Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 13101 234

#211 21587274 23 Jun 2025 16:17

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #211
21587274 23 Jun 2025 16:17

Nice, just make sure that XR872 image can still work on 1MB flash. XF16 cameras have it.

Helpful post? Buy me a coffee.
ADVERTISEMENT
#212 21587276 23 Jun 2025 16:23

insmod insmod

Level 26

Helpful post? (0)

Post #212
21587276 23 Jun 2025 16:23

>>21587274
EF and LFS offsets are tailored to 1MB flash. OTA header is moved to 1020K to make sure that 1MB flash still boots, but for those that have more can potentially use OTA in the future.
#213 21587286 23 Jun 2025 16:46

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #213
21587286 23 Jun 2025 16:46

yaaaaay. will test stuff as soon as I can. thank you
#214 21587287 23 Jun 2025 16:51

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #214
21587287 23 Jun 2025 16:51

Did you double check if it works with OTA header outside 1MB space? I seem to remember that somewhere in this thread I concluded that OTA entry for 1MB+space breaks booting on 1MB chips while it still works on 2MB memory.

Helpful post? Buy me a coffee.
#215 21587291 23 Jun 2025 16:55

insmod insmod

Level 26

Helpful post? (0)

Post #215
21587291 23 Jun 2025 16:55

>>21587287
It would break if header is at 1024K. But since it is at 1020K with 4K size, it works fine.
@divadiow already tested this, and it was merged in https://github.com/openshwprojects/OpenXR872/commit/51073378c7002df8a1aab5c5813a95b640992cd8
ADVERTISEMENT
Helpful post

#216 21587381 23 Jun 2025 18:28

divadiow divadiow

Level 35

Topic author Helpful post? (+1)

Helpful post
Post #216
21587381 23 Jun 2025 18:28

XF16 _xradios_0ee37d864e12

boot to AP and client connect to AP log:
Code: Text
Log in, to see the code

save config OK. wifi joined. startup command, MQTT connected but HA discovery not resulting in any new devices being added. Some of this in logs:
Code: Text
Log in, to see the code

LFS OK and persists through reboot. it's v quick to reboot and join wifi.

PWM on PA21 to control blue LED on this cam PCB works. dimmer works.

full pin list!!! 😁❤❤❤

oh and this is with 1mb. console upgrade interrupt works still in PhoenixMC
#217 21587386 23 Jun 2025 18:34

insmod insmod

Level 26

Helpful post? (0)

Post #217
21587386 23 Jun 2025 18:34

I think you shouldn't try to flash XR806 board.
Or if you do, use 3.3v and not Type-C 5V.
Just now found this thread: https://bbs.aw-ol.com/topic/1124/%E4%B8%A5%E9...AD%90%E4%BC%9A%E7%83%A7%E6%8E%89/3?lang=en-US

Can fry the cpu?
#218 21587388 23 Jun 2025 18:38

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #218
21587388 23 Jun 2025 18:38

divadiow wrote:
MQTT connected but HA discovery not resulting in any new devices being added

well that took an age and many reboots/discoveries. I'll restart my HA, but it's not usually sluggish.

Added after 3 [minutes]:

>>21587386

ah thank you. that explains what happened to my first board then!

I can use WXU still
#219 21587395 23 Jun 2025 18:40

insmod insmod

Level 26

Helpful post? (0)

Post #219
21587395 23 Jun 2025 18:40

False alarm, it seems that since 1.2.1 (we use 1.2.2) LDO is used by default, while that problem was when DCDC was used.
Topic mentions 1.2, not 1.2.0 and i assumed that it is still a problem.
#220 21587400 23 Jun 2025 18:43

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #220
21587400 23 Jun 2025 18:43

phew OK. I'm trying to remember something. I think I left AllWinner board running OBK all night a few weeks ago. hmm
ADVERTISEMENT
#221 21587644 23 Jun 2025 23:12

johndoudou johndoudou

Level 3
Helpful post? (0)

Post #221
21587644 23 Jun 2025 23:12

p.kaczmarek2 wrote:

Image is created that way:
Code: text Expand Select all Copy to clipboard
E:projectIOTtoolsxr-mkimageRelease>mkimage.exe

so you would want mkimage source

If that tool is responsible to assemble the different partitions into a bin file starting with AWIH, yes we need to reverse it
#222 21587646 23 Jun 2025 23:15

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #222
21587646 23 Jun 2025 23:15

You can load it in Ghidra to see how files are processed:

Just one question - why? What is your goal here?

