logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 10581 232
ADVERTISEMENT
Reply | New topic
  • #121 21530504
    divadiow
    Level 34  
    today's arrival - another XF16 A9 - same PCB as before, the same 1mb flash chip markings on recent A9 above - CF TJ25Q08M
    PCB with electronic components and a lithium-polymer battery on a blue background. Printed circuit board with electronic components, micro USB socket, ribbon connector, and microphone.

    familiar flash ID C74014. Neo detection name from my own import.xml
    Screenshot of memory programmer software showing detected GD25Q80_CLONE chip at 3.3V.

    dumps https://github.com/openshwprojects/FlashDumps...mits/f4149235555af79af280bf61abb642e41ac55f0d
    HxD says UART and SPI identical

    boot log
    Code: Text
    Log in, to see the code


    SP0828 cam seen in log and printed on ribbon

    Product label on a white box with a barcode, IP camera description, and manufacturer details. A9 camera packaging and YsxLite app instruction manual on a blue surface.
  • ADVERTISEMENT
  • #122 21530531
    p.kaczmarek2
    Moderator Smart Home
    I've got 3 today, all the same version as you:
    Three disassembled IP cameras with exposed electronics and Li-Po batteries.
    Three disassembled camera modules with visible PCBs and lenses, along with housing parts and batteries on a white surface.
    Close-up of a camera circuit board with visible lens, T25S80 flash memory chip, and connectors.
    Camera module with lens, circuit board, and connectors shown in close-up.
    Close-up of a camera circuit board with lens, T25S80 flash chip, and a lit blue LED.
    Backup of all 3 firmwares:
    https://github.com/openshwprojects/FlashDumps/commit/f736f4afcd1c96a4c7dc85d377540d048f37bf59

    Well, it seems it's hard for me to get another version. Maybe we should try something. For example... take offsets from here:
    Screenshot of a firmware configuration utility, showing details of six binary sections with addresses, sizes, and attributes.
    and enter them to OpenXR872\project\image_cfg\image.cfg

    Also, would that camera boot from 1MB flash but non-factory one? I mean, take another 1MB flash chip from a laptop or something, flash OBK to it, will it boot?
    Helpful post? Buy me a coffee.
  • #123 21530534
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    Also, would that camera boot from 1MB flash but non-factory one? I mean, take another 1MB flash chip from a laptop or something, flash OBK to it, will it boot?


    worth a try maybe. might have a 1mb on an ESP somewhere.

    Also, I think it's correct that freq: 96000000Hz is only seen in boot log for XR872 and not on factory A9 XF16 boot logs, which appear to be freq: 48000000Hz. I don't see how this relates to flash size, but what might the significance of that be?

    Added after 1 [minutes]:

    https://github.com/openshwprojects/OpenXR872/...ee15e07d/project/common/framework/psram.c#L92
  • ADVERTISEMENT
  • #124 21530540
    p.kaczmarek2
    Moderator Smart Home
    Ok I can't do the same format as in factory firmware, unless I turn off some things
    Screenshot showing a diff of the image.cfg configuration file, highlighting changes in flash_offs values across several sections.
    Screenshot of a console error message showing bin file overlap during firmware image generation.

    Added after 3 [minutes]:

    Wait, why our image cfg has OTA at offset 1024?

    A fragment of a JSON configuration file with the OTA section highlighted, showing address 1024K and size 4K.
    Helpful post? Buy me a coffee.
  • #125 21530544
    divadiow
    Level 34  
    oh. that sounds problematic if BL is checking there..?
  • #126 21530548
    p.kaczmarek2
    Moderator Smart Home
    I don't know, I would expect at least an error message on UART.

