
14:06:59.127 -> [4044]vppirq_register:3 1801776c  1801776c
14:06:59.128 -> [4045]vppirq_register:4 18017780  18017780
14:06:59.128 -> [4046]vppirq_register:5 180174f0  180174f0
14:06:59.128 -> [4046]vppirq_register:6 180174e0  180174e0
14:06:59.129 -> [4047]vppirq_register:7 180174d0  180174d0
14:06:59.130 -> [4047]csi IRQ init finish,start get data
14:06:59.131 -> eloop_init:287::start
14:06:59.131 -> user_eloop_run:309::run
14:06:59.134 -> [4051]dns sock :2
14:06:59.134 -> [test] init tcp server: port: 5007
14:06:59.134 -> ---tcp srvsock = 3---
14:06:59.135 -> [4052]ota num:0version:25841
14:06:59.135 -> [4053]OEM AP Default!
14:06:59.136 -> [4053]OEM NET Default!
14:06:59.136 -> [4053]OEM Firmware Default!
14:06:59.136 -> [4054]Camera TX Lib:Dec  1 2023 17:57:29
14:06:59.137 -> [4054]DVP No need Bank Size
14:06:59.137 -> [4055]client multi init
14:06:59.137 -> [4055]csock:4
14:06:59.139 -> [4055]psock:5
14:06:59.139 -> [4056]protoCtx OK!
14:06:59.139 -> [4056]eventCtx OK!
14:06:59.139 -> [4057]videoCtx OK!
14:06:59.139 -> [4057]i4 OK
14:06:59.140 -> g_sensor_init start,iic init:200014bc
14:06:59.140 -> init g_sensor,check id
14:06:59.140 -> addr:1 1 30 32
14:06:59.141 -> SID: ff, 11, 30, 32,f
14:06:59.141 -> addr:1 1 30 32
14:06:59.141 -> SID: ff, 11, 30, 32,f
14:06:59.142 -> addr:1 1 4e 50
14:06:59.142 -> SID: 13, 13, 4e, 50,1
14:06:59.142 -> id =13 num:2 
14:06:59.143 -> [4060]*** ADC module info: ADC channel repeat!!!

14:06:59.145 -> [4062]notify local[0/0]!
14:06:59.145 -> [4062]----WIFI_RUN_STATUS111----1
14:06:59.158 -> init table num:20
14:06:59.158 -> [4075][SYS]Capacity GSENSOR
14:06:59.158 -> [4075][SYS]Capacity:0x2
14:06:59.158 -> [4076][SYS]Capacity:0x3
14:06:59.159 -> version_str = HKV41   5
14:06:59.159 -> ----version_str = HKV41B   32
14:06:59.159 -> product_str = BK7231U-XRH-FBPRO
14:06:59.159 -> [4077][TX]Set Vendor: YPC
14:06:59.160 -> [4077][TX]Set Product: BK7231U-XRH-FBPRO
14:06:59.161 -> [4078][TX]Set Version: HKV41B
14:06:59.161 -> [4078]no this event(20005)...
14:06:59.161 -> [4079]scan down.......
14:06:59.289 -> [4206]inteface2 find new bss: b8:f8:53:5c:53:bb-Fios-CGrF5
14:06:59.644 -> [4561]0min:2906 65535 100 100 383
14:07:00.147 -> [5064]notify local[0/0]!
14:07:00.160 -> [5078]custom mem sram:61440
14:07:00.160 -> [5078]freemem:43736
14:07:00.315 -> --------------------
14:07:00.315 -> local:88:17:89:0d:0e:b0
14:07:00.315 ->     bios:2, pack:8 
14:07:00.315 ->     pwr idx: 1
14:07:00.315 ->     chip-temperature: 34
14:07:00.315 ->     freq:2412, bg_rssi:-87
14:07:00.316 ->     cca: -70, -60, -62
14:07:00.316 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:00.317 ->         tx dma:381, total tx:381, retry:0, tx lost:0, tx err:0
14:07:00.318 ->     rx: frms:82, data:0
    throughput: tx: 14.40 Kbps, rx: 0 bps
14:07:00.318 ->     max gain:7
14:07:00.318 -> --------------------
14:07:01.150 -> [6067]notify local[0/0]!
14:07:01.160 -> [6078]custom mem sram:61440
14:07:01.160 -> [6078]freemem:43736
14:07:02.151 -> [7067]notify local[0/0]!
14:07:02.159 -> [7078]custom mem sram:61440
14:07:02.159 -> [7078]freemem:43832
14:07:03.150 -> [8067]notify local[0/0]!
14:07:03.161 -> [8078]custom mem sram:61440
14:07:03.161 -> [8078]freemem:44024
14:07:04.150 -> [9067]notify local[0/0]!
14:07:04.172 -> [9078]custom mem sram:61440
14:07:04.172 -> [9078]freemem:44024
14:07:05.155 -> [10067]notify local[0/0]!
14:07:05.160 -> [10078]ip:101a8c0  freemem:44024
14:07:05.161 -> [10078]custom mem sram:61440
14:07:05.163 -> [10078]freemem:44024
14:07:05.315 -> --------------------
14:07:05.315 -> local:88:17:89:0d:0e:b0
14:07:05.315 ->     bios:2, pack:8 
14:07:05.315 ->     pwr idx: 1
14:07:05.315 ->     chip-temperature: 38
14:07:05.315 ->     freq:2412, bg_rssi:-88
14:07:05.315 ->     cca: -70, -60, -62
14:07:05.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:05.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
14:07:05.317 ->     rx: frms:42, data:0
14:07:05.317 ->     throughput: tx: 0 bps, rx: 0 bps
    max gain:7
14:07:05.317 -> --------------------
14:07:06.151 -> [11067]notify local[0/0]!
14:07:06.161 -> [11079]custom mem sram:61440
14:07:06.161 -> [11079]freemem:44024
14:07:07.150 -> [12067]notify local[0/0]!
14:07:07.162 -> [12079]custom mem sram:61440
14:07:07.162 -> [12079]freemem:44024
14:07:08.150 -> [13067]notify local[0/0]!
14:07:08.162 -> [13079]custom mem sram:61440
14:07:08.162 -> [13079]freemem:44024
14:07:09.150 -> [14067]notify local[0/0]!
14:07:09.162 -> [14079]custom mem sram:61440
14:07:09.162 -> [14079]freemem:44024
14:07:10.150 -> [15067]notify local[0/0]!
14:07:10.162 -> [15079]custom mem sram:61440
14:07:10.162 -> [15079]freemem:44024
14:07:10.315 -> --------------------
14:07:10.315 -> local:88:17:89:0d:0e:b0
14:07:10.315 ->     bios:2, pack:8 
14:07:10.315 ->     pwr idx: 1
14:07:10.315 ->     chip-temperature: 40
14:07:10.315 ->     freq:2412, bg_rssi:-88
14:07:10.315 ->     cca: -70, -60, -62
14:07:10.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:10.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
14:07:10.317 ->     rx: frms:42, data:0
14:07:10.317 ->     throughput: tx: 0 bps, rx: 0 bps
    max gain:7
14:07:10.317 -> --------------------
14:07:11.150 -> [16067]notify local[0/0]!
14:07:11.162 -> [16079]ip:101a8c0  freemem:44024
14:07:11.162 -> [16079]custom mem sram:61440
14:07:11.164 -> [16079]freemem:44024
14:07:12.152 -> [17068]notify local[0/0]!
14:07:12.162 -> [17080]custom mem sram:61440
14:07:12.162 -> [17080]freemem:44024
14:07:12.663 -> [17577]inteface2 find new bss: 78:67:0e:32:a0:08-Verizon_4Z9PNJ
14:07:13.153 -> [18069]notify local[0/0]!
14:07:13.162 -> [18080]custom mem sram:61440
14:07:13.162 -> [18080]freemem:43928

Pressing the button alone while powered off:
14:06:00.437 -> [0]40 00 97 00 a8 43 12 a0
14:06:00.437 -> [0]28 e0 00 00 00 00 00 00
14:06:00.438 -> [0]00 00 00 00 00 00 00 00
14:06:00.438 -> [0]88 17 89 0d 0e 2c 76 35
14:06:00.439 -> [0]86 65 89 67 9f 57 00 00
14:06:00.439 -> [0]80 00 bb 02 a0 f7 00 00
14:06:00.439 -> [0]00 15 00 00 08 14 00 00
14:06:00.440 -> [0]00 00 00 00 00 00 0c 00
14:06:00.440 -> [0]00 00 00 40 08 84 40 08
14:06:00.440 -> [0]8c c0 08 8c c0 08 94 00
14:06:00.441 -> [0]06 4b 3f fd 92 ff 04 4e
14:06:00.441 -> [0]f0 00 4f 00 de 01 02 02
14:06:00.442 -> [0]00 ff ff ff 0f b4 04 04
14:06:00.442 -> [0]02 04 04 06 06 1f 00 17
14:06:00.442 -> [0]00 02 3e 00 00 00 00 08
14:06:00.443 -> [0]00 00 00 00 00 30 12 00
14:06:00.443 -> [0]3c 3c 0f
14:06:00.443 -> [0]validity: 1579f00d

14:06:00.449 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
14:06:00.449 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
14:06:00.449 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
14:06:00.449 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
14:06:00.449 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
14:06:00.449 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
14:06:00.449 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
14:06:00.449 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
14:06:00.449 -> ------------------------------------------------------------------
14:06:00.450 -> [0] ------- system restart fault -----------
14:06:00.450 -> [0] ---------------------------------------
14:06:00.452 -> [1]freemem:160720
14:06:00.452 -> [1]custom_mem_init:2000c740
14:06:00.452 -> [1]custom mem sram:61440
14:06:00.452 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
14:06:00.454 -> [4]syscfg_read OK!
14:06:00.455 -> [4]old cfg_ver:259

Doing random things in the app:
14:08:18.401 -> [83308]Charge Status:0
14:08:51.852 -> LED:1 Control:1 1 100
14:08:51.852 -> Set LED:1 ON
14:08:51.852 -> [116763]Charge Status:0
14:08:51.886 -> LED:1 Control:1 1 100
14:08:51.886 -> Set LED:1 ON
14:08:51.886 -> [116790]Charge Status:0
14:09:00.151 -> LED:1 Control:0 0 0
14:09:00.151 -> LED:1  ON:1
14:09:00.179 -> LED:1 Control:1 0 0
14:09:00.179 -> Set LED:1 OFF
14:09:00.179 -> [125084]Charge Status:0
14:09:01.368 -> LED:1 Control:0 0 0
14:09:01.368 -> LED:1  ON:0
14:09:01.395 -> LED:1 Control:1 1 100
14:09:01.395 -> Set LED:1 ON
14:09:01.395 -> [126300]Charge Status:0

Connecting to WiFi (I believe the app may have been open in the background):
14:08:14.173 -> [79090]custom mem sram:61440
14:08:14.173 -> [79090]freemem:44024
14:08:14.192 -> [79108]notify local[0/0]!
14:08:14.608 -> [79524]lmac_bgn_add_sta: if:1, aid1, addr:6a:88:53:52:cf:f7
14:08:14.608 -> [79525]rc_init: type= 1 mcs_mask= 0x3cc
14:08:14.609 -> [79525]inteface2: sta 6a:88:53:52:cf:f7 connected
14:08:14.609 -> [79526]user_sta_add:6a 88 53 52 cf f7
14:08:14.739 -> [79655]send DHCP_OFFER ...
14:08:14.739 -> [79657]Next IP: 192.168.1.11
14:08:14.740 -> [79657]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:15.173 -> [80090]custom mem sram:61440
14:08:15.173 -> [80090]freemem:43488
14:08:15.196 -> [80112]notify local[1/0]!
14:08:15.319 -> --------------------
14:08:15.319 -> local:88:17:89:0d:0e:b0
14:08:15.319 ->     bios:2, pack:8 
14:08:15.319 ->     pwr idx: 1
14:08:15.319 ->     chip-temperature: 48
14:08:15.319 ->     freq:2412, bg_rssi:-87
14:08:15.319 ->     cca: -59, -49, -51
14:08:15.319 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:08:15.319 ->         tx dma:12, total tx:12, retry:0, tx lost:0, tx err:0
14:08:15.319 ->     rx: frms:107, data:96
14:08:15.319 ->     throughput: tx: 2.95 Kbps, rx: 5.23 Kbps
14:08:15.319 ->     max gain:7
14:08:15.319 -> sta:6a:88:53:52:cf:f7, aid:1, rssi:-34, evm:-25, tx frm type:*0, tx mcs:*2, freq offset:20864
14:08:15.320 ->     ifidx:1, MAC:88:17:89:0d:0e:b0

14:08:15.322 -> --------------------
14:08:15.825 -> [80741]send DHCP_ACK ...
14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:15.828 -> [40;32m[80744]EVENT 10007 IGNORED
14:08:15.828 -> [0m[80745]IP Pool:
14:08:15.829 -> [80746]    ip:192.168.1.10 - 6a:88:53:52:cf:f7
14:08:16.173 -> [81090]custom mem sram:61440
14:08:16.173 -> [81090]freemem:43488
14:08:16.212 -> [81128]notify local[1/0]!
14:08:17.173 -> [82090]ip:101a8c0  freemem:43488
14:08:17.174 -> [82090]custom mem sram:61440
14:08:17.174 -> [82091]freemem:43488
14:08:17.212 -> [82128]notify local[1/0]!
14:08:18.174 -> [83091]custom mem sram:61440
14:08:18.174 -> [83091]freemem:43488
14:08:18.234 -> [83145]notify local[1/0]!
14:08:18.330 -> [83220]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83222]IP add:a01a8c0
14:08:18.330 -> [83222]*******************************************
14:08:18.330 -> [83223]mac:88:17:89:0d:0e:b0
14:08:18.330 -> [83223]->a01a8c0 fist connect
14:08:18.330 -> [83224ip:a01a8c0 0
14:08:18.330 -> [83227]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83228]*******************************************
14:08:18.330 -> [83229]mac:88:17:89:0d:0e:b0
14:08:18.330 -> [83229]->a01a8c0 first connect
14:08:18.330 -> [83230]ip:a01a8c0 0
14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> read license = 
14:08:18.330 -> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 

14:08:18.334 -> [83250]OK=>SN:!
14:08:18.346 -> [83263]New client active:0 0
14:08:18.346 -> hgdvp_close...............................................................
14:08:18.378 -> [83294]pic port:54589
14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
14:08:18.401 -> [83307]Led control:1-1-1-100
14:08:18.401 -> LED:1 Control:1 1 100
14:08:18.401 -> Set LED:1 ON
14:08:18.401 -> [83308]Charge Status:0


Firmware Extraction
To extract the firmware (apologies, I'm recalling this from memory so it may not be perfect) I used an STM32 Blue Pill board and followed this guide to get the flash programmer set up.
Once your STM32 is flashed, connect A1 to PA10 (labeled CLK), A5 to PA9 (labeled TMS), and G to GND. Additionally, if you want to read UART output from the device, connect your UART reader's GND to GND and its RX pin to DP (the MCU's TX pin).
Then follow the instructions here on how to dump or flash the firmware in general (although I have not attempted anything besides reading).

Whenever you interface with the chip, you need to hold the button on the board and then hit read (or otherwise connect the CKLink to the target). You may need to do this quickly after pressing the button, and it can be somewhat finicky; I'd recommend just experimenting to see what works.

Note: When I attempted to read the flash, I was never able to do it in one full go; instead I had to read 0x0-0x50000 and then 0x10000 increments up to 0x100000, which is the size of the MCU's flash (1 MB), and then merge these files back together into one. I was unsure why, but assumed it was due to the STM32 being used as the CKLink, so I would have recommended an official or clone device. Thank you divadiow for letting me know that this was actually due to reading at too fast an ICE clock speed: I believe I had been dumping at 12000KHz, and lowering this to 1200KHz as mentioned in the article solves it for me.
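Merging the chunked reads is where a bad dump slips through unnoticed, so here is an added helper (my own example, not part of the original post or any vendor tool) that reassembles (offset, bytes) chunks following the post's read plan, refuses conflicting overlaps, reports gaps, flags chunks that came back as all 0xFF or all 0x00 (what an unreliable ICE clock tends to produce), and looks for the SDK banner and product strings seen on the UART as a plausibility check. The marker strings and the constructed sample flash in `demo()` are assumptions for illustration.

```python
"""Reassemble a flash image from chunked CKLink reads and sanity-check it."""
import re
from typing import Iterable

FLASH_SIZE = 0x100000   # 1 MB, the flash size given in the post
ERASED = 0xFF           # value of unprogrammed NOR flash
# Strings visible on the UART at boot; a good dump should contain them (assumed markers).
MARKERS = (b"hgSDK-v", b"BK7231U-XRH-FBPRO", b"HKV41")


def chunk_plan(first_end: int = 0x50000, step: int = 0x10000,
               flash_size: int = FLASH_SIZE) -> list[tuple[int, int]]:
    """The read plan from the post: 0x0-0x50000, then 0x10000 steps to the end of flash."""
    ranges = [(0, first_end)]
    start = first_end
    while start < flash_size:
        ranges.append((start, min(start + step, flash_size)))
        start += step
    return ranges


def suspicious(data: bytes) -> bool:
    """A chunk that is entirely 0xFF or 0x00 usually means the read failed
    (e.g. ICE clock too high), not that the region is empty; re-read it."""
    return len(data) > 0 and (data.count(ERASED) == len(data) or data.count(0) == len(data))


def merge_chunks(chunks: Iterable[tuple[int, bytes]],
                 flash_size: int = FLASH_SIZE) -> tuple[bytes, dict]:
    """Merge (offset, data) chunks into one flash_size image.

    Overlapping chunks must agree byte for byte. Uncovered regions are filled
    with ERASED and listed in the report so nobody mistakes the image for complete.
    """
    image = bytearray([ERASED]) * flash_size
    covered = bytearray(flash_size)          # 1 where some chunk supplied the byte
    report = {"gaps": [], "suspicious": []}
    for start, data in sorted(chunks, key=lambda c: c[0]):
        end = start + len(data)
        if start < 0 or end > flash_size:
            raise ValueError(f"chunk 0x{start:x}-0x{end:x} lies outside the flash")
        overlap = covered[start:end]
        if any(overlap):
            # Two reads of the same bytes must match, otherwise one of them is corrupt.
            for i, seen in enumerate(overlap):
                if seen and image[start + i] != data[i]:
                    raise ValueError(f"conflicting data at 0x{start + i:x}")
        if suspicious(data):
            report["suspicious"].append((start, end))
        image[start:end] = data
        covered[start:end] = b"\x01" * len(data)
    # Runs of zero in the coverage map are regions no chunk ever supplied.
    for m in re.finditer(rb"\x00+", bytes(covered)):
        report["gaps"].append((m.start(), m.end()))
    return bytes(image), report


def find_markers(image: bytes, markers: tuple[bytes, ...] = MARKERS) -> dict[bytes, list[int]]:
    """Offsets of each known string; an empty list for the SDK banner is a red flag."""
    return {mk: [m.start() for m in re.finditer(re.escape(mk), image)] for mk in markers}


def demo() -> dict:
    """Constructed input: a fake flash sliced per the post's read plan, with one chunk
    never dumped (0x60000) and one that came back as all 0xFF (0x90000)."""
    fake = bytearray(range(256)) * (FLASH_SIZE // 256)
    fake[0x1000:0x1000 + 14] = b"hgSDK-v2.5.0.7"
    fake[0x80000:0x80000 + 17] = b"BK7231U-XRH-FBPRO"
    chunks = []
    for start, end in chunk_plan():
        if start == 0x60000:
            continue                                   # simulate a missing file
        data = bytes(fake[start:end])
        if start == 0x90000:
            data = bytes([ERASED]) * (end - start)     # simulate a failed read
        chunks.append((start, data))
    image, report = merge_chunks(chunks)
    report["markers"] = find_markers(image)
    report["size"] = len(image)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On real dumps, replace `demo()`'s constructed chunks with the file contents read from disk at the offsets you used, and re-read anything listed under `gaps` or `suspicious` before analysing the image.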

It also appears there's some type of licensing? I'm not sure what exactly it is but I've seen it while reversing the mobile app as well.

I've gotten this far but I'm not really sure where to go from here. I would like to be able to disassemble the firmware in something like Ghidra or IDA, but as the C-Sky V2 CPU ABI is not implemented in just about anything I'd have to implement it myself, which I don't really want to do... I've attached the csky-elfabiv2-tools-x86_64-minilibc-20210423 (but I'm not sure it's actually the right one for this chip), as well as the objdump output from running it on the full firmware file.

I'll mention that, as you might be able to tell, this is my first post, so if you have any tips for better posting please let me know! 😄
AI: Could you clarify what your main goal is with the firmware analysis—are you looking to unlock features, patch the firmware, do security research, or just understand how the device works?
The mobile interface seems to have an upload firmware option for ota updates. Ideally, we'd be able to leverage that to put a custom firmware on it. I'm also interested in analyzing the firmware to find any possible vulnerabilities or issues with it. That being said, I also just like opening things and looking at them.
AI: Are you open to using alternative tools besides Ghidra or IDA for C-Sky V2 disassembly, like radare2, Binary Ninja, or any C-Sky-specific toolchains, or are you set on using Ghidra/IDA only?
Ghidra and IDA would be my ideals, but if I could get anything to properly get an analysis of it that's actually aware of where things are (ex. memory locations like strings) I could work with that.
Attachments:
  • pcb_front.jpg (4.1 MB)
  • pcb_back.jpg (3.89 MB)
  • csky-elfabiv2-tools-x86_64-minilibc-20210423.tar.gz (76.72 MB)
  • C-SKY+ABIV2+Standards+Manual.pdf (658.61 KB)
  • Taixen TXW816 zh-cn.pdf (2.99 MB)
  • Taixen TXW816 en-US.pdf (1.7 MB)


Comments

divadiow 07 Jul 2025 23:25

hey. nice to see another Taixin MCU that isn't in a cam. regarding the flash read lengths, this does feel vaguely familiar, but I don't recall what I did, if anything, to make it no longer the case....

gulson 08 Jul 2025 11:31

All in all, an interesting use of the otoscope, to preview the electronics! Thanks ;) . Email me your shipping address and I'll send a small gift.

eastarctica 09 Jul 2025 01:39

Wrote up a response yesterday but my tab seems to have been slept and deleted so this is generally being rewritten again as well. Haha well it may not be one of those mini cams but it's still a camera...

divadiow 09 Jul 2025 08:50

that isn't In an A9 cam type of device* :D yeh, I've not found much about the HI708 either. A few mentions in github code and I see it's in the XF16 list along with HI704 https://www.elektroda.com/rtvforum/viewtopic.php?p=21549325#21549325 ...

divadiow 20 Jul 2025 20:18

oh cool. didn't notice this. my one has arrived and I'm just photographing and capturing bits before posting about my findings Added after 1 [minutes]: also, would you be willing to share your...

divadiow 20 Jul 2025 23:37

interesting strings {"factory":true,"soc":"TX816","ssid_head":"iTiMO-","ssid":"","key":"","wifi_channel":11,"brand":"iTiMO","model":"iTiMO-0877","hardware":"1.0.0","firmware":"1.0.0","fw_date":"Mar...

p.kaczmarek2 21 Jul 2025 01:20

FWUPG update?

divadiow 21 Jul 2025 08:07

very interesting https://obrazki.elektroda.pl/2355074600_1753076969_bigthumb.jpg Added after 10 [minutes]: https://obrazki.elektroda.pl/4128283100_1753077594_bigthumb.jpg Added after...

eastarctica 22 Jul 2025 18:38

Nice job getting everything dumped and working! I apologize I had thought I added the firmware to my initial post but it's attached here. Diffing them they're slightly different. Notably, yours appears...

divadiow 23 Jul 2025 08:45

cool. thanks. Out of interest I flashed your backup and it does boot. fails at the cam sensor point though. [0]40 00 17 00 57 0a 12 a0 [0]28 6e 00 00 00 00 00 00 [0]00 00 00 00 00 00 00 00 [0]85...

divadiow 30 Aug 2025 09:35

@eastarctica you may find this interesting - development of rtsp cam support for TXW81x. Not tried on my TXW816 Otoscope https://www.elektroda.com/rtvforum/viewtopic.php?p=21638429#21638429

divadiow 02 Sep 2025 22:42

OpenTXW81X_txwtest_6e2915e3d439.bin [0]40 00 17 00 57 0a 12 a0 [0]28 6e 00 00 00 00 00 00 [0]00 00 00 00 00 00 00 00 [0]85 05 92 04 50 3b 55 47 [0]a5 e5 89 66 71 67 00 00 [0]80 00 cd 02 a0 f2 00...

divadiow 03 Nov 2025 17:29

txw816-810-ear-pick-video-sw-key-v1-1-20230926.pdf https://obrazki.elektroda.pl/7995016600_1762187968_bigthumb.jpg https://obrazki.elektroda.pl/5602846000_1762187960_bigthumb.jpg

divadiow 03 Nov 2025 18:18

manual edit translation to English

FAQ

TL;DR: For hardware hackers and firmware analysts, these 1 MB TXW816-810 otoscopes are crackable: “Lower ICE Clk” fixed failed reads, and 21-pin camera modules plus exposed UART/JTAG-style pads make dumping, logging, and cross-device comparison practical. [#21611793]

Why it matters: This FAQ turns a long reverse-engineering thread into a fast, citation-ready guide for dumping firmware, identifying pads, tracing Wi-Fi behavior, and assessing custom firmware risks on Taixen TXW816-810 otoscopes.

Option | What the thread shows | Practical result
Stock Dec 2024 firmware | hgSDK v2.5.0.7-25841, 480×480 sensor init | Boots on one device and exposes UART, Wi-Fi AP, and port 5007 services
Stock Mar 2025 firmware | hgSDK v2.5.1.7-31060, 640×480 sensor init | Adds MoLink/iTiMO branding, BLE references, and different hardware expectations
OpenTXW81X test build | hgSDK v2.5.3.7-36533, RTSP work in progress | AP and audio can start, but video still fails on this otoscope sensor

Key insight: The MCU family is accessible, but the camera and motion hardware are not interchangeable. Firmware can boot across units, yet sensor and gsensor mismatches stop full camera bring-up or orientation support. [#21614421]

Quick Facts

  • The main PCB exposed pads included 3.3 V, 5 V, GND, CE, DP, CLK, TMS, and PA8; DP mapped to UART TX, while RX was not exposed. [#21600275]
  • The otoscope used a 2.7 V, 170 mAh battery and broadcast a Wi-Fi AP at 192.168.1.1, with DHCP leases starting at 192.168.1.10. [#21600275]
  • The camera flex was labeled SP1508B30-B and had 21 pins, numbered 1 through 21. [#21601301]
  • Two dumped stock firmware branches differed materially: one logged hgSDK-v2.5.0.7-25841 built Dec 5 2024, while another logged hgSDK-v2.5.1.7-31060 built Mar 26 2025. [#21613891]
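The two stock dumps differ in build tag and sensor setup, and one commenter noted that diffing them showed only slight differences. As an added example (mine, not from the thread), the Python script below locates the hgSDK build tags in two images, lists printable strings present in only one of them, and reports which 4 KiB blocks differ, so that a comparison can be stated as "these regions and these strings" rather than a raw hexdump diff. The two dumps it runs on are constructed stand-ins carrying the thread's version strings and a JSON fragment like the one quoted in the comments, not real firmware; the 4 KiB block size is an arbitrary choice.

```python
import re

VERSION_RE = re.compile(rb"hgSDK-v\d+\.\d+\.\d+\.\d+-\d+")  # build tags as logged at boot


def build_sample(inserts, size=0x20000):
    """Constructed stand-in for a dump: non-printable filler with a few strings placed in it."""
    img = bytearray(0x80 | ((i * 7 + 3) & 0x7f) for i in range(size))  # every filler byte >= 0x80
    for offset, text in inserts.items():
        img[offset:offset + len(text)] = text
    return bytes(img)


# Constructed samples only: the version tags are the ones the thread's logs printed,
# the JSON fragment mirrors the "factory" blob quoted in the comments.
DUMP_A = build_sample({0x1000: b"hgSDK-v2.5.0.7-25841\x00"})
DUMP_B = build_sample({0x1000: b"hgSDK-v2.5.1.7-31060\x00",
                       0x8000: b'{"brand":"iTiMO","soc":"TX816"}\x00'})


def find_strings(image, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def find_versions(image):
    """Distinct hgSDK build tags found anywhere in the image."""
    return sorted({m.group().decode("ascii") for m in VERSION_RE.finditer(image)})


def differing_ranges(a, b, block=0x1000):
    """Compare block by block and coalesce neighbouring differences into (start, end) ranges."""
    ranges = []
    for off in range(0, max(len(a), len(b)), block):
        if a[off:off + block] != b[off:off + block]:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], off + block)
            else:
                ranges.append((off, off + block))
    return ranges


def diff_report(a, b, block=0x1000):
    """Summary a reviewer can read: sizes, build tags, changed regions, strings unique to each side."""
    sa, sb = set(find_strings(a)), set(find_strings(b))
    return {
        "size_a": len(a), "size_b": len(b),
        "versions_a": find_versions(a), "versions_b": find_versions(b),
        "differing_ranges": differing_ranges(a, b, block),
        "strings_only_in_a": sorted(sa - sb),
        "strings_only_in_b": sorted(sb - sa),
    }


if __name__ == "__main__":
    report = diff_report(DUMP_A, DUMP_B)
    for key, value in report.items():
        if key == "differing_ranges":
            value = [f"{s:#x}-{e:#x}" for s, e in value]
        print(f"{key}: {value}")
```

On real 1 MB dumps (read them with `open(path, "rb").read()` and pass them in place of DUMP_A and DUMP_B) the differing-range list is the useful part: a handful of small ranges points at a config or calibration blob, while a difference spanning most of the image means the two builds are simply different firmware and string-level comparison is the better starting point.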

How do you dump the firmware from a Taixen TXW816-810 otoscope using an STM32 Blue Pill and CKLink wiring on PA10/TCK and PA9/TMS?

You can dump it by wiring the Blue Pill as a CKLink bridge and catching the chip during power-on.
  1. Flash the STM32 Blue Pill with the CKLink-compatible programmer setup from the linked guide.
  2. Wire STM32 A1 to PA10/CLK/TCK, A5 to PA9/TMS, and GND to GND; add UART RX to DP if you want logs.
  3. Hold the otoscope button, start the read, and connect quickly; one successful setup read the full 1 MB after lowering ICE speed. [#21600275]

Why did the TXW816-810 flash read fail in large chunks until the ICE clock was lowered from 12000 KHz to 1200 KHz?

The read failed because the debug clock was too fast for stable transfers on this target. At 12000 KHz, one dump only worked in partial regions such as 0x0-0x50000 plus 0x10000 steps, but at 1200 KHz the same setup read correctly. One poster summed up the fix as “Lower ICE Clk,” and the original author confirmed that slowing the clock solved the issue. [#21611793]

What is CKLink, and how is it used to read or debug Taixen TXW816-810 devices?

“CKLink” is a hardware debug interface that connects to C-SKY/XuanTie MCUs, exposes low-level read, flash, and GDB control, and commonly uses TCK/TMS-style wiring rather than simple UART. On this otoscope, it was wired to PA10 and PA9 and identified the CPU as a XuanTie CK803SG. The posted detection log also showed remote GDB targets on port 1025, confirming live debug access, not just flash reading. [#21611793]

What does ICE clock mean when dumping firmware from a C-SKY or XuanTie MCU, and why does the speed matter?

“ICE clock” is the debug transport clock that times communication between the programmer and the target MCU, and its stability depends on wiring quality, target state, and adapter capability. Speed matters because an over-fast clock causes failed or partial reads. In this thread, 12000 KHz caused broken chunked dumps, while 1200 KHz produced stable full reads on the 1 MB TXW816-810. [#21600275]

Which PCB pads on the TXW816-810 otoscope are useful for UART, power, and debug access, and what are their functions?

The useful pads are 3.3 V, 5 V, shared GND, CE, DP, CLK, TMS, and PA8. The thread mapped DP to PC6 and confirmed it carries UART TX, while RX is not exposed. CLK is PA10 and TMS is PA9 for CKLink-style debug. CE is CHIP_EN, PA8 may be USB_DET, 3.3 V comes from the MCU side, and 5 V comes from USB input. [#21600275]

Why does the UART log on these otoscopes show sensor-detection strings like HI708, 20a6, and gsensor errors during boot?

The boot log prints those strings because the firmware probes several candidate camera and motion sensors before selecting one. One unit logged HI708 page0, then later detected id =a6 and sensor_id = 20a6, while another firmware branch selected id =20 num:10 and initialized 640×480. A cross-flashed unit then failed with Er: unkown!gsensor error, showing that sensor tables and expected hardware differ between otoscopes. [#21614421]

What camera sensor is likely used in these Taixen TXW816-810 otoscopes, and what clues in the boot logs point to HI708 or another sensor?

HI708 is one candidate, but the thread does not prove a single universal sensor across all TXW816 otoscopes. One boot log explicitly printed HI708 page0, which led another poster to suggest the camera “maybe means the cam is a Hynix HI708.” However, later logs detected sensor_id = 20a6 or id =20, and one cross-flash failed at camera init. That points to multiple compatible sensor tables, not one guaranteed module. [#21600289]

How many pins does the otoscope camera ribbon have, and what does the SP1508B30-B marking tell us about the module?

The camera ribbon has 21 pins, and the flex was marked SP1508B30-B. The thread only supports one solid conclusion from that marking: it identifies the specific flex or module variant used in that unit. It does not, by itself, prove the CMOS sensor model. The author also confirmed the flex labels pins 1 through 21 and can slide from the metal housing without damage. [#21601301]

What is C-SKY ABIV2, and why is it a problem for disassembling TXW816-810 firmware in Ghidra or IDA?

“C-SKY ABIV2” is an instruction-set ABI for C-SKY/XuanTie processors that defines calling conventions, register use, and binary interface details, and tools need explicit support to disassemble it correctly. It is a problem here because the author wanted Ghidra or IDA analysis with strings and memory references, but stated that C-SKY V2 was “not implemented in just about anything,” making normal reverse engineering awkward. [#21600275]

Ghidra vs IDA vs radare2 or Binary Ninja: which tool is most practical for analyzing TXW816-810 C-SKY V2 firmware dumps?

Alternative toolchains look more practical than stock Ghidra or IDA for this firmware. The author preferred Ghidra or IDA but said any tool that understands locations, strings, and memory references would help. The blocker was missing C-SKY ABIV2 support, not a lack of raw firmware bytes. In this thread, no one showed a working Ghidra or IDA setup, so the most practical path is the attached C-SKY toolchain plus objdump-style analysis until a better loader exists. [#21600275]

How does the device bring up its Wi-Fi AP, assign DHCP addresses like 192.168.1.10, and start the camera control services on port 5007?

It boots into AP mode, selects a channel, starts DHCP, and then opens its camera control socket. One full log showed channel selection settling on 2412 MHz, the AP interface moving to WPA_COMPLETED, and a TCP server starting on port 5007. When a phone joined, DHCP offered 192.168.1.10 and reserved 192.168.1.11 as the next lease, while the otoscope itself stayed at 192.168.1.1. [#21600275]

What does the AT+FWUPG command do on TXW816-810 otoscope firmware, and how might it relate to hidden update functionality?

The thread shows that AT+FWUPG exists in firmware strings, so the platform likely includes a firmware-upgrade command path. It does not prove a complete working OTA pipeline on these otoscopes. A later test tried uploaded binaries and found no obvious OTA partition or confirmed upgrade file format. That makes AT+FWUPG a strong clue for hidden update support, but not proof of a user-accessible updater. [#21612232]

Where in the Android app or native libraries can you look for firmware update support, and what do exports like cameraWifiupdateFirmware and cameraWifiupdatemcuFirmware suggest?

Look inside the Android APK’s native libraries, especially libWifiCamera.so under com.i4season.bkCamera/lib/arm64-v8a/. The exported symbols cameraWifiupdateFirmware and cameraWifiupdatemcuFirmware strongly suggest separate update paths for Wi-Fi-side firmware and MCU-side firmware. The same library also exported cameraWifiFirmInfoGet, cameraWifiLicInfoGet, and update JNI wrappers, which implies the app contains dormant or hidden upgrade logic even if the UI does not expose it. [#21613891]

Why did flashing one TXW816-810 otoscope backup onto another boot the device but fail at the camera sensor or gsensor stage?

It failed because the MCU family matched, but the attached peripherals did not. One poster flashed the December 2024 backup onto another TXW816-810 and confirmed that it booted, then stopped during sensor bring-up with Er: unkown!gsensor error. Earlier logs also showed different firmware branches using different camera resolutions, vendor strings, and sensor IDs. The lesson is simple: MCU compatibility does not guarantee camera or IMU compatibility. [#21614421]

How far has OpenTXW81X support progressed for TXW816-based otoscopes, including RTSP streaming, LED control on PA00 and PA11, and sensor compatibility issues?

OpenTXW81X has reached basic boot, AP setup, command registration, and partial media bring-up on this hardware. A September 2, 2025 test build started an RTSP-related camera path and produced static audio, but no working video. The same post mapped the blue PCB LED to PA00 and the camera LED ring to PA11. Sensor support remains the main blocker, because startdriver txwcam still ended with unknown sensor detection errors. [#21651756]
Generated by the language model.