logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Exploring A9 Minicam Variation: XF16 PB380EA6341 MCU, T25S80 SPI Flash, XR872, Skylark SDK

divadiow 8280 189
ADVERTISEMENT
Reply | New topic
  • Helpful post
    #1 21219273
    divadiow
    Level 34  
    Another A9 minicam variation. Will just use this post to dump some bits rather than add to https://www.elektroda.com/rtvforum/topic4033757.html#21035231 which has been about the Beken BK7252 and Taixin TXW817 based A9s.

    The MCU in this labelled as XF16 PB380EA6341 which has a mention in that long HA thread about the A9s here https://community.home-assistant.io/t/popular...mini-wi-fi-camera-the-ha-challenge/230108/247
    Close-up of a microchip on a PCB.

    this one has an 8mbit flash chip though, labelled T25S80
    Close-up of a circuit board with a clearly visible T25S80 chip.

    which might be this from ChipSourceTek http://www.chipsourcetek.com/DataSheet/T25S80.pdf

    Flashrom, NeoProgrammer and ASProgrammer couldn't identify the SPI ID C74014. It did detect as "1313", probably the cable wasn't seated quite right, which detected as n 8mbit ST M25P80. Right or wrong, Neo dumped the firmware. Flashrom did too. both attached.

    Screenshot of NeoProgrammer software showing the memory read of M25P80 flash.

    pics of PCB

    Apparent PCB of A9 mini camera with a connected battery and USB port. Close-up view of the A9 camera's printed circuit board (PCB) with visible electronic components and a battery. PCB of A9 mini camera with visible lens and battery. PCB of A9 mini camera with various electronic components. Disassembled A9 mini camera with visible PCB and battery. Close-up of the A9 camera PCB with visible components and connected battery.

    It didn't take long to find the UART TX pad, which is this:

    Close-up of a PCB with an XF16 microprocessor.

    Perhaps most interesting so far is the content of the log:
    Code: Text
    Log in, to see the code


    as pointed out by daniel-dona here https://community.home-assistant.io/t/popular...mini-wi-fi-camera-the-ha-challenge/230108/287 (maybe @danieldona ?) it looks to be some custom XRadiotech XR872 - https://github.com/XradioTech/xradio-skylark-sdk
    Attachments:
  • ADVERTISEMENT
  • Helpful post
    #5 21278017
    andrewjhull
    Level 1  
    Quote:
    # strings Flashrom_C74014.bin.bin |grep project
    ../../../../project/demo/ilnk_demo_et_1mflash/main.c
    ../../../../project/common/runtop/sd_manager/rt_sd_dev.c
    ../../../../project/common/runtop/rt_adpt/rt_adpt_adc.c
    ../../../../project/common/runtop/rt_adpt/rt_devm_gpio.c
    ../../../../project/common/runtop/librtcommon/srcs/rt_thread_freertos.c
    ../../../../project/common/runtop/librtcommon/srcs/rt_thread_locker_freertos.c
    ../../../../project/common/runtop/ble_uart/ble_uart.c
    ../../../../project/common/runtop/rt_wifi/rt_wifi.c
    ../../../../project/common/runtop/led/led_control.c
    ../../../../project/common/runtop/led/led_proc.c
    ../../../../project/common/runtop/rt_search/rt_search.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/record_ilnk.c
    ../../../../project/common/runtop/rt_res/rt_res.c
    ../../../../project/common/runtop/routine/routine_image.c
    ../../../../project/common/runtop/camera_test/camera_test.c
    ../../../../project/common/runtop/rtb_media/rtb_av_md.c
    ../../../../project/common/runtop/rtb_media/rtb_av_api.c
    ../../../../project/common/runtop/rtb_media/imgproc.c
    ../../../../project/common/runtop/rt_time/rt_time.c
    ../../../../project/common/runtop/rtpm/rtpm_core.c
    ../../../../project/common/runtop/rt_ota/rt_ota.c
    ../../../../project/common/runtop/rtj_p2p/srcs/rtj_p2p.c
    ../../../../project/common/runtop/rtj_p2p/srcs/rt_ap.c
    ../../../../project/common/runtop/rtj_p2p/srcs/rt_playback.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbNet.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbEvent.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcDevSys.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbSd.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/InkP2pModule.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbPassThrough.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcDevCallback.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbAv.c
    ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/IpcCbSys.c

    As you can see, there are strings in the Flash Dump that suggest the XF16 camera is running a version of RTOS
    https://github.com/RT-Thread/rtthread-manual-doc/blob/master/introduction/introduction.md
    [/quote]

    Added after 7 [minutes]:

    Close-up photograph of the interior of an electronic device showing the XF16 chipset.

