OpenIPC / coupler

Seamless transition between video cameras firmware
MIT License

Gk7205V300: locked bootloader #4

Closed multiple1 closed 2 years ago

multiple1 commented 2 years ago

Hello! I tried to flash a Gk7205V300 + imx335 cam, but uboot is locked and asks for a Password: after the startup is stopped with Ctrl+C. Is this password already leaked?

I already dumped the raw flash. uboot is compressed, I extracted uboot.bin and hopefully there is a hardcoded password somewhere.

Otherwise, is the only way to replace the original uboot? Erasing the whole flash and programming this binary? https://github.com/OpenIPC/coupler#gk7205v300--imx335

dimerr commented 2 years ago

Hi, unfortunately the vendor decided to password-protect uboot, and unlike some 1-day brands the password isn't stored in cleartext. There's a hash and hashing functions inside...

You can change uboot to ours; it should be possible from within OpenIPC, like:

flashcp -v u-boot.bin /dev/mtd0
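A pre-flight check for the flashcp step above, as an added example that is not part of the original thread or OpenIPC's own code: it looks up the target partition in a /proc/mtd-style table and refuses an image that is missing, empty, or larger than the partition. The function names and the sample partition table are constructed for illustration and were not read from the cameras discussed here.

```shell
#!/bin/sh
# Added example: sanity-check a bootloader image before writing it with flashcp.

# Write a constructed /proc/mtd-style table to file $1 (sample data, not a real device).
write_sample_table() {
    cat > "$1" <<'EOF'
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00010000 00010000 "env"
mtd2: 00200000 00010000 "kernel"
EOF
}

# Print "<dev> <size_in_bytes>" for the partition named $1 in table file $2.
mtd_lookup() {
    name=$1; table=${2:-/proc/mtd}
    while read -r dev size _erase label; do
        [ "$label" = "\"$name\"" ] || continue
        echo "${dev%:} $((0x$size))"   # sizes in /proc/mtd are hexadecimal
        return 0
    done < "$table"
    return 1
}

# Return 0 if IMAGE fits the partition; 1 = bad image, 2 = no partition, 3 = too big.
preflight() {
    image=$1; name=${2:-boot}; table=${3:-/proc/mtd}
    [ -s "$image" ] || { echo "FAIL: $image is missing or empty"; return 1; }
    info=$(mtd_lookup "$name" "$table") || { echo "FAIL: no partition \"$name\""; return 2; }
    dev=${info% *}; part_size=${info#* }
    img_size=$(($(wc -c < "$image")))
    if [ "$img_size" -gt "$part_size" ]; then
        echo "FAIL: $image ($img_size bytes) exceeds /dev/$dev ($part_size bytes)"
        return 3
    fi
    echo "OK: $image ($img_size bytes) fits /dev/$dev \"$name\" ($part_size bytes)"
    echo "write with: flashcp -v $image /dev/$dev"
}
```

On a device, `preflight u-boot.bin` reads the live /proc/mtd; the listing also shows whether the environment lives in its own partition or inside the one being overwritten.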

multiple1 commented 2 years ago

Thanks for the info. I flashed the cam via the ipcam web interface using the provided openipc binary. It is strange that they lock the bootloader but allow unsigned binary updates...

TimelessNL commented 1 year ago

Hi @multiple1,

Seems I'm in the same boat: I've bought this camera with a 5MP sensor, which is based upon the GK7205V300 + Sony IMX335 as well, with PCB markings BLK16EV3.

I did find a possible matching firmware for these cameras here (github link), yet when I binwalk the u-boot.env.img its version is reported as ver=U-Boot 2016.11 (Oct 29 2018 - 16:06:3 while my camera reports U-Boot 2016.11-g4bd9c94-dirty (Apr 22 2022 - 21:25:43 +0800)gk7205v300 so that's a dead end 😢.

I tried to back up the flash with it still soldered to the board, but unfortunately even without supplying 3.3v to the board by the CH341a and the camera powered over PoE, the flash chip could not be detected. As this failed, I'm hesitant to use coupler as I have no backup.

TimelessNL commented 1 year ago

Ok I took the gamble and updated using coupler, and to my pleasant surprise it worked flawlessly. Thanks for the hard work on this 🙏.

@dimerr You mentioned overwriting u-boot using flashcp -v u-boot.bin /dev/mtd0. My question is: does this also overwrite the u-boot env and therefore the MAC address and such?

After flashing u-boot I do need to configure the flash size, correct? Using run setnor16m in the bootloader? As my device came with a 16MB flash chip.

Also, I noticed the coupler image is an 8MB variant. Can I just flash the 16MB variant from within OpenIPC after replacing u-boot, or do I need to perform a TFTP flash?

Thanks in advance!

EDIT: Never mind, I should have done some more reading. I used burn to temporarily load a new u-boot into DRAM, created a backup using the instructions, and flashed the lite image. Everything worked out as it should and u-boot has been replaced.