    I am trying to enter partition table as in backup, but after moving app_xipapp_xip.bin futher down in flash, I got this:
    Code: text Expand Select all Copy to clipboard
    
err: bin 4 and bin 5 were overlaped!
Overlapped size: 6708 Byte(7kB)
bin 4 name:wlan_fw.bin    begin: 0x000CA800    end: 0x000D2A34
bin 5 name:wlan_sdd_40M.bin    begin: 0x000D1000

We've rearranged bin files and generated new cfg file 'image_auto_cal.cfg', the new one is recommended.
Generate image file failed

    Spoiler:

    Code: text Expand Select all Copy to clipboard
    
{
    "magic": "AWIH",
    "version": "0.4",
    "OTA": {
        "addr": "1024K",
        "size": "4K"
    },
    "image": { "max_size": "880K" },
    "count": 6,
    "section": [
        {
            "id": "0xa5ff5a00",
            "bin": "boot_40M.bin",
            "cert": "null",
            "flash_offs": "0K",
            "sram_offs": "0x00268000",
            "ep": "0x00268101",
            "attr": "0x1"
        },
        {
            "id": "0xa5fe5a01",
            "bin": "app.bin",
            "cert": "null",
            "flash_offs": "32K",
            "sram_offs": "0x00201000",
            "ep": "0x00201101",
            "attr": "0x1"
        },
        {
            "id": "0xa5fd5a02",
            "bin": "app_xip.bin",
            "cert": "null",
            "flash_offs": "144K",
            "sram_offs": "0xffffffff",
            "ep": "0xffffffff",
            "attr": "0x2"
        },
        {
            "id": "0xa5fa5a05",
            "bin": "wlan_bl.bin",
            "cert": "null",
            "flash_offs": "806.5K",
            "sram_offs": "0xffffffff",
            "ep": "0xffffffff",
            "attr": "0x1"
        },
        {
            "id": "0xa5f95a06",
            "bin": "wlan_fw.bin",
            "cert": "null",
            "flash_offs": "810K",
            "sram_offs": "0xffffffff",
            "ep": "0xffffffff",
            "attr": "0x1"
        },
        {
            "id": "0xa5f85a07",
            "bin": "wlan_sdd_40M.bin",
            "cert": "null",
            "flash_offs": "836K",
            "sram_offs": "0xffffffff",
            "ep": "0xffffffff",
            "attr": "0x1"
        },
        {}
    ]
}


    I will give up with offsets for now, and I will give you build without OTA to check.

    Added after 8 [minutes]:

    Attaching two builds, second with OTA section removed:
    Screenshot of a code editor showing differences in a configuration file.
    Comparison of two binary files in a hex editor, highlighting byte-level differences.
    Attachments:
    Helpful post? Buy me a coffee.
  • #127 21530564
    divadiow
    Level 34  
    ota was the problem.

    to be clear, xr_system_noOTA.img boots on 1mb flash

    Code: Text
    Log in, to see the code
  • #128 21530633
    p.kaczmarek2
    Moderator Smart Home
    That's a very good news! So soon I can make XR872/XF16 flashing guide. Is there anything else we should do first?

    I've pushed config fix to main app:
    https://github.com/openshwprojects/OpenBK7231...mmit/0274993d7fc077c4f160556c932c98428e7c3cc1
    Helpful post? Buy me a coffee.
  • #129 21530699
    divadiow
    Level 34  
    not sure what should come first tbh, I guess all the pins? How would it work? Configure the most number of pins for XR872 and then see which control pins on XF16?

    Screenshot of a device configuration panel with multiple error fields and dropdown menus.

    RSSI. Powersave, ADC/battery, loads of things I guess.

    Also do you build for 2mb+ with OTA, assuming most XR871s are larger, but provide a no-OTA XF16 1mb version too?

    OpenXR872 device control panel with configuration, restart, and web app launch buttons.

    curiously, there's an XF16 A9 here with 2mb chip https://community.home-assistant.io/t/popular...mini-wi-fi-camera-the-ha-challenge/230108/247
  • #130 21530761
    p.kaczmarek2
    Moderator Smart Home
    I've been also wondering whether this driver matches the camera we have:
    https://github.com/search?q=repo%3Aopenshwprojects%2FOpenXR872%20camera&type=code
    https://github.com/openshwprojects/OpenXR872/...76418953/project/common/cmd/cmd_camera.c#L153
    Are those pins matching our board?
    Code: C / C++
    Log in, to see the code


    Do these sensors match?
    Code: C / C++
    Log in, to see the code


    Added after 52 [seconds]:

    divadiow wrote:


    curiously, there's an XF16 A9 here with 2mb chip https://community.home-assistant.io/t/popular...mini-wi-fi-camera-the-ha-challenge/230108/247

    probably older version when they kept OTA, later they have removed OTA and reduced flash size?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #131 21530856
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    probably older version when they kept OTA, later they have removed OTA and reduced flash size?

