CVS Camcorder Hacking Progress...

CVS Camcorder Hacking Progress...

Introduction

This page provides info on my hacking progress of the CVS camcorder. This is not an instruction
page with steps for others to reproduce. My plan is to modify a CVS camcorder by replacing the
installed NAND flash chip with an xD-Picture card. While this will allow me to remove my movies,
it is way too much work to repeat on multiple cameras. A camera modified in this way will be an
an excellent test-bed for firmware hacking. I will be able to test firmware modifications
without worrying about "killing" the camera. I can simply re-program the flash through my PC's
card reader with modified versions of firmware whenever needed.

The Plan

1. Unsolder NAND flash from camcorder (mine is a B3 with a Samsung flash chip)
2. Solder xD socket into camcorder using the NAND pads
3. Connect NAND flash to USB xD reader (will use the one that provided the socket)
4. Use Linux and 'dd' to dump the entire contents of the flash to my computer
5. Use Linux and 'dd' to write this image (or the important parts) to a 128MB xD card
6. Insert the card into the camcorder and it boots normally (hopefully)

Progress

1. I was able to unsolder the flash chip without too much difficulty. I work at a company
that builds surface mount boards, so I have access to hot-air tools to do this work.

2. I purchased a multiformat flash reader, xD to smartmedia adapter and a 128MB xD card.
I removed the xD socket from the adapter and after about 3 hours of very careful soldering
under the scope, I was able to mount the xD socket in my camcorder and wire it to the pads
of the removed flash chip.

NOTE: I revised the schematic after realizing that my adapter card did not route the GND signal
as I originially thought.

REVISED: Schematic of the wiring of the xD socket to flash (pads & chip)

Pictures...

xD to Smartmedia adapter with the xD socket removed. I will be attaching the Samsung flash
chip to the pads on this card as soon as my TSOP1 proto board from schmartboards arrives. I
should then be able to dump the contents of the flash to my Linux box.

Pics of the modified camera with the xD socket installed. Some are a little blurry, but you
get the idea.

These pics are extracted from a video clip shot through the soldering scope at the office.
A few of the pin numbers are marked in red to give a frame of reference. The clear stuff is silicone
adhesive to help keep the wires from lifting the solder pads.

Picture of the completed flash reader. This worked exactly as planned. I plugged this into
my multi-format card reader on my Linux box and dumped the entire 128MB with the command

dd if=/dev/sda of=flashchip.img bs=512 count=256000

Dumping the entire 128MB only took about 7-9 minutes. I then repeated this process to "flashchip2.img" and
used the diff command to compare the two files. The files were identical, which confirms that there were no
random bit flips. I removed the flash chip and inserted my xD card into the reader. I used the following command
to dump the chip image to my card:

    dd of=/dev/sda if=flashchip.img bs=512 count=256000

This took a bit longer (not sure how long, I went to pick up my daughter and came back and it was done).
I read the contents back and used diff to verify that it matched flashchip.img.

I have had some problems getting the camera running using the xD card. While I work that issue, here is
some additinal info on the flash image I downloaded:

I was able to mount the individual disk partitions from the image file on my linux box using the following commands:

     mount -o loop,offset=1819136 -t vfat flashchip.img /mnt/data              /* 0x1BC200 */
     mount -o loop,offset=1285120 -t vfat flashchip.img /mnt/resourceA       /* 0x139C00 */
     mount -o loop,offset=130482176 -t vfat flashchip.img /mnt/resourceB    /* 0x7C70000 */
     mount -o loop,offset=130547712 -t vfat flashchip.img /mnt/resourceC    /* 0x7C80000 */

Filesystem               1K-blocks    Used Available Use% Mounted on
/bd2/flash/flashchip.img    125616    5840    119776   5% /mnt/data
/bd2/flash/flashchip.img       506     150       356  30% /mnt/resourceA
/bd2/flash/flashchip.img        59       3        56   6% /mnt/resourceB
/bd2/flash/flashchip.img       506     438        68  87% /mnt/resourceC

You will notice that these offsets do not agree completely with morcheeba's map. This might be due to
the fact that my camera is a B3 version. I don't think I can mount the firmware partition as it does
not appear to be a real disk partition. I should still be able to modify it directly or extract it
from the overall image if needed.