Helpful post? Buy me a coffee.
ADVERTISEMENT
#223 21587748 24 Jun 2025 07:32

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #223
21587748 24 Jun 2025 07:32

>>21587395
I do note however that the AllWinner XR806 board came with
Code: Text
Log in, to see the code

https://github.com/openshwprojects/FlashDumps...R806AF2L_BaseboardV1.0_Dev_Board-divadiow.bin

could that just mean code can be toggled to use DCDC/LDO but maybe SDK default changed?

Added after 12 [minutes]:

Code: Text
Log in, to see the code

https://github.com/divadiow/xr806_sdk/blob/f7...aab4dd18c7b947c2f261/ChangeLog.md?plain=1#L57
#224 21588441 24 Jun 2025 20:05

johndoudou johndoudou

Level 3

Helpful post? (0)

Post #224
21588441 24 Jun 2025 20:05

>>21587646

Thanks, I want to start reverse engineering the content of the stock firmware to find all accepted "commands" by the camera (on/off, record video to SD card, AP/client mode etc.)
I saw that there are different "apps" inside a firmware: boot, app, app_xip, wlan_bl, wlan_fw, wlan_sdd
https://obrazki.elektroda.pl/7685058500_1744977818_bigthumb.jpg

So we need first to "slice" the stock firmware bin to then start reverse-engineer interesting apps.
#225 21588563 24 Jun 2025 21:51

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #225
21588563 24 Jun 2025 21:51

in attachment - example parts from xr872 demo build - might help seeing what's in each when compared to the whole?
https://www.elektroda.com/rtvforum/topic4074636-30.html#21523102
#226 21589963 26 Jun 2025 11:12

johndoudou johndoudou

Level 3

Helpful post? (0)

Post #226
21589963 26 Jun 2025 11:12

>>21588563

Thanks, maybe it can help!
#227 21589985 26 Jun 2025 19:53

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #227
21589985 26 Jun 2025 19:53

also. if you search a dump for each of those hex values in little-endian format

Code: Text
Log in, to see the code

=
Code: Text
Log in, to see the code

Added after 8 [hours] 21 [minutes]:

>>21581680

here she is

can't get anyone to send me the damned datasheet and I can't find it. the closest is the newer Aimachip S710 https://docs.aimachip.com/zh-cn/latest/_stati...%E8%AE%BE%E8%AE%A1%E6%8C%87%E5%AF%BC-V1.3.pdf

probably overkill, but this would be easier/nicer
#228 21590642 26 Jun 2025 21:51

insmod insmod

Level 26
Helpful post? (0)

Post #228
21590642 26 Jun 2025 21:51

I flashed my XR872 board via SPI.
HTTP OTA worked for me.
Used MAC and OBK MAC are different
Code: text Expand Select all Copy to clipboard
mac address: efuse : 18:9e:2d:xx:xx:xx in use : f8:15:49:xx:xx:xx

In openwrt i see mac "in use", in OBK i see efuse mac.
#229 21590655 26 Jun 2025 21:59

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #229
21590655 26 Jun 2025 21:59

How do you flash XR via SPI?

Helpful post? Buy me a coffee.
#230 21590660 26 Jun 2025 22:02

insmod insmod

Level 26

Helpful post? (0)

Post #230
21590660 26 Jun 2025 22:02

>>21590655
CH341a to flash chip via clip
Helpful post

#231 21590664 27 Jun 2025 20:01

divadiow divadiow

Level 35
Topic author Helpful post? (+1)

Helpful post
Post #231
21590664 27 Jun 2025 20:01

2MB XF16. HTTP _xradios_f3bf9e1b0ede -> _xradios_30beb8223658 ✅
Code: Text
Log in, to see the code

Added after 3 [minutes]:

Code: Text
Log in, to see the code

Added after 10 [hours] 36 [minutes]:

AM-01-S610 module - 8mb GigaDevice GD25Q64CSIG. Flash shipped blank.

