News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Author Topic: Neo Coolcam Bricked, Need Help  (Read 7916 times)

  • No avatar
  • *
February 03, 2016, 08:00:38 pm
I bricked a Neo Coolcam, NIP-06OAM (outdoor), flashing a wrong firmware. I can not access the IP.

I need a help, to find the Jtag (serial) connections in the PCB.

I did some test, but without success to access the Bootloader. I used a USB to TTL converter, Putty terminal, Baud Rate : 115200, Data bits : 8, Stop bits : 1, Parity : None, Flow Control : None

Attached the PCB picture, I tried the points: J2, L3, Y2, and D1 (RX, TX, and ground)

I appreciate any help.

Thanks,

Marcos Lima

  • No avatar
  • *****
February 04, 2016, 02:37:08 am
AFAIR the serial Rx/Tx are the two unsused (free air) pins from the daughterboard.
gnd must be taken from obvious (bare copper "rectangle shaped strip" where shield should be soldered) gnd on daughterboard.

apart from J2 all points you tried were just unpopulated components
D=diode Y=crystal L=inductance
« Last Edit: February 04, 2016, 02:41:15 am by schufti »

  • No avatar
  • *
February 04, 2016, 01:25:44 pm
schufti,

Thank you very much for your reply, the daughterboard do not have unused pins. Under the Ralink processor board, don't have pins too.

The "D1" points, was the only place, my converter USB to TTL, the green led "DATA" stay ON.

I asked to Shenzhen support, for send me information, about the daughterboard, but they don't asnwer.

Regards,
Marcos Lima

  • No avatar
  • *
February 06, 2016, 10:04:53 pm
I found the mainboard specifications, and pinout details.

The mainboard number is TOP-AP01-38pin, see attached.

Regards,
Marcos Lima


  • No avatar
  • *****
February 08, 2016, 08:00:33 am
no, if you are able to count you'll see a difference of 4(2) pins.
The one in your document is called 38 pin (but only 36 are fitted).
Yours has 40 pins, whereas the base board only has 38 pins.
The two pins I reference are the ones at the end covered partly by the grey antenna cable.
additionaly the pcb in your document has different component layout...

but if your pcb has the two Rx/Tx points on the back too, lucky you!
« Last Edit: February 08, 2016, 08:35:45 am by schufti »

  • No avatar
  • *
February 09, 2016, 03:19:00 pm
schufti,

You are 100% right, thank you very much!

Finally I can connect the terminal to the PCB, but was different from some tutorial, I saw. I don't have the command "Esc" to access the bootloader, can you help me? See bellow what I had in the terminal:

U-Boot 1.1.3 (Dec 26 2012 - 17:31:39)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb4000
sysctl:40200300
spi_wait_nsec: 42
spi device id: ef 40 17 0 0 (40170000)
find flash: W25Q64BV
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
.============================================
Ralink UBoot Version: 3.5.3.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Dec 26 2012  Time:17:31:39
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 360 MHZ ####
 estimate memory size =32 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 0
   
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
.   Image Name:   Linux Kernel Image
   Created:      2012-11-21  14:21:50 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    4112320 Bytes =  3.9 MB
   Load Address: 80000000
   Entry Point:  802fb000
raspi_read: from:50040 len:3ebfc0
...............................................................   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802fb000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #655 Wed Nov 21 22:21:46 CST 2012

 The CPU feqenuce set to 360 MHz
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock5
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 40808000, status = 11000000
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 00057e40(360000)
CPU frequency 360.00 MHz
Using 180.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29212k/32768k available (2646k kernel code, 3556k reserved, 402k data, 124k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
deice id : ef 40 17 0 0 (40170000)
W25Q64BV(ef 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 8 MTD partitions on "raspi":
0x00000000-0x00800000 : "ALL"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00150000 : "Kernel"
0x00150000-0x00480000 : "RootFS"
0x00480000-0x00780000 : "sys"
0x00780000-0x00800000 : "param"
Load Ralink DFS Timer Module
RT3xxx EHCI/OHCI init.
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
gpiomode:404055 addr:b0000000 by zqh
gpiomode:404059 by zqh1
Ralink gpio driver initialized
Enable Ralink GDMA Controller Module
GDMA IP Version=2
i2cdrv_major = 218
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Ralink APSoC Hardware Watchdog Timer
Serial: 8250/16550 driver $Revision: 1.7 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
rdm_major = 254
Ralink APSoC Ethernet Driver Initilization. v2.1  256 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, weight = 32, Tx Ring = 256, Rx Ring = 256
MAC_ADRH -- : 0x00004433
MAC_ADRL -- : 0x4ca0fd8a
PROC INIT OK!
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.1
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Linux video capture interface: v2.00
 === SONiX UVC Like Driver(H264) Initial ===
usbcore: registered new interface driver uvcvideo
USB Video Class driver (v0.1.0_SONiX_v2.6.24.03)
block2mtd: version $Revision: 1.1.1.1 $
usbmon: debugfs is not available
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usb 1-1: new high speed USB device using rt3xxx-ehci and address 2
usb 1-1: configuration #1 chosen from 1 choice
uvcvideo: Found UVC 1.00 device USB 2.0 PC Camera (058f:3861)
uvcvideo: Failed to query (1) UVC control 1 (unit 4) : -145 (exp. 4).
uvcvideo: Failed to query (1) UVC control 1 (unit 3) : -32 (exp. 4).
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
Advanced Linux Sound Architecture Driver Version 1.0.14rc3 (Wed Mar 14 07:25:50 2007 UTC).
ALSA device list:
  No soundcards found.
nf_conntrack version 0.5.0 (256 buckets, 131072 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 124k freed
init started: BusyBox v1.12.1 (2012-11-21 22:17:05 CST)
starting pid 16, tty '': '/etc_ro/rcS'
Algorithmics/MIPS FPU Emulator v1.5
devpts: called with bogus options
mount: mounting none on /proc/bus/usb failed: No such file or directory
Welcome to
     _______  _______  ___     __  ____   _  _   ___
    |  ___  \|   __  ||   |   |__||    \ | || | /  /
    | |___| ||  |__| ||   |__  __ |     \| || |/  /
    |   _   /|   _   ||      ||  || |\     ||     \
    |__| \__\|__| |__||______||__||_| \____||_|\___\

