Shenzhen Pinmei / Linklemo A9 Mini Camera with Beken BK7252NQN481 – Photos, Boot Log, Flash Backup

divadiow 8247 110

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

#61 21632638 12 Aug 2025 07:25

divadiow divadiow

Level 36
Topic author Helpful post? (+1)

Post #61
21632638 12 Aug 2025 07:25

yes, I believe app and bootloader are CRCd

also printed out in boot log

Code: Text
Log in, to see the code

Code: Text
Log in, to see the code

Added after 31 [minutes]:

this *might* be the unCRCd app partition from my device

method: https://github.com/ouaibe/dreo-cloudcutter

Attachments:

BK7252N_Pinmei_App_unCRC.bin Download (960 KB)
ADVERTISEMENT
#62 21633267 12 Aug 2025 17:42

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #62
21633267 12 Aug 2025 17:42

divadiow wrote:
https://github.com/ouaibe/dreo-cloudcutter

very interesting but ltchiptool gives me lots of ValueError: Invalid Magic 1 (b'\x0e\x00\x00\xea'), ValueError: Input file is not 34-byte aligned and segfaults, can't read chip nor identify
ADVERTISEMENT
#63 21633280 12 Aug 2025 18:05

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #63
21633280 12 Aug 2025 18:05

Yes. I mean the unCRC bit specifically further down in the article. You can edit the python somewhere to not fail on 34 byte alignment. Cutting the app partition out from 0x11000 and feeding that in I did not get 34 byte error
#64 21633312 12 Aug 2025 18:47

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #64
21633312 12 Aug 2025 18:47

great! I'll try.
In my ignorance it's incredible that there is a CRC16 every 32 bytes!!!!
Anyway I tried to calculate CRC for the first 32 bytes with every available model and I didn't get the result of bytes 33-34.
I'll check later... thanks a lot!
#65 21633326 12 Aug 2025 19:08

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #65
21633326 12 Aug 2025 19:08

I could be wrong of course. Good luck!
#66 21633412 12 Aug 2025 21:21

Laloshifrin Laloshifrin

Level 9

Helpful post? (+1)

Post #66
21633412 12 Aug 2025 21:21

Still don't know how ltchiptool calculates CRC but I changed one character of wifi password and added correct CRC. Worked like a charm!!! Booted correctly and I can connect to wifi in AP mode with the new password. Little step.... next one is feeding Ghidra with the uncrcd app partition and next is analyze ltchiptool python scripts to understand how it calculates CRC (just curious). I'll let you know and possibly ask for help. Hoping to eventually modify software to trigger mpeg_server on boot. Thank you.
ADVERTISEMENT
#67 21634096 13 Aug 2025 17:27

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #67
21634096 13 Aug 2025 17:27

For anybody interested... the firmware on my BK7252N (I assume also others) uses CRC16 CMS variant (model). ltchiptool library crc16 class contains over 50 different models and uses "CMS" for BEKEN72XX.
CMS poly=0x8005, init=0xFFFF, ref=False, out=0x0000
#68 21635182 15 Aug 2025 00:55

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #68
21635182 15 Aug 2025 00:55

There's a gzipped json file in application partition:
{"base":{"protocol":"pprpc","encode":1,"encrypt":3,"sec_code":0,"hb_interval":0,"offline_cmd":1,"offlime_interval":10,"led":0,"battery":1,"send_mode":0,"apsec":0,"events":[9,12,255],"tamper":0,"sync_name":0,"threshold":0,"file_forwarding":1,"reboot_time":60,"multi_rom":0,"multi_rom_names":[],"sleep_recv":0,"contact":0,"var_chan":0,"pbs_len":256,"multi_msg":0,"unbind":1,"only_matter":0,"time_task":0,"datacid":[],"spu_type":[],"notify_add":0,"dp":0},"mconf":[{"class_code":"IPAV","conf":{"spec":1,"audio":2,"mic":1,"speaker":0,"siren":0,"light":0,"pixel":[2,1,3],"pixel_local":[0],"sdcard":1,"aspect_ratio":"4:3","motionzones":1,"ptz":0,"face":0,"clouds":2,"can_buy":0,"zoom":1,"ai_vendor":0,"pir":{"num":0,"ranging":0,"values":[0,1,2,3]},"num":0,"flip":1,"app_rotate":0,"view_rec":0,"osd":2,"psp":0,"cruise":0,"sound_detect":0,"audio_codec":0,"video_codec":0,"gps":1,"local_httpdown":1,"remote_action":0,"night_light":0,"vqos":[],"record_mode":0,"link":1,"power_freq":[0,50,60],"low_power_state":0,"ircut_level":1,"auto_close":1,"ap":2,"video":0,"ring_expired":0,"motion_grid_scale":"4:3","render":1,"chans":1,"dec_mix":1}}],"support_cmds":[{"class_code":"PUBLIC","cmds":[60]},{"class_code":"IPAV","cmds":[2600,2601,2602,2603,2610,2611,2612,2613,2614,2615,2616,2617,2625,2626,2627,2628,2630,2631,2632,2635,2636,2639,2640,2647,2648,2649,2650,2661,2662,2663,2664,2685,2780,551,573,574,575,576,587,577,578,582,584,585,579,580,581,586,590,560]}]}
It seems more like descriptive of device characteristics but I'm wondering if modifying "local_httpdown" or "video" variables something good could happen...
Anybody dealt with anything similar?

