Shenzhen Pinmei / Linklemo A9 Mini Camera with Beken BK7252NQN481 – Photos, Boot Log, Flash Backup

divadiow 4137 71

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#61 21632638 12 Aug 2025 07:25

divadiow divadiow

Level 35
Topic author Helpful post? (0)

Post #61
21632638 12 Aug 2025 07:25

yes, I believe app and bootloader are CRCd

also printed out in boot log

Code: Text
Log in, to see the code

Code: Text
Log in, to see the code

Added after 31 [minutes]:

this *might* be the unCRCd app partition from my device

method: https://github.com/ouaibe/dreo-cloudcutter

Attachments:

BK7252N_Pinmei_App_unCRC.bin Download (960 KB)
ADVERTISEMENT
#62 21633267 12 Aug 2025 17:42

Laloshifrin Laloshifrin

Level 6

Helpful post? (0)

Post #62
21633267 12 Aug 2025 17:42

divadiow wrote:
https://github.com/ouaibe/dreo-cloudcutter

very interesting but ltchiptool gives me lots of ValueError: Invalid Magic 1 (b'\x0e\x00\x00\xea'), ValueError: Input file is not 34-byte aligned and segfaults, can't read chip nor identify
#63 21633280 12 Aug 2025 18:05

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #63
21633280 12 Aug 2025 18:05

Yes. I mean the unCRC bit specifically further down in the article. You can edit the python somewhere to not fail on 34 byte alignment. Cutting the app partition out from 0x11000 and feeding that in I did not get 34 byte error
#64 21633312 12 Aug 2025 18:47

Laloshifrin Laloshifrin

Level 6

Helpful post? (0)

Post #64
21633312 12 Aug 2025 18:47

great! I'll try.
In my ignorance it's incredible that there is a CRC16 every 32 bytes!!!!
Anyway I tried to calculate CRC for the first 32 bytes with every available model and I didn't get the result of bytes 33-34.
I'll check later... thanks a lot!
ADVERTISEMENT
#65 21633326 12 Aug 2025 19:08

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #65
21633326 12 Aug 2025 19:08

I could be wrong of course. Good luck!
#66 21633412 12 Aug 2025 21:21

Laloshifrin Laloshifrin

Level 6

Helpful post? (+1)

Post #66
21633412 12 Aug 2025 21:21

Still don't know how ltchiptool calculates CRC but I changed one character of wifi password and added correct CRC. Worked like a charm!!! Booted correctly and I can connect to wifi in AP mode with the new password. Little step.... next one is feeding Ghidra with the uncrcd app partition and next is analyze ltchiptool python scripts to understand how it calculates CRC (just curious). I'll let you know and possibly ask for help. Hoping to eventually modify software to trigger mpeg_server on boot. Thank you.
#67 21634096 13 Aug 2025 17:27

Laloshifrin Laloshifrin

Level 6

Helpful post? (0)

Post #67
21634096 13 Aug 2025 17:27

For anybody interested... the firmware on my BK7252N (I assume also others) uses CRC16 CMS variant (model). ltchiptool library crc16 class contains over 50 different models and uses "CMS" for BEKEN72XX.
CMS poly=0x8005, init=0xFFFF, ref=False, out=0x0000
ADVERTISEMENT
#68 21635182 15 Aug 2025 00:55

Laloshifrin Laloshifrin

Level 6

Helpful post? (0)

