Hacking Q3H (allwinner v3 - Camdroid)

thegamut

Active Member
Joined
Jul 22, 2016
Messages
118
Reaction score
68
Country
Barbados
Dash Cam
Q3H aparently.
So I've made inroads into allwinner v3 chipsets. There is 0 documentation on the allwinner and people speculate it can't do over 1080P, etc, etc Yet many people are ending up with fake 4k cameras that are more software crippled than anything.

This was done on Q3H (allwinner + Sony IMX sensor maybe)

8/20 Small Test video: https://sendvid.com/ucnobyqc
Some more samples: https://www.mediafire.com/folder/o5ncedg5ut39l/Samples
Partition structure:
cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00010000 "uboot" -bootloader
mtd1: 002c0000 00010000 "boot" -kernel + initrc
mtd2: 00630000 00010000 "system" -config files (squashfs)
mtd3: 00200000 00010000 "cfg" - file system journals/junk
mtd4: 00020000 00010000 "boot_logo"
mtd5: 00020000 00010000 "shutdown_logo"
mtd6: 00010000 00010000 "env"
mtd7: 00010000 00010000 "private"
root@camdroid:/ #

the dd copies of said partitions: http://ge.tt/1MIkNnc2
You can unsqashfs "system" with squashfs here: http://domoticx.phoenixinteractive....3-i686-windows-cygwin_(lzma+lzma2+lzo+lz4).7z


The camera runs camdroid OS equivalent to android 4.2.2. It is laid out like many allwinner tablets.
V4L is used as a backend for video encoding and MiniGUI (http://www.minigui.org/en/) is the front end.

Board/chip Pics: https://www.goprawn.com/forum/allwinner-cams/25-allwinner-v3-sony-imx179-action-cameras


How I enabled ADB:
Installed https://www.androidfilehost.com/?fid=24459283995302221 after camera detects an unknown "android" in webcam mode. It would not work at first but I connected with Phoenix Suite and hit enter recovery mode. After that ADB works fine. Try just the driver first.

Adb has root access but some files cannot be written to because of squashfs or being restored at boot.

What can be done so far:
High bitrates ~50/60 megabits w/shorter GOP.
Real sizes for 60fps and 120fps (IMX179s)
Most ISP processing disabled (IMX179s).
Sounds are fully silenced.
Busybox + Other ARM code can be run or added to the image.
Root+Data on externalSD in ext2 (no guide yet)

What I hope for:
Turn off noise reduction and sharpening and edit bit rates + image scaling.
My camera came with possibly a sony IMX179 and it uses 3kx2k for 4k/2.7k/1080P. Quality is awful because of the post processing.
Increase audio recorded beyond the awful 8000hz sampling rate.
In testing, patches from 4pda.ru
Raw Photos. The current photos aren't usable at all.
Fully boot off SD card. Doesn't automount extsd.
Exfat/128gb sd cards. Doesn't automount.
Automatic ADB over wifi.

More info:
http://pastebin.com/4xQvWC5B - system services
http://pastebin.com/rjpb0KTu - Build.prop
http://pastebin.com/nJTK6Kmr -boot up kernel messages

Flash Image:

http://www.mediafire.com/download/8ela8pnk3ugx1fj/full_img.fex
Script.fex : http://pastebin.com/QLmnUAKK

Full Recovery:
Q3H.IMG http://www.mediafire.com/download/csop12dwyb41m7i/Q3H.img
Remember, your hardware must match the script.bin Take a full backup of old firmware with DD.
Once your original script.bin is lost, all info to your camera hardware is GONE!


Edited Images:
No Shutter/Click/Startup, Edited menu.cfg: http://www.mediafire.com/download/1l82xgzyd3qblj9/Q3H-NoSounds.img
Run your code from debug_bin and debug_lib on extSD: http://www.mediafire.com/download/z6cfkaa2a6ajvtb/SDV-BinLibPath.img
Properly Patch BitRate, can record without loop: http://www.mediafire.com/download/kacyjvm4epbk56q/FixedCalculations.img
Uniform Modes with new module: http://www.mediafire.com/download/1ik4pkz4v12n56a/NewModuleUniform.img
Old Kernel + New Modules [configs save, no auto off] : http://www.mediafire.com/download/5ajmt99gd3atd0d/179s-oldkernel-newmodules.img
*a little old, see next post.
Q3H-imx179s EXT2 booting flashable (rootfs on SDcard) - http://www.mediafire.com/file/7st6ybssi9qsbgt/Q3H-EXT2_flashable_imx179s.img

F60 IMX179 firmwares from plutonio - https://www.dropbox.com/s/6gvem9cb3bxh7rj/F60 Firmwares.zip?dl=0

Modules:
New Style (355kb)
http://s000.tinyupload.com/?file_id=23181294993408074307
Old Style (317kb)
http://s000.tinyupload.com/?file_id=66147726912749918743
*a little outdated now, pull them from released rootfs


Backup Script: https://dashcamtalk.com/forum/attachments/backup-script-zip.25246/
Packers/Unpackers + Phoenix Suite: http://www.mediafire.com/download/x6u6eoi4atn2do8/Compressors.7z
Full_img.fex separator + script.bin extractor by NMD & nutsey:
http://www.mediafire.com/file/rbr2vhv23xr1c2r/3-unfex-refex-scripts.rar
Unpack/repack Boot Image/kernel by NMD: http://www.mediafire.com/file/1ybmbirb5i46e42/unpack_repack_bootimg_kernel.rar

Flashing with PhoenixSuit (Load IMG first!):
armedphoenix.jpg format.jpg

There is a 360 camera too!
 
