Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 9564 232

#211 21587274 23 Jun 2025 16:17

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #211
21587274 23 Jun 2025 16:17

Nice, just make sure that XR872 image can still work on 1MB flash. XF16 cameras have it.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#212 21587276 23 Jun 2025 16:23

insmod insmod

Level 24

Helpful post? (0)

Post #212
21587276 23 Jun 2025 16:23

>>21587274
EF and LFS offsets are tailored to 1MB flash. OTA header is moved to 1020K to make sure that 1MB flash still boots, but for those that have more can potentially use OTA in the future.
#213 21587286 23 Jun 2025 16:46

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #213
21587286 23 Jun 2025 16:46

yaaaaay. will test stuff as soon as I can. thank you
#214 21587287 23 Jun 2025 16:51

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #214
21587287 23 Jun 2025 16:51

Did you double check if it works with OTA header outside 1MB space? I seem to remember that somewhere in this thread I concluded that OTA entry for 1MB+space breaks booting on 1MB chips while it still works on 2MB memory.

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#215 21587291 23 Jun 2025 16:55

insmod insmod

Level 24

Helpful post? (0)

Post #215
21587291 23 Jun 2025 16:55

>>21587287
It would break if header is at 1024K. But since it is at 1020K with 4K size, it works fine.
@divadiow already tested this, and it was merged in https://github.com/openshwprojects/OpenXR872/commit/51073378c7002df8a1aab5c5813a95b640992cd8
Helpful post

#216 21587381 23 Jun 2025 18:28

divadiow divadiow

Level 34

Topic author Helpful post? (+1)

Helpful post
Post #216
21587381 23 Jun 2025 18:28

XF16 _xradios_0ee37d864e12

boot to AP and client connect to AP log:
Code: Text
Log in, to see the code

save config OK. wifi joined. startup command, MQTT connected but HA discovery not resulting in any new devices being added. Some of this in logs:
Code: Text
Log in, to see the code

LFS OK and persists through reboot. it's v quick to reboot and join wifi.

PWM on PA21 to control blue LED on this cam PCB works. dimmer works.

full pin list!!! 😁❤❤❤

oh and this is with 1mb. console upgrade interrupt works still in PhoenixMC
#217 21587386 23 Jun 2025 18:34

insmod insmod

Level 24

Helpful post? (0)

Post #217
21587386 23 Jun 2025 18:34

I think you shouldn't try to flash XR806 board.
Or if you do, use 3.3v and not Type-C 5V.
Just now found this thread: https://bbs.aw-ol.com/topic/1124/%E4%B8%A5%E9...AD%90%E4%BC%9A%E7%83%A7%E6%8E%89/3?lang=en-US

Can fry the cpu?
ADVERTISEMENT
#218 21587388 23 Jun 2025 18:38

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #218
21587388 23 Jun 2025 18:38

divadiow wrote:
MQTT connected but HA discovery not resulting in any new devices being added

well that took an age and many reboots/discoveries. I'll restart my HA, but it's not usually sluggish.

Added after 3 [minutes]:

>>21587386

ah thank you. that explains what happened to my first board then!

I can use WXU still
#219 21587395 23 Jun 2025 18:40

insmod insmod

Level 24

Helpful post? (0)

Post #219
21587395 23 Jun 2025 18:40

False alarm, it seems that since 1.2.1 (we use 1.2.2) LDO is used by default, while that problem was when DCDC was used.
Topic mentions 1.2, not 1.2.0 and i assumed that it is still a problem.
#220 21587400 23 Jun 2025 18:43

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #220
21587400 23 Jun 2025 18:43

phew OK. I'm trying to remember something. I think I left AllWinner board running OBK all night a few weeks ago. hmm
#221 21587644 23 Jun 2025 23:12

johndoudou johndoudou

Level 3
Helpful post? (0)

Post #221
21587644 23 Jun 2025 23:12

p.kaczmarek2 wrote:

Image is created that way:
Code: text Expand Select all Copy to clipboard
E:projectIOTtoolsxr-mkimageRelease>mkimage.exe

so you would want mkimage source

If that tool is responsible to assemble the different partitions into a bin file starting with AWIH, yes we need to reverse it
#222 21587646 23 Jun 2025 23:15

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #222
21587646 23 Jun 2025 23:15

You can load it in Ghidra to see how files are processed:

Just one question - why? What is your goal here?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
ADVERTISEMENT
#223 21587748 24 Jun 2025 07:32

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #223
21587748 24 Jun 2025 07:32

>>21587395
I do note however that the AllWinner XR806 board came with
Code: Text
Log in, to see the code

https://github.com/openshwprojects/FlashDumps...R806AF2L_BaseboardV1.0_Dev_Board-divadiow.bin

could that just mean code can be toggled to use DCDC/LDO but maybe SDK default changed?

