Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 10575 232
  • #61 21523107
    p.kaczmarek2
    Moderator Smart Home
    This is what the code should do (hello_demo example):

    A fragment of C code that prints Hello world! in a loop.
  • #62 21523144
    divadiow
    Level 34  
    second bin gives me this again


    at that point my needle on TX slipped off. I'd like to flash it again to be 100% sure. de-soldering chip every time sucks. could do with a zif mod

    also, I'd like to try grounding these to see if they're PB02/PB03 (assuming uart download mode is same as XR872):
    Close-up of a PCB with an XF16 chip and four signal pads highlighted by a red border.

    for comparison. 2nd demo build vs original dump
    Screenshot of the PhoenixMC tool showing the configuration for flashing the xr_system.img file to an XR872 device.
    Screenshot of the PhoenixMC tool showing firmware sections and details while selecting a .bin file for device flashing.

    Added after 20 [minutes]:

    hmm. tried again. full log from second demo build
  • #63 21523166
    p.kaczmarek2
    Moderator Smart Home
    I shorted your two pads to GND - I get synchron errors.
    I disconnected them from GND. And then I got - how?
    Screenshot showing the PhoenixMC program interface and a folder with debugging tools files.

    Screenshot of the XV132 hex editor with an open binary file and active Data Inspector window.

    Added after 42 [seconds]:



    PhoenixMC software window for Flash memory operations and list of COM ports.
  • #64 21523171
    divadiow
    Level 34  
    lol. nice. I was just in the process of doing that too. I guess they are PB02/03 or something

    Added after 3 [minutes]:

    first I need a better UART connection. I just noticed the traces and now I know what your USB/uart flash cable was about

    Micro USB connector soldered to a green PCB with visible pins and burn marks near the pins.
  • #65 21523179
    p.kaczmarek2
    Moderator Smart Home
    Wait, I don't even remember now - those PB pads should be held low (ground) at reboot and then released, and then you can flash? Or should they be held all the time low during flash? It seems they should be released.
    Here's what I read:
  • #66 21523182
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    Or should they be held all the time low during flash?

    well, XR809 and XR806 we've been keeping low and it's fine. but maybe XF16 is different.

    This is in XR872 DS

    Table showing bootstrap modes and associated pins with descriptions for PA23 and PB02, PB03.
  • #67 21523185
    p.kaczmarek2
    Moderator Smart Home
    EDIT: I have PB pads shorted together, but not to ground. I disconnected totally USB power, reconnected it, and I can still flash....
    but I also get SSID if I don't attempt to flash:
    Wi-Fi icon and the network name BATA825001CKETR on a light background.

    Maybe... maybe phoenixMC sends via UART something to enable flash mode programmatically?

    Added after 1 [minutes]:

    I opened PhoenixMC again, it did "Open comm OK" and AP is gone, and I can flash.

    So.... it can flash without user intervention? I wonder what will happen if I flash my binary now.... will it keep the ability to flash without external reset/stuff...

    Added after 1 [minutes]:

    Trying to flash:


    PhoenixMC software interface while loading firmware file to a microcontroller on COM3 port, with 10% progress.
  • #68 21523188
    divadiow
    Level 34  
    p.kaczmarek2 wrote:
    I opened PhoenixMC again, it did "Open comm OK" and AP is gone, and I can flash.


    What the heck. This whole time...
  • #69 21523195
    p.kaczmarek2
    Moderator Smart Home
    We would need to check if PhoenixMC sends something via UART to let the chip know that it wants program mode.

    Flashed.
    Screenshot of PhoenixMC software used for firmware upgrades via COM ports; operation completed successfully.

    Added after 45 [seconds]:

    Still can open com after flash?
    Screenshot of software windows for communication with devices via COM ports and flash memory operations.

