Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

eastarctica 1170 11

📢 Listen (AI):

Helpful post

Post #1

21600275 07 Jul 2025 22:52

Recently it seems there has been a lot of cheap earwax remover otoscope devices popping up on amazon/aliexpress/tiktok shop similar to this:

When powered on, the button will start flashing slowly, as well as the light for the camera will turn on. After a few seconds it will start its wifi network usually with an ssid like "Soulear-ae45b" where it seems to be very generically "Company-uniq" as another device seems to show up as "Suear-4670". My device was broadcasting under the MAC of "88:17:89:0d:0e:b0" and had dhcp assigning IPs starting at 192.168.1.10 with itself at 192.168.1.1.

Once connected on a phone, its app which seems to vary based on the device you pick up, but all of which are essentially identical, allows you to take video, pictures, switch ears from left/right, enable/disable the led, as well as switch between either wide/focused lenses or switch between "horizontal" and "mirror(?)". Some also seem to have a lock icon which I'm not sure what does.

They're very difficult to get into, and from what I can tell can't be gotten into without breaking the plastic in some way. If you're opting to take it apart and keep it looking nice, I think my approach would be cutting the seam or maybe heat or something to remove the glue holding it in. Once in, you're greeted by a 21(?) pin connector for the leds + camera, 2.7V 170mAh battery, and the main pcb. PCB has a few pads exposed, of which I may have torn off CE and CLK 😬:
- 3.3V + GND (from mcu)
- 5V + GND (from usb, although GND is shared)
- CE (CHIP_EN)
- DP (PC6, This is UART TX, RX is not exposed)
- CLK (PA10, TCLK)
- TMS (PA9)
- PA8 (USB_DET?)

These (mine at least) seem to be using the Taixen TXW816-810 which has been seen similarly with the A9 minicams seen here.

UART Logs
startup:

14:06:55.069 -> [0]40 00 97 00 a8 43 12 a0
14:06:55.069 -> [0]28 e0 00 00 00 00 00 00
14:06:55.070 -> [0]00 00 00 00 00 00 00 00
14:06:55.070 -> [0]88 17 89 0d 0e 2c 76 35
14:06:55.071 -> [0]86 65 89 67 9f 57 00 00
14:06:55.071 -> [0]80 00 bb 02 a0 f7 00 00
14:06:55.071 -> [0]00 15 00 00 08 14 00 00
14:06:55.072 -> [0]00 00 00 00 00 00 0c 00
14:06:55.072 -> [0]00 00 00 40 08 84 40 08
14:06:55.072 -> [0]8c c0 08 8c c0 08 94 00
14:06:55.073 -> [0]06 4b 3f fd 92 ff 04 4e
14:06:55.073 -> [0]f0 00 4f 00 de 01 02 02
14:06:55.073 -> [0]00 ff ff ff 0f b4 04 04
14:06:55.074 -> [0]02 04 04 06 06 1f 00 17
14:06:55.074 -> [0]00 02 3e 00 00 00 00 08
14:06:55.075 -> [0]00 00 00 00 00 30 12 00
14:06:55.075 -> [0]3c 3c 0f
14:06:55.075 -> [0]validity: 1579f00d

14:06:55.076 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
14:06:55.077 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
14:06:55.077 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
14:06:55.078 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
14:06:55.078 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
14:06:55.079 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
14:06:55.080 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
14:06:55.081 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
14:06:55.081 -> ------------------------------------------------------------------
14:06:55.082 -> [0] ------- system restart fault -----------
14:06:55.082 -> [0] ---------------------------------------
14:06:55.084 -> [1]freemem:160720
14:06:55.084 -> [1]custom_mem_init:2000c740
14:06:55.084 -> [1]custom mem sram:61440
14:06:55.085 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
14:06:55.086 -> [4]syscfg_read OK!
14:06:55.088 -> [4]old cfg_ver:259
14:06:55.192 -> ---xrh_io_init---

14:06:55.251 -> [154]------pwr_det_keep.........1
14:06:55.286 -> [204]------pwr_det_keep.........2
14:06:55.288 -> [205]lmac rx info size:36
14:06:55.288 -> [205]GAP0 : 20033b0c
14:06:55.288 -> [206]GAP1 : 20037f04
14:06:55.288 -> [206]lmac rx buff:20033b14, size:17392, hw rx buff size:11256, ampdu:7, max subfrm:3
14:06:55.290 -> [207]lmac priv: 2001bec4
14:06:55.290 -> [207]lmac tx  : 2001c278
14:06:55.290 -> [208]lmac rx  : 2001d444
14:06:55.290 -> [208]lmac ble rx: 00000000
14:06:55.291 -> [209]pack:8, bios_id:2
14:06:55.291 -> [209]use AMPM DPD!
14:06:55.291 -> [209]verf:0x5, ibpt:0x3, ibct:0x6, iref:0x6
14:06:55.292 -> [210]verfvco_trim:0x8, verfcp_trim:0x5, verfdiv_trim:0x5
14:06:55.292 -> [211]verfdsm_trim:0x4, verfvcc25_trim:0x1
14:06:55.293 -> [211]da cap:5, da gain:1
14:06:55.317 -> [214]txdcoc from:1, i:8, q:20
14:06:55.317 -> [214]tx imb from:1, pm:192, gm:0
14:06:55.318 -> [215]rx dcoc from:1
14:06:55.318 -> [216]g:0, ana:2112, i:11, q:3
14:06:55.318 -> [216]g:1, ana:2112, i:19, q:5
14:06:55.318 -> [216]g:2, ana:2112, i:18, q:4
14:06:55.318 -> [217]g:3, ana:2240, i:15, q:7
14:06:55.318 -> [217]g:4, ana:2240, i:14, q:7
14:06:55.318 -> [218]g:5, ana:2240, i:15, q:6
14:06:55.318 -> [218]g:6, ana:2240, i:15, q:7
14:06:55.318 -> [218]g:7, ana:2368, i:0, q:6
14:06:55.318 -> [219]rx imb from:1
14:06:55.318 -> [219]g:0, 8120, 4063
14:06:55.318 -> [220]g:1, 8120, 4064
14:06:55.318 -> [220]g:2, 8118, 4064
14:06:55.318 -> [220]g:3, 8120, 4062
14:06:55.318 -> [221]g:4, 8120, 4061
14:06:55.318 -> [221]g:5, 8122, 4061
14:06:55.318 -> [221]g:6, 8122, 4061
14:06:55.318 -> [221]g:7, 8116, 4062
14:06:55.318 -> [222]time offset:0, 23
14:06:55.318 -> [222]lmac test: 2001dbec
14:06:55.318 -> [223]lmac_bgn_lo_freq_set: 2432
14:06:55.318 -> [224]set rts_threshold =2304
14:06:55.318 -> [225]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:55.318 -> [225]*** open ADC success!

