Pure Digital PV2

PV2Mod - a program to modifying PV2 files

for Pure Digital's Ritz Camera Dakota PV2 LCD variant

PV2Mod is a simple program I wrote to modify files stored on a PV2 camera. It is currently only a Mac command-line program (since OS X, macs have become the choice of many geeks, and I've found USB programming for Mac to be very easy).

While PV2 can modify any file in the camera's root directory, there are three of particular interest:

FIRMWARE.BIN allows modification as to how the camera operates. If you mess this file up, though, you might make the camera unusable.

LANG-EN.DAT contains all the text shown on the camera.

the .TFT files contain images used during the operation of the camera. This includes the splash-screen upon power up, the screens describing how to take a picture, and basically everything else that is not in the black-and-white font used for the work "REMAINING". If you wanted to, you could make a "hello kitty" themed camera.

PV2Mod basically does low-level reads and writes to the FLASH memory, but it also contains a lot of code to make this easy:

It traverses the FAT12 file system so that data can be referenced with filenames and addresses relative to the start of the file, instead of an absolute flash addresses.
It has verification code that allows a script to make sure the attached camera has the expected data before it modifies it -- without that, unintended modifications could be disastrous. The verification is CRC-based, which means a full copy of the expected block does not have to be included in the modfile -- this helps respect the copyright on the files to be modified.
And, for FIRMWARE.BIN, there are special functions to make sure the embedded checksum is correct.

Download PV2Mod & Modfiles

You can download my initial release of PV2Mod and a preliminary set of modfiles from this 7-1-05 release. I'm naming this the 上田駅 (Ueda Station) release - for a picture, I've got a 1.5MB uncompressed png and a 76K smaller JPEG. If you don't have access to a mac, try Drmn4ea's windows port of pv2 mod.

Mod files are specific to the firmware version and the challenge/response code.

They are very flexible so you can make them do anything, but so far I've come up with three useful files. All of these expect a firmware version of 6410 and the not-LaMSSMaL0000 response code. It would be trivial to modify these files for a different challenge/response (assuming you knew the correct response, of course) and it carries almost no risk. It should be pretty easy to modify these files for a different firmware version, too, but there is a slight risk you'll mess up your camera -- just search for the context of the patch (listed in each modfile) in the new FIRMWARE.BIN, modify the address, and it should work.

So far, I've got four mods files, and three of them are included in the above release. They are:

1. A modification of LANG-EN.DAT that replaces the word "REMAINING" (which is referring to the number of pictures remaining) with "HAX0RED!". [I'm delaying a bit on publishing this one. I've run it with two cameras, but I'm not sure which of the 3 copies of the word must be modified. It seems like it is majority rule, but the software didn't seem to do that. I'll investigate more...]

2. Remove the $80-command-controlled flag. This just sets the default mode to communications-enabled. The reverse mod to restore the regular operation of the camera is also included.

3. Test to see if the $80-command-flag is necessary. This just tries to read a block of memory without first sending the $80 command. It would be best to try this after powering down the camera for a little bit.

4. Change the camera's USB product ID from $0027 to $0024. I've provided a reverse mod for this, but you'll probably have to run pv2mod with the -vid=0x0024 argument.

To make the camera compatible with the Foxz2 driver, you need to perform mods 2 and 4.

Using PV2Mod

Pv2mod can be executed with the following command line:

pv2mod [-write] [-verbose] [-pid=0x0027] [-vid=0x0dca] modfile

I usually use -verbose; using it more than one time will make the program print out even more verbose information.

If the camera has been modified to use a different USB Vendor ID or Product ID, then you'll need the -vid and/or -pid flag.

I strongly suggest that you initially run pv2mod without the "-write" parameter so that you can ensure that the modfile script will operate properly and with no errors. If so, then it should be safe to use the -write command to actually write the modification. If the write of FIRMWARE.BIN fails partially through, you could be left with a dead camera -- the only recovery would be to manually create a new modfile that undoes the most recent changes and run this before disconnecting the PV2 from the USB port.

Writing Mod files - the Script Language

I'll describe this section better when I get a chance. Just follow the examples provided. Make sure everything is right in the verbose mode. And, if you're modifying FIRMWARE.BIN, be sure to cut and paste the two sections I have in my examples that set the two checksums. They should be in that order. Unless you really know what you're doing, please don't try to modify FIRMWARE.BIN and a different file from within the same modfile -- the checksum deltas must be handled carefully & reset.

// Commands that are supported in the modfile:
//
//   GetChallenge -- Gets the camera's challenge into a memory buffer
//   SendResponse -- Sends the current buffer back to the camera as a response
//   PrintBuffer    -- prints the buffer memory & CRC (used mainly for debugging)
//   VerifyBufferCRC {CRC_VALUE} -- Verifies buffer CRC
//   SetBuffer {START_ADDR} {BYTES} -- poke data into the current buffer
//   ReadFileBlock {Filename} {block} -- reads a particular 512-byte block of a file
//   WriteFileBlock -- Writes back the most recently read block to the original location
//                     Must be enabled by the "-write" command line parameter!
//   SetBufferChecksum -- sets bytes in buffer to make a correct checksum.
//   ResetChecksum -- resets checksum - use when you've modified a non-FIRMWARE.BIN
//                     file and now you want to modify FIRMWARE.BIN

My main PV2 analysis page
other systems I've played with
visit my homepage