roleoroleo / yi-hack-MStar

Custom firmware for Yi 1080p camera based on MStar platform
GNU General Public License v3.0

Is anyone going to work on 4.6.0 #10

Closed skylarhays closed 4 years ago

skylarhays commented 4 years ago

This is now listed as the alternative hack for the mstar cameras.... Is there any work being done on ALL the 6fus cams??? A lot of us are waiting on this.

roleoroleo commented 4 years ago

I don’t have a 4.6.0 so I’m not working on it. I don’t know the difference between 4.5.0 and 4.6.0 but I think that 4.6.0 is not only an upgrade. Probably the platforms are a little bit different. If someone is confident with a welder and linux we can try together.

skylarhays commented 4 years ago

I can solder and I am ok with linux... I would gladly disassemble one of mine to try to get the ball rolling. What is needed, a usb to serial ttl adapter? I have one if that is what is needed.

roleoroleo commented 4 years ago

Yes, for the 1st step that is enough.

  1. Open the cam
  2. Find the 3 uart pads (normally labeled rx, tx and gnd)
  3. Connect the ttl to rs232/usb adapter
  4. Open putty with logging enabled
  5. Switch on the cam
  6. Wait for loading to complete
  7. Check if we are lucky and a shell is available
  8. Post the log (eventually cleaned up from your data, if present)

With the log we can investigate the difference between 4.5.0 and 4.6.0. And we could find the name of the upgrade file on SD.

skylarhays commented 4 years ago

I will try to do this this weekend.

skylarhays commented 4 years ago

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.10.25 21:41:44 =~=~=~=~=~=~=~=~=~=~=~=

IPL gd156225 D-01.

HW Reset 64MB

BIST0_0001-OK

offset:00010000

size:7fc8 chks:5551a134 ok

IPL_CUST gbf16da4

MXP found at 0x00020000

decomp_size=0x000414d4

-----------------------U-Boot 2015.01 (Feb 26 2019 - 10:53:16)-----------------------

Version: I3g138a6f9
DEVINFO: 313E
[WDT] Enalbe WATCHDOG 60s
Watchdog enabled
I2C: ready
DRAM: 64 MiB
WARNING: Caches not enabled
MMC: MStar SD/MMC: 0
nor_flash_mxp allocated success!!
Flash is detected (0x0B05, 0xC8, 0x40, 0x18)
SF: Detected nor0 with total size 16 MiB
MXP found at mxp_offset[1]=0x00020000, size=0x1000
env_offset=0x4F000 env_size=0x1000
Flash is detected (0x0B05, 0xC8, 0x40, 0x18)
SF: Detected nor0 with total size 16 MiB
In: serial
Out: serial
Err: serial
Net: No ethernet found.

+++++++++++++++++++ check one.bin +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 one.bin
one.bin Not exist(fatsize err)

+++++++++++++++++++ check one_h201c +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 one_h201c
one_h201c Not exist(fatsize err)

+++++++++++++++++++ check uboot_h201c +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 uboot_h201c
uboot_h201c Not exist(fatsize err)

+++++++++++++++++++ check kernel_h201c +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 kernel_h201c
kernel_h201c Not exist(fatsize err)

+++++++++++++++++++ check sys_h201c +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 sys_h201c
sys_h201c Not exist(fatsize err)

+++++++++++++++++++ check home_h201c +++++++++++++++++++
------>setenv filesize 0
------>fatsize mmc 0 home_h201c
home_h201c Not exist(fatsize err)
[NetUpgrade] ts_1st=0x1f5
No ethernet found.
[NetUpgrade] ==== NetLoop(NETUPGRADE) return fail ====!
net_upgrade - do net update from the specified file that is in tftpserver

Usage: net_upgrade -

Flash is detected (0x0B05, 0xC8, 0x40, 0x18)
SF: Detected nor0 with total size 16 MiB
SF: 2162688 bytes @ 0x50000 Read: OK

Booting kernel from Legacy Image at 21000000 ...

Image Name: MVX2##I3gd96050eKL_LX318####[BR:
Image Type: ARM Linux Kernel Image (lzma compressed)
Data Size: 1445168 Bytes = 1.4 MiB
Load Address: 20008000
Entry Point: 20008000
Verifying Checksum ... OK
Uncompressing Kernel Image ... [XZ] !!!reserved 0x21000000 length=0x 1000000 for xz!!
XZ: uncompressed size=0x3c5f60, ret=7
OK
ERR: Can't find KIMG header and initrd address, 0x00000000
atags:0x20000000

Starting kernel ...

Booting Linux on physical CPU 0x0 Linux version 3.18.30 (zhengqianbin@XY-201) (gcc version 4.8.3 20140401 (prerelease) (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) ) #2 PREEMPT Tue Feb 26 14:28:47 CST 2019 CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache early_atags_to_fdt() success Machine model: INFINITY3 MSC000A-S03A-64M Reserved memory: created CMA memory pool at 0x22a00000, size 22 MiB Reserved memory: initialized node cma0, compatible id shared-dma-pool Memory policy: Data cache writeback Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256 Kernel command line: console=ttyS0,115200n8r androidboot.console=ttyS0 root=/dev/mtdblock2 rw rootfstype=jffs2 noinitrd init=/init PID hash table entries: 256 (order: -2, 1024 bytes) Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) Memory: 38212K/65536K available (2625K kernel code, 223K rwdata, 896K rodata, 116K init, 114K bss, 27324K reserved) Virtual kernel memory layout: vector : 0xffff0000 - 0xffff1000 ( 4 kB) fixmap : 0xffc00000 - 0xffe00000 (2048 kB) vmalloc : 0xc4800000 - 0xff000000 ( 936 MB) lowmem : 0xc0000000 - 0xc4000000 ( 64 MB) modules : 0xbf000000 - 0xc0000000 ( 16 MB) .text : 0xc0008000 - 0xc0378880 (3523 kB) .init : 0xc0379000 - 0xc0396000 ( 116 kB) .data : 0xc0396000 - 0xc03cdf60 ( 224 kB) .bss : 0xc03cdf60 - 0xc03ea9f0 ( 115 kB) SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 Preemptible hierarchical RCU implementation. Dump stacks of tasks blocking RCU-preempt GP. NR_IRQS:16 nr_irqs:16 16 Find CLK_cpupll_clk, hook ms_cpuclk_ops [ms_cpuclk_init] get dvfs gpio vid_1 Architected cp15 timer(s) running at 6.00MHz (virt). 
sched_clock: 56 bits at 6MHz, resolution 166ns, wraps every 2863311527936ns Switching to timer-based delay loop, resolution 166ns console [ttyS0] enabled Calibrating delay loop (skipped), value calculated using timer frequency.. 12.00 BogoMIPS (lpj=60000) pid_max: default: 4096 minimum: 301 Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) CPU: Testing write buffer coherency: ok Setting up static identity map for 0x2027d1a0 - 0x2027d1d4 VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5 NET: Registered protocol family 16 DMA: preallocated 256 KiB pool for atomic coherent allocations

Version : MVX2##I3gd96050eKL_LX318####[BR:h201c_prj]#XVM

GPIO: probe end MSYS: INIT DONE. TICK=0x017EE675 Advanced Linux Sound Architecture Driver Initialized. Switched to clocksource arch_sys_counter NET: Registered protocol family 2 TCP established hash table entries: 1024 (order: 0, 4096 bytes) TCP bind hash table entries: 1024 (order: 2, 20480 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP: reno registered UDP hash table entries: 128 (order: 0, 6144 bytes) UDP-Lite hash table entries: 128 (order: 0, 6144 bytes) NET: Registered protocol family 1 futex hash table entries: 16 (order: -4, 448 bytes) jffs2: version 2.2. © 2001-2006 Red Hat, Inc. msgmni has been set to 118 io scheduler noop registered io scheduler deadline registered (default) i2c /dev entries driver [ms_uart_probe] uart port 0 use MUX_PM_UART 1f221000.uart0: ttyS0 at MMIO 0x0 (irq = 98, base_baud = 10750000) is a unknown [ms_uart_probe] uart port 1 use MUX_UART1 1f221200.uart1: ttyS1 at MMIO 0x0 (irq = 99, base_baud = 10750000) is a unknown URDMA rx_buf=0xC2A42000(phy:0x22A42000) tx_buf=0xC2A43000(phy:0x22A43000) size=0x1000 [ms_uart_probe] uart port 2 use MUX_UART0 1f220400.uart2: ttyS2 at MMIO 0x0 (irq = 112, base_baud = 10750000) is a unknown infinity-audio soc:sound: ASoC: CODEC DAI infinity-codec-dai-main not registered platform soc:sound: Driver infinity-audio requests probe deferral infinity-audio infinity-codec: ASoC: CODEC DAI infinity-codec-dai-main not registered platform infinity-codec: Driver infinity-audio requests probe deferral [HVSP]u32Dropmode on/n

[SCL] SCL init success
mload_size = 35040
mload_virt_addr = c2a50000
mload_dma_addr = 0x22a50000
MSYS: DMEM request: [ISP_base]:0x0001B120
ShareData_Meminfo phyaddr:0x227bb400, viraddr:0xc27bb400, len:0x38
AE Base: virt=0xC2A60000 size=0xB400
AWB Base: virt=0xC2A6B400 size=0x8700
AF Base: virt=0xC2A73B00 size=0xF0
HISTO Base: virt=0xC2A73BF0 size=0x2F0
MOT Base: virt=0xC2A73EE0 size=0x6E40
RGBIR Base: virt=0xC2A7AD20 size=0x400
[ISP] register driver success
[CSI] register driver successms_rtc 1f002400.rtc: rtc core: registered 1f002400.rtc as rtc0
[ms_rtc_probe]: rtc setup, frequency=12000000
[SAR] infinity_sar_probe
MSYS: DMEM request: [BDMA_FSP_WBUFF]:0x00000100
[Ser flash] phys=0x22a48000, virt=0xc2a48000, bus=0x02a48000
[FSP] Flash is detected (0x0B05, 0xC8, 0x40, 0x18) ver1.1
[FSP] 1-2-2 2xIO_READ MODE
mtd .name = NOR_FLASH, .size = 0x01000000 (16MiB) .erasesize = 0x00010000 .numeraseregions = 0
MXP_PARTS!!
MXP found at mxp_offset[1]=0x00020000, size=0x1000
Creating 6 MTD partitions on "NOR_FLASH":
0x000000000000-0x000000050000 : "BOOT"
0x000000050000-0x0000001d0000 : "KERNEL"
0x0000001d0000-0x0000003b0000 : "ROOTFS"
0x0000003b0000-0x000000fe0000 : "HOME"
0x000000fe0000-0x000000ff0000 : "vd1"
0x000000ff0000-0x000001000000 : "conf"
[ms_cpufreq_init] cpu current clk=796917760
ms_pwm->pad_ctrl[0]=69
ms_pwm->pad_ctrl[1]=17
ms_pwm->pad_ctrl[2]=255
ms_pwm->pad_ctrl[3]=255
ms_pwm->pad_ctrl[4]=53
ms_pwm->pad_ctrl[5]=255
ms_pwm->pad_ctrl[6]=255
ms_pwm->pad_ctrl[7]=56
mstar-i3pwm 1f003400.pwm: probe successful
TCP: cubic registered
NET: Registered protocol family 17
MSYS: DMEM request: [pcmC0D0p]:0x00018000
MSYS: DMEM request: [pcmC0D0c]:0x00014000
infinity-audio soc:sound: infinity-codec-dai-main <-> infinity-cpu-dai mapping ok
ms_rtc 1f002400.rtc: setting system clock to 1970-01-01 00:00:00 UTC (0)
ALSA device list:

0: infinity_snd_machine

VFS: Mounted root (jffs2 filesystem) on device 31:2. Freeing unused kernel memory: 116K (c0379000 - c0396000) init: SERVICE: ueventd init: SERVICE: rcs [FB]Set 68 [DRVHVSP]Drv_HVSP_SetFbManageConfig(645):8000 DNRR OFF [FB]Set 57 [DRVHVSP]Drv_HVSP_SetFbManageConfig(645):100 UNLOCK [JPE, JpeProbe] set base=0xfd264000 irq=93, nClockRate=288000000

[sdmmc] ms_sdmmc Driver Initializing... [sdmmc] ms_sdmmc_probe [sdmmc_0] Int CDZ use Ext GPIO IRQ: (151) [sdmmc_0] Probe Platform Devices...(Ret:0) [sdmmc_0] Get CD => (1) [sdmmc_0] Set IOS => Clk=48000000 (Real=48000000) mmc0: new high speed SDHC card at address aaaa mmcblk0: mmc0:aaaa SU04G 3.69 GiB mmcblk0: p1 FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck. cryptodev: driver aesdmadev loaded. MSYS: DMEM request: [AESDMA_ENG]:0x00001000 MSYS: DMEM request: [AESDMA_ENG1]:0x00001000 infinity_aes soc:aesdma: MSTAR AES engine enabled. usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb ehci_hcd: unknown parameter 'force_host' ignored ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver Mstar_ehc_init version:20150512 Mstar-ehci-2 H.W init Titania3_series_start_ehc start enable USB function [USB] config miu select [1] [ef] [ef] ][ef] [USB] enable miu lower bound address subtraction [USB] worring.... no platform_data hcd->rsrc_start:0xfd286400 BC disable [USB] soc:Mstar-ehci-2 irq --> 119 soc:Mstar-ehci-2 soc:Mstar-ehci-2: EHCI Host Controller soc:Mstar-ehci-2 soc:Mstar-ehci-2: new USB bus registered, assigned bus number 1 soc:Mstar-ehci-2 soc:Mstar-ehci-2: irq 119, io mem 0xfd286400 hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected Mstar-ehci-1 H.W init CHIP_FUNCTION SET. ID=4, param=1 Can't get power-enable-pad from DTS, set default GPIO(1) [mstar_usb_vbus_control] Enable USB VBUS GPIO(81) Titania3_series_start_ehc start enable USB function [USB] config miu select [1] [ef] [ef] ][ef] [USB] enable miu lower bound address subtraction [USB] worring.... 
no platform_data hcd->rsrc_start:0xfd284800 BC disable [USB] soc:Mstar-ehci-1 irq --> 95 soc:Mstar-ehci-1 soc:Mstar-ehci-1: EHCI Host Controller soc:Mstar-ehci-1 soc:Mstar-ehci-1: new USB bus registered, assigned bus number 2 soc:Mstar-ehci-1 soc:Mstar-ehci-1: irq 95, io mem 0xfd284800 hub 2-0:1.0: USB hub found hub 2-0:1.0: 1 port detected hue, spi0_dev = 0xc22e8a00 init.sh (46): drop_caches: 3 ==20150512==> hub_port_init 1 #0 Plug in USB Port1 usb 2-1: new high-speed USB device number 2 using soc:Mstar-ehci-1 cfg80211: Calling CRDA to update world regulatory domain usbcore: registered new interface driver rtl8188fu hue, get pwm(1) [PWN] mstar_pwm_config duty_ns=0, period_ns=100000 reg=0x1F003490 clk=12000000, period=0x78 reg=0x1F003488 clk=12000000, u32Duty=0x0 [PWM] mstar_pwm_enable [PWM] mstar_pwm_disable [Mstar GPIO] gpio(83) to irq(166) hue, gpio_isr [CPLD_PERIPH] timer init ok. timer resolution:10 MHZ [CPLD_PERIPH] CPLD_PERIPH module inited [PWN] mstar_pwm_config duty_ns=0, period_ns=100000 reg=0x1F003490 clk=12000000, period=0x78 reg=0x1F003488 clk=12000000, u32Duty=0x0 ssp---hi_ssp_init [gpio] Disable SPI0 function ssp---hi_ssp_init ok! MSYS: DMEM request: [ISP_MLOAD]:0x000088E0 [HVSP1] Size must be align 16, Vsize=1080, Pitch=1920 [HVSP1] Buffer is single, Vsize=1080, Pitch=1920 MSYS: DMEM request: [SCL_MCNR_YC]:0x003FC000 MSYS: DMEM request: [SCL_MCNR_M]:0x000FF000 [HVSP1]: MCNR YC: Phy:22ae0000 Vir:c2ae0000 [HVSP1]: MCNR CIIR: Phy:0 Vir:0 [HVSP1]: MCNR M: Phy:22ee0000 Vir:c2ee0000 MSYS: DMEM [FGPALDCDMAP]@0x00000000 not found, skipping release... 
MSYS: DMEM request: [FGPALDCDMAP]:0x00020000 MSYS: DMEM request: [DLC_MEM]:0x00000400 [DRVSCLDMA] Double Buffer Status :0 [HVSP1] Size must be align 16, Vsize=1080, Pitch=1920 [HVSP1] Buffer is single, Vsize=1080, Pitch=1920 MSYS: DMEM request: [VSPL-I0P0B0]:0x0005A000 MSYS: DMEM request: [VSPL-I0P0B1]:0x0005A000 MSYS: DMEM request: [VSPL-I0P0B2]:0x0005A000 MSYS: DMEM request: [VSPL-I0P2B0]:0x0005A000 MSYS: DMEM request: [VSPL-I0P2B1]:0x0005A000 MSYS: DMEM request: [VSPL-I0P2B2]:0x0005A000 MSB2@v1.1-01:r&d analysis. MSYS: DMEM request: [MS-00]:0x00357000 MSYS: DMEM request: [MS-01]:0x00357000 MSYS: DMEM request: [MS-02]:0x00357000 MSYS: DMEM request: [VENC-32]:0x000FF000 mrqc_set_rqcf - skip set RQCT_CFG_SEQ mrqc_set_rqcf - skip set RQCT_CFG_SEQ MSYS: DMEM request: [S0:VENCDMOUT]:0x00006400 MSB2@v1.1-01:r&d analysis. MSYS: DMEM request: [VSPL-I0P1B0]:0x0005A000 MSYS: DMEM request: [VSPL-I0P1B1]:0x0005A000 MSYS: DMEM request: [VSPL-I0P1B2]:0x0005A000 MSYS: DMEM request: [VENC-48]:0x00025800 mrqc_set_rqcf - skip set RQCT_CFG_SEQ mrqc_set_rqcf - skip set RQCT_CFG_SEQ MSYS: DMEM request: [S1:VENCDMOUT]:0x00005600 MSYS: DMEM request: [S1:VENCDMP0]:0x00056400 MSYS: DMEM request: [S1:VENCDMP1]:0x00056400 MSYS: DMEM request: [VSPL-I0P3B0]:0x00016800 MSYS: DMEM request: [VSPL-I0P3B1]:0x00016800 MSYS: DMEM request: [VSPL-I0P3B2]:0x00016800

[PID_LIST] pid_list_init ok, [ ver=Feb 26 2019, 14:28:36 ] usbcore: deregistering interface driver rtl8188fu ==20150512==> hub_port_init 1 #0 Plug in USB Port1 usb 2-1: reset high-speed USB device number 2 using soc:Mstar-ehci-1 usbcore: registered new interface driver rtl8188fu cfg80211: Calling CRDA to update world regulatory domain MSYS: DMEM request: [VENC-49]:0x00007800

skylarhays commented 4 years ago

there is a shell too!

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.10.25 21:48:09 =~=~=~=~=~=~=~=~=~=~=~=

U-Boot 2015.01 (Feb 26 2019 - 10:53:16)
arm-linux-gnueabihf-gcc (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 4.8.3 20140401 (prerelease)
GNU ld (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 2.24.0.20140311 Linaro 2014.03
MStar #

U-Boot 2015.01 (Feb 26 2019 - 10:53:16)
arm-linux-gnueabihf-gcc (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 4.8.3 20140401 (prerelease)
GNU ld (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 2.24.0.20140311 Linaro 2014.03
MStar # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
dbg - set debug message level. Default level is INFO
dcache - enable or disable data cache
debug - Disable uart rx via PAD_DDCA to use debug tool
dhcp - boot image via network using DHCP/TFTP protocol
dstar - script via SD/MMC
eeprom - EEPROM sub-system
env - environment handling commands
estar - script via network
estart - EMAC start
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatread - FAT fatread with FSTART
fatsize - determine a file's size
go - start application at address 'addr'
gpio - Config gpio port
help - print command description/usage
i2c - I2C sub-system
icache - enable or disable instruction cache
initDbgLevel- Initial varaible 'dbgLevel'
loop - infinite loop on address range
macaddr - setup EMAC MAC addr
md - memory display
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mssdmmc - Mstar SD/MMC IP Verification System
mstar - script via TFTP
mw - memory write (fill)
mxp - MXP function for Mstar MXP partition
net_upgrade- do net update from the specified file that is in tftpserver

nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
riu - riu - riu command

run - run commands in an environment variable
saveenv - save environment variables to persistent storage
sdupgrade- do SD card auto upgrade - one.bin

setenv - set environment variables
sf - SPI flash sub-system
sfbin - for uploading sf image to a server(via network using TFTP protocol)
srcfg - sensor pin and mclk configuration.
tftpboot- boot image via network using TFTP protocol
version - print monitor, compiler and linker version
MStar # version

U-Boot 2015.01 (Feb 26 2019 - 10:53:16)
arm-linux-gnueabihf-gcc (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 4.8.3 20140401 (prerelease)
GNU ld (crosstool-NG linaro-1.13.1-4.8-2014.04 - Linaro GCC 4.8-2014.04) 2.24.0.20140311 Linaro 2014.03
MStar #

skylarhays commented 4 years ago

let me know what steps to take next.

roleoroleo commented 4 years ago

It's very very similar.

Now we should extract sys (rootfs) and home partition from uboot. With these files we are able to reconstruct new files to load from SD. Try to follow this guide as a suggestion: https://reverseengineering.stackexchange.com/questions/6300/extracting-a-firmware-image-via-u-boot But there are a lot of examples if you google "dump spi flash from uboot". The problem is that we don't have an ethernet port and the list of available commands is short.

It should be something like that:

sf probe to init spi bus
sf read to copy spi content to memory
md to dump memory (this command is very slow!!!)

We miss the SPI NOR offset, could you post a printenv from uboot?

Sorry but I can't help you using my camera because I broke uart pads and I can no longer reconnect to it.

skylarhays commented 4 years ago

Sure, I will do printenv now, and I will start trying to dump the uboot. Do I need a sd card inserted for this?

skylarhays commented 4 years ago

MStar # printenv
baudrate=115200
bootcmd=sf probe 0;sf read 0x21000000 0x50000 0x00210000;bootm 0x21000000
bootdelay=0
cpu_part_start=143b0000
filesize=0
home_h201c_crc32=0xa64f6eb9
home_h307_crc32=0xaae53d57
kernel_h307_crc32=0x3ab2362d
one.bin_crc32=0x119a2697
sf_kernel_size=180000
sf_kernel_start=50000
sf_part_size=c30000
sf_part_start=3b0000
stderr=serial
stdin=serial
stdout=serial
sys_h307_crc32=0x8c04e1c9
uboot_h307_crc32=0x80065c93

Environment size: 463/4092 bytes

skylarhays commented 4 years ago

sf read and sf probe both work

MStar # sf probe
Flash is detected (0x0B05, 0xC8, 0x40, 0x18)
SF: Detected nor0 with total size 16 MiB

roleoroleo commented 4 years ago

No you have to capture bytes from the screen... Yes, it's very boring. Enable logging and dump the memory. I think you'll have to do it in "little" pieces (probably 65536 is enough).

Reading your bootlog the command should be:

sf probe
sf read 0x21000000 0x1d0000 0x1e0000
md 0x21000000 65536
md 0x21010000 65536
md 0x21020000 65536
....
md 0x211d0000 65536

for rootfs and

sf probe
sf read 0x21000000 0x3b0000 0xc30000
md 0x21000000 65536
md 0x21010000 65536
md 0x21020000 65536
....
md 0x21c20000 65536

for home partition.

roleoroleo commented 4 years ago

Or you could write a little python program that does this for you.
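An added example, not part of the original comments: it derives the `sf read` and `md` command list for a partition from the "Creating 6 MTD partitions" lines of the boot log instead of working the offsets out by hand. U-Boot reads the `md` count as a hexadecimal number of 32-bit words, so a 65536-byte chunk is written as `0x4000`; the function names, `RAM_END` and the chunk default are assumptions of this sketch.

```python
import re

# Partition lines copied from the kernel boot log posted earlier in the thread.
BOOT_LOG = """\
Creating 6 MTD partitions on "NOR_FLASH":
0x000000000000-0x000000050000 : "BOOT"
0x000000050000-0x0000001d0000 : "KERNEL"
0x0000001d0000-0x0000003b0000 : "ROOTFS"
0x0000003b0000-0x000000fe0000 : "HOME"
0x000000fe0000-0x000000ff0000 : "vd1"
0x000000ff0000-0x000001000000 : "conf"
"""

PART = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.M | re.I)

RAM_BUF = 0x21000000  # scratch address used by bootcmd and in the thread
RAM_END = 0x24000000  # assumption: 64 MiB of DRAM mapped from 0x20000000


def partitions(log):
    """Map partition name -> (flash offset, size in bytes)."""
    return {name: (int(lo, 16), int(hi, 16) - int(lo, 16))
            for lo, hi, name in PART.findall(log)}


def dump_plan(log, name, chunk=0x10000):
    """Return the U-Boot commands that copy one partition to RAM and print it.

    chunk is the number of bytes shown per md command; md prints 16 bytes per
    line, so it must be a multiple of 16.
    """
    parts = partitions(log)
    if name not in parts:
        raise ValueError("no partition named %r in the log" % name)
    if chunk <= 0 or chunk % 16:
        raise ValueError("chunk must be a positive multiple of 16")
    offset, size = parts[name]
    if RAM_BUF + size > RAM_END:
        raise ValueError("partition does not fit in the RAM buffer")

    cmds = ["sf probe 0",
            "sf read 0x%x 0x%x 0x%x" % (RAM_BUF, offset, size)]
    for pos in range(0, size, chunk):
        nbytes = min(chunk, size - pos)
        # md.l counts 32-bit words, and the count is parsed as hex
        cmds.append("md.l 0x%x 0x%x" % (RAM_BUF + pos, nbytes // 4))
    return cmds


if __name__ == "__main__":
    for command in dump_plan(BOOT_LOG, "ROOTFS"):
        print(command)
```
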

skylarhays commented 4 years ago

I am doing it manually now and saving the logs, bootlog and rootfs. What next?

roleoroleo commented 4 years ago

Send me the logs. rootfs and home partitions do not contain personal data. I will recreate partitions and start the hack.

skylarhays commented 4 years ago

Awesome! How do I directly e-mail or msg you?

roleoroleo commented 4 years ago

You can use a dropbox/googledrive or other cloud system to share your files.

skylarhays commented 4 years ago

https://drive.google.com/open?id=1bH6RbMOJXzbvz5BMOHiosRVdMP7ytIZe

The bootlog worked without issue. The rootfs reboots before it completes on several of the commands. Do I need to dump it in shorter segments? The bootlog is in the google drive folder and I will put the rootfs there when I get it dumped correctly.

roleoroleo commented 4 years ago

Unfortunately there are some problems in the file ... For example:

21000d90: 01fcf7e8 81556c2d 73fe9a42 698be625    ....-lU.B..s%..i
21000da0: 56151443 2b660e23 baef5ad4 480bf420    C..V#.f+.Z.. ..H
21000db0: d4794f79 d4e0fc3c ff6878ff 11cf27b9    yOy.<....xh..'..
21000dc0: 81a8abfa d4f37de6 2eedb40505c 121efd00 ffffff32    .N.F\.......2...
21001050: e0011985 0000002b 7d266ee6 00000001    ....+....n&}....
21001060: 00000009 0000000b 5c7c9e90 00000403    ..........|\....
21001070: cd46c044 564ee2de ff62696c e0021985    D.F...NVlib.....

or

210019f0: 0000a1ff 03e903e9 00000007 5c7c9e90    ..............|\
21001a00: 5c7c9e90 5c7c9e90 00000000 00000007    ..|\..|\........
21001a10: 00000007 00000000 186b259f 636a09d3    .........%k...jc
21001a20: 79737562 ff786f62 e0011985 0000002a    busyb
21001ca0: 7ce0e2f1 9a7f06c6 247e0112 01ccb49a    ...|......~$....
21001cb0: 30635d52 420d3325 9abcd2b2 fdc6d838    R]c0%3.B....8...
21001cc0: 9b025929 5da7ea84 5d50e153 25372188    )Y.....]S.P].!7%

Something was wrong during the dump.
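The damage in the excerpts above (a line with a mangled word, then a jump in addresses) can be found mechanically. The following is an added example, not part of the original comment or of u-dump: it checks captured `md` output line by line, including the hex column against the ASCII column, and lists the address ranges that have to be read again. Its input is the first excerpt plus one constructed line; the function names are assumptions.

```python
import re

# One line of U-Boot `md` output in 32-bit words:
# address, four words, four spaces, 16 characters of ASCII rendering.
MD_LINE = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{8}){4}) {4}(.{16})$", re.I)

# Lines 1-7 are the first excerpt from the comment above; line 8 is constructed
# (one hex digit changed, length intact) to show what the ASCII column catches.
SAMPLE = "\n".join([
    r"21000d90: 01fcf7e8 81556c2d 73fe9a42 698be625    ....-lU.B..s%..i",
    r"21000da0: 56151443 2b660e23 baef5ad4 480bf420    C..V#.f+.Z.. ..H",
    r"21000db0: d4794f79 d4e0fc3c ff6878ff 11cf27b9    yOy.<....xh..'..",
    r"21000dc0: 81a8abfa d4f37de6 2eedb40505c 121efd00 ffffff32    .N.F\.......2...",
    r"21001050: e0011985 0000002b 7d266ee6 00000001    ....+....n&}....",
    r"21001060: 00000009 0000000b 5c7c9e90 00000403    ..........|\....",
    r"21001070: cd46c044 564ee2de ff62696c e0021985    D.F...NVlib.....",
    r"21001080: 79737062 ff786f62 e0011985 0000002a    busybox.....*...",
])


def ascii_column(data):
    """Render bytes the way md does: printable ASCII as-is, the rest as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def parse_md_line(line):
    """Return (address, 16 bytes) or raise ValueError naming the defect."""
    m = MD_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed line")
    # md prints each word as a number; on this little-endian ARM core the bytes
    # in memory are in the reverse order of the printed digits.
    data = b"".join(int(w, 16).to_bytes(4, "little") for w in m.group(2).split())
    if ascii_column(data) != m.group(3):
        raise ValueError("hex and ASCII columns disagree")
    return int(m.group(1), 16), data


def check_capture(text, start, end):
    """Validate a capture that should cover [start, end).

    Returns (rows, problems, missing): rows maps address -> 16 bytes, problems
    is a list of (line number, reason), missing is a list of (lo, hi) ranges
    that are absent or unusable and must be dumped again.
    """
    rows, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("MStar #"):
            continue  # blank lines and the echoed prompt
        try:
            addr, data = parse_md_line(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if addr % 16 or not start <= addr < end:
            problems.append((n, "address outside requested range"))
        elif addr in rows and rows[addr] != data:
            problems.append((n, "conflicting repeat of an address"))
        else:
            rows[addr] = data

    missing = []
    for addr in range(start, end, 16):
        if addr in rows:
            continue
        if missing and missing[-1][1] == addr:
            missing[-1][1] = addr + 16      # extend the current gap
        else:
            missing.append([addr, addr + 16])
    return rows, problems, [tuple(gap) for gap in missing]


def to_image(rows, start, end):
    """Join validated rows into the binary image; refuse if anything is missing."""
    if any(addr not in rows for addr in range(start, end, 16)):
        raise ValueError("capture is incomplete")
    return b"".join(rows[addr] for addr in range(start, end, 16))


if __name__ == "__main__":
    _, problems, missing = check_capture(SAMPLE, 0x21000D90, 0x21001090)
    for n, reason in problems:
        print("line %d: %s" % (n, reason))
    for lo, hi in missing:
        print("re-read 0x%08x-0x%08x" % (lo, hi))
```

A same-length substitution is only caught when it changes what the ASCII column would show, so a clean report is necessary but not sufficient; comparing two independent dumps of the same range covers the rest.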

roleoroleo commented 4 years ago

Probably the serial port without flow is too slow.

skylarhays commented 4 years ago

I'm going to try again on my desktop now. Was doing it on the couch in the living room.... Should I try different settings in putty?

roleoroleo commented 4 years ago

There are no particular settings. If it doesn't work we need to write a little python program that uses very short blocks (about 256 or 512 bytes).

roleoroleo commented 4 years ago

https://github.com/IonAgorria/u-dump/blob/master/main.py https://github.com/gmbnomis/uboot-mdb-dump

--- EDIT ---

The first link is a great solution. I suggest you use it.

skylarhays commented 4 years ago

sure. do I run it on the camera?

roleoroleo commented 4 years ago

No, on your pc. You have to use putty to stop the boot. Execute sf probe command and sf read command. Then, close putty and run the script. Probably you need python 3 installed.

skylarhays commented 4 years ago

Ok, I will do this when I get home. Anything specific I plug in?

Sent from my iPhone

On Oct 26, 2019, at 3:20 PM, roleo notifications@github.com wrote:

No, on your pc. You have to use putty to stop the boot. Then, close putty and run the script. Probably you need python 3 installed.


skylarhays commented 4 years ago

py main.py
  File "main.py", line 7
    <!DOCTYPE html>
    ^
SyntaxError: invalid syntax

This is what I'm getting when I try to run it. I have installed python 3.8.0

roleoroleo commented 4 years ago

With python 3.6 it works.

Python 3.6.0 (v3.6.0:41df79263a11, Dec 23 2016, 08:06:12) [MSC v.1900 64 bit (AMD64)] on win32
Type "copyright", "credits" or "license()" for more information.
>>> 
=============== RESTART: C:\Users\user\Desktop\main.py ===============
usage: main.py [-h] [--step STEP] [--size SIZE] [--timeout TIMEOUT]
               [--previous PREVIOUS] [--ignore-log] [--debug] [--reset]
               port baud start end
main.py: error: the following arguments are required: port, baud, start, end
>>>

skylarhays commented 4 years ago

py main.py com4 115200 0x21000000 0x211d0000

This is the syntax I'm trying and I'm getting

C:\mstar>py main.py com4 115200 0x21000000 0x211d0000
Traceback (most recent call last):
  File "main.py", line 264, in <module>
    main()
  File "main.py", line 244, in main
    log = open(name + ".log", "w")
OSError: [Errno 22] Invalid argument: '2019-10-27T04:16:23 0x21000000 0x211d0000.log'

I had to install pyserial as well... I think I just have the syntax wrong.

skylarhays commented 4 years ago

I also tried this

C:\mstar>py main.py --debug com4 115200 0x1d0000 0x1e0000
Debug mode enabled
Traceback (most recent call last):
  File "main.py", line 264, in <module>
    main()
  File "main.py", line 244, in main
    log = open(name + ".log", "w")
OSError: [Errno 22] Invalid argument: '2019-10-27T04:30:52 0x1d0000 0x1e0000.log'

roleoroleo commented 4 years ago

Ok, try to change line 240 from

name = datetime.fromtimestamp(time()).strftime("%Y-%m-%dT%H:%M:%S") + " " + hex(opts.start) + " " + hex(opts.end)

to

name = datetime.fromtimestamp(time()).strftime("%Y-%m-%dT%H%M%S") + "_" + hex(opts.start) + "_" + hex(opts.end)

Remove ':' and ' ' from the file name. Tomorrow I will try the script on another device.

skylarhays commented 4 years ago

Changed that line out and now I get this after I first boot into putty and run sf probe and sf read 0x21000000 0x1d0000 0x1e0000, then close putty and run main.py.

C:\mstar>py main.py com4 115200 0x1d0000 0x1e0000
Traceback (most recent call last):
  File "main.py", line 264, in <module>
    main()
  File "main.py", line 248, in main
    raise e
  File "main.py", line 246, in main
    data = dump(serial, opts, log)
  File "main.py", line 155, in dump
    addr, line_data, text = parse_line(line, opts.size)
  File "main.py", line 16, in parse_line
    raise Exception("Line size %s doesn't match %s: %s" % (len(line), size, visible(line)))
Exception: Line size 21 doesn't match 67: 001d0000:data abort

C:\mstar>py main.py com4 115200 0x21000000 0x211d0000
Traceback (most recent call last):
  File "main.py", line 264, in <module>
    main()
  File "main.py", line 248, in main
    raise e
  File "main.py", line 246, in main
    data = dump(serial, opts, log)
  File "main.py", line 136, in dump
    assert len(chunk) > 0
AssertionError

roleoroleo commented 4 years ago

Ok. I need to test the script.

roleoroleo commented 4 years ago

Try this:

#!/usr/bin/env python3
__author__ = 'Ion Agorria'
import argparse
from datetime import datetime
from time import time
from serial import Serial

def visible(text):
    # str.replace returns a new string, so the result has to be kept
    text = text.replace("\n", "\\n")
    text = text.replace("\r", "\\r")
    return text

def parse_line(line, size):
    # Break down each part
    if len(line) != size:
        raise Exception("Line size %s doesn't match %s: %s" % (len(line), size, visible(line)))
    i = 0
    addr = line[i:i + 8]
    i += 8
    assert line[i:i + 2] == ": "
    i += 2
    hex_data = line[i:i + 8]
    i += 8
    assert line[i:i + 1] == " "
    i += 1
    hex_data += line[i:i + 8]
    i += 8
    assert line[i:i + 1] == " "
    i += 1
    hex_data += line[i:i + 8]
    i += 8
    assert line[i:i + 1] == " "
    i += 1
    hex_data += line[i:i + 8]
    i += 8
    assert line[i:i + 4] == "    "
    i += 4
    text = line[i:i + 16]
    i += 16
    assert line[i:i + 2] == "\r\n"

    #Convert hex string into actual data
    data = []
    for i in range(0, len(hex_data), 2):
        piece = hex_data[i:i + 2]
        data.append(int(piece, 16))

    #For redundancy check if data matches text, but only for printable characters (non dot)
#    for i, piece in enumerate(data):
#        if text[i] != ".":
#            assert chr(piece) == text[i]

    return int(addr, 16), data, text

def write(serial, opts, data):
    if opts.debug:
        print("Debug write: " + visible(data))
    data = bytes(data, "ascii")
    serial.write(data)

def dump(serial, opts, log):
    data = []
    finish = False
    start_addr = opts.start
    last_addr = start_addr - 0x10
    do_reset = False

    # Restore the previous dump
    if opts.previous:
        loaded = False
        last_percentage = 0
        print("Info: loading from " + opts.previous)
        with open(opts.previous, 'r') as previous:
            lines = previous.readlines()
            count = len(lines)
            i = 0
            for line in lines:
                #Fix lines with only \n
                if line[-2:] != "\r\n":
                    line = line[:-1] + "\r\n"

                addr, line_data, text = parse_line(line, opts.size)

                #Check if we skipped some line
                if last_addr != addr - 0x10:
                    raise Exception("Possible skip or repetition, last address 0x%x doesn't match with previous address 0x%x" % (last_addr, addr - 0x10))
                last_addr = addr

                #Check if we reach end
                if addr > opts.end:
                    print("Info: Reached specified end address")
                    finish = True
                    break

                #Discard if not start
                if addr < opts.start:
                    print("Warning: address %s is lower than start address! discarding" % addr)
                    continue

                #Store line data and log
                data.append(bytes(line_data))
                if not opts.ignore_log:
                    log.write(line)
                    log.flush()

                #Print percentage
                i += 1
                percentage = int(round(i / count * 100))
                if last_percentage != percentage:
                    print("Info: (%i%%) %i/%i " % (percentage, i, count))
                last_percentage = percentage

            #If we reach here everything went fine
            loaded = True

        if not loaded:
            raise Exception("Dump was not restored completely, something went wrong")

        start_addr = last_addr + 0x10
        last_addr = start_addr - 0x10
        print("Info: finished loading previous")

    if not finish:
        # Send the initial command
        write(serial, opts, "md %s %s\n" % (hex(start_addr), hex(opts.step * 4)))
        do_reset = opts.reset

    while not finish:
        #Read response
        chunk = serial.readlines()
        if opts.debug:
            print("Debug read: " + str(chunk))

        assert len(chunk) > 0

        #Remove first one, its the command that we sent
        chunk = chunk[1:]

        #Iterate each line in chunk
        for line in chunk:
            line = line.decode("ascii")

            if opts.debug:
                print("line: " + str(line))

            #Acquire new chunk by sending newline
            if line == 'MStar # ':
                if opts.debug:
                    print("Debug: detected prompt, sending newline")
                write(serial, opts, "\n")
                continue

            addr, line_data, text = parse_line(line, opts.size)

            #Check if we skipped some line
            if last_addr != addr - 0x10:
                raise Exception("Possible skip or repetition, last address 0x%x doesn't match with previous address 0x%x" % (last_addr, addr - 0x10))
            last_addr = addr

            #Check if we reach end
            if addr > opts.end:
                print("Info: Reached specified end address")
                finish = True
                break

            #Discard if not start
            if addr < opts.start:
                print("Warning: address %s is lower than start address! discarding" % addr)
                continue

            #Print current line
            hex_addr = hex(addr).upper()[2:]
            while not len(hex_addr) == 8:
                hex_addr = "0" + hex_addr
            hex_data = ""
            for line_byte in line_data:
                line_byte = hex(line_byte).upper()[2:]
                if len(line_byte) == 1:
                    line_byte = "0" + line_byte
                hex_data += " " + line_byte
            print("0x%s %s |%s|" % (hex_addr, hex_data, text))

            #Store line data and log
            data.append(bytes(line_data))
            log.write(line)
            log.flush()

        if do_reset:
            print("Info: sending reset as requested")
            write(serial, opts, "reset\n")

    return data

def main():
    # Args parse
    parser = argparse.ArgumentParser()
    parser.add_argument("port", help="Serial port of device")
    parser.add_argument("baud", type=int, help="Serial baud rate")
    parser.add_argument("start",  help="Start address in dec or hex (with 0x), must be multiple of 16")
    parser.add_argument("end", help="End address in dec or hex (with 0x), must be multiple of 16")
    parser.add_argument("--step", type=int, default=256, help="Number of lines per dump chunk")
    parser.add_argument("--size", type=int, default=67, help="Total size of each line including spaces and newlines")
    parser.add_argument("--timeout", type=float, default=0.1, help="Timeout in secs for serial")
    parser.add_argument("--previous", help="Previous log to continue from")
    parser.add_argument("--ignore-log", action='store_true', help="Previous log is not saved on new log")
    parser.add_argument('--debug', action='store_true', help='Enables debug mode')
    parser.add_argument('--reset', action='store_true', help='Sends "reset" after finishing')
    opts = parser.parse_args()

    # Args conversion
    if opts.start[0:2] == "0x":
        opts.start = int(opts.start, 16)
    else:
        opts.start = int(opts.start)
    if opts.end[0:2] == "0x":
        opts.end = int(opts.end, 16)
    else:
        opts.end = int(opts.end)

    # Args check
    if opts.start % 16 != 0:
        raise Exception("start argument is not multiple of 16")
    if opts.start < 0:
        raise Exception("start argument is too low")
    if opts.end % 16 != 0:
        raise Exception("end argument is not multiple of 16")
    if opts.end <= opts.start:
        raise Exception("end argument is too low")
    if opts.step <= 0:
        raise Exception("step argument is too low")
    if opts.size <= 0:
        raise Exception("size argument is too low")
    if opts.timeout <= 0:
        raise Exception("timeout argument is too low")
    if opts.debug:
        print("Debug mode enabled")
    name = datetime.fromtimestamp(time()).strftime("%Y-%m-%dT%H%M%S") + "_" + hex(opts.start) + "_" + hex(opts.end)

    #Prepare to dump
    serial = Serial(port=opts.port, baudrate=opts.baud, timeout=opts.timeout)
    log = open(name + ".log", "w")
    try:
        data = dump(serial, opts, log)
    except Exception as e:
        raise e
    finally:
        serial.close()
        log.close()

    #Write to file
    file = open(name + ".img", "wb")
    try:
        for line in data:
            file.write(line)
    except Exception as e:
        raise e
    finally:
        file.close()

main()

with timeout=1 and step=64

Pay attention: the 2nd parameter is not the length but the end address. So the arguments will be: 0x1d0000 0x3b0000 and 0x3b0000 0xfe0000

skylarhays commented 4 years ago

ok. much more progress this time but something is not quite right... it takes about 3 seconds before it errors out and the camera reboots.

C:\mstar>py here.py --timeout 1 --step 64 com4 115200 0x1d0000 0x3b0000
Traceback (most recent call last):
  File "here.py", line 264, in <module>
    main()
  File "here.py", line 248, in main
    raise e
  File "here.py", line 246, in main
    data = dump(serial, opts, log)
  File "here.py", line 155, in dump
    addr, line_data, text = parse_line(line, opts.size)
  File "here.py", line 16, in parse_line
    raise Exception("Line size %s doesn't match %s: %s" % (len(line), size, visible(line)))
Exception: Line size 21 doesn't match 67: 001d0000:data abort

roleoroleo commented 4 years ago

Sorry, I didn't read your message correctly. You have to execute the command with the base address where you copied the data with the sf read command. So if the sf read is:

sf read 0x21000000 0x1d0000 0x1e0000

the python program will be:

py here.py --timeout 1 --step 64 com4 115200 0x21000000 0x211e0000

If the sf read is:

sf read 0x21000000 0x3b0000 0xc30000

the python program will be:

py here.py --timeout 1 --step 64 com4 115200 0x21000000 0x21c30000

skylarhays commented 4 years ago

It appears to be running successfully now. I will share files as soon as it is complete.

skylarhays commented 4 years ago

so use this sys_h201c with what other file?

On Mon, Oct 28, 2019 at 11:03 AM roleo notifications@github.com wrote:

Ok, the rootfs is pretty much the same. Try this: ............ You should have telnet enabled.


roleoroleo commented 4 years ago

Only sys_h201c. At the moment the home partition is not modified.

skylarhays commented 4 years ago

so just put this on a sd card and put it in camera and power up? I'm not certain how to enable telnet?


skylarhays commented 4 years ago

The rest of the rootfs is still dumping. I started where the file stops in 2.log. will you need that? I will stick it in the google share folder as soon as it completes... it looks like there are a lot of FFs near the end.


roleoroleo commented 4 years ago

Put the file on sd and power up. Then use putty to connect to the cam using telnet (not ssh). This operation is dangerous and the camera may no longer start. I did my best but I can't assure you that it works.

Yes, I need the 2nd dump because it contains the home partition: the most important part of the system.

--- EDIT ---

Or... if telnet works we can dump the flash from the shell.

skylarhays commented 4 years ago

ok the last part of the rootfs is in the google drive folder. I will try to flash the camera later tonight when I get home.

roleoroleo commented 4 years ago

I prepared the home partition also. Let me know if sys loads correctly. After this, I will send the full hack.

skylarhays commented 4 years ago

Ok will do. Hopefully my cam doesn't get bricked. It will be later this evening before I can try. I will post an update tonight.


skylarhays commented 4 years ago

It successfully flashed the sys_h201c; I watched it over serial with putty. What IP do I connect to with telnet?

skylarhays commented 4 years ago

Telnet is working! I have a login prompt! Login info?

roleoroleo commented 4 years ago

User is root without password. Before trying the new files, make a backup copy of the entire flash. Insert a SD card and execute dd:

dd if=/dev/mtd0 of=/tmp/sd/mtd0.bin
dd if=/dev/mtd1 of=/tmp/sd/mtd1.bin
dd if=/dev/mtd2 of=/tmp/sd/mtd2.bin
dd if=/dev/mtd3 of=/tmp/sd/mtd3.bin
dd if=/dev/mtd4 of=/tmp/sd/mtd4.bin
dd if=/dev/mtd5 of=/tmp/sd/mtd5.bin

skylarhays commented 4 years ago

dd doesn't seem to work, I get this:

MStar # dd if=/dev/mtd0 of=/tmp/sd/mtd0.bin
Unknown command 'dd' - try 'help'

I have 3 of these cameras. I will get a dump from one of them before flashing. I went ahead and flashed. IT WORKS! Telnet, ssh, and web access. Thanks so much for putting in the effort of making this happen on a camera you don't own. There will be quite a few people happy this is going to finally be available. If you know what I'm doing wrong with dd let me know so I can get a full backup of one of these cameras before I flash my other 2. Thanks again!


roleoroleo commented 4 years ago

You have to run dd on a linux shell and not on uboot shell.

  1. Load the 1st sys_h201c that I sent you (only sys, not home)
  2. Login with telnet
  3. Execute dd

But you must use another camera to have a "real" backup.
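
The backup step from the Linux shell described above, as an added example that is not part of the original thread: it reads the partition list from /proc/mtd instead of hard-coding mtd0 to mtd5, and checks each copy's size and checksum against the device before anything is flashed. It assumes the firmware's BusyBox provides dd, wc and cksum and that the SD card is mounted at /tmp/sd as in the commands above; the name backup_mtd is hypothetical.

```shell
#!/bin/sh
# Added example: dump every MTD partition listed in /proc/mtd and verify each copy.
# usage: backup_mtd PROC_MTD DEV_DIR OUT_DIR   (hypothetical helper name)
backup_mtd() {
    proc_mtd=$1; dev_dir=$2; out_dir=$3
    failed=0; count=0
    if [ ! -d "$out_dir" ] || [ ! -w "$out_dir" ]; then
        echo "output directory $out_dir missing or read-only (SD card mounted?)" >&2
        return 2
    fi
    # /proc/mtd lines look like: mtd0: <size hex> <erasesize hex> "<name>"
    while read -r dev size _erase _name; do
        case "$dev" in
            mtd[0-9]*:) ;;
            *) continue ;;            # skip the header line
        esac
        dev=${dev%:}
        src="$dev_dir/$dev"; out="$out_dir/$dev.bin"
        want=$((0x$size))             # partition size in bytes
        count=$((count + 1))
        if ! dd if="$src" of="$out" bs=65536 2>/dev/null; then
            echo "FAIL $dev: dd error" >&2; failed=1; continue
        fi
        got=$(( $(wc -c < "$out") ))
        if [ "$got" -ne "$want" ]; then
            echo "FAIL $dev: copied $got bytes, /proc/mtd says $want" >&2
            failed=1; continue
        fi
        # Re-read the device and compare checksums with the copy on the card
        if [ "$(cksum < "$src")" != "$(cksum < "$out")" ]; then
            echo "FAIL $dev: checksum mismatch" >&2; failed=1; continue
        fi
        echo "OK   $dev $got bytes -> $out"
    done < "$proc_mtd"
    if [ "$count" -eq 0 ]; then
        echo "no mtd partitions found in $proc_mtd" >&2
        return 2
    fi
    return "$failed"
}

# On the camera: sh backup_mtd.sh /proc/mtd /dev /tmp/sd
if [ "$#" -eq 3 ]; then
    backup_mtd "$1" "$2" "$3"
fi
```

A non-zero exit status means at least one partition copy is short, unreadable or differs from the device, so the backup should be repeated before flashing.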