Added after 12 [minutes]:

Code: Text
Log in, to see the code

https://github.com/divadiow/xr806_sdk/blob/f7...aab4dd18c7b947c2f261/ChangeLog.md?plain=1#L57
#224 21588441 24 Jun 2025 20:05

johndoudou johndoudou

Level 3

Helpful post? (0)

Post #224
21588441 24 Jun 2025 20:05

>>21587646

Thanks, I want to start reverse engineering the content of the stock firmware to find all accepted "commands" by the camera (on/off, record video to SD card, AP/client mode etc.)
I saw that there are different "apps" inside a firmware: boot, app, app_xip, wlan_bl, wlan_fw, wlan_sdd
https://obrazki.elektroda.pl/7685058500_1744977818_bigthumb.jpg

So we need first to "slice" the stock firmware bin to then start reverse-engineer interesting apps.
#225 21588563 24 Jun 2025 21:51

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #225
21588563 24 Jun 2025 21:51

in attachment - example parts from xr872 demo build - might help seeing what's in each when compared to the whole?
https://www.elektroda.com/rtvforum/topic4074636-30.html#21523102
#226 21589963 26 Jun 2025 11:12

johndoudou johndoudou

Level 3

Helpful post? (0)

Post #226
21589963 26 Jun 2025 11:12

>>21588563

Thanks, maybe it can help!
#227 21589985 26 Jun 2025 19:53

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #227
21589985 26 Jun 2025 19:53

also. if you search a dump for each of those hex values in little-endian format

Code: Text
Log in, to see the code

=
Code: Text
Log in, to see the code

Added after 8 [hours] 21 [minutes]:

>>21581680

here she is

can't get anyone to send me the damned datasheet and I can't find it. the closest is the newer Aimachip S710 https://docs.aimachip.com/zh-cn/latest/_stati...%E8%AE%BE%E8%AE%A1%E6%8C%87%E5%AF%BC-V1.3.pdf

probably overkill, but this would be easier/nicer
#228 21590642 26 Jun 2025 21:51

insmod insmod

Level 24
Helpful post? (0)

Post #228
21590642 26 Jun 2025 21:51

I flashed my XR872 board via SPI.
HTTP OTA worked for me.
Used MAC and OBK MAC are different
Code: text Expand Select all Copy to clipboard
mac address: efuse : 18:9e:2d:xx:xx:xx in use : f8:15:49:xx:xx:xx

In openwrt i see mac "in use", in OBK i see efuse mac.
#229 21590655 26 Jun 2025 21:59

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #229
21590655 26 Jun 2025 21:59

How do you flash XR via SPI?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#230 21590660 26 Jun 2025 22:02

insmod insmod

Level 24

Helpful post? (0)

Post #230
21590660 26 Jun 2025 22:02

>>21590655
CH341a to flash chip via clip
Helpful post

#231 21590664 27 Jun 2025 20:01

divadiow divadiow

Level 34
Topic author Helpful post? (+1)

Helpful post
Post #231
21590664 27 Jun 2025 20:01

2MB XF16. HTTP _xradios_f3bf9e1b0ede -> _xradios_30beb8223658 ✅
Code: Text
Log in, to see the code

Added after 3 [minutes]:

Code: Text
Log in, to see the code

Added after 10 [hours] 36 [minutes]:

AM-01-S610 module - 8mb GigaDevice GD25Q64CSIG. Flash shipped blank.

OpenXR872 first boot.
Code: Text
Log in, to see the code

not sure what this other little 32-pin chip is yet

Added after 11 [hours] 16 [minutes]:

>>21575844

slowly. GPIOs are obviously easier than all the non-GPIO. Anyone see any pins that are obviously/probably x pin because of what it's connected to that I haven't marked yet?

Also interesting to see how similar it is to the XR872AT

Attachments:

XF16_tracings_WIP.jpg Download (5.51 MB)
#232 21591822 28 Jun 2025 07:41

divadiow divadiow

Level 34

Topic author Helpful post? (0)

Post #232
21591822 28 Jun 2025 07:41

divadiow wrote:
not sure what this other little 32-pin chip is yet

YC1021 YiChip bluetooth
#233 21592614 29 Jun 2025 08:35

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #233
21592614 29 Jun 2025 08:35

How is it connected to XR? Here's datasheet first page

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Topic summary

The discussion revolves around a variation of the A9 minicam featuring the XF16 PB380EA6341 MCU and T25S80 SPI Flash. The user shares insights on the firmware and hardware components, noting that the flash chip is an 8mbit model. There are mentions of difficulties in identifying the SPI ID C74014 using Flashrom, NeoProgrammer, and ASProgrammer, with some success in dumping the firmware. Additional posts highlight network activity, including the camera reaching out to specific IPs, and provide links to related resources and sample video captures.
Summary generated by the language model.