logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 33606 298
ADVERTISEMENT
Report a violation of the law
Reply | New topic
  • #151 21531057
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    divadiow wrote:
    curious about how the pins will work with XF16 being QFN68 and XR872AT being QFN52 and XR872ET being QFN40. We don't have a datasheet for XF16 yet.


    because of this though. QFN68

    Added after 3 [minutes]:

    dumping stuff here as I find btw
    https://github.com/divadiow/DataSheets/tree/main/GalaxyCore
    https://github.com/divadiow/DataSheets/tree/main/AllWinner_Xradiotech
  • ADVERTISEMENT
  • #152 21531066
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    So we have some camera datasheets. But wait for a moment.

    It seems that I have some UART flashing issues again. Can you triple-check if it works still as expected for you, with OpenXR?

    I am starting to think that SOMEHOW latest OpenXR872 release has flashing via UART broken.
    Helpful post? Buy me a coffee.
  • #153 21531075
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    I was flashing OK last night and now latest release is flashing too
    PhoenixMC software interface showing firmware flashing process to a device on COM72 port, progress bar at 42%.

    Added after 3 [minutes]:

    make a new cable/dev thing with spare USB-TTL adaptor and 5v out?

    Added after 6 [minutes]:

    wait.

    Added after 2 [minutes]:

    subsequent flash attempts since OpenXR872_1.18.94.img

    Screenshot of PhoenixMC software showing synchronization error during firmware upgrade via COM72 port.
  • #154 21531095
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    So this commit breaks futher UART flashing on XR872?
    Screen fragment showing configuration file changes with removal of the OTA section from image_cfg/image.cfg.
    https://github.com/openshwprojects/OpenXR872/...e17921e7e6845f234d9b861f8e77874e352cdb269345f
    That's the same commit that allowed our image to boot on 1MB flash chips.
    Helpful post? Buy me a coffee.
  • #155 21531099
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    hmm. so why could I flash after this non-GH build if that was the only change in code? https://www.elektroda.com/rtvforum/topic4074636-120.html#21530564

    Added after 14 [minutes]:

    have you a 2mb flash cam readily available that you can program with OpenXR872_1.18.94.img to see if flash size makes any difference? i'm not sure what that would prove exactly though
  • ADVERTISEMENT
  • #156 21531105
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    The camera I use for testing has 2MB flash, but I tried 1MB flash yesterday and it was the same. Maybe I should edit that config to put OTA somewhere within 1MB bounds instead of removing it entirely.

    Added after 2 [hours] 23 [minutes]:

    Done:
    Code: text Expand Select all Copy to clipboard
    
{
    "magic": "AWIH",
    "version": "0.4",
    "OTA": {
        "addr": "880K",
        "size": "4K"
    },
    "image": { "max_size": "880K" },
    "count": 6,
    "section": [

    Can you check?
    Attachments:
    • ota_but_at_880k.zip (422.67 KB) You must be logged in to download this attachment.
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #157 21531260
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    Yes, flashed that to a still-working XF16, so I didn't have to bother unsoldering yet if it didn't work, boots OK but sadly no flashes after that to same build or any other :(

    Screenshot of PhoenixMC software during firmware flashing, showing a synchronization error.

    Code: Text
    Log in, to see the code


    Added after 34 [minutes]:

    there must be some code thing to allow uart commands to be received and actioned to put it into download mode and the XR872 code currently is set to not allow this?
  • #158 21531300
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    So, you are 100% sure that version before this commit allows UART flashing:
    https://github.com/openshwprojects/OpenBK7231...mmit/0274993d7fc077c4f160556c932c98428e7c3cc1
    and versions after this commit do not?

    So, to sum up.
    First version that we got to work - with this section:
    Code: text Expand Select all Copy to clipboard
    
{
    "magic": "AWIH",
    "version": "0.4",
    "OTA": {
        "addr": "1024K",
        "size": "4K"
    },
    "image": { "max_size": "880K" },
    "count": 6,
    "section": [

    On 1MB chip, it does not boot, but it boots on my custom 2MB flash chip.
    However, on 1MB chip, it still allows UART recovery?

    Second version (introduced here https://github.com/openshwprojects/OpenBK7231...mmit/0274993d7fc077c4f160556c932c98428e7c3cc1 ) - with this section removed:
    Code: text Expand Select all Copy to clipboard
    
{
    "magic": "AWIH",
    "version": "0.4",
    "image": { "max_size": "880K" },
    "count": 6,
    "section": [

    It boots on both 1MB and 2MB chips, but does not allow UART flash.

