PV2 NVRAM Analysis
   
Pure Digital's Ritz Camera Dakota PV2 LCD variant

[camera pic]


NVRAM stands for non-volatile RAM: a section of memory that retains its contents even after power is lost. It can be implemented in a variety of ways -- it can be battery-backed RAM (as on PCs), an EEPROM (Electrically Erasable Programmable Read-Only Memory; typically low-density memory chips), or even the flash memory used in memory cards.

NVRAM can store a variety of small items of information. All network cards have their own unique serial number, and they often keep this information in an EEPROM.

The PV2 uses a file named "NVRAM.DAT" to emulate a low-density NVRAM. It uses this to store, among other things, its serial number and the USB challenge/response packets. The file FIRMWARE.BIN has a backup copy of NVRAM.DAT that seems to be used in some cases. The formats of these two areas are different.

The file NVRAM.DAT consists of a series of records, each made up of two fixed-length fields (content-ID and length) and one variable-length data field.

content-ID  length  data
00 00       04 00   08 03 00 00
01 00       04 00   01 00 00 00
...         ...     ...

Note that the data is stored LSB-first.

The back-up data table stored in FIRMWARE.BIN seems to be capable of holding data objects of only 4 bytes -- anything longer than this is filled with zeros until it is the correct size.  The data table in the version 6410 firmware starts at address $38cb:
content-ID  32-bit value  length
01 00       01 00 00 00   04
02 00       01 00 00 00   04
...         ...           ...
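
A parser for the two layouts described above, as an added example (not code from the original page), which also compares the live records with the backup copy. It assumes the layouts are exactly as the tables show, with a one-byte length in the backup table, and takes the backup entry count as a parameter because the page does not say how that table ends. The function names are hypothetical and the sample buffers are constructed.

```python
import struct

def parse_nvram(buf):
    """NVRAM.DAT: repeated [content-ID u16][length u16][data], LSB-first."""
    records, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated record header at offset {off:#x}")
        cid, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if length > len(buf) - off:  # length field comes from the file: bound it
            raise ValueError(f"record {cid:#06x}: length {length} overruns the file")
        records[cid] = buf[off:off + length]
        off += length
    return records

def parse_backup(buf, offset, count):
    """Backup table: repeated [content-ID u16][value, 4 bytes][length u8].
    Objects longer than 4 bytes are zero-filled up to their length."""
    entries = {}
    for i in range(count):  # count is an assumption: the page gives no terminator
        cid, value, length = struct.unpack_from("<H4sB", buf, offset + 7 * i)
        entries[cid] = value.ljust(length, b"\x00")[:length]
    return entries

def compare(nvram, backup):
    """Map content-ID -> (NVRAM bytes or None, backup bytes or None) where they differ."""
    return {cid: (nvram.get(cid), backup.get(cid))
            for cid in sorted(nvram.keys() | backup.keys())
            if nvram.get(cid) != backup.get(cid)}

def show(data):
    """Render like the page's table: '----' when absent, first 4 bytes otherwise."""
    if data is None:
        return "----"
    return data[:4].hex(" ") + (" ..." if len(data) > 4 else "")

# Constructed sample buffers (not camera dumps). The 4-byte values come from the
# tables on this page; the 128-byte record body is filler.
NVRAM = (bytes.fromhex("0000 0400 08030000") + bytes.fromhex("0700 0400 08000000") +
         bytes.fromhex("1100 8000") + bytes(range(128)) +
         bytes.fromhex("2300 0400 18000000"))
BACKUP = bytes.fromhex("0000 08030000 04  0700 01000000 04  1100 67452301 80")

if __name__ == "__main__":
    diff = compare(parse_nvram(NVRAM), parse_backup(BACKUP, 0, 3))
    for cid, (cur, bak) in diff.items():
        print(f"{cid:04x}  NVRAM.DAT={show(cur)}  FIRMWARE.BIN={show(bak)}")
```

For a real version 6410 FIRMWARE.BIN, the offset passed to `parse_backup` would be the table address the page gives, 0x38cb.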

The data is not necessarily sorted by content-ID. I have sorted it in my table below to allow an easy comparison between tables. This is from a camera with firmware version 6410 which has taken only one picture (ever).

content-ID  length  NVRAM.DAT data        FIRMWARE.BIN data     Comment
0000        0004    same as firmware.bin  00000308
0001        0004    same as firmware.bin  00000001
0002        0004    same as firmware.bin  00000001
0003        0004    same as firmware.bin  00000000
0004        0004    same as firmware.bin  00000002
0005        0004    same as firmware.bin  00000003
0006        0004    same as firmware.bin  00000000
0007        0004    00000008              00000001
0008        0004    same as firmware.bin  00000000
0009        0004    same as firmware.bin  00000002
000A        0004    same as firmware.bin  00000007
000B        0004    same as firmware.bin  00000002
000C        0004    same as firmware.bin  00000005
000E        0004    00000004              00000000              Part of serial number?
000F        0004    30 41 41 44 ("0AAD")  53 4d 61 4c ("SMaL")  Part of serial number
0010        0004    3x 3x 3x 3x           4c 61 4d 53 ("LaMS")  Part of serial number
0011        0080    (128 bytes)           67 45 23 01 and then filled out with 00's for a total of 128 bytes  USB authentication challenge
0012        0080    (128 bytes)           4c 61 4d 53 and then filled out with 00's for a total of 128 bytes  USB authentication response
0023        0004    00000018              ----
0024        0004    00000001              00000100
0025        0004    same as firmware.bin  00000000
0026        0004    same as firmware.bin  00000000
0027        0004    same as firmware.bin  00000003
0028        0004    same as firmware.bin  000003c7
0029        0004    same as firmware.bin  00000000
002a        0004    same as firmware.bin  00000007
002b        0004    same as firmware.bin  000001e3
002c        0004    same as firmware.bin  0000000a
002d        0004    same as firmware.bin  00000001
002e        0004    same as firmware.bin  00000001
002f        0004    same as firmware.bin  00000001
0030        0004    same as firmware.bin  000000fe
0031        0004    same as firmware.bin  000000fe
0032        0004    same as firmware.bin  000002e2
0033        0004    same as firmware.bin  00000406
0036        0004    same as firmware.bin  00000000
0037        0004    3x 3x 3x 3x           00000000              Part of serial number?
0038        0004    same as firmware.bin  00000020
0039        0004    same as firmware.bin  00000003
003a        0004    same as firmware.bin  00000001
003b        0004    same as firmware.bin  0000001e
003c        0004    same as firmware.bin  00000005
003d        0004    same as firmware.bin  00000001
003e        0004    same as firmware.bin  00000000
003f        0004    00000002              00000000
0040        0004    same as firmware.bin  00000000
0041        0004    00000001              00000000
0042        0004    00000031              00000000
0043        0004    00000006              00000000
0044        0004    0000000c              00000000
0045        0004    00000005              00000000
0046        0004    same as firmware.bin  00000038
0047        0004    same as firmware.bin  0000000e
0048        0004    same as firmware.bin  00000007
0049        0004    same as firmware.bin  00000028
004a        0004    same as firmware.bin  00000019              equal to 25 decimal. Coincidence that this is the maximum number of pictures?
004b        0004    same as firmware.bin  00000040
004c        0004    00000002              ----
004d        0004    00000005              ----
004e        0004    0000001e              ----
004f        0004    00000002              ----
0050        0004    00000002              ----
0051        0004    00000001              ----
0053        0004    0000001e              ----