14:06:55.318 -> [226]*** add success: ADC channel cnt = 1, name:257

14:06:55.318 -> [227]*** add success: ADC channel cnt = 2, name:258

14:06:55.318 -> [227]*** add success: ADC channel cnt = 3, name:262

14:06:55.318 -> [228]*** delete success: ADC channel cnt = 2

14:06:55.318 -> [231]*** add success: ADC channel cnt = 3, name:1

14:06:55.366 -> [282]ad_pwr:2910 383
14:06:55.416 -> [332]ad_pwr:2853 376
14:06:55.465 -> [382]ad_pwr:2909 383
14:06:55.515 -> [432]ad_pwr:2991 394
14:06:55.564 -> [482]ad_pwr:2914 384
14:06:55.564 -> [482]poweron_ad_pwr:2915
14:06:55.615 -> [532]ad_pwr:2895 381
14:06:55.665 -> [582]ad_pwr:2906 383
14:06:55.716 -> [632]ad_pwr:2826 372
14:06:55.765 -> [682]ad_pwr:2939 387
14:06:55.814 -> [732]ad_pwr:2795 368
14:06:55.814 -> [732]poweron_ad_pwr:2872
14:06:55.865 -> [782]ad_pwr:2908 383
14:06:55.915 -> [832]ad_pwr:2930 386
14:06:55.966 -> [882]ad_pwr:2910 383
14:06:56.016 -> [932]ad_pwr:2859 376
14:06:56.066 -> [982]ad_pwr:2935 386
14:06:56.115 -> [1032]ad_pwr:2899 382
14:06:56.166 -> [1082]ad_pwr:2987 393
14:06:56.215 -> [1132]ad_pwr:2890 381
14:06:56.265 -> [1182]ad_pwr:3051 402
14:06:56.329 -> [1232]ad_pwr:2929 386
14:06:56.366 -> [1282]ad_pwr:2908 383
14:06:56.414 -> [1332]ad_pwr:2929 386
14:06:56.414 -> [1332]lmac_bgn_lo_freq_set: 2412
14:06:56.416 -> [1334]lmac_bgn_lo_freq_set: 2412
14:06:56.428 -> [1335]set rts_threshold =1600
14:06:56.428 -> [1336]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1337]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1337]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
14:06:56.428 -> [1338]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
14:06:56.428 -> [1339]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1339]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
14:06:56.428 -> [1340]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
14:06:56.428 -> [1341]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
14:06:56.428 -> [1342]lmac_bgn_lo_freq_set: 2432
14:06:56.428 -> [1343]inteface1: start scanning ...
14:06:56.428 -> [1344]vif1 state WPA_DISCONNECTED -> WPA_SCANNING
14:06:56.428 -> [1345]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.428 -> [1346]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.528 -> [1445]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.528 -> [1445]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.638 -> [1545]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.638 -> [1545]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.728 -> [1645]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.728 -> [1645]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.828 -> [1745]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.828 -> [1745]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:56.927 -> [1845]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:56.927 -> [1845]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.028 -> [1945]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.028 -> [1945]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.128 -> [2045]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.128 -> [2045]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.228 -> [2145]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.228 -> [2145]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.327 -> [2245]lmac dbg!!!mac addr err:00:00:00:00:00:00
14:06:57.327 -> [2245]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
14:06:57.427 -> [2345]lmac_bgn_lo_freq_set: 2432
14:06:57.429 -> [2346]lmac_bgn_lo_freq_set: 2412
14:06:57.430 -> [2348]inteface1: scan done!
14:06:57.457 -> [2356][0]===>REDACTED (network name)
14:06:57.457 -> [2356][1]===>REDACTED (network name)
14:06:57.457 -> [2356][2]===>REDACTED (network name)
14:06:57.457 -> [2356][3]===>]......"'O.Y.v*6.x}].,h...6BOa...0..T8.......V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S..
.4.YK........`.....W:>..^..w....[.
14:06:57.457 -> [2359][4]===>.....V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..
E.>Rd.C-!...V..`k;g..f.~NS_i|...
14:06:57.457 -> [2362][5]===>LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D...
.^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2365][6]===>i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2367][7]===>.h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2369][8]===>.......`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2370][9]===>C-!...V..`k;g..f.~NS_i|......^D....^y....j
14:06:57.457 -> u!"...

14:06:57.457 -> [2371][10]===>...j
14:06:57.457 -> u!"...

14:06:57.457 -> [2371][11]===>..PktK.:....^0%;u....}...[G. ..{?.j.^..^......cn.p..=..j..f.y3`_.u.;
14:06:57.457 -> [2372][12]===>......cn.p..=..j..f.y3`_.u.;
14:06:57.457 -> [2373][13]===>(.......B5..0JAZq.-.f.'g..;.kl....a.j.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3

