Rocky - I leave all my camera's pids set at original values and just change inf files. I directly patch firmware using my single instruction zap - but that isn't the popular way. Sorry I can't help more with pv2tool's patch - I've never used it.
radarman- 06-30-2005
Ok, I'm beginning to get the feeling I'm not the sharpest tool in the shed after trying this for a few hours. :oops:
I have a good USB connection that I can unplug/replug very quickly (definitely less than 5 seconds, more like 1 second), I am successful in getting the "beeps of death", and connect as type 2B. I extracted the image, and cut the data from $45000 to $45390 and the parser seemed to work - except that the pv2keys.txt challenge didn't match the challenge PV2tool returned (and I didn't get the unlock)
I was getting a fairly consistent SDRAM image everytime, so I figured I would wait a few hours before trying again. The last time, the image was substantially different, with repeating blocks of F7 FF, etc. When I followed the instructions and cut the data from $45000 to $45390, the parser claimed that it wasn't in the right format!
I also tried searching in the data for my challenge key, and then manually created a pv2keys.txt file - no go. (I did this by manually searching for the challenge, then took the subsequent data as the response)
Is there something obvious I am missing?
brite_eye- 06-30-2005
Radar, Did you edit pv2keys.txt as described above adding a line feed to last line of response?
If the parser didn't complain the first time - you may have just been missing line feed.
Rocky- 06-30-2005
That sort of sounds like my '30 camera (which BTW I still haven't gotten the key for). Does the camera beep while unplugged?
When I did this to my '2B camera the data was VERY formatted with readable text strings and the obvious keys at $45180. If all you see is "garbage" you may have the same issue as one of my cameras.
-R
radarman- 07-01-2005
Radar, Did you edit pv2keys.txt as described above adding a line feed to last line of response?
If the parser didn't complain the first time - you may have just been missing line feed.
I tried adding a CRLF, and then just a LF to both the pv2keys.txt and NVRAM.DAT - no go on the parser. Also, when the parser didn't complain, it was because I ran it against the entire dump file (didn't quite get the trim instructions the first time around) When I tried to trim the data - THEN it started to complain.
Just to clarify, you delete everything from 0x0 to 0x44FFF, keep 0x45000 to 0x4538F and delete everything from 0x45390 to 0x4FFFF - right? (or, alternately, cut everything from 0x45000 to 0x4538F to a new file)
Oh, my camera shows 2B when I do the pinch - but shows up in PV2Tool as 27. Not sure if that is "normal" or not. I do get the two beeps of death when I do the procedure on it, though (which I understand the 27's aren't supposed to do). Not sure what happens after you unplug the USB - I don't have any batteries in the camera (the circuit board isn't in the case - it's on my desk)
Do I need batteries in the camera for this hack to work?
Thanks!
-radarman
brite_eye- 07-01-2005
radarman, I dunno. You may be on to a discovery! Please post results after trying with batteries. Note after 2 beeps following a replug you need to click open again and should see 2B instead of 27. To be or not to be - that is the question (Shakespeare 2B or not 2B ?).
radarman- 07-01-2005
Yep - I made a discovery all right ;)
I think I trashed my 6550. All I get now is three beeps - whether I plug it into the USB port, or try to power it up normally. PV2Tool shows it as a 2B, and the challenge looks like random data. This happened when the batteries were out, but I could unplug and replug - and the camera returned to normal (27)
I'm going to leave the batteries out all day, hoping that this will clear the RAM enough that it will be able to recover on its own.