    Added after 2 [minutes]:

    
    
    platform information ===============================================
    XRADIO Skylark SDK 1.2.2 Apr 17 2025 14:29:49
    
    sram heap space [0x21545c, 0x26dc00), total size 362404 Bytes
    cpu  clock 240000000 Hz
    HF   clock  40000000 Hz
    
    sdk option:
        XIP           : enable
        INT LF OSC    : enable
    
    mac address:
        efuse         : 18:9e:2d:81:89:ce
        in use        : 38:0a:8d:47:2b:71
    ====================================================================
    
    Hello world! @ 10131 sec
    Hello world! @ 20131 sec
    Hello world! @ 30131 sec
    Hello world! @ 40131 sec
    Hello world! @ 50131 sec
    Hello world! @ 60131 sec
    
  • #70 21523203
    divadiow
    Level 34  
    yay. me too
    Screenshot of PhoenixMC software updating firmware on a device connected via COM50 port. Progress bar at 28%.
    Warning dialog window in phoenixMC with BROM version and flash ID information.

    Added after 2 [minutes]:

    no uart log for me. hmm.
  • #71 21523211
    p.kaczmarek2
    Moderator Smart Home
    Are you sure? It has a 10 seconds delay (chosen by XRadio). Only for patient users.
    Console with C project build errors, showing detailed error messages during compilation.
  • #72 21523230
    divadiow
    Level 34  
    so weird. waiting for a while. i can flash A9 dump back and that boots and outputs without issue.
  • #74 21523305
    divadiow
    Level 34  
    Yep. I do all the usual power discharge troubleshooting steps. Odd factory firmware boots ok though and UART logs as expected. I soldered other flash to it too.

    I've stopped for now. Will come back to it.

    Are you porting OBK right now? 😁🥳
  • #75 21523309
    p.kaczmarek2
    Moderator Smart Home
    I'm trying and I just discovered that if I flash broken binary, then I can't flash via PhoenixMC anymore.
  • #76 21523337
    divadiow
    Level 34  
    hmm. what was on your flash when you first uart flashed build and it booted? Was it factory flashed back in Neo? And had you switched back to 1mb chip or is all this on 2mb?
  • #77 21523347
    p.kaczmarek2
    Moderator Smart Home
    I flashed original 1MB to 2MB flash chip and it works with that flash chip. UART bootloader works as long as working XR872 project is flashed (original firmware or hello world from SDK)


    So many problems...
    Wi-Fi signal icon and network name OpenXR872_00000000 on a light background.

    Added after 10 [minutes]:

    Screenshot from RealTerm program displaying network device initialization logs and Wi-Fi connection attempts.
    I get -3 here:
    
    
       err = OS_ThreadCreate(thread,
                          name,
                          function,
                          arg,
                          new_priority,
                          stack_size);
    

    Invalid parameter, huh?
    
    typedef enum {
       OS_OK           = 0,    /* success */
       OS_FAIL         = -1,   /* general failure */
       OS_E_NOMEM      = -2,   /* out of memory */
       OS_E_PARAM      = -3,   /* invalid parameter */
       OS_E_TIMEOUT    = -4,   /* operation timeout */
       OS_E_ISR        = -5,   /* not allowed in ISR context */
    } OS_Status;
    


    Added after 10 [minutes]:

    i suspect configTOTAL_HEAP_SIZE

    Added after 9 [minutes]:

    There are two RTOS to choose:
    
    ifeq ($(__CONFIG_OS_FREERTOS), y)
    #   - 80203: FreeRTOS 8.2.3
    #   - 100201: FreeRTOS 10.2.1
    __CONFIG_OS_FREERTOS_VER ?= 100201
    endif
    
    


    Added after 7 [minutes]:


    OpenXR872 control panel with four large buttons: Config, Restart, Launch Web Application, and About. Shows XR872 device status.
  • #78 21523384
    divadiow
    Level 34  
    😁👏😁 good stuff
  • #79 21523387
    p.kaczmarek2
    Moderator Smart Home
    can you check? 192.168.51.1
  • #80 21523389
    divadiow
    Level 34  
    Ah. I'd love to but I can't now until tomorrow afternoon 😭

    Added after 1 [hours] 22 [minutes]:

    curious about how the pins will work with XF16 being QFN68 and XR872AT being QFN52 and XR872ET being QFN40. We don't have a datasheet for XF16 yet.
  • #81 21523463
    p.kaczmarek2
    Moderator Smart Home
    No idea, for now I've added Github builds:
    A list of successful app builds on GitHub Actions platform.
    but much is still missing, we don't even have config save.