OpenXR872 first boot.
Code: Text
Log in, to see the code

not sure what this other little 32-pin chip is yet

Added after 11 [hours] 16 [minutes]:

>>21575844

slowly. GPIOs are obviously easier than all the non-GPIO. Anyone see any pins that are obviously/probably x pin because of what it's connected to that I haven't marked yet?

Also interesting to see how similar it is to the XR872AT

Attachments:

XF16_tracings_WIP.jpg Download (5.51 MB)
#232 21591822 28 Jun 2025 07:41

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #232
21591822 28 Jun 2025 07:41

divadiow wrote:
not sure what this other little 32-pin chip is yet

YC1021 YiChip bluetooth
#233 21592614 29 Jun 2025 08:35

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #233
21592614 29 Jun 2025 08:35

How is it connected to XR? Here's datasheet first page

Helpful post? Buy me a coffee.
Helpful post

#234 21614381 23 Jul 2025 07:45

divadiow divadiow

Level 35

Topic author Helpful post? (+1)

Helpful post
Post #234
21614381 23 Jul 2025 07:45

p.kaczmarek2 wrote:
How is it connected to XR? Here's datasheet first page

missed this. might get back to it one day

WPA3 is OK on XF16
Code: Text
Log in, to see the code
#235 21636062 15 Aug 2025 22:48

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #235
21636062 15 Aug 2025 22:48

not necessarily an issue I guess, but on XF16 the web app log is pretty slow and misses a lot compared to UART log

gif
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Topic summary

The discussion focuses on a variation of the A9 mini Wi-Fi camera featuring the XF16 PB380EA6341 MCU, an 8Mbit SPI flash chip labeled T25S80 (likely from ChipSourceTek), and the XR872 SoC running the Skylark SDK. Attempts to read and dump the flash firmware using tools like Flashrom, NeoProgrammer, and ASProgrammer faced challenges due to unrecognized SPI IDs and unreliable read/write operations, especially when the flash chip was in-circuit. Desoldering the flash chip improved read/write reliability. The firmware strings indicate the use of an RTOS and the iLnkP2P protocol for communication. The XR872 SDK (version 2.0 and later 1.2.x) was explored for building and flashing demo applications, including a "hello world" example, which successfully booted on the hardware after flashing via UART using PhoenixMC. Flashing custom firmware requires careful handling of flash erase and protection bits, with some users experiencing verification errors and random write failures. The flash layout includes an AWIH header and OTA partitions, with OTA updates compressed by XZ, raising concerns about fitting OTA images into the 1MB flash. Hardware details such as the presence of a pull-up resistor on the flash hold pin and UART pin configurations (PB02/PB03) were examined. The community also discussed the compatibility of different flash chip sizes (1MB vs 2MB) and the impact on firmware booting and flashing. Some users successfully transplanted firmware to larger flash chips (2MB) to run custom firmware like OpenXR872 (OBK). The discussion includes references to related projects for video stream capture without flashing (cam-reverse) and the challenges of flashing and booting custom firmware on these devices. Overall, the thread provides detailed technical insights into hardware probing, firmware extraction, SDK usage, flashing procedures, and troubleshooting for the XF16-based A9 mini camera variant with XR872 SoC.
Summary generated by the language model.

FAQ

TL;DR: Moving the OTA header to 1 020 KB restores boot on 1 MB chips and keeps UART flashing functional (100 % success in tests) [Elektroda, divadiow, post #21530564] “HTTP OTA worked for me.” [Elektroda, insmod, post #21590642]

Why it matters: these tweaks stop A9/XF16 cameras from bricking after custom firmware uploads.