    Third version (the one I added in attachment):
    Code: text Expand Select all Copy to clipboard
    
{
    "magic": "AWIH",
    "version": "0.4",
    "OTA": {
        "addr": "880K",
        "size": "4K"
    },
    "image": { "max_size": "880K" },

    It also boots on both 1MB and 2MB chips, but does not allow UART flash?
    Helpful post? Buy me a coffee.
  • #159 21531310
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    I'd need to flash again to be 100% sure. I appear to have lost track of what worked when and on what. I currently have 2 1mb cams that boot but no UART flash ability and 1 2mb cam that doesn't boot into anything and won't allow UART flash either. If I desolder to flash again, I guess I could flash A9 factory then we're open for UART to anything from that point.

    Added after 45 [minutes]:

    OK. I have two 1mb cams that I can do uart with now. In case you've already gone further with your own testing, is there anything specific you want me to flash right now?

    Added after 40 [minutes]:

    I have flashed 1.18.93 to both 1mb cams (2mb isnt behaving at the moment) and neither boot (as we know) but both can be communicated with in PhoenixMC again after flash
  • ADVERTISEMENT
  • #160 21531400
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Ok fresh tests on 2MB:
    Code: text Expand Select all Copy to clipboard
    
SPI ID: C84015
---------------------------------------------------------------------------
Currently selected:  GD25Q16x [3.3V] 16 Mbits, 2 Mbytes
---------------------------------------------------------------------------

    I flashed original backup via SPI (desoldered chip), then I flashed 1.18.93 via UART. Then flashed 1.18.93 via UART again. Then power off and power on, then I am not able to flash via UART anymore.
    So... 1.18.93 still has the problem?

    Attempt 2. I restored original backup via SPI (desoldered chip), then I flashed 1.18.94 via UART. Then flashed 1.18.94 via UART again. Then flashed 1.18.94 via UART again. Then flashed 1.18.94 via UART again. Then flashed 1.18.93 via UART. Then flashed 1.18.94 via UART. Then power off and power on, then I am not able to flash via UART anymore.

    Attempt 3. I restored original backup via SPI (desoldered chip), then I flashed 1.18.90 via UART. And again. Then power off and power on, then I am not able to flash via UART anymore.

    Conclusion so far: all previous tests were more or less incorrect. It seems that something that allows UART flashing is persistent in RAM until power off. So the UART problem started earlier or it was present from the start.
    Helpful post? Buy me a coffee.
  • #161 21531407
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    to confuse things a little, I am flashing 1.18.93 over and over uart to 1mb flash and removing all power from device in between

    Added after 9 [minutes]:

    is your experience different because with a 2mb flash you are booting into the app and response to commands from uart are ignored because this ability is disabled in code? whereas with no boot, ie not getting past bootloader, on 1mb flash, the BL still allows UART comms?

    what I mean is, regardless of flash size, is the issue that something needs changing in the SDK to allow commands from uart to be received to put device into uart download mode?
  • #162 21531421
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Let's check this build:
    Code: text Expand Select all Copy to clipboard
    
#79 21523387  18 Apr 2025 18:16 https://www.elektroda.com/rtvforum/viewtopic.php?p=21523387#21523387

    Flashed factory firmware via desoldered flash chip. Flashed this build via UART. It boots:
    A RealTerm program window displaying yellow diagnostic messages related to TCP_server thread creation errors.
    UART is ok. I can flash again. And again.
    Wireless signal icon next to the text OpenXR872_000000000.
    Now power off... and on.
    Part of a software window with a greyed-out set buf button and the message Open comm OK !.
    Well, this version seems to allow UART even after power off and on cycle? That's very strange? That would suggest that something between 18 Apr and the XR872 addition to online builds has changed?

    I've flashed XR872 at_demo build now locally and lost again ability to flash via UART.

    Could the culprit be here?
    https://github.com/openshwprojects/OpenXR872/commits/main/
    Update image.cfg or FIX FLASH CONFIG SAVE?
    Helpful post? Buy me a coffee.
  • #163 21531440
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    1 mo. I *may* have found something. Is it possible that we need OTA module defined (right word?) even if we're not doing actual OTA.

    Screenshot of documentation showing a section from localconfig.mk configuration with xplayer, XIP, and OTA options in Chinese and English.

