3.62 Only!! Hardware Method v3 - KILLS MODELS 3.7 AND UP!!


Captain Obvious- 10-11-2005
3.62 Only!! Hardware Method v3 - KILLS MODELS 3.7 AND UP!!
This method no longer works on new 3.7 or 33.04 cameras because both USP.BIN and FSP.BIN use the same unknown key. Added by brite_eye 2/17/06. Updated camcorder model and firmware versions on 7/18/06 by GotAnMP3.

This method is based on work done by:
- Brite_Eye - who first suggested corrupting USP.BIN with a battery drop
- BillW - running with the idea, coming up with the original hardware hack of shorting the I/O on the flash to corrupt USP.BIN (forumer.com/viewtopic.php?t=1176)
- Gyro - who realized a similar result could be had by shorting the Chip Enable to the battery + to disable the flash (forumer.com/viewtopic.php?p=12724#12724), and
- MUOTUC - who published the schematic that allowed me to trace pin 9 to an easier location on the board (forumer.com/viewtopic.php?t=812&highlight=schematic).
- carpespasm - who put all the software pieces together into the QuickInstaller that makes our lives easier.

I'm just the gatherer of information...

With this method, all you have to do is open the back of the CVS Camcorder, have a steady hand and a fair sense of timing (and probably some luck). Apparently, this is much safer than the 6-7 short, less chance of ending up with a dead camera, and any existing videos on the camera are recoverable.

0) First things first!
- Download and install the QuickInstaller. This includes the USB library files, the camera driver files, and Ops that talks to the camera and allows you to download videos and change settings.
- Do a Vulcan Nerve Pinch on the camera to see what version you have (hold down Record & Delete buttons, then press Power button):

Model 200:
3.40 - Nice! Stop here. Simply plug your cam in and use Ops!
3.62 - Carry on...
3.70 - Carry on with patience... May take more short attempts to get the sweet spot.
23.82 - CAN NOT be hacked using this method.

Model 220:
33.04 - No firmware versions of this camcorder are hackable using this method.
33.17 - "
33.19 - "

Model 230:
53.05 - No firmware versions of this camcorder are hackable using this method.

1) Open the battery case by releasing the latch with a paperclip or whatever.

2) Slide the battery holder out of the case.

3) Lift the 4 corners of the sticker and unscrew the 4 silver fasteners.

4) GENTLY pry the case open. 2 catches at the bottom of the battery case, and 1 on either side in line with the screen.

5) Here's what you're looking at on an unhacked camera: The video preview screen shows the status text and time remaining.

6) Cut yourself about a 6" length of wire. On one end, strip as little insulation as you can. This will be the end you touch to the circuit board, so you don't want a lot of bare metal flapping around in there.

7) Pop the lower battery out, slide the long end of the wire behind the spring contact on the positive side (+) and pop the battery back in to secure it.

8) Now, your target is the tiny resistor R101 below the flexible cable of the LCD screen. It's not next to its text, but closer to the top left corner of SW2. It will have "103" printed on top (if your eyes are that good). You want the side that's facing SW2. According to MUOTUC's schematic (and verified), this is connected directly to Pin 9 (CE) on the flash chip. You may need to clean the solder joint at the end of the resistor of the oxide layer (a thin, nonconductive film that forms over the solder that may prevent your wire end from touching metal). Use a pencil eraser (if you can get in there), or scuff it up with an Xacto (careful!).

9) Now the tricky motor skills vs. timing part. BE CAREFUL. When you press the power button (SW1), about 1/2 second later the unit will beep and the screen will light up with the CVS welcome. You want to touch the stubby end of the wire to the right side of the resistor RIGHT before the beep. It will probably take you several tries.

<Update> There's some evidence that for 3.62's the sweet spot is right before the beep, and for 3.70's it's right after the beep. Either way, you don't need it on there for very long.

10) If you get it right, the preview screen will come up with no status or time text (looks black here because it's face down on the table. Will show video preview). If not, power off and try again.

After 250 tries on a 3.70 and no video preview without status, Dino reports success by plugging in with dark gray/black screen. Also others have had better luck soldering wire to resistor and touching battery contact instead of trying to hit resistor each time. (edited by b_e)

At this point, I was able to connect the unit directly to the computer and use OPS 0.13 to Open and Unlock the camera (see Applications, Quickinstaller: forumer.com/viewtopic.php?t=556). Others have reported they had to power down first, then connect to the computer.

