Tuesday, August 15, 2017

A look inside the Samsung S7 camera implementation

This post is less of a guide and more of a collection of thoughts. It assumes some Java and camera operation knowledge.

My S7 has become my main camera since it handles low-light, uploading, water and time zones very well. It does have a few big weakness though, oversharpening being one of them and over-confidence the other. By over-confidence I mean it will gladly lower the shutter speed to 1/4s, thinking OIS will take care of the shake. It can't.

The Samsung camera app on Android Nougat has shed a lot of features in exchange of user-friendliness. Gone are the sharpness controls, OIS cannot be disabled, RAW mode is available only in the "Pro" camera mode. Quite a lot of artificial limitations which third-party apps don't seem to bring back.


To analyze the application we need to take a look at some binaries: SamsungCamera6.apk, semcamera.jar and seccamera.jar. There are some other binaries but they are written in native C (libcamera_client.so) or even for FPGA (e.g. fimc_is_fw2_2l1.bin).

For taking a look inside the jars I'm using dex-tools 2.1, jd-gui 1.4.0 and Eclipse. The classes.dex file is extracted from each app, sent to dex2jar, imported into jd-gui and saved as a zip collection of .java files, then imported into an Eclipse project. There's probably a better workflow for this.

From those various jar files a structure emerges: SemCamera is the bridge between the native camera binary and Android/Java.
FaceAreaManager seems to take care of face detection, HRMSensorFusion enables use of the HR sensor to take selfies.

The camera modes are defined inside the application, even though they need to be downloaded in order to be used:

Interestingly enough, there are a few camera modes which do not have an equivalent app in the Samsung App Store: Antifog, BurstPanorama, Night / NightScene, ProductSearch, ProLite, RichTone, TagShot.

Antifog might be targeted towards the Asian market, as a mode that reduces smog smear. Night might be a sub-mode for the Auto. ProLite might be a Pro implementation for phones with less features (Samsung A7). RichTone might be a sub-mode for Auto+HDR.

I find it both curious and disturbing that features are being hidden from the user at the cost of a "purchase". Not sure if the idea was to monetize camera modes or to simplify camera usage. A simple checkbox list would've sufficed.

Saturday, August 5, 2017

Failed project - WiFi to InfraRed to Coffee

In one of my most-viewed articles, from quite a few years ago, I've teared down a Saeco Talea Coffee machine and noticed a strange protrusion on top. I assumed it was an IrDa transceiver, then thought that maybe it was a coffee cup detector.

It indeed turned out to be an infrared port.

Armed with this knowledge - and some time to kill - I've decided to try and talk to the machine, wirelessly.
While it might sound easy, there are many steps involved: get hold of the service tool application, reverse engineer (RE) it, RE the service dongle, RE the machine protocol, write an IrDa implementation for Arduino, write the web app to serve the page - and coffee.

Step 1 - .NET reverse engineering

Ever since I've discovered JetBrains' DotPeek, my life has been changed. I don't know C#, in fact I barely know C, but I can pretend to be a .NET developer.
After getting hold of the SSC2 application (that's another topic in itself) we can try to see how it can talk to the machine.

The baud rate for talking to the serial tool is 19200, for my machine. Since the baud rate is different for other machines, I could make an educated guess and assume that the serial tool is just a transparent proxy between a USB to serial converter and either IR or RS232.
The serial protocol is 8N1 - 8 bits, no parity, 1 start and 1 stop bit - pretty standard.

Let's see what we can speak:

The program sends the "(MA)\r\n" command on a button press.
Let's see where Button17 is declared.

That button has a text called "BU up", which in slang means "Move brew unit to the upper position".

Similarly, we can find a pretty long list of commands that can be sent.

For convenience, here's a shortened version: (COMM), (MA), (MB), (GA), (TEST), (CONF), ERASE, S0, S1, (GB), (PA), (TA), (TB), (TC), (TD), (EXIT), (TEST).

