Forgot Password
Pentax Camera Forums Home
 

Reply
Show Printable Version Search this Thread
08-12-2009, 03:26 AM   #256
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
QuoteOriginally posted by darky_mtp Quote
Debug mode allready activated : Power on without SD Card prints "Debug Mode" on screen.
SD card have both SYSPARAM.442 and SYSPARAM.TXT with [STOREAE] 1@ (tried with and without CR).
Tried to power-on with card door open and close, with and without pressing menu button.
No new file on card.
I have a K20D 1.03.
Read posts carefully, please.
You need to shot picture to get something :-)

08-12-2009, 03:28 AM   #257
New Member




Join Date: Aug 2009
Location: Sofia
Posts: 22
QuoteOriginally posted by darky_mtp Quote
Debug mode allready activated : Power on without SD Card prints "Debug Mode" on screen.
SD card have both SYSPARAM.442 and SYSPARAM.TXT with [STOREAE] 1@ (tried with and without CR).
Tried to power-on with card door open and close, with and without pressing menu button.
No new file on card.
I have a K20D 1.03.
Sorry about the stupid question, but did you press the shutter? All STORE* command generated files are relevant to each frame taken - from raw sensor dump to parameter listings.
08-12-2009, 03:33 AM   #258
New Member




Join Date: Mar 2008
Posts: 19
Using

[STOREAE] 1@[STOREPREBAYER] 1@[STOREBAYER] 1@[STOREPREDARK] 1@[STOREGEN] 1@[STORECPU] 1@[STOREAF] 1@[STOREWD] 1@[STOREIQWD] 1@[STOREDP] 1@[STOREDEFECTPIXELDATA] 1@

and taking one shot I now have PREBAYER.RAW and PREDARK.RAW files.
08-12-2009, 03:46 AM   #259
Pentaxian
falconeye's Avatar

Join Date: Jan 2008
Location: Munich, Alps, Germany
Photos: Gallery
Posts: 6,863
QuoteOriginally posted by zezo Quote
BTW I've in fact tried to modify the K100D firmware to allow some FA functionality with A lenses (auto/selectable focus points) - that was the reason for generating those tif files.
So, did you manage to compute the new firmware checksum? How is it computed? Or is the K100D firmware w/o checksum which would be strange, though?

08-12-2009, 03:53 AM   #260
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
QuoteOriginally posted by falconeye Quote
So, did you manage to compute the new firmware checksum? How is it computed? Or is the K100D firmware w/o checksum which would be strange, though?
I really suspected checksum to be 4 bytes prior encrypted parts. It is not sum or CRC32. Checksum can also be present in header.
Normally all firmware flashers check some kind of checksum, otherwise any damaged SD card will result in bricked body.
08-12-2009, 04:07 AM   #261
Pentaxian
falconeye's Avatar

Join Date: Jan 2008
Location: Munich, Alps, Germany
Photos: Gallery
Posts: 6,863
QuoteOriginally posted by tr13 Quote
I really suspected checksum to be 4 bytes prior encrypted parts. It is not sum or CRC32. Checksum can also be present in header.
Normally all firmware flashers check some kind of checksum, otherwise any damaged SD card will result in bricked body.
I did too.
But zezo must be the only person who managed to flash a modified fw image back into his camera (w/o breacking it...)! Bravo! So, I guess he somehow solved the checksum hurdle.
08-12-2009, 04:08 AM   #262
New Member




Join Date: Aug 2009
Location: Sofia
Posts: 22
QuoteOriginally posted by falconeye Quote
So, did you manage to compute the new firmware checksum? How is it computed? Or is the K100D firmware w/o checksum which would be strange, though?
That was 3 years ago and I don't remember all the details, but I think there was some standard checksum like crc32 that you could calculate using HexWorkshop. I also used modified firmware dump (kb393dsp.bin) instead of normal firmware file. The boot loader/flasher is simple self-contained piece of code, and relatively easy to reverse. I'll take a look at the annotated IDB files now and see if the checksum routine is commented somewhere.

Edit: Or maybe the loading of kb393dsp.bin bypassed the checksum. I started with something safe and simple like replacing one letter in a menu item. Will have to try again.

Last edited by zezo; 08-12-2009 at 04:22 AM.
08-12-2009, 04:48 AM   #263
New Member




Join Date: Aug 2009
Location: Sofia
Posts: 22
Just tried it on the K10D. Save DSP firmware dump via modset.txt, rename it to kb421.bin and put the card back in the camera. Amazingly it says DETECTED DSP F/W FILE ... UPDATING even before switching the power on, but then red FIRMWARE DATA ERROR appears. If the file is named kb421b.bin it's determined to be BOTH F/W FILE and kb421c.bin is CPU F/W FILE. Something like that worked on the K100D so there has to be a way.