14:06:57.458 -> .jm.i.v."t~....Z
14:06:57.458 -> [2376][14]===>.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.460 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.461 -> [2379][15]===>DY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.463 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.463 -> [2381][16]===>......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.465 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.465 -> [2383][17]===>.k....PZteSo.....o....%3.-&.....l...!..3
14:06:57.466 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.467 -> [2384][18]===>.!..3
14:06:57.467 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
14:06:57.468 -> [2385][19]===>......._F.g|.Th
14:06:57.468 -> [2386][20]===>..$.g...L.....m6.x..f.Y{.".v.3.3....P....'eAJI.*.>...X..$.,....K.F7].u.z.
14:06:57.469 -> [2387][21]===>P....'eAJI.*.>...X..$.,....K.F7].u.z.
14:06:57.470 -> [2387][22]===>W..X|.....|a.~.:.1..0.t .:>[..)#N..U...?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.471 -> [2389][23]===>.?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.472 -> [2390][24]===>d?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
14:06:57.473 -> [2391][25]===>...+}.|..M.ec...W&.c.`......R[@.
14:06:57.473 -> 5b..Z...9+..."b..X.j..N,...K.<r.
14:06:57.474 -> [2392][26]===>...9+..."b..X.j..N,...K.<r.
14:06:57.474 -> [2393][27]===> ......yd.m$.....d.mY..G.
14:06:57.475 -> i.O..q.@...7.....x....G.7.e~......sJ".pT.v
14:06:57.475 -> [2394][28]===>.....x....G.7.e~......sJ".pT.v
14:06:57.476 -> [2394][29]===>.^,...%.}.o.....@!W0H7.........V....Q#.lkP......to..c>.....c>_#\Oo
14:06:57.478 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.478 -> [2396][30]===>Q#.lkP......to..c>.....c>_#\Oo
14:06:57.479 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.479 -> [2397][31]===>.7.'LYc.C.:;3. d.....G..Dl.@.E..`
14:06:57.480 -> [2397]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:57.480 -> acs...
14:06:57.480 -> freq   bgrssi   ap    rx_sync   rx_err   txcnt     txtime   =>  noise factor
14:06:57.636 -> 2412    -93     0     0         10       39        152588       3912        
14:06:57.790 -> 2417    -93     0     0         4        36        149884       4163        
14:06:57.943 -> 2422    -92     4     5         4        35        150675       4305        
14:06:58.098 -> 2427    -94     3     3         3        36        151989       4221        
14:06:58.253 -> 2432    -92     2     2         5        35        152793       4365        
14:06:58.407 -> 2437    -92     4     4         6        36        150138       4170        
14:06:58.560 -> 2442    -92     3     7         9        34        150918       4438        
14:06:58.727 -> 2447    -93     5     9         15       36        163305       4536        
14:06:58.881 -> 2452    -92     2     3         8        36        151823       4217        
14:06:59.035 -> 2457    -93     0     0         14       37        150555       4069        
14:06:59.055 -> acs result: freq=2412, nf=3912
14:06:59.055 -> acs done
14:06:59.055 -> [3954]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:59.055 -> [3955]lmac_bgn_lo_freq_set: 2412
14:06:59.055 -> [40;31m[3957]ieee80211_ap_ioctl:164::set channel 1
14:06:59.055 -> [0m[3957]set ac= 0 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3958]set ac= 1 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3959]set ac= 2 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3959]set ac= 3 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
14:06:59.055 -> [3961]vif2 state WPA_DISCONNECTED -> WPA_COMPLETED
14:06:59.055 -> [3962]add w0 interface!
14:06:59.055 -> JPG start
14:06:59.055 -> [3963]csi_test start,iic init
14:06:59.055 -> [3964]iic init finish,sensor reset & set sensor clk into 6M
14:06:59.055 -> hgdvp_set_baudrate:clock:480000000
14:06:59.055 -> [3968]set sensor finish ,Auto Check sensor id
14:06:59.055 -> [3968]devSensorInitTable = 1804d148 1804d8a8
14:06:59.055 -> [3969]HI708 page0
14:06:59.055 -> [3970]SID: ff, 96, 60, 61,4
14:06:59.055 -> [3970]devSensorInitTable = 1804d348 1804d8a8
14:06:59.055 -> [3971]SID: ff, 63, 86, 87,1
14:06:59.055 -> [3972]devSensorInitTable = 1804d528 1804d8a8
14:06:59.055 -> [3973]SID: ff, de, 66, 67,1
14:06:59.056 -> [3973]devSensorInitTable = 1804b1e8 1804d8a8
14:06:59.056 -> [3974]SID: ff, 9b, 42, 43,0
14:06:59.057 -> [3974]devSensorInitTable = 1804b448 1804d8a8
14:06:59.057 -> [3975]SID: ff, a0, 42, 43,0
14:06:59.058 -> [3976]devSensorInitTable = 1804c088 1804d8a8
14:06:59.059 -> [3977]SID: ff, bb, 66, 67,f0
14:06:59.059 -> [3977]devSensorInitTable = 1804c608 1804d8a8
14:06:59.060 -> [3978]SID: ff, 10, 42, 43,f1
14:06:59.060 -> [3978]devSensorInitTable = 1804b7c8 1804d8a8
14:06:59.062 -> [3979]SID: ff, 9d, 42, 43,f0
14:06:59.062 -> [3980]devSensorInitTable = 1804c308 1804d8a8
14:06:59.063 -> result = 0
14:06:59.063 -> [3981]preset table num:2
14:06:59.064 -> [3981]SID: ff, c0, 62, 63,0
14:06:59.064 -> [3982]devSensorInitTable = 1804af28 1804d8a8
14:06:59.065 -> [3983]SID: 20, 3a, dc, dd,fc
14:06:59.066 -> [3983]devSensorInitTable = 1804ad68 1804d8a8
14:06:59.067 -> [3984]SID: a6, 3, dc, dd,fd
14:06:59.067 -> [3984]devSensorInitTable = 1804cfa8 1804d8a8
14:06:59.068 -> [3985]SID: a6, a6, dc, dd,fd
14:06:59.068 -> [3986]id =a6 num:11 sensor_id = 20a6
14:06:59.069 -> [3986]Auto Check sensor id finish
14:06:59.069 -> [3987]mclk:24000000MHz
14:06:59.069 -> hgdvp_set_baudrate:clock:480000000
14:06:59.070 -> [3987]init:1804cda0 u8Addrbytnum:1,u8Databytnum:1
14:06:59.072 -> [3988]SENSER....init
14:06:59.123 -> [4040]init table num:396
14:06:59.123 -> [4040]SENSR ident ok:480*480
14:06:59.123 -> [4040]csi init start  --
14:06:59.123 -> [4041]csi set size ====>480*480
14:06:59.124 -> [4041]csi dvp_size_set
14:06:59.124 -> [4042]csi IRQ init
14:06:59.124 -> [4042]dvpirq_register:1 180177b0  180177b0
14:06:59.125 -> [4042]dvpirq_register:0 1801779c  1801779c
14:06:59.125 -> [4043]vppirq_register:0 18017504  18017504
14:06:59.126 -> [4043]vppirq_register:1 18017948  18017948
14:06:59.126 -> [4044]vppirq_register:2 18017500  18017500
14:06:59.127 -> [4044]vppirq_register:3 1801776c  1801776c
14:06:59.128 -> [4045]vppirq_register:4 18017780  18017780
14:06:59.128 -> [4046]vppirq_register:5 180174f0  180174f0
14:06:59.128 -> [4046]vppirq_register:6 180174e0  180174e0
14:06:59.129 -> [4047]vppirq_register:7 180174d0  180174d0
14:06:59.130 -> [4047]csi IRQ init finish,start get data
14:06:59.131 -> eloop_init:287::start
14:06:59.131 -> user_eloop_run:309::run
14:06:59.134 -> [4051]dns sock :2
14:06:59.134 -> [test] init tcp server: port: 5007
14:06:59.134 -> ---tcp srvsock = 3---
14:06:59.135 -> [4052]ota num:0version:25841
14:06:59.135 -> [4053]OEM AP Default!
14:06:59.136 -> [4053]OEM NET Default!
14:06:59.136 -> [4053]OEM Firmware Default!
14:06:59.136 -> [4054]Camera TX Lib:Dec  1 2023 17:57:29
14:06:59.137 -> [4054]DVP No need Bank Size
14:06:59.137 -> [4055]client multi init
14:06:59.137 -> [4055]csock:4
14:06:59.139 -> [4055]psock:5
14:06:59.139 -> [4056]protoCtx OK!
14:06:59.139 -> [4056]eventCtx OK!
14:06:59.139 -> [4057]videoCtx OK!
14:06:59.139 -> [4057]i4 OK
14:06:59.140 -> g_sensor_init start,iic init:200014bc
14:06:59.140 -> init g_sensor,check id
14:06:59.140 -> addr:1 1 30 32
14:06:59.141 -> SID: ff, 11, 30, 32,f
14:06:59.141 -> addr:1 1 30 32
14:06:59.141 -> SID: ff, 11, 30, 32,f
14:06:59.142 -> addr:1 1 4e 50
14:06:59.142 -> SID: 13, 13, 4e, 50,1
14:06:59.142 -> id =13 num:2 
14:06:59.143 -> [4060]*** ADC module info: ADC channel repeat!!!

