Hacking the Hannah Montana Photocube – Almost!
Tuesday, February 10th, 2009
Things with LCDs are very interesting. I found a Hannah Montana Digital Photocube on sale and decided to look at what’s inside it. Good for a day of hacking :)
First a description:
- Storage capacity: 8 Mbit (up to 70 photos)
- Resolution: 128×128 dpi
- Display: 1.5-inch color LCD
- Supported file formats: JPG (JPEG), BMP, GIF, PNG and TIF
- Power: 2 x AAA batteries (not included)
- USB ports: Mini-USB 1.1 interface
Searching around the net turned up a lot of work done by Sprite. He and a couple of guys maintain a wiki containing information about hacked LCD keychains. Most of the keychains that have been hacked contain an ST2205U microcontroller. With this information I proceeded to rip apart my photocube. This is what was inside:
A 1Mb A29L800 (datasheet) flash chip and a microcontroller hidden behind a big black blob, along with the LCD, buttons, USB port and an on-off switch. After some reading on Sprite’s blog and modifying his script a little, I was able to verify that the microcontroller was indeed an ST2205U. If you browse through main.c, the function is_photoframe checks whether the controller is an ST2205U. So I inserted a printf("Response : %s\n",buff) to verify that the chip gave back the correct string, which it did.
/*
Checks if the device is a photo frame by reading the first 512 bytes and
comparing against the known string that's there
*/
int is_photoframe(int f) {
    int y,res;
    char id[]="SITRONIX CORP.";
    char *buff;
    buff=malloc_aligned(0x200);
    lseek(f,0x0,SEEK_SET);
    y=read(f,buff,0x200);
    buff[15]=0;
    printf("Response : %s\n",buff);
    // fprintf(stderr,"ID=%s\n",buff);
    res=strcmp(buff,id)==0?1:0;
    free_aligned(buff,0x200);
    return res;
}
I’ll try to document my steps from here on. Everything is done on Linux (RedHat) since that is what I work on, and you could do the same using a Linux live CD.
1. Unpack Sprite’s hack from here. You will need to install libgd if you don’t have it. As root, install gd-devel. Please read the README file in the unpacked directory. It’s written for a reason.
yum install gd-devel
2. Then, as a normal user, type “make” in the unpacked directory. This will compile the hack and give you the “phack” binary.

3. Now connect the photocube and turn it on. You will see “USB Connect” displayed on the screen. Open a terminal on your Linux machine and type
dmesg | tail
This shows the most recent kernel messages, including the hardware events for the device you just plugged in. You will see the following:

If you see something like:
4096 512-byte hdwr sectors (2 MB)
then you’re close. Also note which device node your cube was given so you can access it. If you look at the pic above it says “Attached scsi removable disk sdg”, which means that the cube is available as /dev/sdg
4. Now to hack the firmware.
WARNING : Anything you do after this is at your own risk.
Type the following as root in your terminal, using the device node which you got from step 3.
./hackfw.sh /dev/sdg
You will see the following as checks are made and eventually an error:

Sprite’s script makes a backup of the firmware and an image of the memory. It then says, however, that the hack won’t work for my firmware. When I looked into the script, I found that it checks whether my cube’s firmware is the same as Sprite’s was when he hacked his keychain, which is an entirely different product.
dd if=fwimage.bin bs=256 skip=58 count=2 of=fwbit 2>/dev/null
# Check for all FFs. Md5sum may not be _the_ tool for that, but it works OK.
if ! md5sum fwbit | grep -q de03fe65a6765caa8c91343acc62cffc; then
    echo "No room at the location we want to place the hack!"
    echo "This specific hack won't work for this particular firmware, I'm sorry."
    exit 1;
fi
I did not have anything to lose, so I commented it out to bypass the check. Just put a “#” at the start of each line to comment out the code.
5. I ran the script again (as root). This time it went through the whole flashing process, until I rebooted.
6. The script ends with “No Photoframe found here”. Turn off, disconnect, turn on and then connect the photoframe. Get the device node as in step 3. Type the following as root.

You should see the following on the LCD

The script allows a maximum of 10 characters. Another example

I was however unsuccessful in getting PNGs or JPEGs uploaded to the device. That’s when I bricked my cube trying different memory addresses. It doesn’t even turn on now. I’ll update when I get my hands on another one. If you have any questions or comments, you could enter them below. Thanks for reading and don’t forget to Subscribe for more followups and hacks.
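The free-space check from step 4, written as a direct byte test instead of an md5 comparison. This is an added example, not part of Sprite's script or the original post; the function names are made up here, and only the region (bs=256 skip=58 count=2, i.e. 512 bytes at offset 14848) comes from the script excerpt above.

```sh
#!/bin/sh
# Added example: test whether the patch region of a firmware image is
# erased flash (all 0xFF) before anything is written over it.

# Same region hackfw.sh extracts with: dd bs=256 skip=58 count=2
HACK_OFFSET=$((58 * 256))
HACK_LENGTH=$((2 * 256))

# region_is_erased FILE OFFSET LENGTH
# Returns 0 if every byte in the region is 0xFF, 1 if any byte holds data,
# 2 if the region cannot be read in full (missing or truncated image).
region_is_erased() {
    file=$1 offset=$2 length=$3
    [ -r "$file" ] || return 2
    got=$(dd if="$file" bs=1 skip="$offset" count="$length" 2>/dev/null \
        | wc -c | tr -d ' ')
    [ "$got" -eq "$length" ] || return 2
    # Delete every 0xFF byte; whatever is left over is real data.
    left=$(dd if="$file" bs=1 skip="$offset" count="$length" 2>/dev/null \
        | LC_ALL=C tr -d '\377' | wc -c | tr -d ' ')
    [ "$left" -eq 0 ]
}

# check_hack_room FILE
# Reports on the region the script wants to patch, using the backup image.
check_hack_room() {
    rc=0
    region_is_erased "$1" "$HACK_OFFSET" "$HACK_LENGTH" || rc=$?
    case $rc in
        0) echo "free: region is erased flash" ;;
        1) echo "in use: patching here would overwrite existing firmware" ;;
        *) echo "unreadable: image is missing or too short" ;;
    esac
    return "$rc"
}

# make_image FILE FILL_OCTAL SIZE
# Builds a constructed sample image filled with one byte value, for trying
# the check without touching a real device.
make_image() {
    dd if=/dev/zero bs=1 count="$3" 2>/dev/null \
        | LC_ALL=C tr '\000' "\\$2" > "$1"
}

# Usage: check_hack_room fwimage.bin
```

A result of 1 on the backup image means the region already holds code or data on that firmware, which is the situation the original check refuses to continue in.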






