[anemone]

pfwtool both are the same but different language so if it works with c=compiler it would work with java, but does it decrypt to make it readable- strings (this is the best test if strings become readable then it has worked, i will not get into pointers, pls post a screenshot of decrypted firmware

As I have K-3 I have the firmware and I threw it through the online decryption tool.

I get a lot of strings

Code:

$ strings decrypted-fwdc220b.bin| awk '{ print length, $0 }' | sort -n | cut -d" " -f2->strs.txt

That extracts strings, sorts them by line length and puts to strs.txt file.

Code:

[ASensor] VdTimeUs / HdTimeNs / Svr / Shr
[ASS] Retry AE Sensor LiveView Allocate. 
[ASS] Retry Pre Flash Exposure Allocate. 
[Calc] m_dwAeTarget256 / m_dwAeAverage256
                  CCCR                   
     Command Response Data               
     Command Response Status             
Copyright (C) RICOH IMAGING COMPANY, LTD.
Copyright (C) RICOH IMAGING COMPANY, LTD.
DSP Prefech Abort before PC-%08X LR-%08X!
                  FBR %d                 
[FDLS] AHFD ERROR: AHFD_DETECTOR is NULL 
          Function #%d  Capability       
           Function #%d  Status          
          General Information

And here is md5sum
What else is in the file decrypted file? I gave two shots of binwalk. First searching opcodes and then what it thinks the data is.

Code:

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
72              0x48            ARM function prologue
45840           0xB310          ARM function prologue
45980           0xB39C          ARM function epilogue
46112           0xB420          ARM function prologue
46252           0xB4AC          ARM function epilogue
46904           0xB738          ARM function prologue
47084           0xB7EC          ARM function epilogue

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
32415           0x7E9F          Ubicom firmware header, checksum: 0xFA3200B0, image size: -97386272
9852140         0x9654EC        LZMA compressed data, properties: 0x01, dictionary size: 33554432 bytes, uncompressed size: 50331649 bytes
9865723         0x9689FB        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: MD5 hash
14431139        0xDC33A3        TIFF image data, little-endian
14858270        0xE2B81E        TROC filesystem, 1448159232 file entries
15610721        0xEE3361        LZMA compressed data, properties: 0x03, dictionary size: 16777216 bytes, uncompressed size: 349 bytes

Code:

$ md5sum decrypted-fwdc220b.bin
69c8551d705119855e7782b6a7c84703  decrypted-fwdc220b.bin

Now what do you think my next course of action would be?
Reverse engineering compiled firmware isn't easy and a lot of depends on experience and intuition.

I'm not really working with K-3 firmware. Just poking around...

[uttam.hathi]

if (strncmp((char *)in + 0x24, "Copyright", 9) == 0) {
g_endian = ENDIAN_BIG;
deobfuscate(in, 0, 0, 0x100, 0x0a00000 - 0x100);
deobfuscate(in, 0x0a00000, 0, 0x100, 0x80000 - 0x100);
} else if(strncmp((char *)in + 0xf24, "Copyright", 9) == 0) {
g_endian = ENDIAN_BIG;
deobfuscate(in, 0, 0xf00, 0, 0xf00);
deobfuscate(in, 0, 0xf00, 0x1000, 0xc00000 - 0x1000);
deobfuscate(in, 0xc00000, 0x3ff80, 0, 0x3ff80);
} else if(strncmp((char *)in + 0x124, "Copyright", 9) == 0) {
g_endian = ENDIAN_LITTLE;
deobfuscate(in, 0, 0x100, 0, 0x100);
deobfuscate(in, 0, 0x100, 0x200, 0x1000000 - 0x200);
deobfuscate(in, 0x1000000, 0, 0x80, in_size - 0x1000000 - 0x80);
} else {
fprintf(stderr, "Unknown input file.\n");
return -1;

this the key but address lines are different for different firmware, dont think its common, thus the issue that its one fits all, thus the garbage output

[zosxavius]

The k3 dump looks interesting!!