    I have a couple of PTZ cameras that run the same protocol as the A9 Cams and have an XF16 variant processor.
    Can I ask how you dumped the firmware on yours? I presume you clipped on to the flash chip. Did you need to hold the camera in reset while you dumped it?
  • #6 21278253
    divadiow
    Level 34  
    andrewjhull wrote:
    I presume you clipped on to the flash chip. Did you need to hold the camera in reset while you dumped it?

    Hello! Yes, I clipped onto the flash chip. I did not need put anything into reset mode first.
  • Helpful post
    #7 21346099
    gusgorman402
    Level 4  
    I have the PTZ version also. The serial port is JST GH connector. Thanks for the flash dump. Strings revealed the serial password is runtop1029
  • ADVERTISEMENT
  • #8 21346105
    divadiow
    Level 34  
    oh nice. good work. I didn't do anything more with my one.

    Code snippet with console error messages and a password field.

    feel free to post all your findings!
  • Helpful post
    #9 21349910
    alistairjordan
    Level 2  
    Just opened one of these up and started looking..
    I get a similar bin extract from the SPI chip.

    Going through the strings this is an XR872 base design. The 2.0 SDK can be found on "gitee" here: https://portrait.gitee.com/Dozingfiretruck/xr872_sdk/

    The strings actually give quite a way about the base design also. I would note that the ipc application doesn't appear to be in the demos folder so there is no instant drop in solution to build.

    Other things I've noticed is the csi interface (camera) is using the driver/chip/hal_csi_jpeg.c driver.
    This gives me a good guess that all the included drivers in the repo will actually be compatible with the device (to be fair, everything does appear built into the SoC.)

    In regards to the other configuration required by configure.sh, it looks to be a 40MHz oscillator from the markings, although I may have made a mistake with this one.
  • #10 21351573
    gusgorman402
    Level 4  
    How are you getting Flashrom to work? I'm trying to use Bus Pirate with a SOIC8 clip, but it won't recognize the chip. It keeps backfeeding power into the board too, causing the lights to turn on briefly. I think my PTZ camera has a different chip too Close-up of a circuit board with visible integrated circuits.
  • #12 21351757
    divadiow
    Level 34  
    cloned here for safe keeping https://github.com/divadiow/xr872_sdk

    Added after 19 [minutes]:

    gusgorman402 wrote:
    How are you getting Flashrom to work?

    me? no more steps than what was in the first post I'm afraid.

    As it's only an 8 pin SOIC my next step would have been to desolder and then clamp up to read flash.
  • #13 21352083
    alistairjordan
    Level 2  
    So making a couple of notes on the above replies:
    * The BusPirate is a pile of doo doo, and WILL drive you nuts (Trust me I have one, long abandoned in a drawer). For your own sanity I would use a CH341A programmer (and included SOP8 clip) for reading the flash, and also you can pop it in serial mode to get access to the console.
    For the things this won't cover well, I tend to directly solder onto a RPI Pico (They are dirt cheap) and write the relevant code.
    Links: https://www.aliexpress.com/item/1005006520623353.html
    https://www.aliexpress.com/item/1005003371056277.html
    * Unless I'm wrong, https://portrait.gitee.com/Dozingfiretruck/xr872_sdk/blob/master/project/example/jpeg/main.c will only cover taking a picture and saving to SD.

    So I've come across this string in the dump:

    WAR WLAN Stealer
    (I guess WAR is warning)

    Does anyone know what this could be about?
    It sounds rather ominous.

    I will try flashing an example for the XR872 onto a board in the next few days, it should at least give a PoC that assumptions are all correct and this thread is going in the right direction.
  • Helpful post
    #14 21353025
    gusgorman402
    Level 4  
    >>21352083 I did not find the Stealer string in the dump posted on here. However I do find "WAR %d wlan steal active" if I run strings on XradioSDK libxretf.a and librxwireless.a files.
    These cameras usually transmit data in cleartext, so you could sniff the traffic if you think it's exfiltrating personal data. Sometimes the cameras use encryption, but the original A9 HA thread has posts on how to decrypt

    Added after 42 [minutes]:

