
How to Hack an Expensive Camera - pi-rat
https://alexhude.github.io/2019/01/24/hacking-leica-m240.html
======
ggm
Excellent work. Almost forty years ago my first paid job on graduating was
clean room reverse engineering a spec of a binary dump of somebody's code. You
put me in awe of how well you did this.

As a former chdk user on canon and a Fuji x20 owner I hope somebody carries on
your amazing work!

------
getorix
Heh, I feel like I need to clarify something. Don't get me wrong, it was not
24/7. Instead it was occasional work with huge several month long gaps :)

~~~
syntaxing
If you don't mind me asking, what do you do for a living? Your expertise in
this is seriously impressive.

~~~
CamelCaseName
He has 15 years of experience as an embedded software dev/security researcher.

Looks like he's worked on a lot of really cool, low level, stuff.

~~~
getorix
Correct, and I have also spent 7 years making Cinema Cameras in Blackmagic
Design. This helped a lot with Leica research.

~~~
contingencies
You seem to be in Melbourne. Any relation to Felix Hude of Mr. Pumpy fame? I
believe he used to teach at RMIT.
[http://www.mrpumpy.net/](http://www.mrpumpy.net/)

------
ndnxhs
I am absolutely blown away by the dedication of this person. I can't imagine
spending so long working on this.

Somewhat unrelated but I wonder if we will make the move to open hardware like
we have done with software. Having access to schematics and firmware source
does wonders for the reparability and upgradability of hardware.

------
ackbar03
This is crazy, how on earth do you have the patience and persistence to work
on something like this??? It took five to six years?

~~~
sho
This comment is kinda snarky and borderline facetious but man, I can't help
but agree. After 10 years hanging around this site if there's anything I've
learned it's that I am nowhere fucking near "max geekiness". I couldn't stick
with a project like this for 6 hours, let alone 6 years. And yet literally in
the last week I've been (gently) ribbed for being nerdy enough to think
reading books for pleasure is an acceptable leisure activity.

This is orders of magnitude of geekiness beyond anything I could possibly
accomplish, and I mean that in the best possible way. Kudos to the author and
thank god for the real nerds.

~~~
ackbar03
Dude it wasn't meant to be snarky at all. It was literally like wtf how is
this even possible.

~~~
sho
Sorry, snarky was the wrong word. But I'm in the same boat!

------
ComputerGuru
Amazing work, clearly a labor of love. You never know how standardized of an
approach embedded developers take depending on the constraints on developers
and hardware, I’m glad he lucked out with a lot of the binary resources. I’ve
bookmarked this, it’s such a delightful resource.

------
dharma1
This is why we need open source cameras - so people don't need to spend 6
years reverse engineering and still not get much out of it.

~~~
ndnxhs
This is part of the reason I can't get into reverse engineering. It takes an
incredible amount of time to get a little done when in the same time you
probably could have written your own camera firmware. I do remember seeing an
open source camera but it was a really high end one and very expensive.

~~~
gntheprogrammer
> I do remember seeing an open source camera but it was a really high end one
> and very expensive.

Might be AXIOM from the Apertus project:
[https://www.apertus.org/axiom](https://www.apertus.org/axiom)

~~~
dharma1
I really like what they are doing, but they have been working on it for 4
years and have no users. The camera costs 6000 euros and has no internal
recording capability.

------
bicubic
Would you consider doing this for sony cameras? Shit, open a kickstarter for
it and you'll get funded in a few days if the word gets out.

There were some initial promising efforts to build the equivalent of Magic
Lantern for sony alpha cameras, but it seems to have quietly died.

~~~
mschuster91
Oh yes. I've got an A7S2 and while I'm pretty satisfied with it in general
(especially after jailbreaking it and killing that annoying 29 minute video
limit), there are some things that I really miss, mostly related to
networking.

Oh and while one can get a full service manual including block diagrams and
wiring specs for it on the Internet, if someone knows how to access its
bootloader (probably uboot, it runs Linux in any way, with an Android layer on
top for the "apps") so that one can experiment without risking a $2000 brick,
that would be really really nice ;)

------
jimmaswell
"My wife and I always wanted a Leica camera and suddenly we realized that if
we didn’t buy it now, we will not be able to for a while."

Is this the mindset of "better buy the expensive thing before we can't afford
it"? I've seen this expressed before and it's not sound reasoning. If you
wouldn't be able to keep that money in a savings account because you know
you'd later find other uses of the money to provide better value then you
shouldn't be comfortable spending it on a depreciating asset immediately. The
only way it makes sense is if you trust your future self's reasoning less than
you trust your present self's.

~~~
bestham
I don’t think that this is about not having the money at a later stage, but
about spending that kind of money when you have other responsibilities (kids)
being irresponsible.

~~~
sokoloff
Right, but it's not like money has an expiration date on it.

If it's going to be irresponsible _then_, it's probably just as irresponsible
_now_, perhaps not as obviously. ("Better hurry up and make that mistake...")

------
zhovner
Unfortunately many other vendors encrypt firmware updates, like Panasonic does.
I dream of hacking the Panasonic GH5 and G80 camera firmware to tune some options.

There is a tool for binary patching Panasonic GH4 and GH2 firmware called Ptool:
[https://www.personal-view.com/faqs/ptool/ptool-faq](https://www.personal-view.com/faqs/ptool/ptool-faq)
It decrypts the encrypted firmware, patches the binary and then encrypts it
again, so you can update the firmware via the default process.