Added after 3 [hours] 39 [minutes]:

Last two lines must be RPC commands. 2610 is VideoPlay.
All happens through TCP port 20190. Sniffed traffic... hope I can catch a magic packet.

Added after 34 [minutes]:

Traffic must be encrypted 🤬
I don't even know protocol...
I know it's an mpeg stream. In your experience those devices use HTTP, RTP or some raw proprietary protocol?
#69 21635760 15 Aug 2025 16:21

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #69
21635760 15 Aug 2025 16:21

I'm watching with interest. I don't know the answers to your latest questions, but please keep updating the thread with new findings
#70 21635792 15 Aug 2025 16:53

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #70
21635792 15 Aug 2025 16:53

Wouldn't this help? We can access this camera stream... if it's the same camera.
https://www.elektroda.com/rtvforum/topic4117962.html

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#71 21635815 15 Aug 2025 17:41

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #71
21635815 15 Aug 2025 17:41

I already read that thread but unfortunately cam-reverse doesn't work on this camera. Camera is similar but not the same. I'll try to post some pictures...

Added after 23 [minutes]:

Here's my cam:

Added after 6 [minutes]:

https://www.aliexpress.us/item/3256807542361615.html
#72 21636791 17 Aug 2025 09:56

Testerrr Testerrr

Level 25

» | Helpful post? (0)

Post #72
21636791 17 Aug 2025 09:56

p.kaczmarek2 wrote:
Wouldn't that help? We can access the stream from that camera.... If it's the same camera.
https://www.elektroda.com/rtvforum/topic4117962.html

The cam-reverse is for cameras based on the TXW817a, not the BK7252N.
Post 19 and 24 mentions unsuccessful attempts to extract the stream from BK7252N based cameras using cam-reverse.
#73 21641673 22 Aug 2025 17:46

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #73
21641673 22 Aug 2025 17:46

Almost stuck...
ADVERTISEMENT
#74 21644182 25 Aug 2025 15:59

cristianizaquita cristianizaquita

Level 1

Helpful post? (0)

Post #74
21644182 25 Aug 2025 15:59

Hello!

I have the same camera (A9) with the same chip BK7252NQN481 AU4508XA INO-IPC-A9-V2.4.

There is a tutorial how to change the firmware to an opensource one?

Thanks.
#75 21644712 26 Aug 2025 01:36

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #75
21644712 26 Aug 2025 01:36

This thread contains everything you need though at the moment afaik there's no readymade firmware with cam support. Anyway wait for gurus confirmation about what I wrote.
#76 21644729 26 Aug 2025 03:13

insmod insmod

Level 29

Helpful post? (+1)

Post #76
21644729 26 Aug 2025 03:13

While there is a firmware that can boot, there is no support for cameras.
The only things you would've been able to do is control leds, buttons and get battery voltage.
#77 21703243 28 Sep 2025 15:43

insmod insmod

Level 29

Helpful post? (+2)

Post #77
21703243 28 Sep 2025 15:43

Received my order of 4 cameras.
One of them is TXW817-810, but 3 others are ALL BK7252N.
One is the same as here, but with a blue PCB.
#78 21703251 28 Sep 2025 15:50

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #78
21703251 28 Sep 2025 15:50

interesting. I didn't know those X5 barrel types were also BK7252N. Not a surprise they vary though.

your TXW looks to be the same as @d1nuc0m's https://www.elektroda.com/rtvforum/topic4033757-120.html#21694718
#79 21703292 28 Sep 2025 16:44

insmod insmod

Level 29
Helpful post? (+1)

Post #79
21703292 28 Sep 2025 16:44

Cameras:
With this one - GC0329C
TXW817 A9 - SP0828
X5 - GC0310(a3)/GC0312(b3)
The square one, marked as INO-A13N-V2.2 - GC0329C

Added after 20 [minutes]:

This one backup is named 7252n, square one - 7252n_square.
Didn't take X5 backup, UART pins are difficult to solder, and i didn't bother because i need only one for a dev board.

Attachments:

backups.rar Download (1.86 MB)
#80 21703318 28 Sep 2025 16:46

insmod insmod

Level 29

Helpful post? (0)

Post #80
21703318 28 Sep 2025 16:46

There is no RF partition, only MAC as text at 0x1F6000
#81 21703655 28 Sep 2025 21:23

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #81
21703655 28 Sep 2025 21:23

insmod wrote:
TXW817 A9 - SP0828

im getting close(r) with SP0828 driver.

Can I trouble you for your backup of TXW when you get to that point?
#82 21704864 29 Sep 2025 21:54

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #82
21704864 29 Sep 2025 21:54

insmod wrote:
i need only one for a dev board.

would be interested to know how far you go with one. removing resistors and components to get as many pure IOs as possible? sticking to test pads only?

I never did make anything yet with any of the cams. I don't have a 3D printer so decent casing is maybe an issue.
#83 21706769 01 Oct 2025 16:52

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #83
21706769 01 Oct 2025 16:52

One of them is identical to mine. Hope you can do something with it. I gave up after trying to replicate sniffed traffic with scapy. Camera reacts but no stream. Also traffic is encrypted with no known patterns and also with strange packets over 5k in size! Think new firmware is the only way to go. Please keep us updated! 😊
#84 21706771 01 Oct 2025 16:55

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #84
21706771 01 Oct 2025 16:55

Currently I'm trying to make a better SPI flasher for them so development is easier:

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#85 21706777 01 Oct 2025 16:59

insmod insmod

Level 29

Helpful post? (0)

Post #85
21706777 01 Oct 2025 16:59

Well, it all depends on which chip your camera is using.
If BK7252U or BK7252N - then camera support looks to be pretty far away.
If TXW817 - then camera already works and can be used right away.
TXW806 - not supported, but it probably can be
#86 21706792 01 Oct 2025 17:11

Laloshifrin Laloshifrin

Level 9

Helpful post? (0)

Post #86
21706792 01 Oct 2025 17:11

Laloshifrin wrote:
I already read that thread but unfortunately cam-reverse doesn't work on this camera. Camera is similar but not the same. I'll try to post some pictures...

Added after 23 [minutes]:

Here's my cam:

Added after 6 [minutes]:

https://www.aliexpress.us/item/3256807542361615.html

it has BK7252N
#87 21706838 01 Oct 2025 17:55

divadiow divadiow

Level 36

Topic author Helpful post? (0)

Post #87
21706838 01 Oct 2025 17:55

insmod wrote:
TXW806 - not supported, but it probably can be

still yet to get a TXW806
#88 21708747 03 Oct 2025 14:09

divadiow divadiow

Level 36

Topic author Helpful post? (+1)

Post #88
21708747 03 Oct 2025 14:09

A9 BK7252N arrived. item number https://www.aliexpress.com/item/1005008148506131.html
#89 21708766 03 Oct 2025 14:27

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #89
21708766 03 Oct 2025 14:27

Yes! Do a flash backup!
(also pls include screenshot from alie because this link will expire probably relatively soon)

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#90 21708767 03 Oct 2025 17:36

divadiow divadiow

Level 36

Topic author Helpful post? (+1)

Post #90
21708767 03 Oct 2025 17:36

p.kaczmarek2 wrote:
Yes! Do a flash backup!

always

p.kaczmarek2 wrote:
(also pls include screenshot from alie because this link will expire probably relatively soon)

added

Added after 3 [hours] 7 [minutes]:

>>21708747

another Linklemo/XCThings device.
Code: Text
Log in, to see the code

Spoiler:
Backup name has not been set, so output file will only contain flash type/date.

