I recently came across a Wowme U300Q car camera on an auction at aukro.cz . At first glance, it seemed like a promising piece of tech, but after trying to use it, I quickly realized there was a major flaw—it didn’t rotate recorded files and it was not just an issue with my piece, also reviews confirmed it as a global problem. For anyone familiar with dash cams, this is a critical issue because, without rotating files, the camera quickly runs out of storage and stops recording.

The Initial Problem: A Broken Camera

When I first set up the Wowme U300Q, I was hopeful. The hardware looked solid, and the camera itself seemed well-built. However, after some time of recording, it would crash randomly. When I checked the files, I noticed it stopped recording a while ago – there were no recordings with recent timestamp. The camera would blink indicating recording, running recording timer, but no files would be saved.

Exploring the Device

After connecting it to my PC, I ran some basic diagnostics. I used the lsusb and found it is identifying as Google device:

$ lsusb
...
Bus 002 Device 007: ID 18d1:0002 Google Inc.
...

So I tried adb shell and voila!

$ adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully


BusyBox v1.27.2 () built-in shell (ash)

------run profile file-----
 _____  _              __     _
|_   _||_| ___  _ _   |  |   |_| ___  _ _  _ _
  | |   _ |   ||   |  |  |__ | ||   || | ||_'_|
  | |  | || | || _ |  |_____||_||_|_||___||_,_|
  |_|  |_||_|_||_|_|  Tina is Based on OpenWrt!
 ----------------------------------------------
 Tina Linux (Neptune, 5C1C9C53)
 ----------------------------------------------
root@tina:/# 

I poked around the device a bit and discovered that it was running on an Allwinner chipset—something that could be worked with.

root@tina:/# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00100000 00001000 "uboot"
mtd1: 002c0000 00001000 "boot"
mtd2: 00ae0000 00001000 "rootfs"
mtd3: 00080000 00001000 "overlay"
mtd4: 00020000 00001000 "env"
mtd5: 00020000 00001000 "bootlogo"
mtd6: 00010000 00001000 "private"
mtd7: 00090000 00001000 "UDISK"
root@tina:/# mount 
/dev/root on /squashfs type squashfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=40552k,nr_inodes=10138,mode=755)
/proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
sys on /sys type sysfs (rw,relatime)
/dev/root on /squashfs type squashfs (ro,relatime)
/dev/mtdblock3 on /overlay type jffs2 (rw,relatime)
overlay on / type overlay (rw,relatime,lowerdir=/squashfs,upperdir=/overlay/upperdir,workdir=/overlay/workdir)
tmpfs on /run type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
/dev/mtdblock7 on /mnt/UDISK type jffs2 (rw,relatime)
/dev/mmcblk0 on /mnt/extsd type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/pts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
none on /sys/kernel/config type configfs (rw,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
none on /sys/kernel/debug type debugfs (rw,relatime)
root@tina:/# cat /proc/cpuinfo 
processor	: 0
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 31.57
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 1
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 31.57
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

Hardware	: sun8iw16
Revision	: 0000
Serial		: 0000000000000000

Firmware backup

To dive deeper into the device, I needed to back up the firmware for case when something went wrong. Fortunately, there was a useful method to back up Allwinner devices using a special SD card image. This process was outlined on the Linux Sunxi wiki: Boot into FEL mode and then backup over USB. All went smooth and I saved 4MB flash binary.

Main binary

Now I was ready to do some experiments. I have found out that the main process handling everything is called /usr/bin/sdvcam .

So to gather some logs which would persist over reboot, I run it like this:

root@tina:/# /usr/bin/sdvcam >/mnt/UDISK/app.out 2>/mnt/UDISK/app.err &

I let it run until it crashed. Then I started to inspect the logs.