*deep lurk mode reengaged*

[uttam.hathi]

From Pentax K-x firm

Code:

005cf7e0h: 00 00 00 00 10 35 38 0E 5A 4F 4F 4D 20 0A 00 00 ; .....58.ZOOM ...
005cf7f0h: 4C 56 20 53 54 41 52 54 20 0A 00 00 4C 56 20 53 ; LV START ...LV S
005cf800h: 54 4F 50 20 0A 00 00 00 4C 56 20 53 54 4F 50 20 ; TOP ....LV STOP 
005cf810h: 46 4F 52 20 52 45 4C 20 0A 00 00 00 4C 56 20 48 ; FOR REL ....LV H
005cf820h: 41 4C 54 20 0A 00 00 00 4C 56 20 52 45 53 55 4D ; ALT ....LV RESUM
005cf830h: 45 20 0A 00 4D 4F 56 45 20 43 41 46 20 41 52 45 ; E ..MOVE CAF ARE
005cf840h: 41 20 0A 00 4D 4F 56 49 45 20 53 54 41 52 54 20 ; A ..MOVIE START 
005cf850h: 0A 00 00 00 4D 4F 56 49 45 20 53 54 4F 50 20 0A ; ....MOVIE STOP .
005cf860h: 00 00 00 00 43 41 46 20 53 54 41 52 54 20 0A 00 ; ....CAF START ..
005cf870h: 43 41 46 20 53 54 4F 50 20 0A 00 00 53 54 4F 50 ; CAF STOP ...STOP
005cf880h: 20 44 4F 57 4E 20 4D 45 54 45 52 49 4E 47 20 0A ;  DOWN METERING .
005cf890h: 00 00 00 00 50 52 45 56 49 45 57 20 53 54 41 52 ; ....PREVIEW STAR
005cf8a0h: 54 20 0A 00 50 52 45 56 49 45 57 20 53 54 4F 50 ; T ..PREVIEW STOP
005cf8b0h: 20 0A 00 00 41 45 20 4C 4F 43 4B 20 44 73 70 20 ; ...AE LOCK Dsp 
005cf8c0h: 25 64 20 43 70 75 20 25 64 20 0A 00 41 45 20 55 ; %d Cpu %d ..AE U
005cf8d0h: 4E 4C 4F 43 4B 20 0A 00 41 45 20 4C 4F 43 4B 20 ; NLOCK ..AE LOCK 
005cf8e0h: 49 4E 49 54 49 41 4C 20 44 73 70 20 25 64 20 43 ; INITIAL Dsp %d C
005cf8f0h: 70 75 20 25 64 20 0A 00 46 4F 52 43 45 20 4D 4F ; pu %d ..FORCE MO
005cf900h: 56 49 45 20 45 4E 44 20 0A 00 00 00 4D 4F 56 49 ; VIE END ....MOVI
005cf910h: 45 20 52 45 43 4F 4D 4D 45 4E 44 20 41 56 0A 00 ; E RECOMMEND AV..
005cf920h: 4F 54 48 45 52 20 0A 00 01 04 00 00 00 00 00 12 ; OTHER ..........

So Svenpeter Tool works perfectly.

can u upload this deobfuscated file in gitshub

---------- Post added 01-16-2015 at 07:43 AM ----------

can u upload this deobfuscated file in gitshub

how do u get 9 character for k-m

---------- Post added 01-16-2015 at 07:44 AM ----------

how do u get 9 character address for k-m

[Wompa]

Im impressed guys! I dont understand jack shit about this!

I really hope that you guys can come to any conclution and make the K5 a bit more usable with better record functions like MagicLantern

[niceshot]

very nice

[uttam.hathi]

these r the first steps, and a major stumbling block, working reverse form modset is easy

[Shodan]

Its been a long time...too long.

I've had a lot going on recently, I've got a kid, and a new house which I've been renovating - not enough time for anything photography related

But I do have progress to report, and I can see that lots of things have been happening while I've been away. It is really good to see I'm not doing this alone. So what have I done?

• I have a much greater understanding of how the menu system works, it has taken a long time but I'm now starting to be able to say these functions/object are for say the video mode etc
• I've found the video mode, specifically the functions that start the camera recording and display the menu
• I have a third K30 - this is broken but will be useful for tear downs and hopefully creating a debugging rig

I haven't made any changes to the public code repository because it isn't ready yet. The next goal is control of the shutter.

