Products > Thermal Imaging
Autoliv NV3 unlock
mzg2000:
Got the flash ROM from the nv3, then using python cpu_rec.py nv3.bin, it tells that:
nv3.bin full(0x800000) None chunk(0xbc800;377) 6502
why 6502, i guess that should be nios or nios2.
then what is the next step?
boywai:
I know someone who made his password public
tmbinc:
a.) The password can be found on this forum. In fact, it can be found in this very thread if you look carefully and connect the dots.
b.) The (what I assume is) NIOS code is encrypted in flash. It can likely be dumped via the debug commands, but as mentioned, I accidentally hit a "erase flash" command so I'm unwilling to retry this at the moment. If you do - backup your SPI flash before.
BertoldVdb:
Interesting, note that the serial protocol you have identified is the same one as used in (amongst others) the FLIR Tau2. Maybe other Tau2 commands work as-is, after unlock? Command 0xD4 would be erase flash. Also 0x65 matches 'return serial number'.
tmbinc:
--- Quote from: BertoldVdb on September 02, 2023, 03:30:49 pm ---Interesting, note that the serial protocol you have identified is the same one as used in (amongst others) the FLIR Tau2. Maybe other Tau2 commands work as-is, after unlock? Command 0xD4 would be erase flash. Also 0x65 matches 'return serial number'.
--- End quote ---
Oooh, what a nice find!
This was the list of commands that I found to exist, annotated with what they are from the Tau 2 IDD:
00 0001 // NO_OP
02 // CAMERA_RESET
05 // GET_REVISION, returns 0e0b002f0a02005e
0a // GAIN_MODE
0b // FEC_MODE_SELECT
0c 0001 // DO_FCC
11 // VIDEO_ORIENTATION
12 // DIGITAL_OUTPUT_MODE
1e // LENS_NUMBER
20 fffc // READ_SENSOR
25 // TEST_PATTERN
29 // ??
2e fffe // ?? returns fffe
3c // FFC_WARN_TIME
3d 0001 // ??
41 // ?? returns deaddeaddeaddeaddead
42 // (we know it's GET_SEED)
60 // ?? 53439333234303136430000000000000000000000000000000000000000000000
65 // SERIAL_NUMBER
66 // CAMERA_PART, returns 3439333234303136430000000000000000000000000000000000000000000000
74 // ??
79 0001 // SHUTTER_POSITION
82 // TRANSFER_FRAME
85 // ??
87 // ??
a8 // ??
b1 // CORRECTION_MASK
b2 // ??
c0 // ??
c3 // ??
c4 // MEMORY_STATUS
d2 // READ_MEMORY
d3 // ??
d4 // ERASE_MEMORY_BLOCK (oops)
d5 01fe000000010000 // GET_NV_MEMORY_SIZE
This now makes me think about the NV2 again. Any idea which "off-the-shelf" camera that resembles? I vaguely remember the NV2 also having a serial protocol that I never used (because I used CAN).
Navigation
[0] Message Index
[*] Previous page
Go to full version