Disassembling and Dumping Flash from an SQ11 Mini DV Camera with CH341A SPI Programmer

  • #1 21215517
    divadiow
    Level 38  
    A while ago I bought one of those cheap almost-certain-to-be-rubbish cube-like Instagram cameras off Ali Express. Almost certainly a clone of something better.
    Mini SQ11 camera with motion detection, night vision, and up to 100 minutes work time.

    The SQ11 Mini DV is sold alongside claims of "1080p", "HD", "night-vision", "infra-red". These were taken with a large pinch of salt.

    I took it apart quite a few months ago, so didn't document that, but there are many videos and pictures elsewhere online of how to open it. My most recent interest is because I was looking around for devices I already had with an 8 pin SOIC flash memory chip on which I could try my new CH341A "black" SPI programmer and clamp.

    CH341A SPI programmer with 8-pin microcontroller clamp

    Mine came with a clamp for use on 8-pin chips left in-situ. Eg (from https://winraid.level1techs.com/t/guide-how-t...-spi-programmer-flasher-with-pictures/33041):

    Device with a clip connected to a chip on a circuit board.

    Before I continue here are some pictures of the dismantled chassis and the PCB inside. Predictably there are no LED lamps, just black plastic that vaguely resembles a ring of LEDs.

    Disassembled parts of the SQ11 Mini DV camera on a blue background. Disassembled SQ11 Mini DV camera on a blue background Operating manual for SQ11 Full HD 1080P mini camera. Dismantled SQ11 Mini DV camera with wires connected to the electronic circuit. PCB with a microchip labeled 935B-V3.0 held between fingers. Close-up of a circuit board from a disassembled device with visible flash memory chip and microSD slot. Dismantled circuit board of the SQ11 Mini DV camera with connected power wires. Dismantled mini camera with visible circuit board and components. Circuit board of disassembled camera with visible chip and battery Damaged battery with two wires on a blue background Close-up of a circuit board with a microSD slot and flash memory chip. Image of a circuit board from an SQ11 Mini DV camera with a visible microSD slot. Circuit board of SQ11 Mini DV camera showing the MCU and microSD slot.

    You can see the 8-pin flash memory chip - a UC25WQ40 - just at the base of the microSD connector.

    The QFN48 MCU is a bit of mystery. At a good angle you can make out that it's labelled EA257411.1 2325NRZ.
    Close-up of a microprocessor labeled EA257411.1 2325NRZ on a circuit board of a camera.
    A Google for that and the PCB silkscreen 935B-V3.0 has not proven fruitful.

    But surely one or two of the MCU legs must be a UART log out? Maybe even one of the silver pads on the PCB? I cautiously probed around with the RX leg of a USB-TTL adaptor connected to a jumper cable with a sewing needle soldered at one end, powering the camera off and on again from an external 3.3v PSU after desoldering the useless battery. USB-TTL and the external PSU sharing a ground.
    USB to TTL converter with attached cables on a blue background.

    at 115200 baud this pad here gives an output

    View of the disassembled circuit board with a microchip and marked TX point.

    but not a very helpful one



    Time to try the CH341A. After carefully lining up pin 1 of the SOIC with the red pin1 of the clamp

    Close-up of disassembled mini DV camera with a clip connected to a microchip. Close-up of a circuit board with a chip reading clip attached. View of an SPI programming set with a connected clip and micro camera.

    NeoProgrammer detects the IC - UC25WQ40 [3.3V] 4 Mbits, 512 Kbytes

    NeoProgrammer window detecting UC25WQ40 chip.

    NP read the entire chip and I attach the dump to this thread for reference.

    Screenshot of NeoProgrammer software showing memory data from UC25WQ40 microchip.

    It doesn't seem like there's an awful lot of code in there. Does the MCU also have onboard flash?

    Strings found are minimal


    Tomorrow I will see if the test pad opposite the TX is an RX and if it'll respond to AT commands.
  • #2 21216292
    divadiow
    Level 38  
    meh. not much more to say about this little thing. It does not respond to AT commands. The most I can get out of it is some SD card kind of messages when hitting buttons.


    video and audio quality is low.
    Screenshot of the properties window for the MOVI0001.AVI video file.

    it's going back into its box

    Added after 11 [minutes]:

    tore off the lens hoping for a make/model. no

    Electronic module with detached lens on a blue background.
  • #3 21216629
    p.kaczmarek2
    Moderator Smart Home
    Interesting, maybe binwalk on flash dump could say more?

    @DeDaMrAz hacked some larger camera once with binwalk, it was running a tiny build of Linux
  • #4 21216640
    divadiow
    Level 38  
    alas, nothing comes of a binwalk on it

    A screenshot of a terminal showing an attempt to use binwalk to analyze a binary file.
  • #5 21216697
    p.kaczmarek2
    Moderator Smart Home
    But now to think of it... it's 4Mbits, not 4MB. Just 512KB. So maybe it's not the program.

    Can this camera work with flash chip removed?
  • #6 21216876
    divadiow
    Level 38  
    well. it doesn't love it being removed. it still does something so it must have on-board flash too

    boot with flash IC removed



    and police siren LEDs to signal its unhappiness

    Added after 8 [minutes]:

    and if you push one of the buttons while it's flashing the blue will go solid. it's putting some files on the SD card but they're 0kb

    Screenshot showing 0 KB AVI and IDX files.

    probably a silly question but would the memory in the MCU be addressable from the SPI connections to the 4mbit flash, now removed?

    Added after 13 [minutes]:

    hmm

  • #7 21520347
    ndria90
    Level 1  
    Is there any schematic for this minicamera? Is it possible to use it connected to esp32?
    Many thanks
  • #8 21563567
    dragonmen
    Level 3  
    Above camera is a cheap clone of real SQ11.
    I have the original one and it's completely different - mine really has IR for night mode.
    Seems that clones have that colored stripe there.
    Answer to @ndria90: It's not usable for ESP32, this small device is really integrated and probably incompatible with ESP32 chip as I cannot identify MCU, like poster above, but mine is different.
  • #9 21850565
    bewilderbeest
    Level 4  
    Hello --- I just got one of these, discovered it was terrible, pulled it apart, and was about to dump the flash before finding this post. So, thanks!

    I also had a look at the contents of the flash, and discovered two interesting things:

    (a) the instruction set is mipsel. Looks like about MIPS III. But there are a few oddities. Might it be PIC32?
    (b) there's only about 4kB of code in the 512kB flash. The rest of it is completely empty.

    So I'm guessing there's an onboard OS containing all the stuff like SD card handling, camera, etc, and the flash chip contains a very minimal payload to trick you into thinking it's a real camera.

    I had no luck getting at the flash with a programming clip (which is why I used your dump). Assuming that's just a problem with my setup and that this is easily reprogrammable, this might be an interesting hacking platform...

         3e8:       d4032000        ldc1    $f3,8192(zero)
         3ec:       48005800        mfc2    zero,$11
         3f0:       00000004        sllv    zero,zero,zero
         3f4:       9ca00000        lwu     zero,0(a1)
         3f8:       d8032800        ldc2    $3,10240(zero)
         3fc:       d8022800        ldc2    $2,10240(zero)
         400:       9c210018        lwu     at,24(at)
         404:       8521fffc        lh      at,-4(t1)
         408:       8421ffec        lh      at,-20(at)
         40c:       8441fff0        lh      at,-16(v0)
         410:       85c1fff4        lh      at,-12(t6)
         414:       8641fff8        lh      at,-8(s2)
         418:       44004800        mfc1    zero,$f9
         41c:       18a00000        blez    a1,0x420
         420:       d7e10ff8        ldc1    $f1,4088(ra)
         424:       d7e117fc        ldc1    $f1,6140(ra)
    
  • #10 21850567
    divadiow
    Level 38  
    gosh. I'd forgotten about this little thing. Yeh, I assumed there was some internal flash of some sort for the main app.
  • #11 21850636
    p.kaczmarek2
    Moderator Smart Home
    @bewilderbeest Have you tried loading it in Ghidra? No matter which settings I use, I still get "baddata" more or less, and the instructions do not make sense.
  • #12 21851276
    bewilderbeest
    Level 4  
    On a second look --- it's not MIPS. It's very MIPS-like, but the instructions all end up being meaningless. I wonder if it's MIPS with a different opcode map, or with some flipped bits (I've seen that before elsewhere).

    I can see some structure. Functions look like they end with a 44 00 48 00. Is that... OpenRISC?

         f3c:       fc 4f e1 d7     l.sw -4(r1),r9
         f40:       f8 0f e1 d7     l.sw -8(r1),r1
         f44:       f8 ff 21 9c     l.addi r1,r1,-8
         f48:       0d ff ff 07     l.jal 0xb7c
         f4c:       08 00 21 9c     l.addi r1,r1,8
         f50:       fc ff 21 85     l.lwz r9,-4(r1)
         f54:       f8 ff 21 84     l.lwz r1,-8(r1)
         f58:       00 48 00 44     l.jr r9
    
    Added after 2 [hours] 28 [minutes]:

    Yup, it's OpenRISC. Little-endian, no delay slots, possibly a Beyond Silicon BA14 IP block in another softcore. Maybe a SunPlus part (but only because SunPlus is who to go to if you want things to be very, very cheap). Unfortunately Beyond Silicon purged their website of all information about this, and archive.org didn't capture the datasheet.

    https://web.archive.org/web/20130205183225/ht...ww.beyondsemi.com/26/ba14-embedded-processor/
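    Added example, not code from the thread: a decoder for only the OR1K encodings that appear in the listings above (l.sw, l.addi, l.lwz, l.jr, l.jal, l.movhi, per the OpenRISC 1000 architecture manual), a scanner for the "44 00 48 00" epilogue marker bewilderbeest noticed, and a helper that measures how much of a dump precedes the erased 0xFF tail (post #9's "about 4kB of code in the 512kB flash"). The sample bytes are the eight words from the f3c..f58 listing, reassembled by hand; nothing here is the camera's actual firmware beyond those words.

```python
import struct

# Constructed sample (not a real dump): the eight little-endian words from the
# f3c..f58 listing in post #12, ending with 0x44004800 (l.jr r9).
SAMPLE = bytes.fromhex("fc4fe1d7" "f80fe1d7" "f8ff219c" "0dffff07"
                       "0800219c" "fcff2185" "f8ff2184" "00480044")
SAMPLE_BASE = 0xF3C

def s16(v):
    return v - 0x10000 if v & 0x8000 else v

def decode(word, pc):
    """Decode the OR1K encodings seen in the thread's listings (OpenRISC 1000 manual)."""
    op, rd, ra, rb = word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, (word >> 11) & 0x1F
    imm16 = word & 0xFFFF
    if op == 0x35:  # l.sw I(rA),rB: immediate is split across bits 25-21 and 10-0
        return f"l.sw {s16((rd << 11) | (word & 0x7FF))}(r{ra}),r{rb}"
    if op == 0x27:
        return f"l.addi r{rd},r{ra},{s16(imm16)}"
    if op == 0x21:
        return f"l.lwz r{rd},{s16(imm16)}(r{ra})"
    if op == 0x11:
        return f"l.jr r{rb}"
    if op == 0x01:  # l.jal: 26-bit signed word offset, PC-relative
        n = word & 0x3FFFFFF
        n -= 0x4000000 if n & 0x2000000 else 0
        return f"l.jal {pc + n * 4:#x}"
    if op == 0x06:
        return f"l.movhi r{rd},{imm16:#x}"
    return f".word {word:#010x}"

def disassemble(blob, base):
    """Return (address, mnemonic) pairs for each aligned 32-bit little-endian word."""
    return [(base + off, decode(struct.unpack_from("<I", blob, off)[0], base + off))
            for off in range(0, len(blob) - len(blob) % 4, 4)]

def function_ends(blob, base):
    """Addresses of every l.jr r9 (bytes 00 48 00 44): the epilogue marker."""
    return [base + off for off in range(0, len(blob) - 3, 4)
            if blob[off:off + 4] == b"\x00\x48\x00\x44"]

def code_extent(blob):
    """Bytes before the trailing run of erased 0xFF, i.e. the non-blank part of a dump."""
    n = len(blob)
    while n and blob[n - 1] == 0xFF:
        n -= 1
    return n

if __name__ == "__main__":
    for addr, text in disassemble(SAMPLE, SAMPLE_BASE):
        print(f"{addr:#06x}: {text}")
    print("function ends:", [hex(a) for a in function_ends(SAMPLE, SAMPLE_BASE)])
```

Feed it a real dump with `disassemble(open(path, "rb").read(), load_address)` to reproduce the listing; the opcode table only covers the instructions quoted here, so anything else is emitted as `.word`.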
  • #13 21851380
    divadiow
    Level 38  
    Very interesting. Thanks for looking into this.

    I wonder if I still have the parts for further probings. Internal flash dump would be good.

    Could buy another.
  • #14 21851412
    max4elektroda
    Level 23  
    bewilderbeest wrote:
    Unfortunately Beyond Silicon purged their website of all information about this, and archive.org didn't capture the datasheet.

    Webarchive has some "datasheet" here. No real information

    https://web.archive.org/web/20120412212147/ht...semi.com:80/file/487/files/ba14_datasheet.pdf

    Just searched archive for pdf on http://www.beyondsemi.com/ . The small number of datasheets all seem very basic...
  • #15 21852089
    bewilderbeest
    Level 4  
    I figured out the load address and where the printstring routine is (0x00100d8c), so assuming there isn't some kind of checksum to prevent tampering, then reprogramming it to dump the card (a big assumption), then dumping the internal ROM should be easy-ish. From the addresses, I think the first 64 kB is RAM, and the internal ROM is from 0x100000 up. It'd be nice if Ghidra supported this, but it doesn't, so I'm trying to use radare2. I've already found one OpenRISC bug...

    Screenshot of an urxvt terminal showing memory addresses and assembly instructions

    Next step for me is to figure out how to reprogram the flash without desoldering it. My existing ROM burner refuses to, claiming problems with overbudget protection. It's interesting that a CH341-based ROM burner works fine; will need to investigate.
  • #16 21859474
    bewilderbeest
    Level 4  
    @divadiow: I got a CH341A programmer but am having absolutely no luck reading the chip on the board — the software just claims that no flash chip is connected. I've checked that the clip works on another flash chip, and it's fine there.

    I've always had problems working with flash chips on the board, because when the programmer powers the chip, the microprocessor gets powered too and starts interacting with the chip. I have seen the occasional flashing lights while trying the CH341, so that is happening here to a certain extent.

    Did you do anything special to yours to avoid this? And from looking at your photos, are the power leads connected to anything while reading the chip?
  • #17 21859479
    divadiow
    Level 38  
    bewilderbeest wrote:
    are the power leads connected to anything while reading the chip?


    negative. as far as I recall it was powered directly from CH341 because that carried the power.

    Added after 1 [minutes]:

    battery removed?
  • #18 21859483
    p.kaczmarek2
    Moderator Smart Home
    bewilderbeest wrote:
    the software just claims that no flash chip is connected.

    While it's probably not the solution in this case, it's worth mentioning that some flash chips don't support ID read, while they still allow page read and flash.
    See: https://www.elektroda.com/rtvforum/topic4166606.html
  • #19 21860305
    divadiow
    Level 38  
    @bewilderbeest success?
  • #20 21860684
    zachariakassim
    Level 2  
    No output to TV screen. Reason? 8-pin USB. Which pin connects to TV out?

Topic summary

The discussion centers on disassembling a cheap SQ11 Mini DV camera, a likely clone of a better model, to access and dump its 8-pin SOIC flash memory using a CH341A SPI programmer with a clamp. The camera claims features like 1080p HD and night vision, but actual video and audio quality are low. Attempts to communicate with the device via AT commands failed, only yielding SD card-related messages. The flash memory is a 4Mbit (512KB) chip, and binwalk analysis of the flash dump revealed no meaningful data or firmware. Removing the external SPI flash chip causes the camera to malfunction, though it still partially boots, indicating some on-board memory in the MCU. The camera writes zero-byte files to the SD card when buttons are pressed during boot without flash. The MCU type remains unidentified, and the device is not compatible with ESP32 integration. It is noted that original SQ11 cameras differ significantly from clones, with genuine models featuring true IR night vision and different hardware markings. The clone version has a colored stripe on the lens assembly. Overall, the flash chip dump and hardware hacking attempts yielded limited insight into the camera’s firmware or operation.
Summary generated by the language model.