The
Samsung WB2000 (known as TL350 in the USA) is a compact and well-built camera which has a number of interesting features. However, no matter how much Samsung tries they will never be able to create firmware which fits everybody's wants and (supposed) needs. Inspired by the CHDK project I'll try to open the way for modifying the firmware used in the WB2000. As the firmware (and the hardware) for this camera seems to be closely related to that for the EX1, and probably other members of the WB/TL series.
The progress of this analysis can be followed on the
WB2000 project wiki (if you want to help, let me know and I'll create an account).
For such a project to succeed we'll (as in 'anyone else who is willing and able to hack the firmware for this camera') need quite a bit of information as well as some tooling. Let's start with the basic facts. The thing is built around a 'DRIMeIII' ASIC which contains an ARM926E core. It runs VXWorks 6.6. There is plenty of debugging info in the firmware image, as well as a strong indication to the presence of the vxworks command shell. As to how this shell can be accessed I don't know yet - the proprietary Samsung io-connector seems a good candidate though (pin 15: UART RX, pin 16: UART TX, pin 1: D-GND - careful, I have not tried connecting anything yet!). It seems to be able to boot from the SD card so if the firmware in the camera memory (512 MB of Samsung OneNAND according to what I found in the DSP firmware strings) is hosed it should be possible to revive the thing. If not, the schematic diagram (which can be found floating around the 'net) clearly shows JTAG connections so it should be possible to avoid bricking it.
A WB2000 firmware update contains 5 files: an update script, two OneNAND boot loader files, a DSP firmware image and a user interface image file. The latter consists of a simple ROMfs image for which I made an extraction program (inspired by a similar program for an IP camera). As far as I can tell, none of these files are obfuscated. More details can be found on the
WB2000 project wiki.
The DSP firmware file is a simple binary dump, prepended with the version number as a null-terminated string. Loading it with an offset of 0x7 makes it possible to disassemble the dump. I have yet to figure out the load address. it probably lies around 0xb?000000 given the references from the secondary boot loader to this area - but I might be completely mistaken.
I'd like to do as much work as possible using the downloaded firmware image file before hooking up the camera to get the vxworks shell up and running. If anyone knows a source for those S20-pin connectors Samsung likes to use, let me know as well. I want one to make a debug cable, so it should have connections on at least pin 1 (gnd), 15 (uart rx) and 16 (uart tx).
I know there are others who have expressed the wish for hackable firmware for these Samsung cameras. If you read this and feel you can help, reply here or send me a PM. With their ARM-based ASICs and VXWorks OS it should be possible to get (something like) CHDK running on these cameras. Given the ease with which the user interface in these cameras seems to be modifiable it might even be possible to integrate a firmware hack in a more streamlined way. Who knows, Samsung might just have created the ideal hackable camera platform - and might see increased sales because of this.
Are you reading this, Samsung? If so, please send me some documentation on the firmware file format so I don't have to search for it myself.If you have any information which can help further this project, please do not hesitate to let me know. Reply to this topic or via PM.