    Looking at XR872development_manual.pdf it seems there's another program pictured - iflymod - where a "jyd ota..." command is sent and it looks like it's sending this over UART.

    dunno, just a thought

    Screenshot from the XR872 Chinese manual showing instructions and iflymod program window with commands related to firmware upload via UART.
  • #164 21531441
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    I've put obk in "hello_ world" project and I believe this is enabled there, but you can double check:
    https://github.com/openshwprojects/OpenXR872/...in/project/demo/hello_demo/gcc/localconfig.mk
    https://github.com/openshwprojects/OpenXR872/blob/main/project/demo/hello_demo/prj_config.h

    Added after 5 [minutes]:

    Degraded back SDK to version from 8 days ago:
    Screenshot from GitHub showing the commit history of the OpenXR872 project with the Make mkimage executable commit highlighted.
    Still nothing. Here's another idea - maybe logging printf blocks UART? That "every second" stuff?
    Next test incoming...
    Helpful post? Buy me a coffee.
  • #165 21531566
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    p.kaczmarek2 wrote:
    I've put obk in "hello_ world" project and I believe this is enabled there, but you can double check:

    double-check = flash original hello_world binary?

    p.kaczmarek2 wrote:
    Next test incoming...

    how's it going?
  • #166 21532842
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    Code: Text
    Log in, to see the code


    is present in localconfig.mk but not in prj_config.h
  • Helpful post
    #167 21534886
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    if you sniff out the UART comms as PhoenixMC opens com and sends reboot/download mode command:

    gif
    Screenshot of a Chinese firmware upgrade tool showing a synchronization error on COM port.

    Code: Text
    Log in, to see the code


    5x 10 sets of U until timeout



    with a receptive firmware the device will acknowledge with this response

    gif
    Firmware upgrade software showing a synchronization error while uploading a .img file.

    Code: Text
    Log in, to see the code


    https://github.com/search?q=repo%3Aopenshwprojects%2FOpenXR872+BROM&type=code

    so, https://github.com/openshwprojects/OpenXR872/blob/main/project/common/cmd/cmd_upgrade.c ?

    Code: C / C++
    Log in, to see the code


    Added after 8 [hours] 50 [minutes]:

    p.kaczmarek2 wrote:
    maybe logging printf blocks UART? That "every second" stuff?


    on this, if you set loglevel 0 then PhoenixMC takes longer to error, like it's getting to send full 5x 10 'U' and getting no response. With higher logging you get a quicker synchron error return, presumably because it sends the first 10 Us but with a more chatty uart it gets the wrong response

    Screenshot of a terminal with system logs, the upgrade command, and repeated U characters.
  • #169 21536627
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Hey, can you check whether flashing old OpenXR809 also breaks uart download mode without grounding required pins?

    Added after 6 [minutes]:

    So you think this code prints that "OK"? The one which is send by XR872 back to flasher?
    Code: C / C++
    Log in, to see the code

    Well, you may be right:
    Screenshot of C code from OpenXR872's cmd_util.c file, showing status description arrays and a function returning command status descriptions.
    So we have reboot command for firmware update and just classic reboot?
    Code: C / C++
    Log in, to see the code

    that would mean that we need to run cmd_upgrade_exec, but where is it called from?
    https://github.com/search?q=repo%3Aopenshwpro...%2FOpenXR872%20cmd_upgrade_exec&type=code
    QR code demo has command "upgrade":
    Screenshot of a code editor showing the definition of a command array in the command.c file from an OpenXR872-based project.
    Which matches what XR tool sends, wow, it seems you've really find it! I guess we need to add this command for OBK now? Or... do we even build with AT commands on?
    Helpful post? Buy me a coffee.
  • #170 21536637
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    yeh baby! :D

    I did a search too in the Tuya XR806 SDK to see where such references might pop up in demos
    Screenshot of a code editor showing a search for the term “upgrade” in Tuya XR806 SDK files.

