Mini0801 Hacking (Hardware and Software)

Tobi@s

Tobi@s

Well-Known Member
App Developer
Joined
Nov 12, 2013
Messages
1,379
Reaction score
845
Location
Remote
Country
Germany
Dash Cam
none
Now collecting all information in this post.

Hi, my name is Tobias I am from Germany and I like to mess around with almost all kinds of devices I use. Mini0801 is one of them. Please excuse my english.

This thread is about hardware and software hacking.

Hardware part:
Lets go: After disassembling the camera (just for fun) I inspected those 2 pcb boards - and I found pins for UART connection!

UART Pins: http://dc.p-mc.eu

So I soldered a "diag port" to it: http://dc.p-mc.eu

Then I booted the camera with Putty listening on COM3 Baud 115200: http://dc.p-mc.eu Success!! :D At least Tx -> Rx works

After some more research I found posts from Thunderbaud regarding the GoPro in another forum. He wrote that you can get into AMBoot (Bootloader shell) when you shorten Rx & Tx while powering the device. Suprise! it worked:
amboot.png


Messed around with the commands but there is nothing really interesting (well xmdl and exec is interesting though)..

Then I got linked to another GoPro board - they describe an ambshell there. It comes with prKernel v4. GoPro users are able to enter that shell. prKernel should also load a file from SD on startup: autoexec.ash. The code is included in our Mini0801 PrKernel and in GoPro's prKernel - but unfortunately it seems that it only works (gets executed) on GoPro :(
Since I have no knowledge in Assembler I am not able to modify the PrKernel to load that file or boot into ambshell. Well.. I'm still trying. Seems a software called "eBinder" would help a lot. Unfortunately it's not availible for public use.

That's the progress I made on the hardware part.

Software:
We are able to update our firmware using flashable firmware-NO1-XXXXX.bin files. Similar to GoPro. I was able to extract the different fw parts (BST, bootloader, kernel, romfs and DST microcode) using a tool from evilwombat (GoPro Forum) he created for the GoPro firmware.
Unpacked firmware parts: https://drive.google.com/file/d/0B4FRwm9CGCLkQlhIckJ5UURPLXM/edit?usp=sharing
evilwombat also wrote a tool for unpacking the GoPro romfs - surprise: it also works with our mini0801 romfs! Had some trouble using it on a Windows system, but meh, I got it working :D Extraced romfs: https://drive.google.com/file/d/0B4FRwm9CGCLka0wzekxnckRoMzA/edit?usp=sharing
Update: Also have a look at these 2 posts:
Datasheets and stuff
Firmware header

Thats the sw-part progress so far

Misc:
System log during fw update (to 20131026 - thanks to Lunar for the fw): http://pastebin.com/zNEDZav4


Again: Big thanks to evilwombat and Thunderbaud for their progress in GoPro hacking!!
 
Last edited:
Update: All Pins discovered!!
-link removed as not available anymore-

Now going to connect my uart converter. Keep your fingers crossed.

Update:
SUCCESS!! Got some output at 115200 Baud:
-link removed as not available anymore-

Next update: Got into amboot shell :D
-link removed as not available anymore-

Update:
Done with AMBoot
prKernel is next :)

Another Update:
Hmm no idea how to enter the running rtos/linux(?)

Just decompressed 20131026 (thanks Lunar) firmware and found this:
a/b/c/...z:\autoexec.ash and .tcl
So maybe there is a way to play around with linux commands in this file?
 
Last edited:
That's most interesting , as I de-compiled a version of a Russian firmware for my Mio 368 recently, just to get a little assurance it had a English option in the languages before I updated to it, the Mio 368 is not listed on Mio's main site but it is used a lot in Russia, and the MioRussia site carries firmware updates for it, have to translate of course. Luckily I was able to decipher enough to assure myself that it did indeed support English. :)

I too.. dismantled my first mini 0801, mainly to fix the 'up button' which was not working when I received the camera, but as I've been involved in both the design and repair of electronic equipment for about 40yrs, I figured it would be something simple.. which it was, in fact dead simple..lol they simply had not soldered one side of the SM switch, a few seconds with a fine tipped antex did the job. It voided my warranty, but a hour well spent. Hardest bit was getting that end cover off (The end cover that covers the 4 securing screws) without leaving any marks, as anyone can remove it by digging down the side and getting under it, but the trick is doing it without leaving a single mark on the camera. As is often the case, sometimes it's harder to get into it than it is to repair it...lol In fairness the seller did reimburse me for 1 hr of my time. :)

Although I obviously noticed the battery, which is stuck with double sided tape immediately above the speaker, I didn't check to see what the battery was.

As you have your camera open, could you please check the rating and voltage of the battery and maybe it's type/part no.? I'm amazed I didn't look myself, as I had to use a pair of plastic tweezers to re-sit the small speaker into it's recess, as it tends to lift out when you raise the board as you have probably noticed...lol
 
Last edited:
Still stuck in getting into the RTOS console... Had to solder the cables again.. My soldering skills are bad :D

But I took a picture of the battery for you @Lunar
-link removed as not availabe anymore-

UART system log during update to 20131026 :)

http://pastebin.com/zNEDZav4
 
Last edited:
Cheers matey, if you get chance you couldn't pop a tape measure on it just to get some rough dimensions and approx. thickness... could you...lol

Good man.. ;-)
 
Huh.. Sorry, but I have no idea what you wrote there :oops:
 
Aww jokiin :D
You have any idea how to enter its shell?
 
Seems I have to arrange that using autoexec.ash (ash = ambarella shell script I guess)

But first I have to find out if that file even gets loaded during boot. Anyone else got any ideas?
 
GoPro do their own firmware version so not exactly the same but there might be some pointers there amongst the info that could help
 
That looks great! Thanks for the Links. Lets See if I can get any progress after reading..
 
Tobi@s said:
Update: All Pins discovered!!


Now going to connect my uart converter. Keep your fingers crossed.

Update:
SUCCESS!! Got some output at 115200 Baud:


Next update: Got into amboot shell :D
amboot.png


Update:
Done with AMBoot
prKernel is next :)

Another Update:
Hmm no idea how to enter the running rtos/linux(?)

Just decompressed 20131026 (thanks Lunar) firmware and found this:
a/b/c/...z:\autoexec.ash and .tcl
So maybe there is a way to play around with linux commands in this file?
Click to expand...
Looks like someones having fun.
 
Last edited by a moderator:
Could someone change the title to something like "mini0801 hacking"?

ontopic: Gonna flash procam fw again since it supports both sd cards (inner and outer). Maybe autoexec.ash only gets executed from the inner card..

So far I found pretty much identical things between goPro Hero and the mini0801. Could really help.
 
You can edit the title somewhere at the top. I'm on my mobile otherwise I would get a screen shot.


Sent from my iPhone using Tapatalk
 
Progress is really slow atm.. I messed around alot with autoexec.ash. But it seems that the file wont be read on startup. Even basic things like
Code: 
echo testing > d:\test.txt(LF break)
wont work.. This makes the whole thing pretty hard to enter. :(

Unfortunately the goPro loads the autoexec.ash on boot. Thats the big difference.

Gonna try to modify the bootloader (AMBoot) now. Since I extracted the amboot fw above it should be pretty easy to mess around with it. Then I try to inject it via amoot xmdl and jumpt to the modified version via exec <mem addr>

And I still have no idea how to mess around with romfs..
 
You must log in or register to reply here.
Back
Top