14:06:59.145 -> [4062]notify local[0/0]!
14:06:59.145 -> [4062]----WIFI_RUN_STATUS111----1
14:06:59.158 -> init table num:20
14:06:59.158 -> [4075][SYS]Capacity GSENSOR
14:06:59.158 -> [4075][SYS]Capacity:0x2
14:06:59.158 -> [4076][SYS]Capacity:0x3
14:06:59.159 -> version_str = HKV41   5
14:06:59.159 -> ----version_str = HKV41B   32
14:06:59.159 -> product_str = BK7231U-XRH-FBPRO
14:06:59.159 -> [4077][TX]Set Vendor: YPC
14:06:59.160 -> [4077][TX]Set Product: BK7231U-XRH-FBPRO
14:06:59.161 -> [4078][TX]Set Version: HKV41B
14:06:59.161 -> [4078]no this event(20005)...
14:06:59.161 -> [4079]scan down.......
14:06:59.289 -> [4206]inteface2 find new bss: b8:f8:53:5c:53:bb-Fios-CGrF5
14:06:59.644 -> [4561]0min:2906 65535 100 100 383
14:07:00.147 -> [5064]notify local[0/0]!
14:07:00.160 -> [5078]custom mem sram:61440
14:07:00.160 -> [5078]freemem:43736
14:07:00.315 -> --------------------
14:07:00.315 -> local:88:17:89:0d:0e:b0
14:07:00.315 ->     bios:2, pack:8 
14:07:00.315 ->     pwr idx: 1
14:07:00.315 ->     chip-temperature: 34
14:07:00.315 ->     freq:2412, bg_rssi:-87
14:07:00.316 ->     cca: -70, -60, -62
14:07:00.316 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:00.317 ->         tx dma:381, total tx:381, retry:0, tx lost:0, tx err:0
14:07:00.318 ->     rx: frms:82, data:0
    throughput: tx: 14.40 Kbps, rx: 0 bps
14:07:00.318 ->     max gain:7
14:07:00.318 -> --------------------
14:07:01.150 -> [6067]notify local[0/0]!
14:07:01.160 -> [6078]custom mem sram:61440
14:07:01.160 -> [6078]freemem:43736
14:07:02.151 -> [7067]notify local[0/0]!
14:07:02.159 -> [7078]custom mem sram:61440
14:07:02.159 -> [7078]freemem:43832
14:07:03.150 -> [8067]notify local[0/0]!
14:07:03.161 -> [8078]custom mem sram:61440
14:07:03.161 -> [8078]freemem:44024
14:07:04.150 -> [9067]notify local[0/0]!
14:07:04.172 -> [9078]custom mem sram:61440
14:07:04.172 -> [9078]freemem:44024
14:07:05.155 -> [10067]notify local[0/0]!
14:07:05.160 -> [10078]ip:101a8c0  freemem:44024
14:07:05.161 -> [10078]custom mem sram:61440
14:07:05.163 -> [10078]freemem:44024
14:07:05.315 -> --------------------
14:07:05.315 -> local:88:17:89:0d:0e:b0
14:07:05.315 ->     bios:2, pack:8 
14:07:05.315 ->     pwr idx: 1
14:07:05.315 ->     chip-temperature: 38
14:07:05.315 ->     freq:2412, bg_rssi:-88
14:07:05.315 ->     cca: -70, -60, -62
14:07:05.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:05.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
14:07:05.317 ->     rx: frms:42, data:0
14:07:05.317 ->     throughput: tx: 0 bps, rx: 0 bps
    max gain:7
14:07:05.317 -> --------------------
14:07:06.151 -> [11067]notify local[0/0]!
14:07:06.161 -> [11079]custom mem sram:61440
14:07:06.161 -> [11079]freemem:44024
14:07:07.150 -> [12067]notify local[0/0]!
14:07:07.162 -> [12079]custom mem sram:61440
14:07:07.162 -> [12079]freemem:44024
14:07:08.150 -> [13067]notify local[0/0]!
14:07:08.162 -> [13079]custom mem sram:61440
14:07:08.162 -> [13079]freemem:44024
14:07:09.150 -> [14067]notify local[0/0]!
14:07:09.162 -> [14079]custom mem sram:61440
14:07:09.162 -> [14079]freemem:44024
14:07:10.150 -> [15067]notify local[0/0]!
14:07:10.162 -> [15079]custom mem sram:61440
14:07:10.162 -> [15079]freemem:44024
14:07:10.315 -> --------------------
14:07:10.315 -> local:88:17:89:0d:0e:b0
14:07:10.315 ->     bios:2, pack:8 
14:07:10.315 ->     pwr idx: 1
14:07:10.315 ->     chip-temperature: 40
14:07:10.315 ->     freq:2412, bg_rssi:-88
14:07:10.315 ->     cca: -70, -60, -62
14:07:10.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:07:10.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
14:07:10.317 ->     rx: frms:42, data:0
14:07:10.317 ->     throughput: tx: 0 bps, rx: 0 bps
    max gain:7
14:07:10.317 -> --------------------
14:07:11.150 -> [16067]notify local[0/0]!
14:07:11.162 -> [16079]ip:101a8c0  freemem:44024
14:07:11.162 -> [16079]custom mem sram:61440
14:07:11.164 -> [16079]freemem:44024
14:07:12.152 -> [17068]notify local[0/0]!
14:07:12.162 -> [17080]custom mem sram:61440
14:07:12.162 -> [17080]freemem:44024
14:07:12.663 -> [17577]inteface2 find new bss: 78:67:0e:32:a0:08-Verizon_4Z9PNJ
14:07:13.153 -> [18069]notify local[0/0]!
14:07:13.162 -> [18080]custom mem sram:61440
14:07:13.162 -> [18080]freemem:43928

Pressing button alone while powered off:

14:06:00.437 -> [0]40 00 97 00 a8 43 12 a0
14:06:00.437 -> [0]28 e0 00 00 00 00 00 00
14:06:00.438 -> [0]00 00 00 00 00 00 00 00
14:06:00.438 -> [0]88 17 89 0d 0e 2c 76 35
14:06:00.439 -> [0]86 65 89 67 9f 57 00 00
14:06:00.439 -> [0]80 00 bb 02 a0 f7 00 00
14:06:00.439 -> [0]00 15 00 00 08 14 00 00
14:06:00.440 -> [0]00 00 00 00 00 00 0c 00
14:06:00.440 -> [0]00 00 00 40 08 84 40 08
14:06:00.440 -> [0]8c c0 08 8c c0 08 94 00
14:06:00.441 -> [0]06 4b 3f fd 92 ff 04 4e
14:06:00.441 -> [0]f0 00 4f 00 de 01 02 02
14:06:00.442 -> [0]00 ff ff ff 0f b4 04 04
14:06:00.442 -> [0]02 04 04 06 06 1f 00 17
14:06:00.442 -> [0]00 02 3e 00 00 00 00 08
14:06:00.443 -> [0]00 00 00 00 00 30 12 00
14:06:00.443 -> [0]3c 3c 0f
14:06:00.443 -> [0]validity: 1579f00d

14:06:00.449 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
14:06:00.449 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
14:06:00.449 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
14:06:00.449 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
14:06:00.449 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
14:06:00.449 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
14:06:00.449 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
14:06:00.449 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
14:06:00.449 -> ------------------------------------------------------------------
14:06:00.450 -> [0] ------- system restart fault -----------
14:06:00.450 -> [0] ---------------------------------------
14:06:00.452 -> [1]freemem:160720
14:06:00.452 -> [1]custom_mem_init:2000c740
14:06:00.452 -> [1]custom mem sram:61440
14:06:00.452 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
14:06:00.454 -> [4]syscfg_read OK!
14:06:00.455 -> [4]old cfg_ver:259

Doing random things in the app:

14:08:18.401 -> [83308]Charge Status:0
14:08:51.852 -> LED:1 Control:1 1 100
14:08:51.852 -> Set LED:1 ON
14:08:51.852 -> [116763]Charge Status:0
14:08:51.886 -> LED:1 Control:1 1 100
14:08:51.886 -> Set LED:1 ON
14:08:51.886 -> [116790]Charge Status:0
14:09:00.151 -> LED:1 Control:0 0 0
14:09:00.151 -> LED:1  ON:1
14:09:00.179 -> LED:1 Control:1 0 0
14:09:00.179 -> Set LED:1 OFF
14:09:00.179 -> [125084]Charge Status:0
14:09:01.368 -> LED:1 Control:0 0 0
14:09:01.368 -> LED:1  ON:0
14:09:01.395 -> LED:1 Control:1 1 100
14:09:01.395 -> Set LED:1 ON
14:09:01.395 -> [126300]Charge Status:0