    I guess so.

    Quote:
    Do these sensors match?


    hmm. I have GC0329C, SP0828 and I need to check 3rd XF16 again. Maybe GC0328c driver works for GC0329C. @insmod mentioned some GC0x drivers here https://www.elektroda.com/rtvforum/topic4118348.html#21526110 maybe he knows more since then

    Added after 5 [minutes]:

    https://github.com/search?q=drv_gc0329.h&type=code
  • #132 21530863
    p.kaczmarek2
    Moderator Smart Home
    do we have GC0329C or GC0328c datasheet?
    Helpful post? Buy me a coffee.
  • #134 21530904
    p.kaczmarek2
    Moderator Smart Home
    What about pins? Did you try to check them?


    Hm, this is the sample for camera, it's called jpeg:
    Code: text Expand Select all Copy to clipboard
    
tester@DESKTOP-7SD9MUK:/mnt/w/GIT/OpenXR872/project/example/jpeg/gcc$ make image

    Compilation error in terminal with multiple references to undefined function `__wrap_memset`.
    This doesn't look hard to fix

    Added after 1 [minutes]:

    I added to main.c:
    Code: C / C++
    Log in, to see the code

    only those errors remain:
    Code: text Expand Select all Copy to clipboard
    
../../../../lib/libchip.a(hal_spi.o): In function `HAL_SPI_Close':
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_spi.c:929: undefined reference to `HAL_DMA_Stop'
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_spi.c:930: undefined reference to `HAL_DMA_Stop'
../../../../lib/libchip.a(hal_spi.o): In function `HAL_SPI_Receive':
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_spi.c:1029: undefined reference to `HAL_DMA_Stop'
../../../../lib/libchip.a(hal_spi.o): In function `HAL_SPI_Transmit':
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_spi.c:1109: undefined reference to `HAL_DMA_Stop'
../../../../lib/libchip.a(hal_dcache.o): In function `HAL_Dcache_IsCacheable':
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_dcache.c:58: undefined reference to `__XIP_BASE'
/mnt/w/GIT/xr872_sdk/src/driver/chip/hal_dcache.c:58: undefined reference to `__XIP_END'
../../../../lib/librom.a(rom_core.o):(.ram_table+0x138): undefined reference to `__XIP_BASE'
../../../../lib/librom.a(rom_core.o):(.ram_table+0x13c): undefined reference to `__XIP_END'
../../../../lib/xradio_v2/libwlan.a(wlan.o): In function `wlan_ap_sta_info':
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan.c:452: undefined reference to `wpa_ctrl_request'
../../../../lib/xradio_v2/libwlan.a(wlan_ctrl.o): In function `wlan_start':
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:300: undefined reference to `wpas_start'
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:306: undefined reference to `hostapd_start'
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:314: undefined reference to `wpa_ctrl_open'
../../../../lib/xradio_v2/libwlan.a(wlan_ctrl.o): In function `wlan_stop':
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:329: undefined reference to `wpas_stop'
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:335: undefined reference to `hostapd_stop'
/home/xieqihai/IOT/sdk/git/wlan/src/net/wlan/wlan_ctrl.c:341: undefined reference to `wpa_ctrl_close'
collect2: error: ld returned 1 exit status
make: *** [../../../../project/project.mk:327: jpeg.axf] Error 1


    Added after 1 [minutes]:

    I can see HAL_DMA_Stop in code, why would it be missing https://github.com/search?q=repo%3Aopenshwprojects%2FOpenXR872%20HAL_DMA_Stop&type=code

    Added after 1 [minutes]:

    _XIP_BASE is undefined probably because of the lack of _XIP_BASE

    Fragments of two code files showing the definitions and assignments of XIP addresses in C and linker script.

    Added after 5 [minutes]:

    Ok another idea. I don't have that much time for playing, but maybe I could just put camera calls in OBK project?
    Code: C / C++
    Log in, to see the code

    Well, it actually compiled with test call to HAL_GC0328C_Suspend - no linker errors.
    Helpful post? Buy me a coffee.
  • #135 21530909
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    What about pins? Did you try to check them?


