Posted by Philippe on 08 Apr 2010 at 10:04
How to remove date and timestamp from gumpack camera
This article concludes the experiment made with my camera in order to remove the timestamp. After one week of work, described here [teardown and hacking gumpack camera], I managed to get a solution to completely remove the insertion of the timestamp in these 808 micro cameras. The method described here requires good (de-)soldering skills and appropriate tools. I use a home-made circuit with a programmed Atmel AVR micro-controller to extract and reprogram the camera firmware.
The standard disclaimer applies here. If you burn your camera, hurt yourself, or anything else: it’s not my fault! I applied this method to my camera, and put it here for you to take advantage of it. You are doing it at your own risk.
Procedure
In order to remove the timestamp from your camera, you have to follow these steps:
- Desolder the flash chip from your camera
- Connect it to an SPI reader-writer (this article explains how to build your own)
- Dump the firmware to your computer
- Hack the firmware to remove the font
- Flash the hacked firmware to the flash chip
- Re-solder the flash chip on the camera
- Enjoy!
SPI reader-writer
I made my own tool to be able to dump the flash memory through its SPI port. I used a board I had on the table with an RS232 connection to my PC. Many AVRs could suit your needs. It just needs to have a hardware serial port and a few I/Os to connect to the flash memory. Mine is an AT90S2313 (yes, an old one 🙂). Recent ones like the ATMEGA88 will be perfect. I suppose you have some knowledge of AVR µCs and are able to get a board. Maybe the Arduino could work, but I don’t have one to test.
You’ll have to connect the pins CLK/DI/DO/CS between the flash memory and the AVR. Don’t forget to configure src/hardware.h to select the correct pins; the CPU frequency and the UART baud rate are configured there as well. You should apply 3.3V to VCC, and ground to VSS. The pins WP# and HOLD# should both be high. Be careful: the DO pin of the flash should be connected to DI of the AVR and vice-versa.
The AVR software should be compiled with avr-gcc or WinAVR. Edit the Makefile and set the variables at the top of the file to configure your target. The PC connects to the AVR through its serial port. Make sure the configuration of the pins is correct.
PC software
Hopefully you managed to build, flash and connect your AVR board to your computer. You should now launch the PC software and test that everything is working. The software is in tools/ and is called spi_reader_writer.py. It is written in Python, and I only tested it on Linux, but it should also work on Windows, provided you have installed the pyserial library. You can first check the size of the memory:
$ ./spi_reader_writer.py check_size
You can select the communication port with the option --port. Then dump the memory. The process lasts roughly 10 minutes, so be patient!
$ ./spi_reader_writer.py read my_camera_firmware.raw
Now you can use the tool that removes the font from the firmware. It produces an extract of the firmware in a file called 0x138000-0x13d000_no_font.raw:
$ ./hack_firmware.py my_camera_firmware.raw
Reprogram this part to the flash memory:
$ tools/spi_reader_writer.py write_at 0x138000 0x138000-0x13d000_no_font.raw
Here is the archive:
spi_reader-v0.2.1.tar.bz2 (34KB)
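A check worth running between the dump and the hack steps, given here as an added example that is not part of spi_reader-v0.2.1: read the chip twice and compare the two files before trusting either one. It is written for Python 3; the 2 MB size is the figure quoted for the full dump in the comments below, and the 4 KiB chunk size and the function names are choices made for this example.

```python
import hashlib

FLASH_SIZE = 2 * 1024 * 1024   # assumption: full dump is 2 MB (figure from the comments)
CHUNK = 4096                   # reporting granularity chosen for this example


def chunk_digests(image):
    """SHA-256 of every CHUNK-sized slice of a dump."""
    return [hashlib.sha256(image[i:i + CHUNK]).digest()
            for i in range(0, len(image), CHUNK)]


def compare_dumps(first, second):
    """Return a list of problems; an empty list means the two reads agree."""
    problems = []
    for name, img in (("first", first), ("second", second)):
        if len(img) != FLASH_SIZE:
            problems.append("%s dump is %d bytes, expected %d"
                            % (name, len(img), FLASH_SIZE))
        # A dump made of one repeated byte usually means the chip never answered.
        if img and img == img[:1] * len(img):
            problems.append("%s dump is a single repeated byte 0x%02x"
                            % (name, img[0]))
    if len(first) == len(second):
        pairs = zip(chunk_digests(first), chunk_digests(second))
        for n, (a, b) in enumerate(pairs):
            if a != b:
                problems.append("reads differ in chunk at 0x%06x" % (n * CHUNK))
    return problems


if __name__ == "__main__":
    # Constructed data standing in for two reads of the same chip;
    # with real files use open(path, "rb").read() instead.
    good = bytes(range(256)) * (FLASH_SIZE // 256)
    flaky = bytearray(good)
    flaky[0x138010] ^= 0x01          # one flipped bit, as a bad contact might give
    print(compare_dumps(good, good))
    print(compare_dumps(good, bytes(flaky)))
```

Any reported difference means the wiring or the reader should be fixed and the chip read again before the dump is modified or kept as a backup.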
Please post a comment if it was useful for you 😉
14 April 2010 at 19:47
I’m trying to port this to the mega16, but it doesn’t seem to work – The UART code is specific to the 2313.
My patch looks like this:
diff -u -r ../spi_reader-v0.1/lib_src/uart.h ./lib_src/uart.h
— ../spi_reader-v0.1/lib_src/uart.h 2010-04-08 20:56:25.000000000 +0100
+++ ./lib_src/uart.h 2010-04-14 18:33:12.298998686 +0100
@@ -65,13 +65,20 @@
#define UART_FRAMING_ERROR() (UCSR0A & _BV(FE0))
#define UART_DATA_REG_EMPTY_VECT USART_UDRE_vect
#define UART_DATA_RECEIVED_VECT USART_RX_vect
-#else
+#elseif defined(UDR)
#define UDRE_INT_CLEAR() (UCR &= ~(1<<UDRIE))
#define UDRE_INT_SET() (UCR |= (1<<UDRIE))
#define UART_DATA_REG UDR
#define UART_FRAMING_ERROR() (USR & _BV(FE))
#define UART_DATA_REG_EMPTY_VECT UART_UDRE_vect
#define UART_DATA_RECEIVED_VECT UART_RX_vect
+#else
+#define UDRE_INT_CLEAR() (UCSRA &= ~(1<<UDRIE))
+#define UDRE_INT_SET() (UCSRA |= (1<>8);
+ UBRRL = (uint8_t)UBBR_VAL;
#endif
// Enable transmistter and interrupt on end of transmission
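Review bot: "#elseif defined(UDR)" is not a C preprocessor directive and needs to be "#elif defined(UDR)"; as written the compiler either rejects the line or silently skips it, so the defined(UDR) test never takes effect. In the new #else branch, UDRE_INT_CLEAR() and the SET macro beside it operate on UCSRA, but on the ATmega16 the UDRIE bit lives in UCSRB, so the data-register-empty interrupt is never switched by these macros; both should use UCSRB. The name UBBR_VAL in the "UBRRL = (uint8_t)UBBR_VAL;" line is also worth checking against the macro's definition, since it is spelled differently from the UBRR register it feeds.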
@@ -140,8 +150,10 @@
#endif
;
-#else
+#elseif defined(UCR)
UCR = 0
+#else
+ UCSRB = 0
#ifdef UART_TX_ENABLE
| _BV(TXEN)
#endif
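Review bot: "#elseif defined(UCR)" is not a preprocessor directive and should be "#elif defined(UCR)"; as written, the choice between "UCR = 0" and "UCSRB = 0" is not made by the test shown, and a target that really has UCR can end up compiling the UCSRB assignment.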
Only in ./lib_src: uart.h~
Only in ../spi_reader-v0.1/src: build
Only in ../spi_reader-v0.1/src: .deps
diff -u -r ../spi_reader-v0.1/src/hardware.h ./src/hardware.h
— ../spi_reader-v0.1/src/hardware.h 2010-04-08 20:56:25.000000000 +0100
+++ ./src/hardware.h 2010-04-14 18:33:48.658711031 +0100
@@ -35,9 +35,9 @@
// EDIT all the pins !
-#define LED_PORT PORTB
-#define LED_DDR DDRB
-#define LED PB4
+#define LED_PORT PORTA
+#define LED_DDR DDRA
+#define LED PA0
#define led_on() (sbi(LED_PORT, LED))
#define led_off() (cbi(LED_PORT, LED))
diff -u -r ../spi_reader-v0.1/src/Makefile ./src/Makefile
— ../spi_reader-v0.1/src/Makefile 2010-04-08 20:56:25.000000000 +0100
+++ ./src/Makefile 2010-04-14 18:45:04.378686937 +0100
@@ -1,9 +1,10 @@
PRG = spi_reader
-#MCU_TARGET = atmega88
-MCU_TARGET = at90s2313 # EDIT THIS !!
-AVRDUDE_PROG = stk500v2 # EDIT THIS !!
+MCU_TARGET = atmega16
+#MCU_TARGET = at90s2313 # EDIT THIS !!
+AVRDUDE_PROG = avr911 # EDIT THIS !!
+AVRDUDE_PORT = /dev/ttyUSB1
#AVRDUDE_DEVICE = t45
-AVRDUDE_DEVICE = 2313
+AVRDUDE_DEVICE = m16
LFUSE=0xe2
HFUSE=0xdd
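Review bot: LFUSE=0xe2 and HFUSE=0xdd stay unchanged while MCU_TARGET moves to atmega16; fuse bit layouts and clock-select encodings differ between AVR parts, so these two values need checking against the ATmega16 datasheet, and the resulting clock has to match the CPU frequency configured in src/hardware.h or the UART baud rate will be off. "AVRDUDE_PORT = /dev/ttyUSB1" and "AVRDUDE_PROG = avr911" are local settings; assigning them with ?= so they can be overridden from the command line would keep the Makefile usable on other setups.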
@@ -90,7 +91,7 @@
$(OBJCOPY) -j .text -j .data -O binary $< $@
prog : $(PRG).hex
– avrdude -y -c stk500v2 -p $(AVRDUDE_DEVICE) -U flash:w:$<
+ avrdude -y -c $(AVRDUDE_PROG) -P $(AVRDUDE_PORT) -p $(AVRDUDE_DEVICE) -U flash:w:$<
push : $(PRG).elf
cp $0; i–) {
led_on();
– _delay_ms(20);
+ _delay_ms(200);
led_off();
– _delay_ms(20);
+ _delay_ms(200);
}
+ uart_add_tx_buff_prgstr(PSTR(« SPI reader ready\n »));
+
flash_init();
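Review bot: the added uart_add_tx_buff_prgstr() banner line sends unsolicited text on the same serial link that spi_reader_writer.py uses for its commands, so unless the host script discards it, the first reply read after a reset will begin with "SPI reader ready". Wrapping the banner in a debug #ifdef, or confirming that the script flushes its input before the first command, would avoid that. The change from _delay_ms(20) to _delay_ms(200) also lengthens start-up by ten times per blink, which is worth a comment saying it is for debugging.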
14 April 2010 at 19:48
I also forgot to say thanks a lot – This looks great! 🙂
15 April 2010 at 19:02
Okay, feel free to delete the patch above – I couldn’t get it to work that way round. I’m sure someone more skilled would have more luck.
Instead, I have removed the UART functions and replaced them with what appears to be a more portable library. To do this, I split out the formatting sections of uart.c into their own file and then fixed up the calls so they use the new UART library.
I also fixed an issue in the python script – I’m guessing it is a different version here (Ubuntu 10.04) which doesn’t autodetect the base of the address.
Please feel free to use these as you want!
http://homepage.hispeed.ch/peterfleury/group__pfleury__uart.html – Source of the UART lib
http://dibblah.pwp.blueyonder.co.uk/mega16.diff.gz – Patch including all changes
(I have a successful dump, modify and write of the flash using the mega16 evaluation board from Sure Electronics)
Thanks again,
Allan.
6 May 2010 at 02:42
Does one really need to remove the flash chip from the PCB in order to connect the AVR to its pins?
Because I do have an AVR here and a camera, but I don’t have the tools to desolder the chip off.
8 May 2010 at 22:22
Hello GuySoft,
I did some trials without removing the chip, and it didn’t work. But it was at the beginning, and my firmware was faulty at this time… The issue is that when you power the chip, the whole camera is powered, also driving the memory chip. You can try at your own risk 🙂 Regards
10 May 2010 at 06:48
You don’t need any ‘special tools’ to remove the flash chip.
Bump up each side (4 pins) with a lot of solder, so there is a blob of solder covering all 4 pins on each side (obviously you have removed the battery before this).
Now heat up one side and with a small flat screwdriver, pry the chip up a tiny bit on this side, remove the heat and let the solder cool.
Switch to the other side, heat it up, pry the chip up a little bit on this side.
Repeat switching sides until you slowly rock the chip up right off the pads (but still connected by solder), then you can run the soldering iron under the pins (between the pins and the pads) to disconnect the pins from the pads. You can use some solder wick to get rid of the excess.
Once you have totally disconnected one side, just heat up the other side and push the chip and it will come off.
Be careful though, and don’t pry it too hard otherwise you will lift a pad and it’s game over.
9 July 2010 at 05:05
Is the hack_firmware.py python2 or python 3?
I’ve got the exact same camera as you do, I’ve read the flash memory with a parallel port interface I’ve made, but with python 2.6 your hack_firmware program refuses to do anything.
9 July 2010 at 05:21
Ok, seems like your program needs a file limited to just the 0x138000-0x13d000 and can’t handle a full 2048 kb file like my programmer extracts/reads 🙁
9 July 2010 at 05:58
Never mind, I quit trying to understand Python and modify the program.
I just opened my Hex Editor and manually overwrote everything from 0x138000 to 0x13d000 with "00 00 80 80 80 80 80 80 80 80 00 00 00 00 00 00"
9 July 2010 at 22:01
@RJSC: The code is python2, tested with 2.6.5. Normally, "hack_firmware.py" works on the full 2MB firmware, but only outputs the 0x138000 to 0x13d000 range.
And "spi_reader_writer.py" has the option "write at" to decrease the time to write the firmware back into the camera.
Your manual modification of the firmware is good!
Indeed, I released a 0.2.1 where "hack_firmware.py" also writes the full 2MB image of the hacked firmware.
In the end, did the modification work for you?
Cheers,
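The manual edit discussed in this exchange, written out as an added Python 3 example (it is not the code of hack_firmware.py): it takes the full 2 MB dump, fills 0x138000 to 0x13d000 with the 16-byte pattern quoted in the comment, and returns both the full image and the extract to use with write_at. Treating 0x13d000 as an exclusive end is an assumption, and the function names are made up for this example.

```python
FLASH_SIZE = 2 * 1024 * 1024                 # full dump size mentioned in the thread
FONT_START, FONT_END = 0x138000, 0x13D000    # end treated as exclusive (assumption)
# 16-byte fill pattern quoted in the comment about the hex-editor edit
FILL = bytes.fromhex("00 00 80 80 80 80 80 80 80 80 00 00 00 00 00 00")


def blank_font(image):
    """Return (patched full image, extract to write at 0x138000)."""
    if len(image) != FLASH_SIZE:
        raise ValueError("expected a %d-byte dump, got %d"
                         % (FLASH_SIZE, len(image)))
    span = FONT_END - FONT_START
    if span % len(FILL):
        raise ValueError("fill pattern does not tile the font range")
    extract = FILL * (span // len(FILL))
    patched = image[:FONT_START] + extract + image[FONT_END:]
    return patched, extract


def only_font_changed(original, patched):
    """True if both images have the same size and differ, at most,
    inside the font range. Also usable on a hand-edited file."""
    return (len(original) == len(patched)
            and original[:FONT_START] == patched[:FONT_START]
            and original[FONT_END:] == patched[FONT_END:])


if __name__ == "__main__":
    # Constructed stand-in for a real dump; with a real file use
    # open("my_camera_firmware.raw", "rb").read() instead.
    dump = bytes(range(256)) * (FLASH_SIZE // 256)
    patched, extract = blank_font(dump)
    print(len(extract), only_font_changed(dump, patched))
```

Running only_font_changed() on a hex-edited image against the original dump confirms that nothing outside the font range was touched before the file is written back.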
10 July 2010 at 02:08
I don’t know yet, but I suppose it works since I manually replaced the fonts.
I’ve destroyed my EN25F16 because when I was going to flash the patched firmware, I accidentally powered the flash with 5V instead of 3.3V. Now it seems to be writing but when I verify it, 3 locations always fail.
I’ve searched the web for a replacement EN25F16 but the only one I found was 6,5€ + shipping, and a new cam cost me 11€ including shipping, so I opted to buy a new cam.
I really can’t understand this « market logic ». A full cam containing an EN25F16 plus everything else for 11€ and a single EN25F16 costing almost the same.
Do you know any website where to order an EN25F16 for a reasonable price so that I can make my first cam work again?
10 July 2010 at 22:46
Good news!
The chip wasn’t damaged!
The programmer I’ve made on a breadboard was failing due to poor contacts.
I’ve made a Printed Circuit Board and redone the parallel programmer and was able to reprogram and verify the chip.
As expected, my manual hack worked.
The firmware backup I’ve downloaded from my camera was bad, due to the bad programmer. I had to use your firmware dump to make my camera work again, then I patched it manually.
I can say it is safe for you to post the cracked binary firmware file here for other people to flash on the same D004 camera.
Now if only we could make the upgrade without desoldering, it would be viable to so many other people…
18 July 2010 at 14:43
@RJSC: Hello, thanks for the news! So can we conclude that the EN25F16 is tolerant to 5V?
I didn’t find a good source for this chip, but it seems that EEPROMs like this are pretty standard and all have the same command interface. But the EN25F16 is rather fast.
We would need more information and/or more reverse engineering work to make the firmware programmable only by software.
Cheers,
21 July 2010 at 11:35
Hi!
I’m hesitant to start soldering because I’m a spaz, but I would be very interested in a copy of someone’s firmware; maybe I can find a buffer overflow or something, and find a way to ‘softhack’ the timestamp out…
Does anyone know of a firmware backup somewhere?
Thanks, G.
23 July 2010 at 13:19
@Gilimanjaro SoftHacks are way harder :p You can’t see what you’re doing.
@Philippe The datasheet states a voltage range from 2.7 V to 3.6 V. Maybe I just got lucky with mine!
Anyway, what I think is that it was something similar to what happens when you can overclock a CPU: The manufacturer can warrant that a part will work within the parameters defined on the datasheet (be it voltage or frequency, in case of overclocking), but many times the users find that some of those parts work above specifications and others don’t. When they are manufactured, the manufacturer must define parameters that suit all of the parts out of the production line, the worst and the best, and not just half of them.
I wouldn’t be surprised if someone else’s EN25F16 survived a brief 5V operation and somebody else’s got damaged. Working outside specifications there is no certainty, you can get lucky, or it can burn.
29 September 2010 at 09:43
Hello again,
My camera seems to be dead. It will not switch on, and when I plug it for charging the red light stays in steady.
It will also not get recognised as a memory card. I see no physical or electrical damage.
Is it dead? Or is there a way to fix this?
Guy
6 March 2011 at 08:07
Hello, guys. I am going the other way to add more information like atmospheric pressure, etc. But I do not know how to softhack (beginner). Could you please tell me….
Is there any way to change the position of the timestamp?
Or add more fonts (numbers) of additional measurement devices on the file?
8 April 2011 at 19:25
Hi, first of all wanted to say tnx for interesting articles! I have a question for u, do u know is that possible to change video resolution to lower by changing the firmware? or bitrate, or framerate? the thing is that video takes too much space, and i want to lower it in any possible way.