Dec 03

This is part 1 of my hacking adventures on the HT-A1. To see part 2, click here

After having tried to software-hack my old Flir E4 to get a higher resolution, and failed at that (some of them cannot be upgraded for unknown reasons), I was on the lookout for a better resolution device.

Having watched Julian Ilett’s video review of the device, steered me onto the cheap HTI (Dongguan Xintai Instrument Co.,Ltd.) HT-A1 thermal imager.

Almost all the other cheap off-brand imagers i have seen is pretty crap, but this one boasting a resolution of 220×160 pixels, that’s not half bad (compared to my old Flir E4, which was locked down at a measly 80×60 pixels.

Before  pushing the Order button, i went to do some more research and found this teardown video by Youtube user “The Equalizor“.

This reveals that the camera uses a sensor module from SEEK thermal and reveals some other nice details. Go see his video on how to get into the device.

It looked good, so i ordered one using the link on Julian’s video. After approx 3 weeks (whereas one week was it being stuck in customs) it finally arrived. I turned it on and checked that all worked, and then to continue to take it apart 😀

This is not a review, nor a teardown. This has been done before. I will look into what’s happening on the serial interface that is clearly evident on the board, and i will try to figure out what kind of communication protocol there is between the sensor and the mainboard.

The mainboard in all its gory details. All pictures are clickable for magnification.

Apparently the mainboard is a quite new revision (August 21, 2018), and not carrying a CPU-daughter board like on The Equalizor‘s camera.

Looking at the mainboard, trying to figure out how everything is wired together, it becomes apparent that there is a room for a module of some kind, denoted U5. Hmm, GPS-module for geotagging or WiFi-module? The traces going off to J1 with the antenna matching components screams WiFi to me. Who makes a WiFi-module in this approx. 12x12mm footprint? EDIT: I found it, using the right search words on AliExpress: “Tablet WiFi module” – It’s a module carrying the RTL8188CUS WiFi-chip.

What is interesting, when we follow the tracks from this missing U5 module, they go to a missing U7 chip. The data pair from the thermal module also goes here, but is jumpered by two 0Ω resistors (R28 & R29) … Hmm this smells a lot like USB! – What is U7 was a missing USB-hub? I’m thinking GL850G in SSOP-28 housing, a good old classic. A datasheet is available here: GL850G USB Hub 1.07.

So, we know that the thermal imager is running USB communication with the main Allwinner A33 CPU. No need to put the logic analyzer on these lines for hacking – we need to look at that serial port to see what’s happening on boot!

The cable between the sensor and the mainboard, Front and back view.

It carries GND, +3.3V and USB data.

The sensor module itself:

Front of the sensor has a removable lens, held in place with two daubs of what seemed to be hot-melt adhesive. It was easily removed with a scalpel. I am planning to design and 3D-print a tool that fits into the holes in the front to be able to set the focus.

The processor on the thermal module is the NXP LPC4330FET100, a Dual-core Cortex M4/M0 chip. More info here

The camera module is a sandwich of two boards – front board holding the directly bonded sensor (this is pure speculations)

Bottom side of main PCB with the NXP micro holds some support circuitry and a big SPI flash that holds the firmware that runs the module.

On top of the main board, in vicinity of the thermal module there is U100, it’s a bog-standard DS18B20 thermometer for local compensation of the camera’s own temperature. I guess the thermal module does not carry its own temp. sensor.

Some playing around with booting the board without thermal imager or visible camera modules revealed that with both unplugged it will hang indefinitely at the boot screen (but it will still switch off when you press the power button, so it’s not dead behind the scenes). Unplugging only one of the cameras/sensors will have the camera booting happily. Unplugging the visible camera makes all mixed image modes go black. Unplugging the thermal module makes all thermal readings go away, but you can still use the visible module just fine. I guess it was built this way to not die completely if one of the devices went bad, but instead would boot and the user could see what was missing, to go report the error and get the device off for repair.

