Slashdot Mirror
Ritz Disposable Digital Camera Hacked
morgue-ann writes "The $10.99 Dakota reusable digital camera announced in July was usefully hacked on November 6. First attempts to extract picture data took 10 hours to read out 16MB, but new code for Linux and Mac and Windows lets you get pictures quickly over USB and view or print them without Ritz's help (and with fewer of your $$)."
The last time I checked, $15 for a (film) disposable + $10 processing vs. $11 digital camera + $11 "processing". $25 film vs. $22 digital. I'd still go with the film just because of the better quality of photos. They're going to have to lower the price more or make the quality better before I would use their product.
There is no spoon or sig.
Dakota Digital Camera (Note to self: Make this page so that ordinary users, who double-click on this page, can't edit this page...)
:-)
(please try and keep this document readable at large)
(if it grows further, it needs to be organized into separate pages)
Usably hacked! Download your pictures the fast, easy way with the bulk-transfer software for Mac, Unix and Windows. Download your pictures (actually, entire flash memory contents) the raw, 10-hour way with flashdump.c, flashdump2iso.c, and optionally chewfat.cpp.
This is a very cheap ($12) "disposable" digital camera sold at select Ritz/Wolf Camera stores. Note that this is NOT the same as the one sold at Walgreens. Normally the camera must be returned to the store (negating a big feature of digital cameras), another $12 is paid for processing, and you get prints, an index print, and a CD (they try to call this a "free" cd, but of course its not, don't be fooled, you paid for it). Build quality seems variable - these sample pictures suck these pictures are ok (aside from the content
The camera has a Flash, a delete button, and a 10 second self timer, but no LCD for picture review. It claims a 2 megapixel resolution, but it seems its an up-scale from 1.3 megapixels. The focus is calibrated at the factory, and the lens glued in place with a drop of epoxy. It uses a cheaper CMOS sensor, instead of a CCD sensor, which is what most cameras over $150 use. For comparison, Ritz's sells a $99 two megapixel camera with an LCD.
Camera review/disection: http://frutsel.terrainhost.com/frutselapp/dump/dak ota/index.htm
Nice professional dissection at EE Times by the guys at Portelligent: http://pavleck.com/ritz/www.eetimes.com/
Hardware
there is preliminary evidence that there are two different version of a disposable digital camera. One by Ritz/Wolf Camera, the other by 'Walgreens'
Pinout:
1. : R57, not stuffed
2. : GND (battery neg)
3. : R18-via-r68-r47-left switch inner contact and delete button
4. : r25 not stuffed
5. : r5 (1K ohm) to sunplus pin 33
6. : 5v in (from USB) (red usb wire)
7. : GND
8. : USB data (green wire)
9. : USB data (white wire)
10. : GND (black usb wire)
Pins are marked on the printed circuit board - pin 1 is nearest the shutter release and pin 10 is at the bottom of the camera.
This camera is based on the Sunplus SPCA504B camera chip, in use in many cheap webcams and still d-cams.
8051-compatible microprocessor (code is not using '251 extensions)
In-circuit programming (not sure how to do this if it's ROM)
audio in/out, but not pinned out in 128-pin package
128KB x 8 program memory, SST part number SST39VF010
8MB picture memory (25 pictures), Samsung part number K9F2808UOC-YCBO
8MB (4M x 16) SDRAM, TMTECH part number T436416A
HOLTEK 1621 LCD driver (why they didn't use the smaller package baffles me!)
HCT373 octal latch de-muxes address and data for the SST flash memory.
Hardware connections:
Pin Name I/O Description
30 P1.0 in Shutter button, active low
31 P1.1 in photo flash connector pin 9
32 P1.2 out photo flash connector pin 10 (through D5, anode at pin 32, cathode on connector)
33 P1.3 out J3.5 through R5 (1K)
34 P1.4 out photo flash connector pin 6
35 P1.5 out SST A16
36 P1.6 out photo flash connector pin 5
37 P1.7 in Seems to be Power Button, active low. This is pulled up by R51, and down by the collector of Q2, which is fed through a divider network from the power switch.
38 P3.0 in pulled low by R40 (100K). Goes somewhere, but unknown!
39 P3.1 in Timer button (S2), active low
40 P3.4 in Delete button (S1), active low
104 GPIO15 out Holtek CS*
105 GPIO16 out Holtek WR*
66 ???? ??? Holtek DATA
The HCT373 acts as an address de-multiplexor for the processor. Port0? connects to the SST flash's data lines and to the D inputs of the '373. The '373's Q outputs connect to A0-7. P2 of the processor connects to A8-A15 (
is available here.
If they did use public key encryption (which seems pretty unlikely given who this is) it seems like you would have access to the cameras private key and ritzs public key. Which seems pretty dubiously secure to me if I recall my crypto. And lord knows you can always hack the firmware / hardware to just skip all that crap, since the data is obviously unencrypted and digital at somepoint.
I send my pictures to Walmart.com - they're 26 cents each. They print them on real photo paper, and they always look better than what I can do on my high-end inkjet printer.
It usually takes about 3 days to get them back.
I just sent 70 pictures there a few weeks ago, cost me less than $20.
Also, doing it this way you get to decide which pictures to print- so I ended up with 70 'good ones'.
No reason to lie.
Vary the keys. Give each camera a serial number when it is manufactured and after each processing, store the private key in a massive database (storage isn't that expensive, and I doubt this would be *that* widespread), then load that up when it's sent back in. When a camera is sent in for processing, read its key then deactivate the key so it can never be read again.
