Dec 03

 

After having tried to software-hack my old Flir E4 to get a higher resolution, and failed at that (some of them cannot be upgraded for unknown reasons), I was on the lookout for a better resolution device.

Julian Ilett’s video review of the device steered me onto the cheap HTI (Dongguan Xintai Instrument Co., Ltd.) HT-A1 thermal imager.

Almost all the other cheap off-brand imagers I have seen are pretty crap, but this one boasts a resolution of 220×160 pixels, which is not half bad (compared to my old Flir E4, which was locked down at a measly 80×60 pixels).

Before pushing the Order button, I went to do some more research and found this teardown video by YouTube user “The Equalizor“.

This reveals that the camera uses a sensor module from SEEK thermal and reveals some other nice details. Go see his video on how to get into the device.

It looked good, so I ordered one using the link on Julian’s video. After approx. 3 weeks (of which one week was spent stuck in customs) it finally arrived. I turned it on and checked that everything worked, and then went on to take it apart 😀

This is not a review, nor a teardown. This has been done before. I will look into what’s happening on the serial interface that is clearly evident on the board, and I will try to figure out what kind of communication protocol there is between the sensor and the mainboard.

 

The mainboard in all its gory details.

 

Apparently the mainboard is a quite new revision (August 21, 2018), and does not carry a CPU daughterboard like the one in The Equalizor‘s camera.

Looking at the mainboard, trying to figure out how everything is wired together, it becomes apparent that there is room for a module of some kind, denoted U5. Hmm, GPS-module for geotagging or WiFi-module? The traces going off to J1 with the antenna matching components scream WiFi to me. Who makes a WiFi-module in this approx. 12x12mm footprint? EDIT: I found it, using the right search words on AliExpress: “Tablet WiFi module” – It’s a module carrying the RTL8188CUS WiFi-chip.

What is interesting is that when we follow the tracks from this missing U5 module, they go to a missing U7 chip. The data pair from the thermal module also goes here, but is jumpered by two 0Ω resistors (R28 & R29) … Hmm, this smells a lot like USB! What if U7 was a missing USB-hub? I’m thinking GL850G in SSOP-28 housing, a good old classic. A datasheet is available here: GL850G USB Hub 1.07.

So, we know that the thermal imager is running USB communication with the main Allwinner A33 CPU. No need to put the logic analyzer on these lines for hacking – we need to look at that serial port to see what’s happening on boot!

The cable between the sensor and the mainboard, Front and back view.

It carries GND, +3.3V and USB data.

 

The sensor module itself:

Front of the sensor has a removable lens, held in place with two daubs of what seemed to be hot-melt adhesive. It was easily removed with a scalpel. I am planning to design and 3D-print a tool that fits into the holes in the front to be able to set the focus.

The processor on the thermal module is the NXP LPC4330FET100, a Dual-core Cortex M4/M0 chip. More info here

The camera module is a sandwich of two boards – front board holding the directly bonded sensor (this is pure speculation)

Bottom side of main PCB with the NXP micro holds some support circuitry and a big SPI flash that holds the firmware that runs the module.

On top of the main board, in vicinity of the thermal module there is U100, it’s a bog-standard DS18B20 thermometer for local compensation of the camera’s own temperature. I guess the thermal module does not carry its own temp. sensor.

Some playing around with booting the board without thermal imager or visible camera modules revealed that with both unplugged it will hang indefinitely at the boot screen (but it will still switch off when you press the power button, so it’s not dead behind the scenes). Unplugging only one of the cameras/sensors will have the camera booting happily. Unplugging the visible camera makes all mixed image modes go black. Unplugging the thermal module makes all thermal readings go away, but you can still use the visible module just fine. I guess it was built this way to not die completely if one of the devices went bad, but instead would boot and the user could see what was missing, to go report the error and get the device off for repair.

On the back of the board there is a switch, S1. I tried pressing it while the unit is in operation, no response.

Holding it down while pressing the power button yields a device that does not boot, but rather “locks up” – I’m pretty sure this button is to go into some bootloader flash mode. The firmware talks about a “fel button” – it’s for firmware flashing as far as I know for now.

Well this is getting interesting!

The small connector footprint J2 turned out to carry no output at all; I scoped it and it’s dead as a dodo.

The three test pads over it, on the other hand, are alive and well with debug serial@115200 8N1 – YEAH!

Booting the camera with all devices connected will yield this nice bootlog:

HELLO! BOOT0 is starting!
boot0 version : 3.1.0
reg_addr 0x01f00100 =0x00000000
reg_addr 0x01f00104 =0x00000000
reg_addr 0x01f00108 =0x00000000
reg_addr 0x01f0010c =0x00000000
reg_addr 0x01f00110 =0x00000000
reg_addr 0x01f00114 =0x00000000
DRAM DRIVE INFO: V1.5
DRAM CLK =552 MHZ
DRAM simple test OK.
dram size =512
card boot number = 2
card no is 2
sdcard 2 line count 0
[mmc]: mmc driver ver 2014-07-07 16:54
[mmc]: ***Try SD card 2***
[mmc]: mmc 2 cmd 8 timeout, err 0x00000100
[mmc]: mmc 2 cmd 8 err 0x00000100
[mmc]: mmc 2 send if cond failed
[mmc]: mmc 2 cmd 55 timeout, err 0x00000100
[mmc]: mmc 2 cmd 55 err 0x00000100
[mmc]: mmc 2 send app cmd failed
[mmc]: ***Try MMC card 2***
[mmc]: MMC ver 4.5
[mmc]: SD/MMC Card: 4bit, capacity: 3728MB
[mmc]: vendor: Man 0x0090014a Snr 0x012084b9
[mmc]: product: H4G2a
[mmc]: revision: 1.1
[mmc]: ***SD/MMC 2 init OK!!!***
sdcard 2 init ok
The size of uboot is 0x000bc000.
sum=0x0ccccd69
src_sum=0x0ccccd69
set_mmc_para,sdly 50M 0
set_mmc_para,sdly 25M 0
Succeed in loading uboot from sdmmc flash.
Ready to disable icache.
Jump to secend Boot.
[ 0.335]

The rest is not shown here; open BOOT below to see the full bootlog.

Raw logs from boot can be found here – some of them are from booting without imagers connected, just to see how it reacts:

BOOT

NOTHERMAL_BOOT

NOVISUAL_BOOT

NOTHERMAL+NOVISUAL_BOOT
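The boot0 part of such a capture boils down to a handful of facts: which storage protocol answered, which flash part is fitted, and whether the U-Boot checksum matched. The parser below is an added example, not part of the original post; it runs on an abridged copy of the log lines shown above, and reading "sum" as the checksum boot0 computed and "src_sum" as the stored one is an assumption.

```python
import re

# Abridged copy of the boot0 lines shown above (values as printed in the post).
SAMPLE_LOG = """\
boot0 version : 3.1.0
dram size =512
[mmc]: ***Try SD card 2***
[mmc]: mmc 2 cmd 8 timeout, err 0x00000100
[mmc]: mmc 2 send app cmd failed
[mmc]: ***Try MMC card 2***
[mmc]: SD/MMC Card: 4bit, capacity: 3728MB
[mmc]: product: H4G2a
[mmc]: ***SD/MMC 2 init OK!!!***
The size of uboot is 0x000bc000.
sum=0x0ccccd69
src_sum=0x0ccccd69
Succeed in loading uboot from sdmmc flash.
"""

FIELDS = {  # key -> regex with exactly one capture group
    "boot0_version": r"^boot0 version\s*:\s*(\S+)",
    "dram_size":     r"^dram size\s*=\s*(\d+)",
    "emmc_product":  r"product:\s*(\S+)",
    "capacity_mb":   r"capacity:\s*(\d+)MB",
    "uboot_size":    r"^The size of uboot is (0x[0-9a-fA-F]+)",
    "sum":           r"^sum=(0x[0-9a-fA-F]+)",
    "src_sum":       r"^src_sum=(0x[0-9a-fA-F]+)",
}

def _num(text):
    """Convert decimal or 0x-prefixed strings to int; leave anything else as str."""
    if re.fullmatch(r"0x[0-9a-fA-F]+", text):
        return int(text, 16)
    return int(text) if text.isdigit() else text

def parse_boot0(log):
    info = {"probes": []}   # each probe: [protocol, error lines seen, init ok]
    for line in (l.strip() for l in log.splitlines()):
        probe = re.search(r"\*\*\*Try (SD|MMC) card \d+\*\*\*", line)
        if probe:
            info["probes"].append([probe.group(1), 0, False])
        elif info["probes"] and re.search(r"\berr 0x[0-9a-f]+|failed$", line):
            info["probes"][-1][1] += 1
        elif info["probes"] and "init OK" in line:
            info["probes"][-1][2] = True
        for key, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m:
                info[key] = _num(m.group(1))
    # Assumption: "sum" is computed by boot0, "src_sum" is the value stored with U-Boot.
    if "sum" in info and "src_sum" in info:
        info["uboot_checksum_match"] = info["sum"] == info["src_sum"]
    return info
```

Running parse_boot0 over each of the four captures and comparing the resulting dicts shows at a glance whether unplugging a module changes anything before U-Boot takes over.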

 

System is running Busybox, and with some serial debug magic I managed to copy files from system folders to the /mnt/IMGS folder that is exposed over USB. I found all kinds of good stuff there – in /boot/ I found logos for other manufacturers (different branding), the cheesy battery recharge-animation – even audio files, though the system has no way of doing audio recording or playback 😀

 

    

Now, making a new boot logo/animation is next, I think!

Yep, it had to happen: Video of new bootlogo I made in a hurry

 

I took a backup of the system partitions, and you can get them here:

Data partitions

 

I decided to order in a WiFi-module and USB-Hub-chip so I can enable WiFi and SSH-access on this 🙂

— I will update this when the parts arrive.

22 Responses to “Hacking the HTI HT-A1 Thermal imager”

  1. Preamp Says:

    Hi there Zapro,
    just stumbled upon your hacks, nice work! I’ve seen The Equalizor’s video featured on Hackaday and ordered an A1 the same day; it arrived just yesterday. I’m probably not going to take mine apart too soon, because I have good use for it in working condition in the workshop. But there’s one question that immediately came to my mind when I read that the Thermal Module is connected via USB: Did you try to connect the module directly to a USB host like a Raspberry Pi or a PC? I’m wondering whether the Module spits out only raw data and all the other stuff (like color grading, spot readings, min-max readings) is done in the A33. Or is it all done in the Module itself?
    Best regards from just behind the border to Germany! preamp.org

  2. Per Jensen Says:

    Hi.
    I didn’t try to plug it into a different host for a number of reasons.
    1: We don’t have any driver for it, and without that, no use for it.
    2: LSUSB on the device doesn’t look like it’s a generic UVC video source or similar.
    3: It’s not not “video” from the sensor, also temperature etc -calibration is also done in the driver etc.
    4: I might try to plug it into a desktop machine at some point, but I’m 100% sure it will be pointless. No drivers = no fun.
    I have dumped all the data partitions to .img files – I will post these soon on the blog for you to look into.

  3. Preamp Says:

    Meh, damn drivers… I’d like to have an option to set a fixed temp scale, like 0°C…100°C instead of autorange. Maybe there’s a suitable option built-in already; looking forward to your .img-files.

  4. Andyelectric2000 Says:

    Driver ….the App from the Ht-101 ?

    http://www.hti-meter.com/EN/html/product_view_278.html

    https://www.alphaomega-electronics.com/es/index.php?controller=attachment&id_attachment=1552

  5. Per Jensen Says:

    I looked into that. There is a “thermalviewer_hti” application in the Google appstore, but it crashes immediately on my phone (Oneplus 6 running Android 9.0)
    Getting it to work on iPhone, forget about it. You need a special ID-chip in the game for the iPhone to acknowledge it.

  6. Per Jensen Says:

    .img-files are up now 🙂

  7. Preamp Says:

    Had a look at the .img-files. Seems like I have to up my linux-fu a notch…

    Couldn’t resist any longer to take that thing apart though. The front glass came off pretty easy, even without using any extra heat. Now I’m trying to locate the serial port on my ”old” V1.1 board.

  8. Per Jensen Says:

    Most of the .img-files are ext3-format, so you need to mount them as such.
    Can you share some pics of your V1.1-board?
    It could be interesting to compare differences in hardware and software.

  9. Preamp Says:

    I used TestDisk to copy the files out of the images. Can’t make much sense of those .ELF-files though.

    My board looks exactly like the one in the video. Just took a quick snap to show where I found the UART. Added a small three-pin header and then put the thing back together.
    http://preamp.org/dinge/hta1_v1-1_uart.jpg

    Do you care to share how you got access to the file system? I can look around the files via terminal, but how would I exchange things like the boot logo? Did you make the whole file system accessible via the USB port?

  10. Per Jensen Says:

    I’m no linux geek either – I got help from a friend in the local hackerspace. We mounted the partitions read-only and then did a dd of them to /mnt/IMGS so the .img-files could be accessed over USB and pulled out.
    You should use a serial terminal emulator that supports colors, otherwise it will be a bit hard to figure out what’s happening since the color commands are sent as extra characters. To edit the boot logo is quite simple:
    1 from serial port, you have access to a local console on the camera. A ‘ls’ command will list files/folders.
    Do a cd /boot/ to go to the boot folder. In here you will find bootlogo_20.bmp up to bootlogo_100.bmp.
    Do a ‘cp bootlogo_20.bmp /mnt/IMGS/’ for all the files. Now they will be accessible over usb. Modify these, make sure they are in the same format as the old ones. Put them back on the USB share, then do a ‘cd /mnt/IMGS/’ and then ‘cp bootlogo_20.bmp /mnt/boot/’ etc.
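Before mounting one of the dd dumps mentioned in comments 8 and 10, the filesystem type can be read straight from the ext superblock. This is an added example, not code from the post or its commenters; it uses the standard ext2/3/4 superblock layout, and the sample image and its "work" label are constructed for the demonstration.

```python
import struct

SB_OFFSET = 1024                 # ext superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53               # s_magic, little-endian u16 at superblock offset 56
COMPAT_HAS_JOURNAL = 0x0004      # set on ext3 and ext4
INCOMPAT_RECOVER = 0x0004        # journal needs replay (dump taken while in use)
INCOMPAT_EXT4_ONLY = 0x0040 | 0x0080 | 0x0200   # extents, 64bit, flex_bg

def identify_ext(image):
    """Describe the ext2/3/4 filesystem at the start of `image` (bytes), or None."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 136:
        return None
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        return None
    (block_count,) = struct.unpack_from("<I", sb, 4)       # low 32 bits only
    (log_block_size,) = struct.unpack_from("<I", sb, 24)
    compat, incompat = struct.unpack_from("<II", sb, 92)
    if incompat & INCOMPAT_EXT4_ONLY:
        kind = "ext4"
    elif compat & COMPAT_HAS_JOURNAL:
        kind = "ext3"
    else:
        kind = "ext2"
    block_size = 1024 << log_block_size
    return {
        "type": kind,
        "block_size": block_size,
        "fs_bytes": block_count * block_size,
        "label": sb[120:136].split(b"\0")[0].decode("ascii", "replace"),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }

def make_sample_image(label=b"work", journal=True, recover=False):
    """Constructed test input: a 2 KiB buffer holding only the fields read above."""
    img = bytearray(2048)
    struct.pack_into("<I", img, SB_OFFSET + 4, 8192)        # s_blocks_count
    struct.pack_into("<I", img, SB_OFFSET + 24, 2)          # 1024 << 2 = 4096
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<II", img, SB_OFFSET + 92,
                     COMPAT_HAS_JOURNAL if journal else 0,
                     INCOMPAT_RECOVER if recover else 0)
    img[SB_OFFSET + 120:SB_OFFSET + 120 + len(label)] = label
    return bytes(img)
```

On a real dump only the first 2 KiB are needed, e.g. identify_ext(open(path, "rb").read(2048)) with path pointing at one of the .img files. If needs_recovery is set, mount the image with -o ro,loop,noload so the journal is not replayed into your copy.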

  11. Preamp Says:

    Hmm, easy enough. Didn’t think of that ;).

    Works like a charm. In case you want to replace the battery charging bitmaps, you have to replace them in /boot/bat/ and also /boot/bat/80×166/ simultaneously. Change only one of them and there won’t be no charging animation anymore.

    Here’s what my UART port looks like:
    http://preamp.org/dinge/hta1_uart_access.jpg

    Easy access for later ”updates” without having to open up that thing again. Not exactly weather proof anymore, but hey, something’s got to give…

  12. Per Jensen Says:

    I tried replacing the battery charging symbols but I kept bricking it by doing that. So you say if you replace both places it works? That’s unusual …

    I am waiting for my WiFi-module so I can enable permanent SSH-access 😀

  13. Preamp Says:

    Yes, I’ve replaced them both and now it works like a charm! Wondered why there was no animation at all anymore when I just replaced a single file in a single folder. Replaced that same file in the other directory, too, and it worked again. Now I have replaced all the files (in both dirs) with my own version.

    Good luck with that one! My board revision doesn’t have that option.

  14. Preamp Says:

    Here’s what I’ve found out about the software so far.

    The main program is called /work/app/ht-a1 and seems to contain everything compiled into that single file. The menu settings are stored in a file called /work/paras as simple hex values. The file is only 44 bytes long and I deciphered all the settings that you can choose with the menu and the arrow keys. While trying to find out what the other values do, I noticed that when some of them are set from 0x00 to 0x01 the software won’t load anymore. Deleting the paras file lets the software create a new one, so no problems here. Also it seems that some of the numerical values actually take up two or four bytes in the file, although a single byte would have been sufficient.

    This is what I’ve got so far:
    http://preamp.org/dinge/hta1_paras_file.png

    I wasn’t able to locate the menu icons or the color maps inside of the software file yet, gonna have to dig a little deeper. I ran across the english menu texts though, and they seem to be easily changed, as long as the original length stays the same. I have successfully changed the text “Power off” to “Geht aus.” for example. Another interesting thing I found were translations for the menu in Italian and German, but I was not able to set them with the according byte in the paras file.

  15. Per Jensen Says:

    Wow! – That’s so cool. I haven’t had the time (or interest) in digging in deeper yet, so amazing that you are doing that.
    Can you confirm if you have the same software version on your camera as mine? Mine is 2.1.13 – if not, we could compare boot log and see if they changed something.
    Geht aus!
    // Per.

  16. Preamp Says:

    Hehe, funny thing :). My software is 2.1.7, so a little older than yours. Turns out that I have found the German and Italian text in YOUR software – and in the menu there, too. I have now updated my software, thanks to your image files ;). And there’s actually another menu option to align the IR and VIS images on the screen, which was missing in my version altogether. Those settings are now saved in four additional bytes of the paras file, which makes it 48 bytes big.

    Looks like there’s not much more to discover here. I was able to find some references for several ”icon_xyz.c” in the sources, but I have no clue what kind of files that may be. A search for popular image file headers (bmp, png, jpg, gif, ico) found nothing. There are some bytes that look like a black-to-white color palette (0x01 0x01 0x01 0x00 0x02 0x02 0x02 0x00 0x03 0x03 0x03 0x00 and so on) but I could not find the ‘Iron’ and ‘Spectrum’ counterparts, so I guess that’s not for the IR images.
    Disassembly is not exactly my thing, but maybe it’s possible to utilize some of the other (driver?) files to make something from scratch…?
    Why didn’t they just write that thing in python? Or at least leave the sources somewhere on the device xD!
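The two searches described in comment 16, scanning a binary for image file headers and spotting the (n, n, n, 0) gray palette run, can be automated as follows. This is an added example, not code from the commenter; the sample blob is constructed, and min_entries is an arbitrary threshold chosen here.

```python
import struct

SIGNATURES = {                     # file magics searched for
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "bmp": b"BM",
}

def _plausible_bmp(blob, pos):
    # "BM" alone is far too common: require zero reserved words and sane offsets.
    if pos + 14 > len(blob):
        return False
    size, reserved, data_off = struct.unpack_from("<III", blob, pos + 2)
    return reserved == 0 and 14 < data_off < size <= len(blob) - pos

def scan_signatures(blob):
    """Return sorted (offset, kind) pairs for embedded image headers."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            if kind != "bmp" or _plausible_bmp(blob, pos):
                hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def find_gray_ramps(blob, min_entries=16):
    """Return (offset, first_value, entries) for runs of (n,n,n,0),(n+1,n+1,n+1,0),..."""
    hits, i = [], 0
    while i + 4 <= len(blob):
        first, count = blob[i], 0
        while first + count <= 255:
            v, j = first + count, i + 4 * count
            if blob[j:j + 4] != bytes((v, v, v, 0)):
                break
            count += 1
        if count >= min_entries:
            hits.append((i, first, count))
            i += 4 * count          # skip past the table just found
        else:
            i += 1
    return hits

def make_sample_blob():
    """Constructed input: filler, a 256-entry gray ramp, filler, a PNG magic."""
    ramp = b"".join(bytes((v, v, v, 0)) for v in range(256))
    return b"\xaa" * 37 + ramp + b"\xaa" * 3 + SIGNATURES["png"] + b"\xaa" * 8
```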

  17. Preamp Says:

    Not done yet!
    I have changed that color palette a little, it made no visible difference anywhere. But it seems I have actually found the icons, more by accident than anything else though. Maybe I’ll change the spot markers to something a little more unobtrusive…? Photographic proof will follow if I’m successful.

  18. Per Jensen Says:

    Cool!
    Please do a detailed writeup on how to do this. I’m not enough of a software hacker to figure this out myself at the moment 😀

  19. Preamp Says:

    Currently I’m trying to figure out in what file format those icons are stored. There’s some header information (including size of i.e. 24×24 pixels), a 4-bit palette for 16 colors and the raw pixel data, but it doesn’t fit bmp, pcx, ico, tga, … I even shifted that data around and fed every combination into ImageJ, but it didn’t like it.
    I’m too lazy to whip up my own converter, although that should be pretty straightforward.

  20. Preamp Says:

    Damn. The spot markers are drawn somewhere else, there’s only the spot marker icon from the menu. Not overly exciting, the menu doesn’t look too bad.
    I’d like to remove some of the clutter from the main display area, like the center spot temp reading, which is also displayed in the upper left corner. Seems that’s all text and lines hidden in the binary somewhere though :(.

  21. Preamp Says:

    Had a closer look at the color palettes in the output images to get a clue where to locate them in the software binary. Turns out that the slim palette bar graph displayed on the right edge is not a truthful representation of the colors used in the rest of the image! It’s not even full scale, especially around the hot end. The Black palette for example ranges from 0 to 255 in the actual image, while the bar graph only ranges from 8 to 223! That’s utter crap if you want to use an image manipulation program afterwards to determine the temperature of any given pixel – no problem with the grayscale palette, but impossible with the better looking spectra and iron palettes!

    Guess that’s where the cheap price comes from o_0 … I remember having used a Fluke once, which included the complete temperature map inside the EXIF of the output JPEG image file.

  22. Per Jensen Says:

    It would be awesome if the software could be modified to save two pictures at once – one in color and one in b/w – or save visual/thermal separate like the Flir cameras do.