Good luck and let me know if there are any corrections needed!

brite_eye- 10-12-2005

Captain Obvious, great photos. None of that appears obvious to me. I stickied your how-to and changed it to version 3. 8) That looks so easy, why should anyone even bother looking into OldGuru's RSA hint on decrypting all keys.

hophead- 10-12-2005

Thanks, I tried this last night for a while and I was on the wrong resistor. This morning after reading your how-to, first try I got it to go blank then unlock with OPS. Couldn't have been easier. Now to have some fun.

BillW- 10-12-2005

I'm in agreement with brite_eye, Captain Obvious. The new short location is totally worth a version bump and a hack-author status for yourself. Kudos on this excellent detective work, and thanks for all of the attributions! (You should co-attribute the flash short method to brite_eye, as it was his suggestion that we might corrupt USP.BIN with a hardware short.)

carpespasm- 10-12-2005

Sweetness, this looks much nicer than the 6-7 short. Is the chance of bricking the cam reduced by this method?

Captain Obvious- 10-12-2005

I really don't know the true risks of corrupting too much and frying the cam, but according to Gyro's analysis and Brite Eye's assessment, it's merely disabling the flash chip during a write and much safer. Big benefits here are that any existing video you've got on the cam is still there.

DBD- 10-12-2005

That's a pretty good how-to, nicely detailed and seems easier than the other methods.

Waldo- 10-12-2005

Would it help if you soldered a wire off this pad and then touched the wires together outside the case? Thinking it would reduce missing the pad and having to try again. waldo

abdthrow- 10-12-2005
All of you guys are heroes...
Thank you! I got my cam after lurking around this forum for a day or so - but I completely missed the threads about 3.62. It was my 9 yr. old's birthday and he has been wanting to make his own movies for a year now. No way can I afford to give him a real cam (I certainly don't have one) and frankly, he's a great kid, but it will get lost/broken/stolen, etc. He was super hyped when he got it and I was sort of struggling with a centronics cable build (big fat fingers) but I finally got it hooked up and boy was I disappointed when it didn't unlock. That's when I started reading this forum more closely and following all of your progress. Anyway, I just didn't want to risk the 6 & 7 short with my fingers, so this was a great save. I will say I didn't quite get the timing right a couple of times so when I finally got it to work the old videos were gone. Kind of sucks, but he'll get over it and now on to produce his first "indie" :D. Thanks again!

docwebhead- 10-12-2005

Success! May the deities of hacking bless you amply! Thanks, now I need not fear the 3.62! I used a 4 inch piece of leadfree solder, and got close maybe five times (losing text, but no unlock) before it took. About 40 attempts in all. That's versus 120 tries and no wins with the 6&7 method. Yippee, and thanks again! (Note to self: Send 50,000 influence to Cpt. Obv.)

vnikuda- 10-12-2005
one more step
docwebhead wrote: I used a 4 inch piece of leadfree solder, and got close maybe five times (losing text, but no unlock) before it took. About 40 attempts in all.

For all who want to use this method - first clean the oxidized film off the solder at the resistor connection using an eraser or scalpel.

docwebhead- 10-13-2005

Heh. Good call. There may even be a conformal coating to breach. My connection was pretty ...polished... by the first few attempts (with stranded wire). I switched to solder cause I figured it wouldn't do as much damage. As a side effect, it turned out to have a great consistency for the job: I was able to form it into an approximate shape and then just press it slightly to make contact. It was springy enough to make trying a good bit easier once I noticed it.

radarman- 10-13-2005

Well that figures... ;) I am (was) days away from having my keyscan FPGA up and running. I pretty much have the FPGA board and design done, I just had the front end buffer board left to do. Now, it appears I can scrap the design. Well, at least now we don't have to worry about the 3.62's anymore - I can divert my FPGA board to other tasks... (On a positive note - I did refresh my memory on all the oddities of the board, and discovered that you CAN make Quartus II compile for obsolete parts if you know the exact part number -> Flex 10K100GC503-3 )

BillW- 10-13-2005

I wouldn't scrap it just yet Radarman. Unlike the hardware hack on the PV2, there are ways they can guard against this attack with changes to the firmware. Also, it sounds like you may have a fairly general purpose approach. That could be handy when Pure Digital comes out with a one-time-use holographic cam. :)

Cosmic Gecko- 10-13-2005

Agreed, having a brute-force toolkit that doesn't depend on the behavior of the camera's firmware is still a worthwhile venture, IMHO. Personally, I'd still want a way to just sniff out the keys. Call me a purist, I just don't like the idea of losing original data and falling back to a default key. Who knows, maybe firmware 3.8 will cripple the camera if it detects the Reset Keys are being used in USP.BIN. If I were working at PD, that's exactly what I'd consider doing. Besides, I was looking forward to getting my feet wet in Xilinx programming.. something I've always wanted to do, but never had a Real-World reason to invest in the hardware. :-D