Connecting to WiFi (I believe the app may have been open in the background):

14:08:14.173 -> [79090]custom mem sram:61440
14:08:14.173 -> [79090]freemem:44024
14:08:14.192 -> [79108]notify local[0/0]!
14:08:14.608 -> [79524]lmac_bgn_add_sta: if:1, aid1, addr:6a:88:53:52:cf:f7
14:08:14.608 -> [79525]rc_init: type= 1 mcs_mask= 0x3cc
14:08:14.609 -> [79525]inteface2: sta 6a:88:53:52:cf:f7 connected
14:08:14.609 -> [79526]user_sta_add:6a 88 53 52 cf f7
14:08:14.739 -> [79655]send DHCP_OFFER ...
14:08:14.739 -> [79657]Next IP: 192.168.1.11
14:08:14.740 -> [79657]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:15.173 -> [80090]custom mem sram:61440
14:08:15.173 -> [80090]freemem:43488
14:08:15.196 -> [80112]notify local[1/0]!
14:08:15.319 -> --------------------
14:08:15.319 -> local:88:17:89:0d:0e:b0
14:08:15.319 ->     bios:2, pack:8 
14:08:15.319 ->     pwr idx: 1
14:08:15.319 ->     chip-temperature: 48
14:08:15.319 ->     freq:2412, bg_rssi:-87
14:08:15.319 ->     cca: -59, -49, -51
14:08:15.319 ->     tx: txq:0, ps:0, tx_stat_q:0,
14:08:15.319 ->         tx dma:12, total tx:12, retry:0, tx lost:0, tx err:0
14:08:15.319 ->     rx: frms:107, data:96
14:08:15.319 ->     throughput: tx: 2.95 Kbps, rx: 5.23 Kbps
14:08:15.319 ->     max gain:7
14:08:15.319 -> sta:6a:88:53:52:cf:f7, aid:1, rssi:-34, evm:-25, tx frm type:*0, tx mcs:*2, freq offset:20864
14:08:15.320 ->     ifidx:1, MAC:88:17:89:0d:0e:b0

14:08:15.322 -> --------------------
14:08:15.825 -> [80741]send DHCP_ACK ...
14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:15.828 -> [40;32m[80744]EVENT 10007 IGNORED
14:08:15.828 -> [0m[80745]IP Pool:
14:08:15.829 -> [80746]    ip:192.168.1.10 - 6a:88:53:52:cf:f7
14:08:16.173 -> [81090]custom mem sram:61440
14:08:16.173 -> [81090]freemem:43488
14:08:16.212 -> [81128]notify local[1/0]!
14:08:17.173 -> [82090]ip:101a8c0  freemem:43488
14:08:17.174 -> [82090]custom mem sram:61440
14:08:17.174 -> [82091]freemem:43488
14:08:17.212 -> [82128]notify local[1/0]!
14:08:18.174 -> [83091]custom mem sram:61440
14:08:18.174 -> [83091]freemem:43488
14:08:18.234 -> [83145]notify local[1/0]!
14:08:18.330 -> [83220]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83222]IP add:a01a8c0
14:08:18.330 -> [83222]*******************************************
14:08:18.330 -> [83223]mac:88:17:89:0d:0e:b0
14:08:18.330 -> [83223]->a01a8c0 fist connect
14:08:18.330 -> [83224ip:a01a8c0 0
14:08:18.330 -> [83227]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83228]*******************************************
14:08:18.330 -> [83229]mac:88:17:89:0d:0e:b0
14:08:18.330 -> [83229]->a01a8c0 first connect
14:08:18.330 -> [83230]ip:a01a8c0 0
14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> read license = 
14:08:18.330 -> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 

14:08:18.334 -> [83250]OK=>SN:!
14:08:18.346 -> [83263]New client active:0 0
14:08:18.346 -> hgdvp_close...............................................................
14:08:18.378 -> [83294]pic port:54589
14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
14:08:18.401 -> [83307]Led control:1-1-1-100
14:08:18.401 -> LED:1 Control:1 1 100
14:08:18.401 -> Set LED:1 ON
14:08:18.401 -> [83308]Charge Status:0

Firmware Extraction
To extract the firmware (and I do apologize, I'm doing recalling this from memory so it may not be perfect) I went ahead and used an STM32 blue pill board and followed this guide to get the flash programmer set up.
Once your stm32 is flashed, connect A1 to PA10 (labeled CLK), A5 to PA9 (labeled TMS), and G to GND. Additionally, if you want to read UART output from the device, connect your UART reader to GND and DP (This is the mcu's TX pin, connect to your RX pin).
Then, follow the instructions here regarding how to generally dump or flash the firmware (although I have not attempted anything besides reading).

Whenever you interface with the chip, you need to hold the button on the board, then hit read (or otherwise connect the cklink to the target). You may need to do this quickly after hitting the button and it may be somewhat finicky, I would recommend just trying out and seeing what works.

Note: When I attempted to read the flash, I was never able to in one full go and instead had to do 0x0-0x50000 then 0x10000 increments up to 0x100000 which is the size of the mcu (1 MB), I then merged these files back together into one. I'm unsure why but I assume it's to do with the STM32 being used as the CKLink, I may recommend using an official or clone devices. Thank you divadiow for letting me know that this was due to me reading at too fast of an ICE clock speed, I believe I had been dumping it at 12000KHz, lowering this down to 1200KHz as mentioned in the article solves this for me.

It also appears there's some type of licensing? I'm not sure what exactly it is but I've seen it while reversing the mobile app as well.

I've gotten this far btu I'm not really sure where to go from here, I would like to be able to disassemble the firmware in something like Ghidra or IDA but as the C-Sky V2 CPU ABI is not implemented in just about anything I'd have to implement it myself which I don't really want to do... I've attached the csky-elfabiv2-tools-x86_64-minilibc-20210423 but I'm not sure it's actually the right one for this chip, as well as the objdump output from running it on the full firmware file

I'll mention that as you might be able to tell this is my first post so I if you have any tips for better posting please let me know! 😄
AI: Could you clarify what your main goal is with the firmware analysis—are you looking to unlock features, patch the firmware, do security research, or just understand how the device works?
The mobile interface seems to have an upload firmware option for ota updates. Ideally, we'd be able to leverage that to put a custom firmware on it. I'm also interested in analyzing the firmware to find any possible vulnerabilities or issues with it. That being said, I also just like opening things and looking at them.
AI: Are you open to using alternative tools besides Ghidra or IDA for C-Sky V2 disassembly, like radare2, Binary Ninja, or any C-Sky-specific toolchains, or are you set on using Ghidra/IDA only?
Ghidra and IDA would be my ideals, but if I could get anything to properly get an analysis of it that's actually aware of where things are (ex. memory locations like strings) I could work with that.

Attachments:

Cool? Ranking DIY

About Author

eastarctica eastarctica

Level 3

Offline

eastarctica wrote 3 posts with rating 8, helped 1 times. Been with us since 2025 year.