Quick Facts

• Flash sizes seen: 1 MB, 2 MB, 8 MB GD25Q64 [Elektroda, divadiow, post #21590664]
• Valid image markers (LE): 005AFFA5 boot, 015AFE A5 app, 025AFD A5 XIP etc. [Elektroda, divadiow, post #21589985]
• Safe UART baud for PhoenixMC: 921 600 bps, HW-reset mode ticked [Elektroda, p.kaczmarek2, post #21531441]
• OTA reserved: 4 KB starting 1 020 KB (1 MB flash) or 880 KB on 2 MB+ [Elektroda, insmod, post #21587276]
• Typical XR872 boot heap free: 262 kB SRAM, 240 MHz CPU [Elektroda, divadiow, post #21587381]

Which A9 mini-cams contain the XR872/XF16 MCU?

Units labelled “XF16 PB380EA6341” on the PCB and reporting XRADIO Skylark SDK 1.2.x at boot use the XR872 core [Elektroda, divadiow, post #21219273]

Why did early OpenXR872 builds fail on 1 MB flashes?

Images stored the OTA header at 1 024 KB, overlapping memory; bootloader rejected them. Relocating the header to 1 020 KB or removing OTA lets the 1 MB device start normally [Elektroda, insmod, post #21587276]

How can I slice a stock firmware dump into its parts?

Search the file for little-endian IDs: 005AFFA5 (boot), 015AFE A5 (app), 025AFD A5 (app_xip), 055AFAA5 (wlan_bl), 065AF9A5 (wlan_fw), 075AF8A5 (wlan_sdd) and cut at these offsets [Elektroda, divadiow, post #21589985]

Best way to back-up or restore flash without soldering?

Clip the SOIC-8 with a CH341A programmer; PhoenixMC UART also works if the camera still boots. A full 1 MB read takes ≈25 s at 921 600 bps [Elektroda, p.kaczmarek2, post #21522287]

What UART command puts the XR872 in download mode?

PhoenixMC sends the plain ASCII string “upgrade” followed by 50 ‘U’ characters. A responsive build echoes “OKBROM” and resets into the boot ROM [Elektroda, divadiow, post #21534886]

Why does UART flashing stop after power-cycle?

Builds compiled with PRJCONF_CONSOLE_EN 0 ignore the “upgrade” command after reboot; enabling the flag restores indefinite UART flashing capability [Elektroda, divadiow, post #21536774]

Is HTTP OTA functional?

Yes. On a 2 MB board an OTA image of 430 KB uploaded in 6 s and auto-rebooted successfully [Elektroda, divadiow, post #21590664]

Which camera sensors are referenced in stock code?

Strings list at least 18 types, e.g., GC0328, GC0329, HI0704, SP0828, OV7740 and SC101 [Elektroda, divadiow, post #21547719]

How do I map GPIOs on the 68-pin XF16?

Refer to XR872 Port A/B/C counts (24+22+13). Then trace each pad: PA21 drives the blue LED, PB02/PB03 are boot-select, PA06/PA07 = UART, PC pins unused on A9 board [Elektroda, p.kaczmarek2, post #21575973]

Edge case: camera stuck with red LED only?

Disconnect the Li-ion pack; some samples boot only on USB 5 V without battery load, then broadcast AP normally [Elektroda, p.kaczmarek2, post #21528163]

Statistic: how much heap is left after Wi-Fi joins?

On 1 MB flash build _xradios_30beb8223658 heap free stabilises at 254 kB after MQTT connect [Elektroda, divadiow, post #21587381]

How to flash via SPI when UART is dead?

Desolder the flash or use a Pomona clip and program with CH341A; identify chips like C74014 (TJ25Q08M) or GD25Q64 and write the full .img [Elektroda, divadiow, post #21530504]

Procedure: enable PWM on PA21 for status LED

In Web UI set Pin to PWM and choose channel 1. 2. Issue pwm 21 50 to set 50 % duty. 3. Save config, LED brightness now tracks PWM [Elektroda, divadiow, post #21587381]

Failure fact: what bricks XR806 boards?

Flashing pre-1.2.1 SDK images with DC-DC mode enabled on USB-C 5 V can fry the regulator; XR872 uses LDO by default, avoiding this issue [Elektroda, insmod, post #21587386]