Posted on 22 Comments

DPF hacking

As some people avoid to get bored over christmas holidays, they tend to analyze presents like those cheap hongkong digital picture frames (DPF) that you normally give to your children so that they can lose it the next day.

Of course, other people always have kind of a similar idea, so it is not surprising that there are web pages describing internals of those undocumented devices.

However, the device I got is using another chip (AX206) than the already exploited st2205 based DPFs.
Since the AX206 has a 8051 instruction set, I had a sneak peak with my d52 disassembler. And it turned out, it was possible to have my own code run on the frame, without actually knowing anything about the environment. To access the internal flash, there are various tools listed at the site linked below. The DPF emulates a mass storage device over USB, vendor specific commands are used to do the standard SPI flash operations. The AX206 seems a powerful chip, and we were actually thinking on using it on a project, however there were too many unanswered open questions and the mass price (30k units) was not competitive considering the puzzling support. If a company buries a simple 8052 controller behind NDAs, the suspicion may arise that the chip has too many bugs.

Hacking a more or less unused vendor specific SCSI command in the DPF, I was able to make lcd4linux work with it:

lcd4linux on DPF
lcd4linux on DPF

Find more information on this Wiki: