Resurrecting Pentax firmware hacking

**niceshot** · 04-02-2015, 02:19 AM

Has any one been able to do anything beneficial with all of this?

anemone · 04-02-2015, 04:44 AM

End-user beneficial: No. shodan's work is most ready work there is and others just poke around and see what there is.

Hacker beneficial: Yes

These small bits of information give possibility to hackers get on hacking easier as not everyone needs to do all the same steps multiple times.

Giklab · 04-02-2015, 05:41 AM

Originally posted by niceshot

Has any one been able to do anything beneficial with all of this?

Like @anemone said, there is currently nothing useful being done for you. But this work -> hackers -> users.

**jbondo** · 04-02-2015, 06:37 AM

I don't have time to help with the project at present, but I wanted to take a moment to thank all you you who are and for posting your findings here. Way to go y'all.

bootcoder · 04-02-2015, 06:46 AM - **1 Like**

Well it is a good news in fact. Having 2 cores and complete hardware H.264 Codec in K-30 (I suppose 2nd core control codec), brings a chance of unlocking birate. But a lot of things to reverse and I do not have K-30 camera.

bootcoder · 04-12-2015, 12:44 PM

Left is K-30 code (ARM processor), right K-5 (FR80). As you see, very similar logic.

marabella · 04-15-2015, 07:53 AM

Firmware for K-S1 is not recognized by both pfwtool and frmcrypt.

Now available: A (new) downloadable firmware for the K-S1 and K-S2

Quote:

Latest K-S1 Firmware Update : Software Downloads | RICOH IMAGING

I have tried to access the debug menu on my K-S1 (see #383) with files from 00077850.400 to 00077850.900. No luck.
My hope was to find the corresponding correct number with one of the decrypting tools when a new firmware would be available.
But now both tools give me an error like: "unknown firmware"

My guess still is that Pentax has closed this well known backdoor.

May I ask one experienced user/decrypter/coder to check this? Would be nice.

uttam.hathi · 04-16-2015, 07:39 AM

Originally posted by Giklab

Like @anemone said, there is currently nothing useful being done for you. But this work -> hackers -> users.

as i see its irrelevant. if one cannot tweak and work with it on the camera its useless. need to see one example, save the case of 4 bits changed in k-7 thats it.

ofer4 · 04-16-2015, 08:36 AM - **1 Like**

Originally posted by uttam.hathi

as i see its irrelevant. if one cannot tweak and work with it on the camera its useless. need to see one example, save the case of 4 bits changed in k-7 thats it.

Then, Uttam, please provide your own solution. We'd all love to see it. Otherwise, please stop cluttering this thread and let the big boys work without having to address your complaints.

bootcoder · 04-16-2015, 02:32 PM

Originally posted by marabella

Firmware for K-S1 is not recognized by both pfwtool and frmcrypt.

K-S1 firmware is not obfuscated at all. It is only compressed. It is a kind of LZ compression operating on bytes with sliding window of 4K. Not LZMA, not LZ4. I have identified 2 control codes, but 2 others still unknown.
(I am not compression expert)

uttam.hathi · 04-16-2015, 06:52 PM

if i can figure the pointers of the loader it will be a small step, viz play around loading any /similar set of similiar range of pentax.-[ k-x k-m -kr,] [k10, k20][k-7,k-5], the firmware also functins the control buttons thus it has to be similar set,
and mainly upgrading and downgrading knowingly, not an ability to flash into a version but not able to reverse.
this is the first step else nothing is relevant, one cannot flash a same version, this ability too would be relevant if changes are made.
NEED TO SEE THIS.

marabella · 04-17-2015, 06:57 AM

Originally posted by bootcoder

K-S1 firmware is not obfuscated at all. It is only compressed. It is a kind of LZ compression operating on bytes with sliding window of 4K. Not LZMA, not LZ4. I have identified 2 control codes, but 2 others still unknown.
(I am not compression expert)

Thanks for the hint. I did want to try "binwalk" but now I'm firstly looking for a similar software which is Windows based.
I'm neither a coder nor a Linux guy. Just a curious user with sketchy programming skills.

