Publié par Philippe le 11 Fév 2010 at 11:17
Tear down and hacking around gumpack camera
Update : The method and all the files needed to do it are available in the article : How to remove date and timestamp from gumpack camera
Update : datasheet of SPCA533A available !
Update : A software-only method have been made available ! Isoprop gathered all the needed steps in his tutorial. And it *is* working, without any soldering needed. Job done 😉 Thank him, and thank you dear readers for your grateful comments.
I recently bought a micro camera to put on my RC glider on ebay. I am happy with the quality, as it does video at 30fps and 720×480. You should look at my RC glider videos here. The issue with this camera is that it automatically inserts the date in the video, and that it is reset to 01-01-2008 each time it is powered on. After reading Chuck’s web site, I decided to open and try to hack my camera. Here is what I found.
The camera is often called « gumpack camera », due to its form factor. I have chosen this one as it would easily fit into my plane. It look’s like to have the same characteristics as the #3 camera. The image have the same size, and the timestamps inserted are the same. It uses a file « TAG.TXT » to set the date with a line starting with « [date] » .
TODO Photo camera plane
I didn’t manage to go into any system mode, and didn’t managed to get the webcam working. It’s always seen as a mass storage from the computer.
When plugged on my linux box, it shows theses VID/PID:
Bus 001 Device 010: ID 04fc:0171 Sunplus Technology Co., Ltd
It behaves as a mass storage device, and let you access the content of the flash card.
If you press the « record » button while in mass storage, it goes into webcam mode, and advertise itself as:
Bus 001 Device 012: ID 04fc:1528 Sunplus Technology Co., Ltd
To go in this mode, you should wait ~5 seconds after having plugged it. I haven’t tried the webcam drivers.
Electronics
So, what is inside ?
There is:
- LiPo 1 cell 270 mAh
- The camera sensor
- A 16Mbit (2MB) Flash SPI memory (cFeon F16-100HIP Q93H06A F921GDA, also called EN25F16). I managed to found the datasheet here : EN25F16.
- Some RAM : VT3664164T-6 (4Mx16bit SDRAM)
- And an ASIC : SPCA1527A
A reader (George S.) sent me the datasheet of the SPCA1528. Ok, to be more precise, it is more a « commercial sheet », that just show some example products. Thanks !
Another reader, Bob N, sent me a much more precise datasheet of a SPCA-533A. Thanks !
Here are some photos of the camera opened. Click on the images to get the full resolution.
T
he CMOS sensor seems a bit different than other models, as it is mounted on a small support. Here is a macro of it. It has 24 pins.
I can corroborate the Chuck’s assumption with the help of my oscilloscope. When the camera boots, there are lots of transfer from the flash SPI during one second or so. There is no traffic at all after, even when you start and stop a recording. When the camera is in « sleep » (all leds off but power button « on »), the flash chip is powered off. We can conclude that the SPI flash contains the firmware of the camera, and it is copied inside the RAM at boot time. So the code that inserts the date in the film is in !
I bought mine in November, 30th, 2009. On the PCB, it is written :
D004_V3090818
Villamany posted a comment with some photos of his own gumstick camera. The components seems to be the same (at least the chipset), but it looks a bit smaller. He bought it in December, 23rd, 2009. On his one, it is written:
D001_V7091114
The second line looks like a production date or something similar, in the format YYMMDD. I assume mine stays one month and a half in stock before being sold, and it is almost the same delta for him.
The second line seems to indicate a model and a version. According to the manual, I have a « DV D004 camera ».
Playing with crystals
Following the Spiners’s idea in the comments, I tried to remove the RTC crystal. When I switched on the camera, the green led lights, then the red one and that’s all. It doesn’t respond to button presses. It doesn’t show up on the USB port.
When I remove the main crystal (written 27MHz), NOTHING happens. No lights, no USB, no response to buttons. I then tried to underclock the main chip, and put a 18MHz crystal on it, just to see what happens 😉 A took a 15s video, counting the seconds. The funny thing is that the video is « accelerated ». It only last 8s. The sound is accelerated also and is treble. The probable explanation is that the avi file says it’s 30fps. But the chip didn’t output all the 30 frames during a second because it was underclocked. But at play back, the 30 frames were displayed, and looked like accelerated. The timestamp insertion was still there and stamped the video at the correct real time.
Battery and current
I made some current consumption measures:
- Switch « Off » : No current at all
- Switch « On », but in sleep : 0.02 mA (more than one year before battery down)
- Switch « On », with green led on : 115 mA (the current waveform shows a frequency around 15 KHz, hello RTC clock !)
- During recording, the camera consumes around 145 mA. There are some spikes at 220 mA every 64ms. It’s probably when the SD card is written.
I measured the battery capacity at 270mAh (discharge current of 200mA, down to 3.0V). So I expect it to be able to last a bit more that one hour.