On the back of the board there is a switch, S1. I tried pressing it while the unit is in operation, no response.

Holding it down while pressing power button yields a device that does not boot, but rather “locks up” – I’m pretty sure this button is to go into some bootloader flash mode. The firmware talks about a “fel button” – it’s for firmware flashing as far as i know for now.

Well this is getting interesting!

The small connector footprint J2 showed to contain no output at all, i scoped it and it’s dead as a dodo.

The three test pads over it on the other hand is alive and well with debug serial@115200 8N1 – YEAH!

Booting the camera with all devices connected will yield this nice bootlog:

HELLO! BOOT0 is starting!
boot0 version : 3.1.0
reg_addr 0x01f00100 =0x00000000
reg_addr 0x01f00104 =0x00000000
reg_addr 0x01f00108 =0x00000000
reg_addr 0x01f0010c =0x00000000
reg_addr 0x01f00110 =0x00000000
reg_addr 0x01f00114 =0x00000000
DRAM DRIVE INFO: V1.5
DRAM CLK =552 MHZ
DRAM simple test OK.
dram size =512
card boot number = 2
card no is 2
sdcard 2 line count 0
[mmc]: mmc driver ver 2014-07-07 16:54
[mmc]: ***Try SD card 2***
[mmc]: mmc 2 cmd 8 timeout, err 0x00000100
[mmc]: mmc 2 cmd 8 err 0x00000100
[mmc]: mmc 2 send if cond failed
[mmc]: mmc 2 cmd 55 timeout, err 0x00000100
[mmc]: mmc 2 cmd 55 err 0x00000100
[mmc]: mmc 2 send app cmd failed
[mmc]: ***Try MMC card 2***
[mmc]: MMC ver 4.5
[mmc]: SD/MMC Card: 4bit, capacity: 3728MB
[mmc]: vendor: Man 0x0090014a Snr 0x012084b9
[mmc]: product: H4G2a
[mmc]: revision: 1.1
[mmc]: ***SD/MMC 2 init OK!!!***
sdcard 2 init ok
The size of uboot is 0x000bc000.
sum=0x0ccccd69
src_sum=0x0ccccd69
set_mmc_para,sdly 50M 0
set_mmc_para,sdly 25M 0
Succeed in loading uboot from sdmmc flash.
Ready to disable icache.
Jump to secend Boot.
[ 0.335]

The rest is not shown here, open BOOT down here under to see the full bootlog.

Raw logs from boot can be found here – some of them is booting without imagers connected, just to see how it reacts:

BOOT

NOTHERMAL_BOOT

NOVISUAL_BOOT

NOTHERMAL+NOVISUAL_BOOT

System is running Busybox, and with some serial debug magic i managed to copy files from system folders to the /mnt/IMGS folder that is exposed over USB. I found all kind of good stuff there – in /boot/ i found logos for other manufacturers (different branding), the cheesy battery recharge-animation – even audio files though the system has no way of doing audio recording or playback 😀

    

Now, making a new boot logo/animation is next, i think!

Yep, it had to happen: Video of new bootlogo i made in a hurry

I took at backup of the system partitions, and you can get them here:

Data partitions

I decided to order in a WiFi-module and USB-Hub-chip so i can enable WiFi and SSH-access on this 🙂

— I will update this when the parts arrive.

Oct 16

While attending the 2017 edition of Mini Maker Faire at Aarhus central library (DOKK1) We (Labitat expedition) also went to the obligatory visit at OSAA (Open space Aarhus) and looted some stuff from their Limbo-shelves.

In between all the good stuff there, I found a Sony BDP-S360 BluRay-player. It went back home for exploring.

Upon powering-up it just sits there saying “Wait” on the VFD while making some mechanical noises.

As I have no interest in having a BD-player it was turned into parts. Nothing really useful was found inside. Bog-standard primary SMPS, 22 watts max output and mainboard with more or less single-chip-solution.