    My PTZ camera, just like the A9, uses the iLnkP2P protocol, which has been pretty well documented.
    If you watch the Defcon video, he explains how to extract the video stream from the packets:. https://hacked.camera/
    The original A9 Home Assistant postings explain & link to methods to communicate UDP packets to the camera: https://github.com/DavidVentura/cam-reverse
    I think the Defcon talk shows an example of a CGI request too. You can see which CGI scripts are on the cam by searching for ".cgi" files in the Strings output. The manual for these CGI are here: https://github.com/DavidVentura/cam-reverse/blob/master/data/cgi_ip_cam.pdf
    I attached a screenshot of the serial console menu from my PTZ. The command line help isn't very helpful, so I've had to read the source code for these commands to learn their syntax. Most of the commands' source is in the xradioSDK projects/common/cmd directory

    I think if you wanted to get total control over this cam, you would have to write a script to communicate UDP packets in iLnkP2P protocol, and interact with the CGI scripts. If you get access to serial console, there are commands to edit the memory. You could change the IP address of the Chinese P2P relay servers, or change the device UID so it doesn't authenticate with the servers.
    Temu is flooded with these cams, that's where I got mine for $10. I thought it would make a good device for a hardware hacking class. I was hoping it was running embedded linux. Some of the linux versions have the iLnkP2P libraries in the filesystem, and you can RE the library to get the device ID algorithm, as explained in the Defcon talk
    Screenshot showing a serial console menu with a list of commands and threads.
  • #15 21509791
    1864mponepound
    Level 2  
    gusgorman402 wrote:
    How are you getting Flashrom to work? I'm trying to use Bus Pirate with a SOIC8 clip, but it won't recognize the chip. It keeps backfeeding power into the board too, causing the lights to turn on briefly. I think my PTZ camera has a different chip too Close-up of a circuit board with visible integrated circuits.


    hey gusgorman402
    how were you able to overcome this problem you describe?

    I have the same problem.

    My PTZ camera has the same memory chip.
  • ADVERTISEMENT
  • #16 21514728
    1864mponepound
    Level 2  
    divadiow wrote:
    Flashrom, NeoProgrammer and ASProgrammer couldn't identify the SPI ID C74014. It did detect as "1313", probably the cable wasn't seated quite right, which detected as an 8mbit ST M25P80. Right or wrong, Neo dumped the firmware. Flashrom did too. both attached.


    hi
    what tool did you use to read the flash

    I have a ch341 but for some reason it is failing - did you desolder or use a probe?
  • ADVERTISEMENT
  • Helpful post
    #19 21522142
    p.kaczmarek2
    Moderator Smart Home
    I got one:
    Close-up of a circuit board with a micro USB port, memory card slot, and XF16 chip.
    Close-up of a circuit board with a camera lens, an electronic microphone, and tweezers holding a micro USB port.
    USB programmer with a clip for chip programming connected to a small PCB.
    Trying to read flash in circuit gives me strange IDs:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
SPI ID: 8E8029
Current programmer: CH341 Black
SPI ID: 1313

    but later:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
SPI ID: C74014
Current programmer: CH341 Black
SPI ID: C74014
Current programmer: CH341 Black
SPI ID: C74014
Current programmer: CH341 Black
SPI ID: C74014
Current programmer: CH341 Black
SPI ID: C74014

    AWIH header like in other XR devices
    Hex editor view with binary data and ASCII representation.
    Attachments:
    Helpful post? Buy me a coffee.
  • Helpful post
    #21 21522159
    p.kaczmarek2
    Moderator Smart Home
    divadiow wrote:
    cloned here for safe keeping https://github.com/divadiow/xr872_sdk

    So has anyone tried to build a hello world image of that? Maybe then we could find the flash offset in that 1MB chip where we could flash this hello world...

    Added after 1 [hours] 37 [minutes]:

    Compiling under WSL experience so far:
    1. I got SDK from here:
    https://launchpad.net/gcc-arm-embedded/4.9/4.9-2015-q2-update
    2. At first, it acted like path is wrong
    Code: text Expand Select all Copy to clipboard
    
