Showing posts with label firmware. Show all posts

Sunday, 1 March 2015

Sunluxy DVR mkII - quick firmware mod investigation

The last post in this series saw the firmware being dumped from the device. This post looks at the format of the data and some annoyances that were encountered while trying to write a modified image back to the device.

One of the first things I tend to do whenever I'm investigating a file is to generate an entropy plot. This habit developed from years of reverse engineering malware samples, where a simple entropy plot would give you a lot of information about the next steps you'd probably be taking. For instance, packed executables would look significantly different to non-packed samples, and files with appended data (think self-extracting archives or tools such as AutoIT) would have the interesting functionality contained in appended data (data that resides outside of the section tables). These are just two basic examples, but I can't stress how useful these graphs can be.

Back to the task at hand, the dumped firmware. The entropy plot looks like this:


Saturday, 28 February 2015

Reflashing an Intel Galileo

If you're the lucky owner of an Intel Galileo board then you'll probably know that the device has an 8MByte flash chip, which contains the BIOS and a Linux boot image (even the ones that MS shipped, apparently). Sadly, it is possible to accidentally trash the contents of the flash chip, rendering the device unbootable. The good news is that it is possible to recover the device if you have hardware that talks SPI. That could be a BusPirate, a BusBlaster, a PICKit2 (Linux only) or one of the many FT2232 SPI or JTAG boards.

Friday, 10 October 2014

(Ab)using CurrentCost dev boards - code

This is something that I've been meaning to do for a while. I put together a "framework" to deal with the common tasks with the CurrentCost digital development boards, such as transmitting and pairing. I've also provided an example of handling a DHT22 temperature and humidity sensor.

Tuesday, 7 October 2014

Hacking a ScoutGuard camera - part 4

The plan for the fourth instalment in this series was to extract the firmware from the flash, hack it around to remove the logo and write it back. This was going to provide the opportunity to play with the TSOP clip I'd finally got around to ordering, as well as a few other bits and pieces required to read from the chip in circuit.

Unfortunately there was a bit of down time while waiting on the clip to arrive. This was sufficient reason to justify poking around with the PIC16F684 chip that is used to read the sensor data and take the photo. I had probed the pins with the scope and could see the data coming in from the PIR and the trigger control going high after a certain amount of time, and this data alone could have been useful to start playing about with. The temptation to look at the data from the chip was too great, however, and I proceeded to hook up my PICKit in an attempt to see if I could get a dump of the code. I knew the likelihood of this was pretty small, but nothing ventured, nothing gained.

Wednesday, 23 April 2014

Hacking a ScoutGuard camera - part 3

In the previous posts [1] [2] I mentioned that the ultimate goal was to load modified firmware on to the device and one possible route would be via JTAG. It was hoped that the test points in the bottom left corner would provide JTAG access:


Thursday, 19 December 2013

Hacking a ScoutGuard camera - part 1

A while ago I picked up a ScoutGuard 550 wildlife camera with the grand plan of capturing interesting wildlife in local woods.

Fast forward a couple of years and, with nothing but pigeon shots to show, I decided to have a go at tackling one of the features that always bugged me. Each photo has a logo in the bottom left corner. In reality this isn't a big deal, but it did strike me as slightly annoying since I'd paid for the camera and I shouldn't have to advertise on their behalf.