Autoliv NV3 unlock

mzg2000:
Got the flash ROM from the NV3, then ran python cpu_rec.py nv3.bin, and it reports:
nv3.bin           full(0x800000) None           chunk(0xbc800;377)  6502

Why 6502? I guess that should be NIOS or NIOS2.
Then what is the next step?

boywai:
I know someone who made his password public.

tmbinc:
a.) The password can be found on this forum. In fact, it can be found in this very thread if you look carefully and connect the dots.

b.) The (what I assume is) NIOS code is encrypted in flash. It can likely be dumped via the debug commands, but as mentioned, I accidentally hit an "erase flash" command so I'm unwilling to retry this at the moment. If you do - back up your SPI flash before.
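
Following up on the cpu_rec result and the encrypted-flash remark above, an added example (not part of any post in this thread): a windowed entropy scan that marks which regions of a dump look encrypted or compressed, where a CPU-architecture guess carries little weight. The 4096-byte window, the 7.9 bits/byte threshold and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096      # assumed scan block size
THRESHOLD = 7.9    # assumed cut-off in bits/byte; uniformly random data approaches 8.0


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD):
    """Return merged (start, end) offsets of windows at or above the threshold."""
    regions = []
    for off in range(0, len(data), window):
        block = data[off:off + window]
        if len(block) < window // 2:   # tail too short to measure reliably
            continue
        if shannon_entropy(block) >= threshold:
            end = off + len(block)
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the adjacent region
            else:
                regions.append((off, end))
    return regions


def constructed_sample() -> bytes:
    """Constructed stand-in for a dump: erased flash, repetitive data, random-looking data."""
    erased = b"\xff" * (2 * WINDOW)
    repetitive = bytes(range(64)) * (2 * WINDOW // 64)
    # SHA-256 over a counter gives deterministic, uniformly distributed bytes
    random_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                           for i in range(3 * WINDOW // 32))
    return erased + repetitive + random_like + erased


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for start, end in high_entropy_regions(data):
        print(f"0x{start:06x}-0x{end:06x} high entropy (encrypted or compressed?)")
```

Run it with a dump file as the only argument; without one it scans the constructed sample.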

BertoldVdb:
Interesting, note that the serial protocol you have identified is the same one as used in (amongst others) the FLIR Tau2. Maybe other Tau2 commands work as-is, after unlock? Command 0xD4 would be erase flash. Also 0x65 matches 'return serial number'.

tmbinc:

--- Quote from: BertoldVdb on September 02, 2023, 03:30:49 pm ---Interesting, note that the serial protocol you have identified is the same one as used in (amongst others) the FLIR Tau2. Maybe other Tau2 commands work as-is, after unlock? Command 0xD4 would be erase flash. Also 0x65 matches 'return serial number'.

--- End quote ---
Oooh, what a nice find!

This was the list of commands that I found to exist, annotated with what they are from the Tau 2 IDD:


00 0001 // NO_OP
02 // CAMERA_RESET
05 // GET_REVISION, returns 0e0b002f0a02005e
0a // GAIN_MODE
0b // FEC_MODE_SELECT
0c 0001 // DO_FCC
11 // VIDEO_ORIENTATION
12 // DIGITAL_OUTPUT_MODE
1e // LENS_NUMBER
20 fffc // READ_SENSOR
25 // TEST_PATTERN
29 // ??
2e fffe // ?? returns fffe
3c // FFC_WARN_TIME
3d 0001 // ??
41 // ?? returns deaddeaddeaddeaddead
42 // (we know it's GET_SEED)
60 // ?? 53439333234303136430000000000000000000000000000000000000000000000
65 // SERIAL_NUMBER
66 // CAMERA_PART, returns 3439333234303136430000000000000000000000000000000000000000000000
74 // ??
79 0001 // SHUTTER_POSITION
82 // TRANSFER_FRAME
85 // ??
87 // ??
a8 // ??
b1 // CORRECTION_MASK
b2 // ??
c0 // ??
c3 // ??
c4 // MEMORY_STATUS
d2 // READ_MEMORY
d3 // ??
d4 // ERASE_MEMORY_BLOCK (oops)
d5 01fe000000010000 // GET_NV_MEMORY_SIZE


This now makes me think about the NV2 again. Any idea which "off-the-shelf" camera that resembles? I vaguely remember the NV2 also having a serial protocol that I never used (because I used CAN).