Here is a complete file listing of all the partitions I can mount:

/mnt/data:
total 32
drwxr-xr-x  3 root root 16384 May 25 11:09 dcim
-rwxr-xr-x  1 root root  1394 Jul 28 12:20 statfile.txt

/mnt/data/dcim:
total 16
drwxr-xr-x  2 root root 16384 Jul 28 11:43 100coach

/mnt/data/dcim/100coach:
total 5792
-rwxr-xr-x  1 root root 2842382 Jul 28 11:44 pict0001.avi
-rwxr-xr-x  1 root root  842406 Jul 28 12:18 pict0002.avi
-rwxr-xr-x  1 root root 2217742 Jul 28 12:20 pict0003.avi

/mnt/resourceA:
total 150
-rwxr-xr-x  1 root root   898 Jul 31  1971 adc.bin
-rwxr-xr-x  1 root root   220 Jul 31  1971 ae.bin
-rwxr-xr-x  1 root root   224 Jul 31  1971 aegain.bin
-rwxr-xr-x  1 root root    72 Jul 31  1971 af.bin
-rwxr-xr-x  1 root root   263 Jul 31  1971 agc1.bin
-rwxr-xr-x  1 root root   263 Jul 31  1971 agc.bin
-rwxr-xr-x  1 root root    13 Jul 31  1971 agccfg.bin
-rwxr-xr-x  1 root root    16 Jul 31  1971 AVIMODELSTR.BIN
-rwxr-xr-x  1 root root    38 Jul 31  1971 AVISTRLSTR.BIN
-rwxr-xr-x  1 root root    54 Jul 31  1971 awbcfg.bin
-rwxr-xr-x  1 root root    24 Jul 31  1971 AWBSETTINGS.BIN
-rwxr-xr-x  1 root root   128 Jul 31  1971 BASENLGF0.BIN
-rwxr-xr-x  1 root root  4592 Jul 31  1971 b.bin
-rwxr-xr-x  1 root root 17328 Jul 31  1971 COLORCHART.JPG
-rwxr-xr-x  1 root root 10460 Jul 31  1971 comic.bin
-rwxr-xr-x  1 root root  7844 Jul 31  1971 ctlut1.bin
-rwxr-xr-x  1 root root    64 Jul 31  1971 dlut.bin
-rwxr-xr-x  1 root root   124 Jul 31  1971 eps_gcp0.bin
-rwxr-xr-x  1 root root    64 Jul 31  1971 eps_xscl.bin
-rwxr-xr-x  1 root root   256 Jul 31  1971 GAMMADDE1.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT0.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT1.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT2.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT3.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT4.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT5.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT6.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT7.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT8.BIN
-rwxr-xr-x  1 root root   960 Jul 31  1971 GAMMALUT9.BIN
-rwxr-xr-x  1 root root  4252 Jul 31  1971 gpp.bin
-rwxr-xr-x  1 root root  2159 Jul 31  1971 GRAYCHART.JPG
-rwxr-xr-x  1 root root   928 Jul 31  1971 i.bin
-rwxr-xr-x  1 root root   512 Jul 31  1971 lclut0.bin
-rwxr-xr-x  1 root root    50 Jul 31  1971 MEDIAFORMAT.BIN
-rwxr-xr-x  1 root root 59268 Jul 31  1971 motofont.bin
-rwxr-xr-x  1 root root  3320 Jul 31  1971 p.bin
-rwxr-xr-x  1 root root   782 Jul 31  1971 tg1.bin
-rwxr-xr-x  1 root root   782 Jul 31  1971 tg.bin
-rwxr-xr-x  1 root root    12 Jul 31  1971 tgcfg.bin
-rwxr-xr-x  1 root root     6 Jul 31  1971 USBDEVDESC.BIN
-rwxr-xr-x  1 root root    36 Jul 31  1971 USBMODEDESC.BIN
-rwxr-xr-x  1 root root    28 Jul 31  1971 USBMSINQSTR.BIN
-rwxr-xr-x  1 root root    46 Jul 31  1971 USBSTRINGS.BIN
-rwxr-xr-x  1 root root    38 Jul 31  1971 vidsize.bin
-rwxr-xr-x  1 root root    44 Jul 31  1971 wavexif.bin
-rwxr-xr-x  1 root root    64 Jul 31  1971 ylut.bin

