Bricked Mio MiVue 518 dashcam restoring

Updated 19.04.2019.

Well known that Russia is a land of car dashcams. :) So we have plenty of them here. And sometimes they breaks for some reason. This time we have bricked Mio MiVue 518 dashcam whose was incidentally "upgraded" by SD_CarDV.bin firmware from a different model. Since dashcam software doesn't care about is that firmware suitable for this device model or not, the device is ultimately bricked after flashing.

To unbrick device we should unsolder internal flash memory and write appropriate firmware dump to it. But at first, flash memory dump should be extracted from firmware upgrade file SD_CarDV.bin.

Opening of SD_CarDV.bin in file viewer makes clear that file format should be simple - firmware internal strings are readable so data is uncompressed. We only need to find where is end of header and start of dump data. This time we will use Linux command-line utility cmp to get byte-to-byte comparison of firmware upgrade files for two different dashcam models of same vendor:

$ cmp -l -n 1024 SD_CarDV.bin SD_CarDV.bin.568 
   9 115   0
  10 111   0
  11 117   0
  12 105   0
  13  67   0
  14  61   0
  15  65   0
  16  70   0
  17 345 336
  18 332 236
  19  40  74
  20  22 372
  21 355 323
  22 313 326
  23 317 312
  24 251 260
  25 142 317
  26 314 172
  27 132 102
  28 373 340
  29 142 303
  30 110 333
  31 173 326
  32 305  57

We could see that only first 32 bytes are different in first 1 kB of upgrade file (cmp command output enumerates bytes from 1). Looks like these 32 bytes are related to header, so let's strip it using dd command:

dd bs=32 skip=1 if=SD_CarDV.bin of=SD_CarDV.rom

Let's look to first 128 bytes of result using hex viewer:

$ xxd -l 128 -c 16 -g 1 SD_CarDV.rom 
0000000: 06 00 00 ea fe ff ff ea fe ff ff ea fe ff ff ea  ................
0000010: fe ff ff ea fe ff ff ea 20 ff 1f e5 fe ff ff ea  ........ .......
0000020: d3 f0 21 e3 b0 10 9f e5 01 d0 a0 e1 d2 f0 21 e3  ..!...........!.
0000030: a8 10 9f e5 01 d0 a0 e1 d1 f0 21 e3 a0 10 9f e5  ..........!.....
0000040: 01 d0 a0 e1 d7 f0 21 e3 98 10 9f e5 01 d0 a0 e1  ......!.........
0000050: db f0 21 e3 90 10 9f e5 01 d0 a0 e1 df f0 21 e3  ..!...........!.
0000060: 88 10 9f e5 01 d0 a0 e1 d3 f0 21 e3 80 0a a0 e3  ..........!.....
0000070: 11 1f 19 ee 00 10 81 e1 01 10 81 e3 11 1f 09 ee  ................

We could check the result by disassembling first bytes of dump data. This device is AIT8427-based, but vendor site doesn't provide any info about CPU architecture except it's "Embedded 32-bit CPU / 500MHz". But we could quickly try some popular architectures using ODA Online Disassembler:

Disassembled dump start data

Aha, it's ARM and first instruction is unconditional jump to initialization routine. Well, we got firmware dump for writing to internal flash, so it's time to unsolder flash memory chip:

W25Q64FV flash chip position on device board

Flash memory chip is marked with red, it's W25Q64FV with SPI interface, 64Mb size (8MB). We need SPI programmer to write firmware dump, but instead I used Raspberry Pi SBC with SPI interface available on its 26-pin header. This configuration is supported by well-known FlashRom utility. Only we need before writing is truncate dump length to flash memory size:

$ truncate --size 8M SD_CarDV.rom

Now connect flash memory chip to Raspberry Pi and start programming:

sudo ./flashrom -w SD_CarDV.rom -p linux_spi:dev=/dev/spidev0.0

Flash memory will be erased, written and verified. Now we should solder flash memory chip back to dashcam's PCB, power on device and check - it's working! :)

Updated 19.04.2019

For some (new) Mio dashcams (like MiVue 733) the firmware file looks slightly different. Startup sequence 06 00 00 ea fe ff... is placed at 0x2020, and at 0x20 we have something like this:

$ xxd -l 64 -c 16 -g 1 SD_CarDV.bin
00000000: 41 49 54 53 30 30 33 31 32 44 2e 31 31 34 33 20  AITS00312D.1143 
00000010: ac ae 2f d1 48 c8 d1 70 05 17 cd d2 24 da ef 3d  ../.H..p....$..=
00000020: 4d 43 52 32 01 00 00 40 0c 00 00 00 09 00 00 00  MCR2...@........
00000030: 02 00 00 00 64 6c 00 00 00 e0 11 00 01 00 00 00  ....dl..........