uttam.hathi · 04-17-2015, 06:20 PM

Originally posted by marabella

Thanks for the hint. I did want to try "binwalk" but now I'm firstly looking for a similar software which is Windows based.
I'm neither a coder nor a Linux guy. Just a curious user with sketchy programming skills.

welcome to the world of curosity, once u enter u will see many a fallacy

BorisAngelis · 04-19-2015, 08:55 AM

I don't wanna read all 30 pages to find out what it is and where i can get it.
And I would love to help somehow if I can (don't know how but still).
Also: Does the K-3 have the same kinda firmware as the K-30? And or: Does the hack work on K-3?

anemone · 04-19-2015, 03:51 PM - **1 Like**

One part is Shodan's PHDK
Another is Svenpeters Chrome decrypter.

I have some notes somewhere home about K-3 FW. I spent something like one night with so nothing much. K-3 and K-30 are different beasts.

So as always, start with other work and study what Shodan did. The pdf is great thing to read. Then start appyling IDA and your mind to FW and find something useful from FW and document it.

And so yes, you need to read first 20 pages of this to understand Shodan's work (it is really interesting stuff) and last ten to see how we are arguing boring stuff

04-02-2015, 06:46 AM - 1 Like	#455
bootcoder Banned Join Date: Oct 2014 Posts: 93	Well it is a good news in fact. Having 2 cores and complete hardware H.264 Codec in K-30 (I suppose 2nd core control codec), brings a chance of unlocking birate. But a lot of things to reverse and I do not have K-30 camera. Last edited by bootcoder; 04-02-2015 at 06:56 AM.

04-12-2015, 12:44 PM	#456
bootcoder Banned Join Date: Oct 2014 Posts: 93	Left is K-30 code (ARM processor), right K-5 (FR80). As you see, very similar logic. Attached Images

04-16-2015, 02:32 PM	#460
bootcoder Banned Join Date: Oct 2014 Posts: 93	Originally posted by marabella Firmware for K-S1 is not recognized by both pfwtool and frmcrypt. K-S1 firmware is not obfuscated at all. It is only compressed. It is a kind of LZ compression operating on bytes with sliding window of 4K. Not LZMA, not LZ4. I have identified 2 control codes, but 2 others still unknown. (I am not compression expert) Last edited by bootcoder; 04-17-2015 at 06:03 AM.

04-19-2015, 08:55 AM	#464
BorisAngelis New Member Join Date: Apr 2014 Posts: 3	what is this and where can I get it? I don't wanna read all 30 pages to find out what it is and where i can get it. And I would love to help somehow if I can (don't know how but still). Also: Does the K-3 have the same kinda firmware as the K-30? And or: Does the hack work on K-3?

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
NY area SDM Hacking	dappercorpmonkey	Troubleshooting and Beginner Help	11	07-26-2013 04:15 PM
Nature Resurrecting some old images - Angry Birds!	Julie	Post Your Photos!	4	03-07-2013 10:41 AM
k-5 firmware hacking anyone?	secateurs	Pentax K-5 & K-5 II	33	10-05-2012 03:05 PM
Hacking lens' memory	plis	Visitors' Center	6	11-28-2011 10:58 PM
Resurrecting a MX and Super ME	LiMPiNg	Film SLRs and Compact Film Cameras	4	09-27-2011 02:55 PM

04-02-2015, 02:19 AM	#451
niceshot Site Supporter Join Date: Mar 2014 Location: NY Photos: Gallery Posts: 1,564	Has any one been able to do anything beneficial with all of this?

04-02-2015, 04:44 AM	#452
anemone Senior Member Join Date: Jun 2014 Posts: 165	End-user beneficial: No. shodan's work is most ready work there is and others just poke around and see what there is. Hacker beneficial: Yes These small bits of information give possibility to hackers get on hacking easier as not everyone needs to do all the same steps multiple times.

04-02-2015, 05:41 AM	#453
Giklab Veteran Member Join Date: Jan 2012 Location: Slovenia Photos: Gallery Posts: 2,182	Originally posted by niceshot Has any one been able to do anything beneficial with all of this? Like @anemone said, there is currently nothing useful being done for you. But this work -> hackers -> users.