    I'm not sure what to trace and to where. With no datasheet for either XF16 or the GC0329...
  • #136 21530910
    p.kaczmarek2
    Moderator Smart Home
    Ah, we don't actually know the GPIO pinout of XF16?
    Helpful post? Buy me a coffee.
  • #137 21530911
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    Ah, we don't actually know the GPIO pinout of XF16?

    no! only XR872

    Added after 1 [minutes]:

    I've tried quite a lot to :(
  • #138 21530912
    p.kaczmarek2
    Moderator Smart Home
    Camera compiled in OBK project:
    Code: C / C++
    Log in, to see the code

    It requires SD card by default so will most likely crash
    Attachments:
    Helpful post? Buy me a coffee.
  • #139 21530919
    divadiow
    Level 34  
    Code: Text
    Log in, to see the code
  • #140 21530928
    p.kaczmarek2
    Moderator Smart Home
    Not sure if I recompiled, but here is without SD check:
    Code: C / C++
    Log in, to see the code

    updated attachment
    Attachments:
    Helpful post? Buy me a coffee.
  • #141 21530933
    divadiow
    Level 34  
    Code: Text
    Log in, to see the code
  • #142 21530934
    p.kaczmarek2
    Moderator Smart Home
    Wait I will add better printfs:

    Screenshot showing a C source code snippet implementing a memory allocation function for a camera.

    Added after 6 [minutes]:

    It probably fails here:
    Code: C / C++
    Log in, to see the code

    I don't see any external PSRAM chips so it probably uses heap path. So it fails to alloc JPEG_SRAM_SIZE bytes.
    JPEG_SRAM_SIZE can have different values:
    https://github.com/search?q=repo%3Aopenshwprojects%2FOpenXR872%20JPEG_SRAM_SIZE&type=code
    In my sample I used:
    Code: C / C++
    Log in, to see the code

    180kB, but here they use 100kB:
    https://github.com/openshwprojects/OpenXR872/...f76418953/project/common/cmd/cmd_camera.c#L67
    Let's try with 100kB


    Better logging file attached:
    Attachments:
    Helpful post? Buy me a coffee.
  • #143 21530938
    divadiow
    Level 34  
    Code: Text
    Log in, to see the code
  • ADVERTISEMENT
  • #144 21530951
    p.kaczmarek2
    Moderator Smart Home
    Better use camera cmd demo...
    Code: C / C++
    Log in, to see the code
    Attachments:
    Helpful post? Buy me a coffee.
  • #145 21530956
    divadiow
    Level 34  
    Code: Text
    Log in, to see the code
  • #146 21530962
    p.kaczmarek2
    Moderator Smart Home
    Well the alloced buffer is obviously to small for target size. I didn't check that, I just trusted the size from the camera sample and it's obviously too small.

    Ok I attached one camera, I will give it few more tries on my side

    Added after 12 [minutes]:

    Im confused.
    Code: text Expand Select all Copy to clipboard
    
size 460800
[cmd ERR] camera_mem_create():167, aadr exceeded

    for 640 x 480 this code needs 460 800 RAM, but XR872 is said to have 416KB SRAM. It supports external PSRAM, but it's not present in A9 cameras. So, how do they take 640x480 image there?

    Added after 4 [minutes]:

    Code: text Expand Select all Copy to clipboard
    
__CONFIG_JPEG: Required option. Enables the JPEG module and must be enabled.

__CONFIG_JPEG_SHAR_SRAM_64K: Optional. Configures the amount of memory to allocate for JPEG usage. This option must be enabled when the image height exceeds 576 or the width exceeds 720.

