Mini0801 Hacking (Hardware and Software)

[Tobi@s]

Just finished the first unpacker version. It unpacks the known sections + their headers. PRI and DSP sections can be extracted with an archiver.

Usage:

java -jar fwunpacker.jar path/to/fw.bin
Please use the absoulte filepath (e.g C:\blah\fw.bin)

 

[Tobi@s]

Just finished the first packer version. It calculates the new start/end address for each section and recalculates ist CRC32 checksum. I just compiled a test firmware but unfortunately this is what I got:


So the sections need a specified length. Maybe the length which is included in section header information.. Will try and report back.

 

[Tobi@s]

First success in "compiling" a modified fw file.
mini0801 20131026 rom + procam cx4 filesystem.
No issues so far lol

I am not responsible for any problems that may occur!!!
If some1 wants to try:

 

[MadJawa]

Awesome news! I did not try your modified firmware as the CX4 firmware I tried before bricked my cam. Can you post your java fw packer? That'd be neat

 

[Tobi@s]

I'll post it very soon. First I have try some FS mods and clean my packer code.. You don't really want code like that

        packedFw = new byte[fwheader.length + bst_header.length + bst_section.length + bld_header.length + bld_section.length + pri_header.length + pri_section.length + rfs_header.length + rfs_section.length + dsp_header.length + dsp_section.length];
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        baos.write(fwheader);
        BST.real_start_addr = baos.toByteArray().length;
        bst_header = patchSectionSecurity(BST, bst_header);
        baos.write(bst_header);
        baos.write(bst_section);
        BST.real_end_addr = baos.toByteArray().length -1;
        BLD.real_start_addr = baos.toByteArray().length;
        bld_header = patchSectionSecurity(BLD, bld_header);
        baos.write(bld_header);
        baos.write(bld_section);
        BLD.real_end_addr = baos.toByteArray().length -1;
        PRI.real_start_addr = baos.toByteArray().length;
        pri_header = patchSectionSecurity(PRI, pri_header);

 

[Tobi@s]

If someone wants a stock 20131026 with my sexy bootlogo (different to video) you can try this:

(I am not responsible for what you are doing with this firmware file)

Works fine for me.

Packer will be released soon.

 

[promethian]

Just a quick question, what filename would you use to enable firmware 1026 to see this new firmware when placed in the root of memory.

 

[MadJawa]

Seems to work correctly Did you base it on the GPS + no internal memory firmware? Still can't wait for the packer

Just a quick question, what filename would you use to enable firmware 1026 to see this new firmware when placed in the root of memory.

Try firmware-NO1-SPIF-TB15.bin or firmware-NO1-SPI-TB15.bin

 

[Tobi@s]

Since I don't have the time (school starts again tomorrow and I have to finish a project till friday) to rewrite the packer I'll release the messy-code version. It works fine but is not very OOP nor performant. This code was just plain out of my head and not very planned.


How to use:
1. You need header and section files from fwunpacker v1.0-beta (dl link at the end of this post)
2. run fwpacker.jar using this cmd: java -jar fwpacker.jar
3. Read everything.
4. You'll be prompted to enter your working dir. It is the directory where the header and section files are stored. Enter an absolute path like /home/tobi/bla/unpacked/ or C:\unpacked\
5. The tool prints what it is doing. If you encounter any exceptions please let me know
6. The compiled firmware is located in the working dir named "fwcompiled.bin"
7. Flash the binary and you'll see if it works


fwunpacker v1.0-beta:
fwpacker v0.2-alpha:

Edit: Saw that I forgot to close a few java streams. Just wanted to let you know..

 

[MadJawa]

Seems to work fine, but I did something wrong because it won't boot with my custom FW How did you change the logo.jpg file? evilwombat's tool for packing the romfs expects the file's length to be the same as the original one apparently.

