Hacking the #16 HD Key cam

Some days ago I got a #16 HD Key  camera from eBay.

Today I took it apart while just being curious about the electronic inside. There was nothing new which I had not already seen on pictures. But some pads, obviously for testing caught my interest because they were labeled TX & RX next to a pad GND.

I couldn’t resist and took a quick measurement with an oscilloscope and there was data traffic during power up on the TX pad. Next I hooked up a TTL-to-RS232 converter connected to a PC with running terminal. Settings revealed as 115200Baud 8N1.

Key Cam #16 Serial Port

There seems to be a serial console available through this pads which is not only one way but also accepts commands. Some random input generated the message “bad command or invalid parameters” followed by a ‘>’ command prompt.

Following commands are found so far:

h   : display help message
?   : display help message
r 0xHex_Address [0xHex_Length]: read contents of memory
w 0xHex_Address 0xHex_Data : write data to memory
l [will not result in bad command respond, but has no output]
p [will not result in bad command respond, but has no output]
t [will not result in bad command respond, but has no output]

The ‘r’ command can be used to dump the memory content. It’s exploitable by buffer overflow, so do not read beyond address 0x001A4AC0. 🙄

The following output was seen during power up, short movie record followed by a power down.

NT
Part2OK
Loader AMBA Start ...
R
UnCompress
PL
R
AMBALoader SPI Loader v1.1S 01/06/2012 11:18:47
ERR: Define fixed memory pool 6 (tbl[2]) error [-33]
ERR: Define fixed memory pool 12 (tbl[8]) error [-33]
ERR: Flash Size = 0x200000
ERR: SysInit_GetPStoreSize: PStore size = 0x0004B000
LENS_M: Lens_Module_Init
ERR: CopyPartTwo: remain FW is compress part 1 size = 0x28000
ERR: compressed data size=1008972
ERR: decompressing...ERR: OK!
ERR: KeyADC_Init
ERR: 
ERR: GX buf=005e1860, size=307200;
ERR: GX win.w=320, win.h=240;
ERR: OSD1 buf=005bc060, size=00012c00
ERR: OSD1 buf.w=320, buf.h=240;
ERR: OSD1 win.w=320, win.h=240;
ERR: VDO2 buf=00652060, size=00025800
ERR: VDO2 buf.w=320, buf.h=240;
ERR: VDO2 win.w=320, win.h=240;
PS: PSO SYSP 
PS: PSC SYSP 
- SensorMode enter
ERR: Only support IPL_MODE_PREVIEW|IPL_MODE_VIDEO!
OnExe_MovieSize,uhSelect=0
ERR: MediaRecorder is not open, changing parameter fails...
ERR: MediaRecorder is not open, changing parameter fails...
ERR: MediaRecorder is not open, changing parameter fails...
ERR: MediaRecorder is not open, changing parameter fails...
ERR: MediaRecorder is not open, changing parameter fails...
- SensorMode enter
ERR: Only support IPL_MODE_PREVIEW|IPL_MODE_VIDEO!
ERR: MediaRecorder is not open, changing parameter fails...
ERR: OnExe_MovieCyclicRecTime: uiSelect 3
ERR: MediaRecorder is not open, changing parameter fails...
OnExe_MovieIRLed,uhSelect=1
ERR: motion uiSelect = 0
ERR: Movie Sound uiSelect = 0
ERR: OnExe_MovieGolfShot: uiSelect 0
ERR: OnExe_MovieFlashRec: uiSelect 0
PS: PSO CALD 
ERR: norps_ReadByBytes:Data Length error
PS: PSC CALD 
AAA_Adjust : 0,0 0
ERR: CAL_PassAdjustData
cal data : 0 0 0
ERR: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
ERR: Bootloader Info
ERR: BL Name     : LDMICDVR.BIN
ERR: FW Name     : FWMICDVR.BIN
ERR: BL Ver      : v1.1S
ERR: BL Date     : 01/06/2012
ERR: BL Time     : 11:18:47
ERR: DRAM Type   : DDRII
ERR: DRAM Size   : SIZE_64MB
ERR: Storage Int : SPIFlash
ERR: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
=============================================================
  Novatek NT96630
  Copyright (c) 2010 Novatek Microelectronic Corp.
  Kernel      ver: 2.01.002, build: Mar 08 2010, 20:09:42
  Driver      ver: 2.00.002, build: Nov 17 2011, 10:54:54
  Application ver: 2.00.002, build: Nov 17 2011, 10:53:03
  Project     ver: 1.00.000, build: 20090824
-------------------------------------------------------------
  Firmware    ver: MicroDVR mov 2012/01/17  v0.18
  Firmware  build: Jan 17 2012 19:56:28
=============================================================
> ERR: [SetFSStatus]0
ERR: Storage Card inserted!
ERR: AppInit_Close +++
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Usicd_Close
ERR: AppInit_Close ---
ERR: 
 error_code = 0ERR: 
 TestProtection : 0ERR: 
 error_code = 0ERR: 
 TestProtection : 0ERR: AppInit_Open(6) +++
FST_STA_OK!
ERR: [SetFSStatus]1
ERR: videoMax=0x43E0E, audioMax=0x6C9C
- Set2Preview enter
ERR: FlowPhoto_ImageCB: ALGMSG_PREVIEW
gImageAlgInfo.Vid_Resolution= 4
 9, 0, 10, 30 
