This is my account on hacking the 6550 firmware PV2.
For starters, I purchased a 6520 camera from CVS. The method I used to select a 6520 was to look at the bottom of each camera at the store, and find one without the two screws holding the battery door shut... I found one with a paperclip-slider thingie holding the battery door shut, bought it, took it home, did the "vulcan neck pinch", low and behold, it was a 6520. I used pv2tool to yank its flash, and winimage to yank out the firmware.bin.
I read up on the two methods available to hack the 6550 - One, the hardware hack, shorting pins on the flash. I initially tried that, but well, in the long run, my first attempt at creating an interface cable was wrong, so that wouldnt have worked anyway, at least at that time. I now have an interface created with a Palm III Hotsync cradle connector, and it works light years better then a hacked centronics connector. Anyway - I digress.
The method I used was to remove the battery door screws, and hold it shut - then, snap a picture, and let go of the door while the flash is being written. I did this several times. The time it worked, I released the battery door just a tiny fraction of a second after the display lit up to show me the preview. Just RIGHT after it lights up, I released the door to cut the power.
At that point, when I tried to close the battery door, I would see a totally white screen, sometimes with some scrambled lines. I opened and closed the door a few times, messing around with it, eventually, the camera would stop turning on automatically, and any attempt to power it up resulted in two low-pitched tones. which from what I have read so far, indicates bootloader mode.
When I attached the camera at this time, Windows reported "unknown device".
I loaded regedit.exe, and browsed to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
And I browsed through the keys for our vendor in question, "0DCA", and I noticed a new key. Aside from the original product ID of 0027, and the foxz2 ID of 0024, there is a new ID now! 002B!
I am guessing this is the ID of the bootloader code.
Before I continue further in describing my .INF file modifications, I want to let you know that my initial hacking of these cameras started with the information I learned at the following website: http://vickers.homedns.org/PV2mods.htm At this website, one of the downloads adds an INF file to the standard libusb 0.1.8.0 installation called C:\program Files\LibUsb-Win32-0.1.8.0\bin\libusb.inf
I opened this libusb.inf file, and under the header section "; Dakota PV2" I added the following line:
"Ritz PV2 Red bootloader mode, Version 02/15/2004, 0.1.8.0"=LIBUSB_COMP_IF, USB\VID_0DCA&PID_002B
With this line added, I pointed the windows driver installer to that .INF file, and now Windows recognizes the 6550 PV2 as a system device perfectly.
Now, having this done, I loaded up PV2Resurrector. This part was tricky. I had to copy the original, stock, FIRMWARE.BIN from my 6520 camera (the unmodded original FIRMWARE.BIN) to FIRMWARE.PV2 in the same directory. Using the hacked (hexedited) versions of this didnt seem to work.
Anyway, I followed the README.txt that came with PV2Resurrector, using the FIRMWARE.PV2 file that is described above, then once that was executed on the camera, I uploaded my hacked flash image (hacked with the 30 pic limit and unlocked 6520 firmware), and that camera was done. Successful hack.
I hope this helps. I would like to clarify this a bit. Please give me feedback and let me know where it needs clarification, I plan on purchasing more 6550s in order to make this document more perfect.
Cheers!
Phillip Partipilo
