So I find myself needing some more el-cheapo pan-and-tilt webcams. The last time I did this, I bought the cheapest thing I could from eBay and was pleasantly surprised to find that pretty much all the devices ran a small embedded linux, had a perfectly usable web interface and had a connector on the rear that could be used to trigger the sending of a email with captured pictures. Buoyed by past experience I ordered some more: in this case the cheapest on ebay which had the connector on the rear: the KK Moon Model 801 TP-C516.
They duly arrived and I connected one to a test network. It dhcp’d an address, and began trying to talk to a server in LA. There was no web interface, and the only interesting thing nmap(1) could find was telnet. After some fettling I managed to log in with the username and password of root and anni2013. A quick look around confirmed it was running Linux. I spent an hour or so trying to find more conventional firmware without success, so I then had a look at the CPU. The camera is built around a Ralink RT5350 wifi SoC. I’ve previously ported gcc and openwrt to a similar ralink CPU, and it was a Sunday morning so I thought I might have a shot.
The camera has 32M of SDRAM and 8Mb of SPI flash in an mx25l6406e (or rather a clone). So I took the chip off and read it. The bootloader was, predictably at the beginning of the rom, and appeared to have a serial output, so the next step was to find where that came out on the hardware. A little bit of judicious hunting found two test-points next to the SPI rom.
Connecting those up and knowing from the dump of the rom that it was expecting 57600 baud gave the following:
U-Boot 1.1.3 (Oct 31 2012 - 23:46:19) Board: Ralink APSoC DRAM: 32 MB relocate_code Pointer at: 81fb4000 sysctl:40200300 spi_wait_nsec: 42 spi device id: c2 20 17 c2 20 (2017c220) find flash: MX25L6405D raspi_read: from:30000 len:1000 .raspi_read: from:30000 len:1000 .============================================ Ralink UBoot Version: 220.127.116.11 -------------------------------------------- ASIC 5350_MP (Port5<->None) DRAM_CONF_FROM: Boot-Strapping DRAM_TYPE: SDRAM DRAM_SIZE: 256 Mbits DRAM_WIDTH: 16 bits DRAM_TOTAL_WIDTH: 16 bits TOTAL_MEMORY_SIZE: 32 MBytes Flash component: SPI Flash Date:Oct 31 2012 Time:23:46:19 ============================================ icache: sets:256, ways:4, linesz:32 ,total:32768 dcache: sets:128, ways:4, linesz:32 ,total:16384 ##### The CPU freq = 360 MHZ #### estimate memory size =32 Mbytes Please choose the operation: 1: Load system code to SDRAM via TFTP. 2: Load system code then write to Flash via TFTP. 3: Boot system code via Flash (default). 4: Entr boot command line interface. 7: Load Boot Loader code then write to Flash via Serial. 9: Load Boot Loader code then write to Flash via TFTP. 0 3: System Boot system code via Flash. ## Booting image at bc050000 ... raspi_read: from:50000 len:40 . Image Name: Linux Kernel Image Created: 2014-10-30 1:46:36 UTC Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 3044465 Bytes = 2.9 MB Load Address: 80000000 Entry Point: 8041b000 raspi_read: from:50040 len:2e7471 ............................................... Verifying Checksum ... OK Uncompressing Kernel Image ... OK No initrd ## Transferring control to Linux (at address 8041b000) ... ## Giving linux memsize in MB, 32 Starting kernel ... LINUX started... THIS IS ASIC Linux version 2.6.21 (root@sky) (gcc version 3.4.2) #1071 Thu Oct 30 09:46:24 CST 2014 Initrd not found or empty - disabling initrd Kernel command line: console=ttyS1,57600n8 root=/dev/ram0
So I next had a look at the openwrt side. Pleasantly openwrt trunk already had support for a non-PTZ camera based on the RT5350 (The WansView NCS601W).
Building that and feeding it to the bootloader’s option 2 via TFTP got me up and running almost immediately. Building mjpg-streamer (after fixing a bug which caused gcc’s stack canary to trip) gave me an, albeit upside-down, streamed image. Success, and all before breakfast! The next task was figuring out how to move the turret.