Finding serial port on generic IP Camera PCB

Tags: camera, pcb, reverse-engineering, serial

The background story is that during a firmware update of a generic IP camera, with great wisdom, I managed to wipe part of the embedded Linux files, and in order to recover them, I need to access the bootloader through serial.

The PCB has no special identification, except for the strings "MP-3.4" and "1238" on the board itself.

Top view:
Generic IP Camera PCB top view picture

Bottom view:
Generic IP Camera PCB bottom view picture

First I looked for the J2 label, which from my understanding usually means a JTAG or serial port on this kind of generic camera.

My first suspicion fell upon the 4 connections at the top left corner of the top view:

top 4 connectors at the top left

I measured 3.3 V between the two adjacent right pins, but the two to the left did not provide any output, and the serial-to-USB adapter I am using remained silent.

I can identify all the chips on the board, as someone else with the same board described here, but could not find any schematics for it that would direct me to the Serial pins.

Do I have a better option other than brute forcing every pin that looks like it's not connected to any component? Is there some kind of best practice to follow when reversing such a board? Does anyone have any experience with this board?

Best Answer

Well, I'd start with the datasheet for the Ralink. It's clearly the controller in this system. You could look at its pin list, find the location of the serial or JTAG pins, and then search that corner of the chip on the board. It will take a lot of poking and measuring, but maybe you'll get lucky and their boot loader puts a message out at startup and you can see that on a scope.

Reverse engineering is an exercise in patience and trial and error, followed by more trial and error.

On the other hand, the Linux files are not stored in the Ralink but rather externally in a little flash part. The datasheet suggests it supports boot from SPI flash, so look up the other part numbers on the chips on your board and see if one is an SPI flash. You could then just pull it off and program it with a little programmer (they're not that expensive). That might be an easier path if you know what needs to be programmed in. Even better if you have another camera and you could just clone its flash.

It does mention NAND flash support, but I didn't see boot from NAND flash.
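
For the scope step the answer describes, a capture of a candidate pin can be checked in software: the shortest pulse gives the bit time, and decoding at that rate shows whether the pin carries readable 8N1 text. This is an added example, not part of the original answer; the function names, the 1 MHz sample rate and the waveform are constructed for illustration, and the method applies to any idle-high 8N1 line rather than to this board specifically.

```python
# Added example: the names, sample rate and waveform below are constructed.
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400]

def encode_8n1(data, baud, sample_rate):
    """Build a constructed idle-high 8N1 capture as a list of 0/1 samples."""
    bits = [1] * 20                                   # idle line before the first byte
    for byte in data:                                 # start bit, 8 data bits LSB first, stop bit
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    bits += [1] * 20                                  # idle line after the last byte
    total = len(bits) * sample_rate // baud
    return [bits[t * baud // sample_rate] for t in range(total)]

def estimate_baud(samples, sample_rate):
    """Take the shortest pulse as one bit time and snap to a standard rate."""
    runs, length = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            length += 1
        else:
            runs.append(length)
            length = 1
    if len(runs) < 2:
        return None                                   # flat line: nothing is transmitting here
    raw = sample_rate / min(runs[1:])                 # runs[0] is the leading idle period
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def decode_8n1(samples, sample_rate, baud):
    """Sample each bit at its centre; keep only frames with a high stop bit."""
    spb = sample_rate / baud                          # samples per bit
    out, i = bytearray(), 1
    while i < len(samples) - int(10 * spb):
        if samples[i - 1] == 1 and samples[i] == 0:   # falling edge: possible start bit
            bit = lambda k: samples[int(i + (k + 0.5) * spb)]
            if bit(9) == 1:                           # stop bit is high, frame is valid
                out.append(sum(bit(k + 1) << k for k in range(8)))
                i += int(9.5 * spb)                   # resume inside the stop bit
                continue
        i += 1
    return bytes(out)

if __name__ == "__main__":
    capture = encode_8n1(b"U-Boot", 115200, 1_000_000)   # constructed boot banner
    baud = estimate_baud(capture, 1_000_000)
    print(baud, decode_8n1(capture, 1_000_000, baud))
```

The estimate relies on the capture containing at least one single-bit pulse, which ASCII boot text normally provides; a pin that returns `None` or decodes to nothing printable at any standard rate is unlikely to be the transmit line.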