W0905 21:17:46.511580  1781 main_recorder.cpp:610]          <InitRecorder> m_filename is /mnt/extsd/video/20240905_211746.mp4
E0905 21:17:46.512944  1781 main_recorder.cpp:630]          <InitRecorder> record time: 120000, bitrate: 10485760,file allocate size 173015040
E0905 21:17:46.514299  1781 recorder.cpp:831]               <allocRecorderFile> allocRecorderFile rename file name ,file name /mnt/extsd/video/20240905_211746.mp4
E0905 21:17:46.515655  1781 recorder.cpp:841]               <allocRecorderFile> ReNameFilelen 0,filenamelen 36
E0905 21:17:46.533033  1781 recorder.cpp:855]               <allocRecorderFile> fatal error! Failed to fallocate size 173015040, (No space left on device)
E0905 21:17:46.535569  1781 recorder.cpp:858]               <allocRecorderFile> allocate file success
E0905 21:17:46.541994  1781 VideoEnc_Component.c:4128]      <VideoEncSaveBSFile> user set the same SaveBSFile => filename:, enable:0, start_time:0, end_time:0
E0905 21:17:46.543442  1781 VideoEnc_Component.c:4163]      <VideoEncUpdateProcSet> user set the same VeProcSet => enable:1, freq:30, BTTime:1000, FRTime:1000
E0905 21:17:46.591112  1936 TextEnc_Component.c:46]         <TextComponentThread> TextEncoder TextEncComponentThread start run...
E0905 21:17:46.594789  1936 TextEnc_Component.c:396]        <TextComponentThread> TextEnc_Comp not ind StateExecuting
W0905 21:17:46.596601  1781 VideoEnc_Component.c:1824]      <CedarvVideoEncInit> user set invalid gopSize[0], use idr interval[30] as default.
W0905 21:17:46.618526  1781 preview_window.cpp:1307]        <Update> handle msg:20
W0905 21:17:46.619169  1802 EyeseeRecorder.cpp:1923]        <dataCallbackTimestamp> avsync_drp:-1-690215240-0-1920-1080
W0905 21:17:46.620746  1781 preview_window.cpp:1459]        <Update> [habo]--->start to record !!!!
W0905 21:17:46.623062  1781 preview_window.cpp:1215]        <RecordStatusTimeUi> ---RecordStatusTimeUi mstart = 1 
E0905 21:17:46.624222  1781 status_bar_window.cpp:467]      <RecordStatusTimeUi> mstart: 1
W0905 21:17:46.653061  1802 VideoEnc_Component.c:5101]      <VideoEncEmptyThisBuffer> avsync_first video frame pts[690254632]us,tm1[690255447]us, vSize[1920x1080]
W0905 21:17:46.664505  1781 newPreview.cpp:2158]            <TakePicforVideothumb> p_CamId: 0
W0905 21:17:46.667140  1781 camera.cpp:1544]                <TakePicture> do take picture chn: 1 main_enc_chn_:0 sub_enc_chn_:1
W0905 21:17:46.669394  1781 preview_window.cpp:1307]        <Update> handle msg:2314
E0905 21:17:46.678493  1781 osd_manager.cpp:1166]           <AttchCarIdRegion> record 0 region_id 1
E0905 21:17:46.693383  1781 newPreview.cpp:1037]            <HandleGUIMessage> PREVIEW_RECORD_BUTTON end
E0905 21:17:46.695008  1781 newPreview.cpp:1039]            <HandleGUIMessage> PREVIEW_RECORD_BUTTON msg status is done,set msg status false
E0905 21:17:46.713250  1781 promptBox.cpp:132]              <ShowPromptBox> strlen: 28
E0905 21:17:46.739377  1941 VideoEnc_Component.c:790]       <map_v4l2_colorspace_to_VENC_COLOR_SPACE> fatal error! unsupported v4l2 color space[0x0]!
W0905 21:17:46.760557  1941 VideoEnc_Component.c:5894]      <ComponentThread> wait Venc idleOutFrameList full:255-0-1-256
W0905 21:17:46.761505  1809 CallbackNotifier.cpp:1040]      <savePictureThread> Be careful! Free memory too small! bufsize=12KB, MemTotal=81268KB, MemFree=1728KB, Buffers=9700KB, Cached=31616KB
W0905 21:17:46.763778  1941 VideoEnc_Component.c:5896]      <ComponentThread> wait Venc idleOutFrameList full_done
W0905 21:17:46.763893  1799 camera.cpp:2493]                <onPictureTaken> pic_file_ is : /mnt/extsd/video/20240905_211746_ths.jpg
E0905 21:17:46.771696  1799 camera.cpp:2520]                <onPictureTaken> write data filed(No space left on device)
E0905 21:19:36.849349  1857 media_file_manager.cpp:818]     <GetLastFileFallocateSizeByType> get video fallocate size = 63242240
E0905 21:19:36.968855  1857 recorder.cpp:831]               <allocRecorderFile> allocRecorderFile rename file name ,file name /mnt/extsd/video/20240905_211936.mp4
E0905 21:19:36.970453  1857 recorder.cpp:841]               <allocRecorderFile> ReNameFilelen 0,filenamelen 36
E0905 21:19:36.975098  1857 recorder.cpp:855]               <allocRecorderFile> fatal error! Failed to fallocate size 173015040, (No space left on device)
E0905 21:19:36.977082  1857 recorder.cpp:858]               <allocRecorderFile> allocate file success
W0905 21:19:47.209141  1939 RecRenderSink.c:1583]           <RecSinkThread> avsync_rc_swfv:1920-120532-120534-120532-120000
W0905 21:19:47.210770  1939 RecRenderSink.c:743]            <RecSinkMuxerClose> avsync_muxer_close:120532-120534-120532-120534-1920
W0905 21:19:47.309959  1857 newPreview.cpp:1570]            <Update> revice MSG_RECORD_FILE_DONE event
W0905 21:19:47.311659  1857 preview_window.cpp:1307]        <Update> handle msg:22
E0905 21:19:47.311808  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[36](No space left on device)
W0905 21:19:47.312944  1857 preview_window.cpp:1491]        <Update> [habo]--->record file done!!!!
E0905 21:19:47.314582  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
W0905 21:19:47.317230  1857 status_bar_window.cpp:508]      <ResetRecordTime> mRecordTime: 120, need reset to 0
E0905 21:19:47.321061  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[36](No space left on device)
W0905 21:19:47.327523  1857 newPreview.cpp:2158]            <TakePicforVideothumb> p_CamId: 0
E0905 21:19:47.331774  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[65536](No space left on device)
W0905 21:19:47.331899  1857 camera.cpp:1544]                <TakePicture> do take picture chn: 1 main_enc_chn_:0 sub_enc_chn_:1
E0905 21:19:47.333247  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
E0905 21:19:47.335939  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[65536](No space left on device)
E0905 21:19:47.337778  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[65536](No space left on device)
E0905 21:19:47.339397  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
E0905 21:19:47.340636  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[65536](No space left on device)
E0905 21:19:47.402639  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[65536](No space left on device)
E0905 21:19:47.403070  2086 VideoEnc_Component.c:790]       <map_v4l2_colorspace_to_VENC_COLOR_SPACE> fatal error! unsupported v4l2 color space[0x0]!
E0905 21:19:47.404249  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
E0905 21:19:47.407522  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[65536](No space left on device)
W0905 21:19:47.410507  1809 CallbackNotifier.cpp:1040]      <savePictureThread> Be careful! Free memory too small! bufsize=11KB, MemTotal=81268KB, MemFree=1904KB, Buffers=3692KB, Cached=36572KB
W0905 21:19:47.410023  2086 VideoEnc_Component.c:5894]      <ComponentThread> wait Venc idleOutFrameList full:255-0-1-256
W0905 21:19:47.438671  1799 camera.cpp:2493]                <onPictureTaken> pic_file_ is : /mnt/extsd/video/20240905_211936_ths.jpg
E0905 21:19:47.444708  1799 camera.cpp:2520]                <onPictureTaken> write data filed(No space left on device)
W0905 21:19:47.439332  2086 VideoEnc_Component.c:5896]      <ComponentThread> wait Venc idleOutFrameList full_done
E0905 21:19:47.481510  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[65536](No space left on device)
E0905 21:19:47.483206  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
E0905 21:19:47.484477  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[65536](No space left on device)
E0905 21:19:47.562337  1939 cedarx_stream_file.c:678]       <cdx_write_fd_file> Stream[0xc26650] write error [-1]!=[65536](No space left on device)
E0905 21:19:47.564474  1939 cedarx_stream_file.c:694]       <cdx_write_fd_file> fatal error! write error is[28], writeNum[-1], don't write again.
E0905 21:19:47.566025  1939 FsWriter.c:95]                  <fileWriter> Stream[0xc26650]fwrite error [0]!=[65536](No space left on device)

As you can see, it reports no space left. I tried to find some of these log strings on github and found one project: https://github.com/lindenis-org/lindenis-v536-softwinner and this was some find! I would guess at least 80% of the code is used in my device.

It took me some time to study the code and what is called from where to find out that there in fact is a mechanism to rotate files on low space condition. According to logs, it seemed to be called but it was not freeing any space.

This space checking was confirmed when I found out that there is strace ! available on the device and I run it on the app:

root@tina:/# strace -ff -p 776 2>&1 | grep tmp
[pid   798] access("/tmp/stop_watchdog", F_OK <unfinished ...>
[pid   798] access("/tmp/stop_watchdog", F_OK) = -1 ENOENT (No such file or directory)
[pid   798] access("/tmp/stop_watchdog", F_OK) = -1 ENOENT (No such file or directory)
[pid  1018] open("/tmp/size_video_F.txt", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666 <unfinished ...>
[pid   798] access("/tmp/stop_watchdog", F_OK) = -1 ENOENT (No such file or directory)
[pid   776] open("/tmp/size_video_F.txt", O_RDONLY|O_LARGEFILE) = 35
[pid  1019] execve("/bin/sh", ["sh", "-c", "rm /tmp/size_video_F.txt -f"], [/* 22 vars */] <unfinished ...>
[pid  1020] execve("/bin/rm", ["rm", "/tmp/size_video_F.txt", "-f"], [/* 22 vars */] <unfinished ...>
[pid  1020] lstat64("/tmp/size_video_F.txt",  <unfinished ...>
[pid  1020] unlink("/tmp/size_video_F.txt" <unfinished ...>
[pid  1023] open("/tmp/size_event_F.txt", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666 <unfinished ...>
[pid   776] open("/tmp/size_event_F.txt", O_RDONLY|O_LARGEFILE) = 35
[pid  1024] execve("/bin/sh", ["sh", "-c", "rm /tmp/size_event_F.txt -f"], [/* 22 vars */] <unfinished ...>
[pid  1025] execve("/bin/rm", ["rm", "/tmp/size_event_F.txt", "-f"], [/* 22 vars */] <unfinished ...>
[pid  1025] lstat64("/tmp/size_event_F.txt",  <unfinished ...>
[pid  1025] unlink("/tmp/size_event_F.txt" <unfinished ...>
[pid   776] stat64("/tmp/sqlite/sunxi.db-journal",  <unfinished ...>
[pid   776] stat64("/tmp/sqlite/sunxi.db-wal", 0xbea54290) = -1 ENOENT (No such file or directory)
[pid  1028] open("/tmp/size_video_F.txt", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
[pid   776] open("/tmp/size_video_F.txt", O_RDONLY|O_LARGEFILE <unfinished ...>
[pid  1029] execve("/bin/sh", ["sh", "-c", "rm /tmp/size_video_F.txt -f"], [/* 22 vars */] <unfinished ...>
[pid  1030] execve("/bin/rm", ["rm", "/tmp/size_video_F.txt", "-f"], [/* 22 vars */]) = 0
[pid  1030] lstat64("/tmp/size_video_F.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
[pid  1030] unlink("/tmp/size_video_F.txt") = 0

