Porting chdk to the G9

[bongo_bingo]

Hello all,
this topic is aimed to concentrate the effort in order to have a working chdk for the canon powershot G9.

I'm a total newbie in this things like: assembling, disassembling, reverse engeenering, compiling etc., so I hope some of the developers could take to heart the issue and help us (G9 users interested in the porting) coordinating the job.

What we have/know:

1) G9 works with DryOs

2) G9 P-id

- should be 315A according to P-ID - CHDK Wiki

3) Fimware dumps:

- a complete dump made by Titan_G9 - Firmware G9 1.00D (from 0xFF810000 created by Titan_G9)
- 2 partitial dump of the Firmware G9 1.00f, one made by dew (not uploaded, at least as I know) and one made by me (avaible). Dew wrote that our two dumps are different.

The links to those firmwares can be found in G9 - CHDK Wiki

Useful links:

1) Knowledge

- G9 chdk wiki page at G9 - CHDK Wiki
- Loading dump to IDA at Loading dump to IDA - CHDK Wiki
- Dryos porting page at DryOS Porting - CHDK Wiki
- ADDING SUPPORT FOR NEW CAMERA at HDK/Adding support for new camera - chdk - Trac
- Property case list: PropertyCase - CHDK Wiki
- Modifying the CHDK Sources at Modifying the CHDK Sources - CHDK Wiki
- For Developers For Developers - CHDK Wiki
- Trunk /trunk - chdk - Trac

2) Video tutorials

- Happy dumping with IDA:

 - How to load dump in IDA 1:  "ida_load_g9"- Director: GrAnd
 - How to load dump in IDA 2: the  data offset method:
"ida_load_g9_with_offset"- Director: GrAnd
 

3) Tools

- udumper at
- Winmerge at WinMerge
- Notepad++ and Hex Plug-in at .:: NOTEPAD++ ::.

4) Files

- Signatures and idc for Dryos at DryOS - some success
- Auto-generated Dryos signatures.h for CHDK at /trunk/tools - chdk - Trac - file signatures_dryos.h

Hope this helps

[bongo_bingo]

What I'm doing at the moment:

I've loaded my dump in disassembler this way:

1) switched to Arm processor

2)- Rom start address: 0x00000000
   - Rom size: 0x003FFFFF

It seems that the instructions starts at ROM:0009BE00

I'm trying to apply the Dryos Signature:
 

- searching in the forum I've found this DryOS - some success
 GrAnd made IDA-signature file for DryOS firmwares (based on functions from A720 dump), wil this work for the G series?
 I'm trying

[tommi2water]

Hi,

have you already seen the signatures.zip in this message?

http://chdk.setepontos.com/index.php/topic,234.msg3146.html#msg3146

Best regards,
tommi

[bongo_bingo]

Hi,

have you already seen the signatures.zip in this message?

http://chdk.setepontos.com/index.php/topic,234.msg3146.html#msg3146

Best regards,
tommi

which differences with DryOS - some success ?

[ewavr]

which differences with DryOS - some success ?

This is signatures for IDA, "official" release is here: http://grandag.nm.ru/hdk/CanonFW_A-Series_Signatures_for_IDA.rar (for all cameras, VxWorks and DRYOS).

Auto-generated signatures.h for CHDK build already in trunk: http://tools.assembla.com/chdk/browser/trunk/tools -  signatures_dryos.h and signatures_vxworks.h files.

[bongo_bingo]

which differences with DryOS - some success ?

This is signatures for IDA, "official" release is there: http://grandag.nm.ru/hdk/CanonFW_A-Series_Signatures_for_IDA.rar

Auto-generated signatures.h for CHDK build already in trunk: http://tools.assembla.com/chdk/browser/trunk/tools - file signatures_dryos.h

thanks ewavr

But should I compile signatures_dryos.h before using it in Ida?

[ewavr]

But should I compile signatures_dryos.h before using it in Ida?

No. This signatures not for IDA.

[bongo_bingo]

But should I compile signatures_dryos.h before using it in Ida?

No. This signatures not for IDA.

Ok!
how should I use it?