tester@DESKTOP-6SD9MUK:/mnt/w/GIT/xr872_sdk/project/demo/hello_demo/gcc$ make lib
make  -C ../../../../src install
make[1]: Entering directory '/mnt/w/GIT/xr872_sdk/src'
make _install TARGET=install
make[2]: Entering directory '/mnt/w/GIT/xr872_sdk/src'
make  -C driver/chip install
make[3]: Entering directory '/mnt/w/GIT/xr872_sdk/src/driver/chip'
~/gcc-arm/bin/arm-none-eabi-gcc -mcpu=cortex-m4 -mthumb -mfpu=fpv4-sp-d16 -mfloat-abi=softfp -c -gdwarf-2 -fno-common -fmessage-length=0 -fno-exceptions -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -Werror -Wpointer-arith -Wno-error=unused-function -MMD -MP -Os -DNDEBUG -D__CONFIG_CHIP_XR872 -D__CONFIG_CHIP_ARCH_VER=2 -D__CONFIG_ARCH_APP_CORE -D__CONFIG_CPU_CM4F -D__CONFIG_HOSC_TYPE=40 -D__CONFIG_LIBC_REDEFINE_GCC_INT32_TYPE -D__CONFIG_LIBC_PRINTF_FLOAT -D__CONFIG_LIBC_SCANF_FLOAT -D__CONFIG_LIBC_WRAP_STDIO -D__CONFIG_OS_FREERTOS -D__CONFIG_OS_FREERTOS_VER=80203 -D__CONFIG_LWIP_V1 -D__CONFIG_LWIP_VER_1_4_1 -D__CONFIG_LWIP_V1 -D__CONFIG_MBEDTLS_VER=0x02100000 -D__CONFIG_MBUF_IMPL_MODE=0 -D__CONFIG_WLAN -D__CONFIG_WLAN_STA -D__CONFIG_WLAN_AP -D__CONFIG_WLAN_MONITOR -D__CONFIG_WIFI_CERTIFIED -D__CONFIG_DEFAULT_FLASH_FLASHC -D__CONFIG_XIP -D__CONFIG_SECTION_ATTRIBUTE_XIP -D__CONFIG_SECTION_ATTRIBUTE_NONXIP -D__CONFIG_SECTION_ATTRIBUTE_SRAM -D__CONFIG_ROM -D__CONFIG_ROM_FREERTOS -D__CONFIG_ROM_XZ -D__CONFIG_PM -D__CONFIG_OTA -D__CONFIG_OTA_POLICY=0x00 -D__CONFIG_CACHE_POLICY=0x02 -D__CONFIG_DMAHEAP_PSRAM_SIZE=0 -D__CONFIG_MSP_STACK_SIZE=1024 -D__CONFIG_MALLOC_MODE=0x00 -D__CONFIG_MBUF_HEAP_MODE=0 -D__CONFIG_MBEDTLS_HEAP_MODE=0 -D__CONFIG_HTTPC_HEAP_MODE=0 -D__CONFIG_NGHTTP2_HEAP_MODE=0 -D__CONFIG_MQTT_HEAP_MODE=0 -D__CONFIG_NOPOLL_HEAP_MODE=0 -D__CONFIG_WPA_HEAP_MODE=0 -D__CONFIG_UMAC_HEAP_MODE=0 -D__CONFIG_LMAC_HEAP_MODE=0 -D__CONFIG_CEDARX_HEAP_MODE=0 -D__CONFIG_AUDIO_HEAP_MODE=0 -D__CONFIG_CODEC_HEAP_MODE=0 -D__CONFIG_ZBAR_HEAP_MODE=0 -std=gnu99 -I../../../include -I../../../include/libc -I../../../include/driver/cmsis -I../../../include/kernel/FreeRTOS/FreeRTOSv8.2.3 -I../../../include/kernel/FreeRTOS/FreeRTOSv8.2.3/portable/GCC/ARM_CM4F -I../../../include/net -I../../../include/net/lwip-1.4.1 -I../../../include/net/mbedtls-2.16.0 -I../../../include/net/nghttp2//lib/includes -I../../../include/net/lwip-1.4.1/ipv4 -o codec/ac101.o codec/ac101.c
/bin/sh: 1: /home/tester/gcc-arm/bin/arm-none-eabi-gcc: not found
make[3]: *** [../../../gcc.mk:212: codec/ac101.o] Error 127
make[3]: Leaving directory '/mnt/w/GIT/xr872_sdk/src/driver/chip'
make[2]: *** [Makefile:105: driver/chip] Error 2
make[2]: Leaving directory '/mnt/w/GIT/xr872_sdk/src'
make[1]: *** [Makefile:96: install] Error 2
make[1]: Leaving directory '/mnt/w/GIT/xr872_sdk/src'
make: *** [../../../../project/project.mk:353: lib] Error 2

