Camcorder Firmware
Analysis
Pure Digital's Camcorder for
CVS
Overview
The camera's firmware is a stored near the beginning of FLASH memory.
Unlike the PV2, it is not a unique file, so no bootloader is needed to
traverse the file system and load the correct firmware into memory.
The firmware is about 1255 kB in size. So far, I have disassembled and
roughly
traced approximately 54% of the code - I still haven't commented
individual lines, but the disassembler I wrote does a good job of
automatically
adding some meaningful comments.
Camera Ingredients
The development of this camera relied on a lot of
code written by others. Some of this is commercial software, some is
open source.
Operating System
The camera contains a modified version of the
default firmware Zoran uses in its cameras:
Zoran Corporation
COACH
COACHWare 1.0
2002:01:13 12:06:00
|
This software is based on a standard real-time operating system from
Express Logic:
Copyright (c) 1996-2001 Express Logic
Inc. * ThreadX LX4180/Green
Hills Version G4.0.4.0 *
G-GB-GL-M-D-DL-KML-CMR-HMR-ML2-GZ-KH2-CM-RP-TC-NH-TD-AP-HA-GF-DD-AT-MF-MS-DW-USA-CA-SD-SDSU
Copyright (c) 1996-2004
Express Logic Inc. * FileX
LX4180/Green Hills Version G3.1a.3.1a *
|
Processor
Core
The Lexra LX4180 is a MIPS-I compatible
processor with an R3000
exception model and coprocessor support (EETimes
article). A simulator and a good set of resources is available here.
Video
Codec
The video encoding seems to be from a recent version of the open source
LGPL-licensed ffmpeg. It uses a
version that is newer than 0.4.8 (that version had a spelling error
that was corrected in later versions and it wasn't found in this
camera). The popular MPlayer
contains a lot of the same code base.
I'm not entirely sure how ffmpeg is used. It could be used for playback
only, or as a transcoder to scale the video into a smaller format. But,
it's probably the heart of the whole camera - my friends that have
dealt with Zoran say they like to do everything in software.
Fonts
This camera uses the "MS Sans Comic" font. I've got more info on
the flash analysis page since this isn't embedded directly into the
firmware.
Firmware Disassembly
If you're interested in the guts of what makes the program tick,
then see my Firmware Disassembly
page. The disassembly is where I've spent the bulk of my time,
and it was critical to figuring out how to interface to the camera.
Firmware Monitor
The camera contains a firmware monitor. A monitor is a small
program that typically allows users to read and write memory, and
execute code. This monitor is quite extensive and
allows an amazing amount of control over the camera. It can enable
on-screen debug information, start, stop and list operating system
threads, and read/write files or raw memory. It looks like the
recording bit rate can be set, allowing longer (lower-quality) videos
to be recorded.
There are 180 commands, many of which accept parameters. I
have listed all the commands here.
USB Interface
The USB interface is complex enough that I have described it on this page. That page also has a
description of the unlock code.
Operating System Objects
Besides threads, ThreadX supports Timers, Queues, Mutexes,
and
synchronization Events (pdf link).
Operating System Threads
Although symbols have been stripped from the firmware, I can still
associate sections of code with useful names because of the way threads
are started. (This is much easier than the PV2!)
These 7 threads seem to be system-level threads:
| SysCheck |
NotBlockingPrints |
StillServer |
Monitor |
AgentServer |
BrowseServer |
HCE |
HCE seems to be the main initialization/control
thread.
