03-09-2014, 05:34 PM - 1 Like   #106
New Member
Join Date: Mar 2014
Posts: 18
Keep up the good work!

I've sent you £10.

03-10-2014, 01:39 AM - 1 Like   #107
Junior Member
Join Date: Mar 2013
Posts: 44
A tenner also from me. You're making really quick progress Shodan and can only imagine that will become even easier once you have a dedicated K30 for testing. Hope a few more members can chip in and help you meet the funding goal.
03-10-2014, 03:04 AM   #108
Forum Member
Join Date: Feb 2014
Posts: 86
Originally posted by Shodan:
You should be able to run the code under Mono or with Visual Studio express edition. I'm not rewriting it in C/C++. If you have a look at the source you'll see for encrypt/decrypt I currently only XOR with a key. You'll find that on GitHub.

Well, so you say that the only thing to do is to load the FW file and the xor.key file and XOR byte by byte? It would be a few lines in ANSI C, I'll try. As a check, if I XOR the file two times it should give the same result. The decrypter for Canons worked like that (one pass decryption, another pass encryption). But what if the length of a future FW update changes? We would need a new XOR key, and also for other camera models. Is the CPU part encrypted with a different key, which caused the old frmcrypt to fail?
It's cool that you managed to run the routines on the R-Pi; I also have one board.
03-10-2014, 03:34 AM   #109
Forum Member
Join Date: Feb 2014
Posts: 92
Original Poster
Quote:
But what if the length of a future FW update changes?

I've reverse engineered the update process. The firmware is a fixed size, so for now at least this shouldn't be an issue. The greater goal is to correctly RE the decrypt routines, but this is low priority at the moment.

Quote:
Is the CPU part encrypted with a different key, which caused the old frmcrypt to fail?

Kind of. The decrypt/encrypt routines take an offset as a parameter. DSP, CPU etc. have different offsets. This is used to compute the key to XOR with. FRMCRYPT.EXE works for the most part, but the end of the binary is corrupted.

Quote:
It's cool that you managed to run the routines on the R-Pi; I also have one board.

Are you able to reverse engineer code on it? If so I could give you my firmware decryptor code, which uses the real camera logic to decrypt it.

03-10-2014, 08:55 AM   #110
Junior Member
Join Date: Mar 2011
Location: Germany
Posts: 46
Is there anything known about low-level firmware flash methods?
For a bricked body... something like a software rescue flash mode or a hardware solution, e.g. a JTAG / UART hardware interface etc.
03-10-2014, 09:45 AM   #111
Forum Member
Join Date: Feb 2014
Posts: 92
Original Poster
Quote:
Is there anything known about low-level firmware flash methods?
For a bricked body... something like a software rescue flash mode or a hardware solution, e.g. a JTAG / UART hardware interface etc.

It looks like there is a UART on it (from the software side). If I do end up bricking a donated camera I will crack it open and take it to my friends with a hardware lab. I suspect there will be a JTAG somewhere.

One of the first things I'm going to do with my custom firmware is a wide variety of ROM dumps. I'm hoping to find a bootloader at 0x00000000. That's pretty much how Canons work.
03-10-2014, 03:39 PM - 2 Likes   #112
Forum Member
Join Date: Feb 2014
Posts: 92
Original Poster
Bit more of an impressive change.

Attached Images
03-10-2014, 10:19 PM   #113
Veteran Member
Join Date: Jan 2012
Location: Slovenia
Photos: Gallery
Posts: 2,182
Hahaha victory!
03-11-2014, 01:16 AM   #114
Junior Member
Join Date: Oct 2011
Posts: 31
Originally posted by Shodan:
Bit more of an impressive change.

Impressive!
03-11-2014, 06:34 AM   #115
Forum Member
Join Date: Feb 2014
Posts: 92
Original Poster
I've just checked the firmware: CPU_ROM_STORE is not supported on the K-30. The functionality just doesn't exist.
03-11-2014, 12:59 PM   #116
Veteran Member
Join Date: Jan 2011
Location: Paris, France
Photos: Albums
Posts: 3,217
Originally posted by Shodan:
Bit more of an impressive change.

A small step for a hacker, a huge leap for the Pentax community.
03-11-2014, 02:02 PM - 1 Like   #117
Veteran Member
Join Date: Jan 2012
Location: Slovenia
Photos: Gallery
Posts: 2,182
Originally posted by aurele:
a small step huge leap for a hacker, a huge leap tectonic shift for the Pentax community
Fixed

Last edited by Giklab; 03-11-2014 at 02:08 PM.
03-11-2014, 06:49 PM   #118
Forum Member
Join Date: Feb 2014
Posts: 86
I made a simple portable decrypter (binaries & src included) using Shodan's XOR.KEY file. Now I can see the decrypted CPU block with a few strings; it probably starts at offset 0xC00000. Some short blocks at the beginning and end of the original FW file seem to be not encrypted.
You can add my files to GitHub. Congrats on the chksum fix.
Attached Files
File Type: zip pdecrypt.zip (65.2 KB, 76 views)
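A plain ANSI C version of the byte-by-byte XOR described in #108 and #109 and shipped as pdecrypt in #118, added here as an example; it is neither Shodan's GitHub code nor the pdecrypt source. It assumes the key file is reused cyclically and treats the per-section offset as a start position into the key (both assumptions, since the thread does not say how the offset is used); the round-trip check is the one the post suggests, and buf + start can be passed to leave the unencrypted header and trailer blocks alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte i of the key stream for a section whose key starts at 'offset'
 * into the key file. Assumption: the key is reused cyclically. */
uint8_t keystream_byte(const uint8_t *key, size_t keylen, size_t offset, size_t i)
{
    return key[(offset + i) % keylen];
}

/* XOR 'len' bytes in place. The same call both decrypts and encrypts.
 * Pass buf + start to skip an unencrypted header or trailer. */
void xor_block(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen, size_t offset)
{
    size_t i;
    if (keylen == 0)
        return;
    for (i = 0; i < len; i++)
        buf[i] ^= keystream_byte(key, keylen, offset, i);
}

/* The self-check from the post: XORing twice must give the original back.
 * Returns 1 when the round trip matches, 0 otherwise. */
int xor_roundtrip_ok(const uint8_t *orig, size_t len, const uint8_t *key, size_t keylen, size_t offset)
{
    uint8_t tmp[64];
    if (len > sizeof tmp || keylen == 0)
        return 0;
    memcpy(tmp, orig, len);
    xor_block(tmp, len, key, keylen, offset); /* first pass: "decrypt" */
    xor_block(tmp, len, key, keylen, offset); /* second pass: "encrypt" */
    return memcmp(tmp, orig, len) == 0;
}

/* Constructed sample data, not bytes from any real firmware or key file. */
const uint8_t sample_fw[8]  = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
const uint8_t sample_key[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

int main(void)
{
    uint8_t buf[8];
    size_t i;
    memcpy(buf, sample_fw, sizeof buf);
    xor_block(buf, sizeof buf, sample_key, sizeof sample_key, 1);
    for (i = 0; i < sizeof buf; i++)
        printf("%02X ", buf[i]);
    printf("\nroundtrip ok: %d\n", xor_roundtrip_ok(sample_fw, sizeof sample_fw, sample_key, sizeof sample_key, 1));
    return 0;
}
```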
03-12-2014, 02:01 AM   #119
Junior Member
Join Date: Mar 2011
Location: Germany
Posts: 46
Another interesting question:

There is a difference between camera bodies for the Japanese market and for the rest of the world.
The existing translations on the Japanese camera are only Japanese and English.
"Normal" bodies can select many translations.

But the firmware files are 100% the same, so they must contain all translations. So why are not all translations selectable on Japanese bodies?

Pentax says the bodies are different. IMHO it's only a software thing. Maybe there are environment settings that activate a filter in the firmware for selectable languages.

Any idea?
03-12-2014, 02:30 AM   #120
Forum Member
Join Date: Feb 2014
Posts: 92
Original Poster
Originally posted by jedie:
Another interesting question:

There is a difference between camera bodies for the Japanese market and for the rest of the world.
The existing translations on the Japanese camera are only Japanese and English.
"Normal" bodies can select many translations.

But the firmware files are 100% the same, so they must contain all translations. So why are not all translations selectable on Japanese bodies?

Pentax says the bodies are different. IMHO it's only a software thing. Maybe there are environment settings that activate a filter in the firmware for selectable languages.

Any idea?

There looks to be a region code set when the camera rolls off the production line. You can change it via debug commands.