I-Appliance BBS
The Official Source for Internet Appliance Upgrades and Mods
2 4 hex 8 - Firmware we Appreciate

2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Please just enter successful firmware changes, no failures or even comments on a success that does not work for all (those belong in failures). Please follow my example or if you have a better more detailed representation that is fine also. Unless you fully understand morcheeba's caution on buffer 30s let's avoid those for now.

T28-6520: 6991 1->2, 6B2B D->C
T27-6520: 6910 1->2, 6AAA D->C
Both working with one Che-ez driverx.inf containing entries for 27 and 28. Vulcan nerve pinch for 27 gives 2B - an ignorable annoyance.

01-21-2005 12:14:52

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Note above and below mod does not change checksums - and only mods 2 blocks; a more cautious approach that requires .inf PC driver changes.

T28-6520: 6991 1->2, 6B2B D->C
T27-6520: 6910 1->2, 6AAA D->C

01-21-2005 12:22:18

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) mike
T28-6520 FLASH.IMG 22991[6991] 01->02 PID- 22B85[6B85] 28->29 22B2B[6B2B] 44->42 (D->B)
T28-6520 FLASH.IMG " " " " --------------------- " " 44->43 (D->C)
T27-6430 FIRMWARE.BIN [68F9] 01->02 --[6ADD]= 27->24----- [6A93] 44->46 (D->F)
T27-6520 FLASH.IMG C6910[6910] 01->02 --------------------- C6AAA[6AAA] 44->43 (D->C)
01-21-2005 18:09:48

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) mike
WHY ARE SPACES DELETED FROM ENTRIES
01-21-2005 18:12:31

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
mike, Spaces - try using preview first button, Stuttering - just slow down. I am becoming increasingly disappointed with all forum thread editing here, yahoo stock message boards, photo.net ... Anyone interested in a new project if I can get funding? Don't send email, don't answer directly, just add a line in your next post. Or maybe good forum thread software already exists - If so why aren't we using it?

This thread is primarily intended as a source for ForkBoy future firmware update inclusion. Please read posts carefully and try to limit to just 3 that are the same. Do add until 3 are reached to provide a sense of confirmation and popularity.

01-21-2005 20:04:27

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) teslafreak
success matched code and found unlock patch for 6510 model 410
use forkboys tool download firmware.bin
to convenient location on computer use hex editor program
change location 68F7 from 01 to 02
change location 6A91 from D to C (cigital)
do not alter any other locations
it will unlock
maybe there aren't many 6510's out there but i have 3
teslafreak
01-27-2005 17:50:17

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) teslafreak
might make a difference im using windows xp hex editor 3.0 (beta)
01-27-2005 17:56:52

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
After frying one camera, I think we should include additional information. I am reposting my success with that additional info:

T28-6520: 6991 1->2, 6B2B D->C, XP SP1, PV2Tool203, FIRMWARE.BIN file upload
T27-6520: 6910 1->2, 6AAA D->C, XP SP1, PV2Tool203, FIRMWARE.BIN file upload

Both working with one Che-ez driverx.inf containing entries for 27 and 28.

01-30-2005 17:47:28

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) tango
T27-6520: 0x6910 01->02, 0x6AF4 27->24, 0x6B30 30->32

Details, complete "howto" page at: http://vickers.homedns.org/PV2mods.htm

01-30-2005 21:34:40

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) chiusano
Would someone be kind enough to post a table of the successful firmware mods for each model/version? The
(e.g., 6410/06/27 .... 6510/x/y..., 6520/a/b/.......)
Alternatively, could this be built in as choices in pv2tool?
01-31-2005 05:48:10

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
As stated above in this thread, the intent is to post up to three successes for each model version combination. At some point it will be integrated into an application tool for easy usage. There is considerable risk and even though one follows a specific procedure exactly there can still be failures! I experienced one myself and documented it in Failures thread. Anyone with a web page (tango, morcheeba, binaryweaver, daBass, Drmn4ea, bluedonkey ...) may post the above successes - but they are certainly justified in holding back until there have been confirmations. A simple typo above could fry a camera. Patience Please.
01-31-2005 08:10:25

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) unclebill
CVS RED Type-27 FIRMWARE 6430 Hardware 06
0x68F9 01 to 02
0x6ADD 27 to 24
0x6A93 44 to 46

Modified with PV2.05

works with Che-ez and Irfanview

02-10-2005 12:21:21

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Success with morcheeba's pv2mod (ported to windows by Drmn4ea). IMO safest method because it only reads and writes necessary blocks and allows a verify of CRC - great work by morcheeba! My particular change modifies only one instruction for added safety from hardware errors/glitches.

T28-6520: [6219] e101 --> e002, XP SP1, 11/18/04 Libusb, pv2mod
T27-6520: [619E] e101 --> e002, XP SP1, 11/18/04 Libusb, pv2mod

Both working with Irfan using Che-ez Foxz2 smalunhj.inf modified by changing 23 to 27 and 24 to 28 (3 places each). I removed all but libusb driver before making any firmware changes and only installed foxz2 afterwards. It is very important to unplug and replug after each execution of pv2mod (I have a fried blue because I tried to verify without unplugging).

pv2mod scripts (commands placed here on one line just to compact - do not copy, semicolon inserts):

CVS Red 27 - GetChallenge; PrintBuffer; VerifyBufferCRC 0x0ea3bb88; SetBuffer 0 4c614d530000000...zeros for length of 128; SendResponse;
ResetChecksum; ReadFileBlock FIRMWARE.BIN 0x30; PrintBuffer; VerifyBufferCRC 0x8dab64e1; SetBuffer 0x19E e002; PrintBuffer; WriteFileBlock

CVS Blue 28 - GetChallenge; PrintBuffer; VerifyBufferCRC 0x0ea3bb88; SetBuffer 0 4c614d530000000...zeros for length of 128; SendResponse;
ResetChecksum; ReadFileBlock FIRMWARE.BIN 0x31; PrintBuffer; VerifyBufferCRC 0x7584eb5f; SetBuffer 0x19 e002; PrintBuffer; WriteFileBlock

02-10-2005 20:41:47

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Minor omission from above - both cameras had somehow been reset to LaMSSMaL. If camera is new with original key then morcheeba's challenge response sequence will work (it worked fine for the blue 2F I fried).
02-10-2005 20:47:01

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Sorry, 1 step ahead of myself - after testing above blue with che-ez it produces blue hue boo hoo photos. Flatfoto drivers work fine though. I had thought it was a 28 but pinch gives 2F, however it is recognized by libusb and other drivers as 28. I gave my 28 to my brother's ex wife.
02-10-2005 22:04:28

CVS 6520 Red with a Mac (modified 0 times) nilloc
I'd really like to use the camera with the mac, but i don't know enough about morcheeba's apps to adapt them to a CVS 6520 Red camera, i can run (without -write) it and it finds the camera but it stops because the firmware is different. does anyone have a CVS camera connecting to a mac? if so could you give me mod file instructions (copy and pastable since im a reeree)? even better, if you have a working OS X driver and/or modfile, you could send it to me at nilloc at paperclipped dot com.

thanks for any help

02-18-2005 00:26:31

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
nilloc, you should be able to use my last firmware post 3 up for CVS Red 27. If you still have original serial then you will need to replace VerifyBufferCRC with the CRC from preceding PrintBuffer and use the SetBuffer from morcheeba's disable-80 located just before SendResponse. Please try to create your own and run without -write then send log to borg12of48 at yahoo dot com. I will confirm or send back an updated modfile. It is very important that without the write you see E101 change to E002 as the only change. Does a vulcan nerve pinch (3 finger salute) show 27 or 2B?
02-18-2005 04:19:04

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) fooble
Confirming the early post wrt CVS Serial 6510:

Address: 0x68F7: 01 -> 02

I used morcheeba's PV2mod and the Che-ez drivers for MacOS X...

Modifications:
- = Moorcheba's disable-80
+ = fooble's disable-80-cvs

-VerifyBufferCRC 0xecfb4b60
+VerifyBufferCRC 0x633b084a

-SetBuffer 0x113 02
+SetBuffer 0xF7 02
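
Review bot: the SetBuffer change from 0x113 to 0xF7 gives only an in-block offset, and the ReadFileBlock line that selects the block is not among the changed lines, so a reader cannot confirm from the diff alone that both offsets apply to the same block. Show the unchanged ReadFileBlock line as context next to the SetBuffer lines, and note beside the new VerifyBufferCRC value (0x633b084a) which firmware image it was taken from, since that CRC will only match that image.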

Not sure where the product id lives on these guys...

I modified the Info.plist file (/System/Library/Image Capture/Devices/Che-ez Camera.app/Info.plist) to include the 0x27 product id and it works straight out with iPhoto... Thanks all!

02-20-2005 18:35:41

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) billw
camera is T30-6520

[6910] 01->02
[6AF4] 27->24
[6AAA] 44->46 (D->F)

Done with PV2Tool2, works with Foxz2

02-23-2005 21:02:11

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) nilloc
Well after me being stupid for a while, then getting some help from brite_eyes and his firmware...

It works... Blurry but the colors and noise seem to be pretty good, though that could be iPhoto's doing.

modDetails and driver stuff for OS X are here,

And photos, starring our hedgehog Baxter, are there.

Next up, focus and much much more...

02-26-2005 16:36:23

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Great, another Mac success - that makes 3 (morcheeba, fooble, and nilloc). I think it a bit odd that there are so many more Windows successes than Linux on this Linux board (and even odder that Mac has more than Linux).

Please use extreme caution when modifying firmware - there are many different versions and some errors may exist in these threads. I am responsible for some misleading info - I have used T27 and T28 where it should be T2B and T2F. This is confusing since drivers require 27,28 even when camera pinches are 2B,2F. nilloc's most recent one instruction change was the same as mine with a different offset. I verified several instructions before and after to gain confidence. That can be very difficult since the disassembler only works on an original 6410. I like ForkBoy's suggestion to supply md5sums and intend to do so when I have time. So far both pv2mod and PV2Tool depend heavily on user getting the offsets correct.
T27-6520: [6185] e101 --> e002, Mac OSX, pv2mod
T2B-6520: [619E] e101 --> e002, XP SP1, 11/18/04 Libusb, pv2mod

02-26-2005 21:54:27

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) nilloc
I was wondering actually, how is the 0x185, or 0x19E (or 0xF7 in the case of fooble) calculated? (referred to as the offset?)

I've got a new CVS Blue 28, 6510 (the red ones aren't on sale anymore...), and the modfile is working up to the delta checksum, i get -31 for 0x185 and -118 from 0x19E, i could keep trying different ones but that doesn't seem practical since there could be over 500 to test. Plus I'd like a method that I can recreate without outside support, which we'd all like I guess...

If it's based on a md5sum from a number(s) in the log is it hard to calculate? Or if this will take too much time to explain, then I understand, and I can check back in a month or two... no hurry.

02-27-2005 23:35:22

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Note that fooble's change also required including checksum updates from morcheeba's modfile (2 more blocks to change).

As to offsets, the only sure way is to disassemble an original 6410 and visually look for same code sequences. My change from E101 to E002 is located at 131a5 in original listing. This changes a LDI R1,#$01 to a LDI R0,#$02 leaving checksum the same. For all my cameras string containing 2 bytes before E101 and one byte after is unique. Once you are confident you have located same sequence then you need to compute a new block and offset - using a hex editor (I use XVI32) an offset of 0x6185 becomes block 0x30 (half of 61 [512 byte blocks]) with an offset of 185. A future mod tool could automatically search verify uniqueness and change just one block to permanently unlock any existing camera, but code sequences could be intentionally changed by manufacturer to cause more fried cameras. I am hesitant in offering the above explanation since if needed you would be well advised to avoid attempts at changing firmware.

Perhaps morcheeba can comment on legal issues - I do not know how much firmware code can be revealed in hacking instructions or used in a mod tool. I assume single isolated instructions are OK and if not someone (especially those watching from companies that may become legally involved) should post issues in our "Legal - 1 2 many 4 all" thread. I also fear we may face increasing crack downs with what used to be legal becoming illegal as governing authorities all over planet Earth assert their power over individual freedom.

02-28-2005 04:14:34

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) billw
brite_eye, regarding revealing firmware instructions. I would like to think that a single instruction wouldn't hold up as copyright infringement in court. However, I personally wouldn't want to test the legal waters.

About a week ago I wrote a dynamic-patcher that looks for a particular CRC sum from 4 bytes and patches based on that. Since forkboy was going to release patching in pv2tool, and also since we have pv2mod, I didn't want to release yet a third patching tool.

But it sounds like we could use a tool that would merely flag locations in firmwares based on local CRC. if that's true, I could easily mod my dynapatcher to do that...

02-28-2005 06:02:29
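
The block/offset arithmetic brite_eye describes, combined with the uniqueness check that he and billw propose, as an added read-only example; it is not part of the thread and not code from pv2mod, PV2Tool or billw's patcher. The signature bytes, the sample image and all function names are constructed for illustration.

```python
import hashlib

BLOCK_SIZE = 512  # block size given in the thread ("512 byte blocks")

def split_offset(file_offset):
    """Turn a flat file offset into (block number, offset inside that block)."""
    return divmod(file_offset, BLOCK_SIZE)

def find_unique(image, signature):
    """Return the offset of signature, or raise if it is absent or ambiguous."""
    first = image.find(signature)
    if first < 0:
        raise ValueError("signature not found; this is a different firmware build")
    if image.find(signature, first + 1) >= 0:
        raise ValueError("signature occurs more than once; offset is not trustworthy")
    return first

def locate(image, signature, index_in_signature, expected_md5=None):
    """Read-only report: where the byte of interest sits, in block/offset terms."""
    digest = hashlib.md5(image).hexdigest()  # identifies the image build
    if expected_md5 is not None and digest != expected_md5:
        raise ValueError("image md5 %s does not match the recorded build" % digest)
    file_offset = find_unique(image, signature) + index_in_signature
    block, block_offset = split_offset(file_offset)
    return {"md5": digest, "file_offset": file_offset,
            "block": block, "block_offset": block_offset}

# Constructed sample: a zero-filled stand-in image holding one made-up 5-byte
# signature (2 bytes before E1 01, 1 byte after). AA BB and CC are placeholders,
# not bytes from any real firmware.
SIGNATURE = bytes.fromhex("aabbe101cc")
SAMPLE_IMAGE = bytes(0x6183) + SIGNATURE + bytes(0x78)

if __name__ == "__main__":
    info = locate(SAMPLE_IMAGE, SIGNATURE, index_in_signature=2)
    print("md5 %s" % info["md5"])
    print("file offset 0x%X -> block 0x%X, offset 0x%X"
          % (info["file_offset"], info["block"], info["block_offset"]))
    for addr in (0x619E, 0x6219, 0x68F7):  # file offsets quoted in the thread
        print("0x%X -> block 0x%X, offset 0x%X" % ((addr,) + split_offset(addr)))
```

Nothing here writes to a file or a device; a missing, repeated or md5-mismatched match raises instead of returning an offset.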

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) tweak
Got a 6410, after trying to hack the firmware, I get three low beeps when trying to turn on the camera, or when connected to usb. Running the PV2Mod util when I connect I get one beep, but no light... I am unable to unlock... Any suggestions on how I can fix this? Also, what changes need to be made on the 6410 27 firmware.bin file?
03-03-2005 09:20:07

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) tracex
I am getting so confused about all this stuff.. is there a simple site showing a list of firmware and how to fix each one? I have firmware 6430. I have already made a usb port on the camera, and I have downloaded lots of drivers and software, but I can't figure it out. Please help me out.
06-04-2005 19:53:31

RE: 2 4 hex 8 - Firmware we Appreciate (modified 0 times) brite_eye
Try camerahacking.com "How to forum".
06-10-2005 22:12:29

All times are PST.