ERR: _Prv_B_Status=(66)0 ,_Prv_W_Status=(65)0sensor init...
sensor init finished...
ERR: FlowPhoto_ImageCB: ALGMSG_PREVIEWSTABLE
- Set2Preview end
ERR: IPL chg mode from 0 to 3
ERR: B: 130>124gImageAlgInfo.FlashMode = 1
ERR: set Cutsec = 4200, realcutsec = 1800!
OnExe_MovieSize,uhSelect=0
- SensorMode enter
SensorMode CHG(VID) , from 4 to 4 
sensor mode and ratio are same with previous
ERR: FlowPhoto_ImageCB: ALGMSG_PREVIEWSTABLE
OnExe_MovieIRLed,uhSelect=1
ERR: motion uiSelect = 0
ERR: Movie Sound uiSelect = 0
ERR: Audio driver is not opened
ERR: OnExe_MovieGolfShot: uiSelect 0
ERR: OnExe_MovieFlashRec: uiSelect 0
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: UIFlowWndMovie_OnKeyShutter2
ERR: KEYSCAN RELEASED KEY SHUTTER2
ERR: UIFlowWndMovie_CheckRec 0,0
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: FlowPhoto_ImageCB: ALGMSG_VIDEO_RECORDING
ERR: IPL chg mode from 3 to 4
ERR: IME width = 1280, height = 720
aud = 0!!
MOV type NOT SUPPORT !!
MOV type NOT SUPPORT !!
MOV type NOT SUPPORT !!
TargetBitRate = 819200 Bps!
RCV1_I16P2
DD 1!
ERR: TIMER1SEC!
ERR: video 30 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [30][30]sec = 1!
ERR: continueW ok 0xb0000, 412 ms!
ERR: continueW ok 0x10000, 145 ms!
DD 1!
ERR: TIMER1SEC!
ERR: video 60 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [60][30]sec = 2!
ERR: continueW ok 0xc8000, 195 ms!
ERR: continueW ok 0x10000, 23 ms!
DD 1!
ERR: TIMER1SEC!
ERR: video 90 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [90][30]sec = 3!
ERR: continueW ok 0xd0000, 206 ms!
ERR: continueW ok 0x10000, 23 ms!
DD 1!
ERR: TIMER1SEC!
ERR: video 120 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [120][30]sec = 4!
ERR: continueW ok 0xd8000, 212 ms!
ERR: continueW ok 0x10000, 36 ms!
DD 1!
ERR: TIMER1SEC!
ERR: video 150 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [150][30]sec = 5!
ERR: continueW ok 0xd0000, 204 ms!
ERR: continueW ok 0x10000, 24 ms!
DD 1!
ERR: TIMER1SEC!
ERR: video 180 1SOK 30 !
ERR: VIDEO1Sok
DEE 0!
ERR: [180][30]sec = 6!
ERR: continueW ok 0xd0000, 201 ms!
ERR: continueW ok 0x10000, 27 ms!
ERR: UIFlowWndMovie_OnKeyShutter2
ERR: KEYSCAN RELEASED KEY SHUTTER2
ERR: UIFlowWndMovie_CheckRec 1,6
ERR: Stop Rec Avi, Save Avi File
ERR: media stop 
ERR: fs idle 
ERR: video STOP addr =0x3a988f4!!! 
FS ENDFILE!
FSCmd ENDfile!
update hdr vid=180!
ERR: 1=0x34196a0
ERR: 2=0x2389660
ERR: 3=0x26b7f08
ERR: headerLen=0xa69
ERR: mdatSize = 550028 
ERR: upHDR ok 643 ms!
ERR: MediaFS cmdok!
ERR: FS_CMDOK111!!
ERR: Change to preview!!
ERR: FlowPhoto_ImageCB: ALGMSG_PREVIEW
 9, 0, 10, 30 
ERR: ime_stateMachine check operation error!
ERR: ime_stateMachine : Status 2, Op 0!
ERR: IPL chg mode from 4 to 3
ERR: PreviewOK!!
ERR: Call Stop callback 1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: [GetFSStatus]1
ERR: Stop Rec-Avi Done 4200,1 cycle
ERR: *********KeyScan_PoweroffFlow 6,0
ERR: [GetFSStatus]1
ERR: AppInit_Close +++
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Ux_CloseWindow() WindowNumber 0
ERR: Usicd_Close
ERR: AppInit_Close ---
PS: PSO SYSP 
PS: PSC SYSP 
PS: PSO SYSP 
PS: PSC SYSP 
ERR: *…

10 thoughts on “Hacking the #16 HD Key cam

  1. Hello!
    Thanks for research!
    Could you please read memory from 005bc060 with size=00012c00?

    PS could you also send the result file to my email leprud@mail.ru
    Thanks in advance!

    • Ok I see:
      ERR: OSD1 buf=005bc060, size=00012c00
      ERR: OSD1 buf.w=320, buf.h=240;
      ERR: OSD1 win.w=320, win.h=240;

  2. Great work. Curious, did you see an analog video line (not the video out) from camera components? Would love to hack one into a dvr with a composite video input.

  3. Hi Michael! I am looking for a way to add a timer functionality to my 808 #16.

    For example the cam would start recording after 5 minutes from pushing the record button. Or other possibility – it would start recording 5 minutes after connecting the external power (808 #16 v3 has a functionality of record start after connecting usb power).

    Do you think this is doable with reverse engineering the firmware (downloadable here http://www.mytempfiles.info/nr16/).

    I am not a programmer nor am I an engineer, but I would really need this functionality.

    Thank you

    George

    • I don’t think so. Without ability to modify and compile a new firmware you cannot add any new features.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments will be moderated! Spam deleted immediately!
Before you submit form:
Human test by Not Captcha