/mnt/resourceB:
total 3
-rwxr-xr-x  1 root root 2052 Jul 28 12:21 usp.bin

/mnt/resourceC:
total 116
-rwxr-xr-x  1 root root   764 Nov 28  2037 DEFECTIVEPIXEL0.BIN
-rwxr-xr-x  1 root root  2052 Jul 31  1971 fsp.bin
-rwxr-xr-x  1 root root 14705 May 25 11:09 logo.jpg
-rwxr-xr-x  1 root root  7994 Jul 31  1971 playback.wav
-rwxr-xr-x  1 root root 24552 Jul 31  1971 PROCESSED.JPG
-rwxr-xr-x  1 root root 18274 May 25 11:09 shutdown.jpg
-rwxr-xr-x  1 root root   998 Jul 31  1971 sound0.wav
-rwxr-xr-x  1 root root  3186 Jul 31  1971 sound1.wav
-rwxr-xr-x  1 root root  7994 Jul 31  1971 sound2.wav
-rwxr-xr-x  1 root root  3508 Jul 31  1971 sound8.wav
-rwxr-xr-x  1 root root 24634 May 25 11:09 splash.jpg
drwxr-xr-x  2 root root  5120 Jul 31  1971 zbm

/mnt/resourceC/zbm:
total 322
-rwxr-xr-x  1 root root  1056 Jul 31  1971 BATTLEVEL0.ZBM
-rwxr-xr-x  1 root root  1056 Jul 31  1971 BATTLEVEL1.ZBM
-rwxr-xr-x  1 root root  1056 Jul 31  1971 BATTLEVEL2.ZBM
-rwxr-xr-x  1 root root  1056 Jul 31  1971 BATTLEVEL3.ZBM
-rwxr-xr-x  1 root root  1056 Jul 31  1971 BATTLEVELE.ZBM
-rwxr-xr-x  1 root root 30832 Jul 31  1971 blank.zbm
-rwxr-xr-x  1 root root 30832 Jul 31  1971 camempty.zbm
-rwxr-xr-x  1 root root 30832 Jul 31  1971 camfull.zbm
-rwxr-xr-x  1 root root 38432 Jul 31  1971 camproce.zbm
-rwxr-xr-x  1 root root  4128 Jul 31  1971 clear.zbm
-rwxr-xr-x  1 root root   544 Jul 31  1971 colon.zbm
-rwxr-xr-x  1 root root 30832 Jul 31  1971 deleted.zbm
-rwxr-xr-x  1 root root  7200 Jul 31  1971 DELETE-VIDEO.ZBM
-rwxr-xr-x  1 root root  6176 Jul 31  1971 NOTDELETED.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-0.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-1.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-2.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-3.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-4.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-5.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-6.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-7.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-8.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-9.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 PLAYTIMER-COLON.ZBM
-rwxr-xr-x  1 root root  4128 Jul 31  1971 play.zbm
-rwxr-xr-x  1 root root 30832 Jul 31  1971 PROCESSED.ZBM
-rwxr-xr-x  1 root root 30832 Jul 31  1971 ready.zbm
-rwxr-xr-x  1 root root  4128 Jul 31  1971 rec0000.zbm
-rwxr-xr-x  1 root root  4128 Jul 31  1971 record.zbm
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-0.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-1.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-2.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-3.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-4.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-5.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-6.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-7.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-8.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-9.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 REC-TIMER-COLON.ZBM
-rwxr-xr-x  1 root root   544 Jul 31  1971 redcolon.zbm
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-0.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-1.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-2.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-3.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-4.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-5.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-6.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-7.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-8.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-9.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-COLON.ZBM
-rwxr-xr-x  1 root root   288 Jul 31  1971 STATTIMER-E.ZBM
-rwxr-xr-x  1 root root  4640 Jul 31  1971 STATUSBARTEXT.ZBM
-rwxr-xr-x  1 root root  3104 Jul 31  1971 VIDEO-LENGTH.ZBM
-rwxr-xr-x  1 root root  3104 Jul 31  1971 VIDEO-NUMBER.ZBM
-rwxr-xr-x  1 root root  3104 Jul 31  1971 VIDEOS-SAVED.ZBM

Questions or comments? Send me an email, or better yet, post it to the camcorder forum at
www.camerahacking.com.

Tom Vickers, Last updated 08/06/2005
Send comments to vickers_tom@yahoo.com