[WheresWaldo]

How to turn build in script interpreter

1) You need to enable script mode (same as previous post, but use SCRIPT_EN_MODE EN) or use debug menu.

2) Make 'AUTORUN.xxx' file (xxx same as in MODSET file) with script inside,
available keywords :
END, EXIT, PAUSE, WAIT,
GOTO, IFGOTO, ALLCLR, CLS,
PRINT, LANGUAGE, COLOR, $ % ( for values )
GOSUB, IFGOSUB , RETURN, IF, ELSE, WHILE,
INTERVAL, CYCLE, FILEOUT, FSEARCH, TIMERON, TIMEROFF.

Looks like quite full functional BASIC :-)
You could try "hello world" first.
I don't have time to test all this, so volunteers are welcome.

I just tested this and it worked! Two files on the root of the SD card the first was MODSET.442 containing:

Code:

[DEBUG_MODE EN]
[SCRIPT_EN_MODE EN]

Second file AUTORUN.442:

Code:

PRINT "Hello World";
EXIT

It would not run with the door open, had to close door and start up with MENU button pressed, after displaying the firmware revision the words HELLO WORLD appears on the screen. Please note that I have a K20D and so the filename extension of .442 was required.

Additional note:

After HELLO WORLD disappears the Debug menu is added to the menu system. Press Menu move to the Set-Up Menu (Wrench) and move up once on the directional pad you will see three new items and Set-Up will change to TEST MODE. The three additional items are:

CAPTURE/SYSTEM TEST
AF TEST
STRINGS DISP TEST

I did not go further.

One more question, maybe I missed it but how do you get it out of Debug Mode? Nevermind, I think you have to spell out DISABLE to work.

---

Last edited by WheresWaldo; 08-06-2009 at 11:24 AM. Reason: Adding more information

[tr13]

I just tested this and it worked! Two files on the root of the SD card the first was MODSET.442 containing:

Code:

[DEBUG_MODE EN]
[SCRIPT_EN_MODE EN]

Second file AUTORUN.442:

Code:

PRINT "Hello World";
EXIT

It would not run with the door open, had to close door and start up with MENU button pressed, after displaying the firmware revision the words HELLO WORLD appears on the screen. Please note that I have a K20D and so the filename extension of .442 was required.

Additional note:

After HELLO WORLD disappears the Debug menu is added to the menu system. Press Menu move to the Set-Up Menu (Wrench) and move up once on the directional pad you will see three new items and Set-Up will change to TEST MODE. The three additional items are:

CAPTURE/SYSTEM TEST
AF TEST
STRINGS DISP TEST

One more question, maybe I missed it but how do you get it out of Debug Mode? Nevermind, I think you have to spell out DISABLE to work.

To disable anything use DIS instead of EN in MODSET file commands:-)

May be someone could make more complicated BASIC program to run? :-)
Try other commands.
Not very difficult modifications could allow to make very complicated interval shooting.

Good thing is that Pentax provided us almost ready foundation.
Canon hackers made this after about TWO years :-)

Special request:

Add these two commands to MODSET :
[CPU_ROM_STORE]
[DSP_ROM_STORE]

You must have two files on flash, send it to my email address, please.

[wolfier]

Hi tr13, are you suspecting there are some encrypted block that would be dumped in plain when issued this command even after the first layer of encryption? I wonder if there's any more loader-related tricks involved.

It seems like you're doing all the work here, I don't have a lot of spare time, but it's interesting to reverse engineer something once in a while - I have some experience in software reverse engineering, but only on 6502 and x86 CPUs. Wrote one of the many articles in Fravia's academy (those that help people to write cracks and get around protections) about 10 years ago.

I don't have my K-7 with me although it'd be interesting if someone can take a peek into the battery slot to see how many contacts from the body. The D-LI90 seems to have an unused slot for contacts, and since about 4 years ago, cell phone companies began to use special batteries to unlock features (like debug modes), so I wonder if anything similar happens here.

To disable anything use DIS instead of EN in MODSET file commands:-)

May be someone could make more complicated BASIC program to run? :-)
Try other commands.
Not very difficult modifications could allow to make very complicated interval shooting.

Good thing is that Pentax provided us almost ready fundament.
Canon hackers made this after about TWO years :-)

Special request:

Add these two commands to MODSET :
[CPU_ROM_STORE]
[DSP_ROM_STORE]

You must have two files on flash, send it to my email address, please.

[WheresWaldo]

To disable anything use DIS instead of EN in MODSET file commands:-)

May be someone could make more complicated BASIC program to run? :-)
Try other commands.
Not very difficult modifications could allow to make very complicated interval shooting.

Good thing is that Pentax provided us almost ready foundation.
Canon hackers made this after about TWO years :-)

Special request:

Add these two commands to MODSET :
[CPU_ROM_STORE]
[DSP_ROM_STORE]

You must have two files on flash, send it to my email address, please.

I only got one file. Upon startup you get a message that says WAIT... then a few seconds of card activity later COMPLETE..., at that point there is a file called KB422CPU.BIN on the root of the SD card. I will email it to you at the address on the Pentax Hack site. BTW, this command does work automagically with the door open or closed, at least on the K20D.

Added: Found out you cannot run these commands in the same MODSET file, I had to run once with CPU_ROM_STORE, then edit MODSET.422 to use DSP_ROM_STORE. Both files emailed.

---

Last edited by WheresWaldo; 08-06-2009 at 12:53 PM.

[Class A]

May be someone could make more complicated BASIC program to run? :-)
Try other commands.
Not very difficult modifications could allow to make very complicated interval shooting.

I guess your list of BASIC keywords is incomplete?
Unless there are further commands like PEEK, POKE, SYS, I don't see how you want to do even simple things like releasing the shutter programmatically.

[rparmar]

Some nice progress here, and fast too! I can only sit on the sidelines and cheer you all on!

[ytterbium]

As i said before i could'nt find that extension number for my k200d explictly stated in serv. manual.
Then i did this:
ff=fopen('flist.bat','wt');
for n=0:1:999,
fprintf(ff,'copy source MODSET.%03i\n',n);
end;
fclose(ff);
And executed generated flist.bat on SD card, with "source" containing [CPU_ROM_STORE].
I dont know why, but it stopped copying at 508. Anyway i deleted the *BAT and "source" files and gave it a go...

What do you know . Doors open and a WAIT.. appears, so i have an KB445CPU.BIN on my SD. Will move to DSP and then mail them to you .
So the XXX is 445 on k200d. FW 1.0.

Mailed both CPU and DSP, just in case some firmware changes or you need to test another camera the *.BAT file has been included too.
Surprisingly the "WAIT.." was very fast for the 8Mb DSP dump, less than a second i think. Interesting.

Hello world AUTORUN and debug mode works as well (SD door closed)!

---

Last edited by ytterbium; 08-06-2009 at 02:43 PM.

[Transit]

Some nice progress here, and fast too! I can only sit on the sidelines and cheer you all on!

Me too
maybe a hack appreciation thread

[Arpe]

Ok, fair enough.

But my comment was referring to the string:

===LENS CPU F/W UPDATE===

So, there is a lens cpu with a firmware which can be updated via the body. Something I wouldn't have expected.

As esp., it may imply that your lens may see a permanent change after having been mount to another body ...

I believe Olympus (?) have released a firmware update for one of their lenses.

Me too
maybe a hack appreciation thread

Me too, this is all wayyyyyy over my head.

Go tr13!!

[tr13]

Hi tr13, are you suspecting there are some encrypted block that would be dumped in plain when issued this command even after the first layer of encryption? I wonder if there's any more loader-related tricks involved.

It seems like you're doing all the work here, I don't have a lot of spare time, but it's interesting to reverse engineer something once in a while - I have some experience in software reverse engineering, but only on 6502 and x86 CPUs. Wrote one of the many articles in Fravia's academy (those that help people to write cracks and get around protections) about 10 years ago.

I don't have my K-7 with me although it'd be interesting if someone can take a peek into the battery slot to see how many contacts from the body. The D-LI90 seems to have an unused slot for contacts, and since about 4 years ago, cell phone companies began to use special batteries to unlock features (like debug modes), so I wonder if anything similar happens here.

I don't think that we need any battery tricks here. And I don't write cracks or anything similar :-)
You can help by writing image research tool to find all bitmaps and fonts inside firmware. Search my early posts for this matter.

[tr13]

I guess your list of BASIC keywords is incomplete?
Unless there are further commands like PEEK, POKE, SYS, I don't see how you want to do even simple things like releasing the shutter programmatically.

:-)
May be you missed my words about foundation :-)
We have foundation and we could have extra commands also.
I just didn't have time to find them.
Don't you find that interpreter is a good start?

[tr13]

What do you know . Doors open and a WAIT.. appears, so i have an KB445CPU.BIN on my SD. Will move to DSP and then mail them to you .
So the XXX is 445 on k200d. FW 1.0.

Mailed both CPU and DSP, just in case some firmware changes or you need to test another camera the *.BAT file has been included too.
Surprisingly the "WAIT.." was very fast for the 8Mb DSP dump, less than a second i think. Interesting.
Hello world AUTORUN and debug mode works as well (SD door closed)!

Thanks for smart approach!
I got your files, firmware looks very similar to K10D/K20D ones. Very similar.
So, I'll try to extent my research on this as soon as time allows.

[tr13]

I also added special blog page to my site -
Blog

It have all current information about progress.
Also added proper extension numbers for more cameras.

SDM lens owners :

Try to use
[VLENS_CTRL] inside MODSET file,
it looks like menu could exists with "SDM On" function.
This is raw information.

[Class A]

May be you missed my words about foundation :-)

I thought that referred to Pentax providing a BASIC interpreter (and assumed you were presenting a closed, complete list of commands).

Do you think that some code in the firmware is written in BASIC? Seems overkill to include a BASIC interpreter just for files on the card, i.e., for service. Although, coming to think of it, there are CPUs with an on-chip BASIC interpreter. Which would make it all the more likely that some code (e.g., GUI stuff) might be written in BASIC.

We have foundation and we could have extra commands also.
I just didn't have time to find them.

How did you find the ones you've got?

Don't you find that interpreter is a good start?

Excellent start!

[dlacouture]

Me too, this is all wayyyyyy over my head.
Go tr13!!

Well, for all the happy and expectant (but otherwise rather useless) viewers here (I'm in this category myself!), maybe we could participate by donating money to tr13 for camera purchases???

I mean, I'd be glad to donate 10 or 20$ (or even 50$!) if this can lead to a cool firmware for my K20 solving the 2 or 3 annoying quirks (namely: crippled P mode, handling of non-A lenses, RAW histogram, RAW button customization, etc).

If we spread the word about, I'm sure that some serious money can be raised...