After this, I needed to see if the contents of size_*.txt are correct but they were being deleted as you can see above. So I needed to patch the binary.

Ghidra has a very good support for Linux ELF so it was a natural choice. I loaded the binary and searched for the rm call. Then I patched the string and exported resulting binary as you can see below.

Next I uploaded the binary to the device:

danman@silverhorse:/storage/Projects/wowme$ adb push sdvcam.patched /mnt/extsd/
sdvcam.patched: 1 file pushed. 3.5 MB/s (4786960 bytes in 1.303s)

And run it:

root@tina:/# /mnt/extsd/sdvcam.patched >/mnt/UDISK/app.out 2>/mnt/UDISK/app.err

The result was that the temp file remained but empty:

root@tina:/mnt/extsd/video# cat /tmp/size_event_F.txt 
root@tina:/mnt/extsd/video#

Which meant the size check was failing.

Unfortunatelly, this part of code was not identical to the sources so I had to spend some time investigating in ghidra. Eventually, I made some sense out of it and I patched the path used for disk usage check:

Exported and tested the binary again and…

W0910 13:50:40.090088  3312 status_bar_window.cpp:508]      <ResetRecordTime> mRecordTime: 120, need reset to 0
W0910 13:50:40.095002  3312 newPreview.cpp:2158]            <TakePicforVideothumb> p_CamId: 0
W0910 13:50:40.096786  3312 camera.cpp:1544]                <TakePicture> do take picture chn: 1 main_enc_chn_:0 sub_enc_chn_:1
E0910 13:50:40.162842  1896 VideoEnc_Component.c:790]       <map_v4l2_colorspace_to_VENC_COLOR_SPACE> fatal error! unsupported v4l2 color space[0x0]!
W0910 13:50:40.173454  1896 VideoEnc_Component.c:5894]      <ComponentThread> wait Venc idleOutFrameList full:255-0-1-256
W0910 13:50:40.174084  3263 CallbackNotifier.cpp:1040]      <savePictureThread> Be careful! Free memory too small! bufsize=22KB, MemTotal=81268KB, MemFree=2008KB, Buffers=6668KB, Cached=33736KB
W0910 13:50:40.197017  3253 camera.cpp:2493]                <onPictureTaken> pic_file_ is : /mnt/extsd/video/20240910_135029_ths.jpg
W0910 13:50:40.197794  1896 VideoEnc_Component.c:5896]      <ComponentThread> wait Venc idleOutFrameList full_done
E0910 13:52:30.157230  3312 media_file_manager.cpp:818]     <GetLastFileFallocateSizeByType> get video fallocate size = 131203072
E0910 13:52:30.297047  3312 media_file_manager.cpp:982]     <DeleteFileByOrder> delete file name /mnt/extsd/video/20240905_212158.mp4
E0910 13:52:30.303483  3312 media_file_manager.cpp:1753]    <GetThumbPicName> thumb pic name:/mnt/extsd/video/20240905_212158_ths.jpg
E0910 13:52:30.436877  3312 recorder.cpp:831]               <allocRecorderFile> allocRecorderFile rename file name ,file name /mnt/extsd/video/20240910_135230.mp4
E0910 13:52:30.438905  3312 recorder.cpp:841]               <allocRecorderFile> ReNameFilelen 0,filenamelen 36
E0910 13:52:30.463142  3312 recorder.cpp:858]               <allocRecorderFile> allocate file success
W0910 13:52:39.960764  3396 RecRenderSink.c:1615]           <RecSinkThread> avsync_ch_a:4941786000-4941750582-1920
W0910 13:52:39.962682  3396 RecRenderSink.c:1653]           <RecSinkThread> avsync_cal:1920-4941817248--1-1
W0910 13:52:39.998631  3396 RecRenderSink.c:1653]           <RecSinkThread> avsync_cal:1920-4941850581-4941817248-2
W0910 13:52:40.038055  3396 RecRenderSink.c:1653]           <RecSinkThread> avsync_cal:1920-4941883914-4941817248-3

An old file got deleted! After some time, several more files got deleted which meant the problem was fixed:

root@tina:/# grep delete /mnt/UDISK/app.err 
W0910 12:30:09.813452  3340 media_file_manager.cpp:1525]    <DoDBUpdateByCamIdEx> some file would be delete or insert: ret:0 ret_db:31
W0910 12:30:09.836272  3340 media_file_manager.cpp:1525]    <DoDBUpdateByCamIdEx> some file would be delete or insert: ret:0 ret_db:31
W0910 12:30:09.842162  3340 media_file_manager.cpp:1525]    <DoDBUpdateByCamIdEx> some file would be delete or insert: ret:0 ret_db:31
E0910 13:52:30.297047  3312 media_file_manager.cpp:982]     <DeleteFileByOrder> delete file name /mnt/extsd/video/20240905_212158.mp4
E0910 13:54:30.781258  3312 media_file_manager.cpp:982]     <DeleteFileByOrder> delete file name /mnt/extsd/video/20240905_212348.mp4
E0910 13:54:30.917243  3312 media_file_manager.cpp:982]     <DeleteFileByOrder> delete file name /mnt/extsd/video/20240905_212549.mp4
E0910 13:56:31.356421  3312 media_file_manager.cpp:982]     <DeleteFileByOrder> delete file name /mnt/extsd/video/20240905_212749.mp4

What remained was to run the binary automatically. One way could be to patch the root squashfs and write it to the flash. I chose a simpler way to create a symlink to sdcard to point to patched binary stored on SD card.

root@tina:/# rm /usr/bin/sdvcam 
root@tina:/# ln -s /mnt/extsd/sdvcam.patched /usr/bin/sdvcam

Conclusion

By diving into the internals of the Wowme U300Q and tweaking the firmware, I was able to resolve the issue that made it essentially useless out of the box. If you have a similar camera or any other Allwinner-based devices, I hope this guide helps you get it working as intended. Feel free to share your experiences or ask questions in the comments below! I still have 2 extra pieces of this camera for sale for anyone willing to experiment. If you want one, feel free to contact me.