Post #68
21635182 15 Aug 2025 00:55

There's a gzipped json file in application partition:
{"base":{"protocol":"pprpc","encode":1,"encrypt":3,"sec_code":0,"hb_interval":0,"offline_cmd":1,"offlime_interval":10,"led":0,"battery":1,"send_mode":0,"apsec":0,"events":[9,12,255],"tamper":0,"sync_name":0,"threshold":0,"file_forwarding":1,"reboot_time":60,"multi_rom":0,"multi_rom_names":[],"sleep_recv":0,"contact":0,"var_chan":0,"pbs_len":256,"multi_msg":0,"unbind":1,"only_matter":0,"time_task":0,"datacid":[],"spu_type":[],"notify_add":0,"dp":0},"mconf":[{"class_code":"IPAV","conf":{"spec":1,"audio":2,"mic":1,"speaker":0,"siren":0,"light":0,"pixel":[2,1,3],"pixel_local":[0],"sdcard":1,"aspect_ratio":"4:3","motionzones":1,"ptz":0,"face":0,"clouds":2,"can_buy":0,"zoom":1,"ai_vendor":0,"pir":{"num":0,"ranging":0,"values":[0,1,2,3]},"num":0,"flip":1,"app_rotate":0,"view_rec":0,"osd":2,"psp":0,"cruise":0,"sound_detect":0,"audio_codec":0,"video_codec":0,"gps":1,"local_httpdown":1,"remote_action":0,"night_light":0,"vqos":[],"record_mode":0,"link":1,"power_freq":[0,50,60],"low_power_state":0,"ircut_level":1,"auto_close":1,"ap":2,"video":0,"ring_expired":0,"motion_grid_scale":"4:3","render":1,"chans":1,"dec_mix":1}}],"support_cmds":[{"class_code":"PUBLIC","cmds":[60]},{"class_code":"IPAV","cmds":[2600,2601,2602,2603,2610,2611,2612,2613,2614,2615,2616,2617,2625,2626,2627,2628,2630,2631,2632,2635,2636,2639,2640,2647,2648,2649,2650,2661,2662,2663,2664,2685,2780,551,573,574,575,576,587,577,578,582,584,585,579,580,581,586,590,560]}]}
It seems more like descriptive of device characteristics but I'm wondering if modifying "local_httpdown" or "video" variables something good could happen...
Anybody dealt with anything similar?

Added after 3 [hours] 39 [minutes]:

Last two lines must be RPC commands. 2610 is VideoPlay.
All happens through TCP port 20190. Sniffed traffic... hope I can catch a magic packet.

Added after 34 [minutes]:

Traffic must be encrypted 🤬
I don't even know protocol...
I know it's an mpeg stream. In your experience those devices use HTTP, RTP or some raw proprietary protocol?
#69 21635760 15 Aug 2025 16:21

divadiow divadiow

Level 35

Topic author Helpful post? (0)

Post #69
21635760 15 Aug 2025 16:21

I'm watching with interest. I don't know the answers to your latest questions, but please keep updating the thread with new findings
ADVERTISEMENT
#70 21635792 15 Aug 2025 16:53

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #70
21635792 15 Aug 2025 16:53

Wouldn't this help? We can access this camera stream... if it's the same camera.
https://www.elektroda.com/rtvforum/topic4117962.html

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#71 21635815 15 Aug 2025 17:41

Laloshifrin Laloshifrin

Level 6

Helpful post? (0)

Post #71
21635815 15 Aug 2025 17:41

I already read that thread but unfortunately cam-reverse doesn't work on this camera. Camera is similar but not the same. I'll try to post some pictures...

Added after 23 [minutes]:

Here's my cam:

Added after 6 [minutes]:

https://www.aliexpress.us/item/3256807542361615.html
#72 21636791 17 Aug 2025 09:56

Testerrr Testerrr

Level 25

» | Helpful post? (0)

Post #72
21636791 17 Aug 2025 09:56

p.kaczmarek2 wrote:
Wouldn't that help? We can access the stream from that camera.... If it's the same camera.
https://www.elektroda.com/rtvforum/topic4117962.html

The cam-reverse is for cameras based on the TXW817a, not the BK7252N.
Post 19 and 24 mentions unsuccessful attempts to extract the stream from BK7252N based cameras using cam-reverse.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion focuses on the Shenzhen Pinmei / Linklemo A9 Mini Wi-Fi Camera featuring the Beken BK7252NQN481 chipset. This budget smart camera, often sold for around $1 USD, is marketed with exaggerated claims such as 4K resolution and advanced AI features. Technical analysis reveals the device uses a BK7252N chip, with bootloader and firmware characteristics similar to BK7231 series but distinct in memory mapping and encryption behavior. The camera sensor identified is the GC0329C (GalaxyCore 0.3MP, 640x480@15fps). Firmware dumping and boot log extraction have been performed via serial pads and SPI interfaces, with attempts to flash BK7238 binaries unsuccessful. The device broadcasts an access point (SSID: LLM_H0A9_xxxxxx) with default key, assigning IP 192.168.9.252, exposing several open TCP/UDP ports. Local video stream access is possible without firmware modification, but pairing requires cloud interaction via the Linklemo app, which demands registration and communicates with external servers. Efforts to bypass cloud dependency have been limited by pairing timeouts and app restrictions. OpenBK7231T firmware support for BK7252N is in development, with recent successful OTA flashing and boot logs indicating stable operation. Memory management issues such as realloc instability on BK7252N are under investigation. The community is exploring creating development boards from these cameras and expanding device support tags for better cataloging. Overall, the device is a low-cost, partially hackable smart camera with limited local control and ongoing firmware development efforts.
Summary generated by the language model.

