Pentax hack status

Huckster

@Vitaliy_Kiselev, any thoughts or future plans regarding a Pentax DSLR hack? I'm aware there was some research being done on the Pentax K-5, and now with the K-01 and K-30 (and the GH2 hack drawing close to maximum potential with the most recent patches), perhaps this may be an interesting topic to revisit?

Thank you for everything.

Vitaliy_Kiselev

No one is doing any research as far as I am aware.

lolodigital

perhaps focussing on Nikon hack research would be better ...

as we know, Nikon D3200 has the same electronic than D800, it would be fantastic to let HDMI free on the D3200 the same way than D800 ;-).

Vitaliy_Kiselev

as we know, Nikon D3200 has the same electronic than D800

Where you got this?

lolodigital

Sure it was an expectation from myself...

both platfoms share Image-processing engine EXPEED 3 and same accessories (wi-fi connexion). Hoping they share big part of the firmware... that's all :-)

haute

Hello, I wanted to revive the forum with the intention to progress more in the Hack of the pentax.

All this came the need of a friend downgrade a firmware 1.13 to 1.12 In a Pentax K-5 by problems in focus with tungsten light.

I did some research with a Pentax K-7 and its firmware and discovered several things. But the most important and which I think is the cause of the hack of the pentax has not been made possible, I have managed to introduce several ways firmware modified. I'm pretty sure that works in K-5, K-x and K-r as well, but I dare say that in older models and new models too like K-30

I want people who have contributed much in this thread, . to renew their illusions. Publish their progress.

The first thing you would need is a good disassembly of any of these models (very similar), but my knowledge of assembler are rather poor and I can not get to disassemble the code well.

If I can today, will try to test this in a K-5.

I leave you a snapshot of a small text change in the firmware of a K-7, which is the model that has left me a friend.

A great

Vitaliy_Kiselev

@haute

I do not understand most of the things you wrote.

But only valuable stuff here could be only firmware checksums.

IF you know how they are calculated, just publish it.

haute

I dont know how calculate the checksum (because we have not any good code disassembled) but i know how bypass it, and two forms to load any firmware moded (encrypted and decrypted). sorry for my english. I do not understand how there is more information about the hack pentax cameras. In theory are similar to the Panasonic.

haute

***** Update firmware (cold) ***** For K-7 other models other names.

KB474.bin for DSP only (no encripted). KB474C.bin for CPU only (no encripted). KB474B.bin for both, DSP and CPU (no encripted).

Howto: put any file in SD card c:\ . with card tape open, the machine On or off it is equal. Insert the SD.Then remove the SDcard for updating. Note: can not use the extracted files with the command StoreCpu, StoreDSP of debug menu, because these files contain parts as kb474.adj, kb474cam.log, kb474cpu.adj ... and breaks the firmware check (it is possible to bypass). You can only use the original firmwares files are not modified.

***** Update firmware (hot) ***** For K-7 other models other names. This method you know it all, is the normal firmware update.

FWDC204D.bin for DSP only (encripted). FWDC204C.bin for CPU only (encripted). FWDC204B.bin for both, DSP and CPU (encripted).

Note: can not use the extracted files with the command StoreCpu, StoreDSP of debug menu, because these files contain parts as kb474.adj, kb474cam.log, kb474cpu.adj ... and breaks the firmware check (it is possible to bypass). You can only use the original firmwares files are not modified.

***** Bypassing the check of firmware in hot and cold update. *****

You only need modiffy the headers, DSP and CPU.

Example: This is the DSP header of firmware 1.12 of Pentax K-7

00000000   48 4F 4B 4B 54 4B 49 59  48 54 4E 54 4D 55 20 00  00 00 01 DA 00 01 2D B8  00 00 00 00 01 0C 16 1C   HOKKTKIYHTNTMU     Ú  -¸        
00000020   00 00 00 00 43 6F 70 79  72 69 67 68 74 20 28 43  29 20 48 4F 59 41 20 43  4F 52 50 4F 52 41 54 49       Copyright (C) HOYA CORPORATI
00000040   4F 4E 20 20 00 50 45 4E  54 41 58 20 4B 2D 37 00  56 65 72 73 69 6F 6E 20  31 2E 31 32 20 20 20 20   ON   PENTAX K-7 Version 1.12    
00000060   20 20 00 00 06 00 0A 17  00 DE 00 DF 50 45 4E 54  41 58 00 50 45 4E 54 41  58 00 4B 2D 37 00 44 53            Þ ßPENTAX PENTAX K-7 DS
00000080   43 5F 4B 2D 37 00 01 00  50 45 4E 54 58 00 49 4D  47 50 00 5F 49 47 50 00  50 45 4E 54 41 58   20 4B   C_K-7   PENTX IMGP _IGP PENTAX K
000000A0   2D 37 00 FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   -7 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000C0   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000E0   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF 98 EA 26 3D   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ˜ê&=

The check of the firmware is the last 4 bytes, 98 EA 26 3D, only need to replace the 4 bytes per FF FF FF FF.

