Menu
Cart

GoPro HERO5 Tear Down and Software Study

Posted by Mark Kirschenbaum on

Well, it lasted a whole week, but I had to pop the hood on the new GoPro HERO5 (Australia - Streaky MP) and see what makes it tick. Let's start with the hardware

GoPro HERO5 Hack
GoPro completely apart. Note the cover is on with tape, and ultrasonically welded around the LCD no need for that hole, but its tough. The lens just twists off.

Components

Ambarella A9SE7 Dual Core Cortex ARM A9 with 4k Image processor
SONY IMX117 Same sensor as GoPro HERO4
MICRON MT29UZ4B8DZZHGPB-107 Combo 4Gb NAND Flash + 8Gb Mobile LPDDR3
AMS AS3716 Power Management IC
ublox UBX-M8030 M8 concurrent GNSS chips (GPS)
FocalTech 3306DMB  Touchcontroller
Qualcomm QCA9377 802.11ac & Bluetooth 4.1
CONEXANT CX20812 ADC
TI TPD13S523RSVR HDMI PHY
Bosch BMI160 Gyro Sensor
Sitronix ST7796s 320RGBx480 dot 256K Color Display Driver
Sitronix ST7570 COG 128x129 Front Panel LCD
ATMEL SAM D21E16A Encryption - Identify Friend or Foe, HEROBUS driver
ATMEL ATSHA204A On accessories to ensure authentic (i2c). Most likely on batteries too via 1-wire. 

 

GoPro HERO5 Teardown
Bottom Side of the GoPro HERO5.

The hardware for the most part is understandable. Ambarella A9se7 Processor (800mhz), 4Gb NAND, 8Gb of DDR3 (600mhz), Qualcomm for wireless, ublox for GPS, and AMS again for power monitoring and charging. Mechanically this thing is tough. The face is on there tight and the heatsink / mounting face appears to be made out of magnesium. The body is injected molded plastic. There are 3 mics with waterproof channels, and a speaker. The GPS antenna is located above the lens. 

GoPro HERO5 GPS Antenna
GoPro HERO5 GNSS module with antenna on back side 

Encryption / DRM

The surprise is the Atmel SAM D21E16 part (Australia MCU) which is used for Identify Friend or Foe Challenges and to offload some of the smarts talking to HEROBUS (GCCB Protocol) devices. It also coordinates all the USB-C PD (power delivery controller) and USBC pin muxing. When an accessory is detected by communications over CC1, authentication is done to a ATSHA204A over i2c on the TX+/TX- pins. Once authorized, D-/D+ pairs, become their appropriate functionality. VCONN also remains active. We've done a through-all analysis on  this encryption, but will keep it internally.  

The first devices that use the new HEROBUS are GoPro Karma, a Spherical Camera solution, a display port dongle for the Session, and the Gantry (Pro 3.5 mic adapter). The MCU's bootloader and "app" are encrypted and they've code protected the device. It appears Atmel's appnote was followed so perhaps they used the default keys of C0DE or GoProGoPro....

GoPro HERO5 Xray
X-ray of the GoPro HERO5 Motherboard

Update None-the-less, circumvention is possible, but will take some work. The Atmel D21 datasheet specifically warns of VDDANA BOD-(brown out detect) being on and expect it possible to glitch the fetching of the code protect bits during power on reset. In fact, if a SWD probe is connected, this BOD test is disabled so it may be possible to boot the MCU without code protection. When a datasheet warns this much, you know there is a hole. 

Sure the Chinese are on it right now after GoPro Inc. left a carrot out on the third party batteries then swiped it away with the v.1.55 firmware release. That's a lot of inventory they have to throw away and sure they are not happy.

GoPro HERO5 Circuit Board

Speaking of which, the battery is also polled for an authentication response. 1-Wire communication is going on between these two, but we haven't looked into the protocol yet. Right now I believe it's just a, "are you there?" Just FYI the 4 lines leading up to the battery are BATT+, BATT-, Thermistor, one-wire comm.

UPDATE - GoPro HERO5 BLACK version 1.55 does test for authentic batteries and locks customer's out if the identify friend or foe is incorrect. I don't have any HERO5 third party batteries to test out, but it appears this test is done within the Atmel MCU and probably to a ATSHA204 via 1-wire.  

HERO5 USBC connector pinout

The "HEROBUS" is now over USB-C via the PD (CC1:2) channel. Once the device is determined, it can enable I2C, SPI, USB, I2S etc. The USB-C debug accessory is not enabled so communication to the RTOS or Linux needs to be done slyly. Kirkwood (GoPro KARMA) uses MTP over USB to control the camera once the PD determines the Kirkwood via the Sentinel is inserted. Find out more on our GoPro HERO5 Interfaces article.

Fun facts: The fly controller on the KARMA is called Sentinel and the WiFi remote, running Android, is called Buckhorn. Stabilizer is Coyote.

Licensed Software

FluentSoft SDK v3.15.4 - Voice Recognition
Adobe XMP - Metadata organization

Code Names

It's always fun to uncover the hardware code names. Here they are 

GoPro HERO5 Black Australia - Streaky?
GoPro HERO5 Silver (Not Released) Squirrels
GoPro HERO5 Session Margaret River
GoPro HERO5 Superbank (Not Released) Superbank 


Calibration

Man there is a lot of calibration done on these things at the factory. Bad Pixels, Vignette, Gyro, Audio, White Balance, and Communication. Calibration is done via the pogo pins and is not accessible without a firmware mod. 

Wireless

You probably didn't realize, but BLE (Bluetooh low energy) stays on after the camera has been powered off. Luckily, BLE takes almost no energy but the GoPro will shut down BLE after 8 hours. This low power connection allows your phone and controllers such as the REMO (Code named Sniper) to power on the camera without the drain of Wifi. Gone is the blinking blue LED, because honestly it doesn't matter anymore. As a note, most BLE devices last a couple years with a coin cell battery. According to Abe Kislevitz, after 8 hours BLE shuts off and the battery only drains 2%. 

Communication Protocols

We've taken a look at the protocols which exist in the GoPro HERO5. Take a look at our GoPro HERO5 Interfaces

Futures

The "Spherical Camera" and third party "wired" devices will shortly be released. GoPro does not release their full API even to official developers so feel they will keep the multi-camera solutions in house and only allow wired solutions for those select application they choose. BLE is a super nice interface and we expect a few aftermarket BLE GoPro devices to ship.

It's apparent, with the lack of 3rd party solutions, that GoPro did not give their Developer Program any forewarning about the HERO5. Sounds like they got GoPro HERO5s in early October too. 

Closing Remarks

We're honestly ticked with the Developer Program. All I can say is stay tuned. Nothing illegal with releasing an API (Google vs Oracle / Lexmark vs. Static Control). For the meanwhile here is our github GoPro HERO5 repo with some of the linux dumps. Listen up GoPro Inc.!

On December 14th 2016 GoPro provided their open source libraries used in the GoPro HERO5. It is located here: GoPro HERO5 Linux and GPL Libraries

LEGAL: This product and/or service is not affiliated with, endorsed by, or in any way associated with GoPro Inc. or its products and services. GoPro, HERO, and their respective logos are trademarks or registered trademarks of GoPro, Inc. HEROBUS and BACPAC are trademarks of GoPro Inc.

Hypoxic Products


Share this post



← Older Post Newer Post →