ITB-100HD MPH Hack *Update*

It turns out that the branch I removed in the original ITB-100HD MPH hack was not what I thought it was. It was actually a check for whether the GPS had acquired a signal yet. Removing it caused problems: before the GPS was ready, the string that prints the speed would get all messed up and overwrite itself.

I went back to the drawing board armed with a little more skill and came up with a pretty standard solution to the problem. I decided to try my hand at jumping to another area in the code, doing my conversion and then jumping back. I found a couple test functions that had no callers and figured that they would probably be a good place to start.

I already had the code I wanted to run, so it was easy to just stomp over the newly claimed test function with it. The harder part was figuring out how to branch correctly to end up with the results I wanted. I knew branch with link was the way to go, but had no idea how to determine the offset of the branch. After looking around online, it turns out it's not as hard as I thought.

First you take the target address and subtract from it the address of the branch instruction plus 8 (to account for prefetch: in ARM state the PC reads two instructions ahead of the one executing), then right shift the result by 2 (instructions are word-aligned, so the offset is stored in words), and that's the value that goes in the instruction's offset field.
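Here is that calculation carried through to a complete ARM-state BL encoding and back again, as an added example and not code from the original post. The addresses, the load base, and the little-endian firmware layout are assumptions for illustration, not values taken from the ITB-100HD firmware; the decoder is included so a patch can be checked round-trip before it is ever written to a camera.

```python
# Added example (not from the original post): compute, encode, decode and patch an
# ARM-state BL (branch with link) the way the paragraph above describes.
# ARM BL encoding: cond[31:28] | 1 0 1 1 | signed 24-bit word offset[23:0]
# Addresses below are hypothetical.

ALWAYS = 0xE  # condition code AL (execute unconditionally)


def bl_offset(branch_addr: int, target_addr: int) -> int:
    """Signed word offset for the 24-bit immediate field.

    offset = (target - (branch + 8)) >> 2
    The +8 accounts for pipeline prefetch: PC reads two instructions ahead.
    """
    if branch_addr % 4 or target_addr % 4:
        raise ValueError("ARM-state BL needs word-aligned addresses")
    delta = target_addr - (branch_addr + 8)
    offset = delta >> 2  # arithmetic shift: sign is preserved for backward branches
    if not -(1 << 23) <= offset < (1 << 23):
        raise ValueError("target out of BL range (+/-32 MB)")
    return offset


def encode_bl(branch_addr: int, target_addr: int, cond: int = ALWAYS) -> int:
    """32-bit instruction word for `BL target` placed at branch_addr."""
    imm24 = bl_offset(branch_addr, target_addr) & 0xFFFFFF  # two's complement field
    return (cond << 28) | (0b1011 << 24) | imm24


def decode_bl(word: int, instr_addr: int) -> int:
    """Target address of a BL instruction word located at instr_addr."""
    if (word >> 25) & 0b111 != 0b101 or not (word >> 24) & 1:
        raise ValueError("not a BL instruction")
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:  # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return instr_addr + 8 + (imm24 << 2)


def patch_bl(fw: bytearray, load_base: int, branch_addr: int, target_addr: int) -> int:
    """Overwrite the instruction at branch_addr with BL target_addr (little-endian).

    load_base is the address the firmware image is mapped at (hypothetical here);
    the file offset is branch_addr - load_base. Returns the written word.
    """
    word = encode_bl(branch_addr, target_addr)
    off = branch_addr - load_base
    if off < 0 or off + 4 > len(fw):
        raise ValueError("branch address outside the image")
    fw[off:off + 4] = word.to_bytes(4, "little")
    # Round-trip check: decoding what we wrote must give the intended target.
    assert decode_bl(int.from_bytes(fw[off:off + 4], "little"), branch_addr) == target_addr
    return word


if __name__ == "__main__":
    # Constructed demo: a 256-byte blank image mapped at 0, hook at 0x10
    # that calls an "unused test function" living at 0x40.
    image = bytearray(0x100)
    w = patch_bl(image, 0, 0x10, 0x40)
    print(f"BL word {w:#010x} -> target {decode_bl(w, 0x10):#x}")
```

The code being called must end with `BX LR` (or `MOV PC, LR`) so that execution returns to the instruction after the patched branch; that return is what the link register set by BL provides. Checking `decode_bl` against the intended target, and then confirming the same thing in IDA as the post describes, catches an off-by-8 or a sign error before the image goes on the camera.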

After a few iterations and running it through IDA to make sure I got what I wanted, I was able to build a 100% working MPH firmware that no longer had strange behavior prior to GPS ready.

I also think I’ve learned quite a bit doing all this and look forward to tackling a couple other improvements. Some folks have requested an increase in the bitrate, but I’m not sure I want to run such a firmware on my camera.  (itb100hdfw.bin v2.1)