Last edited:
would probably do better to try and get good 1080p rather than the processed mess they generally make out of these things
 
Booting from SD Card


Why?
  • You don't want to keep flashing the whole FW over and over.
  • Too much flashing may degrade the nand.
  • Quicker Startup
  • No limit to RootFS Size

What you need:

Phoenix suite, compressor pack, HXD hex editor.


How:


1. Partition the SD card like the image below.
You'll want to shrink your fat32 partition. Create an extended partition and then another partition from that. The size doesn't so much matter as long as you can fit your RootFS. Write down the starting sector.

SD-Boot.jpg

2. Uncompress any phoenix suite image that works to flash your camera with imgRePacker. Throw your full_img.fex inside and overwrite the included one. This is to keep your original script.bin, it has your hardware configuration and memory timings.​

3. Open up the hex editor and paste-overwrite the kernel with the one below. Make sure you're not changing the file size.

Kernel (starts IMX179s,IMX179,OV4689): http://www.mediafire.com/download/m1dwzyxl6l3yf6j/boot-JFFscfgSD5root-K621-allsensors.img

hint: kernel goes from: 0x40000 - 0x2DA7FF


4. Paste anything else you want into full_img.fex (logos,etc) and pack it back up.​

5. Open up HXD as administrator. Go to open disk and select your sd card. Make sure you take off "read-only". Open this RootFS (or any booting one) with the hex editor. Now go to the sector box and paste in the starting sector you wrote down and then paste the contents of RootFS.​

9/3 - RootFS: http://www.mediafire.com/download/qt0ca9r7i6arrcx/RootFS-9-3-16.hex
10/9 - RootFS: Here
10/30 - 44100 Audio: Here

hint: This is also 2-system.img from the backup scripts.


6. Flash the camera and replace the SD card. You should now be able to boot if you've done things right.​


Caveats and info:
  • You can format the card in camera, it only touches the fat partition.
  • Where is /data? Still in the flash because I'm unable to mount jffs2 on SD. I kept it because otherwise the config won't save and you'll be at default settings every time.
  • Why not EXT2/4 for both? Ext2 works now, exfat too but vold needs fixing. Only have incomplete source code. Primary Partition EXT2 Kernel
  • You have to prepare every new SD card before using it, those are the breaks.
  • If you have problems connect to adb. Logs are in /proc/kmsg ("cat /proc/kmsg") or type logcat.
EXT2 SD Card Layout

ext2.png
 
Last edited:
Depends on what the allwinner is really doing..

I would guess 1080p60 is what you should aim for based on their spec, assuming it has a suitable sensor http://www.allwinnertech.com/en/news/compnews/6041.html

A native video mode @ the highest possible allwinner encoding rate with no processing will ideally give the best results.

Agree, I always prefer native resolutions for best results

Could be the fake 720P sensor too :(.

Always a possibility unfortunately
 
Yea, that's the only doc I found on allwinner v3. It says 1080P but somehow encodes the higher resolutions, whatever the source may be.

The files are:
4k - Bits/(Pixel*Frame) : 0.142
2.7k - Bits/(Pixel*Frame) : 0.257
1080P30 - Bits/(Pixel*Frame) : 0.505
1080P60 - Bits/(Pixel*Frame) : 0.253
720P120 - Bits/(Pixel*Frame) : 0.283
720P60 - Bits/(Pixel*Frame) : 0.569
720P30 -Bits/(Pixel*Frame) : 0.283

Largest amounts of data are in 1080P30 and 720P60


Ok, here is some more info on the image processor... It will read INI files

"/system/etc/hawkview/camera.ini"
"/system/etc/hawkview/bin/"

also isp_tuning_param.ini and a few others. Maybe this can be found and the structure analyzed... they are not present on the image.

and here it is for the wrong type of camera: https://github.com/tank0412/android_vendor_ONDA_kylin_mb976a9-WD/tree/master/system/etc/hawkview

Looks like the INI can edit all of the evil post process values
https://github.com/tank0412/android...tc/hawkview/ov8858_4lane/isp_tuning_param.ini
 
Last edited:
I think this is the first time I've seen an update for an allwinner based camera, they're most often out of public design houses with no support offered
 
Yea, its pulling teeth getting firmware or docs.

