Announcement

Collapse
No announcement yet.

XTU X2 Action cam Hi3556A + IMX377 Any idea where to start to customize it?

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    XTU X2 Action cam Hi3556A + IMX377 Any idea where to start to customize it?

    I'm wondering if anyone can point me in the right direction for where to start customizing this firmware. I can't find a firmware update online for this camera, so I'm not sure where to start. I'm happy to do a bunch fo reading if someone can just give me a hint....

    Thanks!
    Tags: None
  • #2
    What's your stock fw version? Seems like I've got an idea where to get 3.0.0.10.20190108 for XTU X2.
    Donate here if you want to support my efforts and this site.

    Email me if you have any offers, requests or ideas.

    Comment

    • #3
      Mine came with 11.8.3.1.20191207, any chance it would be able to downgrade?

      Comment

      • nutsey
        #3.1
        nutsey commented
        01-06-2021, 01:29 PM
        Editing a comment
        I guess there are two hardware revisions of this cam: I've found 3.0.0.10.20190108 (X2-dv-3556A-imx377-ap6255) and 11.8.3.2.20190928 (XTUX2-dv-3556A-imx377-rtl8189) firmwares. At least they use different WiFi modules and flash memory type.
    • #4
      I would think the 11.8.3.2.20190928 would be me for my camera. Interesting how the version number seems to be higher, but the date seems older.

      Comment

    • #5
      I took a few pics in case it's interesting.

      Dumb question, where would one connect such a flash programming device? Also do you think this firmware will upgrade/downgrade?

      I've done lots of programming of small AVR, holtek and some STM32. (btu that I just mean I know the concept and have done it in some form before) I'm just not sure where to start with Hi3556. Any help is much appreciated.
      Inside of XTU X2 Inside of XTU X2
      2 Photos

      Comment

      • nutsey
        #5.1
        nutsey commented
        01-06-2021, 01:48 PM
        Editing a comment
        This little eight-legged guy: https://www.winbond.com/resource-fil..._g_feb1714.pdf

        Or you can try finding RX/TX pcb testpoints to get access to console for cloning fw mtd parts.
      • metri
        #5.2
        metri commented
        01-06-2021, 01:50 PM
        Editing a comment
        You are my new hero! I seem to recall RX TX pins... let me take it apart again.
      • metri
        #5.3
        metri commented
        01-06-2021, 02:01 PM
        Editing a comment
        No straight forward RX TX points I can see. There are a bunch of test points on the PCB. I'll poke with the scope tomorrow or see if anything lines up with the reference Hi3556 design.
    • #6
      I found this little programmer, CH341A USB Mini Programmer, sound like the right tool for the job?
      https://cableforum.blogspot.com/2020...-software.html

      Let me know if you know a better one. I don't have anything that will read it on hand.

      Comment

      • nutsey
        #6.1
        nutsey commented
        01-06-2021, 03:00 PM
        Editing a comment
        It should do the job and I have a couple of those cheap CH341A dongles, but I prefer this: https://www.amazon.com/Flashcat-Memo...dp/B00F2P9AS6/

        It's faster, more stable, supports much more flash memory chips and gets frequent software updates (the latest was on December 29, 2020).

        Flashcat site: https://www.embeddedcomputers.net/products/FlashcatUSB/
        Last edited by nutsey; 01-06-2021, 03:07 PM.
      • metri
        #6.2
        metri commented
        01-07-2021, 12:56 AM
        Editing a comment
        Thanks. I'm going to try the CH341A because it's cheap, but also because I can't get the Flashcat in my area. I'm going to try an XTW100 programmer also, as it's was just a few bucks more to buy both.
    • #7
      I found the RX/TX pins. The TX is the one with the wire connected and the tinned test point beside it is almost certainly RX. I just pulled GND from a convenient screw. Baud rate is 115200, and here is the log file from boot and power off.

      Any tips on how to interact over serial?
      Attached Files

      Comment

      • #8
        I looked through the long file:
        Click image for larger version Name: autoboot.jpg Views: 149 Size: 81.0 KB ID: 19287
        This stuck out as what I want to do. So I hooked up RX on the camera

        Black wire is TX, Red wire is RX
        Click image for larger version Name: CAM_0004.JPG Views: 141 Size: 1.35 MB ID: 19290
        I uploaded the putty log. The system info is:

        hisilicon # getinfo spi
        Block:64KB Chip:16MB*1
        ID:0xEF 0x60 0x18
        Name:"W25Q128FW"
        hisilicon # getinfo version
        version: U-Boot 2016.11

        hisilicon # eve nve pr print -a
        arch=arm
        baudrate=115200
        board=hi3556av100
        board_name=hi3556av100
        bootargs=mem=128M quiet console=ttyAMA0,115200 clk_ignore_unused rw root=/dev/mtdblock6 rootfstype=jffs2 mtdparts=hi_sfc:768K(u-boot.bin),128K(rawparam),128K(rawparambak),3456K(m edia_app_zip.bin),512K(resImage),2560K(uImage),256 0K(rootfs.jffs2),6272K(appfs.jffs2)
        bootcmd=sf probe 0;sf read 0x24f00000 0x460000 0x80000;sf read 0x27000000 0xc0000 0x20000;sf read 0x27100000 0xe0000 0x20000;cread 0x27000000 0x27100000 0x20000 0x22000000;go_a53cpu1 0x22100000 0x33000000 0x100000 0x360000;sf read 0x27000000 0x4e0000 0x280000;bootm 0x27000000
        bootdelay=0
        cpu=armv7
        soc=hi3556av100
        stderr=serial
        stdin=serial
        stdout=serial
        swver56a=B1PRO_1207164444
        vendor=hisilicon
        verify=n

        Environment size: 769/131068 bytes
        hisilicon #

        It's amusing it logs all the backspaces I did from typing errors....

