iCatch (Sunplus) firmware hacks.


  • iCatch (Sunplus) firmware hacks.

    There are several ways to update an iCatch camera firmware. One of those is in-camera update with a BRN (SPHOST.BRN by default) file placed in the root of the memory card.

    So let's see what's the structure of such BRN files:
    [Image: brn-header.png]

    The 0x000-0x1FF byte range is the fw header. It has the 'SUNP BURN FILE' title at the 0x000 offset. Then at 0x010 we have the fw filesize (little-endian dword) and six offsets of firmware partitions at 0x14, 0x18, 0x1C, 0x20, 0x24 and 0x28. Another partition starts right after the header, thus it has no special offset here. The header ends with a CRC (checksum) value at 0x1FC.
    Donate here if you want to support my efforts and this site.

    Email me if you have any offers, requests or ideas.
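
The header layout from the post above, as an added example that is not part of the original thread: a Python parser that reads the fields and bounds-checks them before anything is carved out. Reading the offsets as little-endian dwords, treating a zero offset as an unused slot, ending each partition at the next higher offset, and pairing index 0 of the partition names in post #2 with the data right after the header are assumptions of this example.

```python
import struct

HEADER_SIZE = 0x200
MAGIC = b"SUNP BURN FILE"
# Names as listed in post #2; pairing index 0 with the data that starts right
# after the header is an assumption of this example.
NAMES = ["ISP bootloader", "AIMG FAT16", "BIMG FAT12", "CIMG",
         "firmware BIN", "bad pixel calibration", "DRAM settings"]

def parse_brn(data):
    """Return size, stored checksum and partition extents; ValueError if malformed."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than the 0x200-byte header")
    if not data.startswith(MAGIC):
        raise ValueError("no 'SUNP BURN FILE' title at 0x000")
    # 0x10: file size, 0x14..0x28: six offsets (read as little-endian dwords)
    size, *offsets = struct.unpack_from("<7I", data, 0x10)
    (checksum,) = struct.unpack_from("<I", data, 0x1FC)  # stored value, not verified
    if size != len(data):
        raise ValueError(f"size field {size:#x} != file length {len(data):#x}")
    starts = {0: HEADER_SIZE}
    for i, off in enumerate(offsets, start=1):
        if off == 0:            # assumption: 0 marks an unused slot
            continue
        if not HEADER_SIZE <= off < size:
            raise ValueError(f"partition {i} offset {off:#x} out of bounds")
        starts[i] = off
    parts = []
    for i, start in starts.items():
        # assumption: a partition ends where the next higher offset begins
        end = min((s for s in starts.values() if s > start), default=size)
        parts.append({"index": i, "name": NAMES[i], "start": start, "end": end})
    return {"size": size, "checksum": checksum, "partitions": parts}

def build_sample():
    """Constructed test image (not real firmware): header plus filler bytes."""
    offsets = [0x300, 0x400, 0, 0x500, 0x600, 0x700]   # slot 3 left unused
    size = 0x800
    header = bytearray(HEADER_SIZE)
    header[:len(MAGIC)] = MAGIC
    struct.pack_into("<7I", header, 0x10, size, *offsets)
    struct.pack_into("<I", header, 0x1FC, 0)            # checksum field left at 0
    return bytes(header) + bytes(size - HEADER_SIZE)

if __name__ == "__main__":
    for p in parse_brn(build_sample())["partitions"]:
        print(f"{p['index']} {p['name']:<22} {p['start']:#07x}-{p['end']:#07x}")
```
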

  • #2
    BRN partitions:
    0 - ISP bootloader,
    1 - AIMG FAT16,
    2 - BIMG FAT12,
    3 - CIMG (not used ?),
    4 - firmware BIN file,
    5 - Bad pixel calibration info,
    6 - DRAM settings.


    • #3
      Do you have a RAM map of the cameras? I'd like to reflash a dead camera, but it looks like it only allows the use of terminal commands, such as dump and others... so I'd like to write firmware directly to RAM to allow updating via SD card...



      • #4
        Originally posted by nutsey
        There are several ways to update an iCatch camera firmware. One of those is in-camera update with a BRN (SPHOST.BRN by default) file placed in the root of the memory card.

        So let's see what's the structure of such BRN files:
        [Image: brn-header.png]

        The 0x000-0x1FF byte range is the fw header. It has the 'SUNP BURN FILE' title at the 0x000 offset. Then at 0x010 we have the fw filesize (little-endian dword) and six offsets of firmware partitions at 0x14, 0x18, 0x1C, 0x20, 0x24 and 0x28. Another partition starts right after the header, thus it has no special offset here. The header ends with a CRC (checksum) value at 0x1FC.
        Hey. I did not understand which part of the file is checked for CRC and which CRC algorithm is used?



        • nutsey
          nutsey commented
          Check the sumpatch.exe tool in any modern iCatch FRM software.

        • Zormax
          Zormax commented
          I don’t understand how to run sumpatch.exe and what command line to write ..

      • #5
        Originally posted by nutsey
        The header ends with a CRC (checksum) value at 0x1FC.
        Help, please describe an example of running sumpatch.exe and what command line to write...



        • nutsey
          nutsey commented
          I didn't try it, but I found this:
          sumpatch `bin' [-s `skip'] `patch_ofs'

        • Zormax
          Zormax commented
          This works:
          sumpatch.exe firmware.bin 508

          508 == 0x1FC - 1
          Last edited by Zormax; 08-23-2019, 02:40 PM.

      • #6
        And? Can you modify firmware? Can you add digital stabilization in firmware (SPCA6350 can do this)?



      • #7
        Hi there!
        I have spent some time this weekend on reversing the firmware for iCatch V50 cameras, and more specifically for my Akaso V50 Pro SE (apparently it actually has a slightly different firmware from the normal V50 Pro).

        I have written a small script to carve out the different bin files from the firmware at the provided offsets. It seems like the data at offset 3 has something to do with the Linux OS and/or RTOS running on the SoC, and offset 2 just has a FAT partition with data the system is using.
        Now, I have spent quite some time on trying to find some actual assembly functions in offset 0 and offset 3, however I am not very experienced in this. I am struggling with how the data inside of the binaries is structured, which part is code, which data etc. There is a clear difference between string data and the rest though: https://imgur.com/a/opMYQpI
        I am posting everything interesting I find on GitHub: https://github.com/Linouth/iCatch-V50-Playground

        I have also modified the V4 BRN file by replacing the startup sound with a reversed version. Since the V4 firmware has a CRC of 0, I assume the checksum is not required. I have yet to test this firmware image, since it is for the V50 Pro and I have a V50 Pro SE. If anyone is willing to test it, please let me know whether it worked or not.

        Next week I will be on a skiing trip (so I need the camera, working :P), but after that I am going to dump the SPI flash so I can restore the firmware whenever anything breaks, hopefully.

        Also, if anyone has a BRN firmware file for the Akaso V50 Pro SE, please send it to me.



        • Linouth
          Linouth commented
          Okay, the code in offset3 is mapped to 0x40000000. I have (probably) been able to find some basic functions such as printf, sprintf, some log function, and maybe a file_open function.
          I hope to find a uart debug port once I open my device again, which should help a lot with reversing. My goal, for now, is to add an extra entry in one of the menus.

        • petesimon
          petesimon commented
          oooh. very interesting. here is V50 Pro SE firmware - https://yadi.sk/d/7lHZkYHXVr71lg
          and here is more firmware for other Akaso models - https://yadi.sk/d/JoxghlhkrNNBkw
          be sure to use the latest Winrar/Unrar or 7-zip for the .rar files.

          I found links to Akaso firmware in this Facebook group - https://www.facebook.com/groups/2279303618833000/

        • nutsey
          nutsey commented
          Both A (FAT16) and B (FAT12) images are stored inside the 'offset2' file. B is at 0x500120 offset.

          Your BRN structure should look like this:
          offset0 - spca6500isp.bin
          offset1 - ???
          offset2 - A and B images
          offset3 - firmware binary (f.e. WDV4k.bin)
          offset4 - n/a
          offset5 - bad pixel stuff
          offset6 - dram config .prm

        • Linouth
          Linouth commented
          petesimon Oh great! That firmware is gonna come in handy.

          nutsey I completely missed that FAT12 partition, oops.
          Where did you find those filenames, or is that just speculation what they could be called?

        • nutsey
          nutsey commented
          Check your Vikcam V50 fw. It's all there in the 'download' folder. You can inspect 'frm_user.ini' and other files and run 'frm.exe' and go to the 'Advanced' tab for more details.

        • Linouth
          Linouth commented
          Ooohh, interesting. I completely ignored that program since I could not get my device to go into recovery mode.

      • #8
        DBpower EX7000 (SPCA6350/V35+MN34110) flash memory dump: https://mega.nz/#!yuZUGabb!mCwbyLdAN...sNkV8hYQTIjzeI

        The dump was saved with this cool programming device: https://www.embeddedcomputers.net/products/FlashcatUSB/


        • petesimon
          petesimon commented
          oooh. so the sensor is not OV4689 but is the Panasonic 14 MP sensor. nice.
          well huh, I sold the camera already... 😸

        • nutsey
          nutsey commented
          I really love this cam. Just tested batteries - both are 900+mAh allowing to shoot with each for almost 2 hours at 1080p30 with low LCD brightness.

          Its internal design is also very impressive - metal battery holder, metal front heat dissipation plate, Bluetooth, reflective pads for LED indicators (never seen those before) etc. The lens quality is quite good as well. Absolutely worth every penny.

      • #9
        A quick update. I have dumped my SPI flash to revert back to. Already had to use it after I had botched the firmware. The firmware is dumped using a Bus Pirate using flashrom, though any SPI capable device should be able to dump the flash. My flash dump can be found here: https://github.com/Linouth/iCatch-V5...nbond_dump.bin


        I have also found the pins for serial access. It uses a baudrate of 115200. There is a lot of information and quite some tools available there (the commands available). Especially the dump, w, fill and mapExe are useful.

        I was also able to create a very simple custom firmware image: https://i.imgur.com/w4obtay.png
        The version string is simply changed using a hex editor. The red text at the bottom is added by mounting the fat16 file system and changing the INFO_BACKGROUND.JPG file. It doesn't look like the checksum is being checked by the device when flashing.
        Next thing I want to try is to add some code somewhere in the firmware, maybe a new serial command or a new entry in the menu.



        • PolyEsther
          PolyEsther commented
          Thank you. I really wanted to like this camera, but its really low 4K bitrate and oversharpening aren't making it easy. I hope you can unlock some new options one day.

        • Angel_Hranitel
          Angel_Hranitel commented
          Hello. Can you disassemble the firmware for V50Elite? https://yadi.sk/d/BvirJLYeU1l32Q

      • #10
        Hello. Can you disassemble the firmware for V50Elite? https://yadi.sk/d/BvirJLYeU1l32Q
        Last edited by Angel_Hranitel; 1 week ago.