The next thing to do is to dump the data 😉
Flash content
Once again, I had to make my own tools. You are never better served than by yourself ! At first, I would have preferred to not desolder completely the 8-pins flash, to not take too much risks. As this solution was not working, I removed it completely, and fit it on a standard 8-pin DIL package, with some wires. Although it is a bit dirty, this solution worked well ! I also added a small decoupling capacitor closer to the chip, as I noticed on the oscilloscope some spikes in the power lines. As you can see on the photo, I removed the LiPo battery. To be more precise, it removed itself, as the wires doesn’t bend easily and are very fragile. I suspect that some camera will die as the lipo can move inside the case and the wires will break.
Using an old AT90S2313 AVR micro-controller from Atmel, I made a SPI reader. The uC firmware was reading all the content off the memory and dump it by its UART to my computer. A python script was in charge of reading the data back, and write them to a « raw » file and a « intel hex » file. I should do another article on that …
The flash is 16Mbit, so it makes a 2MB file. It took me more than 7 minutes to transfer it through the AVR at 10MHz, and the UART at 57600 bauds. Around 400KB of the memory are « 0xff », which means unused space.
You can download the raw data and the ihex:
- gumpack_camera_flash.raw.bz2 (606K)
- gumpack_camera_flash.ihex.bz2 (1.1M)
Villamany managed to extract the firmware from both of his MD80 camera ! Here they are :
- MD80.bin.bz2 (622K)
- MD80bis.bin.bz2 (623K)
And Allan also sent me his camera firmware :
- allan-808-number3.bin.bz2 (624K)
Thank you for sharing them ! The firmware are mostly identical, but there are some differences. The strings are not always in the same order in the file, showing a new recompilation of the code. Some strings, like a date, are also different.
There are some interesting « strings » in the content. Here are only a few of them :
NAND RSVDCIM100MEDIASunplus SPCA1KCCurrent F/W version: %sD:\1528.BINISP.BINDRAMPARA.TXTBoot %s, %lu KBISPKEY.TXTFW.BIN1528.BIN=====AE Gid and Luma====="[date]Omnivision 3.1MSunplus CA1528fill [mem type] [+offset]dump [mem type] [start addr] [+offset] [end addr]adc s: Start adc testadc e: Stop adc testadc a: Start button testTask start successfulPress any key to start the test...No err has found in this test!Press 'r' to restart the test, other keys to exitTimeStyleMM/DD/YYYYDD/MM/YYYYwww.vividsound.com (206) 781-8498Adobe Photoshop CS2 Windows
Seeing this, I am happy to have dumped something without errors ! (I mean correct endianness, no bit inversion, no ciphering, no shift). They show some file names, such as 1528.BIN, or the well know TAG.TXT. The hexdump tool can also be used to « see » something:
00008af0 e4 9e fe e4 9d fd e4 9c fc 22 5b 64 61 74 65 5d |........."[date]|00008b00 00 25 62 78 2f 25 62 78 2f 25 62 78 2f 25 62 78 |.%bx/%bx/%bx/%bx|00008b10 2f 25 62 78 2f 25 62 78 0a 00 4e 6f 20 74 65 78 |/%bx/%bx..No tex|00008b20 74 20 66 69 6c 65 21 0a 00 44 3a 5c 44 43 49 4d |t file!..D:\DCIM|00008b30 5c 00 31 30 30 4d 45 44 49 41 00 25 73 28 25 6c |\.100MEDIA.%s(%l|00008b40 64 29 0a 00 73 70 69 5c 73 65 72 69 61 6c 5f 66 |d)..spi\serial_f|00008b50 6c 61 73 68 5f 53 54 2e 63 00 31 20 25 62 78 0a |lash_ST.c.1 %bx.|00008b60 00 30 78 32 35 30 30 20 25 62 78 0a 00 73 74 73 |.0x2500 %bx..sts|00008b70 20 66 61 69 6c 20 25 62 78 0a 00 0a 54 4b 20 42 | fail %bx...TK B|00008b80 20 00 46 2f 57 20 76 65 72 73 69 6f 6e 20 69 73 | .F/W version is|00008b90 20 25 73 0a 46 2f 57 20 63 6f 6d 70 69 6c 65 64 | %s.F/W compiled|00008ba0 20 40 20 25 73 2c 20 25 73 0a 0a 00 49 4f 54 72 | @ %s, %s...IOTr|00008bb0 61 70 20 25 62 78 0a 00 ef 64 0a 70 1c 30 98 11 |ap %bx...d.p.0..|00008bc0 e5 99 b4 13 0c c2 98 30 98 fd e5 99 b4 11 f6 c2 |.......0........|00008bd0 98 30 99 fd c2 99 75 99 0d 30 98 11 e5 99 b4 13 |.0....u..0......|00008be0 0c c2 98 30 98 fd e5 99 b4 11 f6 c2 98 30 99 fd |...0.........0..|
ARM Inside ?
Chuck supposed that the SPCA chip was powered by an ARM CPU, especially the 926EJS. I tried to run a ARM disassembler on the file and find out that no code is ARM. I know ARM processors quite well, and can confirm that it’s not ARM powered.
