07-26-2009, 06:01 PM   #1
Veteran Member
Join Date: Jul 2009
Location: Russia
Posts: 343
Pentax Firmware Hack site

Hello!

Being an owner of a GX20, I want to improve some things, especially related to manual lens handling (like more accurate metering, the same handling of M and A lenses, and precise adjustment via config files of exposure and SR parameters for each lens).
I have some experience with reversing and hacking camera firmware, but from quite a long time ago.
So, I decided to set up a special site where I collected all available information that I found and my own information about decryption of GX20/K20D firmware.

Currently I am seeking help from software developers.

Input from ordinary users will also be useful; being a software GUI designer more than a hacker, I know how important it is.

Note that I also collected all available firmware images, new and old, for K10D/GX10/GX20/K20D, and they are available for easy and fast download.

Progress report

1) Decryption of encrypted images - done!
2) Disassembled image base - found: DSP - 0x10000000, CPU - 0xC0000!
3) Disassembling firmware, starting from:
3.1) Interrupt vector table - done!
3.2) Script interpreter - in progress. First results obtained.
3.3) ModSet routines - in progress. Good progress.
3.4) CPU interrupt vector table functions - done!
3.5) Suspected extra commands - not found yet.
3.6) Status screen - in progress.
3.7) Checksum calculation - in progress.
3.8) Shooting parameter references - some found, in progress.
4) Processor module modifications - in progress. First public version released.

Current progress report page

http://www.pentax-hack.info/documents/blog.php

It has all current information about progress.

Site address

www.pentax-hack.info

Recommended Tools

Hex Viewers:
1) http://www.hhdsoftware.com/Products/home/hex-editor-free.html
2) BVIEW - http://biew.sourceforge.net

Disassembler
Ida Pro 4.9 Free - http://www.hex-rays.com/idapro/idadownfreeware.htm
FR processor module specially made for Pentax project is available on my blog page.
Our working database is in IDA 4.9 format.
I am still looking for synchronization tool.

Development help

If you know C/C++ well, you could add an FR disassembler to BVIEW.
BVIEW - http://biew.sourceforge.net
Source of FR disassembler - http://www.pentax-hack.info/firmware/fujitsu/dfr-103.zip

Necessary improvements of IDA

1) Handling of jump tables. This is a very frequently used feature.

2) Script to handle offset tables (many of them are present), so that pressing two keys automatically converts all entries to offsets
(as long as each is a proper address, stopping as soon as one is not), adds xrefs and starts analyzing the procedures.

3) Many parameters are passed in registers. If we could track them somehow and quickly record this in the function definition, comments could be seen right after the commands before the call (à la pc.w32).

4) References for interrupt commands (mainly for int 0x40, of course)

5) Automatic creation of segments upon firmware loading (same as interrupts table that is working now).

If you have even a little time, try working with IDA writing IDC scripts and/or plugins and modules - welcome aboard!

IDA Synchronization tool

Allows multiple people to work with an IDA database.
C++ or Delphi application that tracks all necessary mouse moves and keypresses (with some screen recognition :-) ) and converts them to special IDC script after each session (if you run this script it makes all changes made from last public version).
Uploads this IDC script on FTP site.
Executes all collected scripts at predefined periods.
Upload new database release.
BTW, tool could be converted to commercial application later :-).

Donations

1) Donations are donations, no promises of specific features. I'll have wishlist and priority list, but no guarantee.
2) We need to find someone trusted with full paypal account to place button on site.
3) Money will go to software licenses mostly, so anyone will know how it is spent.

3.1) If you want to help a little -
buy a http://www.hhdsoftware.com/Products/home/hex-editor-ultimate.html license ($30) (we'll need it too).
Hiew - bought, thanks falconeye for the $64 donation.
Contact me for other software products we need (all sub-$100 donations).

3.2) If you want to help in a big way - provide a malfunctioning body or find information about the M4 and M5 Fujitsu LSI chips.

P.S. You could find my email for this project on this site or PM me.


Last edited by tr13; 08-20-2009 at 03:24 PM.
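The offset-table handling asked for under "Necessary improvements of IDA" above (and, since they are also tables of code addresses, the jump-table case), as an added worked example that is not part of the original post or of the pentax-hack.info project: a stand-alone Python walker that reads a table of absolute pointers from a raw firmware image, stops at the first entry that is not a valid address, records the resulting cross-references, and renders the equivalent IDC statements. The CPU image base 0xC0000 is taken from the progress report; the image contents, the 2-byte alignment rule, the big-endian word order and the IDA 4.9-era IDC function names (MakeDword, OpOff, AutoMark) are assumptions made for this example.

```python
"""Walk a table of absolute pointers in a raw firmware image, stopping at the
first entry that is not a valid address.  Stand-alone Python over a constructed
image; it is not IDA code and not part of the pentax-hack.info project."""
import struct

# CPU image base as reported in the thread's progress report.  Everything else
# below (image contents, table position, alignment rule, endianness) is an
# assumption constructed for this example, not data from real Pentax firmware.
IMAGE_BASE = 0x000C0000


def build_sample_image():
    """Constructed 64-byte image: zero filler plus a pointer table at +0x20.
    Three valid big-endian pointers, then 0xFFFFFFFF as a terminator, then one
    more valid-looking pointer that a correct walker must never reach."""
    image = bytearray(0x40)
    table_off = 0x20
    for i, target in enumerate((0xC0004, 0xC0010, 0xC0018, 0xFFFFFFFF, 0xC0004)):
        struct.pack_into(">I", image, table_off + 4 * i, target)
    return bytes(image)


def is_valid_target(value, base, size, align):
    """An entry counts as an offset only if it points inside the loaded image
    and respects the instruction alignment (assumed 2 bytes for this example)."""
    return base <= value < base + size and value % align == 0


def walk_offset_table(image, base, table_ea, word_size=4, align=2, big_endian=True):
    """Return [(entry_ea, target_ea), ...] for consecutive entries starting at
    table_ea, stopping at the first entry that is not a valid address."""
    fmt = (">" if big_endian else "<") + {2: "H", 4: "I"}[word_size]
    size = len(image)
    entries = []
    ea = table_ea
    # Stay inside the image: refuse to read a partial word past its end.
    while base <= ea and ea + word_size <= base + size:
        value = struct.unpack_from(fmt, image, ea - base)[0]
        if not is_valid_target(value, base, size, align):
            break
        entries.append((ea, value))
        ea += word_size
    return entries


def xrefs_from_entries(entries):
    """Map each target address to the table slots that reference it."""
    xrefs = {}
    for entry_ea, target in entries:
        xrefs.setdefault(target, []).append(entry_ea)
    return xrefs


def emit_idc(entries):
    """Render the result as IDC statements using the IDA 4.9-era names
    (assumed here; check them against the IDC reference of your IDA version)."""
    lines = []
    for entry_ea, target in entries:
        lines.append("MakeDword(0x%X); OpOff(0x%X, 0, 0);" % (entry_ea, entry_ea))
        lines.append("AutoMark(0x%X, AU_PROC);" % target)  # queue target for analysis
    return "\n".join(lines)


if __name__ == "__main__":
    img = build_sample_image()
    found = walk_offset_table(img, IMAGE_BASE, IMAGE_BASE + 0x20)
    for entry_ea, target in found:
        print("0x%08X -> 0x%08X" % (entry_ea, target))
    print(emit_idc(found))
```

On a real decrypted image you would replace build_sample_image with the file contents, pass the base found in step 2 of the progress report and the table address located in the disassembly, and feed the printed IDC into IDA; the walker deliberately stops at the terminator rather than scanning the whole segment, which is what keeps it from turning ordinary data that happens to look like an address into bogus offsets.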
07-26-2009, 07:52 PM   #2
Pentaxian
Join Date: Jun 2009
Location: GMT +10
Posts: 11,780
What a great idea. Best of luck with the project.
07-26-2009, 09:27 PM   #3
Veteran Member
ytterbium
Join Date: Jan 2008
Posts: 1,076
Good start. I was always thinking that such a project should appear.
Is it planned in future to be extended to more cameras like the K200D?
07-27-2009, 12:12 AM   #4
Veteran Member
ytterbium
Join Date: Jan 2008
Posts: 1,076
P.S. This HEX editor seems to have pretty useful capabilities:
Hex Editor Features: unlimited undo, macros, background search, calculator, huge files

07-27-2009, 12:15 AM   #5
Veteran Member
Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
The main idea is to find talented programmers.
As of today I need fresh eyes in the encryption or dumping stage.
The main problem with such projects is that most people say "perfect idea" and wait for magic to happen :-). Most of the time nothing happens at all.

As for the K200D, I need hardware details.
I am pretty sure that the hack must be almost the same for K10D/K20D and most probably K7.
It is not easy to write parts in RISC assembler, especially because I have only worked with ARM up to this time.
Feel free to contact me.
07-27-2009, 12:35 AM   #6
Veteran Member
Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
Originally posted by ytterbium:
> P.S. This HEX editor seems to have pretty useful capabilities:
> Hex Editor Features: unlimited undo, macros, background search, calculator, huge files
Yes I know about it.
But it is not very useful in this field.
Special fast and optimized viewers are available.
I'll try to post this information on the corresponding pages.
Unfortunately I don't know any with a built-in Fujitsu disassembler.
ARM is quite common now.
Maybe we'll be forced to add a module to one of the open source viewers.
07-27-2009, 04:57 AM   #7
Veteran Member
Join Date: Jun 2009
Posts: 1,674
Love the idea...never got into system level development but think this is a GREAT way to extend the useful life of many perfectly good bodies.

One thing I would suggest, and I do realize you are in the very preliminary stages at this point: once you get something out, if a user has a body still under warranty and they brick their body, likely nobody is gonna unbrick it, or it might be impossible to unbrick the body. I suspect you know this already, but I've run across many a firmware hack site that fails to emphasize this fact of life when dealing with non-OEM firmware. Most companies seem not to like people hacking or reverse engineering their firmware because often the hacked firmware is so good that people can put off hardware upgrades for many, many years.

Also, some companies will not even service the hardware if non-OEM firmware is on the device. But if you can re-flash back to the last OEM firmware therefore sending the hardware in for service (calibration, shutter replacement, etc...) then it's a non-issue.

Just some small details which are putting the cart before the horse for sure, but considering them now can help many users who don't really understand what this project entails or the collateral implications.

As the project gains momentum it might be worth seeing if HoyaTax is willing (or even unwilling...best to know from the start) to work with the group. If done right, it can actually reduce the maker's support overhead. Look at all the great firmware out there for the Linksys routers as an example of firmware hacks done right. And look at the horrid issues with more proprietary companies such as apPlE and the iPhone firmware/hardware hacks, where aPpLe went so far as to attempt to prevent users from even accessing the phone network or worse if running 3rd party firmware. In fact, as I recall, Apple sorta went directly after those who hacked their firmware rather than writing their own from scratch. Have you scoured the firmware EULA to see what it states in regard to restrictions? Some folks in other countries might be subject to legal issues for even installing it. Not sure if HoyaTax is like this, but given their Minimum Advertised Pricing agreement that retailers MUST agree to or risk losing the ability to buy and sell Hoya filters, I would not be surprised if they could be a PITA about 3rd party firmware, especially if it is based on the OEM firmware. I would bet they consider it software piracy or theft in countries with such laws on the books.

Anyway, just some observations from the cheap seats that might be worthy of consideration.
07-27-2009, 05:08 AM   #8
Veteran Member
ytterbium
Join Date: Jan 2008
Posts: 1,076
Good points. I think a very good and safe approach is temporarily loadable firmware. Something like boot loader code that redirects further execution to the SD card and can be enabled like a debug mode.

Hmm.. it seems there is too little 100% sure information to have a solid basis for further development. But trial and error has always worked. It would be very advantageous to get some hints from, um, "Pentax". Something like that debug mode firmware dump or some detailed datasheets.

If Sigma could hack the mount, why shouldn't it be possible with firmware?
I guess having a look at that DLL file could be a good place to start.
Does it have any documentation?


Last edited by ytterbium; 07-27-2009 at 05:13 AM.
07-27-2009, 05:19 AM   #9
Veteran Member
Join Date: Jun 2009
Posts: 1,674
A bootloader would be GREAT as a way to begin...see, I never even thought of that safety net since I, to be perfectly honest, kept as far away from hardware level code as possible...hehehehe...let someone else deal with the assembly code. hehehe...yeah, makes me a coward, I knoooow...

It will be interesting to see if this project can gain and sustain momentum. I feel it might be worthwhile. I also have the sense that you could even add video to the K10D/K20D with just a firmware hack.
07-27-2009, 06:01 AM   #10
Veteran Member
ytterbium
Join Date: Jan 2008
Posts: 1,076
Video would not be possible. It MUST be supported by image sensor.
Most likely the readout procedures are hardcoded/wired logic in some factory programmable/locked PROM/ROM. You can always replace it with EEPROM of course. Even if you could write your own routines and force continuous image readout with an open shutter, you'd get psychedelic smeared lines which would add to the pixels being shifted out of the CCD.

But reading that service manual makes me scared. AF adjustment for example states you have to turn 3 separate screws simultaneously without any feedback or methodology until some mystical box becomes green.
Or the one where you have to use 35-80 or you can use 18-55@55 instead, but the software for calibration states specifically lens @ 80mm. I don't doubt that "it does the trick", BUT...eh

Seems that they have retained the SLR part from film era and just added digital and stabilization part. Is the shutter FF as well (guess not if they redesigned mirror box)?

I think the first success would be doing minor changes in the original binary file, like changing strings, fooling the firmware version and being able to feed this firmware to the camera and restore the original one back. I believe this would require generating the correct checksum.
Do Pentax cameras allow firmware downgrade, if you e.g. insert FW1.0 in an FW1.1 camera to undo such changes?
07-27-2009, 06:07 AM   #11
Veteran Member
Join Date: Jun 2008
Location: Borås, Sweden
Posts: 3,169
Originally posted by ytterbium:
> Video would not be possible. It MUST be supported by image sensor.
Think about Live View in case of the K20D. Somebody hacked a 40D to output video.
07-27-2009, 06:21 AM   #12
Veteran Member
ytterbium
Join Date: Jan 2008
Posts: 1,076
Ah, then yes, since they support such readout, but it is not known to what extent - maybe the best they are capable of for prolonged periods is as much as the LCD can display, and even then by gulping enormous resources - memory, battery and processing that may not leave any spare for compression or fast memory writes.

Continued reading of that manual continues to surprise me - fixing lens position with tape.
Aren't there more sophisticated and "cleaner" test methods? Anyway, it is really interesting reading.
"Attach the lens (50M, F1.4) to the camera. Set the lens to F1.5." (F1.4 circled in illustration).
Page 143 explains a lot... 144 just kicks ass. This as well makes me think that the histogram shouldn't be JPEG based and pretty accurately matches captured RAW data, if you can measure millimeters on the LCD.
But I think it is ok to have a few mistakes in such an extensive document, because those who wrote it probably focus all their efforts on development.

Last edited by ytterbium; 07-27-2009 at 06:29 AM.
07-27-2009, 07:47 AM   #13
Veteran Member
Join Date: Jun 2009
Posts: 1,674
Originally posted by pingflood:
> Think about Live View in case of the K20D. Somebody hacked a 40D to output video.
Exactly what I based my comment on...the sensor will support it...if you play around with the timed shooting setting you can get some pretty decent frame rates already...so it seems reasonable that enabling a video mode is a case of modding the FW to just string them together into some sort of video file. Certainly non-trivial, and it would likely not be HD, but then again it could be. But this sort of software wizardry (at least to us old developer dinosaurs who were around long before multimedia apps were but for the select few, like movie studios and such...it is like magic)
07-27-2009, 07:51 AM   #14
Veteran Member
Join Date: Jun 2009
Posts: 1,674
Originally posted by ytterbium:
> Video would not be possible. It MUST be supported by image sensor.
> Most likely the readout procedures are hardcoded/wired logic in some factory programmable/locked PROM/ROM. You can always replace it with EEPROM of course. Even if you could write your own routines and force continuous image readout with an open shutter, you'd get psychedelic smeared lines which would add to the pixels being shifted out of the CCD.
>
> But reading that service manual makes me scared. AF adjustment for example states you have to turn 3 separate screws simultaneously without any feedback or methodology until some mystical box becomes green.
> Or the one where you have to use 35-80 or you can use 18-55@55 instead, but the software for calibration states specifically lens @ 80mm. I don't doubt that "it does the trick", BUT...eh
>
> Seems that they have retained the SLR part from film era and just added digital and stabilization part. Is the shutter FF as well (guess not if they redesigned mirror box)?
>
> I think the first success would be doing minor changes in the original binary file, like changing strings, fooling the firmware version and being able to feed this firmware to the camera and restore the original one back. I believe this would require generating the correct checksum.
> Do Pentax cameras allow firmware downgrade, if you e.g. insert FW1.0 in an FW1.1 camera to undo such changes?
I can confirm I was able to reflash from 1.03 back to 1.01 and back again. Not sure I would want to do it on a regular basis, but it worked for me when a few of us were checking something that we thought might have changed in 1.03...
07-27-2009, 01:31 PM   #15
Veteran Member
Join Date: Jul 2009
Location: Russia
Posts: 343
Original Poster
Thanks for the responses, guys.

1) Bricking the body with firmware is possible for developers only. If you don't touch the loader that searches for firmware files on the SD card upon bootup and allows you to reflash, you are not bricked. This point perfectly illustrates that most firmware is developed by incompetent students (as soon as you read "use fully charged battery" you must know they are near :-) ). The loader must not be touched during firmware flashing, and yes, it is quite easy to do.
By the way, K10D/GX10 firmware has a BASIC-like batch language interpreter built in. Not many commands, but something like in batch files.

2) As for video - no at this point. I believe that the guys at dxuser pretty thoroughly dissected the K20 sensor. It is absolutely useless. And as it is DSP related, it'll be extremely hard.

3) Guys, you have a good body, but small improvements are possible. And I want to concentrate on small photo improvements.

4) As for Pentax: if they are smart, they'll help. If not, they'll be silent. A successful hack is the cheapest and most useful way to create buzz around your products.