I'm very interested in the fact the K30 and the K50 may indeed be the same body but with different software. Given that I now have two working and one broken K30 I'm probably in the best place to try an upgrade. What are peoples thoughts?

[jedie]

I've got a kid, and a new house

Gratulation!

I'm very interested in the fact the K30 and the K50 may indeed be the same body but with different software. Given that I now have two working and one broken K30 I'm probably in the best place to try an upgrade. What are peoples thoughts?

I think the best idea is to compare the existing firmware files. If the hardware is the same, the files can't be to differed, isn't it?

So just decompile last K-30 and K-50 firmwares and do a diff...

[jedie]

I used Pentax Firmware Decrypter and created decrypted files from k30v106 and k50v102 and compare them.

Seems that they are very similar. But there are some "offset" changes, so a binary compare doesn't have much significance.

I used "strings" on both files and create a "patch" file: [Diff] --- /media/servershare/Hacking/Pentax/Firmwares/k30v106_strings.txt +++ /media/ - Pastebin.com

Many string diffs aren't relevant.

It seems to me, that the main difference are the "EyeFiCard" support.
The question is, are they hardware changes needed, to support the EyeFiCard or is this just firmware changes?!?
So, is it possible to support the EyeFiCard on K-30 by just flash the K-50 firmware?

"EyeFiCard" related string changes are e.g.:

Code:

+tFailed to open device: %s+Failed to write into device: %s
+pREQM
+RSPC
+Failed to open RSPC device at: %s
+Failed to read RSPC device
+RSPM
+EyeFiCard_RecvResponse timed out...
+Failed to open RSPM device at: %s
+Failed to read from RSPM device...
+pREQC
+Failed to write to REQC device...
+Failed to open REQC device at: %s
+Failed to write to REQM device...
+Failed to open REQM device at: %s
+Failed to send the request...
+EyeFiCard_ProcessCommand timed out...
+EYEFI
+REQC
+REQM
+Drive path is not specified
+Failed to create "EYEFI" directory in the card. OS Error: %d
+Failed to initialize "REQM"
+Failed to initialize "REQC"
+RSPM
+Failed to initialize "RSPM"
+RSPC
+Failed to initialize "RSPC"
+Failed to process the command, Error Code: %d
+Invalid EyeFiCard parameter...
+Card is in failed mode, returning default value
+buffer is too small...
+0Failed to get EYEFI_CARD_TOKEN_MAC_ADDRESS...
+EYEFI

ISO diff:

Code:

 3200
 6400
 1600
+51200
 25600
 12800

Other interesting parts:

Code:

-C:\KB524C0.BIN
-C:\KB524C1.BIN
-C:\KB524.BIN
-C:\KB524C.BIN
-C:\KB524B.BIN
-C:\FWDC215B.BIN
+C:\KB545C0.BIN
+C:\KB545C1.BIN
+C:\KB545.BIN
+C:\KB545C.BIN
+C:\KB545B.BIN
+C:\FWDC222B.BIN
 C:\NOWAIT
 C:\KBCHG.BIN
...
+`NAND : H27U1G8F2B
+NAND : MX30LF1208AA
+NAND : S34ML01G1
+NAND : Unknown Device

interesting parts that are the same:

Code:

Video Image Stabilisation Filtering Library M6-M for Fujitsu v.1.0.6 - CONFIDENTIAL
Copyright (c) 2010, 2011 by FotoNation. All rights reserved. Confidential.
Feb 28 2011

[niceshot]

Hi I am not able to get is to work on my k-30 firmware 1.06 . Did they I mean Pentax disable it in this firmware1.06 or did they change the number from 00077650.524 to something else?

[uttam.hathi]

I used Pentax Firmware Decrypter and created decrypted files from k30v106 and k50v102 and compare them.

Seems that they are very similar. But there are some "offset" changes, so a binary compare doesn't have much significance.