    I started to try something but it doesn't work and I guess with what you've added, more is required

    https://github.com/openshwprojects/OpenBK7231...:OpenBK7231T_App:refs/heads/xr809_cmd_upgrade
    https://github.com/openshwprojects/OpenXR809/...are/master...divadiow:OpenXR809:cmd_upgrade.c
  • #171 21536653
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Maybe you don't need to add more. It seems it's already in hello_demo, which I used as container for OBK, due to the lack of time:
    A code snippet in command.c listing command registrations including mem, heap, thread, and upgrade.
    https://github.com/openshwprojects/OpenXR872/...6418953/project/demo/hello_demo/command.c#L89
    but it doesn't change the fact that it does not recognize those commands yet, so something must be missing. Maybe removed by accident.
    This is the entry point:
    https://github.com/openshwprojects/OpenXR872/...8023bf76418953/project/demo/hello_demo/main.c
    Well, but it only has platform_init call, the original hello_demo has it as well:
    https://github.com/divadiow/xr872_sdk/blob/dev/project/demo/hello_demo/main.c
    |So we probably need a compile time switch that enables AT commands. CONFIG_something

    Added after 1 [minutes]:

    If you look for main_cmd_exec in the SDK, you can find line 666:
    Screenshot from GitHub editor showing code in platform_init.c file. The macro PRJCONF_CONSOLE_EN and assignment cparam.cmd_exec main_cmd_exec are underlined at line 666.
    Helpful post? Buy me a coffee.
  • #173 21536783
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Very good, you have solved the problem! Is it tested well, with power off and on cycles? Then I can merge.

    This only leaves one question - why it worked with new firmware before power off/on cycle?
    Helpful post? Buy me a coffee.
  • #174 21536793
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    p.kaczmarek2 wrote:
    Is it tested well, with power off and on cycles?

    yes. Camera unplugged and re-plugged fresh a few times.

    p.kaczmarek2 wrote:
    why it worked with new firmware before power off/on cycle?

    hmm. I can't think why really. Anything to do with reset options selected here in settings?

    Software settings window for firmware programming with highlighted Restart after programming and Hardware location burning mode options.

    that "hardware location burning mode" translation is a little bit wrong. I have seen it referred to as "Hardware reset burning mode" in a couple of PDFs or guides. for example:

    Code: Text
    Log in, to see the code

    https://zhuanlan.zhihu.com/p/694447378

    PhoenixMC settings window with the hardware reset burning mode option highlighted and checked.

    I should probably replace pictures in posts with correction

    Added after 5 [minutes]:

    also confirming that "reboot" button from the debug menu also works after successful com open in PhoenixMC
  • #175 21536798
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    I have merged your changes. Now, doesn't the same work for XR806 and XR809?
    Helpful post? Buy me a coffee.
  • #176 21536807
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    cool.

    I started on XR809 but was getting all my branches mixed up so shifted to XR872 only.
    https://github.com/openshwprojects/OpenBK7231T_App/actions/runs/14788805529/job/41522009963

    if enabled it complains about:

    Code: Text
    Log in, to see the code


    and with command.h added it complains about partition overlap https://github.com/openshwprojects/OpenBK7231T_App/actions/runs/14789021450/job/41522592014

    but maybe this was the point I mixed something up. I anticipated starting again with XR809
  • #177 21536815
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    Probably you did good, but it just enabled so many commands that it ran out of flash memory. What kind of command.c source code did you use? I think we just need that upgrade and reboot command. We do not need full AT command line.
    Helpful post? Buy me a coffee.
  • #178 21536820
    divadiow
    Level 38  
    Posts: 4839
    Help: 420
    Rate: 852
    https://github.com/openshwprojects/OpenXR809/commit/731618ff67c61b88b9981acfe0768a5f84b6cdac

    maybe from https://github.com/openshwprojects/OpenXR809/tree/master/project/wlan_demo - can't actually remember now!

    there's also the potential to save 7-9k with newer toolchain on XR809 but I haven't tested anything but build https://github.com/openshwprojects/OpenBK7231T_App/pull/1619
  • #179 21536893
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14394
    Help: 650
    Rate: 12316
    I'd remove all commands except update and upgrade.
    Helpful post? Buy me a coffee.
Reply | New topic
Report a violation of the law