My collegue Gillou ran a dissembler for the following CPU architectures : avr, mips, h8300, SH, z80, m68k. Neither of them give result. But a 8051 worked very well !
Here is some code example :
L0584: 1B64 EF MOV A, R7 1B65 7802 MOV R0, #2hL0586: 1B67 C3 CLR C 1B68 33 RLC A 1B69 CE XCH A, R6 1B6A 33 RLC A 1B6B CE XCH A, R6 1B6C D8F9 DJNZ R0, L0586 1B6E 128AD8 LCALL L0587 1B71 128B81 LCALL L0588 1B74 6461 XRL A, #61h 1B76 6003 JZ L0589 1B78 028468 LJMP L0590
L0589: 1B7B A3 INC DPTR 1B7C E0 MOVX A, @DPTR 1B7D 6476 XRL A, #76h 1B7F 6003 JZ L0591 1B81 028468 LJMP L0590
Given that the 8051 uses variable length instruction, it’s very unlikely that we have good dis-assembly with a wrong architecture.
What’s next ?
Knowing the CPU, it’s time to disassemble the code and find where is the code that inserts this f*ing date in the image. If a good software guy can modify the code, I will have to do a circuit able to write into this flash memory to try it. There is also the string 1528.BIN in the raw file. We can suppose that this is a way the reprogram the flash more easily. Please use and explore the binary files.
More discoveries on the dump
By looking more closely to the strings, I noticed « JFIF ». It is present in the header of the .jpg images. The jpg images starts by the magic number 0xffd8 and ends with 0xffd9. I have made a python script (again !) that extracts all the data from the dump that starts with 0xffd8 and terminate by 0xffd9. I found 16 images, and here they are, with there start and end address in the dump file :

- recup_0090__0x093d42-0x0952fd.jpg (5.4 KB)
- recup_0120__0x0a967a-0x0aa535.jpg (3.7 KB)
- recup_0295__0x0b7192-0x0b871a.jpg (5.4 KB)
- recup_0316__0x0b871c-0x0ba247.jpg (6.8 KB)
- recup_0336__0x0ba248-0x0bb103.jpg (3.7 KB)
- recup_0391__0x0fa558-0x104e07.jpg (42.2 KB)
- recup_0406__0x0fa6a0-0x0fb4ad.jpg (3.5 KB)
- recup_0423__0x0fba2a-0x0fcdb0.jpg (4.9 KB)
- recup_0441__0x104e08-0x110f0d.jpg (48.3 KB)
- recup_0453__0x104f50-0x105ee2.jpg (3.9 KB)
- recup_0467__0x10644b-0x107b8d.jpg (5.8 KB)
- recup_0480__0x110f0e-0x113c83.jpg (11.4 KB)
- recup_0493__0x113c84-0x11fc89.jpg (48.0 KB)
- recup_0501__0x113dcc-0x114fb7.jpg (4.5 KB)
- recup_0511__0x115520-0x116dd2.jpg (6.2 KB)
- recup_0529__0x19b21c-0x19c7d7.jpg (5.4 KB)
This represent 209KB of beautiful photos isn’t it ? I am sure that if these Chinese had made more effort, they could have used a 8Mbit flash memory only, and gain a few cents more on each camera !
And even sounds !
This time, it was the string « WAVEfmt » that kept my attention. I managed to extract 128.6 KB of wave files by modifying a bit my script. The files starts with:
00000000 52 49 46 46 .. .. .. .. 57 41 56 45 66 6d 74 20 |RIFF....WAVEfmt |
Here are the 4 files:
- recup_0010__0x0a3d42-0x0aa576.wav (26.1 KB)
- recup_0020__0x0ad4f0-0x0aff8c.wav (10.7 KB)
- recup_0025__0x0b021c-0x0b5cf6.wav (22.7 KB)
- recup_0035__0x0bb104-0x0cc59a.wav (69.1 KB)
Extracting the font from the dump
Spinner and Bill W. have posted comments and methods to display « something » with the raw dump. Bill W. managed to see this:
We can see the numbers from 0 to 9 and the « / » and « : » needed to display date and time. We don’t know yet the encoding, but it looks promising. We can even recognize some Chinese characters. His explanations are here.
Spinner went a bit further, publishing this image in the comments with explanations:
On this one, the font is even more precise. (link to the original)
That’s really great work starting from a good idea from Bill !
Here are the characters we are looking for, extracted from the video :

Each character here is 16×24 pixels. So it fits quite well in bytes.
Address mapping of theses « fonts »
Following Spinner work, I cut the dump in part where « something » appear. Here is the result. If you click on the address range, you will get the raw data.
- 0x120000-0x130000:

- 0x130000-0x138000:

- 0x138000-0x13d000:

- 0x13d000-0x140880:

- 0x140880-0x141880:

- 0x141880-0x142880:

- 0x142880-0x143880:

The idea behind all this is to be able to change the font in the firmware so that all characters appears « transparent ».
