In all honesty i think thats quite a selfish request to make on jolly...Originally Posted by Atnas
He is obviously quite busy at the moment, so to assume he can give up (most likely) a couple of hours in the morning or afternoon is a bit inappropriate i feel.
In the UK? Then post here. You might need a hand in the future from a real person... HV20 (PAL)
I didn't mean to be selfish in any way. It was only based on my current understanding, that Jolly often works late on the hack anyways. But let's hear what Jolly and Bastegreve has to say.
Well if its possible to do without having to ship over stuff, i can get up early or stay up late, but i start at school tomorrow, so when im therei cant help much with it.
Guys, just thought i'd let you know, i'm helping Jolly again with his Flip hack work, so no need to worry yourself there.
On the experiments: there is no need to ship cameras to me, I can send my tools to whoever wants to help and then I can tell him/her what to do in real time on Skype/MSN. This is the way I worked with derkoi before, and he agreed to help me again, so no worries there.
On the flip hack: right now I am still working on understanding the osd, but as I have noticed some memory locations that seem to contain some data about the LCD switches, I might as well take a better look, unfortunately the camera I am using has broken switches, so I cannot do this by myself; derkoi agreed to help as soon as he has some time.
Misc.: I am looking for any clues for where anything related to aperture-shutter-gain controls are in the code, and I am getting somewhere. I found the routine that displays aperture and shutter speed when you play a video from the tape (MENU -> Display Setup -> Data Code -> CAMERA DATA), with some work I might be able to add displaying the gain to it, just to see if what I found make any sense...
I also think I found the routines that display aperture and shutter speed when the photo button gets pressed, so that is more data to analyze.
Tonight I will check a few of these memory locations with the real-time dumper to see how they vary when I move the camera or adjust some parameters.
Bit by bit...
Jolly
Another big thanks to Jolly and Derkoi...!
Bastegreve, thanks for the offer of help also. Out of interest, can we "keep your name on file" in case Derkoi isnt available to offer Jolly help in the future?
In the UK? Then post here. You might need a hand in the future from a real person... HV20 (PAL)
jolly - I love it that you're hacking in this - Assembly code must be pouring from your nose
You're brilliant dude - you're doing something so many of us wanted to tackle for Years - seriously, years.
<3 Keep up the good work :-)
Fantastic progress
Jolly, this is fantastic progress, you can almost feel the tension reading these threads that a breakthrough is bound to happen.
You are amazing, and if I see ANYTHING concrete come out of this hack, I have a donation ready (although I know you aren't motivated by money, maybe you could use some for wallpaper or something?)
In any case you have done amazing work and I hope / pray that the HV30 hack happens (although us in hv20 world would be out for a little while) It is still amazing to see the flip is even possible/close and the gain is the #1 request.
Congratulations and keep up the hard work!
IB
I've got an HV30 and would be happy to help if you still need it.
Goodo, more help is always useful!
In the UK? Then post here. You might need a hand in the future from a real person... HV20 (PAL)
For the HDMI capture maybe can be activate:
1).- HDMI.- maybe ca be released the 10 or 12 bits HDMI out, actually locked in 8 bits.
2).- Color Space.- maybe can be released the 4:4:4 or 4:2:2 color space in the hdmi out, actually locked in 4:2:0
3).- AUDIO.- maybe can be released the 16-bit, 20-bit, and 24-bit audio.
HDMI 1.3+ uses the CEA-861-D video standard.[15]
http://www.ce.org/Standards/CEA-861-E_FINAL_Preview.pdf
The CEA-861-D document defines the video timing requirements, discovery structures, and data transfer structure.[17] The color spaces that can be used by HDMI are ITU-R BT.601, ITU-R BT.709-5, and IEC 61966-2-4.[18] HDMI can encode the video in xvYCC 4:4:4 (8–16 bits per component), sRGB 4:4:4 (8–16 bits per component), YCbCr 4:4:4 (8–16 bits per component), or YCbCr 4:2:2 (8–12 bits per component).[18][19]
HDMI supports up to 8 channels of audio at sample sizes of 16-bit, 20-bit, and 24-bit, with sample rates of 32 kHz, 44.1 kHz, 48 kHz, 88.2 kHz, 96 kHz, 176.4 kHz, and 192 kHz.[20][21] HDMI also supports any IEC61937-compliant compressed audio stream, such as Dolby Digital and DTS, and up to 8 channels of one-bit DSD audio (used on Super Audio CDs) at rates up to four times that of Super Audio CD.[20] With version 1.3, HDMI supports lossless compressed audio streams Dolby TrueHD and DTS-HD Master Audio.[20]
Last edited by machinery; 2009 August 17th at 15:23.
This thread is starting to give me chills. Jolly If this flip hack indeed works, I'm willing to deliver a 24 of Molson Canadian to your door step...
