I-Appliance BBS The Official Source for Internet Appliance Upgrades and Mods Click Here! BBS Main List | Sign In | Sign Up | Search | Help | Linux-Hacker.net Reply to Thread | Printer |

Home / MISC Areas / Cameras Hacking the RED Dakota PV2 (with LCD) The new red PureDigital Dakota with preview LCD are available and ready for the hacking

Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile The 150+ post Dakota thread seems full enough...how about we discuss the new red one here? Morcheeba's initial snooping is covered here: http://www.maushammer.com/systems/dakotadigital/DakotaDigital.html#lcd with pictures of teardown here: http://www.maushammer.com/systems/dakotadigital/pv2-disassembly.html The chip is made by SMaL of "Ultra Pocket" fame (really thin cameras): http://www.smalcamera.com/products.html Given the specs of the camera, the SMaL 'kit' used is the Ultra-Pocket 3. I've checked SMaL's whole web site and found no useful technical information of any kind...the best thing is the PDF for the kit, which just lists stats. Regarding the camera's design: as discussed earlier, it sports a totally new case and new internal design. This design is much smarter, in my opinion. The components appear to be of a high quality (an actual metal button instead of a piece of copper that slides back and forth for a power button). The battery compartment was frustrating until I re-read Morcheeba's teardown (stick a pin in the hole and slide the piece of plastic inside there). Taking the cover apart is quick once you find the screws. The main board includes the SMaL chip (which appears to do everything but control the LCD), the flash system (no more flash daughterboard), and so on. There is one perpendicular narrow daughterboard that includes the battery connection and the shutter button. The USB connector is the same. I had to dremel mine a bit wider (as I've done to my original Dakota) to make it fit my M100 connector. It does a double-beep on connect and disconnect. My SMaL chip is labeled: (SMaL) AIC0021B 02TWN503 C66051 00 Sadly, google has never heard of a "AIC0021B". Regarding the camera's operation: I like it. The flash seems to charge faster, the LCD is fairly decent, and the picture quality seems about the same (as far as I can tell from looking at the LCD). All the original Dakota features are here, just with an LCD. As found by Morcheeba, pressing all three buttons during power-on gives you some information. I got: FIRMWARE 6410 HARDWARE 06 TYPEID 27 ID DAA041940523 Once again, TYPEID is the USB Product ID 0x0027. Regarding actually getting the thing to work: the first place I went was gPhoto. As you'll find out, this wasn't fruitful. gPhoto supports some SMaL-based cameras, but looking at the source code, these appear to be the original Ultra-Pocket-based cameras, which have a max resolution of 640x480. I thought I'd try using it anyway, so I told gPhoto to use the Red Dakota's USB information. The vendor ID is the same (0x0DCA), but this camera's product ID is 0x0027. So I set USB_DEVICE_ID_ULTRAPOCKET to 0x0027 in camlibs/smal/smal.h, recompiled libgphoto2, and tried it out. It now detected that I had the Fuji Axia Eyeplate (which is the name of the entry I fiddled with), but it can't do anything at all to it (I get error -35, "Error writing to port"). Hence, this was a total bust; the interface just isn't compatible. When I bought the camera, I asked the clerk about the "developing" process. They do use the same machine to dump the new Dakota as the old one. However, they required a software upgrade to support it. "A lady came out" to upgrade the software on their equipment. So the good news is that the only change needed is in software, the bad news is that we have no idea what this is. Any ideas where to go from here? 05-31-2004 22:38:18

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile Incidentally, here is the listing for the camera from /proc/bus/usb/devices: T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 2 P: Vendor=0dca ProdID=0027 Rev= 0.01 S: Manufacturer=SMaL S: Product=Digital Camera C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=200mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms C: #Ifs= 1 Cfg#= 2 Atr=80 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms 05-31-2004 23:00:14

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Silver Profile I also picked up one of the new red PV2 cams today in Seattle. Doing a three-button power on gets me the following: FIRMWARE 6410 HARDWARE 06 TYPEID 27 ID DAA041901004 Looks to be a fun camera. I hope we can find a driver for it. Silver 06-01-2004 00:56:01

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) DrDootz Profile All, Just got a PV2 in South Florida at a Wolf camera store. Girl didn't know anything about processing. Preview LCD is pretty good quality of last picture taken. Tried Blue camera Dakota cable and Windows discovered new device Digital Camera looking for driver. Tried bunch of drivers from Asian web sites but none worked. Hopefully a software hack will be discovered as they become more plentiful. Regards, Dr. Dootz 06-01-2004 08:22:22

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) shiny_razor Profile Silver, where in Seattle did you find them? 06-01-2004 17:37:04

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) shiny_razor Profile I found out one of the vendors that made a cam using the Ultra-Pocket 3 kit: http://www.letsgodigital.org/en/news/articles/story_1209.html Of course they don't have the drivers for the Foxz1 on their webpage. I tried to write them and ask for it, but their feedback form geeked on me. I read on their parent site that they started selling these at Target... I'm contemplating buying one, copying the driver CD and then returning it. It would serve them right for not putting drivers on their site. That is just idiotic. 06-01-2004 18:21:56

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Silver Profile shiny_razor, I found them at Kits Camera in the Alderwood mall; $18.99. They were shown in the Kits ad in this Sunday's paper. They didn't even mention that I should bring the camera back for processing. I also found an old USB-PS2 adaptor that I'm going to sacrifice to make an interface cable. Next stop, Radio Shack. Silver 06-01-2004 22:07:31

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Kudzu Profile It would serve them right for not putting drivers on their site. That is just idiotic. They did have drivers available at one time, on their Japanese language site. http://www.che-ez.com/download/driver/che-ez!foxz/ They were supposed to have been introduced in March, so why they would take them down is anyone's guess. 06-02-2004 01:34:52

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) 02U2 Profile Alderwood mall you say... less than 15 minutes drive away! Naw, I'll let shiny razor buy it (them) I've got WAY to many cameras. 06-02-2004 09:07:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) 02U2 Profile BTW LOL, I'm sitting about 50'away from a small Kits camera BM right now while using the malls free WiFi internet access writing this! AWESOME download speeds! 06-02-2004 09:11:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile Regarding buying that Ultra-Pocket3-based camera: If you do buy it with intent to return, you should do more than just copy the driver CD. It would be much better if you took some pictures, ran a USB snooping program like USBSnoopy, and logged the dumping process. That way, we know the basic protocol the SMaL chipset uses and could start poking at the Dakota. It would be much harder to coax this information out of inert drivers we can't run (for lack of the camera). Does the firmware reside on the separate flash chip (the one under the LCD) or within the SMaL controller? If it is the former, we could dump the whole thing and step through it, as was done for the blue Dakota. If it's on the SMaL controller, it's unclear how we would dump the firmware given that we lack the pinout to the controller. 06-02-2004 12:39:45

RE:Hacking the RED Dakota PV2 (with LCD) (modified 1 times) rangita Profile Also, I've found it's possible to get some drivers to think they service a different USB device. USB drivers seem to only care about the Vendor ID (VID) and Product ID (PID), and will try to drive whatever matches the expected VID-PID values. The Creative CardCam (which is based on the Ultra-Pocket 1) has drivers that store this information in a few INFs, and once in plaintext hex within a binary file. The VID was the same (since it was still SMaL based), but the PID for the CardCam was 0x0002 instead of the Dakota's 0x0027. I replaced all the instances of the PID with 0x0027 and the drivers suddenly thought the Dakota was its baby. Of course, the drivers didn't work at all, but this technique could possibly work on these UltraPocket3 drivers. We probably couldn't get pictures straight-away with this method, but we may get our foot in the door. 06-02-2004 12:47:16

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) shiny_razor Profile Hehe. http://www.target.com/gp/detail.html/ref=br_1_5/601-4314602-2720932?%5Fencoding=UTF8&asin=B000216HQS coming soon to a hack near you! 06-02-2004 17:21:17

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Synlor Profile I found the foxz drivers, they were still on the japanese website. http://www.che-ez.com/jp/download/ scroll down till you find the foxz thing. The files are all encoded or something, but once you run setup go into Program Files\Che-ez! Foxz\driver you can edit the inf file, which is in plain english. I did what other people mentioned above, changing the pid to 0x0027 in every location in the file. Finally I plugged the camera in, the install new hardware thing came up, I pointed it to the afermentioned directory with the edited inf file. It found the drivers and isntalled just fine. So now when I plug my camera in it shows in my computer... but once I click inside no files are found. So the computer is recognizing the camera, but no go for reading from it. Either we need to do more than changing the inf file for these drivers, or they won't work. 06-03-2004 19:05:16

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) shiny_razor Profile Yeah, usually just hacking the inf doesn't give you complete access to the camera, but at least it's a start! Good find! 06-03-2004 19:14:51

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile I have found a thread that has a link to a generic photo transfer software on it. It might be useful in trying to get the pictures off the camera. I just got the new red one and the original blue one, but still waiting on the cables that I ordered off of e-bay (shipping takes too long). Anyways, here's the link from the thread: http://www.dps.uk.com/freeware_transferer.htm Another thing, if the computer detects the camera but can't find any pictures on it, I would think that when PureDigital said they "will shortly release a model that incorporates stronger security measures aimed at preventing this sort of hacking." The security measures they might be talking about is changing how the contents of the memory are written and read instead of changing the entire process of extracting the pictures out of the camera and into their processing machine and only having to upgrade software. Quoted from rangita: When I bought the camera, I asked the clerk about the "developing" process. They do use the same machine to dump the new Dakota as the old one. However, they required a software upgrade to support it. "A lady came out" to upgrade the software on their equipment. So the good news is that the only change needed is in software, the bad news is that we have no idea what this is. Any ideas where to go from here? Well, the "lady that came out" to upgrade the software on their equpiment could have patched the software to decrypt the contents of the extracted memory. Or instead of the memory being encrypted, the memory could have a certain part missing in it. Rendering it unreadable to a computer without the software that would add the certain missing part based on an algorithim or just the same "piece of data". Whether the missing piece is at the beginning of the entire contents, every picture, or sector. Something like when you delete a file on your hdd, it only removes the first part of the file, pointing to where the rest of the contents are. Or something to that extent. Another possibility is that they might use a different cable wiring that has a switch on it to be able to switch from the old cable layout to the new cable layout, still using usb port and the such. If you want to take the easy route out, you could always become REALLY good friends with one of the managers or employees and get a copy of the software Quote from rangita: The 150+ post Dakota thread seems full enough...how about we discuss the new red one here? Wonder how many total are going to be here when this project nears an end ? My brain hurts now after thinking for quite a while and having a rough day. If any of this doesn't make sense, or is grammatically incorrect, I am too tired to fix it, figure it out on your own... Good luck on the project and keep up the good work! 06-03-2004 23:09:11

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile BTW, the little sticker covering up the connection port on the camera says "Camera does not connect to home computers." on blue one and a similar saying on the red one. Wonder if the blue one that I just picked up has the "new security" in it? 06-03-2004 23:15:51

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) zbeth Profile The first/hackable blue one had the same (or similar) sticker. (Has anyone had success with the new blue?) 06-04-2004 11:36:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile What do you mean the "new blue"? From what I understand, there is only one blue make / model. What I mean by that is the electronics inside the old one is the same as in the new one with the same type case. If I'm not mistaken, of course. I wonder if they both got an upgrade, got a new case, but the processing machine still only needed a software upgrade. I have the original blue one with the chrome accents on the outside around the lense and where you put your fingrers in the front, not the one shown on the back of the Ritz catalog. The possibility doesn't surprise me. 06-04-2004 19:49:55

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile Found a site that has some USB developer tools on that could be of some help to you people out there until I get my cables. http://www.usbdeveloper.com It's got software as well as hardware tools that might be helpful. (not meant to be advertising) 06-04-2004 19:57:20

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) zbeth Profile Has anyone spotted a blue Dakota that looks like the catalog pic, marked PV2 and all? I just bought one (from a Ritz in MA that had the red PV2s in stock) that _looks_ like the old blue Dakota.. 06-04-2004 20:30:28

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Scapegoat Profile "you could always become REALLY good friends with one of the managers or employees and get a copy of the software" ...OR, has anyone considered trying to get a job at one of these places, working your way to the camera-reading machine itself, and then making like a corporate spy and running off with the software? The PC obviously has USB ports, A memory dongle would be all one might need, or perchance the install CD is even lying around the office. I've been thinking about doing this, unfortunately I don't know as much as you guys (as far as what I would need to get.) ...or is this wrong??? Is it even possible? Anybody have any suggestions about this, because I'm quite serious about the prospects of this path. 06-04-2004 20:45:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) zmoz Profile I think you're taking this a bit too far. The point here is to get a cheap camera and have fun hacking it. You could just go down and buy a camera that works out of the box you know...(gasp) 06-05-2004 00:36:01