Loaded CanonFW_DryOS_A-Series.sig, running CHDK.idc -> 17:18:26
It takes a lot of time! (turion 64 tl 50, 2.5 Gb ram)

[GrAnd]

No. This signatures not for IDA.

how should I use it?

They are used automatically during the compilation.

I've loaded my dump in disassembler this way:
1) switched to Arm processor
2)- Rom start address: 0x00000000
   - Rom size: 0x003FFFFF

Incorrect.
Before loading, you should strip zeros at least in the beginning of file. Then load it from 0xFF810000 in the way shown at Loading dump to IDA - CHDK Wiki

- 2 partitial dump of the Firmware G9 1.00f, one made by dew (not uploaded, at least as I know) and one made by me (avaible). Dew wrote that our two dumps are different.

Just have checked. There are no differences between them, of course in part you dumped.

[GrAnd]

Loaded CanonFW_DryOS_A-Series.sig, running CHDK.idc -> 17:18:26
It takes a lot of time! (turion 64 tl 50, 2.5 Gb ram)

4m 45s with all my actions from choosing the file to the readiness.
See flash movie - Loading G9 dump into IDA

[bongo_bingo]

Loaded CanonFW_DryOS_A-Series.sig, running CHDK.idc -> 17:18:26
It takes a lot of time! (turion 64 tl 50, 2.5 Gb ram)

4m 45s with all my actions from choosing the file to the readiness.
See flash movie - Loading G9 dump into IDA

Hello GrAnd,
thank for the movie, very clear I think it will be usefull for a lot of future developers.

I've made it wrong, the analisys went to 0x00000000 to eof, it tool more than 2 hours, I left the pc working alone.
No error, this is the log:

Executing function 'main'...
Plan  FLIRT signature: "DryOS Canon Firmware; A720-based"
Compiling file 'C:\Programmi\IDA\idc\CHDK.idc'...
Executing function 'main'...
*** START OF ANALYSIS ***
Searching for code...
Code found 86300 times
Please wait...
Using FLIRT signature: "DryOS Canon Firmware; A720-based"
Searching for tasks...
Tasks found 127 times
Please wait...
Searching for events...
Events found 286 times
Please wait...
Searching for strings...
Strings found 5131 times
Please wait...
Searching for references...
Refs found 71716 times
Please wait...
*** END OF ANALYSIS ***
Retrieving information from the database... ok

I'm restarting the analisys following yours direction, thanks again.

Are the sig and idc files you used the same present in http://grandag.nm.ru/hdk/CanonFW_A-Series_Signatures_for_IDA.rar ?
Can I use notepad to strip off the zeros?

[bongo_bingo]

hELLO,
just finished the analisys the way GrAnd showed, but less things where found.
At this point I have a lack competence, I'm posting the Ida log hoping you can help me to understand what's wrong.

[GrAnd]

Are the sig and idc files you used the same present in http://grandag.nm.ru/hdk/CanonFW_A-Series_Signatures_for_IDA.rar ?

Yes.

Can I use notepad to strip off the zeros?

No. It will replace some symbols, as notepad is textual editor, not binary.

edit: You can yse the following command line to strip your dump (empty.dum):
tail -c +638465 empty.dum | head -c 3345368 > PRIMARY.BIN
Both 'tail' and 'head' programs are in CHDK working environment for Windows.

[bongo_bingo]

Are the sig and idc files you used the same present in http://grandag.nm.ru/hdk/CanonFW_A-Series_Signatures_for_IDA.rar ?

Yes.

Can I use notepad to strip off the zeros?

No. It will replace some symbols, as notepad is textual editor, not binary.

edit: You can yse the following command line to strip your dump (empty.dum):
tail -c +638465 empty.dum | head -c 3345368 > PRIMARY.BIN
Both 'tail' and 'head' programs are in CHDK working environment for Windows.

ok,
I've used notepad++ to cut off the zeroes, will test tail-head in the afternoon.

bye

Have a nice sunday!

[GrAnd]

will test tail-head in the afternoon.

Or, you can load your dump "as-is" directly to IDA with specifying the offset of data:
Loading G9 dump into IDA, episode 2