
Taixen TXW816-810 based Otoscopes: UART Logs, PCB Pinout, Firmware dump

  • #1 21600275
    eastarctica
    Level 1  
    Recently there seem to have been a lot of cheap earwax-remover otoscope devices popping up on Amazon/AliExpress/TikTok Shop, similar to this:

    When powered on, the button starts flashing slowly and the camera light turns on. After a few seconds it starts its Wi-Fi network, usually with an SSID like "Soulear-ae45b"; the pattern seems to be a very generic "Company-uniq", as another device shows up as "Suear-4670". My device was broadcasting under the MAC "88:17:89:0d:0e:b0" and had DHCP assigning IPs starting at 192.168.1.10, with itself at 192.168.1.1.

    Once connected on a phone, its app (which seems to vary based on the device you pick up, but all of which are essentially identical) allows you to take video and pictures, switch ears between left/right, enable/disable the LED, switch between the wide and focused lenses, and switch between "horizontal" and "mirror(?)". Some also seem to have a lock icon, and I'm not sure what it does.




    They're very difficult to get into, and from what I can tell they can't be gotten into without breaking the plastic in some way. If you're opting to take it apart and keep it looking nice, I think my approach would be cutting the seam, or maybe heat or something to remove the glue holding it in. Once in, you're greeted by a 21(?)-pin connector for the LEDs + camera, a 2.7V 170mAh battery, and the main PCB. The PCB has a few pads exposed, of which I may have torn off CE and CLK 😬:
    - 3.3V + GND (from mcu)
    - 5V + GND (from usb, although GND is shared)
    - CE (CHIP_EN)
    - DP (PC6, This is UART TX, RX is not exposed)
    - CLK (PA10, TCLK)
    - TMS (PA9)
    - PA8 (USB_DET?)

    These (mine at least) seem to be using the Taixen TXW816-810, which has also been seen in the A9 minicams discussed here.

    UART Logs
    startup:
    14:06:55.069 -> [0]40 00 97 00 a8 43 12 a0
    14:06:55.069 -> [0]28 e0 00 00 00 00 00 00
    14:06:55.070 -> [0]00 00 00 00 00 00 00 00
    14:06:55.070 -> [0]88 17 89 0d 0e 2c 76 35
    14:06:55.071 -> [0]86 65 89 67 9f 57 00 00
    14:06:55.071 -> [0]80 00 bb 02 a0 f7 00 00
    14:06:55.071 -> [0]00 15 00 00 08 14 00 00
    14:06:55.072 -> [0]00 00 00 00 00 00 0c 00
    14:06:55.072 -> [0]00 00 00 40 08 84 40 08
    14:06:55.072 -> [0]8c c0 08 8c c0 08 94 00
    14:06:55.073 -> [0]06 4b 3f fd 92 ff 04 4e
    14:06:55.073 -> [0]f0 00 4f 00 de 01 02 02
    14:06:55.073 -> [0]00 ff ff ff 0f b4 04 04
    14:06:55.074 -> [0]02 04 04 06 06 1f 00 17
    14:06:55.074 -> [0]00 02 3e 00 00 00 00 08
    14:06:55.075 -> [0]00 00 00 00 00 30 12 00
    14:06:55.075 -> [0]3c 3c 0f
    14:06:55.075 -> [0]validity: 1579f00d
    
    14:06:55.076 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
    14:06:55.077 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
    14:06:55.077 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
    14:06:55.078 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
    14:06:55.078 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
    14:06:55.079 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
    14:06:55.080 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
    14:06:55.081 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
    14:06:55.081 -> ------------------------------------------------------------------
    14:06:55.082 -> [0] ------- system restart fault -----------
    14:06:55.082 -> [0] ---------------------------------------
    14:06:55.084 -> [1]freemem:160720
    14:06:55.084 -> [1]custom_mem_init:2000c740
    14:06:55.084 -> [1]custom mem sram:61440
    14:06:55.085 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
    14:06:55.086 -> [4]syscfg_read OK!
    14:06:55.088 -> [4]old cfg_ver:259
    14:06:55.192 -> ---xrh_io_init---
    
    14:06:55.251 -> [154]------pwr_det_keep.........1
    14:06:55.286 -> [204]------pwr_det_keep.........2
    14:06:55.288 -> [205]lmac rx info size:36
    14:06:55.288 -> [205]GAP0 : 20033b0c
    14:06:55.288 -> [206]GAP1 : 20037f04
    14:06:55.288 -> [206]lmac rx buff:20033b14, size:17392, hw rx buff size:11256, ampdu:7, max subfrm:3
    14:06:55.290 -> [207]lmac priv: 2001bec4
    14:06:55.290 -> [207]lmac tx  : 2001c278
    14:06:55.290 -> [208]lmac rx  : 2001d444
    14:06:55.290 -> [208]lmac ble rx: 00000000
    14:06:55.291 -> [209]pack:8, bios_id:2
    14:06:55.291 -> [209]use AMPM DPD!
    14:06:55.291 -> [209]verf:0x5, ibpt:0x3, ibct:0x6, iref:0x6
    14:06:55.292 -> [210]verfvco_trim:0x8, verfcp_trim:0x5, verfdiv_trim:0x5
    14:06:55.292 -> [211]verfdsm_trim:0x4, verfvcc25_trim:0x1
    14:06:55.293 -> [211]da cap:5, da gain:1
    14:06:55.317 -> [214]txdcoc from:1, i:8, q:20
    14:06:55.317 -> [214]tx imb from:1, pm:192, gm:0
    14:06:55.318 -> [215]rx dcoc from:1
    14:06:55.318 -> [216]g:0, ana:2112, i:11, q:3
    14:06:55.318 -> [216]g:1, ana:2112, i:19, q:5
    14:06:55.318 -> [216]g:2, ana:2112, i:18, q:4
    14:06:55.318 -> [217]g:3, ana:2240, i:15, q:7
    14:06:55.318 -> [217]g:4, ana:2240, i:14, q:7
    14:06:55.318 -> [218]g:5, ana:2240, i:15, q:6
    14:06:55.318 -> [218]g:6, ana:2240, i:15, q:7
    14:06:55.318 -> [218]g:7, ana:2368, i:0, q:6
    14:06:55.318 -> [219]rx imb from:1
    14:06:55.318 -> [219]g:0, 8120, 4063
    14:06:55.318 -> [220]g:1, 8120, 4064
    14:06:55.318 -> [220]g:2, 8118, 4064
    14:06:55.318 -> [220]g:3, 8120, 4062
    14:06:55.318 -> [221]g:4, 8120, 4061
    14:06:55.318 -> [221]g:5, 8122, 4061
    14:06:55.318 -> [221]g:6, 8122, 4061
    14:06:55.318 -> [221]g:7, 8116, 4062
    14:06:55.318 -> [222]time offset:0, 23
    14:06:55.318 -> [222]lmac test: 2001dbec
    14:06:55.318 -> [223]lmac_bgn_lo_freq_set: 2432
    14:06:55.318 -> [224]set rts_threshold =2304
    14:06:55.318 -> [225]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:55.318 -> [225]*** open ADC success!
    
    14:06:55.318 -> [226]*** add success: ADC channel cnt = 1, name:257
    
    14:06:55.318 -> [227]*** add success: ADC channel cnt = 2, name:258
    
    14:06:55.318 -> [227]*** add success: ADC channel cnt = 3, name:262
    
    14:06:55.318 -> [228]*** delete success: ADC channel cnt = 2
    
    14:06:55.318 -> [231]*** add success: ADC channel cnt = 3, name:1
    
    14:06:55.366 -> [282]ad_pwr:2910 383
    14:06:55.416 -> [332]ad_pwr:2853 376
    14:06:55.465 -> [382]ad_pwr:2909 383
    14:06:55.515 -> [432]ad_pwr:2991 394
    14:06:55.564 -> [482]ad_pwr:2914 384
    14:06:55.564 -> [482]poweron_ad_pwr:2915
    14:06:55.615 -> [532]ad_pwr:2895 381
    14:06:55.665 -> [582]ad_pwr:2906 383
    14:06:55.716 -> [632]ad_pwr:2826 372
    14:06:55.765 -> [682]ad_pwr:2939 387
    14:06:55.814 -> [732]ad_pwr:2795 368
    14:06:55.814 -> [732]poweron_ad_pwr:2872
    14:06:55.865 -> [782]ad_pwr:2908 383
    14:06:55.915 -> [832]ad_pwr:2930 386
    14:06:55.966 -> [882]ad_pwr:2910 383
    14:06:56.016 -> [932]ad_pwr:2859 376
    14:06:56.066 -> [982]ad_pwr:2935 386
    14:06:56.115 -> [1032]ad_pwr:2899 382
    14:06:56.166 -> [1082]ad_pwr:2987 393
    14:06:56.215 -> [1132]ad_pwr:2890 381
    14:06:56.265 -> [1182]ad_pwr:3051 402
    14:06:56.329 -> [1232]ad_pwr:2929 386
    14:06:56.366 -> [1282]ad_pwr:2908 383
    14:06:56.414 -> [1332]ad_pwr:2929 386
    14:06:56.414 -> [1332]lmac_bgn_lo_freq_set: 2412
    14:06:56.416 -> [1334]lmac_bgn_lo_freq_set: 2412
    14:06:56.428 -> [1335]set rts_threshold =1600
    14:06:56.428 -> [1336]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1337]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1337]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
    14:06:56.428 -> [1338]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
    14:06:56.428 -> [1339]set ac= 0 aifs= 2 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1339]set ac= 1 aifs= 6 cw_min= 15 cwmax= 1023 txop= 79
    14:06:56.428 -> [1340]set ac= 2 aifs= 1 cw_min= 7 cwmax= 15 txop= 128
    14:06:56.428 -> [1341]set ac= 3 aifs= 1 cw_min= 3 cwmax= 7 txop= 65
    14:06:56.428 -> [1342]lmac_bgn_lo_freq_set: 2432
    14:06:56.428 -> [1343]inteface1: start scanning ...
    14:06:56.428 -> [1344]vif1 state WPA_DISCONNECTED -> WPA_SCANNING
    14:06:56.428 -> [1345]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.428 -> [1346]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.528 -> [1445]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.528 -> [1445]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.638 -> [1545]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.638 -> [1545]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.728 -> [1645]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.728 -> [1645]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.828 -> [1745]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.828 -> [1745]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:56.927 -> [1845]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:56.927 -> [1845]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.028 -> [1945]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.028 -> [1945]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.128 -> [2045]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.128 -> [2045]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.228 -> [2145]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.228 -> [2145]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.327 -> [2245]lmac dbg!!!mac addr err:00:00:00:00:00:00
    14:06:57.327 -> [2245]Func:lmac_bgn_tx_check Line:746 LR=0x18027198
    14:06:57.427 -> [2345]lmac_bgn_lo_freq_set: 2432
    14:06:57.429 -> [2346]lmac_bgn_lo_freq_set: 2412
    14:06:57.430 -> [2348]inteface1: scan done!
    14:06:57.457 -> [2356][0]===>REDACTED (network name)
    14:06:57.457 -> [2356][1]===>REDACTED (network name)
    14:06:57.457 -> [2356][2]===>REDACTED (network name)
    14:06:57.457 -> [2356][3]===>]......"'O.Y.v*6.x}].,h...6BOa...0..T8.......V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S..
    .4.YK........`.....W:>..^..w....[.
    14:06:57.457 -> [2359][4]===>.....V"....Z.....N..WI..*.ks..y....RrV.1LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..
    E.>Rd.C-!...V..`k;g..f.~NS_i|...
    14:06:57.457 -> [2362][5]===>LtT....m.d.r..H.48.6..Hp.......-z..G$..i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D...
    .^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2365][6]===>i....s...j......n..E.B6......^..Gv....C..h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2367][7]===>.h|.#\#.../lK.LJ$~*....../.S...4.YK........`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2369][8]===>.......`.....W:>..^..w....[...U(..E.>Rd.C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2370][9]===>C-!...V..`k;g..f.~NS_i|......^D....^y....j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2371][10]===>...j
    14:06:57.457 -> u!"...
    
    14:06:57.457 -> [2371][11]===>..PktK.:....^0%;u....}...[G. ..{?.j.^..^......cn.p..=..j..f.y3`_.u.;
    14:06:57.457 -> [2372][12]===>......cn.p..=..j..f.y3`_.u.;
    14:06:57.457 -> [2373][13]===>(.......B5..0JAZq.-.f.'g..;.kl....a.j.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    
    14:06:57.458 -> .jm.i.v."t~....Z
    14:06:57.458 -> [2376][14]===>.._\.[s.!..X.oi. .t..\....g.....$..lGDY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.460 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.461 -> [2379][15]===>DY,...V.?..|A.-I.W 9...U.R./.C.@>.M......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.463 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.463 -> [2381][16]===>......x...*.G.3......Y......lgo....x.sF.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.465 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.465 -> [2383][17]===>.k....PZteSo.....o....%3.-&.....l...!..3
    14:06:57.466 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.467 -> [2384][18]===>.!..3
    14:06:57.467 -> .jm.i.v."t~....ZY1^.x..0Z.4.{......._F.g|.Th
    14:06:57.468 -> [2385][19]===>......._F.g|.Th
    14:06:57.468 -> [2386][20]===>..$.g...L.....m6.x..f.Y{.".v.3.3....P....'eAJI.*.>...X..$.,....K.F7].u.z.
    14:06:57.469 -> [2387][21]===>P....'eAJI.*.>...X..$.,....K.F7].u.z.
    14:06:57.470 -> [2387][22]===>W..X|.....|a.~.:.1..0.t .:>[..)#N..U...?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.471 -> [2389][23]===>.?......L.P......]+*....n8.0....Kd?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.472 -> [2390][24]===>d?p.Zr.....F..V.v}jc..S'.=.Uxl]...F/..
    14:06:57.473 -> [2391][25]===>...+}.|..M.ec...W&.c.`......R[@.
    14:06:57.473 -> 5b..Z...9+..."b..X.j..N,...K.<r.
    14:06:57.474 -> [2392][26]===>...9+..."b..X.j..N,...K.<r.
    14:06:57.474 -> [2393][27]===> ......yd.m$.....d.mY..G.
    14:06:57.475 -> i.O..q.@...7.....x....G.7.e~......sJ".pT.v
    14:06:57.475 -> [2394][28]===>.....x....G.7.e~......sJ".pT.v
    14:06:57.476 -> [2394][29]===>.^,...%.}.o.....@!W0H7.........V....Q#.lkP......to..c>.....c>_#\Oo
    14:06:57.478 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.478 -> [2396][30]===>Q#.lkP......to..c>.....c>_#\Oo
    14:06:57.479 -> p...j.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.479 -> [2397][31]===>.7.'LYc.C.:;3. d.....G..Dl.@.E..`
    14:06:57.480 -> [2397]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:57.480 -> acs...
    14:06:57.480 -> freq   bgrssi   ap    rx_sync   rx_err   txcnt     txtime   =>  noise factor
    14:06:57.636 -> 2412    -93     0     0         10       39        152588       3912        
    14:06:57.790 -> 2417    -93     0     0         4        36        149884       4163        
    14:06:57.943 -> 2422    -92     4     5         4        35        150675       4305        
    14:06:58.098 -> 2427    -94     3     3         3        36        151989       4221        
    14:06:58.253 -> 2432    -92     2     2         5        35        152793       4365        
    14:06:58.407 -> 2437    -92     4     4         6        36        150138       4170        
    14:06:58.560 -> 2442    -92     3     7         9        34        150918       4438        
    14:06:58.727 -> 2447    -93     5     9         15       36        163305       4536        
    14:06:58.881 -> 2452    -92     2     3         8        36        151823       4217        
    14:06:59.035 -> 2457    -93     0     0         14       37        150555       4069        
    14:06:59.055 -> acs result: freq=2412, nf=3912
    14:06:59.055 -> acs done
    14:06:59.055 -> [3954]lmac set mac0 addr:88:17:89:0d:0e:b0
    14:06:59.055 -> [3955]lmac_bgn_lo_freq_set: 2412
    14:06:59.055 -> [40;31m[3957]ieee80211_ap_ioctl:164::set channel 1
    14:06:59.055 -> [0m[3957]set ac= 0 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3958]set ac= 1 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3959]set ac= 2 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3959]set ac= 3 aifs= 1 cw_min= 1 cwmax= 3 txop= 0
    14:06:59.055 -> [3961]vif2 state WPA_DISCONNECTED -> WPA_COMPLETED
    14:06:59.055 -> [3962]add w0 interface!
    14:06:59.055 -> JPG start
    14:06:59.055 -> [3963]csi_test start,iic init
    14:06:59.055 -> [3964]iic init finish,sensor reset & set sensor clk into 6M
    14:06:59.055 -> hgdvp_set_baudrate:clock:480000000
    14:06:59.055 -> [3968]set sensor finish ,Auto Check sensor id
    14:06:59.055 -> [3968]devSensorInitTable = 1804d148 1804d8a8
    14:06:59.055 -> [3969]HI708 page0
    14:06:59.055 -> [3970]SID: ff, 96, 60, 61,4
    14:06:59.055 -> [3970]devSensorInitTable = 1804d348 1804d8a8
    14:06:59.055 -> [3971]SID: ff, 63, 86, 87,1
    14:06:59.055 -> [3972]devSensorInitTable = 1804d528 1804d8a8
    14:06:59.055 -> [3973]SID: ff, de, 66, 67,1
    14:06:59.056 -> [3973]devSensorInitTable = 1804b1e8 1804d8a8
    14:06:59.056 -> [3974]SID: ff, 9b, 42, 43,0
    14:06:59.057 -> [3974]devSensorInitTable = 1804b448 1804d8a8
    14:06:59.057 -> [3975]SID: ff, a0, 42, 43,0
    14:06:59.058 -> [3976]devSensorInitTable = 1804c088 1804d8a8
    14:06:59.059 -> [3977]SID: ff, bb, 66, 67,f0
    14:06:59.059 -> [3977]devSensorInitTable = 1804c608 1804d8a8
    14:06:59.060 -> [3978]SID: ff, 10, 42, 43,f1
    14:06:59.060 -> [3978]devSensorInitTable = 1804b7c8 1804d8a8
    14:06:59.062 -> [3979]SID: ff, 9d, 42, 43,f0
    14:06:59.062 -> [3980]devSensorInitTable = 1804c308 1804d8a8
    14:06:59.063 -> result = 0
    14:06:59.063 -> [3981]preset table num:2
    14:06:59.064 -> [3981]SID: ff, c0, 62, 63,0
    14:06:59.064 -> [3982]devSensorInitTable = 1804af28 1804d8a8
    14:06:59.065 -> [3983]SID: 20, 3a, dc, dd,fc
    14:06:59.066 -> [3983]devSensorInitTable = 1804ad68 1804d8a8
    14:06:59.067 -> [3984]SID: a6, 3, dc, dd,fd
    14:06:59.067 -> [3984]devSensorInitTable = 1804cfa8 1804d8a8
    14:06:59.068 -> [3985]SID: a6, a6, dc, dd,fd
    14:06:59.068 -> [3986]id =a6 num:11 sensor_id = 20a6
    14:06:59.069 -> [3986]Auto Check sensor id finish
    14:06:59.069 -> [3987]mclk:24000000MHz
    14:06:59.069 -> hgdvp_set_baudrate:clock:480000000
    14:06:59.070 -> [3987]init:1804cda0 u8Addrbytnum:1,u8Databytnum:1
    14:06:59.072 -> [3988]SENSER....init
    14:06:59.123 -> [4040]init table num:396
    14:06:59.123 -> [4040]SENSR ident ok:480*480
    14:06:59.123 -> [4040]csi init start  --
    14:06:59.123 -> [4041]csi set size ====>480*480
    14:06:59.124 -> [4041]csi dvp_size_set
    14:06:59.124 -> [4042]csi IRQ init
    14:06:59.124 -> [4042]dvpirq_register:1 180177b0  180177b0
    14:06:59.125 -> [4042]dvpirq_register:0 1801779c  1801779c
    14:06:59.125 -> [4043]vppirq_register:0 18017504  18017504
    14:06:59.126 -> [4043]vppirq_register:1 18017948  18017948
    14:06:59.126 -> [4044]vppirq_register:2 18017500  18017500
    14:06:59.127 -> [4044]vppirq_register:3 1801776c  1801776c
    14:06:59.128 -> [4045]vppirq_register:4 18017780  18017780
    14:06:59.128 -> [4046]vppirq_register:5 180174f0  180174f0
    14:06:59.128 -> [4046]vppirq_register:6 180174e0  180174e0
    14:06:59.129 -> [4047]vppirq_register:7 180174d0  180174d0
    14:06:59.130 -> [4047]csi IRQ init finish,start get data
    14:06:59.131 -> eloop_init:287::start
    14:06:59.131 -> user_eloop_run:309::run
    14:06:59.134 -> [4051]dns sock :2
    14:06:59.134 -> [test] init tcp server: port: 5007
    14:06:59.134 -> ---tcp srvsock = 3---
    14:06:59.135 -> [4052]ota num:0version:25841
    14:06:59.135 -> [4053]OEM AP Default!
    14:06:59.136 -> [4053]OEM NET Default!
    14:06:59.136 -> [4053]OEM Firmware Default!
    14:06:59.136 -> [4054]Camera TX Lib:Dec  1 2023 17:57:29
    14:06:59.137 -> [4054]DVP No need Bank Size
    14:06:59.137 -> [4055]client multi init
    14:06:59.137 -> [4055]csock:4
    14:06:59.139 -> [4055]psock:5
    14:06:59.139 -> [4056]protoCtx OK!
    14:06:59.139 -> [4056]eventCtx OK!
    14:06:59.139 -> [4057]videoCtx OK!
    14:06:59.139 -> [4057]i4 OK
    14:06:59.140 -> g_sensor_init start,iic init:200014bc
    14:06:59.140 -> init g_sensor,check id
    14:06:59.140 -> addr:1 1 30 32
    14:06:59.141 -> SID: ff, 11, 30, 32,f
    14:06:59.141 -> addr:1 1 30 32
    14:06:59.141 -> SID: ff, 11, 30, 32,f
    14:06:59.142 -> addr:1 1 4e 50
    14:06:59.142 -> SID: 13, 13, 4e, 50,1
    14:06:59.142 -> id =13 num:2 
    14:06:59.143 -> [4060]*** ADC module info: ADC channel repeat!!!
    
    14:06:59.145 -> [4062]notify local[0/0]!
    14:06:59.145 -> [4062]----WIFI_RUN_STATUS111----1
    14:06:59.158 -> init table num:20
    14:06:59.158 -> [4075][SYS]Capacity GSENSOR
    14:06:59.158 -> [4075][SYS]Capacity:0x2
    14:06:59.158 -> [4076][SYS]Capacity:0x3
    14:06:59.159 -> version_str = HKV41   5
    14:06:59.159 -> ----version_str = HKV41B   32
    14:06:59.159 -> product_str = BK7231U-XRH-FBPRO
    14:06:59.159 -> [4077][TX]Set Vendor: YPC
    14:06:59.160 -> [4077][TX]Set Product: BK7231U-XRH-FBPRO
    14:06:59.161 -> [4078][TX]Set Version: HKV41B
    14:06:59.161 -> [4078]no this event(20005)...
    14:06:59.161 -> [4079]scan down.......
    14:06:59.289 -> [4206]inteface2 find new bss: b8:f8:53:5c:53:bb-Fios-CGrF5
    14:06:59.644 -> [4561]0min:2906 65535 100 100 383
    14:07:00.147 -> [5064]notify local[0/0]!
    14:07:00.160 -> [5078]custom mem sram:61440
    14:07:00.160 -> [5078]freemem:43736
    14:07:00.315 -> --------------------
    14:07:00.315 -> local:88:17:89:0d:0e:b0
    14:07:00.315 ->     bios:2, pack:8 
    14:07:00.315 ->     pwr idx: 1
    14:07:00.315 ->     chip-temperature: 34
    14:07:00.315 ->     freq:2412, bg_rssi:-87
    14:07:00.316 ->     cca: -70, -60, -62
    14:07:00.316 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:00.317 ->         tx dma:381, total tx:381, retry:0, tx lost:0, tx err:0
    14:07:00.318 ->     rx: frms:82, data:0
        throughput: tx: 14.40 Kbps, rx: 0 bps
    14:07:00.318 ->     max gain:7
    14:07:00.318 -> --------------------
    14:07:01.150 -> [6067]notify local[0/0]!
    14:07:01.160 -> [6078]custom mem sram:61440
    14:07:01.160 -> [6078]freemem:43736
    14:07:02.151 -> [7067]notify local[0/0]!
    14:07:02.159 -> [7078]custom mem sram:61440
    14:07:02.159 -> [7078]freemem:43832
    14:07:03.150 -> [8067]notify local[0/0]!
    14:07:03.161 -> [8078]custom mem sram:61440
    14:07:03.161 -> [8078]freemem:44024
    14:07:04.150 -> [9067]notify local[0/0]!
    14:07:04.172 -> [9078]custom mem sram:61440
    14:07:04.172 -> [9078]freemem:44024
    14:07:05.155 -> [10067]notify local[0/0]!
    14:07:05.160 -> [10078]ip:101a8c0  freemem:44024
    14:07:05.161 -> [10078]custom mem sram:61440
    14:07:05.163 -> [10078]freemem:44024
    14:07:05.315 -> --------------------
    14:07:05.315 -> local:88:17:89:0d:0e:b0
    14:07:05.315 ->     bios:2, pack:8 
    14:07:05.315 ->     pwr idx: 1
    14:07:05.315 ->     chip-temperature: 38
    14:07:05.315 ->     freq:2412, bg_rssi:-88
    14:07:05.315 ->     cca: -70, -60, -62
    14:07:05.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:05.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
    14:07:05.317 ->     rx: frms:42, data:0
    14:07:05.317 ->     throughput: tx: 0 bps, rx: 0 bps
        max gain:7
    14:07:05.317 -> --------------------
    14:07:06.151 -> [11067]notify local[0/0]!
    14:07:06.161 -> [11079]custom mem sram:61440
    14:07:06.161 -> [11079]freemem:44024
    14:07:07.150 -> [12067]notify local[0/0]!
    14:07:07.162 -> [12079]custom mem sram:61440
    14:07:07.162 -> [12079]freemem:44024
    14:07:08.150 -> [13067]notify local[0/0]!
    14:07:08.162 -> [13079]custom mem sram:61440
    14:07:08.162 -> [13079]freemem:44024
    14:07:09.150 -> [14067]notify local[0/0]!
    14:07:09.162 -> [14079]custom mem sram:61440
    14:07:09.162 -> [14079]freemem:44024
    14:07:10.150 -> [15067]notify local[0/0]!
    14:07:10.162 -> [15079]custom mem sram:61440
    14:07:10.162 -> [15079]freemem:44024
    14:07:10.315 -> --------------------
    14:07:10.315 -> local:88:17:89:0d:0e:b0
    14:07:10.315 ->     bios:2, pack:8 
    14:07:10.315 ->     pwr idx: 1
    14:07:10.315 ->     chip-temperature: 40
    14:07:10.315 ->     freq:2412, bg_rssi:-88
    14:07:10.315 ->     cca: -70, -60, -62
    14:07:10.315 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:07:10.316 ->         tx dma:0, total tx:0, retry:0, tx lost:0, tx err:0
    14:07:10.317 ->     rx: frms:42, data:0
    14:07:10.317 ->     throughput: tx: 0 bps, rx: 0 bps
        max gain:7
    14:07:10.317 -> --------------------
    14:07:11.150 -> [16067]notify local[0/0]!
    14:07:11.162 -> [16079]ip:101a8c0  freemem:44024
    14:07:11.162 -> [16079]custom mem sram:61440
    14:07:11.164 -> [16079]freemem:44024
    14:07:12.152 -> [17068]notify local[0/0]!
    14:07:12.162 -> [17080]custom mem sram:61440
    14:07:12.162 -> [17080]freemem:44024
    14:07:12.663 -> [17577]inteface2 find new bss: 78:67:0e:32:a0:08-Verizon_4Z9PNJ
    14:07:13.153 -> [18069]notify local[0/0]!
    14:07:13.162 -> [18080]custom mem sram:61440
    14:07:13.162 -> [18080]freemem:43928

    Pressing button alone while powered off:
    14:06:00.437 -> [0]40 00 97 00 a8 43 12 a0
    14:06:00.437 -> [0]28 e0 00 00 00 00 00 00
    14:06:00.438 -> [0]00 00 00 00 00 00 00 00
    14:06:00.438 -> [0]88 17 89 0d 0e 2c 76 35
    14:06:00.439 -> [0]86 65 89 67 9f 57 00 00
    14:06:00.439 -> [0]80 00 bb 02 a0 f7 00 00
    14:06:00.439 -> [0]00 15 00 00 08 14 00 00
    14:06:00.440 -> [0]00 00 00 00 00 00 0c 00
    14:06:00.440 -> [0]00 00 00 40 08 84 40 08
    14:06:00.440 -> [0]8c c0 08 8c c0 08 94 00
    14:06:00.441 -> [0]06 4b 3f fd 92 ff 04 4e
    14:06:00.441 -> [0]f0 00 4f 00 de 01 02 02
    14:06:00.442 -> [0]00 ff ff ff 0f b4 04 04
    14:06:00.442 -> [0]02 04 04 06 06 1f 00 17
    14:06:00.442 -> [0]00 02 3e 00 00 00 00 08
    14:06:00.443 -> [0]00 00 00 00 00 30 12 00
    14:06:00.443 -> [0]3c 3c 0f
    14:06:00.443 -> [0]validity: 1579f00d
    
    14:06:00.449 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
    14:06:00.449 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
    14:06:00.449 -> **   libnetutils v2.5.0.7-26821, build time:Dec 21 2023 11:26:09
    14:06:00.449 -> **   libcommon v2.5.0.7-26821, build time:Dec 21 2023 11:25:58
    14:06:00.449 -> **   libosal v2.5.0.7-26821, build time:Dec 21 2023 11:25:53
    14:06:00.449 -> **   libatcmd v2.5.0.7-25927, build time:Nov  6 2023 16:23:19
    14:06:00.449 -> **   liblmac v2.5.0.7-26821, build time:Dec 21 2023 11:26:25
    14:06:00.449 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
    14:06:00.449 -> ------------------------------------------------------------------
    14:06:00.450 -> [0] ------- system restart fault -----------
    14:06:00.450 -> [0] ---------------------------------------
    14:06:00.452 -> [1]freemem:160720
    14:06:00.452 -> [1]custom_mem_init:2000c740
    14:06:00.452 -> [1]custom mem sram:61440
    14:06:00.452 -> [2]skbpool init, total:49396 (0x20037f0c~0x20044000), max per:80%
    14:06:00.454 -> [4]syscfg_read OK!
    14:06:00.455 -> [4]old cfg_ver:259

    Doing random things in the app:
    14:08:18.401 -> [83308]Charge Status:0
    14:08:51.852 -> LED:1 Control:1 1 100
    14:08:51.852 -> Set LED:1 ON
    14:08:51.852 -> [116763]Charge Status:0
    14:08:51.886 -> LED:1 Control:1 1 100
    14:08:51.886 -> Set LED:1 ON
    14:08:51.886 -> [116790]Charge Status:0
    14:09:00.151 -> LED:1 Control:0 0 0
    14:09:00.151 -> LED:1  ON:1
    14:09:00.179 -> LED:1 Control:1 0 0
    14:09:00.179 -> Set LED:1 OFF
    14:09:00.179 -> [125084]Charge Status:0
    14:09:01.368 -> LED:1 Control:0 0 0
    14:09:01.368 -> LED:1  ON:0
    14:09:01.395 -> LED:1 Control:1 1 100
    14:09:01.395 -> Set LED:1 ON
    14:09:01.395 -> [126300]Charge Status:0

    Connecting to WiFi (I believe the app may have been open in the background):
    14:08:14.173 -> [79090]custom mem sram:61440
    14:08:14.173 -> [79090]freemem:44024
    14:08:14.192 -> [79108]notify local[0/0]!
    14:08:14.608 -> [79524]lmac_bgn_add_sta: if:1, aid1, addr:6a:88:53:52:cf:f7
    14:08:14.608 -> [79525]rc_init: type= 1 mcs_mask= 0x3cc
    14:08:14.609 -> [79525]inteface2: sta 6a:88:53:52:cf:f7 connected
    14:08:14.609 -> [79526]user_sta_add:6a 88 53 52 cf f7
    14:08:14.739 -> [79655]send DHCP_OFFER ...
    14:08:14.739 -> [79657]Next IP: 192.168.1.11
    14:08:14.740 -> [79657]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
    14:08:15.173 -> [80090]custom mem sram:61440
    14:08:15.173 -> [80090]freemem:43488
    14:08:15.196 -> [80112]notify local[1/0]!
    14:08:15.319 -> --------------------
    14:08:15.319 -> local:88:17:89:0d:0e:b0
    14:08:15.319 ->     bios:2, pack:8 
    14:08:15.319 ->     pwr idx: 1
    14:08:15.319 ->     chip-temperature: 48
    14:08:15.319 ->     freq:2412, bg_rssi:-87
    14:08:15.319 ->     cca: -59, -49, -51
    14:08:15.319 ->     tx: txq:0, ps:0, tx_stat_q:0,
    14:08:15.319 ->         tx dma:12, total tx:12, retry:0, tx lost:0, tx err:0
    14:08:15.319 ->     rx: frms:107, data:96
    14:08:15.319 ->     throughput: tx: 2.95 Kbps, rx: 5.23 Kbps
    14:08:15.319 ->     max gain:7
    14:08:15.319 -> sta:6a:88:53:52:cf:f7, aid:1, rssi:-34, evm:-25, tx frm type:*0, tx mcs:*2, freq offset:20864
    14:08:15.320 ->     ifidx:1, MAC:88:17:89:0d:0e:b0
    
    14:08:15.322 -> --------------------
    14:08:15.825 -> [80741]send DHCP_ACK ...
    14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
    14:08:15.828 -> [40;32m[80744]EVENT 10007 IGNORED
    14:08:15.828 -> [0m[80745]IP Pool:
    14:08:15.829 -> [80746]    ip:192.168.1.10 - 6a:88:53:52:cf:f7
    14:08:16.173 -> [81090]custom mem sram:61440
    14:08:16.173 -> [81090]freemem:43488
    14:08:16.212 -> [81128]notify local[1/0]!
    14:08:17.173 -> [82090]ip:101a8c0  freemem:43488
    14:08:17.174 -> [82090]custom mem sram:61440
    14:08:17.174 -> [82091]freemem:43488
    14:08:17.212 -> [82128]notify local[1/0]!
    14:08:18.174 -> [83091]custom mem sram:61440
    14:08:18.174 -> [83091]freemem:43488
    14:08:18.234 -> [83145]notify local[1/0]!
    14:08:18.330 -> [83220]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> [83222]IP add:a01a8c0
    14:08:18.330 -> [83222]*******************************************
    14:08:18.330 -> [83223]mac:88:17:89:0d:0e:b0
    14:08:18.330 -> [83223]->a01a8c0 fist connect
    14:08:18.330 -> [83224ip:a01a8c0 0
    14:08:18.330 -> [83227]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> [83228]*******************************************
    14:08:18.330 -> [83229]mac:88:17:89:0d:0e:b0
    14:08:18.330 -> [83229]->a01a8c0 first connect
    14:08:18.330 -> [83230]ip:a01a8c0 0
    14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
    14:08:18.330 -> read license = 
    14:08:18.330 -> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
    00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    , 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
    
    14:08:18.334 -> [83250]OK=>SN:!
    14:08:18.346 -> [83263]New client active:0 0
    14:08:18.346 -> hgdvp_close...............................................................
    14:08:18.378 -> [83294]pic port:54589
    14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
    14:08:18.401 -> [83307]Led control:1-1-1-100
    14:08:18.401 -> LED:1 Control:1 1 100
    14:08:18.401 -> Set LED:1 ON
    14:08:18.401 -> [83308]Charge Status:0


    Firmware Extraction
    To extract the firmware (and I do apologize, I'm recalling this from memory so it may not be perfect) I went ahead and used an STM32 Blue Pill board and followed this guide to get the flash programmer set up.
    Once your STM32 is flashed, connect A1 to PA10 (labeled CLK), A5 to PA9 (labeled TMS), and G to GND. Additionally, if you want to read UART output from the device, connect your UART reader to GND and DP (this is the MCU's TX pin; connect it to your RX pin).
    Then follow the instructions here on how to generally dump or flash the firmware (although I have not attempted anything besides reading).

    Note: When I attempted to read the flash, I was never able to do it in one full go and instead had to do 0x0-0x50000, then 0x10000 increments up to 0x100000, which is the size of the MCU (1 MB); I then merged these files back together into one. I'm unsure why, but I assume it's to do with the STM32 being used as the CKLink; I might recommend using an official or clone device.

    It also appears there's some type of licensing? I'm not sure what exactly it is but I've seen it while reversing the mobile app as well.

    I've gotten this far, but I'm not really sure where to go from here. I would like to be able to disassemble the firmware in something like Ghidra or IDA, but as the C-Sky V2 CPU ABI is not implemented in just about anything, I'd have to implement it myself, which I don't really want to do... I've attached the csky-elfabiv2-tools-x86_64-minilibc-20210423 (I'm not sure it's actually the right one for this chip), as well as the objdump output from running it on the full firmware file.

    I'll mention that, as you might be able to tell, this is my first post, so if you have any tips for better posting please let me know! 😄
    AI: Could you clarify what your main goal is with the firmware analysis—are you looking to unlock features, patch the firmware, do security research, or just understand how the device works?
    The mobile interface seems to have an upload firmware option for ota updates. Ideally, we'd be able to leverage that to put a custom firmware on it. I'm also interested in analyzing the firmware to find any possible vulnerabilities or issues with it. That being said, I also just like opening things and looking at them.
    AI: Are you open to using alternative tools besides Ghidra or IDA for C-Sky V2 disassembly, like radare2, Binary Ninja, or any C-Sky-specific toolchains, or are you set on using Ghidra/IDA only?
    Ghidra and IDA would be my ideals, but if I could get anything to properly analyze it that's actually aware of where things are (e.g. memory locations like strings), I could work with that.
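Before going after the image, the serial capture above already answers several of the questions a reviewer asks about a device like this. The script below is an added example written for this edit, not code from the post or from the Taixen SDK. It parses lines in the format the post shows (the `HH:MM:SS.mmm -> ` prefix is the serial monitor's, and continuation lines lack it) and reports the SDK and library build strings (flagging when they come from different years), the radio MAC, the sockets the firmware opens, DHCP leases handed out by the device's AP, the app command headers the device logs, and whether the "license" blob it reads back contains anything. `SAMPLE_LOG` is constructed for this example from trimmed lines of the capture above; the field names and the wording of the notes are this example's own, not the firmware's.

```python
"""Triage a captured UART boot log from a TXW816-810 otoscope.

Added example, not code from the original post or from the Taixen/hgSDK
tooling. SAMPLE_LOG is constructed from trimmed lines of the post's capture.
"""
import re

SAMPLE_LOG = """\
14:06:55.076 -> ** hgSDK-v2.5.0.7-25841, app-0, build time:Dec  5 2024 12:06:20 **
14:06:55.077 -> **   libcore v2.5.0.7-26821, build time:Dec 21 2023 11:25:54
14:06:55.081 -> **   libwifi v2.5.0.7-26821, build time:Dec 21 2023 11:26:38
14:06:55.082 -> [0] ------- system restart fault -----------
14:06:55.318 -> [225]lmac set mac0 addr:88:17:89:0d:0e:b0
14:06:59.134 -> [test] init tcp server: port: 5007
14:06:59.135 -> [4052]ota num:0version:25841
14:06:59.159 -> product_str = BK7231U-XRH-FBPRO
14:08:14.609 -> [79525]inteface2: sta 6a:88:53:52:cf:f7 connected
14:08:15.825 -> [80742]Assign IP 192.168.1.10 for 6a:88:53:52:cf:f7, flags=0 (next:192.168.1.11)
14:08:18.330 -> [83227]Recv SEQ:221 CMD->ID:1 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> [83233]Recv SEQ:222 CMD->ID:2 AckNeed:1 reFlag:0 CMDLEN:0 RECVLEN:12
14:08:18.330 -> read license =
14:08:18.330 -> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
14:08:18.334 -> [83250]OK=>SN:!
14:08:18.378 -> [83294]pic port:54589
14:08:18.401 -> [83306]Recv SEQ:224 CMD->ID:10 AckNeed:1 reFlag:0 CMDLEN:3 RECVLEN:15
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} -> ")          # serial monitor prefix
SDK_RE = re.compile(r"\*\* (hgSDK-v[\d.]+-\d+), app-\d+, build time:(.+?) \*\*")
LIB_RE = re.compile(r"\*\*\s+(lib\w+) v([\d.]+-\d+), build time:(.+)$")
YEAR_RE = re.compile(r"(\d{4}) \d{2}:\d{2}:\d{2}")
MAC_RE = re.compile(r"lmac set mac0 addr:([0-9a-f:]{17})")
TCP_SRV_RE = re.compile(r"init tcp server: port: (\d+)")
PIC_PORT_RE = re.compile(r"pic port:(\d+)")
STA_RE = re.compile(r"sta ([0-9a-f:]{17}) connected")
LEASE_RE = re.compile(r"Assign IP (\d+\.\d+\.\d+\.\d+) for ([0-9a-f:]{17})")
CMD_RE = re.compile(r"Recv SEQ:(\d+) CMD->ID:(\d+) AckNeed:(\d) reFlag:(\d) CMDLEN:(\d+) RECVLEN:(\d+)")
OTA_RE = re.compile(r"ota num:\d+version:(\d+)")
PRODUCT_RE = re.compile(r"product_str = (\S+)")
HEX_BYTE_RE = re.compile(r"0x([0-9a-fA-F]{2})")
HEX_LINE_RE = re.compile(r"^[\s,0-9a-fA-Fx]+$")                 # a line made only of hex bytes


def triage(log_text):
    """Parse a serial capture into a dict of findings plus human-readable notes."""
    r = {"sdk": None, "app_build": None, "libs": {}, "mac": None, "product": None,
         "ota_version": None, "restart_fault": False, "ports": [], "stations": [],
         "dhcp_leases": {}, "commands": [], "license": b"", "notes": []}
    in_license = False
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()      # continuation lines carry no timestamp
        if in_license:
            if line and HEX_LINE_RE.match(line):
                r["license"] += bytes(int(h, 16) for h in HEX_BYTE_RE.findall(line))
                continue
            in_license = False                 # first non-hex line ends the blob
        if line.startswith("read license"):
            in_license = True
        elif m := SDK_RE.search(line):
            r["sdk"], r["app_build"] = m.group(1), m.group(2)
        elif m := LIB_RE.search(line):
            r["libs"][m.group(1)] = (m.group(2), m.group(3))
        elif "system restart fault" in line:
            r["restart_fault"] = True
        elif m := MAC_RE.search(line):
            r["mac"] = m.group(1)
        elif m := TCP_SRV_RE.search(line):
            r["ports"].append(("tcp server", int(m.group(1))))
        elif m := PIC_PORT_RE.search(line):
            r["ports"].append(("pic", int(m.group(1))))
        elif m := STA_RE.search(line):
            r["stations"].append(m.group(1))
        elif m := LEASE_RE.search(line):
            r["dhcp_leases"][m.group(2)] = m.group(1)
        elif m := CMD_RE.search(line):
            cmd = tuple(int(g) for g in m.groups())
            if cmd not in r["commands"]:       # the firmware logs some headers twice
                r["commands"].append(cmd)
        elif m := OTA_RE.search(line):
            r["ota_version"] = m.group(1)
        elif m := PRODUCT_RE.search(line):
            r["product"] = m.group(1)
    r["notes"] = _notes(r)
    return r


def _notes(r):
    """Turn the raw findings into the one-line observations worth writing down."""
    notes = []
    if r["restart_fault"]:
        notes.append("boot reason logged as 'system restart fault'")
    app_year = YEAR_RE.search(r["app_build"] or "")
    lib_years = {y.group(1) for v in r["libs"].values() if (y := YEAR_RE.search(v[1]))}
    if app_year and lib_years and lib_years != {app_year.group(1)}:
        notes.append(f"app built {app_year.group(1)}, SDK libs built {sorted(lib_years)}")
    for kind, port in r["ports"]:
        notes.append(f"{kind} socket on port {port} opened by the firmware")
    if r["license"] and not any(r["license"]):
        notes.append(f"license blob read back as {len(r['license'])} bytes, all zero")
    for mac, ip in r["dhcp_leases"].items():
        notes.append(f"DHCP lease {ip} -> {mac}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG)["notes"]:
        print("-", note)
```

Feed it the whole capture (`triage(open("uart.log").read())`) rather than the sample; the same regexes cover the full log in the post. The command tuples (SEQ, ID, AckNeed, reFlag, CMDLEN, RECVLEN) are only what the firmware prints about each inbound message, not the wire format itself, so they tell you which command IDs the app sends in what order but not how to craft one.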
  • #2 21600289
    divadiow
    Level 34  
    Hey, nice to see another Taixin MCU that isn't in a cam.
    Regarding the flash read lengths, this does feel vaguely familiar, but I don't recall what I did, if anything, to make it no longer the case. Does a lower ICE clock make any difference?

    Added after 7 [minutes]:

    Maybe this means the cam is a Hynix HI708.



    How many pins does the ribbon have, and what is the full text on it?
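Both the firmware-extraction note in #1 (a 0x0-0x50000 read and then 0x10000 steps up to 0x100000, merged by hand) and the flash-read-length question in #2 come down to the same thing: trusting an image assembled from several partial reads over a possibly flaky ICE link. The following is an added example, not code from either poster or from any CKLink tool. It merges slice files, refuses gaps and overlapping reads that disagree with each other, checks the total against the 1 MB size, and then profiles the result per 4 KiB block so erased, plain code/data and high-entropy regions are visible before the image goes near objdump or Ghidra. The `flash_0x<start>.bin` file naming, the constructed sample image and the 7.5-bit entropy threshold are this example's assumptions; the eight-byte `BOOT_HEADER` is the first line the ROM prints at `[0]` in the post's capture.

```python
"""Re-assemble a flash image dumped in slices, then profile it.

Added example, not code from the original posts or from any Taixen/CKLink
tool. File naming and the sample image are assumptions.
"""
import math
import os
import random
import re
from collections import Counter

FLASH_SIZE = 0x100000                                        # 1 MiB, as stated in the post
SLICE_NAME_RE = re.compile(r"flash_0x([0-9a-fA-F]+)\.bin$")  # assumed: flash_0x<start>.bin
BOOT_HEADER = bytes.fromhex("40009700a84312a0")              # first [0] line of the post's UART log


def merge_slices(slices, flash_size=FLASH_SIZE):
    """slices: iterable of (start_offset, bytes). Returns the merged image.

    Raises ValueError on a gap, on an overlap whose bytes differ between two
    reads (a dropped byte over the STM32 link shows up here), or on a wrong total.
    """
    image = bytearray()
    for start, data in sorted(slices, key=lambda s: s[0]):
        if start > len(image):
            raise ValueError(f"gap: nothing covers 0x{len(image):x}-0x{start:x}")
        ov = min(len(image) - start, len(data))              # bytes this slice re-reads
        if image[start:start + ov] != data[:ov]:
            raise ValueError(f"two reads disagree inside 0x{start:x}-0x{start + ov:x}")
        image += data[ov:]
    if len(image) != flash_size:
        raise ValueError(f"merged 0x{len(image):x} bytes, expected 0x{flash_size:x}")
    return bytes(image)


def load_slices(directory):
    """Read flash_0x<start>.bin files (assumed naming) into (start, bytes) pairs."""
    out = []
    for name in sorted(os.listdir(directory)):
        m = SLICE_NAME_RE.search(name)
        if m:
            with open(os.path.join(directory, name), "rb") as f:
                out.append((int(m.group(1), 16), f.read()))
    return out


def shannon_entropy(block):
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0


def profile_image(image, block_size=0x1000):
    """Label each block: erased (all 0xFF), zero, high-entropy (>= 7.5 bits), or code/data."""
    out = []
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        h = shannon_entropy(blk)
        if blk == b"\xff" * len(blk):
            label = "erased"
        elif not any(blk):
            label = "zero"
        elif h >= 7.5:
            label = "high-entropy"
        else:
            label = "code/data"
        out.append((off, round(h, 2), label))
    return out


def regions(profile, block_size=0x1000):
    """Collapse the per-block profile into (start, end_exclusive, label) runs."""
    runs = []
    for off, _, label in profile:
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + block_size, label)
        else:
            runs.append((off, off + block_size, label))
    return runs


def find_bytes(image, needle):
    """Every offset of needle, e.g. to locate the bytes the ROM printed during boot."""
    hits, i = [], image.find(needle)
    while i != -1:
        hits.append(i)
        i = image.find(needle, i + 1)
    return hits


def build_sample_image(seed=1):
    """Constructed stand-in for a dump: header, low-entropy 'code', random blob, erased tail."""
    rng = random.Random(seed)
    code = bytes(rng.choice(b"\x00\x01\x20\x46\x4f\x80\xb5\xbd")
                 for _ in range(0x30000 - len(BOOT_HEADER)))
    blob = bytes(rng.getrandbits(8) for _ in range(0x20000))
    img = BOOT_HEADER + code + blob
    return img + b"\xff" * (FLASH_SIZE - len(img))


def sample_slices():
    """The post's read pattern (0x0-0x50000, then 0x10000 steps) plus one overlapping re-read."""
    img = build_sample_image()
    out = [(0, img[:0x50000])]
    out += [(s, img[s:s + 0x10000]) for s in range(0x50000, FLASH_SIZE, 0x10000)]
    out.append((0x48000, img[0x48000:0x58000]))
    return out


if __name__ == "__main__":
    merged = merge_slices(sample_slices())
    for start, end, label in regions(profile_image(merged)):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
    print("boot header at", [hex(h) for h in find_bytes(merged, BOOT_HEADER)])
```

On real slices use `merge_slices(load_slices("dumps/"))`. Deliberately re-reading one range twice (the overlapping slice in `sample_slices` models this) is the cheap way to answer #2's question: if the two reads disagree, the link is dropping data and a lower ICE clock or a proper CKLink is the fix, not a different merge. The profile is the other check worth doing before disassembly: if nearly every block comes out high-entropy, the flash holds a compressed or encrypted image and objdump on the raw file will produce nothing meaningful.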