Hacking a Camera Through the UART Port

Why would a UART connector be labelled "URAT1"?

To confuse hackers.

http://www.google.com/aclk?sa=l&ai=CV_mt3WrkT4DCGYaV8AOVy61bq87MvQKTzYu9J7OE6CQIABACIMr4rBYoA1DQlpzSBmDHtf6NhCagAcW3iugDyAEByAMbqgQhT9BZ0UX7OuNstITCWqFomOid616cefe78h_D7hjqyIlp&sig=AOD64_3CUKBkKyGyMuyUQiNaqYG39nHwrg&adurl=http://performersoft.com/dr.php%3Fbrand%3DPC-Camera&nb=0&res_url=http%3A%2F%2Fen.kioskea.net%2Fs%2FHcl%2Bec2%2Bdriver%2Bdownload&rurl=http%3A%2F%2Fen.kioskea.net%2Fforum%2Faffich-538651-drivers-for-hcl-ec2-model&nm=24&is=623x199&clkt=97&nx=17&ny=11

That link is irrelevant.

You need a dedicated firmware update driver to low-level update the bootloader. Product firmware is normally updated directly through USB, and bootloader is not changed. The chipset or device manufacturer usually will NOT provide either, that type of product lifecycle doesn't need it anyway, so the hardware USB to UART won't help alone. You might find a sniff-cloned basic functionality utility to do it, but the firmware is possibly locked-unreadable from outside and you can only update it, not read it, unless you give special undocumented commands. Even if it's not locked, you'd still have to disassemble the code part. Real "hacking" is what starts after that. S.M.

You need to do a little more reverse engineering before you decide that some ink on the board that says " URAT1" is a serial port .

Pull the thing apart some more and get the numbers off the chips , get the data sheets ( unless they are house marked chips ... then good luck with THAT .)

Check the data sheets to see if there IS some kind of usable port on there ...

FAILING that , LOOK at the layout of the board / chips , try to GUESS at their functions , probe around in there with a scope / meter ...

Just deciding that something is a serial port, then hooking it to a serial/usb adapter and hoping for the best sounds like a REALLY good way to destroy both the camera and the adapter.

I got my serial adaptor and am using it with Hyperterminal. I have connected it to the port on the camera where the noises were coming out. I switched the camera on, but noting came up in Hyperterminal. It may be to do with the data rate and data type settings.

It seems that the pinout on my serial adaptor was wrong. I swapped the tx and rx around and now garbage comes up on screen when I switch it on.

Here is another update. I set the bits per second to 115200 and now sensible data comes out. Here is what I got:

IROM

Test Mode01
JL2180 Chip_ID & Bond_ID =>
37
05
SerialNorFlash Load EBoot to IMem
Serial Flash MID & DID =>
8C
2014

IROM Enter EBoot

Enter EBoot
By SF
SDRAM Clk(Mhz) = 162
Jump to ICache

Initial Clk: PLL_MUL = 27, PLL_DIV = 2, Main = 4, SDRAM = 1, Peri = 4, Misc = 6
Clock_SetMainClockDivisor: index = 0
G Init
Main_Clk_Div = 3
==> Firmware Running
Start JL2108A RS232 Debug 2008/10/21 13:40...
G5
decode_thumbnail_flag= 0
enable_RdDB_Mode_flag= 0
w=384
h=160
G_REVERT
CFG Table Init. From SF
Serial Flash MID 8c & DID 2014
CFG_SDRAM_ADDR = 0x136000
Max Block Num = 2
Pages/Block Num = 16
CFG Load From Flash To Buffer
CFG Find Last Table
Block Idx = 0, Page Idx = 9
CFG Load From Flash To Buffer
IsoMode = 0
backIsoMode = 0
SharpMode = 0
iq_result = 7
Detect_Card_Events
Using_SDRAM_As_Storage=1
Sdram_Storage type=1
Init_sdram_finish
NO KEEP_SDRAM_STORAGE_DATA_AFTER_POWER_OFF
Format type= 5
Card Capacity = 1579 sectors
fs_type = 0, sectors_prior_fat = 2, fat_sectors = 12
sectors_prior_root = 26, sectors_prior_data = 58, cluster_sectors = 2
find_all_file called: Card_Type = 5
Clock_SetMainClockDivisor: index = 10
Main_Clk_Div = 2
Search_Remain_Cluster => remain_cluster = 759
remain_KBytes = 759

