Hacking the Hannah Montana Photocube – Almost!

Written on February 10, 2009 – 6:11 am | by bluehash |

hannah_montana_photocubeThings with LCDs are very interesting. I found a Hannah Montana Digital Photocube on sale and decided to look what’s inside it. Good for a day of hacking :)

First a description:

  • Storage capacity: 8 M bit (Up to 70 photos) Resolution: 128×128 dpi
  • Display: 1.5-inch color LCD
  • Supported File Format: JPG (JPEG),BMP, GIF, PNG, & TIF
  • Power: 2 xAAA batteries (not included)
  • USB Ports: Mini-USB 1.1 interface

Searching around the net produced a lot of work done by Sprite. He and a couple of guys maintain a wiki containg information about hacked lcd keychains. Most of the keychains that have been hacked contain a ST2205U Microcontroller. With this information I proceeded ripping apart my photocube. This was what was inside:

hack_photo_cube_a29l800_flash_chiphack_photo_cube_pcb_2hack_photo_cube_pcbhack_photo_frame_lcdhack_open_photo_cube

A 1Mb A29L800( datasheet ) flash chip and a micrcontroller hidden behind a big black blob along with the LCD, buttons, USB port and an on-off switch. With some reading on Sprite’s blog and modifyng his script a little, I was able to verify that the microcontroller was indeed a ST2205U. If you browse through main.c, a function is_photoframe checks if the controller is a ST2205U. So I inserted a printf(“Response : %s\n”,buff) to verify if the chip gave back the correct string, which it did.

/*
Checks if the device is a photo frame by reading the first 512 bytes and
comparing against the known string that's there
*/
int is_photoframe(int f) {
int y,res;
char id[]="SITRONIX CORP.";
char *buff;
buff=malloc_aligned(0x200);
lseek(f,0x0,SEEK_SET);
y=read(f,buff,0x200);
buff[15]=0;
printf("Response : %s\n",buff);
// fprintf(stderr,"ID=%s\n",buff);
res=strcmp(buff,id)==0?1:0;
free_aligned(buff,0x200);
return res;
}

I’ll try documenting my steps going further. It’s in Linux( RedHat ) since I work on it, and you could do the same using a linux live cd.

1. Unpack Sprite’s hack from here. You will need to install libgd if you don’t have it. As root install gd-devel. Please read the README file in the unpacked directory. It’s written for a reason.

yum install gd-devel

2. Then as a user type “make” in the unpacked directory. This will compile the hack to give you the “phack” binary.
make_hackfw

3. Now connect the photocube and turn it on. You will see “USB Connect” displayed on the screen. Open a terminal on your linux machine and type

dmesg | tail

This will give you any hardware information that occurred last. You will see the following:
dmesg_hannah_montana_photocube

If you see something like:

4096 512-byte hdwr sectors (2 MB)

then your close. Also note where your cube is mounted so you can access it. If you look at the pic above it says “Attached scsi removable disk sdg”, which means that the cube is mounted at /dev/sdg

4. Now to hack the firmware.
WARNING : Anything you do after this is at your own risk.

Type the following as root in your terminal, using the mount point which you got from step 3.

./hackfw.sh /dev/sdg

You will see the following as checks are made and eventually an error:
hack_st2205tool_error

Sprite’s script makes a backup of the firmware and an image of the memory. It however says that “The hack won’t work for my Firmware.” When I looked into the script, it looks if my cube’s firmware is same as Sprite’s when he hacked his keychain, which is an entirely different product.

dd if=fwimage.bin bs=256 skip=58 count=2 of=fwbit 2>/dev/null
#check for all FFs Md5sum may not be _the_ tool for that, but it works OK.
if ! md5sum fwbit | grep -q de03fe65a6765caa8c91343acc62cffc; then
echo "No room at the location we want to place the hack!"
echo "This specific hack won't work for this particular firmware, I'm sorry."
exit 1;
fi

I did not have anything to loose, so I commented it out to bypass the check. Just put a “#” to comment out code.

5. I ran the script again (run as root), this time it went through the whole flashing process, till I rebooted

hack_st2205tool_success

6. The script ends with “No Photoframe found here”. Turn off, Disconnect, Turn On and the Connect the photoframe. Get the mount point as in step 3. Type the following as root.
hack_st2205tool_hi_lcd

You should see the following on the LCD
hack_photo_cube_lcd_debug

The script allows a maximum of 10 characters. Another example
hack_photo_cube_lcd_debug_2


I was however unsuccessful in getting PNGs or JPEGs uploaded to the device. That’s when I bricked my cube trying different memory addresses. It doesn’t even turn on now. I’ll update when I get my hands on another one. If you have any questions or comments, you could enter them below. Thanks for reading and don’t forget to Subscribe for more followups and hacks.

Related Posts

10 Responses to “Hacking the Hannah Montana Photocube – Almost!”

  1. AT says:

    Hack went ok.
    I can write on device by phack
    I cannot however display/upload pictures (setpic).
    I execute the command as root but I get the following error: Unable to get parm_block – Open failed!

    Please help!
    Thanks

  2. lambda says:

    I believe this is a vu-me device. They also have the “normal” office version, which is an identical case except with different colour/appearance–brown, black, etc.

    There is also a christmas ornament version. Who cares, right? Well Black’s here in Canada is selling the christmas ball units for $4.99; it is June after all. Thought I’d mention it in case anyone else wants to play with one.

  3. bluehash says:

    @AT, I was stuck there too. Sorry about that. I tried banging the devices at different addresses, but eventually bricked the device.

    @lamda, Yes this is a vu-me device. Good to know that they are back at that price. I’ll try to get a hold of some.

  4. lambda says:

    Ok, correction: the units are $2.99. Not bad, even if you only want the lcd. No battery though.

  5. lambda says:

    Hmm, I am not sure about what the phack -d option does. It dumps the memory, (2M of it) but what memory, picture memory?

    I am wondering if this thing can be used without the “hack”. I am already trying to switch power on my usb devices with a pcf8574 io expander hooked up to my laptops i2c bus. Disconnect the usb to the vu-me, and it appears to drop back to photo display mode. So I could reconnect to write the photo, it would just show the connection prompt messages on the screen while the image changed.

    2M is 2 * 1000 * 1000, so 2M / ((128^2) * 70 photos) is ~ 13.9 bits per pixel. I think this link means the display can do 444 or 12 bits per pixel: http://www.sitronix.com.tw/sitronix/product.nsf/Doc/ST7637?OpenDocument

    So that would leave a little over 1000 bytes to give the images some packing room (magic strings, whatever).

  6. bluehash says:

    the -d option is used to make a copy of the original firmware on the VU-ME to the PC. Look at line 21 of hackfw.sh script. You can write to the lcd without the hack, but not transfer images.

    I’ll look into your other comment once I get hold of one.

  7. mod2HTPC says:

    Does anyone know, how to hack a DPF with cheertek CT952A chipset to use it via USB as a secound display? Pls mail me :)

  8. Sri says:

    Nice blog Shetty.
    You are from Mangalore right..
    In Mangalore where is your actual place..?
    Me staying in Mangalore..
    EC student and robotic hobbyist…

  9. chai2332 says:

    Hi,mod2HTPC, have u got the hacking firmware for the CT952a ? i’m having the same 7″ model too, appreciate that u can sent me the link via chai2332@ hotmail.com . Thanks

Me

Welcome to my place on the web. I note down anything interesting most of them relating to my experiences, Tech, To-dos, How-tos and various hacks. Most of my time is spent in tinkering around with hardware, building robots and working with DSPs.More

Want to subscribe?

 Subscribe in a reader Or, subscribe via Email

Add to Technorati Favorites
Find entries :