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile Quote from Scapegoat: ...OR, has anyone considered trying to get a job at one of these places, working your way to the camera-reading machine itself, and then making like a corporate spy and running off with the software? The PC obviously has USB ports, A memory dongle would be all one might need, or perchance the install CD is even lying around the office. The problem with that is that is "stealing", but if you do manage to "run off with the software", if you distribute it, the Ritz or PureDigital people will try to sue you, put you in jail, and mangle you in any way they can legally... (or if nobody hears about it illegally) The alternative would be to "permanently borrow" or temporarily take the software, make a copy (using a laptop in your car or w/e), put it back and use the stuff that's in the software after de-compiling it to create your own program. Without using their code or telling anyone that you looked at the program, of course, which would be an infringement of the copyright laws. (or something like that if I'm not mistaken) But the problem with that is it takes all of the fun out of figuring it all out on your own. I'm really eager to get into this as soon as I get my freakin cables that I ordered from e-bay. Another thing, I'm downloading Linux (RedHat 2.1gb, Mandrake 2.1gb, and the College version 615mb) http://www.linuxiso.org and I was wondering if there is freeware out there that I could use to partition my hdd on the fly without using something like PartitionMagic. If anyone could offer some help, I would be much obliged. 06-05-2004 15:05:30

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile I have opened my PV2 up and I noticed that where the data port is, there only 7 out of 10 gold connectors actually connected to the circuitry. Here's how it is layed out if you look at it from the front with the connectors on your right side, just as if someone were taking a picture of you with it: 1: Connected 2: Connected 3: Connected 4: Connected 5: Connected 6: 7: Connected 8: 9: Connected 10: Also, there are some switches or something, that are missing there are 4 spaces for them under the SMaL chip, and one space is vacant. There are also some missing above the chip to the right of the silver capacitor (or at least I think that's what it is). Maybe if you connect them, they might do something like do a live preview or something to that extent (flashing the rom). When I was trying to undo the lcd panel from the back, I tried to move the insanely huge flash capacitor out of the way and I heard it crack. I unscrewed the panel and moved the capacitor back, put the batteries back in and turned it on. (with the cover off) It started up, I took a picture and deleted it, turned it off and picked it up again. When I turned it around to look at it, it shocked the crap out of my finger. Those little things can hold quite a charge. I put my screwdriver across the two solder points to try to get it to get rid of the charge, when the screwdriver got to about 2/16 of an inch away from the two solder points, ther was a huge spark that sounded like a cap gun. It MELTED THE SOLDER that was there and left two gouges where the sparks were on my screwdriver. Now there are black burn-like marks around the solder points on the camera as well as the screwdriver. I thought I just fryed my camera in style, but all it did was pop, leave burns on the camera and screwdriver and leave a funky smell in the air. Anyways, I'm going to e-mail PureDigital to see if I can get the specs for this little monster and / or anything else. 06-05-2004 19:17:43

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile Just got my hands on one of these at the Ritz in downtown Boston (Boylston st). Was going to try and interrogate the salesperson a bit about the reader device/software, but she was pretty busy. Haven't had time to play with it much yet, only immediately take it apart One disappointing thing I notice is the lack of a ROM. Unless the firmware is stored on the NAND flash (which I doubt, since this flash requires that funky bad-block-mapping stuff), there will likely be no way of getting at it. As madpyro mentions, a number of spaces left unpopulated - in particular, there are spaces for 2 extra pushbuttons, and of the others, the empty spaces for R4, R5, R7, R8 (leading to the SMaL chip) look the most interesting. When the camera is 'ready', shorting the contacts of SW1 causes the camera to beep 3 times, but I haven't noticed any other effect. (The camera still seems to work, so at least it wasn't a hacker trap - if I were a sufficiently malicious hardware designer, I'd leave an unpopulated switch just begging to be messed with, which would trigger a self-destruct.) To madpyro - I didn't manage to zap myself on the original Dakota, but to this day there are weld-marks on my pliers where I used them to discharge the flash capacitor. Sounded like a gunshot and produced a blinding flash, our cat nearly hit the ceiling, and (when my vision returned to normal) there was a nice little charring pattern across the board. This time I got smart and used the pliers to nudge a 1 M-ohm resistor across the cap leads (then a 100k, then pliers) to avoid scaring the crap out of myself again. 06-05-2004 23:11:48

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile I discussed the red Dakota problems with a friend of mine (a computer engineer), who looked at the camera and some related datasheets. He came to the following conclusions: - Regarding the firmware: The flash memory is byte-serial for both address and data, so the firmware couldn't be there. Thus, the firmware must be stored in an internal ROM within the SMaL chip. The SMaL chip is custom designed, and likely had to be flashed with the firmware after production. Since SMaL claims the chip can be programmed via USB, we may be able to read the firmware via USB (for verification). - Regarding the physical chip: The chip, though it's innards and firmware are custom, is almost certainly in a standard package. It may share a pinout with similar, known chips. If the chip contains programmable memory, then there probably exists a standard reader for this package. I think that if the USB-flashing is unavailable, the connector lines that aren't USB may be a firmware programmer connection of some sort, which could facilitate reading of the firmware. madpyro, if this is your first install of Linux, you probably want to do this on a scratch machine. Contrary to what the zealots say, installing Linux isn't usually a romp through Happy Always-Works Land, especially when resizing of existing partitions is involved (resizing partitions is always a crapshoot, in my opinion). As for partitioning software, there appears to be a free trial of Partition Magic which should do what you need. I wouldn't trust any freeware to do something like that. I'm going to try to figure out SUCR enough to write a command-line "USB Terminal" so we can try manually blathering incoherently to the camera. 06-06-2004 11:45:38

I just guessed the two "to be populated" switches are for "prev" and "past" buttons. (modified 0 times) newbee Profile When I saw those two empty spaces for switches, I instantly thought that they are for prev and past buttons because 1. I thought that it is possible from their ad. 2. the two buttons are placed right beside 'display' button, which makes them perfect candidates for "arrow" keys. Oh well, just a thought. 06-06-2004 13:06:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile Rangita, I have an old system (350mhz, 64mb ram, 10gb hdd) that I will connect to my computer via an ethernet cable to back up my "important files". But the problem with that is the old pc doesn't have an OS on it because I planned on re-installing it, but it just freezes up or restarts on its own when I am in the installation process. I hav found a Windows Pre-Installation invironment boot cd. http://www.nu2.nu/pebuilder/ created by a very smart windows programmer up in denmark, I think. After I copy the files to the hdd of the old pc, I will re-partition the hdd (using fdisk on the new one) and install Linux. I think the Partition Magic trial doesn't let you save any changes. And yes, this is my first install of Linux (yay!). I have also heard of a boot cd for Linux that runs off of the cd much like the pre-installation environment. Also, I think if you tried every one of the unpopulated spots, there might be one that either flashes the rom or the other memory, or it could give you a live lcd preview. About the switches, newbee, I kindof aggree with you about that but the problem is figuring out which solder points to connect to each other to do that (4 solder points) which would be 6 possibilities, I think. but I can only see two of the soldier poinst acctually connecting to the copper in the board. If I remember correctly, it is the very left two on both. That could be a possibility, though. I might try to write a prog that gives the camera some commands and "snoops" around or whatever, but since I know only a little bit of Visual Basic, I will mostly use the dll's and ocx's to get the job done. I might not even write the prog since I am going to be busy installing Linux and reinstalling XP after I repartition. Keep up the good work people! 06-06-2004 14:33:56

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile The dump-out from testlibusb, if it's of use to anyone: actually, forget it, this board totally messes up the formatting. I'll try to post something more legible (maybe SUCR commandline listing, if I can get one...perhaps a reboot is in order) a little later. One thing I notice is there doesn't seem to be the composite-device structure like with the classic Dakota. Consistently 'No Packets' in USBSnoopy, although Windows recognized it as a Digital Camera and asks for drivers (I put it on libusb). The camera doesn't seem to give any indication (for me, at least) that it's connected to a computer, unlike to classic. Unless I unplug it and plug it back in; then it beeps once and the LED comes on for about 10 seconds, then goes out again. 06-06-2004 16:56:53

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile Here we go... output of SUCR and testlibusb showing how the USB interface is laid out: http://cexx.org/dakota/pv2.htm (scroll down to 'USB info'). The usual Bulk In/Out interface, just like the classic Dakota, but lacking the Interrupt endpoint (hasn't been used, not by any hackers I know of anyway) and the Isochronous endpoints (Webcam data-out). Two possible configurations: one for 100mA of power from the USB port, one for 200mA...they seem identical otherwise. When one of the configurations is set, the camera emits a two-tone beep, and the Ready light comes on and stays on. However, writing any commands to the cam results in an error message from libusb-win32 (probably indirectly; it's most likely generated by the Windows USB subsystem) : LIBUSB_DLL error: error sending control message: win error: Data error (cyclic redundancy check) Control transfers in USB include a CRC at the end (5-bit or 16-bit, depending on packet type, according to USB-in-a-nutshell), which as far as I know is generated at a low level (libusb...or even Windows itself?), and "should be" correct. Maybe this is one of the "enhanced security measures", the camera expecting bogus/encrypted/DMCAed CRCs generated by custom/hacked USB driver on the Ritz download box? Or maybe I'm just talking out of my @ss, of course - can any USB experts shed some light on what would cause CRC errors? (Is the camera just taking the data as-is, and throwing back "Bad CRC" errors just to throw us off?) Rangita mentioned the following error while trying the camera under gPhoto: error -35, "Error writing to port". Is it documented anywhere what an error -35 is...is this also the CRC error? (Then at least I know it isn't just me 06-06-2004 18:50:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile I've tested Drmn4ea's button observations and am getting the same effect. SW1 results in 3 beeps, SW4 nothing. In addition, SW1 does its 3 beeps regardless of state, even while doing the tutorial screen at boot-up. I propose that when we are prodding it over USB, we take a moment to try pressing the mystery button and see if it effects the camera's responses. I have a (wild, unsubstantiated) example of why it may be related. I suspect designers implemented a "special state" the camera has to get into before allowing useful USB interaction. On the old Dakota (if I recall correctly), you had to "log in" with a four-byte code before it operated normally. It may be that the button puts the camera in this authorized state (in addition to the right USB action). This way, programmers could test the higher USB functions without having to "log in". I have no evidence for this idea whatsoever, and present it merely as an example of why the button may be related. madpyro, if you don't have any NTFS partitions, you may be able to use "fips.exe", which I found with SuSE Linux. According to the SuSE readme: "Use this tool to change the size of DOS partitions...Two versions are available: fips15 [for FAT16] and fips20 [for FAT32, new]." You can get it here: ftp://ftp.sunsite.utk.edu/pub/linux/suse/i386/9.1/dosutils/fips/ 06-06-2004 19:38:52

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile Drmn4ea, I have no idea what the root cause of the gphoto2 error -35 (known in libgphoto2 as GP_ERROR_IO_WRITE) was. Looking at the source for libgphoto2, it can only be caused when the libusb function usb_bulk_write() returns a values less than 0. The libusb documentation says that the function will "[Return the] number of bytes written on success or < 0 on error." Tearing open the libusb source, I find that a negative is returned if a ioctl() call returns a value less than 0, in which case it returns the negation of errno, the standard error number. This ioctl error number is what we need to confirm your hypothesis, but libgphoto2 throws it out. If one can tell libusb to be in some sort of debug mode (usb_debug >= 2), it will announce the ioctl error code. I'll see about making that happen. 06-06-2004 20:19:10

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile I have more information on the gphoto2 error. I tried it again after modified the libgphoto2 to announce the return values and call perror(). Last time I did it, I didn't notice that the FIRST time I try to talk to the camera, the write goes fine, but the expects a bulk read directly thereafter (which doesn't happen, of course). Thus, during this first run, I actually get an error -34, "Error reading...". Subsequent attempts result in the previously reported error -35 ("Error writing..."). The usb_bulk_write() call returns -1, and perror() prints "Broken pipe" in both cases. This could be the same thing as the CRC failure...I have no idea how to compare those apples to these oranges. 06-06-2004 22:37:34