I'm pretty sure the HV HDMI out is 4:2:2, that's what you can capture with an Intensity HDMI capture card. I've also got a hunch 12bits are available, but I might be wrong. I actually have an Intensity card, but it isn't currently installed (I haven't needed it yet).
Ex-Firmware HackDictator (check out my own firmware <cough> 'hack' - scamtastic).
Cam: HV20 PAL | DIY: glLight(LED light) The Ski-balizer (steadicam) glKey (reflective chromakey)
Just a quick note to say that there is going to be another major roadblock ahead for us.
As I explained before most of all the code that manages the camera and the internal parameters (but not the display and firewire) is in the TX19A core.
Thing is, the update file that Canon released contains only HALF of the TX19A firmware (the first 2MB), and in order to decode everything the core does I had to dump the other half myself from the camera.
I have dumped the second half a long time ago and now I am looking mostly at it, as it seems to contain a lot of the code and parameters we are interested in (gain, aperture, shutter controls).
The problem is: while it is easy to patch the update file and flash it to a HV30, I have no idea whatsoever how to send a modified second half of the TX19A code to the camera, as it is not part of the update file...
So we might need to understand extremely well how the FW update process works and create a custom, larger update file that contains all the 4MB of TX19A firmware, it's going to take some effort to do this unless we find an easy way to achieve this goal.
Jolly
Ah yes, hadn't considered that at all.
Where is the code that actually does the reading/flashing? Is it in the patch, or in the camera? Is it available to study? Seems to me that just as the encryption etc. was cracked, this shouldn't be impossible, especially if Wiesel or some of the other CHDK'ers get involved again.
Are you still around Wiesel?
Ex-Firmware Hack
Cam: HV20 PAL | DIY: glLight
At least part of the code that performs the FW update process is in the "low" part of the firmware, but even if it spans into the "high" part we can still analyze it as I have dumped it and I have the full disassembly.
The problem is mostly that it is A LOT of code, more than 3.5MB of code and data (not just the FW update piece, the whole TX19A FW).
I am pretty sure that eventually we can figure out whether it is easy to flash the "high" part of the firmware or not by analyzing the update process, but it's going to take time.
Jolly
woah wait hold on, as much as i have been holding my breath on this thread and to your amazemet, if i am correct, did u fully dump the firmware off the HV30???
I believe I have dumped most of it, yes, that was the very first step to understanding how the HV30 works, in particular the MIPS (Toshiba TX19A) core.
The TX19A core has 4MB of firmware, of which the first 2MB are contained in the FW update file; I managed to dump the remaining 2MB.
The FR71 core seems to also have 4MB of firmware (even though there are some pieces of code of still unknown origin...), those 4MB are completely contained in the FW update file.
Jolly
Just another quick update: analyzing the firmware update code and cross-referencing the subroutines calls I found some procedures that which task seems to be updating the firmware starting from a non-encrypted file.
These routines seem to be four:
1) Update the TX19A low 2MB and the FR71 4MB from an unencrypted file (essentially the same as a normal update, but using an unencrypted file)
2) Update only the FR71 4MB firmware from an unencrypted file
3) Update only the TX19A low 2MB firmware from an unencrypted file
4) Update only the TX19A full 4MB firmware from an unencrypted file
I am still not 100% sure of all this, but if this is the case then perhaps we can harness routine number 4 and reflash the entire 4MB of the TX19A firmware... stay tuned.
Jolly
It's official - jolly is unstoppable. Don't even try. Fists of Fury and all that.
I guess at some point you have to try it jolly. One final big brick risk, well worth taking. We got your back
Ex-Firmware Hack
Cam: HV20 PAL | DIY: glLight
There is no point at flashing HV30 at this stadium. There should some kind of service menu in case of bricked camera. It's too risky without that.
Jolly has flashed the camera plenty of times already (see the 1st post of this thread for full details of where we're at).
Of course a service menu would be great (anyone have the service manual?), but isn't that likely included in the firmware, and so might get trashed too?
Ex-Firmware Hack
Cam: HV20 PAL | DIY: glLight
This is amazing
This is amazing progress! Jolly you are literally tearing the roof of this whole thing. Congratulations and More More voodoo power to you in this effort.
I only wish my skills weren't so limited so I can help. If you need ANYTHING that isn't related to tech skills (which of course we need, but I don't have) please post here so we all know.
Good luck and I wish you the absolute best in the current road block! (although it appears we might have a solution option #4, so just take the praise and keep going!)
I think with a Hack, we could probably get enough donations to send you and your wife/family on a cruise somewhere. (if you are into that sorta thing!)
Good luck!
IB
Can everyone update their forum signature (User CP->Edit Signature) to show what camera they have? This will make it easier to see who's got what (and request help if jolly needs it).
I've done mine \/.
Last edited by _gl; 2009 August 21st at 11:34.
Ex-Firmware Hack
Cam: HV20 PAL | DIY: glLight
Ok!
HV 30 Pal
Reply With Quote
