Ritz Dakota Digital
The Ritz Dakota Digital was a type of point-and-shoot digital camera, introduced in July 2003, and sold by the Ritz Camera Centers. It had a digital photo resolution of 1.2 megapixels (1280 pixels wide, 960 pixels high) and a storage capacity of 25 pictures.
When introduced, the Dakota Digital sparked massive interest, primarily due to its price tag: US$10.99. At the time, a digital camera of similar resolution and functionality was in the $40–$70 range. The reason for the low price was that the Dakota Digital was a single-use camera, i.e. the consumer takes the pictures, returns the camera to the store, and the pictures are returned to the consumer in print and CD-ROM format (after an additional $11 processing fee) while the camera is refurbished and resold. The Dakota Digital wasn't the very first digital camera introduced as a single-use concept camera - Pentax and Sanyo did it in Japan two years before. However, it was the first single-use digital camera to be mass-marketed (the Pentax/Sanyo camera was only a three-month trial run), as well as the first single-use digital camera sold in the United States.
Almost immediately after introduction, several people began work on hacking the single-use Dakota Digital in attempts to transform it into what would be the least expensive reusable digital camera available at the time. In November 2003, only four months after it was introduced, they succeeded in this task. Technical details about the internal components were publicly posted on the Internet, along with instructions for creating various compatible link cables that connected the Dakota Digital to home personal computers. In addition to this, special third-party software provided a way to download pictures and clear the camera's internal flash memory to allow more pictures to be taken. The technical data, instructions and software met all requirements to make the Dakota Digital reusable.
Public announcement of how to transform the single-use camera into a reusable camera, paired with the very low camera price, immediately created high demand for the Dakota Digital. So Ritz began pulling the Dakota Digital out of its stores after learning of the hack, and the original camera soon became difficult to find.
In July 2004, a group of hackers made available methods to further improve the original Dakota Digital by upgrading the camera's firmware, or internal programming. These firmware upgrades added several new features, most notably the ability to adjust or remove the original 25 picture limit, along with various other changes and improvements.
A few months after the original camera was pulled off the shelves, Ritz introduced two new models of Dakota Digital, the PV2 series. One was similar to the original model with a price of $10.99, while the other, priced at $18.99, contained a color LCD screen that displayed the most recent picture taken. Both were based on an entirely new chipset manufactured by SMaL Camera Technologies. Hacking of this camera has been more of a group effort than the first. John Maushammer removed and read the flash memory chip, wrote a disassembler, and commented significant portions of the firmware. Others investigated the USB interface, and John figured out the authentication mechanism and how to disable it. Others figured out how to download the images using modified versions of software for SMaL's other cameras, and other people are reverse-engineering the proprietary RAW file format.
The security mechanism on the original camera consisted of a challenge and response. The challenge was the camera's serial number, and the response was the 4-byte result of a simple hash function – the serial number converted from ASCII to binary-coded decimal, negated bitwise, and multiplied by 4. The weakness was that the hash function was stored in the firmware, so it could be completely understood and replicated. The PV2 used a better challenge and response mechanism. It was better not because it used a longer key (128 byte challenge, 128 byte response), but because the hash function was not stored algorithmically in firmware. Theoretically, the response could not be mathematically related to the challenge and the only correlation between the two could be a record saved in the manufacturer's database (which authorized processing systems would have to access to read pictures from the camera). In practice, though, only a few challenge/response pairs have been seen in the wild.
- Slashdot | Ritz Disposable Digital Camera Hacked
- Technical details for the Ritz Dakota Digital, with the original Mac and Linux drivers
- Windows driver & more technical details for the Ritz Dakota Digital, including hacking instructions (From cexx.org)
- Details and instructions for upgrading the Dakota Digital firmware
- PV2 photos & technical details
- Bulletin Board with latest PV2 hacking discussion