CVS 6600 Chalenge problem
Hi, I have managed to connect to my 6600 with a homemade USB cable (Checked connections with multimeter all seems OK). Fired up PV2Tool 2.19, opened the camera. Clicked unlock got this chalenge code: 08 FA 7A 7F 92 E3 81 62 3F 17 77 12 BC 3D 71 1D EB FC 8E FA FB 1B 88 4A 96 E6 88 5D 5C D4 3F F8 91 68 32 56 12 55 55 6C 8E E5 DC 72 F2 9B 4E 9E 25 18 DB 33 F6 3B EF BA 53 8C 07 8F BB DB C4 A0 F5 24 3D 72 03 B6 9A 65 52 94 DF 38 33 1C 05 CF 8F E6 4F 34 D5 EF DB DD 38 F7 78 2D 18 27 B7 3C BD F7 45 DB 4B 4F 77 D3 F2 EC 27 6E 66 06 BF 39 8F 30 93 07 81 7F 74 39 AE EE 81 3D 5A 01 41 55 Edited it to this: S -*test*-('").1 C 08FA7A7F92E381623F177712BC3D711DEBFC8EFAFB1B884A96E6885D5CD43FF8 C 916832561255556C8EE5DC72F29B4E9E2518DB33F63BEFBA538C078FBBDBC4A0 C F5243D7203B69A655294DF38331C05CF8FE64F34D5EFDBDD38F7782D1827B73C C BDF745DB4B4F77D3F2EC276E6606BF398F309307817F7439AEEE813D5A014155 Pasted it back in cronus but the key it returns has the chalenge start by 04 :shock: : S CronusKey C 04ae4ce7e6e79a4913a5d194a2e78068c5e49254dc4f803d46dac50477f99163 C 4be8c1189aef0f460de5861830f33aa7c89a351e66f7b41c3c46945930a6078d C 2f1b8b8dc4d91db7e9c0a9911d23c6adb6cda0d0794635526852c5c8dbbb83e1 C d250918e8a2e2b664e3e234890ff8d423886bbb13cc36caa71054099a1c06f28 R 9772c00e6aeb8b60eaa95a623fb17ef74ac0d38447b7fb145f5d79c92a83c68d R f4cbc14c1c18216a8e3e8da3b7ab9f1a065140a0507f831937b957628995f237 R 978a48c4f310e31b27864a1d582021adbcc8febece2057e3950280324fd00542 R 2281fa09869b30b5a21f5e59acb2d17b153a11266f5fa72ce8a5c5604825ae20 I tried the C2R method as well but C2R tells me the chalenge is invalid. Have you guys had the same problem. Am I doing something wrong? Any help would me much appreciated. :wink:

You have a new 08 challenge key that uses updated logic which has yet to be hacked. Currently successes at obtaining response keys have been via either extended power or keycatch at a Pure Digital processing station. I expect eventually someone will succeed at a large-block flash method similar to brandonu's hardware method.

surely the 6-7 short bootloader method still works, no?

Yes the old short method should still work (IIRC someone already claimed success): forumer.com/viewtopic.php?t=339" target="_blank">http://camerahacks.10.forumer.com/viewtopic.php?t=339

Yes it work I have already posted my sucess forumer.com/viewtopic.php?t=5694&highlight=" target="_blank">http://camerahacks.10.forumer.com/viewtopic.php?t=5694&highlight= forumer.com/viewtopic.php?t=339&start=0&postdays=0&postorder=asc&highlight=>Still Works For the new cameras with 08 challenge DEBUG External key file, pv2keys.txt was found and will be loaded PV2Tool 2.19 Use this software at your own risk. The author takes no responsibility if you damage your camera. Found the camera: SMaL Digital Camera, VID:0DCA PID:0027 Found camera. Connected to camera. Requesting challenge from camera Recieved challenge from camera Comparing Reset key to challenge Comparing Morcheeba's key to challenge Comparing Zeroed key to challenge Comparing BillW's key to challenge Comparing Codeknowbi's key to challenge Comparing Mpho01's key to challenge Comparing Mpho01-6520-2B-02 key to challenge Comparing RayM-6550-2b key to challenge Comparing Mpho01-6550-2B-03 key to challenge Comparing Mpho01-6550-2B-02 key to challenge Comparing WebcoW-6550-2B key to challenge Comparing Mattwhitt-6550-2B key to challenge Comparing Stupid key to challenge Comparing Stupid2 key to challenge Comparing C2R_05-29-2007_17:17:15 key to challenge Comparing YourNameHere.1 key to challenge Comparing YourNameHere.2 key to challenge Challenge matches YourNameHere.2 key Sending response Succeeded at unlocking camera. ***This key has not been reused before!! Please report this to camerahacking.com!! Camera USB device closed. Key S YourNameHere.2 C 0880053e29d1115763dc0b5eb0078a1a12642f3ac93ee58bbbf2666e1900028a C 40629cbedd1df55955152d8e64258622046f6c6890f1b26f295a1f7a591b29b0 C f6c000154981ceb970143d3001c63b41f0cafae2b3d13a65a3dbcaeca64c4c22 C 0b423a2db52626de7c81462bd0112fe09f1de191790504d3f31d71ac49bbf447 R 4071240e0c2ec03193c14eee6642f9e9e1c439835cc5abbeebc6118c91dd7fd0 R 5dc07ddb1ae2577981dc7cf4ef60361152a7b2dbcdaa217dd2dc0d5961d4ec7d R f2c8baf35511291fec17e25027f0e1165e8c1b30421273c7ff8b5da383ef5f61 R 0fd0cc1cc50525e5ee2e72e2daf1330ba6d4d6d87bdbf71726ddda2ec7e8fb8d For shits and giggles someone please try this in there 08 challenge Camera.

Thanks for your replies guys, I'll try nerve pinching I guess. I'll keep you posted on the outcome :wink: . ZAC, no-go on that chalenge/key...

Use this how to forumer.com/viewtopic.php?t=339" target="_blank">http://camerahacks.10.forumer.com/viewtopic.php?t=339

OK, Tried the nerve pinch folowing Brite_Eye's method, but was unsuccessfull. When I place the probe of the multimeter between pin 2 & 3, disconnect wait 10 secs, reconnect, I hear 3 short beeps :shock: and when I click open camera I get found camera but could not open it. BTW I updated the inf file and reinstalled it .... Don't know if this is a driver issue or if shorting pins 2 & 3 doesn't work anymore. Any sugestions? Thanks

Use this forumer.com/viewtopic.php?t=56&start=0&postdays=0&postorder=asc&highlight=" target="_blank">http://camerahacks.10.forumer.com/viewtopic.php?t=56&start=0&postdays=0&postorder=asc&highlight= Next you will be asking Where do i get an unlocked version of the firmware...You have to unlock one to get one.

Enough is known about the firmware and hardware registers that someone could write a pv2 program that could be run instead of running an unlocked copy of the firmware to accomplish an unlock of the cameras with 08 keys. Several possibilities exist. 1) The response could be changed to a known value. 2) The unlock patch could be applied to the firmware present on the camera. 3) The response could be read from the camera and output several ways: ...a) bit-banged serial to LED or other ...b) as a series of beeps, the frequency representing hex value ...c) as a series of pauses (between beeps) whose length gives hex value ...d) series of beeps of one tone counted to give value, values separated by tone of different frequency ...e) displayed on the screen ...f) using the I2C interface This would extend legal unlock method to those who don't already have a legal copy of unlocked firmware.

The method of output I thought of, but didn't post was counting the number of jolts given by discharge of flash cap separated by a beep. That one would certainly zap you wrong. Point of previous post is that once bootloadered, John or Jane noob wouldn't have to beg an illegal copy of firmware, but they could run a pv2 program to help them unlock.