Menu
Cart

GoPro HERO7 Silver & GoPro HERO7 White Research

Posted by Mark Kirschenbaum on

The GoPro HERO7 White & Silver are completely different beasts from previous GoPro cameras. Based upon yet another image processor, Qualcomm Snapdragon 624, the architecture is a Qualcomm Snapdragon reference design with the GoPro application layer. Here is a quick psuedo-teardown of the GoPro HERO7 White & Silver. 

Hardware Name Tasmania perhaps originally named Popoyo

 Product name Code Name Cam ID
GoPro HERO7 White Boomer H18.02
GoPro HERO7 Silver Badger H18.03


Design Wins

Processor

Qualcomm APQ8053 Snapdragon 624: Octa-Core, 8x ARM Cortex A53 Up To 1.80 GHz. 

APQ8053-Lite GoPro HERO7 White = Vision Intelligence 100
APQ8053-Pro GoPro HERO7 Silver = Vision Intelligence 200

Qualcomm Press Release

Sensor Sony IMX458
OS Linux/arm 3.18.71 Android
Audio Qualcomm WCD9310
Gyro Bosch BMI160160 (Silver Only?)
GNSS Ublox_M8030 (Silver Only?)
PMIC Qulacomm PM8953
Connectivity

Built In: Bluetooth 4.2 + BLE, 802.11a/b/g/n/ac (2.4/5 GHz) Wi-Fi

Memory LPDDR3
eMMC Size & vendor unknown
Apple MFI Connectivity to Apple devices

Takeaways

  1. Completely Linux Android based code. The software that used to run on the RTOS is now a binary that runs in linux called gpcam.
  2. Silver and White revisions run the same code base. There is a single resistor value read that determines the camera model. I'm unsure if the GPS Antenna & module are installed on the White revision. 

Further Testing

Conversion

Theoretical: Hard code "drv_get_prod_id" to return '0' for a White revision to work as a Silver. Seems White version has a "lite" processor so perhaps this will not work. With that said, since GoPro is worried about inventory, they possibly have the same motherboard for both cameras. In the future, dependent upon sales, they could cost reduce the white to the "slower" processor. It's doubtful, but a possibility. 

Root Access

gpcam looks for test commands on /tmp/t_cmd_sock. Luckily a test app at /usr/bin/t interfaces to this socket. Using one of the numerous shell vulnerabilities* that remain from previous GoPro revisions, a user can do something like this to enable ADB over USB:

/usr/bin/t 't frw usb set_usb_class' 

Not sure if the second t is needed yet but debugging can still be done to the alias /tmp/fuse_d  or /mnt/sdcard 

With that said /mnt/gopro has many nifty possible keys. 

ADB over USB should give you root access to the camera where you can test what happens with a modified gpcam binary. gpcam logs to the ADB logging subsystem. 

More Information

Hypoxic HERO7 Github Repo
*
 There is no contact to disclose vulnerabilities to GoPro. 


Share this post



← Older Post

Hypoxic Products