Mini0801 Hacking (Hardware and Software)

I think I finally found out why I can't access the RTOS shell Interface (ambsh). A2 chipsets only support 1 UART channel. Since the dashcam has GPS (which uses a serial connection -> UART) it needs to switch to GPS "channel": BAUD 9600. But: The debugging interface uses 115200.

Some information I collected on this (from the A2SDK):

Code:
#define GPS_UART_GPIO  GPIO(35)
Code:
Select the UART baud rate under the RTOS. By default 115200 is for UART debug.
9600 is for GPS UART communication.
Code:
printk("Set GPS_UART_GPIO to high in order to use GPS USB-UART interface.");
printk("Set GPS_UART_GPIO to low to disable GPS USB-UART interface.");
Code:
printk("Before start recording video, set GPS_UART_GPIO to high in order to use GPS USB-UART interface.");
printk("Before start recording video, set GPS_UART_GPIO to high in order to use GPS USB-UART interface.");

Need to figure out how to find GPIO 35

Edit: Just tried NO-GPS Firmware - what shall I say.. I'm in :D

Edit 2:
uname-like command: ver
Code:
Output:
  prkapp: zhoujie@E-WELLY Sat Mar 8 14:17:58 HKT 2014
  prkv4: cychen@jingaysen Mon Nov 16 16:00:48 CST 2009
  prfile2: kfchen@jingaysen Wed Apr 7 19:47:32 CST 2010
  prusb: cychou@trovatore Wed Aug 11 16:50:01 CST 2010
  bondopt: cychen@jingaysen Fri Sep 14 11:25:15 CST 2012

Edit 3:
GPIO dump:
Code:
gpio0:  HW 1
gpio1:  HW 1
gpio2:  HW 1
gpio3:  HW 0
gpio4:  HW 0
gpio5:  HW 1
gpio6:  HW 1
gpio7:  SW 1
gpio8:  HW 0
gpio9:  HW 1
gpio10:  SW 1
gpio11:  HW 1
gpio12:  HW 0
gpio13:  HW 0
gpio14:  HW 1
gpio15:  HW 1
gpio16:  HW 0
gpio17:  HW 0
gpio18:  HW 0
gpio19:  HW 0
gpio20:  HW 0
gpio21:  HW 0
gpio22:  HW 0
gpio23:  HW 0
gpio24:  HW 0
gpio25:  HW 0
gpio26:  HW 0
gpio27:  HW 0
gpio28:  HW 0
gpio29:  HW 0
gpio30:  HW 1
gpio31:  HW 0
gpio32:  HW 0
gpio33:  HW 0
gpio34:  HW 0
gpio35:  HW 0
gpio36:  SW 1
gpio37:  HW 0
gpio38:  SW 0
gpio39:  SW 0
gpio40:  SW 1
gpio41:  SW 1
gpio42:  HW 0
gpio43:  SW 0
gpio44:  HW 0
gpio45:  SW 1
gpio46:  SW 0
gpio47:  SW 0
gpio48:  HW 1
gpio49:  SW 0
gpio50:  HW 0
gpio51:  SW 1
gpio52:  HW 0
gpio53:  HW 0
gpio54:  HW 0
gpio55:  HW 0
gpio56:  HW 0
gpio57:  HW 0
gpio58:  SW 1
gpio59:  HW 0
gpio60:  HW 0
gpio61:  HW 0
gpio62:  HW 0
gpio63:  HW 0
gpio64:  SW 1
gpio65:  HW 0
gpio66:  HW 0
gpio67:  HW 0
gpio68:  HW 0
gpio69:  HW 0
gpio70:  HW 0
gpio71:  HW 0
gpio72:  HW 0
gpio73:  HW 0
gpio74:  HW 0
gpio75:  HW 0
gpio76:  HW 0
gpio77:  HW 0
gpio78:  HW 0
gpio79:  HW 0
gpio80:  HW 0
 
I was able to clone the eeprom 0, maybe this could get handy some time.
https://drive.google.com/file/d/0B4FRwm9CGCLkMUx6dVkwR081NlU/edit?usp=sharing
EEPROM size is exactly 8 MiB and there are two of them but only one holds data.

I am also trying to find out which GPIO does what, added a listener to every GPIO of all 81. The strange thing is that I was able to discover the functions of only 4 of them.
GPIO 38: Power (button)
GPIO 43: Blue LED (LOW = on, HIGH = off)
GPIO 41: Screen ****up (well.. it really ****s up everything on the Display)
GPIO 49: Screen on/off. (HIGH = on, LOW = off)

+already known GPIO 35: GPS UART CHANNEL

Really no idea how the other Buttons are handled but they don't seem to be attached to GPIO 0 - 80.

EDIT: According to the yamaha datasheet this is the GPIO description:
edit:---see two Posts below (directly from sdk)
 
There's only 4 buttons on the mini 0801, so a 2x2 key pad matrix wouldn't save any GPIO processor pins. Likely all buttons are connected to separate processor pins.
 
Yeah I think so, too. But I can't find out which io pins are used for the keys

edit: GPIO definitions from A2 SDK
Code:
/************************/
/* GPIO pins definition */
/************************/
IDC_CLK GPIO(0)
IDC_DATA GPIO(1)
SSI0_CLK GPIO(2)
SSI0_MOSI GPIO(3)
SSI0_MISO GPIO(4)
SSI0_EN0 GPIO(5)
SSI0_EN1 GPIO(6)
VD_HVLD GPIO(7)
VD_VVLD GPIO(8)
STRIG0 GPIO(9)
STRIG1 GPIO(10)
TIMER0 GPIO(11)
TIMER1 GPIO(12)
TIMER2 GPIO(13)
UART0_TX GPIO(14)
UART0_RX GPIO(15)
VD_PWM0 GPIO(16)
/* There is no GPIO(17) */
VD_OUT6 GPIO(18)
VD_OUT7 GPIO(19)
VD_OUT8 GPIO(20)
VD_OUT9 GPIO(21)
VD_OUT10 GPIO(22)
VD_OUT11 GPIO(23)
VD_OUT12 GPIO(24)
VD_OUT13 GPIO(25)
VD_OUT14 GPIO(26)
VD_OUT15 GPIO(27)
SD12 GPIO(28)
SD13 GPIO(29)
SD14 GPIO(30)
SD15 GPIO(31)
CF_CD2 GPIO(32)
VD_SPL GPIO(33)
VD_VCOMAC GPIO(34)
IR_IN GPIO(35)
STSCHG GPIO(36)
CF_PULL_CTL GPIO(37)
CF_PWRCYC GPIO(38)
FL_WP GPIO(39)
SC_A0 GPIO(40)
SC_A1 GPIO(41)
SC_A2 GPIO(42)
SC_A3 GPIO(43)
SC_A4 GPIO(44)
SC_B0 GPIO(45)
SC_B1 GPIO(46)
SC_B2 GPIO(47)
SC_B3 GPIO(48)
SC_B4 GPIO(49)
SC_C0 GPIO(50)
SC_C1 GPIO(51)
SC_C2 GPIO(52)
SC_C3 GPIO(53)
SC_C4 GPIO(54)
SD16 GPIO(55)
SD17 GPIO(56)
SD18 GPIO(57)
SD19 GPIO(58)
A17 GPIO(18)
A18 GPIO(19)
A19 GPIO(20)
A20 GPIO(21)
A21 GPIO(22)
A22 GPIO(23)
I2S_SO_2 GPIO(40)
I2S_SI_2 GPIO(41)
I2S_WS_2 GPIO(42)
I2S_CLK_2 GPIO(43)
PWM1 GPIO(45)
PWM2 GPIO(46)
NAND_CE1 GPIO(47)
SSIO_EN2 GPIO(48)
SSIO_EN3 GPIO(49)
NAND_CE2 GPIO(52)
NAND_CE3 GPIO(53)

//A2 specific
SMIO_2 GPIO(64)
SMIO_3 GPIO(65)
SMIO_4 GPIO(66)
SMIO_5 GPIO(67)
SD1_CD GPIO(67)
SMIO_6 GPIO(68)
SMIO_38 GPIO(69)
SMIO_39 GPIO(70)
SMIO_40 GPIO(71)
SMIO_41 GPIO(72)
SMIO_42 GPIO(73)
SMIO_43 GPIO(74)
SMIO_44 GPIO(75)
SMIO_45 GPIO(76)
I2S_WS GPIO(77)
I2S_CLK GPIO(78)
I2S_SO GPIO(79)
I2S_SI GPIO(80)
CLK_AU GPIO(81)
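
Cross-referencing the GPIO dump with the pin functions found so far, as an added example that is not part of the original posts. It assumes `SW` marks a pin under software GPIO control and `HW` a pin left to its hardware function (the thread does not define the two labels); `DUMP_EXCERPT`, `OBSERVED` and the function names are made up for illustration.

```python
import re

# Excerpt (gpio35..gpio49) of the dump posted earlier in the thread.
DUMP_EXCERPT = """
gpio35:  HW 0
gpio36:  SW 1
gpio37:  HW 0
gpio38:  SW 0
gpio39:  SW 0
gpio40:  SW 1
gpio41:  SW 1
gpio42:  HW 0
gpio43:  SW 0
gpio44:  HW 0
gpio45:  SW 1
gpio46:  SW 0
gpio47:  SW 0
gpio48:  HW 1
gpio49:  SW 0
"""
# Pin functions reported in the thread (35 comes from the SDK define).
OBSERVED = {35: "GPS UART channel", 38: "power button", 41: "display glitch",
            43: "blue LED", 49: "screen on/off"}
LINE_RE = re.compile(r"gpio(\d+):\s+(HW|SW)\s+([01])")

def parse_dump(text):
    """Return {pin: (mode, level)}; reject lines that do not fit the format."""
    pins = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised dump line: {line!r}")
        pins[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return pins

def observed_modes(pins, observed=OBSERVED):
    """Mode of each pin whose function is already known."""
    return {p: pins[p][0] for p in sorted(observed) if p in pins}

def unexplained_sw_pins(pins, observed=OBSERVED):
    """SW-mode pins with no known function yet: the ones left to probe."""
    return sorted(p for p, (mode, _) in pins.items()
                  if mode == "SW" and p not in observed)

PINS = parse_dump(DUMP_EXCERPT)
print(observed_modes(PINS))
print(unexplained_sw_pins(PINS))
```

In this excerpt the four pins with observed behaviour (38, 41, 43, 49) are all in SW mode, while gpio35 is in HW mode.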
 
This is the difference the NOGPS and GPS Firmware configs have:

Note config is from GPS enabled fw, nogps fw doesn't have this config
Code:
#
# Uart Devices
#
USER_DEFINED_ENABLE_UART_DEVICES=y
USER_DEFINED_ENABLE_GPS=y
USER_DEFINED_GPS_CHANNEL=0
# USER_DEFINED_GPS_PLUGGABLE is not set
# USER_DEFINED_GPS_POWER_CONTROL is not set


Edit: Gonna fry some eggs now. Overclocked the device to 324 MHZ (that's over 100MHZ more than stock freq 216) :D
 
That's funny right there! What's next, liquid cooling?
More seriously, what's the OC benefit? Higher transfer speeds when writing files, maybe?
 
I think there's no benefit. I just try whatever is possible cause I have nothing to lose (camera crashes every time it should auto-poweroff when using it in the car + recording a video).
Also everything above 300MHZ is very unstable. I get random bugs like these; :D
 
No progress in "hacking" but something I wanted to share: I got a new 0801 a few weeks ago and planned not to mess around with it. Well...... I still managed to brick it by flashing a corrupted rtos image :rolleyes:

"No problem" I thought, "Just unbrick it using Direct USB". But I was unable to flash any elf onto it. I was able to connect it to Direct USB and transmit the data but nothing happened afterwards. Direct USB told me that it was unable to start the bootloader. I had (and still have) no idea what's going on there.

So I had to solder a UART converter onto the PCB to enter the amboot shell. In this shell I loaded a working rtos image into the memory and executed it and flashed a working firmware.
Afterwards I entered the usbdl mode again (but this time I started it from amboot) and was able to flash via DirectUSB.

Summary:
  • usbdl mode started from amboot works on this device
but
  • usbdl mode through connecting it with a burning cable and start it via Direct USB didn't work.

The cable is working well with my second "not working" 0801..
 
I am afraid I have a similar situation. After a few days trying to unbrick via direct usb - no luck. So I might need to try your way.
 
pretty easy, after having access to the bootloader shell it takes max ~5 minutes.
3 minutes of transferring the rtos image via XMODEM protocol
10 seconds to exec the transferred image at address 0xc0100000
~2 minutes to flash a new firmware
 
Easy for hacker like you ;)
 
Well you just need to solder 3 cables to very small soldering pads, that's the hardest part :p
 
btw, I successfully changed exposure metering table and bitrate (from 10 vbr to 16 vbr) :)
 
Don't wait and tell me what you did ^^
I already searched in the whole PRI section for possible values but I never found anything xD
 
Do you know that our (mini0801) PRI section is actually a zip archive?)
 
Yeah it is a gzip and contains a file called prkapp_release.bin
 
Well you just need to solder 3 cables to very small soldering pads, that's the hardest part :p

Thanks for tips. I have to find magnifier and try it out.
 
Correct :)

Then you can find the exposure metering table (3 tables) by searching for "01010101010101010"

That's what the metering table looks like (center, average, spot; 3 tables)

01 01 01 01 01 01 01 01 01 01 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 00 00 00 00 00 00 00
01 01 01 01 01 02 02 01 01 01 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 00 00 00 00 00 00 00
01 01 01 01 02 03 03 02 01 01 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 01 01 00 00 00 00 00
01 01 01 02 03 05 05 03 02 01 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 01 03 03 01 00 00 00 00
01 01 01 02 03 05 05 03 02 01 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 01 03 03 01 00 00 00 00
01 01 02 03 04 05 05 04 03 02 01 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 01 01 00 00 00 00 00
01 02 03 04 04 04 04 04 04 03 02 01 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 00 00 00 00 00 00 00
02 03 04 04 04 04 04 04 04 04 03 02 - 01 01 01 01 01 01 01 01 01 01 01 01 - 00 00 00 00 00 00 00 00 00 00 00 00


Search for "000080400000804000008040" - that's the beginning of the bitrate values. Not sure which values are ours, so I've changed all of them (36 values)
I think ours is 00002041 (10mbs) or 00000041 (8mbs).
In the SDK these values look like (don't have it at work, so can't tell exactly)
15 12 10 (for different quality (some devices allow to choose).

So, I think ours is the 3rd line:
000040410000202100000041

And of course be very careful when building your firmware :)
 
Thanks for sharing!

Don't have access to the SDK at the moment, either. I always looked for values like dec10485760 or 0xA00000(10mbps),etc but never found them.
Can you tell me why 00002041 are 10mbps? I don't get it right now :S
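
Decoding the hex strings quoted above, as an added example that is not part of the original posts. It assumes the values are stored as little-endian IEEE-754 single-precision floats in Mbit/s, which is consistent with 00002041 and 00000041 being given as 10 and 8; `SAMPLE` is a constructed blob, not a firmware dump, and the function names are made up for illustration.

```python
import struct

MARKER = bytes.fromhex("000080400000804000008040")  # search string from the post

def decode_le_floats(hex_text):
    """Decode a hex string as consecutive little-endian IEEE-754 singles."""
    raw = bytes.fromhex(hex_text)
    if len(raw) % 4:
        raise ValueError("length is not a multiple of 4 bytes")
    return [v for (v,) in struct.iter_unpack("<f", raw)]

def encode_le_float(value):
    """Hex form of one value as it would appear in the blob."""
    return struct.pack("<f", value).hex()

def find_rate_table(blob, marker=MARKER, lo=1.0, hi=64.0):
    """Locate the marker, then decode floats while they look like Mbit/s."""
    start = blob.find(marker)
    if start < 0:
        return None, []
    values = []
    for off in range(start, len(blob) - 3, 4):
        (v,) = struct.unpack_from("<f", blob, off)
        if not (lo <= v <= hi):  # NaN also fails this comparison
            break
        values.append(v)
    return start, values

# Constructed sample: padding, the marker (3 x 4.0), then 12/10/8,
# then trailing bytes that are not a plausible rate.
SAMPLE = (b"\xff" * 6 + MARKER
          + struct.pack("<3f", 12.0, 10.0, 8.0) + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    print(decode_le_floats("00002041"), decode_le_floats("00000041"))
    # The third line exactly as typed in the post (middle group is 00002021).
    print(decode_le_floats("000040410000202100000041"))
    print(encode_le_float(16.0))
    print(find_rate_table(SAMPLE))
```

Under this reading the search string is three copies of 4.0, and the middle group of the third line as typed (00002021) does not decode to a plausible rate, whereas 00002041 decodes to 10.0.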
 