
Petition for Samsung NX1 hack


Hi,

A nice breakthrough in hacking NX500 (and possibly NX1 - could someone try and report back?).

So, TLDR version first: I'm able to run a shell script off the SD card without hacking the firmware (and some other stuff). This is just a very modest start, now we need to do everything else. That said, this is a useful start as we can now play around without bricking cameras.

That was the moderately good news, the moderately bad news is that I'm absolutely swamped by work related stuff next few weeks.

Now for longer version:

First a small "hack": If you want to take a screenshot of your camera screen put a file named save_screen_enable.txt in the SD card root and every time you press EV+OK a file named OSD####.jpg will be saved to SD card root. save_screen_enable.txt will contain the integer of next image id (as bytes, not text).

Another small "hack": If you want to see how all the popups and notices look in all the languages (for any reason) put a file named qa.txt in the root of the SD card. When you power the camera on you will see a popup menu that enables you to access all the popups, etc, in camera (press up and down to change them, left and right to change the language). It's meant for quality assurance staff, but here it is.

If you like scrolling through the popups - that's fine. Even better is that the camera app crashes on popup 188 (of 189, go figure) and produces a lot of detailed logs on the SD card. These logs are named timestamp_{log,a7_log,a9_crash,a9_dlog,a9_dmesg}.info

If you take your sweet time analyzing these logs you will find that NX500 does not boot all that often - it hibernates and then wakes up when you power the camera on - cute - that's how it starts up in one second :)

Also, some RAM information: Total RAM is 512MB, reserved (buffer?) is 380MB. It fits nicely with known buffer limitations. It also means it's very very difficult to extend it to anything larger (maybe by eliminating allshare app or similar but that would give us a frame or two in RAW at best - hardly worth it).

How to run a shell script file:
1. Put file named "info.tg" on the SD card root with contents "nx_cs.adj" and a newline
2. Put file named "nx_cs.adj" (can use something else really) on the SD card root and put "shell script /mnt/mmc/test.sh" and a newline in it
3. Put file named "test.sh" (or whatever you put up there) on SD card root and put whatever bash shell commands you want to in it. Word of caution - it's easy to make a mistake - start small and work carefully
4. Put SD card in camera
5. Camera to AUTO mode (IIRC it works in any mode but whatever, it's in AUTO in the Service Manual)
6. Power on the camera and wait a bit (or a lot, it seems it's quite lazy with closing files and syncing, might do it for it by calling "sync" at the end)
7. Power the camera off (and wait for blinking light to stop blinking if it's blinking)

For example, if you put following in test.sh

st > /mnt/mmc/test

This is what you get on the output:

usage: st [command] [param]
Supported bult-in commands
    help        readl        writel        dump    
    gpio        hdmi        log        lcd    
    cap        pmu        clk        thread    
    key        firmware    util        app    
    leak        devman        stlcd        bat    
    rtc        tbm        micom        misc    
    oic        dvfs        adc    

I put a "ls -laR / > /mnt/mmc/test" and it did list the whole filesystem including /proc /sys /dev etc. And /etc ;) tar also works.

I can see for example that every time process id 247 is given to /usr/apps/com.samsung.di-camera-app/bin/di-camera-app and it runs under root (almost everything does), dfmsd (that's the daemon that interprets commands in nx_cs.adj file that are read and sent by dfmstool - I will have to see what else I can do with it), /usr/apps/com.samsung.ap-setting-app/bin/ap-setting-app running with some access keys or hashed caller PIDs, etc, the works.

Only two modules are loaded (exfat_fs and exfat_core) but I guess we could compile anything we need and enable it in the future (usb audio anybody?).

That's it for now (and some time).

Oh, yeah, the touch screen does not work with info.tg or info.tgw present on the SD card.

Cheers,
Otto
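
Added example, not part of the original post: a host-side check that lists what a card would make the camera run through the info.tg / command-file chain described in the steps above, so a card can be inspected before it goes into a camera. The function names and finding labels are hypothetical, and it assumes one command per line in the command file and /mnt/mmc as the card's mount point, as in the post.

```shell
#!/bin/sh
# Added example (not from the post): list what a card would make dfmsd run.
# Assumption: one command per line in the command file, as in the post.

# audit_card ROOT -> prints findings for the card mounted at ROOT
audit_card() {
    root=$1
    if [ -f "$root/info.tg" ]; then
        # info.tg holds the name of the command file (nx_cs.adj in the post)
        cmdfile=$(head -n 1 "$root/info.tg" | tr -d '\r\n')
        echo "TRIGGER info.tg -> $cmdfile"
        if [ -f "$root/$cmdfile" ]; then
            # "shell script <path>" makes the camera run <path> as root
            sed -n 's/^shell script[[:space:]]\{1,\}//p' "$root/$cmdfile" |
            tr -d '\r' |
            while read -r s; do
                case $s in
                /mnt/mmc/*)   # /mnt/mmc is the card's mount point on the camera
                    if [ -f "$root/${s#/mnt/mmc/}" ]; then
                        echo "RUNS $s"
                    else
                        echo "DANGLING $s"
                    fi ;;
                *)  echo "EXTERNAL $s" ;;   # path outside the card
                esac
            done
        else
            echo "MISSING $cmdfile"
        fi
    fi
    # Other service files the post mentions
    for f in info.tgw qa.txt save_screen_enable.txt; do
        if [ -f "$root/$f" ]; then echo "SERVICEFILE $f"; fi
    done
    return 0
}

# card_is_armed ROOT -> exit status 0 if inserting the card would run a script
card_is_armed() {
    audit_card "$1" | grep -Eq '^(RUNS|EXTERNAL) '
}
```

Call it as `audit_card /path/to/mounted/card`; `card_is_armed` gives a yes/no exit status for use in an import or ingest script.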


OK, an update:

If you want to experiment with your device but don't want to be constantly reinserting the SD card - here's the solution.

First, unfortunately, NX500/NX1 do not use busybox but toybox that does not contain telnetd. However, there is nothing stopping you from extracting it from NX300 open source packages (available at Samsung Open Source repo) and copying it to SD card (and naming it "telnetd") and running it from there. Just remember that you need to give yourself some time to turn the wifi on after powering the camera. Login is "root" and there is no password. So, after the camera boots and telnetd starts, you do

telnet 192.168.1.44
Trying 192.168.1.44...
Connected to 192.168.1.44.
Escape character is '^]'.


************************************************************
*                 SAMSUNG LINUX PLATFORM                   *
************************************************************


drime5 login: root

[root@drime5 ~]# ps aux
USER      PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        1  0.4  0.2   4684  1452 ?        Ss   23:15   0:01 /sbin/init
root        2  0.0  0.0      0     0 ?        S    23:15   0:00 [kthreadd]
root        3  0.0  0.0      0     0 ?        S    23:15   0:00 [ksoftirqd/0]

...

root      363  0.1  0.0      0     0 ?        S    23:15   0:00 [ksdioirqd/mmc1]
root      399  0.0  0.0   4696   380 ?        S<s  23:16   0:00 /mnt/mmc/telnetd
root      402  0.0  0.2   2704  1352 pts/0    S<s  23:16   0:00 -sh
root      469  3.0  0.1   2664   904 pts/0    R<+  23:20   0:00 ps aux

Yippie - we have remote root!

The fun stuff is the command st. It's a Swiss army knife - it contains everything. For example, you want to take a "smart" shot?

st cap capt smart

Work with aperture?

st cap capt iris drive 7.1

Shoot in RAW?

st cap capt quality raw

Help works in most things, just add help (e.g. st cap capt help).

You want to push an OK button?

st key click ok

You can also push/release it in two steps.

How about jog dials?

st key jog jog1_cw or jog1_ccw

You want to touch the screen in exact coordinates?

st key touch push/release/click 400 300

There are so many things available, just explore st app nx capture (for stills) or st app nx record (for video)...

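
Added example, not part of the original posts: triage of a `ps aux` listing like the one above, flagging a process whose executable sits on the SD card mount point, any telnet daemon, and a login shell on a pseudo-terminal. The function names and reason labels are hypothetical; the sample lines are copied from the post except the PID 500 line, which is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage a `ps aux` listing from the camera.

# flag_processes: reads `ps aux` text on stdin,
# prints "REASON USER PID COMMAND" for each suspicious process.
flag_processes() {
    awk '
    $1 == "USER" && $2 == "PID" { next }   # header line
    NF < 11 { next }                       # blank lines and "..." elisions
    {
        cmd = $11
        base = cmd
        sub(/^.*\//, "", base)             # basename of the executable
        reason = ""
        # Executable lives on the SD card mount point used in the post
        if (index(cmd, "/mnt/mmc/") == 1) reason = "FROM_SDCARD"
        # Any telnet daemon, wherever it was started from
        if (base == "telnetd") reason = (reason == "" ? "" : reason "+") "TELNETD"
        # Login shell ("-sh") attached to a pseudo-terminal: a remote session
        if ($7 ~ /^pts\// && cmd ~ /^-/) reason = "PTY_LOGIN_SHELL"
        if (reason != "") print reason, $1, $2, cmd
    }'
}

# Lines copied from the listing in the post, plus one constructed line (PID 500).
sample_ps() {
    cat <<'EOF'
USER      PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        1  0.4  0.2   4684  1452 ?        Ss   23:15   0:01 /sbin/init
root        2  0.0  0.0      0     0 ?        S    23:15   0:00 [kthreadd]
...
root      399  0.0  0.0   4696   380 ?        S<s  23:16   0:00 /mnt/mmc/telnetd
root      402  0.0  0.2   2704  1352 pts/0    S<s  23:16   0:00 -sh
root      469  3.0  0.1   2664   904 pts/0    R<+  23:20   0:00 ps aux
root      500  0.0  0.0   4696   380 ?        Ss   23:21   0:00 /usr/sbin/telnetd
EOF
}
```

Run `sample_ps | flag_processes` to see the three flagged lines, or pipe in a listing saved from the camera.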

240fps is just a value in a table describing parameters, there is no guarantee it can actually work on nx500 (for example, I tried enabling external audio - via USB - but all I'm getting are app crashes).

15 hours ago, Otto K said:

OK, an update:

If you want to experiment with your device but don't want to be constantly reinserting the SD card - here's the solution.

First, unfortunately, NX500/NX1 do not use busybox but toybox that does not contain telnetd. However, there is nothing stopping you from extracting it from NX300 open source packages (available at Samsung Open Source repo) and copying it to SD card (and naming it "telnetd") and running it from there. Just remember that you need to give yourself some time to turn the wifi on after powering the camera. Login is "root" and there is no password. So, after the camera boots and telnetd starts, you do

telnet 192.168.1.44
Trying 192.168.1.44...
Connected to 192.168.1.44.
Escape character is '^]'.


************************************************************
*                 SAMSUNG LINUX PLATFORM                   *
************************************************************


drime5 login: root

[root@drime5 ~]# ps aux
USER      PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        1  0.4  0.2   4684  1452 ?        Ss   23:15   0:01 /sbin/init
root        2  0.0  0.0      0     0 ?        S    23:15   0:00 [kthreadd]
root        3  0.0  0.0      0     0 ?        S    23:15   0:00 [ksoftirqd/0]

...

root      363  0.1  0.0      0     0 ?        S    23:15   0:00 [ksdioirqd/mmc1]
root      399  0.0  0.0   4696   380 ?        S<s  23:16   0:00 /mnt/mmc/telnetd
root      402  0.0  0.2   2704  1352 pts/0    S<s  23:16   0:00 -sh
root      469  3.0  0.1   2664   904 pts/0    R<+  23:20   0:00 ps aux

Yippie - we have remote root!

The fun stuff is the command st. It's a Swiss army knife - it contains everything. For example, you want to take a "smart" shot?

st cap capt smart

Work with aperture?

st cap capt iris drive 7.1

Shoot in RAW?

st cap capt quality raw

Help works in most things, just add help (e.g. st cap capt help).

You want to push an OK button?

st key click ok

You can also push/release it in two steps.

How about jog dials?

st key jog jog1_cw or jog1_ccw

You want to touch the screen in exact coordinates?

st key touch push/release/click 400 300

There are so many things available, just explore st app nx capture (for stills) or st app nx record (for video)...

Very interesting. I would like to test this, could you please upload telnetd since the samsung site takes forever to download?

 

7 hours ago, sandro said:

Very interesting. I would like to test this, could you please upload telnetd since the samsung site takes forever to download?

 

This is a generic busybox binary, it's not samsung specific, just compiled for ARM cpus. It can be a lot of things, like "less" if you name it that.

busybox


Argh! I typed a silly long post and then hit backspace outside of this box and ... poof ... it's gone :(

OK, shorter version:

If you start telnet server as described and connect to camera you can do the following:

killall dfmsd; sleep 2; dfmsd -p &

This will kill original dfms daemon and start a new instance that we can now use by dfmstool command that sends commands to daemon like this:

dfmstool -s "this is a command"

Be careful, as soon as it encounters an invalid command it stops processing all other commands :( so we need to do killall... to restart it (it does not affect the camera state).

The command we want is sys_param movie size 2560_1440_30p. Yup, it's still in the firmware, it has no crop and it supports peaking. Why they removed it from the menu I have no idea. It's labelled as MJPEG on screen but it records HEVC as others and is limited to 29:59.

dfmstool -s "sys_param movie size 2560_1440_30p"

Here's what ffmpeg has to say (I have to find a way to set the quality as well):

Stream #0:1(eng): Video: none (hvc1 / 0x31637668), 2560x1440, 11280 kb/s, 29.97 fps, 29.97 tbr, 120k tbn, 120k tbc

Oh, yeah, remember how there is no 1080p at 120fps in NX500? Think again:

dfmstool -s "sys_param movie size 1920_1080_120p"

And output of ffmpeg:

Stream #0:0(eng): Video: none (hvc1 / 0x31637668), 1920x1080, 38589 kb/s, 119.88 fps, 119.88 tbr, 120k tbn, 120k tbc

If you really want to you can put just the command in the nx_cs.adj file and call it a day (dfmsd will parse it and finish) or put a small script in test.sh that will do it for you (there is no touchscreen available while dfmsd is running). You could have SD cards for special video modes to simplify it.

For NX500 full list of modes is

4096_2160_24p
3840_2160_30p
2560_1440_30p
1920_1080_120p
1920_1080_60p
1920_1080_30p
1920_1080_24p
1920_1080_15p
1280_720_120p
1280_720_60p
1280_720_30p
640_480_60p
640_480_30p

For NX1, full list of modes is (yeah fractional ones too, don't know whether they are just for show or are there really differences between 24 and 23.98 when recorded)

4096_2160_24p
3840_2160_30p
3840_2160_24p
3840_2160_23_98p
1920_1080_120p
1920_1080_60p
1920_1080_30p
1920_1080_24p
1920_1080_23_98p
1920_1080_15p
1280_720_60p
1280_720_30p
640_480_60p
640_480_30p

Well, that's it for now, have fun :)


The NX1 is already a very advanced camera, and, sadly enough, there won't be a successor the hacks can be ported to.

IMHO Pentax is a more worthwhile target. They have a FF sensor for the price of a NX1. They use the same processors Nikon uses, so raw video seems to be a possibility. Add the fact that their higher end cameras feature 2 SD slots, dramatically increasing write speed...? And that they have a very efficient SR system that just needs to be enabled during video? And let's not forget the headphone jack. There's plenty of potential for massive improvements that could turn their cameras into serious tools. Plus they will continue to release cameras based on these processors, so it isn't a dead end. And there are many beautiful primes for the system.

Though I must admit the NX1 looks like it is pretty easy to hack. wow. Now THAT is user friendly :D


Nice work Otto!

Looks like I was missing some major components when I was investigating the camera app. I was focusing on libmmf-camcorder, since di-camera-app definitely passes parameters like bitrate, resolution, time limit, etc. to that library. However after reading your posts on the dfmstool, I took a look at the strings in di-camera-app again, and it definitely includes the dfmsd commands and arguments. I'm rather confused as to how the two interact. I'll take a look at where those strings are used in the binary when I have the time.

Hopefully there will be some way to add the 1440p mode back into the GUI. The simplest way might be to replace one of the existing video modes in the menu with the 1440p mode. To do so someone will have to figure out exactly how the camera app calls dfms and mmf-camcorder in order to figure out the right constants and strings to change. That seems to be beyond me at least for the moment.

Otto K: are you planning on trying to install a modified firmware?


@Syme dfmsd is not needed by camera app, it is used to control the camera remotely (either by scripts or by ptp over usb - have to check this out as well). For direct control from command line one should use st command (it's just it's easier for me to use dfmstool and I can also monitor the output from dfmsd log file).

It seems that all heavy lifting and low level stuff is actually done by libudd5.so that configures all the things I don't see in command lines (like 3dlut and similar). Just have to see how to do it...