Topic summary

✨ The discussion focuses on a variation of the A9 mini Wi-Fi camera featuring the XF16 PB380EA6341 MCU, an 8Mbit SPI flash chip labeled T25S80 (likely from ChipSourceTek), and the XR872 SoC running the Skylark SDK. Attempts to read and dump the flash firmware using tools like Flashrom, NeoProgrammer, and ASProgrammer faced challenges due to unrecognized SPI IDs and unreliable read/write operations, especially when the flash chip was in-circuit. Desoldering the flash chip improved read/write reliability. The firmware strings indicate the use of an RTOS and the iLnkP2P protocol for communication. The XR872 SDK (version 2.0 and later 1.2.x) was explored for building and flashing demo applications, including a "hello world" example, which successfully booted on the hardware after flashing via UART using PhoenixMC. Flashing custom firmware requires careful handling of flash erase and protection bits, with some users experiencing verification errors and random write failures. The flash layout includes an AWIH header and OTA partitions, with OTA updates compressed by XZ, raising concerns about fitting OTA images into the 1MB flash. Hardware details such as the presence of a pull-up resistor on the flash hold pin and UART pin configurations (PB02/PB03) were examined. The community also discussed the compatibility of different flash chip sizes (1MB vs 2MB) and the impact on firmware booting and flashing. Some users successfully transplanted firmware to larger flash chips (2MB) to run custom firmware like OpenXR872 (OBK). The discussion includes references to related projects for video stream capture without flashing (cam-reverse) and the challenges of flashing and booting custom firmware on these devices. Overall, the thread provides detailed technical insights into hardware probing, firmware extraction, SDK usage, flashing procedures, and troubleshooting for the XF16-based A9 mini camera variant with XR872 SoC.
Generated by the language model.
Today's popular

FAQ

TL;DR: With 1MB stock flash, many XF16 A9 cameras can be dumped and restored over UART, and one contributor confirmed "OpenXR872 ... boots on 1mb flash" only after fixing the image layout. This FAQ helps XR872/XF16 camera owners back up firmware, understand AWIH partitions, fix PhoenixMC/UART issues, and avoid bad SPI-flash writes. [#21530564]

Why it matters: XF16 A9 cameras look identical externally, but small changes in flash size, OTA layout, console settings, and sensor wiring decide whether firmware boots, flashes, or bricks.

Method What works best Main strengths Main failure mode
PhoenixMC over UART Read/write on XF16/XR872 without opening some A9 units No desoldering; can restore stock dumps Custom builds may lose UART flashing after power cycle if console support is wrong
CH341A + SOIC8 clip Quick first dump attempts Cheap; widely available In-circuit reads often return bad IDs like 1313 or 8E8029
CH341A with desoldered flash Most reliable SPI backup/restore Stable verification; works with replacement chips Some flash chips still fail erase/write unless decoupling is added
Bus Pirate Usually poor choice here Can talk SPI/UART Backfeeds power and often fails chip detection

Key insight: The hardest XF16 problems were not caused by the XR872 core. They came from image layout, OTA header placement, console enablement, and fragile SPI flash behavior on specific 1MB chips.

Quick Facts

  • XF16 boot logs repeatedly report 240000000 Hz CPU, 40000000 Hz HF clock, and XRADIO Skylark SDK builds such as 1.2.0 Jun 20 2024 10:58:31 or 1.2.2 test builds, which makes the platform easy to fingerprint from UART alone. [#21219273]
  • The stock A9 XF16 camera flash is commonly 8 Mbit / 1 MB with IDs such as C74014 or 5E3214, while test replacements that booted OpenXR872 included 2 MB and even 64 Mbit chips. [#21522966]
  • UART flashing can work through the camera’s USB path on some XF16 A9 boards because RX/TX are routed through the USB connector traces; contributors built simple USB-TTL adapters from NodeMCU or CH340 hardware to exploit that. [#21528571]
  • The stock firmware exposes a local AP at 192.168.238.1/24, while OpenXR872 test builds used 192.168.51.1/24 or 192.168.4.1/24, so IP range alone can reveal whether you are in factory or custom firmware. [#21219273]
  • Confirmed XF16 camera-connector tracing mapped SDA/SCL to PA18/PA17, PCLK to PA08, MCLK to PA09, HSYNC to PA10, VSYNC to PA11, and DVP data lines across PA00–PA07. [#21732686]

How can I dump and restore firmware on an XF16 A9 minicam with a T25S80 or C74014 SPI flash chip using a CH341A, clip, or PhoenixMC over UART?

You can dump and restore XF16 firmware either over SPI or over UART. 1. For SPI, clip or desolder the 8-pin flash, then read it with a CH341A in NeoProgrammer, ASProgrammer, or EasyFlasher. 2. For UART, connect through the XF16 USB-routed RX/TX path and use PhoenixMC to read or flash without opening some cameras. 3. Always verify the dump and keep at least one known-good stock backup before testing OpenXR872. One contributor confirmed they clipped directly onto the flash and did not need reset mode first. [#21278253]

Why do some XF16 A9 cameras report strange SPI flash IDs like 1313, 8E8029, C74014, or 5E3214 when reading the flash in-circuit?

