GoPro HERO5 Tear Down and Software Study
Posted by Mark Kirschenbaum on
Well, it lasted a whole week, but I had to pop the hood on the new GoPro HERO5 (Australia - Streaky MP) and see what makes it tick. Let's start with the hardware
GoPro completely apart. Note the cover is on with tape, and ultrasonically welded around the LCD no need for that hole, but its tough. The lens just twists off.
Components
| Ambarella A9SE7 | Dual Core Cortex ARM A9 with 4k Image processor |
| SONY IMX117 | Same sensor as GoPro HERO4 |
| MICRON MT29UZ4B8DZZHGPB-107 | Combo 4Gb NAND Flash + 8Gb Mobile LPDDR3 |
| AMS AS3716 | Power Management IC |
| ublox UBX-M8030 | M8 concurrent GNSS chips (GPS) |
| FocalTech 3306DMB | Touchcontroller |
| Qualcomm QCA9377 | 802.11ac & Bluetooth 4.1 |
| CONEXANT CX20812 | ADC |
| TI TPD13S523RSVR | HDMI PHY |
| Bosch BMI160 | Gyro Sensor |
| Sitronix ST7796s | 320RGBx480 dot 256K Color Display Driver |
| Sitronix ST7570 | COG 128x129 Front Panel LCD |
| ATMEL SAM D21E16A | Encryption - Identify Friend or Foe, HEROBUS driver |
| ATMEL ATSHA204A | On accessories to ensure authentic (i2c). Most likely on batteries too via 1-wire. |
Bottom Side of the GoPro HERO5.
The hardware for the most part is understandable. Ambarella A9se7 Processor (800mhz), 4Gb NAND, 8Gb of DDR3 (600mhz), Qualcomm for wireless, ublox for GPS, and AMS again for power monitoring and charging. Mechanically this thing is tough. The face is on there tight and the heatsink / mounting face appears to be made out of magnesium. The body is injected molded plastic. There are 3 mics with waterproof channels, and a speaker. The GPS antenna is located above the lens.
GoPro HERO5 GNSS module with antenna on back side
Encryption / DRM
The surprise is the Atmel SAM D21E16 part (Australia MCU) which is used for Identify Friend or Foe Challenges and to offload some of the smarts talking to HEROBUS (GCCB Protocol) devices. It also coordinates all the USB-C PD (power delivery controller) and USBC pin muxing. When an accessory is detected by communications over CC1, authentication is done to a ATSHA204A over i2c on the TX+/TX- pins. Once authorized, D-/D+ pairs, become their appropriate functionality. VCONN also remains active. We've done a through-all analysis on this encryption, but will keep it internally.
The first devices that use the new HEROBUS are GoPro Karma, a Spherical Camera solution, a display port dongle for the Session, and the Gantry (Pro 3.5 mic adapter). The MCU's bootloader and "app" are encrypted and they've code protected the device. It appears Atmel's appnote was followed so perhaps they used the default keys of C0DE or GoProGoPro....
X-ray of the GoPro HERO5 Motherboard
Update None-the-less, circumvention is possible, but will take some work. The Atmel D21 datasheet specifically warns of VDDANA BOD-(brown out detect) being on and expect it possible to glitch the fetching of the code protect bits during power on reset. In fact, if a SWD probe is connected, this BOD test is disabled so it may be possible to boot the MCU without code protection. When a datasheet warns this much, you know there is a hole.
Sure the Chinese are on it right now after GoPro Inc. left a carrot out on the third party batteries then swiped it away with the v.1.55 firmware release. That's a lot of inventory they have to throw away and sure they are not happy.
Speaking of which, the battery is also polled for an authentication response. 1-Wire communication is going on between these two, but we haven't looked into the protocol yet. Right now I believe it's just a, "are you there?" Just FYI the 4 lines leading up to the battery are BATT+, BATT-, Thermistor, one-wire comm.
UPDATE - GoPro HERO5 BLACK version 1.55 does test for authentic batteries and locks customer's out if the identify friend or foe is incorrect. I don't have any HERO5 third party batteries to test out, but it appears this test is done within the Atmel MCU and probably to a ATSHA204 via 1-wire.
The "HEROBUS" is now over USB-C via the PD (CC1:2) channel. Once the device is determined, it can enable I2C, SPI, USB, I2S etc. The USB-C debug accessory is not enabled so communication to the RTOS or Linux needs to be done slyly. Kirkwood (GoPro KARMA) uses MTP over USB to control the camera once the PD determines the Kirkwood via the Sentinel is inserted. Find out more on our GoPro HERO5 Interfaces article.
Fun facts: The fly controller on the KARMA is called Sentinel and the WiFi remote, running Android, is called Buckhorn. Stabilizer is Coyote. Karma Grip is Slingshot.
Licensed Software
FluentSoft SDK v3.15.4 - Voice Recognition
Adobe XMP - Metadata organization
Code Names
It's always fun to uncover the hardware code names. Here they are
| GoPro HERO5 Black | Australia - Streaky? |
| GoPro HERO5 Silver (Not Released) | Squirrels |
| GoPro HERO5 Session | Margaret River |
| GoPro Fusion | Superbank or Popoyo |
| GoPro HERO6 | Chones |
Calibration
Man there is a lot of calibration done on these things at the factory. Bad Pixels, Vignette, Gyro, Audio, White Balance, and Communication. Calibration is done via the pogo pins and is not accessible without a firmware mod.
Wireless
You probably didn't realize, but BLE (Bluetooh low energy) stays on after the camera has been powered off. Luckily, BLE takes almost no energy but the GoPro will shut down BLE after 8 hours. This low power connection allows your phone and controllers such as the REMO (Code named Sniper) to power on the camera without the drain of Wifi. Gone is the blinking blue LED, because honestly it doesn't matter anymore. As a note, most BLE devices last a couple years with a coin cell battery. According to Abe Kislevitz, after 8 hours BLE shuts off and the battery only drains 2%.
Communication Protocols
We've taken a look at the protocols which exist in the GoPro HERO5. Take a look at our GoPro HERO5 Interfaces
Futures
The "Spherical Camera" and third party "wired" devices will shortly be released. GoPro does not release their full API even to official developers so feel they will keep the multi-camera solutions in house and only allow wired solutions for those select application they choose. BLE is a super nice interface and we expect a few aftermarket BLE GoPro devices to ship.
It's apparent, with the lack of 3rd party solutions, that GoPro did not give their Developer Program any forewarning about the HERO5. Sounds like they got GoPro HERO5s in early October too.
Closing Remarks
We're honestly ticked with the Developer Program. All I can say is stay tuned. Nothing illegal with releasing an API (Google vs Oracle / Lexmark vs. Static Control). For the meanwhile here is our github GoPro HERO5 repo with some of the linux dumps. Listen up GoPro Inc.!
On December 14th 2016 GoPro provided their open source libraries used in the GoPro HERO5. It is located here: GoPro HERO5 Linux and GPL Libraries
LEGAL: This product and/or service is not affiliated with, endorsed by, or in any way associated with GoPro Inc. or its products and services. GoPro, HERO, and their respective logos are trademarks or registered trademarks of GoPro, Inc. HEROBUS and BACPAC are trademarks of GoPro Inc.
Share this post
- Tags: hacks
