HF10 & HV30 (Digic DV II) decrypted! - page 17 - General Discussion and Assistance - CHDK Forum

HF10 & HV30 (Digic DV II) decrypted!

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #160 on: 26 / February / 2009, 19:35:40 »
The FW I am working on is the HV30, I cannot test on any other cameras, thanks for offering though...

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #161 on: 15 / March / 2009, 19:26:50 »
I recently got a broken HF100 from fellow HV20 forums member Rumple... here's shots of the mainboard and the i/o board. I just made a quick google research and could identify many of the chips in there, but not all of them... what I'm specifically missing is the mips core...

Btw. there's also a (debug?) port attached to the mainboard, it is hidden in the battery compartment under that little rectangular plastic cover beside the serial number sticker... I can't believe nobody has seen it before. You can see the white plug on the bottom left of the mainboard.

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #162 on: 15 / March / 2009, 19:27:46 »
i/o board picture...


Offline cail

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #163 on: 07 / April / 2009, 01:01:52 »
Wiesel, I've seen a similar plug on my HV10. It's also accessible from under the battery area, but hidden with plastic.
I'm not very good with hardware, but this could be anything from a serial port to a JTAG port or some custom proprietary link.

BTW, since you have Flash chips, there is a chance they could be read with a ROM reader ;-)

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #164 on: 23 / April / 2009, 10:58:44 »
BTW, since you have Flash chips, there is a chance they could be read with a ROM reader ;-)

Do you have access to such a ROM reader? I don't :/

Another note... I have identified nearly all the chips in the cam and have saved it somewhere but can't find it anymore, but I just remembered that the H264 encoder is limited to 20mbps. That's why the 24mbps hack failed, and also the reason why the information that someone supposedly got from Canon, that HF11 firmware (if ever released) works on the HF10(0) with 24mbps as well, is probably bulls**t. So this is the proof that the HF10(0) and HF11 hardware are not the same.

edit: I found my notes and have updated the wiki: http://chdk.wikia.com/wiki/HF10/HF100
« Last Edit: 24 / April / 2009, 11:44:05 by Wiesel »


Offline cail

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #165 on: 30 / April / 2009, 01:09:51 »
I think the cost is quite small for this piece of hardware, more important is that without hardware experience it'll be quite a tricky task. Finding some hardware guy with the ROM reader could really help us.

Here: http://www.willem.org/cgi-bin/yabb22/YaBB.pl?num=1178306714 it is stated that at least the Willem EPROM programmer kit is able to read our ROM chip (SST39VF1601).

Another funny hardware hack I've heard people apply is finding an existing USB flash drive with exactly the same chip (that could be quite possible), then replacing the chip on the board and just plugging it into USB ;)


Offline gl

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #166 on: 12 / May / 2009, 18:47:00 »
Hi everyone,

I'm in charge of supporting the HV firmware hack over on HV20.com.  I'm an HV20 user (I actually shoot in 3D with an attachment) and also a longtime C++ programmer.

We've been gathering a fund to help make the hack happen (for full details see the 1st post in our thread).  Recently a member there has donated an NTSC HV30 to jollyrogerxp, and he's just had some great success:

1) The PAL firmware you've been working on successfully flashed onto the NTSC model, but kept it an NTSC cam - so the firmware will work on either (but doesn't convert between them).

2) jolly also defeated the version check and was able to flash the same firmware twice!

I'll let him fill in the details, but it's looking good.  We'd now love to find a way to dump the cam's firmware, and of course we'd love a way to boot mods from the SD card (as happens in the CHDK firmware) so that we can eliminate the bricking risk and get more people trying stuff.  And getting the HV20 firmware read out would be great, so people like me can take a crack at it.

Everyone on HV20.com is really enthusiastic about making this happen, we'll try to help if we can.  And feel free to drop in and say hello  :).
« Last Edit: 12 / May / 2009, 18:50:11 by gl »

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #167 on: 13 / May / 2009, 00:22:03 »
Update: I injected my very first routine written from scratch into an unused area of the FW, and by running it as a callback of an unused PTP command I have managed to dump the upper 2MB of firmware that the MIPS core uses to a file on the SD card.

At first glance the upper part seems to contain some general purpose (libc) routines like file strings and memory operations, file open, read, write, close, etc.
This should make it easier to analyze the whole MIPS firmware, which in turn could give us more chances of finding some exploitable routines.

Cheers,

Jolly

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #168 on: 13 / May / 2009, 01:20:42 »
Great work dude - Great work

Keep it up <3


Offline gl

Re: HF10 & HV30 (Digic DV II) decrypted!
« Reply #169 on: 14 / May / 2009, 16:00:59 »
Just a thought re. the PAL firmware working on the NTSC cam... it's of course possible that the patch doesn't contain any code specific to the frame format, so it might just be lucky that it works on the NTSC cam (or that it doesn't convert it!).

And it also makes sense that any libc style routines aren't included in the patch as any bugs are more likely in Canon's main code.

jolly, how did you manage to create the dump file on the SD card?

 