~~~
getorix
Honestly speaking, encryption never stopped me. Doesn't matter if it is
something simple like the M9 xor described in this story or fancy AES/HMAC from
Canon or Sony. It just makes reversing more complicated and invasive. You have
to open the body, rip off the flash or solder wires somewhere to sniff comms.
Unlike Apple, camera vendors are not that paranoid and try to keep firmware
unencrypted on flash to reduce the boot time. In other words this is the part
where your wife can kill you for bricking the camera :)

------
masonic
This is insanely well-written.

~~~
nocturo
I couldn't agree more! Even though I understood the point, a lot of stuff was so
foreign, but the article just drives you, and it needs some love not just on the
technical part, but also on the writing!

------
arcaster
Still curious as to what his motivation to reverse engineer this camera was?
Extra features? Custom features?

Genuinely curious - seemed missing from the blog post.

~~~
getorix
Actually it is genuine curiosity about how stuff works and the constant
challenge of whether I can run my own code on it :D

~~~
arcaster
Fair enough! I can relate with plenty of my own side-projects, thanks for
sharing yours.

------
mjkpl
Out of curiosity - from a legal perspective, is it fine to publish the outcome
of reverse engineering? I'm always sceptical before doing so myself.

------
dfox
One thing that I learned about reverse engineering is that you can often get
very far by just recognizing/guessing what formats and libraries were used by
the original authors. The article seems to at least partially confirm this view.

At vocational school we could elect to do a long-term project instead of the
practical graduation exam. In my case this involved reverse engineering the
management protocol used by the Merlin Legend PBX in order to port its DOS-based
configuration utility (which was in fact an emulator of the MLX-20L operator
phone) to something more modern (and multi-user). One of the first things we did
was running the binary through strings and ndisasm (I probably still have the
hacked-up tool to convert MZ EXE to pseudo-COM that could then be read by
ndisasm, which was motivated by the fact that for various reasons we could not
use IDA). What we found out was that it used some weird Unix-on-DOS emulation
layer from AT&T which included Unix-style ncurses and a terminal emulation
layer.

We tried both to analyze the binary and sniff the communication. At first we
thought that disassembling the code would be faster as we had only limited
access to the PBX itself and were somehow afraid of bricking the thing. One day
I just gave up and spent a few hours hacking up a way to actually look at the
UART data (there were two issues with that: the PBX was somewhat picky about
accepted RS232 levels and then the slight logistical issue of having preferably
a laptop with two serial ports in the early 00's). After we had this ugly mess
of wires with four DE9 connectors and an active RS232 buffer (powered from an
adjustable bench supply, needless to say that our advisor was not too thrilled
that we decided to connect this thing between a somewhat irreplaceable PC and a
still considerably expensive PBX) we found out quite quickly that the actual
configuration protocol consisted of XModem for backup/restore, straight ANSI
terminal emulation for initial session establishment (and in theory for the
weird "use PBX as outgoing modem" feature), an essentially binary block oriented
terminal protocol (think contents of a PC text mode framebuffer with one
attribute byte not for every character but per block of 8, always sent as a
whole line) wrapped in a weird HDLC subset for the actual interactive
configuration, and a weird handshake reminiscent of the OBDII serial protocol to
switch between these modes (which probably took the majority of the time to
reverse engineer).

An interesting aside is that the above mentioned binary block protocol was also
used for the UI of the almost-ISDN phones that went with the PBX in question. We
had access to an ISDN protocol analyzer which worked perfectly for normal call
flows, but reliably crashed (and not with any kind of meaningful error
message, it just overwrote half of its display with random pixels, started
ignoring its keypad or otherwise started behaving weirdly in a somewhat random
manner) any time we did anything more complex. Somehow I think that finding a
signal that reliably crashes the firmware on test equipment which is explicitly
designed to debug problems on such an interface is an achievement in itself :)

------
adetrest
Very neat, and impressive skills from the author! I wish I could do that
myself... I started learning C so there is hope.

------
sm4rk0
I was expecting to find the debug mode key combo here in the comments, but it
seems like 8h is not enough time.

------
brokenmachine
Amazing writeup, well done!

------
sealthedeal
Love this!

------
omeid2
A little off topic, but the references as a huge list at the bottom is
forgivable for print media; for interactive media, there is no reason for such
an inefficient method that requires one to click on the reference only to find
yourself skimming through a list trying to remember what the number was, and
once you have found it, great, now you have to find your way back to where you
were reading!

Wikipedia's recent reference links are a great example of how to do
references right.

~~~
codetrotter
In Safari on iOS you can use the back button of the browser to jump back to
where you were on the page before you clicked the link to the reference. You
should see if the browser you are using does that as well.

~~~
avhon1
This also works in pretty much every other browser I know of.

~~~
codetrotter
Absolutely :) Named anchors in a page have been around for a long time and I
recall that going back from a page-internal link would bring you to the place
in the page where you were for as long as I can remember.

Would be interesting to know which browser was the first to keep track of
scroll position for history entries.

Mosaic was before my time but I wouldn’t be completely surprised to learn that
even it would store scroll position.