08-12-2009, 05:05 AM   #264
Veteran Member
ytterbium's Avatar

Join Date: Jan 2008
Posts: 1,076
Do you know which chips contain what information (FLASH/EEPROM/PROM, are they serial/paralell)?
I guess you need a non fuctioning camera to take it apart and find out those things.
Then it might be fairly easy to see from datasheets which chips have matching size and capabilities to house various things.
So in case you brick the camera and are unable to update it trough software ways you could flash the hardware directly with some LPT->I2C or similar interface.
08-12-2009, 05:11 AM   #265
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
QuoteOriginally posted by ytterbium Quote
Do you know which chips contain what information (FLASH/EEPROM/PROM, are they serial/paralell)?
I guess you need a non fuctioning camera to take it apart and find out those things.
Then it might be fairly easy to see from datasheets which chips have matching size and capabilities to house various things.
So in case you brick the camera and are unable to update it trough software ways you could flash the hardware directly with some LPT->I2C or similar interface.
Looks like a dream :-)
Main goal is not to brick camera.
We know chips, and they have no publically available datasheets :-)
And flash memory is just external flash memory, without any I2C, etc
08-12-2009, 05:14 AM   #266
New Member




Join Date: Aug 2009
Location: Sofia
Posts: 22
The flash is definitely parallel so not easy to reprogram. You have to rely on the boot loader (CPU firmware) for recovery if something goes wrong. The EEPROM is in fact area within the same flash chip - you can see the shutter counter increasing in different ROM dumps.
08-12-2009, 05:30 AM   #267
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
This is how it looks at GX20 firmware.

Second shot is very interesting, as you could find eZZe appearing multiple times accross firmware. Some type as separator between blocks.
Attached Images
   
08-12-2009, 07:17 AM   #268
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
Btw. Samsung GX20 firmware v1.03 is out :-)
https://www.pentaxforums.com/forums/samsung-dslr-forum/69707-samsung-gx-20-1-...tml#post702460
Decryption works ok.
Worse part is that I need to move all database to this version :-).
08-12-2009, 04:56 PM   #269
Pentaxian
Class A's Avatar

Join Date: Aug 2008
Location: Wellington, New Zealand
Posts: 9,175
QuoteOriginally posted by tr13 Quote
Second shot is very interesting, as you could find eZZe appearing multiple times accross firmware. Some type as separator between blocks.
Yes, the code checks whether r6 has reached the end of a block that terminates with "eZZe".

EDIT: It puzzled me that I saw three LDI statements which appeared to have the same hex codes but were disassembled differently. I now figured out that "+" behind the hex codes means that some of the data isn't shown. That explains why the addresses are different.

Last edited by Class A; 08-12-2009 at 05:06 PM.
08-12-2009, 11:26 PM   #270
Veteran Member




Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
Here is how CPU firmware dumping looks
Attached Images
 
Reply

Bookmarks
  • Submit Thread to Facebook Facebook
  • Submit Thread to Twitter Twitter
  • Submit Thread to Digg Digg
Tags - Make this thread easier to find by adding keywords to it!
camera, check, dslr, firmware, fr, ida, information, k-x, pentax, photography, pm, post, progress, script, site, software, update, ver, version
Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads
Thread Thread Starter Forum Replies Last Post
DFS hack eccentricphotography Pentax DSLR Discussion 24 10-12-2010 11:08 AM
Yet another hack job -- OM to PK ?? RioRico Pentax SLR Lens Discussion 15 10-07-2010 07:49 AM
K20D Firmware Ver - Pentax Web Site Ver? ChipB Pentax DSLR Discussion 2 02-23-2010 04:14 PM
Teleconverter hack? Raptorman Pentax SLR Lens Discussion 4 01-20-2010 03:51 AM
News Site News and Site Suggestions hidden from guests Adam Site Suggestions and Help 0 11-30-2009 12:38 AM



All times are GMT -7. The time now is 06:28 AM. | See also: NikonForums.com, CanonForums.com part of our network of photo forums!
  • Red (Default)
  • Green
  • Gray
  • Dark
  • Dark Yellow
  • Dark Blue
  • Old Red
  • Old Green
  • Old Gray
  • Dial-Up Style
Hello! It's great to see you back on the forum! Have you considered joining the community?
register
Creating a FREE ACCOUNT takes under a minute, removes ads, and lets you post! [Dismiss]
Top