Despite it, a flash dump extraction steps remain the same - we just cut the first 32 bytes and flash the rest aligned to flash size. This difference probably caused by some changes in dashcam startup sequence with initial jump changed to 0x2000 instead of 0x0000.

Jan. 27, 2015

Categories: Electronics, How-To

Like! 301

Tags: Linux, Raspberry Pi, Hacking, Firmware

Comments

Feb. 15, 2017, 12:28 a.m.

Adrian

Hello, Could you send me (radek396@o2.pl)that .rom file to mail becuase I have the same problem. Please help !!!!
Feb. 15, 2017, 11:16 a.m.

avm

Hello Adrian, I sent you link to Mio MiVue 518 Europe version .rom archive, check your mailbox.
Feb. 15, 2017, 11:40 a.m.

Adrian

Hello Victor, Could you create te same rom for Mio MiVue 568 ??
Feb. 15, 2017, 11:42 a.m.

Adrian

Hello Victor, Could you create te same rom for Mio MiVue 568 Touch??
Feb. 15, 2017, 11:50 a.m.

Adrian

I have MiVue 568 Touch and I wanted unbrick it and I saw your site and I want to try the same method.
Feb. 15, 2017, 12:02 p.m.

avm

Adrian, for 568 please check this link: https://dl.dropboxusercontent.com/u/55396344/mio/568.01.09.14/SD_CarDV.rom Please note this is ROM image converted from russian 568 firmware, so it could probably start in Russian. :) Anyway, it could be updated to appropriate region using regular firmware update instructions from Mio support website.
Feb. 15, 2017, 12:33 p.m.

Adrian

Thanks a lot !!! If I will unbrick I will write. It is doesn't matter that is Russian rom.
Feb. 15, 2017, 5:17 p.m.

Pyzhov

Hello Adrian, I sent to your e-mail working dump Mio MiVue 568 Russian version
Feb. 20, 2017, 5:10 p.m.

Adrian

Ok, I dont have the same ARM curcuite. I have a diffirentt which I cant unsolder but I saw when I press reset and plug in USB cable Windows detect two device: SPI programmer and SD card reader. Do You know any tool for flash under Windows becuase I cant find it.
Feb. 20, 2017, 7:02 p.m.

Pyzhov

To Adrian. You can use the program Colibri for CH341A. The link in the post above.
March 8, 2017, 8:29 a.m.

игорь капранов

adrian/ Glad to help
Aug. 28, 2017, 1:43 a.m.

Pyzhov

pyzhov007@list.ru
Jan. 14, 2019, 5:33 p.m.

kamil_pl

someone has this file for mio 568 (it can be Russian) because the link above does not work. I am asking for help. if anyone has it, send it to life199@op.pl thanks!
Jan. 20, 2019, 9:43 p.m.

Rafael

Hello everyone. Please tell me form where I can download working OS update for mio 518.
Jan. 20, 2019, 9:46 p.m.

Rafael

Hello everyone. Please tell me form where I can download working OS update for mio 518.
Jan. 21, 2019, 12:58 a.m.

Pyzhov

Myo 518 is not the device that should be restored
Jan. 21, 2019, 1:02 a.m.

Pyzhov

The meaning of recover is Mio 536 and higher.
Jan. 24, 2019, 9:30 p.m.

kamil_pl

I've uploaded BIN to W25W128 but I have an English language, updated from the manufacturer (software update by SD) and still have English language. What to do to have a Polish language.
Sept. 5, 2019, 12:38 a.m.

bvj

http://4pda.ru/forum/index.php?showtopic=903345&st=0#entry87559528

Antonovich.me

Bricked Mio MiVue 518 dashcam restoring

Updated 19.04.2019

Comments