Hi, thank you all for the precious informations found in this thread, I’ve learned such a lot 
!
Does anyone know if the camera shown by AkaSJY75 (I own the same) can be unplugged from the board and then used with a raspberry pi for example, or any other SBC. Thank U
Has anyone managed to set the access point using a9-v720 on firmware version 202305091627.
I don’t see it attempting to connect after the reboot. Does it use WPA2?
I got two of these A9 cameras from temu.com for 3.7e per pop.
These are dated 20230829.
A9_B
V1.9_230615
BK7252. SPI flash chip is gone. TCK, TMS, TDI, VIO, CEN, VUSB. Also U1 TX and RX and U2 TX RX. According to the datasheet this chip has two UARTs. I do not see TDO. Perhaps they programmed this thing at factory using TCK, TMS and TDI
hi, please does anyone know how to download (backup) the firmware from the a9-mini-wi-fi-camera via UART, there is some software around, thanks
Beken BK72xx - LibreTiny looks like a start.
I found some sort of terminal at UART 2 at 115200 baud rate but it does not recognize any sensible commands, looks very stripped down probably because of limited flash. So UART1 seems for flashing UART2 debug terminal.
I think the way forward is to backup flash and just use the SDK. BTW, it is probably a good idea to remove the battery when testing so you do not short circuit too much stuff - these little batteries could catch fire if shorted. It seems to boot fine powering USB.
I used 0.3mm enameled solder-able copper wire for UART and epoxy to hold in place.
I was able to backup firmware with
bk7231tools read_flash original.bin -d /dev/ttyUSB0
Flash with app partition with
bk7231tools write_flash -s 0x11000 project/rtthread.bin -d /dev/ttyUSB0
But I get
[E/OTA] (ota_main:290) App verify failed! Need to recovery factory firmware.
To get the original firmware back in business I had to first
bk7231tools write_flash -S 0x11000 -s 0x11000 original.bin -d /dev/ttyUSB0
Then hold power button down(and keep pressing it) and toggle CEN down, then it starts flashing.
I guess the next question is why does not the rtthread.bin work at 0x11000 and is it a good idea to flash at 0x0 where the bootloader is. I can see the bootloader at 0x11000 in hexdump.
I obtained an A9 mini camera which has a chip that I have not seen mentioned here yet: TXW806-840
I wasn’t able to find a datasheet for this chip.
This chip is from TaiXin Semiconductor. taixin-semi com
Downloads are passwd protected:
https://www.taixin-semi.com/Product?prouctSubClass=50
I got that camera from here:
https://www.aliexpress.com/item/1005003801159363.html
The App that is mentioned to use is YsxLite
In AP mode the SSID I see is: BATC-503023-XLUXU
Some one pictures from the inside:
I also tried to connect a serial connection, but wasn’t able to get any response from the camera.
In my initial post I was only allowed one picture and two links.
So adding a few more here.
Chip information:
https://www.taixin-semi.com/Product/ProductDetail?productId=285
Also found this presentation of the product launch on 2022-05-23 with specifications of this chip (but seems to timeout now):
https://inf.news/ne/digital/59149f439b11a6b23ec779bab7208890.html
A picture of the PCB camera side:
1 Like
I bricked my doing
bk7231tools write_flash -B -s 0x0 bootloader_7252_2M_uart1_log_20190828.bin -d /dev/ttyUSB0
Writing 49784 bytes to 0x0
Erasing and writing at 0x200000 (0.00%)
Traceback (most recent call last):
...
Is there a way to unbrick/flash boot loader?
Try this sh*t: https://images.tuyacn.com/smart/Hardware_Developer/BekenHIDTool.zip
in chip type try to choose bk7221u.
It does not show up as USB device but reading documents and BK7252 section 8.10 in particular it states that programming mode is selected using JTAG_TCK, JTAG_TMS, JTAG_TDI and JTAG_TDO. I will try and see if poking these pins high/low at system start do something interesting.
I’ll hope you luck! But also in documents were “using of some SPI programmer”… and some “wi-fi programmer” at “SparrowOne”… We need “some initial” bootloader for this board or smth like this… for for load app layer of RTOS or RT-Thread or some… I am not a programmer, but its seems… sorry for bad Eng. Its not my first language…
I try what people have already done here. I own a camera with WF-A9-V3 on the PCB
I used TX-RX-GND with a USB serial adapter, but when I connect with tio it seems “buggy”, and without doing anything I get:
\ | /
- RT - Thread Operating System
/ | \ 3.1.0 build Aug 31 2021
2006 - 2018 Copyright by rt-thread team
sd check init-----
sd_check_init ok!
msh />y: command not found.
msh />msh />msh />msh />msh />sd: command not found.
msh />msh />msh />sd_check_init: command not found.
msh />msh />msh />msh />msh />msh />msh />msh />msh />ssid:7231u-test key:12345678
msh />msh />msh />
Does someone know what’s happening ? I cannot type any commands. Maybe I have done bad welding ?
Also, what are the purpose of pin D0, CEN, VIO ?
