Wifi Spy Camera

Wifi-Camera Firmware

Firmware was extracted successfully from the SPI chip using a TNM5000 flash programmer, and also using a CH341 clone. The chip was also successfully rewritten using the TNM5000 (after a config change made with the Android app rendered the device inoperable).
It is noted that the SPI flash chip is rated at 3.3 V, but running the chip reader at 3.3 V provides enough power to activate the SoC. It was found (by accident) that applying 1.8 V is adequate to read/write the SPI flash while the SoC remains inactive.
The Nantronics N25S80 profile in Linux flashrom was found to be adequate to read the chip with the CH341 (although it required the --force parameter to override flashrom's chip checking, hence programming with this profile is not possible):
$ flashrom --programmer ch341a_spi -c N25S80 -r firmwarefile.bin -f

The flash appears to hold three blocks: the first two have remained static across reads and testing, while the third appears to contain the configuration. Blocks are padded with repeating 0xFF.

Start Address | End Address | Content Guess?
--------------|-------------|---------------
0x00000 | 0x416E | Kernel/Bootloader? Has an ASCII string near the start (AC791N_STORY) that corresponds to a SoC with the same physical characteristics and manufacturer as the SoC onboard. The block appears to end with a list of hardware parameters (in ASCII).
0x5000 | 0xC29C6 | Unclear: no obvious ASCII strings; suspected main program code.
0xC5000 (later 0xC3000) | Variable | Config block with identifiable parameters in ASCII, including known passwords in clear text: Wifi SSID (Video0_ZT953K), Device ID (ZT953KTTYHST3W1L111A), Device Password (hk123456).

Config Block

The base address of the config block shifted (0xC5000 initially, 0xC3000 later) after setting a device password using the mobile app.
It is also observed that "saving" the config sometimes appends a new section rather than overwriting the existing one; hence the user-set password (fixthispass1) was still observed after resetting it to the default. The highlighted section in the block below is the config following the password reset using the mobile app. Also note, at 0xC3F42, the "ss1" after the default password, which appears to be the tail of the custom password that was overrun (suggesting fixed-size buffers are allocated and overwritten in RAM, then copied to flash).
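To make the flash-layout and config-block observations above repeatable on a dump, here is an added analysis helper (example code, not part of the original write-up). It splits an image into blocks at runs of 0xFF padding, pulls printable strings from a block, and then checks for a previously known credential that survived a reset and for a short suffix of it left behind by a shorter overwrite. The image bytes, the key=value layout and the block sizes are constructed for the example and are not the real dump.

```python
import re
from typing import List, Tuple

# Constructed sample image (not a real dump): three data blocks, each followed
# by 0xFF padding, mimicking the layout described above. The config region
# holds a stale user section plus an appended default section whose password
# was written over the longer custom one, leaving a "ss1" tail after the NUL.
PAD = b"\xff" * 32
BOOT = b"\x00\x10AC791N_STORY\x00" + bytes(range(1, 32)) + b"hw:uart=1,spi=3v3\x00"
MAIN = bytes((i * 73 + 5) & 0xFF for i in range(300))  # opaque, no printable runs
CONFIG = (b"ssid=Video0_ZT953K\x00id=ZT953KTTYHST3W1L111A\x00pass=fixthispass1\x00"
          + b"\x00" * 8 + b"ssid=Video0_ZT953K\x00pass=hk123456\x00ss1\x00")
IMAGE = BOOT + PAD + MAIN + PAD + CONFIG + PAD


def find_blocks(img: bytes, min_pad: int = 16) -> List[Tuple[int, int]]:
    """Inclusive (start, end) offsets of every data block, where a block is
    whatever lies between runs of at least min_pad consecutive 0xFF bytes."""
    blocks, pos = [], 0
    for pad in re.finditer(rb"\xff{%d,}" % min_pad, img):
        if pad.start() > pos:
            blocks.append((pos, pad.start() - 1))
        pos = pad.end()
    if pos < len(img):
        blocks.append((pos, len(img) - 1))
    return blocks


def ascii_strings(data: bytes, min_len: int = 3) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, in file order."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def stale_secrets(strings: List[str], known: List[str]) -> List[str]:
    """Known credentials (e.g. a password the user has since reset) that are
    still readable anywhere in the extracted strings."""
    return [k for k in known if any(k in s for s in strings)]


def overrun_residue(strings: List[str], old_secret: str) -> List[str]:
    """Strings that are a proper suffix of an older, longer secret: the tail
    left in a fixed-size buffer after a shorter value overwrote its start."""
    return [s for s in strings if s != old_secret and old_secret.endswith(s)]


if __name__ == "__main__":
    blocks = find_blocks(IMAGE)
    print(["0x%05X-0x%05X" % b for b in blocks])
    cfg = ascii_strings(IMAGE[blocks[2][0]:blocks[2][1] + 1])
    print(cfg, stale_secrets(cfg, ["fixthispass1"]), overrun_residue(cfg, "fixthispass1"))
```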

SOC identification

Searching for the string AC791BN_STORY provides links to the JieliTech GitHub site, which details their AC79 series IoT chips (although much of the documentation is in Chinese; Google Translate works to a degree).

Referring to this data sheet and following the circuit traces shows reasonable correlation between the pinout and the connected devices (including USB, antenna, VCC/GND and mic) and the AC7911B data sheet linked above. The company logo also matches the logo screen-printed on the chip (although the printed chip ID doesn't match the datasheet).