updates for morcheeba's pages,
Extremely minor discovery. Memory location $f706 is a countdown timer. This is used for the seconds ticks in the "Self-Timer" countdown function. This is a byproduct of making some good headway through the disassembly. I've figured out a major "camera state" variable and have some good guesses at a few other related variables. I've pretty well got Self-Timer documented 100%. I can increase the timer value up to 15 seconds, but no more currently because that variable is dual-purposed. (the lower 4 bits take care of the timer, the 5th bit is used as a flag)

Ok, after a long break recovering from disassembly burnout, I'm back in the game... A small update after a *long* session: $f72e - bit 0 controls power to the flash-capacitor. Still don't know how to monitor if the cap is fully charged or not yet, but I am deciphering that code now. I was able to make the flash charge and pop programatically through a user program, though I could only do so once per program-run (no, I didn't charge the cap up manually between runs. ;) ) Oh yeah, cap-charging requires batteries in the pv2. I've also managed to clean/prove-out some comments in the disassembly which helped to follow some of the higher level "take a picture" and state-variable flow.

An update for USB page, http://www.maushammer.com/systems/dakotadigital/lcd-usb.html , concerning $5E command... $5E can be used to read the fields you find stored in NVRAM.DAT, with byte 17 being the index to which field you're trying to access. These fields include challenge and response keys, the components of the nerve-pinch ID, last-picture count, etc. Put another way, the camera uses NVRAM.DAT to store some of the ram-based values referenced by the $5E command. You can also write with command $5E, but since it's only ram based, the changes don't make it back into NVRAM.DAT and only survive until the camera is rebooted.

I don't suppose command 0x5E works when the camera is locked... :roll:

:) Both reads and writes of $5E fail when the camera is locked.

Any chance it works in bootloader mode? I am thinking once in bootloader if any command (80, 5E, ??) can force a fresh read of NVRAM.DAT we will be garanteed a valid key unless bootloader just reads it into sram instead of sdram.

BillW - I didn’t quite know where to put this, so I decided to post it here and let you decide where it should go! Flash Board Circuit Analysis I have continued my destructive analysis of the CVS cameras and I have some updated info. The Photo-Flash system used by the CVS cameras is an IGBT-based system using a Fairchild SGR20N40L IGBT to control the flash tube. For an application note about this type of flash unit, look here: http://www.fairchildsemi.com/an/AN/AN-9006.pdf It seems to me that the flash circuit used in the CVS cameras is a pretty close implementation of the circuit described in this App Note. Based on that, and tracing the circuits on Flash Boards from both ‘Red’ and ‘Blue’ cameras, I have the following information to share: 8-pin connector pin-out and functions The Flash Board is connected to the Main Board by an 8-pin right-angle header. As far as I can tell, the flash boards for both the ‘Red’ and ‘Blue’ cameras are identical in function, with some minor differences in parts placement for the versions I have looked at. Looking down at the top of the Flash Board with the shutter release button on the left, and numbering the header pins 1 thru 8: (from left to right) Pin 1 - (The pin with the square pad that is closest to the shutter release button.) This pin is Ground or the Battery Negative terminal. Pin 2 - This pin is a square-wave output from the SMaL processor to the Flash Unit - if you cut this trace, the flash capacitor won’t charge and the camera ‘hangs’. The signal on this pin goes to Q1 on the Flash Board. Q1 controls the primary of the fly-back transformer which keeps the flash capacitor charged to about 320 volts through the diode D1. Pin 3 - This is the ‘flash’ output from the SMaL processor. It appears to be a square-wave pulse which controls exposure by controlling the duration of the flash; the longer the pulse the longer the flash. This same pin is also used to generate the initial ‘Red-eye Reduction’ flash. This pin goes to U2, Q3 and Q4 to control the gate of the IGBT and provide the trigger pulse to the flash tube. Pin 4 - This pin is also Ground; it is tied directly to Pin 1. Pin 5 - This pin is the voltage sense input to the SMaL processor. Resistors R3 and R4 on the Flash Board form a voltage divider circuit to proportionally reduce the voltage on the flash capacitor to a level that can be used by the SMaL processor without damage. Pin 6 - This is the shutter release input to the SMaL processor; it is bypassed by C14 on the Main Board. Pin 7 - This is the 3.0 VDC supply to the Main Board - so far I’ve traced this to the Imager and Mechanical Shutter circuit. It probably provides power to the SMaL processor, as well. It is generated by U2 and the 2.0V zener diode D2 on the Flash Board. Pin 8 - This is the Battery Plus terminal. It also goes to Pin 4 of the 10-pin interface/USB connector on the Main Board. General Notes: Since the SMaL processor is a dedicated camera control chip it probably has a built-in pulse-width modulator to control the charging of the flash capacitor, using the voltage sense from Pin 5 as an input and producing the square-wave that goes to Pin 2 as an output. (This internal modulator is probably controlled by a register in the SMaL chip, which I think BillW has already found!) I don’t have a complete schematic yet, because I have been unable to locate any information on Q1 or U2. I am assuming that Q1 is a ‘switch’ IC of some kind and U2 is probably a 5V boost converter IC, but I don’t know yet what the specific parts are. Sorry about the size of this post! Topaze

Q1 is probably a single transistor. Qx labels are traditional for transistors... Ux is traditional for integrated circuits, but I'd have to take a look at the thing to be sure. With any component, try finding numbers on it and looking those up on the 'net.

My original post about the flash circuitry on the CVS cameras made this conclusion about Pin 7 on the header connector: “This is the 3.0 VDC supply to the Main Board - so far I’ve traced this to the Imager and Mechanical Shutter circuit. It probably provides power to the SMaL processor, as well. It is generated by U2 and the 2.0V zener diode D2 on the Flash Board.” Now I am not so sure about either the source of the voltage on this pin, or it’s purpose. It appears that there are many voltages used by the camera, all of which appear to be separate, sharing only a common ‘ground’ connection. There is a supply for the memory, 2 different supplies for the imager, one for the TFT backlight and maybe some others that I haven’t found yet! Some poking around on the web indicates that CMOS imagers can have as many as 3 power supply voltages. They are typically labeled Core, Analog and I/O, or something similar, and they may or may not be the same voltage or come from the same supply. After taking a closer look at the imager wiring on both the CVS ‘Red’ and ‘Blue’ cameras, I now think that the 3 volt supply that appears on pin 7 of the header connector (and Pin 1 of the imager) is used as the ‘I/O’ supply for the imager. I consider this a reasonable assumption, because the 100K resistors that appear on some of the I/O pins are connected to this voltage, making them ‘pull-up’ resistors. See Drmn4ea’s imager info: http://cexx.org/dakota/pv2cmos.htm (If pin 1 on the imager is the ‘I/O’ supply, this would imply that pins 17 and 24 are probably the ‘Analog’ and ‘Core’ supplies, or vice-versa.) While thinking about those pull-up resistors, I had the following thought: 100K is probably way too high a value to be effective as a ‘pull-up’ resistor, especially for an output; 10 to 20K would be more typical. And, besides if they are pull-up resistors why aren’t they on ALL of the data lines? Looking at the main board of the ‘Blue’ camera that I am destructively analyzing I noted resistors on R4 and R6, only. Lessee… If R1 = D0, R2 = D1... then R4 + R6 corresponds to 28 Hex. Hmm, that sure looks familiar… After a flurry of ‘Nerve Pinching’ and camera disassembling, I can confirm (at least, for my cameras) that the resistor pull-ups on the imager data lines encode the Type ID! This obviously has lots of implications, and should be fairly easy to spot in the firmware. For example, this should point to code used in the initialization of variables; code which might give some indications of the operation of the imager; and/or other code relating to the operation of the camera. Software guys, go to it! Topaze

