Pentax hack status
  • @ohnice

    Just to be clear. I am not working on "Pentax hack".

    All I did recently was update the decryption/encryption tool to support modern cameras:

    http://www.personal-view.com/faqs/pentax-tool

    Otherwise it requires interested people.

  • I have a K5 which is great for stills but even if it was hacked for video (manual mode/higher bitrate etc) I would still have reservations about its use for serious video work. I used both the K5 and GH2 a while back to shoot a live music performance and even tricking the K5 into manual mode the sensor overheats within a few minutes which also seems to degrade the video quality quite badly. In the end most of the K5's footage was unusable and when comparing it to the GH2 the GH2 won hands down... no contest!

  • Thanks Vitaliy, I'm new to the Pentax scene; I just bought a K-30 a few weeks ago. In the past I had a lot of fun with Canon cams (old PowerShots running Datalight ROMDOS, for which I programmed various extensions, also did language translation, etc.). So I was looking at what can be done with Pentax. I found a quite promising website, http://www.pentax-hack.info/, but unfortunately it has been abandoned for 3 years. New Pentax cams have different firmware, so these tricks don't work. It seems it's still at the beginning. So I was looking for a firmware decryptor (I remember Canon's were also encrypted by some XOR key) and found your older version of FRMCRYPT.EXE, but it didn't recognize the K-30 file. I was pointed to this forum and see you made a recent update. I tried it with FW 1.04 and it seems to have decrypted OK, with many readable strings inside. Just a question about the decompression range. In the original file there's a readable text footer (128B): "Copyright (C) PENTAX RICOH IMAGING COMPANY,LTD.PENTAX K30"; after decrypting I found it at offset 0xF24, with some random bytes at the end. Should the entire file be decrypted, or should the footer be left alone? Or does it mean that during decryption the whole FW is flipped low address to high address? Also, do you know if it's "safe" to modify such a decrypted file, or is it protected by some checksum that has to be fixed?

    BTW about debug mode - this can be entered via the PK_Teether tool. It then appears as another page in the settings menu, where you can browse all strings and images, or you can do AF fine tune in 100um steps (common for all lenses).

    Martin

  • More recent update is at http://www.personal-view.com/faqs/_media/frmcrypt.zip

    I think you already used it.

  • Yes I used this version.

  • BTW do you think it would be possible on the Pentax K-30 to extend RAW bit depth from 12 to 14 bits like on the K5? I know they have the same CCD but dunno if they differ in ADC.

  • @RayeR

    I have no answer to your question. I think no.

  • Hm, seems it's not possible by FW. From the info I dug up, the K-30 uses the Prime M processor, which is optimized for 12-bit (faster for movies and live view) processing, while the K-5 II uses Prime II, which is 14-bit (slower but HQ).

  • Do you know what operating system Pentax/Ricoh use for their new cams? I cannot find any string that could give me a hint. I cannot even find any strings related to a C compiler, like function and library names, section names, etc. I'm not sure if the new decrypter works OK on the K-30 and can decrypt the entire image.

  • @RayeR

    Pentax has very few strings.

    They use REALOS - here is some old info: http://pentax-hack.info/documents/downloads.html

  • I looked there and got some REALOS kernel trial package. There were some binaries/examples, and they really didn't contain any readable strings. I wonder if it's so well stripped or encrypted in some way... I found one string in the K-30 FW referencing the Fujitsu company (they should be making the Prime M processor for Pentax): "Video Image Stabilisation Filtering Library M6-M for Fujitsu v.1.0.6 - CONFIDENTIAL". That site has unfortunately been abandoned for 3 years and the last thing they mention is the M-5 processor running Softune REALOS/FR Ver. 4.0. Also, in the trial kernel binaries I found that everything begins with the signature "RP.." (52 50 00 1E), and I found one occurrence in the K-30 FW, but maybe it's just a coincidence. They also might have migrated to a different OS (like Canon used VxWorks, DryOS and then something else)...

  • That site has unfortunately been abandoned for 3 years and the last thing they mention is the M-5 processor

    It is my site.

    They also might have migrated to a different OS (like Canon used VxWorks, DryOS and then something else)...

    Probability of this is very low.

  • Hi, good day. I am a Pentax K-01 user currently running firmware version 1.03. I noticed big differences from 1.00 to 1.01 in autofocus, and now in 1.03 it seems the "scene mode" options are missing; I tried everything from the LCD monitor setting to the dedicated "scene mode" on the dial and nothing happens. I wonder if someone is familiar with the 1.03 firmware, and if there is a possible hack for this camera?

  • Did someone try to run a script on a K-30, K-5 or similar newer camera? According to older info I googled, I created the file AUTORUN.524 in the rootdir of the SD card with the content: PRINT "Hello World"; FILEOUT "TEST"; EXIT. In the decrypted FW I found a reference to C:\AUTORUN.%03ld and C:\CHKDAT.%03ld. There's no reference to a MODSET file. The magic number 524 I took from the firmware name KB524B.BIN and similarly from the decrypted FW. I also checked that there are strings that belong to script keywords. But I'm unable to run the script; I tried pressing the menu button during power on and also doing it in debug mode (I used pkteether to enable it - is there another way to enter debug via some file on the SD?). Any idea what else to try? Am I right that on an old camera my steps would work?

  • @RayeR

    You can make a small script that will put a big number of AUTORUN.xxx files, where xxx is from 000 to 999, on the SD card, and later use binary search to find the proper one.
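The search suggested in the reply above, as an added example that is not part of the thread: stage a range of AUTORUN.nnn files on the card, check whether the camera ran anything, and halve the range. The function names and the `script_ran` callback are assumptions made here; the script text and file-name pattern are the ones quoted in the thread, and whether a given body executes them is unknown.

```python
import pathlib
import tempfile

# Script text as quoted in the thread; whether the camera accepts it is unknown.
SCRIPT = 'PRINT "Hello World"; FILEOUT "TEST"; EXIT\n'

def stage(card_root, lo, hi):
    """Replace every AUTORUN.nnn on the card with candidates lo..hi (inclusive)."""
    root = pathlib.Path(card_root)
    for old in root.glob("AUTORUN.[0-9][0-9][0-9]"):
        old.unlink()
    for n in range(lo, hi + 1):
        (root / f"AUTORUN.{n:03d}").write_text(SCRIPT)
    return hi - lo + 1

def find_suffix(card_root, script_ran, lo=0, hi=999):
    """Binary-search the suffix the camera looks for.

    script_ran() is called after each staging and must report whether the
    camera executed a script (in practice: a person testing the card).
    Returns (suffix, trials), or (None, trials) if nothing in lo..hi runs.
    """
    trials = 1
    stage(card_root, lo, hi)
    if not script_ran():          # no candidate in the whole range is accepted
        return None, trials
    while lo < hi:
        mid = (lo + hi) // 2
        stage(card_root, lo, mid)  # keep only the lower half on the card
        trials += 1
        if script_ran():
            hi = mid
        else:
            lo = mid + 1
    return lo, trials

def demo(true_suffix):
    """Constructed stand-in for the camera: it 'runs' only AUTORUN.<true_suffix>."""
    with tempfile.TemporaryDirectory() as card:
        target = pathlib.Path(card) / f"AUTORUN.{true_suffix:03d}"
        return find_suffix(card, target.exists)
```

With a real card, `script_ran` would be a prompt answered after each power-on; the full 000 to 999 range needs at most 11 card checks.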

  • From further searching it seems that the problem is bigger. Someone suspects, from comparing FWs, that the file previously named "MODSET.xxx" has now become "yyyyyyyy.xxx" on newer K-5, K30, etc., according to the format string "C:\%08ld.%03ld", and nobody knows what number yyyyyyyy is. xxx should be 524. As the file is placed in the rootdir, there are not enough entries to try out all the billions of file names. Maybe it would be easier to modify the "C:\%08ld.%03ld" string in the firmware. I looked at haute's post describing the chksum bypass, but my K-30 FW looks different from his hexdump. He has quite a clear line:

    000000E0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 98 EA 26 3D

    but I have similar on farther offset with more numbers after FFFFFFFFFFFFF

    00000F60: 00 56 65 72 73 69 6F 6E 20 31 2E 30 35 20 20 20  │.Version 1.05
    00000F70: 20 20 20 00 00 07 25 FB 01 32 01 33 50 45 4E 54  │   ..•%ű☺2☺3PENT
    00000F80: 41 58 00 50 45 4E 54 41 58 00 4B 2D 33 30 00 44  │AX.PENTAX.K-30.D
    00000F90: 53 43 5F 4B 2D 33 30 00 01 00 50 45 4E 54 58 00  │SC_K-30.☺.PENTX.
    00000FA0: 49 4D 47 50 00 5F 49 47 50 00 50 45 4E 54 41 58  │IMGP._IGP.PENTAX
    00000FB0: 20 4B 2D 33 30 00 00 1C FF FF FF FF FF FF FF FF  │ K-30..∟        
    00000FC0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  │                
    00000FD0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  │                
    00000FE0: FF FF FF FF FF FF FF FF 00 00 00 1C A5 5A 5A A5  │        ...∟ąZZą
    00000FF0: 15 55 ED C1 FF FF FF FF 02 0C 02 0C A5 5A 5A A5  │§UÝ┴    ☻♀☻♀ąZZą
    00001000: B7 B5 C7 BF 4F 45 64 A2 48 54 3E 53 41 59 11 F1  │ĚÁă┐OEdóHT>SAY◄˝
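An added example, not part of the thread: a small landmark scanner run over the exact bytes of the hexdump above, to pin down where the NUL-terminated strings, the 0xFF padding and the repeated A5 5A 5A A5 pattern sit. The function names are assumptions made here, and nothing is claimed about what the bytes following each pattern mean.

```python
import re

# Bytes 0xF60-0x100F of the decrypted K-30 firmware, copied from the hexdump
# in the post above (no other firmware data is used).
BASE = 0xF60
DUMP = bytes.fromhex("""
00 56 65 72 73 69 6F 6E 20 31 2E 30 35 20 20 20
20 20 20 00 00 07 25 FB 01 32 01 33 50 45 4E 54
41 58 00 50 45 4E 54 41 58 00 4B 2D 33 30 00 44
53 43 5F 4B 2D 33 30 00 01 00 50 45 4E 54 58 00
49 4D 47 50 00 5F 49 47 50 00 50 45 4E 54 41 58
20 4B 2D 33 30 00 00 1C FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 00 00 00 1C A5 5A 5A A5
15 55 ED C1 FF FF FF FF 02 0C 02 0C A5 5A 5A A5
B7 B5 C7 BF 4F 45 64 A2 48 54 3E 53 41 59 11 F1
""")
MARKER = bytes.fromhex("A55A5AA5")  # appears twice in the dump; meaning unknown

def find_all(data, pattern, base=0):
    """Absolute offset of every occurrence of a byte pattern."""
    return [base + m.start() for m in re.finditer(re.escape(pattern), data)]

def ff_runs(data, base=0, min_len=16):
    """(offset, length) of each run of 0xFF padding at least min_len long."""
    return [(base + m.start(), len(m.group()))
            for m in re.finditer(rb"\xff{%d,}" % min_len, data)]

def c_strings(data, base=0, min_len=4):
    """(offset, text) for printable ASCII runs that end in a NUL byte."""
    pat = rb"([\x20-\x7e]{%d,})\x00" % min_len
    return [(base + m.start(), m.group(1).decode("ascii").rstrip())
            for m in re.finditer(pat, data)]

def words_after(data, pattern, base=0, count=4):
    """Map each pattern offset to the next `count` bytes, as a hex string."""
    out = {}
    for off in find_all(data, pattern, base):
        i = off - base + len(pattern)
        out[off] = data[i:i + count].hex()
    return out
```

The same `find_all` call can look for the "RP.." signature (52 50 00 1E) mentioned earlier in the thread; it does not occur in this excerpt.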
    
  • Wow, it looks that fun has begun! Just found a short time ago when I registered at pentaxforums.com and was directed to this new fascinating thread: http://www.pentaxforums.com/forums/6-pentax-dslr-discussion/250555-resurrecting-pentax-firmware-hacking-2.html

  • @RayeR

    You can invite guys here.

    We need also to add latest cameras to pentax tool, I think they are not present, as I did it last time for K-01 and cameras present one year ago. Also we need to complete decryption of small starting part and fixing all checksums.

  • Yes, looks like I did.

    I've RE the checksum routines and got a decrypted firmware dump. For fun I changed a string in the debug mode.

    Next up I'll write a program to fix the checksum on the binary and then write some custom code.

  • BTW did someone investigate the communication protocol between the Pentax body and the O-GPS1 module? It's connected via the flash hot-shoe connector. Is there a better description of the signals than this? http://www.pentaxforums.com/forums/attachments/125-flashes-lighting-studio/199956d1388264180-manual-flash-puzzle-hot-shoe.gif I found that some communication goes via the pins Digital (initiator) and Mode. When the camera is powered on, pin Digital goes high for about 10-20s awaiting a response on the Mode pin. If there is nothing, it falls back low. If I make a loopback from Digital to Mode, communication starts and the GPS navigation menu in the camera becomes available. I'm going to look at it on a DSO. But I don't have any flash or other device to communicate with. My goal is to attach my own cheap GPS module.

  • Hi,

    I'm working on K-r (2 K-r).

    Debug mode is okay on K-r 1.

    Firmware of K-r 2 is partially failed.

    K-r 1 is fully operational; I had saved the firmware to SD (backup of DSP & CPU).

    Now I need to boot into the loader for K-r 2 (but the back screen is not operational).

    Is there an idea ...

    Kr Debug mode Menu 3 _DxO.jpg
  • I advance .. a little bit

    For K10D, 76830 is the number of the folder for the initial data set; is there a number for Kr?

    The service manual for K10D is an excellent document to catch how to disassemble/assemble ... solder for ..

    Is there a service manual for Kr?

    Kind regards

  • Nothing to add to this, but emotional support for anyone who hacks Pentax cameras. I still like their rendition of shadows better than anything else I have used.

  • hi can someone pls tell me how to use frmcrypt.exe on a windows platform, it loads as attached

    frmcryptscshot.png