        So now that I'm in, what can I do? What I really want to do is change the bootup/closedown animations. Is that possible with this level of access?
        Attached Files

        Comment

        • #9
          Originally posted by metri View Post
          What I really want to do is change the bootup/closedown animations.
          I believe it's here: /dev/mtdblock0. Packed u-boot.bin binary starts at 0x2040.
          Donate here if you want to support my efforts and this site.

          Email me if you have any offers, requests or ideas.

          Comment

          • #10
            Is there somewhere that has a brief overview of what I need to do or what I can do? I'm not sure the file you refer to is in the firmware image or I can access it over the serial connection on the camera.
            If it's in the firmware image, I'm not sure what tools to use to pack/unpack it.
            If it's on the camera, I'm not sure how to access it. I did briefly go through the commands available at the hisilicon prompt, but didn't see anything that jumped out at me as the right command.
            I feel bad asking such basic info about what are the general steps of how to modify firmware on these devices. Is there somewhere you could point me to read? Then I could ask you more intelligent questions. I'm not a newb to electronics, but a newb to camera modding.

            Comment

            • nutsey
              #10.1
              nutsey commented
              01-07-2021, 07:13 AM
              Editing a comment
              Seems like the shell prompt is disabled in your case. Maybe you can find something useful here: http://marcusjenkins.com/hacking-cheap-ebay-ip-camera/
            • metri
              #10.2
              metri commented
              01-07-2021, 01:41 PM
              Editing a comment
              There are less command available on my U-boot than on that cheap IP Camera so I'm not sure how I can get to a prompt. I can read the SPI flash when I get the reader. Is that something I can then edit in a useful way and write back? Do I need to extract the data over something like TFTP or is reading directly off the flash possible?
            • nutsey
              #10.3
              nutsey commented
              01-07-2021, 01:55 PM
              Editing a comment
              You can read the flash dump directly with an SPI programmer and split it into separate files. Then you will get access to the filesystem (jffs2), u-boot.bin and a gziped binary (media_app.bin) with some interesting data in it like cmos sensor regs and so on.
            • metri
              #10.4
              metri commented
              01-08-2021, 02:13 AM
              Editing a comment
              Is it then possible to write it back to the SPI flash to perform changes in the firmware?
            • nutsey
              #10.5
              nutsey commented
              01-08-2021, 04:54 AM
              Editing a comment
              Sure.
          • #11
            Oh I see, I have access to U-Boot but not the shell. Oh this is much more intense than I was hoping.... I wonder if TFTD can work over wifi, as there is no physical ethernet connection

            Comment

            • #12
              I read the SPI Flash. I don't have time to do anything with it tonight, but here it is if anyone wants to take a look. Read with CH341A, I ran a verify on the read, no errors detected.

              https://www.dropbox.com/s/0onfds7yh3...91207.zip?dl=0

              Let me know if you have any problems with the link
              • 1 like

              Comment

              • nutsey
                #12.1
                nutsey commented
                01-08-2021, 04:29 PM
                Editing a comment
                Thanks for sharing! Your 20191207 fw is based on a newer SDK comparing to 20190928 I shared above. There were many thing added: 4 video shooting modes, sharpness, saturation and contrast control...
              • metri
                #12.2
                metri commented
                01-09-2021, 04:06 AM
                Editing a comment
                Is it possible to modify the flash to enable the shell prompt? I'm sure we can extract the root password too.
              • nutsey
                #12.3
                nutsey commented
                01-10-2021, 03:21 AM
                Editing a comment
                I suppose that secure shell (SSH) or telnet would be more convenient to use.
            • #13
              https://www.dropbox.com/s/1ytyrtanis...91207.zip?dl=0

              I tried to make SD card version of firmware from flash. Seems to work OK
              uas at your own risk

              Comment

              • nutsey
                #13.1
                nutsey commented
                01-11-2021, 10:41 AM
                Editing a comment
                I believe 0xFF tailing bytes in the end of .jffs2 files shoud be removed.
            • #14
              I wasn't sure if I should be removing trailing FF on all of those files. The last time I burned it, it was working properly. I would think that uncompressed files wouldn't need to remove the trailing FF?

              Comment

              • metri
                #14.1
                metri commented
                01-11-2021, 11:48 AM
                Editing a comment
                I used to cat to combine all the files into a single image and it was a byte for byte match of the flash image. So when written to memory that is what it looks like. I'm a bit unsure about the FF's
            • #15
              What's the difference between the X1 and X2.

              Comment

              Previous template Next
              Working...
              X