In my flat they have installed these new digital door phones running on two wires manufactured by Tesla:

I wanted to be notified when someone rings when we are not at home so I decided to reverse engineer it.

During idle, there is a voltage of about 23V which is there to power the phones as they don’t have any other power supply; during a call, the voltage drops to about 12,6V and current goes to 47mA. So I took my scope and started to measure the signal. In short, I have found, that there is some sort of digital signal and analog voice modulated on top of the DC component (timeframe of one call):

On first sight, it didn’t remind me of any common line encoding and my scope has a short buffer so I decided to convert it to logic levels and use a logic analyzer.

It also didn’t make more sense but then I played with zoom and suddenly saw it there:

The data is encoded using symbols consisting of 4 PWM pulses. There are 3 symbols – logical 0, logical 1 and stuffing (‘-‘). Each frame starts with several dozens of stuffing symbols. Then bit symbols are sent each one followed by one stuffing symbol. On the picture above, “A” marks the start of 1 then follows: -, 1, -, 0, -, 0, … Each frame consists of 48 bits where the last 8 bits are checksum. They are being sent in MSB first order. The checksum is computed using this formula.

Once I got the frames decoded, it was just a matter of watching the communication. I managed to decode following structure:

| dst address (16b) | src address (16b) | command (8b) | checksum (8b) |

Addressing

Some facts from installation manual:
– each phone has assigned “system number” (SN) in range 000-999
– only numbers 000-323 can be called from another phone (due to addressing scheme)
– there can be one “main phone” (MP) and up to 3 “secondary phones” (SP) for each SN
– there can be up to 8 “electronic gatekeepers” (GK)
– each phone has it’s own “intercom number” (IN) which can be computed like this:

IN1 = ((SN x 4 + X) / 216) + 1
IN2 = (((SN x 4 + X)mod 216) / 36) + 1
IN3 = (((SN x 4 + X)mod 36) / 6) + 1
IN4 = ((SN x 4 + X)mod 6) + 1
where X = 0 for MP and 1-3 for SP

Considering these facts, I was able to decode the address format:

000GSSSSSSSSSSXX – 16bits
– G – is_gk – if address belongs to GK it equals 0
– S – system number for MP/SP, zeroes for GK
– X – number of MP/SP or number of GK

Commands

There is 1 byte space for commands so theoretically there can be 256 commands. I was able to decode these ones.

The call from GK always starts with “ping” to check if the called MP exists, MP needs to respond with OK. Then GK sends “call_from_eg” and the MP starts ringing. When an user picks up, MP sends “accepted_call_from_eg”, GK responds with OK and voice communication is established. The you can also see open_lock and hangup commands with pretty clear meaning. Here is the whole communication between MP with SN 7 and GK 1:

src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:ping(64) cs:147
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:OK(0) cs:211
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:call_from_eg(10) cs:201
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:accepted_call_from_eg(12) cs:199
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:open_lock(14) cs:197
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:hangup_from_eg(16) cs:195
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211

Hardware

I have used a transformer to isolate my device from the bus. The middle section is simple and is used for transmit. For receive, I was first using the bottom part but then I replaced it with the transistor behind the transformer. Audio is sent/received from pins 3,4 on the transformer.

Audio signal goes to integrated soundcard on OrangePI, digital signal from transistor is received by STM32F1, the pulse widths are measured and sent via virtual serial port over USB. The software then checks the pulse widths and counts and decodes into bits and frames. The transmit path also goes via the virtual COM, but it is sent as full frames and line encoded on the MCU. When the software detects incoming call to specified MP, it will start a SIP call to defined number in PSTN and the call can be normally answered, you can talk or open lock using DTMF.

You can find the complete software on https://github.com/danielkucera/tesla-2bus – there is both the control software and firmware for the STM32.

This project is still a work in progress, I am thinking about implementing it completely in an MCU and make the calls using SIM800 GSM module and power everything from the bus.

Feel free to ask in the comments if you have any questions.

I always search for this so I will write it down here.

Client

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
vi wg0.conf

[Interface]
PrivateKey = 
Address = 10.9.0.X/24

[Peer]
PublicKey = dg1cKCId81d6h5cWUQ61BMHksBbi0FdFnitjxDuOuno=
Endpoint = vpn.danman.eu:51820
AllowedIPs = 10.9.0.0/24
PersistentKeepalive = 25

wg-quick up /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl edit wg-quick@wg0.service

[Service]
Restart=on-failure
RestartSec=5s

Server

systemctl stop wg-quick@wg0.service
vi /etc/wireguard/wg0
systemctl start wg-quick@wg0.service

Reload

wg syncconf wg0 <(wg-quick strip wg0)

I have RNS315 radio/navigation/media system (I will call it unit) in my car. I bought it with maps from 2014 which are hugely outdated so I started to research how to update the maps.

The obvious way is to go to the dealer and buy map update but that costs some higher tens of Euros so I started researching other options.

The update comes on an SD card which is unreadable in PC – this is because the card is locked with CMD42 and most operating systems cannot deal with this lock. There is a very nice technical note where you can read about the mechanism.

The way how the map update works is, that first the unit checks if the card is locked and reads the SD card CID (unique card ID). If the card is not locked but contains updates, it will show that there is a card with updates but it is not genuine. If it is locked, the unit will generate a password based on the CID and try to unlock the card with CMD42. If it cannot unlock, it will show an error.

There are two ways how people deal with this problem:
– cards with changeable CIDs
– online password generators for your specific card CID

You can buy a very rare SD card with changeable CID (card ID) but these are really hard to get and their price is not worth it. If you have it, you change the CID and lock the card with a know public password.

Next option is to use an online password generator (e.g. this one) where you enter your cards CID and it will give you a password. But this also costs money so I started thinking about some other way.

The update data can be found on the Internet by searching “map update RNS315”. For Europe, there are two packages – Eastern Europe (EE) or Western Europe (WE). For the time of writing, the latest version is V12. You need to copy this data to your SD card before making any magic with locking.

Getting the password

As I was thinking about it, I thought there is actually no hashing or obfuscation mechanism in the unlocking sequence for CMD42 – the host will simply send the password “as is” so you should be able to capture it. So I just took a card, locked it with random password and put it in my unit with a logic analyzer attached (basic FT2232H and PulseView) .

You can see in the background displayed: “Error: SD card” because the card is locked with a different password.

I started to analyze the captured data. PulseView has a SD card protocol decoder so it was quite easy and I was able to find CMD42 quickly:

You can see I captured it with 10Mhz sample rate and it was enough. It probably switches to higher speeds (20MHz?) only after initializing the card (I didn’t check this). You can also see there is data only on single DAT line. This is probably also the reason why copying the data from card may take up to 2hours (16GB / 20MHz 1-bit SD mode = 6872sec)

PulseView doesn’t have data decoding for SD card in SD mode so I had to improvise to get the password data. I have used SPI decoder, and since we don’t have chip-select signal here to properly align bits into bytes, I extended it with an option to skip bits on start. So I was able to get the password bytes decoded:

I have aligned it in a way, that the first 1 belongs to the previous byte 0xFE (it’s start bit) and then it continues with 0x00 0x10 which for the CMD42 means unlock command with password length 0x10 (16 bytes). Next 16 bytes (0xBB, 0x37, 0x3D,…) are the password followed by a checksum. So we have the password now!