    3. but path is ok. File exists, but it can't be executed, it's something else, I checked it with readelf:
    Code: text Expand Select all Copy to clipboard
    
tester@DESKTOP-6SD9MUK:/mnt/w/GIT/xr872_sdk/project/demo/wlan_demo/gcc$ readelf -l ~/gcc-arm/gcc-arm-none-eabi-4_9-2015q2-20150609-linux/gcc-arm-none-eabi-4_9-2015q2/bin/arm-none-eabi-gcc | grep interpreter
      [Requesting program interpreter: /lib/ld-linux.so.2]

    4. Then I checked for ld-linux.so:
    Code: text Expand Select all Copy to clipboard
    
tester@DESKTOP-6SD9MUK:/mnt/w/GIT/xr872_sdk/project/demo/wlan_demo/gcc$ ls /lib/ld-linux.so.3
ls: cannot access '/lib/ld-linux.so.3': No such file or directory

    5. ld-linux.so is missing, so I did update:
    Code: text Expand Select all Copy to clipboard
    
sudo apt update
sudo apt install libc6-i386 lib32z1 lib32stdc++6

    6. now it seems to compile fine?
    Terminal window showing gcc compiler output for an SDK project on ARM platform, with many lines of make output.

    More info soon

    Added after 4 [minutes]:


    Screenshot of a console with XR872 firmware build commands and system image configuration.

    Added after 3 [minutes]:

    attached firmware
    Attachments:
    Helpful post? Buy me a coffee.
  • #22 21522253
    divadiow
    Level 34  
    good going. I haven't been able to try anything since posting. I have one eye on this thread and the other on work.
  • #23 21522255
    p.kaczmarek2
    Moderator Smart Home
    Do you have time to try my binaries?

    Comparison (build vs read):
    Comparison of two binary files in a hex editor, with differences highlighted.

    Added after 39 [seconds]:

    String refs similar:
    Screenshot of a hex comparison tool displaying differences between two binary files.

    Added after 4 [minutes]:

    XR872 in original flash of A9 camera:
    Screenshot of a hex editor showing the contents of a binary file in hexadecimal and text (ASCII) form.

    Added after 31 [minutes]:

    Original bootlog:
    Code: text Expand Select all Copy to clipboard
    
[bl ERR] main():629, build:20:38:52
[FD I]: mode: 0x4, freq: 48000000Hz, drv: 0

Password:PMA: mode select:e

wlan information ===================================================
firmware:
    version : R-XR_C10.08.52.64_01.80 Jul  6 2019 20:05:10-P01.46-R
    buffer  : 12
driver:
    version : XR_V02.05
====================================================================

PMA: wlan mode:a

platform information ===============================================
XRADIO Skylark SDK 1.2.0 Oct 17 2024 10:39:50

sram heap space [0x21fc70, 0x25fc00), total size 262032 Bytes
cpu  clock 240000000 Hz
HF   clock  40000000 Hz

sdk option:
    XIP           : enable
    INT LF OSC    : enable

mac address:
    efuse         : 18:9e:2d:81:89:ce
    in use        : 38:0a:8d:47:2b:71
====================================================================

StartupState:5
[os E] OS_MutexDelete():54, handle 0
io=20 mode=0 pull=1
HAL_Wakeup_SetIO en:40 mode:0 pull:1000
Enter Sleep Mode 1
[os E] OS_MutexLock():65, handle 0
[os E] OS_MutexUnlock():80, handle 0
[os E] OS_MutexLock():65, handle 0
[os E] OS_MutexUnlock():80, handle 0
rec enter sleep mode
<-500119_192428 rtb_av_api.c:2063>media not init
ntp enter sleep mode 0
Enter Sleep Mode 2
HAL_Wakeup_ClrTimer
[bl ERR] main():629, build:20:38:52
[FD I]: mode: 0x4, freq: 48000000Hz, drv: 0

Password:PMA: mode select:e

wlan information ===================================================
firmware:
    version : R-XR_C10.08.52.64_01.80 Jul  6 2019 20:05:10-P01.46-R
    buffer  : 12
driver:
    version : XR_V02.05
====================================================================

PMA: wlan mode:a

platform information ===============================================
XRADIO Skylark SDK 1.2.0 Oct 17 2024 10:39:50

sram heap space [0x21fc70, 0x25fc00), total size 262032 Bytes
cpu  clock 240000000 Hz
HF   clock  40000000 Hz

sdk option:
    XIP           : enable
    INT LF OSC    : enable

mac address:
    efuse         : 18:9e:2d:81:89:ce
    in use        : 38:0a:8d:47:2b:71
====================================================================