I will try to write this into the firmware, and see what happens. ![]()
If the « 2 » has gone, it rocks ! I believe it is the same idea as Spinner, but I cannot access the file(rapidshare overloaded 🙂 )
Work done ! The « 2 » is out !
I made the soft to program the flash SPI, and program it with the tentative font with the « 2 » removed. Here is the result :
I removed all the other numbers, like the file submitted by spinner, and as expected, all timestamps have disappeared !
We still don’t really know the encoding of the font, when the firmware only show the following image, there is no timestamp:
The firmware change is only between 0x138000-0x13d000. Here is the corresponding part of the firmware with the transparent font:
0x138000-0x13d000_no_font.raw (20 KB)
So, work done, the timestamp is completely removed from my gumpack camera. Thanks to Chuck, Spinner, Bill W. and other people that posted great ideas in the comments. It took me a bit more that one week to achieve this.
Here is the final result :
Next thing to do is make this « easier » so that other people can use this information.
Update 10 march 2010
Villamany managed to remove the timestamp from his md80 camera too ! Here is his success : on this water rocket forum Congratulations !
Happy Hacking !


13 février 2010 à 02:42
Great work!!!. I am villamany from Spain. I have a fake AEE MD80 camera. that is similar (model #3). I have a interface. Is also valid for dump the memory content?.
http://i146.photobucket.com/albums/r247/villamany/CamMD80/IMG_5107a.jpg
http://i146.photobucket.com/albums/r247/villamany/CamMD80/IMG_5112a.jpg
The USB-Serial interface:
http://cgi.ebay.es/CP2102-USB-TTL-RS232-Serial-Port-Converter-Transceiver_W0QQitemZ350315867160QQcmdZViewItemQQptZUK_Computing_NetworkingCables_RL?hash=item519073ec18
thanks…
13 février 2010 à 15:30
Hi! Great work. It seems that everyone wants to get rid of this … timestamp.
How about a hardware-hack to achieve that. e.g. there must be a crystal for the RTC. What if we make this crystal fail to work (e.g. by removing it)?
Even if the clock would only stop ticking it would be an advantage (easier for the DELOGO-filter to remove the timestamp).
If the RTC is in a separated chip, then what about cutting the one or the other leg of that chip (after looking into the chip-manual)?
Also I noticed that duplicate frames do not get the timestamp implanted. Maybe we could use that to our advantage somehow.
Also there is a firmware of Cam#1 (http://www.chucklohr.com/808/#100103-1-update) in which it is possible to inactivate the timestamp. Maybe you could flash this firmware to your gum-cam. Or one could compare the differences between those 2 firmwares and copy the essential part(s)…
Also there are cams where you can disable the timestamp by adding the letter N after the time in the time.txt. If we could extract the firmware from such a cam and flash it to the gum-cam the problem could probably be solved.
13 février 2010 à 17:06
Hello Villamany,
Your interface cannot work directly to dump the flash using SPI protocol. It might be possible to use the sideband signals like DTR, CTS, DSR and others to emulate the SPI protocol, but it will take hours to dump the memory. It also needs to be 3.3V, because 5V will burn the component.
13 février 2010 à 17:58
Hello Spinner,
You had a brilliant idea in removing the crystal, I just did it and updated the article. The RTC function seems to be inside the main ASIC, as there is no other chip than the ones already identified.
I had a look at the #1 firmware, and it is ARM code inside. My own camera doesn’t seem to have an ARM cpu inside. I don’t think we can exchange the firmware that easily, provided the main chip is very different.
Thanks.
13 février 2010 à 18:36
Hi,Yes I bought my camera at 23/12/09 (dd/mm/yy) on Ebay. This printed label can be the production date.
Thanks for the info, i had read datasheet, and my interface have a 3.3v ttl, but only +3.3, 0v, TX, RX pins and for SPI i need a bidirectional I/O. I am going to serarch info about read the flash memory with my Pickit2 programer.
13 février 2010 à 18:41
>removing the crystal, I just did it
And nothing happend??? The videos were still ok? You mean, the RTC runs without crystal? That’s bad news. I hoped it would stop to run if it gets no more impulse from the crystal. Could we replace the crystal with something that sends only veeeeery few impulses or only one? That would (eventually) make the RTC stop practicly. Then we could set the time to 2011:11:11 11:11 und create a delogo filter for those small numbers « 1 » instead of blurring the whole timestamp-area.
>I had a look at the #1 firmware, and it is ARM code inside.
Yes you are right. My fault. Only Cam3 and GumCam seem to have the same ASIC (SPCA1527A). The Cam1-hack seems to work like this: replace the font-file with a new font-file which consists basicly of ZEROS. Some portion of your extracted firmware should hold a font as well. If we could find this section and replace it with BLANK, it could work as well as for Cam1. (Checksums could be a problem though.)
>RTC function seems to be inside the main ASIC
I still wonder why and have no clue why duplicated frames do not get a stimestamp (causing the timestamp-flickering).