FAQ

TL;DR: The Pinmei/Linklemo A9 mini-camera uses a Beken BK7252NQN481 Wi-Fi MCU. You can read its entire 2 MB flash, disable/alter protections, and load OpenBK7231 firmware via UART or SPI. OpenBK boots and OTA-updates cleanly, while the stock app streams MJPEG video at about 10 fps (640 × 480) in AP mode [Elektroda, divadiow, post #21526681]

Quick Facts


• MCU : Beken BK7252NQN481, Cortex-M4F, 120 MHz [Beken Datasheet, 2023]
• On-chip Flash : 2 MiB mapped; device reports 4 MiB wrap-around [Elektroda, insmod, post #21527046]
• Video Sensor : GalaxyCore GC0329C, 0.3 MP, 640 × 480 @ 15 fps max [Elektroda, divadiow, post #21528651]
• Default AP : SSID “LLM_H0A9_xxxxxx”, password “12345678” [Elektroda, divadiow, post #21529763]
• Stock Ports : TCP 20023/20190, UDP 20190/62562, DHCP 67 [Elektroda, divadiow, post #21529763]

What microcontroller is inside the square Pinmei/Linklemo A9 camera?

It uses a Beken BK7252NQN481 SoC, an ARM Cortex-M4F Wi-Fi/BT chip with integrated 2 MiB flash and 256 KiB SRAM [Beken Datasheet, 2023; Elektroda, divadiow, #21526681].

Is the internal flash 2 MiB or 4 MiB?

The silicon contains 2 MiB, but the boot ROM lets addresses wrap after 0x200000. Tools therefore show a virtual 4 MiB space, with the upper half mirroring the lower [Elektroda, insmod, post #21527046]

Can I dump the firmware?

Yes. BKFIL 3.0.1.4 reads 0x0-0x200000 over UART in 191 s without disabling protection [Elektroda, divadiow, post #21526681] SPI pads (TDI,TDO,TMS,TCK) also accept standard CH341A ISP.

Is the vendor firmware encrypted?

No. Full flash contains readable ASCII strings; the reported efuse key 00E46D00 is only a placeholder when read-back is enabled [Elektroda, p.kaczmarek2, post #21526914]

Which pads are JTAG/SPI?

Pads labelled TDI and TDO sit beside the camera ribbon; two un-marked pads near them carry TMS and TCK, giving a complete 4-wire SW-JTAG/SPI interface [Elektroda, divadiow, post #21526681]

How do I enter the UART bootloader?

Connect RX1/TX1 to a USB-TTL adapter at 115200 bps and momentarily pull CEN low during power-up. BKFIL auto-detects the chip as BK7252N and opens the ROM monitor [Elektroda, divadiow, post #21526681]

Does OpenBK7231 firmware run on BK7252N?

Yes. Build 1680_merge_55ebe0a12aba boots, controls GPIO P2 (blue LED), and supports OTA upgrades both ways without crashes [Elektroda, divadiow, post #21584909]

How can I view video without the Linklemo cloud?

When the camera is in pairing mode it runs a Soft-AP (192.168.9.252). However, the vendor protocol on TCP 20023/20190 is proprietary. Community tools have not yet decoded it, so local MJPEG requires custom firmware [Elektroda, Testerrr, post #21540472]

What stream rate does the stock firmware provide?

Boot logs show JPEG frames reported at 10 fps with a 60 KB average chunk size, indicating ~4.8 Mbit/s peak throughput [Elektroda, divadiow, post #21529763]

Does realloc still corrupt memory on BK7252N?

Developers observed occasional byte corruption; wrapping realloc to os_realloc inside hal_main_bk7231.c avoids the issue on both BK7231T and BK7252N [Elektroda, p.kaczmarek2, post #21587279]

Is Deep-Sleep supported?

Deep-Sleep works; the recent PR modified only SDK wrappers and did not change functional paths [Elektroda, insmod, post #21587275]

What OTA partition layout does OpenBK use?

Bootloader (0x0-0x10000), App (0x10000-0x132000), Download (0x132000-0x1E0000). OTA writes to Download, verifies, then swaps vector to App [Elektroda, OTA log, #21584909].