FAT_Create_File(0, 0), fs_type = 0, filename => DCIM.
Parent_Dir_Sector = 26

FAT_Create_File(2, 0), fs_type = 0, filename => 100JLCAM.
Parent_Dir_Sector = 58
dir_count = 1, file_count = 0, dir_index = 1, file_index = 0
Clock_SetMainClockDivisor: index = 16
G Init
Main_Clk_Div = 3
find_all_file done!
Format OK!
SDRAM_Initial_Settings_UI
check SD exist
check_if_sdcard_inserted: SysMode = 0, Insert=0
SD not Ready
check_sd_result = 3
System_Mode_Init
Enter Main Loop ...
DSC_Mode_Init()
Timer_Start_Power_On
Audio_Init
Audio_Set_Filter_Parameters !
Check_Enough_Power 1 ms
BUZZER_POWER_ON
Initial_Display
DispTG_ExitHD !!
G5
decode_thumbnail_flag= 0
enable_RdDB_Mode_flag= 0
w=480
h=240
G_REVERT
Set_Display_Mode 240
Set_Display_Mode to LCD
G2
WM_F4823V4_7FLWA_480x234_Power_On
OSD_LCD_Init
Disable_OSD_Blend
Set_OSD_Blend_CFG
[INF] FDFrame: _panelW = 480, _panelH = 234

[INF] FDFrame: _cutX = 0, _cutY = 0, _zrW = 480, _zrH = 312, calW = 480, calH =
234

-- Menus_syncWithModeVars Begin
var[0]=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
backIsoMode=0
old IsoMode=0
var[1]=6
var[2]=0
var[3]=0
var[4]=1
var[5]=8
var[6]=0
var[7]=0
var[8]=0
Func_setPhotoIso-1 backIsoMode = 0
Func_setPhotoIso0 backIsoMode = 1
Func_setPhotoIso-1 backIsoMode = 1
Func_setPhotoIso0 backIsoMode = 2
Func_setPhotoIso-1 backIsoMode = 2
Func_setPhotoIso0 backIsoMode = 3
Func_setPhotoIso-1 backIsoMode = 3
Func_setPhotoIso0 backIsoMode = 0
var[9]=3
var[10]=0
var[11]=0
var[12]=0
var[13]=255
var[14]=0
var[15]=0
var[16]=2
var[17]=0
var[18]=0
var[19]=0
var[20]=0
var[21]=4
backIsoMode=0
old IsoMode=0
new IsoMode=0
SceneMode != SCENE_HighSensitivity
final IsoMode=0
-- Menus_syncWithModeVars End
Battery Voltage Boundaries: empty <= 3.61V < low <= 3.69V < normal <= 4.00V < fu
ll
Battery Detected Voltage: 3.97V
UI_init (end)
[INF] FDFrame: _panelW = 480, _panelH = 234

[INF] FDFrame: _cutX = 0, _cutY = 0, _zrW = 480, _zrH = 312, calW = 480, calH =
234

Set_Blank_Mode 0
FW Version: 150DTJMH3300F04SA09
Enable_OSD_Blend
Check_Power_On
Sensor_FE_Initial
i2c access OK
0:DB6A
IP_Init
AWB_Init
Check_Card_File_System ...
C_S_IS_GOOD
DSC_Mode_Change = 1
Photo_Cap_Init_Preview_Mode
done 1
Clock_SetMainClockDivisor: index = 1
Main_Clk_Div = 4
G4
G6
G7
Sensor_FE_Enable_Sensor_TG_SW();
PreviewMode=0
!!
MI5130_Set_JL2008B_Array_Size:0
MI5130_Set_Sensor_Array_Size:0
Preview_SetHW
Disable_OSD_Blend
Init_Preview_Mode_UI CaptureMode = 0
G3
G_REVERT
Flash_Stop_Charge();
Set_EV_Value=8
Preview: Frame Lost
Preview: Frame Lost
0:B3E7
Enable_OSD_Blend
0:CBDC
4:F07B
6:8D6A
0:8F14
0:AD7A
KEY_Power
CFG Load From Flash To Buffer
ResolutionMode,backup = 6,13
saved IsoMode = 0
0:D388
ReadBack CFG Compare Before Saving
CFG Load From Flash To Buffer
Read Back CFG Compare
CFG Load From Flash To Buffer
CFG Save OK => Count = 74
save_block_index = 0
save_pages_index = 10
BUZZER_POWER_OFF
0:0C63
ClearOSD
WM_F4823V4_7FLWA_480x234_Power_Off
G0

I really didn't think you'd get that far. Pretty cool, you have the debug output port data!

Whether it responds to commands on the same port remains to be seen.

And know this: the wrong command into that serial port could "brick" the unit. In other words, anything that modifies the firmware can render it brain dead, and no amount of rebooting will bring it back.

Then you need another way to program the flash, if available.

or buy another unit.

I have tried sending commands to it, but it does nothing. I think this one only gives out debug information.

There are blogs and websites for just this sort of thing, I got this one by Googling on "Hacking one time use digital camera":

http://cexx.org/dakota/pv2.htm

There are plenty of others, just find one that has a camera such as yours.