Starting read!
Read parms: start 0x00 (sector 0), len 0x200000 (0 sectors)
Now is: 03 October 2025 16:22:15.
Flasher mode: BK7252N
Going to open port: COM51.
Serial port open!
Getting bus... (now, please do reboot by CEN or by power off/on)
Getting bus success!
Going to set baud rate setting (921600)!
Will try to read device flash MID (for unprotect N):
Flash MID loaded: 1560EB
Will now search for Flash def in out database...
Flash def found! For: 1560EB
Flash information: mid: 1560EB, icName: TH25Q16HB, manufacturer: TH, szMem: 200000, szSR: 2, cwUnp: 0, cwEnp: 7, cwMsk: 407C, sb: 2, lb: 5, cwdRd: 05-35-FF-FF, cwdWr: 01-FF-FF-FF
Flash size is 2MB
Entering SetProtectState(True)...
sr: 0
sr: 0
final sr: 0
msk: 407c
cw: 0, sb: 2, lb: 5
bfd: 0
SetProtectState(True) success!
Going to start reading at offset 0x00...
Reading 0x00... Ok! Reading 0x1000... Ok! Reading 0x2000... Ok! Reading 0x3000... Ok! Reading 0x4000... Ok! Reading 0x5000... Ok! Reading 0x6000... Ok! Reading 0x7000... Ok! Reading 0x8000... Ok! Reading 0x9000... Ok! Reading 0xA000... Ok! Reading 0xB000... Ok! Reading 0xC000... Ok! Reading 0xD000... Ok! Reading 0xE000... Ok! Reading 0xF000... Ok! Reading 0x10000... Ok! Reading 0x11000... Ok! Reading 0x12000... Ok! Reading 0x13000... Ok! Reading 0x14000... Ok! Reading 0x15000... Ok! Reading 0x16000... Ok! Reading 0x17000... Ok! Reading 0x18000... Ok! Reading 0x19000... Ok! Reading 0x1A000... Ok! Reading 0x1B000... Ok! Reading 0x1C000... Ok! Reading 0x1D000... Ok! Reading 0x1E000... Ok! Reading 0x1F000... Ok! Reading 0x20000... Ok! Reading 0x21000... Ok! Reading 0x22000... Ok! Reading 0x23000... Ok! Reading 0x24000... Ok! Reading 0x25000... Ok! Reading 0x26000... Ok! Reading 0x27000... Ok! Reading 0x28000... Ok! Reading 0x29000... Ok! Reading 0x2A000... Ok! Reading 0x2B000... Ok! Reading 0x2C000... Ok! Reading 0x2D000... Ok! Reading 0x2E000... Ok! Reading 0x2F000... Ok! Reading 0x30000... Ok! Reading 0x31000... Ok! Reading 0x32000... Ok! Reading 0x33000... Ok! Reading 0x34000... Ok! Reading 0x35000... Ok! Reading 0x36000... Ok! Reading 0x37000... Ok! Reading 0x38000... Ok! Reading 0x39000... Ok! Reading 0x3A000... Ok! Reading 0x3B000... Ok! Reading 0x3C000... Ok! Reading 0x3D000... Ok! Reading 0x3E000... Ok! Reading 0x3F000... Ok! Reading 0x40000... Ok! Reading 0x41000... Ok! Reading 0x42000... Ok! Reading 0x43000... Ok! Reading 0x44000... Ok! Reading 0x45000... Ok! Reading 0x46000... Ok! Reading 0x47000... Ok! Reading 0x48000... Ok! Reading 0x49000... Ok! Reading 0x4A000... Ok! Reading 0x4B000... Ok! Reading 0x4C000... Ok! Reading 0x4D000... Ok! Reading 0x4E000... Ok! Reading 0x4F000... Ok! Reading 0x50000... Ok! Reading 0x51000... Ok! Reading 0x52000... Ok! Reading 0x53000... Ok! Reading 0x54000... Ok! Reading 0x55000... Ok! Reading 0x56000... Ok! Reading 0x57000... Ok! Reading 0x58000... Ok! Reading 0x59000... Ok! Reading 0x5A000... Ok! Reading 0x5B000... Ok! Reading 0x5C000... Ok! Reading 0x5D000... Ok! Reading 0x5E000... Ok! Reading 0x5F000... Ok! Reading 0x60000... Ok! Reading 0x61000... Ok! Reading 0x62000... Ok! Reading 0x63000... Ok! Reading 0x64000... Ok! Reading 0x65000... Ok! Reading 0x66000... Ok! Reading 0x67000... Ok! Reading 0x68000... Ok! Reading 0x69000... Ok! Reading 0x6A000... Ok! Reading 0x6B000... Ok! Reading 0x6C000... Ok! Reading 0x6D000... Ok! Reading 0x6E000... Ok! Reading 0x6F000... Ok! Reading 0x70000... Ok! Reading 0x71000... Ok! Reading 0x72000... Ok! Reading 0x73000... Ok! Reading 0x74000... Ok! Reading 0x75000... Ok! Reading 0x76000... Ok! Reading 0x77000... Ok! Reading 0x78000... Ok! Reading 0x79000... Ok! Reading 0x7A000... Ok! Reading 0x7B000... Ok! Reading 0x7C000... Ok! Reading 0x7D000... Ok! Reading 0x7E000... Ok! Reading 0x7F000... Ok! Reading 0x80000... Ok! Reading 0x81000... Ok! Reading 0x82000... Ok! Reading 0x83000... Ok! Reading 0x84000... Ok! Reading 0x85000... Ok! Reading 0x86000... Ok! Reading 0x87000... Ok! Reading 0x88000... Ok! Reading 0x89000... Ok! Reading 0x8A000... Ok! Reading 0x8B000... Ok! Reading 0x8C000... Ok! Reading 0x8D000... Ok! Reading 0x8E000... Ok! Reading 0x8F000... Ok! Reading 0x90000... Ok! Reading 0x91000... Ok! Reading 0x92000... Ok! Reading 0x93000... Ok! Reading 0x94000... Ok! Reading 0x95000... Ok! Reading 0x96000... Ok! Reading 0x97000... Ok! Reading 0x98000... Ok! Reading 0x99000... Ok! Reading 0x9A000... Ok! Reading 0x9B000... Ok! Reading 0x9C000... Ok! Reading 0x9D000... Ok! Reading 0x9E000... Ok! Reading 