Still on the mystery SoC in the Chinese cam. I have no idea how to start figuring out the firmware on the SW side, so why not try on the HW side? Given that the flash is a standard 25c32-ish thing, why not stick a LA on it and see what the SoC reads? Turns out that is quite informative: the ROM in the thing loads the first 512 bytes, then two large chunks from other regions, presumably to run a CRC check on it. (If you corrupt the flash comms while reading that, the ROM will re-read a few times, then turn off the SoC.) Then it starts reading data in chunks of 4 bytes, like it's executing directly from uncached SPI. At some point, it presumably turns on cache, and most reads are 16 bytes at a time from then on. (Note that the trace mentions reads of 3 or 15 bytes at times; I need to check if that's a glitch in how I measure things or if the SoC actually does that.)
Trace here if you want to take a look:
http://meuk.spritesserver.nl/tmp/cam_boot_ok_flash_trace.csv
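
One way to summarise a trace like this by read size and pull out the odd 3- and 15-byte reads for a closer look. This is an added example, not part of the original post; the column layout (`time_us,addr,nbytes`, one row per decoded flash read) and the sample rows are assumptions constructed for illustration and may not match the linked CSV.

```python
import csv
import io
from collections import Counter

# Constructed sample, NOT the real trace. Assumed columns: one row per
# decoded SPI flash read, with start time, start address and byte count.
SAMPLE = """time_us,addr,nbytes
100,0x000000,512
900,0x010000,32768
9000,0x040000,65536
30000,0x000200,4
30010,0x000204,4
30020,0x000208,3
30030,0x00020c,4
31000,0x001000,16
31010,0x001010,15
31020,0x001020,16
"""

def load_reads(text):
    """Parse the CSV text into (time_us, addr, nbytes) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(int(r["time_us"]), int(r["addr"], 16), int(r["nbytes"]))
            for r in rows]

def size_histogram(reads):
    """Count how many reads of each length occur in the trace."""
    return Counter(n for _, _, n in reads)

def first_read_of_size(reads, size):
    """Time of the first read of the given length, or None.
    With size=16 this marks where burst-sized reads begin."""
    return next((t for t, _, n in reads if n == size), None)

def short_reads(reads, bursts=(4, 16)):
    """List reads that are one byte short of a burst size. The last field
    says whether the next read starts at the following burst boundary,
    i.e. the missing byte is not fetched again in the captured data."""
    found = []
    for i, (t, addr, n) in enumerate(reads):
        if n + 1 in bursts:
            nxt = reads[i + 1][1] if i + 1 < len(reads) else None
            found.append((t, addr, n, nxt == addr + n + 1))
    return found

if __name__ == "__main__":
    reads = load_reads(SAMPLE)
    print(dict(size_histogram(reads)), first_read_of_size(reads, 16))
    print(short_reads(reads))
```

The timestamps returned by `short_reads` give the places to inspect in the raw capture when checking whether the short reads come from the measurement or from the SoC.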