>doesn’t seem to have an ARM cpu inside
In Cam4 the timestamp can be disabled in the time.txt. I’ve not seen whether Cam4 uses the same ASIC (SPCA1527A) as Cam3/GumCam… Maybe…
13 février 2010 à 18:55
@spinner: When one the the crystal is removed, the camera cannot record any video. So the RTC is not working, as the camera. It works « accelerated » when the main crystal have a lower frequency crystal.
If we could find the font in the extracted dump and make it blank it should work ! Personally I cut the bottom part of the video that include the timestamp, which have the drawback to decrease even more the resolution…
13 février 2010 à 19:32
Spinner said « I’ve not seen whether Cam4 uses the same ASIC (SPCA1527A) as Cam3/GumCam »
The #4 camera is probably the STK1262BLQG processor.
The tear down photo of the #4 camera is here and the CPU is potted, so you can’t see the part number. http://chucklohr.com/808/#hd-no4-camera
But, I have a gumpack camera, that is functionally identical to the #4 camera, except the video is 640×480. My gumpack uses the STK1262BLQG processor and a 25L4005AMC 0.5 megabyte SPI flash chip. I will be posting some photos.
My gumpack and the #4 camera use the same webcam driver. Hardware VID PID is 5E1 B01.
— Chuck from chucklohr.com/808
14 février 2010 à 11:13
Great work getting the SPI chip downloaded!
Your efforts have enabled me to bring you great news… I have confirmed that the fonts are embedded in the binary data of your raw binary. I have not determined the exact format of the embedded fonts but I have managed to convert your binary into a properly arranged bitmap image such that the fonts are clearly visible when viewed.
Sadly, the fonts do not appear to be simple 8-bit binary data, but a rather complex coding scheme may have been used. It is not a mystery anymore why nobody has found the fonts because they are very obscurely embedded in the file.
It’s a rather large file, so I uploaded the image to this Water Rocket forum where we have been discussing these cameras for some time because the WRA2 competitions require a camera onboard and this camera is so inexpensive and small it’s perfect for water rocketry:
http://www.waterrocketforum.com/viewtopic.php?p=7755#p7755
I hope you can make use of this info to rid us of that awful timestamp!
Kind Regards,
Bill W.
14 février 2010 à 15:23
Thanks to Bill W.! I just around a little bit with « gumpack_camera_flash.raw » and IrfanView:
http://www.abload.de/image.php?img=gumpack_cam3_flashlookb0kg.png
It’s still a bit distorted. But what bothers me: There seem to be included a big and a small font. Because the big font has to many pixels for my taste! The timestamp-font in the videos is as far as I can see only consisting of very few pixels.
My conclusion would be that there is a small font included as well as a big one. You can see the small font in my posted picture right under the big font.
We should care about the small one, I guess?! Also the ZERO in the big font is more a rounded one, while the ZEROS that I see in the videos seems not so much rounded to me… What do you all think?
14 février 2010 à 16:56
Great work Bill and Spinner. I updated the article accordingly. It seems that we should concentrate on the small font has you say. I will try to make a script that extracts the font more precisely. Thanks a lot for this progress.
14 février 2010 à 17:05
Me again :O)
Just played some more:
http://www.abload.de/image.php?img=gumpack_cam3_flashtry6zpcq.png
I identify 4 different font-sizes there. I think the second smallest could eventually be the one used in the videos?!
14 février 2010 à 17:19
Happy to see you again !
Great ! I understand why we see some « repetition » with same size fonts ! It just depends on the « line period », where you change 1024 to 512. I believe that you will see something else with 256 ?! Let’s me script this !
14 février 2010 à 18:24
Yes you are right, the font you have choosen seems to be the right one. I just compared all fonts known by now. (I should mention here that I don’t have such a camera (yet).)
http://www.abload.de/image.php?img=timestamp_font_compare3p2u.png
About the repetitions: Yes. What I did when I was «playing around» was just changing the linefeed and bitrate randomly and hoping to find something new…
14 février 2010 à 18:33
Your image is a good confirmation. Lets attack the font 3. 😉
14 février 2010 à 19:27
What about changing portion 3 to this:
http://rapidshare.com/files/350585577/img_extract_03_0x138000-0x13d000_new.zip.html
(Can be downloaded 10 times)
I am not certain about this. It is just a wild guess…
14 février 2010 à 20:06
>If the «2» has gone, it rocks ! I believe it is the same idea as Spinner
My approach was more drastic. I deleted every single letter… :O)
Uploaded to depostifiles:
http://depositfiles.com/files/mlhc30x37
14 février 2010 à 23:27
Here is the conclusion, thanks to all. The timestamp has gone by writing in the firmware the file posted by spinner 😉 So no checksum protection here !
15 février 2010 à 05:14
Great work you guys! I was hoping to finish deleting the font by figuring out the format and deleting the font from the file but you guys were able to get it to work in short time. I’m glad to have contributed and thank you for the help!
