EliasKotlyar / Xiaomi-Dafang-Hacks


Xiaofang with ARM Processor bricked #1855

Open cablesky opened 1 year ago

cablesky commented 1 year ago

Hello,

I bricked my Xiaofang camera with an ARM chip by following the instructions on https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/flashinguboot.md. Unfortunately, I realized too late that this hack is only applicable to Ingenic T20 processors.

Now, when I connect to the camera's serial interface, it only displays "<<" and "hw:x", sometimes "sf:err" as well. I can still enter commands, but there is no response.

Since I've read that flashing the uboot bootloader by EliasKotlyar is not possible on ARM processor models, I wanted to ask if there's anything else I can do or if I have to consider this as a lesson learned.

Thank you in advance for your responses!

Martin

c--- commented 1 year ago

I don't know anything about the Arm versions but typically with the Ingenic versions the flash memory is an external chip. If "bricked" you can connect directly to that chip and write whatever is needed. Depending on the circuit design you may have to remove the chip or at least disconnect its ground and power legs so you can power it without powering anything else on the board.

Something similar to: https://github.com/Dafang-Hacks/spiflasher

Chips can be flashed via a variety of methods like an Arduino or dedicated device.

If the flash is internal to the Arm chip there may still be a way to do something similar except directly on the microcontroller.

Of course you will need a working flash image to write. Maybe extracted from a firmware update or something else for the MCU.

cablesky commented 1 year ago

Thank you for the tips. Can you give me more info about "flashing nand chips with arduino"? I googled it but didn't find anything useful...

The big problem is finding a suitable image for ARM-based Xiaofang cameras. Then I could also get a Nand flasher for 4 euros on ebay ;-)

If anyone knows of another option, please let us know!

Thank you!

Greetings, Martin

c--- commented 1 year ago

frser-duino is compatible with the flashrom utility

There are utilities for doing it from a Raspberry too

cablesky commented 1 year ago

Super, thank you!!!!

I had created a dump before flashing /dev/mtd0. The dump is called dump-mtd0.bin. There are different "partitions" on the chip. mtd0 is - as far as I know - the boot partition.

It should be possible to save only the boot "partition" with my dump back to the chip - right?

The partition table is available at https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/firmware-dump.md. What should my flashrom command look like so that I can only flash the boot partition?

Instructions are available at https://github.com/Dafang-Hacks/spiflasher. But if I only want to flash the boot partition - how would I have to change the "dd if=/dev/zero of=fullflash.bin bs=1 count=1 seek=16777215" command?

Thanks again :)

c--- commented 1 year ago

I don't know if the Arm partition map is the same but the layout for flashrom is here: https://github.com/Dafang-Hacks/spiflasher/blob/master/rom.layout

The commands should be similar to those spiflasher instructions. Basically you need to resize your dump-mtd0.bin image file to the size of the flash chip (16MB in the example). That's what the dd command does. Then when using flashrom specify the --layout and --image boot options and it will only write the boot portion.

Obviously keep a backup of the original dump-mtd0.bin. You might have to play with flashrom to see which chip you actually have and its size. If the size isn't 16MB then the partition map won't be correct. Make a full dump/read backup of the chip before writing to it too. Keep all this so if something goes wrong you can put it back.

Another way to do it is to make a full copy of the chip to a file then write your bootloader to the front of that image (eg. dd if=dump-mtd0.bin of=fulldump.bin conv=notrunc) then write that whole modified fulldump.bin image back to the chip and you won't need the layout or --image options.

Make sure to use the proper voltage for your particular flash chip. Most are only 3.3V while Arduinos tend to be 5V. Most Arduinos can run at 3.3V; otherwise you need to level-convert all the I/O between 5V and 3.3V.
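The two image-preparation approaches described above (pad the mtd0 dump to the chip size and write only the boot region with --layout/--image, or overlay the dump onto a full read and write the whole thing back) can be rehearsed and checked on plain files before a single byte goes to the chip. The script below is an added example, not code from the issue, the Xiaomi-Dafang-Hacks repository or the spiflasher project. Its sizes are constructed and scaled down (a 1 MiB "chip" with a 256 KiB boot partition instead of 16 MiB; the real offsets come from the linked rom.layout), the image contents are random stand-ins, and the serial device path and baud rate in the echoed flashrom commands are assumptions.

```shell
#!/bin/sh
# Added rehearsal script (not from the issue or the spiflasher project).
# Builds constructed stand-ins for the full chip read and the earlier
# /dev/mtd0 backup, applies both recovery approaches, and verifies the
# result byte-for-byte so that a wrong offset is caught before flashing.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CHIP_SIZE=$((1024 * 1024))      # constructed: the real chip is 16 MiB (16777216 bytes)
BOOT_SIZE=$((256 * 1024))       # constructed: take the real value from rom.layout
FULL="$WORKDIR/fulldump.bin"    # stands in for the full read of the chip
BOOT="$WORKDIR/dump-mtd0.bin"   # stands in for the earlier /dev/mtd0 backup

# Constructed fixtures: random bytes, so a misplaced region cannot pass by accident.
make_fixtures() {
  head -c "$CHIP_SIZE" /dev/urandom > "$FULL"
  head -c "$BOOT_SIZE" /dev/urandom > "$BOOT"
}

# Approach 1 (spiflasher style): grow the boot dump to the chip size so flashrom
# accepts it, then write only the "boot" region via --layout/--image. The padding
# is never written, so zero padding is fine; conv=notrunc just keeps the copy intact.
pad_to_chip_size() {
  cp "$BOOT" "$WORKDIR/padded.bin"
  dd if=/dev/zero of="$WORKDIR/padded.bin" bs=1 count=1 \
     seek=$((CHIP_SIZE - 1)) conv=notrunc 2>/dev/null
  # Layout file in flashrom's "start:end name" form, with the scaled-down addresses.
  printf '0x%08x:0x%08x boot\n0x%08x:0x%08x rest\n' \
     0 $((BOOT_SIZE - 1)) "$BOOT_SIZE" $((CHIP_SIZE - 1)) > "$WORKDIR/rom.layout"
}

# Approach 2: overlay the boot dump onto the front of the full read and write the
# whole image back; no layout file needed. conv=notrunc keeps the rest of the image.
overlay_boot() {
  cp "$FULL" "$WORKDIR/modified.bin"
  dd if="$BOOT" of="$WORKDIR/modified.bin" conv=notrunc 2>/dev/null
}

# Succeeds when the first BOOT_SIZE bytes of image $1 equal the boot dump.
boot_region_matches() {
  dd if="$1" bs=1024 count=$((BOOT_SIZE / 1024)) 2>/dev/null > "$WORKDIR/head.bin"
  cmp -s "$WORKDIR/head.bin" "$BOOT"
}

# Succeeds when everything after the boot region in $1 is identical to $2.
rest_region_matches() {
  dd if="$1" bs=1024 skip=$((BOOT_SIZE / 1024)) 2>/dev/null > "$WORKDIR/tail_a.bin"
  dd if="$2" bs=1024 skip=$((BOOT_SIZE / 1024)) 2>/dev/null > "$WORKDIR/tail_b.bin"
  cmp -s "$WORKDIR/tail_a.bin" "$WORKDIR/tail_b.bin"
}

image_size() { wc -c < "$1" | tr -d ' '; }

rehearse() {
  make_fixtures
  pad_to_chip_size
  overlay_boot
  [ "$(image_size "$WORKDIR/padded.bin")" -eq "$CHIP_SIZE" ]
  boot_region_matches "$WORKDIR/padded.bin"
  [ "$(image_size "$WORKDIR/modified.bin")" -eq "$CHIP_SIZE" ]
  boot_region_matches "$WORKDIR/modified.bin"
  rest_region_matches "$WORKDIR/modified.bin" "$FULL"
  echo "both images verified in $WORKDIR"
  # Hardware steps, printed rather than run: serprog is the protocol frser-duino
  # speaks; the device path and baud rate are assumptions for your setup.
  echo "flashrom -p serprog:dev=/dev/ttyUSB0:115200 -l $WORKDIR/rom.layout -i boot -w $WORKDIR/padded.bin"
  echo "flashrom -p serprog:dev=/dev/ttyUSB0:115200 -w $WORKDIR/modified.bin"
}

rehearse
```

Run it as-is to see both images pass; changing BOOT_SIZE or the overlay offset makes a check fail, which is the point of rehearsing on files first. On the real chip the same two checks apply after a full read-back: compare the boot region against dump-mtd0.bin and the rest against the pre-write backup.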

cablesky commented 1 year ago

@c--- hello c!

I want to say a big thank you to you! With your help I was finally able to save the camera! I sat on it for several hours - but it worked! What did I do? Desoldered the nand ram and connected the nand chip to an Arduino Mini Pro as described in the following instructions (https://www.flashrom.org/Arduino_flasher_3.3v). Of course, I flashed the Arduino Mini Pro with frser-duino beforehand. Then, as you described, I first read out the chip completely. I still had the backup of mtd0. I put the mtd0 backup in the bin file of the whole chip with the command from you (dd if=dump-mtd0.bin of=fulldump.bin conv=notrunc). Then soldered the chip back in (I tore off a solder pad, which I repaired with enameled copper wire). Then turned on the camera - and cheered! It runs! Performed a hard reset and installed Fang Hack. Now it's working again. And I learned a lot in the process! Thanks again for your help! TOP!!

c--- commented 1 year ago

Really great to see you figured it out and saved more electronics from the landfill. :)