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile A little more playing... finally looked at the GPhoto code for the "similar" SMaL, it doesn't seem to use the bulk control endpoint at all--just send a 16-byte command packet directly on the bulk out (to the camera) endpoint, and slurp data back in on the corresponding in (from camera) endpoint. Emulating this in sucr, the write to bulk out works exactly once; then, any subsequent reads OR writes to the appropriate endpoints result in the familiar CRC error. The data write seems to go "ok" up to a data length of 36 bytes. Attempting to write more than 36 bytes to the camera results in an error after the timeout period specified in usb_bulk_write: LIBUSB_DLL error: timeout error writing to bulk endpoint 0x1: win error: Overlap ped I/O operation is in progress. Once this happens, all reads and writes produce this until it's unplugged and plugged back in. In all of these cases, clearing a stall (usb_clear_halt) or resetting the endpoint (usb_resetep) has no effect. I brought the cam into work where we happened to use the exact same little surface-mount switches for a past project (can rustle up part # if anyone wants it), and populated SW1 and SW4. If SW1 is held down while attaching the USB, the 2-tone beep upon setting configuration is replaced by a single high-pitch beep. No other effect apparent, unfortunately. Holding down other buttons doesn't seem to do anything. To any USB gurus...is there anything magical about the number 36? Or is this likely to be a limit set by the camera? Next steps....whoever's first finding a way to quickly clear/reset this thing in software, so that more bytes can be sent to it without replugging, gets to try maybe a "brute force byte stuffing until the CRC error goes away" approach. Snowflake's chance of this actually working, of course Finally, I am wondering if a CRC error in Windows doesn't just mean that there was no response at all. 06-08-2004 23:19:43

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile When I took off the back of the camera, I noticed a little screw with this red, gooey crap on it. I messed around with it hoping it would do something, but all it does is adjust the brightness of the screen. But, there's an unpopulated spot next to it named VR1 while the one with the screw is VR2. I shocked my self twice yet again. First time, I didn't even touch the capacitor, which puzzles me, the second time, a spark reached out and bit my finger, leaving a blister that still burns 2 1/2 hours after it happened. I shorted out VR1 and all it did was turn the screen different colors. 06-09-2004 13:26:57

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile I too found the 36 byte limit. I modified the SMaL gphoto2 driver to allow me to specify command values via environment variables (a hack, but it was quick). I then left it cycling through the first & second bytes overnight - the rest of the bytes were zero. To get past the apparent locking up of the camera after the first write I unloaded and reloaded the UHCI module (usb-uhci). This seems to work, though not with 100% reliability. Didn't get a single response from the camera all the way up to 0x03 in the second byte (when I killed it), but I noticed at some point later on that my camera's ID number had changed to 'LAMSSMAL0000' - I guess one of those commands affected the camera's ID somehow, but I don't know how. I now have a small tool that I knocked up for Linux based on the libusb code in gphoto that allows me to send arbitrary strings of data to the camera's bulk endpoint. Thinking that I could try to set the ID back perhaps by writing a command followed by the string needed for the ID (thinking that perhaps LAMSSMAL0000 is what it does when the ID is nulled out), I tried to write the same commands. Haven't finished that yet, but so far I haven't had any luck here. I was actually thinking that a simple little relay circuit controlled by the parallel port or something might solve the reset problem more elegantly too - the module trick eventually seems to stop working. I would guess that pulling the power line on the USB would essentially reset the camera. Might have a go at this (unless anybody knows any way of getting a UHCI controller to power down specific connections). 06-10-2004 00:18:49

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile I think the error "Data error (cyclic redundancy check)" may be the Windows catch-all for IO weirdness. I've had it on every IO device on the system at some point or another (bad CDROM drive, prematurely ejected floppy disk, etc.). I'm thinking that it just means "general error" with respect to USB. Perhaps the device has a very dumb command buffer (for either laziness or security reasons). That is, once 36 bytes is passed, you should have sent all the commands you needed by now (HELLO, DUMP, DELETE, BYE), and the camera is going to clam up if you haven't. j94501, I agree with the parallel port relay idea: toggling USB power (possibly with the batteries out) should do the trick. Can you make available your USB poker? 06-10-2004 10:22:20

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) madpyro Profile Finally got my cable and got the camera working. I'm fixin to re-partition my hdd and install linux, cross my fingers and hope all goes well. I have looked all over for a program that will read the data comming from the camera in webcam mode, but I couldn't find one. When I get through installing, I might even write a prog for the pv2. Be back after installation. 06-11-2004 15:11:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile After some days of having the cam torn apart and batteryless, I ran it in "camera mode" today for the first time since all the USB-messing...and now my serial also reads LAMSSMAL0000. It might be the USB playing, but I didn't do *too* much of that...think it might have something to do with the mystery buttons - did you mess with them too? Some discoveries: Apparently it camera doesn't like to run with its flash capacitor removed - took it off to reduce the likelihood of nasty surprises, and the camera wouldn't come up. (Smaller couple-of-uF cap with bleeder resistor across it seems to do the trick...barely.) That done, I powered it up on a current-limiting supply (forgot that it was current limiting, and this limit was set ridiculously low). About a second after powerup, while displaying the Big Print logo, the camera draws a large amount of current, which tripped the limit and the voltage briefly dropped to 1.8 or so, causing the display to scramble up a bit (top 3/4 of screen ok, bottom 1/4 flickering in and out in an analog-looking way, you'd swear the connector to the LCD was just pulling out). On attempting to switch to the next screen, the display scrambled completely, resulting in what appeared to be the text "? ? ? ? ?" underneath a field of random pixels. This might be something to play with if all else fails - play with the voltages and see what happens. On a recent PIC-based project I worked on, a brief undervoltage or powercycle could cause the chip to start executing at an arbitrary code location, and e.g. start jabbering text strings to the serial port. (Hopefully, it wouldn't arrive at "Erase the firmware"...if the firmware in this one is indeed rewritable at all...) The unpopulated resistors around the SMaL chip are pullups for data-out lines...there's a bunch of repetitive data on each of these, from startup to just when the "Shutting off..." message appears. (Too much to 'scope, at least for me. Logic analyzer, anyone?) Might be for the LCD, but the continuous transmission (even when the LCD is 'off'), and no data while it's still showing an image makes me doubt this. Image sensor communications? Something completely different? Another engineer at my work is also very interested in this camera; we're planning to come in tomorrow and attack it with soldering irons (maybe attempt to pull and read the flash memory). Just had a thought - the cam has 2 configurations (100mA, 200mA) - think changing the active configuration would effectively reset its USB communications? Left it at work, so I can't test this myself tonight. BTW...has anybody figured out what image sensor is in this cam? 06-11-2004 21:59:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile I didn't try anything with the two missing buttons, so it must be the USB commands that changed something. I did try the control messages as well as the SMaL type bulk endpoint messages though. All I got back from my stream of read messages was the read content 'reflected' back at me though, so I just assumed that they were being ignored. What types of operation did you try on the USB? I will see if I can try the re-config option to reset the camera later tonight - I'm going to be up working so I might as well do that too I will also try to put the code for my little USB poking tool on a web page somewhere tonight or tomorrow morning. I was wondering whether the missing resistors might in fact be a console/serial port - I suspect it would be brought out to the edge connector, but only if certain resistors/links are fitted - I've seen this trick on other devices too. 06-12-2004 00:24:37

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile Basically, what I did at first is try sending read / write messages using libusb's usb_control_message(...), each containing an arbitrary control command (actually, copy-pasted right out of sucr for the old Dakota) and data length of 0 bytes. These all produced the CRC error mentioned above, so I tried reads and writes of various lengths (between 1 and 64 bytes) to the Bulk endpoints, with results as mentioned earlier (more CRC errors, etc). The data buffer used was uninitialized (garbage) at first, because I was just trying to check success/failure of the physical write (e.g. maximum length) and didn't figure any particular combination of data was more likely to be interesting than any other. Subsequently I started initializing the buffer to all 0x00s. Maybe 0s is what did it? Otherwise, the odds of us both hitting the same magic combination (your bruteforce on the first 3 bytes(?) vs. my whatever-crap-was-in-memory) seem slim. I don't know about serial; the signal on these pins was pretty darned fast ( >>100 KHz). The other end of the resistor seemed to just have Vcc on it. Hopefully by tomorrow night I'll have something more useful to report 06-12-2004 02:04:53

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile Regarding the LAMSSMALL id, my camera still has the regular ID. There are two things you've done that I haven't: 1. I haven't done any manual USB poking beyond gphoto2 yet 2. I never held the SW1 during hookup, but I have pressed both SW1 and SW4 during use I also noticed LCD oddities when I had it hooked up to a transformer. There was an odd banded flicker, perhaps the small AC component of the regulated power? Regarding those unimplemented lines, if the transmissions are slow enough, you could potentially build a logic analyzer using the input lines of the parallel port. Just have the system sample the lines at the clock rate you measure and dump to file. According to this page, you can potentially get up to 1MHz sampling rate ( http://www.xs4all.nl/~jwasys/old/diy2.html ). I've been meaning to build a dedicated machine for something like this forever... 06-12-2004 11:08:32

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rangita Profile I emailed SMaL with questions about the Ultra-Pocket 3 kit (who uses it, etc.). They took quite a while in responding. Here is the relevant part of the reply: "Thank you for your inquiry. A camera that leverages that Ultra-Pocket 3 kit (1.3-megapixel) is the Foxz1 by NHJ Limited (headquartered in Japan). They have also released a 2-megapixel product, the Foxz2, based on our Ultra-Pocket 4 kit." He went on to ask about my interests in developing a camera product. Too bad we pretty much already knew that. 06-12-2004 11:31:10

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile Hi everyone ... good to see so much hackin' going on! I looked at the mac drivers. First off, it's from Sep 2000 and it's a 428KB self-extracting file. The file that it extracts... hold on, here's the punchline you know is coming: 348KB. Ok, I'm expecting the driver to have some seriously good engineering It's copyrighted 2000 by "virtual fx". The driver internally refers to a DCA1 camera, which might be a ST chipset (it could be that virtual fx based the SMaL driver on the older one and didn't totally clean it up). There's lots of stuff in there, but nothing too useful-looking. madpyro - sorry you got zapped. This camera doesn't have to protective gob of glue that the old one did. That smell you smelt afterwards was ozone, which AFAIK, is named from the greek word "to smell sharply". Thanks for contributing to smog!! True story: I was actually offered a job at Ritz Camera about 10 years ago. They saw what a cool person I was and that I knew my stuff about cameras. If only I had stayed with them instead of persuing engineering... argh. Nah, just kidding. I want to hack this in a clean-room environment, just like the last one. Since I write software for a living and I'm an avid photographer, I respect copyrights. (although some of the platforms you'd need to run my software are pretty exotic, so I don't have that much to worry about). I haven't been sued (nor have I broken any laws), and I'd like to keep it that way. Unauthorized use of Ritz's printing machine (even if by an employee) would be wrong... 06-12-2004 11:53:04

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile I tried to see if I could get the camera to reset by simply setting a new configuration number, but so far I am not convinced that I have been able to even set the configuration successfully and then send commands - any time I set it, even to the default, the command fails immediately. Anyhow, I've dumped the source for the little tool I have on a page on my website: http://www.bluedonkey.org/cgi-bin/twiki/bin/preview/Linux/DakotaPv2Camera - feel free to hack on it and add more features etc. If anybody knows for sure how to get the config & alt setting working I'd love to see that added properly. The reason for my probing in the first three bytes was more from looking at the regular SMaL driver which seems to use 16 byte commands, with the first three bytes reserved for some kind of command information (for example, filenames always start in the fourth byte of the command). The third byte is always zero as far as I could see, which made me wonder if the format was something like this: 1 - command byte 2 - 16 bit argument 13 - 13 byte string The ID string shown by the camera, even once it has lost the real value, is 12 bytes long (13 bytes including a NULL terminator). Might be coincidence, but it all seemed to fit rather well. Finding a serial console for the device would be very handy, but as you say lines that can be pulled up are probably not the ones. Might try pulling mine apart again and see if I can find anything useful (a reset line would be kind of handy too - might be simpler to drive than switching the power on the USB). 06-12-2004 12:50:18

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile Just talked to our resident chip-pulling guru. Contrary to what I thought, pulling the chip off is a fairly easy process. Actually reading it will be the bitch; we don't have equipment here to just pop the chip into and suck the data out of it, so I'll have to build some kind of reader. Is there anyone out there who DOES have a reader? To j94501 (and anyone else whose camera ID is now reading LAMSSMAL0000) - were there any pictures on it? Are they still there? Regarding a reset line- if there is one, I'd start looking for it on the connection leading to the flash board (high-voltage zappy kind, not memory kind). Somehow the camera "knows" if there's a problem with the HV generator and refuses to start up. 06-12-2004 22:18:32

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile The camera did not have any photos on it at the time I was playing with it, but I can still take and delete a photo even though the ID is not what it used to be. It doesn't appear to have affected the camera's behaviour in any way apart from changing the displayed ID. It would be interesting to know if any pictures would have been lost too. Might try leaving one photo on there for the rest of my USB hacking. 06-13-2004 00:11:49

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile Here's an updated url for j94501's wiki: http://www.bluedonkey.org/cgi-bin/twiki/bin/view/Linux/DakotaPv2Camera -- looks like a good start! 06-13-2004 09:40:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) KalSeth Profile The Weekend Paper with all the flyers in it has a Ritz/Wolf camera flyer. There is a coupon good for $2 off the PV2 with LCD, putting the price at $16.99. Expires June 19th. Got mine in the San Francisco Chronicle. 06-13-2004 13:57:27

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile I completed a full scan of all 65536 index values for all 256 request values in control pipe reads. All the camera did for every one was echo back 8 bytes containing the control message it had been sent. Nothing else. Next I want to try reading some of the descriptors (to see if there are any hidden ones in there), but I'm not going to have much time this week. Many thanks to morcheeba for correcting the link to my twiki page. I will try to update the USB tool there as well as I now have control reads and maybe writes working (haven't played much with those, but they seemed to be doing something). After that, I suspect it is time to come up with a reset circuit for the camera so it can be autonomously probed. That said, with all the possible combinations in a 36 byte message this will take an eternity 06-14-2004 23:34:54

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Accelleron Profile Since the reading unit and the pinout of the old and new cams are the same, there's a snowflake's chance in hell that the same USB output for 'reset' is used (i.e. the coders for Ritz didn't bother re-coding one or more of the signals). I have a PV2 on hand, but I cannot try this because I made my USB cable and my blue Dakota Digital talk via a piece of an IDE cable from an old hard drive I had on hand. There are only two truly infinite things, the universe and stupidity. And I am unsure of the former. 06-15-2004 21:32:31

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Havien Profile Ok, I've noticed everyone making custom connectors for the dakota digitals... The best way I found (requires no opening of the case at all, except the little sticker over the port) What you need is: a peice of plexiglass or lexan 3/16" thick (clear is the cheapest for me,) a few inches of ethernet wire, and a spare usb cable. The plexiglass I used can be cut with a hacksaw to the right size. Use sand paper if necessary. To mark where the wires go I used a ball point pen (a sharpy would work better as long as its a fine tip) with the plexiglass inside the port. Remove the plexi and take a peice of the ethernet wire (one strand) and strip off enough to wrap from one side of the plexi (about the center) to the top side. To bond the wire with the plexi just use a standard soldering iron and heat it up while pressing it against the plexi at the end of the wire untill it sinks in a bit. Then wrap the wire around the end of the plexi and back twards the other side. then attach the 4 wires spaced at the right distances to your usb cable. Now you have a custom connector thats plug and play with no tampering required. If you have issues making one please post and I can send a picture of the one I have made. 06-19-2004 03:36:19

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Steveo Profile I like to see youre conector. do you have a link? 06-20-2004 19:49:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) mako Profile I made a cable much like Havien's ... except it uses cardboard =P. Cut a piece of cardboard to fit into the Dakota's slot, and use a pen to mark the connections. Then strip some wire and superglue/tape it down in the right places. It works, but you'll probably have to wedge it in place when in use. For me it was a temporary measure. I got a USB-B connector as soon as I could (out of a broken printer) and fitted it under the lens assembly. It's the best way to do things, IMO, because you no longer need to rely on proprietary connectors. If you want to show a friend what's on your camera, for example, s/he just downloads SUCR and chooses a random USB peripheral to borrow a cable from. 06-20-2004 23:52:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile hello, I just got 2 cameras from Wolf/Ritz cameras, in the Bay Area.. one, the red one, with the LCD display screen, _is the PV2 model, its printed on it, and, from reading, and reading.. here, seems, it is NOT Yet hackable.. but, the other one I got, a blue one does NOT have "PV2" printed anywhere on it, so, my Question, is my blue one "a Classic" that I can make the adaptor, load the software, and have my way with it? :) I sure Hope so! In other words, do the "newer" blue ones, have "PV2" printed on them? (the un-hacked ones) ?? Thanks! 06-21-2004 14:17:23

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile Whoopie! I think I _FOUND my answer! .. its a Classic! .. well, I wanted some Success here.. I will make an adpt, and wait for you Experts to crack the "PV2"s :) Thanks for all this great info... sometimes, TOO Great! 06-21-2004 14:58:07

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Hondaman900 Profile Hoping for any updates/success in hacking the red PV2. Looking at it here on my kitchen table, wondering what to do next with it. Any news yet? Hondaman900 www.MediaQ.net 06-26-2004 01:19:48

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Hondaman900 Profile Actually, I was hoping to find out here if the PV2 was ahcked yet and if I could interface it with my PC. Reading through it doesn't seem to work with the older blue camera software. Is this correct? I'm thinking of holding my red pV2 until the hack is developed, and in the meantime buy a blue one. My local Ritz doesn't carry them, but a nearby Mall Ritz did. Looking at the posted pics looks like the non-LCD preview version is the older (hackable) blue version. While I'm a proficient VB programmer, this low-level stuff is beyond me. Let me know if anyone needs help developing a user-friendly interface though. :) SMaL site has drivers for the Creative Labs Card Cam and Oregon Scientific's version. Has anyone tried these to see if they'd work? Stephen 06-26-2004 18:59:27

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile hondaman, there are pics online, of the 'old' blue, and, the 'new' blue with the red one.. the blue/red pic shows PV2 on the front... I managed to get a red PV2, and, the older blue one, But: I, along with a couple of recent posters to the other thread are having Problems... my guess is, the Actual software was removed for fear of being sued...(maybe I'm wrong?) If you happen to get the Old blue, and have success, Please post for us! my GUESS is, the libusb-win32 needs to be modified (" Rename and edit the sample inf-file 'libusb.inf' to match your device(s) (modify the vendor and product IDs, strings etc.). Create different inf-files to install different types of devices (devices with different IDs)" well, I'm NOT smart enough for this stuff, but, I'm _usually good at following instructions... sooooooo, if you can look at _that part of this, perhaps we can get this working! 06-27-2004 09:00:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Hondaman900 Profile Redwood, Did you get the SUCR application from http://cexx.org/dakota/sucr.htm? This would seem to be the best source. There's a guy on eBay selling the camera and cable kit for this purpose. His link to the software is to this page. What exactly were the problems you found that prevented you from getting the older version working? My wife is going to Reno today and will stop by the Ritz there and see if she can get me a "non-PV2" blue version. Once I get the older version working I'll start playing with the red one. The cool thing is that these devices are cheap enough to play with. No one is doing this to "cheat" Ritz, it would be cheaper to buy a 1.3MP digital cameran incl. software and cable from Pep Boys (<$50). It's just a lot of fun to play around with these. I read the packaging, and found no user agreement or license details that would indicate that this was a "rental" and the ownership of the product remains with Ritz. Therefore once bought I believe it's ours to do with as we please. Stephen 06-27-2004 11:12:00

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile hondaman: yes, I got the files from there... sucr.exe seems to run fine... its the libusb.inf file that I believe is the problem... "Method That Worked For Me ------------------------ Don't plug in the camera just yet. (If you already did; make sure Windows doesn't try to install any drivers for it yet. If it did, remove them, then unplug the camera.) Find "libusb.inf" in the directory you unzipped sucr.exe to. Right-click on it and choose "Install", wait for installation to complete. Now REBOOT THE COMPUTER." that was from the instructions... but, when _I right click, I don't really get the installer.. but, I do, when I install libusb-win32 from http://libusb-win32.sourceforge.net/ I _DO get a full install.. but, I think, the file, "libusb.inf" is customized for this camera, and, libusb-win32 is just a general driver that needs to be customized.. hope you get an 'old-blue' so you can try this out... Good Luck! 06-27-2004 21:34:47

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) coolnetdude Profile Hey guys, I'm new to the thread. I'm just a 16yr student VB programmer (medium skill). My experience with digital electronics is light to medium (I've done some microcontroller/serial(usb and RS32) interfacing). So, maybe I might help. But most of all, I just want to be a part of this and watch people better at this at work. So here's my scope of things: 1)New versions are now out of Dakota called the PV2, available in blue (no LCD) or red (w/ LCD) chipset based on SMal 2)Red is preferable for the feature of LCD 3)Commands can be sent but only up to 36 bytes b/f a timeout, after which the camera must be reset by i/o the pwr (I assume through a make shift USB connection probably on Linux written apps) 4)The camera most likely needs to "unlocked" before we can send real commands to it. As far as the "unlocking" goes I'm not quite sure where to go. Except one thing hit me. I bet it turns out to be nothing, but it's worth a try. Someone said: "you had to "log in" with a four-byte code before it operated normally." when talking about the "old" blue camera. Perhaps, you must do the same on the new PV2 reds. I think I heard that that code was the USBprodID or something. But, if these new ones are increased security, then it's probably not that easy. Then I noticed many saying that their device ID was originally DAA04190nnnn but then after fiddling with USB stuff it changed to LAMSSMAL0000. This leads, obviously, to questions. Maybe "nnnn" is some type of unlock code like the old versions? Perhaps this is an indication of a memory flash. The firmware obviously isn't flashed b/c the camera still works. But what about the other memory. There's three memory modules: 128kb, 8mb, and 16mb. One for pic storage, one for firmware, and another probably for like scratch pad RAM-- or setting storage seperate from the firmware. If this was possible, then that means this device ID reset could mean you flashed one of the mem modules just not the firmware. I'm not sure if the pic storage is flashed when this ocurrs though. Because the SMal processor looks for info like device ID after being flashed and doesn't find it so it gives a defualt of LAMSSMAL0000. If so, it's possible that this could render device interface impossible. Has anyone fooled around with the nnnn? Just a guess, I'm probably in way above my head and just wrote a bunch of crap so just let me know if I did. This is just my immediate pondering. Keep up the good work. 06-29-2004 20:26:31

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile To redwood: Don't worry, SUCR hasn't been DMCAed. But Windows does seem to make things unnecessarily confusing and nondeterministic, both for the end-user and the software developer :) In the instructions there are two different installation methods - which did you use? And did you try the other one? It seems that for different people, Windows (even the same version, etc.) will decide that it likes one method but not the other. I tested various versions of SUCR on Windows 98/98SE, 2000, and XP, and it "worked for me" in each case, but I have heard plenty of cases where it didn't work for someone else. :( (If some drivers are installed or partly-installed already, they may have to be removed first, e.g. remove the libUSB-win32 "filter driver" that comes from libusb-win32.sourceforge.net and has a nice GUI installer (SUCR doesn't require or use this). There are instructions in the SUCR documentation to completely uninstall existing libusb-win32 drivers and/or phantom devices, but this involves Registry editing, not recommended for novices. I recommend doing this only under the supervision of your neighborhood guru.) When you right-click on the .inf file and "Install", you won't see anything to indicate that it's actually been installed--e.g. there's no installation screen or any message that pops up. If you're lucky, you'll might see your mouse cursor turn into an hourglass for a moment. To test if the libUSB stuff is installed properly, run testlibusb*.exe included with the package. You should see the device IDs of your USB devices listed along with a long page of garbage describing their interfaces, power requirements, etc. You can also check the About > LibUSB Version... menu in SUCR to see if both libUSB files can be accessed by it (and the version of each). You should see "0.1.8.0" or similar there; negative numbers will indicate an error. Good luck! 06-30-2004 21:18:16

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile To coolnetdude: I wondered something simiar-ish when I saw LAMSSMAL0000 - it seems like a strange thing to re-initialize the ID to. Why not SMAL00000000 or simply 000000000000? (Note from Captain Obvious: LAMS is SMAL spelled backwards) Although again a snowflake's chance, it would be really nice if this turns out to be a hint placed in the firmware by a sympathetic PV2 developer, which is "triggered" by ham-handed hacking attempts like those a few of us have tried already. For example (since the similar SMAL cameras take a "command" of always 16 bytes, and the PV2 takes 36 bytes)...16-byte command backwards + 16-byte command forward + 4 zeros (or perhaps a 4-byte checksum) = 36 bytes? I haven't tried it yet since my PV2 is still torn apart in the EE lab where I work, awaiting a FLASH-ectomy. I'll wear a dress^H^H^H^H^H tie to work if it turns out to be that easy, though. 06-30-2004 21:34:18

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile Great Googaly Moogaly!!!!!!!!!!!! I have a Working Camera!!!!!!!!!! thanks Drmn4ea, you helped PUSH me into un/re/un/re/un/re-installing.. untill I had Success!!!!! Thanks to Hondaman, for keeping me on track... Thanks to all those who have contributed to this hack! Thanks to T.R.Gipson, for writing sucr !! Thanks to John Maushammer for the Driver !! and, forgive my Wild posts while I was Frustrated!! :) 07-01-2004 12:21:11

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) coolnetdude Profile WAIT!? Redwood: Are you saying that you have finished the hack for the red PV2? If so, leave the instructions for us. And, if possible, leave source code to see it (or just explain). Thanks! 07-01-2004 15:54:50

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Hi guys I'm new here, I've been reading your thread with great interest and I'm currently awaiting delivery of 2 PV2 cameras with LCD. You can order them off Ritz Cameras website now. Unfortunatly they only have the red PV2. Considering the price of these babies they're perfect for risky things like kite fotography, hobby rockets and homemade underwater cases. Plus I can't resist a good hacker challenge :) @coolnetdude You mention a 128kB memory. I haven't seen any references to that anywhere else. Are you sure? and if so where on the PCB is it located. This memory would obviously be the program memory which is of great interest. @all The limited documentation available suggests that the firmware is USB upgrade-able, this is significant since it means the firmware is stored in flash somewhere. The documentation doesn't mention anything about internal flash for program storage so hopefully we can find the code on the external flash memory. Hmm, is there any firmware update for the fuji axia eyeplate? It would be interesting to see what happened if you tried to upload it to the PV2 Regards 07-01-2004 15:59:01

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Daskins Profile i am also reading this thread with excitement beacuse maybe someon found a hack for it :) umm sorry to ask this dumb question but, how in the heck do u turn of the flash on this camera lol i did not save the instructions booklet or antyhing 07-01-2004 16:02:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) coolnetdude Profile LOL! I just realized this. Hondaman900 said the following: "it would be cheaper to buy a 1.3MP digital cameran incl. software and cable from Pep Boys (<$50). " Pep Boys? I'd like to see anyone go into Pep Boys and ask for a digital camera. HA! That's a car repair shop! Unless you're talking about a local place! HAHA! 07-01-2004 16:13:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) coolnetdude Profile I must correct myself when I stated that there was a 128k memory IC. I could have sworn I saw that somewhere, but now I can't seem to find it. Thus, I must have just been stupid. But that still doesn't remove the quite highly possible idea that the SMal chip has internal program memory. Too bad this is a custom SMal or else we would know from specs. I don't know what everyone's jobs are but maybe someone has access to equiptment to open the SMal IC and scope it out with a high-power microscope. Maybe that's farfetched, but I believe it is possible. We could definately learn a little from that. 07-01-2004 16:27:10

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) redwood Profile I got my 'Old Blue' camera working.... 07-02-2004 07:49:15

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) klothga Profile While waiting for iron to heat up, I took a look at the power supply board. The largish 'chip' under the big capacitor is a TDK transformer, http://www.component.tdk.com/SRW10EPC-U01H003.pdf The component under the flash unit is a IGBT from Fairchild, http://www.fairchildsemi.com/pf/SG/SGU20N40L.html U2 is a Nc7s04 inverter, also from fairchild. http://www.fairchildsemi.com/ds/NC/NC7S04.pdf#page=1 07-02-2004 12:43:15

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Ha! just got my shipment of PV2 cameras. I must say the quality of the LCD is a lot better then I expected. Now, where did I put that screwdriver.... 07-02-2004 17:28:18

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Just talking to myself here... One of my cameras lists the following info firmware 6410 hardware 06 typeID 27 ID daa041942128 Tazlibog is written on the PCB, probably the guy who tested it. The flash capacitor tickles nicely, but it hardly compares to the 90kV capacitor bank I play with at work. 07-02-2004 18:03:06

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) klothga Profile Grr.. well, my attempt to play with the flash failed. I probably could get a decent connection 'dead-bug' style, but soldering to the existing connections, I'd need finer wire and tips for my iron. It's like trying to carve fretwork with a chisel and sledgehammer. The part placement is off a fair bit, and there seems to be quite a bit of solder for a modern PCB.. wonder what their yield is. Anyone else manage a flash dump? 07-02-2004 19:07:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile @klothga I'm going to attempt it sometime next week. I just need to solder up a 3.3 volt interface first. The IO ports on the flash won't handle 5v logic. I have some new solder tips at work, I hope they're small enough. 07-02-2004 20:12:42

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Interesting development here. I just took apart mu 128Mb USB drive, it contains a small controller and a Samsung NAND flash chip with identical pinout to the one used in the PV2 camera. http://www.samsung.com/Products/Semiconductor/Flash/NAND/1Gbit/K9K1G08U0M/K9K1G08U0M.PDF With a little bit of luck I'll be able to transfer the flash from the camera to the USB drive and read out the content. This ofcourse depends on wether the content of the camera flash is written in the same format as the USB flash controller expects, probably FAT12. If not it might still be possible to bitbang out the content, does anyone have any info on accessing the raw data on a USB drive? The controller is a LEXAR media FC1610-TC-AJ MH28F-LX714AJ 0341 07-03-2004 14:05:40

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile hoppsan - cool idea. What brand usb memory stick do you have? it sounds like it would be easier to solder to a board rather than deadbug. Only half the pins are used; I wish they had used every other pin so that I could be messy with the solder -- but, instead, it's just the pins near the corners that aren't used. I've got an I/O board to bitbang with; I need to do the 5->3.3v conversion *while* deadbugging.. I may need an adapter PCB so that it doesn't fall apart into a million shorted pieces. hopefully, someone will get a firmware suck! That should settle the question where the firmware is. (I didn't see any activity one either memory chip while waiting for a shutter-press; there could be lots of reasons for this.) 07-03-2004 15:11:20

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile It's a simpletech USB 2.0 flash drive. I got it from PC club a while back. It's still listed on their homepage. The USB board has convenient VIAs on every connection from the flash chip so it looks like it will make the job a little easier if interfacing the flash directly becomes nescesary. They're still pretty tiny though. 07-03-2004 19:12:12

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) klothga Profile Ah, for me the 3.3V interface is easy.. I just flip a jumper on the AVR devkit. I may break down and dead bug, but I was trying to avoid desoldering the sucker, as reconnecting it will be a pain. I also just got some samples in of Analog's iCouplers to play with. Supposed to make 3/5v level shifting easy. 07-03-2004 20:15:13

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Come to think of it. It's easy enough to verify if the firmware resides on the external flash or not. If it does it certainly wouldn't execute from the flash due to the crappy random access times. The firmware would therefor have to be copied from external flash to internal ram when the camera comes on. If there's no activity on the flash when the camera starts up the firmware resides internally. I don't have a scope at home so I'll have to wait till tuesday, can anyone else check before then? 07-03-2004 23:50:12

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Well, bad news. I transfered the flash to the usb drive and nothing happens when I plug it in to the computer. Hopefully I didn't toast the flash when I removed it. The camera gives off 4 beeps when I try to turn it on without flash, so at least it looks for a flash for some reason. 07-06-2004 14:00:34

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Scratch that, it was just a bad connection somewhere. I poked around a little bit with the soldering iron and now the computer recognizes the USB drive as a Jumpdrive and asks for drivers. I'm running on win2000 so no drivers should be needed. I presume the data on the camera flash isn't stored in the right way. 07-06-2004 15:15:54

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) DeadMan Profile Thanks for the hint hoppsan... :) My pv2 gave 4 beeps after i removed and reinstalled the flash. (might have erased the flash or changed the checksum?) I am thinking about buying a usb pen drive and try hooking up the usb-drive to the pv2 with the flash installed and see if that works. If this works then i would use the pen-drive usb port to get the pictures. I need to get a fresh flash image or buy another camera to continue. Anybody know if there are swapped around address/data/control pins on the uC <--> flash? 07-06-2004 19:24:57

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile Anybody got any information about the power management controls for USB? I was playing with the USBIO tool from Thesycon - http://www.thesycon.de/eng/index.htm - and I found on the "Other" tab that there was a mechanism for setting the power management level on the device. Setting it to anything other than D0 caused the camera's ready light to go out. I scanned for info on the web, but couldn't find much. The only thing I found suggested that the power management levels were set using a Feature Set message to the interface. I tried this from Linux (having updated my little tool to support more message types) but just got broken pipe errors back. Since there were no power mgmt descriptors, this is perhaps not a big surprise, but I wonder how Windows did it... If anybody has a decent USB sniffer setup I'd love to see what happens when the USBIO power levels settings are used on the bus - then perhaps I can replicate it in my tool. I'm hoping that it is enough of a power-down to reset the camera (allowing me to do more automated probing of the camera). I also checked all the string descriptors - nothing there that wasn't expected except, perhaps, for the 'OK' string associated with the configurations. Why have that when they could just have it set to zero if they didn't want to have a real description for the configuration? 07-08-2004 22:07:24

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile The camera gives off 4 beeps when I try to turn it on without flash, so at least it looks for a flash for some reason.[/i Argh! hoppsan and deadman, you realize what that means? There is at least a bootloader in the ASIC. It might do some sort of crypto decode of the firmware from the flash, but I'd guess that it won't be that tricky (I doubt SMaL would have any other customers that want that level of security). Then again, it might be easy for SMaL to change the bootloader to include that feature. This, of course, lends itself to a wonderful opportunity. The bootloader should be able to support a firmware upload... if it isn't PureDigital-specific, then it'll probably be compatible with SMaL's other cameras. It may work through USB, or it may work through some serial port that we haven't noticed yet. It would be interesting to see what the USB port reports without a flash memory, and if it is more accepting of commands. Of course, it could be that all the firmware is in the ASIC and that it's just complaining because it can't get to the start-up-screen picture data (that most likely is stored along with the other pictures). Any chance of anyone taking detailed close-up pictures of the board with the flash removed? I'd like to know which vias go where so it's easier to probe up and watch during normal operation. If no one else does, I'll probably post some pics next week when my TSOP adapter arrives and becomes the new home for my memory chip. The USB drive option looks especially good now. Could you get a part number off of the Simpletech control chip (chips) so I can see if it's accessible at a low level (I'd like to read the ECC data. And the code, which probably isn't stored in the filesystem). good work! 07-09-2004 19:18:22

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile @Morcheeba http://pulsedpower.usc.edu/newpage/images/IMG_0921.JPG Some form of firmware does indeed recide internally, only question is how much. It would indeed be most interesting to probe the USB port without flash and see what happens. The only info I have on the USB controller is what I posted 10 posts up. I haven't been able to find any documentation on the chip. There must be some standard way to read out the raw data though, for file recovery etc. Sadly I'm not an expert on USB protocolls. @Deadman Make sure your solder joints are good, prod them a little bit with a tiny tipped soldering iron. It's very hard to accidentally erase a flash chip. You're more likely to have a bad connection or perhaps you fried the flash with some static discharge. Has anyone else noticed that there are several test points on the back of the PCB (see picture). They look like large vias with exposed copper. There are especially two groups of testpoints that are interesting. One is located close to the upper left corner of the flash and one is located at the lower left corner. They are groups of 5 and 6 test points. I'd bet good money that at least one of these groups make up a JTAG interface. Currently my bet is on the lower left group as the testpoints connect directly to the SMal chip and they seem to have pullups on them. 07-10-2004 11:46:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Hondaman900 Profile Bought an old blue model, "installed" a 4-pin connector from the audio link off a dead CD-ROM drive. Built a cable - worked first time brilliantly. I'm saving my Red PV2 for that eventual hack. See other "Dakota $10.98" forum for details of my free hacked connector. BTW, Ritz in Sacramento (Arden Fair Mall) has loads of old blues. Reno Ritz is sold out. Stephen 07-10-2004 12:20:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Hondaman900 Profile Forgot to mention that Pep Boys do actually sell cheap digital cameras in this area - I wasn't wisecracking in my previous post :) 07-10-2004 12:22:04

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile Hoppsan, I had been wondering about the liklihood of a JTAG interface too. I was also wondering whether it might be brought out to the external connector, but I just buzzed out all the test points around the flash chip and none seem to be appearing on the edge connector. I also tried quickly shorting each of them to ground & Vcc to see whether that would have any effect (looking primarily for the #TRST signal line that should be in the JTAG collection). None of the lines had the desired effect of resetting the camera. In fact, only one had any effect at all. On the photo at http://pulsedpower.usc.edu/newpage/images/IMG_0921.JPG it is the right hand one of the two closest to the top edge of the flash chip. On the subject of bootloader code, I strongly suspect that there is something of that nature as only the first block is guaranteed to be error free - that wouldn't leave a lot of space for code, so I guess that there is a loader in there to transfer the code from the "file system" that is in the remainder of the flash. 07-13-2004 22:42:45

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile A few more discoveries, and thoughts... Oregon Scientific's DS6628 camera contains a description for SMaL vendor/product pair 0dca/0013 called "Oregon Scientific DS6628 (BTLDR)". When I modify this .inf file to include the 0dca/0027 pair the driver will open the camera device (the LED illuminates which only happens when a configuration is selected). The device status is not read though, and when I tried to get images I was informed that the operation was not valid in bootloader mode (notice the BTLDR in the description string). So, I went searching online some more and found the drivers for the Che-ez Foxz2 camera (driver download at http://www.che-ez.com/download/driver/foxz2/Foxz2.zip for anybody interested in playing). Inside the .inf for that one were the IDs 0dca/0023 (Foxz) and 0dca/0024 (Foxz2). Once again I added the PV2 ID pair to this file and the driver managed to initialise the camera. Once again though I was presented with the "operation not permitted in bootloader mode" error message and while the TWAIN module started, it did not allow me to do anything (and all the counters etc were zero). I am now wondering whether there is in fact no USB software on the cameras. Instead, it is downloaded using whatever this bootloader mode is in the store. That might explain why they were so confident that this one would be harder to hack If anybody has access to a USB analyser, I would love to see what happens between the Foxz2 driver and the camera (once the PV2 ID line has been added to the .inf so it will recognise it). I wonder how it detects that the camera is in bootloader mode... and I wonder what commands need to be issued to download code to it. Also, if anybody has a camera that still has its original ID (mine has the LAMSSMAL0000 ID now) I'd like to know if the same message appears for you (just in case the bootloader mode is something the camera drops into when that ID is not set - like it might need to when being setup in the factory for the first time). 07-14-2004 01:43:36

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Locosmotion Profile Hi all, first post here and sorry if its not up to everyones level as I am just starting my study to become a EE. I plugged in my pristine pv2 camera (Still shows DAA... under the firmware page). I modified the .inf file to reflect the pv2 vendor/product id. The camera took the driver and initialized (LED lights up)however, when I try to initialize the TWAIN I get an error occured while retrieving pictures (could be the image editor giving this error rather than the TWAIN) then if you try again it "gives operation not permitted in bootloader mode". After I did this I checked the serial on the firmware page and it still reads DAA... I hope this helps some. 07-14-2004 19:56:34

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) j94501 Profile Locosmotion, thanks for that confirmation. I would like to find out if any of the other cameras based on SMaL chipsets have shipped firmware upgrades. I couldn't find one for either of the two I downloaded drivers for, but perhaps there are some out there. Also, if anybody has a USB bus analyser and can capture the trace of one of these drivers during startup and when you try to download photos, I'd love to know what it is doing to determine that the thing is in bootloader mode. I seem to remember that there was a software USB bus analyser available for Windows, so when I get a chance to play some more I will try to find that and install it. 07-14-2004 23:44:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) billwiley Profile Has anybody considered the possibility that Ritz is using 2 firmwares for the camera? Maybe there's one limited firmware that is on the camera when you purchase it - it has all of the code for regular picture taking operations and firmware updates, but no bulkload facility. Then when Ritz gets the camera, their software updates the firmware in the camera to a version that contains bulk download code. It does the bult download, and finally restores the limited firmware back to the camera again. To hack such a version you'd either need to write your own bulkload routines and update the firmware with them - a huge chore, especially compared to the original Dakota hack. I don't really have the skills to follow up on analysing the existing firmware, but I thought I'd throw this out there as something to keep in mind. 07-16-2004 10:52:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 1 times) mako Profile I found this USB snooper through Google: http://benoit.papillault.free.fr/usbsnoop/doc.en.php 07-16-2004 14:48:15

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) sarain Profile I haven't purchased one of them yet but has anyone tryed to look up FCC info on it. If someone could post an FCC id (if it has one on it) ill go check it out. Ive found schematics, manuals, and other valuble info for products, accessable from the FCC site. Who knows, they might have sliped up and forgot to request that some of that info be kept confidential. Time travel is real, unfortionatly my reverse is broken and im stuck in 1st gear. 07-20-2004 03:36:16

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile hi there! i don't have a PV2 and i'm not planning to get one. probably the people at SMaL did or at least helped with security, and i think it's fair to say that if they can design a cam, they must be able to implement some simple security right. it's really easy to make the cam "unhackable". the NSA could have the whole firmware listing and there would be no chance in hell they'd be able to download the pics if security was done well (that is, just by writing software on a PC, without resorting to supply voltage spikes, signal injections, etc...). and you don't need getting into public key criptography for that, SIMPLE code would do (i'm not giving more details just in case they didn't bother to implement security right, and they still don't know how to --we should be so lucky!). what will probably happen is this, someone will pull the flash out and read it, and find no firmware there. or else he'll find it encrypted. to do this you can try a smartmedia usb controller and use some hidden raw commands that should exist, as some people have suggested. but the "do it today" method is simpler: breadboard, 3v source, voltage converters, some surface mount test board where you can put the flash, and connect the whole thing to the paralell port. crude but simple. an even simpler way would be to just stuff the flash into a dakota an read it through the usb. the firmware would have to be patched in the 2 or 3 places where the flash is written, so as to do nothing and return an OK status (i'm familiar with these routines so i could do this). still, like i said, i think you'll find nothing there. somewhat more promising would be a snoop of the cam talking to the developing station. however if security is done right the cam should be defended correctly against playback attacks and this wouldn't be useful either (the sure thing would be to get the station software of course, how about THAT for a brainstorm!) what i mean is, if security was done right we're gonna need inside info or we're busted. otherwise we'll be stuck with the unatractive option of a hardware hack to access the flash ourselves, which maybe someone will like but i don't. as a side note: if the firmware is indeed downloaded form the flash it wouldn't make much sense to have some "big" internal ram to place it for execution (except for security reasons, but remember this is probably not a custom "single-use" chip and it wasn't designed with security as a first priority). a better option would be to use the dram, which has enough bandwidth for this purpose. so if the code is encrypted in the flash, maybe it's decrypted when copied to the dram. (but again, even while having the firmware listing with nice comments and all, the cam may be impossible to hack.) but here's a downer: as i said, the controller is probably not a custom chip. it's probably designed to use standard interchangable smartmedias that don't have any firmwares on them. chances it's there on the PV2 are slim. even so, the design could have an internal short bootstrap that normally loads from an external dedicated code flash, and that was changed for the PV2 to download from the picture flash. that's a reasonable change. but think of it, if you have a code flash why bootstrap from it in the first place? why not just run from there? sorry guys, it seems higly probable you'll find nothing in the flash. but there's only one way to be absolutely sure.... meanwhile i'm saving my money for a proyect with better prospects :) -R 07-20-2004 04:14:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile I disagree. DVDs were supposed to be un-hackable, now you can deCSS a dvd with 6 lines of obfuscated perl code. This is a simple device, and we'll hack it. Remember its not the money, I'll invest $6000 worth of engineering time to get what amounts to a $75 digital camera. Its a hobby. Which brings me to my next idea: Lets get organized. We've got a lot of people messing around with this thing, lets not all reinvent the wheel. I can see a lot of what's done earlier in the thread, what can we do next? If nobody has any other advice, I'm going to try to dig up the datasheet for the SmaL Asic. It looks like our best chance of success is to reprogram the Asic to do what we tell it to do. The hardware is simple (and standard) enough, and from my poking around, it looks like any encryption must be software based. If we can get a datasheet for the Asic, we're well on our way to a useable camera. Now, some manufacturers (especially cellphone-type devices) require an NDA before they release a datasheet. If this is the case, we're outta luck. I bought one of these things 2 days ago at a local CVS. If I can't hack it, well, the LCD is nice, and will become part of a hobby project someday. 07-20-2004 07:04:50

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) DrDootz Profile All, From reading the thread, the bootloader term is interesting to me. Working with uP's in bootloader mode, you had to load a "talker" before the unit would communicate over the RS232. Maybe this camera requieres a USB talker to be loader before it can communicate over the USB. It could be that the first thing it looks for in the bootloader mode is the USB talker. If it doesn't get it then it hangs until the camera is reset again. Once the talker is installed, the camera would accept standard USB commands from the PC to download the pictures. Just an idea, DrDootz 07-20-2004 11:59:50

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile No luck. SmAL will not even send you purchase information or datasheets for the development kit unless you're a current customer and have an intended volume of 10k or more. Any ideas on what to do next? Would be nice if somebody had a usb sniffer between the camera shop's equipment and the camera. Otherwise I'm going to take a few pictures and try downloading a flash image manually. 07-20-2004 12:09:25

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile when you decide how you'll try to physically extract the data from the flash, please tell us, i'd like to know. (BTW, i think CSS was "hacked" after you could download a software DVD player to you PC and reverse engineer it. otherwise, the CSS must have been ill designed. (i understand both are true, software players were available, and CSS wasn't well designed.) by analogy, if we had the developing station software we wouldn't have any troubles... :) ) 07-20-2004 15:53:33

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) sarain Profile Could someone please post the FCC ID# found on the device (assuming there that it is there). 07-20-2004 19:35:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Lanchon: I'm soldering on about 22 leads (its a 48 pin package, but most are NC) and I'm going to read it through a breadboarded PIC microcontroller, and feed the results serially to a PC through a level translator. I'm hoping that I can discern something that looks like a .jpg when I start slicing up the data dump that I get, but basically I'm looking for jpg headers. I'm going to lift the vcc lines and solder onto the chip while its on board. With any luck I won't backpower the asic through the data lines or this will be harder. Sarain: No FCC ID on the device, just a label that claims it complies with FCC part 15. It probably does, I think the crystal on board is pretty slow. It only needs an FCC ID if it connects to the telephone network, or if its an intentional radiator (like a radio transmitter). 07-21-2004 07:27:18

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Update: I'm still soldering at the moment. Its slow going because 1- I've got family in town and 2- I almost sliced the last 2 fingers off of my left hand cutting onions 2 nights ago. On the other hand, I've got a friend of mine (a firmware engineer) interested in the project and he's going to be writing the uprocessor code to read the flash and feed data to the PC. Incidently, does anybody have a good tool to read a hex data dump that's poured into a PC serial port? It would save us some effort. 07-22-2004 07:09:47

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile Drmn4ea, you mentioned that you had access to sm soldering/unsoldering equipment. would it be possible to solder the flash in an "old blue" dakota in order to read it? the flash of both cameras are same package type? (i don't have a PV2) 07-22-2004 09:43:02

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Great idea. I've got the equipment here, as well. Anybody have an 'Old Blue' camera in the Atlanta area? If so, look for K9F2808U0C YCB0 or similar. 07-22-2004 11:00:54

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) mycroftxxx Profile @piles_of_spam how do you intend to make use of the LCD display? I'm having trouble with the .PDF, is it fairly easy to interface with? 07-22-2004 21:29:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile Some thoughts... DVD's have a different security model from this camera. With DVDs, the customer must be able to view the decrypted data, so ya' gotta give them the key. If you do that, it's security-by-obscurity, so it's only a matter of time. With this camera, the customer doesn't need access to their data, so you don't need to give a key. The exception is the preview of the last picture; you can save that at low-resolution and save only the last one, making it pretty much useless. old blue camera to read flash = good idea! BTW, I got a cheap PNY 128MB USB key, and it uses a 16-bit wide flash. The controller chip is the latest one (T4) and probably capable of reading it, but I couldn't find any documentation on it. Hopefully I'll get access to some good soldering equipment in the next week. I got my TSOP-to-DIP adapter, so it should go easy. The blue-camera-flash-read might have been easier; I might still try that. PoS - right on. It's a hobby, not a financial deal. So far, I've spent $125 in materials on the PV2. I've tried to explain it to future employers as something like a crossword puzzle... I can got back an plod through the firmware and annotate a little more and eventually start putting pieces together. Lanchon - an alternative to big internal memory for a copy of the executable code is just a cache. As this is cost-sensitive, I'd bet SMaL has a small TLB to allow easy execution from a flash memory with bad blocks. A logic analyzer at bootup should answer some questions... 07-23-2004 11:50:43

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile microftxxx - the lcd is fairly easy to interface to: CLK, VSYNC, HSYNC, and 6 parallel data bits. As for controlling with a microcontroller, the hardest part I'd think would be finding one with enough memory to form a picture -- the display is 280x220 (each dot is one of 3 primary colors, unlike how most computers define their screens), so it's about 60kB of information displayed. 07-24-2004 08:59:12

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile @Lanchon: A great freeware serial-port-to-disk utility: Hercules Setup - http://www.hwgroup.cz/products/hercules/index_en.html . Used this extensively while debugging some micro-to-CompactFlash stuff at work. The Flash memories used in the old vs. new Dakotas look identical, as far as I can tell ("only" difference is one letter in the partnumber, K9F2808U0B-YCBO vs. K9F2808U0C-YCBO for the Old Blue). Only trouble here is that the classic Dakota expects to find blocks of configuration data at certain places in the memory; transplanting a new one could prevent the camera from coming up, or worse, it could try to overwrite data and corrupt whatever's on the chip before it can be read. (Someone experimenting with Rodrigo's firmware-writing utils [http://www.balerdi.com.ar/dakota/ ] tried flashing his Dakota with a newer revision, but when it got to the point of reading the (incompatible) config block formatted for the old version, it would do nothing but beep repeatedly. Wasn't completely hung--they could still reflash the old firmware.) It sounds like piles_of_spam is already close to being able to read out the PV2 Flash. My super-duper-PIC-board (microcontroller, RS232 level converter and interface plug, and rows of .100" headers for all the I/O ports, on a 2" by 2" PCB) is still vaporware at the moment, it'll be some weeks yet before the boards get made (depending when the next 'official' project has boards made, and how much space is left on their layout). If the chip is still unread by that time, I'll try to rip the one off my PV2 and read it (all original data, no pictures taken yet). On a totally unrelated note - anyone know what CMOS sensor is in the PV2, or at least how to identify it? Is it the same (Micron MI-1300?) as in the old camera? 07-24-2004 21:51:01

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile no idea on the sensor. I tried to photograph it, but I'd need a real microscope -- my bellows aren't enough. Chips are naturally hard to photograph to get good contrast, and the color filter in front of it doesn't help at all. I'd be stoked to find the resolution (*REAL RESOLUTION* not what puredigital will up-scale it to) or see a sample image. 07-25-2004 00:31:42

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile Drmn4ea, regarding the two problems with reading the flash in the old blue... as i said in my first post, i know the 2 or 3 places in the firmware where the flash gets written, so it'd be easy for me to patch the firmware to do nothing and return OK. an even safer trick would be to write-protect the flash using the WP pin. not absolutely guaranteed to work, but at least it wont corrupt the flash. and it's true, maybe the dakota hangs if it doesn't find the configuration areas in the flash. patching the firmware to avoid this can be harder. but precisely because of the story told by the guy who used my tools to flash an improper version of the firmware and got the "Er" message, i think the dakota enters a mode in which it continues to respond to usb commands and that i guess would include the basic "read/write to external mem" commands needed to read the flash, otherwise he couldn't have reflash the cam back to its proper version. to test the "read/write to external mem" commands, one would start with an old version firmware, flash the new and get the "Er" message, now test the commands (get a firmware dump, for instance), and flash back to the old firmware. again, the camera may hang with the flash replaced, but i would'nt corrupt the flash. morcheeba, there are a lot of reasons why a cache would be a poor design choice. it'd be expensive, complex and slow. the page size (0x200) is way too large, and there should be full suport for all flash operations in hardware (otherwise, what if during a flash access op there's a cache miss?). and most of all, not all cams have flash, and most of those that do can't have the firmware in the flash. it would be hardware with no use most of the time. and besides, dram is better suited and must always be there and you don't need to cope with defects and contents need not conform to a particular standard. there's probably no such cache. if code is in the flash in this cam, it sure is copied/decrypted to somewhere else. people, i thought of a way to hack this damn thing. it's easy, low tech, and could really work. but for reasons that'll become obvious i don't wanna post it here. those interested post your mangled emails here. or if you are concerned about doing that mail me at lanchon at hotmail (but how will i know it's really you?) 07-25-2004 13:26:24

pull-up resistors for data-outs could be configuration inputs for SMaL chip. (modified 0 times) newbee Profile It is a standard practice in industry to use those pull-up resistors for data-outs as configuration inputs. Not sure if that is somebody's patent or not but I have seen a lot. 07-25-2004 14:11:00

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) anikin_sniper Profile | Email anyone ever thought about just switching the two chips....we know the old blue was designed to be more than what it was...perhaps it could be easy patched to handle the lcd...if you cant figure one chip out but have one very similar perhaps the switch and mod the old firmware? Just throwing ideas out there...my soiderwork is too inconsistant for work like this 07-28-2004 02:19:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Gonna take longer than I thought- the asic seems to be back-powering from the data lines and it tries to take over. I'll need to lift the data lines and re-attach wires as well, if I haven't killed the chip- I think first I'll solder it back down and take another snapshot. I'm having trouble reading the pdf for the lcd- morcheeba, where did you find a readable spec? Looks easy enough. In addition to the lines you have listed, I think there is also an analog brightness and contrast. This is just a shot in the dark, but has anyone taken all 25 pictures and tried to talk to it? 07-28-2004 11:43:23

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Hi again guys. I've been very busy at work lately so I haven't had time for the PV2 hacking. I did find some time today to do some probing. Using a very fine tipped probe and a tektronics scope i was able to look at the flash activity one pin at a time. When starting up there's about 5 seconds worth of activity on the flash data pins and control pins. Most of the activity seemed to be read operations. The WE pin on the flash went active occasionally but not very often and for very short periods of time. I would guess this minimal activity was due to commands being latced into the flash and no actual writing of the flash took place. There was quite a bit of activity on the R/B pin as well as the CE pin. When turning the camera off there was a lot more activity on the WE pin indication that some data was being written back to the chip. Probably number of pics taken or something. This activity lasted for less than a second. There was no activity while the camera was idle, There was some activity everytime a button was pressed. The status screens are probably stored in the flash. Taking a picture resulted in 5-10 seconds worth of activity as expected. The datapins operate at roughly 1.25 MHz. There is a very sharp spike of 25ns preceding each bit, possibly caused by bad logic design. This might be important if you intend to hook it up to a logic analyzer. Trace showing activity on IO pin 0 http://pulsedpower.usc.edu/newpage/bit0.bmp 07-28-2004 14:24:42

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile regarding reading the flash in the old blue, some have concerns about the cam not starting cause it cant find config data, and also about the cam corrupting the flash. both are legitimate, but this takes care of them: first, test that the cam will start up to a point of permitting flash dumps without the proper flash. add a switch to override flash CS to disable. or just constantly disable CS. plug the cam with CS disable. even if the cam shows "Er" or whatever, if you can dump the firmware in this condition then you could dump the flash. then proceed to read the PV2 flash. now we need the switch, a full CS disable won't do. transplant the chip. and watch it: before turning the cam on or off BE SURE TO DISABLE CS!!! it may write to the flash during startup and shutdown (but not while idle), and would corrupt the PV2 flash (also be shure to disable CS before shutting down even before transplanting, for the same reason). now plug the cam with CS disabled (it must start now because you tested it would). after startup, flip the switch to CS enabled. now dump the firmware. and before turning off switch back to CS disabled. (to be totally sure, you could configure your bios so that the PC stays off after a power interruption. otherwise, it would powerup the cam with the switch set to CS enabled and could screw the flash.) hoppsan, the initial activity you saw probably was the firmware reading the flash out-of-band (spare) data in order to build the relocation table of the FTL. earlier i said i thought of a way to hack the cam. i'm reluctant to post it here cause ritz or smal or whoever could be monitoring this thread (conspiracy theory; if i die my lawyer has an envelope). noone posted their mails, but some have mailed me. i don't know if they are who they say they are. they probably are. i could just trust, but instead i'm gonna ask some of you to post silly things so i can check. for the rest that haven't participated in the discussions, i'm sorry, i'll guess you'll have to wait till this attempt fails or succeeds. but think of it this way, do you want the camera hacked? 07-28-2004 17:17:02

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile Lanchon Lightbulb! ;) Yeah, the initial activity could very well be just FTL data. There is no way to know without a decent logic analyzer. Come to think of it, the 25ns spikes I see on the datapins could be the effect of the flash dataport switching from read to write mode, again we need a decent logic analyzer to really know what's going on. Perhaps it's finally time for me to build one. 07-28-2004 18:38:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile K9F2808U0B-YCBO vs. K9F2808U0C-YCBO the difference apears to be a generation change: B : 3rd Generation C : 4th Generation Part Org Voltage Temp Speed(ns) Package Simulation Production Comments K9F2808U0C 16Mx8 2.7~3.6 C,I 50 48TSOP1,48WSOP1 VHDL,Soma Mass Production 0.12um K9F2808U0B 16Mx8 2.7~3.6 C,I 50 48TSOP1,48WSOP1,63TBGA VHDL,Verilog,Soma EOL(Feb,'04) 0.15um i guess they should be totally compatible 07-29-2004 00:32:00

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile piles_of_spam: >the asic seems to be back-powering from the data lines and it tries to take over. I'll need to lift the data lines and re-attach wires as well, if I haven't killed the chip- I think first I'll solder it back down and take another snapshot. i hope you haven't done that yet! there's one thing you could try first. instead of letting the asic backpower through its I/O protection you could fully power it but killing the oscilators. these chips tend to be highly configurable hardware-wise and there is quite a chance that the I/O pins are sort of dual/general purpose, and so they could wake up in high-z.... if the asic still lives. hope i'm still in time... 07-29-2004 00:46:39

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) chiusano Profile Has anyone had luck with transferring the chip to the old Dakota and reading it? Rodrigo - rifle chiusano@yahoo.com 07-29-2004 05:47:02

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) lunaraspirations Profile Lanchon: burritos..... :?) 07-29-2004 06:53:08

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) drider Profile Lanchon, I really hope you can help because I need another cheapo camera for my other vehicle. I keep them in my "ashtray" for just-in-case. Thanks. D. 07-29-2004 09:37:43

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Locosmotion Profile Lanchon...."Thermos" Has anyone tried what Piles_of_span said yet, filling the camera with pictures then talking to it? 07-29-2004 11:43:02

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) wakebrdpunk Profile | Email Hey Lanchon, Ive been in and out of the house lately so ive been playing catchup with the forums. I am totally willing to try anything out with my pv2... I only got one problem, I am not very good at soldiering. So if you got anything that isint too hard with soldiering im willing to try it out! wakebrdpunk@hotmail.com 07-29-2004 12:28:11

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Hey Lanchon- "bananas" Clever! Soldered the flash back down and it still works. I had a decent amount of resistance between the pic and the flash, so I didn't expect to have killed it, but now I'm back at square 1. I'll try disconnecting the oscillator- good idea. 07-29-2004 12:44:38

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile piles 'o spam - are you using this lcd pdf? Works fine for me -- what viewer are you using? If you send me an email, I can send you some screenshots from it, or re-print it with the Apple pdf generator. 07-29-2004 12:49:26

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Appl4U Profile Perhaps the Serial Number reset is some sort of self-disabling mechanism. Has anyone who had the serial number reset taken it into Ritz to see if they can still download the pictures? 07-29-2004 22:47:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) vthornheart Profile Hmm... okay, so I'm not the best solderer ever. =) Red went fine into pin 6, green into pin 8, black into pin 2... but when I went to put white into pin 9, my hand shook at just the wrong time and though pin 9 is in the right position, the solder that is holding it in has spread over to pin 10. I plugged it in, and I'm getting the two beeps that turn it on, and the USB icon pops up in the taskbar, but it doesn't try to find it. I went through the manual USB installation process (both methods that are explained in the readme file) and it still couldn't detect it. Suckfest! I've got to find a desoldering tube or something... ugh. Or since pin 10 isn't really used for anything, should it matter that the white cable connects to it and to pin 9 via the solder? -Vendal Thornheart 07-29-2004 23:40:49

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) toddtmw Profile I just picked one of these up. Doesn anyone know if there is a way to delete more than the last picture (Or all the pictures...)? This would be a great toy for my six-year-old if she could use it to take pictures and see them on the screen and then delete them and take more. I didn't realize you could only delete the last picture...that seems kind of uncool... -Todd 07-30-2004 11:56:20

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) macisaint Profile Anyone wanna try opening a PV2, putting a USB bridge inside, going to ritz, getting your camera developed with your laptop, linked to a fresh PV2 connected via USB and forward the data back and forth? 07-30-2004 15:13:36

RE:Hacking the RED Dakota PV2 (with LCD) (modified 1 times) Kudzu Profile Anyone wanna try opening a PV2, putting a USB bridge inside, going to ritz, getting your camera developed with your laptop, linked to a fresh PV2 connected via USB and forward the data back and forth? Nice try, but .. They keep the camera, and they won't allow you to hook anything up to the camera while they process it. 08-01-2004 02:14:03

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) klothga Profile Nice try, but .. They keep the camera, and they won't allow you to hook anything up to the camera while they process it. Yeah.. there's plenty of room for a USB capable micro and a small flash in the case, but the chances of getting the camera back after developing are between slim and none... 08-01-2004 13:30:28

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) jorwex Profile so...is this basically a lost cause? i read about these dakota's once and was near a ritz yesterday so i grabbed one, not knowing that the PV2 had yet to be hacked. should i just return it? i havent opened it. thanks! 08-02-2004 13:22:46

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile Nope- not a lost cause- I've not been able to spend much time on it due to an exploding toilet (got a mess of water damage to fix). HOWEVER- looks like the best chance of hack right now is to put a USB sniffer between the camera and the downloader. So how do we do that? Well, if anyone knows a Ritz, wolf, or willing CVS pharmacy employee that would help. Also, maybe anybody with a good usb sniffer could take up a collection here and slip the clerk $20 to give it a shot. Morcheeba- thanks- turns out I was having problems because I was still using vers. 5 of acrobat. Looks like an easy interface- Hsync, Vsync, then data in RGBRGBRGB. I'll probably end up using it in a remote-control project. 08-03-2004 08:14:42

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile @Piles_of_spam You really need to cut down on the chili dude ;) Has anyone heard from Lanchon, I'm still waiting for news on his devious scheeme? Also, about USB snooper. The best option would perhaps be to use a usb sniffer with a wireless transmitter. Does anyone know if they develop the camera while you wait? 08-03-2004 10:25:28

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) klothga Profile @hoppsan There's room in the case, but not enough for a 802.11 card and antenna :) Maybe a mini-pci? Still going to be a _lot_ of work interfacing it with the micro doing the USB sniffing. And not too many other wireless devices that can handle USB bitrates. If you're going to try to bribe a clerk (not something I recommend) you'd be better off putting initials and drawings on it and saying your daughter wants it back.. can you buy another one and put that in for recycling or something.. 'Course it would presuppose the afore mentioned internal sniffer. (Not that that is something easy to whip up, either..) 08-04-2004 11:04:59

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) hoppsan Profile There are wireless com chips significantly smaller than 802.11, granted not fast enough to relay the info in realtime but that doesn't matter. The micro could buffer the first couple of kB and retransmitt it at a slower speed. Hell, even just the first 36 bytes could be very helpful. Ofcourse the "my kid wants the camera back" solution is a lot better ;) 08-04-2004 18:34:13

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) oldman Profile | Email Hoppsan, etc; How about assembling a data recorder that saves to compact flash. Put it in a PV2 case. Take it to Ritz to get your pictures . When their machine cannot communicate with the camera, ask for the camera back back since you got no pictures. Take out the compact flash and read what commands their machine sent to the camera. Write code to do the same commands. Presto! Have fun, oldman 08-04-2004 20:05:39

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile serial transmitter: 6 pin SIP, 1.5 x 2 cm 100 meter range 3.3 V 10 Kbps (darn thing needs buffering) U$S 15 http://www.usbdeveloper.com/RFKit/USBDeveloper.RFKit.html#RF%20Communications%20Modules (too nice to give it away to pure digital :) ) 08-05-2004 03:08:21

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Lanchon Profile oldman, that could work to get just the first private command. but it's not that easy, you'd have to play as another peripheral in usb. this could be done using an old blue hardware (and case), but someone would have to write the firmware. (i can't... perhaps morcheeba??? :) ) a snooper-on-a-chip using a usb-enabled controller and storing a limited snoop in internal ram (kept on by batteries) seems like a much simplier approach. however a snoop is probably worthless. i guess these guys went from sunplus to smal for security reasons. do you think they did it wrong again? nahhh.... 08-05-2004 03:24:37

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) 02U2 Profile Lanchon, Thanks for the link on the serial transmitter. Off topic and not camera related, but I got a bunch of small battery powered pir sensors that I'm planning in using for wireless perimeter intrusion detection. 08-05-2004 10:27:15

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) piles_of_spam Profile OK- toilet's fixed, dishwasher's installed, and my fingers are more or less healed. Back to hacking- wife's outta town this weekend so I might have a flash dump soon. Also- I think you guys may have misunderstood me. I don't care if I get the camera back, because the idea of slipping the clerk a $20 is to LET me listen to what's going on in between. Basically, I'll have a shoebox with custom made cables in between the camera and the reader. Something like this: http://www.saelig.com/tracker.htm So- here's a plan. We get a flash dump of a camera with a full set of 25 pictures (I'm on my way). At CVS Pharmacy, (CVS in particular since these cameras aren't anywhere near their primary business, and the kids that work there would most likely be thrilled to stave off the boredom on a slow night) somebody (or me if somebody wants to loan me the USB tracker) gets a full sniff of the full download. THEN we've got something to work with. Anybody know anybody with a usb tracker/sniffer? 08-06-2004 11:35:56

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) jorwex Profile this probably won't do any good cuz its not a Ritz, but my friend works at Motophoto. Is there ANYTHING i could ask em to do that'd be worthwhile to this? THanks 08-06-2004 22:27:58

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) amall Profile Hey guys Im new here and i dont no much about hacking this, so my help will be minor. Anyway, I found this forum of ritz employees and i figured you could ask them there. I didn't post anything there yet because i wanted to leave it to you experts. Here it is http://www.retailworker.com/index.php?name=PNphpBB2&file=viewforum&f=24 08-09-2004 11:49:30

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) amall Profile Oh yea, I made u guys a username 2: Username: atokadder Password: reddakota If u dont want it u can make ur own but im trying to help as much as i can :) 08-09-2004 11:54:35

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Drmn4ea Profile I think it'll be best to keep it "clean-room" (i.e. not swiping/sniffing a downloader from Ritz), at least until all other options have been exhausted. Right now I'd like to find out 1) what's on the FLASH chip, and if it gives any insights into picture extraction methods; 2) more about the 'Bootloader' drivers of similar SMaL cams. Slipping $20 to a Ritz employee to look the other way while a USB-sniffer runs, or snagging a copy of the download software, etc. may end up being the only options, but could also open legal worm-cans of various sizes. 08-15-2004 20:50:37

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile Drmn4ea- agreed; I'd prefer the cleanroom. There are sympathetic Ritz workers who'll let you do anything with the equipment, but that's no fun. I've got the parts & software to do the download, I just have to built the cable and move the chip onto my adapter (soldered in). The rom dump will happen; too bad my new company doesn't have the correct reader. 08-17-2004 19:22:34

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile I got the imager under a microscope and the part number looks like "SCT-M033F". No luck googling, though. I could barely make out the color lenses that cover each pixel, but I didn't have a size reference to determine the resolution. We've got a much, much, MUCH better microscope, but I'll have to learn how to use it without breaking it 08-18-2004 21:55:54

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Agent5 Profile | Email hey d00ds, Just bought myself the PV2 and me and my Dad were playing around with it. I popped it open at the resturaunt we were at and I told him what i knew so far and asked for his opinion on the board and such. He used to do R&D for Texas Instruments back in the day and he knows his way around a board pretty well. When i told him that you only needed to solder four pins to USB connection. He seemed to think that was kinda funky because every engineer he knew and every board he made himself they only made pins that were necessary for the board to work correctly in connection with something or for it to work when they add or remove chips from the board in later models. Now back when I hacking i didn't have a computer so I settled for playing around with everything else. Mostly motorolla fones. Now before they got all freaky with their encryption and stupid default passwords, if you wanted to do stuff with the fone you just had to SHORT one pin to another pin and it woke up the programing that was TESTMODE. Maybe we gotta short somethin to make this puppy work. 08-19-2004 08:48:40

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Maladroit Profile Agent5: supposedly the only modification to the Pure Digital reader was a software upgrade. Maybe the reader already jumpered some pins and the old cameras didn't use it, but the new ones require it? I suppose that's possible, but not so likely. I think that a highly effective security system for this camera would be very easy to implement, and is probably the most logical answer. Look at the fact that the camera could possibly require a *36-byte* security code on startup, maybe within a few seconds of being powered. Even if thousands of geeks hooked up their cameras and computers to an Internet-based distributed brute-force key attack, and even if they were on the right path, it would take forever to find the key since it takes so long to restart the camera and try another key. Years, with a lot of luck and widespread participation. If someone successfully got the key, odds would be very high that the reader itself was compromised, and then they have legal recourse. Even if it took a month to find a key, Pure Digital could *easily* start flashing refurbished cameras with new security keys, and upgrade the software at the remote locations. And then who's to say there isn't some sort of challenge-response verification? I think a simple long key would already be enough security, but Pure Digital has reason to be paranoid. Now that they have moved away from "security by obscurity," and are now trying "security by security" I think that hacking this device will be next to impossible, short of developing your own firmware assuming that firmware on the camera can be replaced. At the very least, this problem cannot be solved by pumping bytes into a black box and hoping something recognizable comes out. 08-19-2004 13:18:20

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) billwiley Profile We won't be able to say with any certainty exactly how "impossible" hacking this camera will be until someone dumps the firmware. (probably by desoldering, hooking up to a reader, etc) If the camera is waiting for a 32-bit integer, a firmware dump would reveal that fact and what the integer is, and we'd be in business without ever having to bother with the Pure Digital reader. A near-impossible system would take advantage of a public key encryption scheme... the camera would first be sent a public encryption key, with which it would encrypt all pictures it stored in it's flash filesystem. Then, the Pure Digital reader would dump the pictures and decrypt them using their matching private key. Another scenario, which I outlined in a previous post, is that they don't even have code on the camera that allows dumping - they might update the firmware with "dump code" to read the pictures, and then update the firmware a second time to remove the "dump code". In either case, there's little point to assume the worst - even if either of the above cases are true, we will likely still be able to either patch the existing firmware or start an "open firmware" project. 08-19-2004 14:04:31

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) GWIZAH Profile | Email Wow, it's been awhile since I was here last. Im going to stop by a local wolf/ritz camera and see if I can "socially engineer" some more info on these while picking one up. 08-19-2004 15:05:29

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile right on bill. Maladroit - there are side-channel attacks (i.e. reading the firmware) that don't require walking in the front door. The last camera was a simple challenge-response & I figured it out the algorithm disassembling the firmware. Good thinking, though. 08-19-2004 16:56:51

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) Agent5 Profile | Email It's too bad that we don't know if those developing computers have a network connection out. If it did we could just slap a trojan or a key logger on there and have it tell us everything we need to know. Hmmm...I just thought of something... What if we wiped these PV2's and put a totally new firmware on there. I think i remember reading something that someone said they were real similar to another camera. Maybe a different firmware would support that camera. Even if it didn't we could just get something close and mod it to work to our needs. If someone ever get s a dump of the memory on that thing we can then write a new software that doesn't require security and put that on there instead. eh....just a thought..... 08-20-2004 12:06:33

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) rgarito Profile Just a though--I've been contemplating getting one of these cameras to play with.... Is it possible that the 36 bytes the camera is looking for is actually 8032 code? (assuming it's an 8032 CPU core--I thought I read somewhere that it was). Some CPUs such as the 68HC11 will download a small bootloader program when started up in bootstrap mode. This program is loaded into internal RAM and then executed. In the case of the HC11 series, this code is usually a loader that in turn, downloads the actual operating code from the serial port. (in most cases, the loader program is used to re-flash the cpu). That being the case, I wonder if the register mapping on the PV2 unit is similar to the original--anyone think they can write a small bootloader program into 36 bytes of code? 08-21-2004 14:17:28

RE:Hacking the RED Dakota PV2 (with LCD) (modified 0 times) morcheeba Profile I've got an analysis of the flash memory. Seems to be that the bootloader in the ASIC reads a file called FIRMWARE.BIN from the flash, and presumably executes it. The pictures don't have JPEG/JFIF headers and are ~550KB each. Enjoy. 08-21-2004 21:34:26