Tuesday, 7 October 2014

Hacking a ScoutGuard camera - part 4

The plan for the fourth instalment in this series was to extract the firmware from the flash, hack it around to remove the logo and write it back. This was going to provide the opportunity to play with the TSOP clip I'd finally got around to ordering, as well as a few other bits and pieces required to read from the chip in circuit.

Unfortunately there was a bit of down time while waiting on the clip to arrive. This was sufficient reason to justify poking around with the PIC16F684 chip that is used to read the sensor data and take the photo. I had probed the pins with the scope and could see the data coming in from the PIR and the trigger control going high after a certain amount of time, and this data alone could have been useful to start playing about with. The temptation to look at the data from the chip was too great however, and I proceeded to hook up my PICkit in an attempt to see if I could get a dump of the code. I knew the likelihood of this was pretty small, but nothing ventured, nothing gained.

The chip wasn't being detected in MPLAB IPE and this was probably due to it being in circuit. The conclusion therefore was to desolder it and read it out of circuit.

PIC removed - note the quality "Koptan" or some other generic rip-off Kapton tape :)

Once the chip was out, I was still having issues getting MPLAB to work but pk2cmd worked fine and I was able to detect the chip and pull down basic information. At this stage it was also clear that the code protection feature had been enabled, so I wasn't able to retrieve the code. No real surprise, and not a big issue as I could just resolder the chip and all would be good, right?

Wrong :(

It appears that probably during the removal stage too much heat was required to remove the chip. It was really not wanting to let go and I probably went overboard with a combination of the soldering iron and the hot air gun. After resoldering it back on, the camera doesn't work as expected any more.

So, has my trusty old ScoutGuard gone to visit the big motherboard in the sky? 

Hopefully not, although it doesn't look good. There are signs of life but it certainly isn't behaving like it used to; there are quite a few intermittent faults. One of the biggest indicators that something has been damaged is the blue LED which, according to the manual, "is the low battery indicator and only comes on when the batteries need to be changed". Considering I'm using a bench power supply, this is quite unexpected and something that needs to be looked into.

Looking at the output from the UART gives some hope that the camera isn't completely destroyed. 

Loader NT96210 Start ...

Loader v1.0 02/02/2010 17:11:36

  Novatek NT96210 
  Copyright (c) 2004 Novatek Microelectronic Corp.
  Kernel      ver: 2.00.003, build: Aug 18 2009, 18:09:51
  Driver      ver: 2.00.002, build: Dec 09 2009, 20:31:03
  Application ver: 2.00.002, build: Jul 24 2009, 12:06:00
  Project     ver: 1.00.000, build: 20070511

> ERR: AVI: not open yet.
ERR: Usicd_Close
ERR: AVI: not open yet.
ERR: Usicd_Close
ERR: AVI: not open yet.
ERR: Usicd_Close
ERR: AVI: not open yet.

I mentioned the serial output in the first part of this series but I didn't show the pinout. For anyone who is interested, the 3.3V pins are ordered like this:

Since I've got the kit for dumping the flash now, the next post should finally be about that. Even though the camera might not be working as expected, and it will be difficult to prove the hack works without being able to take a photo, it will still be an interesting exercise.

Or I'll go for the firmware on the Sunluxy DVR instead.