Here's a interesting one
      this.Button4.TabIndex = 11;
      this.Button4.Text = "make Espresso";
      this.Button4.UseVisualStyleBackColor = true;
It just sends "(EXIT)" :)

Tuesday, August 1, 2017

Aggregated updates August 2017

I haven't had much time to write full articles but I can go through a quick rundown until I tackle each subject:

CTC 3D Dual (Bizer) Printer

Will create a separate article about the mods and results.

I've re-tightened all the screws and tried to take out the backlash of the Z carrier. This has improved the jagged edges a bit and also reduced the noise.

I made a small DIY enclosure: A4 plastic sheet on one side, the glass from a picture frame in the front, the particle wood panel from that frame in the other side. The glass frame was affixed with some 3D printed clamps as well as a modified Tic-Tac box.
On the top of the printer I've cut some Ikea Schottis blinds (3$) that fold with the moving head. I found out afterwards that I'm not the first one to do this: https://ultimaker.com/en/community/9484-umo-dust-cover

I've cut a few pieces of 2.5-3mm glass to the bed dimensions. Rather, I've had a glass manufacturing company cut them for me (<10$). Then from the remains of another Tic-Tac box some springy corners were created that keep the glass in place. This allows the glass to be easily removed and replaced with great repeatability.

With the covers in place the printer gets warmer quicker and ABS can finally be printed, though still a bit fiddly. It also reduces dust a lot.

Some nice LED lights were also added, allowing to take better pictures of the things.

Lenovo Thinkpad Backlight control

I've partially reverse-engineered the Win10 app that controls the keyboard backlight and now I have a Macbook-like backlight behavior on my X230. Source code and binaries will be published as soon as I clean them up, there is already an alpha version available for testing. I've been using that for at least a month and it's been running great.

Saeco infrared port

The mystery part on my Saeco Saleo teardown article was indeed an IrDa transceiver. I thought that it was just a coffee cup sensor, to keep the cup warm. I've reverse engineered the Saeco Service Center tool (SSC) and figured out how to talk to the machine - in theory - including how the checksum is calculated.
I've seen a few pictures of the service unit and it looks to be just a USB to UART to IrDa converter. Hopefully.
The next step would be to build an ESP8266 Wifi-to-IrDa converter. I've read a bit on the IrDa SIR protocol and it looks manageable, even without interrupts, there are quire large tolerances specified.
I think that, with the ESP8266 build, the SSC tool should be able to directly talk to the coffee machine

Automotive-type projects

The DieselBooster is still in tests, the fuel savings are quite a lot lower than anticipated, but still tangible. I've had nobody contact me about publishing the latest sources, so I've delayed that.

I've designed a module that allows a 3S LiPo battery to be left in parallel with the lead-acid ones, especially for motorcycle use. It will boost the voltage on cranking, allow it to be recharged up to 12.4V and generally keep the LiPo safe from overcharge and discharge. I will still need to build the project and test it, but it looks fine so far.

I've built a module that interfaces with Hall speed sensors on motorcycle/scooter wheels. These become weak over time (either the transistors or the magnets, not sure), but it's basically a hysteretic comparator.

At least on my bike, the sensor and cable comes in a single piece and costs 140 EUR second-hand. The module above can be built for ~1$.


I've been meaning to do a test of low-cost batteries for a while now. But, for my German readers, the gist is: Varta, Eneloop, Energizer- they all have their rated capacities or more. Ja! - very close, for a quarter of the price. Lidl/Aldi - junk.
I read all these German reviews that the Lidl/Aldi batteries are being developed by Varta. They very well may be, but the capacity is less than half, shrinking to under a quarter under load (0.5A).
Haven't tested the IKEA batteries yet.
As a price breakdown: you can buy the 4-pack AA Energizer at Rewe for ~6E or more, the Ja! batteries are 1.59E. I've tested the Ja! AA batteries to provide at least 1800mAh under small load compared to 2500 for the Energizer.
Here's a snapshot from a work-in-progress: