Introduction
A cheap new camcorder has attracted the attention of a lot of people.
It is a small, lightweight, easy-to-use digital camera that has been
configured to record up to 20 minutes of decent-quality video on to its
built-in memory. Consumers typically purchase the device for
$29.99 from the CVS drugstore, shoot
their video, and then return the single-use camera to the store (plus
another $12) to get it "developed" onto a DVD. In all, it's a
costly $2 per minute. Instead of relying on CVS for development,
I've taken apart my camera and figured out how to retrieve my videos
using just a normal computer and an easy-to-build USB cable.
Preliminary Analysis
After shooting a few videos, the first thing I had to do was disassemble
it and take pictures.
Similar in construction to the PV2, this unit is rugged and can be
easily recycled. Without the case and batteries, the circuit board
inside is small enough to fit into a model airplane. I noticed a
blob of black goop, but since I don't live near a CVS store and didn't
want to damage my camera, I left it alone -- however, paperboy4828
did an excellent job documenting his goop. The older version of the
camera has two 4-pin connectors hidden under blobs -- J4 on the FLASH
side, and J6 on the button side. I suspect these connectors may be a
serial port, but I don't have any hard evidence yet. The newer version
(which I have) has a blob only on the button side.
The disassembly revealed that the camera's main chip was a Zoran
ZR36451BGCF (part of their Coach line of products), and that there were
two memory chips -- a Samsung K4D551638F-TC50 for temporary storage,
and a Hynix HY27UA08161M for 128MB of permanent storage.
You can find out information about the camera's software by accessing
the special diagnostic screen. This is done by pressing the Record and
Delete buttons while turning on the camera. Mine said:
FW-VERSION: 03.40
CAMERA ID: 6B7051xxxxxx
PCB VER: B2
Once that page came up, I couldn't get it into any other special test
modes -- all I could do was turn the camera off.
When connected to my computer (using the same USB cable as the previous
two cameras), the camera identified itself as a "Saturn" manufactured
by "Pure Digital Inc." As expected, the camera didn't do anything
-- it had been altered so that it would not work with any of my Mac's
built-in drivers (and, of course, Pure Digital wasn't about to give
away their drivers).
Removing the Memory Chip (or Downloading Videos the Hard Way)
From looking at the parts in the
camera, it was obvious that the videos were stored on the large Hynix
FLASH-memory chip. There were claims that the videos were stored
in an encrypted proprietary format, so I wanted to verify that was the
case.
FLASH chips are commodity items that conform
to industry standards -- as such, they are very well documented.
I still had a
home-built flash memory reader that I put together to analyze the
previous PV2
camera, so I desoldered the chip from the camcorder and then
soldered it into my device. The only modification I had to make to the
program was for the increased memory size
of the new part. The reader is nothing special -- just a cheaper (and
slower) version of commercially available units.
A quick look at the data indicated that it conformed to two industry
standards -- Smart Media (used to make the chip error-tolerant) and FAT
(a method for organizing the chip into files). Among the
many files, I found the five
sample videos that I had recorded. Fortunately, they were stored in
an unencrypted industry standard video format. I could play my videos,
but each time I wanted to retrieve them, I would have to desolder the
tiny chip without breaking any of its 48 microscopic
0.01-inch-thick legs.
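Added example (not part of the original page and not the author's reader program): once a raw dump is off the chip, a short Python routine is enough to confirm the FAT layout and list the files. It assumes 512-byte pages with 16 spare bytes each, blocks already in logical order (Smart Media block remapping and ECC are skipped), and a FAT12/16 layout; the sample image and its file names are constructed.

```python
import struct

PAGE, SPARE = 512, 16  # assumed geometry: 512 data bytes + 16 spare bytes per NAND page

def strip_spare(raw):
    """Drop each page's spare area, leaving only the 512-byte data sectors."""
    return b"".join(raw[i:i + PAGE] for i in range(0, len(raw), PAGE + SPARE))

def list_root_dir(img):
    """Parse the FAT12/16 boot sector and return (name, size, first_cluster) per file."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no boot-sector signature at offset 510")
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 11)
    (fat_sectors,) = struct.unpack_from("<H", img, 22)
    root_off = (reserved + nfats * fat_sectors) * bps  # root dir follows the FATs
    files = []
    for i in range(root_entries):
        e = img[root_off + 32 * i:root_off + 32 * (i + 1)]
        if len(e) < 32 or e[0] == 0x00:  # truncated image or end-of-directory marker
            break
        if e[0] == 0xE5 or e[11] & 0x08:  # deleted, volume label, or long-name entry
            continue
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        files.append((base + ("." + ext if ext else ""), size, cluster))
    return files

def build_sample():
    """Constructed raw dump: boot sector, one FAT sector, one root-directory sector."""
    boot = bytearray(512)
    struct.pack_into("<HBHBH", boot, 11, 512, 1, 1, 1, 16)
    struct.pack_into("<H", boot, 22, 1)
    boot[510:512] = b"\x55\xaa"
    def entry(name, attr, cluster, size):
        return struct.pack("<11sB14xHI", name, attr, cluster, size)
    root = (entry(b"CLIP0001DAT", 0x20, 2, 123456)
            + entry(b"\xe5LIP0002DAT", 0x20, 3, 999)      # deleted entry
            + entry(b"CAMCORDER  ", 0x08, 0, 0)           # volume label
            + entry(b"CLIP0003DAT", 0x20, 4, 654321))
    img = bytes(boot) + bytes(512) + root.ljust(512, b"\x00")
    return b"".join(img[i:i + PAGE] + b"\xff" * SPARE for i in range(0, len(img), PAGE))

if __name__ == "__main__":
    for name, size, cluster in list_root_dir(strip_spare(build_sample())):
        print(f"{name:12} {size:>8} bytes, first cluster {cluster}")
```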
I had proven the data was there in a usable format, but I had to find a
better way to get it out of the camera. If only I could convince the
on-board software to send the data over USB.
In-Depth Analysis
This is the section of the website where I get technical. Also, for
your convenience, this section has links to all my web pages on this
camera (except the disassembly).
The next stage of analysis is to analyze the program that runs on the
camera. This is a two-step process:
1. I wrote a program to disassemble the raw bytes of the firmware
into readable assembly language instructions. The disassembler also
attempts to automatically add comments wherever it can (for example, if
a register will always be a certain value at a certain place, it will
note this so I don't have to figure it out manually; if a string is
referenced, it looks it up and places a description near where it is
used - this is a tremendous help).
2. Then comes the fun part: I manually read through the program and
make guesses at what each section of code is doing. I start with known
strings and see which functions access them. Eventually I make enough
guesses to cross-check my work, and then I'm fairly certain it's right.
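Added example (not the author's disassembler or code from the original page): the string-annotation step described above can be approximated by collecting the NUL-terminated strings in a firmware image and then finding every aligned 32-bit word that points at one. The load address, the little-endian 32-bit pointer format, and the sample blob with its strings are all assumptions constructed for illustration.

```python
import re
import struct

BASE = 0x80000000  # hypothetical load address; the real one must come from the firmware

def find_strings(blob, min_len=5):
    """Return {offset: text} for printable ASCII runs that end in a NUL byte."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len)
    return {m.start(): m.group().decode("ascii") for m in pat.finditer(blob)}

def string_xrefs(blob, base=BASE, min_len=5):
    """List (offset, pointer, text) for aligned 32-bit LE words that address a string."""
    strings = find_strings(blob, min_len)
    xrefs = []
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        text = strings.get(word - base)
        if text is not None:
            xrefs.append((off, word, text))
    return xrefs

def build_sample(base=BASE):
    """Constructed blob: six words of placeholder code and pointers, then two strings."""
    s1, s2 = b"FW-VERSION: \x00", b"usb cmd rejected\x00"
    a1 = base + 24            # strings start right after the six 4-byte words
    a2 = a1 + len(s1)
    filler = 0xDEADBEEF       # stands in for instructions; not real opcodes
    words = struct.pack("<6I", filler, a1, filler, a2, a1, 0)
    return words + s1 + s2

if __name__ == "__main__":
    for off, ptr, text in string_xrefs(build_sample()):
        print(f"0x{off:04x}: word 0x{ptr:08x} -> {text!r}")
```

Each hit marks a literal word worth labelling in the listing; the code that loads that word is where manual reading starts.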
Here's the information I've discovered about this camera:
The Camcorder's flash memory. Includes the file system and a few sample videos I have recovered from my camera.
Files FSP and USP (NEW!) control the recording quality.
The Camcorder's firmware. A general overview with lots of internal information.
Firmware - My disassembly (NEW!) (where the hacking magic is done!)
Firmware - Source file names used to generate. (not the actual source files!)
Firmware - 180 monitor utility commands
Firmware - USB commands (UPDATED) (includes the unlock sequence and how to download videos!)
I am in the middle of writing an improved disassembler based on the
standard GNU utility objdump.
So far I've used it to trace 54% of the code, and luckily that included
the code that handles USB communication. After a month of evenings
spent poking at the code in Boulder-area
coffee shops, I found the routine that blocked communications on the
USB port.
When the disassembler is good enough, I'll release it so that others
can look at the code in their cameras. I wrote a great disassembler
for the PV2 camera, but this one isn't as good. The processor
powering this camera is a lot more powerful than the one in the PV2, so
it didn't have to use as many tricks. As a result, the code was easy to
follow by hand and I didn't need to use a really good disassembler.
There is more information to be gleaned about this camera, so I'll
expand this section as the discoveries are made.
Downloading Videos
The camera uses the same USB cable as previous Pure Digital cameras.
Here is my older general information, and a much easier-to-follow
description from Make Magazine.
Next comes the software. If you're using a Mac, download the CVS Camcorder Reader
version 0.0.3 (screenshot)
and you should be golden. Cory Stargel recently added the delete
function. Loren B did 99% of the GUI, and I wrote the underlying USB
functions.
The "Refresh" button lists the files on the camera (along with size and
recording date/time). Double-clicking on a file downloads only that
file and the "Download All" button will get all the videos. A button at
the bottom will delete all the videos. Files are downloaded
to the desktop and any previously
existing files will be overwritten, so please move videos off
the desktop as soon as you download them. The program uses different
names than listed when actually downloading (it's not a big problem).
This program has almost no error checking. Please email me if you
have problems with it.
I can play videos with sound in MPlayer.
With Quicktime, I get video but no sound (I'm not sure which plug-ins I
installed to do that).
If you're using Windows, you'll have to use someone else's program.
(Windows has a really ugly USB interface that requires you to install
drivers - on the Mac, drivers are optional). A couple of people are
writing these programs - the best place to check is the Applications
Section of camera hacking forums.
To Do
I'd like to modify the
firmware so that the camera can operate without any drivers. There is
evidence that this camera can support the USB standard for Mass
Storage, so it will operate like a standard USB Flash drive.
There is also a chance that Pure Digital will alter the way it enables
USB communication, so I may have to reverse-engineer that section of
code again.
Also, and probably more pressing, Pure Digital has reacted to
this hack and fixed the security hole.
Resources
The most current discussion that I follow is on the Camera Hacking
message board. There is also an older discussion on the Dakota
PV2 discussion board.
Paperboy4828 did a great disassembly
job and is attempting to connect the flash chip to a memory reader.
Media
My original flash removal & video recovery was covered in Slashdot,
and then the USB hack was covered in a followup.
I was interviewed about this project by Phillip Torrone of Make
Magazine -- 14
minute mp3 here. My prediction for an easy-to-use download came
true much sooner than I expected!
My friends at Make Magazine have covered, not only this story,
but also
lots of creative applications for the camera -- see the Makezine Blog.
I spoke at The Sixth Hope this summer. I described the
whole hacking process, using this camera as a real-world example. I'll
cover everything, from
physical disassembly to reading the FLASH memory, to basic software
disassembly, to really fancy software disassembly. Download my presentation here.
The video and audio will be released soon.
About Me
Contrary to what some people say, I'm not some nameless hacker working
for the Maushammer.com website. Sure it's a cool website name and
I'd like to think that I was part of the whole Maushammer.com empire,
but the truth is that it's just my last name. And my first name is
John. I'm an electrical engineer who likes to take things apart
and improve them to suit my needs. While I am a former rocket scientist
(actually, embedded
design engineer for satellites, but that doesn't sound nearly as
sexy), this isn't rocket-scientist level work. It's just for fun.
Contact me: my email address is my first name (john) at my last name
(maushammer) dot com.