New updates:

SDV binary uses the android subsystem to record. There aren't many more settings there than on a phone.
The INI mentioned above are inside the module in a data section so that seems like the best place to attack.

ie:

.data:0000C278 imx179s_1080p60_v3 isp_cfg_pt <imx179s_1080p60_v3_isp_test_settings, \
.data:0000C278 ; DATA XREF: .data:sensor_win_sizeso
.data:0000C278 imx179s_1080p60_v3_isp_3a_settings, \
.data:0000C278 imx179s_1080p60_v3_isp_tuning_settings, \
.data:0000C278 imx179s_1080p60_v3_isp_iso_settings>
.data:0000C288 EXPORT imx179s_1080p60_v3_isp_tuning_settings



My idea is:

1. Edit the module and try to load/unload through linux.

2. If that is not possible I can edit the partition and DD it back, hopefully not bricking the camera. I think the files there are loaded at boot anyways and the file system is RO because of the compressed nature of squashFS.

I should try editing the logos first. Horrible non-realtime process tho.

The modes: http://pastebin.com/dpJdAvrY

All exports : http://pastebin.com/FiS3jgha

Strangely 720P30 and 60 is missing... unless it is default. I have to check.


Default raw sensor is: 3264 x 2448, the pixel binning factor is 1. Some 1080P modes bin and some do not so its kind of a mystery what they are doing. There are 1080P 90FPS settings in there too.



.data:00001830 sensor_default_regs+4, 0, 1> ; "Raw RGB Bayer"
.data:00001844 ; sensor_win_size sensor_win_sizes[22]
.data:00001844 sensor_win_sizes DCD 0xCC0 ; width
.data:00001844 ; DATA XREF: sensor_try_fmt_internal+30o
.data:00001844 ; .text:eek:ff_130o
.data:00001844 DCD 0x990 ; height
.data:00001844 DCD 8 ; hoffset
.data:00001844 DCD 8 ; voffset
.data:00001844 DCD 0xDD8 ; hts
.data:00001844 DCD 0x9C0 ; vts
.data:00001844 DCD 0xFDAD680 ; pclk
.data:00001844 DCD 0x2793D600 ; mipi_bps
.data:00001844 DCD 0x1E ; fps_fixed
.data:00001844 DCD 1 ; bin_factor
 
Last edited:
Tried to flash FS after turning audio files to 0 and get stuck at the logo. Waiting on a recovery program since I can still hold up + power and get to a generic allwinner recovery. Too bad the FEX isn't recognized by allwinner tools like phoenix suit or live suite.

BTW, parts 4 and 5 are just PNG files with some padding at the end.

Another image I found on a youtube for "Q8" camera

https://s3.amazonaws.com/ebayimg.appinthestore.com/milantrend.com/Lisa/full_img.fex

Another with polish flashing instructions:
ftp://ftp.manta.com.pl/firmware/Kamerki/MM357/

The source is out there somewhere: http://www.eefocus.com/cj909815159/blog/16-02/377596_54012.html
 
Last edited:
Thanks.

I compared the partition that I made with 7zip and the original. I had only changed the resources so it must be the camera hanging on the blank startup wav file. I wish I could convert this fex format into an IMG format and continue. The linux sunxi tools see the recovery mode driver but do not support the SOC. All of the windows tools say "invalid image".
 
How do you boot into recovery? I got slightly different F60B cam and it hangs when I try to power on with any other button pressed.
 
Camera off, I hold up button and then hold power button and connect the USB cord. You won't see anything on the screen and get the allwinner standard recovery device: USB\VID_1F3A&PID_EFE8&REV_02;3

All of these cameras don't have a G sensor?

# insmod /system/vendor/modules/bma250.ko

its commented out.
 
Last edited:
Thanx!

All of these cameras don't have a G sensor?

# insmod /system/vendor/modules/bma250.ko

its commented out.

I guess no G sensor as there is no sofware for camera use (EIS).
 
There are Gsensor strings in the SDV program and a config for the sensitivity. In the dmesg it tries to load different drivers but not BMA. My exposure compensation and the hidden contrast setting didn't do anything either though.
 
Yep, I also tried contrast setting with no luck of couple of days ago. It just overwrites on boot.

One more interesting thing is getting script.bin from uboot partition. Managed to extract this file but can't convert it into anything usable.
 
use uberizer to convert from bin to text.

my contrast did not get overwritten at boot but still did nothing.

can't find the script.bin in part0 or part 1
 
Last edited:
fexc tool can't convert that script.bin file for some reason...

It's in mtdblock0 - starting from offset 32000

mtdblock1 (boot) is plain SIMG containing kernel.img
 
You have to use uberizer to convert it, not that tool its too old.

http://pastebin.com/QLmnUAKK

[gsensor_para]
gsensor_used = 1
gsensor_twi_id = 1
gsensor_twi_addr = 0x18
gsensor_int1 =
gsensor_int2 =

[gsensor_list_para]
gsensor_det_used = 1
bma250 = 0
da380 = 1
mma8452 = 0
mma7660 = 0
mma865x = 0
afa750 = 0
lis3de_acc = 0
lis3dh_acc = 0
kxtik = 0
dmard10 = 0
dmard06 = 0
mxc622x = 0
fxos8700 = 0
lsm303d = 0

My Gsensor is DA380
 
Last edited:
You don't have any. EXIF from my stills also says I have something I don't really have :)
 
Back
Top