Reverse Engineering

A while ago, while fixing FFmpeg bugs in Coverity, there was some kind of "nominate a bug, win a prize" thing. I never nominated one, but this was when I learned about the existence of Tile, which would have been the prize one could win: a BLE device that can be attached to something valuable and can then be searched for and found with a recent Android or iPhone, or the other way around, using the device to find your phone.
This seemed potentially useful to me; though I personally have never lost my keys or phone for more than a few seconds, I know someone who does have that problem. So I thought, buy a Tile or 2, they might come in handy for something, but then I saw the price and the non-replaceable, non-rechargeable battery and thought ok, didn't expect someone would be that lame. I guess one should not expect any company not to attempt to rip its customers off to the maximum extent possible.

Luckily there are many similar devices, so the goal was to find the cheapest one that works and is not just tied to a ridiculous business model. So I bought some of the cheapest I could find (they of course all have user-replaceable batteries …)
The first is something that identifies itself as

ITAG

[Photos: IMG_0383, IMG_0384]
The above one is one example of these; they come in many different shapes and cost less than 5$ with free shipping. The first I got had a different shape and came with a dead battery, and also ate a new battery within a day. The second I got is the one pictured above, which worked more or less.
When off, a long press on its large surface switches it on with 2 beeps.
When on or connected, a long press switches it off with a long beep (this renders it useless, as it's easy to press by mistake).
When on but not connected, its LED also continuously blinks, draining the battery but making finding easier. It also at least once hung and required the battery to be disconnected for a moment to function again.
On the BT protocol side, setting Immediate Alert to 2 results in 30 beeps and LED blinks; setting Link Loss to 0 or 2 has no effect, the device always beeps on unintentional connection losses as far as I could figure out. Pressing the button results in a notify with value 0x01 on 0000ffe0-0000-1000-8000-00805f9b34fb / 0000ffe1-0000-1000-8000-00805f9b34fb.
To make the iTag only blink and not beep on Immediate Alert, 0000fff0-0000-1000-8000-00805f9b34fb/0000fff1-0000-1000-8000-00805f9b34fb can be set to 0x00; this is remembered over disconnects but not over switching the tag off. All other values seem to cause blinking and beeping.
To identify it, the Device Information values may be helpful:

  • 0x2A29 (Manufacturer Name): CEVA
  • 0x2A24 (Model Number): BT 4.0
  • 0x2A25 (Serial Number): 12x07x2012
  • 0x2A27 (Hardware Revision): SM-1
  • 0x2A50 (PnP ID): Bluetooth SIG Company: Ceva, Inc. (formerly Parthus Technologies, Inc.)
    Product Id: 13330
    Product Version: 26369

Smart Finder

[Photos: IMG_0380, IMG_0386]
The above is another sub-5$ tag, which appears identical (minus the logos) to tags on Amazon from chirotronix and ikee.
The official software for Android (“small lovely”) has a rather long list of unneeded permissions, like the one for the previous tag (“iTracing”), but for this one there's also no unofficial software I could find for Android which supports these tags, which is why I reverse engineered the protocol.
When off, a long press switches it on with a long beep; to switch it off again, 5 rapid short presses are needed (resulting in 3 beeps).
When on, pressing the button results in 2 beeps; this also causes the “#255 Manufacturer Specific Data” to change from 0x58,0x48,0x52 to 0x58,0x48,0xFF for a few seconds, apparently to identify which of potentially several devices one wants to connect to. Switching the device off also seems not to be possible while it is connected. On connect and disconnect its LED flashes once.
Protocol-wise, neither “Link Loss” nor “Immediate Alert” has any effect that I could identify. To make the device beep and blink, a command must be written to 0000fff0-0000-1000-8000-00805f9b34fb / 0000fff1-0000-1000-8000-00805f9b34fb. A single 0xAA results in some short beeps and blinking. It's also possible to write a 5 byte command 0xAA 0x03 count duration1 duration2. The count is the number of beeps, the 2 durations are the beep and non-beep durations in milliseconds; I don't know what the 0x03 does or if there are other interesting commands.
To detect button presses, the device can send notifies on 0000fff0-0000-1000-8000-00805f9b34fb / 0000fff1-0000-1000-8000-00805f9b34fb with a 3 byte value. It is either (0x01 xx 0x00), where xx = number of short button presses, or (0x02 0x00 xx), where xx = number of seconds the button is held.
To identify it, the Device Information values may be helpful:
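The Smart Finder command and notification layouts described above, as an added Python example (my own helper code, not the tag vendor's or the apps'). It only builds and parses the bytes; the GATT write to the fff1 characteristic and the notify subscription are left to whatever BLE library you use.

```python
# Smart Finder GATT helpers (added example). UUIDs, command layout and
# notification layout are the ones observed in the text above.
SERVICE_UUID = "0000fff0-0000-1000-8000-00805f9b34fb"
CHAR_UUID = "0000fff1-0000-1000-8000-00805f9b34fb"
SIMPLE_BEEP = bytes([0xAA])                    # one byte: a few short beeps and blinks
IDLE_MFR_DATA = bytes([0x58, 0x48, 0x52])      # "#255 Manufacturer Specific Data" normally
PRESSED_MFR_DATA = bytes([0x58, 0x48, 0xFF])   # same, for a few seconds after a press


def beep_command(count: int, beep_ms: int, pause_ms: int) -> bytes:
    """Build the 5 byte command 0xAA 0x03 count duration1 duration2.
    count = number of beeps, durations = beep / silence length in ms.
    Every field is one byte, so 255 ms is the longest duration that fits."""
    for name, v in (("count", count), ("beep_ms", beep_ms), ("pause_ms", pause_ms)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{name}={v} does not fit in one byte")
    return bytes([0xAA, 0x03, count, beep_ms, pause_ms])


def decode_button_notify(value: bytes):
    """Decode a 3 byte notification into ("short", presses) or ("hold", seconds).
    Layouts: 01 xx 00 = xx short presses, 02 00 xx = button held xx seconds."""
    if len(value) != 3:
        raise ValueError(f"expected 3 bytes, got {bytes(value).hex()}")
    kind, a, b = value
    if kind == 0x01 and b == 0x00:
        return ("short", a)
    if kind == 0x02 and a == 0x00:
        return ("hold", b)
    raise ValueError(f"unknown notification {bytes(value).hex()}")


def button_recently_pressed(mfr_data: bytes) -> bool:
    """True if the advertised manufacturer data is the post-press 58 48 FF variant,
    which is how you pick the tag someone is pressing out of several in range."""
    return bytes(mfr_data[:3]) == PRESSED_MFR_DATA
```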

  • 0x2A29 (Manufacturer Name): SIGNAL
  • 0x2A24 (Model Number): BT A8105
  • 0x2A25 (Serial Number): 00001
  • 0x2A26 (Firmware Revision): F4F5V02
  • 0x2A27 (Hardware Revision): A8105F4
  • 0x2A28 (Software Revision): 1030627

The name of the device is “AMIYJ_5B68”; I don't know if this is true for all these devices, Google seemed not to have any hits on that.
It seems to use an A8105 (the iTag seems to use a BK3431); datasheets can be found with Google.
Interestingly there's also an entry for “Heart Rate” on the Bluetooth level, so I guess this shares some code with some other devices.

[Photo: IMG_0382]

Hope something above is useful to someone

Update 2015-11-09: corrected the iTag's Link Loss behavior
Update 2015-11-10: Added names of the official apps
Update 2015-11-14: Added iTag blink-only info (found by and thanks to Joachim Schäfer)

A few years ago I bought a 24mm f/2 Vivitar lens for something like 15 euros; the price was too good not to buy it. It was lying around pretty much untouched until a few days ago.

It has a Canon FD mount, which means it is compatible with all Canon FD cameras. Sadly I am not a big fan of these cameras; I like a conveniently working manual mode and digital. Adapters for FD->EOS exist, but they require optical elements to compensate for the otherwise negative adapter thickness that would be needed. So a more geeky solution is needed. But the first problem with it is that its aperture is stuck and full of oil.

Now cleaning an aperture is not hard, though do NOT try it with this lens if it's your first such repair attempt, as this lens is a floating element design, which in layman's terms means complex. The tools you need are just a bunch of small screwdrivers (for most screws the cheapest will do), some paper towels for various things, a clean soft brush to remove dust, and something to clean the aperture blades; probably anything that removes oil would do. And a box of some kind to put all parts in when taking them apart, so tiny things are trapped by gravity inside a quickly searchable space and not your whole room. The first step is to loosen the screw on the side of the front.

After that the top can be unscrewed. The next part is held in place by a similar screw; loosen it too and unscrew the part. Be careful, as this exposes the front glass element, and if you take it out, the only thing you will achieve is getting dust in.

Now you need to remove the 2 screws and the part that holds the front lens group in the correct distance/rotational alignment; you do want to take some notes or add markings to get it back later in exactly the same position. As I am lazy I relied on my carefully composed pic above instead of wimpy notes or markings. You also need a good screwdriver here, as these screws aren't easy to loosen even after removing the stuff that holds them in place with acetone. After you have removed the 2 screws and that thingy, put the ring that held the front element in place back so the element doesn't escape.

Once the glass is secured, you unscrew the front group as a whole (you have to turn it in the other direction from what you expect). After unscrewing it you reach the front side of the aperture. And here I believed I could just remove the 3 screws and take it out, but no, it's not nearly so easy.

So as we can't get it out yet, disassembling the bottom is next: remove the 3 screws that hold the mount in place; beware, there is a spring, a small pin and a metal ring that are more or less loose.

The rear lens group is just screwed in and can easily be screwed out, allowing us access to the rear part of the aperture. The annoying part is that we still cannot take it out for proper cleaning.

To move forward, the next step is to remove the 2 screws and the part that holds the inner rear part in distance and rotational alignment; again take notes and make markings. The rear part is a little fiddly to put back together with markings (expect 2-3 minutes for doing that later); without markings it would probably be fun but not impossible.

Now the inner rear can be screwed out. And hidden you will find 3 holes in the helix; in these holes there are screws that hold the aperture in place. To loosen them, take careful note of their original position, or just be lazy, do like I did and turn them exactly 3 full turns, so you can get them back with 3 exact full turns later. It shouldn't ruin the lens if the aperture isn't centered exactly, but I'd guess there was a reason for this odd way to mount it.

Once the 3 screws are loosened a bit (and a spring is removed), the aperture can be taken out; its further disassembly and reassembly should be obvious. To clean it you can probably use almost anything; I used a little window cleaner in a small container, put all parts in and used the “shaken but not stirred” technique, in addition to cotton buds and 100% ethanol. Note the pictures below don't look so oily because I tried cleaning it before full disassembly with cotton buds.

Once cleaned, reassemble everything; it's trivial, just the reverse of disassembly.

From FD to M42 to EOS

The rear FD mount was kept in place by 3 screws. Looking around a bit, I found a worthless 35mm/2.8 M42 lens lying around that only produces blurry images no matter what, though it was in 100% perfect condition, surely used only once by any previous owner. Its rear almost fits; 2 out of 3 screws can be screwed in without modification. For all 3 a little drilling is needed.

With this hack it can be mounted on any M42 camera, or with an M42-EOS adapter on any Canon EOS DSLR. It doesn't focus beyond 1m in that configuration though; that is, at 1m real distance you are at infinity on the scale. Also it's easy to switch the mounts back :)

Now to get it to focus to infinity we need to lose some material. First, the M42 rear I picked had a circular ridge that screamed to me “flatten me”.

The pic above shows it in the middle of the flattening process. This wasn't enough though; infinity focus was still far away, so the ring that keeps the aperture selection ring in place had to go too. Note, below the next (now loose) ring are 2 loose springs and 2 tiny steel balls; don't lose them if you try this. A magnet is a pretty nice way to temporarily store them safely.

With this ring removed too, infinity focus becomes possible on M42 and EOS. But due to all the removals (one ring holding the aperture selection ring in place, and the aperture controlling parts that were part of the FD mount) we still aren't done, so next is rebuilding the aperture control parts that a manual lens would have. I've built it out of a piece of aluminum that I found in an old box from my grandfather. I still remember how my mother wanted to throw all the stuff from him away; lucky I saved a few boxes…

The picture above shows it in a partly finished state; it needed more filing and bending before it worked fully smoothly. The removed ring also needs to be replaced. One could have just made it thinner, but I don't have the tools to do this exactly and quickly; besides, it would make it impossible to undo. So I used a piece of plastic cut from the cap of something random from the bathroom. Also, to get the focus a bit closer to correct (it was way over infinity), I put the thin metal ring from the FD mount back in.

And last, I fine-tuned the focus with the 3 screws intended for that purpose, visible in an earlier picture, cleaned the glass a bit, and ready is my 24mm f/2 Vivitar/Kiron for M42 and EOS.

Was the work worth it? For the lens/photography, probably not. For the fun and geek factor, absolutely yes. :)

There are SVQ3 files that FFmpeg cannot decode yet; the ones I am speaking of contain an image or watermark, often a logo, in a global header (extradata in FFmpeg; QT has its own funky terminology for it). The binary decoder displays this watermark over the actually decoded video.

FFmpeg is in principle fully capable of decoding these videos (and of course without these watermarks); the only problem is that 32 bits of the header and the following bitstream are modified by XORing them with a per-file constant. Our problem is that we do not know how the binary decoder calculates this constant. An example SVQ3 video and the corresponding constant of 0xA2A2A2A2 for this file, as well as a bug report on our tracker, exist as well.

The puzzle is to figure out how the binary decoder finds the constant; it's likely not very hard for one who knows how to use a debugger. Hint: a memory breakpoint at the input data and a cup of coffee or tea or a can of cola.

What's a scantable? A thing that tells you where to put the coefficients which you got from VLC/RLE decoding. So for example with the famous zigzag table

     0,  1,  8, 16,  9,  2,  3, 10,
    17, 24, 32, 25, 18, 11,  4,  5,
    12, 19, 26, 33, 40, 48, 41, 34,
    27, 20, 13,  6,  7, 14, 21, 28,
    35, 42, 49, 56, 57, 50, 43, 36,
    29, 22, 15, 23, 30, 37, 44, 51,
    58, 59, 52, 45, 38, 31, 39, 46,
    53, 60, 61, 54, 47, 55, 62, 63

the first coefficient would be written at position 0, the second one at 1, the third at 8 and so on. As the destination array is an 8×8 matrix here, this produces a nice zigzag from the top left corner to the bottom right corner, ordering the DCT coefficients approximately from low frequency to high, and as the high ones are almost always zero, the VLC-RLE coding before it ends up being quite effective. But back to the topic: what if we, for whatever odd reason, want to know if a binary contains such a table?
It's quite easy to find such tables by brute force: their size is something like 16 or 64 entries with no duplicates, the first entry most often being 0, and none of their entries should be larger than the number of entries in the table. Here's some (old) code which I wrote quite some time ago to implement this and a few other things.

And now the interesting part: what do we find with this?

 0  1  4  8 
 5  2  3  6 
 9 12 13 10 
 7 11 14 15

o-->o   o-->o
  /   /   /
o   o   o   o
| /   /   / |
o   o   o   o
  /   /   /
o-->o   o-->o


and

 0  1  2  6 
10  3  7 11 
 4  8  5  9 
12 13 14 15  

 o-->o-->o   o
         |  /|
 o   o   o / o
 | / |   |/  |
 o   o   o   o
   /
 o-->o-->o-->o
(dual scan table ASCII art stolen from libavcodec/svq3.c)

in drv3.so.6.0
Note these tables are the 4×4 zigzag and dual scan tables from an old H.264 draft, so RV30 seems to be an H.264 variant like SVQ3.
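The brute-force search described above (a run of 16 or 64 bytes that starts with 0, has no duplicates and no entry larger than the table size), as an added Python example; this is my own code, not the author's tool, and the "binary" it scans is a constructed blob with the page's two zigzag tables embedded in it.

```python
import random

# Tables from the page, reused here as constructed test data.
ZIGZAG_8X8 = [
     0,  1,  8, 16,  9,  2,  3, 10,
    17, 24, 32, 25, 18, 11,  4,  5,
    12, 19, 26, 33, 40, 48, 41, 34,
    27, 20, 13,  6,  7, 14, 21, 28,
    35, 42, 49, 56, 57, 50, 43, 36,
    29, 22, 15, 23, 30, 37, 44, 51,
    58, 59, 52, 45, 38, 31, 39, 46,
    53, 60, 61, 54, 47, 55, 62, 63,
]
ZIGZAG_4X4 = [0, 1, 4, 8, 5, 2, 3, 6, 9, 12, 13, 10, 7, 11, 14, 15]

def is_scantable(buf: bytes, off: int, n: int) -> bool:
    """n bytes at off form a permutation of 0..n-1 whose first entry is 0."""
    window = buf[off:off + n]
    if len(window) != n or window[0] != 0:
        return False
    return max(window) < n and len(set(window)) == n

def find_scantables(buf: bytes, sizes=(64, 16)):
    """Slide over a blob and return (offset, size, table) for every hit.
    Largest size first, so a 64 entry table is not also reported as a 16 entry one."""
    hits = []
    for off in range(len(buf)):
        for n in sizes:
            if is_scantable(buf, off, n):
                hits.append((off, n, list(buf[off:off + n])))
                break
    return hits

def as_grid(table):
    """Render a hit as the square matrix shown on the page, for eyeballing."""
    side = int(len(table) ** 0.5)
    rows = (table[r * side:(r + 1) * side] for r in range(side))
    return "\n".join(" ".join(f"{v:2d}" for v in row) for row in rows)

def build_sample_blob() -> bytes:
    """Constructed stand-in for a decoder binary: filler >= 0x40 (so it can never
    look like a table itself) with the 4x4 table at 100 and the 8x8 table at 300."""
    rng = random.Random(1234)
    filler = lambda k: bytes(rng.randrange(0x40, 0x100) for _ in range(k))
    return filler(100) + bytes(ZIGZAG_4X4) + filler(184) + bytes(ZIGZAG_8X8) + filler(50)

if __name__ == "__main__":
    for off, n, table in find_scantables(build_sample_blob()):
        print(f"offset {off:#x}: {n} entry table\n{as_grid(table)}\n")
```

Real decoder binaries often store such tables as 16- or 32-bit entries, or shifted/scaled variants; the same check applies per entry width once the bytes are grouped accordingly.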