Those odd IDs usually mean the in-circuit SPI read is unstable, not that the chip is truly changing identity. The thread showed 1313, 8E8029, and then stable C74014 on the same 1MB camera, while a desoldered read later became consistent and verified correctly. Shared power rails, leakage from the rest of the board, bad clip contact, and marginal CH341A supply decoupling all caused false IDs. A clean off-board read or UART dump was much more trustworthy than an in-circuit first pass. [#21522287]

What is the AWIH header in XR872/XF16 firmware dumps, and how can it help identify image sections like boot, app, app_xip, and wlan_fw?

"AWIH is a firmware image header that marks XR/XF system images, stores image metadata, and helps separate boot, app, XIP, and WLAN sections." In this thread, contributors matched AWIH-tagged section IDs such as 0xa5ff5a00, 0xa5fe5a01, 0xa5fd5a02, 0xa5fa5a05, and 0xa5f95a06 to boot_40M.bin, app.bin, app_xip.bin, wlan_bl.bin, and wlan_fw.bin. Searching a dump for those little-endian markers was enough to start slicing it for Ghidra or manual comparison. [#21589985]

What is iLnkP2P on these A9 and PTZ cameras, and how is it related to the YSX/YSXLite apps and cam-reverse tools?

"iLnkP2P is a peer-to-peer camera transport protocol that carries control and media traffic, identifies devices with UIDs, and lets mobile apps reach cameras through local AP mode or relay servers." These XF16 and PTZ cameras logged IpcP2pStart, device rtuid, and p2pID, then worked with YSX or YSXLite. The same protocol is what cam-reverse and related reversing notes target, including video extraction and CGI-style control. Multiple posts linked the protocol directly to the apps and to the reverse-engineering workflow. [#21353025]

Why did OpenXR872 boot on a 2MB flash chip but initially fail on the stock 1MB flash chip in the XF16 A9 camera?

It failed because the early image layout still assumed space beyond the stock 1MB boundary. The same OpenXR872 image booted when the original dump was transplanted to a 2MB flash chip, but not on the original 1MB flash. That exposed a layout problem rather than a CPU or sensor problem. The boot logs showed image max size is invalid and missing XIP section errors on the 1MB setup, while the 2MB chip could tolerate the oversized placement. [#21525075]

How was the 1MB XF16 boot issue solved by changing the OpenXR872 image configuration and OTA header placement?

The fix was to shrink the effective image layout for 1MB flash and move the OTA header out of the failing location. First, contributors rebuilt with max_size around 880K. Later they proved that a no-OTA image booted on 1MB stock flash, then refined the layout so the OTA header sat at 1020K with 4K size instead of the breaking 1024K arrangement. After that, 1MB XF16 boards booted OpenXR872 normally. As one post put it, “ota was the problem.” [#21530564]

Why does UART flashing through PhoenixMC stop working on some OpenXR872 builds after a power cycle, and how was PRJCONF_CONSOLE_EN involved in fixing it?

UART flashing stopped because the custom build no longer exposed the console command path that PhoenixMC uses after reboot. The breakthrough was enabling #define PRJCONF_CONSOLE_EN 1, which restored the upgrade command path and made Open comm OK ! survive fresh power cycles on 1MB XF16 boards. Before that fix, some builds could still be reflashed only until RAM state was lost, which made the problem look random. After the console option was re-enabled, PhoenixMC download-mode entry became reliable again. [#21536774]

CH341A vs Bus Pirate vs PhoenixMC over UART — which works best for reading and flashing XF16/XR872 camera firmware, and what problems should I expect with each?

PhoenixMC over UART is the best day-to-day method on XF16 once stock firmware or a console-enabled OpenXR872 build is present. CH341A is best for first-rescue backups, off-board writes, and recovery when UART entry is gone. Bus Pirate was the worst performer here: users reported non-detection, backfeeding power, and brief LED power-up when clipped in. CH341A also had pitfalls, especially with sensitive 1MB chips, but it still worked reliably after desoldering or after adding extra capacitance. [#21352083]

How do I enter XR872/XF16 download mode over UART without grounding PB02 or PB03, and what commands does PhoenixMC actually send?

You do it by speaking the stock console protocol, not by forcing strap pins low. PhoenixMC sends the text command upgrade, then repeated U sync bytes; a receptive firmware answers with OK and a BROM response. Later reversing tied that behavior to the XR command handler where cmd_upgrade_exec() reboots with PRCM_CPUA_BOOT_FROM_SYS_UPDATE. That is why stock firmware and console-enabled OpenXR872 can enter download mode over UART without grounding PB02 or PB03 at all. [#21534886]

What does the XRADIO Skylark SDK boot log tell me about an XF16 camera, including CPU clock, flash mode, sensor detection, and network behavior?

The boot log gives you the board fingerprint in one place. It exposes flash mode like [FD I]: mode: 0x4, CPU at 240000000 Hz, HF clock at 40000000 Hz, SDK build date, MAC addresses, sensor probe results such as detect sp0828, and AP behavior such as 192.168.238.1 on stock firmware. It also shows whether the camera starts in AP mode, tries STA mode, fails SD mount, or enters iLnkP2P. For XF16 debugging, the UART log is the fastest way to identify variant, sensor, and failure stage. [#21219273]

How can I build XR872 SDK demos under WSL, and which toolchain and 32-bit libraries are needed to compile hello_demo or jpeg examples successfully?

Builds under WSL worked after installing the older ARM GCC toolchain plus missing 32-bit runtime libraries. The thread used gcc-arm-embedded 4.9-2015-q2-update, then fixed execution errors by installing libc6-i386, lib32z1, and lib32stdc++6. Without those, WSL reported missing loader errors even when the path was correct. Once the 32-bit compatibility packages were installed, make lib and example builds such as hello_demo started compiling normally. [#21522159]

Why do some SPI flash chips like TJ25Q08M, T25S80, or 25QH32CHIG fail erase/write verification in NeoProgrammer or EasyFlasher unless extra capacitance or special handling is used?

These chips appear unusually sensitive to supply stability during SPI writes. The thread documented random verify errors, partial writes, and false erases on desoldered chips until extra capacitance was added directly on the CH341A setup; after that, the same chip verified cleanly. One test with a 25QH32CHIG failed repeatedly, then passed once a capacitor was added across the supply. Some users also had to experiment with protection-register handling, but the strongest repeated fix was better decoupling on the programmer side. [#21709832]

How can I trace the 18-pin FFC camera connector on an XF16 A9 board to map SDA, SCL, DVP data pins, MCLK, HSYNC, VSYNC, and PCLK to XR872 GPIOs?

The cleanest method is continuity tracing plus a pin-toggle test firmware. On the confirmed XF16 A9 mapping, pin 2 is SDA on PA18, pin 3 is SCL on PA17, pin 13 is MCLK on PA09, pin 12 is HSYNC on PA10, pin 11 is VSYNC on PA11, pin 15 is PCLK on PA08, and DVP data runs from PA00–PA07. Contributors validated the map with an 18-pin FFC walker that pulsed each GPIO while a multimeter watched the connector. [#21732686]

Which camera sensors seem to be supported or referenced in XF16/XR872 firmware strings, and how can I start adapting drivers for parts like SP0828, GC0328C, GC0329, or HI0704?

The firmware strings reference many sensors, including ov9660, ov7740, sp2518, gc0310, gc0328, gc0329, hi0704, hi0708, and sp0828. Start by reusing initialization tables and SCCB/I2C setup from the closest supported driver, then confirm the actual sensor with ribbon markings or UART detection logs. For XF16 A9 specifically, sp0828 was repeatedly detected in stock logs, while separate posts confirmed useful initialization arrays existed for hi704-class parts. That makes driver adaptation a sensor-data problem more than a core XR872 problem. [#21547719]

How can I split or parse a stock XF16 firmware dump into PhoenixMC-style partitions for reverse engineering in Ghidra, and where does mkimage fit into that process?

Use the AWIH section markers and the XR image config as your map, then reverse from there. Search the dump for little-endian IDs like 005affa5, 015afea5, 025afda5, 055afaa5, and 065af9a5 to locate boot, app, app_xip, wlan_bl, and wlan_fw boundaries. The SDK’s mkimage.exe is the packer that assembles those partitions into one AWIH image, so it is the right binary to study if you want PhoenixMC-style slicing for Ghidra. The thread specifically identified mkimage.exe as the image-creation step. [#21587062]
Generated by the language model.
ADVERTISEMENT