0x9F000... Ok! Reading 0xA0000... Ok! Reading 0xA1000... Ok! Reading 0xA2000... Ok! Reading 0xA3000... Ok! Reading 0xA4000... Ok! Reading 0xA5000... Ok! Reading 0xA6000... Ok! Reading 0xA7000... Ok! Reading 0xA8000... Ok! Reading 0xA9000... Ok! Reading 0xAA000... Ok! Reading 0xAB000... Ok! Reading 0xAC000... Ok! Reading 0xAD000... Ok! Reading 0xAE000... Ok! Reading 0xAF000... Ok! Reading 0xB0000... Ok! Reading 0xB1000... Ok! Reading 0xB2000... Ok! Reading 0xB3000... Ok! Reading 0xB4000... Ok! Reading 0xB5000... Ok! Reading 0xB6000... Ok! Reading 0xB7000... Ok! Reading 0xB8000... Ok! Reading 0xB9000... Ok! Reading 0xBA000... Ok! Reading 0xBB000... Ok! Reading 0xBC000... Ok! Reading 0xBD000... Ok! Reading 0xBE000... Ok! Reading 0xBF000... Ok! Reading 0xC0000... Ok! Reading 0xC1000... Ok! Reading 0xC2000... Ok! Reading 0xC3000... Ok! Reading 0xC4000... Ok! Reading 0xC5000... Ok! Reading 0xC6000... Ok! Reading 0xC7000... Ok! Reading 0xC8000... Ok! Reading 0xC9000... Ok! Reading 0xCA000... Ok! Reading 0xCB000... Ok! Reading 0xCC000... Ok! Reading 0xCD000... Ok! Reading 0xCE000... Ok! Reading 0xCF000... Ok! Reading 0xD0000... Ok! Reading 0xD1000... Ok! Reading 0xD2000... Ok! Reading 0xD3000... Ok! Reading 0xD4000... Ok! Reading 0xD5000... Ok! Reading 0xD6000... Ok! Reading 0xD7000... Ok! Reading 0xD8000... Ok! Reading 0xD9000... Ok! Reading 0xDA000... Ok! Reading 0xDB000... Ok! Reading 0xDC000... Ok! Reading 0xDD000... Ok! Reading 0xDE000... Ok! Reading 0xDF000... Ok! Reading 0xE0000... Ok! Reading 0xE1000... Ok! Reading 0xE2000... Ok! Reading 0xE3000... Ok! Reading 0xE4000... Ok! Reading 0xE5000... Ok! Reading 0xE6000... Ok! Reading 0xE7000... Ok! Reading 0xE8000... Ok! Reading 0xE9000... Ok! Reading 0xEA000... Ok! Reading 0xEB000... Ok! Reading 0xEC000... Ok! Reading 0xED000... Ok! Reading 0xEE000... Ok! Reading 0xEF000... Ok! Reading 0xF0000... Ok! Reading 0xF1000... Ok! Reading 0xF2000... Ok! Reading 0xF3000... Ok! Reading 0xF4000... Ok! Reading 0xF5000... Ok! Reading 0xF6000... Ok! Reading 0xF7000... Ok! Reading 0xF8000... Ok! Reading 0xF9000... Ok! Reading 0xFA000... Ok! Reading 0xFB000... Ok! Reading 0xFC000... Ok! Reading 0xFD000... Ok! Reading 0xFE000... Ok! Reading 0xFF000... Ok! Reading 0x100000... Ok! Reading 0x101000... Ok! Reading 0x102000... Ok! Reading 0x103000... Ok! Reading 0x104000... Ok! Reading 0x105000... Ok! Reading 0x106000... Ok! Reading 0x107000... Ok! Reading 0x108000... Ok! Reading 0x109000... Ok! Reading 0x10A000... Ok! Reading 0x10B000... Ok! Reading 0x10C000... Ok! Reading 0x10D000... Ok! Reading 0x10E000... Ok! Reading 0x10F000... Ok! Reading 0x110000... Ok! Reading 0x111000... Ok! Reading 0x112000... Ok! Reading 0x113000... Ok! Reading 0x114000... Ok! Reading 0x115000... Ok! Reading 0x116000... Ok! Reading 0x117000... Ok! Reading 0x118000... Ok! Reading 0x119000... Ok! Reading 0x11A000... Ok! Reading 0x11B000... Ok! Reading 0x11C000... Ok! Reading 0x11D000... Ok! Reading 0x11E000... Ok! Reading 0x11F000... Ok! Reading 0x120000... Ok! Reading 0x121000... Ok! Reading 0x122000... Ok! Reading 0x123000... Ok! Reading 0x124000... Ok! Reading 0x125000... Ok! Reading 0x126000... Ok! Reading 0x127000... Ok! Reading 0x128000... Ok! Reading 0x129000... Ok! Reading 0x12A000... Ok! Reading 0x12B000... Ok! Reading 0x12C000... Ok! Reading 0x12D000... Ok! Reading 0x12E000... Ok! Reading 0x12F000... Ok! Reading 0x130000... Ok! Reading 0x131000... Ok! Reading 0x132000... Ok! Reading 0x133000... Ok! Reading 0x134000... Ok! Reading 0x135000... Ok! Reading 0x136000... Ok! Reading 0x137000... Ok! Reading 0x138000... Ok! Reading 0x139000... Ok! Reading 0x13A000... Ok! Reading 0x13B000... Ok! Reading 0x13C000... Ok! Reading 0x13D000... Ok! Reading 0x13E000... Ok! Reading 0x13F000... Ok! Reading 0x140000... Ok! Reading 0x141000... Ok! Reading 0x142000... Ok! Reading 0x143000... Ok! Reading 0x144000... Ok! Reading 0x145000... Ok! Reading 0x146000... Ok! Reading 0x147000... Ok! Reading 0x148000... Ok! Reading 0x149000... Ok! Reading 0x14A000... Ok! Reading 0x14B000... Ok! Reading 0x14C000... Ok! Reading 0x14D000... Ok! Reading 0x14E000... Ok! Reading 0x14F000... Ok! Reading 0x150000... Ok! Reading 0x151000... Ok! Reading 0x152000... Ok! Reading 0x153000... Ok! Reading 0x154000... Ok! Reading 0x155000... Ok! Reading 0x156000... Ok! Reading 0x157000... Ok! Reading 0x158000... Ok! Reading 0x159000... Ok! Reading 0x15A000... Ok! Reading 0x15B000... Ok! Reading 0x15C000... Ok! Reading 