__CONFIG_PSRAM: Optional. Enables PSRAM in the project. Must be enabled if the project uses PSRAM functionality.

__CONFIG_PSRAM_CHIP_OPI32: Optional. Configures the type of PSRAM.


    Added after 28 [minutes]:

    Code: text Expand Select all Copy to clipboard
    el! @ 5255 sec
Will call my_camera_init_exec
Will call camera_mem_create
camera_mem_create will malloc
heap exhausted, incr 122888, 0x258674 >= 0x257c00
camera_mem_create: malloc fail 122880
Will call HAL_CAMERA_Init
[HAL WRN] I2C wait semaphore failed, i2c ID 0
GC0328C sccb read error
GC0328C Init error!!
[CAMERA ERR] HAL_CAMERA_Init():362, sensor config fail
[cmd ERR] my_camera_init_exec():199,  init fail
Will call my_camera_cap_one_image_exec
Will call HAL_CAMERA_CaptureImage
[CAMERA ERR] HAL_CAMERA_CaptureImage():437, not init
[cmd ERR] my_camera_cap_one_image_exec():216, cap one image failed
Will call my_camera_deinit_exec
[CAMERA ERR] HAL_CAMERA_DeInit():386, not init
Hello wordsald! @ 9322 sec
Hello wordsald! @ 10322 sec


    Added after 31 [minutes]:

    Had to do SPI recover, interestingly enough NeoProgrammer detected:
    Code: text Expand Select all Copy to clipboard
    
SPI ID: 5E3214
---------------------------------------------------------------------------
Currently selected:  ZB25WD80 [3.3V] 8 Mbits, 1 Mbytes


    Added after 11 [minutes]:

    Tried second I2C:
    Code: text Expand Select all Copy to clipboard
    
[HAL WRN] I2C wait semaphore failed, i2c ID 1
                                  
                                              GC0328C sccb read error
          
                                                                      GC0328C In
it error!!
                                                                     
    Helpful post? Buy me a coffee.
  • #148 21531035
    p.kaczmarek2
    Moderator Smart Home
    I was hoping that they just used SDK setup, but no. We need to trace pins. Maybe it's not the same type of the camera, but maybe it is and requires extra power signal. We need more information.


    For memory, it looks like we don't need YUV buffer (yuv_buf). It's used only in JPEG_MOD_OFFLINE. And in online, it will create JPEG on the fly. So it will fit to memory. This check in cmd_camera.c is incorrect in online mode:
    Code: C / C++
    Log in, to see the code

    yuv_buf could be totally removed.

    We need to find GPIO of the camera. Is XR871 GPIO matching XR872:?
    Helpful post? Buy me a coffee.
  • #150 21531055
    p.kaczmarek2
    Moderator Smart Home
    Well, XTAL (oscillator) pin positions seems to match, so why do you think that XR872 pinout does not match XF16? Pin 52 (antenna) also seem to match.
    Helpful post? Buy me a coffee.
Reply | New topic
Report a violation of the law

Topic summary

The discussion focuses on a variation of the A9 mini Wi-Fi camera featuring the XF16 PB380EA6341 MCU, an 8Mbit SPI flash chip labeled T25S80 (likely from ChipSourceTek), and the XR872 SoC running the Skylark SDK. Attempts to read and dump the flash firmware using tools like Flashrom, NeoProgrammer, and ASProgrammer faced challenges due to unrecognized SPI IDs and unreliable read/write operations, especially when the flash chip was in-circuit. Desoldering the flash chip improved read/write reliability. The firmware strings indicate the use of an RTOS and the iLnkP2P protocol for communication. The XR872 SDK (version 2.0 and later 1.2.x) was explored for building and flashing demo applications, including a "hello world" example, which successfully booted on the hardware after flashing via UART using PhoenixMC. Flashing custom firmware requires careful handling of flash erase and protection bits, with some users experiencing verification errors and random write failures. The flash layout includes an AWIH header and OTA partitions, with OTA updates compressed by XZ, raising concerns about fitting OTA images into the 1MB flash. Hardware details such as the presence of a pull-up resistor on the flash hold pin and UART pin configurations (PB02/PB03) were examined. The community also discussed the compatibility of different flash chip sizes (1MB vs 2MB) and the impact on firmware booting and flashing. Some users successfully transplanted firmware to larger flash chips (2MB) to run custom firmware like OpenXR872 (OBK). The discussion includes references to related projects for video stream capture without flashing (cam-reverse) and the challenges of flashing and booting custom firmware on these devices. Overall, the thread provides detailed technical insights into hardware probing, firmware extraction, SDK usage, flashing procedures, and troubleshooting for the XF16-based A9 mini camera variant with XR872 SoC.
Summary generated by the language model.
Popular Topics
ADVERTISEMENT