MAKE pal John Maushammer sent us some great news! The CVS Disposable Camcorder (mentioned about a month ago) has now been usably hacked so that videos can be downloaded over USB – no need to desolder the flash memory. Finally, some healthy free-market competition to CVS’s expensive development service, just like in the analog world. Here are the details!…A lot of progress on the CVS camcorder this last week. This weekend I figured out how to unlock the camera, and then daBass found a USB command that downloaded the most recently recorded video. By deleting that video after saving it, you can download all the videos. Lots of other people filled in with code to combine our discoveries. It’s been an amazing group effort — I’ve tried to summarize it–
The CVS Disposable Camcorder (mentioned about a month ago) has now been usably hacked so that videos can be downloaded over USB – no need to desolder the flash memory. Finally, some healthy free-market competition to CVS’s expensive development service, just like in the analog world. Last week, dakotamod and mconsidine were able to coax mystery responses back from the camera. I found what looked like a set of challenge & response packets stored in memory, and then traced the firmware until I found where they was accessed. I thought I had found a locking mechanism, but wasn’t sure until I realized that it only allowed the commands dakotamod & mconsidine had found were accessible… we were on to something! I figured out what the commands did and how to use them to how to unlock the camera. The community took it from there… daBass figured out the USB command to download the most recent video, and CorscariaBillW quickly released tools. When unlocked, it seems that many standard windows drivers can be used with slight tweaks, including enabling full VGA resolution recording @ reduced frame rate (as opposed to the 1/4 VGA default). There are now a lot more sample videos. And, lastly, this removable memory hack is awesome.
Interestingly, there seems to be a flaw in the code Pure Digital wrote. You can request the 128-byte challenge by sending a specific USB command with an index number of 0-127. But, if you send an index number between 128 and 255, you’ll get back the secret response it is looking for that’s needed to unlock. It looks like the firmware tried to prevent this by performing an “AND” operation with the value 0xFFFFFEFF, but that doesn’t do it — a value of 0xFFFFFF7F would be needed. Or, maybe it was on purpose we’ll see if (or how fast) Pure Digital closes that door.
I’m still trying to document the protocol, and my plans are to see if I can unlock the Mass Storage mode so that it can be accessed like an external flash drive. If I can make the change permanent it would simplify things greatly and I’d consider the hack done.
Software app here.