0x15D000... Ok! Reading 0x15E000... Ok! Reading 0x15F000... Ok! Reading 0x160000... Ok! Reading 0x161000... Ok! Reading 0x162000... Ok! Reading 0x163000... Ok! Reading 0x164000... Ok! Reading 0x165000... Ok! Reading 0x166000... Ok! Reading 0x167000... Ok! Reading 0x168000... Ok! Reading 0x169000... Ok! Reading 0x16A000... Ok! Reading 0x16B000... Ok! Reading 0x16C000... Ok! Reading 0x16D000... Ok! Reading 0x16E000... Ok! Reading 0x16F000... Ok! Reading 0x170000... Ok! Reading 0x171000... Ok! Reading 0x172000... Ok! Reading 0x173000... Ok! Reading 0x174000... Ok! Reading 0x175000... Ok! Reading 0x176000... Ok! Reading 0x177000... Ok! Reading 0x178000... Ok! Reading 0x179000... Ok! Reading 0x17A000... Ok! Reading 0x17B000... Ok! Reading 0x17C000... Ok! Reading 0x17D000... Ok! Reading 0x17E000... Ok! Reading 0x17F000... Ok! Reading 0x180000... Ok! Reading 0x181000... Ok! Reading 0x182000... Ok! Reading 0x183000... Ok! Reading 0x184000... Ok! Reading 0x185000... Ok! Reading 0x186000... Ok! Reading 0x187000... Ok! Reading 0x188000... Ok! Reading 0x189000... Ok! Reading 0x18A000... Ok! Reading 0x18B000... Ok! Reading 0x18C000... Ok! Reading 0x18D000... Ok! Reading 0x18E000... Ok! Reading 0x18F000... Ok! Reading 0x190000... Ok! Reading 0x191000... Ok! Reading 0x192000... Ok! Reading 0x193000... Ok! Reading 0x194000... Ok! Reading 0x195000... Ok! Reading 0x196000... Ok! Reading 0x197000... Ok! Reading 0x198000... Ok! Reading 0x199000... Ok! Reading 0x19A000... Ok! Reading 0x19B000... Ok! Reading 0x19C000... Ok! Reading 0x19D000... Ok! Reading 0x19E000... Ok! Reading 0x19F000... Ok! Reading 0x1A0000... Ok! Reading 0x1A1000... Ok! Reading 0x1A2000... Ok! Reading 0x1A3000... Ok! Reading 0x1A4000... Ok! Reading 0x1A5000... Ok! Reading 0x1A6000... Ok! Reading 0x1A7000... Ok! Reading 0x1A8000... Ok! Reading 0x1A9000... Ok! Reading 0x1AA000... Ok! Reading 0x1AB000... Ok! Reading 0x1AC000... Ok! Reading 0x1AD000... Ok! Reading 0x1AE000... Ok! Reading 0x1AF000... Ok! Reading 0x1B0000... Ok! Reading 0x1B1000... Ok! Reading 0x1B2000... Ok! Reading 0x1B3000... Ok! Reading 0x1B4000... Ok! Reading 0x1B5000... Ok! Reading 0x1B6000... Ok! Reading 0x1B7000... Ok! Reading 0x1B8000... Ok! Reading 0x1B9000... Ok! Reading 0x1BA000... Ok! Reading 0x1BB000... Ok! Reading 0x1BC000... Ok! Reading 0x1BD000... Ok! Reading 0x1BE000... Ok! Reading 0x1BF000... Ok! Reading 0x1C0000... Ok! Reading 0x1C1000... Ok! Reading 0x1C2000... Ok! Reading 0x1C3000... Ok! Reading 0x1C4000... Ok! Reading 0x1C5000... Ok! Reading 0x1C6000... Ok! Reading 0x1C7000... Ok! Reading 0x1C8000... Ok! Reading 0x1C9000... Ok! Reading 0x1CA000... Ok! Reading 0x1CB000... Ok! Reading 0x1CC000... Ok! Reading 0x1CD000... Ok! Reading 0x1CE000... Ok! Reading 0x1CF000... Ok! Reading 0x1D0000... Ok! Reading 0x1D1000... Ok! Reading 0x1D2000... Ok! Reading 0x1D3000... Ok! Reading 0x1D4000... Ok! Reading 0x1D5000... Ok! Reading 0x1D6000... Ok! Reading 0x1D7000... Ok! Reading 0x1D8000... Ok! Reading 0x1D9000... Ok! Reading 0x1DA000... Ok! Reading 0x1DB000... Ok! Reading 0x1DC000... Ok! Reading 0x1DD000... Ok! Reading 0x1DE000... Ok! Reading 0x1DF000... Ok! Reading 0x1E0000... Ok! Reading 0x1E1000... Ok! Reading 0x1E2000... Ok! Reading 0x1E3000... Ok! Reading 0x1E4000... Ok! Reading 0x1E5000... Ok! Reading 0x1E6000... Ok! Reading 0x1E7000... Ok! Reading 0x1E8000... Ok! Reading 0x1E9000... Ok! Reading 0x1EA000... Ok! Reading 0x1EB000... Ok! Reading 0x1EC000... Ok! Reading 0x1ED000... Ok! Reading 0x1EE000... Ok! Reading 0x1EF000... Ok! Reading 0x1F0000... Ok! Reading 0x1F1000... Ok! Reading 0x1F2000... Ok! Reading 0x1F3000... Ok! Reading 0x1F4000... Ok! Reading 0x1F5000... Ok! Reading 0x1F6000... Ok! Reading 0x1F7000... Ok! Reading 0x1F8000... Ok! Reading 0x1F9000... Ok! Reading 0x1FA000... Ok! Reading 0x1FB000... Ok! Reading 0x1FC000... Ok! Reading 0x1FD000... Ok! Reading 0x1FE000... Ok! Reading 0x1FF000... Ok!
Basic read operation finished, but now it's time to verify...
Starting CRC check for 512 sectors, starting at offset 0x00
CRC matches 0x3EFBEAEB!
All read!
Loaded total 0x200000 bytes
Wrote 2097152 to readResult_BK7252N_QIO_2025-03-10-16-22-54.bin
Backup created, now will attempt to extract OBK config.
It's not an OBK config, header is bad
OBK config not found.
Backup created, now will attempt to extract Tuya config.
Failed to extract Tuya keys - magic constant header not found in binary
Sorry, failed to find Tuya Config in backup binary.

