
Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

eastarctica 1950 14

TL;DR

  • Teardown of cheap Wi‑Fi earwax remover otoscopes that use the Taixen TXW816-810 and expose UART, pinout, and firmware details.
  • Inside, the board has a 21-pin camera/LED connector and exposed pads for 3.3V, 5V, CE, DP (UART TX), CLK, TMS, and PA8.
  • UART logs identify hgSDK-v2.5.0.7, BK7231U-XRH-FBPRO, a HI708 sensor at 480×480, and an AP named Soulear-ae45b with DHCP from 192.168.1.10.
  • An STM32 Blue Pill acting as CKLink dumped the 1 MB flash in chunks, and lowering the ICE clock from 12000KHz to 1200KHz made reads reliable.
  • The firmware still needs proper C-Sky V2 analysis support, and a licensing-related component remains unexplained.
Generated by the language model.
    Recently it seems there have been a lot of cheap earwax remover otoscope devices popping up on Amazon/AliExpress/TikTok Shop similar to this:
    [Image: Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump]

    When powered on, the button will start flashing slowly, as well as the light for the camera will turn on. After a few seconds it will start its wifi network usually with an ssid like "Soulear-ae45b" where it seems to be very generically "Company-uniq" as another device seems to show up as "Suear-4670". My device was broadcasting under the MAC of "88:17:89:0d:0e:b0" and had dhcp assigning IPs starting at 192.168.1.10 with itself at 192.168.1.1.

    Once connected on a phone, its app which seems to vary based on the device you pick up, but all of which are essentially identical, allows you to take video, pictures, switch ears from left/right, enable/disable the LED, as well as switch between either wide/focused lenses or switch between "horizontal" and "mirror(?)". Some also seem to have a lock icon, which I'm not sure what it does.




    They're very difficult to get into, and from what I can tell can't be gotten into without breaking the plastic in some way. If you're opting to take it apart and keep it looking nice, I think my approach would be cutting the seam or maybe heat or something to remove the glue holding it in. Once in, you're greeted by a 21(?) pin connector for the leds + camera, 2.7V 170mAh battery, and the main pcb. PCB has a few pads exposed, of which I may have torn off CE and CLK 😬:
    - 3.3V + GND (from mcu)
    - 5V + GND (from usb, although GND is shared)
    - CE (CHIP_EN)
    - DP (PC6, This is UART TX, RX is not exposed)
    - CLK (PA10, TCLK)
    - TMS (PA9)
    - PA8 (USB_DET?)

    These (mine at least) seem to be using the Taixen TXW816-810 which has been seen similarly with the A9 minicams seen here.

    UART Logs
    startup:
    14:06:55.069 -> [0]40 00 97 00 a8 43 12 a0
    14:06:55.069 -> [0]28 e0 00 00 00 00 00 00
    14:06:55.070 -> [0]00 00 00 00 00 00 00 00
    14:06:55.070 -> [0]88 17 89 0d 0e 2c 76 35
    14:06:55.071 -> [0]86 65 89 67 9f 57 00 00
    14:06:55.071 -> [0]80 00 bb 02 a0 f7 00 00
    14:06:55.071 -> [0]00 15 00 00 08 14 00 00
    14:06:55.072 -> [0]00 00 00 00 00 00 0c 00
    14:06:55.072 -> [0]00 00 00 40 08 84 40 08
    14:06:55.072 -> [0]8c c0 08 8c c0 08 94 00
    14:06:55.073 -> [0]06 4b 3f fd 92 ff 04 4e
    14:06:55.073 -> [0]f0 00 4f 00 de 01 02 02
    14:06:55.073 -> [0]00 ff ff ff 0f b4 04 04
    14:06:55.074 -> [0]02 04 04 06 06 1f 00 17
    14:06:55.074 -> [0]00 02 3e 00 00 00 00 08
    14:06:55.075 -> [0]00 00 00 00 00 30 12 00
    14:06:55.075 -> [0]3c 3c 0f
    14:06:55.075 -> [0]validity: 1579f00d
    
    14:06:55.076 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
    14:06:55.077 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
    14:06:55.077 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
    14:06:55.078 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
    14:06:55.078 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
    14:06:55.079 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
    14:06:55.080 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
    14:06:55.081 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
    14:06:55.081 -> ------------------------------------------------------------------
    14:06:55.082 -> [0] ------- system restart fault -----------
    14:06:55.082 -> [0] ---------------------------------------
    14:06:55.084 -> [1]freemem:160720
    14:06:55.084 -> [1]custom_mem_init:2000c740
    14:06:55.084 -> [1]custom mem sram:61440
    14:06:55.085 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
    14:06:55.086 -> [4]syscfg_read OK!
    14:06:55.088 -> [4]old cfg_ver:259
    14:06:55.192 -> ---xrh_io_init---
    
    14:06:55.251 -> [154]------pwr_det_keep.........1
    14:06:55.286 -> [204]------pwr_det_keep.........2
    14:06:55.288 -> [205]lmac rx info size:36
    14:06:55.288 -> [205]GAP0 : 20033b0c
    14:06:55.288 -> [206]GAP1 : 20037f04
    14:06:55.288 -> [206]lmac rx buff:20033b14, size:17392, hw rx buff size:11256, ampdu:7, max subfrm:3
    14:06:55.290 -> [207]lmac priv: 2001bec4
    14:06:55.290 -> [207]lmac tx  : 2001c278
    14:06:55.290 -> [208]lmac rx  : 2001d444
    14:06:55.290 -> [208]lmac ble rx: 00000000
    14:06:55.291 -> [209]pack:8, bios_id:2
    14:06:55.291 -> [209]use AMPM DPD!
    14:06:55.291 -> [209]verf:0x5, ibpt:0x3, ibct:0x6, iref:0x6
    14:06:55.292 -> [210]verfvco_trim:0x8, verfcp_trim:0x5, verfdiv_trim:0x5
    14:06:55.292 -> [211]verfdsm_trim:0x4, verfvcc25_trim:0x1
    14:06:55.293 -> [211]da cap:5, da gain:1
    14:06:55.317 -> [214]txdcoc from:1, i:8, q:20
    14:06:55.317 -> [214]tx imb from:1, pm:192, gm:0
    14:06:55.318 -> [215]rx dcoc from:1
    14:06:55.318 -> [216]g:0, ana:2112, i:11, q:3
    14:06:55.318 -> [216]g:1, ana:2112, i:19, q:5
    14:06:55.318 -> [216]g:2, ana:2112, i:18, q:4
    14:06:55.318 -> [217]g:3, ana:2240, i:15, q:7
    14:06:55.318 -> [217]g:4, ana:2240, i:14, q:7
    14:06:55.318 -> [218]g:5, ana:2240, i:15, q:6
    14:06:55.318 -> [218]g:6, ana:2240, i:15, q:7
    14:06:55.318 -> [218]g:7, ana:2368, i:0, q:6
    14:06:55.318 -> [219]rx imb from:1
    14:06:55.318 -> [219]g:0, 8120, 4063
    14:06:55.318 -> [220]g:1, 8120, 4064
    14:06:55.318 -> [220]g:2, 8118, 4064
    14:06:55.318 -> [220]g:3, 8120, 4062
    14:06:55.318 -> [221]g:4, 8120, 4061
    14:06:55.318 -> [221]g:5, 8122, 4061
    14:06:55.318 -> [221]g:6, 8122, 4061
    14:06:55.318 -> [221]g:7, 8116, 4062
    14:06:55.318 -> [222]time offset:0, 23
    14:06:55.318 -> [222]lmac test: 2001dbec
    14:06:55.318 -> [223]lmac_bgn_lo_freq_set: 2432
    14:06:55.318 -> [224]set rts_threshold =2304
    14:06:55.318 -> [225]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:55.318 -> [225]*** open ADC success!
    
    14:06:55.318 -> [226]*** add success: ADC channel cnt = 1, name:257
    
    14:06:55.318 -> [227]*** add success: ADC channel cnt = 2, name:258
    
    14:06:55.318 -> [227]*** add success: ADC channel cnt = 3, name:262
    
    14:06:55.318 -> [228]*** delete success: ADC channel cnt = 2
    
    14:06:55.318 -> [231]*** add success: ADC channel cnt = 3, name:1
    
    14:06:55.366 -> [282]ad_pwr:2910 383
    14:06:55.416 -> [332]ad_pwr:2853 376
    14:06:55.465 -> [382]ad_pwr:2909 383
    14:06:55.515 -> [432]ad_pwr:2991 394
    14:06:55.564 -> [482]ad_pwr:2914 384
    14:06:55.564 -> [482]poweron_ad_pwr:2915
    14:06:55.615 -> [532]ad_pwr:2895 381
    14:06:55.665 -> [582]ad_pwr:2906 383
    14:06:55.716 -> [632]ad_pwr:2826 372
    14:06:55.765 -> [682]ad_pwr:2939 387
    14:06:55.814 -> [732]ad_pwr:2795 368
    14:06:55.814 -> [732]poweron_ad_pwr:2872
    14:06:55.865 -> [782]ad_pwr:2908 383
    14:06:55.915 -> [832]ad_pwr:2930 386
    14:06:55.966 -> [882]ad_pwr:2910 383
    14:06:56.016 -> [932]ad_pwr:2859 376
    14:06:56.066 -> [982]ad_pwr:2935 386
    14:06:56.115 -> [1032]ad_pwr:2899 382
    14:06:56.166 -> [1082]ad_pwr:2987 393
    14:06:56.215 -> [1132]ad_pwr:2890 381
    14:06:56.265 -> [1182]ad_pwr:3051 402
    14:06:56.329 -> [1232]ad_pwr:2929 386
    14:06:56.366 -> [1282]ad_pwr:2908 383
    14:06:56.414 -> [1332]ad_pwr:2929 386
    14:06:56.414 -> [1332]lmac_bgn_lo_freq_set: 2412
    14:06:56.416 -> [1334]lmac_bgn_lo_freq_set: 2412
    14:06:56.428 -> [1335]set rts_threshold =1600
    14:06:56.428 -> [1336]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1337]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1337]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
    14:06:56.428 -> [1338]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
    14:06:56.428 -> [1339]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1339]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1340]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
    14:06:56.428 -> [1341]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
    14:06:56.428 -> [1342]lmac_bgn_lo_freq_set: 2432
    14:06:56.428 -> [1343]inteface1: start scanning ...
    14:06:56.428 -> [1344]vif1 state WPA_DISCONNECTED -> WPA_SCANNING
    14:06:56.428 -> [1345]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.428 -> [1346]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.528 -> [1445]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.528 -> [1445]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.638 -> [1545]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.638 -> [1545]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.728 -> [1645]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.728 -> [1645]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.828 -> [1745]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.828 -> [1745]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.927 -> [1845]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.927 -> [1845]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.028 -> [1945]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.028 -> [1945]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.128 -> [2045]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.128 -> [2045]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.228 -> [2145]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.228 -> [2145]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.327 -> [2245]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.327 -> [2245]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.427 -> [2345]lmac_bgn_lo_freq_set: 2432
    14:06:57.429 -> [2346]lmac_bgn_lo_freq_set: 2412
    14:06:57.430 -> [2348]inteface1: scan done!
    14:06:57.457 -> [2356][0]===>REDACTED (network name)
    14:06:57.457 -> [2356][1]===>REDACTED (network name)
    14:06:57.457 -> [2356][2]===>REDACTED (network name)
    14:06:57.457 -> [2356][3]===>]......"'O.Y.v*6.x}].,h...6BOa...0..T8.......V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S..
    .4.YK........`.....W:>..^..w....[.
    14:06:57.457 -> [2359][4]===>.....V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..
    E.>Rd.C-!...V..`k;g..f.~NS_i|...
    14:06:57.457 -> [2362][5]===>LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D...
    .^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2365][6]===>i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2367][7]===>.h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2369][8]===>.......`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2370][9]===>C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2371][10]===>...j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2371][11]===>..PktK.:....^0%;u....}...[G. ..{?.j.^..^......cn.p..=..j..f.y3`_.u.;
    14:06:57.457 -> [2372][12]===>......cn.p..=..j..f.y3`_.u.;
    14:06:57.457 -> [2373][13]===>(.......B5..0JAZq.-.f.'g..;.kl....a.j.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    
    14:06:57.458 -> .jm.i.v."t~....Z
    14:06:57.458 -> [2376][14]===>.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.460 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.461 -> [2379][15]===>DY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.463 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.463 -> [2381][16]===>......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.465 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.465 -> [2383][17]===>.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.466 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.467 -> [2384][18]===>.!..3
    14:06:57.467 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.468 -> [2385][19]===>......._F.g|.Th
    14:06:57.468 -> [2386][20]===>..$.g...L.....m6.x..f.Y{.".v.3.3....P....'eAJI.*.>...X..$.,....K.F7].u.z.
    14:06:57.469 -> [2387][21]===>P....'eAJI.*.>...X..$.,....K.F7].u.z.
    14:06:57.470 -> [2387][22]===>W..X|.....|a.~.:.1..0.t .:>[..)#N..U...?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.471 -> [2389][23]===>.?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.472 -> [2390][24]===>d?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.473 -> [2391][25]===>...+}.|..M.ec...W&.c.`......R[@.
    14:06:57.473 -> 5b..Z...9+..."b..X.j..N,...K.<r.
    14:06:57.474 -> [2392][26]===>...9+..."b..X.j..N,...K.<r.
    14:06:57.474 -> [2393][27]===> ......yd.m$.....d.mY..G.
    14:06:57.475 -> i.O..q.@...7.....x....G.7.e~......sJ".pT.v
    14:06:57.475 -> [2394][28]===>.....x....G.7.e~......sJ".pT.v
    14:06:57.476 -> [2394][29]===>.^,...%.}.o.....@!W0H7.........V....Q#.lkP......to..c>.....c>_#\Oo
    14:06:57.478 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.478 -> [2396][30]===>Q#.lkP......to..c>.....c>_#\Oo
    14:06:57.479 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.479 -> [2397][31]===>.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.480 -> [2397]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:57.480 -> acs...
    14:06:57.480 -> freq   bgrssi   ap    rx_sync   rx_err   txcnt     txtime   =>  noise factor
    14:06:57.636 -> 2412    -93     0     0         10       39        152588       3912        
    14:06:57.790 -> 2417    -93     0     0         4        36        149884       4163        
    14:06:57.943 -> 2422    -92     4     5         4        35        150675       4305        
    14:06:58.098 -> 2427    -94     3     3         3        36        151989       4221        
    14:06:58.253 -> 2432    -92     2     2         5        35        152793       4365        
    14:06:58.407 -> 2437    -92     4     4         6        36        150138       4170        
    14:06:58.560 -> 2442    -92     3     7         9        34        150918       4438        
    14:06:58.727 -> 2447    -93     5     9         15       36        163305       4536        
    14:06:58.881 -> 2452    -92     2     3         8        36        151823       4217        
    14:06:59.035 -> 2457    -93     0     0         14       37        150555       4069        
    14:06:59.055 -> acs result: freq=2412, nf=3912
    14:06:59.055 -> acs done
    14:06:59.055 -> [3954]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:59.055 -> [3955]lmac_bgn_lo_freq_set: 2412
    14:06:59.055 -> [40;31m[3957]ieee80211_ap_ioctl:164::set channel 1
    14:06:59.055 -> [0m[3957]set ac= 0 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3958]set ac= 1 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3959]set ac= 2 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3959]set ac= 3 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3961]vif2 state WPA_DISCONNECTED -> WPA_COMPLETED
    14:06:59.055 -> [3962]add w0 interface!
    14:06:59.055 -> JPG start
    14:06:59.055 -> [3963]csi_test start,iic init
    14:06:59.055 -> [3964]iic init finish,sensor reset & set sensor clk into 6M
    14:06:59.055 -> hgdvp_set_baudrate:clock:480000000
    14:06:59.055 -> [3968]set sensor finish ,Auto Check sensor id
    14:06:59.055 -> [3968]devSensorInitTable = 1804d148 1804d8a8
    14:06:59.055 -> [3969]HI708 page0
    14:06:59.055 -> [3970]SID: ff, 96, 60, 61,4
    14:06:59.055 -> [3970]devSensorInitTable = 1804d348 1804d8a8
    14:06:59.055 -> [3971]SID: ff, 63, 86, 87,1
    14:06:59.055 -> [3972]devSensorInitTable = 1804d528 1804d8a8
    14:06:59.055 -> [3973]SID: ff, de, 66, 67,1
    14:06:59.056 -> [3973]devSensorInitTable = 1804b1e8 1804d8a8
    14:06:59.056 -> [3974]SID: ff, 9b, 42, 43,0
    14:06:59.057 -> [3974]devSensorInitTable = 1804b448 1804d8a8
    14:06:59.057 -> [3975]SID: ff, a0, 42, 43,0
    14:06:59.058 -> [3976]devSensorInitTable = 1804c088 1804d8a8
    14:06:59.059 -> [3977]SID: ff, bb, 66, 67,f0
    14:06:59.059 -> [3977]devSensorInitTable = 1804c608 1804d8a8
    14:06:59.060 -> [3978]SID: ff, 10, 42, 43,f1
    14:06:59.060 -> [3978]devSensorInitTable = 1804b7c8 1804d8a8
    14:06:59.062 -> [3979]SID: ff, 9d, 42, 43,f0
    14:06:59.062 -> [3980]devSensorInitTable = 1804c308 1804d8a8
    14:06:59.063 -> result = 0
    14:06:59.063 -> [3981]preset table num:2
    14:06:59.064 -> [3981]SID: ff, c0, 62, 63,0
    14:06:59.064 -> [3982]devSensorInitTable = 1804af28 1804d8a8
    14:06:59.065 -> [3983]SID: 20, 3a, dc, dd,fc
    14:06:59.066 -> [3983]devSensorInitTable = 1804ad68 1804d8a8
    14:06:59.067 -> [3984]SID: a6, 3, dc, dd,fd
    14:06:59.067 -> [3984]devSensorInitTable = 1804cfa8 1804d8a8
    14:06:59.068 -> [3985]SID: a6, a6, dc, dd,fd
    14:06:59.068 -> [3986]id =a6 num:11 sensor_id = 20a6
    14:06:59.069 -> [3986]Auto Check sensor id finish
    14:06:59.069 -> [3987]mclk:24000000MHz
    14:06:59.069 -> hgdvp_set_baudrate:clock:480000000
    14:06:59.070 -> [3987]init:1804cda0 u8Addrbytnum:1,u8Databytnum:1
    14:06:59.072 -> [3988]SENSER....init
    14:06:59.123 -> [4040]init table num:396
    14:06:59.123 -> [4040]SENSR ident ok:480*480
    14:06:59.123 -> [4040]csi init start  --
    14:06:59.123 -> [4041]csi set size ====>480*480
    14:06:59.124 -> [4041]csi dvp_size_set
    14:06:59.124 -> [4042]csi IRQ init
    14:06:59.124 -> [4042]dvpirq_register:1 180177b0  180177b0
    14:06:59.125 -> [4042]dvpirq_register:0 1801779c  1801779c
    14:06:59.125 -> [4043]vppirq_register:0 18017504  18017504
    14:06:59.126 -> [4043]vppirq_register:1 18017948  18017948
    14:06:59.126 -> [4044]vppirq_register:2 18017500  18017500
    14:06:59.127 -> [4044]vppirq_register:3 1801776c  1801776c
    14:06:59.128 -> [4045]vppirq_register:4 18017780  18017780
    14:06:59.128 -> [4046]vppirq_register:5 180174f0  180174f0
    14:06:59.128 -> [4046]vppirq_register:6 180174e0  180174e0
    14:06:59.129 -> [4047]vppirq_register:7 180174d0  180174d0
    14:06:59.130 -> [4047]csi IRQ init finish,start get data
    14:06:59.131 -> eloop_init:287::start
    14:06:59.131 -> user_eloop_run:309::run
    14:06:59.134 -> [4051]dns sock :2
    14:06:59.134 -> [test] init tcp server: port: 5007
    14:06:59.134 -> ---tcp srvsock = 3---
    14:06:59.135 -> [4052]ota num:0version:25841
    14:06:59.135 -> [4053]OEM AP Default!
    14:06:59.136 -> [4053]OEM NET Default!
    14:06:59.136 -> [4053]OEM Firmware Default!
    14:06:59.136 -> [4054]Camera TX Lib:Dec  1 2023 17:57:29
    14:06:59.137 -> [4054]DVP No need Bank Size
    14:06:59.137 -> [4055]client multi init
    14:06:59.137 -> [4055]csock:4
    14:06:59.139 -> [4055]psock:5
    14:06:59.139 -> [4056]protoCtx OK!
    14:06:59.139 -> [4056]eventCtx OK!
    14:06:59.139 -> [4057]videoCtx OK!
    14:06:59.139 -> [4057]i4 OK
    14:06:59.140 -> g_sensor_init start,iic init:200014bc
    14:06:59.140 -> init g_sensor,check id
    14:06:59.140 -> addr:1 1 30 32
    14:06:59.141 -> SID: ff, 11, 30, 32,f
    14:06:59.141 -> addr:1 1 30 32
    14:06:59.141 -> SID: ff, 11, 30, 32,f
    14:06:59.142 -> addr:1 1 4e 50
    14:06:59.142 -> SID: 13, 13, 4e, 50,1
    14:06:59.142 -> id =13 num:2 
    14:06:59.143 -> [4060]*** ADC module info: ADC channel repeat!!!
    
    14:06:59.145 -> [4062]notify local[0/0]!
    14:06:59.145 -> [4062]----WIFI_RUN_STATUS111----1
    14:06:59.158 -> init table num:20
    14:06:59.158 -> [4075][SYS]Capacity GSENSOR
    14:06:59.158 -> [4075][SYS]Capacity:0x2
    14:06:59.158 -> [4076][SYS]Capacity:0x3
    14:06:59.159 -> version_str = HKV41   5
    14:06:59.159 -> ----version_str = HKV41B   32
    14:06:59.159 -> product_str = BK7231U-XRH-FBPRO
    14:06:59.159 -> [4077][TX]Set Vendor: YPC
    14:06:59.160 -> [4077][TX]Set Product: BK7231U-XRH-FBPRO
    14:06:59.161 -> [4078][TX]Set Version: HKV41B
    14:06:59.161 -> [4078]no this event(20005)...
    14:06:59.161 -> [4079]scan down.......
    14:06:59.289 -> [4206]inteface2 find new bss: b8:f8:53:5c:53:bb-Fios-CGrF5
    14:06:59.644 -> [4561]0min:2906 65535 100 100 383
    14:07:00.147 -> [5064]notify local[0/0]!
    14:07:00.160 -> [5078]custom mem sram:61440
    14:07:00.160 -> [5078]freemem:43736
    14:07:00.315 -> --------------------
    14:07:00.315 -> local:88:17:89:0d:0e:b0
    14:07:00.315 ->     bios:2, pack:8 
    14:07:00.315 ->     pwr idx: 1
    14:07:00.315 ->     chip-temperature: 34
    14:07:00.315 ->     freq:2412, bg_rssi:-87
    14:07:00.316 ->     cca: -70, -60, -62
    14:07:00.316 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:00.317 ->         tx dma:381, total tx:381, retry:0, tx lost:0, tx err:0
    14:07:00.318 ->     rx: frms:82, data:0
        throughput: tx: 14.40 Kbps, rx: 0 bps
    14:07:00.318 ->     max gain:7
    14:07:00.318 -> --------------------
    14:07:01.150 -> [6067]notify local[0/0]!
    14:07:01.160 -> [6078]custom mem sram:61440
    14:07:01.160 -> [6078]freemem:43736
    14:07:02.151 -> [7067]notify local[0/0]!
    14:07:02.159 -> [7078]custom mem sram:61440
    14:07:02.159 -> [7078]freemem:43832
    14:07:03.150 -> [8067]notify local[0/0]!
    14:07:03.161 -> [8078]custom mem sram:61440
    14:07:03.161 -> [8078]freemem:44024
    14:07:04.150 -> [9067]notify local[0/0]!
    14:07:04.172 -> [9078]custom mem sram:61440
    14:07:04.172 -> [9078]freemem:44024
    14:07:05.155 -> [10067]notify local[0/0]!
    14:07:05.160 -> [10078]ip:101a8c0  freemem:44024
    14:07:05.161 -> [10078]custom mem sram:61440
    14:07:05.163 -> [10078]freemem:44024
    14:07:05.315 -> --------------------
    14:07:05.315 -> local:88:17:89:0d:0e:b0
    14:07:05.315 ->     bios:2, pack:8 
    14:07:05.315 ->     pwr idx: 1
    14:07:05.315 ->     chip-temperature: 38
    14:07:05.315 ->     freq:2412, bg_rssi:-88
    14:07:05.315 ->     cca: -70, -60, -62
    14:07:05.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:05.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
    14:07:05.317 ->     rx: frms:42, data:0
    14:07:05.317 ->     throughput: tx: 0 bps, rx: 0 bps
        max gain:7
    14:07:05.317 -> --------------------
    14:07:06.151 -> [11067]notify local[0/0]!
    14:07:06.161 -> [11079]custom mem sram:61440
    14:07:06.161 -> [11079]freemem:44024
    14:07:07.150 -> [12067]notify local[0/0]!
    14:07:07.162 -> [12079]custom mem sram:61440
    14:07:07.162 -> [12079]freemem:44024
    14:07:08.150 -> [13067]notify local[0/0]!
    14:07:08.162 -> [13079]custom mem sram:61440
    14:07:08.162 -> [13079]freemem:44024
    14:07:09.150 -> [14067]notify local[0/0]!
    14:07:09.162 -> [14079]custom mem sram:61440
    14:07:09.162 -> [14079]freemem:44024
    14:07:10.150 -> [15067]notify local[0/0]!
    14:07:10.162 -> [15079]custom mem sram:61440
    14:07:10.162 -> [15079]freemem:44024
    14:07:10.315 -> --------------------
    14:07:10.315 -> local:88:17:89:0d:0e:b0
    14:07:10.315 ->     bios:2, pack:8 
    14:07:10.315 ->     pwr idx: 1
    14:07:10.315 ->     chip-temperature: 40
    14:07:10.315 ->     freq:2412, bg_rssi:-88
    14:07:10.315 ->     cca: -70, -60, -62
    14:07:10.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:10.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
    14:07:10.317 ->     rx: frms:42, data:0
    14:07:10.317 ->     throughput: tx: 0 bps, rx: 0 bps
        max gain:7
    14:07:10.317 -> --------------------
    14:07:11.150 -> [16067]notify local[0/0]!
    14:07:11.162 -> [16079]ip:101a8c0  freemem:44024
    14:07:11.162 -> [16079]custom mem sram:61440
    14:07:11.164 -> [16079]freemem:44024
    14:07:12.152 -> [17068]notify local[0/0]!
    14:07:12.162 -> [17080]custom mem sram:61440
    14:07:12.162 -> [17080]freemem:44024
    14:07:12.663 -> [17577]inteface2 find new bss: 78:67:0e:32:a0:08-Verizon_4Z9PNJ
    14:07:13.153 -> [18069]notify local[0/0]!
    14:07:13.162 -> [18080]custom mem sram:61440
    14:07:13.162 -> [18080]freemem:43928

    Pressing button alone while powered off:
    14:06:00.437 -> [0]40 00 97 00 a8 43 12 a0
    14:06:00.437 -> [0]28 e0 00 00 00 00 00 00
    14:06:00.438 -> [0]00 00 00 00 00 00 00 00
    14:06:00.438 -> [0]88 17 89 0d 0e 2c 76 35
    14:06:00.439 -> [0]86 65 89 67 9f 57 00 00
    14:06:00.439 -> [0]80 00 bb 02 a0 f7 00 00
    14:06:00.439 -> [0]00 15 00 00 08 14 00 00
    14:06:00.440 -> [0]00 00 00 00 00 00 0c 00
    14:06:00.440 -> [0]00 00 00 40 08 84 40 08
    14:06:00.440 -> [0]8c c0 08 8c c0 08 94 00
    14:06:00.441 -> [0]06 4b 3f fd 92 ff 04 4e
    14:06:00.441 -> [0]f0 00 4f 00 de 01 02 02
    14:06:00.442 -> [0]00 ff ff ff 0f b4 04 04
    14:06:00.442 -> [0]02 04 04 06 06 1f 00 17
    14:06:00.442 -> [0]00 02 3e 00 00 00 00 08
    14:06:00.443 -> [0]00 00 00 00 00 30 12 00
    14:06:00.443 -> [0]3c 3c 0f
    14:06:00.443 -> [0]validity: 1579f00d
    
    14:06:00.449 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
    14:06:00.449 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
    14:06:00.449 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
    14:06:00.449 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
    14:06:00.449 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
    14:06:00.449 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
    14:06:00.449 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
    14:06:00.449 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
    14:06:00.449 -> ------------------------------------------------------------------
    14:06:00.450 -> [0] ------- system restart fault -----------
    14:06:00.450 -> [0] ---------------------------------------
    14:06:00.452 -> [1]freemem:160720
    14:06:00.452 -> [1]custom_mem_init:2000c740
    14:06:00.452 -> [1]custom mem sram:61440
    14:06:00.452 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
    14:06:00.454 -> [4]syscfg_read OK!
    14:06:00.455 -> [4]old cfg_ver:259

    Doing random things in the app:
    14:08:18.401 -> [83308]Charge Status:0
    14:08:51.852 -> LED:1 Control:1 1 100
    14:08:51.852 -> Set LED:1 ON
    14:08:51.852 -> [116763]Charge Status:0
    14:08:51.886 -> LED:1 Control:1 1 100
    14:08:51.886 -> Set LED:1 ON
    14:08:51.886 -> [116790]Charge Status:0
    14:09:00.151 -> LED:1 Control:0 0 0
    14:09:00.151 -> LED:1  ON:1
    14:09:00.179 -> LED:1 Control:1 0 0
    14:09:00.179 -> Set LED:1 OFF
    14:09:00.179 -> [125084]Charge Status:0
    14:09:01.368 -> LED:1 Control:0 0 0
    14:09:01.368 -> LED:1  ON:0
    14:09:01.395 -> LED:1 Control:1 1 100
    14:09:01.395 -> Set LED:1 ON
    14:09:01.395 -> [126300]Charge Status:0

    Connecting to WiFi (I believe the app may have been open in the background):
    14:08:14.173 -> [79090]custom mem sram:61440
    14:08:14.173 -> [79090]freemem:44024
    14:08:14.192 -> [79108]notify local[0/0]!
    14:08:14.608 -> [79524]lmac_bgn_add_sta: if:1, aid1, addr:6a:88:53:52:cf:f7
    14:08:14.608 -> [79525]rc_init: type= 1 mcs_mask= 0x3cc
    14:08:14.609 -> [79525]inteface2: sta 6a:88:53:52:cf:f7 connected
    14:08:14.609 -> [79526]user_sta_add:6a 88 53 52 cf f7
    14:08:14.739 -> [79655]send DHCP_OFFER ...
    14:08:14.739 -> [79657]Next IP: 192.168.1.11
    14:08:14.740 -> [79657]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
    14:08:15.173 -> [80090]custom mem sram:61440
    14:08:15.173 -> [80090]freemem:43488
    14:08:15.196 -> [80112]notify local[1/0]!
    14:08:15.319 -> --------------------
    14:08:15.319 -> local:88:17:89:0d:0e:b0
    14:08:15.319 ->     bios:2, pack:8 
    14:08:15.319 ->     pwr idx: 1
    14:08:15.319 ->     chip-temperature: 48
    14:08:15.319 ->     freq:2412, bg_rssi:-87
    14:08:15.319 ->     cca: -59, -49, -51
    14:08:15.319 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:08:15.319 ->         tx dma:12, total tx:12, retry:0, tx lost:0, tx err:0
    14:08:15.319 ->     rx: frms:107, data:96
    14:08:15.319 ->     throughput: tx: 2.95 Kbps, rx: 5.23 Kbps
    14:08:15.319 ->     max gain:7
    14:08:15.319 -> sta:6a:88:53:52:cf:f7, aid:1, rssi:-34, evm:-25, tx frm type:*0, tx mcs:*2, freq offset:20864
    14:08:15.320 ->     ifidx:1, MAC:88:17:89:0d:0e:b0
    
    14:08:15.322 -> --------------------
    14:08:15.825 -> [80741]send DHCP_ACK ...
    14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
    14:08:15.828 -> [40;32m[80744]EVENT 10007 IGNORED
    14:08:15.828 -> [0m[80745]IP Pool:
    14:08:15.829 -> [80746]    ip:192.168.1.10 - 6a:88:53:52:cf:f7
    14:08:16.173 -> [81090]custom mem sram:61440
    14:08:16.173 -> [81090]freemem:43488
    14:08:16.212 -> [81128]notify local[1/0]!
    14:08:17.173 -> [82090]ip:101a8c0  freemem:43488
    14:08:17.174 -> [82090]custom mem sram:61440
    14:08:17.174 -> [82091]freemem:43488
    14:08:17.212 -> [82128]notify local[1/0]!
    14:08:18.174 -> [83091]custom mem sram:61440
    14:08:18.174 -> [83091]freemem:43488
    14:08:18.234 -> [83145]notify local[1/0]!
    14:08:18.330 -> [83220]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> [83222]IP add:a01a8c0
    14:08:18.330 -> [83222]*******************************************
    14:08:18.330 -> [83223]mac:88:17:89:0d:0e:b0
    14:08:18.330 -> [83223]->a01a8c0 fist connect
    14:08:18.330 -> [83224ip:a01a8c0 0
    14:08:18.330 -> [83227]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> [83228]*******************************************
    14:08:18.330 -> [83229]mac:88:17:89:0d:0e:b0
    14:08:18.330 -> [83229]->a01a8c0 first connect
    14:08:18.330 -> [83230]ip:a01a8c0 0
    14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> read license = 
    14:08:18.330 -> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
    00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
    
    14:08:18.334 -> [83250]OK=>SN:!
    14:08:18.346 -> [83263]New client active:0 0
    14:08:18.346 -> hgdvp_close...............................................................
    14:08:18.378 -> [83294]pic port:54589
    14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
    14:08:18.401 -> [83307]Led control:1-1-1-100
    14:08:18.401 -> LED:1 Control:1 1 100
    14:08:18.401 -> Set LED:1 ON
    14:08:18.401 -> [83308]Charge Status:0


    Firmware Extraction
    To extract the firmware (and I do apologize, I'm recalling this from memory so it may not be perfect) I went ahead and used an STM32 blue pill board and followed this guide to get the flash programmer set up.
    Once your stm32 is flashed, connect A1 to PA10 (labeled CLK), A5 to PA9 (labeled TMS), and G to GND. Additionally, if you want to read UART output from the device, connect your UART reader to GND and DP (This is the mcu's TX pin, connect to your RX pin).
    Then, follow the instructions here regarding how to generally dump or flash the firmware (although I have not attempted anything besides reading).

    Whenever you interface with the chip, you need to hold the button on the board, then hit read (or otherwise connect the cklink to the target). You may need to do this quickly after hitting the button and it may be somewhat finicky, I would recommend just trying out and seeing what works.

    Note: When I attempted to read the flash, I was never able to in one full go and instead had to do 0x0-0x50000 then 0x10000 increments up to 0x100000 which is the size of the mcu (1 MB), I then merged these files back together into one. I'm unsure why but I assume it's to do with the STM32 being used as the CKLink, I may recommend using an official or clone device. Thank you divadiow for letting me know that this was due to me reading at too fast of an ICE clock speed, I believe I had been dumping it at 12000KHz, lowering this down to 1200KHz as mentioned in the article solves this for me.

    It also appears there's some type of licensing? I'm not sure what exactly it is but I've seen it while reversing the mobile app as well.

    I've gotten this far but I'm not really sure where to go from here, I would like to be able to disassemble the firmware in something like Ghidra or IDA but as the C-Sky V2 CPU ABI is not implemented in just about anything I'd have to implement it myself which I don't really want to do... I've attached the csky-elfabiv2-tools-x86_64-minilibc-20210423 but I'm not sure it's actually the right one for this chip, as well as the objdump output from running it on the full firmware file

    I'll mention that as you might be able to tell this is my first post so if you have any tips for better posting please let me know! 😄
    AI: Could you clarify what your main goal is with the firmware analysis—are you looking to unlock features, patch the firmware, do security research, or just understand how the device works?
    The mobile interface seems to have an upload firmware option for ota updates. Ideally, we'd be able to leverage that to put a custom firmware on it. I'm also interested in analyzing the firmware to find any possible vulnerabilities or issues with it. That being said, I also just like opening things and looking at them.
    AI: Are you open to using alternative tools besides Ghidra or IDA for C-Sky V2 disassembly, like radare2, Binary Ninja, or any C-Sky-specific toolchains, or are you set on using Ghidra/IDA only?
    Ghidra and IDA would be my ideals, but if I could get anything to properly get an analysis of it that's actually aware of where things are (ex. memory locations like strings) I could work with that.
    Attachments:
    • pcb_front.jpg (4.1 MB)
    • pcb_back.jpg (3.89 MB)
    • csky-elfabiv2-tools-x86_64-minilibc-20210423.tar.gz (76.72 MB)
    • C-SKY+ABIV2+Standards+Manual.pdf (658.61 KB)
    • Taixen TXW816 zh-cn.pdf (2.99 MB)
    • Taixen TXW816 en-US.pdf (1.7 MB)

  • #2 21600289
    divadiow
    Level 38  
    hey. nice to see another Taixin MCU that isn't in a cam.
    regarding the flash read lengths, this does feel vaguely familiar, but I don't recall what I did, if anything, to make it no longer the case. Lower ICE Clk make any difference?

    Added after 7 [minutes]:

    maybe this means the cam is a Hynix HI708



    how many pins does the ribbon have and what is the full text on it?
  • #3 21600564
    gulson
    System Administrator
    All in all, an interesting use of the otoscope, to preview the electronics! Thanks ;) .
    Email me your shipping address and I'll send a small gift.
  • #4 21601301
    eastarctica
    Level 3  
    >>21600289 Wrote up a response yesterday but my tab seems to have been slept and deleted so this is generally being rewritten again as well.

    Haha well it may not be one of those mini cams but it's still a camera ofc, definitely has some interesting features though... Hmmm, I can't find much info on the HI-708. All I could really find were some references to their "1.0μm Black Pearl" technology. Firmware only seems to mention "708" once in that same uart log so not a ton of luck there until I get a bit further access to it (mostly getting gdb working on it).

    I pulled apart the camera assembly which it seems that the camera ribbon pulls out of the metal housing without damage which is nice, images attached. Text on the ribbon is SP1508B30-B and it's got pins 1 through 21 labeled (21 pins total).

    >>21600564 Definitely an abstract use for an otoscope, I have to admit that I actually got the idea from someone on reddit and if we could get the firmware to use the vertical axis for the automatic rotation thing seen in that video it could be useful as some type of board imaging thing if you tossed it on a 3d printer gantry 🤔
  • #5 21601414
    divadiow
    Level 38  
    divadiow wrote:
    nice to see another Taixin MCU that isn't in a cam

    that isn't in an A9 cam type of device*

    :D

    yeh, I've not found much about the HI708 either. A few mentions in github code and I see it's in the XF16 list along with HI704 https://www.elektroda.com/rtvforum/topic4121965.html#21549325

    Added after 13 [minutes]:

    ordered
  • #6 21611793
    divadiow
    Level 38  
    eastarctica wrote:
    Thank you divadiow for letting me know that this was due to me reading at too fast of an ICE clock speed, I believe I had been dumping it at 12000KHz, lowering this down to 1200KHz as mentioned in the article solves this for me

    oh cool. didn't notice this.

    my one has arrived and I'm just photographing and capturing bits before posting about my findings

    Added after 1 [minutes]:

    also, would you be willing to share your device firmware?

    Added after 5 [hours] 34 [minutes]:

    Here it is. Same Taixin TXW816-810 1mb MCU.



    TCK (PA10) -> STM32 A1
    TMS (PA9) -> STM32 A5

    T-head Debug CPU detection:


    The QR in the manual is for the iTiMo app from MoLink. We also see Molink referenced in the boot log along with the SSID broadcast to be joined by phone so the app can stream from the camera
    https://play.google.com/store/apps/details?id=com.molink.john.itimo&hl=en_GB




    Backup was taken with CDK Flash Programmer. I had to hold power button down, same as in first post, which was difficult because I ripped off the button when opening the unit. Thinking about it though, there's a KEY pad on the PCB so that maybe could have been grounded instead.

    I don't see mention of the CMOS sensor in the boot log, though maybe it could be determined from the registers or other i2c stuff printed out.

    1mb dump: https://github.com/openshwprojects/FlashDumps/pull/38/files

    keywords:
    XJY-Y25A-3H
    Y8S-D-4.2mm
    Manufacturer: Dongguanshi Qianyu Electronic Technology Co.,Ltd
    Address: Room 501, Building 1, No. 50 Yantian Changtang Road, Fenggang Town, Dongguan City, Guangdong Province, China.
    Attachments:
    • IMG_0119.JPG (2.86 MB)
    • IMG_0118.JPG (2.98 MB)
  • #7 21612232
    divadiow
    Level 38  
    interesting strings

  • #9 21612344
    divadiow
    Level 38  
    very interesting


    Added after 10 [minutes]:



    Added after 7 [minutes]:

    don't currently know if there's even an OTA partition in dump, if it's large enough and if the file I'm uploading is to be used for OTA. I've tried these two in AT demo dump zip
    https://www.elektroda.com/rtvforum/topic4033757.html#21546489

    btw there's no sign of a device info/fw upgrade section in the app - just the basic cam operation stuff
  • #10 21613891
    eastarctica
    Level 3  
    >>21611793 Nice job getting everything dumped and working! I apologize I had thought I added the firmware to my initial post but it's attached here. Diffing them they're slightly different. Notably, yours appears to be compiled with `hgSDK-v2.5.1.7-31060, app-0, build time:Mar 26 2025 15:41:31` versus mine with `hgSDK-v2.5.0.7-25841, app-0, build time:Dec 5 2024 12:06:20`

    >>21612344 There may be no mention of firmware updating in the app, but if you extract the android apk for mine at least, you'll get `com.i4season.bkCamera/lib/arm64-v8a/libWifiCamera.so` which has many interesting things... There's also `libI4Tool.so`, `libNetFrame.so`, and `libUStorageDeviceFS.so`, all of which I've attached.

    Notably these exports:
    cameraWifiupdateFirmware
    cameraWifiupdatemcuFirmware

    Full exports:
    
            __bss_start
            _bss_end__
            AcceptFileListForPath
            AcceptFileListForPathTieniu
            addack
            allStreamGet
            amq
            angleCopy
            batterychangefuc
            block_queue_init
            block_queue_pull
            block_queue_pull_new
            block_queue_push
            block_queue_signal
            block_queue_udata_create
            block_queue_udata_destroy
            block_queue_waiteforpull
            blockbufid_get
            CallBooleanMethod
            CallIntMethod
            CallObjectMethod
            CallVoidMethod
            cameraCheckOnline
            cameraCmd
            cameraConfGet
            cameraConfSet
            cameraDelShake
            cameraExposureGet
            cameraExposureSet
            cameraHttp
            cameraHttpApi
            cameraLicSet
            cameraParameterGet
            cameraParameterSet
            cameraSetLowPowerMode
            cameraWifiFirmInfoGet
            cameraWifiLicInfoGet
            cameraWifiStatusInfoGet
            cameraWifiupdateFirmware
            cameraWifiupdatemcuFirmware
            caWifiInit
            caWifiStart
            caWifiStop
            changemode
            check_send
            check_sendack
            connect_tieniu
            connect_tieniu
            cwificamerafuc_sethandle
            dataqueue
            delfile
            destory_allblock_buf
            destory_block_buf
            entry
            filebuttonfuc
            filelist_destroy
            filelist_destroy
            freequeue
            get_logbuf
            getBattery
            getbattey_check
            getCameraTimeout
            getCongfig
            getdevinfo
            getfilelist
            getisfilter
            getlic10_frommac
            getlictieniu
            getlist
            getPort
            getsdstatus
            getssid
            getssid_private
            getzoomdatabegin
            getzoominfo
            humidityGet
            isackok
            isAngleUpDown
            isAngleUpDownAll
            ishavemiddle
            ishavesdcard
            Java_com_jni_getCameraTimeout
            Java_com_jni_Tieniu_WifiCameraTieniu_callback
            Java_com_jni_Tieniu_WifiCameraTieniu_cameraAcceptFileList
            Java_com_jni_Tieniu_WifiCameraTieniu_changemode
            Java_com_jni_Tieniu_WifiCameraTieniu_delfile
            Java_com_jni_Tieniu_WifiCameraTieniu_getBattery
            Java_com_jni_Tieniu_WifiCameraTieniu_getdevinfo
            Java_com_jni_Tieniu_WifiCameraTieniu_getinfo
            Java_com_jni_Tieniu_WifiCameraTieniu_getzoominfo
            Java_com_jni_Tieniu_WifiCameraTieniu_ishavesdcard
            Java_com_jni_Tieniu_WifiCameraTieniu_reset
            Java_com_jni_Tieniu_WifiCameraTieniu_setB
            Java_com_jni_Tieniu_WifiCameraTieniu_setBrightness
            Java_com_jni_Tieniu_WifiCameraTieniu_setContrast
            Java_com_jni_Tieniu_WifiCameraTieniu_setG
            Java_com_jni_Tieniu_WifiCameraTieniu_setlic
            Java_com_jni_Tieniu_WifiCameraTieniu_setR
            Java_com_jni_Tieniu_WifiCameraTieniu_setResolution
            Java_com_jni_Tieniu_WifiCameraTieniu_setSharpness
            Java_com_jni_Tieniu_WifiCameraTieniu_Start
            Java_com_jni_Tieniu_WifiCameraTieniu_takePic
            Java_com_jni_Tieniu_WifiCameraTieniu_takeVideo
            Java_com_jni_Tieniu_WifiCameraTieniu_zoomdown
            Java_com_jni_Tieniu_WifiCameraTieniu_zoomup
            Java_com_jni_WifiCamera_caAllStreamGet
            Java_com_jni_WifiCamera_caInit
            Java_com_jni_WifiCamera_CallBackFucStart
            Java_com_jni_WifiCamera_CallBackStart
            Java_com_jni_WifiCamera_cameraAcceptFileList
            Java_com_jni_WifiCamera_cameraCheckOnline
            Java_com_jni_WifiCamera_cameraCmd
            Java_com_jni_WifiCamera_cameraDelShake
            Java_com_jni_WifiCamera_cameraExposureGet
            Java_com_jni_WifiCamera_cameraExposureSet
            Java_com_jni_WifiCamera_cameraFirmInfoGet
            Java_com_jni_WifiCamera_cameraLedStatusGet
            Java_com_jni_WifiCamera_cameraLedStatusSet
            Java_com_jni_WifiCamera_cameraLicInfoGet
            Java_com_jni_WifiCamera_cameraLicInfoGet
            Java_com_jni_WifiCamera_cameraParameterGet
            Java_com_jni_WifiCamera_cameraParameterSet
            Java_com_jni_WifiCamera_cameraSetLic
            Java_com_jni_WifiCamera_cameraSetLowPowerMode
            Java_com_jni_WifiCamera_cameraStatusInfoGet
            Java_com_jni_WifiCamera_camerawifiAllowUpFile
            Java_com_jni_WifiCamera_cameraWifiConfGet
            Java_com_jni_WifiCamera_cameraWifiConfSet
            Java_com_jni_WifiCamera_cameraWifiResolutionGet
            Java_com_jni_WifiCamera_camerawifiUpDir
            Java_com_jni_WifiCamera_caStart
            Java_com_jni_WifiCamera_caStop
            Java_com_jni_WifiCamera_getaudio
            Java_com_jni_WifiCamera_getisfilter
            Java_com_jni_WifiCamera_humidityGet
            Java_com_jni_WifiCamera_openLog
            Java_com_jni_WifiCamera_openVideoForceApi
            Java_com_jni_WifiCamera_screenParametersGet
            Java_com_jni_WifiCamera_screenParametersGetFromBuffer
            Java_com_jni_WifiCamera_screenParametersSet
            Java_com_jni_WifiCamera_screenParametersSetTobuffer
            Java_com_jni_WifiCamera_setCameraTimeout
            Java_com_jni_WifiCamera_setisfilter
            Java_com_jni_WifiCamera_startAviVideoRecord
            Java_com_jni_WifiCamera_stopAviVideoRecord
            Java_com_jni_WifiCamera_temperatureGet
            Java_com_jni_WifiCamera_tewlGet
            Java_com_jni_WifiCamera_updateFirmware
            Java_com_jni_WifiCamera_updatemcuFirmware
            lastangleArray
            lastangleArraytmp
            lastaudioseq
            lasteventSetEar
            lastid
            LedStatusGet
            LedStatusSet
            libwificamera_notifyport
            log_wifiwrite
            maxangle
            menubuttonfuc
            minangle
            mu_camera_data_add
            mu_camera_data_create
            mu_camera_data_create2
            mu_camera_data_destroy
            mu_camera_data_destroy2
            mu_queue_push
            mucamera_clean
            mucamera_pull
            mucamera_pull2
            mucamera_push
            mucamera_push2
            mucamera_signal
            mucamera_waiteforpull
            muqueue_init
            newcamera_audio_destory
            newcamera_pullaudio
            newcamera_start
            newcamera_stop
            newcamera_wait
            newcamerawifi_fuc
            NewObject
            noweventSetEar
            openVideoForceApi
            parsebuf
            picbuttonfuc
            private_camera_wifi_fuc
            queuedrop
            readhttphead
            reset
            runinfo
            ScreenParametersGet
            ScreenParametersGetFromBuffer
            ScreenParametersSet
            ScreenParametersSetTobuffer
            selectread
            selectread
            sendHttp
            sensor_get_xyz
            set_notify_allow
            set_notify_dir
            set_uri
            setackflag
            setB
            setBrightness
            setCameraTimeout
            setcheckproduct
            setContrast
            setG
            setisfilter
            setlic
            setR
            setResolution
            setSharpness
            sig_waite
            sleep
            start
            start_callback
            start_notify
            stop_notify
            suportCheck
            takePic
            takePicprivate
            takeVideo
            takeVideoprivate
            temperatureGet
            testStatus
            tewl
            tieniu_read
            TransformStructFileInfo
            TransformStructFileInfoTieniu
            UCallBackFucHandle1
            UCallBackFucHandle_Data
            UCallBackHandle1
            UCallBackHandle_Data
            UCallBackHandle_file_sig
            UCallBackHandle_picdata
            UCallBackHandle_sig
            UCallBackHandle_status
            videobuttionfuc
            wakeup
            wifi_closelog
            wifi_logflag
            wifi_openlog
            wifiaudioInfo2obj
            WifiCallBackFucHandle
            WifiCallBackHandle
            wifidata_audio
            wifidata_audio2
            wifidata_logwrite
            wifiPicInfo2obj
            zoomchangefuc
            zoomdown
            zoomup
            ~cameraHttp
            ~cameraHttpApi
            ~WifiCallBackFucHandle
            ~WifiCallBackHandle
    
    Attachments:
    • lib.zip (5.46 MB)
    • firmware_0x100000.bin (1 MB)
  • #13 21651756
    divadiow
    Level 38  
    OpenTXW81X_txwtest_6e2915e3d439.bin


    startdriver txwcam


    no rtsp video but a bit of static audio
    VLC media player window with a blank screen and a traffic cone icon in the center.

    Added after 13 [minutes]:

    Blue LED on PCB is PA00 and the LED ring around cam is PA11
    Illuminated electronic circuit board with connected wires and glowing LED light

    Device TXW81X configuration panel with TXWCAM driver active and restart button visible.
  • #14 21740352
    divadiow
    Level 38  
    txw816-810-ear-pick-video-sw-key-v1-1-20230926.pdf

    Attachments:
    • txw816-810-ear-pick-video-sw-key-v1-1-20230926.pdf (82.26 KB)
  • #15 21740399
    divadiow
    Level 38  
    manual edit translation to English
    Attachments:
    • EN_txw816-810-ear-pick-video-sw-key-v1-1-20230926.pdf (28.11 KB)

Topic summary

✨ The discussion focuses on inexpensive earwax remover otoscopes based on the Taixen TXW816-810 MCU, commonly found on platforms like Amazon, AliExpress, and TikTok Shop. These devices power on with a flashing button and camera light, then broadcast a Wi-Fi network with SSIDs resembling "Soulear-ae45b" or "Suear-4670," using MAC addresses such as 88:17:89:0d:0e:b0 and DHCP IP ranges starting at 192.168.1.10. Connected smartphone apps provide video capture, ear side selection, LED control, and lens mode switching (wide/focused, horizontal/mirror). A response highlights familiarity with the Taixen MCU outside of cameras and suggests the camera sensor might be a Hynix HI708, referencing a log entry "[3969]HI708 page0." The responder inquires about the ribbon cable pin count and its full labeling to assist with hardware interfacing and firmware analysis. There is also mention of flash memory read lengths and ICE clock speed adjustments as potential debugging steps.
Generated by the language model.

FAQ

TL;DR: For hardware hackers and firmware analysts, these 1 MB TXW816-810 otoscopes are crackable: “Lower ICE Clk” fixed failed reads, and 21-pin camera modules plus exposed UART/JTAG-style pads make dumping, logging, and cross-device comparison practical. [#21611793]

Why it matters: This FAQ turns a long reverse-engineering thread into a fast, citation-ready guide for dumping firmware, identifying pads, tracing Wi-Fi behavior, and assessing custom firmware risks on Taixen TXW816-810 otoscopes.

| Option | What the thread shows | Practical result |
|---|---|---|
| Stock Dec 2024 firmware | hgSDK v2.5.0.7-25841, 480×480 sensor init | Boots on one device and exposes UART, Wi-Fi AP, and port 5007 services |
| Stock Mar 2025 firmware | hgSDK v2.5.1.7-31060, 640×480 sensor init | Adds MoLink/iTiMO branding, BLE references, and different hardware expectations |
| OpenTXW81X test build | hgSDK v2.5.3.7-36533, RTSP work in progress | AP and audio can start, but video still fails on this otoscope sensor |

Key insight: The MCU family is accessible, but the camera and motion hardware are not interchangeable. Firmware can boot across units, yet sensor and gsensor mismatches stop full camera bring-up or orientation support. [#21614421]

Quick Facts

  • The main PCB exposed pads included 3.3 V, 5 V, GND, CE, DP, CLK, TMS, and PA8; DP mapped to UART TX, while RX was not exposed. [#21600275]
  • The otoscope used a 2.7 V, 170 mAh battery and broadcast a Wi-Fi AP at 192.168.1.1, with DHCP leases starting at 192.168.1.10. [#21600275]
  • The camera flex was labeled SP1508B30-B and had 21 pins, numbered 1 through 21. [#21601301]
  • Two dumped stock firmware branches differed materially: one logged hgSDK-v2.5.0.7-25841 built Dec 5 2024, while another logged hgSDK-v2.5.1.7-31060 built Mar 26 2025. [#21613891]

How do you dump the firmware from a Taixen TXW816-810 otoscope using an STM32 Blue Pill and CKLink wiring on PA10/TCK and PA9/TMS?

You can dump it by wiring the Blue Pill as a CKLink bridge and catching the chip during power-on.

1. Flash the STM32 Blue Pill with the CKLink-compatible programmer setup from the linked guide.
2. Wire STM32 A1 to PA10/CLK/TCK, A5 to PA9/TMS, and GND to GND; add UART RX to DP if you want logs.
3. Hold the otoscope button, start the read, and connect quickly; one successful setup read the full 1 MB after lowering ICE speed. [#21600275]

Why did the TXW816-810 flash read fail in large chunks until the ICE clock was lowered from 12000 KHz to 1200 KHz?

The read failed because the debug clock was too fast for stable transfers on this target. At 12000 KHz, one dump only worked in partial regions such as 0x0-0x50000 plus 0x10000 steps, but at 1200 KHz the same setup read correctly. One poster summed up the fix as “Lower ICE Clk,” and the original author confirmed that slowing the clock solved the issue. [#21611793]
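
A chunked read like the one described above can be merged and checked mechanically. This added example (not code from the thread) rebuilds the 1 MB image from offset-tagged chunks, refuses gaps or overlaps, and compares two reads block by block; the function names and the counter-pattern stand-in for flash contents are assumptions made for illustration.

```python
import hashlib

FLASH_SIZE = 0x100000  # 1 MB flash, as stated in the thread


def thread_read_plan(flash_size=FLASH_SIZE):
    """Read ranges described in the thread: 0x0-0x50000, then 0x10000 steps."""
    plan = [(0x0, 0x50000)]
    plan += [(s, s + 0x10000) for s in range(0x50000, flash_size, 0x10000)]
    return plan


def assemble(chunks, flash_size=FLASH_SIZE):
    """Merge (start_offset, data) chunks into one image.

    Raises ValueError on a gap, an overlap or a wrong total size, so a
    missing or double-read range cannot silently shift the rest of the image.
    """
    image = bytearray()
    for start, data in sorted(chunks, key=lambda c: c[0]):
        if start > len(image):
            raise ValueError(f"gap: 0x{len(image):x}-0x{start:x} not covered")
        if start < len(image):
            raise ValueError(f"overlap: chunk at 0x{start:x} starts inside earlier data")
        image += data
    if len(image) != flash_size:
        raise ValueError(f"image is 0x{len(image):x} bytes, expected 0x{flash_size:x}")
    return bytes(image)


def differing_blocks(read_a, read_b, block=0x1000):
    """Offsets of the blocks that differ between two reads of the same flash."""
    if len(read_a) != len(read_b):
        raise ValueError("reads differ in length")
    return [off for off in range(0, len(read_a), block)
            if read_a[off:off + block] != read_b[off:off + block]]


def sha256_hex(image):
    """Digest to record next to the dump so later copies can be verified."""
    return hashlib.sha256(image).hexdigest()


def constructed_flash(flash_size=FLASH_SIZE):
    """Constructed stand-in for real flash contents: a 32-bit counter pattern."""
    return b"".join(i.to_bytes(4, "little") for i in range(flash_size // 4))


if __name__ == "__main__":
    flash = constructed_flash()
    chunks = [(s, flash[s:e]) for s, e in thread_read_plan()]
    merged = assemble(reversed(chunks))  # the order of the chunk files does not matter
    print("chunks:", len(chunks), "sha256:", sha256_hex(merged))
    # Simulate a second read that disagrees with the first in a single byte.
    second = bytearray(merged)
    second[0x7A123] ^= 0xFF
    print("blocks differing between reads:",
          [hex(o) for o in differing_blocks(merged, bytes(second))])
```

Two reads that agree in every block are the practical sign that the chosen ICE clock is giving stable transfers.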

What is CKLink, and how is it used to read or debug Taixen TXW816-810 devices?

“CKLink” is a hardware debug interface that connects to C-SKY/XuanTie MCUs, exposes low-level read, flash, and GDB control, and commonly uses TCK/TMS-style wiring rather than simple UART. On this otoscope, it was wired to PA10 and PA9 and identified the CPU as a XuanTie CK803SG. The posted detection log also showed remote GDB targets on port 1025, confirming live debug access, not just flash reading. [#21611793]

What does ICE clock mean when dumping firmware from a C-SKY or XuanTie MCU, and why does the speed matter?

“ICE clock” is the debug transport clock that times communication between the programmer and the target MCU, and its stability depends on wiring quality, target state, and adapter capability. Speed matters because an over-fast clock causes failed or partial reads. In this thread, 12000 KHz caused broken chunked dumps, while 1200 KHz produced stable full reads on the 1 MB TXW816-810. [#21600275]

Which PCB pads on the TXW816-810 otoscope are useful for UART, power, and debug access, and what are their functions?

The useful pads are 3.3 V, 5 V, shared GND, CE, DP, CLK, TMS, and PA8. The thread mapped DP to PC6 and confirmed it carries UART TX, while RX is not exposed. CLK is PA10 and TMS is PA9 for CKLink-style debug. CE is CHIP_EN, PA8 may be USB_DET, 3.3 V comes from the MCU side, and 5 V comes from USB input. [#21600275]

Why does the UART log on these otoscopes show sensor-detection strings like HI708, 20a6, and gsensor errors during boot?

The boot log prints those strings because the firmware probes several candidate camera and motion sensors before selecting one. One unit logged HI708 page0, then later detected id =a6 and sensor_id = 20a6, while another firmware branch selected id =20 num:10 and initialized 640×480. A cross-flashed unit then failed with Er: unkown!gsensor error, showing that sensor tables and expected hardware differ between otoscopes. [#21614421]

What camera sensor is likely used in these Taixen TXW816-810 otoscopes, and what clues in the boot logs point to HI708 or another sensor?

HI708 is one candidate, but the thread does not prove a single universal sensor across all TXW816 otoscopes. One boot log explicitly printed HI708 page0, which led another poster to suggest the camera “maybe means the cam is a Hynix HI708.” However, later logs detected sensor_id = 20a6 or id =20, and one cross-flash failed at camera init. That points to multiple compatible sensor tables, not one guaranteed module. [#21600289]

How many pins does the otoscope camera ribbon have, and what does the SP1508B30-B marking tell us about the module?

The camera ribbon has 21 pins, and the flex was marked SP1508B30-B. The thread only supports one solid conclusion from that marking: it identifies the specific flex or module variant used in that unit. It does not, by itself, prove the CMOS sensor model. The author also confirmed the flex labels pins 1 through 21 and can slide from the metal housing without damage. [#21601301]

What is C-SKY ABIV2, and why is it a problem for disassembling TXW816-810 firmware in Ghidra or IDA?

“C-SKY ABIV2” is an instruction-set ABI for C-SKY/XuanTie processors that defines calling conventions, register use, and binary interface details, and tools need explicit support to disassemble it correctly. It is a problem here because the author wanted Ghidra or IDA analysis with strings and memory references, but stated that C-SKY V2 was “not implemented in just about anything,” making normal reverse engineering awkward. [#21600275]

Ghidra vs IDA vs radare2 or Binary Ninja: which tool is most practical for analyzing TXW816-810 C-SKY V2 firmware dumps?

Alternative toolchains look more practical than stock Ghidra or IDA for this firmware. The author preferred Ghidra or IDA but said any tool that understands locations, strings, and memory references would help. The blocker was missing C-SKY ABIV2 support, not a lack of raw firmware bytes. In this thread, no one showed a working Ghidra or IDA setup, so the most practical path is the attached C-SKY toolchain plus objdump-style analysis until a better loader exists. [#21600275]

How does the device bring up its Wi-Fi AP, assign DHCP addresses like 192.168.1.10, and start the camera control services on port 5007?

It boots into AP mode, selects a channel, starts DHCP, and then opens its camera control socket. One full log showed channel selection settling on 2412 MHz, the AP interface moving to WPA_COMPLETED, and a TCP server starting on port 5007. When a phone joined, DHCP offered 192.168.1.10 and reserved 192.168.1.11 as the next lease, while the otoscope itself stayed at 192.168.1.1. [#21600275]
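
The lease and address lines in that log can be cross-checked with a small parser. This added example (not from the thread or the vendor SDK) reads a few lines copied from the thread's UART log, decodes the hex `ip:` tokens on the assumption that they are a little-endian print of the IPv4 address, and lists the `Recv SEQ` command records; the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the UART log posted in the thread (serial-monitor timestamps kept).
SAMPLE_LOG = """\
14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:15.829 -> [80746]    ip:192.168.1.10 - 6a:88:53:52:cf:f7
14:08:17.173 -> [82090]ip:101a8c0  freemem:43488
14:08:18.330 -> [83220]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83222]IP add:a01a8c0
14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
"""

LEASE_RE = re.compile(
    r"Assign IP (\d+\.\d+\.\d+\.\d+) for ([0-9a-f]{2}(?::[0-9a-f]{2}){5}), "
    r"flags=\d+ \(next:(\d+\.\d+\.\d+\.\d+)\)")
# The lookahead rejects dotted-quad text such as the "ip:192.168.1.10" pool line.
HEX_IP_RE = re.compile(r"(?:ip:|IP add:)([0-9a-fA-F]{1,8})(?![0-9a-fA-F.])")
CMD_RE = re.compile(
    r"Recv SEQ:(\d+) CMD->ID:(\d+) AckNeed:(\d+) reFlag:(\d+) "
    r"CMDLEN:(\d+) RECVLEN:(\d+)")


def decode_hex_ip(token):
    """Assumption: the firmware prints the network-order address as a
    little-endian 32-bit integer without leading zeros (101a8c0 -> 192.168.1.1)."""
    return str(ipaddress.IPv4Address(int(token, 16).to_bytes(4, "little")))


def parse_log(text):
    """Return DHCP leases, decoded hex addresses and command records."""
    leases, hex_ips, commands = [], [], []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append({"ip": m.group(1), "mac": m.group(2), "next": m.group(3)})
            continue
        m = CMD_RE.search(line)
        if m:
            seq, cmd_id, ack, reflag, cmdlen, recvlen = map(int, m.groups())
            commands.append({"seq": seq, "id": cmd_id, "ack_needed": bool(ack),
                             "reflag": reflag, "cmdlen": cmdlen, "recvlen": recvlen})
            continue
        m = HEX_IP_RE.search(line)
        if m:
            ip = decode_hex_ip(m.group(1))
            if ip not in hex_ips:
                hex_ips.append(ip)
    return {"leases": leases, "hex_ips": hex_ips, "commands": commands}


def header_overheads(commands):
    """Set of RECVLEN - CMDLEN values; a single value suggests a fixed header size."""
    return {c["recvlen"] - c["cmdlen"] for c in commands}


if __name__ == "__main__":
    result = parse_log(SAMPLE_LOG)
    for lease in result["leases"]:
        print("lease:", lease)
    print("addresses printed in hex:", result["hex_ips"])
    for cmd in result["commands"]:
        print("command:", cmd)
    print("RECVLEN - CMDLEN values:", header_overheads(result["commands"]))
```

In the sampled lines the decoded addresses match the AP address and the first lease, and RECVLEN exceeds CMDLEN by the same amount in every record, which is consistent with a fixed-size header (an inference from the log, not documented behaviour).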

What does the AT+FWUPG command do on TXW816-810 otoscope firmware, and how might it relate to hidden update functionality?

The thread shows that AT+FWUPG exists in firmware strings, so the platform likely includes a firmware-upgrade command path. It does not prove a complete working OTA pipeline on these otoscopes. A later test tried uploaded binaries and found no obvious OTA partition or confirmed upgrade file format. That makes AT+FWUPG a strong clue for hidden update support, but not proof of a user-accessible updater. [#21612232]
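One way to repeat that strings check on a flash dump, as an added example that is not code from the thread or from the vendor SDK: it lists every AT+ token found inside printable runs, with its offset, and filters for update-related names. The sample bytes, the two command names other than AT+FWUPG, and the keyword list are constructed assumptions.

```python
import re

MIN_LEN = 4  # shortest printable run treated as a string, like `strings -n 4`
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# AT command token: "AT+" followed by upper-case letters, digits or underscore.
AT_CMD = re.compile(rb"AT\+[A-Z0-9_]{2,}")


def find_at_commands(blob: bytes, base: int = 0):
    """Return (address, command) pairs for AT+ tokens inside printable runs.

    `base` is the address the dump is mapped at (0 = raw file offsets).
    """
    hits = []
    for run in ASCII_RUN.finditer(blob):
        for m in AT_CMD.finditer(run.group()):
            addr = base + run.start() + m.start()
            hits.append((addr, m.group().decode("ascii")))
    return hits


def commands_matching(hits, keywords=("UPG", "OTA", "UPDATE")):
    """Keep only commands whose name hints at an update path (assumed keywords)."""
    return [(addr, cmd) for addr, cmd in hits if any(k in cmd for k in keywords)]


# Constructed sample, not real firmware: AT+FWUPG is the string named in the
# thread; AT+DEMO_SET and AT+SAMPLECMD are made-up placeholders.
SAMPLE = (
    b"\x00\x01\xff\xfe" + b"AT+FWUPG\x00" + b"\x7f\x80" * 3
    + b"usage: AT+DEMO_SET=<n>\x00"
    + b"\x10\x00AT\x00"          # too short to count as a string
    + b"AT+SAMPLECMD\x00"
)

if __name__ == "__main__":
    # For a real dump: blob = open("dump.bin", "rb").read()  (hypothetical file name)
    all_hits = find_at_commands(SAMPLE)
    for addr, cmd in all_hits:
        print(f"0x{addr:06x}  {cmd}")
    print("update-related:", commands_matching(all_hits))
```

A hit only shows that the string is present in the image; whether a handler is reachable still has to be confirmed in the disassembly or on the UART console.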

Where in the Android app or native libraries can you look for firmware update support, and what do exports like cameraWifiupdateFirmware and cameraWifiupdatemcuFirmware suggest?

Look inside the Android APK’s native libraries, especially libWifiCamera.so under com.i4season.bkCamera/lib/arm64-v8a/. The exported symbols cameraWifiupdateFirmware and cameraWifiupdatemcuFirmware strongly suggest separate update paths for Wi-Fi-side firmware and MCU-side firmware. The same library also exported cameraWifiFirmInfoGet, cameraWifiLicInfoGet, and update JNI wrappers, which implies the app contains dormant or hidden upgrade logic even if the UI does not expose it. [#21613891]

Why did flashing one TXW816-810 otoscope backup onto another boot the device but fail at the camera sensor or gsensor stage?

It failed because the MCU family matched, but the attached peripherals did not. One poster flashed the December 2024 backup onto another TXW816-810 and confirmed that it booted, then stopped during sensor bring-up with Er: unkown!gsensor error. Earlier logs also showed different firmware branches using different camera resolutions, vendor strings, and sensor IDs. The lesson is simple: MCU compatibility does not guarantee camera or IMU compatibility. [#21614421]

How far has OpenTXW81X support progressed for TXW816-based otoscopes, including RTSP streaming, LED control on PA00 and PA11, and sensor compatibility issues?

OpenTXW81X has reached basic boot, AP setup, command registration, and partial media bring-up on this hardware. A September 2, 2025 test build started an RTSP-related camera path and produced static audio, but no working video. The same post mapped the blue PCB LED to PA00 and the camera LED ring to PA11. Sensor support remains the main blocker, because startdriver txwcam still ended with unknown sensor detection errors. [#21651756]
Generated by the language model.