04-02-2015, 06:37 AM	#454
jbondo Loyal Site Supportaxian Join Date: Sep 2013 Location: Texas Photos: Albums Posts: 503	I don't have time to help with the project at present, but I wanted to take a moment to thank all you you who are and for posting your findings here. Way to go y'all.

04-15-2015, 07:53 AM	#457
marabella Forum Member Join Date: Jan 2015 Posts: 58	Firmware for K-S1 is not recognized by both pfwtool and frmcrypt. Now available: A (new) downloadable firmware for the K-S1 and K-S2 Quote: Latest K-S1 Firmware Update : Software Downloads \| RICOH IMAGING I have tried to access the debug menu on my K-S1 (see #383) with files from 00077850.400 to 00077850.900. No luck. My hope was to find the corresponding correct number with one of the decrypting tools when a new firmware would be available. But now both tools give me an error like: "unknown firmware" My guess still is that Pentax has closed this well known backdoor. May I ask one experienced user/decrypter/coder to check this? Would be nice.

04-16-2015, 07:39 AM	#458
uttam.hathi Veteran Member Join Date: Feb 2009 Photos: Albums Posts: 621	Originally posted by Giklab Like @anemone said, there is currently nothing useful being done for you. But this work -> hackers -> users. as i see its irrelevant. if one cannot tweak and work with it on the camera its useless. need to see one example, save the case of 4 bits changed in k-7 thats it.

04-16-2015, 08:36 AM - 1 Like	#459
ofer4 Veteran Member Join Date: Jun 2011 Location: Utah Posts: 428	Originally posted by uttam.hathi as i see its irrelevant. if one cannot tweak and work with it on the camera its useless. need to see one example, save the case of 4 bits changed in k-7 thats it. Then, Uttam, please provide your own solution. We'd all love to see it. Otherwise, please stop cluttering this thread and let the big boys work without having to address your complaints.

04-16-2015, 06:52 PM	#461
uttam.hathi Veteran Member Join Date: Feb 2009 Photos: Albums Posts: 621	if i can figure the pointers of the loader it will be a small step, viz play around loading any /similar set of similiar range of pentax.-[ k-x k-m -kr,] [k10, k20][k-7,k-5], the firmware also functins the control buttons thus it has to be similar set, and mainly upgrading and downgrading knowingly, not an ability to flash into a version but not able to reverse. this is the first step else nothing is relevant, one cannot flash a same version, this ability too would be relevant if changes are made. NEED TO SEE THIS.

04-17-2015, 06:57 AM	#462
marabella Forum Member Join Date: Jan 2015 Posts: 58	Originally posted by bootcoder K-S1 firmware is not obfuscated at all. It is only compressed. It is a kind of LZ compression operating on bytes with sliding window of 4K. Not LZMA, not LZ4. I have identified 2 control codes, but 2 others still unknown. (I am not compression expert) Thanks for the hint. I did want to try "binwalk" but now I'm firstly looking for a similar software which is Windows based. I'm neither a coder nor a Linux guy. Just a curious user with sketchy programming skills.

04-17-2015, 06:20 PM	#463
uttam.hathi Veteran Member Join Date: Feb 2009 Photos: Albums Posts: 621	Originally posted by marabella Thanks for the hint. I did want to try "binwalk" but now I'm firstly looking for a similar software which is Windows based. I'm neither a coder nor a Linux guy. Just a curious user with sketchy programming skills. welcome to the world of curosity, once u enter u will see many a fallacy

Thread Tools	Search this Thread
	Search this Thread: Advanced Search

04-19-2015, 03:51 PM - 1 Like	#465
anemone Senior Member Join Date: Jun 2014 Posts: 165	One part is Shodan's PHDK Another is Svenpeters Chrome decrypter. I have some notes somewhere home about K-3 FW. I spent something like one night with so nothing much. K-3 and K-30 are different beasts. So as always, start with other work and study what Shodan did. The pdf is great thing to read. Then start appyling IDA and your mind to FW and find something useful from FW and document it. And so yes, you need to read first 20 pages of this to understand Shodan's work (it is really interesting stuff) and last ten to see how we are arguing boring stuff