Thursday, July 9, 2020

Reverse engineering of a Philips PTA317 SmartTV Skype Camera Part 1

Some time ago I bought a camera to use Skype on my Philips SmartTV. The SmartTV is crap, as well as Skype on it. Later Skype for SmartTVs was discontinued anyway, and I threw the camera in the junk box.
The camera actually looks to be good. It is a PTA317 model.
Now, with the home office policy at my job and the increased need for remote meetings, I looked in the junk bin and decided to give this camera a try on my Windows PC. To my surprise, it didn't work "out of the box".
The device is recognized by the OS with USB VID and PID 0471:2127, Device Class 0xFF.
The camera's activity LED stays always on.

I decided to open the camera to see what's inside. It is powered by a (Geo Semiconductor or Maxim) MAX64380 chipset. An Internet search showed this is a dedicated chip for H.264 video encoding, and it should appear as a UVC video device.

My first guess was that the TV's embedded system somehow sends a command to the camera so that it turns itself into a UVC device. I took a Saleae logic analyzer to sniff the USB bus while I connected the camera to the TV's USB port. I had to plug it in through a USB 1.1 hub so the Saleae software would be able to decode the USB protocol. Indeed, after exchanging some data, the camera resets itself and appears again as a proper UVC video device, with VID and PID 0471:2128. Also, the LED turns off after some seconds. Bingo!

After analysing the traffic, it became clear that it was not just a single command. Given the amount of data transferred from the TV to the camera, my current hypothesis is that the camera does not have firmware at all, and it is transferred when the camera is connected to the TV. I took two USB dumps to compare and make sure the TV always sends the same data.
Since the dump also captures the handshakes, it was not easy to compare them, because sometimes a USB packet is NAKed and the host must retransmit it.
To make my life easier, first to compare both dumps and make sure the same data is sent, and after that to be able to write a driver or application to "activate" the camera on my PC, I wrote a small program to interpret the dump and recreate the USB packets in a standard way. The code for this application will be available on my GitHub in the near future. You can also find all the dumps and processed files there.

Running both dumps through the application showed identical data in both. This sounds like a success, at least for now.
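The normalisation step described above (drop NAKed packets, keep only the data the device accepted, then compare the two captures), as an added example that is not the author's program. The one-packet-per-line text format, the function names and the sample bytes are constructed for illustration and are not the Saleae export format.

```python
# Added example: normalise two low-level USB captures so they can be compared.
# Input format (constructed for this sketch): one decoded packet per line,
# "<PID> [addr endpoint]" for tokens, "<PID> [hex payload]" for data packets.

HOST_TO_DEVICE = {"SETUP", "OUT"}
DATA_PIDS = {"DATA0", "DATA1"}


def acked_transfers(lines):
    """Return [(token, addr, endpoint, payload)] for ACKed SETUP/OUT transactions."""
    result = []
    token = payload = None
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        pid = fields[0].upper()
        if pid in HOST_TO_DEVICE:
            token, payload = (pid, int(fields[1]), int(fields[2])), None
        elif pid == "IN":
            token = payload = None  # device-to-host traffic is ignored here
        elif pid in DATA_PIDS and token is not None:
            payload = bytes.fromhex(fields[1]) if len(fields) > 1 else b""
        elif pid == "ACK" and token is not None and payload is not None:
            result.append(token + (payload,))
            token = payload = None
        elif pid in ("NAK", "STALL"):
            token = payload = None  # refused: the host retransmits, so drop it
    return result


def first_difference(dump_a, dump_b):
    """Index of the first differing transfer, or None if the dumps match."""
    a, b = acked_transfers(dump_a), acked_transfers(dump_b)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


# Constructed sample captures: DUMP_A contains one NAKed OUT that is retried.
SETUP = ["SETUP 5 0", "DATA0 4001000000000400", "ACK"]
CHUNK = ["OUT 5 0", "DATA1 deadbeef"]
STATUS = ["IN 5 0", "DATA1", "ACK"]
DUMP_A = SETUP + CHUNK + ["NAK"] + CHUNK + ["ACK"] + STATUS
DUMP_B = SETUP + CHUNK + ["ACK"] + STATUS

if __name__ == "__main__":
    print("first difference:", first_difference(DUMP_A, DUMP_B))
```

The device address is part of each tuple here; if the two captures were enumerated with different addresses, compare on endpoint and payload only.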

The next step is to write some kind of program or driver to send the exact same packets to the camera, and hope that it resets itself into a webcam in Windows (or maybe Linux?).
