HF10 & HV30 (Digic DV II) decrypted!

  • 212 Replies
  • 64893 Views
  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #140 on: 01 / January / 2009, 12:38:00 »
    Advertisements
    This is brilliant, we need to make sure the HV30 decoder is updated accordingly too.

    I think most of what I found in the first section of the HV30 firmware should be also valid for the HF10, so it would be good to begin inspecting that piece of MIPS32 code/data to decide some places to start injecting custom code.

    Yes I can verify that the first section of the hf10 fw is mips32 code as well.

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #141 on: 01 / January / 2009, 13:46:12 »
    Hi peeps,

    I have a hf100 and am willing to test new firmware, I asume it would be able to run hf11 24mbps ;-)
    Don't know much about checksum programming but do want to test and help if needed.

    Cheers

    Rob

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #142 on: 01 / January / 2009, 13:49:38 »
    This is brilliant, we need to make sure the HV30 decoder is updated accordingly too.

    I think most of what I found in the first section of the HV30 firmware should be also valid for the HF10, so it would be good to begin inspecting that piece of MIPS32 code/data to decide some places to start injecting custom code.

    Yes I can verify that the first section of the hf10 fw is mips32 code as well.

    Wiesel, we should really start cross-referencing our research rather than pressing on in parallel directions, that way I think we can be more effective.

    Cheers,

    Jollyroger

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #143 on: 01 / January / 2009, 17:14:11 »
    From looking at the photos of the PCB that Sprawler posted a couple of things stand out.  I can't make out the value of the canned CMOS clock OSC but the MCU closest to it will most likely be the core.  From a PCB designers view, you want the traces between the MCU and the OSC as short as possible to keep parasitic capacitance to a minimum.  It's difficult to say if it's the MB87Q1211 next to it, or another part on the adjacent side of the PCB.

    The 24.576Mhz xtal reference (sawtooth gen) is most likely used for graphic encoding/decoding.  So the smaller MB8 here is probably a dedicated co-processor.  The orientation also infers that both Fujitsu parts have their clock input lines close to pin 1.

    The MB87Q1211 is probably the main MPU.  There will probably be blocks of the firmware that are to be loaded into other co-processors on the board.  With this in mind care should be taken to identify the code blocks and disassemble them independently or keep the co-processor binaries intact.  Even though theses 2 parts are Fujitsu MB87 series even a slight change in the mapping of each parts internal peripherals will result in confusion.

    kage
    « Last Edit: 01 / January / 2009, 17:24:40 by kage »



  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #145 on: 02 / January / 2009, 03:00:54 »
    Hi Laoyang,

    The CPU/DSP section of the datasheet lists ARM9, ARM7TDM.  I'm assuming that you can read the datasheet, as it is not in my native english.  Are you sure that the core is not synthesized ?  If so scratch what I said previously.

    K

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #146 on: 02 / January / 2009, 06:30:48 »
    Right now it looks pretty clear that at least one of the cores is a MIPS derivative, as one part of the FW update containing the USB and SD/MMC drivers seems to be MIPS32 code.
    Another core (on the HV30) is a Fujitsu FR71, which seems to be the one that controls the main camera functionality.

    As for the other parts, there could be additional code/data spread in the FW that is to be directed to other processors/DSPs on the board, we haven't seen it yet, but it could well be in there somewhere, in the data sections that haven't been mapped/recognised yet...

    Obviously the various parts need separate disassembly/analysis to avoid compromising the functionality.

    Jollyroger
    « Last Edit: 02 / January / 2009, 06:32:19 by Jollyrogerxp »

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #147 on: 02 / January / 2009, 06:57:12 »
    This is brilliant, we need to make sure the HV30 decoder is updated accordingly too.

    Here's my "universial decrypter", it detects the camera model and crypts the file accordingly... there are also options to split the file into sections and calculate a new checksum.


  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #148 on: 02 / January / 2009, 09:11:20 »
    Superb! Now I just need a HV30 to play with :-)

    We should try to start dumping the area above 0xBFDC0000 of the MIPS32 core, as that part contains all of the OS specific code for that core, so we can see how we can load some code up and run it more easily.
    Also it could give us some hints on how to run something on an unmodified camera, as we don't have any FW for the HV20 for example...

    Please let me know when you have some time for a MSN chat!

    Jollyroger
    « Last Edit: 02 / January / 2009, 09:25:34 by Jollyrogerxp »

  • Publish
    Re: HF10 & HV30 (Digic DV II) decrypted!
    « Reply #149 on: 02 / January / 2009, 14:19:31 »
    Pardon my ignorance as far as using IDA and disassembling this.  The processor is a Mitsubishi M32R right?  Which variation of the processor did you use?  You also said the code starts at offset 0x04000000, but the firmware binary isn't that large.  Are you mapping the sections to different addresses?

     

    Related Topics