If it doesn't, am I SOL, or is there another method to try? (I can probably afford to try one more red - so if I'm truly buggered, I can pick up another one tomorrow)
-radarman
cmstar- 07-01-2005
S Put_Your_Name_Here
C 025a342506b5650c2324fecb8857812dde21063d167b2c67ffcc55db18681332
C a356dd54fa5607992622f12eaef57ebbad4ac74227e6114b9d18fd3edf40ff10
C 228e1121520ca965aadfe8c381ca14ba67f3484a70ea6a12d0e75eb6a8537983
C 208a3956b6e033b9d6e24c50aade2c7433a5f01d998f1f05bfc0e00a1baa6ad4
R 6f9f9a13c6acf35a4cb5fd180b25897bda3a9ba780d395228f4bac9efa574f4c
R 4b99478d5f10a2994841fe775b2cc585e19e571169b22dda6ff68cace913aaba
R 12beca8fc06be45b51efeef776d8e3e195bea24fba6c72193ec7d50ffdb827a7
R ef9c14ac8120a84ea17231437d85a8a580edf7f5c6e66e910bcc4fdbd6aa5445
Was my key for
Firmware 6550
Hardware 06
Type ID 2B
CMP ID 2B
RealmID 20
ID DB1045036647
Perhaps if we collect enough we can create a universal database.
Would this work? Are the challenge and response keys reusable, or are they tied to the ID?
My camera is the same as yours except for ID = DB3052200731
BillW- 07-01-2005
It likely won't recover - 3 beeps = flash filesystem corruption on camera.
You're not buggered - it can be fixed, but you first need a good flash image. To get that you'll probably need to pick up another camera and hack it successfully. After you have the flash image downloaded from the good camera, see the Resurrection Method in the HOWTO section.
BTW, in my experience the batteries are required to "finish" a flash update after bootloader mode. I don't know why exactly , but that's how it's worked for me.
awdark- 07-01-2005
^Cmstar well thats one way we can figure out if its tied to the ID dump the key into the pv2keys.txt and see if that would unlock your camera.
radarman- 07-01-2005
It likely won't recover - 3 beeps = flash filesystem corruption on camera.
You're not buggered - it can be fixed, but you first need a good flash image. To get that you'll probably need to pick up another camera and hack it successfully. After you have the flash image downloaded from the good camera, see the Resurrection Method in the HOWTO section.
BTW, in my experience the batteries are required to "finish" a flash update after bootloader mode. I don't know why exactly , but that's how it's worked for me.
Well, I suppose I can pony up for another red - though my wife will probably put her foot down after that. Does it matter what the subtype is, or will any 6550 FW work?
(for that matter, will 6520 FW work on a 6550 - in case I "get lucky") I saw another post around here somewhere where a guy got his 6550 working - sorta, but I never saw a conclusion.
Thanks,
-radarman
brite_eye- 07-01-2005
radarman, 6520 should at least allow you to run a firmware_6520.pv2 from pv2tool while in bootloader mode on 6550. At that point you may be able to dump flash and find a valid 6550 firmware at $C000 for a length of $1f200 (several others including myself have even though start of flash is corrupted).
RayM- 07-01-2005
radarman If you are refering to My "sorta" virgin 6550. (It's KEY was previously extracted with BillW's flash shorting method, but I reloaded the origional locked firmware to try this hack.) This hack worked perfectly it did help that I knew the KEY. (They all appear to start with 02.)
Good Luck
RayM
radarman- 07-01-2005
Ok, this is getting ridiculous... ;)
I bought a new 6550/2B at CVS, and successfully got my FW image (the whole shebang) and saved my first 6550/2B. As a bonus, the first 6550/2B now reports the default/reset ID when pinched.
So, with a good .img file - I extracted the NVRAM.DAT file, and ran the parser on it. Got a good pv2keys.txt file - save the fact that it STILL doesn't unlock the camera!
PV2Tools does indicate that the challenge matches what is in my file, but the unlock fails.
What gives?
(BTW - I may try to use the "hardware" method to salvage the camera - but I will keep the NVRAM.DAT to extract the keys)
brite_eye- 07-01-2005
Did you add the line feed to pv2keys.txt? Are you reading all posts before asking questions? It is frustrating to re answer the same question.
Forumer™ is Voted #1 Free Forum Hosting provider
Build your own community today with the largest message board hosting company.