    Added after 46 [minutes]:

    config save works

    Console with yellow text on black background showing Wi-Fi connection logs for an embedded device.

    Added after 1 [hours] 20 [minutes]:

    I am investigating OTA currently:

    A fragment of the project.mk file with makefile code, showing conditions related to OTA configuration.

    
    > localconfig.mk:
    > * __CONFIG_XIP: optional, configures whether the XIP feature is enabled
    > * __CONFIG_OTA: optional, configures whether the OTA feature is enabled
    


    Added after 14 [minutes]:

    but how will OTA fit into 1MB...
  • #82 21523641
    divadiow
    Level 34  
    Sorry I can't test anything at the moment.

    This is all very good.

    Does what you're discovering also make XR806 easier whenever that can be attacked again?

    Added after 11 [minutes]:

    p.kaczmarek2 wrote:
    but how will OTA fit into 1MB

    I wonder if A9 factory XF16 layout allows for OTA. I seem to recall A9s offering fw updates in the Ysx app, but maybe that was the Taixin variety 🤔
  • #83 21523744
    p.kaczmarek2
    Moderator Smart Home
    divadiow wrote:

    Does what you're discovering also make XR806 easier whenever that can be attacked again?

    I don't think so, as far as I remember I managed to boot XR806 OBK correctly but it was failing to connect to WiFi. I may try to revisit that soon if there is further demand.

    In case of this XR872, I haven't run into the wall yet.

    It's just that OTA worries me. I can clearly see that this SDK has ota compressed by XZ just like BL602 does, but it still doesn't change the fact that OTA requires us to fit like almost a second whole image in the flash....

    Maybe we can investigate: https://github.com/search?q=repo%3Aopenshwprojects%2FOpenXR872%20OTA&type=code

    ota_update_image_process seems to be doing update
    Hm

    Is this OTA buffer?

    I'm not sure yet where they write this OTA image - at which flash offset.

    Added after 2 [minutes]:


    A fragment of C code from sysinfo.c, showing conditional statements and preprocessor directives.
    A fragment of the image_etf.cfg configuration file with conditional code related to OTA policy.

    Added after 36 [minutes]:

    out of curiosity, I ran xr806 compilation and it has OTA space in partitions layout:


    Screenshot of a terminal with code compilation and flash memory configuration for the XR806 project.
  • #84 21524574
    divadiow
    Level 34  
    this is still weird for me. flashed to factory using CH341A then UART OpenXR872 and no boot. odd
  • #85 21524768
    p.kaczmarek2
    Moderator Smart Home
    Let's test more.
    So I have this page:
    Screenshot of the OpenXR872 device control panel with buttons for configuration, restart, launching web application, and device information.
    I have only USB to UART connected.
    I open PhoenixMC and try to flash original firmware:
    Screenshot of PhoenixMC software showing firmware file details and COM ports list.
    PhoenixMC software window flashing a binary image to flash memory via COM3 port, with 10% progress.
    Screenshot of PhoenixMC software showing a completed firmware upgrade process and a partition list.
    I do reboot:
    Window of a flash memory operation program with various read, write, and system management options.
    I got factory firmware AP and fast led blink, ok:
    Wi-Fi signal icon with the text BATA825001CKETR on a light background.
    Ok, now I try to flash firmware I compiled myself (It's OBK, I put it in hello demo project):
    Window of the PhoenixMC software used for updating XR872 microcontroller firmware, with the process completed at 100%.
    It flashes:
    Screenshot of PhoenixMC software during firmware update process via COM port.
    I reboot:
    A software window for flash memory operations with buttons for reading, writing, and device reboot.
    I get OBK AP:
    Wi-Fi signal icon and the text OpenXR872_00000000 on a white background.
    Conclusion: I can reboot and flash just via USB connector RX and TX, didn't have to repower or reattach anything.