ADVERTISEMENT
#2 21600289 07 Jul 2025 23:25

divadiow divadiow

Level 35

Helpful post? (0)

Post #2
21600289 07 Jul 2025 23:25

hey. nice to see another Taixin MCU that isn't in a cam.
regarding the flash read lengths, this does feel vaguely familiar, but I don't recall what I did, if anything, to make it no longer the case. Lower ICE Clk make any difference?

Added after 7 [minutes]:

maybe this means the cam is a Hynix HI708

Code: Text
Log in, to see the code

how many pins does the ribbon have and what is the full text on it?
#3 21600564 08 Jul 2025 11:31

gulson gulson

System Administrator

» | Helpful post? (0)

Post #3
21600564 08 Jul 2025 11:31

All in all, an interesting use of the otoscope, to preview the electronics! Thanks .
Email me your shipping address and I'll send a small gift.
#4 21601301 09 Jul 2025 01:39

eastarctica eastarctica

Level 3

Topic author Helpful post? (+1)

Post #4
21601301 09 Jul 2025 01:39

>>21600289 Wrote up a response yesterday but it my tab seems to have been slept and deleted so this is generally being rewritten again as well.

Haha well it may not be one of those mini cams but it's still a camera ofc, definitely has some interesting features though... Hmmm, I can't find much info on the HI-708. All I could really find were some references to their "1.0μm Black Pearl" technology. Firmware only seems to mention "708" once in that same uart log so not a ton of luck there until I get a bit further access to it (mostly getting gdb working on it).

I pulled apart the camera assembly which it seems that the camera ribbon pulls out of the metal housing without damage which is nice, images attached. Text on the ribbon is SP1508B30-B and it's got pins 1 through 21 labeled (21 pins total).

>>21600564 Definitely an abstract use for an otoscope, I have to admit that I actually got the idea from someone on reddit and if we could get the firmware to use the vertical axis for the automatic rotation thing seen in that video it could be useful as some type of board imaging thing if you tossed it on a 3d printer gantry 🤔
ADVERTISEMENT
#5 21601414 09 Jul 2025 08:50

divadiow divadiow

Level 35

Helpful post? (0)

Post #5
21601414 09 Jul 2025 08:50

divadiow wrote:
nice to see another Taixin MCU that isn't in a cam

that isn't In an A9 cam type of device*

yeh, I've not found much about the HI708 either. A few mentions in github code and I see it's in the XF16 list along with HI704 https://www.elektroda.com/rtvforum/topic4121965.html#21549325

Added after 13 [minutes]:

ordered
#6 21611793 20 Jul 2025 20:18

divadiow divadiow

Level 35
Helpful post? (0)

Post #6
21611793 20 Jul 2025 20:18

eastarctica wrote:
Thank you divadiow for letting me know that this was due to me reading at too fast of an ICE clock speed, I believe I had been dumping it at 12000KHz, lowering this down to 1200KHz as mentioned in the article solves this for me

oh cool. didn't notice this.

my one has arrived and I'm just photographing and capturing bits before posting about my findings

Added after 1 [minutes]:

also, would you be willing to share your device firmware?

Added after 5 [hours] 34 [minutes]:

Here it is. Same Taixin TXW816-810 1mb MCU.

Code: Text
Log in, to see the code

TCK (PA10) -> STM32 A1
TMS (PA9) -> STM32 A5

T-head Debug CPU detection:
Code: Text
Log in, to see the code

The QR in the manual is for the iTiMo app from MoLink. We also see Molink referenced in the boot log along with the SSID broadcast to be joined by phone so the app cam stream from the camera
https://play.google.com/store/apps/details?id=com.molink.john.itimo&hl=en_GB

Code: Text
Log in, to see the code

Backup was taken with CDK Flash Programmer. I had to hold power button down, same as in first post, which was difficult because I ripped off the button when opening the unit. Thinking about it though, there's a KEY pad on the PCB so that maybe could have been grounded instead.

I don't see mention of the CMOS sensor in the boot log, though maybe it could be determined from the registers or other i2c stuff printed out.

1mb dump: https://github.com/openshwprojects/FlashDumps/pull/38/files

keywords:
XJY-Y25A-3H
Y8S-D-4.2mm
Manufacturer: Dongguanshi Qianyu Electronic Technology Co.,Ltd
Address: Room 501, Building 1, No. 50 Yantian Changtang Road, Fenggang Town, Dongguan City, Guangdong Province, China.

Attachments:

IMG_0119.JPG Download (2.86 MB)

IMG_0118.JPG Download (2.98 MB)
ADVERTISEMENT
#7 21612232 20 Jul 2025 23:37

divadiow divadiow

Level 35

Helpful post? (0)

Post #7
21612232 20 Jul 2025 23:37

interesting strings

Code: Text
Log in, to see the code

Code: Text
Log in, to see the code
#8 21612280 21 Jul 2025 01:20

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home

Helpful post? (0)

Post #8
21612280 21 Jul 2025 01:20

FWUPG update?

I am creating multiplatform open source firmware (Tasmota replacement), right now supporting BK7231T, BK7231N, XR809, BL602, W800, W600, LN882H and soon supporting RTL and W701:
https://github.com/openshwprojects/OpenBK7231T
If you like my work, support me at: https://paypal.me/openshwprojects

Helpful post? Buy me a coffee.
#9 21612344 21 Jul 2025 08:07

divadiow divadiow

Level 35

Helpful post? (0)

Post #9
21612344 21 Jul 2025 08:07

very interesting

Added after 10 [minutes]:

Added after 7 [minutes]:

don't currently know if there's even an OTA partition in dump, if it's large enough and if the file I'm uploading is to be used for OTA. I've tried these two in AT demo dump zip
https://www.elektroda.com/rtvforum/topic4033757.html#21546489

btw there's no sign of a device info/fw upgrade section in the app - just the basic cam operation stuff
ADVERTISEMENT

#10 21613891 22 Jul 2025 18:38

eastarctica eastarctica

Level 3

Post #10

21613891 22 Jul 2025 18:38

>>21611793 Nice job getting everything dumped and working! I apologize I had thought I added the firmware to my initial post but it's attached here. Diffing them they're slightly different. Notably, yours appears to be compiled with `hgSDK-v2.5.1.7-31060, app-0, build time:Mar 26 2025 15:41:31` versus mine with `hgSDK-v2.5.0.7-25841, app-0, build time:Dec 5 2024 12:06:20`

>>21612344 There may be no mention of firmware updating in the app, but if you extract the android apk for mine at least, you'll get `com.i4season.bkCamera/lib/arm64-v8a/libWifiCamera.so` which has many interesting things... There's also `libI4Tool.so`, `libNetFrame.so`, and `libUStorageDeviceFS.so`, all of which I've attached.

