RX309Electronics / Tapo-C200V3-cam-research-project

In this repo I will post all information I gathered when opening a TPlink tapo c200 version3 wifi camera and I will post the progress
GNU General Public License v3.0

Access to bootloader #2

Open Epictek opened 3 months ago

Epictek commented 3 months ago

Possibly useful resource to get access to the boot loader. This camera uses the same processor but a different flash chip, but the method seems universal across most SoCs

https://github.com/OpenIPC/device-mjsxj03hl/blob/master/Manual_en.md#get-access-to-the-bootloader

Epictek commented 3 months ago

And we have access!

Epictek commented 3 months ago

isvp_t31# printenv
baudrate=115200
bootargs=console=ttyS1,115200n8 mem=45M@0x0 rmem=19M@0x2d00000 root=/dev/mtdblock6 rootfstype=squashfs noinitrd init=/etc/preinit
bootcmd=sf probe;sf read 0x80700000 0x80200 0x175000; bootm 0x80700000
ethaddr=00:d0:d0:00:95:27
gatewayip=193.169.4.1
ipaddr=193.169.4.81
loads_echo=1
netmask=255.255.255.0
serverip=193.169.4.2
stderr=serial
stdin=serial
stdout=serial

Environment size: 407/16380 bytes
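The memory split and the flash region that the stock bootloader loads can be read straight out of the two variables above. This is an added example, not part of the original thread; the function names are hypothetical, and the physical load address assumes the usual MIPS KSEG0 mapping.

```python
import re

# Constructed input: two lines copied from the printenv output in this thread.
PRINTENV = """\
bootargs=console=ttyS1,115200n8 mem=45M@0x0 rmem=19M@0x2d00000 root=/dev/mtdblock6 rootfstype=squashfs noinitrd init=/etc/preinit
bootcmd=sf probe;sf read 0x80700000 0x80200 0x175000; bootm 0x80700000
"""
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_env(text):
    """Split 'name=value' lines at the first '='; values may contain '='."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            env[name.strip()] = value
    return env

def memory_regions(bootargs):
    """Return {name: (start, end)} for mem=/rmem= given as SIZE[KMG]@ADDR."""
    found = re.findall(r"\b(r?mem)=(\d+)([KMG]?)@(0x[0-9a-fA-F]+)", bootargs)
    return {name: (int(addr, 16), int(addr, 16) + int(size) * UNITS[unit])
            for name, size, unit, addr in found}

def flash_reads(bootcmd):
    """Return (ram_addr, flash_offset, length) for each 'sf read' in bootcmd."""
    reads = []
    for cmd in bootcmd.split(";"):
        words = cmd.split()
        if words[:2] == ["sf", "read"] and len(words) == 5:
            reads.append(tuple(int(w, 16) for w in words[2:]))
    return reads

def summarize(text):
    env = parse_env(text)
    regions = memory_regions(env["bootargs"])
    ram, offset, length = flash_reads(env["bootcmd"])[0]
    return {
        "regions": regions,
        "ram_total": max(end for _, end in regions.values()),
        "contiguous": regions["mem"][1] == regions["rmem"][0],
        "kernel_flash": (offset, offset + length),
        # Assumption: MIPS KSEG0 mapping, where 0x8xxxxxxx aliases physical RAM.
        "kernel_load_phys": ram & 0x1FFFFFFF,
    }

if __name__ == "__main__":
    print(summarize(PRINTENV))
```

The two regions are contiguous and add up to 64 MiB, and the region `bootcmd` reads spans flash offsets 0x80200 to 0x1f5200.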

Epictek commented 3 months ago

Managed to get OpenIPC installed! Will document the steps later

probonopd commented 3 months ago

@Epictek very interesting. Could you please share your insights?

Epictek commented 3 months ago

@probonopd

I used these instructions to flash the image https://github.com/OpenIPC/wiki/blob/master/en/help-uboot.md#flashing-full-image-via-serial-connection but I found the support from openipc on Ingenic devices to be lacking (could not get a clear video output) and had much better luck with thingino, which is specifically designed for Ingenic devices, and their community is a lot more helpful (highly recommend joining their Discord).

Currently SD card is not working as we need to find the GPIO pin used to enable it, and I have not been able to test motor support as I've accidentally semi-bricked my camera after trying to revert to the original firmware to do reverse engineering to get SD card support working. It should be straightforward to restore it; I just haven't gotten around to it.

Here is a link to a "working" image. Minus the SD card and motors. https://github.com/themactep/thingino-firmware/releases/download/module/thingino-t31l_sc2336_rtl8188ftv.bin

Epictek commented 3 months ago

https://github.com/themactep/thingino-firmware/wiki

Also has a lot of useful resources

probonopd commented 3 months ago

This is what I could find regarding GPIOs:

grep -r "_GPIO *=" .
./squashfs-root-0/data/cfg/buildroot_cfg.ini:CONFIG_RESET_GPIO=62
./squashfs-root-0/data/cfg/buildroot_cfg.ini:CONFIG_LED_GREEN_GPIO=42
./squashfs-root-0/data/cfg/buildroot_cfg.ini:CONFIG_LED_RED_GPIO=43
./squashfs-root-0/data/cfg/buildroot_cfg.ini:CONFIG_AUDIO_SPEAKER_ENABLE_GPIO=63
./squashfs-root-0/data/cfg/buildroot_cfg.ini:CONFIG_WIFI_ENABLE_GPIO=51
./squashfs-root-0/data/cfg/buildroot_cfg.ini:;CONFIG_MOTOR_SWITCH_GPIO=128
./squashfs-root-0/data/cfg/isp_default_cfg.ini:IR_CUT_CTRL_GPIO = 52
./squashfs-root-0/data/cfg/isp_default_cfg.ini:IR_LED_CTRL_GPIO = 49
./squashfs-root-0/data/cfg/isp_default_cfg.ini:WL_LED_CTRL_GPIO = 50
./squashfs-root-0/data/cfg/isp_default_cfg.ini:IR_ADC_VOLTAGE_GPIO = 2

./squashfs-root-0/data/cfg/loadSensor:insmod audio.ko spk_gpio=-1
./squashfs-root-0/data/cfg/loadSensor:insmod sensor_sc2336_t31.ko reset_gpio=16

So if there is a GPIO for SD select it is probably not one of the above...

RX309Electronics commented 3 months ago

Thank you for the information! I am now trying to add my own TPLink-TapoC200V3 configuration files for the uboot uenv and the camera config to hopefully get the motors and the led working and the speaker and sound! I found the buildroot config describing every gpio pin in squashfs-root-0 in /data/cfg/buildroot.config which has all pins described and I will now add them into the project hopefully. I am also hoping this way I can contribute to that project. I will update you when I find more or have it completed.

RX309Electronics commented 3 months ago

Success!!! After some tweaking of the uboot environment variables I managed to make the motors at least turn. Both h and v motor work! I also specified the led gpio which is also working (via cli commands: 'led red' turns on red, 'led green' turns on green and so on)! I am still working on getting the speaker working. I use audioplay but it just says volume 0 while I tried manually specifying volume but that did not work yet. I am now going to make my own TPLink-Tapo-C200V3.uenv.txt file and my own TPLink-Tapo-C200V3 camera configuration. I might post the files tomorrow!

RX309Electronics commented 3 months ago

Update: Sound also works! The only thing is that there seems to be a weird filter or something because the camera output looks purplish and colors are really saturated. I am working on resolving that and getting the IR filter to work! PTZ, audio and LEDs are working. I am grateful that this project exists so I don't have to do everything from scratch myself.

probonopd commented 3 months ago

My bet is on IR_CUT_CTRL_GPIO = 52

RX309Electronics commented 3 months ago

> My bet is on IR_CUT_CTRL_GPIO = 52

Sadly that seems to be the wrong gpio because when using the gpio command nothing changes... Here are the files I have come up with: TPLink-Tapo-C200V3.uenv.txt TPLink-Tapo-C200V3.txt

The TPLink-Tapo-C200V3.uenv.txt file I put in thingino-firmware/environment. And the TPLink-Tapo-C200V3.txt (which I had to attach a .txt extension to because github did not support the file, so when using this file remove the .txt extension, but not on the .uenv file) should be put in thingino-firmware/configs/cameras. This is my progress so far!

probonopd commented 3 months ago

Maybe the people in their discord have an idea...?

RX309Electronics commented 3 months ago

Here is the updated uenv file. The white led and ir led also work now and I tried to order it a bit more. Still working on getting the ir cut function working because I think it's 2 gpios because nothing changes when I use the gpio command in the shell. TPLink-Tapo-C200V3.uenv.txt

probonopd commented 3 months ago

@RX309Electronics can you summarize or point us to point-for-point instructions how to get access to the bootloader on our specific device model (e.g., what to type when to access the bootloader - or do we have to short the flash chip pins to force loading the bootloader from microSD?), and how to use that uenv.txt file?

Do you know whether the microSD card is functional from the uBoot environment? (Can you dump the flash contents onto microSD?)

RX309Electronics commented 3 months ago

Sure! I suspect you have a TPLink Tapo c200 with hardware version 3?! If that's the case you can hook up uart to the pins mentioned in my github page and you also have to short the tiny contacts I mentioned to activate the uart port. You can enter Uart by immediately typing 'slp' into the shell before Linux starts. If you succeed you can enter the uboot bootloader shell and can change some things but not much.

(Warning long text!)

Rather what I did is I made my own firmware using the thingino project and by using the (idk if it's called like this) 'module T31l sc2336 rtl8188' defconfig when selecting a device by running the user-menu.sh script the github repo contains, which allows customising and building the firmware for your device. The thingino project had no support for the Tapo c200 but I made my own config file and uenv file. Once you have downloaded the project you can download the files I left somewhere in this 'issues page'. If you can't find them I can send you the files.

What you do is copy TPLink-Tapo-C200V3.uenv.txt into the environment folder in the thingino folder. After that copy TPLink-Tapo-C200V3.txt to the configs/cameras/ folder in the thingino folder and remove the .txt extension. After that you should be done. Now run 'user-menu.sh'. Then select 'Guided Compilation', then select 'select device' and in this menu you should see "TPLink-Tapo-C200V3" or something along those lines. That is my config that you copied showing up in the menu now. Simply select that and then proceed by selecting 'Make firmware' which will build the firmware and create a binary file which you can instantly flash on the camera via flashrom/imsprog on Linux and neoprogrammer on Windows via a ch341 + soic8 clip and 1.8volt converter.

If the binary is ready simply clip on the soic8 clip and plug it into the 1.8volt converter module, then plug that module into the ch341. Plug the ch341 into the pc and use imsprog or neoprogrammer. In the software gui select 'detect' to see if it has recognised the flash chip. If it has it should come up with a list or a number starting with xx25xxxx. The 25 standing for the series of SPI flash chips (24 series are eeproms and not flash storage).

Then simply click on 'open' or 'import' which should allow you to select a binary file. Then navigate to a directory named /home/{yourusername}/output which should contain a folder whose name is similar to the config file. Go into that and select the file that does not have the '-update' in the name. Also make sure it ends with .bin which is the file that contains the custom firmware + bootloader + everything else needed for the camera to work. Flash it on the camera by selecting 'erase'; after it has erased select 'write'; after it has written the binary to the flash select 'verify' and your firmware should now be on the camera.

IT IS WISE TO MAKE A BACKUP OF THE FIRMWARE SO TO DO THIS FIRST SELECT READ IN THE GUI TO READ EVERYTHING ON THE CHIP BEFORE ERASING AND WRITING ON IT!!

If that has succeeded just boot the camera and it should now be booting into the custom firmware and should show up as an access point where you can configure the wifi credentials and some more features. After configuring click save and wait for it to reboot. Then just search for the device on your network and go to the ip the device is listed as on your network which should launch the thingino webpage. Simply put in the user as root and the password you set up when configuring it in AP mode. In this interface you can do a lot and it also runs locally so no cloud involved :)

Please note that this replaces the firmware completely so make a backup and only do this if you feel confident. Also I am still working on the uenv file which is the uboot environment file and does not have to be tweaked/messed with. Unless I upload a new TPLink-Tapo-C200V3.uenv.text file you don't have to do anything with a .uenv file. If I upload an updated file you can rename it to uEnv.txt and put it on a FAT32 formatted sd card and insert it into your camera and it should update the uboot environment variables which configure things such as GPIO pins (which I am working on. I am trying to find the gpio pins for the ir filter which I'll add to the uboot environment variables which the software can work with. White led, ir leds, speaker, motors already work and are configured correctly in the uenv file) and some other non-important stuff.
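A backup read through a SOIC8 clip is only useful if it is a faithful copy, so it is worth checking before selecting 'erase'. The following is an added example, not part of the original comment: it compares two consecutive reads of the chip and checks that the dump covers the region the stock `bootcmd` earlier in this thread loads. The function names and the 8 MiB sample size are assumptions; the chip's real size is not stated on the page.

```python
import hashlib

# From the stock bootcmd in this thread: sf read 0x80700000 0x80200 0x175000
KERNEL_OFFSET, KERNEL_LENGTH = 0x80200, 0x175000

def check_backup(read_a, read_b):
    """Return a list of problems found in two consecutive reads of one chip."""
    problems = []
    if len(read_a) != len(read_b):
        problems.append("reads differ in length")
    elif hashlib.sha256(read_a).digest() != hashlib.sha256(read_b).digest():
        first = next(i for i, (x, y) in enumerate(zip(read_a, read_b)) if x != y)
        problems.append(f"reads differ, first mismatch at 0x{first:x}")
    size = len(read_a)
    if size == 0 or size & (size - 1):
        problems.append(f"size {size} is not a power of two")
    end = KERNEL_OFFSET + KERNEL_LENGTH
    if size < end:
        problems.append(f"dump ends before 0x{end:x}, the end of the bootcmd read")
    else:
        region = read_a[KERNEL_OFFSET:end]
        if region.count(0xFF) == len(region) or region.count(0x00) == len(region):
            problems.append("region read by bootcmd is blank")
    return problems

def make_sample(size=8 << 20):
    """Constructed stand-in for a dump: erased flash with filler in the kernel region."""
    image = bytearray(b"\xff" * size)
    filler = bytes(range(256)) * (KERNEL_LENGTH // 256)
    image[KERNEL_OFFSET:KERNEL_OFFSET + KERNEL_LENGTH] = filler
    return bytes(image)

if __name__ == "__main__":
    good = make_sample()
    flaky = bytearray(good)
    flaky[0x1000] ^= 0x01  # one flipped bit, as from a poor clip contact
    print(check_backup(good, good))
    print(check_backup(good, bytes(flaky)))
```

With real dumps, pass the contents of the two files saved from separate 'read' operations; an empty list means the reads agree and the basic layout checks pass.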

probonopd commented 3 months ago

Thank you very much for the detailed description @RX309Electronics, this is really very helpful. I have a ch341 + soic8 clip, but can you give a link to a "1.8volt converter" that works? Didn't know such a thing existed...

snoopomsk commented 1 month ago

For the u-boot password, did you try HI2105CHIP?

probonopd commented 1 month ago

This camera is not HiSilicon based, so unlikely to work here, but it can never hurt to try.