16 février 2010 à 07:14
Just picked up one of these cams today and immediately got frustrated with the time stamp; stumbled across this site and have a quick question for you guys:
How do I do it?
Apologies for the simplistic question 🙂
Merci Beaucoup
Thanks!!!!!!!
16 février 2010 à 20:37
Hello Toothman,
There is no user-friendly solution yet. To do it, you will have to:
– Open the camera (with a very small screwdriver)
– unsolder the memory chip (with a very thin iron)
– reprogram it with the hacked firmware (either you have a SPI reader/write, either you need to build/buy your own)
– re-solder the chip.
I will publish another article that describe my own SPI programmer I made for this intent.
16 février 2010 à 17:15
[…] […]
17 février 2010 à 20:30
Hi Philipe.
This posting might not be interesting fo many people,but I could not find an e-mail adress to ask you directly.
Ijust wonder where you managed to byt a gum pack camera that can produce 30 fps? And how much did you have to pay? I have bought one but it is a #1 camera, with 25 fps and lots of duplicate frames. So I am still loking for a better quality camera.
I am doing a project with my cat. Here is the first test: http://www.youtube.com/watch#playnext=1&playnext_from=TL&videos=lLSX1klyWAE&v=4Cd-PubR5-Y
Best regards.
Lars Midboe
17 février 2010 à 21:03
In fact, my email is hidden here : my email 😉
I bought mine on ebay from a seller called « china.gadgets ». He is selling some more, for example here (a bit different from mine indeed) : http://cgi.ebay.com/4GB-Gum-Spy-Video-Recorder-Camera-Stick-DV-640-480_W0QQitemZ320484658946QQcmdZViewItemQQptZLH_DefaultDomain_0
Even if the framerate is a bit slow on your video, the resolution is very descent.
Regards,
20 février 2010 à 20:14
Hi,
I´ve found this string in your hex-dump:
Do ISP ??? Press any key to do ISP !! ISP… OK !!! FW %s, %lu KB
ISP.BIN DRAMPARA.TXT OK..
Boot %s, %lu KB
ISPKEY.TXT FW.BIN 1528.BIN OXOXOXOX.XOX Del ISPKey ***nrSects=%lu > 2GB? or < 2.2MB?***
FAT16 FAT12 FAT32 fat=%bd
SUNP_DSC NO NAME
Maybe this is a hint for an userfriendly way removing the time stamp? It seems like there is a way for firmware-updating using the SD card.
21 février 2010 à 12:15
Hello Atomphil, I already found theses strings in the dump and tried to put a file with this name on the SD card. But no one seamed to trigger any programming mode 🙁
22 février 2010 à 15:10
Hi,
ISP.BIN seem to the bootloader and DRAMPARA.TXT is the file with the address settings of flash where the firmware will be written .
ISPKEY.TXT seems to be the firmware update mode trigger file .
FW.BIN and 1528.BIN firmware files .
We just need at least the first 3 files 🙂
Regards
22 février 2010 à 23:28
Hello Angelo,
May I ask you how you know theses informations ? Do you have any idea of the format of theses files ? I can try if you have some ideas. Even if the flash goes wrong, I can still reprogram manually the memory.
Thanks,
23 février 2010 à 05:23
Good work on removing the time stamps guys …i know i migth be able to do it too the thing is i dont have the equipment and dont want to pay extra money for that..
My only problem is i got a turnigy 800 camera that seem to be the same and exact cam as in the gumpack one. The thing is even if i make the TAG.TXT file and put it in my dcim folder on my sd reboot the cam but it never change…??
I know it isnt really related to way your saying in there but still if someone could give me an hint i would appreciate.
Thanks
David
23 février 2010 à 15:13
Hi,
It´s what it seems to me, i do not have sure.
It´s what my knowledge and experience in GSM field for 15 years tell me.
ISP , stands for In-System Programmable.
I´ll try to find something more about SPCA1527A MCU
Regards
23 février 2010 à 17:42
Hello,
Before attacking my camera with the findings of your excellent work, I have a more « critical » need: my LiPo battery is dead.
Do you (or anyone) know where to buy a cheap battery replacement? I have found some e-shops but too expensives, specially if we add the delivery costs to europe.
Anyone can help me?
Thanks in advance.
23 février 2010 à 20:39
@sybex: The tag.txt should be in the root folder, not in DCIM/ 🙂
@Angelo: I would really appreciate if you can get more informations about the SPCA chip. Without knowing the registers, we cannot really progress. Thanks.
@Perrete: You can have a look here for a replacement battery for your camera : http://www.hobbycity.com/hobbyking/store/uh_viewItem.asp?idProduct=7568 But it is out of stock … Otherwise, it might be less expensive to buy a new camera …
24 février 2010 à 00:39
Re: That battery… I walked downstairs to check in my LIPO storage and I already own two of them. 🙂 I walked down because I wanted to check that these batteries are not larger than the whole keychain camera that I have, but I misrememberd this. The batery looks as if it would fit inside my camera.