Notably these exports:
cameraWifiupdateFirmware
cameraWifiupdatemcuFirmware

Full exports:


        __bss_start
        _bss_end__
        AcceptFileListForPath
        AcceptFileListForPathTieniu
        addack
        allStreamGet
        amq
        angleCopy
        batterychangefuc
        block_queue_init
        block_queue_pull
        block_queue_pull_new
        block_queue_push
        block_queue_signal
        block_queue_udata_create
        block_queue_udata_destroy
        block_queue_waiteforpull
        blockbufid_get
        CallBooleanMethod
        CallIntMethod
        CallObjectMethod
        CallVoidMethod
        cameraCheckOnline
        cameraCmd
        cameraConfGet
        cameraConfSet
        cameraDelShake
        cameraExposureGet
        cameraExposureSet
        cameraHttp
        cameraHttpApi
        cameraLicSet
        cameraParameterGet
        cameraParameterSet
        cameraSetLowPowerMode
        cameraWifiFirmInfoGet
        cameraWifiLicInfoGet
        cameraWifiStatusInfoGet
        cameraWifiupdateFirmware
        cameraWifiupdatemcuFirmware
        caWifiInit
        caWifiStart
        caWifiStop
        changemode
        check_send
        check_sendack
        connect_tieniu
        connect_tieniu
        cwificamerafuc_sethandle
        dataqueue
        delfile
        destory_allblock_buf
        destory_block_buf
        entry
        filebuttonfuc
        filelist_destroy
        filelist_destroy
        freequeue
        get_logbuf
        getBattery
        getbattey_check
        getCameraTimeout
        getCongfig
        getdevinfo
        getfilelist
        getisfilter
        getlic10_frommac
        getlictieniu
        getlist
        getPort
        getsdstatus
        getssid
        getssid_private
        getzoomdatabegin
        getzoominfo
        humidityGet
        isackok
        isAngleUpDown
        isAngleUpDownAll
        ishavemiddle
        ishavesdcard
        Java_com_jni_getCameraTimeout
        Java_com_jni_Tieniu_WifiCameraTieniu_callback
        Java_com_jni_Tieniu_WifiCameraTieniu_cameraAcceptFileList
        Java_com_jni_Tieniu_WifiCameraTieniu_changemode
        Java_com_jni_Tieniu_WifiCameraTieniu_delfile
        Java_com_jni_Tieniu_WifiCameraTieniu_getBattery
        Java_com_jni_Tieniu_WifiCameraTieniu_getdevinfo
        Java_com_jni_Tieniu_WifiCameraTieniu_getinfo
        Java_com_jni_Tieniu_WifiCameraTieniu_getzoominfo
        Java_com_jni_Tieniu_WifiCameraTieniu_ishavesdcard
        Java_com_jni_Tieniu_WifiCameraTieniu_reset
        Java_com_jni_Tieniu_WifiCameraTieniu_setB
        Java_com_jni_Tieniu_WifiCameraTieniu_setBrightness
        Java_com_jni_Tieniu_WifiCameraTieniu_setContrast
        Java_com_jni_Tieniu_WifiCameraTieniu_setG
        Java_com_jni_Tieniu_WifiCameraTieniu_setlic
        Java_com_jni_Tieniu_WifiCameraTieniu_setR
        Java_com_jni_Tieniu_WifiCameraTieniu_setResolution
        Java_com_jni_Tieniu_WifiCameraTieniu_setSharpness
        Java_com_jni_Tieniu_WifiCameraTieniu_Start
        Java_com_jni_Tieniu_WifiCameraTieniu_takePic
        Java_com_jni_Tieniu_WifiCameraTieniu_takeVideo
        Java_com_jni_Tieniu_WifiCameraTieniu_zoomdown
        Java_com_jni_Tieniu_WifiCameraTieniu_zoomup
        Java_com_jni_WifiCamera_caAllStreamGet
        Java_com_jni_WifiCamera_caInit
        Java_com_jni_WifiCamera_CallBackFucStart
        Java_com_jni_WifiCamera_CallBackStart
        Java_com_jni_WifiCamera_cameraAcceptFileList
        Java_com_jni_WifiCamera_cameraCheckOnline
        Java_com_jni_WifiCamera_cameraCmd
        Java_com_jni_WifiCamera_cameraDelShake
        Java_com_jni_WifiCamera_cameraExposureGet
        Java_com_jni_WifiCamera_cameraExposureSet
        Java_com_jni_WifiCamera_cameraFirmInfoGet
        Java_com_jni_WifiCamera_cameraLedStatusGet
        Java_com_jni_WifiCamera_cameraLedStatusSet
        Java_com_jni_WifiCamera_cameraLicInfoGet
        Java_com_jni_WifiCamera_cameraLicInfoGet
        Java_com_jni_WifiCamera_cameraParameterGet
        Java_com_jni_WifiCamera_cameraParameterSet
        Java_com_jni_WifiCamera_cameraSetLic
        Java_com_jni_WifiCamera_cameraSetLowPowerMode
        Java_com_jni_WifiCamera_cameraStatusInfoGet
        Java_com_jni_WifiCamera_camerawifiAllowUpFile
        Java_com_jni_WifiCamera_cameraWifiConfGet
        Java_com_jni_WifiCamera_cameraWifiConfSet
        Java_com_jni_WifiCamera_cameraWifiResolutionGet
        Java_com_jni_WifiCamera_camerawifiUpDir
        Java_com_jni_WifiCamera_caStart
        Java_com_jni_WifiCamera_caStop
        Java_com_jni_WifiCamera_getaudio
        Java_com_jni_WifiCamera_getisfilter
        Java_com_jni_WifiCamera_humidityGet
        Java_com_jni_WifiCamera_openLog
        Java_com_jni_WifiCamera_openVideoForceApi
        Java_com_jni_WifiCamera_screenParametersGet
        Java_com_jni_WifiCamera_screenParametersGetFromBuffer
        Java_com_jni_WifiCamera_screenParametersSet
        Java_com_jni_WifiCamera_screenParametersSetTobuffer
        Java_com_jni_WifiCamera_setCameraTimeout
        Java_com_jni_WifiCamera_setisfilter
        Java_com_jni_WifiCamera_startAviVideoRecord
        Java_com_jni_WifiCamera_stopAviVideoRecord
        Java_com_jni_WifiCamera_temperatureGet
        Java_com_jni_WifiCamera_tewlGet
        Java_com_jni_WifiCamera_updateFirmware
        Java_com_jni_WifiCamera_updatemcuFirmware
        lastangleArray
        lastangleArraytmp
        lastaudioseq
        lasteventSetEar
        lastid
        LedStatusGet
        LedStatusSet
        libwificamera_notifyport
        log_wifiwrite
        maxangle
        menubuttonfuc
        minangle
        mu_camera_data_add
        mu_camera_data_create
        mu_camera_data_create2
        mu_camera_data_destroy
        mu_camera_data_destroy2
        mu_queue_push
        mucamera_clean
        mucamera_pull
        mucamera_pull2
        mucamera_push
        mucamera_push2
        mucamera_signal
        mucamera_waiteforpull
        muqueue_init
        newcamera_audio_destory
        newcamera_pullaudio
        newcamera_start
        newcamera_stop
        newcamera_wait
        newcamerawifi_fuc
        NewObject
        noweventSetEar
        openVideoForceApi
        parsebuf
        picbuttonfuc
        private_camera_wifi_fuc
        queuedrop
        readhttphead
        reset
        runinfo
        ScreenParametersGet
        ScreenParametersGetFromBuffer
        ScreenParametersSet
        ScreenParametersSetTobuffer
        selectread
        selectread
        sendHttp
        sensor_get_xyz
        set_notify_allow
        set_notify_dir
        set_uri
        setackflag
        setB
        setBrightness
        setCameraTimeout
        setcheckproduct
        setContrast
        setG
        setisfilter
        setlic
        setR
        setResolution
        setSharpness
        sig_waite
        sleep
        start
        start_callback
        start_notify
        stop_notify
        suportCheck
        takePic
        takePicprivate
        takeVideo
        takeVideoprivate
        temperatureGet
        testStatus
        tewl
        tieniu_read
        TransformStructFileInfo
        TransformStructFileInfoTieniu
        UCallBackFucHandle1
        UCallBackFucHandle_Data
        UCallBackHandle1
        UCallBackHandle_Data
        UCallBackHandle_file_sig
        UCallBackHandle_picdata
        UCallBackHandle_sig
        UCallBackHandle_status
        videobuttionfuc
        wakeup
        wifi_closelog
        wifi_logflag
        wifi_openlog
        wifiaudioInfo2obj
        WifiCallBackFucHandle
        WifiCallBackHandle
        wifidata_audio
        wifidata_audio2
        wifidata_logwrite
        wifiPicInfo2obj
        zoomchangefuc
        zoomdown
        zoomup
        ~cameraHttp
        ~cameraHttpApi
        ~WifiCallBackFucHandle
        ~WifiCallBackHandle