I had some interesting results after removing several components from the flash board on a 6550/2B camera (Red PV2) I removed the coil/transformer attached to the flash trigger, flash tube (and associated wiring) and capacitor. The 8-pin inductor pack is still on the board, as is the IGBT, and other SMT components. The thing is, the into screen still waits just as long as ever to switch to the ready screen. The LED, however, comes on almost immediate after the shutter opens. Clearly, without the large cap, the voltage hits max almost immediately. I assume since the camera still functions that the 8-pin package is the part responsible for the cap charging voltage. I'm going to try removing the resistors, and simply tying the sense line high through a resistor to 3V. That *should* fool the camera into thinking the flash board is functioning. I really want to remove all of the HV parts, so that I can safely (from a parts standpoint) experiment with the flash related I/O. For one, I am trying to trace down the controls to the flash output, to see if it is just a digital output, or if you just control some dedicated chunk of logic, which generates the square wave. (I'm hoping for straight digital I/O) I'm also curious to know if the voltage sense line is a comparator style input, or an actual A/D input (I suspect a comparator - since it really isn't important to know the exact voltage) - but I haven't found the code that checks the charge on the capacitor yet. If it is an 8-bit A/D, that would rock! Of course, a digital input would be nice too - but not as nice as an A/D converter.

Ok, I have a decent schematic of the PV2's high-voltage board, and I now know what each of the pins do. (sort of) The actual capacitor charging & flash circuit is identical to the circuit in the app note. The square wave creates a 3V AC signal, which the transformer simply multiplies up to 320V. The large diode is a half-wave rectifier, which is adequate for creating the DC source needed to charge the flash capacitor. I still do not know what the purpose of the 1M resistor parallel to the flash tube is. Perhaps it limits the current through the flash tube, or perhaps it acts as a ballast? It is also in the app note, though. The only divergence in the HV section from the app note involves the HV detection output. Instead of using a neon bulb, this circuit uses a resistor divider network. I don't know about the AC component (I would expect to see a roughly sinusoidal wave approximately the same frequency as the square wave output from the ASIC), but the DC component is about 1.25V after the divider network. The original divider is comprised of a 10M ohm R2, and a 39k R1. (This matches the expected output of the voltage divider equation; Vo = Vi*(R1 / (R1+R2)) perfectly.) I was able to fool the ASIC into thinking HV was present by connecting a 1M ohm R2 and a 680k ohm R1 between board Vcc and ground, and taking my sense voltage in the middle. The actual output is about 1.15V DC, but this is close enough for the detection circuit (probably a comparator). I used the ANODE of the diode supplying current to the 7S04 inverter for my divider, instead of the battery supply, as I believe the camera can turn off that supply when the power is turned off. The trigger logic, however, is pretty different from the app note. The input goes to a 7S04 TTL inverter, which drives the gate of the IGBT (which triggers the flash). The transistor circuit appears to implement the "red-eye" reduction by driving the power rail on the inverter to ground. Although it appears strange, it seems that it uses an RC constant to do this. The strange little circuit involving the two transistors near the inverter is a bit unclear. The inverters VCC line is tied to the collectors of both transistors through a capacitor and resistor in parallel. (the resistor is a 33k ohm resistor). There is a 100k ohm bias resistor between the base and emitter of one of the transistors. Based on the part number of one of the components (702), it appears to be a small signal PNP transistor (either that or a darlington transistor) Pin out: Pin1 - Ground Pin2 - Square wave for AC generation pin3 - Trigger for flash circuit (goes to 7S04 inverter, and odd transistor circuit) pin4 - Ground pin5 - HV sense line. Typically 1.25Vdc - will allow firmware to continue with as low as 1.15Vdc. pin6 - Shutter button. (button shorts to ground) pin7 - Camera Vcc for 7S04 inverter, and odd transistor circuit. Connected to one of the onboard DC-DC converters. pin8 - VBatt. Directly connected to the battery terminal. Bypassed to ground with a substantial capacitor on the flash board.

It would be interesting to take some flash pictures while measuring the flash values with your scope and then see if any of the flash values in the RAW file header match up to what you measure and/or saw in registers. I was able to label RAW header fields based on some text in the device drivers, but knowing what the field values mean is a totally different ball game...