It’s been 24 years since I last programmed 8051 CPUs… 🙁
Indeed the 8051 architecture is not yet dead. For example, Cypress sells USB2 chips that run off a 8051 CPU inside. Actually… my camera runs at USB2 speeds, so maybe they borrowed the IP from Cypress for the USB2 interface and the CPU?
Anyway, an 8051 is NOT fast enough to encode video streams at modern pixel-sizes. But that’s done more efficiently in an asic. So I think they have an encoder-unit on the chip. The 8051 is then perfectly capable of booting, providing settings for the CCD chip and writing the SD card using SPI. (it’s using I2C for the CCD chip, I’m guessing. I saw SPI code in the binary which I’m guessing is for the SD, and that leaves the I2C code talking to the CCD chip.)
24 février 2010 à 00:43
Where did you guys find 8051 code in the flash image? I get almost nothing, I can’t find an entry point. IIRC the reset vector is at 0, so my disassembler should follow it and find more pieces of code. However it always finds three or four jumps and then nothing.
The 8051 can access only 64k of memory, so I don’t know how that would be implemented, and which part of the 2M flash image is actually the code for the 8051.
24 février 2010 à 10:40
@Philippe:
Merci beaucoup pour l’info, but referred battery does not fit in gumpack camera. This battery is 20mm height and gumpack one is <16mm). On the same web we can find this another model that fits:
http://www.hobbycity.com/hobbyking/store/uh_viewItem.asp?idProduct=8864
But only 138mAh.
Thanks anyway.
@rewolff
Should you sell me one of your two batteries in stock? If affirmative, please contact me at
alvaro_rb (at) yahoo.es
Thanks.
24 février 2010 à 12:45
Perrette,
I opened up my camera, and it has a 200 mAh cell, of exactly the dimensions of my 240mAh cell from HK.
http://prive.bitwizard.nl/DSC_3657_small.JPG
or fullsize: http://prive.bitwizard.nl/DSC_3657.JPG
But I may have a different camera than you do….
24 février 2010 à 22:48
@rewolff: I didn’t do too much work on 8051, as I am too young to have ever worked with one 😉 I have just seen that some method have a clear entry and exit point. But I didn’t find the reset vector. As you said, the 8051 is not used to do real image processing. It should only push some configuration register to pilot the whole ASIC. Thanks
27 février 2010 à 00:31
Hey, has anybody made any progress with reverse engineering the dump?
I’ve put quite some time in it but I can’t seem to get the references right. Maybe parts of the code are copied to different locations during runtime? I have no experience with 8051 whatsoever, so maybe I just lack the basic memory organization stuff.
It looks like there is some kind of debug mode, maybe there is a way to hook up a console to the hw during runtime?
@Philippe: In case that dumping process isn’t too complex maybe you could dump the flash one more time (after having used the cam)? It might be written to during runtime and have small, maybe informative differences. Differences like the last set date for example!
27 février 2010 à 08:06
Wow! What a great read! Thanks for posting your hard work!
Would it be possible to change the camera so that its settings could be programmed by software? Something like Canon CHDK « light »?
3 mars 2010 à 15:24
MD80 camera firmware dump: http://prlxlg.blu.livefilestore.com/y1puJeJXskFmLIHHVQb7ADgKZnQH9fnT1ViF_tko-FBs9eriyuQlI_7S6w8H6iu3i_9GMpoL4Mx6iVNNOxmDslgrxMd0Iy_rVfK/md80.raw?download
I tried sniffing the traffic between the flash and processor, but my device buffer overflow occurs.
The first thing is to ask the processor memory model and then starts reading bytes from 0x000200 ofset then i get a buffer overflow in my busPirate interface.
5 mars 2010 à 01:19
Has anyone seen one of these behave as follows:
– Turn it on and start filming a video.
– The blue and green lights are on during this time.
– After 4 – 5 minutes the orange light starts flashing and the camera no longer responds to pressing any buttons.
– Turning it off results in a 0 byte AVI file
Really odd. I would send it back but the vendor I bought it from is crap, I had one that wouldn’t charge and sent it back and they sent me the same one back again. Sent it in again and two months later I get this.
Ideas on what I can do besides throwing it in the trash bin?
6 mars 2010 à 00:56
Great work!
Different issue- the reduction in frame rate that is mentioned in the « Playing with crystals » section sounds great to me- I want to use my « Lohr type 3 » md80 clone/gumstick cam as a timelapse camera (with a larger battery of course). It was not clear to me which crystal was changed to reduce the frame rate. Mine has two crystals without any markings on them. Could anyone help me out?
6 mars 2010 à 13:14
Alors, ça, c’est la meilleure !
Tu écris maintenant tes textes en anglais !
Non seulement je suis loin de tout comprendre, mais je ne peux même plus corriger les fautes …. d’anglais, langue dans laquelle tu sembles très bien te débrouiller.
D’ailleurs, pour la technique, tu es peut-être encore plus à l’aise en anglais qu’en français !