https://github.com/openshwprojects/FlashDumps...mits/fb257d97171a68c62b111014448e6dded70e512d
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion focuses on the Shenzhen Pinmei / Linklemo A9 Mini Wi-Fi Camera featuring the Beken BK7252NQN481 chipset. This budget smart camera, often sold for around $1 USD, is marketed with exaggerated claims such as 4K resolution and advanced AI features. Technical analysis reveals the device uses a BK7252N chip, with bootloader and firmware characteristics similar to BK7231 series but distinct in memory mapping and encryption behavior. The camera sensor identified is the GC0329C (GalaxyCore 0.3MP, 640x480@15fps). Firmware dumping and boot log extraction have been performed via serial pads and SPI interfaces, with attempts to flash BK7238 binaries unsuccessful. The device broadcasts an access point (SSID: LLM_H0A9_xxxxxx) with default key, assigning IP 192.168.9.252, exposing several open TCP/UDP ports. Local video stream access is possible without firmware modification, but pairing requires cloud interaction via the Linklemo app, which demands registration and communicates with external servers. Efforts to bypass cloud dependency have been limited by pairing timeouts and app restrictions. OpenBK7231T firmware support for BK7252N is in development, with recent successful OTA flashing and boot logs indicating stable operation. Memory management issues such as realloc instability on BK7252N are under investigation. The community is exploring creating development boards from these cameras and expanding device support tags for better cataloging. Overall, the device is a low-cost, partially hackable smart camera with limited local control and ongoing firmware development efforts.
Summary generated by the language model.