I used "strings" on both files and create a "patch" file: [Diff] --- /media/servershare/Hacking/Pentax/Firmwares/k30v106_strings.txt +++ /media/ - Pastebin.com

Many string diffs aren't relevant.

It seems to me, that the main difference are the "EyeFiCard" support.
The question is, are they hardware changes needed, to support the EyeFiCard or is this just firmware changes?!?
So, is it possible to support the EyeFiCard on K-30 by just flash the K-50 firmware?

"EyeFiCard" related string changes are e.g.:

Code:

+tFailed to open device: %s+Failed to write into device: %s
+pREQM
+RSPC
+Failed to open RSPC device at: %s
+Failed to read RSPC device
+RSPM
+EyeFiCard_RecvResponse timed out...
+Failed to open RSPM device at: %s
+Failed to read from RSPM device...
+pREQC
+Failed to write to REQC device...
+Failed to open REQC device at: %s
+Failed to write to REQM device...
+Failed to open REQM device at: %s
+Failed to send the request...
+EyeFiCard_ProcessCommand timed out...
+EYEFI
+REQC
+REQM
+Drive path is not specified
+Failed to create "EYEFI" directory in the card. OS Error: %d
+Failed to initialize "REQM"
+Failed to initialize "REQC"
+RSPM
+Failed to initialize "RSPM"
+RSPC
+Failed to initialize "RSPC"
+Failed to process the command, Error Code: %d
+Invalid EyeFiCard parameter...
+Card is in failed mode, returning default value
+buffer is too small...
+0Failed to get EYEFI_CARD_TOKEN_MAC_ADDRESS...
+EYEFI

ISO diff:

Code:

 3200
 6400
 1600
+51200
 25600
 12800

Other interesting parts:

Code:

-C:\KB524C0.BIN
-C:\KB524C1.BIN
-C:\KB524.BIN
-C:\KB524C.BIN
-C:\KB524B.BIN
-C:\FWDC215B.BIN
+C:\KB545C0.BIN
+C:\KB545C1.BIN
+C:\KB545.BIN
+C:\KB545C.BIN
+C:\KB545B.BIN
+C:\FWDC222B.BIN
 C:\NOWAIT
 C:\KBCHG.BIN
...
+`NAND : H27U1G8F2B
+NAND : MX30LF1208AA
+NAND : S34ML01G1
+NAND : Unknown Device

interesting parts that are the same:

Code:

Video Image Stabilisation Filtering Library M6-M for Fujitsu v.1.0.6 - CONFIDENTIAL
Copyright (c) 2010, 2011 by FotoNation. All rights reserved. Confidential.
Feb 28 2011

ok for" So, is it possible to support the EyeFiCard on K-30 by just flash the K-50 firmware?" which line of code do u change and how!!!!!!!

[jedie]

It maybe work. But don't know...

As i sayed: The question is: Is the hardware around the SD-Card changed, to support the EyeFiCard?!?

[bootcoder]

As i sayed: The question is: Is the hardware around the SD-Card changed, to support the EyeFiCard?!?

EyeFi Card should work with any standard SD slot. It is only software that should be changed.
BTW M6-M is Milbeaut-6 library...

[jedie]

EyeFi Card should work with any standard SD slot. It is only software that should be changed.

Yes and no...

The EyeFi Card worked in K-30, too. Yes.

But the K-50 has some additional for it. e.g. detects the card and can turn WIFI on/off...
Don't know if this "communication" can be done with the K-30 hardware. Maybe the SD-Card slot must have some additionals?

But maybe the WIFI on/off works just like to store a file on SD-Card?

Just compare:

K-30:

When using an Eye-Fi card with the Pentax K-30, it is best to adjust the power settings so that the camera does not turn off before transferring has finished.

-> Pentax K-30: Camera WiFi Cards and Compatibility | Eye-Fi Support

K-50:

When used with an Eye-Fi card, the Pentax K-50 stays powered on until wireless media uploads are complete, has an onscreen icon, and offers the ability to enable/disable the Eye-Fi cards Wi-Fi via the camera menu.

-> Pentax K-50: Camera WiFi Cards and Compatibility | Eye-Fi Support