These 65 threads seem to be more transient:
| AppBoot |
Z2c Writer |
Mount |
IPP Update |
StatAe |
Browse Audio |
| AvAudio Decoder |
HCE Uart Write |
HCE Uart Read |
MenuPIP |
AppMotorWaitEvent |
Usb Hub |
| Store |
AppSensorWaitEvent |
UartAgent |
FocusSearch |
ZoomMotor |
Sensor |
| OpenLens |
Capture DRAM |
Capture Sequence |
FileOperation |
Aaa |
AaaAf |
| Movie Reader |
Movie Decode |
Movie Scaler |
StillMpeg4Main |
StreamEncoder |
Image |
| PlaybackPIP |
Calibration |
FileCreator |
StreamAudio |
MipsTest |
BrowseMpeg4Main |
| AudioStreamWriter |
VideoStreamWriter |
VideoStreamWriter |
cntl thread |
bulk thread |
MassStorage |
| C2c-Shutter |
C2c-Sensor |
C2c-Swap |
C2c-Converter |
C2c-Compressor |
C2c-Writer |
| C2c-Display |
Stream |
vendor thread |
CmdDispatcher |
UsbAgent |
StreamRaw |
| Led blink |
Message |
Statistics |
StatisticsAf |
JpegDetect |
AudioCodecPlay |
| AudioProc |
Audio |
Convertor |
|
ApsEditMovieFragmenterMainPreviewMode
|
Operating System Timers
These 11 functions are timer-driven:
| Buttons |
HCEInt |
HCECapInt |
HCE |
| VideoTimer |
AudioTimer |
FCU General |
FCU Bursts |
| JpegOverflow |
UsbSetAddress |
UsbWrite |
|
Operating System Queues
| ProcessedFramesQueue |
EmptyFramesQueue |
CompressedFramesQueue |
AudioCodecReadyQ |
| AudioCodecHandledQ |
Usb ports queue |
Frame buffers for display
queue |
Free frame buffers queue |
| Grab buffers queue |
Data buffers queue |
Free buffers queue |
StatReady |
| AfmsReady |
AwbReady |
AudioQueue |
HandledAudioQueue |
| AvAudEncReadyBuff |
AvAudEmptyBuff |
Debug |
HCE |
| Pipe Receive |
Pipe Send |
Browse AVI jpegs |
empty frames |
| full frames |
ProcessedFramesQueue |
C2C-RawFrames |
C2C-SwapFrames |
| C2C-YuvFrames |
C2C-CodeFrames |
C2C-DisplayFrames |
UsbCamCmd |
| Message |
|
|
|
Operating System Mutexes
| UartWriteInfo_mutex |
UartReadInfo_mutex |
GetThread_mutex |
MallocInfo_mutex |
| IPP Update_mutex |
Z2C_mutex |
GpioFcuMutex_mutex |
PwmInfo_mutex |
| Debug Blocking_mutex |
Free Params_mutex |
StillImage_mutex |
PendingImagesInfo_mutex |
| BrowseImage_mutex |
VideoMutex_mutex |
Image_mutex |
FCU Mutex_mutex |
| TIFF DATABASE_mutex |
ConvertMutex |
JpegMutex |
LrmeMutex |
| PathParamMutex |
DpofSetGet_mutex |
|
|
Operating System Semaphores
| StatPattern Sem |
Zoom Sem |
TL Semaphore |
FileX Media Semaphore |
Operating System Events
| Free Mem_event |
Free Mem2_event |
Display_event |
SensorEvent_event |
| DmaEvents_event |
Z2c_event |
AudioEvent_event |
Motor_event |
| AvAudioEvent_event |
FragmenterEvents_event |
Confrim Store Event_event |
GetImage_event |
| Zoom Events_event |
BMEvent_event* |
VideoEvents_event |
C2c-Events_event |
| PlayerEvents_event |
FragmenterEvents_event |
FilterEvents_event |
Recorder_event |
| FcuEvents_event |
Rtc_event |
PathEvent_event |
Adc_event |
| UsbDevice_event |
UsbHost_event |
UsbPipe_event |
|
*Note: BM = browse movie,
not bowel movement.
back to my analysis of the flash memory
My main CVS Camcorder analysis page
Info
on the PV2 still
disposable digital camera (also with LCD screen)
other systems
I've played with
visit my homepage
![[camcorder pic]](camcorder-icon.jpg){kind=icon}