Et tu as recueilli de nombreux interlocuteurs.
Bravo,
A plus.
7 mars 2010 à 21:32
Hello Philippe and ALL,
Thank you for good article.
I just found out that my gumpack camera that looks exactly like yours has the same PID as #3 camera, webcam driver from #3 works fine for me. I’am quite happy with timestamp but it gets refreshed to 1980 each time i switch off the camera. Don’t you know the cure yet?
Regards,
Alexey
8 mars 2010 à 00:01
@Martin: I dumped several time the flash content during the process, and they are all identical. I don’t believe that « normal » usage of the camera will change the flash.
@michaeldallas: In order to change the parameters like CHDK, it would need a huge amount of work, to understand and modify the current firmware. We are just at the beginning, and we don’t have any docs … If it is not impossible, it is at least very hard.
@Mike: I had the orange light flashing when the battery level was too low. Try to charge it. I also noticed that the battery will not charge if the camera have the power switch to « on ». It only charges when it is « off ». If you really want to throw it, send it to me instead of the bin 😉
@AvdM: Only of the the crystal have a mark (27000). It was only visible when unsoldered, because it was on the bottom side. You could bend the pins to try to see something. For a time-lapse camera, you would need a very slow crystal, and I not convinced that the chip will work with a very low frequency, so you have to give it a try ! For your time-lapse hack, I would suggest that you put the camera on the « photo » mode, and make some electronic or mechanic that periodical press the shutter button. Let us know 😉
@Alexey: The time is reset when the camera is put in power off. You can keep the time running if you let the power switch always to « on » position. The camera puts itself into sleep mode, and consume very little power (several month of autonomy). I consider now the « power » button more like a reset, and always keep it « on ».
Thanks you all for your comments and encouragement.
9 mars 2010 à 09:43
hello,
i have the MD80 CLONE (will be arriving in a few days) and i wanted to know if there is a way of flashing the device by adding the bin file to the drive it self… like with the tag.txt file?
and what about the N letter in the end of the command in the txt file? any one tried it?
thanks
9 mars 2010 à 14:26
@villamany: Unfortunately, I can’t get your link to work.
@chen: If there was a known way, you’d find it in this article (read: no way known yet).
9 mars 2010 à 22:52
try this link http://www.megaupload.com/?d=PK4WBY7J
I have two MD80 cameras, the zip file contains the firmware dump of both cameras.
[edit by Philippe : I have put the files in the article in direct download. Thanks !]
11 mars 2010 à 06:34
@Philippe – It doesn’t seem to be low battery as it will continue blinking orange for over an hour and not shut itself off.
For everyone’s benefit stay away from ePathChina, rip off.
I had a previous one that wouldn’t charge off any cable or computer and would die after seconds. Lights would flicker and go out. Sent it back and they sent the same one back to me. Sent it back again and I think they sent me someone elses defective return.
Not sure what to do here. Might try to flash it but need to read up on it.
11 mars 2010 à 07:01
Interesting test. I put a flash card in it and it will work fine recording longer videos. There must be something wrong with the internal memory that it cannot save a larger file.
It’s ok, this one isn’t as good of video quality as the key chain one I got off eBay for $13.99 shipped, far smoother and better quality. It didn’t have built in memory though.
11 mars 2010 à 18:19
Excellent work! I’ve been using a #3 version of this camera for about 6 months and would like to do the same work on this. I have an ATMega88 development board and would like to dump my own code. Do you have any code/wiring details to dump the code using the spi bus? This is so that I can experiment with disassembling the code and rewriting to include an option to turn on and off the datestamp. I’m assuming that there must be some bootloader code to read the binary file from disk.
11 mars 2010 à 22:56
@Buck: Hello,
I plan to publish another article with all the howto wiring and code I used to achieve this. Stay tuned 😉 Thanks,
22 mars 2010 à 07:06
Philippe, looking forward to the tutorial, thanks for the useful info so far 🙂 In the mean time i’m wondering if I can do anything with the Arduino board I have. A quick search reveals they can talk SPI, though they run at 5v so will need voltage dividing resistors etc. I guess it might be slow as well but i’m not so bothered by that. If I manage to get anything working i’ll post back.
Regards,
Jono
22 mars 2010 à 22:56
Folks I took a quick look at the NAND flash dump content. There is a way to disassemble the flash dump. See this site: http://spmp305x.spritesserver.nl/wiki/index.php/NAND_Flash
By looking at the headers we can tell there are 0x12f (303) user blocks. There are also memory mapping entries starting at address 0x200. Some of the user blocks should be FAT file systems according to the site.
The page size is 512 for this flash chip. The block size seems to be 4096.
I am going with the info in the following source code to disassemble the flash dump:
http://libspmp3050.googlecode.com/svn-history/r149/trunk/src/prex/dev/arm/spmp/nand.c
http://lxr.free-electrons.com/source/drivers/mtd/nand/nand_ids.c?v=2.6.33