You need to program the bootloader BK7231 programming via SPI in flash memory mode - Python and Banana Pi and GitHub - openshwprojects/BK7231_SPI_Flasher: Simple command line BK7231 flashing tool for SPI mode (not UART) so that we can flash the app area with own code and it will run. There is no other way unless by some chance you have some dumb bootloader that accepts running any code at 0x11000 which I doubt you will. As far as I have understood there is no way to flash bootloader using UART1, there is no bootrom on BK7252 so if you try that like I did it will crash because it is overwriting the code it is running. As far as I have understood this is the way they initially program these chips at factory so the required pins to do this should be exposed on the PCB without needing to start soldering/pogo pinning pins at the BK7252.
msh terminal is useless if you look at beken7252-opencam/docs just a bunch of useless commands.
msh terminal not useless, many things can be done from it - from datasheet of RT-Tread - you can set up your own local OTA server and flash firmware from it. But our dear chineese programmers lock commands of msh (or hide them to scripts) so even “exit” command didn`t work.
Oh yeah! I finally brick it. In msh I run command “w_b exit” and it done… All stucks at boot.
I have no SPI or JTAG programmer, so I`m think it is final for me…
Orange Pi Zero 3 and Zero 2 W can be had for around 25 euro shipped and are suitable for running Home Assistant in supervised mode I believe also wink wink. I have had HA supervised on RK3318 H96 MAX tv box for a year now.
I tried to SPI program the thing using my Orange pi PC but I could not get /dev/spi* to appear - it looks like I have to upgrade OS on it to something more recent.
RT-Thread OS OTA upgrade has encryption features and signing. If the system is locked there is no way to get in without the authorization keys. Perhaps the keys are at the end of flash area where I saw my wifi password. That would mean it is feasible to run own code by flashing using UART but not OTA. Anyway, if you have to solder wires to get into the system, then why not just use orange pi and SPI instead of UART?
I don’t have any SPI or JTAG programmer, I am newbee and “repeater” (this is my hobby to do smthing with chips). And it is hard for me to get any Orange Pi to my location. I am only have USB-to-TTL on ft232rl. But thanks anyway. Also, maybe I try to rebuild ft232 to SPI to get some results…
I just found out that I have ftdi232rl in my collection of adapters. bk7231_spi_flasher.py is only 200 lines of code and it creation has been documented. Here is exchange I had with GPT https://chat.openai.com/c/a60720aa-02f0-4a84-9963-011c804743cb . Basically what is left to be done is merge these code blocks with bk7231_spi_flasher.py .
I always though aliexpress shipped globally at a flat rate. I hope you have access to a Linux system I could not imagine trying to hack into anything using windows just waste of time.
EDIT:
Actually GPT is making quite a bit of mistakes. Also ftdi232rl has no MPSSE so you cannot use any library. I am trying to figure out from the datasheet if this chip is usable or not. We need MISO as input MOSI as output, SCK as output, CS as output and yet another output to reset the chip. FT232H would be a much better choice but not so common.
EDIT2:
Here is code I came up so far: beken spi ftdi232rl - Pastebin.com
I could not find enough output pins on ftdi232rl so the only option is to either tie CS high or low from VIO or GND. I do not know if it is active high or low. For now it does not seem to be working I get somewhat random output from it but with CS tied low there is some consistency in the output. Who knows what the cause is at this early point.
I am happy to let you know that I have been able to set the chip to spi mode, check the flash id and read data from 0x11000 app area and the data I get from it matches what I know is there. First page of bootloader is gone, I have checked that. bk7252 ftdi232rl spi flash - Pastebin.com . This is still very finicky have to re-plug power and start my program like 10 times before it works. I am not sure yet if it is possible to make this more reliable.
@Bluscream I believe you and I have the same, or a very similar, camera. My UID starts with DGOD.
I have had some success using the script found here GitHub - datenstau/A9_PPPP: HDWiFiCam Pro (DGOA WiFi Prefix) JS-Api which was created by @datajam and posted to this forum about a year ago. (I just arrived here and have been trying to read through all posts to get up to speed).
The “speaker” module did not work on my mac, so I had to remove it from package.json. But then I got my device detected, and the video output stream properly presented on http://localhost:3000/.
If you’re like me a bit of a node.js noob, you can get this started by running npm install to install dependencies, and then node run.js.
As far as I can tell, the “A9 V720 Naxclow” repo that’s been doing the rounds in the posts for the last few months is not applicable to these cameras. The Naxclow cameras seem to have a simpler API that you can access if you can fool the cameras to access your computer instead of naxclow.com. Our cameras only use the “PPPP” or cs2_P2P protocol.
My camera uses an app called “vi365”. I downloaded the APK and started dissecting it. I found some interesting leads on how the camera is controlled from the app, using HTTP-like requests, apparently sent as PPPP packets. I’ll try to write down a gist with my findings at least, when I have cleaned them up enough so that I can understand them myself. 
Then I think basically all pieces are in place for actually making something that works with Home Assistant.
And, oh, also, see the recommendation about blocking the outgoing UDP port 32100 in your firewall from https://hacked.camera/.