Hacking Q3H (allwinner v3 - Camdroid)

@Rodrigo Emedy, since you have a cam with the Sony IMX179s sensor, why don't you try one of the firmwares available on GoPrawn that have the motion detection feature?

I think it would solve your problem with the size of the video files, and you would not be recording useless video without any kind of action.

@NMD, I searched for this motion detection firmware, but could not find it... Anyway, this would not work for what I need.. I read that it takes a few seconds to begin recording.. and the bad people's action is right when they just pass by my car.. so I really need to record this all the time.. it is really fast what they do. :/

@kizwan, if you're right and #0x1E is framerate, it should be 30... so how to know what's the HEX code for like 15, 10 fps? According to my post above about the yi hack, 30fps would be 0x41f0 .. all its codes had 4 digits after 0... and in the sdv file it had 2 or 3 digits.. have you tested it? I was trying to open it in IDA Pro 5 Free, but it came up with an ARM error... I installed the IDA 6 Demo and now it opened, but I really don't know how to find those numbers.. :(
 
You can use trial and error in IDA until you get the FPS you want, or simply use http://armconverter.com/. Copy the HEX value from the Thumb-2 HEX box after you have converted the instruction at that site. Use a HEX editor like HxD to edit the file.

Right now I'm trying to figure out whether I need to fix the checksum after editing the file. This is not something easy for me to figure out myself, unfortunately. I did try the modded firmware with 15FPS & ~16.8Mbps bitRate, but all I get is a welcome-screen boot loop. So there's a checksum that needs fixing, I guess.
 
@NMD, is it normal to get a different 2-system.img (in a HEX compare, though the contents are the same when I extract them) when I run squashfs-make.bat?

When I regenerate my fully working full_img.fex using 3-unfex-refex-scripts (unfex.bat >> squashfs_unmake.bat >> squashfs_make.bat >> refex.bat):
- squashfs_make.bat: generates a different 2-system.img when HEX-compared with the original file, but when extracted, the contents are identical to the original files.
- refex.bat: since squashfs_make.bat generates a different 2-system.img, this therefore also generates a different full_img.fex

The generated firmware (img) is also unusable because it causes a boot loop.
 

I tried to use the Beike (xdv boot logo) 2016-06-04 (shows 20160726) as it has a motion detection feature, and replaced the 0-uboot.img with mine... Result: Black screen and nothing happened.

Just turned it back to the 20161016V2.3, which was working.. :( Still badly need a lower bitrate and framerate... guuuuuyyss!!!
 
Managed to build squashfs-tools from the latest development version from the git repository. This time I'm getting a workable 2-system.img. The attempt to patch 1080p 30FPS to 15FPS was unsuccessful, but the bitRate mod is a success.

15FPS_NOT-SUCCESS 16777216bps_bitRate_SUCCESS.jpg
 
GREAT!! But you did change the framerate, from 30fps to 29.97fps, which is a well-known NTSC framerate..

Can you give us a step-by-step, so I could try those codes on my firmware? For sure, just the bitrate will do the trick, but knowing how to change the framerate will help a lot too.

Congrats, @kizwan !! My best.
 
I'm trying at least to find where to edit, and really... it's a mess here.. there's a lot of that 0x1E in my sdv file... And I still don't get how you can use trial and error to transform the 55mbps to 18mbps... I tried the ARM to HEX, and HEX to ARM... but still don't have any idea how to do it... :(

idaq_2017-02-17_23-13-04.png
 
The trial and error I mentioned earlier refers to changing the HEX value in the Hex View-A tab and seeing the changes in the IDA View-A tab. With http://armconverter.com/ available, we don't need to do this.

If your target is 1920x1080 30FPS, just search for 1920x1080 resolution. 1920 in HEX is 0x780.

image_347.jpg

Even though our cameras are produced by different manufacturers, the code is pretty much similar and sometimes almost identical. Even if we don't understand the assembly language, we can look at the pattern.

Resolution_FPS_bitRate_settings_IDA_Original.jpg

Resolution_FPS_bitRate_settings_IDA.jpg

Regarding FPS, thegamut did mention in his post that the MOVS instruction is FPS. We just need to confirm this by changing the value and seeing whether the FPS does change. If the change we made doesn't stick, we'll likely need to edit libvencoder.so as well. I have not explored this yet. Anyway, 0x1E in decimal is 30. So this is the routine we are looking for, 1920x1080 30FPS.

For bitRate, I pretty much got the clue from thegamut's post: MOV.W R3, #0x3400000, where 0x3400000 is 54525952 in decimal = 54.5Mbps bitRate. Same thing here, I just changed this to see whether this is true.

We use http://armconverter.com/ to convert MOV.W R3, #0x3400000. It is a Thumb mode instruction, so basically just copy the value in the Thumb-2 HEX field at the armconverter.com site. You can confirm this is a Thumb mode instruction by converting MOV.W R3, #0x3400000: you will get 4FF05073 in Thumb-2 HEX, and you should see that the value is identical to the value in the Hex View-A tab in IDA. If you convert 4FF05073 to ARM code (using ARMv7 THUMB), you should get MOV.W R3, #0x3400000. Write down the offset of this instruction, e.g. 0x29422, because you will need to locate it in the HEX editor.

Let's say we want to reduce the bitRate to 0x1000000, which is ~16.7Mbps: just convert it at armconverter.com; MOV.W R3, #0x1000000 == 4FF08073. Open sdv in a HEX editor of your choice, e.g. HxD is free, then go to the offset you wrote down earlier, e.g. 0x29422, then replace 4FF05073 with 4FF08073. Just paste it on top of the original value.

If you get a boot loop after flashing the modded firmware, you can use the latest development version from git. I already compiled it for you. The exe is in squashfs-code\squashfs-tools\bin.
https://drive.google.com/open?id=0B_32SYawOggYT29URFo0YzhBcWM (file too large unfortunately to upload it here)
mirror: http://www.mediafire.com/file/8s3t6hjydu19kp3/squashfs-code.zip
SHA-256: 9A44329C8BADF7EE65E8DD33F9D885E00F2A1E5B3AED02B7F531E83491DBBDE9
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For 32-bit cygwin/windows:-

https://drive.google.com/open?id=0B_32SYawOggYVkQ0TGE3Z19pa2M
mirror: http://www.mediafire.com/file/oo2yyyh6i0uss78/squashfs-code-32-bit.zip
SHA-256: B9D2CD98D1047CC13BD5180E40B09662341BF92DD8BDEE5E88B61DFD565BE72C

You just need to put the squashfs-root folder in the bin folder, the same place where the executable files are, and then run this command:
Code:
mksquashfs.exe squashfs-root 2-system.img -comp xz -Xbcj x86 -noappend -no-recovery -root-owned

Copy the resulting 2-system.img to the 3-unfex-refex-scripts for creating the full_img.fex.

Good luck!
 
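The conversion and hex-editor steps from the post above, done offline, as an added example that is not part of the original thread. It goes beyond the two values in the post by implementing the general Thumb-2 modified-immediate rule for MOV.W (encoding T2); the function names, the sample buffer and its offset 6 are constructed for illustration.

```python
import struct

def thumb_expand_imm(imm12):
    """Expand the 12-bit i:imm3:imm8 field of a Thumb-2 instruction to 32 bits."""
    imm8 = imm12 & 0xFF
    if imm12 >> 10 == 0:                      # replicated-byte forms
        mode = (imm12 >> 8) & 3
        return (imm8, imm8 << 16 | imm8, imm8 << 24 | imm8 << 8, imm8 * 0x01010101)[mode]
    unrot, rot = 0x80 | (imm12 & 0x7F), imm12 >> 7   # 8-bit value rotated right
    return ((unrot >> rot) | (unrot << (32 - rot))) & 0xFFFFFFFF

def encode_mov_w(rd, value):
    """Little-endian bytes of MOV.W Rd, #value, in the order a hex editor shows them."""
    for imm12 in range(0x1000):               # lowest matching field is the canonical one
        if thumb_expand_imm(imm12) == value:
            break
    else:
        raise ValueError(f"{value:#x} does not fit a single MOV.W immediate")
    hw1 = 0xF04F | (imm12 >> 11) << 10
    hw2 = ((imm12 >> 8) & 7) << 12 | rd << 8 | (imm12 & 0xFF)
    return struct.pack("<HH", hw1, hw2)

def decode_mov_w(code):
    """Return (rd, value) for 4 bytes holding MOV.W Rd, #imm; reject anything else."""
    hw1, hw2 = struct.unpack("<HH", code)
    if (hw1 & 0xFBFF) != 0xF04F or hw2 & 0x8000:
        raise ValueError("not a MOV.W Rd, #imm instruction")
    imm12 = ((hw1 >> 10) & 1) << 11 | ((hw2 >> 12) & 7) << 8 | (hw2 & 0xFF)
    return (hw2 >> 8) & 0xF, thumb_expand_imm(imm12)

def patch_mov_w(image, offset, old_value, new_value):
    """Return a patched copy, only if offset really holds MOV.W Rd, #old_value."""
    rd, found = decode_mov_w(image[offset:offset + 4])
    if found != old_value:
        raise ValueError(f"offset {offset:#x} loads {found:#x}, expected {old_value:#x}")
    out = bytearray(image)
    out[offset:offset + 4] = encode_mov_w(rd, new_value)
    return bytes(out)

# Constructed sample: three Thumb NOPs (00 BF), MOV.W R3, #0x3400000, one more NOP.
SAMPLE = bytes.fromhex("00bf00bf00bf" "4ff05073" "00bf")

if __name__ == "__main__":
    print(patch_mov_w(SAMPLE, 6, 0x3400000, 0x1000000)[6:10].hex())
    print(encode_mov_w(3, 0xA00000).hex())
```

The immediate is an 8-bit value rotated into place, so not every bitrate fits: 0xA00000 encodes as 4FF42003 (the second byte changes as well), while 18000000 is rejected because it cannot be loaded with a single MOV.W.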
@kizwan, I managed to get your workflow.. Can't I just edit the 0x3400000 code inside IDA and save from there? What I was missing is just the decimal to hex conversion.. with this, I found resolution, bitrate and framerate.. just need to edit those and compile using your squashfs code. You really enlightened me on how to do this.. the IDA version I was working on wasn't opening it correctly, it was giving a missing ARM processor or something like that..
 
@nutsey I can only get a workable 2-system.img IF I run mksquashfs in the cygwin terminal. If I do it in the Windows command prompt, the 2-system.img is not usable and only causes a boot loop.

I don't think you can edit the HEX and save directly in IDA. I usually use IDA for reference only and edit the file directly using a HEX editor.
 
Do older versions of squashfs-tools show the same results for you?
Just tested right now, yeah, same thing with the older version. I use Windows 10. Probably Windows 10 is messing with mksquash.exe. Good thing it's working in the cygwin environment.
 
@kizwan Thank you for the information. Does it work in 32- or 64-bit cygwin?
 
It is very strange for mksquash.exe not to work in a .bat but to work in the cygwin terminal.

@kizwan, could you just test calling cygwin from a .bat file or from the Windows terminal in this way?
Code:
set PATH=C:\cygwin\bin;%PATH%
bash mksquash ... ... ...
 
mksquashfs.exe does indeed produce a squash image when run in the Windows command prompt, either using the .bat file or running mksquashfs.exe directly. I did try both, as well as with a regular and an elevated (admin) command prompt. However, all of the attempts only produce an unusable squashfs image, likely a corrupted file system. Only when I build the squashfs image in the cygwin terminal do I get a workable image.
 
@kizwan .. I tried your method.. Did everything correctly.. Changed the bitrate from 0x1E00000 to 0x0A00000 (from 31kbps to 10kbps)... ran the mksquashfs.exe inside Cygwin64.. it created the 2-system.img, then the full_img.fex with the refex.bat, and converted it to img and pushed it to the camera with Phoenix.. No boot loop, but not 10kbps either.. all files, from all resolutions, all the same.. just the 4k with 23kbps.. all the rest still with 31kbps..
I tried to change the libvencoder.so as well, but without success..

Any clue?
 
I fixed this problem. I was making a mistake, and just creating the Phoenix image from the same old file in the goprawn.img.dump folder..

But now, making everything right, I got the boot loop. I'm using Cygwin64 running the command:
run mksquashfs.exe squashfs-root 2-system.img -comp xz -Xbcj x86 -noappend -no-recovery -root-owned

And I'm using the mksquashfs.exe that you compiled. :(

I'll try the Cygwin 32bit.. Do I need to install any specific Cygwin package during Cygwin's installation?
 