Also, for the packer, use File.separator instead of "\" in fwpacker, as backslashes don't work on Unix (Mac in my case). I had to run it in my windows VM. The fwunpacker works fine on Mac though

 

[Tobi@s]

Ooops.. I used File.separator most of the time but a single time i used "\\"... Fixed. Just redownload it.

To use evilwombats fs updater correctly you have to run the update script with the existing rfs section file since it only copies via dd and seeks to the specific parts of the original file. If you set a new desination file it just copies the files into it but it doesn't create a header.

 

[MadJawa]

Ooops.. I used File.separator most of the time but a single time i used "\\"... Fixed. Just redownload it.

To use evilwombats fs updater correctly you have to run the update script with the existing rfs section file since it only copies via dd and seeks to the specific parts of the original file. If you set a new desination file it just copies the files into it but it doesn't create a header.

Ha that was it, I wasn't updating the original file. It works now! Thank you.

For those who want it, here is the 2013-10-26 firmware with Tobi@s' logo and boot/shutdown sounds removed: http://dl.madjawa.net/20131026-logo-nosound.zip
I just replaced dd's input with /dev/zero for the poweroff/on files

 

[Tobi@s]

Great job mate.. Didn't think about /dev/Zero

Maybe we should create a custom firmware thread

 

[Tobi@s]

I think I just obtained µITRON 4.0 c++ src.
If any dev is interested, drop me a PM.

 

[ryanprins]

Yes, I agree with you. But since the mini0801 is my first dashcam I didn't want to spend much money on it. I also think that the "low-budget" Hardware may restricts the possibilities. Huge changes/features are therefore not posssible. But I hope I'll be able to do some small fs modifications and maybe a MPH firmware.
However I'm probably going to buy a better dashcam in early 2014 - but atm I have no idea which one

I like what your doing! Just a suggestion for your next dashcam: think about gettin one with an a5 or a7 chip in it as thats the brand that gopro uses. there will be more hacking info out there and what you have done here would be applicable to it i would think.

 

[Tobi@s]

Yeah like I wrote somewhere before I'm gonna get a better dcam in early 2014. Need the money for other things at the moment

 

[Tobi@s]

This is the MAKE config of 20131202:
http://pastebin.com/kmbyVRkv

What a shame we don't have the kernel source/the kernel is proprietary

#Thats why its the mph version
1219.USER_DEFNINED_STAMP_VELOCITY_MPH=y

 

[Troon]

Plenty of typos at the end - wonder if that has any effect:

# USER_DEFNINED_STAMP_VELOCITY_NORMAL is not set
# USER_DEFNINED_STAMP_VELOCITY_KM is not set
USER_DEFNINED_STAMP_VELOCITY_MPH=y
# USER_DEFNINED_STAMP_VELOCITY_INT is not set
USER_DEFINDED_MENU=y

ENABLE_TIME_ZOME=y
# USER_DFEINED_SELF_FILENAME is not set

 

[Tobi@s]

yeah, seems like they have trouble with "defined"..
But since the latest release (which included the make config) is an MPH version - and there is USER_DEFNINED_STAMP_VELOCITY_MPH=y - I guess they set it up with the typo

 

[Tobi@s]

I'm browsing through the make config at the moment.. I guess I found some other device names for the mini0801:

# USER_DEFIEND_0801_PROCAM is not set
--> Already known

# USER_DEFIEND_0801_ROYAL is not set
--> ??

# USER_DEFIEND_0801_CHELONG is not set
--> http://chelong.en.alibaba.com/produ...xels_gps_dvr_Ambarella_Mini_0801_car_DVR.html

# USER_DEFIEND_0801_OJOCAM is not set
--> https://www.amazon.com/gp/B00G6UC9MU
# USER_DEFIEND_0801_ROADMAX530 is not set
--> ??

# USER_DEFIEND_0801_ROADMAX600 is not set
--> http://connector.by/catalog/roadmax/vidreg/vr5139.html