Do Not Use - See latest Sticky
-1. Load all necessary software and add 27, 28, 2B, 2F, 30 to libusb.inf.
0. Start with a camera that has been powered off for several hours. (no need to remove batteries).
1. Take cover off, use 2 screws to secure board near cable connection.
2. Run PV2Tool.
3. Plug Camera into USB.
4. Click Open - should see PID 27 if using a red.
5. From bottom count up 6 pins on right side of LCD next to batteries.
6. Place pointed probe end of multimeter wire between pins 6 and 7.
7. Unplug and replug USB cable - wait - should hear 2 death beeps.
8. Remove probe.
9. Click Open - should see typeid from nerve pinch (mine was PID 2B).
10. Transfer Memory sdram start 0, length hex 50000.
11. Ignore failure message, Unplug camera.
If camera had been powered off long before procedure there should just be one nvram at $45000 (or sometimes $44000, $46000 and maybe other offsets of $1000). Due to quick unplug replug there is no memory corruption in challenge response keys. I performed procedure 4 times revealing proper keys with no bit flips. One time I ended up with the 67452301 Reset challenge response for some unknown reason.
So if one uses just a quick unplug replug to reload firmware with 6,7 pins shorted on SDRAM - it appears that only the firmware gets corrupted leaving a valid nvram in SDRAM.
When all done with above procedure camera returns to its virgin state without any firmware modification.
Use a hex editor to strip NVRAM.DAT ($390 bytes for 6550, $358 for 6520) from transfer memory download. A pv2keys.txt file can be created using nvramparser from utilities downloaded with PV2Tool. PV2Tool unlock can then be used followed by get raws, erase raws leaving camera firmware in its original unmodified state.
Hopefully this may all be simplified when BillW releases PV2Tool 2.13.
RayM- 06-28-2005
Forgive my ignorance, but what is the significance of the "$ sign" in step 10
(length $200000) (length must be non zero)? I get that far and receive this message in PV2tool.12 (Failed at retrieving memory
Read from camera memory returned errors. Saved file may not be valid)
(It isn't) (edit, sorry, it is)
I tried a sorta virgin 6550 2B (locked, reloaded with original firmware with known key)
Thanks
RayM
brite_eye- 06-28-2005
The $ is just short for hex - I do not like 0x200000 format.
Even without the dollar sign you will get a failure message - just ignore the message it usually works anyway. The only time I've seen a success is after camera is unlocked. Did you get the 2 beeps of death? If so you were very close.
If you know your key just open file with hex editor and search for first four bytes of key.
Seriousfunk- 06-28-2005
Well, I just tried and did not have success. Although I think I have confirmation that I did the steps correctly. Interestingly, the first time I plugged in my camera it said PID 024? On the second plug in it came up with 027. Everything went as it should, generated a key and put in pv2tools folder, but it can not unlock the camera (could not unlock with any known keys). So I tried loading my 6520 bin and then copied down the nvram.dat that way and ran nvramparser on that file and got the same key as generated before. So it looks like I generated a key correctly, am I doing something wrong when trying to use pv2tool to unlock it? BTW this camera is now at the bootloader with three beeps.
brite_eye- 06-28-2005
With release 2.12 of PV2Tool you need a line feed after last key in pv2keys.txt !
Try again after you resurrect your 3 beeps with a valid img file or if necessary firmware, nvram, and tfts.
Seriousfunk- 06-28-2005
line feed? Could you point me to some info on that? :oops:
brite_eye- 06-28-2005
If you edit and go to bottom in notepad just add a carriage return (hit enter button) and save file. Try unlock again.
Carriage return = 0x13, Line feed = 0x10. Usually a CR is a CRLF.
Seriousfunk- 06-28-2005
WooT! Nothing like a carriage return making your day! 8) Thanks Brite_eye!
I guess this would confirm your method!
RayM- 06-28-2005
I think I can confirm your method. I was able to find my complete "Challenge" key @ 0x045180 (starting at second position from left) and my "Response" key @ 0x045200 (starting at 5th position from left).
I hope this makes sense.
Amazing Hack Brite_eye!
Thanks
RayM
Rocky- 06-29-2005
NVRAM.DAT I've done the procedure a few time but the data at and near $45000 is a pattern that repeats every 256 bytes ($100). How can I tell when I'm looking at the NVRAM.DAT data?
My type ID (after the boot) is 30.
While unplugged, the camera made a bunch of beeps. Does this mean it was unplugged too long?
-R
brite_eye- 06-29-2005
Are you sure it is repeating every $100 and not $1000?
What firmware is on your pinch - 6520 or 6550?
Inside nvram at offset 180 (45180) you should see:
11 00 80 00 67 45 23 01 00 00 00 00 00 00
Challenge key starts after 11008000 for a length of $80.
And at offset 204 (45204):
12 00 80 00 4C 61 4D 53 00 00 00 00 00 00
Response key starts after 1200800 for a length of $80
Extracting $358 (6520) or $390 (6550) bytes from $45000 should give you a complete nvram.dat which can be processed using nvramparser.
To be sure of uncorrupted data, I suggest waiting several hours and trying again being sure to plug in followed by shorting then quick unplug replug (while still shorting) and waiting till hearing 2 beeps before removing short. At that point a transfer memory dump should just have one copy of nvram.dat.
While unplugged, the camera made a bunch of beeps. Does this mean it was unplugged too long?
When unplugging you should simply pull cable barely out of USB port and replug immediately. This may be difficult if you only have one coordinated hand but really is quite simple with 2 good hands (you must maintain short before and after replug until you hear 2 beeps of death).
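Added example, not part of any post in this thread and not code from PV2Tool or nvramparser: a Python check that scans a transfer-memory dump on $1000 boundaries for the two tags described above, reports how many nvram copies it finds, and slices out the block and both keys. The function names and the sample dump are constructed for illustration; treating a challenge of 67 45 23 01 followed by zeros as the reset value from the first post is an assumption.

```python
# Added example: constants come from the thread; the record layout is an assumption.
CHALLENGE_TAG = bytes.fromhex("11008000")    # seen at nvram offset 0x180
RESPONSE_TAG = bytes.fromhex("12008000")     # seen at nvram offset 0x204
KEY_LEN = 0x80                               # each key follows its 4-byte tag
NVRAM_SIZE = {"6520": 0x358, "6550": 0x390}
RESET_CHALLENGE = bytes.fromhex("67452301")  # reset value mentioned in the first post

def find_nvram_copies(dump, step=0x1000):
    """Offsets on a $1000 boundary where both tags sit at their expected places."""
    last = len(dump) - (0x208 + KEY_LEN)
    return [base for base in range(0, last + 1, step)
            if dump[base + 0x180:base + 0x184] == CHALLENGE_TAG
            and dump[base + 0x204:base + 0x208] == RESPONSE_TAG]

def extract_nvram(dump, base, model):
    """Return (nvram blob, challenge key, response key) for one copy."""
    size = NVRAM_SIZE[model]
    blob = dump[base:base + size]
    if len(blob) != size:
        raise ValueError("dump ends before the nvram block is complete")
    return blob, blob[0x184:0x184 + KEY_LEN], blob[0x208:0x208 + KEY_LEN]

def assess_dump(dump, model):
    """Warnings that suggest the dump should be retaken before trusting it."""
    copies = find_nvram_copies(dump)
    warnings = []
    if len(copies) != 1:
        warnings.append(f"expected one nvram copy, found {len(copies)}")
    for base in copies:
        _, challenge, _ = extract_nvram(dump, base, model)
        if challenge[:4] == RESET_CHALLENGE and not any(challenge[4:]):
            warnings.append(f"reset challenge at {base:#x}")
    return copies, warnings

def make_sample(bases, challenge=bytes(range(KEY_LEN))):
    """Constructed test dump ($50000 bytes of 0xFF) with nvram blocks at `bases`."""
    nvram = bytearray(NVRAM_SIZE["6550"])
    nvram[0x180:0x184] = CHALLENGE_TAG
    nvram[0x184:0x184 + KEY_LEN] = challenge
    nvram[0x204:0x208] = RESPONSE_TAG
    nvram[0x208:0x208 + KEY_LEN] = bytes(reversed(range(KEY_LEN)))
    dump = bytearray(b"\xff" * 0x50000)
    for base in bases:
        dump[base:base + len(nvram)] = nvram
    return bytes(dump)

if __name__ == "__main__":
    print(assess_dump(make_sample([0x45000]), "6550"))
```
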
Rocky- 06-30-2005
Success with my 2B camera Brite_eye,
I tried again with my other 6550 - 2B camera, and it worked. I needed to open the pv2keys.txt file and add the line feed AND restart PV2TOOLS.
My 6550 - 30 camera makes a series of beeps during the unplug. The 2B camera did not. The HEX files for the two cameras are very different. The 2B's file looked structured right off the bat. The 30's hex file looks like corrupted data. I'll look into it more later on.
Thanks for your help and a cool hack.
-R
Rocky- 06-30-2005
While unplugged, the camera made a bunch of beeps. Does this mean it was unplugged too long? When unplugging you should simply pull cable barely out of USB port and replug immediately. This may be difficult if you only have one coordinated hand but really is quite simple with 2 good hands (you must maintain short before and after replug until you hear 2 beeps of death).
The 2B camera and the 30 camera act quite different. The 30 will make the same beep as the "beeps of death" while it is unplugged. If it is unplugged quickly enough that it doesn't beep, it won't go into bootloader (and the beeps of death).
There is a slight hardware difference between the two: the 2B camera has 100k resistors in R1 and R2. The 30 camera has nothing in those spots. I haven't pulled out the LCD yet so I don't know if those are the only changes. I'll put in the 100Ks and see if that fixes it (I kind of doubt it but what the hey)
BTW the 6550 - 30 has the paperclip battery cover.
-R
brite_eye- 06-30-2005
Is your 6550 30 still able to pinch and take pictures?
The shorting procedure works the same on my 6520 2B and 6520 30.
I actually haven't tried shorting on an original 6550 - only a 6520 loaded with 6550 firmware, but it appears that others have. RayM above and Knid from http://camerahacks.10.forumer.com/viewtopic.php?p=2258#2258
Where did you find R1 and R2 - they don't seem to be on any of my cameras with or without battery screws? My 6550 does not have a white wire from underside of strobe to contact on right. I do see a R1 on all my battery boards populated with a resistor.
Note the only difference between a 2B and a 30 that I have seen is the size of imager (1.3mp vs 2.0mp). Currently pv2 firmware restricts pic size of 2mp to 1.3mp but when loaded with FF2 firmware and connected using pv2tool I can take 2mp pictures.
Rocky- 06-30-2005
Is your 6550 30 still able to pinch and take pictures?
It was still able to take photos after a few attempts. Right now it's spread out all over my bench. :D
Where did you find R1 and R2 - they don't seem to be on any of my cameras with or without battery screws? My 6550 does not have a white wire from underside of strobe to contact on right. I do see a R1 on all my battery boards populated with a resistor.
They are under the lower left of the LCD. There appear to be eight "option resistors" on the PCB: 1,2&3 are under the LCD, the rest are on the back side.
-R