Strings in Version 1.01
June 8, 2008 12:47 pm
Let’s take a look at the strings in the ver 1.01 SD14 firmware file.
We can dump the strings using the strings program:
$ strings s14v101.bin > s14v101.strings.txt
This dumps all the strings in the s14v101.bin file to the s14v101.strings.txt file. Open that text file. You see right near the top:
Converted using Foveon CamXML2Bin 1.2.15.2924 Release (Mar 20 2007 16:31:42)
This is located at offset 0x00016C in the original file. Looks like they use some tool to take an XML file and convert it to a bin file. Googling this name does no good; it looks to be an internal proprietary tool.
Directly below that we see the text “CMbH”. In two more lines, we see “CMbT”, then “CMbM”. You can grep the strings file for all occurrences of CMb*:
$ grep "^CMb." s14v101.strings.txt > sections.txt
Taking a look at this, we can see that there are four unique CMb* sections:
- CMbT
- CMbH
- CMbM
- CMbP
I’m thinking that these are the section identifiers we are looking for. The next step would be to break the binary file up based on these sections and to collect some basic data on these sections. Spend some time looking into the strings; these sections may not be the only ones.
We can grep for all the 4 character strings that are on one line in the strings file. Let’s try this:
$ grep "^....$" s14v101.strings.txt > sections.txt
There are lots of mishits here. A quick glance makes me want to look into the following more closely:
- SETN
- SETH
- FBIN
- BINS
- SIFC
- SIFD
- MCMN
- MCBT
- EXEC
Also, of interest from the strings file:
- SECi
- SECp
- SECc
- FOVb
Hey, those are the sections in the X3F files.
And:
- Update MCDSP bootstrap code from CF.
- Update BFDSP bootstrap code from CF.
- Reprogram FPGA code from CF.
- Update CAMCPU firmware from CF.
Looks like code for all the processors can be updated via the CF card! Awesome!
Starting debug console. (type HELP for help)
I want access to this debug console. The software for it appears to be included in the firmware. There is lots you can do with this, just take a look at all the descriptions for the possible commands!
The next step will be to break down the firmware into sections based on the CMb* tags. I’ll also take a closer look at the other sections.
Categories: SD14 Firmware Hacking
Plan of Action
11:39 am
After spending an evening poking around the ver 1.01 firmware, I came up with a plan of action. It appears that the firmware has areas of strings that are human readable, areas of code that are not, and areas of padding (i.e. repeated patterns that don’t seem to mean much at first glance). We need a systematic way of analyzing the firmware files.
I once put together my own decoder for the X3F files and I recall that the file was broken down into sections. The sections were all labeled (i.e. FOVb, SECd, etc.). Perhaps this file is the same. This seems to be in line with first observations that there are string sections and data sections. This also somewhat aligns with some other executable file formats.
My plan is to:
- Dump the strings for a firmware version and look for hints.
- Look for section identifiers in the firmware.
- Attempt to break the firmware down into sections.
- Compare various firmware versions to each other based on sections.
The approach will use the first few versions of firmware for investigation/comparison. I’ll leave a couple versions, version 1.06 and the two 1.07s, uninvestigated as an unknown baseline to test my final product.
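One way to carry out steps 3 and 4 of this plan using the CMb* tags found in the strings dump, as an added example that is not code from the original post. It assumes a section runs from one tag to the next (the real header layout is unknown), and the two sample images are constructed, not real SD14 firmware.

```python
import hashlib
import re

# Tags taken from the strings dump discussed on this page.
SECTION_TAGS = (b"CMbH", b"CMbT", b"CMbM", b"CMbP")
TAG_RE = re.compile(b"|".join(re.escape(t) for t in SECTION_TAGS))


def split_sections(blob):
    """Return (tag, offset, size, sha256) for each tag-delimited chunk.

    Assumption: a chunk runs from one tag to the next tag (or end of file).
    A tag that occurs by chance inside binary data will split a chunk early.
    """
    hits = [(m.start(), m.group()) for m in TAG_RE.finditer(blob)]
    sections = []
    for i, (off, tag) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        digest = hashlib.sha256(blob[off:end]).hexdigest()
        sections.append((tag.decode("ascii"), off, end - off, digest))
    return sections


def diff_versions(old, new):
    """Compare two images chunk by chunk, in order of appearance."""
    a, b = split_sections(old), split_sections(new)
    report = []
    for i in range(max(len(a), len(b))):
        if i >= len(a):
            report.append((i, b[i][0], "added"))
        elif i >= len(b):
            report.append((i, a[i][0], "removed"))
        elif a[i][0] != b[i][0]:
            report.append((i, a[i][0] + "->" + b[i][0], "retagged"))
        elif a[i][3] != b[i][3]:
            report.append((i, a[i][0], "changed"))
    return report


# Constructed sample images (not real SD14 firmware): a 16-byte preamble
# followed by tagged chunks; the second image changes one chunk and adds one.
V_A = b"HDR" + b"\x00" * 13 + b"CMbH" + b"\x01" * 8 + b"CMbT" + b"text" + b"CMbM" + b"\x02" * 6
V_B = b"HDR" + b"\x00" * 13 + b"CMbH" + b"\x01" * 8 + b"CMbT" + b"TEXT!" + b"CMbM" + b"\x02" * 6 + b"CMbP" + b"\x03" * 4

if __name__ == "__main__":
    for tag, off, size, digest in split_sections(V_A):
        print(f"{tag} offset=0x{off:06X} size={size} sha256={digest[:12]}")
    print(diff_versions(V_A, V_B))
```

Because each chunk is hashed by content rather than by position, a chunk that merely moves when an earlier one grows is not reported as changed.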
Categories: SD14 Firmware Hacking
SD14 Hardware
11:00 am
So, as I pointed out in the last post, you can find great things just by poking around the firmware with the hex editor and looking at strings. I’m looking to find out what hardware the SD14 has in it. I’ve heard reports on DPreview and elsewhere that the SD14 has a Blackfin DSP. Let’s see if I can corroborate that.
At offset 0x093993 we find:
THe BF561 manual notes that a larger lock count may be necessary when changing the voltage significantly
Complete with typo and all. I thought those Sigma guys were Japanese, what are they doing typing their notes in English? Perhaps it’s easier. Perhaps there is another reason. That would be a reference to the Blackfin BF 561 DSP. The DSP is a dual core chip with a “High data throughput tailored for the needs of imaging and consumer multimedia applications.” Looks like we found our chip.
The Blackfin site has links for all the technical documentation and even development environments for the BF561. Get reading, this is the brains behind the camera. But is it the only chip?
Not quite. Looking near the end of the file (offset 0x0DFAC8), we see the following:
SDK for DSC: Copyright (c) 2003 MegaChips Corporation
Further down, we see that perhaps this is called the DSC 131. You can also see references to an FPGA throughout the file. Neither of these chips is an FPGA, so there is at least another chip in there we don’t have an ID for.
Let’s go Googling. This page from Planet Analog is interesting. It tells us that the SD14 has inside:
- Foveon X3 14.1 MPixel sensor
- ASDP BF651 Blackfin DSP
- Xilinx Spartan-3 XC3S200 FPGA
- Analog Devices AD9228 A2D converter
- 4 Samsung K4S511632D-UC75 (512Mb SDRAMs)
- MegaChips DSC-3H
- 2 Samsung K4S561632H-UC75 (256 Mb SDRAM)
- Toshiba TC58FVM6B5BTG65 (64 Mbit NOR flash)
- Casio LCD
A couple observations from this:
- The FPGA must be loaded with some sort of executable. Can they update this?
- This camera has 2.5Gb of RAM!
- What is run on the MegaChips chip?
- What’s run on the Blackfin?
- How is it all coordinated? I’d suspect that there is some form of OS on this camera.
- How is all of this “booted?”
At least the observations from the firmware are confirmed.
Categories: SD14 Firmware Hacking
First Steps
June 7, 2008 10:29 pm
So, there will be a flurry of activity at first for this firmware hacking project of mine. Here are a couple of the first steps I took and a quick brain dump of my first thoughts on this.
Sigma has released 8 versions of the SD14 firmware so far: ver 1.01 -> ver 1.07. Ver 1.07 actually has two versions with it, 1.07_0 and 1.07_1. Once upon a time you could download all of them from Sigma’s website, though it looks like the early ones are not available any more. Good thing I kept a copy laying around.
The first and easiest thing to do is to open them with a hex editor and see what’s inside. Perhaps we’ll get lucky and something will be readable. I used Okteta or KHexEdit, depending on which machine I’m on (I use Linux, Fedora usually).
Sure enough, the folks at Sigma were kind enough to leave much of the file readable. There is a wealth of debug information in the files, for example, s14v101.bin opens with the following text:
SIGMA.COSD14....1.01............1.00.0.008..........20070411....
Hm, looks like this is Sigma Co’s SD14 firmware version 1.01 made on 04-11-2007.
Easy enough. Surprisingly, a lot of information can be gathered just by looking at the firmware like this. As I noted here, the firmware contains a lot of debug information, in particular I found this to be interesting:
Specify which steps to skip in the Image Processing pipeline.
FLAGS:
Skip AutoAdjust = 0x00000001
Skip LinLUT = 0x00000002
Skip ColumnFilter = 0x00000004
Skip ColumnFilterSegCapacitance = 0x00000008
Skip SpatialGain = 0x00000010
Skip ISOGain = 0x00000020
Skip DriftCorrection = 0x00000040
Skip FlareCorrection = 0x00000080
Skip SatDetect = 0x00000100
Skip BadPix = 0x00000200
Skip RedSharp = 0x00000400
Skip NeutHilitePixel = 0x00000800
Skip NeutHiliteNeighbors = 0x00001000
Skip NeutHiliteSmoothNeighbors = 0x00002000
Skip Despeckle = 0x00004000
Skip SpatialDQ = 0x00008000
Skip ChromaBlur = 0x00010000
Skip ColorDQ = 0x00020000
Skip CorrectionMatrix = 0x00040000
Skip ToneGamma = 0x00080000
Skip Sharpen = 0x00100000
These appear to be the discrete steps in the image processing pipeline. You can find this at offset 0x0AA846 in s14v101.bin. Boy, I wonder what algorithms are going on behind the scenes there.
So, as I said, much can be learned just by opening up the firmware in a hex editor and poking around. That’s what I’ll start off with. Open the firmware and see if there is anything I can pick out.
Categories: SD14 Firmware Hacking
Hacking the Sigma SD14 Firmware
9:55 pm
Sigma released their SD14 camera a while ago and as I have an SD10, I don’t see a very compelling reason to upgrade. The feeling I got from the camera was that it was underwhelming, the Photo Pro software originally released was horrible, and then I started to see an endless release of firmware version after firmware version to correct bugs.
Now, of course many of these issues have been fixed, the Photo Pro software is now based off the excellent 2.x version as opposed to 3.0 (I’ve got some details on the company behind the 3.0 mess), and the firmware releases have seemed to subside. Perhaps they are now getting the bugs worked out of the camera.
The firmware however intrigued me, never before had Sigma done this, released so many firmware versions for a camera. Recalling from memory, the SD9 had 1 update and the SD10 didn’t have any. If I have this wrong I’m sure someone will be so kind as to correct me. With all these versions of firmware sitting around out there, I got to thinking, I wonder what’s in there.
It dawned on me that even though I have an engineering background, and at least some experience with embedded device programming (an old school project on a PPC 405GP) I really have no idea how to reverse engineer firmware.
You hear about it all the time, these l33t h4x0r$ reverse engineering DVD encryption, great work has been done hacking the low end Canon Powershots, and even phones getting a workover.
How do these people do it? How is the firmware decoded, how do they reverse engineer it? What does the firmware even look like? I decided that since the nice folks at Sigma gave us so many firmware versions, and even an excellent changelog between them, I figure that with a little time and effort, I could probably at least figure out what the firmware looks like, how to decode it, and hopefully how to change it and re-encode it. This would motivate me to buy an SD14!
Why? Because I’m curious. I like to make my own things. I like to understand how something works from the ground up. There are some features I want, and I don’t particularly think that Sigma is going to listen to me much (I tried once - didn’t happen). I also think there is a good chance that I can actually do a better job.
So, what I’m going to do here is chronicle my adventure in attempting to become some elite firmware hacker. I’ll tell you all I know, and maybe, if anyone is paying attention, someone else might find it interesting.
Matt
Categories: SD14 Firmware Hacking
Scanner Camera at Pikes
2:26 pm
Took the scanner camera down to Pikes market during one of their festivals. This was the first time I had the camera outside, and the results were encouraging. You can see all the pics here:
A couple things to note:
I turn off coarse, fine, light and dark calibration. I use the alt calibration option. I think the per-pixel calibration that is stored in DRAM during the alt calibration is a bit off for the pixels near the top of the image. For example, see this image:
You can see the light band of pixels at the top of the image. This gets significantly better when switching from grayscale to color images. The color images come out very very grey. There are two things that I want to look into further:
- Better understanding/knowledge of the calibration. I think this will significantly improve image quality.
- Ensure that I’m operating the scanner chip in 14 bit mode, and that I’m getting out all 14 bits. If the chip is in 14 bit mode then there is no calibration data stored in DRAM (the space is used for pixel data).
Matt
Categories: Scanner Camera
Scanner Camera
April 19, 2008 11:25 pm
I’ve finally gotten the first version of the scanner camera working. I’ve married an 8×10 cambo monorail camera with a Canon Canoscan scanner. The results are truly remarkable.
I got the idea from here.
I’ve got a cambo 8×10 monorail and I’m using an unknown Schneider lens. It has an f stop range of 5.6-11, though it’s physically stopped from going beyond f8. I have a feeling this is either a reproduction lens or a lens from some sort of aerial photography. At any rate, it’s very wide and covers more than 8×10.
The scanner I chose was from the Canon Canoscan family. The scanner is small, contains a full length sensor (no mirror box) and is powered from USB, making it rather portable. After hacking the scanner apart, I removed the pinhole lens array (the Schneider lens will do just fine) and widened the slot where the sensor array is exposed. I also removed the plastic light bar. I did not remove the LEDs.
I’m using Linux and have modified the SANE plustek backend for the scanner driver. The bulk of modifications made to the driver were to make sure the lamp (LED lights inside the scanner) remained off. I’ll probably make more modifications as I read the datasheet for the sensor.
In the meantime, feel free to check out the scanner camera gallery I’m starting:
Categories: Scanner Camera
Disappointment
January 16, 2008 10:14 am
Well, I was hoping that Apple’s new release of iPhone firmware 1.1.3 would support Nike+iPod. No luck, the Nike dongle is still “an unsupported accessory” on the iPhone. There were reports of the 1.1.3 firmware containing references to com.apple.mobile.nike but it looks like the 1.1.3 firmware does not support the Nike adapter. Come on, Apple.
I want to run with this phone and I’m not buying a Nano to do so. The other option would be to jailbreak my phone and figure out how to hack it to work. I don’t think Apple wants that.
Categories: Uncategorized
Photos Tagged
December 19, 2007 2:07 pm
I’ve tagged some photos of the family, you can now get dynamic galleries of photos containing a specific person. Click the “tag cloud” item on the left hand side of the screen, it will take you to the tag cloud.
For example, check out the photos tagged with Ben.
-Matt
Categories: Gallery
Downloading…
December 18, 2007 1:52 pm
Want to save a lot of pictures or even whole albums? Want to get them professionally printed online?
You can download or print entire Albums, or individually chosen pictures from my gallery. All you need to do is add albums or pictures to your cart, then choose to download your cart as a zip file or print with Shutterfly.com.
Adding items to your cart is easy - just click the “add to cart” button under each item. You can view your cart by clicking view cart in the “Your Cart” section on the left hand side of the page.
Clicking view cart takes you to your cart page which contains all the pictures and albums you’ve selected. The drop down menu in the upper right lets you either download a zip file of all the pictures, or you can print them at Shutterfly!
Browse the Gallery here:
http://www.mattmerry.com/gallery
-Matt
Categories: Gallery



