Archive for the 'SD14 Firmware Hacking' category

Plan of Action

June 8, 2008 11:39 am

After spending an evening poking around the ver 1.01 firmware, I came up with a plan of action. It appears that the firmware has areas of strings that are human readable, areas of code that are not, and areas of padding (i.e. repeated patterns that don’t seem to mean much at first glance). We need a systematic way of analyzing the firmware files.

I once put together my own decoder for the X3F files and I recall that the file was broken down into sections. The sections were all labeled (i.e. FOVb, SECd, etc.). Perhaps this file is the same. This seems to be in line with first observations that there are string sections and data sections. This also somewhat aligns with some other executable file formats.

My plan is to:

  1. Dump the strings for a firmware version and look for hints.
  2. Look for section identifiers in the firmware.
  3. Attempt to break the firmware down into sections.
  4. Compare various firmware versions to each other based on sections.

The approach will use the first few versions of firmware for investigation/comparison. I’ll leave a couple versions, version 1.06 and the two 1.07s, uninvestigated as an unknown baseline to test my final product.
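The four steps above, worked through as an added Python example (this is not code from the post). The two firmware images are constructed stand-ins, not real Sigma files, and the section-tag shape (three capitals plus one lower-case letter, as in FOVb and SECd) is an assumption taken from the X3F names recalled above; on a real image you would tune that pattern to whatever tags the strings dump actually shows.

```python
import re
import sys
from collections import Counter

# Constructed stand-ins for two firmware images (e.g. s14v101.bin and a later
# version). They are NOT real Sigma firmware: the layout below (text header,
# 4-byte X3F-style tags, a debug string, filler) is an assumption for this example.
FW_V101 = (
    b"SIGMA\x00COSD14\x00\x00\x00\x001.01\x00\x00\x00\x00"
    b"20070411\x00\x00\x00\x00"
    b"FOVb\x00\x00\x00\x00Skip AutoAdjust = 0x00000001\x00\x00\x00"
    b"SECd\x01\x02\x03\x04THe BF561 manual notes\x00\x00"
    b"\xff\xff\xff\xff\xff\xff\xff\xff"
)
FW_V102 = (
    FW_V101.replace(b"1.01", b"1.02")
    .replace(b"20070411", b"20070601")
    .replace(b"\x01\x02\x03\x04", b"\x01\x02\x03\x05")
)

# Tag shape guessed from the X3F section names the post recalls (FOVb, SECd):
# three capitals plus one lower-case letter, not glued to other printable text.
TAG = re.compile(rb"(?<![\x20-\x7e])[A-Z]{3}[a-z](?![\x20-\x7e])")


def extract_strings(data, min_len=4):
    """Step 1: (offset, text) for each run of printable ASCII of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def find_section_tags(data):
    """Step 2: how often each candidate section identifier occurs."""
    return Counter(m.group().decode("ascii") for m in TAG.finditer(data))


def split_sections(data):
    """Step 3: cut the image at every tag hit; bytes before the first tag are 'HEAD'.
    Returns (name, offset, bytes) tuples in file order."""
    bounds = [(0, "HEAD")] + [(m.start(), m.group().decode("ascii")) for m in TAG.finditer(data)]
    sections = []
    for i, (start, name) in enumerate(bounds):
        end = bounds[i + 1][0] if i + 1 < len(bounds) else len(data)
        sections.append((name, start, data[start:end]))
    return sections


def compare_versions(a, b):
    """Step 4: per-section sizes and whether the bytes are identical in both versions.
    If a tag repeats within one image, the last occurrence wins (good enough here)."""
    sa = {name: blob for name, _, blob in split_sections(a)}
    sb = {name: blob for name, _, blob in split_sections(b)}
    report = {}
    for name in sorted(set(sa) | set(sb)):
        x, y = sa.get(name), sb.get(name)
        report[name] = {
            "size_a": None if x is None else len(x),
            "size_b": None if y is None else len(y),
            "identical": x is not None and x == y,
        }
    return report


if __name__ == "__main__":
    # Pass two real files to compare them; with no arguments the constructed blobs are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
    else:
        a, b = FW_V101, FW_V102
    for off, s in extract_strings(a):
        print(f"0x{off:06X}  {s}")
    print("tags:", dict(find_section_tags(a)))
    for name, info in compare_versions(a, b).items():
        print(f"{name:6} {info}")
```

The strings dump prints offsets in the same 0x-style the posts use, so a hit can be jumped to directly in the hex editor. The section diff is the useful part once the cut points are right: a section that is byte-identical across versions can be set aside, while one whose size changes between releases is where the changelog entries most likely live.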

SD14 Hardware

11:00 am

So, as I pointed out in the last post, you can find great things just by poking around the firmware with a hex editor and looking at strings. I’m looking to find out what hardware the SD14 has in it. I’ve heard reports on DPreview and elsewhere that the SD14 has a Blackfin DSP. Let’s see if I can corroborate that.

At offset 0x093993 we find:

THe BF561 manual notes that a larger lock count may be necessary when changing the voltage significantly

Complete with typo and all. I thought those Sigma guys were Japanese, what are they doing typing their notes in English? Perhaps it’s easier. Perhaps there is another reason. That would be a reference to the Blackfin BF561 DSP. The DSP is a dual core chip with a “High data throughput tailored for the needs of imaging and consumer multimedia applications.” Looks like we found our chip.

The Blackfin site has links for all the technical documentation and even development environments for the BF561. Get reading, this is the brains behind the camera. But is it the only chip?

Not quite. Looking near the end of the file (offset 0x0DFAC8), we see the following:

SDK for DSC: Copyright (c) 2003 MegaChips Corporation

Further down, we see that perhaps this is called the DSC 131. You can also see references to an FPGA throughout the file. Neither of these chips is an FPGA, so there is at least one other chip in there we don’t have an ID for.

Let’s go Googling. This page from Planet Analog is interesting. It tells us that the SD14 has inside:

A couple observations from this:

  • The FPGA must be loaded with some sort of executable. Can they update this?
  • This camera has 2.5Gb of RAM!
  • What is run on the MegaChips chip?
  • What’s run on the Blackfin?
  • How is it all coordinated? I’d suspect that there is some form of OS on this camera.
  • How is all of this “booted?”

At least the observations from the firmware are confirmed :-)

First Steps

June 7, 2008 10:29 pm

So, there will be a flurry of activity at first for this firmware hacking project of mine. Here are a couple of the first steps I took and a quick brain dump of my first thoughts on this.

Sigma has released 8 versions of the SD14 firmware so far Ver 1.01 -> ver1.07. Ver 1.07 actually has two versions with it, 1.07_0 and 1.07_1. Once upon a time you could download all of them from Sigma’s website, though it looks like the early ones are not available any more. Good thing I kept a copy laying around. :-)

The first and easiest thing to do is to open them with a hex editor and see what’s inside. Perhaps we’ll get lucky and something will be readable. I used Okteta or KHexEdit, depending on which machine I’m on (I use Linux, Fedora usually).

Sure enough, the folks at Sigma were kind enough to leave much of the file readable. There is a wealth of debug information in the files, for example, s14v101.bin opens with the following text:

SIGMA.COSD14....1.01............1.00.0.008..........20070411....

Hm, looks like this is Sigma Co’s SD14 firmware version 1.01 made on 04-11-2007 :-) Easy enough. Surprisingly, a lot of information can be gathered just by looking at the firmware like this. As I noted here, the firmware contains a lot of debug information; in particular I found this to be interesting:

Specify which steps to skip in the Image Processing pipeline.
FLAGS:
Skip AutoAdjust = 0x00000001
Skip LinLUT = 0x00000002
Skip ColumnFilter = 0x00000004
Skip ColumnFilterSegCapacitance = 0x00000008
Skip SpatialGain = 0x00000010
Skip ISOGain = 0x00000020
Skip DriftCorrection = 0x00000040
Skip FlareCorrection = 0x00000080
Skip SatDetect = 0x00000100
Skip BadPix = 0x00000200
Skip RedSharp = 0x00000400
Skip NeutHilitePixel = 0x00000800
Skip NeutHiliteNeighbors = 0x00001000
Skip NeutHiliteSmoothNeighbors = 0x00002000
Skip Despeckle = 0x00004000
Skip SpatialDQ = 0x00008000
Skip ChromaBlur = 0x00010000
Skip ColorDQ = 0x00020000
Skip CorrectionMatrix = 0x00040000
Skip ToneGamma = 0x00080000
Skip Sharpen = 0x00100000

These appear to be the discrete steps in the image processing pipeline. You can find this at offset 0x0AA846 in s14v101.bin. Boy, I wonder what algorithms are going on behind the scenes there :-)
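Since the debug text above is itself a machine-readable flag table, here is an added Python example (not from the post) that parses those “Skip … = 0x…” lines into a table, checks that the table is a clean set of single, non-overlapping bits, and decodes or encodes a skip mask against it. The only input is the text copied from the post; how the camera actually consumes such a mask is not something the firmware text tells us, so treat the decode as a reading aid, not as a documented interface.

```python
import re

# Debug text as it appears at offset 0x0AA846 in s14v101.bin (copied from the post).
FLAG_TEXT = """Specify which steps to skip in the Image Processing pipeline.
FLAGS:
Skip AutoAdjust = 0x00000001
Skip LinLUT = 0x00000002
Skip ColumnFilter = 0x00000004
Skip ColumnFilterSegCapacitance = 0x00000008
Skip SpatialGain = 0x00000010
Skip ISOGain = 0x00000020
Skip DriftCorrection = 0x00000040
Skip FlareCorrection = 0x00000080
Skip SatDetect = 0x00000100
Skip BadPix = 0x00000200
Skip RedSharp = 0x00000400
Skip NeutHilitePixel = 0x00000800
Skip NeutHiliteNeighbors = 0x00001000
Skip NeutHiliteSmoothNeighbors = 0x00002000
Skip Despeckle = 0x00004000
Skip SpatialDQ = 0x00008000
Skip ChromaBlur = 0x00010000
Skip ColorDQ = 0x00020000
Skip CorrectionMatrix = 0x00040000
Skip ToneGamma = 0x00080000
Skip Sharpen = 0x00100000
"""

# One "Skip <Step> = 0x<8 hex digits>" line; re.M so ^ and $ work per line.
FLAG_LINE = re.compile(r"^Skip (\w+) = (0x[0-9A-Fa-f]{8})\s*$", re.M)


def parse_skip_flags(text):
    """Turn the flag lines into an ordered {step_name: bit_value} table."""
    return {name: int(val, 16) for name, val in FLAG_LINE.findall(text)}


def check_table(table):
    """Sanity check: every value is exactly one bit and no bit is assigned twice."""
    bits = list(table.values())
    return all(v != 0 and v & (v - 1) == 0 for v in bits) and len(set(bits)) == len(bits)


def decode_skip_mask(mask, table):
    """Steps a mask skips, in bit order, plus any set bits the table does not name."""
    by_bit = {bit: name for name, bit in table.items()}
    skipped, unknown = [], 0
    for i in range(32):
        bit = 1 << i
        if mask & bit:
            if bit in by_bit:
                skipped.append(by_bit[bit])
            else:
                unknown |= bit
    return skipped, unknown


def encode_skip_mask(steps, table):
    """Build a mask from step names; raises KeyError for a name the text does not list."""
    mask = 0
    for step in steps:
        mask |= table[step]
    return mask


if __name__ == "__main__":
    table = parse_skip_flags(FLAG_TEXT)
    print(f"{len(table)} steps, table consistent: {check_table(table)}")
    for mask in (0x00000005, 0x80180000):   # constructed sample masks
        print(f"0x{mask:08X} ->", decode_skip_mask(mask, table))
```

The unknown-bits return is the part worth keeping: if a later firmware version adds a pipeline step (or a mask value turns up with bit 31 set), the decoder reports the bits it cannot name instead of silently dropping them, which is exactly the hint you want when comparing versions.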

So, as I said, much can be learned just by opening up the firmware in a hex editor and poking around. That’s what I’ll start off with: open the firmware and see if there is anything I can pick out.

Hacking the Sigma SD14 Firmware

9:55 pm

Sigma released their SD14 camera a while ago and, as I have an SD10, I don’t see a very compelling reason to upgrade. The feeling I got from the camera was that it was underwhelming, the Photo Pro software originally released was horrible, and then I started to see an endless release of firmware version after firmware version to correct bugs.

Now, of course many of these issues have been fixed, the Photo Pro software is now based off the excellent 2.x version as opposed to 3.0 (I’ve got some details on the company behind the 3.0 mess), and the firmware releases have seemed to subside. Perhaps they are now getting the bugs worked out of the camera.

The firmware however intrigued me; never before had Sigma released so many firmware versions for a camera. Recalling from memory, the SD9 had 1 update and the SD10 didn’t have any. If I have this wrong I’m sure someone will be so kind as to correct me. With all these versions of firmware sitting around out there, I got to thinking, I wonder what’s in there.

It dawned on me that even though I have an engineering background, and at least some experience with embedded device programming (an old school project on a PPC 405GP) I really have no idea how to reverse engineer firmware.

You hear about it all the time: these l33t h4x0r$ reverse engineering DVD encryption, great work has been done hacking the low end Canon PowerShots, and even phones getting a workover.

How do these people do it? How is the firmware decoded, how do they reverse engineer it? What does the firmware even look like? I decided that since the nice folks at Sigma gave us so many firmware versions, and even an excellent changelog between them, with a little time and effort I could probably at least figure out what the firmware looks like, how to decode it, and hopefully how to change it and re-encode it. This would motivate me to buy an SD14!

Why? Because I’m curious. I like to make my own things. I like to understand how something works from the ground up. There are some features I want, and I don’t particularly think that Sigma is going to listen to me much (I tried once - it didn’t happen). I also think there is a good chance that I can actually do a better job.

So, what I’m going to do here is chronicle my adventure in attempting to become some elite firmware hacker. I’ll tell you all I know, and maybe, if anyone is paying attention, someone else might find it interesting.

Matt