Mini0801 Hacking (Hardware and Software)

Still no progress on entering ambshell...

But I finally was able to unpack the romfs! :D
Zip archive containing all files.. No idea how to decode the included .bin files (strings/bitmaps/fonts). And it includes some PCM files?
https://drive.google.com/file/d/0B4FRwm9CGCLka0wzekxnckRoMzA/edit?usp=sharing

Update: Hmm eBinder seems to be the solution of my problems.. Unfortunately it is not free. I'd also love to have a look at the A2SDK but I can't find any download links :(
Update 2: Updated the original post.
 
Found some interesting datasheets regarding the used components https://drive.google.com/folderview?id=0B4FRwm9CGCLka21DNXAzUTdmb00&usp=sharing

Maybe I'll find the mentioned JTAG Pins.. Would be great to use my Bus Pirate with it :)


No real hacking progress, but: to prevent more disassembling I replaced the HDMI port with my Serial UART port
hwhack.jpg
 
Do you think it would be possible to replace the logo.jpg and logo_off.jpg files?
If yes, how could I do that on my own device?

Bests,
Beavis
 
It is possible, yes.
But: At the moment I am just able to repack the romfs with custom files but I had no success in creating a flashable binary so far.. Just keep an eye on this thread, I'll post it here once I succeed.
 
Found a way to remove the annoying startup sound yet? Wouldn't it be possible to just replace/noop the place where those sound files are in the firmware file using a hex editor? We'd have to recalculate the proper checksum then, but would that work theoretically?

I'm thinking about just physically disconnecting the speaker since it doesn't serve me any purpose.
 
Well.. I am able to unpack and repack the romfs (with empty boot and shutdown sounds). The main problem is repacking the whole firmware binary. I always get a corrupted header. And I don't understand why there are hex-ff filled spaces between the different parts in the original bin.
Now looking into C programming (never did that before.. just PHP and Java experience) to understand the unpacking algorithm from evilwombat. Once I understand that I should be able to port that to Java - and then I'll be able to create a repacker :D
TLDR: Still WIP.
 
Yey.. some progress :D "Discovered" most parts of the fw Header
fw_header.png


At the moment I'm developing a Java-based fwunpacker. After that I'll do a repacker.
 
Awesome. Thanks for your hard work. Sometimes, I wish that the manufacturer would provide all the tools and leave the development of the firmware open source. That would give the opportunity for some to fix what they can't.
 
personally I'd love to do an open source camera, the source code belongs to the chipset manufacturer though so not something I have a choice in
 
man.. I'd love to get an open sourced dashcam.
GoPro is doing it right. http://gopro.com/support/open-source
 
built on a different platform but there still might be some hints amongst this as there's a possibility (slim chance) of some similarities inherent to the chipset
 
Just finished the first version of the java-based firmware parser.
Features so far: Prints start address, end address, crc32, version, build date, section length, entry address, flag and magic of every known section.

Usage: java -jar fwparser.jar firmware.bin
usage.png


Coming soon:
unpacking feature
repacking feature

I'd love to get some feedback on different build-date firmware versions (If the tool still works with them)

Download: http://straubinger-web.de/mini0801/fwparser.jar
 
Hi Tobias, could you provide a guide for dummies on what you are doing? I am not sure I understand your work but at the same time, I am interested in it.
 
Here is the output on the 24-09-2013 firmware (GPS/no internal memory) (firmware-NO1-SPI-TB15.bin)

Code:
$ java -jar fwparser.jar firmware-NO1-SPI-TB15.bin
Tobi@s' mini0801 firmware parser v0.1-alpha
- - - - - - - - - - - - - - - - -
BST:
    Start:    2048
    End:    18077
    CRC32:    0x8756b57f
    Vers:    0.1
    Build:    24.9.2013
    Length:    15773
    Entry:    0xc0100000
    Flag:    0x0
    Magic:    0xa324eb90

BLD:
    Start:    18432
    End:    144096
    CRC32:    0x7e371fe3
    Vers:    1.3
    Build:    24.9.2013
    Length:    125408
    Entry:    0xc0000000
    Flag:    0x0
    Magic:    0xa324eb90

PRI:
    Start:    145408
    End:    1826756
    CRC32:    0x50548124
    Vers:    0.1
    Build:    24.9.2013
    Length:    1681092
    Entry:    0xc0100000
    Flag:    0x2
    Magic:    0xa324eb90

RFS:
    Start:    1826816
    End:    3774720
    CRC32:    0x4f1ebfa1
    Vers:    2.0
    Build:    24.9.2013
    Length:    1947648
    Entry:    0x00000000
    Flag:    0x1
    Magic:    0xa324eb90

DSP:
    Start:    3776512
    End:    4175747
    CRC32:    0xfc5391d5
    Vers:    1.0
    Build:    24.9.2013
    Length:    398979
    Entry:    0xc34fffb0
    Flag:    0x2
    Magic:    0xa324eb90

- - - - - - - - - - - - - - - - -
Thanks to evilwombat

Can't wait for the packer/unpacker. Don't hesitate if you need any help, I know C as well as Java
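
Added example, not part of any post in this thread and not the fwparser code: a Python sketch that walks an image section by section using what the output above implies (End minus Start is Length plus 256 for every section, every Start is a multiple of 2048, magic 0xa324eb90). The field packing (seven little-endian 32-bit words in the printed order), a standard CRC-32 over the payload only, and the 0xFF gap fill are assumptions; the sample image is constructed.

```python
import struct
import zlib

MAGIC = 0xA324EB90   # printed for every section in the posted output
HEADER_LEN = 256     # End - Start - Length for every section in that output
ALIGN = 2048         # every Start in that output is a multiple of 2048
# ASSUMPTION: seven little-endian u32 words in the order the parser prints them.
HDR = struct.Struct("<7I")  # crc32, version, build, length, entry, flag, magic

def build_image(payloads):
    """Constructed sample image: 0xFF lead-in, then aligned header+payload sections."""
    img = bytearray(b"\xff" * ALIGN)
    for data in payloads:
        hdr = HDR.pack(zlib.crc32(data), 0, 0, len(data), 0, 0, MAGIC)
        img += hdr.ljust(HEADER_LEN, b"\x00") + data
        img += b"\xff" * (-len(img) % ALIGN)   # pad to the next 2048-byte boundary
    return bytes(img)

def scan(image):
    """Walk aligned offsets; report bounds, CRC and padding state per section."""
    found, pos = [], 0
    while pos + HEADER_LEN <= len(image):
        crc, _ver, _build, length, _entry, _flag, magic = HDR.unpack_from(image, pos)
        end = pos + HEADER_LEN + length
        if magic != MAGIC or end > len(image):
            pos += ALIGN                       # no complete section at this offset
            continue
        nxt = -(-end // ALIGN) * ALIGN         # round the end up to the alignment
        gap = image[end:nxt]
        found.append({
            "start": pos, "end": end, "length": length,
            # ASSUMPTION: standard CRC-32 over the payload only, header excluded
            "crc_ok": zlib.crc32(image[pos + HEADER_LEN:end]) == crc,
            "pad_ok": gap.count(0xFF) == len(gap),
        })
        pos = max(nxt, pos + ALIGN)
    return found

def flip_byte(image, offset):
    """Return a copy with one byte inverted, i.e. a patch without a CRC update."""
    patched = bytearray(image)
    patched[offset] ^= 0xFF
    return bytes(patched)

# Constructed payloads; only the lengths (BST and BLD) come from the posted output.
SAMPLE = build_image([(bytes(range(256)) * 62)[:15773], b"\x5a" * 125408])

if __name__ == "__main__":
    for section in scan(SAMPLE) + scan(flip_byte(SAMPLE, 2048 + HEADER_LEN + 10)):
        print(section)
```

With the BST and BLD lengths from the output, the computed bounds come out as 2048 to 18077 and 18432 to 144096, and the image ends at 145408, where PRI starts in the real file.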
 
What exactly should I explain in more detail?

Glad it works. And good to know that there are other Java devs :D
 
Hi Tobias, I would like to know what you expect the end goal to be and, in a few words, how you plan to achieve it?

Your work seems very interesting and I would like to get a better idea of the big picture of your project.

Thanks.
 
I'm not really sure where this is leading to.. On the hardware side I'm thinking of "root-access" (access to ambarella root shell via serial port or usb - equivalent to windows cmd but more powerful) and Access to the GPIOs
Whilst on the software side I'm thinking about custom firmwares.
 
I think it's good that you're having a go at this, possibly a good learning experience, but I think you're going to be somewhat restricted by the hardware. It would be good if you had a model that had more system resources; the hardware for this model is quite limited.
 
Yes, I agree with you. But since the mini0801 is my first dashcam I didn't want to spend much money on it. I also think that the "low-budget" hardware may restrict the possibilities. Huge changes/features are therefore not possible. But I hope I'll be able to do some small fs modifications and maybe a MPH firmware.
However I'm probably going to buy a better dashcam in early 2014 - but atm I have no idea which one
 