Disassembling and Dumping Flash from an SQ11 Mini DV Camera with CH341A SPI Programmer

A while ago I bought one of those cheap almost-certain-to-be-rubbish cube-like Instagram cameras off Ali Express. Almost certainly a clone of something better.


The SQ11 Mini DV is sold alongside claims of "1080p", "HD", "night-vision". "infra-red". These were taken with a large pinch of salt.

I took it apart quite a few months ago, so didn't document that, but there are many videos and pictures elsewhere online of how to open it. My most recent interest is because I was looking around for devices I already had with an 8 pin SOIC flash memory chip on which I could try my new CH341A "black" SPI programmer and clamp.



Mine came with a clamp for use on 8-pin chips left in-situ. Eg (from https://winraid.level1techs.com/t/guide-how-t...-spi-programmer-flasher-with-pictures/33041):



Before I continue here are some pictures of the dismantled chassis and the PCB inside. Predictably there are no LED lamps, just black plastic that vaguely resembles a ring of LEDs.



You can see the 8-pin flash memory chip - a UC25WQ40 - just at the base of the microSD connector.

The QFN48 MCU is a bit of mystery. At a good angle you can make out that it's labelled EA257411.1 2325NRZ.

A Google for that and the PCB silkscreen 935B-V3.0 has not proven fruitful.

But surely one or two of the MCU legs must be a UART log out? Maybe even one of the silver pads on the PCB? I cautiously probed around with the RX leg of a USB-TTL adaptor connected to a jumper cable with a sewing needle soldered at one end, powering the camera off and on again from an external 3.3v PSU after desoldering the useless battery. USB-TTL and the external PSU sharing a ground.


at 115200 baud this pad here gives an output



but not a very helpful one



Time to try the CH341A. After carefully lining up pin 1 of the SOIC with the red pin1 of the clamp



NeoProgrammer detects the IC - UC25WQ40 [3.3V] 4 Mbits, 512 Kbytes



NP read the entire chip and I attach the dump to this thread for reference.



It doesn't seem like there's an awful lot of code in there. Does the MCU also have onboard flash?

Strings found are minimal


Tomorrow I will see if the test pad opposite the TX is an RX and if it'll respond to AT commands.

meh. not much more to say about this little thing. It does not respond to AT commands. The most I can get out of it is some SD card kind of messages when hitting buttons.


video and audio quality is low.


it's going back into its box

Added after 11 [minutes]:

tore off the lens hoping for a make/model. no

Interesting, maybe binwalk on flash dump could say more?

@DeDaMrAz hacked some larger camera once with binwalk, it was running a tiny build of Linux

alas, nothing comes of a binwalk on it

But now to think of it... it's 4Mbits, not 4MB. Just 512KB. So maybe it's not the program.

Can this camera work with flash chip removed?

well. it doesn't love it being removed. it still does something so it must have on-board flash too

boot with flash IC removed



and police siren LEDs to signal its unhappiness



Added after 8 [minutes]:

and if you push one of the buttons while it's flashing the blue will go solid. it's putting some files on the SD card but theyre 0kb



probably a silly question but would the memory in the MCU be addressable from the SPI connections to the 4mbit flash, now removed?

Added after 13 [minutes]:

hmm

Is there any schematic for this minicamera? Is it possible to use it connected to esp32?
Many thanks

Above camera is a cheap clone of real SQ11.
I have original one and it's completely different - mine really have IR for night mode.
Seems that clones have that colored stripe there.
Answer to @ndria90: It's not usable for ESP32, this small device is really integrated and probably incompatible with ESP32 chip as I cannot identify MCU, like poster above, but mine is different.