Vevor SC240N / TopDon TC004 / InfiRay C200 / Hisilicon HI3516DV300
Manawyrm:
Hey,
after a recent video by Marco Reps, I grabbed one of those cheap InfiRay cameras.
They boot Linux on a Hisilicon SoC, which makes them a bit of an interesting target for tinkering.
I got the SC240N-variant, without the visible-light camera (and thus without video recording capability).
This camera also doesn't support USB/UVC webcam, although the seemingly identical TC004 does.
Marco has a teardown at the end of the video, so no real need for pictures here, I think.
First observations:
Serial port on the board, J16.
Actual RS232 levels, not a UART! With negative voltages, inverted signal level and everything!
--- Code: ---1 gnd
2 tx
3 rx
4 ??? probably also gnd
5 ???
6 ???
--- End code ---
Bootlog is attached.
U-Boot can be aborted and has a shell (pretty fully featured).
Parts of the env:
--- Code: ---bootargs=mem=256M console=ttyAMA0,115200 root=/dev/mmcblk0p3 rw rootfstype=ext4 rootwait blkdevparts=mmcblk0:1M(boot),4M(kernel),150M(rootfs)
bootcmd=mmc read 0x0 0x81000000 0x800 0x2000;mmc read 0x0 0x82000000 0x680 0x80;mmc read 0 0xb8300000 0x700 0x80;mmc read 0 0x83000000 0x780 0x80;decjpg 0;startvo 0 2048 42;startvl 0 0xb8100000 256 0 0 240 320;bootm 0x81000000
soc=hi3516dv300
stderr=serial
--- End code ---
Let's dump the firmware before we break anything. We sadly can't do the same trick with uboot as optotester did for his i.MX-based imagers, so let's boot into Linux and use dd:
--- Code: ---setenv bootargs init=/bin/sh mem=256M console=ttyAMA0,115200 root=/dev/mmcblk0p3 rw rootfstype=ext4 rootwait blkdevparts=mmcblk0:1M(boot),4M(kernel),150M(rootfs)
boot
--- End code ---
(Same bootargs, just with init=/bin/sh.)
This drops us into a shell.
I copied the firmware using
--- Code: ---dd if=/dev/mmcblk0 of=/dev/mmcblk1 bs=8M
--- End code ---
to the SD card (this wipes the SD card of course).
So, what can we learn for now?
- Linux 4.9.37
- Hisilicon HI3516DV300
- u-boot doesn't have SD support, only eMMC (or the device tree is misconfigured, etc. mmc list only shows the eMMC)
- 8 GiB eMMC, 256 MiB DRAM
- stock kernel has r8152, usb-storage and WiFi modules (8189fs.ko SDIO).
- lighttpd (webserver!) installed
- ext4 root FS is mounted read/write in operation. There's a good chance this device will kill itself over time with this.
- hostapd, etc. is also installed, maybe there's a chance to get this thing using network or even WiFi with USB-OTG.
So far I haven't seen a way "in" yet, without using an RS232 serial.
Cracked the root password:
--- Code: ---0SV1EYeeHloi.:iraytek
--- End code ---
Used the u-boot/bootargs trick again to edit the /etc/inittab with vi and added:
--- Code: ---::respawn:/sbin/getty 115200 ttyAMA0
--- End code ---
and was then greeted by a root shell:
8)
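An added example, not part of the original post: it turns the `blkdevparts` and `bootcmd` values quoted above into byte offsets, so each boot-time `mmc read` can be located inside the `dd` image of `/dev/mmcblk0`. The 512-byte block size and the argument order `mmc read <dev> <addr> <blk#> <cnt>` are assumptions, and the function names are made up for this illustration.

```python
import re

# Values copied from the U-Boot environment quoted in the post.
BOOTARGS = ("mem=256M console=ttyAMA0,115200 root=/dev/mmcblk0p3 rw "
            "rootfstype=ext4 rootwait "
            "blkdevparts=mmcblk0:1M(boot),4M(kernel),150M(rootfs)")
BOOTCMD = ("mmc read 0x0 0x81000000 0x800 0x2000;"
           "mmc read 0x0 0x82000000 0x680 0x80;"
           "mmc read 0 0xb8300000 0x700 0x80;mmc read 0 0x83000000 0x780 0x80;"
           "decjpg 0;startvo 0 2048 42;"
           "startvl 0 0xb8100000 256 0 0 240 320;bootm 0x81000000")
SECTOR = 512  # assumption: block size that "mmc read" counts in
UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_blkdevparts(bootargs):
    """Return [(name, start_byte, size_bytes)] from blkdevparts=."""
    m = re.search(r"blkdevparts=\w+:(\S+)", bootargs)
    if not m:
        raise ValueError("no blkdevparts= in bootargs")
    parts, offset = [], 0
    for size, unit, name in re.findall(r"(\d+)([KMG])\((\w+)\)", m.group(1)):
        nbytes = int(size) * UNITS[unit]
        parts.append((name, offset, nbytes))
        offset += nbytes
    return parts

def parse_mmc_reads(bootcmd):
    """Return [(load_addr, start_byte, size_bytes)] per 'mmc read'.
    Assumed argument order: mmc read <dev> <addr> <blk#> <cnt>."""
    reads = []
    for cmd in bootcmd.split(";"):
        tok = cmd.split()
        if tok[:2] == ["mmc", "read"] and len(tok) == 6:
            _dev, addr, blk, cnt = (int(t, 0) for t in tok[2:])
            reads.append((addr, blk * SECTOR, cnt * SECTOR))
    return reads

def map_reads(bootargs=BOOTARGS, bootcmd=BOOTCMD):
    """Name the partition each boot-time read lies in (None = outside)."""
    parts = parse_blkdevparts(bootargs)
    return [(hex(addr), hex(start), size,
             next((n for n, p0, psz in parts
                   if p0 <= start and start + size <= p0 + psz), None))
            for addr, start, size in parse_mmc_reads(bootcmd)]

if __name__ == "__main__":
    for row in map_reads():
        print(row)
```

Under those assumptions the first read covers exactly the 4 MiB kernel partition, and the three 64 KiB reads sit in the last 192 KiB of the boot partition.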
Fraser:
Interesting work. Thanks :-+
Fraser
nsa666:
Adding Video-Recording and UVC would be great. Can you launch another control app from sd?
Manawyrm:
Boot process
Some notes about the boot process: it starts with /etc/init.d, running all the scripts there.
The first really interesting one is /etc/init.d/S90start:
- loads /iray_app/huamian (seems to be some kind of JPEG decoder)
- loads a bunch of kernel modules
- optionally configures the USB UVC webcam mode
- then runs /hisi_ko/load3516dv300 (bash script), which loads a bunch more kernel modules.
On my camera (without visible-light camera), the command line
--- Code: ---./load3516dv300 -i -senor0 gc2145 -sensor1 rtd2121w -osmem 256 -yuv0 3
--- End code ---
is used.
Notice the typo in "-senor0" at the visible light camera. Very strange.
It will then run /iray_app/iray-hisi-camera (in the background), which is the actual QT camera application.
UVC webcam mode
I have enabled
--- Code: ---export uvc_sd=1
--- End code ---
on my camera, which actually leads to a UVC device being enumerated.
Unfortunately, connecting to it using OBS, VLC, etc. will result in a single frame of video, and then it stops.
I have played around with the YUV, MJPEG and H264 settings, buffer sizes, etc. but nothing changes the behaviour.
--- Code: ---/iray_app/uvc_app.conf
--- End code ---
also has a bunch of configuration parameters related to the webcam mode, but again, wasn't able to get a properly working config there.
Camera settings / video recording
The camera seems to store its settings in
--- Code: ---/iray_ko/iray_m.ini
--- End code ---
, which has a bunch of the user-defined configuration parameters (like the palettes, image auto-save, emissivity, etc.).
Sadly, I didn't yet find the flag responsible for allowing video recording.
Kernel hacking
I've also extracted the device-tree from /proc/device-tree (just to take a look at settings like the USB dwc3 mode, which is currently set to peripheral), so no easy way to connect USB devices (like a WiFi dongle or NIC) to the USB-C port.
I chroot'ed into an ArchLinux ARM userland on an SD card.
I found the repo https://github.com/cijliu/linux, which is the same 4.9.37 kernel used on the camera, with the fitting HiSilicon board support.
After fixing some -fcommon bugs (due to my modern host toolchain), I was able to compile that kernel using https://releases.linaro.org/components/toolchain/binaries/6.3-2017.05/arm-linux-gnueabi/ .
I wasn't able to boot my custom kernel (most likely due to differences in the device tree or configs), but I was able to load modules from my kernel, which is very nice:
--- Code: ---insmod u_ether.ko
insmod u_serial.ko
insmod usb_f_acm.ko
insmod usb_f_ecm.ko
insmod usb_f_ecm_subset.ko
insmod usb_f_mass_storage.ko
insmod usb_f_obex.ko
insmod usb_f_rndis.ko
insmod usb_f_serial.ko
insmod usb_f_uvc.ko
mount -t configfs none /sys/kernel/config/
CONFIGFS_HOME=/sys/kernel/config
GADGET_NAME="l4t"
VID="0x0955"
PID="0x7020"
SERIAL="no-serial"
MANUF="RR"
PRODUCT="RR gadget"
mkdir -p "$CONFIGFS_HOME/usb_gadget/$GADGET_NAME"
cd "$CONFIGFS_HOME/usb_gadget/$GADGET_NAME"
echo "$VID" > idVendor
echo "$PID" > idProduct
mkdir strings/0x409
echo "$SERIAL" > strings/0x409/serialnumber
echo "$MANUF" > strings/0x409/manufacturer
echo "$PRODUCT" > strings/0x409/product
CFG="c.1"
CFG_STR="ECM"
mkdir -p "configs/$CFG"
FUNC_NAME="ecm"
INSTANCE_NAME="usb0"
FUNC="functions/$FUNC_NAME.$INSTANCE_NAME"
mkdir -p "$FUNC"
mac_ecm_h="7a:68:46:2f:bd:aa"
mac_ecm_d="7a:68:46:2f:bd:ab"
echo "$mac_ecm_h" > "$FUNC/host_addr"
echo "$mac_ecm_d" > "$FUNC/dev_addr"
ln -sf "$FUNC" "configs/$CFG"
mkdir -p "configs/$CFG/strings/0x409"
echo "$CFG_STR" > "configs/$CFG/strings/0x409/configuration"
UDC_DEV=`ls /sys/class/udc`
echo "$UDC_DEV" > UDC
ip link set usb0 up
ip addr add 172.16.0.2/24 dev usb0
ip route add 0.0.0.0/0 via 172.16.0.1
echo "nameserver 8.8.8.8" > /etc/resolv.conf
--- End code ---
and then we expose a new usb0 network interface over to the computer and we have internet connectivity on the camera (provided that the attached computer does NAT/routing).
I was able to start the (already installed) lighttpd webserver. There's a start script for it in /iray_sh/http.sh, but it also tries to set up WiFi and stuff.
I ran
--- Code: ---lighttpd -f /lighthttp/config/lighttpd.conf
--- End code ---
(this exposes the partition with all the images on the SD card, pretty useful)
Modding the device tree and either adding an SDIO card with a WiFi chipset or switching the USB dwc3 controller mode to host would probably allow us to have network connectivity permanently, which would be very nice.
Framebuffer
Someone mentioned DOOM, so I've had a quick look: /dev/fb0 seems to be magically overlaid/mixed with the hardware video signal.
It contains RGBA8888 data and the alpha channel is actually used. I dumped /dev/fb0 into a file and opened it using GIMP:
So the fb0 just contains the overlay/GUI, no video data for us to extract sadly.
Modding without the serial port
I was actively looking for some backdoor / other method of getting into the device without soldering an RS232 serial to it.
Sadly, so far I didn't find anything super simple in any of the scripts.
One of the binaries (ELF/Linux/armv7) contains references to an update .zip file and has some paths related to that.
My binary reverse engineering skills aren't sufficient to try and understand how to give it a useful "update", I think, but there might be a way in.
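An added example, not part of the original post: a standard-library converter for the RGBA8888 `/dev/fb0` dump described in the Framebuffer section, which keeps the alpha channel and reports how much of the screen the GUI overlay covers. Width, height and bytes per line are not given in the thread and have to be read from the device (for instance from `/sys/class/graphics/fb0/virtual_size` and `stride`); the byte order within a pixel is likewise an assumption, and the sample data is constructed.

```python
import struct
import zlib

# Constructed 2x2 sample with 4 padding bytes per line (stride 12), not device data.
SAMPLE = (bytes([255, 0, 0, 255, 0, 0, 0, 0]) + b"\0" * 4 +
          bytes([0, 255, 0, 128, 0, 0, 0, 0]) + b"\0" * 4)

def _chunk(tag, data):
    """One PNG chunk: length, tag, data, CRC32 over tag+data."""
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data)))

def fb_to_png(raw, width, height, stride=None, bgra=False):
    """Encode a raw 32-bit framebuffer dump as an RGBA PNG, alpha kept.
    stride = bytes per line (can exceed width*4); bgra swaps R and B for
    drivers that store blue first. Both must be checked on the device."""
    stride = stride or width * 4
    if len(raw) < stride * height:
        raise ValueError("dump shorter than stride*height: wrong geometry?")
    rows = bytearray()
    for y in range(height):
        line = bytearray(raw[y * stride:y * stride + width * 4])
        if bgra:
            line[0::4], line[2::4] = line[2::4], line[0::4]
        rows += b"\x00" + line  # PNG filter type 0 (None) for each scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(rows))) + _chunk(b"IEND", b""))

def alpha_coverage(raw, width, height, stride=None):
    """Fraction of pixels with non-zero alpha, i.e. where the GUI draws."""
    stride = stride or width * 4
    drawn = sum(1 for y in range(height)
                for a in raw[y * stride + 3:y * stride + width * 4:4] if a)
    return drawn / (width * height)

if __name__ == "__main__":
    with open("fb0_sample.png", "wb") as fh:
        fh.write(fb_to_png(SAMPLE, 2, 2, stride=12))
    print("overlay coverage:", alpha_coverage(SAMPLE, 2, 2, stride=12))
```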
Manawyrm:
--- Quote from: nsa666 on May 18, 2023, 01:54:27 pm ---Can you launch another control app from sd?
--- End quote ---
You can do pretty much anything, yes. Not sure how/where you'd find a compatible control app to run on this device, though.
Getting a firmware dump from a SC240M (with video recording, etc.) would probably be pretty interesting, but they're out of stock unfortunately.