The mechanics had the old venerable KES-410-optical pickup (known from the ‘PS3 fat‘)

As I have a special interest in VFD’s (Vacuum Fluorescent Displays) (amongst other older display technologies) I took a closer look.

BDP-S360 VFD Front panel

It has all the power supply circuitry onboard directly – usually the Filament-drive and VEE-supply is built-in in the main SMPS, but Sony apparently went for the simpler approach here. I like that!

2 minutes on Google yielded the service manual with nice schematics and pictures of the front panel-board foil and silkscreen.

Looking at the schematic for the power supply for the VFD it’s pretty bog standard-kinda-deal here.

Transformers have always been an interesting item – for most a “black box”. I would like to know the number of windings etc. So i took out the transformer, put it into Acetone for a minute and opened the core (the outer ring lifts off, revealing the windings.)

BDP-S360 VFD Transformer pinout

BDP-S360 VFD Transformer opened up BDP-S360 VFD Transformer bottom view

I documented my findings here, in case that it might come in handy for someone else hacking with VF-Displays

 

T701:
Circular core, 10 pins.
Primary, pins 2,3,4
Feedback, pins 5,6
Secondary, VEE 1,10
Secondary, Filament 7,8,9
Tested at 160kHz
Primary inductance (end-to-end)    70 uH
Feedback inductance 2.2nH
Secondary, VEE 140uH
Secondary, filament 3uH
Winding order:
15+15 Windings 2-3-4 0.1mm
3+3 Windings 7-8-9 0.1mm
44 Windings, 10-1 0.1mm
5 Windings, 5-6 0.1mm
Voltages measured:
VEE is -18V
Filament supply is 5.4Vpp running on a -13.7V bias
Switching circuit runs at 216 KHz
The VFD-glass itself seems to be custom-part with special symbols for BD-player. I couldn’t find anything online on it.
The controller on board is the old and venerable PT6315. It uses a 3-wire interface and is very easy to interface with.
I will keep the board and parts for some more fun another day.
Update:
For kicks i tried making my own transformer on a EP-7 core with PC40-material.
Same number of turns, 0.1mm airgap (2 layers of Kapton tape)
Slightly higher output voltages, same switching frequency.
Jul 27

arduino-yun-front

The newest addition to my swarm of never ending pile of interesting electronics is the Arduino Yún.

As I was getting some parts from Newark Canada, I just thought, well i’ll get myself an Yún to play with as well.

Yún means Cloud in Mandarin, so it’s quite obvious it is an Arduino meant to be connected to the cloud (Internet of Things).

 

As I usually do, I hack into the deeper workings of devices, and in the case of the Yún, there will be no difference.

 

I will dig deeper into it’s internals – have You ever seen the “Black magic” hiding under the shield? I haven’t.

Also, later I will look into how much power this unit takes, and to see if there is any way to tweak the power usage.

 

 

Setting up the Yún was a breeeze – I followed the instructions over at http://arduino.cc/en/Guide/ArduinoYun

Quickly I had it connected to my own WiFi-network, and programming it over Wifi with Arduino 1.5.7 (Beta at the moment) worked quite nicely.

 

Well, let’s get to the point, what exactly is hiding under that EMI-shield?

A quick desolder job with the Solder-wick (Chemtronics 10-100L, the best money can buy!) and the cover was off.

Yun uncovered - overview

Yun uncovered – overview

 

Aha! – three chips – that ain’t much.

On the left we have a Winbond W9751G6KB-25 – 16 Bit DDR2-RAM – this is the main memory for the DD-WRT linux-environment that the Yún runs.

In the center there is the Atheros  AR9331-AL1A Wireless SOC – This is where all the magic happens.

And on the Right, once again from Winbond, a 25Q128FVSG – a 128 MegaBit Boot-flash, using SPI-interface.

 

So, now you know what hides under the shield, and you do not need to void the Warranty on your Yún to find out 😀

– Due to time constraints, I will leave the power-measurements to the next blog-post, as I need some time to gather readings, and present them in a usable manner.