10-15-2014, 08:08 PM   #361
Veteran Member




Join Date: Feb 2009
Photos: Albums
Posts: 452
Originally posted by anemone:
The error report suggests it's 32-bit software on a 64-bit system and behaving badly.

I haven't caught the idea why you want to use frmcrypt instead of pfwtool. Try pfwtool and if it doesn't work like it should, help to make it work. If I'm correct, frmcrypt is proprietary code from a rather untrusted source.
Yes, it's proprietary code and seems to have originated from Pentax. It's correct, it's a 32-bit programme.

---------- Post added 10-16-2014 at 08:49 AM ----------

Originally posted by Shodan:
frmcrypt is crap
But Shodan who wrote it.

---------- Post added 10-16-2014 at 08:57 AM ----------

Originally posted by bootcoder:
svenpeter: Thank you very much for the source of your tool! Finally I was able to deobfuscate and disassemble K-5 firmware. Thank you again! Note for people compiling the source on Windows. You should change the following lines:
Code:
fp = fopen(path, "r");
...
FILE *fp = fopen(argv[2], "w");
to
Code:
fp = fopen(path, "rb");
...
FILE *fp = fopen(argv[2], "wb");
Otherwise the tool is not working correctly.

Hi, thanks. Can you give the step-by-step procedure you followed? Not for me alone but for creating a repository (it would be helpful to me also before I start working on it).
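The "r"/"w" versus "rb"/"wb" change quoted above matters because the C standard library's text mode is allowed to translate the byte stream: on Windows a write of 0x0A becomes 0x0D 0x0A, and a read stops at the first 0x1A (Ctrl-Z), so a firmware image passes through the tool shifted or truncated while the program reports no error. The following is an added example, not pfwtool's code or bootcoder's, that reads and writes a file strictly in binary mode with the error checks a firmware tool should have, and round-trips a constructed byte sample that contains exactly the values text mode mangles. The file name is an arbitrary scratch path; the sample bytes are constructed for the demonstration.

```c
/* Added example (not pfwtool's own code): binary-safe whole-file read and
 * write, then a round-trip check on bytes that text mode would corrupt on
 * Windows (CR, LF, 0x1A, NUL, 0xFF).  On POSIX the 'b' flag changes
 * nothing, which is why the bug only shows up when the tool is built
 * with MinGW or MSVC. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a whole file in binary mode.  Returns a malloc'd buffer (caller
 * frees) or NULL on any error; *out_len receives the byte count. */
static unsigned char *read_file_binary(const char *path, size_t *out_len)
{
    FILE *fp = fopen(path, "rb");               /* "rb", never "r" */
    if (!fp) return NULL;
    if (fseek(fp, 0, SEEK_END) != 0) { fclose(fp); return NULL; }
    long sz = ftell(fp);
    if (sz < 0) { fclose(fp); return NULL; }
    rewind(fp);
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    if (!buf) { fclose(fp); return NULL; }
    size_t got = fread(buf, 1, (size_t)sz, fp);
    fclose(fp);
    if (got != (size_t)sz) { free(buf); return NULL; }  /* short read */
    *out_len = got;
    return buf;
}

/* Write a buffer in binary mode.  Returns 0 on success, -1 on error
 * (fclose is checked too: a failed flush is still a failed write). */
static int write_file_binary(const char *path, const unsigned char *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");               /* "wb", never "w" */
    if (!fp) return -1;
    size_t put = fwrite(buf, 1, len, fp);
    int closed_ok = (fclose(fp) == 0);
    return (put == len && closed_ok) ? 0 : -1;
}

/* Write the constructed sample, read it back and compare.  Returns 1 on
 * an exact round-trip, 0 if bytes were lost or altered, -1 on I/O error.
 * The scratch file is removed afterwards. */
int binary_roundtrip_ok(const char *path)
{
    /* Constructed sample: CR, LF, SUB (0x1A), NUL, a high byte, another
     * LF and a printable byte.  Text mode on Windows would rewrite the
     * LFs on write and stop reading at the 0x1A. */
    static const unsigned char sample[] = { 0x0D, 0x0A, 0x1A, 0x00, 0xFF, 0x0A, 0x42 };
    if (write_file_binary(path, sample, sizeof sample) != 0) return -1;
    size_t len = 0;
    unsigned char *back = read_file_binary(path, &len);
    if (!back) { remove(path); return -1; }
    int ok = (len == sizeof sample && memcmp(back, sample, len) == 0);
    free(back);
    remove(path);
    return ok;
}

int main(void)
{
    int r = binary_roundtrip_ok("roundtrip_sample.bin");
    printf("binary round-trip: %s\n",
           r == 1 ? "OK" : (r == 0 ? "CORRUPTED" : "I/O error"));
    return r == 1 ? 0 : 1;
}
```

Built with MinGW and the mode strings changed back to "r"/"w", the same program reports CORRUPTED; with "rb"/"wb" it passes on every platform, which is the cheap self-check worth keeping in any tool that handles firmware images.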

10-15-2014, 08:34 PM   #362
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Quote:
But Shodan who wrote it.
I certainly did not. It's closed source and doesn't decrypt correctly. Does this sound like something I would release?
10-15-2014, 10:56 PM - 5 Likes   #363
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
So for the last few weeks I've been writing up what I'd like to think is the story so far for Pentax hacking. Hopefully someone will find this interesting.

Ugh, PDF was too big!
https://www.dropbox.com/s/ogez7sb4b0cw92g/hacking_pentax_k30.pdf
10-16-2014, 04:28 AM   #364
Senior Member




Join Date: Jun 2014
Posts: 144
I liked your document. It gave me some ideas on how to proceed with one other device.

I know what to do when I buy my next camera.

BTW, footnotes 1 and 2 to chdk are exactly the same.

10-16-2014, 04:43 AM   #365
Pentaxian
JinDesu's Avatar

Join Date: Jun 2011
Location: New York City
Photos: Gallery
Posts: 5,624
Originally posted by Shodan:
So for the last few weeks I've been writing up what I'd like to think is the story so far for Pentax hacking. Hopefully someone will find this interesting.

Ugh, PDF was too big!
https://www.dropbox.com/s/ogez7sb4b0cw92g/hacking_pentax_k30.pdf
I'll save this for reading later this weekend. Thank you for all your work, Shodan - can't wait to see where it goes next.
10-16-2014, 06:37 AM   #366
Veteran Member




Join Date: Feb 2009
Photos: Albums
Posts: 452
That was kind of Shodan to share his insights.
10-16-2014, 07:07 AM   #367
Forum Member




Join Date: Oct 2014
Posts: 75
Originally posted by uttam.hathi:
Hi, thanks. Can you give the step-by-step procedure you followed? Not for me alone but for creating a repository (it would be helpful to me also before I start working on it).
I have just downloaded the source file (there is only one) with a browser, changed the 2 lines above and compiled it with the GNU MinGW compiler under Windows.
10-16-2014, 08:18 AM   #368
Junior Member




Join Date: Feb 2014
Posts: 49
Hi, I have already compiled Sven Peter's pfwtool; here's a package with binaries for win32 and dos/djgpp if someone needs it:
http://rayer.g6.cz/hardware/pentax.k30/pfwtool.zip
For the file access mode I suggest using "rb" / "wb" - it shouldn't affect Linux but it's necessary for Windows, so I always use it instead of "r" / "w".
I also needed to define the off_t type - it should be present in newer compilers.

Shodan, thanks for putting effort to write the document, I will read through...

10-16-2014, 02:51 PM   #369
Forum Member




Join Date: Oct 2014
Posts: 75
Originally posted by RayeR:
I also needed to define the off_t type - it should be present in newer compilers.
LOL, mingw 3.4.5 from 2008 has it; how old is your compiler???
10-16-2014, 07:20 PM   #370
Veteran Member




Join Date: Feb 2009
Photos: Albums
Posts: 452
@bootcoder
10-20-2014, 06:01 AM   #372
New Member




Join Date: Oct 2014
Posts: 9
Originally posted by lister6520:
I finally got to work on the O-GPS1 protocol but it turns out it was not as straightforward as I was hoping. The communication seems to work in the exact same way as the P-TTL communication in terms of the synchronisation pulses, the formatting of the bits and so on.

Here is just a preview of what I am seeing - but I haven't understood much of it yet - it will need some more time.

From what I can see the camera still starts off sending and expecting data to/from the flash but the flash return is just empty (because the flash isn't there), whereas the camera then proceeds anyway to send the ISO, focal length, aperture and such details to the non-existent flash a few times but after a few tries just sends all zeros in that slot.

What changes with the GPS is that after conclusion of that sequence the exchange between the GPS and camera then takes place. It is still early for me to figure out what exactly is going on at this point. There is no obvious NMEA encoded as ASCII in the bit sequences but I haven't ruled out it being buried in there somewhere.

Just to get an idea, this is a typical sequence I get from my decoder with the P-TTL flash in place:
<-+_-+-+_014411380D0C_-+_-+_08638750004_-+-+-+-+-+_E8D0_-+4C50_00-+>
The first sequence being the data the flash sends to the camera and the second one is from the camera to the flash. The third one I can't quite remember what it was but I think it has something to do with AF.


Whereas this is a typical sequence with the GPS:
<-+_-+-+_00000000_-+_-+_000000000_-+4C50_C0-+-+4C14_C036FF007F-+>
Here we see the first two sequences being all zeros, as there is nothing to communicate between the flash and the camera, but it seems that slot is still reserved for that. Then there is the same 4C50 as with the flash, which I think is the closing sequence of the flash communication, but now instead of being followed by a final 00 we get a C0, presumably signalling the start of GPS communication. The main content of the message being the C036FF007F in this example. A few of these messages are sent every second, with the C036 being always present and the remaining characters changing between one message and the next.

In addition there is occasionally a longer message such as this one:
<000000300000000000000000000000036FF30DF800000000000018060FF8000007F80E6FFC07F80CC7F9980F9FFFFE07F800000F7-+-+4C14_C036FF006D-+>
I'm not sure how often it occurs but it seems somewhat irregular.


On another note I think I figured out why the extension cables cause problems and also why some third party flashes can be unreliable. It is just a silly 'mechanical' problem regarding the way the ground terminal connects and black paint on the camera hotshoe bracket. It seems the way grounding is achieved is not so standardised and where some accessories put the ground terminal coincides with where Pentax puts black paint and where Pentax puts the metal contact the accessory has plastic or anodised aluminium.

I do not have the GPS and a GPS-compatible body so I cannot recreate the experiment, so I am working with your numbers. However, I am missing some information on what these numbers could be, like your location at the time when the logs were created (like what was recorded into EXIF when you pressed the shutter). Did you fire the shutter anyway? Maybe only then is the location sent to the camera. Also, I believe the time from the GPS unit is also transferred to the camera body, so the time of the experiment (at least to the nearest minute) would be great too. Probably you didn't record that at the time.

Could you do another simple test with this information included? It would make cracking the numbers much easier.

Great thread by the way and great findings by all. I like the RE spirit!
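The comparison the two posts above make by eye (same 4C50 in both captures, a trailing 00 with the flash, a C0 and a C036... payload with the GPS) gets easier once the decoder lines are split into fields mechanically, and it is the first step toward correlating field values with the known position and time the reply asks for. The following is an added example, not lister6520's decoder or any code from this thread: it tokenises dump lines in the notation quoted above, taking '<' and '>' as frame, '-', '+' and '_' as pulse and gap markers, and runs of hex digits as data fields, then counts fields that appear verbatim in both captures. That reading of the notation is an assumption from the quoted text; the example assigns no meaning to any field.

```c
/* Added example, not the thread's decoder: split O-GPS1 / P-TTL dump lines
 * of the form quoted in the post into hex data fields so two captures can
 * be compared mechanically.  Assumed notation (taken from the post as
 * written): '<' ... '>' frame a capture, '-' '+' '_' are pulse/gap
 * markers, runs of hex digits are data.  No field semantics are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_FIELDS    32
#define MAX_FIELD_LEN 160

typedef struct {
    int  count;
    char field[MAX_FIELDS][MAX_FIELD_LEN];   /* upper-case hex strings */
} fields_t;

/* Split one framed dump line into hex fields.  Returns the number of
 * fields found, or -1 if the line is not framed by '<' '>', contains a
 * symbol outside the assumed alphabet, or overflows the fixed buffers. */
int split_hex_fields(const char *dump, fields_t *out)
{
    out->count = 0;
    size_t n = strlen(dump);
    if (n < 2 || dump[0] != '<' || dump[n - 1] != '>') return -1;

    size_t cur = 0;
    int in_field = 0;
    for (size_t i = 1; i + 1 < n; i++) {
        unsigned char c = (unsigned char)dump[i];
        if (isxdigit(c)) {
            if (!in_field) {                          /* field starts */
                if (out->count >= MAX_FIELDS) return -1;
                in_field = 1;
                cur = 0;
            }
            if (cur + 1 >= MAX_FIELD_LEN) return -1;  /* field too long */
            out->field[out->count][cur++] = (char)toupper(c);
            out->field[out->count][cur] = '\0';
        } else if (c == '-' || c == '+' || c == '_') {
            if (in_field) {                           /* field ends */
                in_field = 0;
                out->count++;
            }
        } else {
            return -1;                                /* unknown symbol */
        }
    }
    if (in_field) out->count++;                       /* field ran to '>' */
    return out->count;
}

/* Count fields of a that also occur verbatim in b (each a-field counted
 * once).  With the two captures below this finds only the 4C50 the post
 * identifies as the end of the flash exchange. */
int common_fields(const fields_t *a, const fields_t *b)
{
    int shared = 0;
    for (int i = 0; i < a->count; i++)
        for (int j = 0; j < b->count; j++)
            if (strcmp(a->field[i], b->field[j]) == 0) { shared++; break; }
    return shared;
}

/* The two captures exactly as quoted in the post. */
const char *FLASH_DUMP = "<-+_-+-+_014411380D0C_-+_-+_08638750004_-+-+-+-+-+_E8D0_-+4C50_00-+>";
const char *GPS_DUMP   = "<-+_-+-+_00000000_-+_-+_000000000_-+4C50_C0-+-+4C14_C036FF007F-+>";

int main(void)
{
    fields_t f, g;
    if (split_hex_fields(FLASH_DUMP, &f) < 0 || split_hex_fields(GPS_DUMP, &g) < 0) {
        fprintf(stderr, "malformed dump line\n");
        return 1;
    }
    printf("flash: %d fields, gps: %d fields, shared verbatim: %d\n",
           f.count, g.count, common_fields(&f, &g));
    for (int i = 0; i < g.count; i++)
        printf("  gps[%d] = %s\n", i, g.field[i]);
    return 0;
}
```

Feeding a series of GPS captures taken at a recorded position and time through split_hex_fields and diffing the payload fields against each other is the mechanical version of what the reply asks for: fields that stay constant (the C036 prefix) separate from those that move with time or position.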
10-21-2014, 05:27 AM   #373
Forum Member




Join Date: Oct 2014
Posts: 75
K-5 firmware is extremely C++; even tasks are derived from a CTask class by overriding a default virtual method. It is a big, difficult puzzle to trace calls through virtual tables.

EDIT: IDA Pro is no help on FR80 C++ generated code, so it needs a custom analyser for class/object calls.
EDIT2: All operating system calls are identified: it is the RealOS mITRON4.0 kernel described in http://www.spansion.com/fjdocuments/fj/MANUAL/MANUALp/en-pdf/CM81-00312-2E.pdf. A RealOS service call is done by putting the function address into R12 instead of the function number, as stated in the ITRON specification. This puzzled me for some time...

Last edited by bootcoder; 10-27-2014 at 06:21 PM.
11-26-2014, 01:53 PM   #374
Veteran Member
patarok's Avatar

Join Date: Jul 2013
Posts: 351
I know this is all about DSLRs.

But did anybody hack the WG-1 already? Or is there a way to save files in RAW-format through debug mode?
11-26-2014, 05:18 PM   #375
Forum Member




Join Date: Oct 2014
Posts: 75
Originally posted by patarok:
But did anybody hack the WG-1 already? Or is there a way to save files in RAW format through debug mode?
The problem is that there was no firmware update for this camera. So I guess analysis today is not possible, unless somebody makes a jailbreak.