The Deliverator – Wannabee

So open minded, my thoughts fell out…

CVS Video Cameras – Software Unlockable Once Again!

Posted by Deliverator on July 24th, 2006

I have written about the $30 “One Time Use” video cameras sold by the CVS chain of drugstores on a number of occasions. I’ve had a lot of fun with my two CVS video cameras, using them in all sorts of situations where one wouldn’t want to risk a $400 camcorder, such as strapping them to the front of a hundred and twenty pound robot. I’ve been wanting to pick up maybe a dozen of these cameras to hand out to TRC members, so they can easily document their robotics experience throughout the year. The problem has been that recent versions of the video cameras have not been as easy to unlock (to download the videos) as early versions. The earliest versions (v3.40) could be unlocked with a simple software application, while the later versions (3.62, 3.70+) required a hardware attack that could sometimes fail and turn one’s camera into a nice plastic brick. Still later versions of the player (model 220 series) have been utterly impossible to unlock through any reasonable means. All that has suddenly changed…

I saw on Hack a Day that some member of the CameraHacking forum discovered that Pure Digital Technologies, makers of many of the “One Time Use” cameras sold in the US, had a public ftp server. Many businesses maintain ftp servers to offer clients an easy way to download files. The ftp server was configured to allow anonymous (non-passworded) access to anyone that wanted to connect. Apparently, at no time in the connection process was there any notice that the server was for private use only, or that the software downloadable from the server was licensed under a specific agreement/license, etc. One of the files on the server contained a sample application, complete with sourcecode for doing some rather uninteresting thing with one of the company’s line of digital still cameras. The interesting bit it that the sample application has to unlock the camera to do whatever uninteresting thing it does. The member found some code relating to the challenge/response system for unlocking the camera. He took this code and described the challenge respones algorithm to a 3rd party (who has never seen the original code), obeying strict “clean” reverse engineering principles. It is important to note that no laws were broken in the creation of this tool The result is a program called CronusKey, which can be used to calculate the response to a camera’s challenge. It is important to note that no laws were broken in the creation of this program, and that using this or other tools like Ops on your camera is not a violation either.

The CronusKey application works with many of the still cameras made by Pure Digital and it has been discovered that it works with many of the CVS Video Cameras as well. Already, the proper responses for all cameras whose challenge begins with a “04” have been found. An effort is underway to crack the remaining cameras, whose challenges begin with “03.” From what I can tell, about half of the keyspace has been exhausted and at the current rate, the correct response should be found in a few days at most. If you can’t wait that long, you can help out by grabbing the distributed key finding application and processing an untested range in the keyspace. Within a few days, it should be easy for a casual home user to download video off their camera without needing to pay CVS an additional fee for “processing.” As a friend of mine is fond of saying “It is not my job to support your broken business model.”