Locking/unlocking the card

In previous paragraph I skipped the way how to lock/unlock the card. When you insert a locked card into PC, it won’t be able to read it:

To get control of the card, I used Arduino on ESP32 with SD library which I modified to work with ESP32 and applied a mod to support CMD42. The complete project is here. It can initialize card, list files, display CID, detect locked card, lock/unlock with CMD42 and delete devid file.

Short Howto

1. Copy navigation data to card
2. Lock the card with any password
3. Capture the password using logic analyzer
4. Unlock the card with original password
5. Lock the card with correct password
6. …
7. Profit

When you insert the card you will be asked to assign the card with the unit.

Once you do this, it will create a file called devid with following contents (probably some serial number of the unit):

$ hd deviceid
00000000 9a 04 8b 6b 13 02 61 f8 00 00 ff bf ff ff fe ff |…k..a………|
00000010

But since we know the password, we can always delete it. Either after unlocking in a computer or using my esp32 firmware (function delete_devid()). After this, it can be used in another car.

Next, you are asked what to do with the update – install or use the maps from the card:

This really takes more than a hour, so do this during a long journey or with your car connected to a battery charger. After this, you are ready to use the updated maps.

For the purpose of sniffing I created a microSD card sniffer. If you want one, you can buy it in my e-shop at Lectronz.

I also wonder if the online password generation services know the password algorithm or they communicate with some unit and emulate a card with your CID to capture the password. I was also thinking about building such system but decided it’s not worth the investment but it is definitely doable.

And that’s it, if you have any questions or comments, feel free to comment.

As I am dealing with flashing SPI NANDs in WSON-8 package, I wanted to make my life easier by using a socket. You can buy one for about $6 on ali but I also wanted to try a different approach with pogo pins.

So I designed some PCBs. They came today:

You can see there are three types of boards in the panel. First (topmost) – adapter with WSON8 on one side, 1.27mm pin header on the other.

And the rest two for assembling the pogo pin adapter:

The base:

The top:

Assembled with a 3D printed clip. The chip goes inside to the cavity.

It is a bit loose because I was too generous with the tolerances but for a first test design of this kind I can call it success.

PCBs were kindly sponsored by pcbway.com and they came 10 days after ordering without any quality issues.

TL;DR: the problem is usually in corrupted data in SPI NAND flash, you need to download the original config data and flash back working modem firmware.

I noticed there is quite a lot of offers with used not working 4G router TL-MR100 in aukro.cz . I bought one with hope I can easily fix and use it. But the fix turned out to be not that easy.

The router boots, shows WiFi network, you can connect to it but the problem is that the web management doesn’t work. I’ve found out that the device consists of two interconnected systems:
– MT7628AN SoC providing WiFi and Ethernet
– some “NezhaC” 4G modem providing web management and mobile connectivity via USB interface

The first one was working fine but its logs were showing problems to communicate with the modem and indeed – the modem was not booting. I de-soldered the flash dedicated to the modem and tried to dump it but there were ECC errors and the data was damaged. So I obtained another working device to get a working flash contents and it worked: I dumped the whole flash, flashed to my broken one and I’ve got a clone of the working one (including IMEI which is quite a problem).

From the logs I discovered, that there is only a short block (0x20000 – 0x60000) containing device specific data (IMEI, calibration, configuration,…) so I copied the block from my broken device over to the working image and… Great success!

I also found (J10: 115200, 1-Tx, 2-Rx, 3-GND) an UART interface of the modem (I had to buy 1.8V compatible USB-TTL adapter) and I could see the modem booting:

0x00000000
PMIC ID: 
0x00000013
Cold power up
switch clk to XO
NO Production Mode
GuiLin Buck1 active voltage Reg: 
0x00000098
GuiLin Buck1 active voltage Reg: 
0x0000009c
cpcore -> 624M
AXI -> 208M
DDR -> 1066M
FlashNumber: 
0x0000001a
Bus clock: 13MHz QSPI_CLK_RES_CTRL: 0x5b
tx_desc: 0x7c188e0
use_intr=1 en_tx_dma=1 use_xip=1
SPI-NAND: GD5F1GQ4RBxIG is found in table
SPI-NAND type mfr_id: c8, dev_id: c1
Set rx_pins: 4 tx_pins: 4
AHB data transfer size: 512
XIP Read mode enabled
Fixed LUT bit-map: 0x3fc
block_size=0x20000 page_size=0x800 bitflip_threshold=6
Bus clock: 78MHz QSPI_CLK_RES_CTRL: 0x19b
pFlashP->NumBlocks: 1020
Tr069 Config Init Done
BoardType: 
0x00000000
PlatformCI2Ready
PlatformCI2Ready end
Wait for USB ready
USB Enum timeout
Allow to boot up
LTG_LWG_Version_Flag: 
0xffffffff
No need to upgrade
TR069 return
0x00000001
LWG/LTG switch flag
0xffffffff
Select to 3Mnde LWG
CRC check OK with flash address
0x00020000
MRD FlashAddress Passed to CP:
0x00020000
CRC check OK with flash address
0x00040000
LWG uboot
Primary/Backup MRD are both OK
cpcore -> 208M
DDR -> 533M
end...
0 buadrate=0

UART Boot Completed
0 GPIOPhase2Init:[zc]---Before set ICU GPIO_INT 30
0 FPIOPhase2Init:[zc]---After set ICU GPIO_INT 3f
0 UsimDetectTaskEntry:enter
1 GPIOPhase2Init:[zc]---Usim_Detect_Gpio default level =0
2 Board Type: NezhaC MIFI DKB
2 Project Type: Nezha PCIE Dongle
3 PMIC Type: 88PM801/Ustica
4 Mode Type: LWG Only
4 BSP board type: 0x0
4 Software version: NEZHAC_CP_1.064.004 Jan 17 2021 15:26:46
5 Compilation date: Jan 17 2021 and time: 15:26:46
6 Last time is not silent reset
7 Sildnt Reset Magic =f55555d5 55155d5d
8 ======= CIU register =======
8 0xd4282d00: 0x2
9 0xd4282d04: 0x100
9 0xd4282d08: 0x0
9 0xd4282d38: 0x0
a 0xd4282d3c: 0x0
a 0xd4282d40: 0x0
a 0xd4282d44: 0x100
b 0xd4282d48: 0x80010
b 0xd4282d4c: 0x20000
b OBM set Flash type: SPI Nand
c Manufacture ID: 0xc8, Device ID: 0xc1
d SPINAND is already unprotected, protection 0x0
e sn_feature: 0x11
e Flash Type: 8, NumBlocks: 1020, BlkSize: 131072, PageSize: 2048
10 FlashManager_Init:Version= 30400
11 [BBT: 0]