    Extra test:
    Screenshot of the PhoenixMC software updating firmware on a device via COM port.
    reboot

    A tool window for flash memory operations with buttons for reading, writing, erasing, and address input fields.
    it works
    Web interface screen of the OpenXR872 device with control buttons visible.

    Conclusions:
    - all is done via phoenix mc, no reattaching wires needed, no cycling, etc
    - i can easily switch between online build, original fw and my local build

    Questions?

    Added after 32 [seconds]:

    Remember that I am using a reliable dump that I took with IC desoldered.
  • #86 21524776
    divadiow
    Level 34  
    yep. all the same for me. Even my old backups of A9 from last year boot, just not OpenXR872. I am using same version of PhoenixMC, same settings in debug as you. flashing always starts OK and completes. I've desoldered flash to put factory back on then UART over the top.

    Added after 43 [seconds]:

    Maybe I should find 100k resistor for 1st cam and repair that. I just don't see why this isn't booting for me.
  • #87 21524778
    p.kaczmarek2
    Moderator Smart Home
    The one i used.
  • #88 21524781
    divadiow
    Level 34  
    yep. that boots fine after flashing and I get BATxxx AP

    Screenshot showing the process of programming flash memory using PhoenixMC tool and a terminal window with network system startup logs.

    I am flashing via soldered wires

    A printed circuit board with connected wires, a micro USB port, and an SD card slot.
  • #89 21524787
    p.kaczmarek2
    Moderator Smart Home
    So now you have to.... remove the incorrect flash dumps from our repository, I guess?

    That's why I specifically took yet another backup after desoldering the Flash chip from the circuit. I was worried that it might come to this.
  • #90 21524791
    divadiow
    Level 34  
    I'm not sure I follow. the factory A9 dumps boot fine...

Topic summary

The discussion focuses on a variation of the A9 mini Wi-Fi camera featuring the XF16 PB380EA6341 MCU, an 8Mbit SPI flash chip labeled T25S80 (likely from ChipSourceTek), and the XR872 SoC running the Skylark SDK. Attempts to read and dump the flash firmware using tools like Flashrom, NeoProgrammer, and ASProgrammer faced challenges due to unrecognized SPI IDs and unreliable read/write operations, especially when the flash chip was in-circuit. Desoldering the flash chip improved read/write reliability. The firmware strings indicate the use of an RTOS and the iLnkP2P protocol for communication. The XR872 SDK (version 2.0 and later 1.2.x) was explored for building and flashing demo applications, including a "hello world" example, which successfully booted on the hardware after flashing via UART using PhoenixMC. Flashing custom firmware requires careful handling of flash erase and protection bits, with some users experiencing verification errors and random write failures. The flash layout includes an AWIH header and OTA partitions, with OTA updates compressed by XZ, raising concerns about fitting OTA images into the 1MB flash. Hardware details such as the presence of a pull-up resistor on the flash hold pin and UART pin configurations (PB02/PB03) were examined. The community also discussed the compatibility of different flash chip sizes (1MB vs 2MB) and the impact on firmware booting and flashing. Some users successfully transplanted firmware to larger flash chips (2MB) to run custom firmware like OpenXR872 (OBK). The discussion includes references to related projects for video stream capture without flashing (cam-reverse) and the challenges of flashing and booting custom firmware on these devices. Overall, the thread provides detailed technical insights into hardware probing, firmware extraction, SDK usage, flashing procedures, and troubleshooting for the XF16-based A9 mini camera variant with XR872 SoC.
Summary generated by the language model.