                =System Architecture Department=

gpio open
ralink gpio release by zqh
clr gpio
/system/init/ipcam.sh: line 4: /system/system/bin/daemon.v5.12: Permission denied
starting pid 32, tty '/dev/ttyS1': '/bin/sh'


BusyBox v1.12.1 (2012-11-21 22:17:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# zqh socket fd=3
zqh bind(6666) address successful!
ie param ppid 35
zqh socket fd=3
zqh bind(6666) address successful!
ie param ppid 39


  • No avatar
  • *****
February 10, 2016, 03:15:56 am
Hi,
I think you just have to press "4" to access the bootloader commandline.

but I would try to access the running system frist. There should be a command shell open on the serial, so you should be able to check the network configuration ...

  • No avatar
  • *
February 10, 2016, 05:06:33 am
Hi,

I can access the boot command line pressing 4, bellow the help print:

4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Dec 26 2012 - 17:31:39)
RT5350 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
RT5350 #

Thanks

  • No avatar
  • *
February 10, 2016, 05:17:04 am
Hi,

If I live the systen to start, and send the command ifconfig, I can see the IP address.

# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

#

  • No avatar
  • *****
February 11, 2016, 02:53:58 am
hmmm, from the bootlog I would say that the ethernet is initialized but it is missing from the ifconfig listing. Did you have an ethernet cable attached during boot?

you'll have to search the forum for "ralink" to see if there is some info on how to flash firmware via bootloader on these models. I don't have firmware or info for them, just in general on embedded linux and hw.

  • No avatar
  • *
February 11, 2016, 05:17:42 am
Hi,
No I don't havê a eth cable during the boot. I will put a cable, and post here.
I have a equal câmara working, maybe I can copy, and past some parte of the firmware.
Thanks

  • No avatar
  • *
February 12, 2016, 10:37:55 am
Hi,

I received the firmware 81.2.0.157.bin, from Neo Coolcam, and flash it to the camera with TFTP transfer (Operation 2), but whem it restart, have a error Bad Magic Number,77696669, see bellow all the process.

Any idea, thanks.

2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.1.165) ==:192.168.1.165
        Input server IP (192.168.1.xxx) ==:192.168.1.xxx
        Input Linux Kernel filename (81.2.0.157.bin) ==:81.2.0.157.bin

 netboot_common, argc= 3

 NetTxPacket = 0x81FE5980

 KSEG1ADDR(NetTxPacket) = 0xA1FE5980

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 Header Payload scatter function is Disable !!

 ETH_STATE_ACTIVE!!
Using Eth0 (10/100-M) device
TFTP from server 192.168.1.xxx; our IP address is 192.168.1.165
Filename '81.2.0.157.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: *
ArpTimeoutCheck
T T T T Got ARP REPLY, set server/gtwy eth addr (50:b7:c3:6e:e5:ad)
Got it
#################################################################
         #######
done
Bytes transferred = 367412 (59b34 hex)
NetBootFileXferSize= 00059b34
raspi_erase_write: offs:50000, count:59b34
raspi_erase: offs:50000 len:50000
.....
raspi_write: to:50000 len:50000
.....
raspi_read: from:50000 len:10000
.raspi_read: from:60000 len:10000
.raspi_read: from:70000 len:10000
.raspi_read: from:80000 len:10000
.raspi_read: from:90000 len:10000
.raspi_read: from:a0000 len:10000
.raspi_erase: offs:a0000 len:10000
.
raspi_write: to:a0000 len:10000
.
raspi_read: from:a0000 len:10000
.Done!
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
.Bad Magic Number,77696669


U-Boot 1.1.3 (Dec 26 2012 - 17:31:39)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb4000
sysctl:40200300
spi_wait_nsec: 42
spi device id: ef 40 17 0 0 (40170000)
find flash: W25Q64BV
raspi_read: from:30000 len:1000
.raspi_read: from:30000 len:1000
.============================================
Ralink UBoot Version: 3.5.3.0
--------------------------------------------
ASIC 5350_MP (Port5<->None)
DRAM_CONF_FROM: Boot-Strapping
DRAM_TYPE: SDRAM
DRAM_SIZE: 256 Mbits
DRAM_WIDTH: 16 bits
DRAM_TOTAL_WIDTH: 16 bits
TOTAL_MEMORY_SIZE: 32 MBytes
Flash component: SPI Flash
Date:Dec 26 2012  Time:17:31:39
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 360 MHZ ####
 estimate memory size =32 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.                     0

3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40
.Bad Magic Number,77696669