11 FlashManager_Init done
11 BlockCacheCount 3, FlashBlockSize 131072
22 BMT0 Version 0x73

32 BMT1 Version 0x72

32 [Version 0x73] The next update partition 1
42 FATTable1=2, FATTable2=25, FATsecs=23, MaxClusters=6140
43 RootSector=32, SecPerClust=16, UserData=82, RootDirectory=48
44 Read guard sector 80
55 psm header size:0x20, buffer addr:0x79b0014
56 flash addr:0x40e0000
5e flash addr:0x40e0000, ddr addr:0x7138680
5e magic num:0x5a5a5a5a,0xefefefef
5f flash addr:0x4100000
67 flash addr:0x4100000, ddr addr:0x71386e0
68 blk_num:1,len:0x0
68 flash addr:0x4120000
70 flash addr:0x4120000, ddr addr:0x7138740
71 blk_num:2,len:0x0
71 flash addr:0x4140000
79 flash addr:0x4140000, ddr addr:0x71387a0
7a blk_num:3,len:0x45b
7a psm file is not NULL
7a psm_block_init, file_num is 0,blk1 is 3
7b psm_block_init psm_fdi_info[0] is 3
7c psm_block_init, file_num is 1,blk1 is 1
7d psm_block_init psm_fdi_info[1] is 1
7d psm_block_init, file_num is 2,blk1 is 2
7e psm_block_init psm_fdi_info[2] is 2
ab BOOTING COMPLETED

There is also list of supported SPI NANDs in the firmware:
GD5F1GQ4RBxIG – this is ours
GD5F2GQ4RBxIG
W25N01GWxxIx
W25N02GWxxIx
DS35M1GAxx
ZD35M1GAxx
PN26Q01AWSIUG
F50D1G41LB
MT29F1G01ABBFD

How to fix your device

Download my repo with tools: https://github.com/danielkucera/tl-mr100-fix

Remove the top cover of your device – I haven’t found a way to open it without breaking tabs, maybe you will have more luck than me:

De-solder the flash – I use a hot plate because there is a huge GND pad on the bottom side of the flash:

I use 1.27mm pin headers to conveniently plug/unplug the flash to my programmer so I always solder an adapter board and the connector. I started using a self-made WSON8 adapter board with pogo-pins. The flash is supposed to work with 1.8V VCC but it happily works on 3.3V too.

Next, it’s time to dump the original NAND contents:

You can use SNANDer to dump the NAND. By default, you will probably see this message because your flash is corrupted:

$ ~/Apps/SNANDer/src/SNANDer -r nand-230104.bin

SNANDer - Serial Nor/nAND/Eeprom programmeR v.1.7.5 by McMCC <mcmcc@mail.ru>

Found programmer device: WinChipHead (WCH) - CH341A
Device revision is 3.0.4
spi_nand_probe: mfr_id = 0xc8, dev_id = 0xc1, dev_id_2 = 0xc8
Get Status Register 1: 0x00
Get Status Register 2: 0x01
Using Flash ECC.
Detected SPI NAND Flash: GIGADEVICE GD5F1GQ4UA, Flash Size: 128 MB
READ:
Read addr = 0x0000000000000000, len = 0x0000000008000000
[spinand_ecc_fail_check] : ECC cannot recover detected !, page = 0x31
spi_nand_read_page: Bad Block, ECC cannot recovery detecte, page = 0x31
Status: BAD(-1)

To overcome this, you can specify -d parameter and the program will happily dump your flash:

$ ~/Apps/SNANDer/src/SNANDer -d -r nand-230104.bin

SNANDer - Serial Nor/nAND/Eeprom programmeR v.1.7.5 by McMCC <mcmcc@mail.ru>

Found programmer device: WinChipHead (WCH) - CH341A
Device revision is 3.0.4
spi_nand_probe: mfr_id = 0xc8, dev_id = 0xc1, dev_id_2 = 0xc8
Get Status Register 1: 0x00
Get Status Register 2: 0x11
Disable Flash ECC.
Detected SPI NAND Flash: GIGADEVICE GD5F1GQ4UA, Flash Size: 128 MB
READ:
Read addr = 0x0000000000000000, len = 0x0000000008400000
Read 100% [138412032] of [138412032] bytes      
Elapsed time: 1118 seconds
Status: OK

The interface is slow so it will take several minutes. Now you need to truncate the ECC bytes which are appended after each block with:

python3 cut-ecc.py nand-230104.bin

This will create nand-230104.bin.noecc file. Now you can dump the config block:

dd if=nand-230104.bin.noecc bs=1 skip=$((0x20000)) count=$((0x40000)) of=config-230104.bin

There are actually two config blocks there: 0x20000 and 0x40000 with the same contents for redundancy. You can compare and review them using Meld with following script and try to fix potential corruptions:

./compare.sh config-230104.bin

If you are happy with the contents, you can now assemble the final firmware file, erase flash and write the file to it using a script:

$ ./mkfix.sh 230104
262144+0 records in
262144+0 records out
262144 bytes (262 kB, 256 KiB) copied, 0,622619 s, 421 kB/s

SNANDer - Serial Nor/nAND/Eeprom programmeR v.1.7.5 by McMCC <mcmcc@mail.ru>

Found programmer device: WinChipHead (WCH) - CH341A
Device revision is 3.0.4
spi_nand_probe: mfr_id = 0xc8, dev_id = 0xc1, dev_id_2 = 0xc8
Get Status Register 1: 0x00
Get Status Register 2: 0x01
Using Flash ECC.
Detected SPI NAND Flash: GIGADEVICE GD5F1GQ4UA, Flash Size: 128 MB
ERASE:
Set full erase chip!
Erase addr = 0x0000000000000000, len = 0x0000000008000000
spi_nand_erase_block : erase block fail, block = 0x3ff, status = 0x4
spi_nand_erase_internal : Erase Fail at addr = 0x7fe0000, len = 0x8000000, block_idx = 0x3ff
Erase 100% [134217728] of [134217728] bytes      
Status: BAD(-1)

SNANDer - Serial Nor/nAND/Eeprom programmeR v.1.7.5 by McMCC <mcmcc@mail.ru>

Found programmer device: WinChipHead (WCH) - CH341A
Device revision is 3.0.4
spi_nand_probe: mfr_id = 0xc8, dev_id = 0xc1, dev_id_2 = 0xc8
Get Status Register 1: 0x00
Get Status Register 2: 0x11
Using Flash ECC.
Detected SPI NAND Flash: GIGADEVICE GD5F1GQ4UA, Flash Size: 128 MB
WRITE:
Write addr = 0x0000000000000000, len = 0x0000000008000000
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc0, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc1, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc2, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc3, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc4, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc5, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc6, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc7, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc8, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffc9, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffca, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffcb, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffcc, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffcd, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffce, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffcf, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd0, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd1, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd2, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd3, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd4, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd5, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd6, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd7, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd8, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffd9, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffda, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffdb, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffdc, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffdd, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffde, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffdf, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe0, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe1, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe2, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe3, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe4, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe5, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe6, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe7, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe8, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffe9, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffea, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffeb, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffec, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffed, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffee, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffef, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff0, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff1, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff2, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff3, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff4, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff5, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff6, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff7, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff8, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfff9, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfffa, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfffb, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfffc, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfffd, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xfffe, status = 0xc
spi_nand_write_page : Program Fail at addr_offset = 0x0, page_number = 0xffff, status = 0xc
Written 100% [134217728] of [134217728] bytes      
Status: BAD(-1)

You can ignore the errors at the end, it will work just fine. Now you can insert or solder the flash back to board and after boot, you should be able to access the web configuration.