FAQ

TL;DR: The Pinmei/Linklemo A9 mini-camera uses a Beken BK7252NQN481 Wi-Fi MCU. You can read its entire 2 MB flash, disable/alter protections, and load OpenBK7231 firmware via UART or SPI. OpenBK boots and OTA-updates cleanly, while the stock app streams MJPEG video at about 10 fps (640 × 480) in AP mode [Elektroda, divadiow, post #21526681]

Quick Facts


• MCU : Beken BK7252NQN481, Cortex-M4F, 120 MHz [Beken Datasheet, 2023]
• On-chip Flash : 2 MiB mapped; device reports 4 MiB wrap-around [Elektroda, insmod, post #21527046]
• Video Sensor : GalaxyCore GC0329C, 0.3 MP, 640 × 480 @ 15 fps max [Elektroda, divadiow, post #21528651]
• Default AP : SSID “LLM_H0A9_xxxxxx”, password “12345678” [Elektroda, divadiow, post #21529763]
• Stock Ports : TCP 20023/20190, UDP 20190/62562, DHCP 67 [Elektroda, divadiow, post #21529763]

What microcontroller is inside the square Pinmei/Linklemo A9 camera?

It uses a Beken BK7252NQN481 SoC, an ARM Cortex-M4F Wi-Fi/BT chip with integrated 2 MiB flash and 256 KiB SRAM [Beken Datasheet, 2023; Elektroda, divadiow, #21526681].

Is the internal flash 2 MiB or 4 MiB?

The silicon contains 2 MiB, but the boot ROM lets addresses wrap after 0x200000. Tools therefore show a virtual 4 MiB space, with the upper half mirroring the lower [Elektroda, insmod, post #21527046]

Can I dump the firmware?

Yes. BKFIL 3.0.1.4 reads 0x0-0x200000 over UART in 191 s without disabling protection [Elektroda, divadiow, post #21526681] SPI pads (TDI,TDO,TMS,TCK) also accept standard CH341A ISP.

Is the vendor firmware encrypted?

No. Full flash contains readable ASCII strings; the reported efuse key 00E46D00 is only a placeholder when read-back is enabled [Elektroda, p.kaczmarek2, post #21526914]

Which pads are JTAG/SPI?

Pads labelled TDI and TDO sit beside the camera ribbon; two un-marked pads near them carry TMS and TCK, giving a complete 4-wire SW-JTAG/SPI interface [Elektroda, divadiow, post #21526681]

How do I enter the UART bootloader?

Connect RX1/TX1 to a USB-TTL adapter at 115200 bps and momentarily pull CEN low during power-up. BKFIL auto-detects the chip as BK7252N and opens the ROM monitor [Elektroda, divadiow, post #21526681]

Does OpenBK7231 firmware run on BK7252N?

Yes. Build 1680_merge_55ebe0a12aba boots, controls GPIO P2 (blue LED), and supports OTA upgrades both ways without crashes [Elektroda, divadiow, post #21584909]

How can I view video without the Linklemo cloud?

When the camera is in pairing mode it runs a Soft-AP (192.168.9.252). However, the vendor protocol on TCP 20023/20190 is proprietary. Community tools have not yet decoded it, so local MJPEG requires custom firmware [Elektroda, Testerrr, post #21540472]

What stream rate does the stock firmware provide?

Boot logs show JPEG frames reported at 10 fps with a 60 KB average chunk size, indicating ~4.8 Mbit/s peak throughput [Elektroda, divadiow, post #21529763]

Does realloc still corrupt memory on BK7252N?

Developers observed occasional byte corruption; wrapping realloc to os_realloc inside hal_main_bk7231.c avoids the issue on both BK7231T and BK7252N [Elektroda, p.kaczmarek2, post #21587279]

Is Deep-Sleep supported?

Deep-Sleep works; the recent PR modified only SDK wrappers and did not change functional paths [Elektroda, insmod, post #21587275]

What OTA partition layout does OpenBK use?

Bootloader (0x0-0x10000), App (0x10000-0x132000), Download (0x132000-0x1E0000). OTA writes to Download, verifies, then swaps vector to App [Elektroda, OTA log, post #21584909]