EEVblog Electronics Community Forum
Products => Thermal Imaging => Topic started by: elektropaul on December 16, 2020, 11:30:08 am
-
Hey there,
recently i got a thermal camera from ebay. According to my research it was made by BAE although i am not sure about the exact model of the sensor. The sad thing is, that it is out of focus and i don't know the serial protocol to set the focus. So i tried a few like VISCA and Pelco-D with different baudrates but without success. Also on the internet i found some other protocols specific to thermal cameras from BAE but i didn't succeed using them. It would be really interesting to understand the protocol that it is speaking. I thought the best to do would be to read the firmware out of the flash memory and analyze it. So i traced the RS-422 connection to an converter IC and i found the Microcontroller and the Flash memory. However its surfacemounted with the pins on the bottom. It has a lot of test points on the board however i wasn't able yet to find out which ones are responsible for the memory. Also there is a 2x6 Header with Power, Ground and kind of a clock signal on it. Somehow the manufacturer must have uploaded the firmware too, so my current best guess is to look at this header and understand what it is doing.
So the Mircoprocessor is a NEC VR4131 and the flash memory is labeled 128J3F75. Because i am new to this kind of thing but i want to learn more about reverse engineering i wanted to ask you if somebody has some experience with his stuff. What protocol should i expect between the memory and the Microprocessor? And can i grab it directly with my usb-logic analyzer or do i need amplification of some kind?
I will attach a screenshot of the clock signal and some photographs of the PCB.
To understand the 6-pin header i disconnected the board from everything else powered it with 3.3V and attached my USB-Logic Analyser to every pin of the header. Although only on one pin there is a clock-like signal the other pins don't give anything, but i was expecting watching it accessing it's memory, which doesn't seem to be the case. Also the signal that i interpret as a clock is pausing with a frequency of about 15Hz. Does that make sense?
-
Debug pins could be jtag....
If you're interested in hardware hacking then this would be a great tool: http://www.grandideastudio.com/jtagulator/ (http://www.grandideastudio.com/jtagulator/)
EDIT:
Search for JTAG in this document: http://datasheets.chipdb.org/NEC/Vr-Series/Vr43xx/U10504EJ7V0UMJ1.pdf (http://datasheets.chipdb.org/NEC/Vr-Series/Vr43xx/U10504EJ7V0UMJ1.pdf)
-
And did you see this: https://www.eevblog.com/forum/thermal-imaging/help-cloning-flash-memory/ (https://www.eevblog.com/forum/thermal-imaging/help-cloning-flash-memory/)
-
From memory that appears to be a BAE SCC500 QVGA core.
You are correct, it does not use common camera control commands. These cores are controlled via RS422 or RS485 using their own unique command strings. The instruction set is ‘in the wild’ but I doubt that it will be found on any public sites as it is part of a controlled document set.
Extracting the commands from the cores firmware may be possible but would likely be quite a task. What is it that you are trying to control or change in the core please ? Before you say “everything” you should know that it is unlikely that anyone can share the complete command set for this core.
Fraser
-
good luck. I got the complete instruction set documentation for the cores I have (thermoteknix MIRICLE) from a forum member. However the serial read is bridged to ground somehwere and doesn't read my commands. I do see the welcome and version of the camera tho, as well as a message when I set the wrong baud rate. It's the biggest roadblock for me and I have given up on it a while ago -hoping to eventually get the chance to solve the issue and unlock full digital access to my cameras.
-
Elekropaul,
What was the core originally used in ? Was it remote controlled or part of a self contained product such as a fire fighting camera ? If it was a remote controlled product such as a Security camera it is sometimes possible to extract part of the cores instruction set from the hosts firmware/software or by monitoring commands coming from the host PCB/embedded computer/Computer.
Fraser
-
It was used as a security camera before, but sadly i only have the camera itself and not any other components of the system it was used in before. I am just interested in zooming and focusing basically. Just the standards maybe adjusting the exposure, shuttering, nothing too fancy. I will proceed looking into JTAG and see if i can get a connection running. Probably need to guess the pinout. Is there any recommendable software for checking a jtag connection on Linux?
-
Zoom(if any) and focussing are usually just functions of the lens. Which very rarely gets driven by the camera core. what does the lens assembly look like for this camera core?
-
Thank you all for your fast answers!
@ Vipitis So there is a separate board to control focus and zoom. The serial port on the camera is directly connected to the camera core. There is no direct connection to the zooming/focusing board. In fact the board is connected over serial TTL connection on pin 1,2 of the small 10-Pin connector of the camera core that is labeled J1.