If your main SoC firmware is not 1.4, you also need to upgrade v1.4. Copy included tp_recovery.bin to a tftp server, connect with the router, set server IP to 192.168.0.225 and start the router while holding reset button. Release the button when you see all LEDs flash. This is what you should see on the UART if you are watching:

U-Boot 1.1.3 (Mar  2 2020 - 13:55:27)

Board: Ralink APSoC DRAM:  32 MB
gpiomode1 55054404.
gpiomode2 05550555.
######GPIO CTRL 1 for GPIO 32~64 OUTPUT tmp(0x00005f90)#####
######GPIO CTRL 1 for GPIO 32~64 INPUT tmp(0x00005f90)#####
flash manufacture id: 1c, device id 70 16
find flash: EN25QH32B
============================================ 
Ralink UBoot Version: 4.3.0.0
-------------------------------------------- 
ASIC 7628_MP (Port5<->None)
DRAM component: 256 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 32 MBytes
Flash component: SPI Flash
Date:Mar  2 2020  Time:13:55:27
============================================ 
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 580 MHZ #### 
 estimate memory size =32 Mbytes
RESET MT7628 PHY!!!!!!..................................................
starting recovery...
TODO, Read MAC Address from Flash


 netboot_common, argc= 3 

 KSEG1ADDR(NetTxPacket) = 0xA1FE7380 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!! 
TFTP from server 192.168.0.225; our IP address is 192.168.0.2
Filename 'tp_recovery.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80060000
Loading: T Got ARP REPLY, set server/gtwy eth addr (50:7b:9d:6a:42:ba)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ###########################Got ARP REQUEST, return our IP
######################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #
done
Bytes transferred = 17641990 (10d3206 hex)
NetBootFileXferSize= 010d3206

 Erase flash !!
From 0x10000 length 0x3D0000
.............................................................

 Copy 0x80080000 to 0x00010000, count 0x3D0000.... 
.............................................................

You are welcome

Recently, I was looking for an affordable LoRaWAN gateway with 3G/LTE connectivity. I like Mikrotik products because they are easy to use and have many features (e.g. Wireguard VPN ) . I found RBwAPR-2nD which has a miniPCI-e slot which can be fitted with R11e-LR8 LoRaWAN gateway module or a card for mobile network connectivity (e.g. R11e-4G). The problem is you cannot have both because there is only one slot. Or can you?

As soon as I verified that LR8 use only USB connectivity through miniPCIe I’ve got an idea why couldn’t we fit in a USB hub to connect both LoRa and a modem?

This was working fine but the problem was following:

Standard USB modems didn’t fit into the case and I wanted to have everything nicely under “one roof”.

So I’ve bought the R11e-4G card and did some measurements. I also tested a convenient USB hub chip with a minimum of external components and USB 2.0 High-speed support. We only have 3.3V rail on miniPCI-e so it had to work with that voltage only:

USB high-speed hub on breadboard? Why not! Works even without 5V supply, with 3V3 on VDD33 pin. Minimum of external components.
Thanks @sad_electronics for a tip on SL2.1A. pic.twitter.com/yZaILnVeCh

— Daniel Kučera (@danmaneu) November 29, 2022

I designed a PCB with the hub and two miniPCI-e card slots – one for modem, one for LoRa. In just 7 days, during Christmas season (21. 12 – 28. 12), PCBWay was able to deliver these beautiful ENIG gold plated boards together with a stencil for an easy assembly (as a sponsorship for free).

So I assembled the boards:

I also designed and 3D printed a clip to hold the boards – it took only 3 iterations to get them right:

And the final assembly:

Now I have an outdoor LoRa gateway with 4G connectivity in one compact device for the fraction of price of other professional devices.

You can also use the extender just to break out two additional USB ports (on the sides) and one or two USB cards in other devices than Mikrotik too. If you are interested, you can buy the extender in my Lectronz shop.

And that’s it, feel free to add your comments or questions.

It is a very simple device for about $15. The main SoC is GX6605S. There is some limited info about this chip on C-SKY page and some technical docs at their tools repo. It communicates with a Bluetooth module TLSR8266 using UART. There is also 4MB SPI flash holding the whole bootloader called GxLoader, Linux kernel and filesystem with the main app. The last important chip is RDA5815M which handles the RF to I/Q conversion. In the future I plan to add an USB-to-Ethernet adapter and repurpose it as an cheap opensource SAT>IP server.

It is quite simple device. The main chip is Vango V9821S – a single-phase energy metering SoC chip, then there is one EEPROM 24C04, optical isolation for S0, display and power supply circuitry and a display. There is no serial interface so no way how to get more data out of the device, only JTAG for programming.

Seed Studio offered me a sample device (see specs) for exchange for an article on my blog and I accepted. The device came a few weeks ago so I am fulfilling my part.

When it came, I went to their page and searched for some example code to test and I picked GitHub Stats example. The documentation is pretty good but it describes the usage with original Arduino IDE which is not my weapon of choice. Some time ago I noticed PlatformIO added support for this device so I wanted to use it.

I started by creating a new project.

Then I pasted the source code in but it ended up with an error:

src/main.cpp:2:10: fatal error: WiFiClientSecure.h: No such file or directory

This led mi to following page: https://wiki.seeedstudio.com/Wio-Terminal-Network-Overview/. To use WiFi you need to install several libraries to Arduino. In PIO, you do this by adding following code to your platformio.ini :

lib_deps = 
    https://github.com/Seeed-Studio/Seeed_Arduino_atWiFi
    https://github.com/Seeed-Studio/Seeed_Arduino_FreeRTOS
    https://github.com/Seeed-Studio/Seeed_Arduino_atUnified
    https://github.com/Seeed-Studio/esp-at-lib
    https://github.com/Seeed-Studio/Seeed_Arduino_mbedtls
    https://github.com/Seeed-Studio/Seeed_Arduino_atWiFiClientSecure.git

After doing this, I’ve got a new error:

.pio/libdeps/seeed_wio_terminal/Seeed-Arduino-FreeRTOS/src/FreeRTOSConfig.h:54:3: error: #error architecture not support!
#error architecture not support!

After some investigation I found out I’m missing a build flag:

build_flags =
    -DARDUINO_ARCH_SAMD

Next error was:

src/main.cpp:3:10: fatal error: ArduinoJson.h: No such file or directory

This again means a missing library but this one is specific for the example: https://wiki.seeedstudio.com/Wio-Terminal-Reading-Github/#arduino-libraries-needed so the final lib_deps is following:

lib_deps = 
    https://github.com/Seeed-Studio/Seeed_Arduino_atWiFi
    https://github.com/Seeed-Studio/Seeed_Arduino_FreeRTOS
    https://github.com/Seeed-Studio/Seeed_Arduino_atUnified
    https://github.com/Seeed-Studio/esp-at-lib
    https://github.com/Seeed-Studio/Seeed_Arduino_mbedtls
    https://github.com/Seeed-Studio/Seeed_Arduino_atWiFiClientSecure.git
    https://github.com/Seeed-Studio/Seeed_Arduino_LCD
    https://github.com/bblanchon/ArduinoJson

I also needed to download Free_Fonts.h and put it to src/ directory as described here.

