02-24-2014, 02:39 PM - 2 Likes   #61
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Quote:
For further work we would need to find some safe way (bootstrap) to load a binary module from the SD card. Maybe it could be done via the firmware upgrading menu, but for easier accessibility it will then need to patch the FW. Also there's still the problem with the checksum to be able to make some mod. A guy haute found how to bypass the checksum on the K-7, see here Pentax hack status - Personal View Talks, but on the K-30 the header looks different and probably it will not be so easy. Also it seems that decrypting is not done in full range yet. You should ask Vitaliy personally for help on FRMCRYPT, I think he has the sources.
Agreed. I've been putting in a lot of work reverse engineering the firmware upgrade process. I'm also desperate to get my hands on the bootloader.

Quote:
I tried to save various data from the debug menu to the SD card but not all of it worked for me. E.g. CPU data displayed "error..." and lens ROM data didn't display an error but no file was created. I was able to save this: BOOTBLK.BIN, KB524.ADJ, KB524CAM.LOG
I'd love to know what those files are

Quote:
[SW_DEBUG_MENU EN] - nothing happen
You need to open the menu and keep pressing right.

Quote:
[SCRIPT_EN_MODE EN] - works but it cannot be disabled.
[SCRIPT_EN_MODE DIS]

Quote:
I could help with some testing...
You don't happen to have a copy of IDA Pro?

02-24-2014, 03:32 PM   #62
jup
Senior Member
Join Date: Nov 2009
Location: San Jose, CA
Posts: 103
Originally posted by RayeR:
[VLENS_CONTROL] - nothing happen
It's [VLENS_CTRL] but I don't think that's very useful. It displays SDM On, PZ On when you hold specific buttons.

Also:
[DSP_ROM_STORE] - will dump (unencrypted) DSP firmware
[NORMALLY_CLOSED_MODE EN] - no idea what this does but it changes the N-DIS flag in debug menu
[LIVE_VIEW_TEST_MODE EN] - same thing for LV_TEST flag

and a bunch of others. They're easy to read from the dump I got from [DSP_ROM_STORE] and (I guess) from the unencrypted firmware (you don't need IDA for that, which I don't have). There are also some interesting switches on the K-3, but let's keep this to the K-30 for now.
02-25-2014, 12:20 AM   #63
jup
Senior Member
Join Date: Nov 2009
Location: San Jose, CA
Posts: 103
Originally posted by Shodan:
Agreed. I've been putting in a lot of work reverse engineering the firmware upgrade process. I'm also desperate to get my hands on the bootloader.
BTW, Shodan, the K-30 will read unencrypted files from the SD card - KB524.BIN, KB524C.BIN, KB524B.BIN and such. These should be DSP firmware, CPU firmware, and both together. Unfortunately, I still get an error when I try to put a firmware dump there, but using these might be easier than breaking the encryption.

Edit: I think they also have some checksum/size check or probably both, since I either get "Card error" or "Firmware data error".

Last edited by jup; 02-25-2014 at 01:07 AM.
02-25-2014, 09:38 AM - 1 Like   #64
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Reverse engineered the K30's checksum. What's really nice is that if you set the correct magic byte in the firmware then it isn't even checked...

[C#] Pentax K30 firmware checksum - Pastebin.com

02-25-2014, 11:07 AM - 1 Like   #65
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Hmmmmm I've checked my checksum program against the ROM I'm decompiling. The DSP firmware is correct but the CPU firmware isn't. I suspect that the frmcrypt.exe tool isn't correctly dumping it out.

I think I've found the decryption function so I may have to write my own decryptor.
02-25-2014, 12:18 PM   #66
Veteran Member
aurele's Avatar

Join Date: Jan 2011
Location: Paris, France
Photos: Albums
Posts: 3,217
It appears that you are making progress, that's cool, that's great!
02-25-2014, 03:04 PM - 1 Like   #67
Forum Member
Join Date: Feb 2014
Posts: 86
Originally posted by Shodan:
>[SW_DEBUG_MENU EN]
You need to open the menu and keep pressing right.
I tried again but I didn't see anything new. Does this option need to be combined with [OPEN_DEBUG_MENU]?
BTW when I have [OPEN_DEBUG_MENU] and [DEBUG_MODE EN] then the dev. menu opens on every turn-on, even with the card doors closed. When CARDDOOR OPEN is enabled in the menu, the camera then allows operation with the doors opened.

Originally posted by Shodan:
[SCRIPT_EN_MODE DIS]
I tried this as I wrote in my previous post but I cannot disable the script any other way than deleting the script file. You can try it. I'm using the latest FW 1.05.
BTW I wonder for what purposes the scripting language is there. If it cannot read from files and memory but only print some constants and variables on screen... It could be used for some automated testing and report generating if it had some more powerful commands...

Originally posted by Jup:
[VLENS_CTRL]
Yes, this works but seems nothing useful. I pressed probably all buttons but all it can display is On for SDM and PZ (I have an SDM lens mounted).

Originally posted by Jup:
[DSP_ROM_STORE]
Yes, this dumped the file KB524DSP.BIN with size 12 582 912 B, almost a whole firmware (the FWDC215B.BIN 1.05 file is 12 845 056 B). It looks like the decrypted FW file with a few different kB at the start of the file. At offset F00h both files seem to be the same (some header "HOKKTKIYHTNTMU" string). I also tried [CPU_ROM_STORE] but got only an "ERROR ..." message, no file created. From the file size it seems that the CPU part is only 262 144 B.

Originally posted by Shodan:
Hmmmmm I've checked my checksum program against the ROM i'm decompiling. The DSP firmware is correct but the CPU firmware isn't. I suspect that the frmcrypt.exe tool isn't correctly dumping it out.
Try to contact Vitaliy Kiselev, he knows that frmcrypt.exe is not perfect and there are still some undecrypted parts; he may give access to the sources or some advice. He made an update to support the K-30, K-5 II...

Originally posted by Shodan:
You don't happen to have a copy of IDA Pro?
Yes, I have ver. 5.5 but I use it occasionally and mostly for x86 MZ or ROM code. I'm not an IDA expert, it's a very complex and feature-rich tool and I still don't know all its features - e.g. I don't know that it can make C code from DASM (if my ver. even supports it). I only have a little time at night for playing with it. Maybe it would be a good idea if you wrote some quick tutorial into your 1st post on how to load the decr. FW file into IDA - offsets to important blocks, where the entry point is, what the base address of the code in the CPU address space is...
Or maybe better to start some wiki page to store the knowledge in a well-arranged way.
02-25-2014, 03:54 PM   #68
New Member
Join Date: Feb 2014
Posts: 1
Hi everyone!
Have you got any ideas how to get to the debug mode (AF test) in the K-50 (fw. 1.01)? I've a big problem with front focus.
Please help.
03-02-2014, 01:31 PM - 4 Likes   #69
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Successful decryption

RE'ing the firmware decryption routine turned out to be harder than I thought. So instead I ripped out the original decryption assembly, recompiled it and ran it on my Raspberry Pi. After a little fiddling with the endianness I've got the firmware that the actual camera uses in the flash routines.

I've uploaded the XOR key I'm using here:
Download xor.key from Sendspace.com - send big files the easy way

If you XOR the K-30 v1.5 firmware with this you'll get the correct firmware.

Now I've got a working decryptor I can properly debug it and write some nice C#. Then I'll probably release some firmware tools that allow you to decrypt and checksum the binary.
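As an added example (not Shodan's decryptor, not the real xor.key, and not code from this thread), the following shows the XOR-with-keystream step described in the post, a sanity check that uses the "HOKKTKIYHTNTMU" header RayeR reported at offset F00h in both the decrypted FW and the DSP dump, and why a fixed XOR key gives no confidentiality once one plaintext (such as that DSP dump) is available. The firmware, key and ciphertext bytes are constructed with a seeded RNG, not real K-30 data.

```python
"""XOR keystream decryption of a firmware image, with a known-plaintext
marker check and keystream recovery. Example code; all bytes are constructed."""
import random

# Header string observed at offset 0xF00 in both the decrypted FW and DSP dump.
MARKER = b"HOKKTKIYHTNTMU"
MARKER_OFFSET = 0xF00


def xor_decrypt(cipher: bytes, key: bytes) -> bytes:
    """XOR the image with the keystream, repeating the key if it is shorter.
    XOR is its own inverse, so the same call also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))


def recover_keystream(cipher: bytes, plain: bytes) -> bytes:
    """Known-plaintext recovery: c ^ p yields the key byte at every position.
    One decrypted copy of a region (e.g. a DSP ROM dump) therefore exposes the
    keystream for that region, which is why static XOR is not encryption."""
    n = min(len(cipher), len(plain))
    return bytes(c ^ p for c, p in zip(cipher[:n], plain[:n]))


def has_marker(image: bytes, marker: bytes = MARKER,
               offset: int = MARKER_OFFSET) -> bool:
    """Sanity check: did decryption place the expected header at its offset?"""
    return image[offset:offset + len(marker)] == marker


def build_sample(size: int = 0x1100, seed: int = 524):
    """Constructed plaintext, key and ciphertext so the script runs offline."""
    rnd = random.Random(seed)
    plain = bytearray(rnd.getrandbits(8) for _ in range(size))
    plain[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    key = bytes(rnd.getrandbits(8) for _ in range(size))
    return bytes(plain), key, xor_decrypt(bytes(plain), key)


if __name__ == "__main__":
    plain, key, cipher = build_sample()
    print("marker in ciphertext:", has_marker(cipher))                      # False
    print("marker after decrypt:", has_marker(xor_decrypt(cipher, key)))    # True
    print("keystream recovered :", recover_keystream(cipher, plain) == key)  # True
```

With a real image, the marker check is the quick way to tell a correct key and byte order from a wrong one before trusting the output for any further work.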
03-02-2014, 04:04 PM - 3 Likes   #70
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
Now that I know how to decrypt the firmware and how to compute the checksum, I can make changes to the firmware.

I took a risk and tried changing one of the Debug menu titles. Looks like it worked.
03-02-2014, 05:13 PM   #71
Senior Member
LeFanch's Avatar

Join Date: Dec 2007
Location: Working in Norway, Bordeaux area when on time-off
Posts: 123
Awesome!
03-02-2014, 10:30 PM   #72
Veteran Member
mtux's Avatar

Join Date: Apr 2013
Location: the Netherlands
Photos: Gallery | Albums
Posts: 2,444
Wow! well done.
03-03-2014, 01:51 AM   #73
Junior Member
Join Date: Oct 2011
Posts: 31
Great work! I can donate some money if it can help.
03-03-2014, 02:50 AM   #74
Senior Member
Join Date: May 2012
Photos: Gallery
Posts: 143
This makes me sad that all I can do is push the shutter button.
03-03-2014, 03:15 AM   #75
Junior Member
Join Date: Mar 2011
Location: Germany
Posts: 46
Great project!

What about collecting all the information into a public wiki?
Move the information from pentax-hack.info into the wiki, too (because the page seems to be "unmaintained", doesn't it?).

Maybe at wikia.com? There is also the Magic Lantern Firmware Wiki.