000000A0   2D 37 00 FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   -7 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000C0   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000000E0   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

I hope this discovery reactivate the hack of Pentax cameras.

haute

Important: The update in cold mode , the entire record in the rom file, sector by sector, this implies that many of the settings of the machine, files *. Adj and *. Log to be written up and lose our settings.

I have experimented with several changes to the firmware, and it seems difficult to bricking the machine by incorrect use of the firmware.

really sorry for my English arrghh....

Vitaliy_Kiselev

Thanks.

But it is best to understand how this 4 bytes (CRC) is calculated.

haute

If it would be better to find the routine to calculate the check. Supposedly this is routine in the DSP code. I have no good disassembly of the DSP code. To try to look better this routine. Someone could post a DSP disassembly of a Pentax K-5 or K-7?

thanks

Vitaliy_Kiselev

Someone could post a DSP disassembly of a Pentax K-5 or K-7?

Just for note. You can't publically post disassembly :-)

haute

To downgrade K5 v1.13 to other firmware, use this V1.13 patched firmware. It is confirmed. https://docs.google.com/open?id=0B8SoIuKX9p5SRE5ZLXpvRGpIcFk

maniacsteve

Today a firmware update for the K-30 was released (V1.01 FWDC215B.BIN) - comparing it with the firmware update for the K-01 (V1.01 FWDC214B.BIN) shows that about 25% of the two files are identical :) Assuming that the firmware for the new Pentax Prime M processor (is it the Fujitsu Milbeaut MB91696AM?) is encrypted with a dynamic XOR key like for the older Pentax models and that this key is identical for the K-01 and K-30 this might help a lot in getting the encryption key. Lunch break is over so more to dive into over the weekend... :)

Vitaliy_Kiselev

@maniacsteve

I'll try to look into this and add support to new cameras decryption, if you want towork on them.

cyclone3d

I would like the K-01 firmware to be decrypted. Working on some things and having the firmware decrypted would help a lot.

maniacsteve

Hello :)

I finally found time over the holidays to look into the encryption and it seems that there is again a dynamic 2048 bit key :). I haven't succeeded though in decoding the firmware, I assume that I do start at the wrong places in the file - does someone know the layout of the older .BIN Pentax files and where to start with the decryption?

I attached the Python source code how I tried to derive the basic 2048 bit XOR key and the dynamic change pattern.

userage

If we can get some donations together from Pentax users is there anyway we could kick this thing going? There are many of us who would like a better video mode, and I don't really want to switch brand.

Plus the price of the K-01 has dropped so low, if we could make improve the video it would be a great cheap camera for low budget productions.

Vitaliy_Kiselev

@userage

Do not worry, I bought K-01 already :-)

userage

Are you working on trying to hack the Pentaxs'? Or should I start looking at a GH2 :p

AlexWhiter

Hi there,

I think I've managed to decrypt the main part of the firmware 1.03 for K-30. I've uploaded it here: http://www.sendspace.com/file/cwayir

Judging from the string in the file, there really is a debug menu, but I haven't found any mentions of MODSET.xxx, it seems that now AUTORUN.xxx is used instead.

Vitaliy_Kiselev

@AlexWhiter

Modset is dynamically generated, as I remember.

Otherwise I need to add modern cameras support to my decrypter. I'll try to do it soon.

ohnicne

Hello, would it be possible to modify the video bitrate compression if the firmware is hacked? would this allow the camera to record higher quality footage? I'd be completely amazed about this...

Vitaliy_Kiselev

@ohnicne

Right now I have no idea.

ohnicne

I just can thank you so much if you are working on a Pentax hack. I really hope there may me something for the K5 and sisters some day...

Howdy, Stranger!

Categories

Tags in Topic

Top Posters