Okay, there's a problem if someone gets their hands on the database, but that would be much harder to do. And remember, this is what a college sophmore thought up in the ten minutes it took to read though the other replies.
Yes, clearly you don't. With public key encryption only the public key need be in the camera, the private key would be in the processing centers. If encryption was used, then you could extract the encrypted photos... but cracking the public key would be much much harder.
They *should* have used PKI. It is well known and easy to deploy.
The DMCA is vague on that point. It says that it is illegal to circumvent the technological measures used to protect a copyrighted work. It seems to be assumed that you do not own the copyright to the work in question, but this isn't explicitly stated from what I remember.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
DVD players have Macrovision signal generators, but they only add the signal if a flag is set on the DVD.
DVD producers are only allowed to set that flag on the DVDs they produce if they have paid a fee to Macrovision.
Any DVD you produce at home, will not have the flag set and will not have Macrovision added to the output signal when played on a DVD player.
With VCRs, the Macrovision signal is on the tape itself, it is not generated by the VCR.
- The camera itself is shit. Take a look at these stunning examples of just how terrible the image quality is. It uses a CMOS sensor (not a CCD) and a hella-cheap fixed-at-infinity plastic lens.
- It's a 1.3 megapixel sensor scaling up to 2 megapixels, as though the image weren't bad enough already.
- The busniess model is not necessarily fundamentally broken just because a bunch of unwashed
/. hackers buy these $10 cameras and never return them. Most dickhead consumers are lemmings, and they do what they're supposed to do. If those consumers wish their single-use cameras were digital so they could share their photos with their Internet pals, which is ostensibly one of the reasons to make this camera in the first place, then I expect that people will do just that if the price is right. That's the factor that could kill this product, not a bunch of freakish /.ers cutting up USB cables.
_______________________Sigs are insignificant.
Validation in public key crypto is a little different than what you are thinking.
There is ever only one key involved on each end, and they both have to be part of the same pair. In encryption you encrypt with the recipient's public key and they decrypt with their private key(*)
In validation (or digital signature) you take a hash of the message (usually SHA1) and encrypt that with your private key. Thus the only key capable of decrypting it is your public key (which everyone has). Remember with key-pairs what you do with one you can only undo with the other.
Anyway, the recipient creates their own hash of the message, decrypts your "signature" (which is an encrypted hash) and if the two match up, then they know it was signed by you and that it was not tampered with.
(*) Actually, public key crypto is painfully slow. What REALLY happens is a random symmetric key is chosen to encrypt the message, then the public key is used to encrypt the symmetric key. Decryption is the reverse, you decrypt the symmetric key with your private key, then use it to decrypt the message. This actually ends up being a lot faster than doing the whole thing with public key crypto. I left this out above to make it a little simpler.
Finkployd
Found this on a messageboard... Camera autopsy / dissection
I had a sucky sig.
Actually, some of these points are not in the articles, and (not surprisingly) seem to be causing some confusion based on some of the comments I have seen above.
1) The cameras are purchased, just like any ordinary (non-digital) disposable camera. There is no rental agreement, nothing to sign, no deposit, etc. Some previous comments have asked about this. Also, the camera IS cheap; the hardware itself costs probably no more than $25-50 to manufacture, and likely pay for themselves in 1 or 2 processings. The big draw is that you can use them in potentially hazardous environments, and if it gets destroyed or stolen, this only sets you back $11 + a few minutes to solder a new connector into a new camera.
2) The batteries are changeable by the user - they are ordinary AA alkalines. They will last much longer than 1 25-picture cycle (I haven't yet managed to exhaust a set), but when they do run down, just open the battery cover and pop in fresh ones.
3) The sensor is actually 1.3 megapixels, not 2MP as claimed on the package.
4) The picture quality is mediocre - but not nearly as bad as these samples would have you believe (I don't know what happened to that guy's cam). Try the samples here and here (middle of page) for other samples. The biggest problem seems to be motion blurs from not holding the camera steady enough (the "shutter speed" is pretty slow). The other problem is that the lens is adjusted to be in-focus at some specific point probably between 4-12 feet from the camera. In practice, your subject will usually not be exactly at the in-focus distance. While you've got the camera open to solder in a little USB socket (or whatever), you can rotate the lens to adjust it for other distances, up to within an inch of the lens.
5) Concerns that this hack will be singlehandedly responsible for driving the cameras off the market, driving Ritz out of business, etc., seem largely unfounded. They will probably go off the market anyway - last time I was in Wolf Camera, the sales associates were actually warning people away from these cameras, saying that they would get slightly better image quality from the film disposables (for less $$, and 27 vs. 25 pictures - it's a no-brainer, come to think of it...)
Caveat Emptor is not a business model.
2 AA's - you change them by (surprisingly enough) opening the battery cover on the bottom and letting them fall out, then popping 2 fresh ones in their place. In practice though, you can take a lot of pictures on 1 set of batteries (especially since this cam lacks power-hungry CCD image sensors, backlit color LCD screens, etc.)
Caveat Emptor is not a business model.
Actually, this one is better than the logitech because the Pocket Digital don't have a flash. I have one of these and the pictures SUCK. I used it for 10 minutes.
Huh? No need to open the case at all - for reading out pics I used the connector from an old Palm III dock and it works nicely. The batteries are standard AAs, exchangeable by a normal battery hatch - no need to unscrew anything.