StartupState:5
[os E] OS_MutexDelete():54, handle 0
io=20 mode=0 pull=1
HAL_Wakeup_SetIO en:40 mode:0 pull:1000
Enter Sleep Mode 1
[os E] OS_MutexLock():65, handle 0
[os E] OS_MutexUnlock():80, handle 0
[os E] OS_MutexLock():65, handle 0
[os E] OS_MutexUnlock():80, handle 0
rec enter sleep mode
<-500119_192428 rtb_av_api.c:2063>media not init
ntp enter sleep mode 0
Enter Sleep Mode 2
HAL_Wakeup_ClrTimer

    You can use USB breakout to get TX without soldering
    Helpful post? Buy me a coffee.
  • #24 21522282
    divadiow
    Level 34  
    just hooking up to flash now
  • #25 21522287
    p.kaczmarek2
    Moderator Smart Home
    Why verify fails at random offets, omg?
    Screenshot showing a memory verification error in the CH341 Black programmer.

    Added after 1 [seconds]:

    Why verify fails at random offets, omg?
    Screenshot showing a memory verification error in the CH341 Black programmer.

    Added after 20 [seconds]:

    Verify flash fails for randomly.

    Added after 11 [minutes]:

    UART access via USB;
    Prototype electronic circuit with wires and USB and PS/2 connectors on a white background.
    Desoldering flash:

    Close-up of a SOP16/8-DIP8 REV4 electronic adapter held in a hand.
    Trying flasher outside circuit:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
SPI ID: C74014

    Outside circuit, Verify is OK:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
15:31:59
Verify memory...
Success
Execution time: 00:00:09.503

    read_outsi...ircuit.bin Download (1 MB)
    Helpful post? Buy me a coffee.
  • #26 21522299
    divadiow
    Level 34  
    SREG read before programming. detected as 1313 first time and now C74014, as it did originally.

    A program window for reading and writing status registers (SREG) of Winbond memory, with all SREG3 checkboxes selected.
    Screenshot from NeoProgrammer showing flash chip CH341 Black detection with various SPI IDs.

    flashed with Neo but nothing from TX. trying flashrom and other things
  • #27 21522301
    p.kaczmarek2
    Moderator Smart Home
    I seemingly can flash outside circuit:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
15:39:48
Programming memory... Main Memory
Success
Execution time: 00:00:18.015

    but then verify always fail:
    Code: text Expand Select all Copy to clipboard
    
15:40:38
Verify memory...
Verification error on address: 0x00000008, Device: 0xA2, Buffer: 0xE2
Execution time: 00:00:00.086

    Probably it does not flash in reality.
    Helpful post? Buy me a coffee.
  • #28 21522326
    divadiow
    Level 34  
    yes, this is annoying. read-back is rubbish and erase is mostly ineffective in Neo and As. I've been toggling protections bits but still no joy. Just moving onto other flash chips I might have lying around.
  • #29 21522328
    p.kaczmarek2
    Moderator Smart Home
    Just make sure that you erase first:

    Screenshot of NeoProgrammer software with an open memory write options menu.
    but it does not help for me:
    Code: text Expand Select all Copy to clipboard
    
Current programmer: CH341 Black
16:23:42
Erasing memory...
Success
Execution time: 00:00:03.954
Current programmer: CH341 Black
16:23:46
Erasure control...
Success
Execution time: 00:00:22.254
Current programmer: CH341 Black
16:24:08
Programming memory(verifying)... Main Memory
Verification error on address: 0x00000384, Device: 0xFF, Buffer: 0x29
Execution time: 00:00:00.268
    Helpful post? Buy me a coffee.
  • #30 21522368
    divadiow
    Level 34  
    frustrating. not getting anywhere with any erase/sreg bits /programs tried.

    Added after 28 [minutes]:

    in As what do your SREG bits read out as?

    AsProgrammer window with GD25Q80 chip selected, hex editor visible, and SREG settings popup for GigaDevice memory.

    and does the selection change if you click read again and again?
Reply | New topic
Report a violation of the law

Topic summary

The discussion revolves around a variation of the A9 minicam featuring the XF16 PB380EA6341 MCU and T25S80 SPI Flash. The user shares insights on the firmware and hardware components, noting that the flash chip is an 8mbit model. There are mentions of difficulties in identifying the SPI ID C74014 using Flashrom, NeoProgrammer, and ASProgrammer, with some success in dumping the firmware. Additional posts highlight network activity, including the camera reaching out to specific IPs, and provide links to related resources and sample video captures.
Summary generated by the language model.
Popular Topics
ADVERTISEMENT