Post/Find new camera keys here
camerahacks >> Applications / Developers

sailpix- 07-17-2005

Using Google I can find the first several bytes of Morcheeba's challenge key on the 'net in a few places. One is (I think) a key for use with satellite TV encryption systems. One was some sample data in some guy's blog about using a debugger. These were the best leads... and neither went anywhere in my opinion. I did some trials with the rand() function in Microsoft's CRT - I couldn't get it to produce any of the response keys, so that's not it. I have a pv2keys.txt file with all keys that have been posted in this thread. There might be a couple more sets in other threads, but I think the ones here are enough for any decipherment effort. My guess is that the first byte - 02 - is an indicator of the algorithm used to derive the response from the challenge. If we figure out the C/R-02 algorithm then I won't be surprised to see challenge keys starting with 03 (or something else) which don't follow the 02 algorithm. The "reset key" is a special case - the only one we've noticed so far. Taking away the algorithm ID byte, the challenge is 127 bytes and the response is 128 bytes. So... a byte-for-byte encryption algorithm comes up one byte short - which could be made up by a checksum or something. I continue to think that the response key is derived from the challenge key - not stored at each CVS. 255 bytes per pair is small enough that a bunch of them could be stored in a database. But the mechanism for distributing a multitude of key pairs opens up a range of possibilities for things to go wrong which can all be avoided if the response is just computed on the fly.

Buggsy3- 07-17-2005

Firmware 6550 Hardware 06 Typeid 27 CMP Typeid 27 ID DA6043302227 RELM ID 20
S Buggsy3.2
C 02e93d44d8169cb613efb4c7187b7e5acb5c29b5e9af6988f734112b78afe428
C 638ea8f9d4cb7d1302146d23712a44976987a260a6434ef65138cd9d2f6534e8
C 19903a7bac2f9114418977cd1f19889bf033d61b72ea3b8e6f30ee21ef3f5573
C ac381a51c60a81c4b896f94d8b11f16f4aa9ec6eb56bd85739649b402006f0d1
R ee477fc5168a07163e8579839192ff2392e83c88836f76f96682a441b7615b09
R ac10e9cecbcd5bd2b53395a88c33ffc54f3492f235db034f405a516c7f13d2e2
R 4b3fe29c2fcfecffe64cebcb8c54ce72212e26e3b329e2288b66ed20883b7599
R e34349746b088be0ae3c2da291fec513c22e7f2b5f356e0a8f98ef909e5e934a

Topaze- 07-17-2005

Sailpix - I am beginning to agree with you, Lister and radarman. First of all, I don’t think that the camera serial number can be the ‘seed’ for the calculation of the response. If I remember correctly, the only command the camera will respond to after it has been connected to the USB port, but before it is ‘unlocked’, is the command asking it to send the challenge. So, if this is true, the ‘processing’ computer at CVS can’t know the camera’s serial number when it calculates the response. (We know it, because we can ‘Nerve Pinch’ the camera and read it from the display, but the processing computer can’t do that!) Secondly, we have to remember that we are dealing with three different computers here: the ASIC in the camera, the ‘processing’ computer at the CVS stores and the ‘recycling’ computer/s at Pure Digital (which probably carry most of the load). Finally, there is the cost sensitivity of all of this to be considered. We suspect that PD was too cheap to make a big effort to secure the firmware on the camera. If that decision was truly made for cost reasons, then they were probably equally cheap with the ‘processing’ computers at the CVS stores. I imagine that the ‘processing’ computers are embedded PC-compatibles with just enough power to download the photos. After all, CVS has over 5,000 stores. (I checked!) Not all of them have a Photo department, of course, but that’s still a lot of equipment to buy. If I had been assigned to set up the ‘processing’ computer, I would use some very complex algorithm to calculate the response, rather than try a lookup scheme on millions of stored C/R pairs. After all, even a low-end Pentium is really fast at calculations, while sorting and look-up operations are slower and more memory (cost) intensive. Besides, maybe Pure Digital did this on the cheap, too. Maybe PD used some bit manipulating or something else simple on the challenge to generate the response. Maybe they were simply counting on the length of the C/R pair to discourage hackers. I remember seeing a post saying that the ‘processing’ computer doesn’t even bother to delete the photos from the camera! See what I mean by cheap?

Topaze

RayM- 07-17-2005

Buggsy3, which key worked? (unlocks ID DA6043302227) Thanks, RayM

radarman- 07-17-2005

I remember seeing a post saying that the ‘processing’ computer doesn’t even bother to delete the photos from the camera! See what I mean by cheap? Topaze

Topaze, I suspect that they leave the pictures on the camera in case something happens during processing (power outage, idiot operator, etc). The assumption is that the next step is the recycling center (by which time any irritated customers have been satisfied) where they will reimage the camera (probably the same way we do). That said, it's kind of scary - I've been given or offered 4 cameras by CVS employees. (I took two, left two - didn't want to be greedy since they weren't 2f's or 30's) Perhaps developing machines can't reprocess the pictures, but then it wouldn't make sense to leave them on the cameras. Of course, if you are of the "tin-foil" community, you might think that PD's recycling center goes through the pictures for the FBI - but then, only _real_ tin foil will do, won't it... ;)

brite_eye- 07-17-2005

Actually watching CVS PC while it processes is quite interesting. IIRC there are 4 parallel processes on a single screen with green bars advancing. I don't remember exact details but it was something like: First download raws, Second process pix, Third write to CD, Fourth print (no green bar activity on this one). The last one seems to have assumed a direct print machine hookup - but photo tech must wait in line at customer machine with CD to get prints. When one store failed on my last picture (probably because it came from an FF2), they were able to restart by selecting order without placing camera back in machine. So don't take pix to them that you don't want archived in another machine.

Topaze- 07-17-2005

sailpix – Collected a bunch of C/R Keys from the forums and tried them on 3 ‘virgin’ CVS Reds. One camera opened with the ‘Reset Key’ and the other two failed.

Found the camera: SMaL Digital Camera, VID:0DCA PID:0027
Found camera.
Connected to camera.
Requesting challenge from camera
Recieved challenge from camera
Comparing Reset key to challenge
Comparing Morcheeba's key to challenge
Comparing BillW's key to challenge
Comparing Codeknowbi's key to challenge
Comparing Mpho01's key to challenge
Comparing key to challenge
Comparing key to challenge
Comparing mpho01-6520-2B-02 key to challenge
Comparing key to challenge
Comparing WebcoW-6550-2B key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing RayM key to challenge
Comparing mpho01-6520-2B-02 key to challenge
Comparing RayM-6550-2b key to challenge
Comparing mpho01-6550-2B-03 key to challenge
Comparing mpho01-6550-2B-02 key to challenge
Comparing WebcoW-6550-2B key to challenge
Comparing mattwhitt-6550-2b key to challenge
Comparing Stupid key to challenge
Comparing Stupid2 key to challenge
Comparing mpho01-6550-2B-04 key to challenge
Comparing Put_Your_Name_Here key to challenge
Comparing From friends 6550 key to challenge
Comparing Tobrew.1 key to challenge
Comparing URAMetroid's db3051700773 key to challenge
Comparing URAMetroid's db2044601542 key to challenge
Comparing ellbee55.2 key to challenge
Comparing Seth Common key to challenge
Comparing Seth's Freebie 1 key to challenge
Comparing Seth's Freebie 2 key to challenge
Comparing RayM 6550 2B DB 605 220 2969 key to challenge
Comparing Rocky's 6550-2b Camera key to challenge
Comparing Rocky's 6550-30 Camera key to challenge
Comparing YourNameHere.1 key to challenge
Comparing RayM 6550 2B DB604 371 6803 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing Lister key to challenge
Comparing Put_Your_Name_Here key to challenge
Challenge not recognized/r/n
02 B8 4C 76 BB 50 52 3B 29 12 2A 95 B0 FD 2B 93
F5 B4 B7 1B 12 76 63 82 DE 4F 58 5A 70 90 FA 8B
DE 7E C7 A6 4A 47 81 75 20 3A 8F D7 99 36 A1 CA
84 63 93 CA 45 21 94 5A 1E 3E 87 E0 AD 6C A9 B5
B6 F2 74 7D 23 A1 C4 B4 49 0A 39 8A 6D EE DC F1
87 F6 05 F4 45 A4 7C 4A 53 8A DE 2B DA BA 42 62
47 7D 1D A4 4D 48 63 20 2D EB EF 57 35 0C 25 2E
86 D4 D6 41 1B E8 63 7B 07 9B 26 E4 FE 62 0D B9
Could not unlock the camera with any of the known keys.

Topaze

awdark- 07-17-2005

Wow, one that unlocked with a known key.. Extract the files... Particularly firmware.bin and do that recovery mode thing. I think it's rename to firmware.pv2, short 6+7, open... wait for bootloader death beeps. Run the firmware and you can extract the nvram.dat files from the other cameras and extract the keys. :D Oh and go to the howto for that to make sure the steps are correct.

Buggsy3- 07-18-2005

RayM, just verified the second one.

S Buggsy3
ID DA6043302227
C 02e93d44d8169cb613efb4c7187b7e5acb5c29b5e9af6988f734112b78afe428
C 638ea8f9d4cb7d1302146d23712a44976987a260a6434ef65138cd9d2f6534e8
C 19903a7bac2f9114418977cd1f19889bf033d61b72ea3b8e6f30ee21ef3f5573
C ac381a51c60a81c4b896f94d8b11f16f4aa9ec6eb56bd85739649b402006f0d1
R ee477fc5168a07163e8579839192ff2392e83c88836f76f96682a441b7615b09
R ac10e9cecbcd5bd2b53395a88c33ffc54f3492f235db034f405a516c7f13d2e2
R 4b3fe29c2fcfecffe64cebcb8c54ce72212e26e3b329e2288b66ed20883b7599
R e34349746b088be0ae3c2da291fec513c22e7f2b5f356e0a8f98ef909e5e934a

I took a bunch of pictures tonight. The camera is randomly shutting off and re-starting about every 4th or 5th time. At the moment of pressing the top button to take the pictures: no flash, just a blank screen, and the ready light would turn off. Then without touching anything it would restart by itself. Any reports of this and perhaps a fix suggestion? Thanks, Buggsy3

brite_eye- 07-18-2005

awdark, the reset key is one of the originals and not a new key being used on new cameras - although it seems it may still magically appear. Topaze - please post a link to your recently built full set of keys. After finding the same serial/ID with different keys and following Topaze's explanation that for an unlocked camera only the challenge would be available to the CVS machine, I am now 99% convinced sailpix's suggestion of a direct algorithm applied to the challenge to get the response is the most likely possibility. As to the same serial/ID with different keys - on new 6550 cameras that have been recycled the firmware starts at $C000 and has what is probably a previous copy of nvram.dat following in the unused portion of the cluster at the end of the firmware. Oddly the serial/ID matches the valid nvram.dat file but the older keys are different. I am just guessing about $C000 being a recycled board with $C0000 meaning a brand new camera - perhaps some others can confirm looking at virgin img files. I used 99% above due to a possibility that use of other pins on the connector by the CVS machine (they don't use a standard USB port) might be able to return the same info (and even more) than what a vulcan pinch provides.

awdark- 07-18-2005

I am now 99% convinced sailpix's suggestion of a direct algorithm applied to challenge to get response is the most likely possibility.

I thought that's what we were collecting the keys for now... As in, aren't the keys we have now the response? And the challenge from the Nvram? Can we capture the challenge?

sailpix- 07-18-2005

awdark, originally we were collecting keys because we thought they had switched from the original Morcheeba key to some new but limited set of keys. We figured if we can collect them all we can easily unlock any camera. However, that original quest is now declared "futile" since it seems that each camera has its own, unique key. At this point the c/r key pairs are interesting for anyone who is working to figure out the algorithm that is used to derive the 128-byte response from the 128-byte challenge. There are - for our purposes - two "special" key pairs:
- the Morcheeba key pair which was, at one point, used by all cameras
- the "Reset" key pair which is used when a camera has been "reset"
All other key pairs are unique to a single camera only. We have never seen a key pair from one camera work to unlock any other camera. The current data being posted have both the challenge key (lines starting with 'C') and the response key (lines starting with 'R'). Our current unlock logic goes like this:
-- PV2Tool sends the "request challenge" command to the locked camera.
-- Camera responds with 128-byte challenge key.
-- PV2Tool looks through its list of keys for a matching challenge.
-- If PV2Tool finds a matching challenge, it sends the response key to the camera. Now the camera is unlocked.
-- If PV2Tool does NOT find a matching challenge, it displays an error message saying no keys could be found to unlock the camera. Also, PV2Tool dumps the (unmatched) challenge bytes at this point.
Yes, we can get the 128-byte challenge key from any locked camera. However, we currently have no idea how to compute the 128-byte response from the challenge. So... we can't unlock any particular camera until we go through various hardware hacks to shift the camera into bootloader mode. Once in bootloader mode we can download flash memory with the camera's unique c/r key pair.
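Added example, not code from the thread or from PV2Tool: a parser for the S/C/R record format the keys are posted in here, plus the challenge lookup step sailpix describes. The embedded record is Buggsy3's pair from this thread; the split into an algorithm-ID byte and a 127-byte payload is sailpix's hypothesis, not confirmed behaviour.

```python
"""Parse pv2keys.txt-style records (S/C/R lines) and run PV2Tool's challenge lookup."""

# Buggsy3's record as posted in this thread; the header line is ignored by the parser.
PV2KEYS_SAMPLE = """\
Firmware 6550 Hardware 06 Typeid 27 CMP Typeid 27 ID DA6043302227 RELM ID 20
S Buggsy3.2
C 02e93d44d8169cb613efb4c7187b7e5acb5c29b5e9af6988f734112b78afe428
C 638ea8f9d4cb7d1302146d23712a44976987a260a6434ef65138cd9d2f6534e8
C 19903a7bac2f9114418977cd1f19889bf033d61b72ea3b8e6f30ee21ef3f5573
C ac381a51c60a81c4b896f94d8b11f16f4aa9ec6eb56bd85739649b402006f0d1
R ee477fc5168a07163e8579839192ff2392e83c88836f76f96682a441b7615b09
R ac10e9cecbcd5bd2b53395a88c33ffc54f3492f235db034f405a516c7f13d2e2
R 4b3fe29c2fcfecffe64cebcb8c54ce72212e26e3b329e2288b66ed20883b7599
R e34349746b088be0ae3c2da291fec513c22e7f2b5f356e0a8f98ef909e5e934a
"""

def parse_pv2keys(text):
    """Return {name: (challenge, response)}; both must decode to exactly 128 bytes."""
    raw, cur = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        tag, value = parts[0], parts[1].strip()
        if tag == "S":                       # 'S' starts a new named key pair
            cur = raw.setdefault(value, {"C": [], "R": []})
        elif tag in ("C", "R") and cur is not None:
            cur[tag].append(value)           # four 32-byte lines per C and per R
    keys = {}
    for name, rec in raw.items():
        challenge = bytes.fromhex("".join(rec["C"]))
        response = bytes.fromhex("".join(rec["R"]))
        if len(challenge) != 128 or len(response) != 128:
            raise ValueError(f"{name}: C/R must be 128 bytes each, "
                             f"got {len(challenge)}/{len(response)}")
        keys[name] = (challenge, response)
    return keys

def lookup_response(keys, challenge):
    """PV2Tool's matching step as sailpix describes it: byte-for-byte compare of the
    camera's challenge against every stored pair; None means no known key matches."""
    if len(challenge) != 128:
        raise ValueError("challenge must be 128 bytes")
    for name, (c, r) in keys.items():
        if c == challenge:
            return name, r
    return None

def split_algorithm_id(challenge):
    """sailpix's hypothesis: byte 0 (0x02 on every key seen so far) tags the C/R
    scheme, leaving a 127-byte payload. Unconfirmed reading of the layout."""
    return challenge[0], challenge[1:]
```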

Lister- 07-18-2005

Sailpix - I am beginning to agree with you, Lister and radarman.

No offense, Top, but actually we're on opposite sides here. You said...

If I had been assigned to set up the ‘processing’ computer, I would use some very complex algorithm to calculate the response, rather than try a lookup scheme on millions of stored C/R pairs. After all, even a low-end Pentium is really fast at calculations, while sorting and look-up operations are slower and more memory (cost) intensive.

...and it was I who came up with the "lookup table" idea. If you go back and look at my post carefully, I pretty much concluded, and still maintain, that a rom full of C/R tables is the simplest method to achieve what we are seeing. It's also secure. As for the lookup scheme, I covered that, too. I believe all the challenges have 4 bytes which are sequential throughout the table (I originally said 5, which is incorrect). All the processor has to do when it receives the challenge is to extract the bytes (a single dword), move them to the address register, select the rom, read in the datum and send it back to the camera as a response. No binary search algorithm would be needed. Since the original rom table would be randomly generated, no keygen (read: mathematically calculated response) is possible. Since a single rom can hold hundreds of thousands of C/R tables, table reconstruction from samples of hundreds or even thousands of cameras is, well, "futile"... ;-) As I said in my original post, and after thinking on this issue six ways from Sunday, I still believe that the concept is robust enough that I would bet money that that's what they are doing. Sadly, I think we are ultimately left with breaking the software to get into the camera. Happily, we at least have a way to do that, which is certainly better than having no way. The best system going so far is the pin-short method. I personally think we should focus on this and develop it further into a foolproof electronic Heimlich maneuver that can get the camera to cough up its code every time.

dperky1- 07-18-2005
Good Key Challenge and Response
S Good-Key.4
C 026bdbe1ff82110e4d60697605a393587d249ae4323517a1a427a50c68109482
C 78cae25fcd3f666830e44f664d84cd14093f0e3b15d26c1cc319e50e19d2cb68
C 25a3bca18f5fd5b6758523cc72095a170057cafa01968e70982907aa3d7c89fa
C 11fd53ef6e68c5c2c348cdf09fbba3290b75b6691d07e665ca61f328fc9635fe
R 61bbc89c08f00dce5cd1d2cc6dad2a212635f6198194ed13a1f137af9e438c39
R c883b053b0c550f63aa654a44a2f64423c8279d03fb551bee170c9eecac156e2
R bc9877dcf5b197b3a486c2943b63e75b299a779b3416fd78c8523d45a2408e6c
R 8ea6f7df1cc6c2b1b88b94f758f2d4d697784110a372c6b232a79c4e3f4d4c5e

My PV2 Red: Pure Digital Technology 410 PV2 FIRMWARE 6550 HARDWARE 06 TYPEID 2B CMP TYPEID 2B ID DB5051700359 Realm ID 20

With the help of brite_eye I got a good C/R Key. I had a good Challenge but some bit-flips in the Response section. It clicked in my mind what the meaning of the "C" and "R" were in the first column. My grasp of the obvious is at times questionable. Anyway, I did an analysis of the 26 pv2keys I had collected from my camera via the 5/6 & 6/7 pin short. I found the 6 good challenge sets were the same challenge. Thus, I had a good challenge but my response was not. Thinking that one of those (20) Response sets must be good, I cut-n-pasted the "R" section till on the fourth try:

Comparing Good-Key.4 key to challenge
Challenge matches Good-Key.4 key
Sending response
Succeeded at unlocking camera.
***This key has not been reused before!! Please report this to camerahacking.com!!

My point is: Keep your keys

radarman- 07-18-2005

Probably a waste of time, but here is the key from my recently acquired 6520/2F:

S Seth's Blue 6520
C 025d966247ac6ec792997a67a4d5b6216be0b50c332835bbd675f7bf2c84ce6e
C c9f2f5e3e85da546a2c5e74e6438a8039fae0bc9c132039a65422093c679a9b2
C 7a6becde5dd1d227cbe6b6501210778a26c3cc8397a2d89fc1e8ff854307f7de
C b28f22598e501bf374c38f7596a64e3e69e7a1429dc3df53522f3ba08977e07b
R 8c1b89c156189af96aba1983415d9c337411843e8ca04a47aec5012ca40ce195
R 59dbb373fa5309be22c00871d32bfcf5b9fbc365169a59c9f1980dbd099d5945
R 42a31fe4bcaa847d8240a2469c5bf03285ba3ab0fbedd6be5281f6287c6ef4e8
R 029e5be1a999aa6379f6de5342236bd84a9409526c3a1c7f234d46207aaf9e8c
