Boot process
Some notes about the boot process: it starts with /etc/init.d, running all the scripts there.
The first really interesting one is /etc/init.d/S90start:
loads /iray_app/huamian (seems to be some kind of JPEG decoder)
loads a bunch of kernel modules
optionally configures the USB UVC webcam mode
then runs /hisi_ko/load3516dv300 (bash script), which loads a bunch more kernel modules.
On my camera (without visible light camera), the command line
./load3516dv300 -i -senor0 gc2145 -sensor1 rtd2121w -osmem 256 -yuv0 3
is used.
Notice the typo in "-senor0" at the visible light camera. Very strange.
It will then run /iray_app/iray-hisi-camera (in the background), which is the actual QT camera application.
UVC webcam mode
I have enabled
export uvc_sd=1
on my camera, which actually leads to a UVC device being enumerated.
Unfortunately, connecting to it using OBS, VLC, etc. will result in a single frame of video and then stops.
I have played around with the YUV, MJPEG and H264 settings, buffer sizes, etc. but nothing changes the behaviour.
/iray_app/uvc_app.conf
also has a bunch of configuration parameters related to the webcam mode, but again, I wasn't able to get a properly working config there.
Camera settings / video recording
The camera seems to store its settings in /iray_ko/iray_m.ini, which has a bunch of the user-defined configuration parameters (like the palettes, image auto-save, emissivity, etc.).
Sadly, I didn't yet find the flag responsible for allowing video recording.
Kernel hacking
I've also extracted the device-tree from /proc/device-tree (just to take a look at settings like the USB dwc3 mode, which is currently set to peripheral), so no easy way to connect USB devices (like a WiFi dongle or NIC) to the USB-C port.
I chroot'ed into an ArchLinux ARM userland on an SD card:
I found the repo
https://github.com/cijliu/linux, which is the same 4.9.37 kernel used on the camera, with the fitting HiSilicon board support.
After fixing some -fcommon bugs (due to my modern host toolchain), I was able to compile that kernel using
https://releases.linaro.org/components/toolchain/binaries/6.3-2017.05/arm-linux-gnueabi/ .
I wasn't able to boot my custom kernel (most likely due to differences in the device tree or configs), but I was able to load modules from my kernel, which is very nice:
# Load the USB gadget function modules built from the custom kernel tree
insmod u_ether.ko
insmod u_serial.ko
insmod usb_f_acm.ko
insmod usb_f_ecm.ko
insmod usb_f_ecm_subset.ko
insmod usb_f_mass_storage.ko
insmod usb_f_obex.ko
insmod usb_f_rndis.ko
insmod usb_f_serial.ko
insmod usb_f_uvc.ko

# Mount configfs and describe the gadget (IDs and strings)
mount -t configfs none /sys/kernel/config/
CONFIGFS_HOME=/sys/kernel/config
GADGET_NAME="l4t"
VID="0x0955"
PID="0x7020"
SERIAL="no-serial"
MANUF="RR"
PRODUCT="RR gadget"
mkdir -p "$CONFIGFS_HOME/usb_gadget/$GADGET_NAME"
cd "$CONFIGFS_HOME/usb_gadget/$GADGET_NAME"
echo "$VID" > idVendor
echo "$PID" > idProduct
mkdir strings/0x409
echo "$SERIAL" > strings/0x409/serialnumber
echo "$MANUF" > strings/0x409/manufacturer
echo "$PRODUCT" > strings/0x409/product

# One configuration (c.1) carrying a single ECM (USB Ethernet) function
CFG="c.1"
CFG_STR="ECM"
mkdir -p "configs/$CFG"
FUNC_NAME="ecm"
INSTANCE_NAME="usb0"
FUNC="functions/$FUNC_NAME.$INSTANCE_NAME"
mkdir -p "$FUNC"
# Fixed MAC addresses for the host side and the device side of the link
mac_ecm_h="7a:68:46:2f:bd:aa"
mac_ecm_d="7a:68:46:2f:bd:ab"
echo "$mac_ecm_h" > "$FUNC/host_addr"
echo "$mac_ecm_d" > "$FUNC/dev_addr"
ln -sf "$FUNC" "configs/$CFG"
mkdir -p "configs/$CFG/strings/0x409"
echo "$CFG_STR" > "configs/$CFG/strings/0x409/configuration"

# Bind the gadget to the USB device controller, which makes it enumerate on the host
UDC_DEV=`ls /sys/class/udc`
echo "$UDC_DEV" > UDC

# Bring up usb0 on the camera; the attached computer is the gateway at 172.16.0.1
ip link set usb0 up
ip addr add 172.16.0.2/24 dev usb0
ip route add 0.0.0.0/0 via 172.16.0.1
echo "nameserver 8.8.8.8" > /etc/resolv.conf
and then we expose a new usb0 network interface over to the computer and we have internet connectivity on the camera (provided that the attached computer does NAT/routing).
I was able to start the (already installed) lighttpd webserver, there's a start script for it in /iray_sh/http.sh, but it also tries to set up WiFi and stuff.
I ran
lighttpd -f /lighthttp/config/lighttpd.conf
(this exposes the partition with all the images on the SD card, pretty useful)
Modding the device tree and either adding an SDIO card with a WiFi chipset or switching the USB dwc3 controller mode to host would probably allow us to have network connectivity permanently, which would be very nice.
Framebuffer
Someone mentioned DOOM, so I've had a quick look: /dev/fb0 seems to be magically overlaid/mixed with the hardware video signal.
It contains RGBA8888 data and the alpha channel is actually used. I dumped /dev/fb0 into a file and opened it using GIMP:
So the fb0 just contains the overlay/GUI, no video data for us to extract sadly.
Modding without the serial port
I was actively looking for some backdoor / other method of getting into the device without soldering an RS232 serial to it.
Sadly, so far I didn't find anything super simple in any of the scripts.
One of the binaries (ELF/Linux/armv7) contains references to an update .zip file and has some paths related to that.
My binary reverse engineering skills aren't sufficient to try and understand how to give it a useful "update", I think, but there might be a way in.
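Added example, not part of the original post: a scripted alternative to opening the /dev/fb0 dump from the Framebuffer section in GIMP, which strips row padding, normalises the channel order, reports how much of the screen the overlay covers, and writes a PNG that keeps the alpha channel. The function names are hypothetical; width, height and stride are assumed to come from /sys/class/graphics/fb0/virtual_size and /sys/class/graphics/fb0/stride, and the "BGRA" option is an assumption for drivers that store 32-bit pixels in that byte order (the post itself reports RGBA8888).

```python
import struct
import zlib

def fb_to_rgba_rows(raw, width, height, stride=None, order="RGBA"):
    """Return `height` rows of width*4 bytes each, normalised to R,G,B,A."""
    stride = stride or width * 4
    if stride < width * 4:
        raise ValueError("stride is smaller than one row of pixels")
    if len(raw) < stride * (height - 1) + width * 4:
        raise ValueError("dump is shorter than width/height/stride imply")
    src = [order.index(c) for c in "RGBA"]  # byte offset of each channel
    rows = []
    for y in range(height):
        line = raw[y * stride:y * stride + width * 4]  # drop row padding
        out = bytearray(width * 4)
        for dst, off in enumerate(src):
            out[dst::4] = line[off::4]
        rows.append(bytes(out))
    return rows

def alpha_coverage(rows):
    """Fraction of pixels with non-zero alpha (where the GUI overlay draws)."""
    alphas = b"".join(r[3::4] for r in rows)
    return sum(1 for a in alphas if a) / len(alphas)

def _chunk(tag, data):
    """One PNG chunk: length, tag, data, CRC32 over tag + data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

def rows_to_png(rows, width, height):
    """Encode RGBA rows as an 8-bit RGBA PNG (colour type 6, filter type 0)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    scan = b"".join(b"\x00" + r for r in rows)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scan)) + _chunk(b"IEND", b""))

# Constructed 2x2 sample stored as B,G,R,A with 4 padding bytes per row (stride 12).
SAMPLE = (bytes([0, 0, 255, 255, 0, 0, 0, 0]) + b"\xaa" * 4
          + bytes([0, 255, 0, 128, 255, 0, 0, 255]) + b"\xaa" * 4)

if __name__ == "__main__":
    rows = fb_to_rgba_rows(SAMPLE, 2, 2, stride=12, order="BGRA")
    print("overlay coverage:", alpha_coverage(rows))
    with open("fb0_sample.png", "wb") as f:
        f.write(rows_to_png(rows, 2, 2))
```

If the colours in the resulting PNG look swapped, the dump is in the other byte order; a stride larger than width*4 shows up as a sheared image when it is ignored.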