Reversing HP M30x Camera Firmware

by Javantea
Oct 10, 2010 10:43 am

No files officially released yet. See below.

INTRODUCTION

Firmware hacking is an impressively difficult yet rewarding task. Most people are afraid of it because it depends on reversing binaries for embedded architectures that do not have good tools. Many tools that do exist are expensive and have a high learning curve even for experts in the field. Firmware hacking is actually a fun and simple process if you know what you're looking for. Projects for cell phones, video game consoles, and calculators are often out of the league of amateurs until the initial work is done. After the system has been successfully hacked, the code (if made available as open source) can be modified by anyone to improve the software.

Today I will be starting the initial steps of reversing HP M30x camera firmware. Please follow along through the Method, Data, Analysis, and Conclusion sections for detail on my process.

METHOD

Download HP M307 Firmware v1.1 (col9017a.exe) from HP's website.


jvoss@ASLinWS01:~$ hachoir-subfile ~/programs/col9017a.exe 
[+] Start search on 1262368 bytes (1.2 MB)

[+] File at 0 size=290816 (284.0 KB): Microsoft Windows Portable Executable: Intel 80386, Windows GUI
[+] File at 296400 size=960273 (937.8 KB): Microsoft Cabinet archive

[+] End of search -- offset=1262368 (1.2 MB)
Total time: 262 ms -- global rate: 4.6 MB/sec

jvoss@ASLinWS01:~$ hachoir-subfile ~/programs/col9017a.exe ~/src/hpm307
[+] Start search on 1262368 bytes (1.2 MB)

[+] File at 0 size=290816 (284.0 KB): Microsoft Windows Portable Executable: Intel 80386, Windows GUI => /home/jvoss/src/hpm307/file-0001.exe
[+] File at 296400 size=960273 (937.8 KB): Microsoft Cabinet archive => /home/jvoss/src/hpm307/file-0002.cab

[+] End of search -- offset=1262368 (1.2 MB)
Total time: 309 ms -- global rate: 3.9 MB/sec

jvoss@ASLinWS01:~$ cabextract -l ~/src/hpm307/file-0002.cab
Viewing cabinet: /home/jvoss/src/hpm307/file-0002.cab
 File size | Date       Time     | Name
-----------+---------------------+-------------
   3244288 | 07.10.2004 12:15:14 | hp_m30x.hex
       748 | 27.09.2004 15:17:14 | images/capture.JPG
       698 | 27.09.2004 14:34:18 | images/flash.JPG
       768 | 27.09.2004 16:47:36 | images/lr_arrow.JPG
       758 | 27.09.2004 15:53:20 | images/playback.JPG
       693 | 27.09.2004 14:41:58 | images/r_arrow.JPG
      8350 | 29.09.2004 18:15:00 | images/service.JPG
       777 | 27.09.2004 15:16:58 | images/setup.JPG
       769 | 27.09.2004 16:41:52 | images/ud_arrow.JPG
      8736 | 30.11.2004 15:14:54 | leame.html
      8898 | 22.09.2005 12:22:06 | leesmij.html
      9060 | 30.11.2004 15:43:10 | leggimi.html
      9383 | 30.11.2004 15:43:10 | liesmich.html
      9597 | 30.11.2004 18:41:50 | lisezmoi.html
      8138 | 13.10.2004 10:49:06 | readme.html
      7292 | 30.11.2004 15:43:10 | readme_Kor.html
      6230 | 30.11.2004 15:43:10 | readme_Sch.html
      6172 | 30.11.2004 15:43:10 | readme_Tch.html

All done, no errors.

jvoss@ASLinWS01:~$ cd ~/src/hpm307

jvoss@ASLinWS01:~/src/hpm307$ cabextract /home/jvoss/src/hpm307/file-0002.cab
Extracting cabinet: /home/jvoss/src/hpm307/file-0002.cab
  extracting hp_m30x.hex
  extracting images/capture.JPG
  extracting images/flash.JPG
  extracting images/lr_arrow.JPG
  extracting images/playback.JPG
  extracting images/r_arrow.JPG
  extracting images/service.JPG
  extracting images/setup.JPG
  extracting images/ud_arrow.JPG
  extracting leame.html
  extracting leesmij.html
  extracting leggimi.html
  extracting liesmich.html
  extracting lisezmoi.html
  extracting readme.html
  extracting readme_Kor.html
  extracting readme_Sch.html
  extracting readme_Tch.html

All done, no errors.

jvoss@ASLinWS01:~/src/hpm307$ ls
file-0001.exe  hp_m30x.hex  leame.html    leggimi.html   lisezmoi.html  readme_Kor.html  readme_Tch.html
file-0002.cab  images       leesmij.html  liesmich.html  readme.html    readme_Sch.html

jvoss@ASLinWS01:~/src/hpm307$ ls -l ~/src/hpm307/hp_m30x.hex
-r--r--r-- 1 jvoss jvoss 3244288 Oct  7  2004 /home/jvoss/src/hpm307/hp_m30x.hex

jvoss@ASLinWS01:~/src/hpm307$ factor 3244288
3244288: 2 2 2 2 2 2 2 2 19 23 29

jvoss@ASLinWS01:~/src/hpm307$ bc -l
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
3244288/256
12673.00000000000000000000

jvoss@ASLinWS01:~/src/hpm307$ rawtopgm 256 12673 hp_m30x.hex | pnmtopng > hp_m30x.png

jvoss@ASLinWS01:~/src/hpm307$ scp hp_m30x.* altsci.com:altsci/concepts/
Enter passphrase for key '/home/jvoss/.ssh/id_dsa': 
hp_m30x.hex                                                                                         100% 3168KB 243.7KB/s   00:13    
hp_m30x.png                                                                                         100%  947KB 946.5KB/s   00:00    

jvoss@ASLinWS01:~/src/hpm307$ python ~/scripts/histogram1.py hp_m30x.hex >hp_m30x_hist.txt

jvoss@ASLinWS01:~/src/hpm307$ gnuplot

        G N U P L O T
        Version 4.2 patchlevel 6  (Gentoo revision r0)
        last modified Sep 2009
        System: Linux 2.6.35.4

        Copyright (C) 1986 - 1993, 1998, 2004, 2007 - 2009
        Thomas Williams, Colin Kelley and many others

        Type `help` to access the on-line reference manual.
        The gnuplot FAQ is available from http://www.gnuplot.info/faq/

        Send bug reports and suggestions to 
        or to 


Terminal type set to 'x11'
gnuplot> plot 'hp_m30x_hist.txt'
gnuplot> set terminal png
Terminal type set to 'png'
Could not find/open font when opening font "arial", using internal non-scalable font
Options are 'nocrop medium '
gnuplot> set output 'hp_m30x_hist.png'
gnuplot> set style data lines
gnuplot> plot 'hp_m30x_hist.txt'
gnuplot> 

jvoss@ASLinWS01:~/src/hpm307$ hachoir-subfile hp_m30x.hex
[+] Start search on 3244288 bytes (3.1 MB)

[+] File at 1166992 size=1458 (1458 bytes): Microsoft WAVE audio
[+] File at 1202484: FAT12 filesystem
[+] File at 1356996: FAT16 filesystem

[+] End of search -- offset=3244288 (3.1 MB)
Total time: 691 ms -- global rate: 4.5 MB/sec

jvoss@ASLinWS01:~/src/hpm307$ hachoir-subfile hp_m30x.hex hex
[+] Start search on 3244288 bytes (3.1 MB)

[+] File at 1166992 size=1458 (1458 bytes): Microsoft WAVE audio => hex/file-0001.wav
[+] File at 1202484: FAT12 filesystem
[+] File at 1356996: FAT16 filesystem

[+] End of search -- offset=3244288 (3.1 MB)
Total time: 720 ms -- global rate: 4.3 MB/sec

jvoss@ASLinWS01:~$ strings src/hpm307/hp_m30x.hex |wc
  17659   21101  776088

jvoss@ASLinWS01:~$ strings src/hpm307/hp_m30x.hex | head -n 429 | tail -n 37
V3.7
===== Nobel/Otis Programming Tool V3.4 =====
 0: .BOO loaded and programmed.
F 1: .BO2 loaded and programmed.
F 2: .PRO loaded and programmed.
F 3: .UPG loaded and programmed.
F 4: .BIN loaded and programmed.
F 5: .ICO loaded and programmed.
F 9: Exit and run MAIN PROGRAM.
Please send .BOO with 1K-XMODEM.
1st block write OK!
1st block write FAIL!
2nd block write OK!
BOOT PROGRAM write FAIL!
Read OK.
Boot loader verify OK.
Boot loader verify FAIL.
Please send .BO2 with 1K-XMODEM.
block write OK!
block write FAIL!
bak block write OK!
bak block write FAIL!
Second Boot Loader verify OK.
Second Boot Loader FAIL.
Please send .PRO with 1K-XMODEM.
f ?I`"
Program Tool verify OK.
Program Tool verify FAIL.
Please send .UPG with 1K-XMODEM.
f `"
Upgrade Tool verify OK.
Upgrade Tool verify FAIL.
Please send .BIN code with 1K-XMODEM.
pIoH
09hF
MAIN PROGRAM write OK!
MAIN PROGRAM write FAIL!


DATA

Figure 1: HP M30x Firmware Visual Representation (hp_m30x.png, the 256-pixel-wide rawtopgm rendering of hp_m30x.hex)

Figure 2: HP M30x Firmware Histogram (hp_m30x_hist.png, byte-value histogram plotted with gnuplot)

ANALYSIS

In the above Method section I have successfully reversed enough information for a hacker to change the 'beep beep' sound of the camera and to attempt a disassembly of the firmware. The program hachoir-subfile was crucial to this process as well as general tools like rawtopgm and gnuplot. My own custom histogram script was useful but only worthwhile for formats that are difficult to decode. A few minor issues can be seen. Since hachoir-subfile must match many incredibly awful formats, it has a high false positive rate. It should be possible to modify the program to tell you the likelihood of the match. Also hachoir should automatically parse cab files using cabextract (if available) and common filesystems. This would save a bit of busywork especially for hackers who are up against CTF challenges (CTF quals I'm looking at you).
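The pieces of the Method above that are scriptable, as an added example that is not the author's histogram1.py and not hachoir's code: the histogram rows gnuplot plots, the rawtopgm row count from the file size, RIFF/WAVE carving by header length, and the kind of boot-sector plausibility score this analysis wishes hachoir-subfile would report instead of a bare FAT12/FAT16 hit. The firmware blob is constructed inline; all function names are my own.

```python
import struct
from collections import Counter

def byte_histogram(data):
    """(byte value, count) for all 256 values: the 'x y' rows a gnuplot 'set style data lines' plot draws."""
    counts = Counter(data)
    return [(v, counts.get(v, 0)) for v in range(256)]

def image_rows(size, width=256):
    """Row count for rawtopgm: the blob must divide evenly by the chosen width (3244288 / 256 = 12673)."""
    if size % width: raise ValueError(f"{size} is not a multiple of {width}; pick another factor of the size")
    return size // width

def carve_wave(data):
    """(offset, length) of embedded RIFF/WAVE files; length comes from the RIFF size field plus its 8-byte header."""
    found, pos = [], data.find(b"RIFF")
    while pos != -1:
        if data[pos + 8:pos + 12] == b"WAVE":
            found.append((pos, struct.unpack_from("<I", data, pos + 4)[0] + 8))
        pos = data.find(b"RIFF", pos + 1)
    return found

def fat_boot_sector_score(data, off):
    """0..4 BIOS-parameter-block sanity checks on a candidate FAT boot sector; a stray 'FATxx' string scores 0."""
    sec = data[off:off + 512]
    if len(sec) < 512: return 0
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    return sum([sec[510:512] == b"\x55\xaa", bps in (512, 1024, 2048, 4096),
                spc in (1, 2, 4, 8, 16, 32, 64, 128), reserved >= 1 and nfats in (1, 2)])

def scan_fat(data):
    """Candidates where 'FAT12'/'FAT16' sits in the BPB type field (sector offset 54), each with its score."""
    out, pos = [], data.find(b"FAT1")
    while pos != -1:
        if pos >= 54:
            out.append((pos - 54, fat_boot_sector_score(data, pos - 54)))
        pos = data.find(b"FAT1", pos + 1)
    return out

def make_sample():
    """Constructed stand-in for a firmware dump (not hp_m30x.hex): a WAV, a bare 'FAT16' string, a real boot sector."""
    pcm = bytes(range(0, 200, 2)) * 4  # 400 bytes of fake 8-bit samples
    wav = (b"RIFF" + struct.pack("<I", 36 + len(pcm)) + b"WAVEfmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
           + b"data" + struct.pack("<I", len(pcm)) + pcm)
    boot = bytearray(512)
    struct.pack_into("<HBHB", boot, 11, 512, 4, 1, 2)  # 512 B/sector, 4 sectors/cluster, 1 reserved, 2 FATs
    boot[54:62], boot[510:512] = b"FAT12   ", b"\x55\xaa"
    return b"\xff" * 1000 + wav + b"\x00" * 500 + b"FAT16   " + b"\x00" * 300 + bytes(boot) + b"\x00" * 308

SAMPLE = make_sample()
```

Against the sample, scan_fat reports the stray string at 1890 with score 0 and the real boot sector at 2252 with score 4, which is the likelihood signal the paragraph above asks for; write the rows from byte_histogram as "value count" lines and the gnuplot commands from the Method section plot them unchanged.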

It is very likely that the architecture of the HP M30x is ARM. The GNU toolchain includes an ARM disassembler and IDA Pro is capable of reversing ARM. It is quite possible that Gumstix or a similar ARM platform* could be used to test some of the functionality of the firmware. Since the firmware is self-contained, it is possible that it could run partially on an ARM system such as the uCdimm (which runs uClinux). However, differences in memory layout and optimizations would probably not allow it to run for long. A full system emulator for ARM would come in handy for reversing this firmware. QEMU has ARM emulation support, but I am unsure whether it is capable of emulating a system similar to the HP M30x.

* OpenWRT comes to mind because it was designed for low memory ARM platforms.

CONCLUSION

I am delighted to be able to spend less than an hour starting the reversal of firmware for a camera I own and have enjoyed using for years. After the success of using CHDK for a friend's project, I feel compelled to hack on whatever I am able to. I hope that this has been informative about the methods and psychology of a hacker. If I end up disassembling the firmware, I'll post an update. If you beat me to disassembling the firmware, send it along and I'll give you credit.

AFTERWORD

The methods here are obviously incomplete, and I do not even attempt to disassemble the machine code into assembly. Most hackers would say that reversing begins with getting a disassembly, but many projects are simple enough to need much less than that. Of course, uploading the firmware may be as simple as a USB mass storage copy or as complex as a full protocol. There is a Windows installer, but I would prefer a Linux toolchain. It is quite unlikely that HP has signed the firmware, because of the limitations of the platform and the lack of interest in hacking a low quality camera in 2004.

I would like to take a minute to address copyright concerns. The HP firmware is copyright HP 2004. I reproduce it in Figure 1 because it is essential to the task of reversing the firmware. Also, reversing firmware is an important part of ownership of a device. The common user of a camera has a few inputs to the camera and the designers of the camera made it as simple as point and shoot, but the designers had to design it based on realistic principles of hardware and software development. Those principles include hacking, reverse engineering, and modification, whether they like it or not. The reason for this is key to the spirit of hacking and the very nature of engineering. Every hacker, programmer, scientist, and engineer knows that to complete even the most trivial of creative tasks, there must be the ability to debug and to understand the concepts upon which their world is able to exist. Robust and powerful systems are necessarily complex and have emergent properties such as crashes, vulnerabilities, and "features" that often boggle the minds of users and hackers alike. Designing a system to be resistant to hacking by adding signatures or obfuscation reduces both robustness and the ability to debug the system, and eventually either causes the downfall of the product or gets hacked for the betterment of the product. Examples are far and wide and I don't need to name companies, because they are all well known and many of them rely on my employer's expertise to improve their software and hardware. Allow me to state plainly: I am unwilling to compromise on this; DRM and hardware locking are unacceptable for any copyright, patent, trademark, or regulatory restriction. The only legitimate purpose for signing and cryptography is as a security measure to ensure that malicious code is not run. I applaud companies like Amazon who embrace non-DRM music, because although they are apt not to get everything right, they are capable of selling me music. There are certain terms that we are capable of living with and there are certain terms that we are willing to live with, and the design of software and hardware requires hacking in order to change the world into one that we want to live in.

If you are interested in a white hat hacking job that is fun and interesting, my employer has many opportunities currently available for hackers, reverse engineers, and especially hardware hackers.

Although I plug my employer, they are not responsible for any of the content on AltSci Concepts (in fact they are not involved with any of it) and I am solely responsible for all the content herein.
