
The modification

With the yak shave suddenly ending with the realisation that the yak had been wearing a wig all along, I could get back to the main task: making the camera boot into camera mode directly. For this I needed some more data, however: while the majority of the code lives in flash, some of it is located in RAM or perhaps ROM, and I didn't know its contents. Rewriting some code to dump it over the debug UART was not an option either. However, I had already found the code that writes JPEG data to disk when you take a photo, and there was this one routine which writes a structure containing the EXIF information... Well, some well-placed modifications made that routine write an arbitrary block of memory instead. All I needed to do was flash the modified firmware back, take a picture, and the memory contents I wanted would be attached to the picture I took.

With that, I could locate where the camera firmware decides which mode to go to on power-up. This was not trivial, as the firmware uses some weird scheduler and event system that stores pointers to functions in tables in flash: because Ghidra doesn't see a clear entry point to those functions, it won't automatically disassemble them, so I needed to figure out the format and location of those tables before the entire system became clear.

A hack like this tends to be a lot of work for a really minimal tweak that gets you where you want. The firmware has a bunch of different modes (main menu, take photo, take video, display photo, play mp3, play game) and the current mode is stored in a global variable in memory. On startup, this variable is initialized to the 'main menu' mode. Change this to the 'take photo' mode and the firmware will boot up in that mode. Making the one-byte fix is a matter of seconds; finding out which byte to change, and into what, takes a lot longer. Still, there were some other interesting things I found out while trying to make sense of all the code.


For one, there were some things 'left on the cutting room floor'; for instance, this seems to be a version of an earlier menu. All but the first two items are defaced; perhaps someone changed their mind and expressed that in Paint?


Also, there was another game on the camera: Tetris. The code was there, but not hooked up to anything; hooking it up showed that the game was only partially functional. Part of that could be explained by it being targeted at different hardware (the game seems to expect a 220x176 pixel display, while the one on my camera is 320x240), but I'm not sure if that is the full story. Perhaps work on the game started but was cancelled, since you still need a license to legally include Tetris.

As kind of expected with these kinds of things, the marketing for this camera turns out to exaggerate its technical capabilities. Even the most conservative sales page I can find states that the camera has a 2 megapixel sensor. In fact, while I cannot say for sure which camera module is actually used, none of the modules supported by the firmware have a resolution higher than 720p, which is less than one megapixel, and the majority of supported modules are only 640x480, or 0.3 megapixel.

Finally, I decided to look at the firmware update format this thing uses: at this point, the only way I had to tweak the firmware was to desolder the flash chip and reprogram it. As the camera that belonged to my kid was still intact, it would be really nice if I could upgrade it without opening it.

Turns out the firmware upgrade format is fairly trivial. The update logic looks for a file on the SD card called 'hx330x_sdk.bin' and, if it exists, checks some fields in the header for validity. Then it takes one field containing a timestamp, and if the timestamp in the file is newer than the one in flash, it simply copies the upgrade file verbatim into flash. That means I would just have to take a flash dump, trim it so it only includes the firmware, make any modifications I want, then save it as hx330x_sdk.bin. To make the camera accept it, I would need to increment the timestamp field past the one the firmware currently has, put the file on an SD card, and the camera updates from it.
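The following is an added example, not code from the post or from the camera's firmware: it models the update gate as the post describes it (header fields valid, timestamp newer than the one in flash, then a verbatim copy), builds an update file the way the paragraph above lays out (trim the dump, patch the boot-mode byte from the earlier section, bump the timestamp), and then shows the kind of check a vendor would add so that a bumped timestamp alone is no longer enough. The post gives no header layout, so the magic value, the offsets, the boot-mode address and the mode ids below are all assumed placeholders; the sample flash contents are constructed.

```python
"""Model of a timestamp-gated firmware update versus an authenticated one.

Added example. Header layout, offsets and mode ids are ASSUMED placeholders,
not values taken from the camera or the post.
"""
import hashlib
import hmac
import struct

# --- assumed header layout (hypothetical; the post gives no offsets) ---
MAGIC = b"HX33"            # assumed 4-byte magic checked as a 'validity' field
MAGIC_OFF = 0x00
TIMESTAMP_OFF = 0x04       # assumed: little-endian uint32 build timestamp
HEADER_LEN = 0x10
BOOT_MODE_OFF = 0x200      # assumed: offset of the initial-mode byte in the image
MODE_MAIN_MENU = 0x00      # assumed mode ids
MODE_TAKE_PHOTO = 0x01
TAG_LEN = 32               # HMAC-SHA256 tag length for the hardened variant


def header_valid(img: bytes) -> bool:
    """The 'some fields in the header' check, modelled as a magic compare."""
    return len(img) >= HEADER_LEN and img[MAGIC_OFF:MAGIC_OFF + 4] == MAGIC


def timestamp(img: bytes) -> int:
    return struct.unpack_from("<I", img, TIMESTAMP_OFF)[0]


def camera_accepts(flash: bytes, candidate: bytes) -> bool:
    """The gate as the post describes it: valid header and a newer timestamp.

    Nothing here ties the image to the vendor, so any image with a valid
    header and a larger timestamp is copied into flash.
    """
    return header_valid(candidate) and timestamp(candidate) > timestamp(flash)


def build_update(dump: bytes, fw_len: int, patches: dict) -> bytes:
    """Trim a flash dump to the firmware region, apply byte patches, bump the timestamp."""
    img = bytearray(dump[:fw_len])
    for off, val in patches.items():
        img[off] = val
    struct.pack_into("<I", img, TIMESTAMP_OFF, timestamp(img) + 1)
    return bytes(img)


# --- hardened variant: authenticate the image, not just its timestamp ---
def sign_update(img: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the whole image (key held by the vendor)."""
    return img + hmac.new(key, img, hashlib.sha256).digest()


def camera_accepts_signed(flash: bytes, signed: bytes, key: bytes) -> bool:
    """Verify the tag in constant time before applying the original gate."""
    if len(signed) < TAG_LEN:
        return False
    body, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    return camera_accepts(flash, body)


def make_dump(ts: int, mode: int) -> bytes:
    """Constructed sample flash contents: firmware image plus a trailing erased region."""
    img = bytearray(0x400)
    img[MAGIC_OFF:MAGIC_OFF + 4] = MAGIC
    struct.pack_into("<I", img, TIMESTAMP_OFF, ts)
    img[BOOT_MODE_OFF] = mode
    return bytes(img) + b"\xff" * 0x100   # non-firmware tail that build_update trims


if __name__ == "__main__":
    flash = make_dump(1000, MODE_MAIN_MENU)
    update = build_update(flash, 0x400, {BOOT_MODE_OFF: MODE_TAKE_PHOTO})
    print("timestamp-only gate accepts patched image:", camera_accepts(flash, update))
    key = b"vendor-secret-placeholder"
    print("authenticated gate accepts unsigned image:",
          camera_accepts_signed(flash, update + bytes(TAG_LEN), key))
    print("authenticated gate accepts vendor-signed image:",
          camera_accepts_signed(flash, sign_update(update, key), key))
```

The point of the two gates side by side is that the timestamp comparison is a rollback check, not an authenticity check: it only answers "is this newer?", so any image with a plausible header and a larger number passes. The HMAC variant (a signature would serve the same purpose with a public key in the device) is what makes the verbatim copy safe against an unexpected hx330x_sdk.bin on the card.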



© 2006-2025 Sprite_tm