Attachments:

#11 21614421 23 Jul 2025 08:45

divadiow divadiow

Level 35

Helpful post? (0)

Post #11
21614421 23 Jul 2025 08:45

cool. thanks. Out of interest I flashed your backup and it does boot. fails at the cam sensor point though.

Code: Text
Log in, to see the code

Added after 7 [minutes]:

bin added to collection https://github.com/openshwprojects/FlashDumps/pull/38/files
#12 21648455 30 Aug 2025 09:35

divadiow divadiow

Level 35

Helpful post? (0)

Post #12
21648455 30 Aug 2025 09:35

@eastarctica you may find this interesting - development of rtsp cam support for TXW81x. Not tried on my TXW816 Otoscope

https://www.elektroda.com/rtvforum/viewtopic.php?p=21638429#21638429
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

The discussion focuses on inexpensive earwax remover otoscopes based on the Taixen TXW816-810 MCU, commonly found on platforms like Amazon, AliExpress, and TikTok Shop. These devices power on with a flashing button and camera light, then broadcast a Wi-Fi network with SSIDs resembling "Soulear-ae45b" or "Suear-4670," using MAC addresses such as 88:17:89:0d:0e:b0 and DHCP IP ranges starting at 192.168.1.10. Connected smartphone apps provide video capture, ear side selection, LED control, and lens mode switching (wide/focused, horizontal/mirror). A response highlights familiarity with the Taixen MCU outside of cameras and suggests the camera sensor might be a Hynix HI708, referencing a log entry "[3969]HI708 page0." The responder inquires about the ribbon cable pin count and its full labeling to assist with hardware interfacing and firmware analysis. There is also mention of flash memory read lengths and ICE clock speed adjustments as potential debugging steps.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
Smart Home Devices
/
Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

FAQ

TL;DR: Taixin TXW816-810 otoscopes run a 1 MB C-Sky V2 MCU and boot "hgSDK-v2.5.0.7" firmware [Elektroda, eastarctica, post #21600275] UART logs, exposed SWD pins and a €2 STM32 “blue-pill” let you dump flash, tweak LEDs and analyse Wi-Fi AP behaviour.

Why it matters: Full pinout and flash access open the door to custom firmware and security audits.

Quick Facts

• MCU: Taixin TXW816-810, 1 MB flash, 160 kB SRAM [Elektroda, eastarctica, post #21600275]
• Sensor: HI708, 480 × 480 px @ 24 MHz MCLK [Elektroda, eastarctica, post #21600275]
• Battery: 2.7 V 170 mAh Li-ion [Elektroda, eastarctica, post #21600275]
• Wi-Fi: 2.4 GHz AP, SSID "Soulear-xxxx", default IP 192.168.1.1 [Elektroda, eastarctica, post #21600275]
• Interface pads: 3.3 V, 5 V, DP(UART TX), CE, CLK(SWD CLK), TMS, PA8 [Elektroda, eastarctica, post #21600275]

What chips power the popular Taixin otoscope clones?

They use the Taixin TXW816-810 SoC—a C-Sky V2 core with 1 MB flash and 160 kB SRAM—paired with a Hynix HI708 480 × 480 image sensor [Elektroda, eastarctica, post #21600275]

Which test pads give me debugging access?

CLK (PA10) and TMS (PA9) expose the SWD interface; DP (PC6) is UART TX for 115 200 bps logs; 3.3 V, 5 V and GND provide power [Elektroda, eastarctica, post #21600275]

How do I dump the 1 MB firmware?

1) Flash CKLink firmware onto an STM32 “blue-pill”. 2) Wire A1→CLK, A5→TMS, G→GND. 3) Read flash in 0x10000-byte chunks (full read can stall) and merge files [Elektroda, eastarctica, post #21600275]

Why does a full-length read sometimes fail?

The DIY CKLink overstresses the SWD clock; long transfers abort after ~0x50000. Lowering ICE_CLK or chunked reads fixes it [Elektroda, divadiow, post #21600289]

Can I view live UART output while dumping?

Yes. Connect a 3.3 V UART adapter RX to DP and GND. Logs show boot banners, ADC data and Wi-Fi DHCP events [Elektroda, eastarctica, post #21600275]

What OTA mechanism does the mobile app use?

The hgSDK stack exposes an "ota num" field and port 5007 TCP; the app pushes a signed blob that the bootloader verifies before flashing [Elektroda, eastarctica, post #21600275]

Is there licensing or encryption inside the image?

A 256-byte zeroed licence block appears at 0x??000; no encryption observed, suggesting signature-only protection [Elektroda, eastarctica, post #21600275]

Which disassembler supports C-Sky V2 right now?

Ghidra and IDA lack native C-Sky V2 ABI. radare2 and Binary Ninja dev builds can import CSKY/ABIV2 ELF with limited analysis [C-Sky ABI Manual, 2020].

How bright are the onboard LEDs?

The firmware drives LED1 via PWM 0–100 %, default 100 %. Logs confirm 1 × 200 mA burst when set ON [Elektroda, eastarctica, post #21600275]

What edge-case kills Wi-Fi throughput?

If the sensor stream stops (hgdvp_close message) while a client is still connected, throughput drops to 0 bps even though DHCP remains active [Elektroda, eastarctica, post #21600275]

How many pins are on the camera ribbon?

A 21-pin FFC connects LED anodes, power and parallel CSI to the SoC—matching HI708 reference design [Elektroda, divadiow, post #21600289]

Any quick way to toggle LEDs without the app?

Send TCP packet {ID:10, data:1-1-level} to port 54589; the MCU acknowledges and sets PWM instantly [Elektroda, eastarctica, post #21600275]

What temperature does the chip reach after 5 min?

UART shows 40 °C at 5 min idle, up from 34 °C at boot—a 17 % rise [Elektroda, eastarctica, post #21600275]

Can the battery run the Wi-Fi AP for an hour?

Typical draw is 170–200 mA; the 170 mAh cell lasts ≈50 minutes with LEDs off (Calc; values from log current).

What failure occurs if the CE pad lifts?

Without CE (CHIP_EN), the SoC stays in reset; no UART, no charging, appears dead—re-soldering or pulling CE high revives it [Elektroda, eastarctica, post #21600275]

Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

Didn't find an answer? Ask Artificial Intelligence

Topic summary