
BeefWelington- 03-04-2006
SDRAM Keyscan produces useless code
First post here... Nice little site you've all got! Anyway, I've followed the tutorials for the Red CVS PV2 6550 firmware. I...

downloaded libUSB 1.10.1 (filterbin and the actual libUSB) and PV2Tool 2.19
unscrewed the camera
re-affixed the circuit board
made my cable
installed drivers correctly
opened the camera in PV2Tool
shorted the pins
re-plugged and re-loaded in "2B mode" successfully
scanned the SDRAM for keys, got the pv2keys.txt file
unplugged the camera
plugged the camera in
opened it again
clicked "unlock"

At this point PV2 Tool said:

---------------------------------------------------------------------------------
Found the camera: SMaL Digital Camera, VID:0DCA PID:0027
Found camera.
Connected to camera.
Requesting challenge from camera
Recieved challenge from camera
Comparing Reset key to challenge
Comparing Morcheeba's key to challenge
Comparing Zeroed key to challenge
Comparing BillW's key to challenge
Comparing Codeknowbi's key to challenge
Comparing Mpho01's key to challenge
Comparing Mpho01-6520-2B-02 key to challenge
Comparing RayM-6550-2b key to challenge
Comparing Mpho01-6550-2B-03 key to challenge
Comparing Mpho01-6550-2B-02 key to challenge
Comparing WebcoW-6550-2B key to challenge
Comparing Mattwhitt-6550-2B key to challenge
Comparing Stupid key to challenge
Comparing Stupid2 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Challenge matches YourNameHere.2 key
Sending response
Failed to unlock camera.
Key failed for challenge 02 E2 B2 AB B1 42 53 C1 C9 25 62 AB 04 CC AB 5A 9D 50 71 50 1E E5 A9 04 30 5F 66 88 B2 F6 95 69 08 46 EA D7 B6 9A 1A 05 2D 69 4B D3 E4 21 C8 AB AB 24 FA A8 3D 10 94 FE 14 44 0D 96 81 A0 53 F8 FB 8B BE 6E B8 3B 42 66 7A 31 EA 19 AC 02 81 6A AD 5D 92 11 6C 4A 94 F8 35 B0 5E E5 CA 1A E1 5A B6 BA 15 BA DE AF 34 AC 59 83 27 C4 81 F8 3D 61 4A 04 23 D1 D3 1A 11 BC 3B AB 41 BF B6 ED A5 57 4C 61 4D 53 1D BA AB 1D 00 00 00 00 00
Could not unlock the camera with any of the known keys.
---------------------------------------------------------------------------------

So then I repeated the process, with the same results. I then tried to click "unlock" while still in "2B mode" as opposed to "27 mode". This was the result:

---------------------------------------------------------------------------------
Requesting challenge from camera
Recieved challenge from camera
Comparing Reset key to challenge
Comparing Morcheeba's key to challenge
Comparing Zeroed key to challenge
Comparing BillW's key to challenge
Comparing Codeknowbi's key to challenge
Comparing Mpho01's key to challenge
Comparing Mpho01-6520-2B-02 key to challenge
Comparing RayM-6550-2b key to challenge
Comparing Mpho01-6550-2B-03 key to challenge
Comparing Mpho01-6550-2B-02 key to challenge
Comparing WebcoW-6550-2B key to challenge
Comparing Mattwhitt-6550-2B key to challenge
Comparing Stupid key to challenge
Comparing Stupid2 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing YourNameHere.3 key to challenge
Comparing YourNameHere.4 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing YourNameHere.3 key to challenge
Comparing YourNameHere.4 key to challenge
Comparing YourNameHere.1 key to challenge
Comparing YourNameHere.2 key to challenge
Comparing YourNameHere.3 key to challenge
Comparing YourNameHere.4 key to challenge
Challenge not recognized E4 7D E5 37 E2 70 E3 05 28 42 99 03 43 91 05 D4 C4 BC 09 10 BC 3E 12 E8 E7 0E 98 04 40 C8 E7 0E E8 E7 0E 90 0F E0 02 C8 01 F0 6B E1 08 E8 00 F0 19 C8 00 F0 B9 E8 E7 0E 00 C8 E7 0E 28 C8 01 F0 5B E1 F7 E8 00 F0 21 C8 00 F0 B9 E8 E6 0E 00 C8 E6 0E E0 01 C8 02 F0 B9 E8 E6 0E 40 C8 E6 0E E8 E6 0E 90 03 C8 02 F0 B9 CB 3C 12 E9 CB 3C 98 05 D4 C4 41 90 FB B9 EC 3C E9 EC 3C 98 07 F2 C2 D4
Could not unlock the camera with any of the known keys.
---------------------------------------------------------------------------------

So I've tried time and again to unlock. Although both unlock attempts in the two different modes produce different results, both are complete failures. So, is there any advice? Or is my camera simply "stubborn" and therefore undefeatable?

...There might be one thing that's causing my camera to behave in this manner: I bought the camera with the intent to unlock it, but didn't know the specifics of doing it. Before settling down to unlock, I took pictures with the camera. I think I took about 8 pictures or so. Did this ruin the camera for unlocking? Or is the known unlock process simply imperfect and won't work for every attempt?

Thanks in advance for any help you can provide.

CamCam- 03-04-2006

Every digi cam (blue and red) to date can be hacked. Do you have a cam that you have already unlocked? If so, you can bypass the keyscan and just run an unlocked firmware.bin as pv2 code. Then you just replace the nvram.dat with a zero byte file (with the batteries out). If not, keep repeating the steps; you may have a stubborn cam. It will eventually unlock. I know because I have done about 20+ of them.

BeefWelington- 03-05-2006

> Every digi cam (blue and red) to date can be hacked. Do you have a cam that you have already unlocked? If so, you can bypass the keyscan and just run an unlocked firmware.bin as pv2 code. Then you just replace the nvram.dat with a zero byte file (with the batteries out). If not, keep repeating the steps; you may have a stubborn cam. It will eventually unlock. I know because I have done about 20+ of them.

No, haven't unlocked any camera before. You didn't directly address this one point, but does the fact that there are a few pictures already taken affect the ability to unlock it? Could you or somebody else just possibly send the firmware.bin file to me? And what steps should I be repeating over and over? Do I have to keep getting new SDRAM keyscans, or do I just have to keep trying to push "unlock"?

CamCam- 03-05-2006

The fact that it has pictures on it has no effect on its hackability. I have unlocked brand new ones and recycled ones and even full ones that haven't been developed yet. It is against this forum's rules to hand out the firmware. Just don't give up, keep trying the steps to unlock. If you prefer you can use this walkthrough instead. It is the one that I used on my first cam. http://home.comcast.net/~jshamlet/firmware.html

brite_eye- 03-05-2006

> You didn't directly address this one point, but does the fact that there are a few pictures already taken affect the ability to unlock it? ... And what steps should I be repeating over and over? Do I have to keep getting new SDRAM keyscans, or do I just have to keep trying to push "unlock"?

Please follow my procedure that is posted here - it was the first legal hack for unknown keys and is the most up to date (if it isn't someone needs to recommend a change).
http://camerahacks.10.forumer.com/viewtopic.php?t=339

Older pictures on camera do not matter, but recent ones create copies of nvram.dat in memory and if camera is not left idle for several hours may produce corrupted keys. Your output indicates the second of 4 copies of nvram keys matched your challenge but not your response. That usually indicates memory decay or a bad cable. Did you wait several hours each time before repeating procedure to eliminate decayed copies in memory? And during short you must not disconnect for more than 2-3 seconds or else memory can also decay. Did you take 2 pictures, delete 1 and plug camera in while still "hot" with display on - if not you can end up with bit flipped keys.

Take a closer look at the 4 keys that sdram keyscan found - you may be able to create a valid challenge response pair by combining bytes that are the same in at least 2 of the 4. You can also use the following non shorting procedure to obtain your challenge and the last 124 bytes of a valid response (to combine with first 4 bytes obtained above).
http://camerahacks.10.forumer.com/viewtopic.php?t=298

"And what steps should I be repeating over and over?" All starting with 0 and ending with 11.
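
Added example (not part of the thread and not PV2Tool code): the byte-combining idea in the post above, written as a per-position vote over redundant copies of one record, with the positions that stay unresolved and the number of combinations they leave to try. The four 8-byte copies are constructed sample data, not real keys; the function names and the `quorum` parameter are assumptions of this sketch.

```python
from collections import Counter
from math import prod

def vote(copies, quorum=2):
    """Per-position vote over equal-length copies of the same record.

    Returns (consensus, ambiguous). consensus holds None wherever no single
    value reaches the quorum alone; ambiguous maps such a position to the
    values that still have to be tried there."""
    if len({len(c) for c in copies}) != 1:
        raise ValueError("copies must all have the same length")
    consensus, ambiguous = [], {}
    for pos, column in enumerate(zip(*copies)):
        ranked = Counter(column).most_common()
        top_count = ranked[0][1]
        leaders = [v for v, n in ranked if n == top_count]
        if top_count >= quorum and len(leaders) == 1:
            consensus.append(leaders[0])
        else:
            consensus.append(None)
            # Tie at quorum (e.g. 2-2): only the tied values are plausible.
            # No quorum at all: every observed value stays a candidate.
            ambiguous[pos] = sorted(leaders if top_count >= quorum else set(column))
    return consensus, ambiguous

def remaining_candidates(ambiguous):
    """Combinations left to test; each one costs a separate attempt."""
    return prod(len(values) for values in ambiguous.values())

def bit_errors(copy, consensus):
    """Bits in one copy that differ from the resolved consensus bytes."""
    return sum(bin(b ^ c).count("1") for b, c in zip(copy, consensus) if c is not None)

# Constructed sample: four copies of one 8-byte record with single-bit flips.
COPIES = [
    bytes.fromhex("10 22 34 46 58 6A 7C 8E"),  # intact
    bytes.fromhex("10 22 30 46 58 6A 7C 8E"),  # byte 2 flipped
    bytes.fromhex("10 22 34 46 58 6B 7C 8E"),  # byte 5 flipped
    bytes.fromhex("10 22 34 46 58 6B 7C 0E"),  # bytes 5 and 7 flipped
]

if __name__ == "__main__":
    consensus, ambiguous = vote(COPIES)
    print(["??" if b is None else f"{b:02X}" for b in consensus])
    print("unresolved positions:", ambiguous)
    print("combinations left:", remaining_candidates(ambiguous))
    print("bit errors per copy:", [bit_errors(c, consensus) for c in COPIES])
```

Byte 5 is a 2-2 tie, so the vote cannot settle it and two candidates remain; the per-copy bit-error count shows which copies decayed.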

BeefWelington- 03-05-2006

> > You didn't directly address this one point, but does the fact that there are a few pictures already taken affect the ability to unlock it? ... And what steps should I be repeating over and over? Do I have to keep getting new SDRAM keyscans, or do I just have to keep trying to push "unlock"?
>
> Please follow my procedure that is posted here - it was the first legal hack for unknown keys and is the most up to date (if it isn't someone needs to recommend a change).
> http://camerahacks.10.forumer.com/viewtopic.php?t=339
>
> Older pictures on camera do not matter, but recent ones create copies of nvram.dat in memory and if camera is not left idle for several hours may produce corrupted keys. Your output indicates the second of 4 copies of nvram keys matched your challenge but not your response. That usually indicates memory decay or a bad cable. Did you wait several hours each time before repeating procedure to eliminate decayed copies in memory? And during short you must not disconnect for more than 2-3 seconds or else memory can also decay. Did you take 2 pictures, delete 1 and plug camera in while still "hot" with display on - if not you can end up with bit flipped keys.
>
> Take a closer look at the 4 keys that sdram keyscan found - you may be able to create a valid challenge response pair by combining bytes that are the same in at least 2 of the 4. You can also use the following non shorting procedure to obtain your challenge and the last 124 bytes of a valid response (to combine with first 4 bytes obtained above).
> http://camerahacks.10.forumer.com/viewtopic.php?t=298
>
> "And what steps should I be repeating over and over?" All starting with 0 and ending with 11.

Thanks for the help, perhaps eventually I'll get it to work. But you know, this has made me wonder... It seems that pv2tool can test keys at a relatively quick rate. I went over to the thread where everybody had added their own keys to the big list, and took a few down in my pv2keys.txt. Although it hasn't helped, it has given me an idea.

You say that it might be helpful to combine various bytes of my keys into one "superkey", in effect, but this seems like quite a shot in the dark, and pv2tool could probably do that much quicker than I. I only have Java programming experience, but if they're anything similar, I cannot imagine it would be too hard to basically use a brute force method of combining the existing keys' bytes and test them all quickly. Or am I missing something about the process of the challenge/response from the camera? Based on the output file from pv2tool, it would suggest that you could keep trying keys until the cows come home, so why not take advantage of our computers to do the brunt work for us?

Also, it might be a good idea to contact the creator of pv2tool and have him add the "big list" in his next version of the program, if he hasn't done that already. After typing this it has occurred to me that people have probably already thought of this, so if I'm preaching to the choir then just ignore me :)

brite_eye- 03-05-2006

For camera you need to unplug and replug for each response try. Pv2tool is only asking for challenge once from camera and comparing looking for a match in pv2keys.txt. If it finds a match it gets one chance to try a response key. For just the first 4 bytes there are over 4 billion possibilities. Even with Ops on camcorder a brute force loop for full 128 bytes of response key would not finish in a lifetime.

BeefWelington- 03-06-2006

> For camera you need to unplug and replug for each response try. Pv2tool is only asking for challenge once from camera and comparing looking for a match in pv2keys.txt. If it finds a match it gets one chance to try a response key. For just the first 4 bytes there are over 4 billion possibilities. Even with Ops on camcorder a brute force loop for full 128 bytes of response key would not finish in a lifetime.

I didn't mean for each individual byte, I just meant doing automatically what I have to be doing by hand. Like, not trying ten billion but rather taking the various lines (there are what, like 8?) and combining them. Or rather, now that you explained the process, it wouldn't be looking for a perfect match, just ones with the commonly-confused lines re-arranged as well as the "correct" ones. Of course the fact that you only get one shot convolutes that, but there are ways to get around it.