Next error was:

src/main.cpp:120:5: error: 'getData' was not declared in this scope
getData();

So I moved setup() and loop() functions to the end of the file, after getData().

After that, the code compiled and uploaded successfully:

> Executing task in folder wio-github: platformio run --target upload --target monitor <
Processing seeed_wio_terminal (platform: atmelsam; board: seeed_wio_terminal; framework: arduino)
Verbose mode can be enabled via -v, --verbose option
CONFIGURATION: https://docs.platformio.org/page/boards/atmelsam/seeed_wio_terminal.html
PLATFORM: Atmel SAM 4.4.0 > Seeeduino Wio Terminal
HARDWARE: SAMD51P19A 120MHz, 192KB RAM, 496KB Flash
DEBUG: Current (atmel-ice) External (atmel-ice, blackmagic, jlink)
PACKAGES:
framework-arduino-samd-seeed 1.7.6
framework-cmsis 1.40500.0 (4.5.0)
framework-cmsis-atmel 1.2.0
tool-bossac 1.10900.0 (1.9.0)
toolchain-gccarmnoneeabi 1.70201.0 (7.2.1)
LDF: Library Dependency Finder -> http://bit.ly/configure-pio-ldf
LDF Modes: Finder ~ chain, Compatibility ~ soft
Found 41 compatible libraries
Scanning dependencies…
Dependency Graph
|-- <Seeed_Arduino_atWiFi> 1.0 #5576591
| |-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| | |-- <esp-at-lib> 1.0 #8c3ecc5
| | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | | |-- <SPI> 1.0
| | | | |-- <Adafruit Zero DMA Library> 1.0.4
| | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
|-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
|-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| |-- <esp-at-lib> 1.0 #8c3ecc5
| | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | |-- <SPI> 1.0
| | | |-- <Adafruit Zero DMA Library> 1.0.4
| |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
|-- <esp-at-lib> 1.0 #8c3ecc5
| |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| |-- <SPI> 1.0
| | |-- <Adafruit Zero DMA Library> 1.0.4
|-- <Seeed_Arduino_mbedtls> 1.0 #4e74341
| |-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| | |-- <esp-at-lib> 1.0 #8c3ecc5
| | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | | |-- <SPI> 1.0
| | | | |-- <Adafruit Zero DMA Library> 1.0.4
| | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
|-- <Seeed_Arduino_atWiFiClientSecure> 1.0 #952bf0b
| |-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| | |-- <esp-at-lib> 1.0 #8c3ecc5
| | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | | |-- <SPI> 1.0
| | | | |-- <Adafruit Zero DMA Library> 1.0.4
| | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| |-- <Seeed_Arduino_mbedtls> 1.0 #4e74341
| | |-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| | | |-- <esp-at-lib> 1.0 #8c3ecc5
| | | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | | | |-- <SPI> 1.0
| | | | | |-- <Adafruit Zero DMA Library> 1.0.4
| | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| |-- <Seeed_Arduino_atWiFi> 1.0 #5576591
| | |-- <Seeed_Arduino_atUnifed> 1.0 #c4ae417
| | | |-- <esp-at-lib> 1.0 #8c3ecc5
| | | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
| | | | |-- <SPI> 1.0
| | | | | |-- <Adafruit Zero DMA Library> 1.0.4
| | | |-- <Seeed-Arduino-FreeRTOS> 1.0.0 #687b036
|-- <Seeed_Arduino_LCD> 1.6.0 #a9341f1
| |-- <SPI> 1.0
| | |-- <Adafruit Zero DMA Library> 1.0.4
|-- <ArduinoJson> 6.15.2 #7e58347
Building in release mode
Checking size .pio/build/seeed_wio_terminal/firmware.elf
Advanced Memory Usage is available via "PlatformIO Home > Project Inspect"
RAM: [===== ] 48.2% (used 94724 bytes from 196608 bytes)
Flash: [===== ] 47.9% (used 243168 bytes from 507904 bytes)
Configuring upload protocol…
AVAILABLE: atmel-ice, blackmagic, jlink, sam-ba
CURRENT: upload_protocol = sam-ba
Looking for upload port…
Warning! Your /etc/udev/rules.d/99-platformio-udev.rules are outdated. Please update or reinstall them.
Mode details: https://docs.platformio.org/en/latest/faq.html#platformio-udev-rules
Auto-detected: /dev/ttyACM0
Forcing reset using 1200bps open/close on port /dev/ttyACM0
Waiting for the new upload port…
Uploading .pio/build/seeed_wio_terminal/firmware.bin
Write 243168 bytes to flash (475 pages)
[==============================] 100% (475/475 pages)
Done in 2.738 seconds
Verify 243168 bytes of flash
[==============================] 100% (475/475 pages)
Verify successful
Done in 1.506 seconds
======================================================================== [SUCCESS] Took 12.44 seconds ========================================================================
--- Available filters and text transformations: colorize, debug, default, direct, hexlify, log2file, nocontrol, printable, send_on_enter, time
--- More details at http://bit.ly/pio-monitor-filters
--- Miniterm on /dev/ttyACM0 9600,8,N,1 ---
--- Quit: Ctrl+C | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
No ACK, R00
Device reset detected!
ESP-AT Lib initialized!
Attempting to connect to SSID: yourNetworkName
…………

Finally the code was working! So I quickly created file wifi_pass.hwith contents:

#define WIFI_SSID "ssid"
#define WIFI_PASS "password"

and included it in main.cpp like this:

#include "wifi_pass.h"
const char* ssid     = WIFI_SSID;
const char* password = WIFI_PASS;

After this, I got the code to work:

--- Available filters and text transformations: colorize, debug, default, direct, hexlify, log2file, nocontrol, printable, send_on_enter, time
--- More details at http://bit.ly/pio-monitor-filters
--- Miniterm on /dev/ttyACM0 9600,8,N,1 ---
--- Quit: Ctrl+C | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
No ACK, R00
No ACK, R00
Device reset detected!
ESP-AT Lib initialized!
Attempting to connect to SSID: homestead5
………Connected to homestead5
Starting connection to server…
Connected to server!
headers received
closing connection
3
1
17

You can see the result screen here:

You can find my project in this repo: https://github.com/danielkucera/wio-github-stats

One negative note though, to use the WiFi, I had to upgrade it’s firmware as described here. The problem is, that the utility works under Windows only so I spent some time installing Windows. But the guide mentions Linux version coming soon so hopefully it will come soon.

To conclude, I like the device, it’s nice big display and that it works with 5GHz WiFi. It’s ideal for displaying some quick info downloaded from the Internet or smart home data.

Recently I saw an interesting video about chip decapping using only hot air.

It looked quite easy so I gave it a try and indeed I managed to extract three dies without breaking them or any other problems so it was 100% successful on first try.

You can see die pictures below. From left to right: GD32F103C8T6 main die, it’s flash and MAX7219

For comparison, you can see professionally decapped GD32 by zeptobars here.

Next time I plan to use some chemical method to uncover the flash without damaging the chip and try to probe the signals while running.